
Reflected XSS via searchtags parameter

High
nodiscc published GHSA-7w7w-pw4j-265h Aug 16, 2025

Package

shaarli

Affected versions

<=0.14.0

Patched versions

>=0.15.0

Description

Summary

The input string on the tag cloud page is not properly sanitized. This allows the </title> tag to be closed prematurely, leading to a reflected Cross-Site Scripting (XSS) vulnerability.

Details

On the following page:
https://demo.shaarli.org/tags/cloud?do=tagcloud&searchtags=testxss
the searchtags parameter is reflected inside the <title> tag without proper sanitization. By injecting a payload such as testxss</title>, an attacker can break out of the <title> context and inject arbitrary HTML or JavaScript into the page.

PoC

Visit the following URL:
https://demo.shaarli.org/tags/cloud?do=tagcloud&searchtags=testxss%3C/title%3E%3Cimg%20src=X%20onerror=alert(1)%3E
This triggers a JavaScript alert via the injected <img> tag's onerror handler after breaking out of the <title> element.
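The reflection pattern described above, as an added example that is not Shaarli's own code: a renderer that reflects searchtags raw into <title>, the HTML-escaped variant that the fix relies on, and a check that the title context stays intact. The page text, function names and the log line are assumptions constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the PoC URL from the advisory.
POC_URL = ("https://demo.shaarli.org/tags/cloud?do=tagcloud"
           "&searchtags=testxss%3C/title%3E%3Cimg%20src=X%20onerror=alert(1)%3E")


def searchtags_from_url(url):
    """Return the URL-decoded searchtags value as the application receives it."""
    query = parse_qs(urlsplit(url).query)
    return query.get("searchtags", [""])[0]


def render_title_vulnerable(searchtags):
    """Reflect the raw value into <title> (the pre-0.15.0 behaviour the advisory describes)."""
    return f"<title>Tag cloud - {searchtags}</title>"


def render_title_fixed(searchtags):
    """HTML-escape the value first: '<', '>', '&' and quotes become entities,
    so the reflected text can no longer close the <title> element."""
    return f"<title>Tag cloud - {html.escape(searchtags, quote=True)}</title>"


def title_context_broken(markup):
    """Defender-side check: True when anything between the opening <title>
    and the last </title> still contains a raw angle bracket, i.e. the
    reflected value was able to create new markup."""
    start = markup.find("<title>") + len("<title>")
    end = markup.rfind("</title>")
    inner = markup[start:end]
    return "<" in inner or ">" in inner


def suspicious_searchtags(url):
    """Log triage helper: flag requests whose decoded searchtags carries markup
    characters, which a legitimate tag filter never needs."""
    value = searchtags_from_url(url)
    return any(ch in value for ch in "<>\"'")


if __name__ == "__main__":
    payload = searchtags_from_url(POC_URL)
    print("vulnerable:", render_title_vulnerable(payload))
    print("fixed:     ", render_title_fixed(payload))
    print("flagged:   ", suspicious_searchtags(POC_URL))
```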

Impact

This vulnerability is a reflected XSS issue, which an attacker can exploit to perform actions on behalf of other users or to steal sensitive data.

https://shaarli.local.test/tags/list?do=taglist&searchtags=http%3C%2ftitle%3E%3Cscript%3Ealert(1)%3C%2fscript%3E
https://shaarli.local.test/tags/cloud?do=tagcloud&searchtags=http%3C%2ftitle%3E%3Cscript%3Ealert(1)%3C%2fscript%3E
shaarli-.0.14.0-Reflected-xss-via-searchtags.mp4

Severity

High


CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CVE ID

CVE-2025-55291

Weaknesses

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

Improper Neutralization of Alternate XSS Syntax

The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.

Credits