Severity: moderate

Cross-Site Scripting



Versions 1.6.2 and earlier of serve-index are affected by a cross-site scripting vulnerability. Because file and directory names are not escaped in the module's HTML output, a remote attacker who can influence file or directory names can launch a persistent cross-site scripting attack against the application.


Update to version 1.6.3 or later.
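The class of bug described above, shown as an added example that is not serve-index's source code: a minimal directory-listing renderer that interpolates names unescaped, next to a version that encodes each name for its output context. All function names and the sample file names are constructed for illustration.

```javascript
// Illustrative directory-listing renderer; NOT serve-index's code.
// Function names are hypothetical.

// Escape the characters that are significant in HTML text and in
// quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Percent-encode each segment of a directory path, keeping the slashes.
function encodePath(dir) {
  return dir.split('/').map(encodeURIComponent).join('/');
}

// "Before": names are concatenated straight into markup, so a name that
// contains markup becomes part of the page served to every visitor.
function renderListingUnsafe(dir, names) {
  const items = names.map((n) => `<li><a href="${dir}${n}">${n}</a></li>`);
  return `<ul>${items.join('')}</ul>`;
}

// "After": two contexts, two encodings. The href is percent-encoded and
// then HTML-escaped for the attribute; the link text is HTML-escaped.
function renderListingSafe(dir, names) {
  const items = names.map((n) => {
    const href = escapeHtml(encodePath(dir) + encodeURIComponent(n));
    return `<li><a href="${href}">${escapeHtml(n)}</a></li>`;
  });
  return `<ul>${items.join('')}</ul>`;
}

// Constructed sample names, as an uploader or archive extraction could
// create them on a filesystem that permits these characters.
const sampleNames = ['a&b.txt', '<img src=x onerror=alert(1)>.png'];

console.log(renderListingUnsafe('/files/', sampleNames));
console.log(renderListingSafe('/files/', sampleNames));
```

If an application cannot be upgraded immediately, the same reasoning applies to any custom listing template it supplies: every place a name is emitted needs the encoding for that context.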



Advisory timeline

  1. published

    Advisory published
    Mar 14th, 2015
  2. reported

    Initial report by Ivan Kozik
    Oct 17th, 2015