Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities by dracoon
CVE-2025-53839 (GCVE-0-2025-53839)
Vulnerability from nvd – Published: 2025-07-14 23:12 – Updated: 2025-07-15 19:49
VLAI
EPSS
VEX
Title
DRACOON Branding Service vulnerable to Cross-site Scripting
Summary
DRACOON is a file sharing service, and the DRACOON Branding Service allows customers to customize their DRACOON interface with their brand. Versions of the DRACOON Branding Service prior to 2.10.0 are vulnerable to cross-site scripting. Improper neutralization of input from administrative users could inject HTML code into the workflow for newly onboarded users. A fix was made available in version 2.10.0 and rolled out to the DRACOON service. DRACOON customers do not need to take action.
Severity
4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/dracoon/security-advisories/se… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| dracoon | security-advisories |
Affected:
< 2.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53839",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-15T13:45:36.110363Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T19:49:12.926Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "dracoon",
"versions": [
{
"status": "affected",
"version": "\u003c 2.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DRACOON is a file sharing service, and the DRACOON Branding Service allows customers to customize their DRACOON interface with their brand. Versions of the DRACOON Branding Service prior to 2.10.0 are vulnerable to cross-site scripting. Improper neutralization of input from administrative users could inject HTML code into the workflow for newly onboarded users. A fix was made available in version 2.10.0 and rolled out to the DRACOON service. DRACOON customers do not need to take action."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T23:12:09.992Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dracoon/security-advisories/security/advisories/GHSA-jv2h-8mw7-mc97",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dracoon/security-advisories/security/advisories/GHSA-jv2h-8mw7-mc97"
}
],
"source": {
"advisory": "GHSA-jv2h-8mw7-mc97",
"discovery": "UNKNOWN"
},
"title": "DRACOON Branding Service vulnerable to Cross-site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53839",
"datePublished": "2025-07-14T23:12:09.992Z",
"dateReserved": "2025-07-09T14:14:52.532Z",
"dateUpdated": "2025-07-15T19:49:12.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53839 (GCVE-0-2025-53839)
Vulnerability from cvelistv5 – Published: 2025-07-14 23:12 – Updated: 2025-07-15 19:49
VLAI
EPSS
VEX
Title
DRACOON Branding Service vulnerable to Cross-site Scripting
Summary
DRACOON is a file sharing service, and the DRACOON Branding Service allows customers to customize their DRACOON interface with their brand. Versions of the DRACOON Branding Service prior to 2.10.0 are vulnerable to cross-site scripting. Improper neutralization of input from administrative users could inject HTML code into the workflow for newly onboarded users. A fix was made available in version 2.10.0 and rolled out to the DRACOON service. DRACOON customers do not need to take action.
Severity
4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/dracoon/security-advisories/se… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| dracoon | security-advisories |
Affected:
< 2.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53839",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-15T13:45:36.110363Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T19:49:12.926Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "dracoon",
"versions": [
{
"status": "affected",
"version": "\u003c 2.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DRACOON is a file sharing service, and the DRACOON Branding Service allows customers to customize their DRACOON interface with their brand. Versions of the DRACOON Branding Service prior to 2.10.0 are vulnerable to cross-site scripting. Improper neutralization of input from administrative users could inject HTML code into the workflow for newly onboarded users. A fix was made available in version 2.10.0 and rolled out to the DRACOON service. DRACOON customers do not need to take action."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T23:12:09.992Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dracoon/security-advisories/security/advisories/GHSA-jv2h-8mw7-mc97",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dracoon/security-advisories/security/advisories/GHSA-jv2h-8mw7-mc97"
}
],
"source": {
"advisory": "GHSA-jv2h-8mw7-mc97",
"discovery": "UNKNOWN"
},
"title": "DRACOON Branding Service vulnerable to Cross-site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53839",
"datePublished": "2025-07-14T23:12:09.992Z",
"dateReserved": "2025-07-09T14:14:52.532Z",
"dateUpdated": "2025-07-15T19:49:12.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}