Safety vulnerability ID: 76328
The information on this page was manually curated by our Cybersecurity Intelligence Team.
By handing someone a maliciously-named file, and then tricking them into dragging the file into Copyparty's Web-UI, an attacker could execute arbitrary JavaScript with the same privileges as that user. For example, this could give unintended read access to files owned by that user. The bug is triggered by the drag-drop action itself; it is not necessary to initiate the upload. The file must be empty (zero bytes).
Note: As a general-purpose web server, it is intentionally possible to upload HTML files with arbitrary JavaScript in <script> tags, which will execute when the file is opened. The difference is that this vulnerability would trigger the execution of JavaScript during the act of uploading, and not when the uploaded file is opened.
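The following is an added example, not copyparty's code and not taken from the advisory: it shows the general bug class described above, where a dropped file's name reaches an HTML sink before any upload starts, next to two hardened forms. The function names, the "skipped empty file" notice text and the sample file list are assumptions made for illustration.

```javascript
// Added illustration; hypothetical names, not copyparty's implementation.

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Weak pattern: the file name is concatenated into markup. If the result is
// assigned to innerHTML, the name is parsed as HTML during the drop itself.
function emptyFileNoticeUnsafe(files) {
  return files.filter((f) => f.size === 0)
    .map((f) => '<li>skipped empty file: ' + f.name + '</li>').join('');
}

// Hardened pattern 1: escape the name before it enters any markup string.
function emptyFileNoticeSafe(files) {
  return files.filter((f) => f.size === 0)
    .map((f) => '<li>skipped empty file: ' + escapeHtml(f.name) + '</li>').join('');
}

// Hardened pattern 2: build nodes and assign textContent, so the name is
// never parsed as markup. `doc` is the page's document object.
function renderEmptyFileNotice(doc, listEl, files) {
  for (const f of files) {
    if (f.size !== 0) continue;
    const li = doc.createElement('li');
    li.textContent = 'skipped empty file: ' + f.name;
    listEl.appendChild(li);
  }
}

// Constructed sample input standing in for a drop event's file list.
const droppedFiles = [
  { name: 'report.pdf', size: 1024 },
  { name: '<u>notes.txt', size: 0 },
];
```

The same rule applies to every place the UI echoes a file name: toasts, progress rows, error messages and confirmation dialogs.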
Latest version: 1.16.18
Portable file server with accelerated resumable uploads, deduplication, WebDAV, FTP, zeroconf, media indexer, video thumbnails, audio transcoding, and write-only folders