PT-2024-37043 · Unknown · Dulldusk'S Php File Manager

Rafael Pedrero

Published

2024-06-06

Updated

2024-06-11

CVE-2024-5673

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Dulldusk's PHP File Manager version 1.7.8

Description The issue consists of a Cross-Site Scripting (XSS) vulnerability through the fm current dir parameter of the "index.php" endpoint. An attacker could send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session.

Recommendations For version 1.7.8, consider disabling the fm current dir parameter in the "index.php" endpoint until a patch is available. Restrict access to the index.php endpoint to minimize the risk of exploitation. Avoid using the fm current dir parameter in the affected endpoint until the issue is resolved.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2024-5673

Affected Products

Dulldusk'S Php File Manager

PT-2024-37043 · Unknown · Dulldusk'S Php File Manager

CVE-2024-5673

Weakness Enumeration

Related Identifiers

Affected Products

References · 7