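Related vulnerability
Title:
E-Staff security vulnerability
(CVE-2024-40324)
Description: E-Staff is a reliable recruitment tool from the Russian company E-Staff, a modern integrated solution for recruiting on a server or in the cloud, with broad integration capabilities with any system and service. E-Staff version 5.1 contains a security vulnerability. An attacker can exploit it to insert carriage return and line feed characters into fields, causing HTTP response splitting and header manipulation.
Introduction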
# CVE-2024-40324
## Description
A CRLF injection vulnerability in E-Staff v5.1 allows attackers to insert Carriage Return (CR) and Line Feed (LF) characters into input fields, leading to HTTP response splitting and header manipulation.
## Vulnerability Type
CRLF
## Vendor of Product
E-Staff
## Affected Product Code Base
E-Staff 5.1
## Affected Component
HTTP headers
## Attack Type
Remote
## Impact Code execution
Potential for arbitrary header injection, cache poisoning, session hijacking, cross-site scripting (XSS), and other exploits.
## Discoverer
- Aleksey Vistorobskiy
## Attack Vectors
An attacker can insert CRLF characters into input fields, manipulating HTTP headers. For example, injecting CRLF into HTTP headers can result in HTTP response splitting.
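The pattern described above, as an added example that is not code from E-Staff or from the original advisory: a value concatenated into a response header, the same writer with a CR/LF check, and a helper for spotting encoded line breaks in request logs. The redirect handler, the function names and the sample values are hypothetical and constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample: a redirect target as it might arrive in a query string.
SAMPLE_ENCODED = "/home%0d%0aX-Injected: 1"


def naive_response(location):
    """Vulnerable pattern: caller-supplied text concatenated into a header."""
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode()


def safe_response(location):
    """Hardened pattern: reject CR or LF at the point the header is written."""
    if "\r" in location or "\n" in location:
        raise ValueError("CR/LF in header value")
    return naive_response(location)


def header_lines(raw):
    """Return the header lines a client would parse from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    return head.split("\r\n")[1:]  # drop the status line


def contains_line_break(value, max_decodes=3):
    """Log triage: True if CR/LF appears raw or after repeated percent-decoding."""
    for _ in range(max_decodes + 1):
        if "\r" in value or "\n" in value:
            return True
        decoded = unquote(value)
        if decoded == value:
            return False
        value = decoded
    return False


if __name__ == "__main__":
    decoded = unquote(SAMPLE_ENCODED)  # what a framework hands the application
    print(header_lines(naive_response(decoded)))  # two headers instead of one
    try:
        safe_response(decoded)
    except ValueError as exc:
        print("rejected:", exc)
    print(contains_line_break("/home%250d%250aX-Injected: 1"))  # double-encoded
```

The check belongs at the sink (where the header is written), because the application sees the value only after the framework has percent-decoded it; the log helper decodes repeatedly so that double-encoded sequences are also flagged.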

## Reference
- https://e-staff.ru/estaff_home
- https://github.com/aleksey-vi/CVE-2024-40324
File snapshot
[4.0K] /data/pocs/d66f08b51a55f60b8924fa23a3f8ab602366b953
├── [ 99K] 1.png
└── [ 911] README.md
0 directories, 2 files