Stored XSS and OS Command Injection in Popcorn Time 0.4.7 via 'Movies API Server(s)' Field

CVE-2022-25229 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Popcorn Time 0.4.7 has a stored XSS in the 'Movies API Server(s)' field on the 'settings' page. Because the 'nodeIntegration' configuration is enabled, the web page can use Node.js features, so an attacker can leverage the XSS to run OS commands.
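The two defensive controls the advisory implies, as an added example that is not Popcorn Time's code: validate and escape the 'Movies API Server(s)' value before it is stored and rendered, and keep Node integration out of the renderer. The function names and the Electron-style `webPreferences` keys are assumptions, not the project's own.

```javascript
// Added example (not Popcorn Time's code). Field name is from the advisory;
// function names and the webPreferences object are assumptions.

// Validate a user-supplied API server entry before it is stored. The advisory
// shows this value later reaches the settings page as markup, so only accept
// absolute http(s) URLs and rebuild the value from parsed components.
function validateApiServer(input) {
  let url;
  try {
    url = new URL(String(input).trim());
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.username || url.password) return null;
  // origin + pathname: the WHATWG parser percent-encodes '<' and '>' in the
  // path, and anything in the query or fragment is dropped.
  return url.origin + url.pathname;
}

// Escape the HTML-significant characters when a stored value has to be
// interpolated into markup (a template building the settings list, say).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render the stored server list for the settings page. Escaping means a
// payload that was stored in the field is shown as text, not executed.
function renderServerList(servers) {
  return '<ul>' + servers.map((s) => `<li>${escapeHtml(s)}</li>`).join('') + '</ul>';
}

// Renderer window settings that remove the XSS-to-OS-command escalation the
// advisory describes: with nodeIntegration off and contextIsolation on, script
// running in the page has no direct access to Node.js APIs (assumed
// Electron-style option names; Popcorn Time's real config is not on the page).
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
};
```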
