Quark Drive Stored Cross-Site Scripting Vulnerability in System Configuration Page

Vulnerability

A stored cross-site scripting vulnerability has been identified in Quark Drive versions prior to 0.8.5. The issue arises in the System Configuration page, where the application renders key names with Vue.js's v-html directive without escaping them. This flaw allows authenticated attackers to inject HTML or JavaScript payloads as key names through the POST /update endpoint. The injected payloads are persisted to disk and executed in the browsers of all authenticated users who open the System Configuration tab. Exploitation can lead to session cookie exfiltration and the ability to perform arbitrary actions on behalf of the authenticated user.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the System Configuration page.

Remediation

Users can update to Quark Drive version 0.8.6 or later, where this vulnerability has been patched.
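
An added example, not Quark Drive's code or its patch: a key-name check that could reject an update or audit a configuration already stored on disk, shown next to the difference between handing a key name to the HTML parser (what v-html does) and rendering it as escaped text. The key-name policy, the function names and the sample configuration are assumptions made for illustration.

```javascript
'use strict';
// Hypothetical helpers for illustration; not taken from Quark Drive.

// Characters that let a string leave text context when it is parsed as HTML.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Equivalent of rendering with text interpolation: markup becomes inert text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed policy for key names: letters, digits, "_", "-", ".", at most 64 chars.
const SAFE_KEY = /^[A-Za-z0-9_.-]{1,64}$/;

// Walk a parsed configuration object and return the path of every key name
// that violates the policy, at any nesting depth.
function findUnsafeKeys(node, path = []) {
  const hits = [];
  if (node === null || typeof node !== 'object') return hits;
  for (const [key, value] of Object.entries(node)) {
    const here = path.concat(key);
    // Array indices are not user-chosen names; only object keys are checked.
    if (!Array.isArray(node) && !SAFE_KEY.test(key)) hits.push(here);
    hits.push(...findUnsafeKeys(value, here));
  }
  return hits;
}

// Constructed sample: a stored configuration where one key name carries markup.
const storedConfig = {
  settings: { interval: 30 },
  notify: { '<img src=x onerror=alert(1)>': 'v', enabled: true },
  tasks: [{ name: 'demo' }],
};

// For each offending key, show what each rendering mode would output.
function auditConfig(config) {
  return findUnsafeKeys(config).map((p) => ({
    path: p.join(' > '),
    asHtml: p[p.length - 1],             // string v-html would parse as markup
    asText: escapeHtml(p[p.length - 1]), // string escaped rendering would show
  }));
}

console.log(auditConfig(storedConfig));
```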

Added: May 13, 2026, 9:23 PM
Updated: May 13, 2026, 9:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 5.7
remediation: 0.0
relevance: 8.2
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.