advplyr audiobookshelf-app
cpe:2.3:a:audiobookshelf:audiobookshelf:*:*:*:*:*:*:*
- <= 0.11.0-beta
A cross-site scripting (XSS) vulnerability has been identified in the Audiobookshelf mobile application, specifically in versions prior to 0.12.0-beta. This vulnerability allows for the execution of arbitrary JavaScript through malicious library metadata. Attackers with the ability to modify library items or control a malicious podcast RSS feed can inject code that executes in the context of the user's WebView. This could lead to session hijacking, unauthorized access to native device APIs, and data exfiltration.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the user's WebView, with access to session storage, authentication tokens, and native device APIs via Capacitor. This could result in session hijacking, especially if an admin user's token is stolen, and unauthorized access to the user's library data.
To reproduce this vulnerability, an attacker with library management privileges can add a book or podcast title containing malicious JavaScript into the metadata. Once the item is played in the Audiobookshelf mobile app, the injected script will execute after a short delay, taking advantage of the app's scrolling marquee feature to trigger the payload.
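The rendering flaw the advisory describes, as an added example that is not Audiobookshelf's own code: a title marquee built by interpolating untrusted library metadata into HTML, beside a hardened renderer that escapes the fields, a DOM-side variant that uses textContent, and a small audit helper that flags metadata fields containing markup. The element structure, item shape and field names are assumptions for illustration.

```javascript
// Constructed library item whose title carries markup, the kind of value a
// compromised library editor or a malicious podcast RSS feed could supply.
const untrustedItem = {
  title: 'Chapter 1 <script>alert(1)</script>',
  author: 'A. Author',
};

// Escape the characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: metadata is interpolated straight into HTML, so any
// markup in the title becomes live DOM when the marquee is rendered.
function renderMarqueeVulnerable(item) {
  return `<div class="marquee">${item.title} - ${item.author}</div>`;
}

// Hardened pattern: every untrusted field is escaped before interpolation.
function renderMarqueeSafe(item) {
  return `<div class="marquee">${escapeHtml(item.title)} - ${escapeHtml(item.author)}</div>`;
}

// Equivalent when building the marquee from the DOM directly in the WebView:
// assign textContent, never innerHTML, so the string is treated as text only.
function setMarqueeText(element, item) {
  element.textContent = `${item.title} - ${item.author}`;
}

// Audit helper a server-side check could run over stored metadata: returns
// the names of string fields that contain anything resembling an HTML tag.
const TAG_PATTERN = /<\s*\/?\s*[a-z][^>]*>/i;
function findMarkupInMetadata(item) {
  return Object.entries(item)
    .filter(([, value]) => typeof value === 'string' && TAG_PATTERN.test(value))
    .map(([key]) => key);
}
```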
Users can update to Audiobookshelf mobile application version 0.12.0-beta, which addresses this vulnerability.