6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-3771

GHSA ID

GHSA-393x-fr59-r8fg

EPSS Score

0.59096%

CWE

CWE-79

Published

5/13/2022

Updated

5/2/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-3771

CVE-2018-3771: statics-server Cross-site Scripting vulnerability

An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser. Statics-server does not implement any HTML escaping when displays directory index in the browser. Variable v is used in <a href> element without escaping, which allows to embed HTML <iframe> tag with src attribute points to another HTML file in the directory. This file can contain malicious JavaScript code, which will be executed:

// ./node_modules/statics-server/index.js, line 18:

    if(fs.lstatSync(staticPath).isDirectory()){
        var files=fs.readdirSync(staticPath);
        var lis='';
        files.forEach((v,i)=>{
            if(fs.lstatSync(path.resolve(staticPath,v)).isDirectory()){
                lis+=`<li><a href="${req.url}${v}/">${v}/</a></li>`;
            }else {
                lis+=`<li><a href="${req.url}${v}">${v}</a></li>`
            }
        });

        (...)

(GitHub Advisory)

6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-3771

GHSA ID

GHSA-393x-fr59-r8fg

EPSS Score

0.59096%

CWE

CWE-79

Published

5/13/2022

Updated

5/2/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
statics-server	npm	<= 0.0.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability occurs in the directory listing generation code where user-controlled input (filenames) is directly interpolated into HTML without proper escaping. The code builds <a> tags using template literals with ${v} in both href attribute and link text. Since filenames can contain HTML metacharacters, this allows XSS payloads to be injected. The HackerOne report explicitly identifies this unescaped use of variable v as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n XSS in st*ti*s-s*rv*r <= *.*.* **n ** us** vi* inj**t** i*r*m* in t** *il*n*m* w**n st*ti*s-s*rv*r *ispl*ys *ir**tory in**x in t** *rows*r. St*ti*s-s*rv*r *o*s not impl*m*nt *ny *TML *s**pin* w**n *ispl*ys *ir**tory in**x in t** *rows*r. V*ri**l*

Reasoning

T** vuln*r**ility o**urs in t** *ir**tory listin* **n*r*tion *o** w**r* us*r-*ontroll** input (*il*n*m*s) is *ir**tly int*rpol*t** into *TML wit*out prop*r *s**pin*. T** *o** *uil*s <*> t**s usin* t*mpl*t* lit*r*ls wit* ${v} in *ot* *r** *ttri*ut* *n

6.1

Basic Information

Concerned about an active attack path?

CVE-2018-3771: statics-server Cross-site Scripting vulnerability

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI