CVE-2017-9249

Name of the Vulnerable Software and Affected Versions Allen Disk version 1.6

Description A cross-site scripting (XSS) issue allows remote authenticated users to inject arbitrary web script or HTML persistently by uploading a crafted HTML file. The attack vector is the content of this file, and the filename must be specified in the "readfile.php" to exploit this issue.

Recommendations For Allen Disk version 1.6, consider restricting access to the file upload feature and the readfile.php endpoint until a fix is available. As a temporary workaround, avoid using the file upload feature to minimize the risk of exploitation.