CVE-2021-3395 PoC — Pryaniki 跨站脚本漏洞

Source

https://github.com/jet-pentest/CVE-2021-3395

Associated Vulnerability

Title:Pryaniki 跨站脚本漏洞 (CVE-2021-3395)
Description:Pryaniky是俄罗斯Pryaniky公司的一个用于搭建企业交流平台的建站系统。该平台用于组织公司内部的沟通，动机计划，想法管理项目和其他业务流程。 Pryaniki 6.44.3 存在跨站脚本漏洞，该漏洞源于允许未授权用户上传任意文件。

Readme

# CVE-2021-3395
## [Suggested description]
A cross-site scripting (XSS) vulnerability in Pryaniki 6.44.3 allows remote authenticated users to upload an arbitrary file. The JavaScript code will execute when someone visits the attachment.

## [Vulnerability Type]
Cross Site Scripting (XSS)

## [Vendor of Product]
OOO  Tekhnologii zashchity

## [Affected Product Code Base]
PRYANIKY - 6.44.3

## [Attack Type]
Remote

## [Attack Vectors]
To exploit this vulnerability someone must open a crafted HTML file.

## [Has vendor confirmed or acknowledged the vulnerability?] true
true

## [Discoverer]
Irina Belyaeva (Jet Infosystems, jet.su), Maria Kononova (Jet Infosystems, jet.su)

## [Reference]
https://pryaniky.com/en/

File Snapshot


 [4.0K]  /data/pocs/c5462a12de395bbe6fa8ab4790ec842496f22251
└── [ 719]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!