CVE-2024-33231 PoC — Ferozo Email Security Vulnerability

Source
Associated Vulnerability
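Title: Ferozo Email Security Vulnerability (CVE-2024-33231)
Description: Ferozo Email is a powerful yet simple hosting panel from Ferozo. Ferozo Email version 1.1 has a security vulnerability: it is susceptible to cross-site scripting, and a local attacker can execute arbitrary code against the PDF preview component through a crafted payload.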
Description
XSS Vulnerability via File Upload in Ferozo Webmail Application
Readme
# Ferozo Webmail XSS Vulnerability via File Upload (CVE-2024-33231)

## Description
Ferozo Webmail version `1.1` is vulnerable to Cross-Site Scripting (XSS) through the file upload functionality. An attacker can exploit this vulnerability by uploading a specially crafted file containing malicious JavaScript code. When the file is processed or viewed within the application, the embedded script executes within the victim's session, potentially leading to:

- **Session Hijacking**
- **Unauthorized Actions**
- **Theft of Sensitive Information**

This vulnerability arises due to insufficient sanitization and validation of file metadata and content during the upload process, allowing malicious users to inject unauthorized scripts and compromise the security of the webmail platform.

## Attack Complexity
- **Low**

## Privileges Required
- **Low** (An authenticated user is required to upload a file.)

## User Interaction
- **Required** (A user or administrator must interact with or open the uploaded file.)

## Affected Components
- **File Upload Feature**: The vulnerability lies in the file upload functionality, where improper sanitization and validation lead to the execution of malicious JavaScript code in the browser of any user interacting with the uploaded file.

## Impact
- **Unauthorized Script Execution**: The XSS vulnerability allows the execution of malicious JavaScript code within the user's session.
- **Session Hijacking & Credential Theft**: Attackers can hijack user sessions, steal sensitive information, or perform unauthorized actions under the victim’s session.

## Remediation
- **Input Validation & Sanitization**: Properly validate and sanitize all file metadata and content during the upload process.
- **Restrict File Types**: Limit the types of files that can be uploaded to prevent the execution of embedded scripts.
- **Security Measures**: Implement additional security controls to ensure that uploaded files are properly handled and do not execute unauthorized scripts.
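
The remediation points above expressed as server-side checks (an added example, not code from the original README or from Ferozo). The allowlist contents and the helper names `safe_filename`, `check_upload`, `download_headers` and `display_name` are assumptions made for illustration.

```python
import html
import os
import re

# Assumed allowlist: extension -> (content type to serve, required leading bytes)
ALLOWED = {
    ".pdf": ("application/pdf", b"%PDF-"),
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
}

class UploadRejected(ValueError):
    """Raised when an upload fails validation."""

def safe_filename(name):
    # Metadata: drop any path component and keep a conservative character set.
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    if not base:
        raise UploadRejected("empty filename")
    return base[:100]

def check_upload(filename, data):
    # Restrict file types: the extension must be allowlisted and the
    # content must start with the signature expected for that extension.
    name = safe_filename(filename)
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected("file type not allowed: %r" % ext)
    ctype, magic = ALLOWED[ext]
    if not data.startswith(magic):
        raise UploadRejected("content does not match extension")
    return name, ctype

def download_headers(name, ctype):
    # Handling: a well-formed file can still carry active content, so serve it
    # as a download with a fixed type, no sniffing, and a sandboxing CSP.
    return {
        "Content-Type": ctype,
        "Content-Disposition": 'attachment; filename="%s"' % name,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }

def display_name(original_name):
    # Output encoding wherever the user-supplied name is shown in HTML.
    return html.escape(original_name, quote=True)
```

The signature check only confirms the declared type; the response headers are what keep a stored file from running script in the webmail origin when another user opens it.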

---

**CVE-2024-33231**  
*Reported by [Facundo Fernandez / Security Researcher]*


File Snapshot

[4.0K] /data/pocs/bdb52238b3375824211aa225226d2690215c7799
└── [2.1K] README.md

0 directories, 1 file