Stored XSS vulnerability in BP Group Documents 1.2.1


Last revised:

“Display name” and “Description” fields are not escaped, meaning any tags including script tags can be stored in them.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 8 High
Vector Network
Complexity Low
Authentication Single
Confidentiality Partial
Integrity Partial
Availability Complete
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Go to the upload form, select a document to upload, set the “Display name” to “photograph of a cute puppy<script>alert(‘xss’)</script>” and set the “Description” to “this is an innocuous description<script>alert(‘xss again’)</script>”.

Advisory timeline

  • 2013-09-26: Discovered
  • 2013-09-30: Reported to
  • 2013-10-04: Fix released (1.2.2)

Mitigation/further actions

Update to version 1.2.2.