Cross-site Scripting (XSS) - Stored in cyrisxd/love-lock-card

Valid

Reported on

Jan 15th 2022


Description

Currently, by adding a "+ to the password, or a DOM element to the title, you can inject scripts into HA. I know that this library is meant to be not-secure by design, as stated in the README, and that if someone can update the Lovelace dashboard he can probably execute JS code in other ways, but I think that we can easily fix this.

Proof of Concept

// PoC title
// Scripts in title will be executed on card load
title: 'Title<img hidden src=x onerror="alert(document.location.href)"></img>'

// PoC password
// Scripts in password will be executed after password submission
password: '"+alert(document.location.href)+"'

Impact

A user who can edit Lovelace configuration can inject JS scripts for every user.
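
The two PoC values point at two different sinks: the title reaching markup unescaped, and the password reaching generated JavaScript inside a string literal. The sketch below is an added example, not code from the report or from love-lock-card; the "unsafe" functions are assumed patterns inferred from the PoC, and every function name is hypothetical. It puts each assumed pattern beside a hardened form.

```javascript
// Added example: not the love-lock-card source. The "unsafe" functions are
// assumed patterns inferred from the two PoC values; all names are hypothetical.

// Constructed sample config holding the PoC values from the report.
const sampleConfig = {
  title: 'Title<img hidden src=x onerror="alert(document.location.href)"></img>',
  password: '"+alert(document.location.href)+"',
};

// Assumed vulnerable pattern 1: config text concatenated into markup.
function renderTitleUnsafe(title) {
  return '<div class="title">' + title + '</div>';
}

// Assumed vulnerable pattern 2: config text concatenated into JS source,
// e.g. for an inline event handler. A '"' in the password ends the literal.
function buildCheckSourceUnsafe(password) {
  return 'return input == "' + password + '";';
}

// Hardened 1: HTML-escape config text before it reaches markup
// (in the DOM, assigning element.textContent achieves the same).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
function renderTitleSafe(title) {
  return '<div class="title">' + escapeHtml(title) + '</div>';
}

// Hardened 2: keep the password as data in a closure and compare values;
// no source code is ever built from it.
function makePasswordCheck(password) {
  const expected = String(password);
  return (input) => String(input) === expected;
}
```

With the hardened forms, the title PoC renders as visible text and the password PoC is just an unusual password that still matches itself.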

We are processing your report and will contact the cyrisxd/love-lock-card team within 24 hours. a year ago
Matteo Gheza submitted a
a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the cyrisxd/love-lock-card team and are waiting to hear back a year ago
cyrisxd validated this vulnerability a year ago
Matteo Gheza has been awarded the disclosure bounty
The fix bounty is now up for grabs
cyrisxd marked this as fixed in 1.1 with commit c82e15 a year ago
Matteo Gheza has been awarded the fix bounty
This vulnerability will not receive a CVE