EUVD-2025-201190CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Tags
Description
A stored cross-site scripting (XSS) vulnerability was discovered in Seafile Community Edition prior to version 13.0.12. When Seafile is configured with the Golang file server, an attacker can upload a crafted SVG file containing malicious JavaScript and share it using a public link. Opening the link triggers script execution in the victim's browser. This issue has been fixed in Seafile Community Edition 13.0.12.
Analysis
A stored cross-site scripting (XSS) vulnerability was discovered in Seafile Community Edition prior to version 13.0.12. When Seafile is configured with the Golang file server, an attacker can upload a crafted SVG file containing malicious JavaScript and share it using a public link. Opening the link triggers script execution in the victim's browser. This issue has been fixed in Seafile Community Edition 13.0.12.
Technical Context
Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.
Affected Products
Affected products: Seafile Seafile Server
Remediation
Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.
Priority Score
Vendor Status
Debian
Bug #865830| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| open | - | - |
Share
External POC / Exploit Code
Leaving vuln.today