PT-2018-16189 · Unknown · Statics-Server

Bl4De

Published: 2018-07-20 · Updated: 2023-01-30 · CVE-2018-3771

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: statics-server versions 0.0.0 through 0.0.9

Description: The issue is a Cross-Site Scripting (XSS) vulnerability. It occurs when statics-server renders a directory index in the browser and an attacker has placed a file whose name contains an iframe tag. statics-server does not HTML-escape filenames when building the directory index, so the attacker can embed an HTML iframe tag whose src attribute points to another HTML file in the same directory; that file can contain JavaScript, which is then executed in the viewer's browser. Specifically, the variable v is inserted into the <a href> element without escaping, which is what allows the <iframe> tag to be embedded.

Recommendations: For statics-server versions 0.0.0 through 0.0.9, consider disabling the directory index display feature until a patch is available. Restrict access to the directory index to minimize the risk of exploitation. HTML-escape the variable v before inserting it into the <a href> element so that malicious HTML cannot be embedded.
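As an added example (not statics-server's own code), the following minimal directory-index renderer has the shape the advisory describes: the filename variable v concatenated into the <a href> element unescaped, beside a hardened version that percent-encodes the path segment for the href attribute and entity-escapes the visible text. The directory name /files and the entry names are constructed for the demonstration.

```javascript
// Added example, not statics-server's own code. The directory and filenames
// below are constructed.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape: `v` (a filename read from disk) goes straight into the
// href attribute and the link text, so a name containing markup is emitted
// as markup and the browser renders it.
function renderIndexUnsafe(dir, names) {
  const rows = names.map((v) => `<li><a href="${dir}/${v}">${v}</a></li>`);
  return `<ul>\n${rows.join('\n')}\n</ul>`;
}

// Hardened: the href gets a percent-encoded path segment (quotes, spaces and
// angle brackets can no longer terminate the attribute or start a tag) and is
// entity-escaped as an attribute value; the visible text is entity-escaped.
function renderIndexSafe(dir, names) {
  const rows = names.map((v) => {
    const href = escapeHtml(`${dir}/${encodeURIComponent(v)}`);
    return `<li><a href="${href}">${escapeHtml(v)}</a></li>`;
  });
  return `<ul>\n${rows.join('\n')}\n</ul>`;
}

// Constructed sample listing: one ordinary file and one whose name carries
// an iframe tag, as in the advisory.
const SAMPLE_DIR = '/files';
const SAMPLE_NAMES = ['readme.txt', '<iframe src="x.html">'];

// Quick regression check a maintainer can keep in a test suite: the rendered
// index must never contain a raw iframe tag, whatever the filenames are.
function leaksRawIframe(html) {
  return /<iframe/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:\n' + renderIndexUnsafe(SAMPLE_DIR, SAMPLE_NAMES));
  console.log('safe:\n' + renderIndexSafe(SAMPLE_DIR, SAMPLE_NAMES));
  console.log('unsafe leaks iframe:', leaksRawIframe(renderIndexUnsafe(SAMPLE_DIR, SAMPLE_NAMES)));
  console.log('safe leaks iframe:', leaksRawIframe(renderIndexSafe(SAMPLE_DIR, SAMPLE_NAMES)));
}
```

The two escaping steps are deliberately different: encodeURIComponent is the right transform for a path segment inside a URL, while escapeHtml is the right transform for text and attribute values in HTML; applying only one of them to both places is the usual way such fixes are made incomplete.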

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2018-3771, GHSA-393X-FR59-R8FG

Affected Products: Statics-Server