GHSA-mmpx-jh39-wrv6: FileBrowser Vulnerable to Stored XSS via SVG File in Public Share (Missing CSP Header)
FileBrowser Quantum serves SVG files inline without a Content-Security-Policy header, so JavaScript embedded in an SVG file executes in the browser when the file is opened through a public share link.
Verified on v1.3.0-stable.
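A defensive wrapper for a share-file handler, written in Go to match the project, as an added example that is not FileBrowser's own code: `MissingSVGPolicy` detects a response that would render SVG inline with no CSP (the condition in the advisory), and `HardenSVG` adds a no-script policy and a download disposition before the headers are sent. The policy string, the type and function names, and the assumption that the shared file name is the last element of the URL path are all mine.

```go
package main

import (
	"net/http"
	"path"
	"strings"
)

// Hypothetical hardening for a public-share file handler (added example, not
// FileBrowser's code): SVG gets a no-script CSP and is offered as a download.
const svgCSP = "default-src 'none'; style-src 'unsafe-inline'; sandbox"
func isSVG(name, ctype string) bool {
	return strings.EqualFold(path.Ext(name), ".svg") ||
		strings.HasPrefix(strings.ToLower(ctype), "image/svg")
}
// MissingSVGPolicy reports the advisory's condition: an SVG response that would
// render inline and carries no Content-Security-Policy header.
func MissingSVGPolicy(name string, h http.Header) bool {
	attach := strings.HasPrefix(strings.ToLower(h.Get("Content-Disposition")), "attachment")
	return !attach && isSVG(name, h.Get("Content-Type")) && h.Get("Content-Security-Policy") == ""
}
// svgGuard intercepts the first header write, while headers can still be set.
type svgGuard struct {
	http.ResponseWriter
	name string
	done bool
}

func (g *svgGuard) WriteHeader(code int) {
	if h := g.Header(); !g.done && isSVG(g.name, h.Get("Content-Type")) {
		h.Set("Content-Security-Policy", svgCSP) // no script, no fetches, sandboxed
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("Content-Disposition", `attachment; filename="`+path.Base(g.name)+`"`)
	}
	g.done = true
	g.ResponseWriter.WriteHeader(code)
}
func (g *svgGuard) Write(b []byte) (int, error) {
	if !g.done { // body written without an explicit status: headers go out now
		g.WriteHeader(http.StatusOK)
	}
	return g.ResponseWriter.Write(b)
}

// HardenSVG wraps the share handler; the shared file name comes from the URL path.
func HardenSVG(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(&svgGuard{ResponseWriter: w, name: r.URL.Path}, r)
	})
}
```

Running `MissingSVGPolicy` against the headers of a share response is also a cheap regression check for the fixed behaviour.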