OS Command Injection in mrchuckomo/poddycast


Reported on Jun 25th 2021

✍️ Description

The application does not sanitize HTML characters in the podcast information obtained from the feed, which allows injection of HTML and JavaScript code (XSS).

Because the application is built with Electron, the XSS can be escalated to RCE, making it possible to execute commands on the machine where the application is running.

🕵️‍♂️ Proof of Concept

  1. Paste this URL in the search input.
  2. Click on the heart to bookmark the podcast.
  3. Click on the "favorites" menu option.
  4. Done! This opens Firefox on Linux and Calculator on Windows.

If you see the text "html injection here" underlined, it is because the HTML injection vulnerability is also present.

💥 Impact

An attacker can create a podcast or episode containing malicious characters and execute commands on the client machine.
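
The missing output encoding described in this report, shown next to an escaped version. This is an added example, not code from the poddycast project or from the report; the function names and the feed item are constructed, and the title reuses the harmless "html injection here" marker from the proof of concept.

```javascript
// Added example: escapeHtml, safeImageUrl and renderFavorite* are hypothetical names,
// not functions from the poddycast code base.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can open a tag or entity, or end an attribute value.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only http(s) artwork URLs; any other scheme is replaced by an empty string.
function safeImageUrl(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '';
  } catch {
    return ''; // not a parseable absolute URL
  }
}

// Vulnerable pattern: feed-controlled strings concatenated straight into markup.
function renderFavoriteUnsafe(podcast) {
  return `<li title="${podcast.author}"><img src="${podcast.artwork}">` +
         `<span>${podcast.title}</span></li>`;
}

// Hardened pattern: each feed-controlled field is validated or escaped before use.
function renderFavoriteSafe(podcast) {
  return `<li title="${escapeHtml(podcast.author)}">` +
         `<img src="${escapeHtml(safeImageUrl(podcast.artwork))}">` +
         `<span>${escapeHtml(podcast.title)}</span></li>`;
}

// Constructed feed item (sample data, not a real feed).
const feedItem = {
  title: 'My show <u>html injection here</u>',
  author: 'Jane "JD" Doe & Co',
  artwork: 'https://example.com/cover.png',
};

console.log('unsafe:', renderFavoriteUnsafe(feedItem)); // the <u> tag reaches the markup
console.log('safe:  ', renderFavoriteSafe(feedItem));   // the tag is rendered as text
```

In a renderer that builds DOM nodes directly, assigning feed values through `textContent` instead of `innerHTML` gives the same result without manual escaping.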

We have contacted a member of the mrchuckomo/poddycast team and are waiting to hear back 2 years ago
mrchuckomo/poddycast maintainer validated this vulnerability 2 years ago
Jonathan Toledo has been awarded the disclosure bounty
The fix bounty is now up for grabs
mrchuckomo/poddycast maintainer marked this as fixed with commit b82d62 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE