Listen to this Post
The CVE-2024-12345 vulnerability arises from the improper handling of SVG files in FileBrowser when the nohtml configuration option is enabled. This option is designed to block JavaScript execution in user-uploaded HTML files to prevent cross-site scripting attacks on volumes containing untrusted content. However, the nohtml flag fails to extend its protection to SVG images, which, according to the SVG specification, can embed JavaScript code. An authenticated user with write permissions can upload a malicious SVG file containing embedded JavaScript. When another user, including administrators, views this SVG file, the JavaScript executes in their browser session. This execution occurs within the security context of the viewing user, leveraging their permissions on the FileBrowser instance. The vulnerability is not in the SVG specification itself but in the incomplete implementation of the nohtml safeguard, which did not consider SVG as a vector for script execution. Consequently, an attacker can perform actions on behalf of the victim, such as moving, deleting, or uploading files, by crafting the JavaScript payload accordingly. This flaw effectively bypasses the intended security mechanism, allowing persistent XSS attacks via file uploads. The issue is resolved in FileBrowser version 1.20.11, where the nohtml flag now also blocks JavaScript in SVG files by sanitizing or disabling script execution within them.
Platform: FileBrowser
Version: v1.20.10 and earlier
Vulnerability: nohtml SVG bypass
Severity: Medium
date: 2024-12-10
Prediction: Patched in v1.20.11
What Undercode Say:
Check current FileBrowser version filebrowser version Upload a malicious SVG via curl (example) curl -u username:password -F "[email protected]" https://your-filebrowser-instance.com/api/resources/upload Example malicious SVG content (malicious.svg) cat > malicious.svg << EOF <svg xmlns="http://www.w3.org/2000/svg" onload="alert('XSS')"> <script>alert('XSS')</script> </svg> EOF Verify nohtml flag on a volume filebrowser config get --nohtml After patch, test nohtml with SVG (should block script) filebrowser config set --nohtml=true
Exploit:
- Upload SVG with embedded JavaScript (e.g.,
<svg onload="fetch('/api/files/delete?path=important.txt')">). - Victim views the SVG, triggering script with their privileges.
- Script can move/delete files or upload new ones using victim’s session.
Protection from this CVE:
- Upgrade to FileBrowser v1.20.11 or later.
- If upgrade not possible, disable SVG file uploads or sanitize SVG files manually.
- Implement Content Security Policy (CSP) headers to restrict script execution.
- Regularly review and audit uploaded files for malicious content.
Impact:
- Unauthorized file operations (move, delete, upload) using victim’s account.
- Potential data loss or compromise due to script execution in admin context.
- Persistent XSS risk allowing further attacks like session hijacking.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

