GHSA-754x-4jwp-cqp6

Source

https://github.com/advisories/GHSA-754x-4jwp-cqp6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-754x-4jwp-cqp6/GHSA-754x-4jwp-cqp6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-754x-4jwp-cqp6

Aliases

CVE-2019-15600

Published

2020-03-31T17:02:26Z

Modified

2023-11-08T04:01:14.707965Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Cross-Site Scripting in http_server

Details

All versions of http_server are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Database specific

{
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-03-31T15:39:05Z",
    "nvd_published_at": null,
    "severity": "HIGH"
}

References

Affected packages

npm / http_server

Package

Name: http_server; View open source insights on deps.dev
Purl: pkg:npm/http_server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.0.12

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-754x-4jwp-cqp6/GHSA-754x-4jwp-cqp6.json"