CVE-2023-50639
Description
Cross Site Scripting (XSS) vulnerability in CuteHttpFileServer v.1.0 and v.2.0 allows attackers to obtain sensitive information via the file upload function in the home page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CuteHttpFileServer v1.0 and v2.0 contain a stored XSS vulnerability via file upload that triggers when a victim views the malicious PDF.
Vulnerability
A Cross-Site Scripting (XSS) vulnerability exists in CuteHttpFileServer versions 1.0 and 2.0, specifically in the file upload function accessible from the home page [1]. The flaw allows an attacker to upload a specially crafted PDF file containing malicious JavaScript. When a victim opens this PDF in a browser (e.g., Google Chrome), the embedded script executes within the context of the application [1].
Exploitation
An attacker must have network access to the CuteHttpFileServer web interface and be able to upload files (no authentication is required for the file upload function in these versions) [1]. The attacker prepares a PDF file with embedded JavaScript and uploads it via the upload form. Any user who then clicks on the uploaded file link and opens it in a browser that renders PDF inline (like Chrome) will trigger the XSS payload [1]. The attack requires no user interaction beyond opening the malicious file.
Impact
Successful exploitation leads to execution of arbitrary JavaScript in the victim's browser in the context of the CuteHttpFileServer origin. This can be leveraged to steal sensitive information such as session cookies, perform actions on behalf of the victim, or deface the application interface. The attacker does not gain server-side code execution, but can compromise user sessions and data confidentiality [1].
Mitigation
As of the latest disclosure, the vendor has not released a patched version for CuteHttpFileServer v1.0 or v2.0 [1]. Users should consider upgrading to any newer version if available, or restrict access to the file upload functionality (e.g., via network segmentation or by disabling the upload feature if not required). No workaround is documented in the available references [1].
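Because the references document no vendor fix, the practical defence is on the serving side: never let the browser render an uploaded file inline in the application's origin. The following added example (not CuteHttpFileServer code, and not from the cited references) is a generic download handler that forces `Content-Disposition: attachment`, a neutral `Content-Type`, `nosniff`, and a sandboxing CSP, so an uploaded PDF or HTML file is downloaded rather than executed in the site's context. The in-memory `UPLOADS` store, the file names, and the `download_app` and `call` helpers are constructed for the illustration.

```python
"""Hardened download handler for user-uploaded files (added example, not vendor code)."""
import re
from urllib.parse import quote
from wsgiref.simple_server import make_server

# Constructed sample store: file name -> bytes. A real server would read from disk.
UPLOADS = {
    "report.pdf": b"%PDF-1.4\n% constructed placeholder, not a real document\n",
    "notes.html": b"<html><body>constructed placeholder</body></html>",
}

# Anything outside this set is replaced so it cannot break out of the header.
_HEADER_UNSAFE = re.compile(r"[^A-Za-z0-9._ -]")


def ascii_fallback_name(filename: str) -> str:
    """ASCII-only name for the legacy filename= parameter.

    Drops path components and replaces quotes, CR/LF, semicolons and
    non-ASCII characters, which could otherwise inject into the header.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    cleaned = _HEADER_UNSAFE.sub("_", base).strip(" .")
    return cleaned or "download"


def safe_download_headers(filename: str, size: int) -> list:
    """Response headers that prevent inline rendering of an uploaded file."""
    return [
        # Generic binary type: the uploader's chosen name or MIME type never
        # selects a PDF or HTML renderer.
        ("Content-Type", "application/octet-stream"),
        ("Content-Length", str(size)),
        # attachment forces a download prompt instead of inline display;
        # filename* (RFC 5987) carries the original name for non-ASCII names.
        ("Content-Disposition",
         'attachment; filename="%s"; filename*=UTF-8\'\'%s'
         % (ascii_fallback_name(filename), quote(filename, safe=""))),
        # Stop MIME sniffing, which could promote the bytes to text/html.
        ("X-Content-Type-Options", "nosniff"),
        # Defence in depth: if anything does render, it runs in an opaque
        # sandboxed origin with no script, no network and no site cookies.
        ("Content-Security-Policy", "sandbox; default-src 'none'"),
    ]


def download_app(environ, start_response):
    """Minimal WSGI app serving UPLOADS under /<name> with the hardened headers."""
    name = environ.get("PATH_INFO", "").lstrip("/")
    data = UPLOADS.get(name)
    if data is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", safe_download_headers(name, len(data)))
    return [data]


def call(app, path):
    """Invoke a WSGI app without a socket; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Serves UPLOADS on http://127.0.0.1:8080/<name> for a manual browser check:
    # the PDF and the HTML file should both download instead of rendering.
    make_server("127.0.0.1", 8080, download_app).serve_forever()
```

The same headers can be applied in any framework's static or download handler; the point is that the uploader controls only the bytes and the name, never the rendering context. Where inline preview is a product requirement, serve previews from a separate, cookieless origin so a script inside the file cannot reach the application's session.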
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CuteHttpFileServer / CuteHttpFileServer
- Range: 1.0, 2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.