CVE-2018-25157 in DAM Open Source

Summary

by MITRE • 02/11/2026

Phraseanet 4.0.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through crafted file names during document uploads. Attackers can upload files with embedded SVG scripts that execute in the browser, potentially stealing cookies or redirecting users when the file is viewed.


Analysis

by VulDB Data Team • 02/11/2026

Phraseanet version 4.0.3 suffers from a critical stored cross-site scripting vulnerability that poses a significant security risk for authenticated users. The vulnerability lies in the file upload functionality: the application fails to properly sanitize user-supplied file names before storing them and rendering them in web pages. An attacker with authenticated access can inject scripts that persist in the system and execute whenever the affected files are viewed by other users. The flaw manifests specifically when SVG files containing embedded scripts are uploaded with crafted file names that bypass the input validation mechanisms. This stored XSS vulnerability falls under CWE-79 (Cross-site Scripting) and aligns with ATT&CK technique T1566.001 for Phishing with Spoofed Credentials, as attackers can leverage the flaw to establish a persistent malicious presence within the application.

Technically, the vulnerability stems from inadequate input sanitization and output encoding in the file management subsystem. When authenticated users upload files, the system stores the file name metadata without validating special characters or script tags, which may also be embedded within the SVG content itself. The rendering process does not escape or filter this potentially malicious content, so the stored scripts execute in the context of other users' browsers. This creates a persistent threat vector through which attackers can gain long-term access to user sessions and potentially escalate privileges via session hijacking or credential theft. The vulnerability is particularly dangerous because it requires minimal privileges to exploit: attackers only need authenticated access with upload rights, not a compromised administrative account.

The operational impact extends beyond simple script execution: the flaw enables session hijacking, credential theft, and potential lateral movement within the application environment. When victims view the affected files, their browsers execute the embedded scripts, which can steal session cookies, redirect users to malicious sites, or perform other malicious actions. Because the vulnerability is stored, a malicious file remains active indefinitely once uploaded, until it is manually removed from the system. Attackers can use this persistence to establish footholds in organizations running Phraseanet, potentially leading to data exfiltration, unauthorized access to sensitive documents, or broader network compromise. The vulnerability affects all authenticated users who can upload files, making it particularly concerning in environments where many users have upload privileges.

Mitigation should focus on comprehensive input validation and output encoding throughout the file upload and rendering processes. Organizations should immediately sanitize file names and file content, particularly for SVG files, which are a common XSS vector. The application should enforce strict validation of file metadata, reject or sanitize any input containing script tags or suspicious characters, and apply proper HTML escaping when rendering stored file names. Additionally, a content security policy that restricts script execution within the application context should be considered. The fix should follow OWASP secure coding practices and address the underlying CWE-79 weakness through input validation and output encoding. Regular security testing and code review help prevent similar vulnerabilities elsewhere in the application. The vulnerability demonstrates the importance of securing file upload mechanisms and applying defense in depth against persistent XSS attacks that can compromise user sessions and data access controls.

Responsible

VulnCheck

Reservation

02/11/2026

Disclosure

02/11/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00037

KEV

no

Activities

very low
