CVE-2025-52902

Опубликовано: 26 июн. 2025

Источник: nvd

CVSS3: 7.6

CVSS3: 5.4

EPSS Низкий

Описание

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The Markdown preview function of File Browser prior to v2.33.7 is vulnerable to Stored Cross-Site-Scripting (XSS). Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser. Version 2.33.7 contains a fix for the issue.

Ссылки

https://github.com/filebrowser/filebrowser/commit/f19943a42e8e092e811dffbe9f4623dac36f1f0d
Patch
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-4wx8-5gm2-2j97
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*

Версия до 2.33.7 (исключая)

EPSS

Процентиль: 3%

0.00017

Низкий

7.6 High

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-4wx8-5gm2-2j97

CVSS3: 7.6

github

7 месяцев назад

filebrowser allows Stored Cross-Site Scripting through the Markdown preview function

EPSS

Процентиль: 3%

0.00017

Низкий

7.6 High

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79