CVE-2021-32772 HIGH

CVE-2021-32772: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in helper_entries

Vendor Mrchuckomo

Product poddycast

Weakness CWE-78

Published August 3, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Poddycast is a podcast app made with Electron. Prior to version 0.8.1, an attacker can create a podcast or episode with malicious characters and execute commands on the client machine. The application does not clean the HTML characters of the podcast information obtained from the Feed, which allows the injection of HTML and JS code (cross-site scripting). Being an application made in electron, cross-site scripting can be scaled to remote code execution, making it possible to execute commands on the machine where the application is running. The vulnerability is patched in Poddycast version 0.8.1.

Key dates

02Disclosure timeline

August 3, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-32772

Related vulnerabilities

CVE-2021-32772: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in helper_entries

01Description

02Disclosure timeline

03References

04Related CVE