Cross-Site Scripting in PHP File Manager by Dulldusk

Posted date 06/06/2024
Identificador
INCIBE-2024-0298
Importance
3 - Medium
Affected Resources

PHP File Manager, version 1.7.8.

Description

INCIBE has coordinated the publication of 1 medium severity vulnerability affecting PHP File Manager, version 1.7.8, a quick access file system management tool and also for verifying the configuration and security of the PHP server, which has been discovered by Rafael Pedrero.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and vulnerability type CWE:

  • CVE-2024-5673: 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79.
Solution

There is no reported solution at this time.

Detail

CVE-2024-5673: vulnerability in Dulldusk's PHP File Manager affecting version 1.7.8. This vulnerability consists of an XSS through the fm_current_dir parameter of index.php. An attacker could send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session.

References list