CVE-2022-50951
Unknown Unknown - Not Provided
Persistent XSS in WiFi File Transfer 1.0.8 Enables Browser Hijack

Publication date: 2026-02-01

Last updated on: 2026-02-01

Assigner: VulnCheck

Description
WiFi File Transfer 1.0.8 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through file and folder names. Attackers can exploit the web server's input validation weakness to execute arbitrary JavaScript when users preview infected file paths, potentially compromising user browser sessions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-01
Last Modified
2026-02-01
Generated
2026-06-16
AI Q&A
2026-02-01
EPSS Evaluated
2026-06-14
NVD
CVE-2022-50951
EUVD
EUVD-2022-55946
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
smarterdroid wifi_file_transfer 1.0.8
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2022-50951 is a persistent cross-site scripting (XSS) vulnerability in WiFi File Transfer version 1.0.8. It occurs because the web server component does not properly validate input, allowing attackers to inject malicious JavaScript code through file and folder names. When users preview these infected file paths in the web interface, the malicious scripts execute in their browsers, potentially compromising user sessions. [2, 3]

Impact Analysis

This vulnerability can lead to session hijacking, persistent phishing attacks, external redirects to malicious sites, and manipulation of application modules. Since the malicious code executes in the user's browser when previewing infected file paths, attackers can compromise user browser sessions. The vulnerability requires low user interaction and no authentication, making it exploitable by anyone on the local WiFi network. [2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for specially crafted POST requests targeting the `data_file` parameter in the WiFi File Transfer web server. Detection involves checking for malicious script code injected in file or folder names via these POST requests. A practical approach is to capture and analyze HTTP traffic on the local WiFi network for suspicious POST requests containing script tags or JavaScript payloads in the `data_file` parameter. Example commands include using tools like curl to send test POST requests with payloads to the server or using network sniffers such as tcpdump or Wireshark to monitor traffic for suspicious input. For instance, a curl command to test injection might be: `curl -X POST -d "data_file=<script>alert(1)</script>" http://<target-ip>/upload` to see if the payload is accepted and reflected. [2]

Mitigation Strategies

Immediate mitigation steps include restricting input for folder, file, and zip names to disallow special characters that can be used for script injection. Additionally, encoding and escaping the `data_file` parameter to sanitize input is essential. Output sanitization and filtering in the file explorer path listings should be implemented to prevent execution of injected scripts. Until a patch is available, limiting access to the WiFi File Transfer web server to trusted users and networks can reduce risk. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50951. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart