Safety vulnerability ID: 70630
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of the `aiohttp` package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user input on index pages for static file handling. The vulnerability exists because the `show_index` option, when enabled, allows unsanitized user input to be rendered directly into the HTML content of directory listings. An attacker can exploit this vulnerability by crafting a malicious URL that, when accessed, executes arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking or data theft.
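The following added example (not aiohttp's code and not part of this advisory) shows the class of flaw described above with a simplified directory-index renderer: one form interpolates names into HTML verbatim, the other encodes each value for the context it lands in. The function names, the `/static` label and the sample entry names are assumptions constructed for illustration, and the hardened form is generic output encoding rather than the project's actual patch.

```python
import html
from urllib.parse import quote

# Constructed sample entry names; the second one carries HTML markup.
SAMPLE_NAMES = ["report.txt", "<img src=x onerror=alert(1)>.txt"]


def render_index_unsafe(label, names):
    """'Before' form: label and names are interpolated into HTML verbatim."""
    rows = "".join(f'<li><a href="{n}">{n}</a></li>\n' for n in names)
    return f"<h1>Index of {label}</h1>\n<ul>\n{rows}</ul>"


def render_index_safe(label, names):
    """Hardened form: encode every value for the context it is written into."""
    rows = []
    for n in names:
        href = quote(n, safe="")            # URL context: percent-encode
        text = html.escape(n, quote=True)   # HTML text context: entity-encode
        rows.append(f'<li><a href="{href}">{text}</a></li>\n')
    body = "".join(rows)
    heading = html.escape(label, quote=True)
    return f"<h1>Index of {heading}</h1>\n<ul>\n{body}</ul>"


def contains_raw_markup(page, names):
    """Regression check: True if any name containing '<' appears unencoded."""
    return any("<" in n and n in page for n in names)


if __name__ == "__main__":
    for render in (render_index_unsafe, render_index_safe):
        page = render("/static", SAMPLE_NAMES)
        print(render.__name__, "raw markup present:",
              contains_raw_markup(page, SAMPLE_NAMES))
```

A check like `contains_raw_markup` can serve as a regression test against any handler that generates listings; leaving `show_index` disabled avoids generating the index page at all.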
Latest version: 3.13.1
Async http client/server framework (asyncio)