CVE-2025-27088 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2025-27088 Interim 1 7 2026-03-05T01:11:33Z current 2025-03-14T00:12:32Z 2026-03-05T01:11:33Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2025-27088 oxyno-zeta/s3-proxy is an aws s3 proxy written in go. In affected versions a Reflected Cross-site Scripting (XSS) vulnerability enables attackers to create malicious URLs that, when visited, inject scripts into the web application. This can lead to session hijacking or phishing attacks on a trusted domain, posing a moderate risk to all users. It's possible to inject html elements, including scripts through the folder-list template. The affected template allows users to interact with the URL path provided by the `Request.URL.Path` variable, which is then rendered directly into the HTML without proper sanitization or escaping. This can be abused by attackers who craft a malicious URL containing injected HTML or JavaScript. When users visit such a URL, the malicious script will be executed in the user's context. This issue has been addressed in version 4.18.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings Container suse/sl-micro/6.0/baremetal-os-container:latest Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/kvm-os-container:latest Container suse/sl-micro/6.0/rt-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Image SL-Micro Image SL-Micro-Base Image SL-Micro-Base-RT Image SL-Micro-Base-RT-SelfInstall Image SL-Micro-Base-RT-encrypted Image SL-Micro-Base-SelfInstall Image SL-Micro-Base-encrypted Image SL-Micro-Base-qcow Image SL-Micro-Default Image SL-Micro-Default-SelfInstall Image SL-Micro-Default-encrypted Image SL-Micro-Default-qcow Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE SUSE Linux Enterprise Server 16.0 openSUSE Tumbleweed govulncheck-vulndb-0.0.20250312T181707-1.1 govulncheck-vulndb-0.0.20250814T182633-160000.1.2 libxml2-2-2.11.6-3.1 libxml2-tools-2.11.6-3.1 update-alternatives-1.22.0-slfo.1.1_2.1 libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/baremetal-os-container:latest libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/base-os-container:latest libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/kvm-os-container:latest libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/rt-os-container:latest libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/toolbox:latest libxml2-2-2.11.6-3.1 as a component of Image SL-Micro update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-RT update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-RT-SelfInstall update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-RT-encrypted update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-SelfInstall update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-encrypted update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-qcow update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Default update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Default-SelfInstall update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Default-encrypted update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Default-qcow libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-Azure libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-Azure update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-Azure libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-BYOS libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-BYOS update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-BYOS libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-Azure libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-Azure update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-BYOS-Azure libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-EC2 libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-EC2 update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-BYOS-EC2 libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-GCE libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-GCE update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-BYOS-GCE libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-EC2 libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-EC2 update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-EC2 libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-GCE libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-GCE update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-GCE govulncheck-vulndb-0.0.20250814T182633-160000.1.2 as a component of SUSE Linux Enterprise Server 16.0 govulncheck-vulndb-0.0.20250312T181707-1.1 as a component of openSUSE Tumbleweed oxyno-zeta/s3-proxy is an aws s3 proxy written in go. In affected versions a Reflected Cross-site Scripting (XSS) vulnerability enables attackers to create malicious URLs that, when visited, inject scripts into the web application. This can lead to session hijacking or phishing attacks on a trusted domain, posing a moderate risk to all users. It's possible to inject html elements, including scripts through the folder-list template. The affected template allows users to interact with the URL path provided by the `Request.URL.Path` variable, which is then rendered directly into the HTML without proper sanitization or escaping. This can be abused by attackers who craft a malicious URL containing injected HTML or JavaScript. When users visit such a URL, the malicious script will be executed in the user's context. This issue has been addressed in version 4.18.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2025-27088 Container suse/sl-micro/6.0/baremetal-os-container:latest:libxml2-2-2.11.6-3.1 Container suse/sl-micro/6.0/base-os-container:latest:libxml2-2-2.11.6-3.1 Container suse/sl-micro/6.0/kvm-os-container:latest:libxml2-2-2.11.6-3.1 Container suse/sl-micro/6.0/rt-os-container:latest:libxml2-2-2.11.6-3.1 Container suse/sl-micro/6.0/toolbox:latest:libxml2-2-2.11.6-3.1 Image SL-Micro:libxml2-2-2.11.6-3.1 Image SL-Micro:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-RT:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-RT-SelfInstall:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-RT-encrypted:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-SelfInstall:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-VMware:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-encrypted:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-qcow:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default-SelfInstall:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default-VMware:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default-encrypted:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default-qcow:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro:libxml2-2-2.11.6-3.1 Image SLE-Micro:libxml2-tools-2.11.6-3.1 Image SLE-Micro:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-Azure:libxml2-2-2.11.6-3.1 Image SLE-Micro-Azure:libxml2-tools-2.11.6-3.1 Image SLE-Micro-Azure:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-BYOS:libxml2-2-2.11.6-3.1 Image SLE-Micro-BYOS:libxml2-tools-2.11.6-3.1 Image SLE-Micro-BYOS:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-BYOS-Azure:libxml2-2-2.11.6-3.1 Image SLE-Micro-BYOS-Azure:libxml2-tools-2.11.6-3.1 Image SLE-Micro-BYOS-Azure:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-BYOS-EC2:libxml2-2-2.11.6-3.1 Image SLE-Micro-BYOS-EC2:libxml2-tools-2.11.6-3.1 Image SLE-Micro-BYOS-EC2:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-BYOS-GCE:libxml2-2-2.11.6-3.1 Image SLE-Micro-BYOS-GCE:libxml2-tools-2.11.6-3.1 Image SLE-Micro-BYOS-GCE:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-EC2:libxml2-2-2.11.6-3.1 Image SLE-Micro-EC2:libxml2-tools-2.11.6-3.1 Image SLE-Micro-EC2:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-GCE:libxml2-2-2.11.6-3.1 Image SLE-Micro-GCE:libxml2-tools-2.11.6-3.1 Image SLE-Micro-GCE:update-alternatives-1.22.0-slfo.1.1_2.1 SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1 important 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N