THREATINT
PUBLISHED

CVE-2025-52997

File Browser Insecurely Handles Passwords



Description

File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename and edit files. Prior to version 2.34.1, the absence of a password policy and of brute-force protection makes the authentication process insecure. Attackers could mount a brute-force attack to retrieve the passwords of all accounts in a given instance. This issue has been patched in version 2.34.1.

Reserved 2025-06-24 | Published 2025-06-30 | Updated 2025-06-30 | Assigner GitHub_M


MEDIUM: 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-307: Improper Restriction of Excessive Authentication Attempts

CWE-521: Weak Password Requirements

CWE-1392: Use of Default Credentials

Product status

< 2.34.1 | affected

References

github.com/...rowser/security/advisories/GHSA-cm2r-rg7r-p7gg

github.com/...ommit/bf37f88c32222ad9c186482bb97338a9c9b4a93c

cve.org (CVE-2025-52997)

nvd.nist.gov (CVE-2025-52997)
