CVE-2018-3755
Description
A stored XSS vulnerability in sexstatic <=0.6.2 allows HTML injection via malicious directory names that embed an element.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the npm package sexstatic versions <= 0.6.2. The bug occurs when an attacker can create or rename a directory on the server where sexstatic is used. The directory name is not properly sanitized, allowing HTML injection. Specifically, a directory name containing an `` element will be rendered unsafely by the application, leading to stored XSS. [1][2]
Exploitation
An attacker needs the ability to create or rename directories within the file system served by sexstatic. This could be achieved through write access to the server (e.g., via filesystem permissions or an accompanying file upload feature). The attacker creates a directory whose name contains malicious HTML, such as an injected element followed by any valid name suffix. When other users or administrators browse to the directory listing, the injected markup is rendered in their browser. No user interaction beyond navigating to the affected directory is required. [1][2]
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, data exfiltration, or further malicious actions within the web application's domain. The attack is stored, meaning every victim visiting the affected directory will be impacted without needing to click a crafted link. [1][2]
Mitigation
The vulnerability is addressed in versions after 0.6.2, but no specific patched version number or release date is disclosed in the available references. Users of sexstatic should upgrade to the latest version as soon as possible. If upgrading is not feasible, ensure that untrusted users cannot create or modify directories on the server, and consider sanitizing directory listings with a reverse proxy or web application firewall. [1][2]
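As an added example (not sexstatic's own code), the hypothetical Node.js directory-listing renderer below shows the unescaped pattern the advisory describes beside a hardened version that escapes entry names in both the attribute and text contexts; the entry names are constructed sample input.

```javascript
// Added example, not sexstatic's own code. The renderers below are a
// hypothetical reconstruction of the pattern the advisory describes: directory
// entry names interpolated into listing HTML without escaping.

// Minimal HTML escaper covering text and double-quoted attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: a directory named "<i>x</i>" becomes live markup in the page.
function renderListingUnsafe(dirPath, entries) {
  return entries
    .map((name) => `<li><a href="${dirPath}/${name}">${name}</a></li>`)
    .join('\n');
}

// Hardened pattern: percent-encode the path segment, then escape both the
// attribute value and the visible text so the name is displayed, not parsed.
function renderListingSafe(dirPath, entries) {
  return entries
    .map((name) => {
      const href = `${dirPath}/${encodeURIComponent(name)}`;
      return `<li><a href="${escapeHtml(href)}">${escapeHtml(name)}</a></li>`;
    })
    .join('\n');
}

// Regression check for a renderer: true if any entry name that looks like a tag
// survives verbatim in the output (i.e. the browser would parse it as HTML).
function listingContainsRawTag(html, entries) {
  return entries.some((name) => /<[a-z!\/]/i.test(name) && html.includes(name));
}

// Constructed sample entries; the third mimics a directory created with markup in its name.
const SAMPLE_ENTRIES = ['docs', 'photos 2018', '<i>injected</i>'];

function demo() {
  const unsafeHtml = renderListingUnsafe('/files', SAMPLE_ENTRIES);
  const safeHtml = renderListingSafe('/files', SAMPLE_ENTRIES);
  return [
    `unsafe listing leaks raw tag: ${listingContainsRawTag(unsafeHtml, SAMPLE_ENTRIES)}`,
    `safe listing leaks raw tag:   ${listingContainsRawTag(safeHtml, SAMPLE_ENTRIES)}`,
    safeHtml,
  ].join('\n');
}

console.log(demo());
```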
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sexstatic (npm) | <= 0.6.2 | — |
Affected products
- HackerOne/sexstatic, range: <=0.6.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-qfh2-6f7q-gr86 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-3755 (GHSA, advisory)
- hackerone.com/reports/328210 (GHSA, web)
- www.npmjs.com/advisories/671 (GHSA, web)
News mentions
No linked articles in our index yet.