Cross-Site Scripting in PHP File Manager by Dulldusk

Posted date 06/06/2024
3 - Medium
Affected Resources

PHP File Manager, version 1.7.8.


INCIBE has coordinated the publication of 1 medium severity vulnerability affecting PHP File Manager, version 1.7.8, a quick access file system management tool and also for verifying the configuration and security of the PHP server, which has been discovered by Rafael Pedrero.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and vulnerability type CWE:

  • CVE-2024-5673: 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79.

There is no reported solution at this time.


CVE-2024-5673: vulnerability in Dulldusk's PHP File Manager affecting version 1.7.8. This vulnerability consists of an XSS through the fm_current_dir parameter of index.php. An attacker could send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session.

References list