6.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-38501

CVE-2023-38501: copyparty vulnerable to reflected cross-site scripting via k304 parameter

Summary

The application contains a reflected cross-site scripting via URL-parameter ?k304=... and ?setck=...

Details

A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the application that could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link.

The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link.

It is recommended to change the passwords of your copyparty accounts, unless you have inspected your logs and found no trace of attacks.

Checking for exposure

if copyparty is running behind a reverse proxy, you can check the access-logs for traces of attacks, by grepping for URLs containing ?hc= with < somewhere in its value, for example using the following command:

nginx:

(gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -iE '%0[da]%0[da]%0[da]%0[da]|[?&](hc|pw)=.*[<>]'

the above commands also check for attacks against GHSA-cw7j-v52w-fp5r

PoC

https://localhost:3923/?k304=y%0D%0A%0D%0A%3Cimg+src%3Dcopyparty+onerror%3Dalert(1)%3E

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-38501

CVE-2023-38501:

6.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
copyparty	pip	<= 1.8.6	1.8.7

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper input sanitization in cookie generation. The commit diff shows:

A new control character check was added to query parameters (ptn_cc regex)
The set_k304 function was modified to sanitize input (lowercasing and restricting values)
Header validation was added to prevent control characters in responses

Before patching, set_k304 used raw user input from the 'k304' parameter to create cookies via gencookie(), allowing attackers to inject newlines (%0D%0A) to break HTTP headers and inject malicious HTML/JS into the response body. The PoC demonstrates this by injecting <img> tags through newline-separated headers.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-38501: copyparty vulnerable to reflected cross-site scripting via k304 parameter

Summary

Details

Checking for exposure

PoC

CVE-2023-38501:

6.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2023-38501: copyparty vulnerable to reflected cross-site scripting via k304 parameter

Summary

Details

Checking for exposure

PoC

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.3

6.3

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI