Listen to this Post
This stored Cross-Site Scripting vulnerability in Seafile v12.0.10 stems from inadequate input sanitization in the ‘name’ parameter of PUT requests to the ‘/api/v2.1/user/’ API endpoint. An authenticated attacker can inject malicious JavaScript code into the ‘name’ field during a user profile update. The payload is stored on the server without proper validation or encoding. When other users or administrators access pages where the compromised username is displayed, such as user lists or profiles, the embedded script automatically executes in their browsers. This allows the attacker to perform actions within the context of the victim’s session, leading to potential session hijacking, data theft, or website defacement. The vulnerability requires network access and low privileges, but user interaction is necessary for exploitation, contributing to its MEDIUM CVSS rating. The attack persists because the malicious input remains in the database until removed. Developers must enforce strict input validation and output encoding to prevent such injections. Users should monitor for patches from Seafile to address this security flaw.
Platform: Seafile
Version: v12.0.10
Vulnerability: Stored XSS
Severity: MEDIUM
date: 12/04/2025
Prediction: Patch expected soon
What Undercode Say:
Analytics:
curl -X PUT -H “Content-Type: application/json” -d ‘{“name”:”“}’ https://target/api/v2.1/user/
echo “Check XSS payload”
grep -r “name” seafile-code
How Exploit:
Authenticate via API.
Inject script in name.
Store payload server-side.
Victims load compromised page.
Protection from this CVE:
Input validation encoding.
Content Security Policy.
Update Seafile version.
Impact:
Session hijacking risk.
Arbitrary code execution.
Data confidentiality loss.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
