Server side cross-site scripting In github.com/filebrowser/filebrowser/v2

Description

File Browser is vulnerable to Stored Cross-site Scripting via crafted EPUB file

Summary

The EPUB preview function in File Browser is vulnerable to Stored Cross-site Scripting (XSS). JavaScript embedded in a crafted EPUB file executes in the victim's browser when they preview the file.

Details

frontend/src/views/files/Preview.vue passes allowScriptedContent: true to the vue-reader (epub.js) component:

// frontend/src/views/files/Preview.vue (Line 87)
:epubOptions="{
  allowPopups: true,
  allowScriptedContent: true,
}"

epub.js renders EPUB content inside a sandboxed iframe populated via srcdoc. However, the sandbox attribute includes both allow-scripts and allow-same-origin, which renders the sandbox ineffective: script in the EPUB runs with the parent page's origin and can access the parent frame's DOM and storage.

The epub.js developers explicitly warn against enabling scripted content.
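Two checks a reviewer can run offline while auditing the Preview.vue setting described above, as an added example that is not part of the advisory or of the File Browser project: a sandbox-token analysis that flags the allow-scripts + allow-same-origin combination, and a source scan that flags an epubOptions literal enabling scripted content. The option name allowScriptedContent is the vue-reader/epub.js name quoted in the advisory; the Vue snippet used as sample input is constructed here and is not the project's file.

```javascript
// Added example (not from the File Browser project or the advisory).
// Option names come from the advisory; the sample .vue text is constructed.

// 1. Sandbox token analysis. A sandboxed iframe that is granted both
//    allow-scripts and allow-same-origin runs its scripts with the embedding
//    page's origin, so srcdoc content can reach the parent DOM and storage.
//    Either token alone keeps the content contained (scripts run in an
//    opaque origin, or no scripts run at all).
function sandboxIsContained(sandboxAttr) {
  const tokens = new Set(
    sandboxAttr
      .trim()
      .split(/\s+/)
      .filter(Boolean)
      .map((t) => t.toLowerCase())
  );
  const scripts = tokens.has("allow-scripts");
  const sameOrigin = tokens.has("allow-same-origin");
  return !(scripts && sameOrigin);
}

// 2. Source audit. Scans the raw text of a .vue file and returns the
//    1-based line numbers where epubOptions enables scripted content.
function findScriptedContentEnabled(vueSource) {
  const hits = [];
  vueSource.split("\n").forEach((line, idx) => {
    if (/allowScriptedContent\s*:\s*true\b/.test(line)) hits.push(idx + 1);
  });
  return hits;
}

// 3. The setting the advisory's root cause points to. epub.js leaves
//    scripted content disabled by default, so omitting the key is
//    equivalent; it is written out explicitly so the intent is reviewable.
//    (allowPopups is unrelated to this finding and is left to the project.)
const HARDENED_EPUB_OPTIONS = Object.freeze({
  allowScriptedContent: false,
});

// Constructed sample input mirroring the pattern the advisory quotes.
const SAMPLE_PREVIEW_VUE = `
<vue-reader
  :epubOptions="{
    allowPopups: true,
    allowScriptedContent: true,
  }"
/>`;

console.log(
  "allow-scripts only contained:",
  sandboxIsContained("allow-scripts")
);
console.log(
  "allow-scripts + allow-same-origin contained:",
  sandboxIsContained("allow-scripts allow-same-origin")
);
console.log(
  "lines enabling scripted content:",
  findScriptedContentEnabled(SAMPLE_PREVIEW_VUE)
);
```

The source scan is deliberately a plain regex over the file text so it can run in CI against the frontend tree without a Vue parser; the sandbox check is the same rule a browser applies, which is why the advisory's combination of tokens defeats the isolation.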

PoC

I've crafted a PoC Python script that can be run on a test environment using Docker Compose:

services:

  filebrowser:
    image: filebrowser/filebrowser:v2.62.1
    user: 0:0
    ports:
      - "80:80"

And running this PoC python script:

import argparse
import io
import sys
import zipfile
import requests


BANNER = """...

And terminal output:

root@server205:~/sec-filebrowser# python3 poc_xss_epub.py  -t http://localhost -u admin -p VJlfum8fGTmyXx8t

  Stored XSS via EPUB PoC
  Affected: filebrowser/filebrowser <=v2.62.1
  Root cause: Preview.vue -> epubOptions: { allowScriptedContent: true }
  Related: CVE-2024-35236 (same pattern in audiobookshelf)

...

Impact

    JWT token theft — full session hijacking

    Privilege escalation — a low-privilege user with upload (Create) permission can steal an admin's token

Mitigation
