zeyu2001/CVE-2023-30334.txt

## CVE-2023-30334.txt
[Description]
AsmBB v2.9.1 was discovered to contain multiple cross-site scripting
(XSS) vulnerabilities via the MiniMag.asm and bbcode.asm libraries.

------------------------------------------

[Additional Information]
This vulnerability was discovered through the hxp CTF.
Several teams used different variations of the vulnerability but the root cause and impact are similar.

------------------------------------------

[Vulnerability Type]
Cross Site Scripting (XSS)

------------------------------------------

[Vendor of Product]
johnfound

------------------------------------------

[Affected Product Code Base]
AsmBB,  Fresh IDE - v2.9.1

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Code execution]
true

------------------------------------------

[Impact Escalation of Privileges]
true

------------------------------------------

[Attack Vectors]
To exploit the vulnerability, the victim must visit a malicious forum thread or crafted link.

------------------------------------------

[Reference]
> https://board.asm32.info/thanks-to-the-hxp-ctf-challenge-several-serious-vulnerabilities-has-been-fixed.394/
> https://ctf.zeyu2001.com/2023/hxp-ctf/true_web_assembly
> https://asm32.info/fossil/asmbb/info/7dfa4f56b473f76c
> https://fresh.flatassembler.net/fossil/repo/fresh/info/a3caaf7ad8503348

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Zhang Zeyu
	[Description]
	AsmBB v2.9.1 was discovered to contain multiple cross-site scripting
	(XSS) vulnerabilities via the MiniMag.asm and bbcode.asm libraries.

	------------------------------------------

	[Additional Information]
	This vulnerability was discovered through the hxp CTF.
	Several teams used different variations of the vulnerability but the root cause and impact are similar.

	------------------------------------------

	[Vulnerability Type]
	Cross Site Scripting (XSS)

	------------------------------------------

	[Vendor of Product]
	johnfound

	------------------------------------------

	[Affected Product Code Base]
	AsmBB, Fresh IDE - v2.9.1

	------------------------------------------

	[Attack Type]
	Remote

	------------------------------------------

	[Impact Code execution]
	true

	------------------------------------------

	[Impact Escalation of Privileges]
	true

	------------------------------------------

	[Attack Vectors]
	To exploit the vulnerability, the victim must visit a malicious forum thread or crafted link.

	------------------------------------------

	[Reference]
	> https://board.asm32.info/thanks-to-the-hxp-ctf-challenge-several-serious-vulnerabilities-has-been-fixed.394/
	> https://ctf.zeyu2001.com/2023/hxp-ctf/true_web_assembly
	> https://asm32.info/fossil/asmbb/info/7dfa4f56b473f76c
	> https://fresh.flatassembler.net/fossil/repo/fresh/info/a3caaf7ad8503348

	------------------------------------------

	[Has vendor confirmed or acknowledged the vulnerability?]
	true

	------------------------------------------

	[Discoverer]
	Zhang Zeyu