VYPR
Moderate severity · NVD Advisory · Published Feb 1, 2019 · Updated Aug 5, 2024

CVE-2018-16484

Description

A stored cross-site scripting (XSS) vulnerability in m-server <1.4.2 allows execution of malicious JavaScript or HTML via folder names due to missing escaping.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

m-server versions prior to 1.4.2 contain a cross-site scripting (XSS) vulnerability in the handling of folder names. The module does not escape special characters in folder names [1][2][3]. An attacker who can create or upload folders with crafted names can inject arbitrary JavaScript or HTML code that will execute in the context of users who browse or list those folders.

Exploitation

An attacker with the ability to create folder names (for example, through file upload or a shared directory feature) can include malicious payloads such as `` in a folder name. When another user accesses the web interface that lists folders, the payload is rendered and executed in the user's browser [1]. No authentication or special privileges are required beyond the ability to create folders.

Impact

Successful exploitation leads to arbitrary JavaScript execution in the victim's browser within the context of the m-server application [3]. This can result in session hijacking, data theft, defacement, or further attacks against the application or its users.

Mitigation

Update to m-server version 1.4.2 or later, which includes proper escaping of special characters in folder names [2][3]. No workaround is available; users running an affected version should upgrade immediately.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
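
The missing-escaping defect and its fix, as an added example that is not m-server's code and not part of the advisory. It is a hypothetical directory-listing renderer: the function names and the sample folder names are assumptions constructed here. It shows a folder name reaching the page unescaped, then the escaped form for both the link target and the visible label.

```javascript
// Added illustration: a hypothetical directory-listing renderer, not m-server's code.

// Escape the five characters that are significant in HTML text and attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": folder names are concatenated into the page as-is, so any markup
// in a name becomes part of the document (the missing-escaping defect class).
function renderListingUnsafe(folderNames) {
  const items = folderNames.map((name) => `<li><a href="${name}/">${name}/</a></li>`);
  return `<ul>${items.join('')}</ul>`;
}

// "After": percent-encode the name for the URL path, then HTML-escape both
// the attribute value and the visible label.
function renderListingSafe(folderNames) {
  const items = folderNames.map((name) => {
    const href = escapeHtml(encodeURIComponent(name) + '/');
    return `<li><a href="${href}">${escapeHtml(name)}/</a></li>`;
  });
  return `<ul>${items.join('')}</ul>`;
}

// Regression check: every tag in the output must be one the renderer itself emits.
function hasOnlyExpectedTags(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.every((t) => /^<\/?(ul|li|a)(\s+href="[^"<>]*")?>$/.test(t));
}

// Constructed sample input: ordinary names plus names containing markup characters.
const SAMPLE_FOLDERS = ['photos', 'notes<h1>injected', 'R&D "2019"'];

console.log(renderListingUnsafe(SAMPLE_FOLDERS)); // markup from the name lands in the page
console.log(renderListingSafe(SAMPLE_FOLDERS));   // the name is rendered as inert text
```

A check like `hasOnlyExpectedTags` fits in a unit test for any listing template, run against folder names that contain `<`, `>`, `&` and quotes.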

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| m-server (npm) | < 1.4.2 | 1.4.2 |
