There is a stored XSS vulnerability in Rambox 0.6.9 due to unsanitized parameters in the name field when a user is adding a service. Since Rambox runs on Node.js, this allows OS commands to be injected into an `<a>` or `<img>` tag.
Note: This code has only been tested on macOS and may need to be reconfigured for other operating systems.
The exploit code will create a service (using Discord as a base). The shell requires that the system has `mkfifo` on it. You can of course swap out the payload for whatever you want.
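For the unsanitized name field described above, the following added example (not Rambox source code and not part of the original write-up) contrasts rendering a stored service name as markup with rendering it as escaped text, and adds a check that flags stored names carrying tags or inline handlers. All function names, the `service-title` class and the sample data are hypothetical.

```javascript
// Added example: names and structure are hypothetical, not Rambox source code.

// Vulnerable pattern: the stored service name is concatenated into markup,
// so any tag it contains is parsed as HTML when the title is drawn.
function renderTitleUnsafe(name) {
  return '<span class="service-title">' + name + '</span>';
}

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: the name is always treated as text, never as markup.
function renderTitleSafe(name) {
  return '<span class="service-title">' + escapeHtml(name) + '</span>';
}

// Audit helper: return the ids of already-stored services whose names look
// like markup (a tag, an inline event handler, or a javascript: URL).
const SUSPICIOUS = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript:/i;
function findSuspiciousNames(services) {
  return services.filter((s) => SUSPICIOUS.test(String(s.name))).map((s) => s.id);
}

// Constructed sample data (not taken from a real installation).
const SAMPLE_SERVICES = [
  { id: 1, name: 'Work Discord' },
  { id: 2, name: '<img src=x onerror="/* handler would run here */">' },
  { id: 3, name: 'R&D / Ops' },
  { id: 4, name: '<a href="javascript:void(0)">click</a>' },
];

console.log(renderTitleUnsafe(SAMPLE_SERVICES[1].name)); // tag survives intact
console.log(renderTitleSafe(SAMPLE_SERVICES[1].name));   // tag is inert text
console.log(findSuspiciousNames(SAMPLE_SERVICES));
```

Escaping at render time closes the injection point; the audit helper is only a review aid for names that were stored before the fix and should not be relied on as a filter.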