ciubotaru share-on-diaspora new_window.php cross site scripting
Description
A vulnerability classified as problematic was found in ciubotaru share-on-diaspora 0.7.9. This vulnerability affects unknown code of the file new_window.php. The manipulation of the argument title/url leads to cross site scripting. The attack can be initiated remotely. The name of the patch is fb6fae2f8a9b146471450b5b0281046a17d1ac8d. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-220204.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in share-on-diaspora 0.7.9 via title/url parameters in new_window.php allows remote attackers to inject arbitrary web script.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in new_window.php of ciubotaru/share-on-diaspora version 0.7.9. The title and url parameters are directly concatenated into innerHTML assignments without sanitization, allowing injection of arbitrary HTML and JavaScript. The vulnerable code is in the redirect() function where document.getElementsByTagName('body')[0].innerHTML and document.getElementById("shareurl").innerHTML are set with unsanitized user input [1].
Exploitation
An attacker can craft a malicious URL containing a JavaScript payload in the title or url query parameters. The attack is remotely exploitable and requires no authentication. The victim must be tricked into clicking the crafted link or visiting a page that triggers the vulnerable code path. When the redirect() function executes, the payload is rendered in the victim's browser, leading to script execution [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to theft of sensitive data (e.g., cookies, session tokens), defacement, or actions performed on behalf of the victim within the application's domain.
Mitigation
The vulnerability is fixed in commit fb6fae2f8a9b146471450b5b0281046a17d1ac8d [1]. The patch introduces an escapeHtml() function that sanitizes the title, url, and localStorage["lastPod"] values before insertion into the DOM. Users should apply the patch or update to a version that includes this fix. No workarounds are documented.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2= 0.7.9+ 1 more
- (no CPE)range: = 0.7.9
- (no CPE)range: 0.7.9
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/ciubotaru/share-on-diaspora/commit/fb6fae2f8a9b146471450b5b0281046a17d1ac8dmitrepatch
- vuldb.commitresignaturepermissions-required
- vuldb.commitrevdb-entrytechnical-description
News mentions
0No linked articles in our index yet.