CVE-2025-50985 in Community Edition

Summary

by MITRE • 08/27/2025

diskover-web v2.3.0 Community Edition is vulnerable to multiple reflected cross-site scripting (XSS) flaws in its web interface. Unsanitized GET parameters including maxage, maxindex, index, path, q (query), and doctype are directly echoed into the HTML response, allowing attackers to inject and execute arbitrary JavaScript when a victim visits a maliciously crafted URL.


Analysis

by VulDB Data Team • 08/29/2025

The vulnerability identified as CVE-2025-50985 affects diskover-web version 2.3.0 Community Edition, presenting a critical security risk through multiple reflected cross-site scripting flaws within its web interface. This vulnerability stems from the application's failure to properly sanitize user-supplied input parameters that are subsequently reflected back into HTML responses without adequate encoding or validation. The affected parameters include maxage, maxindex, index, path, q (query), and doctype, all of which are processed as GET parameters and directly incorporated into the web response without proper security measures.

The technical exploitation of this vulnerability occurs when an attacker crafts malicious URLs containing specially formatted JavaScript code within the vulnerable parameters. When a victim navigates to such a crafted URL, the web application reflects the unsanitized input back to the user's browser, which executes the injected JavaScript code within the victim's context. This gives attackers a vector for actions such as stealing session cookies, redirecting users to malicious sites, or performing unauthorized operations on behalf of the victim. The reflected nature of the vulnerability means that the attack payload is not stored on the server but is instead delivered through the web application's response to a specific request.

From an operational impact perspective, this vulnerability compromises the integrity of the web interface and potentially exposes sensitive data and system resources. The attack surface extends beyond simple script execution to include session hijacking and privilege escalation opportunities, particularly if the application handles authentication or authorization functions. The vulnerability affects all users of the Community Edition, which may include administrators and regular users, creating widespread potential for exploitation. Organizations relying on diskover-web for file system analysis and management face significant risk as attackers could manipulate the application's behavior to gain unauthorized access or disrupt normal operations.

The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in web applications, and follows patterns consistent with ATT&CK technique T1566.001 for initial access through malicious links. Organizations should immediately implement input validation and output encoding to prevent parameter injection, and add Content Security Policy headers to limit script execution. The recommended mitigations are sanitizing all user inputs through proper encoding, applying strict input validation, and applying the principle of least privilege to limit the impact of potential exploitation. Additionally, regular security audits and vulnerability assessments should be conducted to identify similar issues in other web components and ensure comprehensive protection against similar attack vectors.
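To find crafted URLs of the kind described above in web server access logs, the following added example (not code from diskover-web or VulDB) flags requests whose advisory-listed parameters carry HTML markup after URL decoding. The combined log format, the `/example.php` placeholder path, the sample lines and the markup heuristic are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# GET parameters the advisory lists as reflected without sanitization.
REFLECTED_PARAMS = {"maxage", "maxindex", "index", "path", "q", "doctype"}

# Triage heuristic (an assumption, tune per site): markup delimiters or script triggers.
MARKUP = re.compile(r'[<>"]|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)

# Request field of a combined-format access log line (log format is assumed).
REQUEST = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')


def decode_fully(value, rounds=3):
    """Undo nested URL encoding so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(log_line):
    """Return sorted names of advisory parameters whose value carries markup."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    hits = set()
    for name, value in parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True):
        if name.lower() in REFLECTED_PARAMS and MARKUP.search(decode_fully(value)):
            hits.add(name.lower())
    return sorted(hits)


def scan(lines):
    """Map 1-based line number to the flagged parameter names on that line."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := suspicious_params(line))}


# Constructed sample lines (documentation IPs, placeholder path), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Sep/2025:10:00:00 +0000] "GET /example.php?index=idx-a&q=report&doctype=file HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Sep/2025:10:01:00 +0000] "GET /example.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E&maxage=30 HTTP/1.1" 200 4096',
    '203.0.113.9 - - [01/Sep/2025:10:02:00 +0000] "GET /example.php?path=%252Fdata%253Cb%253E&page=1 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A hit means a request worth reviewing, not proof of exploitation; legitimate searches can contain quotes or angle brackets.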

Responsible: MITRE

Reservation: 06/16/2025

Disclosure: 08/27/2025

Moderation: accepted

CPE: ready

EPSS: 0.00224

KEV: no

Activities: very low
