Impact
An authenticated stored cross‑site scripting flaw exists in the Upload File Shares API of LiquidFiles v4.2.7. By submitting a malicious payload in the Name field, an attacker who holds valid credentials can store executable JavaScript or HTML. When other users retrieve or view that file share, the injected code runs in their browsers, enabling session theft, defacement, or further social‑engineering attacks. The weakness corresponds to CWE‑79.
Affected Systems
LiquidFiles v4.2.7. No other versions or products were explicitly listed.
Risk and Exploitability
The flaw requires authentication and the ability to invoke the Upload File Shares API, so the threat is limited to users with legitimate access or compromised accounts. No EPSS data or KEV listing is available, indicating no publicly known exploitation at the time of analysis. Nevertheless, the ability to execute arbitrary script in a shared environment represents a high‑impact security risk once an attacker gains the necessary access.
OpenCVE Enrichment