Cross-Site Scripting

Module: serve-index

Published: March 14th, 2015

Reported by: Ivan Kozik

CVE-2015-8856

CWE-

Vulnerable: <1.6.3
Patched: >=1.6.3

Overview

In serve-index middleware versions before 1.6.3, file and directory names are not escaped in the HTML output. If remote users can influence file or directory names, this can trigger a persistent XSS attack.
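
The following is an added example, not code from serve-index or from the advisory: a minimal directory-listing renderer that shows the unescaped behaviour described above next to a form that encodes names for each output context. The function names, the /files/ path and the sample file names are constructed for illustration.

```javascript
// Added illustration; not serve-index source code.
// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Behaviour the advisory describes: names are concatenated into markup as-is.
function renderListingUnescaped(dir, names) {
  const items = names.map((n) => `<li><a href="${dir}${n}">${n}</a></li>`);
  return `<ul>${items.join('')}</ul>`;
}

// Hardened form: percent-encode the name for the URL, then HTML-escape
// every value for the context it lands in (attribute value and element text).
function renderListingEscaped(dir, names) {
  const items = names.map((n) => {
    const href = escapeHtml(dir + encodeURIComponent(n));
    return `<li><a href="${href}">${escapeHtml(n)}</a></li>`;
  });
  return `<ul>${items.join('')}</ul>`;
}

// Constructed sample input: names a remote user could create in a shared
// or upload directory that is later browsed through the listing.
const sampleNames = [
  'report.txt',
  '<img src=x onerror=alert(1)>.txt',
  '"onmouseover="alert(1).txt',
];

// Regression check: true if any name containing markup characters
// appears verbatim (unescaped) in the rendered HTML.
function containsRawName(html, names) {
  return names.some((n) => /[<>"']/.test(n) && html.includes(n));
}

console.log(renderListingUnescaped('/files/', sampleNames));
console.log(renderListingEscaped('/files/', sampleNames));
```

A check like containsRawName can be kept as a regression test against any code that renders user-influenced file names into HTML.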

Remediation

  • Update to version 1.6.3 or greater
