cve-2025-52902
Vulnerability from cvelistv5
Published
2025-06-26 14:37
Modified
2025-06-26 15:01
Severity ?
EPSS score ?
Summary
File Browser has Stored Cross-Site Scripting vulnerability
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| filebrowser | filebrowser |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52902",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-26T15:01:08.206100Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T15:01:19.861Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filebrowser",
"vendor": "filebrowser",
"versions": [
{
"status": "affected",
"version": "\u003c 2.33.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The Markdown preview function of File Browser prior to v2.33.7 is vulnerable to Stored Cross-Site-Scripting (XSS). Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser. Version 2.33.7 contains a fix for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T14:37:45.905Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-4wx8-5gm2-2j97",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-4wx8-5gm2-2j97"
},
{
"name": "https://github.com/filebrowser/filebrowser/commit/f19943a42e8e092e811dffbe9f4623dac36f1f0d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/filebrowser/filebrowser/commit/f19943a42e8e092e811dffbe9f4623dac36f1f0d"
}
],
"source": {
"advisory": "GHSA-4wx8-5gm2-2j97",
"discovery": "UNKNOWN"
},
"title": "File Browser has Stored Cross-Site Scripting vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-52902",
"datePublished": "2025-06-26T14:37:45.905Z",
"dateReserved": "2025-06-20T17:42:25.712Z",
"dateUpdated": "2025-06-26T15:01:19.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-52902\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-06-26T15:15:23.687\",\"lastModified\":\"2025-06-26T18:57:43.670\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The Markdown preview function of File Browser prior to v2.33.7 is vulnerable to Stored Cross-Site-Scripting (XSS). Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser. Version 2.33.7 contains a fix for the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N\",\"baseScore\":7.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-80\"}]}],\"references\":[{\"url\":\"https://github.com/filebrowser/filebrowser/commit/f19943a42e8e092e811dffbe9f4623dac36f1f0d\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-4wx8-5gm2-2j97\",\"source\":\"security-advisories@github.com\"}]}}"
}
}
ghsa-4wx8-5gm2-2j97
Vulnerability from github
Published
2025-06-27 15:01
Modified
2025-06-27 15:02
Severity ?
Summary
filebrowser allows Stored Cross-Site Scripting through the Markdown preview function
Details
Summary
The Markdown preview function of File Browser v2.32.0 is vulnerable to Stored Cross-Site-Scripting (XSS). Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser
Impact
A user can upload a malicious Markdown file to the application which can contain arbitrary HTML code. If another user within the same scope clicks on that file, a rendered preview is opened. JavaScript code that has been included will be executed.
Malicious actions that are possible include:
- Obtaining a user's session token
- Elevating the attacker's privileges, if the victim is an administrator (e.g., gaining command execution rights)
Vulnerability Description
Most Markdown parsers accept arbitrary HTML in a document and try rendering it accordingly. For instance, if one creates a file called xss.md with the following content:
```markdown
Hallo
foo
bar
```
Bold and italic text will be rendered. Also, the renderer used in File Browser will try to display the image and execute the code in the onerror event handler.
Proof of Concept
The screenshot shows that the code from the file mentioned above has actually been executed in the victim's browser:
Recommended Countermeasures
The most thorough fix would be to reconfigure the application's Markdown parser to ignore all HTML elements and only render rich text which is part of the Markdown specification. If HTML rendering is considered to be a required feature, an HTML sanitizer like DOMPurify should be used, preferably in conjunction with a Content Security Policy (CSP).
Timeline
2025-03-25Identified the vulnerability in version 2.32.02025-04-11Contacted the project2025-04-18Vulnerability disclosed to the project2025-06-25Uploaded advisories to the project's GitHub repository2025-06-26CVE ID assigned by GitHub2025-06-26Fix released with version 2.33.7
References
Credits
- Mathias Tausig (SBA Research)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/filebrowser/filebrowser/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.33.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/filebrowser/filebrowser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-52902"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-27T15:01:15Z",
"nvd_published_at": "2025-06-26T15:15:23Z",
"severity": "HIGH"
},
"details": "## Summary ##\n\nThe Markdown preview function of File Browser v2.32.0 is vulnerable to *Stored Cross-Site-Scripting (XSS)*. Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser\n\n## Impact ##\n\nA user can upload a malicious Markdown file to the application which can contain arbitrary HTML code. If another user within the same scope clicks on that file, a rendered preview is opened. JavaScript code that has been included will be executed.\n\n Malicious actions that are possible include:\n \n * Obtaining a user\u0027s session token\n * Elevating the attacker\u0027s privileges, if the victim is an administrator (e.g., gaining command execution rights)\n\n## Vulnerability Description ##\n\nMost Markdown parsers accept arbitrary HTML in a document and try rendering it accordingly. For instance, if one creates a file called `xss.md` with the following content:\n\n```markdown\n# Hallo\n\n\u003cb\u003efoo\u003c/b\u003e\n\n\u003cimg src=\"xx\" onerror=alert(9)\u003e\n\u003ci\u003ebar\u003c/i\u003e\n```\n\nBold and italic text will be rendered. Also, the renderer used in File Browser will try to display the image and execute the code in the `onerror` event handler.\n\n## Proof of Concept ##\n\nThe screenshot shows that the code from the file mentioned above has actually been executed in the victim\u0027s browser:\n\n\n\n## Recommended Countermeasures ##\n\nThe most thorough fix would be to reconfigure the application\u0027s Markdown parser to ignore all HTML elements and only render rich text which is part of the Markdown specification. If HTML rendering is considered to be a required feature, an HTML sanitizer like DOMPurify should be used, preferably in conjunction with a *Content Security Policy* (CSP).\n\n## Timeline ##\n\n* `2025-03-25` Identified the vulnerability in version 2.32.0\n* `2025-04-11` Contacted the project\n* `2025-04-18` Vulnerability disclosed to the project\n* `2025-06-25` Uploaded advisories to the project\u0027s GitHub repository\n* `2025-06-26` CVE ID assigned by GitHub\n* `2025-06-26` Fix released with version 2.33.7\n\n## References ##\n\n* [DOMPurify](https://github.com/cure53/DOMPurify)\n\n## Credits ##\n\n* Mathias Tausig ([SBA Research](https://www.sba-research.org/))",
"id": "GHSA-4wx8-5gm2-2j97",
"modified": "2025-06-27T15:02:17Z",
"published": "2025-06-27T15:01:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-4wx8-5gm2-2j97"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52902"
},
{
"type": "WEB",
"url": "https://github.com/filebrowser/filebrowser/commit/f19943a42e8e092e811dffbe9f4623dac36f1f0d"
},
{
"type": "PACKAGE",
"url": "https://github.com/filebrowser/filebrowser"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "filebrowser allows Stored Cross-Site Scripting through the Markdown preview function"
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.