CVE-2018-25157: Phraseanet Stored XSS: When Filenames Attack


Vulnerability ID: CVE-2018-25157
CVSS Score: 6.4
Published: 2026-02-11

A classic Stored Cross-Site Scripting (XSS) vulnerability in Phraseanet Digital Asset Management (DAM) software versions 4.0.3 and earlier. By simply renaming a file to contain malicious HTML and JavaScript, an attacker can turn a standard asset upload into a persistent trap for administrators and other users. The flaw lies in the application's failure to sanitize filenames before rendering them in the DOM.

TL;DR

Authenticated users can upload files with malicious names (e.g., containing script tags) to Phraseanet. Because the application fails to sanitize these names upon display, the code executes in the browser of anyone viewing the file. Fixed in version 4.0.7.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-79
  • CVSS v3.1: 6.4 (Medium)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None (Stored)
  • Exploit Status: PoC Available

Affected Systems

  • Phraseanet DAM <= 4.0.3
  • Phraseanet DAM 4.0.4-dev
  • Phraseanet DAM Open Source: <= 4.0.3 (Fixed in: 4.0.7)
  • Phraseanet DAM Open Source: 4.0.4-dev (Fixed in: 4.0.7)

Exploit Details

  • Exploit-DB: Original Proof of Concept by Krzysztof Szulski demonstrating the stored XSS via filename.

Mitigation Strategies

  • Input Sanitization
  • Output Encoding
  • Content Security Policy (CSP)

Remediation Steps:

  1. Upgrade Phraseanet to version 4.0.7 or later immediately.
  2. Audit existing filenames in the database for the characters <, >, ", and '.
  3. Implement a Content Security Policy (CSP) that does not allow inline scripts ('unsafe-inline'), to limit the impact of any missed XSS vectors.
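The following JavaScript is an added example, not Phraseanet's own code, illustrating the rendering flaw described at the top of the report and the three mitigation strategies listed above. It contrasts the vulnerable pattern (a stored filename concatenated verbatim into markup) with an output-encoded version, audits a constructed set of stored filenames for the characters named in step 2, and checks a CSP header for 'unsafe-inline' in script-src as in step 3. The record ids, filenames and CSP strings are constructed sample values and do not come from any real database.

```javascript
// Added example (not Phraseanet code): output encoding of user-controlled
// filenames, an audit of stored names, and a CSP check for inline scripts.

// The five characters that matter in HTML text and attribute context.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: turn markup characters into inert entities.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable pattern (the bug class the advisory describes): the stored
// filename is inserted into markup verbatim, so any tags it contains render.
function renderVulnerable(filename) {
  return `<span class="filename">${filename}</span>`;
}

// Hardened pattern: the filename is encoded at the point of output, so the
// browser shows the literal characters instead of interpreting them.
function renderHardened(filename) {
  return `<span class="filename">${escapeHtml(filename)}</span>`;
}

// Remediation step 2: flag stored filenames containing < > " or '.
const SUSPICIOUS_CHARS = /[<>"']/;

function auditFilenames(records) {
  return records
    .filter((record) => SUSPICIOUS_CHARS.test(record.filename))
    .map((record) => ({ id: record.id, filename: record.filename }));
}

// Remediation step 3: does this CSP still permit inline scripts?
// Looks at script-src, falling back to default-src as browsers do. Caveat:
// browsers ignore 'unsafe-inline' when a nonce or hash is also present in
// the same directive; this simple check does not model that.
function cspAllowsInlineScripts(cspHeader) {
  const directives = cspHeader
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .filter((parts) => parts[0]);
  const byName = Object.fromEntries(directives.map((parts) => [parts[0], parts.slice(1)]));
  const sources = byName['script-src'] || byName['default-src'];
  if (!sources) return true; // no directive governs scripts at all
  return sources.includes("'unsafe-inline'");
}

// Constructed sample records (hypothetical ids and names, not real data).
const SAMPLE_RECORDS = [
  { id: 101, filename: 'brochure_2024.pdf' },
  { id: 102, filename: 'photo<script>alert(1)</script>.jpg' },
  { id: 103, filename: 'report "final".docx' },
  { id: 104, filename: "o'neill_portrait.png" },
];

// Runs the audit and shows both renderings for every flagged record.
function runDemo() {
  const findings = auditFilenames(SAMPLE_RECORDS);
  for (const f of findings) {
    console.log(`record ${f.id}: vulnerable -> ${renderVulnerable(f.filename)}`);
    console.log(`record ${f.id}: hardened   -> ${renderHardened(f.filename)}`);
  }
  return findings;
}

runDemo();
```

Encoding at output time (renderHardened) is the fix that actually closes the hole; the audit only finds names that were stored before the fix, and the CSP check is defence in depth for whatever the first two miss.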
