Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in the Audiobookshelf application, specifically on the Login Page. It occurs because the application does not properly sanitize the authLoginCustomMessage field in the /api/auth-settings endpoint.

An attacker who has administrative privileges can inject arbitrary HTML or JavaScript code into this field. This malicious code is then rendered on the login page for all users, potentially allowing the attacker to execute scripts in the context of users' browsers.

Useful 0 Not Useful 0

Impact Analysis

If exploited, this vulnerability can allow an attacker to capture credentials entered by users on the login page, including plaintext usernames and passwords before they are sent to the server.

Since the injected malicious script runs in the context of the login page, it can intercept sensitive information, leading to potential account compromise.

However, exploitation requires that the attacker first has administrative privileges to inject the malicious code, and user interaction is needed for the attack to succeed.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the audiobookshelf instance is running a version prior to 2.33.0 and if the authLoginCustomMessage field in the /api/auth-settings endpoint contains unsanitized HTML or JavaScript code.

Since the vulnerability involves stored cross-site scripting via the authLoginCustomMessage field, you can inspect the login page source code for unexpected or suspicious scripts or HTML injected through this field.

To detect this on your system, you can use API calls or curl commands to retrieve the current authLoginCustomMessage setting and examine its content.

• Use a curl command to fetch the auth settings (authentication required): curl -X GET -H "Authorization: Bearer <admin_token>" https://<audiobookshelf_url>/api/auth-settings
• Inspect the authLoginCustomMessage field in the response for any suspicious HTML or JavaScript code.

Additionally, monitoring network traffic for unexpected scripts loading on the login page or using web vulnerability scanners that detect stored XSS can help identify exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective mitigation step is to upgrade the audiobookshelf application to version 2.33.0 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, restrict administrative access to trusted users only, as exploitation requires administrative privileges to inject malicious code.

Review and sanitize the authLoginCustomMessage field in the /api/auth-settings endpoint to remove any injected HTML or JavaScript code.

Monitor login pages for suspicious scripts and educate users about the risk of entering credentials on potentially compromised login pages.

Useful 0 Not Useful 0

Compliance Impact

The stored cross-site scripting (XSS) vulnerability in Audiobookshelf allows an attacker with administrative privileges to inject malicious scripts on the login page, potentially capturing plaintext usernames and passwords entered by users.

This exposure of user credentials could lead to unauthorized access to personal data, which may result in non-compliance with data protection regulations such as GDPR and HIPAA that require safeguarding user information and preventing unauthorized disclosure.

Therefore, if exploited, this vulnerability poses confidentiality risks that could impact compliance with these common standards and regulations.

Useful 0 Not Useful 0