Cross-site scripting (XSS) vulnerability in HTTP File Server (HFS) before 2.2c allows remote attackers to inject arbitrary web script or HTML via the userinfo subcomponent of a URL.

HTTP File Server (HFS) before 2.2c allows remote attackers to obtain configuration and usage details by using an id element such as <id>%version%</id> in HTTP Basic Authentication instead of a username and password, as demonstrated by placing this id