
CVE-2024-32966: static-web-server vulnerable to stored Cross-site Scripting in directory listings via file names

CVSS Score: 5.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.22266%
Published: 5/1/2024
Updated: 5/1/2024
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
Package Name        Ecosystem   Vulnerable Versions   First Patched Version
static-web-server   rust        < 2.30.0              2.30.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from unescaped HTML output in directory listings. The release notes show that directory listing handling was refactored in PR #367 to use maud templates, which escape interpolated values by default. This implies that the vulnerable versions built the listing by plain string concatenation: the functions that render the listing page and format each entry inserted attacker-controlled file names (and the listed path) into the HTML without escaping for text or attribute context. The 'current_path' and 'file_name' parameters named in the advisory map directly to the values those rendering functions interpolate, so any file an untrusted party can place in a listed directory becomes an injection point, and the payload executes in the origin of the server for every visitor who opens the listing.
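The contrast described above, as an added example that is not static-web-server's own code: a minimal directory-listing renderer written both ways. The file names are constructed test data, and the hand-written `html_escape` and `percent_encode_segment` helpers stand in for the context-aware escaping a template engine such as maud performs automatically; the function names are assumptions for illustration.

```rust
// Added example, not static-web-server's code. It shows why concatenating
// file names into markup is exploitable and what the escaped form looks like.

/// Escape the five characters that matter in HTML text and attribute context.
/// (Stands in for the auto-escaping a maud template applies to interpolations.)
fn html_escape(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Percent-encode a path segment for use inside an href, so a file name
/// cannot break out of the attribute or smuggle a different link target.
fn percent_encode_segment(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for b in input.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Vulnerable pattern: the listed path and each file name are concatenated
/// straight into the markup, once as an href and once as link text.
fn render_listing_vulnerable(current_path: &str, entries: &[&str]) -> String {
    let mut html = format!("<h1>Index of {}</h1>\n<ul>\n", current_path);
    for name in entries {
        html.push_str(&format!("<li><a href=\"{}\">{}</a></li>\n", name, name));
    }
    html.push_str("</ul>\n");
    html
}

/// Hardened pattern: every untrusted value is escaped for the context it lands in
/// (HTML text for the visible name, percent-encoding for the URL attribute).
fn render_listing_safe(current_path: &str, entries: &[&str]) -> String {
    let mut html = format!("<h1>Index of {}</h1>\n<ul>\n", html_escape(current_path));
    for name in entries {
        html.push_str(&format!(
            "<li><a href=\"{}\">{}</a></li>\n",
            percent_encode_segment(name),
            html_escape(name)
        ));
    }
    html.push_str("</ul>\n");
    html
}

/// Crude detection used below: is a raw tag from a file name still present in the output?
fn contains_raw_tag(html: &str, tag: &str) -> bool {
    html.contains(tag)
}

fn main() {
    // Constructed sample directory: one benign file plus the payload-style
    // name quoted in the advisory summary.
    let entries = ["notes.txt", "<img src=x onerror=alert(1)>.txt"];
    let bad = render_listing_vulnerable("/uploads/", &entries);
    let good = render_listing_safe("/uploads/", &entries);
    println!("--- vulnerable ---\n{bad}");
    println!("--- hardened ---\n{good}");
    let probe = "<img src=x onerror=alert(1)>";
    println!("vulnerable output carries a live img tag: {}", contains_raw_tag(&bad, probe));
    println!("hardened output carries a live img tag: {}", contains_raw_tag(&good, probe));
}
```

The hardened renderer escapes the file name twice, differently, because it appears in two contexts: inside `href="..."` the hazard is breaking out of the quoted attribute or injecting a `javascript:` target, so the segment is percent-encoded; in the link text the hazard is a literal tag, so `<`, `>`, `&` and quotes become entities. A single escaping routine applied to both positions is the classic half-fix.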


WAF Protection Rules

Summary

If directory listings are enabled for a directory that an untrusted user has upload privileges for, a malicious file name like `<img src=x onerror=alert(1)>.txt` will allow JavaScript code execution in the context of the web server's domain. Directory listing is an opt-in feature in static-web-server, so deployments that never enabled it do not expose the vulnerable rendering path; upgrading to 2.30.0 or later removes it regardless.
