CVE-2021-32772
HIGHPoddycast < 0.8.1 - Remote Code Execution via Malicious Podcast Feed Content
Title source: llmDescription
Poddycast is a podcast app made with Electron. Prior to version 0.8.1, an attacker can create a podcast or episode with malicious characters and execute commands on the client machine. The application does not clean the HTML characters of the podcast information obtained from the Feed, which allows the injection of HTML and JS code (cross-site scripting). Being an application made in electron, cross-site scripting can be scaled to remote code execution, making it possible to execute commands on the machine where the application is running. The vulnerability is patched in Poddycast version 0.8.1.
References (4)
Core 4
Core References
Third Party Advisory x_refsource_confirm
https://github.com/MrChuckomo/poddycast/security/advisories/GHSA-wjmh-9fj2-rqh6
Third Party Advisory x_refsource_misc
https://github.com/MrChuckomo/poddycast/blob/8d31daa5cee04a389ec35f974959ea3fe4638be9/app/js/favorite.js#L4-L14
Third Party Advisory x_refsource_misc
https://github.com/MrChuckomo/poddycast/blob/8d31daa5cee04a389ec35f974959ea3fe4638be9/app/js/feed.js#L285
Third Party Advisory x_refsource_misc
https://github.com/MrChuckomo/poddycast/blob/8d31daa5cee04a389ec35f974959ea3fe4638be9/app/js/helper/helper_entries.js#L80
Scores
CVSS v3
8.8
EPSS
0.0239
EPSS Percentile
81.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
CWE-79
Status
published
Products (1)
electronjs/poddycast
0.8.0
Published
Aug 03, 2021
Tracked Since
Feb 18, 2026