
Description

File Browser provides a file-managing interface within a specified directory and can be used to upload, delete, preview, rename and edit files. Prior to version 2.34.1, a missing password policy and missing brute-force protection make the authentication process insecure. Attackers could mount a brute-force attack to retrieve the passwords of all accounts in a given instance. This issue has been patched in version 2.34.1.

PUBLISHED | Reserved 2025-06-24 | Published 2025-06-30 | Updated 2025-08-04 | Assigner GitHub_M




MEDIUM: 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-307: Improper Restriction of Excessive Authentication Attempts

CWE-521: Weak Password Requirements

CWE-1392: Use of Default Credentials

Product status

< 2.34.1
affected

References

github.com/...rowser/security/advisories/GHSA-cm2r-rg7r-p7gg

github.com/...ommit/bf37f88c32222ad9c186482bb97338a9c9b4a93c

github.com/...0327-01_Filebrowser_Insecure_Password_Handling

cve.org (CVE-2025-52997)

nvd.nist.gov (CVE-2025-52997)
