Platform: php
Component: extplorer
Fixed in: 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16
A cross-site scripting (XSS) vulnerability has been identified in eXtplorer versions 2.1.0 through 2.1.15. This flaw resides within an unknown function of the Filename Handler component, allowing attackers to potentially inject malicious scripts. Successful exploitation could lead to session hijacking or defacement. Applying the provided patch is the recommended solution to address this security concern.
The XSS vulnerability in eXtplorer allows an attacker to inject arbitrary JavaScript code into a user's browser session. This can be exploited to steal cookies, redirect users to malicious websites, or modify the content of the eXtplorer interface. The impact is amplified if the eXtplorer instance is publicly accessible or integrated with other systems, potentially leading to broader data compromise or system takeover. While the CVSS score is LOW, the ease of exploitation and potential for user interaction make it a significant risk, especially in environments with sensitive data or critical functionality.
CVE-2025-13058 was publicly disclosed on 2025-11-12. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. Given the relatively low CVSS score and lack of public exploits, the probability of active exploitation is currently considered low, but ongoing monitoring is recommended.
Organizations and individuals using eXtplorer versions 2.1.0 through 2.1.15, particularly those hosting the application publicly or integrating it with other systems containing sensitive data, are at risk. Shared hosting environments where multiple users share the same eXtplorer instance are also particularly vulnerable.
• php / web: Examine access logs for suspicious requests containing JavaScript code within filenames or file paths (the alternation needs extended regex, so use -E):
grep -iE 'script|onload|onerror' /var/log/apache2/access.log
• php / web: Check eXtplorer configuration files for any custom code that might be vulnerable to XSS.
• generic web: Use a WAF to monitor for XSS attack patterns targeting eXtplorer endpoints. Configure alerts for suspicious JavaScript payloads.
disclosure
Exploit status
EPSS
0.10% (percentile 28%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13058 is to immediately apply the provided patch: 002def70b985f7012586df2c44368845bf405ab3. If patching is not immediately feasible, consider implementing input validation and output encoding on all user-supplied data handled by the Filename Handler. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Review eXtplorer's configuration to ensure it adheres to security best practices, such as restricting access to sensitive files and directories. After applying the patch, verify the fix by attempting to inject a simple XSS payload through the Filename Handler and confirming it is properly sanitized.
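The advisory does not name the affected function, so the listing code below is hypothetical: it is an added example, not eXtplorer's own code, showing the output-encoding and filename-validation measures recommended above. It contrasts the unsafe pattern (a raw filename concatenated into markup) with a hardened version that validates the name and encodes it separately for the URL and HTML contexts it lands in. The sample filenames are constructed for the demonstration.

```php
<?php
// Added example, not eXtplorer code. The row-rendering functions and the
// sample filenames are hypothetical; only the encoding technique matters.
declare(strict_types=1);

/**
 * Reject filenames that should never reach the UI or the filesystem layer:
 * empty names, "." and "..", directory separators, and control characters.
 * Returns true when the name is acceptable for display.
 */
function isSafeFilename(string $name): bool
{
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }
    // Directory separators indicate a path, not a single filename.
    if (strpbrk($name, '/\\') !== false) {
        return false;
    }
    // Control characters (0x00-0x1F, 0x7F) have no business in a display name.
    return preg_match('/[\x00-\x1F\x7F]/', $name) !== 1;
}

/** Encode a string for an HTML text node or a double-quoted attribute value. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the raw filename is concatenated straight into markup. */
function renderRowUnsafe(string $name): string
{
    return '<tr><td><a href="?action=show&file=' . $name . '">' . $name . '</a></td></tr>';
}

/** Hardened pattern: validate first, then encode for each output context. */
function renderRowSafe(string $name): string
{
    if (!isSafeFilename($name)) {
        return '<tr><td class="error">(invalid filename skipped)</td></tr>';
    }
    // Query-string context: percent-encode the value; then HTML-encode the
    // whole attribute so "&" becomes "&amp;" and quotes cannot break out.
    $href = '?action=show&file=' . rawurlencode($name);
    return '<tr><td><a href="' . h($href) . '">' . h($name) . '</a></td></tr>';
}

// Constructed sample names, including markup and a traversal-style name,
// to show the difference between the two renderers.
$samples = [
    'report.pdf',
    'photo <b>2024</b>.jpg',
    '"><img src=x onerror=alert(1)>.txt',
    '../etc/passwd',
];

foreach ($samples as $name) {
    echo 'UNSAFE: ' . renderRowUnsafe($name) . PHP_EOL;
    echo 'SAFE:   ' . renderRowSafe($name) . PHP_EOL;
}
```

Running the script prints the unsafe row with the markup intact (the `<b>` and `<img>` tags would be interpreted by the browser) and the safe row with every `<`, `>`, `"` and `&` turned into an entity, so the same input is displayed as literal text. Encoding at the point of output, per context, is the fix to verify after patching; validation alone does not replace it, because a legitimate filename may legitimately contain characters such as `<` or `"`.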
Apply the patch identified as 002def70b985f7012586df2c44368845bf405ab3 to fix the XSS vulnerability. Upgrading to a version later than 2.1.15 is recommended if one is available that includes the fix.
CVE-2025-13058 is a cross-site scripting (XSS) vulnerability affecting eXtplorer versions 2.1.0 through 2.1.15, allowing attackers to inject malicious scripts.
You are affected if you are using eXtplorer versions 2.1.0 to 2.1.15. Upgrade to the patched version immediately.
Apply the patch 002def70b985f7012586df2c44368845bf405ab3. Consider input validation and output encoding as additional measures.
Currently, there are no known public exploits or confirmed active exploitation campaigns for CVE-2025-13058.
Refer to the eXtplorer project's official website or security mailing list for the advisory related to CVE-2025-13058.