CVE-2025-54789: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in humhub cfiles

Medium
Tags: Vulnerability, CVE-2025-54789, CWE-80
Published: Fri Aug 01 2025 (08/01/2025, 23:26:32 UTC)
Source: CVE Database V5
Vendor/Project: humhub
Product: cfiles

Description

Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, the File Move functionality does not contain logic that prevents injection of arbitrary JavaScript, which can lead to Browser JS code execution in the context of the user’s session. This is fixed in version 0.16.10.

AI-Powered Analysis

AI analysis last updated: 08/09/2025, 00:57:03 UTC

Technical Analysis

CVE-2025-54789 is a medium severity vulnerability classified under CWE-80, improper neutralization of script-related HTML tags in a web page, that is, a Cross-Site Scripting (XSS) vulnerability. It affects the 'cfiles' module of HumHub, a social collaboration platform, where the module manages files within spaces and user profiles; versions 0.16.9 and earlier of the module are affected. The root cause is missing input validation or output encoding in the File Move functionality, which allows an attacker to inject arbitrary JavaScript. When a user interacts with the affected functionality, the injected script executes in the context of that user's browser session, potentially leading to session hijacking, unauthorized actions performed as the user, or data theft. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) indicates a network attack vector, low attack complexity, no special attack requirements, low privileges required (PR:L: the attacker needs an account but no elevated rights), and passive user interaction (UI:P: the victim only has to perform ordinary actions, such as viewing or carrying out a file move that carries the injected content). The vector records no direct confidentiality, integrity or availability impact on the vulnerable module itself (VC:N/VI:N/VA:N), but low confidentiality and integrity impact on subsequent systems (SC:L/SI:L), which here is the victim's browser session; the practical harm is therefore to session security and user trust rather than to the server. The issue was fixed in version 0.16.10 of the cfiles module. No known exploits were reported in the wild as of the publication date, August 1, 2025.

Potential Impact

For European organizations using HumHub with the vulnerable cfiles module, this XSS vulnerability could lead to targeted attacks where malicious actors inject scripts to hijack user sessions or perform unauthorized actions under the guise of legitimate users. This is particularly critical in environments where HumHub is used for sensitive collaboration, file sharing, or internal communications. The exploitation could result in data leakage, unauthorized access to confidential files, or the spread of malware within the organization. Since the vulnerability requires some user interaction, phishing or social engineering campaigns could be used to trick users into triggering the exploit. The impact is heightened in sectors with strict data protection regulations such as GDPR, where unauthorized data exposure can lead to legal and financial penalties. Additionally, compromised user sessions could facilitate lateral movement within the network, increasing the risk of broader compromise.

Mitigation Recommendations

European organizations should immediately upgrade the HumHub cfiles module to version 0.16.10 or later, where the vulnerability is patched. Until the upgrade is applied, organizations should implement strict input validation and output encoding on all user-supplied data related to file operations within HumHub, if possible. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the platform. Conduct user awareness training to recognize and avoid phishing attempts that could trigger the exploit. Monitor logs for unusual file move operations or suspicious user activity within HumHub. Network segmentation and limiting access to the HumHub platform to trusted users can reduce exposure. Finally, consider deploying Web Application Firewalls (WAFs) with rules targeting XSS attack patterns specific to HumHub's cfiles module.
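The output-encoding recommendation above, as an added illustration that is not HumHub's or the cfiles module's own code: a constructed folder name carrying markup is rendered first by a vulnerable string-concatenation pattern and then by a hardened one that encodes every user-controlled value, plus a simple heuristic a defender can run over file-move logs to spot names that look like markup. All function names and the sample value are hypothetical.

```javascript
// Constructed sample input: a folder name that carries markup (not taken from the CVE record).
const SAMPLE_FOLDER = 'Reports <script>alert(1)</script>';

// Minimal HTML escaper covering the five characters that matter in text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: user-controlled names are concatenated straight into HTML,
// so a name containing a tag becomes live markup in the viewer's browser.
function renderMoveNoticeUnsafe(fileName, targetFolder) {
  return `<p>Moved <b>${fileName}</b> to <b>${targetFolder}</b></p>`;
}

// Hardened pattern: every user-controlled value is encoded before it reaches the HTML.
// In browser-side code the equivalent is assigning to textContent instead of innerHTML.
function renderMoveNotice(fileName, targetFolder) {
  return `<p>Moved <b>${escapeHtml(fileName)}</b> to <b>${escapeHtml(targetFolder)}</b></p>`;
}

// Detection heuristic for log review: flags file or folder names that look like HTML tags,
// javascript: URLs or inline event handlers. It is deliberately broad and may produce
// false positives on ordinary names, so treat hits as something to look at, not proof.
function looksLikeMarkup(name) {
  return /<[a-z\/!?]|javascript:|on\w+\s*=/i.test(String(name));
}

// Stand-alone demonstration of both renderings and the heuristic on the sample.
function demo() {
  const unsafe = renderMoveNoticeUnsafe('a.txt', SAMPLE_FOLDER);
  const safe = renderMoveNotice('a.txt', SAMPLE_FOLDER);
  return { unsafe, safe, flagged: looksLikeMarkup(SAMPLE_FOLDER) };
}

console.log(demo());
```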

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-29T16:50:28.393Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 688d4e9cad5a09ad00cfd476

Added to database: 8/1/2025, 11:32:44 PM

Last enriched: 8/9/2025, 12:57:03 AM

Last updated: 9/15/2025, 1:30:16 PM

Views: 38
