CVE-2021-37794
MEDIUMfilebrowser < 2.16.0 - Authenticated Stored Cross-Site Scripting via SVG File Upload
Title source: llmDescription
A stored cross-site scripting (XSS) vulnerability exists in FileBrowser < v2.16.0 that allows an authenticated user authorized to upload a malicious .svg file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger malicious OS commands on the server running the FileBrowser instance.
References (3)
Core 3
Core References
Product, Third Party Advisory x_refsource_misc
https://github.com/filebrowser/filebrowser
Third Party Advisory x_refsource_misc
https://gist.github.com/omriinbar/1e28649f31d795b0e9b7698a9d255b5c
Patch, Third Party Advisory x_refsource_misc
https://github.com/filebrowser/filebrowser/commit/201329abce4e92ae9071b9ded81e267aae159fbd
Scores
CVSS v3
5.4
EPSS
0.0075
EPSS Percentile
50.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
filebrowser_project/filebrowser
< 2.16.0
Published
Aug 31, 2021
Tracked Since
Feb 18, 2026