PT-2019-17687 · Unknown · Http File Server
Published: 2019-07-30 · Updated: 2023-01-31 · CVE-2019-5458
CVSS v3.1: 5.4 (Medium), vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
http-file-server (all versions)
Description
A cross-site scripting (XSS) issue allows an attacker with access to the server file system to execute arbitrary JavaScript in a victim's browser. The package does not sanitize filenames, so a file whose name contains script markup causes that code to run in the browser of any user who views it.
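As an added illustration of this bug class in Node.js (not code from the advisory or from http-file-server itself; the function names and the sample filenames are assumptions), a directory listing that concatenates filenames straight into HTML, beside a version that encodes each value for the context it lands in:

```javascript
// Vulnerable pattern: the filename is interpolated into HTML unchanged,
// so any markup in the name is parsed by the browser.
function renderListingUnsafe(names) {
  return '<ul>' +
    names.map((n) => `<li><a href="/${n}">${n}</a></li>`).join('') +
    '</ul>';
}

// Escape the characters that change meaning in HTML text and
// double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: percent-encode the URL path segment and HTML-escape
// the visible text; each output context gets its own encoding.
function renderListingSafe(names) {
  return '<ul>' +
    names.map((n) =>
      `<li><a href="/${encodeURIComponent(n)}">${escapeHtml(n)}</a></li>`
    ).join('') +
    '</ul>';
}

// Constructed sample listing: one ordinary file and one whose name
// carries a tag (no "/" in it, so it is a valid filename on Linux).
const SAMPLE_NAMES = ['notes.txt', '<marquee>report.txt'];

// Quick self-check: the tag survives the unsafe renderer and is
// neutralised by the safe one.
function listingLeaksMarkup(render) {
  return render(SAMPLE_NAMES).includes('<marquee>');
}
```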
Recommendations
For all versions, consider using an alternative package until a fix is made available. As a temporary workaround, consider restricting access to files with potentially malicious names to minimize the risk of exploitation.
Exploit
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Http File Server