CVSS3: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score: 6.3 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 10.4%)
An XSS vulnerability exists on index pages for static file handling. When using web.static(..., show_index=True), the resulting index pages do not escape file names. If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.

We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable show_index if unable to upgrade.
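As an added example that is not aiohttp's own code, the following standard-library-only renderer shows the flaw class the advisory describes (file names interpolated raw into a directory listing) beside the escaped form, and a check a defender can run over the generated page; the file names are constructed samples.

```python
import html
from urllib.parse import quote

# Constructed sample file names: the second and third are the kind of upload
# that turns into markup when a directory listing does not escape names.
CONSTRUCTED_NAMES = [
    "report.txt",
    '<img src=x onerror=alert(1)>.png',
    'quote"break.txt',
]


def unsafe_index(prefix: str, names: list[str]) -> str:
    """Listing that interpolates file names raw: whatever was uploaded as a
    file name becomes markup in the page (the unescaped pattern the advisory describes)."""
    rows = "".join(f'<li><a href="{prefix}{n}">{n}</a></li>' for n in names)
    return f"<html><body><h1>Index of {prefix}</h1><ul>{rows}</ul></body></html>"


def safe_index(prefix: str, names: list[str]) -> str:
    """Same listing, with each name escaped for the context it lands in:
    percent-encoded inside the href, HTML-escaped (quotes included) as text."""
    rows = "".join(
        f'<li><a href="{html.escape(prefix + quote(n), quote=True)}">'
        f"{html.escape(n, quote=True)}</a></li>"
        for n in names
    )
    title = html.escape(prefix, quote=True)
    return f"<html><body><h1>Index of {title}</h1><ul>{rows}</ul></body></html>"


def contains_raw_markup(page: str, names: list[str]) -> bool:
    """Defender-side check: does any file name containing markup characters
    survive verbatim in the page? If so, it was not escaped."""
    return any(n in page for n in names if "<" in n or '"' in n)


if __name__ == "__main__":
    for render in (unsafe_index, safe_index):
        page = render("/static/", CONSTRUCTED_NAMES)
        found = contains_raw_markup(page, CONSTRUCTED_NAMES)
        print(f"{render.__name__}: raw markup present = {found}")
```

Disabling show_index removes the listing entirely; the escaped renderer shows what a listing must do if it is kept.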
github.com/advisories/GHSA-7gpw-8wmc-pm8g
github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397
github.com/aio-libs/aiohttp/pull/8319
github.com/aio-libs/aiohttp/pull/8319/files
github.com/aio-libs/aiohttp/security/advisories/GHSA-7gpw-8wmc-pm8g
lists.fedoraproject.org/archives/list/[email protected]/message/2EXRGTN2WG7VZLUZ7WOXU5GQJKCPPHKP
lists.fedoraproject.org/archives/list/[email protected]/message/NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U
lists.fedoraproject.org/archives/list/[email protected]/message/ZIVBMPEY7WWOFMC3CWXFBRQPFECV4SW3
nvd.nist.gov/vuln/detail/CVE-2024-27306