Mutation Stored XSS at homepage in bookwyrm-social/bookwyrm
Jul 4th 2022
The bookwyrm HTML input sanitizer is vulnerable to mutation XSS (mXSS). The payload can be stored and then displayed on the homepage of the website (path /#discovery), so it affects all users and the main site.
Proof of Concept
Edit a book description:
// PoC <math><mtext><table><mglyph><style><![CDATA ><img src=x onerror=alert('Pwned')></style><img title="]]></mglyph><img	src=1	onerror=alert('Pwned')>">
Accessing /#feed (the homepage of a logged-in user) or /#discovery (which contains the book payload) will trigger the malicious code and pop up a
The vulnerability stems from a weakness of HTMLParser: it is not guaranteed to parse every kind of string input the same way a browser does, so the sanitizer's view of the markup and the browser's can differ. You could replace the sanitizer with another one, such as DOMPurify, to achieve more accuracy while still supporting HTML.
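As an added example (not bookwyrm's code), here is a minimal allowlist sanitizer built on the same html.parser.HTMLParser, together with the regression check a maintainer would want for this bug class: a sanitized fragment must be a fixed point, because the browser re-parses whatever the sanitizer emits. The allowlist and the sample inputs are constructed assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for this example; bookwyrm's own lists are not reproduced.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
RAW_TEXT_TAGS = {"script", "style"}  # html.parser reads their body as raw text

class AllowlistSanitizer(HTMLParser):
    """Re-serialises allowlisted tags/attributes only; everything else is dropped.
    HTMLParser's default handlers already discard comments, <!DOCTYPE>,
    <![CDATA[...]]> marked sections and <?...?>, so none of those reach `out`."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = ""
            for name, value in attrs:
                if name in ALLOWED_ATTRS.get(tag, ()) and value is not None:
                    # only http(s) hrefs survive, so javascript:/data: URLs are gone
                    if name == "href" and not value.lower().startswith(("http://", "https://")):
                        continue
                    kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

def is_stable(fragment):
    """mXSS regression check: the browser re-parses what the sanitizer emits,
    so sanitising the output a second time must change nothing."""
    once = sanitize(fragment)
    return sanitize(once) == once
```

Run is_stable over every fixture in the sanitizer's test suite; a fragment whose second pass differs from the first is exactly the kind of parser disagreement this report exploits.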
An attacker could deface the website, leak users' sensitive data, covertly collect data, or chain this into other attacks (see the OWASP XSS page for more details).