Cross-site Scripting (XSS) - Stored in cyrisxd/love-lock-card
Jan 15th 2022
Currently, by adding a `"+` to the password, or a DOM element to the title, you can inject scripts into HA.
I know that this library is meant to be not-secure by design, as stated in the README, and that if someone can update the Lovelace dashboard he can probably execute JS code in other ways, but I think that we can easily fix this.
Proof of Concept
```
// PoC title
// Scripts in title will be executed on card load
title: 'Title<img hidden src=x onerror="alert(document.location.href)"></img>'

// PoC password
// Scripts in password will be executed after password submission
password: '"+alert(document.location.href)+"'
```
A user that can edit Lovelace configuration can inject JS scripts for every user.
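The two sinks from the proof of concept next to hardened equivalents, as an added example that is not love-lock-card's own code. The function names and the shape of the vulnerable string building are assumptions inferred from the two payloads.

```javascript
// Payloads exactly as given in the report's proof of concept.
const POC_TITLE = 'Title<img hidden src=x onerror="alert(document.location.href)"></img>';
const POC_PASSWORD = '"+alert(document.location.href)+"';

// Vulnerable pattern (hypothetical): config text is pasted into markup as-is,
// so any tag in the title becomes a live element when the card renders.
function unsafeTitleMarkup(title) {
  return '<div class="title">' + title + '</div>';
}

// Vulnerable pattern (hypothetical): the password becomes part of generated
// script source, so a double quote inside it ends the string literal early.
function unsafeCheckSource(password) {
  return 'if (entered == "' + password + '") unlock();';
}

// Hardened: escape the HTML-significant characters before the title reaches
// an HTML sink, so it can only ever render as text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function safeTitleMarkup(title) {
  return '<div class="title">' + escapeHtml(title) + '</div>';
}

// Hardened: the configured password stays data and is compared directly;
// no script source is ever assembled from it.
function checkPassword(entered, configured) {
  return typeof entered === 'string' && entered === String(configured);
}

// Only strings are built and compared here; nothing is evaluated.
console.log(unsafeTitleMarkup(POC_TITLE));
console.log(safeTitleMarkup(POC_TITLE));
console.log(unsafeCheckSource(POC_PASSWORD));
console.log(checkPassword(POC_PASSWORD, POC_PASSWORD));
```

In the browser, assigning the title through `textContent` gives the same result without a hand-written escaper.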
We are processing your report and will contact the cyrisxd/love-lock-card team within 24 hours. a year ago
We have contacted a member of the cyrisxd/love-lock-card team and are waiting to hear back a year ago
cyrisxd validated this vulnerability a year ago
Matteo Gheza has been awarded the disclosure bounty
The fix bounty is now up for grabs
This vulnerability will not receive a CVE