m-server@1.3.1 vulnerabilities

m-server is a mini http static server that without any dependencies.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). In m-server/lib/utils.js line 59 and 64, html push does not escapeHtml for variable path. By changing the path of URL via traversal, attacker can control this variable path.

PoC

GET /../../../../home/vagrant/tmp/test/<svg/onload=alert(document.domain)>/../../../test/ HTTP/1.1
Host: 192.168.57.105:3001
User-Agent: curl/7.54.0
Accept: */*
Connection: close

There is no fixed version for m-server.

m-server is a mini http static server.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. It displays content of selected directory as HTML in the browser without escaping. A malicious user could inject iframe element with JavaScript code via crafted filename.

Upgrade m-server to version 1.4.2 or higher.

m-server is a M-Server is a mini http static server that without any dependencies;.

Affected versions of the package are vulnerable to Directory Traversal, which may allow access to sensitive files and data on the server. For example, requesting the following url /..%2f..%2fetc/passwd would result in /etc/passwd leak.

There is no fixed version for m-server.