Impact
The vulnerability is an HTML injection flaw in the file view endpoint of LiquidFiles version 4.2.7, allowing authenticated users to upload a crafted HTML file. When the recipient opens the file in a browser, the injected HTML causes the browser to execute arbitrary JavaScript in the victim’s context. This can lead to session hijacking, data theft, defacement, or other malicious actions carried out entirely within the victim’s session.
Affected Systems
LiquidFiles, version 4.2.7, which implements the file view endpoint that exposes this injection surface. No other product versions are explicitly referenced in the advisory.
Risk and Exploitability
The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but the lack of public exploitation data does not negate its potential impact. Because the flaw requires authenticated upload access, attackers need to be authenticated as a user of the system. No specific attack vector details beyond this context are disclosed in the description, so it is inferred that an attacker must first upload a specially crafted file and then have another authorized user view it.
OpenCVE Enrichment