CVE-2023-38501

EPSS 66.83%
Published 25.07.2023 22:15:10
Last modified 04.09.2025 13:04:46
Source security-advisories@github.com
Teams watchlist Login
Open Login

copyparty is file server software. Prior to version 1.8.7, the application contains a reflected cross-site scripting via URL-parameter `?k304=...` and `?setck=...`. The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link. It is recommended to change the passwords of one's copyparty accounts, unless one have inspected one's logs and found no trace of attacks. Version 1.8.7 contains a patch for the issue.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

9001 ≫ Copyparty Version < 1.8.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	66.83%	0.985

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	6.3	2.8	3.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://packetstormsecurity.com/files/173821/Copyparty-1.8.6-Cross-Site-Scripting.html

Third Party Advisory

VDB Entry

https://github.com/9001/copyparty/commit/007d948cb982daa05bc6619cd20ee55b7e834c38

Patch

https://github.com/9001/copyparty/security/advisories/GHSA-f54q-j679-p9hh

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-38501

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-38501

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-38501

EUVD