CVE-2021-32772 Information

Jun 07, 2022 cve

Description

Poddycast is a podcast app made with Electron. Prior to version 0.8.1 an attacker can create a podcast or episode with malicious characters and execute commands on the client machine. The application does not clean the HTML characters of the podcast information obtained from the Feed which allows the injection of HTML and JS code (cross-site scripting). Being an application made in electron cross-site scripting can be scaled to remote code execution making it possible to execute commands on the machine where the application is running. The vulnerability is patched in Poddycast version 0.8.1.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Reference

https://github.com/MrChuckomo/poddycast/security/advisories/GHSA-wjmh-9fj2-rqh6 https://github.com/MrChuckomo/poddycast/blob/8d31daa5cee04a389ec35f974959ea3fe4638be9/app/js/favorite.js#L4-L14 https://github.com/MrChuckomo/poddycast/blob/8d31daa5cee04a389ec35f974959ea3fe4638be9/app/js/feed.js#L285 https://github.com/MrChuckomo/poddycast/blob/8d31daa5cee04a389ec35f974959ea3fe4638be9/app/js/helper/helper_entries.js#L80

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.8

Share on: