CVE-2024-35475 PoC — OpenKM 安全漏洞

Source

https://github.com/carsonchan12345/CVE-2024-35475

Associated Vulnerability

Title:OpenKM 安全漏洞 (CVE-2024-35475)
Description:A Cross-Site Request Forgery (CSRF) vulnerability was discovered in OpenKM Community Edition on or before version 6.3.12. The vulnerability exists in /admin/DatabaseQuery, which allows an attacker to manipulate a victim with administrative privileges to execute arbitrary SQL commands.

Readme

# CVE-2024-35475

**Vulnerability:** Cross-Site Request Forgery (CSRF)
---------------------------------------------
### Affected Product
OpenKM Community Edition
### Affected Version
On or Before 6.3.12
### Vulnerable URL
/OpenKM/admin/DatabaseQuery
### Description
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in OpenKM Community Edition on or before version 6.3.12. The vulnerability exists in the /admin/DatabaseQuery endpoint, which allows an attacker to manipulate a victim with administrative privileges to execute arbitrary SQL commands.
### Attack Vector
An attacker can craft a malicious CSRF payload that, when executed by an administrator, can execute arbitrary SQL commands on the vulnerable system. This can lead to unauthorized data modification, extraction, or destruction.
### Impact
* Unauthorized data modification
* Unauthorized data extraction
* Unauthorized data destruction
* Elevation of privileges
### References
* OpenKM Community Edition:
* https://www.openkm.com/
* https://github.com/openkm/document-management-system
* https://www.cve.org/CVERecord?id=CVE-2024-35475
* CWE: CWE-352 (Cross-Site Request Forgery)

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →