cve/2024/CVE-2024-50344.md

### [CVE-2024-50344](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50344)
![](https://img.shields.io/static/v1?label=Product&message=i-librarian-free&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%205.11.2%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-80%3A%20Improper%20Neutralization%20of%20Script-Related%20HTML%20Tags%20in%20a%20Web%20Page%20(Basic%20XSS)&color=brightgreen)

### Description

I, Librarian is an open-source version of a PDF managing SaaS. Supplemental Files are allowed to be viewed in the browser, only if they have a white-listed MIME type. Unfortunately, this logic is broken, thus allowing unsafe files containing Javascript to be executed with the application context. An attacker can exploit this vulnerability by uploading a supplementary file that contains a malicious code or script. This code will then be executed when the file is loaded in the browser. The vulnerability was fixed in version 5.11.2.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/alessio-romano/Sfoffo-Pentesting-Notes
- https://github.com/alessio-romano/alessio-romano
- https://github.com/fkie-cad/nvd-json-data-feeds