CVE-2024-23724 PoC — Ghost Cross-Site Scripting Vulnerability

Source
Associated Vulnerability
Title: Ghost Cross-Site Scripting Vulnerability (CVE-2024-23724)
Description: Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor does not view this as a valid vector."
File Snapshot

[4.0K] /data/pocs/98233ebb0e8f78a4b433689d77d6a3cba5a78558
├── [ 43K] boilerplate.svg
├── [ 352] config.development.json
├── [640K] CVE_2024_23724.pdf
├── [ 19M] cve-web-demo.webm
├── [ 997] docker-compose.yaml
├── [1.5K] Evaluation_template.md
├── [4.5K] generate-malicious-svg.py
├── [4.0K] init_db
│   ├── [ 185] Dockerfile
│   ├── [ 349] init_db.sh
│   └── [209K] mysql_dump.sql
├── [4.0K] manual-setup
│   ├── [ 637] config.example.json
│   └── [ 801] docker-compose.yaml
├── [6.7K] readme.md
├── [ 249] setup-script.sh
├── [ 391] simple-malicious.svg
└── [3.3K] tenant-takeover.svg

2 directories, 16 files