Multiple vulnerabilities in Seafile
Seafile, versions prior to 12.0.14.
INCIBE has coordinated the publication of two medium-severity vulnerabilities affecting Seafile, open-source software for synchronizing and sharing files. The vulnerabilities were discovered by Arnau Sola López and Arnau Yepes Huguet.
Each vulnerability has been assigned the following identifier, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2025-41079 and CVE-2025-41080: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
The vulnerabilities have been fixed by the Seafile team in version 12.0.14.
A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim's browser by storing malicious payloads. The relationship between parameters and assigned identifiers is as follows:
- CVE-2025-41079: PUT parameter 'name' in '/api/v2.1/user/'.
- CVE-2025-41080: POST parameter 'p' in '/api/v2.1/repos/{repo_id}/file/'.



