Palant

**Name of the Vulnerable Software and Affected Versions** Static Web Server (SWS) (affected versions not specified) **Description** The issue allows JavaScript code execution in the context of the web server's domain when directory listings are enabled for a directory that an untrusted user has upload privileges for. A malicious file name, such as `<img src=x onerror=alert(1)>.txt`, can be used to exploit this. The web server does not perform escaping of HTML entities on values inserted in the directory listing, making `file name` and `current path` potentially malicious. This becomes a stored Cross-site Scripting vulnerability for web servers that allow users to upload files or create directories under a name of their choosing. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.