PDW File Browser Stored and Reflected Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in PDW File Browser version 1.3. This vulnerability exists in both stored and reflected forms, allowing authenticated attackers to inject malicious scripts through file rename and path parameters. When victims access the file browser, the injected scripts are executed, potentially leading to unauthorized actions or information disclosure.

Impact

Exploitation of this vulnerability allows for stored and reflected cross-site scripting, where injected scripts are executed in the context of the user's browser.

Reproduction

The stored XSS vulnerability can be reproduced by renaming a file with an XSS payload, such as a SVG image tag with an 'onload' event. This payload will execute when any authenticated user navigates to the PDW File Browser page. The reflected XSS vulnerability can be reproduced by sending a crafted URL that includes an XSS payload in the 'path' parameter. When the URL is accessed, the payload will be executed.