CVE-2023-39612

Severity Score

9.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate privileges to Administrator via user interaction with a crafted HTML file or URL.

Una vulnerabilidad de Cross-Site Scripting (XSS) en FileBrowser anterior a v2.23.0 permite a un atacante autenticado escalar privilegios a Administrador a través de la interacción del usuario con un archivo HTML o URL manipulada.

*Credits: N/A

CVSS Scores

NISTv3.1 9.0

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-08-07 CVE Reserved
2023-09-16 CVE Published
2024-09-22 EPSS Updated
2024-09-25 CVE Updated
2024-09-25 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC
https://febin0x4e4a.wordpress.com/2023/09/15/xss-in-filebrowser-leads-to-admin-account-takeover-in-filebrowser	2024-09-25
https://github.com/filebrowser/filebrowser/issues/2570	2024-09-25

URL	Date	SRC
https://github.com/filebrowser/filebrowser/commit/b508ac3d4f7f0f75d6b49c99bdc661a6d2173f30	2023-09-20

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Filebrowser Search vendor "Filebrowser"		Filebrowser Search vendor "Filebrowser" for product "Filebrowser"				< 2.23.0 Search vendor "Filebrowser" for product "Filebrowser" and version " < 2.23.0"		-		Affected