GHSA-393x-fr59-r8fg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-393x-fr59-r8fg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-393x-fr59-r8fg/GHSA-393x-fr59-r8fg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-393x-fr59-r8fg
- Aliases
-
- CVE-2018-3771
- Published
- 2022-05-13T01:32:20Z
- Modified
- 2024-04-22T23:26:36.518156Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- statics-server Cross-site Scripting vulnerability
- Details
-
An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser. Statics-server does not implement any HTML escaping when displays directory index in the browser. Variable
vis used in<a href>element without escaping, which allows to embed HTML<iframe>tag withsrcattribute points to another HTML file in the directory. This file can contain malicious JavaScript code, which will be executed:// ./node_modules/statics-server/index.js, line 18: if(fs.lstatSync(staticPath).isDirectory()){ var files=fs.readdirSync(staticPath); var lis=''; files.forEach((v,i)=>{ if(fs.lstatSync(path.resolve(staticPath,v)).isDirectory()){ lis+=`<li><a href="${req.url}${v}/">${v}/</a></li>`; }else { lis+=`<li><a href="${req.url}${v}">${v}</a></li>` } }); (...) - Database specific
{ "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2024-04-22T23:08:32Z", "nvd_published_at": "2018-07-20T22:29:00Z", "severity": "MODERATE" }- References
Affected packages
npm / statics-server
Package
- Name
- statics-server
- View open source insights on deps.dev
- Purl
- pkg:npm/statics-server