{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/epub/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":4.8,"id":"CVE-2024-35236"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["filebrowser","xss","epub","cve-2026-34529"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFile Browser, a web-based file management application, is susceptible to stored XSS attacks in versions 2.62.1 and earlier. The vulnerability stems from the application\u0026rsquo;s EPUB preview functionality, which allows scripted content (\u003ccode\u003eallowScriptedContent: true\u003c/code\u003e) to execute within an iframe. The iframe\u0026rsquo;s sandbox is misconfigured, including both \u003ccode\u003eallow-scripts\u003c/code\u003e and \u003ccode\u003eallow-same-origin\u003c/code\u003e, effectively bypassing the intended security restrictions. An attacker can upload a specially crafted EPUB file containing malicious JavaScript code. When a user previews the file, the embedded JavaScript executes in their browser, enabling session hijacking via JWT token theft, data exfiltration, and potential privilege escalation if the victim is an administrator. This vulnerability is similar to CVE-2024-35236 found in audiobookshelf, highlighting a recurring pattern of insecure EPUB handling.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious EPUB file containing embedded JavaScript designed to steal JWT tokens and exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the File Browser application with a valid, potentially low-privilege, user account.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious EPUB file to the File Browser server via the \u003ccode\u003e/api/resources\u003c/code\u003e endpoint, potentially overwriting existing files using the \u003ccode\u003eoverride=true\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe server stores the malicious EPUB file.\u003c/li\u003e\n\u003cli\u003eA victim, potentially an administrator, views the uploaded EPUB file through the File Browser\u0026rsquo;s web interface, triggering the EPUB preview function.\u003c/li\u003e\n\u003cli\u003eThe application renders the EPUB file within an iframe. Due to the \u003ccode\u003eallowScriptedContent\u003c/code\u003e setting and misconfigured sandbox, the embedded JavaScript executes.\u003c/li\u003e\n\u003cli\u003eThe JavaScript steals the victim\u0026rsquo;s JWT token from \u003ccode\u003ewindow.parent.localStorage\u003c/code\u003e and exfiltrates it to an attacker-controlled server (\u003ccode\u003ehttps://attacker.example/?stolen=\u003c/code\u003e). It may also attempt to gather additional information, such as the victim\u0026rsquo;s public IP address by requesting \u003ccode\u003ehttps://ifconfig.me/ip\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen JWT token to hijack the victim\u0026rsquo;s session, potentially gaining administrative privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability allows attackers to steal JWT tokens, leading to full session hijacking and potential privilege escalation. A low-privilege user with upload permissions can compromise administrator accounts. This can lead to unauthorized access to sensitive files, data exfiltration, and modification or deletion of critical data. The vulnerability affects File Browser instances version 2.62.1 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply patches or upgrade File Browser to a version greater than 2.62.1 to mitigate CVE-2026-34529.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect File Browser EPUB XSS Attempt\u003c/code\u003e to identify potential exploitation attempts by monitoring for network connections to \u003ccode\u003eifconfig.me\u003c/code\u003e originating from the File Browser application.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect File Browser JWT Exfiltration\u003c/code\u003e to detect potential exfiltration of JWT tokens by monitoring network connections to \u003ccode\u003eattacker.example\u003c/code\u003e with a \u003ccode\u003estolen\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eDisable EPUB preview functionality or sanitize EPUB files before rendering them to prevent the execution of malicious scripts. This addresses the root cause by preventing attacker-controlled JavaScript execution.\u003c/li\u003e\n\u003cli\u003eReview and harden the iframe sandbox configuration used for EPUB previews to restrict access to sensitive resources and prevent script execution, if preview functionality cannot be disabled.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T23:44:36Z","date_published":"2026-03-31T23:44:36Z","id":"/briefs/2024-07-filebrowser-xss/","summary":"File Browser version 2.62.1 and earlier is vulnerable to stored cross-site scripting (XSS) via crafted EPUB files, allowing attackers to execute arbitrary JavaScript in a victim's browser by exploiting the application's misconfigured iframe sandbox and stealing sensitive information like JWT tokens.","title":"File Browser Stored XSS via Crafted EPUB File","url":"https://feed.craftedsignal.io/briefs/2024-07-filebrowser-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Epub","version":"https://jsonfeed.org/version/1.1"}