statics-server Cross-site Scripting vulnerability

An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser. Statics-server does not implement any HTML escaping when displays directory index in the browser. Variable v is used in <a href> element without escaping, which allows to embed HTML <iframe> tag with src attribute points to another HTML file in the directory. This file can contain malicious JavaScript code, which will be executed:

// ./node_modules/statics-server/index.js, line 18:

    if(fs.lstatSync(staticPath).isDirectory()){
        var files=fs.readdirSync(staticPath);
        var lis='';
        files.forEach((v,i)=>{
            if(fs.lstatSync(path.resolve(staticPath,v)).isDirectory()){
                lis+=`<li><a href="${req.url}${v}/">${v}/</a></li>`;
            }else {
                lis+=`<li><a href="${req.url}${v}">${v}</a></li>`
            }
        });

        (...)

References

Published by the National Vulnerability Database Jul 20, 2018

Published to the GitHub Advisory Database May 13, 2022

Reviewed Apr 22, 2024

Last updated May 2, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code