CVE-2023-46694 PoC — Vtenext 安全漏洞

Source

https://github.com/invisiblebyte/CVE-2023-46694

Associated Vulnerability

Title:Vtenext 安全漏洞 (CVE-2023-46694)
Description:Vtenext是意大利Vtenext公司的一款客户关系管理系统帮助使用者管理商业活动中的CRM过程 Vtenext 21.02版本存在安全漏洞，该漏洞源于应用程序在访问 Ckeditor 文件管理器功能时未能实施适当的身份验证控制，允许经过身份验证的攻击者上传任意文件，从而可能使攻击者能够执行远程命令。

Description

CVE-2023-46694 proof-of-concept

Readme

# CVE-2023-46694

**Discovered by: Federico Zambito with Innovery**

## Summary

Vtenext 21.02 allows an authenticated attacker to upload arbitrary files, resulting in remote code execution. This flaw exists due to the application's failure to enforce proper authentication controls when accessing the Ckeditor file manager functionality.

Discovery date: 11/04/23

05/07/23 - Vendor contacted by email (1st time)

11/07/23 - Report sent to the vendor

25/10/23 - CVE issued CVE-2023-46694

17/11/23 - Vendor contacted again but no response

01/03/24 - Public disclosure

File Snapshot


 [4.0K]  /data/pocs/ba1b3df8ff10f5b465b7526cd9dee1455ce7c37d
├── [4.0K]  CVE-2023-46694
│   ├── [5.5K]  CVE-2023-46694.py
│   └── [  92]  earth_sh.jpg
└── [ 571]  README.md

1 directory, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!