CVE-2022-40931: 
vulnerability analysis and mitigation

CVE-2022-40931 is a security vulnerability discovered in transfer.sh, affecting the content type handling in the inline file viewing functionality. The vulnerability was identified and reported on August 11, 2022, by security researcher Farhan Khursheed (GitHub Issue).

The vulnerability stems from improper implementation of content type handling in the server/handlers.go file. When viewing files using the 'inline' parameter in URLs (e.g., https://transfer.sh/inline/[FILE_ID]/[FILENAME]), the application fails to properly set the content type, allowing for potential Cross-Site Scripting (XSS) attacks. The issue specifically occurs around line 1035 of the handlers.go file where the content disposition is set without proper content type validation (GitHub PR).

The vulnerability allows attackers to execute stored Cross-Site Scripting (XSS) attacks by uploading specially crafted files without extensions. When these files are viewed using the inline parameter, the malicious HTML/JavaScript code can be executed in the victim's browser (GitHub Issue).

The vulnerability was fixed by implementing proper content type handling in the server/handlers.go file. The fix involves setting the content type to 'text/plain' when the metadata.ContentType is unable to determine the file's content type. The fix was merged into the main branch on August 20, 2022 (GitHub PR).