Impact
An attacker who controls a podcast feed can craft a podcast or episode whose metadata contains malicious markup, and get commands executed on the machine of any user who adds that podcast.
The application does not escape HTML in the podcast information it obtains from the feed (episode title, channel name, artist and collection names) before assigning it to innerHTML, which allows injection of HTML and JavaScript (XSS).
Because the application is built on Electron and its renderer can reach Node.js APIs, the XSS escalates to remote code execution: the injected script can call require('child_process') and run arbitrary commands on the machine where the application is running.
References
helper_entries.js (line 80):

    TitleElement.innerHTML = _Title

feed.js (line 285):

    document.getElementsByClassName('settings-header')[0].innerHTML = ChannelName

favorite.js (lines 4 to 14):

    var Feed =
    {
        "artistName": _ArtistName,
        "collectionName": _CollectionName,
        "artworkUrl30": _Artwork30,
        "artworkUrl60": _Artwork60,
        "artworkUrl100": _Artwork100,
        "feedUrl": _FeedUrl,
        "addToInbox": true,
        "feedUrlStatus": 200 // Set default URL status to 200
    }
For more information
To reproduce:
1. Paste this URL in the search input:
   https://apimocha.com/overlabs/podcast
2. Click on the heart to bookmark the podcast.
3. Click on the "favorites" menu option.
4. Done! The payload in that mock feed opens Firefox on Linux and the calculator on Windows.
If you see the text "html injection here" underlined, the HTML injection is present as well.
https://huntr.dev/bounties/1624637557081-MrChuckomo/poddycast/?token=52bf1219844a7ac839db5964748447e6334c6aa85338c9bdffb31a6ebf55f950ac0423e5146930e4d25a37fbcb797835e97f8dc333752dd439b334a3bbe3d425c5e368b7027d74cb1c5fdf6e9bb5f548a4195a78e77db9c7975796fcc3e32e51576c407643db2783bd419b02ebde5d4e25b63b0572f0648ca42204bee26fb7739d27552dfd47d0319c
The code snippets under References are taken from commit 8d31daa:
- poddycast/app/js/helper/helper_entries.js, line 80
- poddycast/app/js/feed.js, line 285
- poddycast/app/js/favorite.js, lines 4 to 14