Severity: moderate

Cross-Site Scripting

serve-index

Overview

Versions 1.6.2 and earlier of serve-index are affected by a cross-site scripting vulnerability. Because file and directory names are not escaped in the module's HTML output, a remote attacker who can influence file or directory names can launch a persistent cross-site scripting attack on the application.

Remediation

Update to version 1.6.3 or later.

Advisory timeline

  1. reported: Oct 17th, 2015
  2. published: Advisory published, Mar 14th, 2015