statics-server Cross-site Scripting vulnerability
Moderate severity
GitHub Reviewed
Published May 13, 2022 to the GitHub Advisory Database. Updated May 2, 2024.
Published by the National Vulnerability Database: Jul 20, 2018
Published to the GitHub Advisory Database: May 13, 2022
Reviewed: Apr 22, 2024
Last updated: May 2, 2024
Description
An XSS in statics-server <= 0.0.9 can be triggered via an iframe injected into a filename when statics-server displays a directory index in the browser. statics-server does not perform any HTML escaping when it renders the directory index. The variable v is used in the <a href> element without escaping, which allows embedding an HTML <iframe> tag whose src attribute points to another HTML file in the same directory. That file can contain malicious JavaScript code, which will then be executed.
References