nvd-json-data-feeds/CVE-2021/CVE-2021-327xx/CVE-2021-32772.json

{
  "id": "CVE-2021-32772",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2021-08-03T15:15:08.503",
  "lastModified": "2022-04-25T17:25:25.273",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "Poddycast is a podcast app made with Electron. Prior to version 0.8.1, an attacker can create a podcast or episode with malicious characters and execute commands on the client machine. The application does not clean the HTML characters of the podcast information obtained from the Feed, which allows the injection of HTML and JS code (cross-site scripting). Being an application made in electron, cross-site scripting can be scaled to remote code execution, making it possible to execute commands on the machine where the application is running. The vulnerability is patched in Poddycast version 0.8.1."
    },
    {
      "lang": "es",
      "value": "Poddycast es una aplicaci\u00f3n de podcast hecha con Electron. Anterior a versi\u00f3n 0.8.1, un atacante puede crear un podcast o episodio con caracteres maliciosos y ejecutar comandos en la m\u00e1quina cliente. La aplicaci\u00f3n no limpia los caracteres HTML de la informaci\u00f3n del podcast obtenida del Feed, lo que permite la inyecci\u00f3n de c\u00f3digo HTML y JS (cross-site scripting). Al tratarse de una aplicaci\u00f3n realizada en electron, el ataque de tipo cross-site scripting puede escalar a la ejecuci\u00f3n de c\u00f3digo remota, haciendo posible la ejecuci\u00f3n de comandos en la m\u00e1quina donde se ejecuta la aplicaci\u00f3n. La vulnerabilidad est\u00e1 parcheada en la versi\u00f3n 0.8.1 de Poddycast"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "REQUIRED",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9
      },
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "accessVector": "NETWORK",
          "accessComplexity": "MEDIUM",
          "authentication": "NONE",
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "NONE",
          "baseScore": 4.3
        },
        "baseSeverity": "MEDIUM",
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": true
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ]
    },
    {
      "source": "security-advisories@github.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:electronjs:poddycast:0.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "790DD050-D6E1-43E9-9C5E-980E28B2424E"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/MrChuckomo/poddycast/blob/8d31daa5cee04a389ec35f974959ea3fe4638be9/app/js/favorite.js#L4-L14",
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/MrChuckomo/poddycast/blob/8d31daa5cee04a389ec35f974959ea3fe4638be9/app/js/feed.js#L285",
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/MrChuckomo/poddycast/blob/8d31daa5cee04a389ec35f974959ea3fe4638be9/app/js/helper/helper_entries.js#L80",
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/MrChuckomo/poddycast/security/advisories/GHSA-wjmh-9fj2-rqh6",
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ]
    }
  ]
}