Beets Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Beets, a media library management system, in versions prior to 2.10.0. The issue arises in the bundled web UI, where untrusted metadata fields are rendered using raw template interpolation, so attacker-controlled HTML stored in the library is inserted into the page as active DOM rather than as text. The vulnerability has been patched in version 2.10.0.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's browser, with the potential to exfiltrate data and perform actions as the victim.

Reproduction

The vulnerability can be reproduced by storing HTML payloads in metadata fields such as title, lyrics, or comments. When that metadata is rendered in the web UI, the payload executes as JavaScript. This occurs because the template interpolation used for these fields does not escape HTML, so the injected markup is parsed and the embedded script runs.

Remediation

Users should upgrade to Beets version 2.10.0 or later, where this vulnerability has been fixed. For those still running earlier versions, it is recommended to escape metadata values before rendering and to avoid raw HTML interpolation for untrusted content.
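The following is an added example, not code from the Beets project: a minimal template renderer that places the raw-interpolation pattern described under Reproduction beside the escaped form recommended under Remediation. The placeholder syntax, field names and sample metadata are assumptions made for illustration.

```javascript
// Added example (not beets' own code). Assumed template syntax: {{ field }}.

// The five characters that must be neutralised in HTML text and attribute context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the metadata value is substituted verbatim, so any tag
// it contains becomes live markup once the string is assigned to innerHTML.
function renderRaw(template, fields) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) =>
    name in fields ? String(fields[name]) : "");
}

// Hardened pattern: every interpolated value is escaped, so it can only ever
// be rendered as text, never as elements or attributes.
function renderEscaped(template, fields) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) =>
    name in fields ? escapeHtml(fields[name]) : "");
}

// Constructed sample metadata: a script tag in the title and an inline
// event handler in the comments field.
const ITEM_TEMPLATE =
  '<li class="track">{{ title }} <span class="note">{{ comments }}</span></li>';
const SAMPLE_ITEM = {
  title: "Intro <script>/* constructed sample */</script>",
  comments: 'Nice <b onclick="/* constructed sample */">track</b>',
};

console.log("raw:     " + renderRaw(ITEM_TEMPLATE, SAMPLE_ITEM));
console.log("escaped: " + renderEscaped(ITEM_TEMPLATE, SAMPLE_ITEM));
```

The escaped output still shows the literal text of the stored value to the user, which is the correct behaviour for a metadata field; only its ability to become markup is removed.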

Added: May 4, 2026, 6:27 PM
Updated: May 4, 2026, 6:27 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          0.0
impact          1.7
exploitability  6.7
remediation     0.0
relevance       7.4
threat          1.6
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.