Vikunja Desktop Electron Wrapper Node Integration Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability in the Vikunja Desktop Electron wrapper, affecting versions from 0.21.0 up to but not including 2.2.0, allows remote code execution. The Electron wrapper enables node integration in the renderer process without context isolation or sandboxing, so any cross-site scripting (XSS) vulnerability in the Vikunja web frontend can be escalated to arbitrary code execution on the user's machine: injected scripts gain direct access to Node.js APIs. The root cause is that the 'BrowserWindow' is created with 'nodeIntegration' set to true while the hardening options 'contextIsolation', 'sandbox', and 'webviewTag' are left unconfigured.
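The misconfiguration described above can be caught before release by checking the BrowserWindow webPreferences against an explicit hardening policy. The following is an added example, not Vikunja's code; the two webPreferences objects are constructed to show the vulnerable shape beside a hardened one, and the preload path is a hypothetical placeholder.

```javascript
// Added example (not Vikunja's code): audit an Electron BrowserWindow
// webPreferences object for the hardening options named in the advisory.
// Runs under plain Node.js; Electron itself is not required, so the check
// can be used in a unit test or a CI lint step over the main-process config.

// Safe values, required explicitly: relying on Electron version defaults is
// fragile, so an option that is left unset is reported as a finding too.
const REQUIRED = {
  nodeIntegration: false,  // renderer must not see Node.js APIs
  contextIsolation: true,  // preload/Electron internals kept apart from page JS
  sandbox: true,           // renderer runs inside the Chromium OS sandbox
  webviewTag: false,       // <webview> can re-enable node integration per tag
};

// Return a list of human-readable findings; an empty list means the
// webPreferences meet the policy above.
function auditWebPreferences(webPreferences = {}) {
  const findings = [];
  for (const [option, safeValue] of Object.entries(REQUIRED)) {
    const actual = webPreferences[option];
    if (actual === undefined) {
      findings.push(`${option} not set explicitly (expected ${safeValue})`);
    } else if (actual !== safeValue) {
      findings.push(`${option} is ${actual} (expected ${safeValue})`);
    }
  }
  return findings;
}

// Shape of the configuration the advisory describes (constructed; not the
// project's actual source): node integration on, nothing else hardened.
const vulnerablePrefs = { nodeIntegration: true };

// Hardened counterpart a reviewer would expect to see instead. Renderer code
// then reaches privileged functionality only through a contextBridge preload.
const hardenedPrefs = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webviewTag: false,
  preload: '/path/to/preload.js', // hypothetical path, not from the advisory
};

console.log('vulnerable:', auditWebPreferences(vulnerablePrefs));
console.log('hardened:', auditWebPreferences(hardenedPrefs));
```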
Impact
The vulnerability lets any XSS vulnerability in the Vikunja web frontend escalate to full remote code execution in the Vikunja Desktop application, with commands running under the user's operating system account.
Reproduction
To reproduce this vulnerability, first ensure that an affected version of Vikunja Desktop (0.21.0 up to but not including 2.2.0) is installed. Then introduce a cross-site scripting vulnerability in the Vikunja web frontend, for example by bypassing sanitization of user-generated content or by manipulating URL parameters. Once the XSS is established, it can be used to execute JavaScript in the victim's Electron renderer, where the enabled node integration exposes Node.js modules and allows arbitrary commands to be run on the machine.
Remediation
Users can upgrade to Vikunja version 2.2.0 or later, where this vulnerability has been fixed. Instructions for updating are available in the Vikunja documentation.