Serviio PRO DOM-Based Cross-Site Scripting Vulnerability

A DOM-based cross-site scripting vulnerability has been identified in Serviio PRO version 1.8.0.0, as well as in versions 1.7.1, 1.7.0, and 1.6.1. This vulnerability allows attackers to execute arbitrary HTML and script code by injecting malicious payloads. Exploitation involves crafting URLs with harmful input that is extracted from document.location and sent to document.write() within the mediabrowser component, enabling code execution in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser, potentially leading to cookie theft or other malicious actions.

Reproduction

To reproduce this vulnerability, send a request to the media browser component with a URL that includes a crafted payload. The injected script will be executed as part of the response, demonstrating the cross-site scripting vulnerability.