Quark Auto Save
Monthly
Stored cross-site scripting in Quark Drive (quark-auto-save) before version 0.8.5 allows an authenticated low-privileged user to inject persistent JavaScript payloads that execute in the browsers of all authenticated users who view the System Configuration page. The root cause is Vue.js's v-html directive rendering push_config key names as raw HTML without sanitization, with payloads written to disk via the POST /update endpoint. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (10th percentile) signals very low current exploitation probability, but the persistent, multi-victim nature of the stored XSS elevates real-world impact in multi-user deployments.
Mass assignment in Quark Auto Save (also referenced as Quark Drive) before version 0.8.5 lets authenticated users overwrite administrator credentials by posting an arbitrary 'webui' object to the config_data dictionary through the POST /update endpoint. Successful exploitation locks out legitimate administrators and grants persistent control over scheduled tasks, cloud storage tokens, and notification integrations. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.05% (16th percentile), though a vendor patch is available in release v0.8.5.
Stored cross-site scripting in Quark Drive (quark-auto-save) before version 0.8.5 allows an authenticated low-privileged user to inject persistent JavaScript payloads that execute in the browsers of all authenticated users who view the System Configuration page. The root cause is Vue.js's v-html directive rendering push_config key names as raw HTML without sanitization, with payloads written to disk via the POST /update endpoint. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (10th percentile) signals very low current exploitation probability, but the persistent, multi-victim nature of the stored XSS elevates real-world impact in multi-user deployments.
Mass assignment in Quark Auto Save (also referenced as Quark Drive) before version 0.8.5 lets authenticated users overwrite administrator credentials by posting an arbitrary 'webui' object to the config_data dictionary through the POST /update endpoint. Successful exploitation locks out legitimate administrators and grants persistent control over scheduled tasks, cloud storage tokens, and notification integrations. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.05% (16th percentile), though a vendor patch is available in release v0.8.5.