VYPR
Medium severity · NVD Advisory · Published Feb 3, 2026 · Updated Apr 15, 2026

CVE-2020-37087


Description

Easy Transfer Wifi Transfer v1.7 for iOS contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts by manipulating the oldPath, newPath, and path parameters in Create Folder and Move/Edit functions. Attackers can exploit improper input validation via POST requests to execute arbitrary JavaScript in the context of the mobile web application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Easy Transfer Wifi Transfer v1.7 for iOS is vulnerable to persistent cross-site scripting via improper input validation in folder creation and move/edit functions.

Vulnerability Overview

Easy Transfer Wifi Transfer v1.7 for iOS contains a persistent cross-site scripting (XSS) vulnerability. The root cause is improper input validation of the oldPath, newPath, and path parameters in the Create Folder and Move/Edit functions. Attackers can inject arbitrary JavaScript code through these parameters, which is then stored and executed in the context of the mobile web application [1][4].

Exploitation

An attacker can exploit this vulnerability by sending specially crafted POST requests to the affected endpoints. No authentication is required, as the application operates with open privileges [1]. The injected script executes when other users access the manipulated folder or file operations, leading to persistent XSS. User interaction is minimal, typically just viewing the affected page [1].

Impact

Successful exploitation allows arbitrary JavaScript execution within the web interface of the Easy Transfer app. This can lead to data theft, session hijacking, defacement, or further compromise of the user's device and files transferred through the application [4].

Mitigation

As of the public disclosure date (April 2020), no official patch has been released for this vulnerability. The application remains available on the Apple App Store [3]. Users are advised to exercise caution when using the app, avoid accessing untrusted content, and consider alternative file transfer solutions until a fix is provided [1][3].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
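The advisory lists no fix, so the following is an added example (not code from the app, its vendor, or the advisory) of the two controls the described flaw lacks: validation of the oldPath, newPath and path parameters on input, and HTML encoding when stored paths are rendered into the web interface. All function names and sample values are assumptions constructed for illustration.

```javascript
'use strict';
// Added example: hypothetical helpers, not code from the Easy Transfer app.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a stored value for an HTML text node or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input-side check for oldPath / newPath / path: reject values a file
// manager does not need (control characters, markup delimiters, traversal).
function validatePathParam(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 1024) return false;
  if (/[\u0000-\u001f\u007f<>"]/.test(value)) return false;
  return !value.split('/').includes('..');
}

// Output-side defence: every stored path is encoded when the listing is
// built, so a value stored before validation existed still renders as text.
function renderFolderRow(path) {
  const name = path.split('/').filter(Boolean).pop() || '/';
  return `<li class="folder" data-path="${escapeHtml(path)}">${escapeHtml(name)}</li>`;
}

// Constructed sample values for the three parameters named in the advisory.
const samples = {
  path: '/Documents/Photos',
  oldPath: '/Documents/<img src=x onerror=alert(1)>',
  newPath: '/Documents/x" onclick="alert(1)',
};

// Run both controls over each sample and collect the outcome.
function demo() {
  return Object.entries(samples).map(([param, value]) => ({
    param,
    accepted: validatePathParam(value),
    html: renderFolderRow(value),
  }));
}

for (const row of demo()) {
  console.log(row.param, row.accepted ? 'accepted' : 'rejected', row.html);
}
```

Validation alone is not sufficient for a persistent issue: names already stored, or written by another route, reach the page unchecked, which is why the renderer encodes unconditionally.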

Affected products

1

Patches

0

No patches discovered yet.


References

4
