CVE-2025-52900

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-52900

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

F

ile Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The file access permissions for files uploaded to or created from File Browser are never explicitly set by the application. The same is true for the database used by File Browser. On standard servers using File Browser prior to version 2.33.7 where the umask configuration has not been hardened before, this makes all the stated files readable by any operating system account. Version 2.33.7 fixes the issue.

References
Link Resource
https://github.com/filebrowser/filebrowser/commit/ca86f916216620365c0f81629c0934ce02574d76 Patch
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-jj2r-455p-5gvf Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*
History

10 Jul 2025, 01:17

Type Values Removed Values Added
Summary
  • (es) File Browser proporciona una interfaz de gestión de archivos dentro de un directorio específico y permite cargar, eliminar, previsualizar, renombrar y editar archivos. La aplicación nunca configura explícitamente los permisos de acceso a los archivos cargados o creados desde el Explorador de Archivos. Lo mismo ocurre con la base de datos que utiliza. En servidores estándar que utilizan el Explorador de Archivos antes de la versión 2.33.7, donde la configuración de umask no se ha reforzado previamente, esto permite que todos los archivos indicados sean legibles por cualquier cuenta del sistema operativo. La versión 2.33.7 soluciona el problema.
References () https://github.com/filebrowser/filebrowser/commit/ca86f916216620365c0f81629c0934ce02574d76 - () https://github.com/filebrowser/filebrowser/commit/ca86f916216620365c0f81629c0934ce02574d76 - Patch
References () https://github.com/filebrowser/filebrowser/security/advisories/GHSA-jj2r-455p-5gvf - () https://github.com/filebrowser/filebrowser/security/advisories/GHSA-jj2r-455p-5gvf - Exploit, Vendor Advisory
CPE cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*
First Time Filebrowser filebrowser
Filebrowser

26 Jun 2025, 15:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-26 15:15

Updated : 2025-07-10 01:17

NVD link : CVE-2025-52900

Mitre link : CVE-2025-52900

CVE.ORG link : CVE-2025-52900

JSON object : View

Products Affected

filebrowser

CWE
CWE-276

Incorrect Default Permissions