Copyparty Unexpected JavaScript Execution Vulnerability via Crafted URL

A vulnerability in Copyparty prior to version 1.20.12 allows for unexpected execution of JavaScript in a user's context. This issue arises when an attacker, with both read and write permissions on the server, uploads a malicious file named '.prologue.html'. While JavaScript execution is intended when the file is directly accessed, the vulnerability lies in the fact that the JavaScript is also executed when the file is referenced through a crafted link, such as 'https://example.com/foo/?b'. This behavior is not expected. Although strict SameSite cookies provide some defense, an attacker could exploit this vulnerability by having the target click the crafted link from a page served by the server, potentially after editing a resource.

Impact

Exploitation of this vulnerability could allow the attacker to execute arbitrary JavaScript that could manipulate files on the server, such as moving, deleting, or uploading files, using the account of the user who clicked the link.

Remediation

Users can upgrade to Copyparty version 1.20.12 or later to address this vulnerability.