CVE-2025-65790
Reflected XSS in FuguHub 8.1 SVG File Manager Enables Script Execution
Publication date: 2025-12-22
Last updated on: 2025-12-22
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fuguhub | fuguhub | 8.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-65790 is a reflected cross-site scripting (XSS) vulnerability in FuguHub 8.1 that occurs when serving SVG files through the /fs/ file manager interface. The vulnerability exists because FuguHub does not sanitize or restrict script execution inside SVG content. When a user opens a specially crafted SVG file containing an inline <script> element, the browser executes the attacker-controlled JavaScript, allowing malicious code to run in the victim's browser. [2]
How can this vulnerability impact me?
This vulnerability allows remote attackers to execute arbitrary JavaScript in the victim's browser. Potential impacts include credential or session hijacking (if cookies are not HttpOnly), manipulation of the user interface, phishing attacks, forced user actions within the application, and an expanded cross-user attack surface. Essentially, attackers can perform actions on behalf of the user or steal sensitive information by exploiting this XSS flaw. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying SVG files served through the /fs/ file manager interface that contain inline <script> elements or event attributes. One approach is to scan the SVG files on the server for embedded <script> tags. For example, you can use the following command to find SVG files containing <script> tags: grep -ril '<script' /path/to/fuguhub/fs/. Additionally, monitoring HTTP responses for SVG files served without sanitization could help detect exploitation attempts. Testing with a crafted SVG file containing an inline script (like the proof of concept xss.svg) and observing if the script executes in the browser can confirm the vulnerability. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1) Strip <script> tags and event attributes from SVG files before serving them through the /fs/ interface.
2) Disable inline script execution or enforce sandboxing policies via Content-Security-Policy (CSP) headers.
3) Restrict or disable SVG file uploads, or convert SVG files to safer raster formats like PNG.
4) Sanitize or parse SVG files to remove executable scripts before serving.
Implementing these measures will reduce the risk of arbitrary JavaScript execution in users' browsers. [2]
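As an added example (not code from FuguHub or from the advisory), the following Python filter implements steps 1 and 4 by parsing the SVG as XML instead of pattern-matching it, and returns a list of what it removed so the same function can drive the file scan described in the detection answer. The function names, the element denylist and the sample file are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # serialize without ns0: prefixes

# Illustrative denylist (an assumption of this example, not exhaustive).
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


def local(name):
    """Drop the '{namespace}' prefix ElementTree adds, and lowercase the name."""
    return name.rsplit("}", 1)[-1].lower()


def sanitize_svg(data):
    """Return (clean_svg_bytes, findings); findings is empty for a passive SVG."""
    # Refuse DTDs up front: they enable entity tricks and a plain SVG needs none.
    if re.search(rb"<!\s*(DOCTYPE|ENTITY)", data, re.I):
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    root = ET.fromstring(data)
    if local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    findings = []
    # Pass 1: remove elements that execute script or embed foreign markup.
    for parent in list(root.iter()):
        for child in list(parent):
            if local(child.tag) in ACTIVE_ELEMENTS:
                findings.append(f"element <{local(child.tag)}>")
                parent.remove(child)
    # Pass 2: remove event handlers and javascript: URLs in any attribute.
    # The parser has already decoded character references in the values.
    for el in root.iter():
        for attr, value in list(el.attrib.items()):
            compact = re.sub(r"[\s\x00-\x1f]+", "", value).lower()
            if local(attr).startswith("on") or compact.startswith("javascript:"):
                findings.append(f"attribute {local(attr)} on <{local(el.tag)}>")
                del el.attrib[attr]
    return ET.tostring(root), findings


# Constructed sample input; the script body and handler are harmless placeholders.
SAMPLE = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
          b'<script>/* placeholder */</script><circle r="5"/></svg>')

if __name__ == "__main__":
    clean, found = sanitize_svg(SAMPLE)
    print(found)
    print(clean.decode())
```

A filter like this complements the CSP header in step 2 and does not replace it, since a denylist can miss an element or attribute that a browser treats as active.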
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows remote attackers to execute arbitrary JavaScript in a victim's browser, potentially leading to credential or session hijacking, user interface manipulation, phishing attacks, and forced user actions. Such security breaches can result in unauthorized access to personal or sensitive data, which may violate data protection requirements under standards like GDPR and HIPAA. Therefore, this vulnerability could negatively impact compliance with these regulations by exposing user data to unauthorized access and exploitation. [2]