Copyparty is a portable file server. Prior to v1.20.11., the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it.
This has been fixed in v1.20.11.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
Required
User action required
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
9001 Copyparty
cpe:2.3:a:9001:copyparty:*:*:*:*:*:*:*:*
|
— |
1.20.11
|
References 3
https://github.com/9001/copyparty/commit/1c9f894e149b6be3cc7de81efc93a4ce4766e0…
security-advisories@github.com
https://github.com/9001/copyparty/releases/tag/v1.20.11
security-advisories@github.com
https://github.com/9001/copyparty/security/advisories/GHSA-m6hv-x64c-27mm
security-advisories@github.com