cvelistv5 - cve-2019-5458

CVE-2019-5458 (GCVE-0-2019-5458)

Vulnerability from cvelistv5 – Published: 2019-07-30 20:21 – Updated: 2024-08-04 19:54

Summary

Cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser.

Severity ?

No CVSS data available.

CWE

CWE-79 - Cross-site Scripting (XSS) - Stored (CWE-79)

Assigner

hackerone

References

URL

Tags

https://hackerone.com/reports/570563

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	http-file-server	http-file-server	Affected: Not Fixed

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:54:53.487Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/570563"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "http-file-server",
          "vendor": "http-file-server",
          "versions": [
            {
              "status": "affected",
              "version": "Not Fixed"
            }
          ]
        }
      ],
      "datePublic": "2019-07-24T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim\u0027s browser."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross-site Scripting (XSS) - Stored (CWE-79)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-30T20:21:09",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/570563"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2019-5458",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "http-file-server",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Not Fixed"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "http-file-server"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim\u0027s browser."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS) - Stored (CWE-79)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/570563",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/570563"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2019-5458",
    "datePublished": "2019-07-30T20:21:09",
    "dateReserved": "2019-01-04T00:00:00",
    "dateUpdated": "2024-08-04T19:54:53.487Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:http-file-server_project:http-file-server:0.1.0:*:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"4B418951-2797-46BA-8051-B9C1A6C08AA5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:http-file-server_project:http-file-server:0.2.0:*:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"7DAF5268-09C6-4269-8512-27711BD0B810\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:http-file-server_project:http-file-server:0.2.1:*:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"1F1BC10A-2920-4ED0-A03D-913AED5F00BA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:http-file-server_project:http-file-server:0.2.2:*:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"790DF25F-1DDA-4B72-95A9-FF2D16D259F1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:http-file-server_project:http-file-server:0.2.3:*:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"1CE53E1D-2FD7-402D-B817-E5146FA70769\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:http-file-server_project:http-file-server:0.2.4:*:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"D86310F7-D3F4-45AA-A001-B1941671FF12\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:http-file-server_project:http-file-server:0.2.5:*:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"967FEFF5-075F-4886-856D-E990110886A0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:http-file-server_project:http-file-server:0.2.6:*:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"C3691626-F061-4A54-A1FE-2E062D4012E1\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim\u0027s browser.\"}, {\"lang\": \"es\", \"value\": \"La vulnerabilidad de tipo cross-site scripting (XSS) en http-file-server (todas las versiones), permite a un atacante con acceso al sistema de archivos del servidor ejecutar c\\u00f3digo JavaScript arbitrario en el navegador de la v\\u00edctima.\"}]",
      "id": "CVE-2019-5458",
      "lastModified": "2024-11-21T04:44:58.353",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:N/I:P/A:N\", \"baseScore\": 3.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 6.8, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2019-07-30T21:15:12.177",
      "references": "[{\"url\": \"https://hackerone.com/reports/570563\", \"source\": \"support@hackerone.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://hackerone.com/reports/570563\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "support@hackerone.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"support@hackerone.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-5458\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2019-07-30T21:15:12.177\",\"lastModified\":\"2024-11-21T04:44:58.353\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim\u0027s browser.\"},{\"lang\":\"es\",\"value\":\"La vulnerabilidad de tipo cross-site scripting (XSS) en http-file-server (todas las versiones), permite a un atacante con acceso al sistema de archivos del servidor ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:http-file-server_project:http-file-server:0.1.0:*:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"4B418951-2797-46BA-8051-B9C1A6C08AA5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:http-file-server_project:http-file-server:0.2.0:*:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"7DAF5268-09C6-4269-8512-27711BD0B810\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:http-file-server_project:http-file-server:0.2.1:*:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"1F1BC10A-2920-4ED0-A03D-913AED5F00BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:http-file-server_project:http-file-server:0.2.2:*:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"790DF25F-1DDA-4B72-95A9-FF2D16D259F1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:http-file-server_project:http-file-server:0.2.3:*:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"1CE53E1D-2FD7-402D-B817-E5146FA70769\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:http-file-server_project:http-file-server:0.2.4:*:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"D86310F7-D3F4-45AA-A001-B1941671FF12\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:http-file-server_project:http-file-server:0.2.5:*:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"967FEFF5-075F-4886-856D-E990110886A0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:http-file-server_project:http-file-server:0.2.6:*:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"C3691626-F061-4A54-A1FE-2E062D4012E1\"}]}]}],\"references\":[{\"url\":\"https://hackerone.com/reports/570563\",\"source\":\"support@hackerone.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/570563\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}

FKIE_CVE-2019-5458

Vulnerability from fkie_nvd - Published: 2019-07-30 21:15 - Updated: 2024-11-21 04:44

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

Cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser.

References

	URL	Tags
	support@hackerone.com	https://hackerone.com/reports/570563	Exploit, Third Party Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://hackerone.com/reports/570563	Exploit, Third Party Advisory

Impacted products

Vendor	Product	Version
http-file-server_project	http-file-server	0.1.0
http-file-server_project	http-file-server	0.2.0
http-file-server_project	http-file-server	0.2.1
http-file-server_project	http-file-server	0.2.2
http-file-server_project	http-file-server	0.2.3
http-file-server_project	http-file-server	0.2.4
http-file-server_project	http-file-server	0.2.5
http-file-server_project	http-file-server	0.2.6

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:http-file-server_project:http-file-server:0.1.0:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "4B418951-2797-46BA-8051-B9C1A6C08AA5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.0:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "7DAF5268-09C6-4269-8512-27711BD0B810",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.1:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "1F1BC10A-2920-4ED0-A03D-913AED5F00BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.2:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "790DF25F-1DDA-4B72-95A9-FF2D16D259F1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.3:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "1CE53E1D-2FD7-402D-B817-E5146FA70769",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.4:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "D86310F7-D3F4-45AA-A001-B1941671FF12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.5:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "967FEFF5-075F-4886-856D-E990110886A0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.6:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "C3691626-F061-4A54-A1FE-2E062D4012E1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim\u0027s browser."
    },
    {
      "lang": "es",
      "value": "La vulnerabilidad de tipo cross-site scripting (XSS) en http-file-server (todas las versiones), permite a un atacante con acceso al sistema de archivos del servidor ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima."
    }
  ],
  "id": "CVE-2019-5458",
  "lastModified": "2024-11-21T04:44:58.353",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-07-30T21:15:12.177",
  "references": [
    {
      "source": "support@hackerone.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://hackerone.com/reports/570563"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://hackerone.com/reports/570563"
    }
  ],
  "sourceIdentifier": "support@hackerone.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "support@hackerone.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

VAR-201907-0117

Vulnerability from variot - Updated: 2023-12-18 12:50

Cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser. http-file-server Contains a cross-site scripting vulnerability.The information may be obtained and the information may be falsified. Http-file-server is an HTTP file server. The vulnerability stems from the lack of proper validation of client data for web applications. An attacker could exploit the vulnerability to execute client code

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201907-0117",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "http-file-server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "http file server",
        "version": "0.2.1"
      },
      {
        "model": "http-file-server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "http file server",
        "version": "0.2.4"
      },
      {
        "model": "http-file-server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "http file server",
        "version": "0.2.3"
      },
      {
        "model": "http-file-server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "http file server",
        "version": "0.2.0"
      },
      {
        "model": "http-file-server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "http file server",
        "version": "0.2.6"
      },
      {
        "model": "http-file-server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "http file server",
        "version": "0.2.5"
      },
      {
        "model": "http-file-server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "http file server",
        "version": "0.1.0"
      },
      {
        "model": "http-file-server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "http file server",
        "version": "0.2.2"
      },
      {
        "model": "http file server",
        "scope": null,
        "trust": 0.8,
        "vendor": "rejetto",
        "version": null
      },
      {
        "model": "http-file-server",
        "scope": null,
        "trust": 0.6,
        "vendor": "http file server",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-25322"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-007123"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-5458"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:http-file-server_project:http-file-server:0.1.0:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.0:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.1:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.2:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.3:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.4:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.5:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.6:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-5458"
      }
    ]
  },
  "cve": "CVE-2019-5458",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 6.8,
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "LOW",
            "trust": 1.0,
            "userInteractionRequired": true,
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "Single",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 3.5,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2019-5458",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Low",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2019-25322",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 2.3,
            "impactScore": 2.7,
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 5.4,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "CVE-2019-5458",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "Low",
            "scope": "Changed",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2019-5458",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2019-25322",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201907-1574",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-25322"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-007123"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-5458"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201907-1574"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim\u0027s browser. http-file-server Contains a cross-site scripting vulnerability.The information may be obtained and the information may be falsified. Http-file-server is an HTTP file server. The vulnerability stems from the lack of proper validation of client data for web applications. An attacker could exploit the vulnerability to execute client code",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-5458"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-007123"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-25322"
      }
    ],
    "trust": 2.16
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2019-5458",
        "trust": 3.0
      },
      {
        "db": "HACKERONE",
        "id": "570563",
        "trust": 2.4
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-007123",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-25322",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201907-1574",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-25322"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-007123"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-5458"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201907-1574"
      }
    ]
  },
  "id": "VAR-201907-0117",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-25322"
      }
    ],
    "trust": 0.06
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-25322"
      }
    ]
  },
  "last_update_date": "2023-12-18T12:50:15.100000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Introduction",
        "trust": 0.8,
        "url": "https://www.rejetto.com/hfs/"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-007123"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-007123"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-5458"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.4,
        "url": "https://hackerone.com/reports/570563"
      },
      {
        "trust": 2.0,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-5458"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-5458"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-25322"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-007123"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-5458"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201907-1574"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-25322"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-007123"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-5458"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201907-1574"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-07-31T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-25322"
      },
      {
        "date": "2019-08-05T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-007123"
      },
      {
        "date": "2019-07-30T21:15:12.177000",
        "db": "NVD",
        "id": "CVE-2019-5458"
      },
      {
        "date": "2019-07-30T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201907-1574"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-07-31T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-25322"
      },
      {
        "date": "2019-08-05T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-007123"
      },
      {
        "date": "2023-01-31T21:17:58.967000",
        "db": "NVD",
        "id": "CVE-2019-5458"
      },
      {
        "date": "2019-08-02T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201907-1574"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201907-1574"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Http-file-server cross-site scripting vulnerability",
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-25322"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201907-1574"
      }
    ],
    "trust": 1.2
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "XSS",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201907-1574"
      }
    ],
    "trust": 0.6
  }
}

CNVD-2019-25322

Vulnerability from cnvd - Published: 2019-07-31

Title

http-file-server跨站脚本漏洞

Description

http-file-server是一款HTTP文件服务器。 http-file-server (全部版本)中存在跨站脚本漏洞。该漏洞源于WEB应用缺少对客户端数据的正确验证。攻击者可利用该漏洞执行客户端代码。

Severity

中

Formal description

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法： https://www.npmjs.com/package/http-file-server

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-5458

Impacted products

Name
http-file-server http-file-server

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-5458"
    }
  },
  "description": "http-file-server\u662f\u4e00\u6b3eHTTP\u6587\u4ef6\u670d\u52a1\u5668\u3002\n\nhttp-file-server (\u5168\u90e8\u7248\u672c)\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8eWEB\u5e94\u7528\u7f3a\u5c11\u5bf9\u5ba2\u6237\u7aef\u6570\u636e\u7684\u6b63\u786e\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002",
  "discovererName": "unKnow",
  "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\nhttps://www.npmjs.com/package/http-file-server",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-25322",
  "openTime": "2019-07-31",
  "products": {
    "product": "http-file-server http-file-server"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-5458",
  "serverity": "\u4e2d",
  "submitTime": "2019-07-31",
  "title": "http-file-server\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

GHSA-7J93-2H6R-HM49

Vulnerability from github – Published: 2019-07-31 04:22 – Updated: 2023-02-01 09:19

Summary

Cross-Site Scripting in http-file-server

Details

All versions of http-file-server are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Severity ?

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "http-file-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-5458"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-07-31T03:41:20Z",
    "nvd_published_at": "2019-07-30T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "All versions of `http-file-server` are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim\u0027s browser through files with names containing malicious code.\n\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative package until a fix is made available.",
  "id": "GHSA-7j93-2h6r-hm49",
  "modified": "2023-02-01T09:19:41Z",
  "published": "2019-07-31T04:22:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5458"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/570563"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1110"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross-Site Scripting in http-file-server"
}

GSD-2019-5458

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser.

Aliases

CVE-2019-5458

Aliases

CVE-2019-5458

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-5458",
    "description": "Cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim\u0027s browser.",
    "id": "GSD-2019-5458"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-5458"
      ],
      "details": "Cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim\u0027s browser.",
      "id": "GSD-2019-5458",
      "modified": "2023-12-13T01:23:56.912821Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "support@hackerone.com",
        "ID": "CVE-2019-5458",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "http-file-server",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Not Fixed"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "http-file-server"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim\u0027s browser."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Cross-site Scripting (XSS) - Stored (CWE-79)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://hackerone.com/reports/570563",
            "refsource": "MISC",
            "url": "https://hackerone.com/reports/570563"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=0.1.0 \u003c=0.2.6",
          "affected_versions": "All versions starting from 0.1.0 up to 0.2.6",
          "cvss_v2": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2019-10-09",
          "description": "Cross-site scripting (XSS) vulnerability in http-file-server allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim\u0027s browser.",
          "fixed_versions": [],
          "identifier": "CVE-2019-5458",
          "identifiers": [
            "CVE-2019-5458"
          ],
          "package_slug": "npm/http-file-server",
          "pubdate": "2019-07-30",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Cross-site Scripting",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-5458"
          ],
          "uuid": "a83b4481-311a-4251-9ede-4b993ba82834"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:http-file-server_project:http-file-server:0.1.0:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.0:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.1:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.2:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.3:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.4:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.5:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:http-file-server_project:http-file-server:0.2.6:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assignments@hackerone.com",
          "ID": "CVE-2019-5458"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim\u0027s browser."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/570563",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://hackerone.com/reports/570563"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2023-01-31T21:17Z",
      "publishedDate": "2019-07-30T21:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-5458 (GCVE-0-2019-5458)

FKIE_CVE-2019-5458

VAR-201907-0117

CNVD-2019-25322

GHSA-7J93-2H6R-HM49

Recommendation

GSD-2019-5458

Tags

Sightings

Nomenclature