CVE-2025-52904— FileBrowser 安全漏洞

File Browser: Command Execution not Limited to Scope

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions of the web application on the 2.x branch, all users have a scope assigned, and they only have access to the files within that scope. The Command Execution feature of Filebrowser allows the execution of shell commands which are not restricted to the scope, potentially giving an attacker read and write access to all files managed by the server. Until this issue is fixed, the maintainers recommend to completely disable `Execute commands` for all accounts. Since the command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application's configuration. This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities.

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

在命令中使用的特殊元素转义处理不恰当(命令注入)

FileBrowser 安全漏洞

FileBrowser是开源的一款网页文件浏览器。提供指定目录下的文件管理界面，可用于上传、删除、预览、重命名和编辑您的文件。它允许创建多个用户，每个用户可以有自己的目录。它可以用作独立的应用程序或中间件。 FileBrowser 2.32.0版本存在安全漏洞，该漏洞源于命令执行功能不受范围限制，可能导致访问服务器管理的所有文件。

N/A

N/A