#17814 closed Bugs (Fixed)

Cross-Site Scripting in Kodi

Reported by: advidsec
Owned by: Montellese
Priority: 4 - Normal
Component: Web Server / Web Interface / Web API / JSON-RPC
Version: 17.4 "Krypton" final
Severity: Normal
Keywords:
Cc: jez500
Blocked By:
Blocking:
Platform: All

Description

Hello,

In the web interface of Kodi, I can inject JavaScript code by creating a playlist, because the HTML <img> label is not sanitized.

For example, if I create a playlist named:

<img src=x onerror=alert(1)>

I can inject JavaScript code.

Attachments (1)

XSS Kodi.mp4 (392.7 KB) - added by advidsec at 2018-03-19T09:09:30Z.
Video of PoC

Change History (5)

Changed at 2018-03-19T09:09:30Z by advidsec

Video of PoC

comment:1 Changed at 2018-03-20T08:15:45Z by advidsec

Last stable version 17.6 is vulnerable also.

comment:2 Changed at 2018-03-30T13:17:30+01:00 by Rechi

  • Cc jez500 added

comment:3 Changed at 2018-03-30T22:33:39+01:00 by advidsec

Issue solved yet or in future versions of Kodi?

comment:4 Changed at 2018-10-14T09:41:12+01:00 by yol

  • Resolution set to Fixed
  • Status changed from new to closed

Fixed in chorus2 release 2.4.6, to be shipped with Kodi 18.

https://github.com/xbmc/chorus2/pull/338
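
The kind of fix this class of bug calls for, as an added example that is not part of this ticket and is not the chorus2 patch: the playlist name is HTML-encoded at the point where it is written into markup. The function names and the `<li>` markup are hypothetical; the sample name is the one from the report.

```javascript
// Added example: not chorus2 code. Function names and markup are hypothetical.

// Characters that can change the HTML parsing context, mapped to entities.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '`': '&#96;',
};

// Encode untrusted text for element content or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ENTITIES[ch]);
}

// "Before": the playlist name is concatenated into markup as-is.
function renderPlaylistUnsafe(name) {
  return '<li class="playlist" title="' + name + '">' + name + '</li>';
}

// "After": the name is encoded where it is output, for both contexts used.
function renderPlaylistSafe(name) {
  const safe = escapeHtml(name);
  return '<li class="playlist" title="' + safe + '">' + safe + '</li>';
}

// Regression check: count tag-shaped tokens in the rendered string.
// A correctly rendered item has exactly two: <li ...> and </li>.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// Playlist name taken from the report above.
const reportedName = '<img src=x onerror=alert(1)>';

console.log(countTags(renderPlaylistUnsafe(reportedName))); // extra tag present
console.log(countTags(renderPlaylistSafe(reportedName)));   // wrapper tags only
console.log(renderPlaylistSafe(reportedName));
```

In a DOM-based view the same effect comes from assigning the name through `textContent` instead of building an HTML string.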
