OS Command Injection in mrchuckomo/poddycast
Valid
Reported on Jun 25th 2021
✍️ Description
The application does not escape HTML-significant characters in the podcast metadata (title, description, episode data) it reads from a feed, so a feed author can inject arbitrary HTML and JavaScript into the rendered page (XSS).
Because the application is built with Electron, an XSS in the renderer can be escalated to remote code execution: when the renderer has access to Node.js APIs, injected script can load modules such as child_process and run commands on the machine where the application is running.
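The bug class described above, as an added example that is not poddycast's own code: a feed item is concatenated straight into markup (the vulnerable pattern), beside a renderer that escapes the text first, plus a small tag-name check that shows the difference. The feed item, the payload, the function names and the `HARDENED_WEB_PREFERENCES` object are constructed for this example; `nodeIntegration`, `contextIsolation` and `sandbox` are real Electron `webPreferences` options, but the values shown are assumptions about how a hardened main process would configure them, not what poddycast does.

```javascript
// Added example (not the project's code). Demonstrates feed metadata rendered
// via string concatenation vs. escaped rendering, in plain Node.js.

// Constructed feed item, as a malicious publisher could serve it. The onerror
// handler is the kind of payload that becomes RCE when the renderer exposes
// Node.js APIs (it is an illustration, not the payload behind the PoC URL).
const MALICIOUS_ITEM = {
  title: '<img src=x onerror="require(\'child_process\').exec(\'xcalc\')">',
  description: '<u>html injection here</u>',
};

// Vulnerable pattern: untrusted feed text dropped directly into markup.
function renderItemUnsafe(item) {
  return `<li class="podcast"><b>${item.title}</b><p>${item.description}</p></li>`;
}

// Escape the five HTML-significant characters so feed text is rendered as
// text. In a real renderer, prefer textContent / DOM APIs over innerHTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: same markup, feed-controlled fields escaped.
function renderItemSafe(item) {
  return `<li class="podcast"><b>${escapeHtml(item.title)}</b><p>${escapeHtml(item.description)}</p></li>`;
}

// Check: which element names actually appear in the produced HTML?
// Only the template's own tags (li, b, p) should ever show up.
function tagNames(html) {
  return [...html.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

// Defence in depth on the Electron side (assumed hardened settings): even if
// an escape is missed, the renderer should not be able to reach Node.js.
const HARDENED_WEB_PREFERENCES = {
  nodeIntegration: false, // renderer cannot require('child_process')
  contextIsolation: true, // page scripts share no JS realm with preload code
  sandbox: true,          // renderer runs in the OS sandbox
};

// Stand-alone demo.
console.log('unsafe tags:', tagNames(renderItemUnsafe(MALICIOUS_ITEM)).join(' '));
console.log('safe tags:  ', tagNames(renderItemSafe(MALICIOUS_ITEM)).join(' '));
console.log('webPreferences:', HARDENED_WEB_PREFERENCES);
```

The unsafe output contains an `img` element (and the `u` element that shows up as the underlined "html injection here" text in the PoC), while the safe output contains only the template's `li`, `b` and `p`.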
🕵️♂️ Proof of Concept
- Paste this URL into the search input:
https://apimocha.com/overlabs/podcast
- Click the heart icon to bookmark the podcast.
- Open the "favorites" menu option.
- Done! Rendering the bookmarked feed opens Firefox on Linux and the calculator on Windows.
If the text "html injection here" is shown underlined, the HTML injection is present as well: the markup in the feed text was rendered rather than escaped.
💥 Impact
An attacker who controls a podcast feed (or a single episode in one) can embed malicious markup in its metadata and execute arbitrary commands on the machine of any user who adds and views that podcast in the application.
Occurrences
- We have contacted a member of the mrchuckomo/poddycast team and are waiting to hear back.
- The fix bounty has been dropped.
- This vulnerability will not receive a CVE.