VYPR
Severity: Unrated (NVD advisory) · Published Oct 1, 2021 · Updated Aug 4, 2024

CVE-2021-40927

Description

Cross-site scripting (XSS) vulnerability in callback.php in Spotify-for-Alfred 0.13.9 and below allows remote attackers to inject arbitrary web script or HTML via the error parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting (XSS) in callback.php of Spotify-for-Alfred ≤0.13.9 allows remote attackers to inject arbitrary web script via the error parameter.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in callback.php of Spotify-for-Alfred version 0.13.9 and earlier [1]. The script writes the user-supplied error query parameter straight into the HTML response without any sanitization or output encoding, as shown in the quoted snippet: <?php print $_GET['error']; ?> [2]. Any markup or script in that parameter is therefore rendered by the browser as part of the page.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing a JavaScript payload in the error parameter, such as http://example.com/Spotify-for-Alfred/callback.php?error= [2]. The attacker then needs to induce a victim into visiting this URL, for example via a phishing link or by embedding it in a web page. No authentication or special privileges are required; the attack is purely client-side and depends on user interaction.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to unauthorized actions, theft of session cookies, access to sensitive data, or denial of service [2]. The impact is limited to the browser session and does not directly affect the server or other users.

Mitigation

As of the latest available information, no official patch has been released for this vulnerability. The project appears to be unmaintained, with the latest version (0.13.9) still containing the flaw [1]. Users are advised to avoid using the affected workflow or to manually sanitize the error parameter in callback.php by applying output encoding (e.g., htmlspecialchars() in PHP) before rendering. No workaround is provided by the vendor.
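The following is an added illustration of the mitigation described above, not code from the Spotify-for-Alfred project: the one-line sink the advisory quotes is shown beside an output-encoded replacement, with a small self-check. Everything other than print $_GET['error'] (the function names, the surrounding <p> markup, and the sample input) is constructed here for illustration.

```php
<?php
// Added example (not the project's own code): the vulnerable echo from the
// advisory next to a hardened version that HTML-encodes the parameter.

declare(strict_types=1);

// Vulnerable form, equivalent to the quoted `print $_GET['error'];`: the query
// parameter is copied into the HTML response byte-for-byte, so any tags in it
// become live markup in the victim's browser.
function renderErrorVulnerable(array $query): string
{
    return '<p class="error">' . ($query['error'] ?? '') . '</p>';
}

// Hardened form: encode the value for the HTML context it is printed into.
// ENT_QUOTES also encodes ' and ", so the result is safe inside attribute
// values as well as text nodes; the explicit charset prevents mis-decoding
// of multi-byte input that could otherwise smuggle a '<' past the encoder.
function renderErrorSafe(array $query): string
{
    $error = (string) ($query['error'] ?? '');
    $encoded = htmlspecialchars($error, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p class="error">' . $encoded . '</p>';
}

// Regression check a maintainer can keep: no raw '<' from the input may
// survive into the page, and the text must decode back to the original
// string (i.e. encoding changed presentation, not meaning).
function encodingIsSound(string $html, string $raw): bool
{
    $bodyText = strip_tags($html);
    return strpos($html, '<' . ltrim($raw, '<')) === false
        && html_entity_decode($bodyText, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $raw;
}

// Constructed sample input standing in for $_GET; a benign tag is enough to
// show whether user input survives as markup or as inert text.
$sample = ['error' => 'access_denied<b>not-a-tag?</b>'];

echo "vulnerable: " . renderErrorVulnerable($sample) . PHP_EOL;
echo "hardened:   " . renderErrorSafe($sample) . PHP_EOL;
echo "check:      " . (encodingIsSound(renderErrorSafe($sample), $sample['error']) ? 'ok' : 'FAIL') . PHP_EOL;
```

Run it with php from the command line: the first line shows the <b> tag intact inside the response, the second shows it as &lt;b&gt;, and the check passes. In the real callback.php the same encoding should be applied at the point of output, and the response should declare the charset it was encoded for (text/html; charset=UTF-8) so the browser and the encoder agree on what the bytes mean.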

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)