CVE-2025-54423

Опубликовано: 28 июл. 2025

Источник: nvd

CVSS3: 5.4

CVSS3: 6.1

EPSS Низкий

Описание

copyparty is a portable file server. In versions up to and including versions 1.18.4, an unauthenticated attacker is able to execute arbitrary JavaScript code in a victim's browser due to improper sanitization of multimedia tags in music files, including m3u files. This is fixed in version 1.18.5.

Ссылки

https://github.com/9001/copyparty/commit/895880aeb0be0813ddf732487596633f8f9fc3a6
Patch
https://github.com/9001/copyparty/releases/tag/v1.18.5
Release Notes
https://github.com/9001/copyparty/security/advisories/GHSA-9q4r-x2hj-jmvr
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:9001:copyparty:*:*:*:*:*:*:*:*

Версия до 1.18.5 (исключая)

EPSS

Процентиль: 18%

0.00059

Низкий

5.4 Medium

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-9q4r-x2hj-jmvr

CVSS3: 5.4

github

6 месяцев назад

copyparty has DOM-Based XSS vulnerability when displaying multimedia metadata

EPSS

Процентиль: 18%

0.00059

Низкий

5.4 Medium

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79