Movary Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in Movary, a web application for tracking and rating movies. This issue affects versions through 0.69.0 and arises from inadequate input validation, allowing attackers to inject malicious scripts via the 'categoryDeleted' parameter. The vulnerability has been addressed in version 0.70.0.
Impact
Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious JavaScript that is executed in the context of the user's browser. This could lead to theft of session cookies, unauthorized actions performed on behalf of the user, or the display of misleading content.
Reproduction
To reproduce this vulnerability, navigate to the 'settings/account/locations' page and append the 'categoryDeleted' parameter to the URL with an XSS payload, such as an image tag (with an invalid image source) using an 'onerror' attribute. The injected script will execute, demonstrating the cross-site scripting vulnerability.
Remediation
Users can update to Movary version 0.70.0, which addresses this vulnerability by improving input validation to prevent XSS payloads from being executed.
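The following Python is an added illustration, not Movary's own code: it models the defect class described above (a query parameter echoed into the page as HTML) beside a hardened version that validates and encodes the value, plus a small log-review helper. The notice markup, the allowlist pattern for category names, and the sample URL are assumptions constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed model of a page that confirms deletion of a location category by
# echoing the 'categoryDeleted' query parameter. Not Movary's implementation.

# Assumed allowlist: letters, digits, spaces and a few punctuation marks, max 64 chars.
CATEGORY_RE = re.compile(r"^[\w .,'-]{1,64}$")


def render_notice_vulnerable(category: str) -> str:
    """'Before' shape: the parameter is interpolated into HTML unchanged."""
    return f'<div class="alert">Category {category} was deleted.</div>'


def render_notice_fixed(category: str) -> str:
    """'After' shape: validate against an allowlist, then HTML-encode on output."""
    if not CATEGORY_RE.fullmatch(category):
        # Reject unexpected input outright instead of trying to sanitise it.
        return '<div class="alert">A category was deleted.</div>'
    return f'<div class="alert">Category {html.escape(category, quote=True)} was deleted.</div>'


def notice_from_url(url: str, fixed: bool = True) -> str:
    """Extract categoryDeleted from a request URL the way a controller would."""
    params = parse_qs(urlsplit(url).query)
    category = params.get("categoryDeleted", [""])[0]
    return render_notice_fixed(category) if fixed else render_notice_vulnerable(category)


def looks_like_xss_probe(url: str) -> bool:
    """Log-review helper: flag categoryDeleted values carrying markup or event handlers."""
    params = parse_qs(urlsplit(url).query)
    return any(
        re.search(r"<|>|on\w+\s*=|javascript:", value, re.I)
        for value in params.get("categoryDeleted", [])
    )


if __name__ == "__main__":
    # Constructed sample request against the page named in the reproduction section.
    probe = ("/settings/account/locations?categoryDeleted="
             "%3Cimg%20src%3D%22missing%22%20onerror%3D%22alert(1)%22%3E")
    print(notice_from_url(probe, fixed=False))  # markup reaches the page unchanged
    print(notice_from_url(probe))               # generic notice, nothing reflected
    print(looks_like_xss_probe(probe))          # True
```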
