Copyparty
Monthly
A security vulnerability in Copyparty (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
Copyparty versions before 1.20.11 fail to apply the nohtml security restriction to SVG files, allowing authenticated users with write permissions to upload SVG images containing malicious JavaScript that executes when opened by other users. This cross-site scripting vulnerability bypasses the intended protection against JavaScript execution in user-uploaded content. The vulnerability has been patched in version 1.20.11.
Reflected XSS in Copyparty before version 1.20.9 allows unauthenticated attackers to inject malicious scripts through the setck URL parameter, potentially enabling session hijacking or credential theft from affected users. The vulnerability requires user interaction to click a crafted link but can be exploited remotely without authentication. A patch is available in version 1.20.9 and later.
Copyparty is a portable file server. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity.
Copyparty is a portable file server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
copyparty, a portable file server, has a DOM-based cross-site scripting vulnerability in versions prior to 1.16.15. Rated low severity (CVSS 3.6), this vulnerability is no authentication required. Public exploit code available.
A security vulnerability in Copyparty (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
Copyparty versions before 1.20.11 fail to apply the nohtml security restriction to SVG files, allowing authenticated users with write permissions to upload SVG images containing malicious JavaScript that executes when opened by other users. This cross-site scripting vulnerability bypasses the intended protection against JavaScript execution in user-uploaded content. The vulnerability has been patched in version 1.20.11.
Reflected XSS in Copyparty before version 1.20.9 allows unauthenticated attackers to inject malicious scripts through the setck URL parameter, potentially enabling session hijacking or credential theft from affected users. The vulnerability requires user interaction to click a crafted link but can be exploited remotely without authentication. A patch is available in version 1.20.9 and later.
Copyparty is a portable file server. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity.
Copyparty is a portable file server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
copyparty, a portable file server, has a DOM-based cross-site scripting vulnerability in versions prior to 1.16.15. Rated low severity (CVSS 3.6), this vulnerability is no authentication required. Public exploit code available.