OS Command Injection in mrchuckomo/poddycast

Reported on Jun 25th 2021

✍️ Description

The application does not escape HTML special characters in the podcast information it obtains from the feed, so whoever controls a feed can inject HTML and JavaScript into the application's pages (XSS).

Because the application is built with Electron, this XSS can be escalated to remote code execution: when the renderer process runs with Node integration enabled (or the page can otherwise reach Node APIs), injected script can load `child_process` and run arbitrary commands on the machine where the application is running. The PoC below does exactly that.

🕵️‍♂️ Proof of Concept

  1. Paste this URL in the search input.
  2. Click on the heart to bookmark the podcast.
  3. Click on the "favorites" menu option.
  4. Done! This opens Firefox on Linux and Calculator on Windows.

If the text "html injection here" appears underlined, the HTML injection is also present (the underline comes from a tag in the feed that was rendered instead of being escaped).

💥 Impact

An attacker can publish a podcast or episode whose metadata contains malicious HTML/JavaScript and execute arbitrary commands on the machine of any user who bookmarks it and opens the favorites view.

15 days ago: contacted a member of the mrchuckomo/poddycast team and waiting to hear back.
14 days ago: mrchuckomo/poddycast maintainer validated this vulnerability.
Jonathan Toledo has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
13 days ago: mrchuckomo/poddycast maintainer confirmed that a fix has been merged on b82d62.
The fix bounty has been dropped.