KCFinder is prone to a Cross-site Scripting (XSS) vulnerability. The problem exists because the application does not sanitize the names of files that are web-browsed by users of the server upon which the application is running. HTML and script can be added to the names of files and/or folders. When a user traverses to a location on the server where a file/folder contains embedded HTML/script within its name, then the HTML/script contained within the file name (or folder name) will execute within the user’s browser environment. This XSS is persistent in that the XSS will be triggered for any user who can access the KCFinder application on a server until the affected file/folder is removed or renamed. I have verified that this XSS issue exists in version 3.11 of KCFinder. Other older versions of KCFinder could be prone to this vulnerability.
The following two images show how the XSS can be triggered. The first image gives an example of a filename that contains script. The second image shows the script in the filename executing in a user's browser.
Please be advised:
Mitre has assigned CVE-2014-3988 to this issue.