CVE-2023-47623 Information
Description
Scrypted is a home video integration and automation platform. In versions 0.55.0 and prior, a reflected cross-site scripting vulnerability exists in the login page via the redirect_uri parameter. By specifying a URL with the javascript scheme (javascript:), an attacker can run arbitrary JavaScript code after the login. As of the time of publication, no known patches are available.
Reference
https://securitylab.github.com/advisories/GHSL-2023-218_GHSL-2023-219_scrypted/
https://github.com/koush/scrypted/blob/v0.55.0/plugins/core/ui/src/Login.vue#L79
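One way to validate a post-login redirect value before navigating to it, shown as an added example (not Scrypted's code and not a patch from the project). The function name `safeRedirectTarget`, the origin `https://nvr.example`, the `/` fallback and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example: allow-list validation of a redirect parameter.
// Only same-origin http(s) targets are accepted; everything else falls back.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

function safeRedirectTarget(rawRedirect, appOrigin, fallback = '/') {
  if (typeof rawRedirect !== 'string' || rawRedirect.length === 0) return fallback;
  let target;
  try {
    // Parse with the same WHATWG URL rules a browser applies before navigating:
    // leading whitespace is trimmed, tabs/newlines are dropped, and the scheme
    // is lower-cased, so " JavaScript:" and "java\tscript:" are normalised
    // before the check instead of slipping past a string comparison.
    target = new URL(rawRedirect, appOrigin);
  } catch {
    return fallback;
  }
  // Rejects javascript:, data:, vbscript: and any other non-web scheme.
  if (!ALLOWED_PROTOCOLS.has(target.protocol)) return fallback;
  // Rejects absolute and protocol-relative URLs that point at another origin.
  if (target.origin !== new URL(appOrigin).origin) return fallback;
  // Return a path-only value so the caller never navigates to a full URL.
  return target.pathname + target.search + target.hash;
}

// Constructed sample inputs (not taken from the advisory).
const APP_ORIGIN = 'https://nvr.example';
const samples = [
  '/dashboard?tab=cameras#live',
  'https://nvr.example/settings',
  'javascript:alert(1)',
  ' JavaScript:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<b>x</b>',
  '//other.example/x',
  '\\\\other.example/x',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeRedirectTarget(s, APP_ORIGIN));
}
```

The caller would assign only the returned path to `window.location`, never the raw parameter value.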