CVE Details
Basic Information
| Title | Files is Vulnerable to Reflected Self-XSS through its File Move Functionality |
|---|---|
| Type | cve |
| Published | 2025-08-01T23:26:32.195Z |
| Modified | 2025-08-01T23:26:32.195Z |
Product Information
| Vendor | humhub |
|---|---|
| Product | cfiles |
| Version | < 0.6.10 |
CVSS Information
| Base Score | 5.1 (MEDIUM) |
|---|---|
| Attack Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
AI Analysis
| AI Description | A Reflected Self-XSS vulnerability in the File Move functionality affects versions 0.16.9 and below of the Files module, allowing arbitrary JavaScript injection. This is fixed in version 0.16.10. |
|---|---|
| AI Severity | Medium |
| AI Vendor | humhub |
| AI Product | cfiles |
| AI Version | 0.16.9 and below |
Affected Products
- humhub cfiles < 0.6.10
Additional Information
| CWE List | CWE-80 |
|---|---|
| Source | GitHub_M |
Description
Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, the File Move functionality does not contain logic that prevents injection of arbitrary JavaScript, which can lead to Browser JS code execution in the context of the user's session. This is fixed in version 0.16.10.