CVE-2023-47623: 
JavaScript vulnerability analysis and mitigation

Scrypted, a home video integration and automation platform, was found to contain a reflected cross-site scripting (XSS) vulnerability in versions 0.55.0 and prior. The vulnerability exists in the login page via the redirect_uri parameter, which allows an attacker to execute arbitrary JavaScript code after login by specifying a URL with the javascript scheme (GitHub Security Lab, NVD).

The vulnerability is caused by improper validation of the redirect_uri parameter in the login page. When processing the redirect after login, the application directly assigns the redirect_uri parameter value to window.location without proper sanitization. The vulnerability can be triggered by specifying a URL with the javascript: scheme, which leads to arbitrary JavaScript execution in the context of the authenticated user's session. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability could allow attackers to execute arbitrary JavaScript code in the context of an authenticated user's session. In the worst-case scenario, an attacker could potentially impersonate an administrator and run arbitrary commands, leading to remote code execution on the affected system (GitHub Security Lab).

As of the time of publication, no known patches are available for this vulnerability (NVD). Users should exercise caution when clicking on links to the Scrypted login page, especially those containing redirect_uri parameters.