6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-50183

CVE-2025-50183: OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer

XSS via .py file containing script tag interpreted as HTML

Summary

A vulnerability exists in the file preview/browsing feature of the application, where files with a .py extension that contain JavaScript code wrapped in <script> tags may be interpreted and executed as HTML in certain modes. This leads to a stored XSS vulnerability.

Affected Versions

<= 4.0.0-rc.3

PoC

Create a .py file with arbitrary JavaScript content wrapped in <script> tags. For example:

<script>alert(document.cookie);</script>

When a victim views the file in browsing mode (e.g., a rendered preview), the JavaScript is executed in the browser context.

Attack vector

An attacker can place such a .py file in the system via remote channels, such as:

Convincing a webmaster to download or upload the file;
Tricking users into accessing a file link via public URLs.

Required permissions

None, if public or visitor access is enabled.
If the file is uploaded by a user with elevated permissions, potential privilege boundaries may be crossed.

User interaction

Yes. The user must manually click to switch to the browsing or preview mode to trigger the script. And seems only when using ISO-8859-1 encoding.

Scope

Unchanged (S:U) - The attack does not cross system or privilege boundaries in general.
⚠️ Controversial edge case: If sensitive preview files are accessible due to misconfiguration, scope could be considered Changed (S:C).

Impact

Confidentiality: User information including cookies, login state, and localStorage may be accessed. Some files that only can be viewed via this user will leak too.
Integrity & Availability: Not directly impacted.

Recommendations

Treat all previewed file types (including non-HTML like .py) as plain text unless explicitly sanitized.
Disable rendering modes that can interpret user-uploaded content as HTML.

Timeline

| Date | Event | |------|-------| | 2025-06-17 | Vulnerability reported | | 2025-06-17 | Comminuty Manager confirmed | | 2025-06-17 | Fixed |

Credits

Discovered by: @zyk2507
Reported to: The OpenList Team
Analyzed and confirmed by: @jyxjjj
Fixed by: @cxw620
Fixed in: 4.0.0-rc.4

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-50183

CVE-2025-50183:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@openlist-frontend/openlist-frontend	npm	<= 4.0.0-rc.3	4.0.0-rc.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allows XSS when previewing files with a .py extension that contain JavaScript code within <script> tags. The provided patch modifies the MdPreview function in src/pages/home/previews/markdown_with_word_wrap.tsx. This function is responsible for displaying file previews.

The core of the fix is the addition of the ext={ext(objStore.obj.name)} prop to the Markdown component within MdPreview. This implies that prior to the patch, the Markdown component (or the way MdPreview used it) did not correctly distinguish or handle different file types, particularly non-Markdown files like .py. As a result, it would interpret HTML-like tags (e.g., <script>) within these files, leading to XSS.

The MdPreview function is identified as vulnerable because it was the component directly responsible for invoking the rendering logic in a way that was susceptible to this XSS. While the Markdown component is where the misinterpretation likely happened, the patch is applied to MdPreview, indicating that MdPreview's usage of Markdown was the point of failure addressed. During exploitation, a stack trace would likely show MdPreview as part of the call chain leading to the unsafe rendering of the .py file content.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-50183: OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer

Summary

Affected Versions

PoC

Attack vector

Required permissions

User interaction

Scope

Impact

Recommendations

Timeline

Credits

CVE-2025-50183:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

6.5

6.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

CVE-2025-50183: OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer

Summary

Affected Versions

PoC

Attack vector

Required permissions

User interaction

Scope

Impact

Recommendations

Timeline

Credits

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI