usd-2022-0032 | Seafile 9.0.6 - Cross-Site Scripting

Advisory ID: usd-2022-0032
Product: Seafile
Affected Version: 9.0.6
Vulnerability Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Security Risk: Medium
Vendor URL:
Vendor Status: fixed
CVE number: requested

Description
The Seafile application allows users to set up a self-hosted cloud storage system. It supports common functions such as synchronization of files between server and client, as well as group sharing.
In addition to the basic functions, Seafile also provides its users with a wiki and a discussion feature. The markdown editor provided by the application does not properly filter javascript URIs from the `href` attribute, which results in stored XSS.

Proof of Concept

The markdown editor allows an attacker to inject a javascript payload into the *href* attribute of the *a* tag.

The payload is executed when a user visits the wiki page (or the file wherever else it is displayed) and clicks on the link.

Fix
It is recommended to treat all input on the website as potentially dangerous.
Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.
The majority of programming languages support standard procedures for encoding meta characters.
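Attribute encoding alone does not close this particular hole, because a `javascript:` URI is a perfectly valid attribute value; the scheme of the link destination has to be validated against an allowlist as well. The following is an added illustration of both steps and is not Seafile's editor or renderer code; the function names and the allowed scheme set are assumptions.

```javascript
// Added example, not Seafile's code: allowlist the URL scheme of every
// link destination, then encode the value for the HTML attribute context.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto", "ftp"]);

// Returns the href to emit, or null if the destination must be dropped.
function safeHref(rawHref) {
  const raw = String(rawHref);
  // Browsers discard ASCII control characters and whitespace while parsing
  // a URL, so "java\tscript:" still runs; strip them before inspecting the
  // scheme so the check sees what the browser will see.
  const probe = raw.replace(/[\u0000-\u0020\u007f]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(probe);
  if (!m) {
    return raw.trim(); // no scheme: relative path, query or fragment
  }
  // Allowlist, not denylist: anything unexpected (javascript:, data:,
  // vbscript:, a host mistaken for a scheme, ...) is rejected.
  return ALLOWED_SCHEMES.has(m[1].toLowerCase()) ? raw.trim() : null;
}

// Attribute/text-context encoding so user data cannot close the quoted
// attribute or inject tags.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Renders a markdown link as HTML; a rejected destination is dropped rather
// than "repaired", and the link text is still shown.
function renderLink(href, text) {
  const safe = safeHref(href);
  const label = escapeHtml(text);
  if (safe === null) {
    return `<a>${label}</a>`;
  }
  return `<a href="${escapeHtml(safe)}">${label}</a>`;
}
```

If the markdown parser decodes HTML entities in link destinations before handing them over, the check above sees the decoded scheme; if it does not, the later attribute encoding turns `&` into `&amp;` and the browser never sees a scheme at all, so both orders are safe.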


Timeline
  • 2022-07-15: First contact request via
  • 2022-08-02: Second contact request via
  • 2022-08-11: Third contact request via and
  • 2022-09-02: Vendor reports vulnerability as fixed (usd-2022-0032). Second advisory still in triage (usd-2022-0033)
  • 2022-10-31: Both advisories fixed in new release 9.0.7
  • 2023-02-14: The advisory is published

Credits
This security vulnerability was found by Christian Pöschl of usd AG.