Headline

CVE-2022-25229: Popcorn Time 0.4.7 - XSS to RCE | Fluid Attacks

Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)‘’ field via the ‘settings’ page. The ‘nodeIntegration’ configuration is set to on which allows the webpage to use ‘NodeJs’ features, an attacker can leverage this to run OS commands.

2 years ago

CVE

Open in Source

#xss #vulnerability #web #windows #nodejs #js #git #rce

Home
Advisories
Popcorn Time 0.4.7 XSS to RCE

Summary

Name

Popcorn Time 0.4.7 - XSS to RCE

Code name

Bowie

Product

Popcorn Time

Affected versions

Version 0.4.7 (Just Keep Swimming)

State

Public

Release date

2022-05-17

Vulnerability

Kind

XSS to RCE

Rule

010. Stored cross-site scripting (XSS)

Remote

CVSSv3 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

CVSSv3 Base Score

7.7

Exploit available

CVE ID(s)

CVE-2022-25229

Description

Popcorn Time 0.4.7 has a Stored XSS in the Movies API Server(s) field via the settings page. The nodeIntegration configuration is set to on which allows the webpage to use NodeJs features, an attacker can leverage this to run OS commands.

Proof of Concept****Steps to reproduce

Open the Popcorn time application.
Go to settings.
Enable Show advanced settings.
Scroll down to the API Server(s) section.
Insert the following PoC inside the Movies API Server(s) field and click on Check for updates.

a"><script>require('child_process').exec('calc');</script>

Scroll down to the Database section and click on Export database.
The application will create a .zip file with the current configuration.
Send the configuration to the victim.
The victim must go to Settings -> Database and click on Import Database
When the victim restarts the application the XSS will be triggered and will run the calc command.

System Information