Описание
Navidrome has XSS via comment from song metadata
Summary
An XSS vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials.
An attacker's maliciously crafted song has to be added to Navidrome to exploit the vulnerability.
Details
The frontend is using React. In various places, the code uses the dangerouslySetInnerHTML escape hatch to set the content of an HTML element.
In some places, the value is first sanitized by removing anything looking like an HTML tag. In at least one place the value is used as is, thus leading to the XSS vulnerability.
In MultiLineTextField component, the input is split into lines and rendered through the dangerouslySetInnerHTML property.
This component is then used in the SongInfo and AlbumInfo components, when rendering the comment of the song or album. The contents of the comments field is taken verbatim from the metadata of a song, such as the VORBIS COMMENT comment of a FLAC file.
By crafting the contents of the comment field, an attacker can inject code into the frontend, which runs whenever a user views the song or album info.
Additionally, as the Navidrome API token is kept in local storage and since there's no CSP in place unless the user's configured one outside of Navidrome, the attacker can exfiltrate the API token.
PoC
- Modify the comment field of a song to contain the following payload using a tool like MusicBrain'z Picard:
or use metaflac:
- Add the song to Navidrome
- Enter the "Songs" or one of the albums page, click the "kebab menu" and then "Get Info"
In this payload, a broken image can be seen in the info dialog.
In the developer tools' network inspector, the request exfiltrating the token to an example domain can be seen.
Impact
The vulnerability affects users of the Navidrome UI with songs from untrusted sources.
Mitigations
- Users of Navidrome should configure a strict [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) in their reverse-proxy to make exfiltration more difficult
- Users of Navidrome should not index songs from untrusted sources without first vetting their metadata
Пакеты
github.com/navidrome/navidrome
< 0.60.0
0.60.0
Связанные уязвимости
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0.