PT-2023-11572 · Zrlog · Zrlog
T-Podo
·
Publicado
2023-06-20
·
Atualizado
2024-12-10
·
CVE-2020-21052
CVSS v3.1
6.1
Média
| Vetor | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
zrlog version 2.1.3
Description
The issue allows a remote attacker to execute arbitrary code via the
nickame parameter of the "/post/addComment" API endpoint. This enables the attacker to perform actions such as injecting malicious scripts.Recommendations
For zrlog version 2.1.3, consider disabling the
/post/addComment function until a patch is available to prevent exploitation via the nickame parameter. Restrict access to this function to minimize the risk of arbitrary code execution.Exploit
Correção
XSS
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Zrlog