CVE-2024-32966

Name of the Vulnerable Software and Affected Versions Static Web Server (SWS) (affected versions not specified)

Description The issue allows JavaScript code execution in the context of the web server's domain when directory listings are enabled for a directory that an untrusted user has upload privileges for. A malicious file name, such as <img src=x onerror=alert(1)>.txt, can be used to exploit this. The web server does not perform escaping of HTML entities on values inserted in the directory listing, making file name and current path potentially malicious. This becomes a stored Cross-site Scripting vulnerability for web servers that allow users to upload files or create directories under a name of their choosing.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.