CVE-2018-16484
The CVE-2018-16484 entry concerns m-server prior to 1.4.2, where filenames displayed in directory listings are not escaped, allowing stored XSS via crafted filenames to execute malicious JavaScript/HTML. Affected component: m-server (module used for static HTTP serving); root cause: lack of escap...
CVE-2018-16485
CVE-2018-16485 describes a directory traversal vulnerability in the m-server Node.js module prior to version 1.4.1. The flaw arises because the server constructs targetPath with req.url using path.join and then serves the file without sanitizing the path, enabling an attacker to read arbitrary fi...