There was a missing permission-check in the shares feature (the shr global-option). When a share is created for just one file inside a folder, it was possible to access the other files inside that folder by guessing the filenames. It was not possible to descend into subdirectories in this manner; only the sibling files were accessible. This issue did not affect filekeys or dirkeys.
The filter parameter for the "Recent uploads" page allows arbitrary Regexes. If this feature is enabled (which is the default), an attacker can craft a filter which deadlocks the server.
Unauthorized reflected Cross-Site-Scripting when accessing the URL for recent uploads with the filter parameter containing JavaScript code.
An unauthenticated attacker is able to execute arbitrary JavaScript code in a victim's browser due to improper sanitization of multimedia tags in music files, including m3u files.
An unauthenticated attacker is able to execute arbitrary JavaScript code in a victim's browser due to improper sanitization of multimedia tags in music files, including m3u files.
A DOM-Based XSS was discovered in copyparty, a portable fileserver. The vulnerability is considered low-risk.
The application contains a reflected cross-site scripting via URL-parameter ?k304=… and ?setck=…
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in copyparty.
All versions before 1.8.2 have a path traversal vulnerability, allowing an attacker to download unintended files from the server.