OS Command Injection in mrchuckomo/poddycast (Valid)
The application does not sanitize or escape the HTML characters in the podcast information it obtains from the feed, which allows the injection of HTML and JavaScript code (XSS).
Because the application is built on Electron, this XSS can be escalated to RCE, making it possible to execute commands on the machine where the application is running.
🕵️‍♂️ Proof of Concept
- Paste this URL in the search input
- Click on the heart to bookmark the podcast
- Click on the "favorites" menu option.
- Done! This opens Firefox on Linux and the Calculator on Windows.
If you see the text "html injection here" underlined, the HTML injection vulnerability is present as well (the feed markup was rendered instead of being displayed as text).
An attacker can create a podcast or episode containing malicious characters and execute commands on the client machine.
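The fix the report implies is to treat every string that arrives from a feed (title, description, author, and so on) as untrusted text and escape it before it is concatenated into HTML. The following is an added example written for this page, not code from the poddycast project: the function names, the card template and the sample feed item are all assumptions, and the sample item simply reuses the underlined "html injection here" marker the report describes so that the unsafe and the escaped rendering can be compared.

```javascript
// Added example, not code from mrchuckomo/poddycast. It contrasts an unsafe
// renderer that concatenates feed-derived strings straight into HTML with an
// escaped renderer, and provides a check that tells whether feed markup leaked
// through into the rendered output.

// Escape the characters that carry meaning in HTML text and attribute contexts.
// The ampersand is replaced first so that already-produced entities are not
// double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe pattern (for contrast only): feed strings are inserted verbatim, so
// any tag inside a title or description becomes part of the DOM.
function renderPodcastCardUnsafe(podcast) {
  return (
    '<div class="podcast">' +
      '<h3>' + podcast.title + '</h3>' +
      '<p>' + podcast.description + '</p>' +
    '</div>'
  );
}

// Hardened pattern: only the template itself is trusted markup; every
// feed-derived field goes through escapeHtml() before it is concatenated.
function renderPodcastCard(podcast) {
  return (
    '<div class="podcast">' +
      '<h3>' + escapeHtml(podcast.title) + '</h3>' +
      '<p>' + escapeHtml(podcast.description) + '</p>' +
    '</div>'
  );
}

// Return true when a feed field that contains HTML-significant characters
// appears verbatim in the rendered output, i.e. when escaping was skipped.
function feedMarkupLeaked(html, podcast) {
  return [podcast.title, podcast.description]
    .map(String)
    .filter((field) => /[<>"']/.test(field))
    .some((field) => html.includes(field));
}

// Constructed sample feed item (not taken from a real feed); the title
// mirrors the underlined marker mentioned in the report, the description adds
// an ampersand to show that entity escaping is applied too.
const sampleFeedItem = {
  title: '<u>html injection here</u>',
  description: 'Show notes & links',
};

// Stand-alone demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe leaks markup:', feedMarkupLeaked(renderPodcastCardUnsafe(sampleFeedItem), sampleFeedItem));
  console.log('escaped leaks markup:', feedMarkupLeaked(renderPodcastCard(sampleFeedItem), sampleFeedItem));
  console.log(renderPodcastCard(sampleFeedItem));
}
```

Escaping on output is the layer that removes the XSS itself; in an Electron renderer it should be combined with the usual process hardening (a `BrowserWindow` created with `nodeIntegration: false` and `contextIsolation: true`, and a Content Security Policy) so that a future injection in some other field does not again have direct access to Node APIs.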