Versions 1.6.2 and earlier of serve-index
are affected by a cross-site scripting vulnerability. Because file and directory names are not escaped in the module’s HTML output, a remote attacker that can influence file or directory names can launch a persistent cross-site scripting attack on the application.
Update to version 1.6.3 or later.
www.openwall.com/lists/oss-security/2016/04/20/11
github.com/expressjs/serve-index
github.com/expressjs/serve-index/commit/7381a1d1458959e57ee53ac932b06ff17904777e
github.com/expressjs/serve-index/issues/28
nvd.nist.gov/vuln/detail/CVE-2015-8856
web.archive.org/web/20200227190911/www.securityfocus.com/bid/96392