FileRise Vulnerable to Stored XSS via SVG Upload

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 2.2.3, a stored cross-site scripting (XSS) vulnerability exists in the Filerise application due to improper handling of uploaded SVG files. The application accepts user-supplied SVG uploads without sanitizing or restricting embedded script content. When a malicious SVG containing inline JavaScript or event-based payloads is uploaded, it is later rendered directly in the browser whenever viewed within the application. Because SVGs are XML-based and allow scripting, they execute in the origin context of the application, enabling full stored XSS. This vulnerability is fixed in 2.2.3.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

FileRise 跨站脚本漏洞

FileRise是Ryan个人开发者的一个轻量级、自托管的基于web的文件管理器。 FileRise 2.2.3之前版本存在跨站脚本漏洞，该漏洞源于SVG文件处理不当，可能导致存储型跨站脚本。

N/A

N/A