Vulnerability Details CVE-2021-37794
A stored cross-site scripting (XSS) vulnerability exists in FileBrowser < v2.16.0 that allows an authenticated user authorized to upload a malicious .svg file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger malicious OS commands on the server running the FileBrowser instance.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 51.0%
CVSS Severity
CVSS v3 Score 5.4
CVSS v2 Score 3.5
References
- https://gist.github.com/omriinbar/1e28649f31d795b0e9b7698a9d255b5c
- https://github.com/filebrowser/filebrowser
- https://github.com/filebrowser/filebrowser/commit/201329abce4e92ae9071b9ded81e267aae159fbd
- https://gist.github.com/omriinbar/1e28649f31d795b0e9b7698a9d255b5c
- https://github.com/filebrowser/filebrowser
- https://github.com/filebrowser/filebrowser/commit/201329abce4e92ae9071b9ded81e267aae159fbd
Products affected by CVE-2021-37794
-
cpe:2.3:a:filebrowser_project:filebrowser:*