SCA: security update for copyparty (GHSA-m2jw-cj8v-937r)

medium Tenable Self-Hosted Container Security Plugin ID 421003

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- copyparty, a portable file server, has a DOM-based cross-site scripting vulnerability in versions prior to 1.16.15. The vulnerability is considered low-risk. By handing someone a maliciously named file and then tricking them into dragging the file into copyparty's web UI, an attacker could execute arbitrary JavaScript with the same privileges as that user. For example, this could give unintended read access to files owned by that user. The bug is triggered by the drag-and-drop action itself; it is not necessary to actually initiate the upload. The file must be empty (zero bytes). Note that, as a general-purpose web server, copyparty intentionally allows uploading HTML files with arbitrary JavaScript in `<script>` tags, which will execute when the file is opened. The difference is that this vulnerability triggers execution of JavaScript during the act of uploading, rather than when the uploaded file is opened. Version 1.16.15 contains a fix. (CVE-2025-27145)

See Also

https://github.com/advisories/GHSA-m2jw-cj8v-937r

Plugin Details

Severity: Medium

ID: 421003

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 2/27/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2025-27145

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/26/2025

Vulnerability Publication Date: 2/25/2025

Reference Information

CVE: CVE-2025-27145