6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-38501

GHSA ID

GHSA-f54q-j679-p9hh

EPSS Score

0.98896%

CWE

CWE-79

Published

7/25/2023

Updated

9/13/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-38501

CVE-2023-38501: copyparty vulnerable to reflected cross-site scripting via k304 parameter

Summary

The application contains a reflected cross-site scripting via URL-parameter ?k304=... and ?setck=...

Details

A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the application that could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link.

The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link.

It is recommended to change the passwords of your copyparty accounts, unless you have inspected your logs and found no trace of attacks.

Checking for exposure

if copyparty is running behind a reverse proxy, you can check the access-logs for traces of attacks, by grepping for URLs containing ?hc= with < somewhere in its value, for example using the following command:

nginx:

(gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -iE '%0[da]%0[da]%0[da]%0[da]|[?&](hc|pw)=.*[<>]'

the above commands also check for attacks against GHSA-cw7j-v52w-fp5r

PoC

https://localhost:3923/?k304=y%0D%0A%0D%0A%3Cimg+src%3Dcopyparty+onerror%3Dalert(1)%3E

(GitHub Advisory)

6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-38501

GHSA ID

GHSA-f54q-j679-p9hh

EPSS Score

0.98896%

CWE

CWE-79

Published

7/25/2023

Updated

9/13/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
copyparty	pip	<= 1.8.6	1.8.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper input sanitization in cookie generation. The commit diff shows:

A new control character check was added to query parameters (ptn_cc regex)
The set_k304 function was modified to sanitize input (lowercasing and restricting values)
Header validation was added to prevent control characters in responses

Before patching, set_k304 used raw user input from the 'k304' parameter to create cookies via gencookie(), allowing attackers to inject newlines (%0D%0A) to break HTTP headers and inject malicious HTML/JS into the response body. The PoC demonstrates this by injecting <img> tags through newline-separated headers.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry T** *ppli**tion *ont*ins * r**l**t** *ross-sit* s*riptin* vi* URL-p*r*m*t*r `?k***=...` *n* `?s*t*k=...` ### **t*ils * r**l**t** *ross-sit* s*riptin* (XSS) vuln*r**ility *xists in t** w** int*r**** o* t** *ppli**tion t**t *oul* *llow *n

Reasoning

T** vuln*r**ility st*ms *rom improp*r input s*nitiz*tion in *ooki* **n*r*tion. T** *ommit *i** s*ows: *. * n*w *ontrol ***r**t*r ****k w*s ***** to qu*ry p*r*m*t*rs (ptn_** r***x) *. T** s*t_k*** *un*tion w*s mo*i*i** to s*nitiz* input (low*r**sin* *

6.3

Basic Information

Concerned about an active attack path?

CVE-2023-38501: copyparty vulnerable to reflected cross-site scripting via k304 parameter

Summary

Details

Checking for exposure

PoC

6.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI