PT-2022-17168 · Unknown+1 · Popcorn Time+1

Alestorm980 · Published 2022-05-20 · Updated 2022-05-31 · CVE-2022-25229

CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Popcorn Time version 0.4.7

Description

The issue is a Stored XSS in the 'Movies API Server(s)' field on the 'settings' page. The 'nodeIntegration' configuration is set to on, which allows the webpage to use Node.js features. An attacker can leverage this to run OS commands.

Recommendations

For Popcorn Time version 0.4.7, consider disabling the 'nodeIntegration' configuration as a temporary workaround to minimize the risk of exploitation. Restrict access to the 'Movies API Server(s)' field on the settings page until a patch is available. Avoid using the 'settings' page with the 'nodeIntegration' configuration enabled until the issue is resolved.
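The stored-XSS half of the issue can be closed by validating the field before it is saved and encoding it when it is rendered. The sketch below is an added example, not Popcorn Time's code: it assumes the 'Movies API Server(s)' value is a comma-separated list of http(s) URLs, and every function and field name in it is hypothetical.

```javascript
// Constructed example, not Popcorn Time code. Assumption: the setting is a
// comma-separated list of http(s) URLs; all names here are hypothetical.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode characters that could break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Validate the raw setting before storing it. Returns the normalised URLs
// that passed and the entries that were refused.
function parseServerList(raw) {
  const accepted = [];
  const rejected = [];
  const entries = String(raw).split(',').map((s) => s.trim()).filter(Boolean);
  for (const entry of entries) {
    let url;
    try {
      url = new URL(entry);
    } catch {
      rejected.push(entry); // not an absolute URL at all
      continue;
    }
    const hasMarkup = /[<>"'`\s]/.test(entry);
    const hasCredentials = url.username !== '' || url.password !== '';
    if (!ALLOWED_PROTOCOLS.has(url.protocol) || hasMarkup || hasCredentials) {
      rejected.push(entry);
      continue;
    }
    accepted.push(url.href);
  }
  return { accepted, rejected };
}

// Render the settings input from validated data, still encoding on output so
// a value stored before validation existed cannot become markup.
function renderServerInput(raw) {
  const { accepted } = parseServerList(raw);
  return `<input type="text" name="apiServers" value="${escapeHtml(accepted.join(','))}">`;
}

// Constructed sample input: one valid server and one entry carrying markup.
const sample = 'https://api.example.test, "><b>injected</b>';
console.log(parseServerList(sample), renderServerInput(sample));
```

Validation and encoding reduce the injection risk only; the 'nodeIntegration' recommendation above still applies, since it limits what any script running in the page can reach.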

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-25229

Affected Products

Node.js
Popcorn Time