Aandrew-me ytDownloader DOM-Based Cross-Site Scripting Vulnerability Allowing Remote Code Execution
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in Aandrew-me ytDownloader versions up to 3.20.2. The issue arises in the Error Details Panel component, specifically within the createTextNode function. Untrusted input is inserted into the DOM using innerHTML without encoding or sanitization, so markup contained in that input is rendered and any script it carries executes in the renderer. Because the Electron application, which integrates yt-dlp and ffmpeg for media downloading and processing, is configured to expose Node.js and Electron APIs directly to the renderer, script running in the page can execute arbitrary commands on the local machine with the user's privileges.
Impact
Exploitation of this vulnerability allows for the execution of JavaScript in the Electron renderer, access to Electron and Node.js APIs, execution of arbitrary local commands with the current user's privileges, and potential access to local files or application data.
Reproduction
The vulnerability can be reproduced by causing untrusted input, such as an attacker-controlled URL or the error message returned by a failed metadata retrieval, to be displayed in the Error Details Panel. The application inserts this input into the page without sanitization, so any script it contains is executed.
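The following is an added example, not code from ytDownloader or its maintainer, illustrating the defect class described above and its two layers of mitigation: rendering an error string as text rather than as markup (or HTML-encoding it when markup around it is required), and Electron webPreferences that deny the renderer direct access to Node.js. Function names, the panel object and the sample error string are assumptions constructed for the example; the webPreferences keys are real Electron BrowserWindow options.

```javascript
// Added example (not the project's own code). Names and sample input are constructed.

// UNSAFE pattern of the kind the advisory describes: an untrusted string (a URL or a
// yt-dlp error message) is concatenated into markup, so any tags it contains become
// live DOM nodes when the browser parses the string.
function renderErrorDetailsUnsafe(panel, message) {
  panel.innerHTML = '<pre>' + message + '</pre>';
}

// SAFE: assign the string as text. The value is never parsed as HTML, so '<' and '>'
// stay literal characters. Works with a real DOM element or any object that has a
// textContent property (used below so the example runs outside a browser).
function renderErrorDetailsSafe(panel, message) {
  panel.textContent = String(message);
}

// When markup around the message is genuinely needed, encode the untrusted part before
// concatenating. These five characters are the ones that change meaning in HTML text
// and double- or single-quoted attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
function errorDetailsHtml(message) {
  return '<pre class="error-details">' + escapeHtml(message) + '</pre>';
}

// Defence in depth: with Node integration off, context isolation on and the sandbox
// enabled, a renderer XSS is confined to the page and cannot reach child_process or
// fs. Anything the UI needs from the main process should go through a preload script
// that exposes a minimal API via contextBridge (assumed preload path shown commented).
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  // preload: path.join(__dirname, 'preload.js'),
};

// Self-check on a constructed error string that carries markup and quote characters.
function demo() {
  const untrusted = 'ERROR: cannot fetch <b>metadata</b> for https://example.invalid/?q="1"&x=\'y\'';
  const panel = { innerHTML: '', textContent: '' };
  renderErrorDetailsSafe(panel, untrusted);
  return { text: panel.textContent, html: errorDetailsHtml(untrusted) };
}

// Usage when run directly: node this-file.js
if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The check to add in review is simple: any assignment to `innerHTML`, `outerHTML` or `insertAdjacentHTML` whose right-hand side includes data that did not originate in the application's own source (URLs, filenames, tool output) is a finding, regardless of how the surrounding markup looks.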
Remediation
Users are advised to update to a version that addresses this vulnerability. The maintainer has acknowledged the issue and is working on a fix.
