VYPR
Low severity 3.5 · NVD Advisory · Published May 23, 2024 · Updated Apr 15, 2026

CVE-2024-5279

Description

A vulnerability was found in Qiwen Netdisk up to 1.4.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component File Rename Handler. The manipulation with the input leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-266083.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Qiwen Netdisk ≤1.4.0 has a stored XSS in the file rename handler via an HTML tag with an `onerror` handler, allowing remote attackers to execute arbitrary JavaScript.

Vulnerability Description

A stored cross-site scripting (XSS) vulnerability exists in Qiwen Netdisk up to version 1.4.0. The issue resides in the file rename handler, where user input is not properly sanitized. An attacker can inject a malicious payload as the new filename, which will be stored and executed when other users view the file listing.

Attack Vector

The attack requires only the ability to rename a file, which is typically accessible to authenticated users. When a victim navigates to the file listing page, the crafted filename is rendered without proper encoding, causing the browser to execute the injected JavaScript. No special privileges or complex interaction are needed beyond triggering the file listing display.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session cookie theft, page defacement, or redirection to malicious sites, compromising the confidentiality and integrity of user data.

Mitigation

The vulnerability has been disclosed in a public issue on the project's repository [1]. As of May 2024, no official patch has been confirmed, but users are advised to update to a fixed version if available or implement output encoding for file names to mitigate the risk.
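The output-encoding mitigation mentioned above, sketched as an added example (not code from Qiwen Netdisk or from this advisory). It assumes the file listing is built by string templating; all function names and the sample file names are hypothetical and constructed for illustration.

```javascript
// Added example: encode stored file names when rendering, and validate them
// when the rename request arrives. Names below are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak pattern: the stored name is concatenated into markup as-is,
// so any markup in the name becomes part of the page.
function renderRowUnsafe(file) {
  return `<li title="${file.name}">${file.name}</li>`;
}

// Hardened pattern: every interpolation of the stored name is encoded,
// including the attribute value (quotes must be escaped there too).
function renderRowSafe(file) {
  const name = escapeHtml(file.name);
  return `<li title="${name}">${name}</li>`;
}

// Defence in depth in the rename handler: reject names containing markup
// metacharacters, path separators or control characters. Encoding at render
// time is still required, because older rows may already hold bad names.
function validateNewName(name) {
  if (typeof name !== 'string') return { ok: false, reason: 'not a string' };
  const trimmed = name.trim();
  if (trimmed.length === 0 || trimmed.length > 255) return { ok: false, reason: 'bad length' };
  if (/[<>"'&\/\\\u0000-\u001f]/.test(trimmed)) return { ok: false, reason: 'forbidden character' };
  return { ok: true, name: trimmed };
}

// Constructed sample names: a normal one, one containing markup,
// and one that tries to break out of a quoted attribute.
const samples = [{ name: 'report.txt' }, { name: '<b>report</b>.txt' }, { name: 'a" class="x' }];
for (const file of samples) {
  console.log(validateNewName(file.name).ok, renderRowSafe(file));
}
```

Validation alone does not protect names stored before the check existed, which is why the render path encodes regardless of what the rename handler accepted.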

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (0)

No patches discovered yet.

References (3)