Bug 2451404 (CVE-2026-30587)
| Summary: | CVE-2026-30587 Seafile Server: Seadoc editor: seahub: seadoc-editor: Seafile Server: Arbitrary client-side code execution via Stored Cross-Site Scripting in Seadoc editor | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Seafile Server and its Seadoc editor. This Stored Cross-Site Scripting (XSS) vulnerability allows authenticated remote attackers to inject malicious JavaScript code. The application fails to properly sanitize WebSocket messages during document structure updates. By exploiting this, an attacker can execute arbitrary client-side scripts, potentially leading to information disclosure or unauthorized actions within a user's browser.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2026-03-25 18:01:58 UTC
|