CVE-2024-33231 PoC — Ferozo Email Security Vulnerability

Source
Associated Vulnerability
Title: Ferozo Email Security Vulnerability (CVE-2024-33231)
Description: Cross Site Scripting vulnerability in Ferozo Email version 1.1 allows a local attacker to execute arbitrary code via a crafted payload to the PDF preview component.
Description
XSS Vulnerability via File Upload in Ferozo Webmail Application
Readme
# Ferozo Webmail XSS Vulnerability via File Upload (CVE-2024-33231)

## Description
Ferozo Webmail version `1.1` is vulnerable to Cross-Site Scripting (XSS) through the file upload functionality. An attacker can exploit this vulnerability by uploading a specially crafted file containing malicious JavaScript code. When the file is processed or viewed within the application, the embedded script executes within the victim's session, potentially leading to:

- **Session Hijacking**
- **Unauthorized Actions**
- **Theft of Sensitive Information**

This vulnerability arises due to insufficient sanitization and validation of file metadata and content during the upload process, allowing malicious users to inject unauthorized scripts and compromise the security of the webmail platform.

## Attack Complexity
- **Low**

## Privileges Required
- **Low** (An authenticated user is required to upload a file.)

## User Interaction
- **Required** (A user or administrator must interact with or open the uploaded file.)

## Affected Components
- **File Upload Feature**: The vulnerability lies in the file upload functionality, where improper sanitization and validation lead to the execution of malicious JavaScript code in the browser of any user interacting with the uploaded file.

## Impact
- **Unauthorized Script Execution**: The XSS vulnerability allows the execution of malicious JavaScript code within the user's session.
- **Session Hijacking & Credential Theft**: Attackers can hijack user sessions, steal sensitive information, or perform unauthorized actions under the victim’s session.

## Remediation
- **Input Validation & Sanitization**: Properly validate and sanitize all file metadata and content during the upload process.
- **Restrict File Types**: Limit the types of files that can be uploaded to prevent the execution of embedded scripts.
- **Security Measures**: Implement additional security controls to ensure that uploaded files are properly handled and do not execute unauthorized scripts.
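
One way to implement the three remediation items above on the server side, as an added example that is not part of the original README or Ferozo's code. The allowlist, the function names (`sniff_type`, `safe_filename`, `accept_upload`) and the header choices are assumptions, and the sample inputs are constructed.

```python
import html
import re
from pathlib import PurePosixPath

# Allowlist keyed by the leading "magic" bytes of the content.
# Assumption: the deployment only needs these three attachment types.
ALLOWED_MAGIC = {
    b"%PDF-": "application/pdf",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}

def sniff_type(content: bytes):
    """Return the allowlisted MIME type matching the magic bytes, else None."""
    for magic, mime in ALLOWED_MAGIC.items():
        if content.startswith(magic):
            return mime
    return None

def safe_filename(name: str) -> str:
    """Drop any path, keep only [A-Za-z0-9._-], never return an empty name."""
    base = PurePosixPath(name.replace("\\", "/")).name
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return cleaned[:100] or "attachment"

def accept_upload(filename: str, declared_type: str, content: bytes) -> dict:
    """Validate an upload; raise ValueError for anything outside the allowlist."""
    actual = sniff_type(content)
    if actual is None or actual != declared_type:
        raise ValueError("file type not allowed or does not match its content")
    stored = safe_filename(filename)
    return {
        "stored_name": stored,
        # Escape the user-supplied name before it is placed in any HTML view.
        "display_name": html.escape(filename, quote=True),
        # Headers for serving the file back: no MIME sniffing, no inline
        # rendering, and a sandboxed document if a browser renders it anyway.
        "headers": {
            "Content-Type": actual,
            "Content-Disposition": f'attachment; filename="{stored}"',
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "sandbox; default-src 'none'",
        },
    }
```

A matching magic number does not prove a PDF is free of active content, so the response headers carry the protection here. Serving with `Content-Disposition: attachment` also turns off in-browser preview, which is a trade-off for a webmail client.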

---

**CVE-2024-33231**  
*Reported by [Facundo Fernandez / Security Researcher]*

