Audiobookshelf Stored Cross-Site Scripting Vulnerability in Login Page

A stored cross-site scripting vulnerability has been identified in Audiobookshelf versions prior to 2.33.0. This issue arises from inadequate sanitization of the 'authLoginCustomMessage' field in the '/api/auth-settings' endpoint. An attacker with administrative rights can inject arbitrary HTML or JavaScript, which is then executed on the login page for all users. Although the exploitation requires user interaction, it allows for the interception of credentials entered in the login form, potentially leading to unauthorized account access.

Impact

Exploitation of this vulnerability allows injected scripts to execute in the context of the user visiting the login page, capturing usernames and passwords entered into the login form. This could result in a complete compromise of the affected user's account.

Reproduction

To reproduce this vulnerability, an authenticated administrator can send a request to the '/api/auth-settings' endpoint with a malicious 'authLoginCustomMessage' payload. Once this message is saved, the injected script will execute for all users who visit the login page.

Remediation

Users are advised to update to Audiobookshelf version 2.33.0 or later.