Ekultek/CVE-2019-17625

CVE-2019-17625

There is a stored XSS vulnerability in Rambox 0.6.9 due to unsanitized parameters in the name field when a user is adding a service. Since Rambox runs on Node.js, this allows OS commands to be injected through an <a> or <img> tag.

Note: This code has only been tested on macOS and may need to be reconfigured for other operating systems.
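
The root cause described above, a stored service name written into markup without encoding, shown next to a hardened renderer and a check over already-stored names. This is an added example, not code from Rambox or from this repository; the function names, the markup and the sample services are assumptions constructed for illustration.

```javascript
// Added example: names, markup and sample data are constructed for illustration.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag, an entity or an attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is concatenated into markup as-is,
// so any tag in it becomes part of the DOM each time the tab is drawn.
function renderTabUnsafe(service) {
  return `<span class="tab-title">${service.name}</span>`;
}

// Hardened pattern: the name is encoded at the point of output.
function renderTabSafe(service) {
  return `<span class="tab-title">${escapeHtml(service.name)}</span>`;
}

// Triage helper: list stored services whose name contains tag-like markup
// or an inline event-handler attribute, for review of an existing config.
function findSuspiciousNames(services) {
  const tagLike = /<\s*\/?\s*[a-z!]/i;
  const handlerAttr = /\bon[a-z]+\s*=/i;
  return services
    .filter((s) => typeof s.name === 'string' && (tagLike.test(s.name) || handlerAttr.test(s.name)))
    .map((s) => s.id);
}

// Constructed sample data; PLACEHOLDER stands in for attacker script.
const sampleServices = [
  { id: 1, name: 'Discord' },
  { id: 2, name: 'Team <3 chat' },
  { id: 3, name: 'Discord<img src=x onerror=PLACEHOLDER>' },
  { id: 4, name: 'Ops & "on-call"' },
];

function demo() {
  return {
    unsafe: renderTabUnsafe(sampleServices[2]),
    safe: renderTabSafe(sampleServices[2]),
    flagged: findSuspiciousNames(sampleServices),
  };
}

console.log(demo());
```

Output encoding removes the injection point; the command-execution impact the README describes depends on page script being able to reach Node.js APIs.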

Exploit code

The exploit code creates a service (using Discord as a base). The shell requires that the system has mkfifo on it. You can of course swap out the payload for whatever you want.

PoC

rce_rambox_poc

About

Working exploit code for CVE-2019-17625
