beets_XSS_01 Vulnerability Report: We discovered a XSS vulnerability in the beets project
Hello, I have recently spent some time understanding this project. While analyzing the code logic, I found one area that may lead to unintended behavior under specific conditions. With the project's security in mind, I would like to share the analysis results with your team to see whether this may indicate a potential security risk.
Overview
- Verified Version:
80cd21554124da07d17a4f962c7d770a4f70d0f2
- Vulnerability Type: Stored XSS
- Affected Location:
beetsplug/web/templates/index.html:42
- Trigger Scenario: Metadata fields such as
title, lyrics, or comments are rendered with raw template interpolation and inserted into DOM via .html(...).
Root Cause
The bundled web UI uses Underscore template interpolation mode <%= ... %> for untrusted metadata fields. In this runtime, <%= ... %> is raw insertion and HTML escaping is only performed by <%- ... %>. Rendered output is then inserted with .html(...), allowing attacker-controlled markup to become active DOM.
Source-to-Sink Chain
- Source (attacker-controlled input)
- Item metadata values (for example
title, lyrics, comments) can contain attacker HTML payload.
- Data flow
- Templates in
beetsplug/web/templates/index.html:42-46,87-91 render metadata with <%= ... %>.
- Underscore runtime defines
<%= ... %> as raw interpolation (beetsplug/web/static/underscore.js:890-907).
- Sink (security-sensitive action)
- Frontend inserts rendered template output into DOM via
$(this.el).html(this.template(this.model.toJSON())); in beetsplug/web/static/beets.js:182,208,220.
Exploitation Preconditions
- Victim opens the web UI page that renders attacker-controlled metadata.
- Metadata includes executable HTML/JS payload.
Risk
Stored payload executes in the web UI context and can perform actions available to that origin.
Impact
Attacker can run arbitrary JavaScript in the victim browser, exfiltrate viewable data, and perform UI-driven actions as the victim session.
Remediation
- Replace raw interpolation
<%= ... %> with escaped output <%- ... %> for untrusted fields.
- Avoid
.html(...) for untrusted template output; use text-safe rendering.
- Sanitize metadata values on ingest and before rendering, including attribute contexts.
beets_XSS_01 Vulnerability Report: We discovered a XSS vulnerability in the beets project
Hello, I have recently spent some time understanding this project. While analyzing the code logic, I found one area that may lead to unintended behavior under specific conditions. With the project's security in mind, I would like to share the analysis results with your team to see whether this may indicate a potential security risk.
Overview
80cd21554124da07d17a4f962c7d770a4f70d0f2beetsplug/web/templates/index.html:42title,lyrics, orcommentsare rendered with raw template interpolation and inserted into DOM via.html(...).Root Cause
The bundled web UI uses Underscore template interpolation mode
<%= ... %>for untrusted metadata fields. In this runtime,<%= ... %>is raw insertion and HTML escaping is only performed by<%- ... %>. Rendered output is then inserted with.html(...), allowing attacker-controlled markup to become active DOM.Source-to-Sink Chain
title,lyrics,comments) can contain attacker HTML payload.beetsplug/web/templates/index.html:42-46,87-91render metadata with<%= ... %>.<%= ... %>as raw interpolation (beetsplug/web/static/underscore.js:890-907).$(this.el).html(this.template(this.model.toJSON()));inbeetsplug/web/static/beets.js:182,208,220.Exploitation Preconditions
Risk
Stored payload executes in the web UI context and can perform actions available to that origin.
Impact
Attacker can run arbitrary JavaScript in the victim browser, exfiltrate viewable data, and perform UI-driven actions as the victim session.
Remediation
<%= ... %>with escaped output<%- ... %>for untrusted fields..html(...)for untrusted template output; use text-safe rendering.