
Cross-Site Scripting (XSS) Vulnerability via dangerouslySetInnerHTML

Moderate
lunika published GHSA-rcx4-hgwr-2hh6 Dec 10, 2025

Package

No package listed

Affected versions

>=3.4.0;<4.1.0

Patched versions

4.1.0

Description

Security Advisory: Cross-Site Scripting (XSS) Vulnerability via dangerouslySetInnerHTML

Summary

A Cross-Site Scripting (XSS) vulnerability was identified in the Docs application frontend that could allow malicious actors to inject and execute arbitrary JavaScript code through document titles in the document move confirmation dialog.

Vulnerability Details

Type: Cross-Site Scripting (XSS)
Severity: Moderate (CVSS 5.4)
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
CVSS v3.1 Base Score: 5.4
Component: Frontend - Document Grid Management
Affected File: src/frontend/apps/impress/src/features/docs/docs-grid/components/DocGridContentList.tsx
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation)
Scope: Limited - Requires editor permissions to exploit and owner/administrator victim

Description

The application used React's dangerouslySetInnerHTML to render translated strings containing HTML in the document move confirmation modal. Specifically, when moving a document, the target document's title was interpolated directly into an HTML string without proper sanitization:

<span
  dangerouslySetInnerHTML={{
    __html: t(
      'By moving this document to <strong>{{targetDocumentTitle}}</strong>...',
      {
        targetDocumentTitle: onDragData.current?.target.title ?? t('Unnamed document'),
      },
    ),
  }}
/>

Important Note: This vulnerability has a limited scope due to permission requirements. While any user with editor permissions or higher can create or rename a document with a malicious title, only users with owner or administrator privileges can perform the "move document" action that triggers the vulnerable modal. This significantly limits the potential impact.

If an attacker with at least editor rights created a document with a malicious title containing JavaScript code (e.g., <img src=x onerror=alert('XSS')>), this code would be executed when a user with owner or administrator privileges attempted to move another document into the malicious document, potentially allowing:

  • Session token theft from privileged users (owners/administrators)
  • Unauthorized actions on behalf of the victim with elevated privileges
  • Phishing attacks targeting privileged users within the application context
  • Data exfiltration from privileged accounts

The attack surface is significantly reduced since:

  • The attacker must be an authenticated user with at least editor permissions
  • The victim must have owner or administrator privileges to perform document moves
  • The victim must specifically interact with the malicious document by attempting to move another document into it
  • The vulnerability only affects the document move confirmation modal, not other parts of the application

Affected Versions

  • All versions from 3.4.0 up to, but not including, 4.1.0

Fixed Versions

  • 4.1.0 and later

Remediation

The vulnerability was fixed in commit 9c575e397c8ff3829c176dbb9073ec6a2b9f7a38 by replacing dangerouslySetInnerHTML with the Trans component from react-i18next, which maps the tags in the translation key to React elements and renders interpolated values as text:

<Text $display="inline">
  <Trans
    i18nKey="By moving this document to <strong>{{targetDocumentTitle}}</strong>..."
    values={{
      targetDocumentTitle: onDragData.current?.target.title ?? untitledDocument,
    }}
    components={{ strong: <strong /> }}
  />
</Text>

With Trans, the strong tag in the translation key is resolved to the React element supplied in components, while interpolated values such as the document title become React text nodes and are escaped by React. User-supplied content therefore cannot introduce markup, and the translation keeps its intended formatting.
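The following is an added example, not code from the Docs project or from react-i18next. It contrasts the two rendering paths described above using plain strings, with no React dependency, and adds a small source scanner for the pattern fixed in 4.1.0. The assumption it makes: t() is modelled as plain {{key}} interpolation with i18next's own escaping turned off (the escapeValue: false setup that react-i18next documents, which relies on React to escape values). The advisory does not show the project's i18n configuration, so treat that as an assumption; the function names, the sample source and the sample title are constructed here.

```javascript
// Added example, not code from the Docs project. It contrasts the two rendering
// paths described in the advisory using plain strings, without React, and adds a
// small source scanner for the pattern that was fixed in 4.1.0.
// Assumption: t() is modelled as plain {{key}} interpolation with i18next's
// escaping turned off (react-i18next's documented escapeValue: false setup,
// which relies on React to escape values). The project's i18n config is not
// shown in the advisory.

// Constructed sample title carrying the payload quoted in the advisory.
const MALICIOUS_TITLE = "<img src=x onerror=alert('XSS')>";
const TEMPLATE =
  'By moving this document to <strong>{{targetDocumentTitle}}</strong>...';

const PLACEHOLDER = /\{\{\s*(\w+)\s*\}\}/g;

// Path 1 (vulnerable): the title is spliced raw into the translated string and
// the whole string reaches the browser as HTML via dangerouslySetInnerHTML.
function renderWithInnerHtml(template, values) {
  return template.replace(PLACEHOLDER, (_, key) => String(values[key] ?? ''));
}

function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Path 2 (hardened): the template's own <strong> survives, but every
// interpolated value is turned into text. This is the effect <Trans> has when
// it maps the tag to a React element and renders {{values}} as text nodes.
function renderWithTrans(template, values) {
  return template.replace(PLACEHOLDER, (_, key) => escapeHtml(values[key] ?? ''));
}

// Check for rendered output: a tag with an inline event handler or a <script>
// element means untrusted markup got through.
function containsActiveMarkup(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html) || /<script\b/i.test(html);
}

function demo() {
  const values = { targetDocumentTitle: MALICIOUS_TITLE };
  return {
    vulnerable: renderWithInnerHtml(TEMPLATE, values),
    hardened: renderWithTrans(TEMPLATE, values),
  };
}

// Audit helper for a source tree: report the 1-based line of every
// dangerouslySetInnerHTML whose __html is the result of t(...). Whitespace and
// line breaks inside the JSX expression are tolerated, as in the vulnerable snippet.
const RISKY_INNER_HTML = /dangerouslySetInnerHTML\s*=\s*\{\{\s*__html\s*:\s*t\s*\(/g;

function findRiskyInnerHtml(source) {
  const hits = [];
  for (const match of source.matchAll(RISKY_INNER_HTML)) {
    hits.push(source.slice(0, match.index).split('\n').length);
  }
  return hits;
}

// Constructed sample source mirroring the vulnerable component.
const SAMPLE_SOURCE = `<span
  dangerouslySetInnerHTML={{
    __html: t('By moving this document to <strong>{{targetDocumentTitle}}</strong>...', {
      targetDocumentTitle: title,
    }),
  }}
/>`;

const result = demo();
console.log('vulnerable:', result.vulnerable, containsActiveMarkup(result.vulnerable));
console.log('hardened:  ', result.hardened, containsActiveMarkup(result.hardened));
console.log('risky dangerouslySetInnerHTML at lines:', findRiskyInnerHtml(SAMPLE_SOURCE));
```

The payload uses an img element with an onerror handler rather than a script tag because script elements inserted through innerHTML are not executed by browsers, while event handler attributes on inserted elements do fire; the scanner regex is deliberately narrow (only __html fed directly from t()) and is a starting point for a code review, not a substitute for it.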

Recommendations

For Users

  • Update immediately to version 4.1.0 or later
  • Review document titles for any suspicious content created before the patch

For Administrators

  • Deploy version 4.1.0 or later as soon as possible
  • Consider reviewing audit logs for document move operations

References

Timeline

  • 2025-12-07: Vulnerability disclosed
  • 2025-12-09: Vulnerability fixed and version 4.1.0 released
  • 2025-12-09: Security advisory drafted

Severity

Moderate

CVSS overall score

5.4 / 10

CVSS v3 base metrics

Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: None

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

CVE ID

CVE-2025-67512

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Credits