Lucene search

Veracode Vulnerability DatabaseVERACODE:41728

HistoryJul 26, 2023 - 9:09 a.m.

Cross-Site Scripting (XSS)

2023-07-2609:09:26

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross-site scripting

copyparty

user input validation

javascript injection

browser

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

0.002 Low

EPSS

Percentile

59.5%

JSON

copyparty is vulnerable to Cross-Site Scripting. The vulnerability exists due to a lack of user input validation in the ?k304= and ?setck= parameters which allows an attacker to inject and execute arbitrary JavaScript into the browser.

CPENameOperatorVersion
copypartyle1.8.6
copypartyle1.8.6

CPE	Name	Operator	Version
	copyparty	le	1.8.6
	copyparty	le	1.8.6

References

packetstormsecurity.com/files/173821/Copyparty-1.8.6-Cross-Site-Scripting.html

github.com/9001/copyparty/commit/007d948cb982daa05bc6619cd20ee55b7e834c38

github.com/9001/copyparty/releases/tag/v1.8.7

github.com/9001/copyparty/security/advisories/GHSA-f54q-j679-p9hh

github.com/advisories/GHSA-f54q-j679-p9hh