Filebrowser
CVE-2023-39612
CRITICAL
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate privileges to Administrator via user interaction with a crafted HTML file or URL.
AnalysisAI
A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate privileges to Administrator via user interaction with a crafted HTML file or URL. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate privileges to Administrator via user interaction with a crafted HTML file or URL. Affected products include: Filebrowser.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
More in Filebrowser
View allUnauthorized file operations in File Browser before fix. PoC and patch available.
Path normalization bypass in Filebrowser prior to 2.57.1 allows authenticated users to circumvent file access restrictio
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser versions prior to 2.61.0 incorrectly set the filesystem root to a parent directory when generating public s
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
Filebrowser versions prior to 2.57.1 allow authenticated users to reset passwords without verifying the current password
Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta all
Filebrowser versions up to 2.55.0 contains a vulnerability that allows attackers to enumerate valid usernames by measuri
Pre-authentication remote code execution in File Browser before 2.63.6 lets unauthenticated attackers run arbitrary OS c
Authentication bypass and privilege escalation in File Browser (versions 2.0.0-rc.1 and later) lets a remote unauthentic
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today