CVE-2025-7066 (GCVE-0-2025-7066)
Vulnerability from cvelistv5
Published
2025-07-04 12:02
Modified
2025-09-16 11:01
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110 and CVE-2024-12326), video and audio. However, it was possible to bypass this check by sending a manipulated MIME type containing a comma and an other MIME type like text/html (for example image/png,text/html). Browsers see multiple MIME types and text/html would takes precedence, allowing a possible attacker to do a cross-site scripting attack. The check for MIME types was enhanced to prevent a browser preview when the stored MIME type contains a comma.
References
Impacted products
Vendor Product Version
Jirafeau project Jirafeau Version: 0   
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-7066",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-07T14:38:09.223238Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-07T14:57:28.422Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jirafeau",
          "vendor": "Jirafeau project",
          "versions": [
            {
              "lessThan": "4.6.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Yann Cam"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Killian Chevrier"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Patrick Canterino"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110 and CVE-2024-12326), video and audio. However, it was possible to bypass this check by sending a manipulated MIME type containing a comma and an other MIME type like text/html (for example image/png,text/html). Browsers see multiple MIME types and text/html would takes precedence, allowing a possible attacker to do a cross-site scripting attack. The check for MIME types was enhanced to prevent a browser preview when the stored MIME type contains a comma."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-16T11:01:26.893Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "url": "https://gitlab.com/jirafeau/Jirafeau/-/commit/79464ec6276e8eb0e0b0ad597db02b85080d2b63"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-30110"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-12326"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to version 4.6.3"
        }
      ],
      "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in Jirafeau"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2025-7066",
    "datePublished": "2025-07-04T12:02:34.287Z",
    "dateReserved": "2025-07-04T12:02:29.560Z",
    "dateUpdated": "2025-09-16T11:01:26.893Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-7066\",\"sourceIdentifier\":\"cve@gitlab.com\",\"published\":\"2025-07-04T12:15:35.740\",\"lastModified\":\"2025-08-14T14:00:20.763\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110 and CVE-2024-12326), video and audio. However, it was possible to bypass this check by sending a manipulated MIME type containing a comma and an other MIME type like text/html (for example image/png,text/html). Browsers see multiple MIME types and text/html would takes precedence, allowing a possible attacker to do a cross-site scripting attack. The check for MIME types was enhanced to prevent a browser preview when the stored MIME type contains a comma.\"},{\"lang\":\"es\",\"value\":\"Jirafeau normalmente impide la vista previa del navegador para archivos de texto debido a la posibilidad de que, por ejemplo, documentos SVG y HTML pudieran ser explotados para ataques de cross site scripting. Esto se lograba almacenando el tipo MIME de un archivo y permitiendo solo la vista previa del navegador para tipos MIME que empiezan por imagen (excepto para image/svg+xml, v\u00e9anse CVE-2022-30110 y CVE-2024-12326), v\u00eddeo y audio. Sin embargo, era posible omitir esta comprobaci\u00f3n enviando un tipo MIME manipulado que conten\u00eda una coma y otro tipo MIME como text/html (por ejemplo, image/png,text/html). Los navegadores ven m\u00faltiples tipos MIME y text/html tendr\u00eda prioridad, lo que permitir\u00eda a un posible atacante realizar un ataque de cross site scripting. La comprobaci\u00f3n de tipos MIME se mejor\u00f3 para evitar la vista previa del navegador cuando el tipo MIME almacenado contiene una coma.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@gitlab.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"cve@gitlab.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jirafeau:jirafeau:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.6.3\",\"matchCriteriaId\":\"889B7727-FB6E-484A-B66F-490BDD78D17A\"}]}]}],\"references\":[{\"url\":\"https://gitlab.com/jirafeau/Jirafeau/-/commit/79464ec6276e8eb0e0b0ad597db02b85080d2b63\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://www.cve.org/CVERecord?id=CVE-2022-30110\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.cve.org/CVERecord?id=CVE-2024-12326\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-7066\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-07T14:38:09.223238Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-07T14:40:31.440Z\"}}], \"cna\": {\"title\": \"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in Jirafeau\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Yann Cam\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Killian Chevrier\"}, {\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Patrick Canterino\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Jirafeau project\", \"product\": \"Jirafeau\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.6.3\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade to version 4.6.3\"}], \"references\": [{\"url\": \"https://gitlab.com/jirafeau/Jirafeau/-/commit/79464ec6276e8eb0e0b0ad597db02b85080d2b63\"}, {\"url\": \"https://www.cve.org/CVERecord?id=CVE-2022-30110\"}, {\"url\": \"https://www.cve.org/CVERecord?id=CVE-2024-12326\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110 and CVE-2024-12326), video and audio. However, it was possible to bypass this check by sending a manipulated MIME type containing a comma and an other MIME type like text/html (for example image/png,text/html). Browsers see multiple MIME types and text/html would takes precedence, allowing a possible attacker to do a cross-site scripting attack. The check for MIME types was enhanced to prevent a browser preview when the stored MIME type contains a comma.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"ceab7361-8a18-47b1-92ba-4d7d25f6715a\", \"shortName\": \"GitLab\", \"dateUpdated\": \"2025-09-16T11:01:26.893Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-7066\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-09-16T11:01:26.893Z\", \"dateReserved\": \"2025-07-04T12:02:29.560Z\", \"assignerOrgId\": \"ceab7361-8a18-47b1-92ba-4d7d25f6715a\", \"datePublished\": \"2025-07-04T12:02:34.287Z\", \"assignerShortName\": \"GitLab\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.