VYPR
Moderate severity · NVD Advisory · Published Jul 20, 2018 · Updated Sep 16, 2024

CVE-2018-3771

Description

statics-server <=0.0.9 suffers from an XSS vulnerability via injected iframe in filename when directory index is displayed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

statics-server versions up to and including 0.0.9 contain a stored cross-site scripting (XSS) vulnerability in the directory index. When the server renders a directory listing in the browser, filenames are written into the HTML without escaping, so a filename that contains an HTML iframe element is rendered as markup rather than as text. The attacker-controlled iframe, and any script it loads, then runs in the origin of the statics-server site [1].

Exploitation

An attacker who can create or rename files in a directory served by statics-server can choose a filename that embeds an iframe tag (e.g., an iframe tag inside an otherwise ordinary name such as test.html). When a victim browses the directory listing, the unescaped filename is rendered as markup and the injected iframe loads in the victim's browser. No user interaction beyond visiting the directory index is required [1].
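
The rendering defect described above, as an added illustration in Node.js: this is not statics-server's own code (the page does not show the package's listing template), but a minimal directory-index renderer that concatenates filenames into HTML unescaped, beside a version that escapes for each output context. The function names, the sample filenames and the attacker.example host are this example's own assumptions.

```javascript
// Added illustration, not statics-server's own code: a directory index that
// concatenates filenames into HTML unescaped (the defect class in CVE-2018-3771)
// beside a version that escapes them. All names here are this example's own.

// Escape the characters that can break out of HTML text or a quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: each filename goes straight into the markup, both as the
// link target and as the link text, so any tag inside the name is rendered.
function renderIndexVulnerable(dir, names) {
  const rows = names.map((n) => `<li><a href="${n}">${n}</a></li>`);
  return `<h1>Index of ${dir}</h1><ul>${rows.join("")}</ul>`;
}

// Hardened pattern: percent-encode the name for the URL context and
// HTML-escape it for the text context. Same output shape, no live markup.
function renderIndexSafe(dir, names) {
  const rows = names.map(
    (n) => `<li><a href="${encodeURIComponent(n)}">${escapeHtml(n)}</a></li>`
  );
  return `<h1>Index of ${escapeHtml(dir)}</h1><ul>${rows.join("")}</ul>`;
}

// Check helper: does the HTML still contain a raw <tag ...> element?
// Good enough to show the difference; a real test would parse the document.
function containsRawTag(html, tag) {
  return new RegExp(`<${tag}[\\s>/]`, "i").test(html);
}

// Constructed sample listing: one ordinary file plus one attacker-chosen name.
// On most filesystems a name may contain anything except "/" and NUL, so this
// is a legal filename; attacker.example is a placeholder host.
const SAMPLE_NAMES = [
  "readme.txt",
  '<iframe src="https://attacker.example/"></iframe>test.html',
];

// Run both renderers over the sample and report whether the iframe survived.
function demo() {
  return {
    vulnerableHasIframe: containsRawTag(renderIndexVulnerable("/", SAMPLE_NAMES), "iframe"),
    safeHasIframe: containsRawTag(renderIndexSafe("/", SAMPLE_NAMES), "iframe"),
  };
}

console.log(demo()); // { vulnerableHasIframe: true, safeHasIframe: false }
```

The escaping rule is context-specific: the same name needs HTML escaping where it is shown as link text and percent-encoding where it becomes part of the href. Fixing only one of the two leaves the other injection point open, which is also the kind of partial fix that a reverse-proxy filter is likely to miss.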

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser within the origin of the statics-server site. This can lead to session hijacking, data exfiltration, or other client-side attacks. The compromise is confined to users who load the affected directory index page. Neither the victim nor the attacker needs to authenticate to statics-server; the attacker's only prerequisite is the ability to place a crafted filename in a served directory [1].

Mitigation

No patched release of statics-server is listed: every version up to and including 0.0.9 is affected, and the Patches count below is 0. The vendor was notified via HackerOne. Until a fixed version appears, administrators should disable directory listing, or place a reverse proxy in front of statics-server that blocks or escapes directory index responses, and should make sure that untrusted parties cannot create or rename files in the served directories, since that is the attacker's prerequisite [1].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               Affected versions   Patched versions
statics-server (npm)  <= 0.0.9            none

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3
