Audiobookshelf Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Audiobookshelf web application, affecting versions through 2.31.0. This vulnerability allows for the execution of arbitrary JavaScript by injecting malicious metadata into library items. Attackers with the ability to modify library content can exploit this issue, executing scripts in the context of users' browsers and potentially hijacking sessions or exfiltrating data. The vulnerability arises because the application’s tooltip component renders text using innerHTML without proper sanitization, enabling the execution of injected scripts.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user’s browser, with the potential to steal sensitive data from localStorage, including access tokens that could grant administrative privileges if the token belongs to an admin user.

Reproduction

To reproduce this vulnerability, an attacker with library modification rights must upload a book with a title containing malicious JavaScript, such as a script designed to steal localStorage tokens. Once the book is added, the attacker or another user must hover over the book cover in the main library view, which triggers the tooltip to display the unsanitized title. This action executes the injected JavaScript in the browser.

Remediation

Users can update to Audiobookshelf version 2.32.0 or later, where this vulnerability has been patched.