All versions of the package serve-lite are vulnerable to Cross-site Scripting (XSS) because when it detects a request to a directory, it renders a file listing of all of its contents with links that include the actual file names without any sanitization or output encoding.

All versions of the package serve-lite are vulnerable to Directory Traversal due to missing input sanitization or other checks and protections employed to the req.url passed as-is to path.join().

Buffer overflow in the log viewing interface in Perception LiteServe 1.25 through 2.2 allows remote attackers to execute arbitrary code via a GET request with a long file name.

Cross-site scripting (XSS) vulnerability in Perception LiteServe 2.0.1 allows remote attackers to execute arbitrary web script via (1) a Host: header when DNS wildcards are supported or (2) the query string in a "dir" request to indexed folders.

Buffer overflow in HTTP server in LiteServe 2.0, 2.0.1 and 2.0.2 allows remote attackers to cause a denial of service (hang) via a large number of percent characters (%) in an HTTP GET request.

Perception LiteServe 2.0 through 2.0.1 allows remote attackers to obtain the source code of CGI scripts via an HTTP request with a trailing dot (".").

Perception LiteServe 2.0 allows remote attackers to read password protected files via a leading "/./" in a URL.

Perception LiteServe 1.25 allows remote attackers to obtain source code of CGI scripts via URLs that contain MS-DOS conventions such as (1) upper case letters or (2) 8.3 file names.