Platform: php
Component: extplorer
Fixed in: 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13
CVE-2019-25096 describes a cross-site scripting (XSS) vulnerability discovered in eXtplorer, a PHP-based file manager. This vulnerability allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability affects versions 2.1.0 through 2.1.12 of eXtplorer, and a patch is available in version 2.1.13.
Successful exploitation of CVE-2019-25096 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to a variety of malicious actions, including stealing session cookies, redirecting users to phishing sites, or injecting malicious content into the eXtplorer interface. The impact is particularly severe if eXtplorer is used to manage sensitive files or if it is integrated with other applications. An attacker could potentially gain unauthorized access to files and directories, modify data, or even compromise the entire server if the application is running with elevated privileges.
CVE-2019-25096 was publicly disclosed on January 5, 2023. While no active exploitation campaigns have been definitively linked to this specific vulnerability, XSS vulnerabilities are frequently targeted by attackers. There are publicly available proof-of-concept exploits demonstrating the vulnerability's impact. The vulnerability is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.33% (56th percentile)
CVSS Vector
The primary mitigation for CVE-2019-25096 is to upgrade eXtplorer to version 2.1.13 or later, which includes the necessary patch. If upgrading is not immediately feasible, consider implementing input validation and output encoding measures to sanitize user-supplied data. Web application firewalls (WAFs) can also be configured to detect and block XSS attacks. Review eXtplorer's configuration to ensure that file access permissions are properly restricted and that unnecessary features are disabled. After upgrading, confirm the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) through an input field and verifying that it is properly sanitized or blocked.
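The interim measures named above (output encoding and input validation) are generic defences, not a description of eXtplorer's own templates. The following PHP is an added illustration written for this page, not code from the eXtplorer project: it encodes untrusted strings for the HTML, URL and JavaScript contexts of a directory-listing page and applies a hypothetical allow-list policy for names taken from the request. The probe string it uses is the same `<script>alert(1)</script>` the text suggests for confirming the fix; the function names and the allow-list pattern are assumptions, and the listing row is a constructed sample, not eXtplorer markup.

```php
<?php
declare(strict_types=1);

// Added example, not eXtplorer's own code: contextual output encoding plus
// allow-list validation of the kind recommended as an interim measure.

/** Encode a string for insertion into HTML text or a quoted HTML attribute. */
function encodeForHtml(string $untrusted): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string, so a malformed name cannot blank the page.
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Encode a string for insertion into a JavaScript string literal inside <script>. */
function encodeForJs(string $untrusted): string
{
    // The JSON_HEX_* flags escape < > & ' " as \uXXXX so the value can never
    // close the surrounding <script> element or break out of the literal.
    return json_encode(
        $untrusted,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/**
 * Hypothetical allow-list for a file or directory name taken from the request.
 * Validation limits what reaches the file system; encoding (above) still applies
 * on output, because validation alone is not an XSS defence.
 */
function isAllowedName(string $name): bool
{
    if ($name === '.' || $name === '..') {
        return false;
    }
    return preg_match('/^[A-Za-z0-9._ -]{1,255}$/', $name) === 1;
}

/** Render one directory-listing row with each untrusted value encoded for its context. */
function renderRow(string $name, int $sizeBytes): string
{
    // href is a URL context nested in an HTML attribute: percent-encode first,
    // then HTML-encode the result (layered in the same order the browser decodes).
    $href = encodeForHtml('?dir=' . rawurlencode($name));
    return sprintf(
        '<tr><td><a href="%s">%s</a></td><td>%d</td></tr>',
        $href,
        encodeForHtml($name),
        $sizeBytes
    );
}

// Constructed sample input: a name carrying the probe string mentioned in the text.
$probe = '<script>alert(1)</script>';

// The probe is rendered inert in the HTML row and in the script block; the
// allow-list rejects it outright while accepting an ordinary file name.
echo renderRow($probe, 1024), PHP_EOL;
echo '<script>var current = ', encodeForJs($probe), ';</script>', PHP_EOL;
var_dump(isAllowedName($probe));
var_dump(isAllowedName('report-2019.txt'));
```

Run it with `php example.php` and inspect the emitted row: the angle brackets of the probe appear as entities and the script block holds a `\u003C`-escaped literal, which is the behaviour a WAF rule or a post-upgrade check should expect to see for any name that reaches the page.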
Update eXtplorer to version 2.1.13 or later. That version contains a fix for the cross-site scripting (XSS) vulnerability. You can download the latest version from the project's official website or repository.
CVE-2019-25096 is a cross-site scripting (XSS) vulnerability affecting eXtplorer versions 2.1.0 through 2.1.12, allowing attackers to inject malicious scripts.
You are affected if you are using eXtplorer versions 2.1.0 to 2.1.12. Upgrade to 2.1.13 or later to mitigate the risk.
Upgrade eXtplorer to version 2.1.13 or later. Implement input validation and output encoding as a temporary workaround.
While no active campaigns are confirmed, XSS vulnerabilities are frequently targeted, so prompt patching is crucial.
Refer to the eXtplorer project's website or GitHub repository for the official advisory and patch details.