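I. Basic Information for Vulnerability CVE-2025-27145
Vulnerability title
Copyparty renders unfiltered filenames as HTML when a user uploads an empty file
Source: AIGC Shenlong large model
Vulnerability description
In versions prior to 1.16.15, the portable file server copyparty has a DOM-based cross-site scripting vulnerability. The vulnerability is considered low-risk. By handing a victim a maliciously named file and tricking them into dragging and dropping it into copyparty's Web-UI, an attacker can execute arbitrary javascript code with the victim's privileges. For example, this could give the attacker unintended read access to files owned by that user. The vulnerability is triggered when the file is dragged and dropped; the upload does not need to actually start. The file must be empty (zero bytes). Note that, as a general-purpose web server, copyparty allows uploading HTML files containing arbitrary javascript code, which executes when the file is opened. The difference here is that this vulnerability can execute javascript code during the upload process rather than when the uploaded file is opened. Version 1.16.15 fixes this vulnerability.
Source: AIGC Shenlong large model
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Source: AIGC Shenlong large model
Vulnerability category
Improper neutralization of input during web page generation (cross-site scripting)
Source: AIGC Shenlong large model
Vulnerability title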
copyparty renders unsanitized filenames as HTML when user uploads empty files
Source: U.S. National Vulnerability Database (NVD)
Vulnerability description
copyparty, a portable file server, has a DOM-based cross-site scripting vulnerability in versions prior to 1.16.15. The vulnerability is considered low-risk. By handing someone a maliciously-named file, and then tricking them into dragging the file into copyparty's Web-UI, an attacker could execute arbitrary javascript with the same privileges as that user. For example, this could give unintended read-access to files owned by that user. The bug is triggered by the drag-drop action itself; it is not necessary to actually initiate the upload. The file must be empty (zero bytes). Note that, as a general-purpose webserver, it is intentionally possible to upload HTML-files with arbitrary javascript in `<script>` tags, which will execute when the file is opened. The difference is that this vulnerability would trigger execution of javascript during the act of uploading, and not when the uploaded file was opened. Version 1.16.15 contains a fix.
Source: U.S. National Vulnerability Database (NVD)
CVSS information
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
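Source: U.S. National Vulnerability Database (NVD)
Vulnerability category
Improper neutralization of script in attributes in a web page
Source: U.S. National Vulnerability Database (NVD)
II. Public POCs for Vulnerability CVE-2025-27145
# POC description Source link Shenlong link
III. Intelligence Information for Vulnerability CVE-2025-27145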