script.php in Jirafeau before 3.4.1 is affected by two stored Cross-Site Scripting (XSS) vulnerabilities. These are stored within the shared files description file and allow the execution of a JavaScript payload each time an administrator searches or lists uploaded files. These two injections could be triggered without authentication, and target the administrator. The attack vectors are the Content-Type field and the filename parameter.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:a:jirafeau:jirafeau:*:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"fixed": "3.4.1"
},
{
"fixed": "3.4.1"
}
],
"vendor_product": "jirafeau:jirafeau",
"source": "CPE_RANGE"
}
]
}