CVE-2020-36988
Description
PDW File Browser version 1.3 contains stored and reflected cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through file rename and path parameters. Attackers can craft malicious URLs or rename files with XSS payloads to execute arbitrary JavaScript in victims' browsers when they access the file browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PDW File Browser <=1.3 has stored and reflected XSS flaws allowing authenticated attackers to execute arbitrary JavaScript via crafted file names or path parameters.
Vulnerability
Overview
PDW File Browser version 1.3, a plugin for TinyMCE and CKEditor, contains both stored and reflected cross-site scripting (XSS) vulnerabilities. The root cause is insufficient input sanitization in the file rename functionality and the path parameter used when fetching file specifications. This allows authenticated attackers to inject malicious scripts that execute in the browsers of other authenticated users [1][2].
Exploitation
For stored XSS, an attacker can rename a file to include an XSS payload (e.g., `) via a POST request to actions.php. The payload executes when any authenticated user navigates to the PDW File Browser page. For reflected XSS, an attacker crafts a URL with a malicious path parameter to file_specs.php (e.g., ?ajax=true&path=`). When an authenticated user visits the crafted URL, the payload executes immediately [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser within the context of the PDW File Browser application. This can lead to session hijacking, data theft, or further malicious actions, all while the victim is authenticated [1][2].
Mitigation
As of the advisory publication date (October 2020), no patched version was available. Users of PDW File Browser version 1.3 or earlier are advised to upgrade to a newer version if available, or to implement input validation and output encoding as a workaround. The vulnerability is publicly documented in the Exploit Database [1] and tracked by VulnCheck [2].
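One way to apply the input validation and output encoding workaround in PHP, as an added example that is not PDW File Browser's own code. The function names and sample inputs are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

/** Encode a value for an HTML text or quoted-attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Allowlist for rename targets: returns the name, or null if rejected. */
function validate_filename(string $name): ?string
{
    // Must start with a letter or digit; then letters, digits, space, dot,
    // underscore or hyphen; at most 255 characters in total.
    $ok = preg_match('/\A[A-Za-z0-9][A-Za-z0-9 ._-]{0,254}\z/', $name) === 1;
    return $ok ? $name : null;
}

/** Allowlist for a path parameter: slash-separated segments of safe names. */
function validate_path(string $path): ?string
{
    $seg = '[A-Za-z0-9][A-Za-z0-9 ._-]*';
    $ok = preg_match('#\A' . $seg . '(?:/' . $seg . ')*/?\z#', $path) === 1;
    return $ok ? $path : null;
}

// Constructed sample inputs: one ordinary name, two containing markup characters.
$names = ['report-2020.pdf', '<b>bold</b>.png', 'a"b.txt'];
foreach ($names as $name) {
    $status = validate_filename($name) === null ? 'rejected' : 'accepted';
    // Encode on output even for rejected input, so the message is inert too.
    echo $status, ': ', h($name), PHP_EOL;
}

// Constructed sample values for a path parameter.
$paths = ['images/2020/', 'images/<i>x</i>/'];
foreach ($paths as $path) {
    $status = validate_path($path) === null ? 'rejected' : 'accepted';
    echo $status, ': ', h($path), PHP_EOL;
}
```

Validation on write limits what can be stored, and encoding on every output covers names that were stored before the check existed.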
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References (2)
News mentions
No linked articles in our index yet.