GHSA-w4hv-vmv9-hgcr: 
JavaScript vulnerability analysis and mitigation

Two reflected Cross-Site Scripting (XSS) vulnerabilities were discovered in Scrypted, a home video integration and automation platform, affecting versions up to and including v0.55.0. The vulnerabilities were identified by GitHub Security Lab team member Kevin Stubbings and assigned GHSL-2023-218 and GHSL-2023-219, with corresponding CVE identifiers CVE-2023-47620 and CVE-2023-47623. The issues were disclosed on October 13, 2023, and affect the @scrypted/core package (versions <= 0.1.142) and @scrypted/server package (versions <= 0.56.0) (GitHub Advisory).

The first vulnerability (GHSL-2023-218) exists in plugin-http.ts where the 'owner' and 'pkg' parameters are reflected back in the response when an endpoint is not found, enabling a reflected XSS attack. The second vulnerability (GHSL-2023-219) is present in the login page via the 'redirect_uri' parameter, where specifying a URL with the javascript scheme allows arbitrary JavaScript code execution after login. Both vulnerabilities have been assigned a CVSS v3.1 base score of 8.4 (High) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H (GitHub Advisory).

The vulnerabilities could allow attackers to impersonate any user who clicks on specially crafted links. In the worst-case scenario, an attacker may be able to impersonate an administrator and execute arbitrary commands, potentially leading to Remote Code Execution (RCE). The vulnerabilities affect both confidentiality and integrity of the system with high severity ratings (GitHub Advisory).

For GHSL-2023-218, it is recommended to ensure parameters are not reflected back in the response and set the Content-Type to text/plain for error responses where HTML is unnecessary. For GHSL-2023-219, user-controlled data should not be placed into the DOM, and the redirect_uri parameter should be validated to only allow redirects to the current domain. As of the time of publication, no official patches are available (GitHub Advisory).