VYPR
Moderate severity · NVD Advisory · Published Jul 30, 2019 · Updated Aug 4, 2024

CVE-2019-5458

Description

CVE-2019-5458 is a stored XSS in http-file-server allowing attackers with filesystem access to execute arbitrary JavaScript in victims' browsers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2019-5458 is a cross-site scripting (XSS) vulnerability in the http-file-server application, affecting all versions. The root cause is insufficient sanitization of file names or content when the server serves files to users. An attacker who can write files to the server's filesystem can inject malicious JavaScript code that will be executed in the context of any victim's browser that accesses the crafted file [1].

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must have write access to the server's file system—for example, through an upload feature or direct file creation. No authentication is required from the victim; simply browsing to the malicious file triggers the XSS. The attack does not require any special network position beyond being able to reach the server [1].

Impact

Successful exploitation allows arbitrary JavaScript execution in the victim's browser. This can lead to theft of sensitive data, session hijacking, or defacement of the served content. Since the vulnerability exists in all versions of http-file-server, any deployment is at risk until a fix is applied [1].

Mitigation

Status

As of the publication date (2019-07-30), no official patch was available. Users are advised to disable the http-file-server service or implement strict input validation and output encoding for file names and content. The issue was reported via HackerOne, and further details can be found in the referenced report [1].
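The pattern the overview describes, shown as an added example that is not http-file-server's own code: a directory listing built by string concatenation (vulnerable) next to one that URL-encodes and HTML-escapes each file name (the output encoding the mitigation section recommends). Function names, the sample file names and the `/files` path are assumptions made for this illustration.

```javascript
// Added example (not http-file-server's own code): a directory-listing
// renderer in the vulnerable style described above, next to a hardened one.
// Function and variable names are assumptions chosen for this illustration.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: names read from the filesystem are concatenated into
// the listing page verbatim, so a crafted file name becomes live markup.
function renderListingUnsafe(dir, names) {
  const items = names.map((n) => `<li><a href="${dir}/${n}">${n}</a></li>`);
  return `<ul>${items.join("")}</ul>`;
}

// Hardened pattern: encode the name for the URL and escape it for HTML, so
// the browser renders the name as text instead of parsing it as markup.
function renderListingSafe(dir, names) {
  const items = names.map(
    (n) => `<li><a href="${escapeHtml(dir)}/${encodeURIComponent(n)}">${escapeHtml(n)}</a></li>`
  );
  return `<ul>${items.join("")}</ul>`;
}

// Constructed sample: one ordinary file and one whose name carries markup,
// the kind of file a writer with filesystem access could create.
const SAMPLE_NAMES = ["README.md", '<img src=x onerror="alert(1)">.txt'];

// Returns true when the rendered HTML still contains a raw tag that came from
// a file name, i.e. when the listing would hand the browser injected markup.
function listingLeaksMarkup(html) {
  return /<img\b/.test(html);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe listing leaks markup:", listingLeaksMarkup(renderListingUnsafe("/files", SAMPLE_NAMES)));
  console.log("safe listing leaks markup:", listingLeaksMarkup(renderListingSafe("/files", SAMPLE_NAMES)));
}
```

Running the block prints `true` for the unsafe renderer and `false` for the hardened one; the same check can be pointed at a live listing page to confirm a deployment escapes names.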

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Ecosystem   Affected versions   Patched versions
http-file-server  npm         <= 0.2.6            none listed

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.