| Title | stonith404 pingvin-share 1.13.0 DOM-Based XSS, Open Redirect |
|---|---|
| Description | A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Pingvin Share's sign-in auto-redirect functionality. The application improperly trusts a URL parameter (`redirect`) during the sign-in redirect flow. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. |
|---|---|

---

CVSS v3.1 Score Justification

Base Score: 8.2 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

- Attack Vector (AV): Network (N) – The vulnerability is exploitable remotely over the network via a crafted URL.
- Attack Complexity (AC): Low (L) – The attack does not require complex conditions; the vulnerable code path is easily reached. The attacker only needs to know the correct parameter name (`redirect`).
- Privileges Required (PR): None (N) – The attacker does not need any privileges to craft a malicious link.
- User Interaction (UI): Required (R) – The victim must click on the attacker's malicious link.
- Scope (S): Changed (C) – The vulnerable component is the client-side code, but the impact (executing arbitrary script) affects the user's browser session and the data accessible within the application's security context.
- Confidentiality (C): High (H) – Successful exploitation could lead to complete loss of confidentiality. An attacker can call authenticated API endpoints and access sensitive data and other information stored in the browser's context.
- Integrity (I): Low (L) – An attacker could potentially modify some data or perform actions on behalf of the user.
- Availability (A): None (N) – The attack does not directly impact the availability of the application or its data.

---

Note to moderator: The vendor was notified on March 8, 2026 with a 45-day disclosure deadline of Apr. 22, 2026. Vendor responded promptly with "I’m not maintaining Pingvin Share anymore and therefore the project is archived." After a bit of back and forth, the absence of activity on the GitHub project, and the expiry of the disclosure deadline, I have decided to proceed with public disclosure. It is reasonable that users self-hosting the product are unaware of the vulnerability. Let me know if you require screenshots/evidence of the CVD email chain (I am unable to upload private documents).

CVD: https://gist.github.com/TrebledJ/0efceef4f3a2e0515cc2fe96b4c22679
Vendor: https://github.com/stonith404/
Product: https://github.com/stonith404/pingvin-share
Similar VDB Entries: VDB-358037, VDB-356245
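The root cause described above is a redirect target taken verbatim from the `redirect` query parameter. The check below is an added example written for this entry, not code from Pingvin Share: it accepts only absolute paths on the application's own origin, rejecting `javascript:` and other scheme URLs, absolute URLs to other hosts, and the protocol-relative `//host` and `/\host` forms, and it normalises the path before use. The function name `safeRedirectTarget`, the placeholder base origin, and the `string | string[] | undefined` input type (the shape of a Next.js query value) are assumptions.

```typescript
// Added example (not Pingvin Share's code): a defensive validator for a
// user-supplied post-sign-in redirect target. Whatever the `redirect`
// query parameter contains, the browser is only ever sent to a path on this
// origin, never to another host and never to a javascript: (or any other
// scheme) URL.

// Placeholder base used only to resolve and normalise the candidate path.
// ".invalid" is a reserved TLD and never resolves.
const PLACEHOLDER_BASE = "http://placeholder.invalid";
const PLACEHOLDER_ORIGIN = new URL(PLACEHOLDER_BASE).origin;

// Parse `candidate` relative to the placeholder origin; null if unparsable.
function resolveAgainstPlaceholder(candidate: string): URL | null {
  try {
    return new URL(candidate, PLACEHOLDER_BASE);
  } catch {
    return null;
  }
}

// `raw` has the shape of a Next.js query value (string | string[] | undefined);
// that type is an assumption about how the parameter arrives, not project code.
function safeRedirectTarget(
  raw: string | string[] | undefined,
  fallback: string = "/",
): string {
  if (typeof raw !== "string") return fallback; // missing or repeated parameter
  const candidate = raw.trim();
  if (candidate.length === 0) return fallback;

  // Control characters (tab, newline, ...) are used to disguise schemes;
  // a legitimate path never contains them.
  if (/[\u0000-\u001F\u007F]/.test(candidate)) return fallback;

  // Require an absolute path on this origin: a leading "/" rules out every
  // scheme (javascript:, data:, https:), and the second character must not
  // be "/" or "\" because browsers treat "//host" and "/\host" as
  // protocol-relative URLs pointing at another host.
  if (candidate[0] !== "/") return fallback;
  if (candidate[1] === "/" || candidate[1] === "\\") return fallback;

  // Belt and braces: resolve against the placeholder origin and confirm the
  // origin did not change. This also normalises "/../" segments.
  const resolved = resolveAgainstPlaceholder(candidate);
  if (resolved === null || resolved.origin !== PLACEHOLDER_ORIGIN) return fallback;

  // Hand back only path, query and fragment; scheme and host are never
  // taken from user input.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Sketch of a call site in a getServerSideProps handler (hypothetical):
//   const target = safeRedirectTarget(context.query.redirect);
//   return { redirect: { destination: target, permanent: false } };
// Assigning `target` to window.location on the client is equally safe,
// since it can only ever be a same-origin path.
```

Returning the re-serialised path rather than the original string matters: the validator then decides both whether to redirect and what the redirect is, so a later change in how the browser or framework interprets odd input cannot reintroduce the off-origin case.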
| Source | https://gist.github.com/TrebledJ/0efceef4f3a2e0515cc2fe96b4c22679 |
|---|---|
| User | trebledj (UID 94356) |
|---|---|
| Submitted | 2026-04-27 19:45 (1 month ago) |
|---|---|
| Moderated | 2026-05-25 21:10 (28 days later) |
|---|---|
| Status | Accepted |
|---|---|
| VulDB Entry | 365539 [stonith404 pingvin-share up to 1.13.0 Sign-in Auto-Redirect signIn.tsx getServerSideProps redirect cross site scripting] |
|---|---|
| Points | 20 |
|---|---|