Lookyloo Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability exists in Lookyloo versions prior to 1.35.3. The issue arises when a user submits a list of URLs for capture, and one of the URLs includes an HTML element. If the capture fails, the error message generated includes the problematic URL, which can trigger the XSS vulnerability. This issue has been addressed in version 1.35.3.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, submit a list of URLs through the Lookyloo web interface, ensuring that one of the URLs contains an HTML element. When the capture fails, the error message will include the URL with the HTML element, triggering the XSS vulnerability.

Remediation

Users are advised to update to Lookyloo version 1.35.3 or later. If the update is not possible, avoid using the multiple captures functionality on the web interface.