CVE-2022-50951
Description
WiFi File Transfer 1.0.8 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script code through file and folder names. Attackers can exploit the web server's input validation weakness to execute arbitrary JavaScript when users preview infected file paths, potentially compromising user browser sessions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WiFi File Transfer 1.0.8 fails to sanitize file and folder names, enabling persistent XSS that executes arbitrary JavaScript in a victim's browser session.
Analysis
The WiFi File Transfer application version 1.0.8 contains a persistent cross-site scripting (XSS) vulnerability rooted in improper input validation of file and folder names [1][3]. The application's web server does not sanitize or encode user-supplied names when rendering file listings, allowing attackers to inject arbitrary HTML and JavaScript into page content. This vulnerability is classified as CWE-79 and is rated Medium severity with a CVSS v3 score of 6.4 [3].
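The missing output encoding described above, shown as a vulnerable file-listing row beside a hardened one. This is an added example, not code from WiFi File Transfer; the function names, the `docs` directory, the name policy and the sample file name are constructed for illustration.

```javascript
// Added example: hypothetical helper names, constructed sample data.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for HTML text content or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Percent-encode each path segment so a name cannot add separators or quotes.
function encodePath(segments) {
  return "/" + segments.map(encodeURIComponent).join("/");
}

// Vulnerable pattern: the stored name is concatenated into markup as-is.
function renderRowUnsafe(dir, name) {
  return `<li><a href="/${[...dir, name].join("/")}">${name}</a></li>`;
}

// Hardened pattern: encode for each output context at render time.
function renderRowSafe(dir, name) {
  const href = escapeHtml(encodePath([...dir, name]));
  return `<li><a href="${href}">${escapeHtml(name)}</a></li>`;
}

// Defense in depth at upload/create time (assumed policy, not the app's):
// reject empty names, dot entries, path separators and control characters.
function isAcceptableName(name) {
  return name.length > 0 && name.length <= 255 &&
    name !== "." && name !== ".." && !/[\/\\\u0000-\u001f\u007f]/.test(name);
}

// Rough check for this demo: list the tag names a browser would see.
function tagNames(html) {
  return [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed sample: a harmless name that still carries markup characters.
const SAMPLE_NAME = '"><i>note</i>.txt';

console.log(tagNames(renderRowUnsafe(["docs"], SAMPLE_NAME)).join(","));
console.log(tagNames(renderRowSafe(["docs"], SAMPLE_NAME)).join(","));
console.log(renderRowSafe(["docs"], SAMPLE_NAME));
```

A name such as `<b>x.txt` passes `isAcceptableName`, so the per-context encoding in `renderRowSafe` is the actual fix and the name check is only a secondary control.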
Exploitation
Exploitation requires the attacker to be able to create files or folders on the Android device through the application's web interface, which is accessible over the local WiFi network without authentication [1]. The attacker uploads a file or creates a folder with a name containing malicious script code, such as `` [1][3]. Any user who then browses the file list in the web interface—including the victim themselves—will trigger the script execution when the browser renders the infected file path. The attack is considered remote, with low user interaction required [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript within the context of the victim's browser session that is connected to the WiFi File Transfer web interface [1][3]. This could enable actions such as session hijacking, unauthorized file uploads/deletions, or redirection to malicious sites. Because the application runs with the same permissions granted by the user on the Android device, an attacker who compromises a session may be able to access, modify, or exfiltrate files stored on the device.
Mitigation
As of the public disclosure date in October 2022, the vendor has not released a patched version to address this vulnerability [1][3]. Users are advised to treat files and folders created by untrusted sources with caution, restrict network access to the application's interface, and consider using alternative file transfer applications that properly sanitize user input.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: = 1.0.8
Patches (0)
No patches discovered yet.
References (3)
News mentions (0)
No linked articles in our index yet.