6.3

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-cw7j-v52w-fp5r

EPSS Score

CWE

CWE-79

Published

7/21/2023

Updated

9/4/2023

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-cw7j-v52w-fp5r

GHSA-cw7j-v52w-fp5r: copyparty vulnerable to reflected cross-site scripting via hc parameter

Summary

The application contains a reflected cross-site scripting via URL-parameter ?hc=...

Details

A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the application that could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link.

The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link.

It is recommended to change the passwords of your copyparty accounts, unless you have inspected your logs and found no trace of attacks.

Checking for exposure

if copyparty is running behind a reverse proxy, you can check the access-logs for traces of attacks, by grepping for URLs containing ?hc= with < somewhere in its value, for example using the following command:

nginx:

(gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -E '[?&](hc|pw)=.*[<>]'

PoC

http://127.0.0.1:3923/?hc="><script>alert(1);</script>
http://127.0.0.1:3923/?pw=<script>alert(1);</script>

(GitHub Advisory)

6.3

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-cw7j-v52w-fp5r

EPSS Score

CWE

CWE-79

Published

7/21/2023

Updated

9/4/2023

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
copyparty	pip	< 1.8.6	1.8.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows the vulnerability was in httpcli.py's tx_svcs method where: 1) The 'hc' parameter was accessed via self.uparam["hc"] 2) It was only .lstrip("/") with no XSS protection 3) The parameter value was passed into a Jinja template (self.j2s("svcs")) 4) The fix added regex substitution to neutralize dangerous characters. The unescaped insertion of user-controlled hc parameter into HTML output directly matches the XSS vulnerability described in the advisory.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry T** *ppli**tion *ont*ins * r**l**t** *ross-sit* s*riptin* vi* URL-p*r*m*t*r `?**=...` ### **t*ils * r**l**t** *ross-sit* s*riptin* (XSS) vuln*r**ility *xists in t** w** int*r**** o* t** *ppli**tion t**t *oul* *llow *n *tt**k*r to *x**ut*

Reasoning

T** *ommit *i** s*ows t** vuln*r**ility w*s in `*ttp*li.py`'s tx_sv*s m*t*o* w**r*: *) T** '**' p*r*m*t*r w*s ****ss** vi* s*l*.up*r*m["**"] *) It w*s only .lstrip("/") wit* no XSS prot**tion *) T** p*r*m*t*r v*lu* w*s p*ss** into * Jinj* t*mpl*t* (`

6.3

Basic Information

Concerned about an active attack path?

GHSA-cw7j-v52w-fp5r: copyparty vulnerable to reflected cross-site scripting via hc parameter

Summary

Details

Checking for exposure

PoC

6.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI