CVE-2025-13058

3.5 LOW

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in soerennb eXtplorer file manager up to version 2.1.15. The flaw exists in the filename handler component and allows attackers to inject malicious scripts that execute in users' browsers. Anyone using affected versions of eXtplorer is vulnerable to this remote attack.

💻 Affected Systems

Products:
  • soerennb eXtplorer
Versions: Up to and including 2.1.15
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, deface the application, or redirect users to malicious sites.

🟠 Likely Case

Attackers inject malicious scripts to steal user credentials or session tokens from authenticated users.

🟢 If Mitigated

With proper input validation and output encoding, the impact is limited to potential script execution in specific contexts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities typically have low exploitation complexity and can be exploited remotely without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 002def70b985f7012586df2c44368845bf405ab3

Vendor Advisory: https://github.com/soerennb/extplorer/commit/002def70b985f7012586df2c44368845bf405ab3

Restart Required: No

Instructions:

1. Update to the latest version from GitHub.
2. Apply commit 002def70b985f7012586df2c44368845bf405ab3.
3. Verify the fix by testing filename handling functionality.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement server-side input validation to sanitize filename inputs before processing.

Content Security Policy (applies to: all)

Implement CSP headers to restrict script execution sources.

🧯 If You Can't Patch

  • Implement WAF rules to block XSS payloads in filename parameters
  • Restrict access to eXtplorer to trusted networks only

🔍 How to Verify

Check if Vulnerable:

Check if eXtplorer version is 2.1.15 or earlier. Test by attempting to upload files with XSS payloads in filenames.

Check Version:

Check the version in the eXtplorer interface or review the source code version information.

Verify Fix Applied:

Verify that commit 002def70b985f7012586df2c44368845bf405ab3 is applied. Test filename handling with XSS payloads to confirm they are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual filename patterns containing script tags or JavaScript code
  • Multiple failed upload attempts with suspicious filenames

Network Indicators:

  • HTTP requests with XSS payloads in filename parameters
  • Unusual outbound connections following file uploads

SIEM Query:

web_requests WHERE url CONTAINS "extplorer" AND (url CONTAINS "<script>" OR url CONTAINS "javascript:")
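The SIEM logic above, run over a few constructed access-log lines as an added example (not part of this advisory or of eXtplorer): it makes the AND/OR grouping explicit, so a `<script>` hit outside eXtplorer is not flagged, and percent-decodes the URL first, since payloads in filename parameters usually arrive encoded. The log format, field names and sample traffic are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /extplorer/index.php?dir=/docs&file=report.pdf HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] "GET /extplorer/index.php?action=rename&file=%3Cscript%3Ealert(1)%3C%2Fscript%3E.txt HTTP/1.1" 200 64
10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /blog/post?title=<script> HTTP/1.1" 200 900
10.0.0.8 - - [01/Jan/2025:10:00:03 +0000] "GET /extplorer/index.php?file=JAVASCRIPT:void(0).html HTTP/1.1" 200 64
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*"')
PAYLOAD_MARKERS = ("<script", "javascript:")

def decode_fully(url: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so a double-encoded '<' (%253C) is caught too."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.lower()

def naive_match(url: str) -> bool:
    """The page's query as originally written: AND binds tighter than OR, so any
    '<script>' URL matches even when it is not an eXtplorer request, and encoded
    payloads are missed because the raw URL is compared."""
    u = url.lower()
    return "<script>" in u or ("javascript:" in u and "extplorer" in u)

def grouped_match(url: str) -> bool:
    """Intended logic: eXtplorer request AND any payload marker, on the decoded URL."""
    u = decode_fully(url)
    return "extplorer" in u and any(m in u for m in PAYLOAD_MARKERS)

def suspicious_requests(log_text: str, matcher=grouped_match) -> list[tuple[str, str]]:
    """Return (client_ip, raw_url) for every log line the matcher flags."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and matcher(m.group("url")):
            hits.append((m.group("ip"), m.group("url")))
    return hits

if __name__ == "__main__":
    for ip, url in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT {ip} {url}")
```

With the grouped matcher only the two eXtplorer requests (10.0.0.6 and 10.0.0.8) are flagged; the naive matcher instead flags the unrelated blog request and misses the encoded rename.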
