Popcorn Time 0.4.7 - XSS to RCE
7,7
High
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Popcorn Time 0.4.7 - XSS to RCE
Code name
State
Public
Release date
17 may 2022
Affected product
Popcorn Time
Affected version(s)
Version 0.4.7 (Just Keep Swimming)
Vulnerability name
XSS to RCE
Vulnerability type
Remotely exploitable
No
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
CVSS v3.1 base score
7.7
Exploit available
No
CVE ID(s)
Description
Popcorn Time 0.4.7 has a Stored XSS in the Movies API Server(s) field via the settings page. The nodeIntegration configuration is set to on which allows the webpage to use NodeJs features, an attacker can leverage this to run OS commands.
Proof of Concept
Steps to reproduce
Open the Popcorn time application.
Go to
settings.Enable
Show advanced settings.Scroll down to the
API Server(s)section.Insert the following PoC inside the
Movies API Server(s)field and click onCheck for updates.Scroll down to the
Databasesection and click onExport database.The application will create a
.zipfile with the current configuration.Send the configuration to the victim.
The victim must go to
Settings -> Databaseand click onImport DatabaseWhen the victim restarts the application the XSS will be triggered and will run the
calccommand.
System Information
Version: Popcorn Time 0.4.7.
Operating System: Windows 10.0.19042 N/A Build 19042.
Installer: Popcorn-Time-0.4.7-win64-Setup.exe
Exploit
There is no exploit for the vulnerability but can be manually exploited.
Mitigation
An updated version of PopcornTime is available at the vendor page.
References
Timeline
IA generativa
26 abr 2022
Vendor Confirmed Vuln.
4 may 2022
Vulnerability patched
7 may 2022
Vendor contacted
26 abr 2022
Public disclosure
17 may 2022
