CVE-2023-39612

9.0 CRITICAL

📋 TL;DR

This cross-site scripting (XSS) vulnerability in FileBrowser lets an attacker who already holds a low-privileged account escalate to Administrator. The attacker uploads a crafted HTML file or sends a crafted URL; when another authenticated user (an administrator, in the worst case) opens it in FileBrowser, the embedded script runs inside that user's session and can act with that user's rights. Installations running any version before 2.23.0 are affected.

💻 Affected Systems

Products:
  • FileBrowser
Versions: All versions before 2.23.0
Operating Systems: All platforms running FileBrowser
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to exploit, but any authenticated user can potentially escalate to administrator.

📦 What is this software?

FileBrowser is an open-source, self-hosted web file manager written in Go (github.com/filebrowser/filebrowser). It exposes a directory tree through a browser UI and a REST API, with per-user accounts, permissions and share links, and is usually deployed as a single binary or Docker container behind a reverse proxy.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete administrative takeover of the FileBrowser instance, allowing attackers to read, modify, or delete all files, change configurations, and potentially pivot to underlying systems.

🟠

Likely Case

Privilege escalation from regular user to administrator, enabling unauthorized access to sensitive files and system configuration.

🟢

If Mitigated

Limited impact if HTML files cannot be uploaded or rendered inline (see workarounds), if low-privileged accounts are kept read-only, or if administrators never open files or links supplied by other users. Input validation and output encoding are changes only the vendor can ship; an operator cannot bolt them onto a vulnerable build, so the upgrade remains the real remedy.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user interaction with crafted content, making social engineering a component of successful attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.23.0 and later

Vendor Advisory (fix commit): https://github.com/filebrowser/filebrowser/commit/b508ac3d4f7f0f75d6b49c99bdc661a6d2173f30

Restart Required: Yes

Instructions:

1. Back up the FileBrowser database (filebrowser.db by default) and any configuration.
2. Stop the FileBrowser service or container.
3. Update to 2.23.0 or later: replace the binary with the release from GitHub, or pull the matching image tag if you run the official container.
4. Start the service again.
5. Confirm the running version is 2.23.0 or later (see "How to Verify").

🔧 Temporary Workarounds

Block HTML files

Applies to: all platforms

Stops users from uploading, and other users from viewing, .html/.htm files that could carry the malicious script.

Use FileBrowser's path rules: a global deny rule whose regular expression matches paths ending in .html or .htm blocks both the upload and the inline viewing of such files. A control that only blocks uploads would leave already-uploaded files reachable, so prefer the rule. It may not cover the "crafted URL" variant; treat it as a stopgap until the upgrade.

Restrict user permissions

Applies to: all platforms

Limits what a low-privileged account can do if it is compromised or malicious.

Remove the Create, Modify, Rename and Delete permissions from accounts that only need to read, and grant the Admin permission to the smallest possible set of users. An account that cannot create files cannot plant the HTML file, and fewer administrators means fewer sessions worth hijacking.

🧯 If You Can't Patch

  • Add a Content-Security-Policy at the reverse proxy that forbids script execution on responses serving user content (the /api/raw and /api/preview paths), for example a policy with script-src 'none'. Apply it to those paths only: a site-wide strict policy may break the FileBrowser UI, and because uploaded files are served from the same origin, a policy that still allows 'self' does not stop an attacker who uploads the script as a separate .js file. Test before relying on it.
  • Put the instance behind an authenticating reverse proxy or VPN, limit who can reach it at all, and keep the number of administrator accounts minimal.

🔍 How to Verify

Check if Vulnerable:

Check FileBrowser version: if version is below 2.23.0, the system is vulnerable

Check Version:

filebrowser version

Verify Fix Applied:

Confirm that filebrowser version reports 2.23.0 or higher. As a functional check, upload a test file containing a harmless <script>alert(1)</script> and open it through the FileBrowser UI: the script must not execute. FileBrowser does not rewrite uploaded files, so the check is whether the browser runs the script when the file is opened, not whether the stored file changed.
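A scripted version check for this section (and for the final step of the upgrade instructions), written for this advisory rather than taken from the FileBrowser project: it extracts the version from filebrowser version output or from a container image tag, compares it against 2.23.0, and treats unversioned dev builds as untrusted. The CLI output format shown ("File Browser v2.x.y/<commit>") and every sample line are assumptions made for the example; confirm the format on your own build.

```python
"""Decide from `filebrowser version` output whether an install predates the 2.23.0 fix.

Added example for this advisory, not FileBrowser project code.  Assumes the CLI
prints "File Browser v<major>.<minor>.<patch>/<commit>" (verify on your build);
all sample outputs below are constructed.
"""
import re
import subprocess

FIXED_VERSION = (2, 23, 0)  # first release carrying the fix, per this advisory
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from CLI output or an image tag.

    None for builds that carry no version number at all (e.g. a local
    dev build printing a placeholder instead of a semver string).
    """
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True when the version is below the fixed release.

    An unparseable version is reported as vulnerable on purpose: a build of
    unknown provenance must be checked, not trusted.
    """
    return version is None or version < FIXED_VERSION


def assess(host, text):
    v = parse_version(text)
    return {"host": host, "version": v, "vulnerable": is_vulnerable(v)}


def installed_version_output(binary="filebrowser"):
    """Run the real CLI on this host; None if the binary is not installed."""
    try:
        proc = subprocess.run([binary, "version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return proc.stdout


# Constructed sample outputs standing in for several hosts and an image tag.
SAMPLE_OUTPUTS = {
    "files-01": "File Browser v2.22.4/c93b0eb",
    "files-02": "File Browser v2.23.0/a1b2c3d",
    "files-03": "File Browser v2.27.0/0f7c8a1",
    "dev-box": "File Browser (untracked)/(unknown)",   # assumed placeholder text
    "docker": "filebrowser/filebrowser:v2.21.0",
}


def assess_fleet(outputs=SAMPLE_OUTPUTS):
    """Assess every host; order of the input mapping is preserved."""
    return [assess(host, out) for host, out in outputs.items()]


if __name__ == "__main__":
    for r in assess_fleet():
        state = "VULNERABLE" if r["vulnerable"] else "patched"
        print(f"{r['host']:<9} {str(r['version']):<14} {state}")
    local = installed_version_output()
    if local is not None:
        print("this host:", assess("local", local))
```

Feed real output into assess() from a fleet inventory (SSH, configuration management, or container image tags) and alert on any host where vulnerable is true or version is None.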

📡 Detection & Monitoring

Log Indicators:

  • FileBrowser's own log records HTTP requests only when they fail, so enable access logging on the reverse proxy in front of it; the indicators below assume such logs.
  • Uploads (POST or PUT to /api/resources/...) of .html or .htm files, especially from accounts that do not normally publish web content
  • Account changes (PUT or POST to /api/users/...) made shortly after the same client opened an HTML file through /api/raw or /api/preview
  • Accounts that newly gain the Admin permission; compare the user list against a known-good baseline

Network Indicators:

  • Unexpected outbound connections from FileBrowser server
  • Traffic patterns suggesting data exfiltration

SIEM Query:

# Pseudo-query; field names follow a generic web-access-log schema, adapt them to your SIEM.
source="filebrowser-proxy" AND (
  (http.method IN ("POST", "PUT") AND url.path LIKE "/api/resources/%" AND (url.path LIKE "%.html" OR url.path LIKE "%.htm"))
  OR (http.method IN ("POST", "PUT", "PATCH") AND url.path LIKE "/api/users%")
)
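The same indicators as working detection logic, an added example (not FileBrowser code) run over constructed nginx access-log lines from a reverse proxy in front of FileBrowser. It assumes FileBrowser's REST paths (/api/resources for uploads, /api/raw and /api/preview for viewing, /api/users for account changes), that the proxy logs in the standard "combined" format, and a 60-second correlation window between an HTML view and a user-record write; all three are assumptions to tune, and every log line is made up.

```python
"""Spot the CVE-2023-39612 attack pattern in reverse-proxy access logs.

Added example for this advisory, not FileBrowser project code.  Works on
nginx "combined" access-log lines.  Endpoint paths are FileBrowser's REST API
(/api/resources uploads, /api/raw and /api/preview viewing, /api/users account
changes); the 60 s window and all sample lines are constructed assumptions.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
UPLOAD_RE = re.compile(r"^/api/resources/")
VIEW_RE = re.compile(r"^/api/(raw|preview)/")
USERS_RE = re.compile(r"^/api/users(/\d+)?($|\?)")


def parse_line(line):
    """One combined-format line -> event dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def parse_log(lines):
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])  # proxy workers can interleave lines
    return events


def is_html(path):
    return path.split("?", 1)[0].lower().endswith((".html", ".htm"))


def ok(ev):
    return 200 <= ev["status"] < 300


def find_html_uploads(events):
    """Indicator: a successful upload of an .html/.htm file by any user."""
    return [e for e in events
            if e["method"] in ("POST", "PUT") and UPLOAD_RE.match(e["path"])
            and is_html(e["path"]) and ok(e)]


def find_view_then_user_change(events, window=timedelta(seconds=60)):
    """Indicator: a client renders an HTML file and, within `window`, the same
    client writes to /api/users.  A victim's browser running injected script
    and promoting the attacker's account produces exactly this sequence; a
    legitimate admin rarely edits a user right after opening an HTML file."""
    last_view = {}
    findings = []
    for e in events:
        if e["method"] == "GET" and VIEW_RE.match(e["path"]) and is_html(e["path"]) and ok(e):
            last_view[e["ip"]] = e
        elif e["method"] in ("POST", "PUT", "PATCH") and USERS_RE.match(e["path"]) and ok(e):
            seen = last_view.get(e["ip"])
            if seen and e["ts"] - seen["ts"] <= window:
                findings.append({
                    "ip": e["ip"],
                    "html": seen["path"],
                    "user_api": e["path"],
                    "seconds_after_view": (e["ts"] - seen["ts"]).total_seconds(),
                })
    return findings


def analyze(lines):
    events = parse_log(lines)
    return {"html_uploads": find_html_uploads(events),
            "view_then_user_change": find_view_then_user_change(events)}


# Constructed sample: attacker 203.0.113.7 uploads report.html; victim
# 198.51.100.23 opens it and 4 s later their browser edits user 3; an unrelated
# admin 198.51.100.40 edits user 5 with no HTML view beforehand (not flagged).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2023:14:02:51 +0000] "POST /api/resources/shared/report.html?override=false HTTP/1.1" 200 0 "-" "curl/8.1.2"
203.0.113.7 - - [10/Aug/2023:14:02:58 +0000] "POST /api/resources/shared/notes.txt?override=false HTTP/1.1" 200 0 "-" "curl/8.1.2"
198.51.100.23 - - [10/Aug/2023:14:03:10 +0000] "GET /api/raw/shared/report.html?inline=true HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Aug/2023:14:03:14 +0000] "PUT /api/users/3 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.40 - - [10/Aug/2023:14:05:02 +0000] "GET /api/raw/docs/handbook.pdf?inline=true HTTP/1.1" 200 88113 "-" "Mozilla/5.0"
198.51.100.40 - - [10/Aug/2023:14:20:30 +0000] "PUT /api/users/5 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for e in results["html_uploads"]:
        print(f"HTML upload       {e['ip']} {e['method']} {e['path']}")
    for f in results["view_then_user_change"]:
        print(f"view->user write  {f['ip']} opened {f['html']} then {f['user_api']} "
              f"{f['seconds_after_view']:.0f}s later")
```

The second check is the higher-signal one: HTML uploads alone are common on a file server, but an HTML view followed by an account write from the same client is the hijacked-session shape. Run it against the proxy log for the days before the upgrade to look for past abuse, and review any flagged user record directly in FileBrowser.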
