The title of a document is not properly escaped in the search result of the MyDocmanSearch widget.
A malicious user with the capability to create a document could force a victim to execute uncontrolled code.
CVSSv3.1 score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
The issue can be demonstrated by creating a document with the title
Foobar <script>alert(1)</script> and:
- search its id with the personal widget Document Id Search.
- lock it and go to document administration » locked documents
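
The missing output encoding described above, shown next to a hardened renderer and a regression check (an added example, not the project's code). The function names, the markup of the result row and the `/documents/?id=` URL are assumptions made for illustration.

```javascript
// Added example: hypothetical renderer for one search-result row.
// Names, markup and URL shape are assumptions, not taken from the project.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored title is concatenated into markup as-is,
// both in an attribute and in element content.
function renderResultUnsafe(doc) {
  return '<a href="/documents/?id=' + doc.id + '" title="' + doc.title + '">' +
    doc.title + '</a>';
}

// Hardened pattern: every dynamic value is encoded for the context it lands in.
function renderResultSafe(doc) {
  const href = '/documents/?id=' + encodeURIComponent(doc.id);
  const title = escapeHtml(doc.title);
  return '<a href="' + escapeHtml(href) + '" title="' + title + '">' + title + '</a>';
}

// Regression check: list tag names in the output that the template itself
// does not emit. Any entry means user data was parsed as markup.
function unexpectedTags(html, allowed = ['a']) {
  const found = [];
  const tagPattern = /<\s*\/?\s*([a-zA-Z][a-zA-Z0-9]*)/g;
  let match;
  while ((match = tagPattern.exec(html)) !== null) {
    const name = match[1].toLowerCase();
    if (!allowed.includes(name) && !found.includes(name)) found.push(name);
  }
  return found;
}

// Constructed sample document using the title from the advisory.
const sampleDoc = { id: 42, title: 'Foobar <script>alert(1)</script>' };
console.log('unsafe:', unexpectedTags(renderResultUnsafe(sampleDoc)));
console.log('safe:  ', unexpectedTags(renderResultSafe(sampleDoc)));
console.log(renderResultSafe(sampleDoc));
```

The same check applies to every view that prints the title, including the locked documents list in document administration.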
OWASP Cross-site Scripting