GHSA-j657-59rv-qwm6

Source

https://github.com/advisories/GHSA-j657-59rv-qwm6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-j657-59rv-qwm6/GHSA-j657-59rv-qwm6.json

Aliases

CVE-2019-5457

Published

2019-07-31T04:22:27Z

Modified

2023-11-08T04:01:36.531395Z

Details

All versions of min-http-server are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code.

Recommendation

No fix is currently available, consider using an alternative package until a fix is made available.

References

https://nvd.nist.gov/vuln/detail/CVE-2019-5457
https://hackerone.com/reports/570568
https://www.npmjs.com/advisories/1111

Affected packages

npm / min-http-server

Package

Name: min-http-server

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Last affected

1.0.6