Vulnerability Details : CVE-2023-39612
A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate privileges to Administrator via user interaction with a crafted HTML file or URL.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2023-39612
- cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-39612
0.15%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 51 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-39612
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.0
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
2.3
|
6.0
|
NIST |
CWE ids for CVE-2023-39612
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-39612
-
https://github.com/filebrowser/filebrowser/issues/2570
Potential XSS in FileBrowser leads to Admin account takeover in Filebrowser · Issue #2570 · filebrowser/filebrowser · GitHubExploit;Issue Tracking
-
https://febin0x4e4a.wordpress.com/2023/09/15/xss-in-filebrowser-leads-to-admin-account-takeover-in-filebrowser/
Stored XSS in FileBrowser leads to Admin account Takeover + RCE | febiNJExploit;Third Party Advisory
-
https://github.com/filebrowser/filebrowser/commit/b508ac3d4f7f0f75d6b49c99bdc661a6d2173f30
fix: xss vulnerability in /api/raw (#2570) (#2572) · filebrowser/filebrowser@b508ac3 · GitHubPatch
Jump to