# CVE-2024-48591
# Vulnerability Disclosure: XSS in Inflectra SpiraTeam 7.2.00
## Description
Inflectra SpiraTeam version 7.2.00 is vulnerable to Cross-Site Scripting (XSS) through the upload of specially crafted SVG files, which can execute JavaScript when viewed directly.
## Vulnerability Type
Cross-Site Scripting (XSS)
## Vendor
Inflectra
## Affected Product
SpiraTeam 7.2.00
## Affected Component
TestRuns section
## Attack Type
Remote
## Impact
- **Escalation of Privileges**: Allows attackers to potentially gain higher access levels.
## Attack Vectors
An attacker can upload a specially crafted SVG file containing JavaScript. When the file is viewed directly, the JavaScript executes in the viewer's browser.
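The mitigation for this class of issue is twofold: refuse SVG uploads that carry active content, and never serve user-supplied SVGs as inline pages from the application's own origin. The following is an added example written for this page, not code from the advisory or from Inflectra's product. All function names, the element and attribute lists, and the sample SVG documents are constructed for the example.

```python
"""Added example (not from the advisory or from Inflectra's code): a
defensive check for uploaded SVG files plus the response headers that keep
a stored SVG from rendering as a page. Names and samples are constructed."""
import xml.etree.ElementTree as ET

# Conservative deny-list of SVG elements that can run or embed active content.
# <animate>/<set> are included because they can rewrite href to a javascript: URL.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object",
                   "use", "animate", "set"}
# Attributes whose value is a URL and must not carry a script-bearing scheme.
URL_ATTRIBUTES = {"href", "src"}
MAX_BYTES = 1_000_000  # cap parser work on oversized uploads (assumed limit)


def _local(name: str) -> str:
    # ElementTree renders namespaced names as "{uri}local"; keep the local part.
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return findings that make this SVG unsafe to render; empty means clean.
    Note: xml.etree drops comments and processing instructions and does not
    defend against entity expansion; in production parse with defusedxml."""
    if len(svg_bytes) > MAX_BYTES:
        return [f"file exceeds {MAX_BYTES} bytes"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        for attr, value in elem.attrib.items():
            attr_l = _local(attr)
            if attr_l.startswith("on"):
                # Every SVG on* attribute is an event handler (onload, onclick, ...).
                findings.append(f"event handler attribute {attr_l} on <{name}>")
            elif attr_l in URL_ATTRIBUTES:
                # Strip whitespace so "java\nscript:" is recognised as well.
                normalized = "".join(value.split()).lower()
                if normalized.startswith(("javascript:", "data:", "vbscript:")):
                    scheme = normalized.split(":", 1)[0]
                    findings.append(f"{attr_l} on <{name}> uses scheme {scheme}:")
    return findings


def attachment_headers(filename: str) -> dict[str, str]:
    """Headers for serving a stored upload as a download, not a document.
    Even a clean SVG should not execute in the application's origin."""
    safe = "".join(c for c in filename if c.isalnum() or c in "._-") or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples for the example; none are taken from the advisory.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="teal"/></svg>')
SCRIPTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
                b'<script>console.log("x")</script></svg>')
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="console.log(1)">'
               b'<rect width="1" height="1"/></svg>')
LINK_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="java&#10;script:void(0)"><text>x</text></a></svg>')

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG), ("scripted", SCRIPTED_SVG),
                       ("handler", HANDLER_SVG), ("link", LINK_SVG)]:
        print(label, find_active_content(doc) or "clean")
    print(attachment_headers('report "1".svg'))
```

The check is a deny-list kept deliberately broad (it will also reject legitimate animated SVGs), so the headers are the control to rely on: with `Content-Disposition: attachment`, `nosniff` and a sandboxing CSP, a file that slips past the parser is downloaded rather than rendered in the application's origin, which is what turns a stored SVG into an XSS vector in the first place.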
## References
- [OWASP: Cross-Site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/)
- [CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](https://cwe.mitre.org/data/definitions/79.html)
## Vendor Acknowledgment
Inflectra has confirmed the existence of this vulnerability.
## Discoverer
Gareth Catterall
## Note
Users of SpiraTeam 7.2.00 should update to the latest version.