Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Static Web Server (SWS) is vulnerable to stored cross-site scripting (XSS) if directory listings are enabled for a directory to which an untrusted user has upload privileges. An attacker can upload a file with a malicious name like <img src=x onerror=alert(1)>.txt, which allows JavaScript execution in the context of the web server's domain when the directory listing is viewed. The vulnerability exists because SWS does not properly escape HTML entities in directory listings.
This vulnerability allows an attacker to execute arbitrary JavaScript in the browser of anyone viewing the directory listing that contains the malicious file. The attacker could steal the victim's cookies, deface the website, conduct phishing attacks, and perform other client-side attacks.
There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation at the moment.
A patch is available and details can be found at https://github.com/advisories/GHSA-rwfq-v4hq-h7fg. The vulnerability is patched in the latest version.
Users are advised to upgrade to the latest patched version. There are no known workarounds. As a mitigation, disable directory listings or ensure untrusted users do not have upload privileges to any directories with directory listings enabled.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
NVD published the first details for CVE-2024-32966
A CVSS base score of 5.8 has been assigned.
Feedly found the first article mentioning CVE-2024-32966.
EPSS Score was set to: 0.04% (Percentile: 8.3%)