FileBrowser Quantum Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in FileBrowser Quantum versions prior to 1.3.1-beta and 1.2.2-stable. The issue arises in the public share page, where unsanitized share metadata fields, such as the title and description, are rendered into HTML without proper context-aware escaping. This flaw allows injected scripts to execute when the share URL is visited. The root cause is the server's use of text/template to render the page: text/template performs no HTML escaping, so markup stored in these fields is emitted as live HTML and any script it contains runs in the visitor's browser.
Impact
Exploitation of this vulnerability allows arbitrary scripts to execute in the context of the application origin. This could lead to the compromise of user accounts or sessions, actions performed in a way similar to Cross-Site Request Forgery, and unauthorized data access from authenticated contexts. Because the XSS is stored, no additional social engineering is required beyond sharing the link.
Reproduction
To reproduce this vulnerability, log in as a user with permission to create shares. Create a share by sending a POST request to the share API with malicious metadata, such as a script injection in the title field. Once the share is created, open the corresponding public share URL in a browser. The injected script will execute, demonstrating the stored cross-site scripting vulnerability.
Remediation
Users can upgrade to FileBrowser Quantum versions 1.3.1-beta or 1.2.2-stable to address this vulnerability.
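The root cause described under Vulnerability, as an added Go example (not FileBrowser Quantum's own code): the same constructed template is rendered with text/template and with html/template, which escapes each value for the HTML context it lands in. The `ShareMeta` type, the template string and the sample values are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"io"
	"strings"
	texttemplate "text/template"
)

// ShareMeta is a hypothetical stand-in for the stored share metadata fields.
type ShareMeta struct {
	Title       string
	Description string
}

// pageTmpl is a constructed template, not the project's real share page.
const pageTmpl = `<meta name="description" content="{{.Description}}"><h1>{{.Title}}</h1>`

// render executes either template type; both expose the same Execute method.
func render(t interface{ Execute(io.Writer, any) error }, m ShareMeta) string {
	var buf bytes.Buffer
	if err := t.Execute(&buf, m); err != nil {
		return ""
	}
	return buf.String()
}

// renderText inserts field values verbatim (the vulnerable pattern).
func renderText(m ShareMeta) string {
	return render(texttemplate.Must(texttemplate.New("share").Parse(pageTmpl)), m)
}

// renderHTML escapes each value for its context (attribute value, element text).
func renderHTML(m ShareMeta) string {
	return render(htmltemplate.Must(htmltemplate.New("share").Parse(pageTmpl)), m)
}

// hasLiveMarkup reports whether injected markup survived rendering unescaped.
func hasLiveMarkup(out string) bool {
	return strings.Contains(out, "<script>") || strings.Contains(out, `"><img`)
}

func main() {
	// Constructed sample values standing in for untrusted share metadata.
	m := ShareMeta{Title: `<script>alert(1)</script>`, Description: `x"><img src=x>`}
	fmt.Println("text/template live markup:", hasLiveMarkup(renderText(m)))
	fmt.Println("html/template live markup:", hasLiveMarkup(renderHTML(m)))
}
```

A check like `hasLiveMarkup` can double as a regression test that keeps a template from being switched back to text/template.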
