Cross-site Scripting (Stored XSS) in omeka/omeka-s


Reported on

Aug 2nd 2023


For any role that has permission to execute function assets, i can add a new asset. Even though the site only allows uploading images and gifs, I can still upload an html file by modifying the magic number and that leads to XSS.

Proof of Concept

  1. Link PoC:
  2. Link video PoC:


Through this vulnerability, an attacker is capable to execute malicious scripts.

We are processing your report and will contact the omeka/omeka-s team within 24 hours. 2 months ago
quanghuy25112000 modified the report
2 months ago
We have contacted a member of the omeka/omeka-s team and are waiting to hear back 2 months ago
John Flatness validated this vulnerability 2 months ago
quanghuy25112000 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
John Flatness marked this as fixed in 4.0.3 with commit 2a7fb2 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
John Flatness published this vulnerability 2 months ago
to join this conversation