LocalSend Stored Cross-Site Scripting Vulnerability in Web Share Interface

Vulnerability

A stored cross-site scripting vulnerability has been identified in LocalSend versions through 1.17.0. When a user initiates a 'Share via Link' session, the application launches a local HTTP server to share the selected files. The web interface's client-side logic, located in 'app/assets/web/main.js', contains a function that generates the file list HTML by inserting filenames directly into the DOM without sanitization. The filename is read from the file system and delivered to the page through the 'prepare-download' API endpoint, so an attacker can inject a payload simply by renaming a file to contain HTML, such as an image tag with an error event handler. Once the file is shared, that payload executes in the browser of anyone who opens the shared link.
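To illustrate the rendering flaw described above, here is an added example (not LocalSend's own main.js code): a minimal model of the file-list rendering, with the unsafe interpolation pattern beside an escaping version. The response shape, link path, element layout and function names are assumptions, not taken from the project.

```javascript
// Added example, not LocalSend's code. Models the vulnerable pattern the
// advisory describes (raw filename interpolated into markup) next to a
// hardened version that escapes before rendering.

// Constructed sample, shaped like a file list a 'prepare-download' style
// endpoint might return. The second entry's name carries an image tag with
// an error event handler, the payload class named in the advisory.
const SAMPLE_FILES = [
  { id: "f1", fileName: "report.pdf", size: 1024 },
  { id: "f2", fileName: '<img src=x onerror="x()">', size: 12 },
];

// Vulnerable pattern: the filename goes into the HTML string untouched, so a
// browser parsing the result would create the img element and run its handler.
function renderFileListUnsafe(files) {
  return files
    .map((f) => `<li><a href="/download/${f.id}">${f.fileName}</a></li>`)
    .join("");
}

// Escape the characters that let untrusted text break out of an HTML text
// node or a double/single-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern: every untrusted value is escaped before it reaches the
// markup. In a real page, building elements and assigning textContent is the
// simpler fix, since textContent never parses its input as HTML.
function renderFileListSafe(files) {
  return files
    .map(
      (f) =>
        `<li><a href="/download/${encodeURIComponent(f.id)}">` +
        `${escapeHtml(f.fileName)}</a></li>`
    )
    .join("");
}

// Defender check for a rendered list: no raw tag opener may survive in the
// output once filenames have been escaped.
function containsRawTag(html) {
  return /<img|<script|<svg|<iframe/i.test(html.replace(/^<li>|<\/li>$/g, "")
    .replace(/<li><a href="[^"]*">|<\/a><\/li>/g, ""));
}
```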

Impact

Exploitation of this vulnerability allows stored cross-site scripting: the injected script runs in the browser, and in the origin of the local share server, of any user who opens the shared link.

Reproduction

To reproduce this vulnerability, create a file whose name contains an HTML payload, such as an image tag designed to execute JavaScript. Open the LocalSend application, select that file, and choose the 'Share via Link' option; this starts the local server and shows a link to the shared file. Opening that link in a web browser executes the injected script, demonstrating the cross-site scripting vulnerability.

Remediation

Users can update to LocalSend version 1.17.1 or later, where this vulnerability has been patched.

Added: Jan 30, 2026, 10:19 PM
Updated: Jan 30, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 1.7
exploitability: 5.6
remediation: 0.0
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.