Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-5024 PoC — Planno Comment cross site scripting

Source
https://github.com/PH03N1XSP/CVE-2023-5024
Associated Vulnerability
Title:Planno Comment cross site scripting (CVE-2023-5024)
Description:A vulnerability was found in Planno 23.04.04. It has been classified as problematic. This affects an unknown part of the component Comment Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-239865 was assigned to this vulnerability.
Readme
- Exploit Title: PLANNO 23.04.04 COMMENT CROSS SITE SCRIPTING
- Exploit Author: Angel Metz AKA PH03N1XSP
- Vendor Homepage: [Planno](https://www.planno.fr/)
- Software Link: [GitHub - PlanningBiblio](https://github.com/PlanningBiblio/PlanningBiblio)
- Version: <= 23.04.04
- Tested on: Linux
- CVE-2023-5024

A vulnerability has been discovered in Planno version <= 23.04.04, and it has been categorized as problematic. This vulnerability affects an undisclosed portion of the Comment Handler component's code and can lead to cross-site scripting (XSS) attacks. It has been assigned the name CVE-2023-5024. Importantly, this type of attack can be initiated remotely, and furthermore, an exploit is known to exist to exploit this vulnerability.

## Description: PLANNO 23.04.04 COMMENT CROSS SITE SCRIPTING

### 1st Path

1. Proceed to log in using your credentials.
2. Navigate to the bottom and click on "Ajouter un commentaire."
3. Write a malicious script to obtain a Reflected XSS (`"><script>alert(1);</script>`)
4. Once the script is entered, proceed to obtain the reflected XSS.

### 2nd Path

1. Proceed to log in using your credentials.
2. Go to the upper right and click on "Enregistrer comme modele."
3. In "Nom du module," write a malicious script to obtain a Reflected XSS (`"><script>alert(1);</script>`) and then click on "Enregistrer."
4. Once the script is entered, proceed to obtain the reflected XSS.

You can learn more about it at the following links:

- [CVE-2023-5024 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-5024)
- [CVE-2023-5024 - VulDB](https://vuldb.com/?id.239865)
- [CVE-2023-5024 - INCIBE](https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2023-5024)
- [CVE-2023-5024 - CVE Report](https://cve.report/CVE-2023-5024)
- [CVE-2023-5024 - Debricked](https://debricked.com/vulnerability-database/vulnerability/CVE-2023-5024)
- [CVE-2023-5024 - GitHub Advisories](https://github.com/advisories/GHSA-phww-594j-mchh)
- [CVE-2023-5024 - MITRE CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5024)
File Snapshot

 [4.0K]  /data/pocs/602f5428e89871de23c0ff7380d837cce4c1ef11
├── [1.0K]  LICENSE
└── [2.0K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →