CVE-2018-25157
Description
Phraseanet 4.0.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through crafted file names during document uploads. Attackers can upload files with embedded SVG scripts that execute in the browser, potentially stealing cookies or redirecting users when the file is viewed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Phraseanet 4.0.3 is vulnerable to stored XSS via crafted file names containing SVG scripts during document upload, allowing authenticated attackers to steal cookies or redirect users.
Vulnerability
Phraseanet 4.0.3 contains a stored cross-site scripting (XSS) vulnerability in its document upload feature. The root cause is insufficient sanitization of file names; an authenticated user can upload a file with a name containing a double-quote followed by an SVG onload event handler, such as "><svg onload=alert(1)>.jpg [4].
Exploitation
An attacker must be an authenticated user (or potentially a guest, depending on configuration) and upload a file with a maliciously crafted name. The SVG script executes when the file is viewed in a browser, triggering the payload on any subsequent page load for any user visiting the uploaded content [4]. The exploit does not require special network position other than access to the upload interface. Note that browsers with built-in XSS filters (e.g., Chrome) may mitigate the attack, but other browsers remain affected [4].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. Common payloads include cookie theft (via alert(document.cookie)) or user redirection (via window.history.back()), potentially leading to account takeover or phishing [4].
Mitigation
The vulnerability has been fixed in Phraseanet version 4.0.7 [4]. Users running 4.0.3 or any earlier version should upgrade immediately. The project has since evolved into Phrasea, a rewritten solution, which should not be affected by this legacy flaw [1][3].
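The following is an added example, not Phraseanet's code or its 4.0.7 patch: it contrasts writing a file name into an HTML attribute unescaped with encoding it at output time, and audits stored names for markup characters using the file name quoted above. The `<img>` template, the record layout and the allow-list policy are assumptions made for illustration.

```python
import html
import re

# Characters that let a value break out of an HTML attribute or open a tag.
MARKUP_CHARS = re.compile(r'[<>"\'&]')
# Assumed allow-list policy: word characters, space, dot and dash only.
SAFE_NAME = re.compile(r'[\w .-]{1,255}')


def render_unsafe(filename: str) -> str:
    """Vulnerable pattern: the file name is concatenated into markup as-is."""
    return '<img alt="' + filename + '" src="/thumb/1">'


def render_safe(filename: str) -> str:
    """Encode for the HTML attribute context at output time."""
    return '<img alt="' + html.escape(filename, quote=True) + '" src="/thumb/1">'


def audit_filenames(records):
    """Return (id, name) pairs whose stored name contains markup characters.

    Names stored before an upgrade may still hold markup, so they are worth
    reviewing even once new uploads are handled correctly.
    """
    return [(rid, name) for rid, name in records if MARKUP_CHARS.search(name)]


def accept_upload_name(filename: str) -> bool:
    """Upload-time check: accept only names that fit the allow-list."""
    return bool(SAFE_NAME.fullmatch(filename))


# Constructed sample records (id, original file name); record 2 uses the
# file name quoted in the Vulnerability paragraph.
SAMPLE = [
    (1, "holiday-2018.jpg"),
    (2, '"><svg onload=alert(1)>.jpg'),
    (3, "report final.pdf"),
]

if __name__ == "__main__":
    for rid, name in audit_filenames(SAMPLE):
        print("flagged record", rid, "->", render_safe(name))
```

Output encoding is the control that closes the injection; the upload-time allow-list and the audit are defence in depth and cleanup.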
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 4.0.3
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-gcpq-mrgg-v5f3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-25157 (ghsa, ADVISORY)
- www.exploit-db.com/exploits/46935 (nvd, WEB)
- www.phraseanet.com (nvd, WEB)
- www.phraseanet.com/en/download (ghsa, WEB)
- www.vulncheck.com/advisories/phraseanet-stored-xss-via-document-upload (nvd, WEB)
- www.phraseanet.com/en/download/ (nvd)