OS Command Injection in mrchuckomo/poddycast
Jun 25th 2021
The application does not sanitize the HTML characters in the podcast information obtained from the feed, which allows the injection of HTML and JS code (XSS).
Being an Electron application, an XSS can be escalated to RCE, making it possible to execute commands on the machine where the application is running.
Proof of Concept
- Paste this URL in the search input
- Click on the heart to bookmark the podcast
- Click on the "favorites" menu options.
- Done! This opens Firefox on Linux and the calculator on Windows.
If you see the text "html injection here" underlined, the vulnerability is present as well.
An attacker can create a podcast or episode with malicious characters and execute commands on the client machine.
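As an added example (not poddycast's own code), the unsanitized rendering pattern the report describes is shown beside an escaped version, with a boundary check that flags feed entries carrying markup and the Electron renderer settings that keep a stray script away from Node; the field names, the sample feed entry and the `hardenedWebPreferences` helper are assumptions.

```javascript
// Added example, not poddycast's own code. Feed text is attacker-controlled,
// so it must be escaped at the DOM sink and the renderer kept away from Node.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let text break out of HTML content or attributes.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (what the report describes): feed fields are concatenated
// straight into markup, so tags in a title or description are rendered live.
function renderPodcastUnsafe(podcast) {
  return `<div class="podcast"><h2>${podcast.title}</h2><p>${podcast.description}</p></div>`;
}

// Hardened pattern: every feed-controlled field goes through escapeHtml first.
// (In a real renderer, assigning textContent instead of innerHTML is equivalent.)
function renderPodcastSafe(podcast) {
  return `<div class="podcast"><h2>${escapeHtml(podcast.title)}</h2>` +
    `<p>${escapeHtml(podcast.description)}</p></div>`;
}

// Detection hook for the feed-parsing boundary: return the names of fields that
// carry a tag-like sequence, so such entries can be logged rather than silently escaped.
function feedFieldsWithMarkup(podcast) {
  return Object.entries(podcast)
    .filter(([, v]) => /<[a-zA-Z!/]/.test(String(v)))
    .map(([k]) => k);
}

// Hypothetical helper: BrowserWindow webPreferences that deny the renderer direct
// Node access, so a script that still slips through cannot spawn processes.
function hardenedWebPreferences() {
  return { nodeIntegration: false, contextIsolation: true, sandbox: true };
}

// Constructed sample feed entry, modelled on the underlined "html injection
// here" marker mentioned in the report.
const SAMPLE_PODCAST = {
  title: '<u>html injection here</u>',
  description: 'Show notes <script>alert(1)</script>',
};

console.log('fields with markup:', feedFieldsWithMarkup(SAMPLE_PODCAST));
console.log('unsafe:', renderPodcastUnsafe(SAMPLE_PODCAST));
console.log('safe:  ', renderPodcastSafe(SAMPLE_PODCAST));
```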
We have contacted a member of the mrchuckomo/poddycast team and are waiting to hear back (2 years ago)
A mrchuckomo/poddycast maintainer validated this vulnerability (2 years ago)
Jonathan Toledo has been awarded the disclosure bounty
The fix bounty is now up for grabs
A mrchuckomo/poddycast maintainer marked this as fixed with commit b82d62 (2 years ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE