Copyparty JavaScript Execution Vulnerability in SVG Files via Nohtml Config Option

Vulnerability

A vulnerability in Copyparty, a portable file server, allows JavaScript embedded in SVG files to execute. Versions prior to 1.20.11 are affected. The nohtml configuration option exists to stop user-uploaded HTML from running scripts in the server's origin, but it was not applied to SVG images, even though an SVG is an XML document that can carry script elements and event-handler attributes just as HTML can. A user with write permission could therefore upload an SVG containing JavaScript, and that script would run in the browser of any user who opened the file. The option intended to make untrusted uploads safe did not account for SVG as an active content type. This issue has been addressed in version 1.20.11.

Impact

Exploitation allows the uploaded JavaScript to run in the browser of the user who opens the SVG, inside the Copyparty server's origin, so it can issue requests that carry that user's session. Depending on the victim's permissions this can mean unauthorized file manipulation, such as moving, deleting or uploading files, performed under the account of the user who accessed the SVG. Note that browsers only run script in an SVG that is loaded as a document (navigated to directly, or embedded via object, embed or iframe); an SVG rendered through an img element or a CSS background does not execute script, so the attack depends on the victim opening the file itself.

Reproduction

To reproduce this vulnerability, on a Copyparty server older than 1.20.11 with the nohtml option enabled, upload an SVG file that contains a script element (or an on* event-handler attribute) to a volume where you have write permission. Then open the uploaded file directly in a browser. The embedded JavaScript executes, which demonstrates that nohtml did not cover SVG.
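The following is an added example for this reproduction step; it is not copyparty's own code and does not talk to a server. It builds a benign proof-of-concept SVG whose script only changes the document title, a scanner that flags the SVG constructs a browser would execute when the file is opened directly (script elements, foreignObject, on* handlers, javascript: URLs), and a heuristic check over the response headers of a fetched file that tells you whether a browser navigating to it would run the script. The header sets used in the usage example are constructed for illustration, not captured from a real copyparty instance.

```python
"""Proof-of-concept SVG with embedded script, plus two checks:
 - which constructs in an uploaded SVG can execute script
 - whether a server response would let a browser execute them
Added example; not part of copyparty."""
import json
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Media types a browser parses as a live HTML/XML document. Script inside an
# SVG runs under any of these; text/plain or an octet-stream is rendered inert.
DOCUMENT_TYPES = {
    "image/svg+xml",
    "text/html",
    "application/xhtml+xml",
    "application/xml",
    "text/xml",
}

_EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)
_SCRIPT_URL = re.compile(r"^\s*javascript:", re.I)


def make_poc_svg(marker: str = "copyparty-svg-xss") -> bytes:
    """Build a harmless PoC: the script only sets document.title.
    json.dumps yields a valid JS string literal for any marker value."""
    js_literal = json.dumps(marker)
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="{SVG_NS}" width="100" height="100">
  <rect width="100" height="100" fill="#888"/>
  <script>document.title = {js_literal};</script>
</svg>
""".encode()


def svg_active_content(data: bytes) -> list[str]:
    """Return the reasons this SVG could run script when opened as a document.
    An empty list means none of the known active constructs were found."""
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Unparseable input is not necessarily safe (browsers are lenient);
        # report it so the caller can reject rather than assume.
        return [f"unparseable: {exc}"]
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()  # strip the namespace prefix
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            local = name.split("}")[-1]  # handles xlink:href as well as href
            if _EVENT_ATTR.match(local):
                findings.append(f"{local} handler on <{tag}>")
            if _SCRIPT_URL.match(value):
                findings.append(f"javascript: URL on <{tag}>")
    return findings


def browser_would_execute(headers: dict[str, str]) -> bool:
    """Heuristic: given the response headers for a fetched SVG, would a browser
    that navigates to the URL treat the body as a live document?
    Inline + document media type + no script-disabling CSP means yes."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in DOCUMENT_TYPES:
        return False
    if "attachment" in h.get("content-disposition", "").lower():
        return False  # the browser downloads it instead of rendering
    csp = h.get("content-security-policy", "").lower()
    if "sandbox" in csp or "script-src 'none'" in csp:
        return False
    return True


if __name__ == "__main__":
    poc = make_poc_svg()
    print(poc.decode())
    print("active content:", svg_active_content(poc))
    # Constructed header sets for illustration (assumption, not captured output).
    inline_svg = {"Content-Type": "image/svg+xml"}
    as_text = {"Content-Type": "text/plain; charset=utf-8"}
    print("inline image/svg+xml executes:", browser_would_execute(inline_svg))
    print("text/plain executes:", browser_would_execute(as_text))
```

Write the output of make_poc_svg() to a file, upload it to a writable volume, then fetch it with a client that shows response headers and pass them to browser_would_execute(): True means the embedded script runs when a user opens the file, and the same call on the upgraded server is a quick way to confirm the fix took effect in your configuration. svg_active_content() is the pre-upload check a server-side hook or a scanner over an existing upload directory can use; the patterns it flags are the standard SVG execution vectors, not anything specific to copyparty.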

Remediation

Upgrade to Copyparty version 1.20.11 or later, where this vulnerability has been fixed. Until the upgrade is in place, keep write permission on shared volumes limited to trusted users, since the attack requires the ability to upload a file; after upgrading, confirm in your own configuration that an SVG uploaded under nohtml no longer executes when opened directly.

Added: Mar 10, 2026, 6:43 PM
Updated: Mar 10, 2026, 6:43 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 1.7
exploitability: 5.6
remediation: 7.7
relevance: 3.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.