CVE-2018-11351

Name of the Vulnerable Software and Affected Versions Jirafeau versions prior to 3.4.1

Description The issue affects the shared files description file, allowing the execution of a JavaScript payload when an administrator searches or lists uploaded files. This is due to two stored Cross-Site Scripting (XSS) vulnerabilities. The attack vectors are the Content-Type field and the filename parameter. These injections can be triggered without authentication and target the administrator.

Recommendations For versions prior to 3.4.1, update to version 3.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the shared files description file to minimize the risk of exploitation. Avoid using the filename parameter in affected areas until the issue is resolved.