Docmost Stored Cross-Site Scripting Vulnerability via Unsanitized Attachment URLs
Vulnerability
A stored cross-site scripting vulnerability has been identified in Docmost versions prior to 0.71.0. This issue allows low-privileged authenticated users to inject malicious 'javascript:' URLs into attachment nodes within page content. The vulnerability arises because Docmost does not properly sanitize attachment URLs before storing them. When another user views the page and interacts with the attachment link, the injected JavaScript executes in the context of the Docmost origin.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user viewing the page.
Reproduction
To reproduce this vulnerability, a low-privileged authenticated user can create or edit a page and insert a 'javascript:' URL into an attachment node. Once the page is saved, another user can view the page and click on the attachment link, triggering the execution of the injected JavaScript.
Remediation
Users can upgrade to Docmost version 0.71.0 or later to address this vulnerability.
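As an added, defender-side example (not Docmost's own code): a scheme allow-list check of the kind that refuses a 'javascript:' URL before an attachment node is stored. It assumes attachment URLs are either same-origin paths or absolute http(s) URLs, and ORIGIN is a constructed base used only to resolve relative paths; the WHATWG URL parser normalises the same case, whitespace and tab/newline variants a browser would before deciding what to run on click, which is why the check is made on the parsed protocol rather than on a string prefix.

```javascript
// Added example, not Docmost's own code: allow-list check for attachment URLs
// so that a "javascript:" URL is rejected before the attachment node is stored.
// Assumption: attachments are same-origin paths ("/files/report.pdf") or
// absolute http(s) URLs. ORIGIN is a constructed value used only to resolve
// relative paths; a real deployment would use its own configured base URL.
const ORIGIN = "https://docs.example.internal";
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function isSafeAttachmentUrl(raw) {
  if (typeof raw !== "string" || raw.trim() === "") return false;
  let parsed;
  try {
    // The WHATWG URL parser (the same one browsers use) strips leading and
    // trailing whitespace and control characters, removes embedded tabs and
    // newlines, and lower-cases the scheme. Checking the parsed protocol
    // therefore also rejects "JavaScript:", " javascript:" and "java\tscript:".
    parsed = new URL(raw, ORIGIN);
  } catch (_err) {
    return false; // unparseable input is rejected rather than stored verbatim
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Returns the normalised href to store, or null when the URL must be refused.
function sanitizeAttachmentUrl(raw) {
  return isSafeAttachmentUrl(raw) ? new URL(raw, ORIGIN).href : null;
}

// Constructed sample inputs, including the variants a naive prefix check misses.
const SAMPLES = [
  "/files/report.pdf",
  "https://docs.example.internal/files/report.pdf",
  "javascript:alert(1)",
  "JavaScript:alert(1)",
  "  javascript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,hello",
  "vbscript:msgbox(1)",
];

// Maps each sample to its sanitised value (null when rejected).
function checkSamples() {
  return Object.fromEntries(SAMPLES.map((u) => [u, sanitizeAttachmentUrl(u)]));
}
```

Restricting the scheme stops script execution on click; whether to additionally pin the host to the deployment's own origin is a separate policy decision this check leaves open.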
