Description
Rejetto HFS 3.0.0 through 3.2.0 does not escape file names in its fallback "basic" web listing, and this listing can be forced by any browser via the ?get=basic parameter. A user with upload permission - or an anonymous user on servers with an open upload folder - can store a file whose name contains script that executes in the browser of anyone viewing the listing.
Problem types
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Product status
3.0.0 (semver) before 3.2.1
Credits
Zach Hanley (@hacks_zach) of Horizon3.ai, in collaboration with Claude and Anthropic Research
References
github.com/rejetto/hfs/releases/tag/v3.2.1 (hfs v3.2.1 Release Notes)
www.vulncheck.com/...xss-via-file-names-in-basic-web-listing