Overview
In js/activity.js, the built-in plugin loader prompts the user for a plugin name and interpolates the returned string directly into the path of the configuration file it fetches (plugins/[name].json). The value comes straight from the prompt() dialog; the only processing applied is trim() and toLowerCase(), neither of which removes path separators or dot segments, so an attacker or malicious script that controls the prompt input can attempt directory traversal.
The reachable impact is constrained by the fixed .json suffix and by the server's routing rules, but an input such as ../../sensitive-file makes the application request a path outside the intended plugins/ directory, which may result in unexpected file reads or information disclosure depending on how the server is configured.
Where it happens
File: js/activity.js
this._doOpenPlugin = () => {
    // User-controlled string, returned verbatim by the browser dialog.
    const name = prompt("Enter the name of a built-in plugin...");
    // ...
    // trim()/toLowerCase() do not strip "/" or "..", so the value is used as-is in plugins/[name].json.
    this._loadBuiltInPlugin(name.trim().toLowerCase());
};
The Impact
If a user is tricked into pasting a malicious string (or an attacker finds a way to drive the prompt programmatically), the application requests a path outside the intended /plugins/ directory. Two caveats bound what is reachable. First, fetch() resolves the relative path against the page URL before the request is sent, so literal ../ segments are collapsed by the browser and cannot climb above the site root; an encoded form such as ..%2F..%2F reaches the server unchanged, and whether it traverses then depends on whether the server decodes it before resolving the path. Second, the .json suffix is always appended, so only files the server is willing to serve under such a name can be fetched. Within those limits, the traversal could expose files that were never meant to be fetched by this code path, reveal hints about the application's real directory structure, or, if a very large file is reachable, tie up the client with an oversized response.
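The following is an added example, not code from the reported project: it reproduces the unsafe path construction described above, places a hardened version beside it that only accepts a plain plugin identifier, and uses the URL parser to show what the browser would actually send for a literal and for a percent-encoded traversal string. The base URL, the sample inputs and the allowed-name pattern are all assumptions made for the illustration.

```javascript
// Added example (not the project's own code). BASE is a hypothetical page URL.
const BASE = "https://example.invalid/app/index.html";

// Mirrors the reported behaviour: the prompt value is trimmed, lowercased and
// interpolated straight into the fetch path. Nothing here removes "/" or "..".
function unsafePluginPath(name) {
  return "plugins/" + name.trim().toLowerCase() + ".json";
}

// Hardened version: accept only a plain identifier. Slashes, dots and "%" are
// not in the character class, so "..", "../" and "%2e%2e" are rejected before
// any path is built. The exact pattern is an assumption; tighten it further
// (or check against the known list of built-in plugins) if the project allows.
const PLUGIN_NAME = /^[a-z0-9][a-z0-9_-]{0,63}$/;

function safePluginPath(name) {
  const n = String(name).trim().toLowerCase();
  if (!PLUGIN_NAME.test(n)) {
    throw new Error("invalid plugin name");
  }
  return "plugins/" + n + ".json";
}

// What the browser actually requests: fetch() resolves the relative path
// against the page URL and removes literal dot segments before sending.
// Percent-encoded "%2f" is left alone, so that form reaches the server as-is.
function resolvedRequestPath(relPath) {
  return new URL(relPath, BASE).pathname;
}

// Constructed inputs for the demonstration (not taken from a real report).
const SAMPLES = [
  "turtle",
  "../../sensitive-file",
  "..%2F..%2Fsensitive-file",
];

// Returns one row per sample: the path the unsafe code would request after
// browser normalisation, and whether the hardened check accepts the input.
function demo() {
  const rows = [];
  for (const input of SAMPLES) {
    let safe;
    try {
      safe = safePluginPath(input);
    } catch (e) {
      safe = "REJECTED";
    }
    rows.push({ input, unsafe: resolvedRequestPath(unsafePluginPath(input)), safe });
  }
  return rows;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Note that toLowerCase() turns "%2F" into "%2f" but does nothing else to the traversal string; it is not a sanitiser, and the hardened check must run on the value that is actually used to build the path.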