CVE-2025-7066 (GCVE-0-2025-7066)

Vulnerability from cvelistv5 – Published: 2025-07-04 12:02 – Updated: 2025-09-16 11:01
VLAI?
Title
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Jirafeau
Summary
Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110 and CVE-2024-12326), video and audio. However, it was possible to bypass this check by sending a manipulated MIME type containing a comma and an other MIME type like text/html (for example image/png,text/html). Browsers see multiple MIME types and text/html would takes precedence, allowing a possible attacker to do a cross-site scripting attack. The check for MIME types was enhanced to prevent a browser preview when the stored MIME type contains a comma.
Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
Jirafeau project Jirafeau Affected: 0 , < 4.6.3 (semver)
Create a notification for this product.
Credits
Yann Cam Killian Chevrier Patrick Canterino
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-7066",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-07T14:38:09.223238Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-07T14:57:28.422Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jirafeau",
          "vendor": "Jirafeau project",
          "versions": [
            {
              "lessThan": "4.6.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Yann Cam"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Killian Chevrier"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Patrick Canterino"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110 and CVE-2024-12326), video and audio. However, it was possible to bypass this check by sending a manipulated MIME type containing a comma and an other MIME type like text/html (for example image/png,text/html). Browsers see multiple MIME types and text/html would takes precedence, allowing a possible attacker to do a cross-site scripting attack. The check for MIME types was enhanced to prevent a browser preview when the stored MIME type contains a comma."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-16T11:01:26.893Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "url": "https://gitlab.com/jirafeau/Jirafeau/-/commit/79464ec6276e8eb0e0b0ad597db02b85080d2b63"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-30110"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-12326"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to version 4.6.3"
        }
      ],
      "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in Jirafeau"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2025-7066",
    "datePublished": "2025-07-04T12:02:34.287Z",
    "dateReserved": "2025-07-04T12:02:29.560Z",
    "dateUpdated": "2025-09-16T11:01:26.893Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-7066\",\"sourceIdentifier\":\"cve@gitlab.com\",\"published\":\"2025-07-04T12:15:35.740\",\"lastModified\":\"2025-08-14T14:00:20.763\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110 and CVE-2024-12326), video and audio. However, it was possible to bypass this check by sending a manipulated MIME type containing a comma and an other MIME type like text/html (for example image/png,text/html). Browsers see multiple MIME types and text/html would takes precedence, allowing a possible attacker to do a cross-site scripting attack. The check for MIME types was enhanced to prevent a browser preview when the stored MIME type contains a comma.\"},{\"lang\":\"es\",\"value\":\"Jirafeau normalmente impide la vista previa del navegador para archivos de texto debido a la posibilidad de que, por ejemplo, documentos SVG y HTML pudieran ser explotados para ataques de cross site scripting. Esto se lograba almacenando el tipo MIME de un archivo y permitiendo solo la vista previa del navegador para tipos MIME que empiezan por imagen (excepto para image/svg+xml, v\u00e9anse CVE-2022-30110 y CVE-2024-12326), v\u00eddeo y audio. Sin embargo, era posible omitir esta comprobaci\u00f3n enviando un tipo MIME manipulado que conten\u00eda una coma y otro tipo MIME como text/html (por ejemplo, image/png,text/html). Los navegadores ven m\u00faltiples tipos MIME y text/html tendr\u00eda prioridad, lo que permitir\u00eda a un posible atacante realizar un ataque de cross site scripting. La comprobaci\u00f3n de tipos MIME se mejor\u00f3 para evitar la vista previa del navegador cuando el tipo MIME almacenado contiene una coma.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@gitlab.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"cve@gitlab.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jirafeau:jirafeau:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.6.3\",\"matchCriteriaId\":\"889B7727-FB6E-484A-B66F-490BDD78D17A\"}]}]}],\"references\":[{\"url\":\"https://gitlab.com/jirafeau/Jirafeau/-/commit/79464ec6276e8eb0e0b0ad597db02b85080d2b63\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://www.cve.org/CVERecord?id=CVE-2022-30110\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.cve.org/CVERecord?id=CVE-2024-12326\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-7066\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-07T14:38:09.223238Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-07T14:40:31.440Z\"}}], \"cna\": {\"title\": \"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in Jirafeau\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Yann Cam\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Killian Chevrier\"}, {\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Patrick Canterino\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Jirafeau project\", \"product\": \"Jirafeau\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.6.3\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade to version 4.6.3\"}], \"references\": [{\"url\": \"https://gitlab.com/jirafeau/Jirafeau/-/commit/79464ec6276e8eb0e0b0ad597db02b85080d2b63\"}, {\"url\": \"https://www.cve.org/CVERecord?id=CVE-2022-30110\"}, {\"url\": \"https://www.cve.org/CVERecord?id=CVE-2024-12326\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110 and CVE-2024-12326), video and audio. However, it was possible to bypass this check by sending a manipulated MIME type containing a comma and an other MIME type like text/html (for example image/png,text/html). Browsers see multiple MIME types and text/html would takes precedence, allowing a possible attacker to do a cross-site scripting attack. The check for MIME types was enhanced to prevent a browser preview when the stored MIME type contains a comma.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"ceab7361-8a18-47b1-92ba-4d7d25f6715a\", \"shortName\": \"GitLab\", \"dateUpdated\": \"2025-09-16T11:01:26.893Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-7066\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-09-16T11:01:26.893Z\", \"dateReserved\": \"2025-07-04T12:02:29.560Z\", \"assignerOrgId\": \"ceab7361-8a18-47b1-92ba-4d7d25f6715a\", \"datePublished\": \"2025-07-04T12:02:34.287Z\", \"assignerShortName\": \"GitLab\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.