CVE-2025-53839

Severity CVSS v4.0:

Pending analysis

Type:

CWE-79 Cross-Site Scripting (XSS)

Publication date:

15/07/2025

Last modified:

15/07/2025

Description

DRACOON is a file sharing service, and the DRACOON Branding Service allows customers to customize their DRACOON interface with their brand. Versions of the DRACOON Branding Service prior to 2.10.0 are vulnerable to cross-site scripting. Improper neutralization of input from administrative users could inject HTML code into the workflow for newly onboarded users. A fix was made available in version 2.10.0 and rolled out to the DRACOON service. DRACOON customers do not need to take action.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS v3.1 Severity and Metrics:

Base Score: 4.00 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): High
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

Base Score 3.x

4.00

Severity 3.x

MEDIUM

References to Advisories, Solutions, and Tools

https://github.com/dracoon/security-advisories/security/advisories/GHSA-jv2h-8mw7-mc97