Cross-site Scripting (XSS) Affecting simple-server package, versions <1.1.0


Severity

Recommended: 0.0 (medium), on a scale of 0 to 10

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Mature
EPSS: 0.09% (41st percentile)

  • Snyk ID: npm:simple-server:20180126
  • published: 18 Mar 2018
  • disclosed: 26 Jan 2018
  • credit: Rafal Janicki (bl4de)

Introduced: 26 Jan 2018

CVE-2018-3717
CWE-79

How to fix?

Upgrade simple-server to version 1.1.0 or higher.

Overview

simple-server allows you to easily get a node.js static file server up and running anywhere anytime.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). HTML can be embedded in file names, which (under certain conditions) might lead to the execution of malicious JavaScript. This is caused by an outdated version of the connect framework.
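The bug class described above, as an added example that is not code from simple-server or connect: a listing page built from file names, first without output encoding and then with it. The function names, the sample file names and the assumption that names reach the page through a directory listing are all illustrative.

```javascript
// Added example, not simple-server or connect code. Assumption: the server
// builds an HTML listing by concatenating names returned from the file system.

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: file names are placed into the markup verbatim, so a
// name containing markup becomes part of the page.
function renderListingUnsafe(names) {
  const items = names.map((n) => `<li><a href="${n}">${n}</a></li>`);
  return `<ul>${items.join('')}</ul>`;
}

// Hardened pattern: percent-encode the name for the URL context, then
// HTML-escape every value before it is placed into the markup.
function renderListingSafe(names) {
  const items = names.map((n) => {
    const href = escapeHtml(encodeURIComponent(n));
    return `<li><a href="${href}">${escapeHtml(n)}</a></li>`;
  });
  return `<ul>${items.join('')}</ul>`;
}

// Audit helper: report names that would alter the markup if left unescaped.
function findRiskyNames(names) {
  return names.filter((n) => escapeHtml(n) !== n);
}

// Constructed sample input; these are not names taken from any real server.
const sampleNames = [
  'report.pdf',
  '<img src=x onerror=alert(1)>.txt',
  'a&b "notes".md',
];

console.log('unsafe:', renderListingUnsafe(sampleNames));
console.log('safe:  ', renderListingSafe(sampleNames));
console.log('risky: ', findRiskyNames(sampleNames));
```

Upgrading to 1.1.0 or higher remains the fix; the audit helper is only useful for spotting file names in a served directory that deserve a closer look.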

CVSS Scores

version 3.1