
Stored XSS and OS Command Injection in Popcorn Time 0.4.7 via 'Movies API Server(s)' Field

CVE-2022-25229 · MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-25229

Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)' field via the 'settings' page. Because the 'nodeIntegration' configuration is set to on, the 'webpage' is allowed to use 'NodeJs' features, and an attacker can leverage this to run OS commands.
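
One way to close the stored-XSS half of this issue, shown as an added example that is not Popcorn Time's own code: validate the 'Movies API Server(s)' value before it is saved and escape it before it is rendered. The function names, the comma separator between servers and the sample hosts are assumptions.

```javascript
// Added example: hypothetical helpers, not taken from the Popcorn Time source.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Parse the settings value into normalized server URLs.
// Assumption: multiple servers are separated by commas.
function parseApiServers(raw) {
  const accepted = [];
  const rejected = [];
  const entries = String(raw).split(',').map((s) => s.trim()).filter(Boolean);
  for (const entry of entries) {
    let url;
    try {
      url = new URL(entry); // throws on anything that is not an absolute URL
    } catch (err) {
      rejected.push(entry);
      continue;
    }
    // Reject non-web schemes, embedded credentials and raw markup characters.
    const ok = ALLOWED_PROTOCOLS.has(url.protocol) &&
      url.username === '' && url.password === '' &&
      !/[<>"'`\s]/.test(entry);
    if (ok) {
      accepted.push(url.href);
    } else {
      rejected.push(entry);
    }
  }
  return { accepted, rejected };
}

// Escape a stored value before placing it into HTML, so that a value saved
// before validation existed is still rendered as text, not markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample input: one valid server and three values that must not be stored.
const sample = 'https://api.example.test/, "><img src=x onerror=alert(1)>, ' +
  'javascript:alert(1), https://user:pw@api.example.test/';
const result = parseApiServers(sample);
console.log('accepted:', result.accepted);
console.log('rejected (escaped for display):', result.rejected.map(escapeHtml));
```

Validation and escaping are both needed: with 'nodeIntegration' on, any script that reaches the settings page gains the 'NodeJs' features the advisory describes.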
