Iib0011 Omni-Tools Remote Code Execution Vulnerability

A remote code execution vulnerability exists in iib0011 omni-tools version 0.4.0 due to unsafe JSON deserialization. The JSON Stringify tool improperly uses the eval() function to interpret user-supplied text as a JavaScript object. This flaw allows remote attackers to craft malicious strings or JSON files that exploit the comma operator, executing arbitrary code before the JSON is fully parsed. Such exploitation could lead to various client-side attacks, including Cross-Site Scripting (XSS), session hijacking, and data exfiltration, particularly when the malicious payload is entered into the tool's text field or uploaded as a file.

Impact

Exploitation of this vulnerability allows for remote code execution on the client side, potentially leading to Cross-Site Scripting (XSS) attacks, session hijacking, and unauthorized data access or exfiltration.

Reproduction

To reproduce this vulnerability, upload a JSON file or input a string that includes a crafted JavaScript payload exploiting the comma operator into the 'Stringify JSON' tool on the omni-tools website. The tool will then execute the injected code before processing the JSON as intended.