Thehackydog

**Name of the Vulnerable Software and Affected Versions** copyparty versions prior to 1.8.7 **Description** The application contains a reflected cross-site scripting vulnerability via URL-parameters `?k304=...` and `?setck=...`. This could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link. The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link. **Recommendations** For versions prior to 1.8.7, update to version 1.8.7 to resolve the issue. As a precautionary measure, consider changing the passwords of your copyparty accounts, unless you have inspected your logs and found no trace of attacks. If copyparty is running behind a reverse proxy, check the access-logs for traces of attacks by grepping for URLs containing `?hc=` with `<` somewhere in its value.

**Name of the Vulnerable Software and Affected Versions** Copyparty versions prior to 1.8.2 **Description** The issue is related to a path traversal vulnerability detected in the `.cpr` subfolder, allowing an attacker to access files, directories, and commands outside the web document root directory. This vulnerability can be exploited to read, modify, or delete data. The Path Traversal attack technique enables an attacker to access sensitive information. There are no known workarounds for this vulnerability. **Recommendations** For versions prior to 1.8.2, upgrade to release 1.8.2 or later to address the path traversal vulnerability. As a temporary workaround, consider restricting access to the `.cpr` subfolder until a patch is available. Additionally, users can monitor their copyparty server logs for signs of potential attacks using commands such as `grep -aE '(Errno|Permission).*.cpr/'` to detect invalid attempts.