CVE-2024-27292 PoC — Docassemble unauthorized access through URL manipulation

Source

https://github.com/NingXin2002/Docassemble_poc

Associated Vulnerability

Title:Docassemble unauthorized access through URL manipulation (CVE-2024-27292)
Description:Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch.

Description

Docassemble任意文件读取漏洞(CVE-2024-27292)

Readme

# Docassemble_poc
Docassemble任意文件读取漏洞(CVE-2024-27292)

 python Docassemble_poc.py -h                              

                ) (`-.            ) (`-.
         ( OO ).           ( OO ).
        (_/.  \_)-. ,-.-')(_/.  \_)-. ,-.-')
         \  `.'  /  |  |OO)\  `.'  /  |  |OO)
          \     /\  |  |  \ \     /\  |  |  \
           \   \ |  |  |(_/  \   \ |  |  |(_/
          .'    \_),|  |_.' .'    \_),|  |_.'
         /  .'.  \(_|  |   /  .'.  \(_|  |
        '--'   '--' `--'  '--'   '--' `--'

usage: Docassemble_poc.py [-h] [-u URL] [-f FILE]  

Docassemble任意文件读取漏洞(CVE-2024-27292)  

optional arguments:  
  -h, --help            show this help message and exit  
  -u URL, --url URL     添加url信息  
  -f FILE, --file FILE  添加txt文件  

example:  
    python3 Docassemble_poc.py -u http://xxxx.xxxx.xxxx.xxxx  
    python3 Docassemble_poc.py -f x_url.txt

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!