
CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 2

A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate privileges to Administrator via user interaction with a crafted HTML file or URL.
References:
• https://febin0x4e4a.wordpress.com/2023/09/15/xss-in-filebrowser-leads-to-admin-account-takeover-in-filebrowser
• https://github.com/filebrowser/filebrowser/commit/b508ac3d4f7f0f75d6b49c99bdc661a6d2173f30
• https://github.com/filebrowser/filebrowser/issues/2570
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 7

A cross-site request forgery (CSRF) vulnerability exists in FileBrowser < 2.18.0 that allows attackers to create a backdoor user with admin privileges and gain access to the filesystem via a malicious HTML web page that is sent to the victim. An admin can run commands using FileBrowser, so this leads to RCE. FileBrowser versions 2.17.2 and below suffer from a cross-site request forgery vulnerability that can lead to remote code execution.
References:
• https://www.exploit-db.com/exploits/50717
• https://github.com/LalieA/CVE-2021-46398
• http://packetstormsecurity.com/files/165885/FileBrowser-2.17.2-Code-Execution-Cross-Site-Request-Forgery.html
• https://febin0x4e4a.blogspot.com/2022/01/critical-csrf-in-filebrowser.html
• https://febin0x4e4a.wordpress.com/2022/01/19/critical-csrf-in-filebrowser
• https://febinj.medium.com/critical-csrf-to-rce-in-filebrowser-865a3c34b8e7
• https://github.com/filebrowser/filebrowser/commit/74b7cd8e81840537a8206317344f118093153e8d
• https://s
CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

A stored cross-site scripting (XSS) vulnerability exists in FileBrowser < v2.16.0 that allows an authenticated user who is authorized to upload files to upload a malicious .svg file, which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator, it will trigger malicious OS commands on the server running the FileBrowser instance.
References:
• https://gist.github.com/omriinbar/1e28649f31d795b0e9b7698a9d255b5c
• https://github.com/filebrowser/filebrowser
• https://github.com/filebrowser/filebrowser/commit/201329abce4e92ae9071b9ded81e267aae159fbd
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')