GHSA-cwv4-h3j5-w3cf: rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path
plabayo/rama contains a stored/reflected cross-site scripting issue in the ServeDir HTML directory listing feature.
When ServeDir is configured with DirectoryServeMode::HtmlFileList, file names and URI path components are inserted directly into generated HTML without HTML escaping. If an attacker can create or influence a file or directory name inside a served directory, they may inject HTML or JavaScript into the directory listing page.
This can execute script in the browser of any user who visits the affected directory listing.
References
Code Behaviors & Features
Detect and mitigate GHSA-cwv4-h3j5-w3cf with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →