Lucene search

K
osvGoogleOSV:GHSA-J8X7-QCW4-XX85
HistoryJan 26, 2023 - 9:30 p.m.

Cross-site Scripting (XSS) in serve-lite

2023-01-2621:30:25
Google
osv.dev
6
cross-site scripting
serve-lite
vulnerable

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

29.1%

All versions of the package serve-lite are vulnerable to Cross-site Scripting (XSS) because when it detects a request to a directory, it renders a file listing of all of its contents with links that include the actual file names without any sanitization or output encoding.

CPENameOperatorVersion
serve-litele1.1.0

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

29.1%

Related for OSV:GHSA-J8X7-QCW4-XX85