Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Papra has an HTML Injection in Transactional Emails via Unescaped User Display Name
Vulnerability Description
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected into the verification and password reset email bodies. Since emails are sent from the legitimate domain (e.g: auth@mail.papra.app), this enables convincing phishing attacks that appear to originate from official Papra notifications. This vulnerability is fixed in 26.4.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Vulnerability Type
Web页面中脚本相关HTML标签转义处理不恰当(基本跨站脚本)
Vulnerability Title
Papra 安全漏洞
Vulnerability Description
Papra是Papra开源的一个文档管理与归档平台。 Papra 26.4.0之前版本存在安全漏洞,该漏洞源于事务性电子邮件模板将user.name直接插入HTML而未进行转义或清理,可能导致注册时显示名包含HTML标签的攻击者将这些标签注入验证和密码重置电子邮件正文,从而发起看似来自官方Papra通知的钓鱼攻击。
CVSS Information
N/A
Vulnerability Type
N/A