I would like to report stored xss in fileview module
It allows an attacker to embed malicious js code in filename there was no sanitization performed.
module name:fileviewversion:0.1.6npm page: https://www.npmjs.com/package/fileview
File browsers on web. It’s easy to browser your local file.
since there was no sanitizations performed on filenames ,an attacker can include filenames with malicious js code which gets executed when browsed to the file over the web browser
1.install fileview:
npm install fileview -g
2:now create a file with xss payload as follows:
"><img src>.jpg
3.running below command on terminal will start a file server at port 8080
fileview -p /root/ -P 8080
4.now goto http://127.0.0.1:8080/
you will see the xss got executed
> If you’re able to provide a patch with the fix please post it in this section
> State all technical information about the stack where the vulnerability was found
> Select Y or N for the following statements:
this could have allowed an attacker to embed malicious js code in filename and executes it when victim browse to file over the web browser