copyparty vulnerable to reflected cross-site scripting via k304 parameter
CVE-2023-38501

6.3MEDIUM

Key Information:

Vendor

9001

Status
Copyparty
Vendor
CVE Published:
25 July 2023

What is CVE-2023-38501?

copyparty is file server software. Prior to version 1.8.7, the application contains a reflected cross-site scripting via URL-parameter ?k304=... and ?setck=.... The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link. It is recommended to change the passwords of one's copyparty accounts, unless one have inspected one's logs and found no trace of attacks. Version 1.8.7 contains a patch for the issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

copyparty < 1.8.7

References

https://github.com/9001/copyparty/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/9001/copyparty/commit/007d948cb982daa0...
x_refsource_MISC
http://packetstormsecurity.com/files/173821/Copyparty-1.8...

EPSS Score

81% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.