PT-2024-21809 · Nginx+7

Arkark · Published 2024-04-18 · Updated 2025-08-21 · CVE-2024-27306

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: aiohttp versions prior to 3.9.4
Description: An XSS vulnerability exists on the index pages generated for static file handling. The issue arises when using web.static(..., show_index=True): the generated index pages do not escape file names, so the server is vulnerable to XSS if users can upload files with arbitrary filenames into the static directory. Users who follow the recommendation to serve static files through a reverse proxy such as nginx are unaffected.
Recommendations: For versions prior to 3.9.4, update to version 3.9.4 or later to resolve the issue. As a temporary workaround, disable the show_index parameter if you cannot upgrade.
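To make the defect class concrete, the following added example (written for this record, not aiohttp's own code and not the upstream fix) renders a minimal directory index twice: once interpolating file names verbatim, which is the behaviour the advisory describes, and once with every file name HTML-escaped in both attribute and text context. An audit helper built on the standard-library HTMLParser then lists any tags or on* event-handler attributes that appear in the page beyond the ones the template itself emits; the same helper can be pointed at an index page fetched from a real deployment to confirm that uploaded names are being escaped. The sample file names, the directory name "uploads" and the function names are constructed assumptions.

```python
import html
from html.parser import HTMLParser
from typing import Dict, Iterable, Set

# Constructed sample file names (assumption: uploaders control these strings).
# The third one carries markup that a browser would execute if rendered raw.
SAMPLE_NAMES = [
    "report.pdf",
    "notes & ideas.txt",
    "<img src=x onerror=alert(1)>.txt",
]

# Tags the index template itself emits; anything else in the page came from data.
TEMPLATE_TAGS = frozenset({"html", "body", "h1", "ul", "li", "a"})


def render_index_unescaped(dir_name: str, names: Iterable[str]) -> str:
    """Index page that drops file names into HTML verbatim.

    This reproduces the defect class in the advisory (unescaped names on a
    show_index page); it is an illustration, not aiohttp's implementation."""
    items = "".join(f'<li><a href="{n}">{n}</a></li>' for n in names)
    return f"<html><body><h1>Index of {dir_name}</h1><ul>{items}</ul></body></html>"


def render_index_escaped(dir_name: str, names: Iterable[str]) -> str:
    """Hardened index page: every untrusted value is escaped for its context.

    quote=True additionally escapes double and single quotes, which matters
    inside the href attribute; plain html.escape() is enough for text nodes."""
    items = "".join(
        f'<li><a href="{html.escape(n, quote=True)}">{html.escape(n)}</a></li>'
        for n in names
    )
    heading = html.escape(dir_name)
    return f"<html><body><h1>Index of {heading}</h1><ul>{items}</ul></body></html>"


class _TagCollector(HTMLParser):
    """Records every start tag and every on* attribute the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: Set[str] = set()
        self.event_attrs: Set[str] = set()

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.add(tag)
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.event_attrs.add(name.lower())


def audit_index(page: str) -> Dict[str, Set[str]]:
    """Return the tags not emitted by the template and any event-handler
    attributes found in the page; both sets are empty for a safe page."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return {
        "unexpected_tags": collector.tags - TEMPLATE_TAGS,
        "event_handler_attrs": collector.event_attrs,
    }


if __name__ == "__main__":
    for label, renderer in (("unescaped", render_index_unescaped),
                            ("escaped", render_index_escaped)):
        page = renderer("uploads", SAMPLE_NAMES)
        print(label, audit_index(page))
```

Run against the constructed names, the unescaped page yields an `img` tag with an `onerror` attribute, while the escaped page yields nothing beyond the template's own tags. Disabling show_index, as the workaround above suggests, removes the index page entirely and therefore also removes this rendering path.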

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2024-16702
ALT-PU-2024-17380
ALT-PU-2024-17385
ALT-PU-2025-4037
AZL-43357
AZL-43372
BDU:2025-03458
CVE-2024-27306
DLA-4041-1
GHSA-7GPW-8WMC-PM8G
MGASA-2024-0235
OESA-2025-1250
OESA-2025-1271
OESA-2025-1272
OPENSUSE-SU-2024:13965-1
OPENSUSE-SU-2024_1866-1
OPENSUSE-SU-2024_4396-1
RHSA-2024:3781
RHSA-2024:5662
RHSA-2025:1335
SUSE-SU-2024:1866-1
SUSE-SU-2024:4396-1
SUSE-SU-2024_1866-1
SUSE-SU-2024_4396-1
USN-7642-1

Affected Products

Alt Linux
Debian
Linuxmint
Red Os
Suse
Ubuntu
Aiohttp
Nginx