Versions 1.6.2 and earlier of serve-index are affected by a cross-site scripting vulnerability. Because file and directory names are not escaped in the module's HTML output, a remote attacker that can influence file or directory names can launch a persistent cross-site scripting attack on the application.
Update to version 1.6.3 or later.
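The flaw class described above, shown as an added example (not serve-index's own code): a minimal listing renderer that writes names into HTML unescaped, beside a hardened version, with a check that flags unexpected tags in the output. The function names and sample file names are hypothetical and constructed for illustration.

```javascript
// Added example: a minimal directory-listing renderer, not serve-index's code.
// escapeHtml, renderUnsafe, renderSafe and hasUnexpectedTag are hypothetical names.

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable pattern: names are concatenated into markup as-is.
function renderUnsafe(names) {
  return '<ul>' + names.map((n) =>
    `<li><a href="${n}" title="${n}">${n}</a></li>`).join('') + '</ul>';
}

// Hardened pattern: percent-encode for the URL context, then HTML-escape
// everything that lands in an attribute or in element text.
function renderSafe(names) {
  return '<ul>' + names.map((n) => {
    const href = escapeHtml(encodeURIComponent(n));
    const text = escapeHtml(n);
    return `<li><a href="${href}" title="${text}">${text}</a></li>`;
  }).join('') + '</ul>';
}

// Constructed sample names, as they might come back from a directory read.
const sampleNames = ['readme.md', '<img src=x onerror=alert(1)>.txt', 'a"b&c.log'];

// Regression check: true if the output contains any tag other than the
// ones the listing template itself emits (ul, li, a).
function hasUnexpectedTag(html) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some((t) =>
    !['ul', 'li', 'a'].includes(t.replace(/[<\/]/g, '').toLowerCase()));
}

console.log('unsafe output has stray tags:', hasUnexpectedTag(renderUnsafe(sampleNames)));
console.log('safe output has stray tags:  ', hasUnexpectedTag(renderSafe(sampleNames)));
```

A check like `hasUnexpectedTag` can run as a regression test against any listing page the application generates from user-influenced names.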
Advisory published: Mar 14th, 2015
Initial report by Ivan Kozik: Oct 17th, 2015