VYPR
Moderate severity · NVD Advisory · Published Jul 28, 2019 · Updated Aug 5, 2024

CVE-2019-14315

Description

KCFinder 3.20-test1, 3.20-test2, 3.12, and earlier contain a reflected XSS vulnerability in upload.php via the CKEditorFuncNum parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

A cross-site scripting (XSS) vulnerability exists in SunHater KCFinder, affecting versions 3.20-test1, 3.20-test2, 3.12, and earlier. The flaw resides in the upload.php script, where the CKEditorFuncNum parameter is directly echoed into a JavaScript call without proper sanitization. Specifically, the value from $_GET['CKEditorFuncNum'] is assigned to an array key and later rendered without being passed through htmlentities(), allowing an attacker to inject arbitrary HTML and JavaScript [1][3].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL. For example, sending a request such as curl localhost/kcfinder/upload.php?type=files&CKEditor=editor1&CKEditorFuncNum=);}alert(1);if(1){//&langCode=en causes the injected script to be executed in the context of the victim's browser. No authentication is required, and the attack is reflected (the payload is part of the URL) [3]. The vulnerable code is found at line 201 of core/class/uploader.php, where the CKEditorFuncNum parameter is used without escaping [3].

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the user's browser, potentially leading to session hijacking, defacement, or theft of sensitive data. Since KCFinder is commonly integrated with editors like CKEditor, the attack surface includes any user who interacts with the file manager [1][2].

Mitigation

The repository has been archived, and no official patched release exists [3][4]. A contributed fix was proposed in pull request #186 that attempts to block injection by removing invalid characters, but the project is no longer maintained [4]. Users are advised to replace KCFinder with an actively maintained alternative or apply input sanitization (e.g., htmlentities() on CKEditorFuncNum) as a workaround [3][4].
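Constructed PHP illustration of the pattern the Overview and Mitigation describe (added here; not KCFinder's code, and the function names, the URL and the message text are assumptions): a request value spliced into a JavaScript callback, beside a hardened builder. One caveat a practitioner should know: htmlentities() encodes only &, quotes, < and >, so it leaves the characters used by the payload quoted above untouched; for a value placed inside JavaScript, the robust check is to accept nothing but the integer a CKEditor function number is.

```php
<?php
// Constructed illustration, not KCFinder's own code. It models the shape the
// advisory describes: a query parameter interpolated into a JavaScript call.

// Vulnerable shape: the raw query value lands inside JavaScript code.
function buildCallbackVulnerable(string $funcNum, string $url, string $message): string {
    return "window.parent.CKEDITOR.tools.callFunction($funcNum, '$url', '$message');";
}

// Hardened shape: a CKEditor function number is an integer, so accept nothing
// else, and pass string arguments through json_encode() so they can never
// terminate the JavaScript string literal they are placed in.
function buildCallbackHardened(string $funcNum, string $url, string $message): ?string {
    $valid = filter_var($funcNum, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($valid === false) {
        return null; // refuse the request instead of rendering anything
    }
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return sprintf(
        'window.parent.CKEDITOR.tools.callFunction(%d, %s, %s);',
        $valid, json_encode($url, $flags), json_encode($message, $flags)
    );
}

// Constructed inputs: a normal function number and the payload quoted in the advisory.
$benign  = '1';
$payload = ');}alert(1);if(1){//';

echo buildCallbackVulnerable($benign, '/files/a.txt', ''), "\n";
// With the payload, the vulnerable builder emits it verbatim as JavaScript code.
echo buildCallbackVulnerable($payload, '/files/a.txt', ''), "\n";

// htmlentities() does not touch parentheses, braces, semicolons or slashes.
echo 'htmlentities() leaves the payload unchanged: ',
     (htmlentities($payload) === $payload ? 'yes' : 'no'), "\n";

// The hardened builder renders the benign value and rejects the payload (null).
var_dump(buildCallbackHardened($benign, '/files/a.txt', ''));
var_dump(buildCallbackHardened($payload, '/files/a.txt', ''));
```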

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: sunhater/kcfinder (Packagist)
Affected versions: <= 3.20-test2
Patched versions: (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 0 (no linked articles in our index yet)