GHSA-mmpx-jh39-wrv6

Source
https://github.com/advisories/GHSA-mmpx-jh39-wrv6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-mmpx-jh39-wrv6/GHSA-mmpx-jh39-wrv6.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-mmpx-jh39-wrv6
Published
2026-05-07T03:29:43Z
Modified
2026-05-07T03:47:47.299458Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
FileBrowser Vulnerable to Stored XSS via SVG File in Public Share (Missing CSP Header)
Details

Summary

FileBrowser Quantum serves inline SVG files without a Content-Security-Policy header, allowing embedded JavaScript in SVG files to execute when accessed via public share links.

Verified on v1.3.0-stable.

Affected product

  • Product: FileBrowser Quantum (gtsteffaniak/filebrowser)
  • Verified version: v1.3.0-stable
  • Docker image: gtstef/filebrowser:latest
  • Affected endpoint: GET /public/api/resources/download?hash=HASH&inline=true
  • CWE: CWE-79 — Cross-site Scripting (Stored)

Impact

  • Stored XSS — Malicious SVG persists and executes for every visitor to the share link
  • No authentication required to trigger — Public share links are accessible to anyone
  • Session hijacking — If authenticated users click the link, their session can be stolen
  • Phishing — Attacker can redirect or overlay fake login forms

Reproduction

  1. Log in as any user with upload permission
  2. Upload SVG file:
    <svg xmlns="http://www.w3.org/2000/svg">
      <script>alert(document.domain)</script>
    </svg>
    
  3. Create public share for the file
  4. Access the share link with ?inline=true
  5. JavaScript executes in browser

Root cause

The inline download endpoint returns SVG files with:

Content-Type: image/svg+xml
Content-Disposition: inline; filename="xss.svg"
X-Content-Type-Options: nosniff

but sends no Content-Security-Policy header to block script execution. The upstream project (filebrowser/filebrowser) mitigates this with:

Content-Security-Policy: script-src 'none'

Suggested fix

Add CSP header on inline file downloads:

w.Header().Set("Content-Security-Policy", "script-src 'none'")

This matches the upstream filebrowser/filebrowser implementation.
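The following is an added illustration, not code from the FileBrowser Quantum or upstream filebrowser project. It reproduces the header set the advisory attributes to the inline download endpoint in a minimal Go handler, once without and once with the suggested Content-Security-Policy, and includes a small check that can serve as a regression test after the fix is deployed. The handler, the sample SVG, the request path used in the test driver and the helper names are all constructed for this example; the check recognises only the exact `script-src 'none'` directive the advisory proposes.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample payload, the same shape as the advisory's reproduction
// step. It is only bytes here; nothing in this program interprets it.
const sampleSVG = `<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>`

// inlineSVGHandler mirrors the response headers the advisory lists for the
// inline download endpoint. withCSP=false reproduces the vulnerable
// behaviour; withCSP=true applies the suggested fix.
func inlineSVGHandler(withCSP bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "image/svg+xml")
		w.Header().Set("Content-Disposition", `inline; filename="xss.svg"`)
		w.Header().Set("X-Content-Type-Options", "nosniff")
		if withCSP {
			// Suggested fix: forbid script execution in the inline document.
			w.Header().Set("Content-Security-Policy", "script-src 'none'")
		}
		w.WriteHeader(http.StatusOK)
		_, _ = w.Write([]byte(sampleSVG))
	}
}

// responseHeaders drives the handler with an in-memory request (the path is
// the one named in the advisory; "HASH" is a placeholder) and returns the
// headers the handler set.
func responseHeaders(withCSP bool) http.Header {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/public/api/resources/download?hash=HASH&inline=true", nil)
	inlineSVGHandler(withCSP).ServeHTTP(rec, req)
	return rec.Result().Header
}

// cspBlocksScripts reports whether the response carries a
// Content-Security-Policy with a "script-src 'none'" directive. It parses the
// header as semicolon-separated directives rather than comparing the raw
// string, so additional directives do not defeat the check.
func cspBlocksScripts(h http.Header) bool {
	for _, directive := range strings.Split(h.Get("Content-Security-Policy"), ";") {
		fields := strings.Fields(directive)
		if len(fields) == 2 && fields[0] == "script-src" && fields[1] == "'none'" {
			return true
		}
	}
	return false
}

func main() {
	for _, withCSP := range []bool{false, true} {
		h := responseHeaders(withCSP)
		fmt.Printf("withCSP=%v  CSP=%q  scripts blocked=%v\n",
			withCSP, h.Get("Content-Security-Policy"), cspBlocksScripts(h))
	}
}
```

Note that `X-Content-Type-Options: nosniff` does not help here: the declared type already is `image/svg+xml`, which browsers render as a document when served inline, so only the CSP (or serving the file as an attachment) prevents the embedded script from running.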

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed_at": "2026-05-07T03:29:43Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "nvd_published_at": null
}
References

Affected packages

Go / github.com/gtsteffaniak/filebrowser

Package

Name
github.com/gtsteffaniak/filebrowser
Purl
pkg:golang/github.com/gtsteffaniak/filebrowser

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.0.0-20260501184955-6bfc3974192e

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-mmpx-jh39-wrv6/GHSA-mmpx-jh39-wrv6.json"