CVE-2023-41471 identifies a Cross Site Scripting (XSS) vulnerability in the copyparty software prior to version 1.9.2. The vulnerability resides in the WEEKEND-PLANS function, which processes user input in a way that allows injection and execution of arbitrary JavaScript code. This XSS flaw is exploitable by local attackers who already possess write access to the server hosting copyparty. The attack vector requires crafting a malicious payload that, when processed by the vulnerable function, executes arbitrary code within the context of the application. The vulnerability is disputed because the function is not accessible to unauthenticated or read-only users, limiting the attack surface to trusted users with elevated permissions. Furthermore, these users could achieve similar malicious outcomes by uploading HTML files containing JavaScript, making this vulnerability less critical in practical terms. The CVSS v3.1 base score of 7.8 reflects the high potential impact on confidentiality, integrity, and availability, with an attack vector classified as local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), and requiring user interaction (UI:R). No public exploits have been reported, and no official patches are linked yet, though upgrading to version 1.9.2 or later is recommended. The vulnerability is categorized under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

For European organizations using copyparty, particularly in multi-user environments where multiple users have write access to the server, this vulnerability could allow a malicious insider or compromised user to execute arbitrary JavaScript code. This could lead to theft of sensitive information, session hijacking, or further compromise of the server environment. Although the attack requires write access, the impact on confidentiality, integrity, and availability is high if exploited. Organizations relying on copyparty for file sharing or content management should consider the risk of insider threats or compromised accounts. The lack of known exploits in the wild reduces immediate risk, but the potential for damage remains significant in environments with insufficient access controls or monitoring. The vulnerability does not affect unauthenticated users, limiting its impact on external attackers.

European organizations should ensure that copyparty installations are updated to version 1.9.2 or later, where this vulnerability is addressed. Until patches are applied, strict access controls should be enforced to limit write permissions only to fully trusted users. Implement monitoring and logging of user actions on the server to detect suspicious activities related to the WEEKEND-PLANS function or file uploads. Employ web application firewalls (WAFs) with rules to detect and block XSS payloads targeting copyparty endpoints. Educate users with write access about the risks of uploading malicious content and enforce content validation or sanitization where possible. Consider isolating copyparty instances in segmented network zones to reduce lateral movement risk if an insider threat exploits this vulnerability. Regularly audit user permissions and review server logs for anomalies. Since no official patch links are provided, maintain contact with copyparty developers or community for updates and security advisories.