GHSA-mmpx-jh39-wrv6 MEDIUM go/github.com/gtsteffaniak/filebrowser

CVE:

Summary

FileBrowser Quantum serves inline SVG files without a Content-Security-Policy header, allowing embedded JavaScript in SVG files to execute when accessed via public share links.

Verified on v1.3.0-stable.

Affected product

• Product: FileBrowser Quantum (gtsteffaniak/filebrowser)
• Verified version: v1.3.0-stable
• Docker image: gtstef/filebrowser:latest
• Affected endpoint: GET /public/api/resources/download?hash=HASH&inline=true
• CWE: CWE-79 — Cross-site Scripting (Stored)

Impact

• Stored XSS — Malicious SVG persists and executes for every visitor to the share link
• No authentication required to trigger — Public share links are accessible to anyone
• Session hijacking — If authenticated users click the link, their session can be stolen
• Phishing — Attacker can redirect or overlay fake login forms

Reproduction

1. Login as any user with upload permission

2. Upload SVG file:

```xml

<svg xmlns="http://www.w3.org/2000/svg">

<script>alert(document.domain)</script>

</svg>

```

3. Create public share for the file

4. Access the share link with ?inline=true

5. JavaScript executes in browser

Root cause

The inline download endpoint returns SVG files with:

Content-Type: image/svg+xml
Content-Disposition: inline; filename="xss.svg"
X-Content-Type-Options: nosniff

But no CSP header to block script execution. The upstream project (filebrowser/filebrowser) mitigates this with:

Content-Security-Policy: script-src 'none'

Suggested fix

Add CSP header on inline file downloads:

w.Header().Set("Content-Security-Policy", "script-src 'none'")

This matches the upstream filebrowser/filebrowser implementation.

📌 来源: GitHub-Advisory | 📅 2026-05-07