Listen to this Post
A stored Cross-Site Scripting (XSS) vulnerability exists in FileBrowser, identified as CVE-2025-52902, affecting versions prior to v2.33.7 . The vulnerability is rooted in the Markdown preview functionality. When a user uploads a Markdown (.md) file, the application renders it in the browser for preview. The Markdown parser used by FileBrowser does not properly sanitize or escape embedded HTML and JavaScript code within the Markdown content. Consequently, an attacker can upload a file containing malicious JavaScript. When another user, potentially an administrator, views this file, the embedded script executes within their browser session . The core issue is the failure to neutralize input during Markdown rendering, which is classified under CWE-79. This allows the attacker to perform actions in the context of the victim, such as stealing session tokens, which could lead to privilege escalation to administrator level and full system compromise via the web interface . The vulnerability is stored and persistent, requiring no user interaction beyond viewing the malicious file.
Platform: FileBrowser
Version: v1.2.1
Vulnerability: Stored XSS
Severity: Medium
date: 2025-06-26
Prediction: v2.33.7
What Undercode Say:
Analytics
The vulnerability is triggered via the Markdown preview feature. An attacker can create a malicious Markdown file with embedded HTML/JavaScript. The following proof-of-concept content can be saved as a `.md` file (e.g., xss.md) and uploaded to the FileBrowser instance.
Hallo
<b>foo</b>
<img src="xx" onerror=alert('Session:'+document.cookie)>
<i>bar</i>
When an administrator or any other user clicks on this file to view it, the JavaScript within the `onerror` event handler will execute, potentially exposing their session cookie .
How Exploit:
- Prerequisites: An attacker must have a valid user account on the FileBrowser instance with permissions to upload files .
- Craft Payload: Create a text file with a `.md` extension containing the malicious JavaScript, as shown in the Analytics section.
- Upload: Upload this file to any directory accessible by the attacker within the FileBrowser interface.
- Deliver Link: Obtain the direct link to the uploaded Markdown file and share it with the victim (e.g., an administrator).
- Execution: When the victim opens the link, the browser renders the Markdown, executes the malicious script, and sends the victim’s session cookie to the attacker .
Protection from this CVE
- Update FileBrowser: Immediately update to version 2.33.7 or later, which contains the fix for this vulnerability . This can be done by pulling the latest Docker image or updating the binary.
For Docker users docker pull filebrowser/filebrowser:latest Check your current version to ensure it's v2.33.7 or higher filebrowser version
- Disable Markdown Previews (Workaround): If an immediate update is not possible, temporarily disable the Markdown preview feature. This can be done by modifying the configuration to prevent the rendering of Markdown files or by restricting uploads of `.md` files .
Impact
- Arbitrary Script Execution: Attackers can execute malicious JavaScript in the browsers of other users, including administrators .
- Session Hijacking: The injected script can steal session cookies, allowing the attacker to impersonate the victim.
- Privilege Escalation: If an administrator’s session is hijacked, the attacker can gain full control over the file system, create new admin users, and potentially execute system commands .
- Data Exfiltration: Sensitive files managed by the application can be accessed and stolen.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

