Vulnerability Description
A stored cross-site scripting (XSS) vulnerability exists in FileBrowser < v2.16.0 that allows an authenticated user with upload permission to upload a malicious .svg file that acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator, it can run malicious OS commands on the server hosting the FileBrowser instance.
CVSS Score
MEDIUM (CVSS base score 5.4)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Filebrowser Project | Filebrowser | < 2.16.0 |
Related Weaknesses (CWE)
References
- https://gist.github.com/omriinbar/1e28649f31d795b0e9b7698a9d255b5c (Third Party Advisory)
- https://github.com/filebrowser/filebrowser (Product, Third Party Advisory)
- https://github.com/filebrowser/filebrowser/commit/201329abce4e92ae9071b9ded81e26 (Patch, Third Party Advisory)
FAQ
What is CVE-2021-37794?
CVE-2021-37794 is a vulnerability with a CVSS score of 5.4 (MEDIUM). A stored cross-site scripting (XSS) vulnerability exists in FileBrowser < v2.16.0 that allows an authenticated user with upload permission to upload a malicious .svg file that acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator, it can run malicious OS commands on the server hosting the FileBrowser instance.
How severe is CVE-2021-37794?
CVE-2021-37794 has been rated MEDIUM with a CVSS base score of 5.4/10. See the CVSS Score section above.
Is there a patch for CVE-2021-37794?
Yes. The references section above links the vendor's patch commit; the fix is included in FileBrowser v2.16.0. Affected products: Filebrowser (Filebrowser Project), versions below 2.16.0.