Advisories for Npm/Serve-Index package

2017

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the serve-index package before 1.6.3 for Node.js allows remote attackers to inject arbitrary web script or HTML via a crafted file or directory name.

2015

XSS via file names

File and directory names are not escaped in HTML output. If remote users can influence file or directory names, this can trigger a persistent XSS attack.