# CVE-2025-63307 – Authenticated Stored Cross-site Scripting (XSS) in laravel-file-manager v3.3.1
## 🧭 Overview
An authenticated Stored Cross-site Scripting (XSS) vulnerability in laravel-file-manager v3.3.1 and below allows attackers with access to the file manager interface to inject and persist arbitrary JavaScript code in uploaded or created files.
By uploading a specially crafted .html or .svg file containing malicious JavaScript, or by directly creating and editing such a file within the file manager, attackers can achieve stored XSS that executes when any other authenticated user or administrator views the file through the web interface.
## 🧱 Affected Component
- **Project:** `laravel-file-manager`
- **Component:** File upload, create, and render functionality (e.g., FileManagerController.php)
- **Affected version:** **v3.3.1 and below**
## 🎯 Attack Vectors
1. Authenticate with an account that has permission to upload, create, or rename files via the file manager interface.
2. Upload or create a file with a `.svg` or `.html` extension containing malicious JavaScript (renaming an already stored file to such an extension has the same effect).
3. The application stores this file without validating its content or sanitizing embedded scripts.
4. When another user (such as an administrator) views or previews the file in their browser, the file is served inline from the application's origin and the embedded JavaScript executes in that origin.
5. The script can then hijack the victim's session, issue requests with the victim's privileges, or exfiltrate data that is visible to the victim's browser.
## 💥 Impact
- Stored XSS: Persistent JavaScript execution within the application's origin.
- Session Hijacking & Account Takeover: Attackers can steal session cookies that are not marked `HttpOnly` and, in any case, issue requests as the victim from within the victim's session.
- Phishing / UI Redressing: Injected scripts can spoof UI elements or redirect users to malicious sites.
- Sensitive Data Exposure: Access to information within the application accessible to the victim’s session.
## CVSS v3.1
### Base Score: 8.1
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
### Severity: High
## 🛡️ Recommended Remediation
- Validate uploads server-side by inspecting the file bytes, not the client-supplied `Content-Type` header or the extension alone, and apply the same check on create and rename, since renaming a stored file to `.svg` or `.html` turns it into active content.
- Disallow (or, for SVG, sanitize) uploads of `.html`, `.svg`, `.xml`, and any other format a browser will render as a document.
- Serve user-uploaded files with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, or from a separate origin (a dedicated domain or subdomain) that carries no session cookies; a `Content-Security-Policy: sandbox` on those responses adds a second layer.
- Apply context-appropriate output encoding before rendering user-controlled content (file names, paths, previews) in the file manager's own UI.
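The following is an added example covering both the attack vector and the remediation above. It is not code from laravel-file-manager (whose server side is PHP) and is written in Python so it runs stand-alone: it constructs sample uploads of the kind the advisory describes, applies a server-side check that rejects by extension and by content sniffing, and builds the response headers for serving stored uploads back. The names `is_upload_allowed`, `download_headers`, `SAMPLES` and the pattern list are assumptions made for the demonstration.

```python
"""Added example for this advisory, not code from laravel-file-manager (whose server
side is PHP); written in Python so it runs stand-alone. It shows the two halves of
the problem: constructed sample uploads of the kind described in the attack vector,
and the server-side checks plus response headers from the remediation section.
All names here (is_upload_allowed, download_headers, SAMPLES) are hypothetical."""
import os
import re

# Extensions a browser will render as a document (and therefore run script from)
# when served inline from the application's own origin.
ACTIVE_CONTENT_EXTENSIONS = {".html", ".htm", ".xhtml", ".shtml", ".svg", ".svgz", ".xml"}

# Byte patterns that mark active content whatever the extension claims. Only the
# start of the file is inspected, which is also where browsers sniff.
_ACTIVE_CONTENT_PATTERNS = [
    re.compile(rb"<\s*script\b", re.I),
    re.compile(rb"<\s*(svg|html|iframe|object|embed|foreignObject)\b", re.I),
    re.compile(rb"<!DOCTYPE\s+html", re.I),
    re.compile(rb"\bon[a-z]+\s*=", re.I),   # onload=, onerror=, ...
    re.compile(rb"javascript\s*:", re.I),
]

# Constructed sample uploads (not real files from any report).
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    # The two cases the advisory describes: script in an .svg and in an .html upload.
    "poc.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>',
    "poc.html": b"<html><body><script>fetch('/admin/users')</script></body></html>",
    # HTML hiding behind a harmless extension; caught by content, not by name.
    "notes.txt": b"<!DOCTYPE html><script>alert(1)</script>",
}


def is_upload_allowed(filename, content):
    """Decide whether a file may be stored under this name.

    Call it on upload, on create and on rename, because a rename to .svg/.html
    turns an innocuous file into active content. Returns (allowed, reason)."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in ACTIVE_CONTENT_EXTENSIONS:
        return False, f"extension {ext} can carry active content"
    head = content[:4096].lstrip()
    for pattern in _ACTIVE_CONTENT_PATTERNS:
        if pattern.search(head):
            return False, f"content matches {pattern.pattern.decode()}"
    return True, "ok"


def download_headers(stored_name, detected_mime="application/octet-stream"):
    """Headers for serving an already stored upload back to a browser.

    attachment stops inline rendering, nosniff stops the browser second-guessing
    the type, and the CSP sandbox makes anything that still renders scriptless
    and origin-less. detected_mime should come from server-side sniffing, never
    from the upload's own Content-Type header."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", stored_name)
    return {
        "Content-Type": detected_mime,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


def scan_samples():
    """Run the check over every constructed sample; maps name -> allowed?"""
    return {name: is_upload_allowed(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, allowed in scan_samples().items():
        reason = is_upload_allowed(name, SAMPLES[name])[1]
        print(f"{name:12} {'ALLOW' if allowed else 'REJECT':6} {reason}")
    print(download_headers("poc.svg", "image/svg+xml"))
```

The content patterns are a heuristic and will never be complete, which is why the headers in `download_headers` (or serving from a cookie-less origin) are the control that actually closes the bug: a file that slips past the upload check still cannot run in the application's origin when it is delivered as an attachment with `nosniff` and a sandboxed CSP.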
> ## 🙏 Credits
> Discovered and reported by: Chayawat Jeamprasertboon, Thanakorn Boontem, Sahapon Kanajanothai and Theethat Thamwasin
---