{"uuid": "1da003bb-c763-4fee-a253-eb72dde9a2cb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-27145", "type": "seen", "source": "https://t.me/cvedetector/18848", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2025-27145 - \"copyparty DOM-Based Cross-Site Scripting Vulnerability\"\", \n  \"Content\": \"CVE ID : CVE-2025-27145 \nPublished : Feb. 25, 2025, 2:15 a.m. | 1\u00a0hour, 2\u00a0minutes ago \nDescription : copyparty, a portable file server, has a DOM-based cross-site scripting vulnerability in versions prior to 1.16.15. The vulnerability is considered low-risk. By handing someone a maliciously-named file, and then tricking them into dragging the file into copyparty's Web-UI, an attacker could execute arbitrary javascript with the same privileges as that user. For example, this could give unintended read-access to files owned by that user. The bug is triggered by the drag-drop action itself; it is not necessary to actually initiate the upload. The file must be empty (zero bytes). Note that, as a general-purpose webserver, it is intentionally possible to upload HTML-files with arbitrary javascript in `\",\n  \"Detection Date\": \"25 Feb 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-02-25T04:49:57.000000Z"}