GHSA-4wx8-5gm2-2j97

Summary

The Markdown preview function of File Browser v2.32.0 is vulnerable to Stored Cross-Site-Scripting (XSS). Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser

Impact

A user can upload a malicious Markdown file to the application which can contain arbitrary HTML code. If another user within the same scope clicks on that file, a rendered preview is opened. JavaScript code that has been included will be executed.

Malicious actions that are possible include:

• Obtaining a user's session token
• Elevating the attacker's privileges, if the victim is an administrator (e.g., gaining command execution rights)

Vulnerability Description

Most Markdown parsers accept arbitrary HTML in a document and try rendering it accordingly. For instance, if one creates a file called xss.md with the following content:

# Hallo

<b>foo</b>

<img src="xx" onerror=alert(9)>
<i>bar</i>

Bold and italic text will be rendered. Also, the renderer used in File Browser will try to display the image and execute the code in the onerror event handler.

Proof of Concept

The screenshot shows that the code from the file mentioned above has actually been executed in the victim's browser:

Recommended Countermeasures

The most thorough fix would be to reconfigure the application's Markdown parser to ignore all HTML elements and only render rich text which is part of the Markdown specification. If HTML rendering is considered to be a required feature, an HTML sanitizer like DOMPurify should be used, preferably in conjunction with a Content Security Policy (CSP).

Timeline

• 2025-03-25 Identified the vulnerability in version 2.32.0
• 2025-04-11 Contacted the project
• 2025-04-18 Vulnerability disclosed to the project
• 2025-06-25 Uploaded advisories to the project's GitHub repository
• 2025-06-26 CVE ID assigned by GitHub
• 2025-06-26 Fix released with version 2.33.7

References

• DOMPurify

Credits

• Mathias Tausig (SBA Research)