GHSA-8559-gwj3-q37r
EasyAdmin: Stored Cross-Site Scripting (XSS) via uploaded files served inline in FileField and ImageField
Details
EasyAdmin's `FileField` and `ImageField` accept browser-executable file types by default (`FileField` applies no MIME/extension restrictions; `ImageField`'s default `Image` constraint accepts SVG). When the upload directory is configured inside the public web root — as shown in the documentation — EasyAdmin links to the stored file inline (no download attribute or `Content-Disposition: attachment`).
An attacker with access to a form using these fields can upload an `.html` (`FileField`) or `.svg` (`ImageField`) file containing JavaScript. When another user opens it from the backend, it is served from the same origin and the script executes in the context of their authenticated admin session, enabling session/CSRF-token theft or privilege escalation.
Exploitation requires the developer to store uploads in the public directory and a privilege gap between the uploading user and the viewing administrator. This is stored XSS only — it does not allow remote code execution, because uploaded filenames are derived from Symfony's `guessExtension()`, which never produces `.php`/`.phtml`.
Credit
We would like to thank Emre Dogan for reporting the issue.
Are you affected?
Enter the version of the package you're using.
Affected packages
5.0.0 Fixed in: 5.0.13 composer require easycorp/easyadmin-bundle:^5.0.13 References
- https://github.com/EasyCorp/EasyAdminBundle/security/advisories/GHSA-8559-gwj3-q37r [WEB]
- https://github.com/EasyCorp/EasyAdminBundle/commit/8132b2b0ca3876c9261264fa267106a1b2c10a68 [WEB]
- https://github.com/EasyCorp/EasyAdminBundle [PACKAGE]
- https://github.com/EasyCorp/EasyAdminBundle/releases/tag/v5.0.13 [WEB]