CVE-2018-16480
Description
XSS vulnerability in the 'public' npm module before 0.1.4 allows attackers to inject malicious JavaScript via unsanitized file/folder names.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The public npm module before version 0.1.4 contains a stored cross-site scripting (XSS) vulnerability. The module serves directory listings and renders file and folder names without proper sanitization. This allows an attacker to inject arbitrary HTML and JavaScript into the page when a user browses a directory containing a maliciously named file or folder. [1][2]
Exploitation
An attacker must have the ability to create files or folders on the server where the public module is used. By naming a file or folder with a payload such as ``, the malicious script is included in the directory listing page. When a victim visits that directory, the script executes in their browser. No additional user interaction beyond visiting the page is required. [1][2]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, cookie theft, redirection to malicious sites, or other actions that the victim can perform on the application. The impact is limited to the browser context and does not directly affect the server. [1][2]
Mitigation
The vulnerability is fixed in version 0.1.4 of the public module. Users should upgrade to this version or later. No workarounds are documented. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog. [2]
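As an added example, not code from the public module itself: a minimal directory-listing renderer written two ways, the unsanitized interpolation pattern described above beside a hardened version that escapes names for HTML text and percent-encodes the link target. Function names and the sample file names are constructed for the demonstration.

```javascript
// Added example (not the 'public' module's own code): the directory-listing
// rendering pattern behind CVE-2018-16480, shown as a vulnerable renderer
// beside a hardened one that encodes file names before interpolation.

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable pattern: directory entry names interpolated raw into markup,
// so a name containing markup becomes part of the page.
function renderListingUnsafe(dirName, entries) {
  const items = entries.map((name) => `<li><a href="${name}">${name}</a></li>`);
  return `<h1>${dirName}</h1><ul>${items.join('')}</ul>`;
}

// Hardened renderer: escape for the HTML text context and percent-encode the
// href so a name cannot close the attribute or alter the link target either.
function renderListingSafe(dirName, entries) {
  const items = entries.map((name) =>
    `<li><a href="${encodeURIComponent(name)}">${escapeHtml(name)}</a></li>`);
  return `<h1>${escapeHtml(dirName)}</h1><ul>${items.join('')}</ul>`;
}

// Constructed sample: one ordinary file and one whose name carries markup.
const SAMPLE_ENTRIES = ['readme.txt', '<b>bold</b>.txt'];

// Detection helper for a review or test: does rendered output contain a tag
// that the template itself never emits?
function containsForeignTag(html) {
  return /<b>/i.test(html);
}

console.log(renderListingUnsafe('uploads', SAMPLE_ENTRIES));
console.log(renderListingSafe('uploads', SAMPLE_ENTRIES));
```

The same check applies to any server that echoes file-system names into HTML: every name must be encoded for the context it lands in (text, attribute, URL), and a test like `containsForeignTag` catches a regression.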
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| public (npm) | < 0.1.4 | 0.1.4 |
Affected products
- HackerOne/public (v5), range: <0.1.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-649c-x44h-4q7v (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-16480 (ghsa, ADVISORY)
- hackerone.com/reports/329950 (ghsa, x_refsource_MISC, WEB)
- www.npmjs.com/package/public (ghsa, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.