Stored XSS and OS Command Injection in Popcorn Time 0.4.7 via 'Movies API Server(s)' Field
CVE-2022-25229 · MEDIUM Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)' field on the 'settings' page. The 'nodeIntegration' setting is enabled, which lets the rendered web page use Node.js features; an attacker can leverage the XSS to run OS commands.