
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in helper_entries

High
MrChuckomo published GHSA-wjmh-9fj2-rqh6 Aug 3, 2021

Package

helper_entries (Poddycastapp)

Affected versions

0.8.0

Patched versions

0.8.1

Description

Impact

An attacker who controls a podcast feed can publish a podcast or episode whose metadata contains malicious characters and, when a user adds or views it, execute commands on that user's machine.

The application does not escape the HTML-significant characters in the podcast information obtained from the feed before rendering it, so arbitrary HTML and JavaScript can be injected into the page (XSS).

Because the application is built on Electron, the XSS can be escalated to remote code execution: injected script runs with the renderer's privileges and can execute commands on the machine where the application is running.

References

Affected code paths in poddycast: feed-derived strings are assigned directly to innerHTML without escaping, and the Feed record below is where those unvalidated fields are stored.

TitleElement.innerHTML = _Title

document.getElementsByClassName('settings-header')[0].innerHTML = ChannelName

var Feed =
{
"artistName": _ArtistName,
"collectionName": _CollectionName,
"artworkUrl30": _Artwork30,
"artworkUrl60": _Artwork60,
"artworkUrl100": _Artwork100,
"feedUrl": _FeedUrl,
"addToInbox": true,
"feedUrlStatus": 200 // Set default URL status to 200
}
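An added hardening example for the sinks quoted above. This is not poddycast code and not part of the advisory: the function names, the constructed sample feed and the Electron settings are this example's own assumptions. It shows the three controls a fix needs: write feed strings with textContent (or escape them before any innerHTML assignment), restrict artwork and feed URLs to http(s), and configure the renderer so a residual XSS cannot reach Node and therefore cannot become RCE.

```javascript
// Added hardening example for the innerHTML sinks quoted in the advisory.
// Not poddycast code: function names, the sample feed and the Electron
// settings are this example's own assumptions.

// Escape the characters HTML treats specially so a feed string can be
// placed in an innerHTML assignment as inert text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only http(s) URLs for artwork and feed links. javascript:, data:
// and file: URLs, or anything that does not parse, are dropped.
function safeUrl(s) {
  try {
    const u = new URL(String(s));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : '';
  } catch (e) {
    return '';
  }
}

// Build the Feed record the advisory shows, validating URL fields at the
// boundary. Text fields stay raw here; they are escaped at render time so
// they are never double-encoded.
function buildFeedEntry(raw) {
  return {
    artistName: String(raw.artistName || ''),
    collectionName: String(raw.collectionName || ''),
    artworkUrl30: safeUrl(raw.artworkUrl30),
    artworkUrl60: safeUrl(raw.artworkUrl60),
    artworkUrl100: safeUrl(raw.artworkUrl100),
    feedUrl: safeUrl(raw.feedUrl),
    addToInbox: true,
    feedUrlStatus: 200,
  };
}

// Safe replacement for `TitleElement.innerHTML = _Title`: textContent
// never parses markup. Works with a DOM element or any object with a
// writable textContent property.
function renderText(element, value) {
  element.textContent = String(value);
  return element.textContent;
}

// When a template really has to go through innerHTML, escape every
// untrusted field first (URLs were already restricted to http(s)).
function renderFeedHtml(feed) {
  return '<h2>' + escapeHtml(feed.collectionName) + '</h2>' +
         '<p>' + escapeHtml(feed.artistName) + '</p>' +
         (feed.artworkUrl100 ? '<img src="' + escapeHtml(feed.artworkUrl100) + '">' : '');
}

// Electron webPreferences for the renderer: with Node integration off and
// context isolation on, an XSS in the page cannot reach require() and so
// cannot run OS commands. Assumption: the affected build exposed Node to
// the renderer, which is what turns XSS into RCE.
function hardenedWebPreferences() {
  return { nodeIntegration: false, contextIsolation: true, sandbox: true };
}

// Constructed sample mimicking the advisory's PoC feed: markup in text
// fields and non-http URLs in link fields.
const MALICIOUS_FEED = {
  artistName: '<u>html injection here</u>',
  collectionName: '<img src=x onerror="alert(1)">',
  artworkUrl30: 'javascript:alert(1)',
  artworkUrl60: 'https://example.com/art60.png',
  artworkUrl100: 'data:text/html,<script>alert(1)</script>',
  feedUrl: 'https://apimocha.com/overlabs/podcast',
};

const ENTRY = buildFeedEntry(MALICIOUS_FEED);
console.log(renderFeedHtml(ENTRY));
```

Escaping at the render step rather than at storage keeps the stored feed data faithful to the source and avoids double-encoding; the URL allowlist is applied at the boundary because a `javascript:` or `data:` URL in an `src` or `href` is a script sink even after HTML escaping.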

For more information

Reproduction steps:

1. Paste this URL in the search input:

https://apimocha.com/overlabs/podcast

2. Click the heart to bookmark the podcast.
3. Open the "favorites" menu option.
4. The payload executes: on Linux this opens Firefox, on Windows it opens the calculator.

If the text "html injection here" is rendered underlined, the HTML injection is present as well.

https://huntr.dev/bounties/1624637557081-MrChuckomo/poddycast/?token=52bf1219844a7ac839db5964748447e6334c6aa85338c9bdffb31a6ebf55f950ac0423e5146930e4d25a37fbcb797835e97f8dc333752dd439b334a3bbe3d425c5e368b7027d74cb1c5fdf6e9bb5f548a4195a78e77db9c7975796fcc3e32e51576c407643db2783bd419b02ebde5d4e25b63b0572f0648ca42204bee26fb7739d27552dfd47d0319c

Severity

High

CVE ID

CVE-2021-32772
