| 제목 | Mayan EDMS CMS 4.10 Cross Site Scripting |
|---|
| 설명 | A DOM-based Cross-Site Scripting (XSS) vulnerability was identified in the Mayan EDMS web interface. The application reflects user-controlled data directly into a JavaScript context without proper sanitization, allowing an attacker to execute arbitrary JavaScript in the victim’s browser.
This issue can lead to account takeover, data exfiltration, privilege escalation, or full compromise of the affected user session.
The vulnerable code is located in the client-side template rendering logic responsible for handling dynamic navigation:
'''
<script> if (typeof partialNavigation === 'undefined') { document.write('<script type="text/undefined">') const currentLocation = '#' + window.location.pathname + window.location.search; const url = new URL(currentLocation, window.location.origin) window.location = url; } </script>
'''
User-controlled data from window.location is passed into JavaScript without sanitization, which makes it possible to inject executable code.
|
|---|
| 원천 | ⚠️ https://github.com/ionutluca888/Mayan-EDMS-XSS-POC |
|---|
| 사용자 | luca_irinel (UID 85391) |
|---|
| 제출 | 2025. 12. 10. AM 09:43 (4 개월 ago) |
|---|
| 모더레이션 | 2025. 12. 14. AM 11:41 (4 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 336409 [Mayan EDMS 까지 4.10.1 /authentication/ 크로스 사이트 스크립팅] |
|---|
| 포인트들 | 20 |
|---|