SourceCodester AI Font Matcher Cross-Site Scripting Vulnerability

Vulnerability

A Cross-Site Scripting (XSS) vulnerability has been identified in the SourceCodester AI Font Matcher application, posted on October 10, 2025. This vulnerability allows remote attackers to execute arbitrary JavaScript in the context of the victim's browser. The issue arises in the webfonts API handling, where font family names are not properly sanitized. Attackers can intercept fetch requests to the webfonts endpoint and inject malicious JavaScript payloads through the font family names. This exploitation could lead to theft of session cookies, account hijacking, and unauthorized actions performed on behalf of authenticated users.

Impact

Exploitation of this vulnerability allows for arbitrary JavaScript execution in the victim's browser, exfiltration of non-HttpOnly session cookies, and subsequent account hijacking.

Reproduction

The vulnerability can be reproduced by injecting a fetch hook that intercepts requests to the webfonts API. The hooked fetch function can be programmed to exfiltrate cookies to an external server and return a response that includes a malicious script payload. This can be done by running the application, hooking into the fetch API, and then triggering the font fetching functionality in the user interface.
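The defensive counterpart to the behaviour described above, as an added example that is not the SourceCodester project's code: font family names returned by the webfonts API are treated as untrusted input, validated against the narrow character set a font name needs, and escaped before being placed in markup. The function names and the response shape `{items: [{family}]}` are assumptions, since the advisory does not show the application's own code.

```javascript
// Added example (not the SourceCodester project's code). Function names and
// the response shape {items:[{family}]} are assumptions; the advisory does
// not show the application's code.

// Font family names have a narrow character set, so an allowlist is cheap.
const FONT_FAMILY_RE = /^[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}$/;

function isValidFontFamily(name) {
  return typeof name === "string" && FONT_FAMILY_RE.test(name);
}

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the API value is concatenated straight into markup,
// so whatever the response contains becomes part of the document.
function renderFontOptionUnsafe(family) {
  return `<div class="font" style="font-family:${family}">${family}</div>`;
}

// Hardened form: reject names outside the allowlist, then escape what is
// rendered both as text and as an attribute value.
function renderFontOption(family) {
  if (!isValidFontFamily(family)) return null;
  const safe = escapeHtml(family);
  return `<div class="font" style="font-family:'${safe}'">${safe}</div>`;
}

// Render a whole response, dropping entries that fail validation and
// reporting how many were dropped so the rejection can be logged.
function renderWebfontsResponse(response) {
  const items = Array.isArray(response && response.items) ? response.items : [];
  const rendered = [];
  let rejected = 0;
  for (const item of items) {
    const html = renderFontOption(item && item.family);
    if (html === null) rejected++; else rendered.push(html);
  }
  return { rendered, rejected };
}

// Constructed sample: one benign entry and one a tampered response could carry.
const SAMPLE_RESPONSE = {
  items: [{ family: "Open Sans" }, { family: "Roboto<script>/*constructed*/</script>" }],
};
```

Because the check happens at render time, it also covers the case in the advisory where the response was altered in transit rather than by the upstream API.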

Added: Nov 17, 2025, 4:20 PM
Updated: Nov 17, 2025, 5:32 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 7.6
remediation: 0.0
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.