CVE-2024-38353 PoC — CodiMD 安全漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-38353.yaml

Associated Vulnerability

Title:CodiMD 安全漏洞 (CVE-2024-38353)
Description:CodiMD是HackMD开源的一个实时协作笔记应用程序。 CodiMD 2.5.3版本存在安全漏洞，该漏洞源于缺少身份验证和访问控制漏洞，允许未经身份验证的攻击者未经授权访问上传的图像数据。

Description

CodiMD does not require valid authentication to access uploaded images or to upload new image data. An attacker who can determine an uploaded image's URL can gain unauthorised access to uploaded image data. Due to the insecure random filename generation in the underlying Formidable library, an attacker can determine the filenames for previously uploaded images and the likelihood of this issue being exploited is increased.

File Snapshot


 id: CVE-2024-38353

info:
  name: CodiMD <2.5.4 - Insecure Filename Randomization
  author: denandz,

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!