CVE-2023-31584 PoC — Silicon Notes 跨站脚本漏洞

Source

https://github.com/rootd4ddy/CVE-2023-31584

Associated Vulnerability

Title:Silicon Notes 跨站脚本漏洞 (CVE-2023-31584)
Description:Silicon Notes是一个基于网络的个人知识库。 Silicon Notes 存在安全漏洞。攻击者利用该漏洞可以执行跨站脚本攻击。

Description

Public disclosure for CVE-2023-31584.

Readme

CVE-2023-31584 - Cross Site Scripting vulnerability in cu/silicon

Github link: https://github.com/cu/silicon

Version Affected: 1

Severity and CVSS: Will update when review is done by NIST.

Type: Cross Site Scripting

Root Cause: Lack of proper input validation and sanitization before inserting user-provided data (title and body) into the database.

Impact: Information Disclosure

Below is the effected function.

https://github.com/cu/silicon/blob/a9ef3681896481bbb443197b9d1c4cb7d22a5983/silicon/page.py#L66-L80

```
def write(title, body):
    """
    * Write a new revision (title and body) to the database.
    * If there was a problem, return error message.
    """
    try:
        db = get_db()
        db.execute(
            "INSERT INTO pages (revision, title, body) VALUES (?, ?, ?)",
            (datetime.now().isoformat(), title, body)
        )
        db.commit()
    except Exception as err:
        current_app.logger.critical(f"Error saving page {title}: {err}")
        return "Unable to save page"
```

File Snapshot


 [4.0K]  /data/pocs/4d1299594ed3b9ffe3deee14e51fe778d3fe25ef
└── [1.0K]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!