CVE-2024-40324 PoC — E-Staff 安全漏洞

Source

https://github.com/aleksey-vi/CVE-2024-40324

Associated Vulnerability

Title:E-Staff 安全漏洞 (CVE-2024-40324)
Description:E-Staff是俄罗斯E-Staff公司的一个可靠的招聘工具，用于在服务器或云中进行招聘的现代综合解决方案，具有与任何系统和服务的广泛集成功能。 E-Staff 5.1版本存在安全漏洞。攻击者利用该漏洞可以将回车和换行符号插入到字段中来导致HTTP响应拆分和标头操纵。

Readme

# CVE-2024-40324

## Description

A CRLF injection vulnerability in E-Staff v5.1 allows attackers to insert Carriage Return (CR) and Line Feed (LF) characters into input fields, leading to HTTP response splitting and header manipulation.

## Vulnerability Type

CRLF

## Vendor of Product

E-Staff

## Affected Product Code Base

E-Staff 5.1 

## Affected Component

HTTP headers

## Attack Type

Remote

## Impact Code execution

Potential for arbitrary header injection, cache poisoning, and session hijacking, cross-site scripting (XSS),  and other exploits.

## Discoverer

- Aleksey Vistorobskiy

## Attack Vectors

An attacker can insert CRLF characters into input fields, manipulating HTTP headers. For example, injecting CRLF into HTTP headers can result in HTTP response splitting


Screenshot:
![](/1.png)

## Reference

- https://e-staff.ru/estaff_home
- https://github.com/aleksey-vi/CVE-2024-40324

File Snapshot


 [4.0K]  /data/pocs/d66f08b51a55f60b8924fa23a3f8ab602366b953
├── [ 99K]  1.png
└── [ 911]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!