Listen to this Post
The CVE-2025-41080 vulnerability is a stored Cross-Site Scripting (XSS) flaw in Seafile version 12.0.10. It specifically affects the API endpoint ‘/api/v2.1/repos/{repo_id}/file/’ where the POST parameter ‘p’ is used for file operations. An attacker with low-privileged access can inject malicious JavaScript payloads into the ‘p’ parameter during requests to this endpoint. These payloads are stored on the server without proper input sanitization or output encoding. When a victim, such as another user, accesses the compromised repository or file through the web interface, the malicious script is delivered and executed in their browser session. This execution occurs within the context of the Seafile application, allowing the attacker to hijack user sessions, steal authentication tokens, redirect to malicious sites, or perform unauthorized actions on behalf of the victim. The vulnerability requires the attacker to be authenticated, albeit with low privileges, and requires user interaction as the victim must trigger the payload by viewing the affected content. The stored nature means the attack persists until the payload is removed, posing a continuous risk. The CVSS 4.0 rating of medium reflects the combination of network attack vector, low attack complexity, low privileges required, and user interaction, leading to impacts on confidentiality and integrity at a low scope.
Platform: Seafile
Version: v12.0.10
Vulnerability: Stored XSS
Severity: Medium
date: 2025-12-04
Prediction: Patch date TBA
What Undercode Say:
Showing bash commands and codes related to the blog
curl -X POST ‘https://target/api/v2.1/repos/123/file/’ -H ‘Authorization: Token abc’ -d ‘p=‘
How Exploit:
Inject script via parameter p.
Protection from this CVE
Apply vendor patch.
Impact:
Session hijacking possible.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
