漏洞平台

POC详情： bdb52238b3375824211aa225226d2690215c7799

来源

https://github.com/fdzdev/CVE-2024-33231

关联漏洞

标题： Ferozo Email 安全漏洞 (CVE-2024-33231)
描述：Ferozo Email是Ferozo公司的一个强大而简单的托管面板。 Ferozo Email 1.1版本存在安全漏洞，该漏洞源于容易受到跨站脚本攻击，本地攻击者可以通过精心设计的有效载荷对PDF预览组件执行任意代码。

描述

XSS Vulnerability via File Upload in Ferozo Webmail Application

介绍

# Ferozo Webmail XSS Vulnerability via File Upload (CVE-2024-33231)

## Description
Ferozo Webmail version `1.1` is vulnerable to Cross-Site Scripting (XSS) through the file upload functionality. An attacker can exploit this vulnerability by uploading a specially crafted file containing malicious JavaScript code. When the file is processed or viewed within the application, the embedded script executes within the victim's session, potentially leading to:

- **Session Hijacking**
- **Unauthorized Actions**
- **Theft of Sensitive Information**

This vulnerability arises due to insufficient sanitization and validation of file metadata and content during the upload process, allowing malicious users to inject unauthorized scripts and compromise the security of the webmail platform.

## Attack Complexity
- **Low**

## Privileges Required
- **Low** (An authenticated user is required to upload a file.)

## User Interaction
- **Required** (A user or administrator must interact with or open the uploaded file.)

## Affected Components
- **File Upload Feature**: The vulnerability lies in the file upload functionality, where improper sanitization and validation lead to the execution of malicious JavaScript code in the browser of any user interacting with the uploaded file.

## Impact
- **Unauthorized Script Execution**: The XSS vulnerability allows the execution of malicious JavaScript code within the user's session.
- **Session Hijacking & Credential Theft**: Attackers can hijack user sessions, steal sensitive information, or perform unauthorized actions under the victim’s session.

## Remediation
- **Input Validation & Sanitization**: Properly validate and sanitize all file metadata and content during the upload process.
- **Restrict File Types**: Limit the types of files that can be uploaded to prevent the execution of embedded scripts.
- **Security Measures**: Implement additional security controls to ensure that uploaded files are properly handled and do not execute unauthorized scripts.

---

**CVE-2024-33231**  
*Reported by [Facundo Fernandez / Security Researcher]*

文件快照


 [4.0K]  /data/pocs/bdb52238b3375824211aa225226d2690215c7799
└── [2.1K]  README.md

0 directories, 1 file

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。