Cross-Site Scripting

Module: serve-index

Published: March 14th, 2015

Reported by: Ivan Kozik

CVE-2015-8856

CWE-725

Vulnerable: <1.6.3
Patched: >=1.6.3

Overview

Versions 1.6.2 and earlier of serve-index are affected by a cross-site scripting vulnerability. Because file and directory names are not escaped in the module's HTML output, a remote attacker who can influence file or directory names can launch a persistent cross-site scripting attack on the application.
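
The following is an added example, not serve-index's own code, contrasting a directory listing that concatenates names into HTML unescaped with one that encodes them on output. The function names, the `/files/` path and the sample file names are constructed for illustration.

```javascript
// Added illustration; not serve-index source. All function names are hypothetical.

// Escape the five characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": names go into the markup unescaped, the flaw the overview describes.
function renderListingUnsafe(dir, names) {
  const items = names.map((name) =>
    '<li><a href="' + dir + name + '" title="' + name + '">' + name + '</a></li>');
  return '<ul>' + items.join('') + '</ul>';
}

// "After": percent-encode the name for the URL, then HTML-escape every value
// at the point where it enters the markup.
function renderListingSafe(dir, names) {
  const items = names.map((name) => {
    const href = escapeHtml(dir + encodeURIComponent(name));
    const text = escapeHtml(name);
    return '<li><a href="' + href + '" title="' + text + '">' + text + '</a></li>';
  });
  return '<ul>' + items.join('') + '</ul>';
}

// Constructed directory entries; the last two contain markup characters.
const sampleNames = ['notes.txt', '<img src=x onerror=alert(1)>.txt', 'a"b&c.txt'];

// Regression check for a test suite: true if any name containing markup
// characters appears verbatim (unescaped) in the rendered HTML.
function leaksRawName(html, names) {
  return names.some((n) => /[<>"&']/.test(n) && html.includes(n));
}

console.log('unsafe leaks raw names:',
  leaksRawName(renderListingUnsafe('/files/', sampleNames), sampleNames));
console.log('safe leaks raw names:  ',
  leaksRawName(renderListingSafe('/files/', sampleNames), sampleNames));
```

A check like `leaksRawName` can sit in the test suite of any application that renders file names, so the listing stays covered after dependency upgrades.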

Remediation

Update to version 1.6.3 or later.

References

Issue #28