@zeyu2001
Last active April 29, 2023 07:19
CVE-2023-30334
[Description]
AsmBB v2.9.1 was discovered to contain multiple cross-site scripting
(XSS) vulnerabilities via the MiniMag.asm and bbcode.asm libraries.
------------------------------------------
[Additional Information]
This vulnerability was discovered through the hxp CTF.
Several teams used different variations of the vulnerability, but the root cause and impact are similar.
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]
johnfound
------------------------------------------
[Affected Product Code Base]
AsmBB, Fresh IDE - v2.9.1
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, the victim must visit a malicious forum thread or crafted link.
------------------------------------------
[Reference]
> https://board.asm32.info/thanks-to-the-hxp-ctf-challenge-several-serious-vulnerabilities-has-been-fixed.394/
> https://ctf.zeyu2001.com/2023/hxp-ctf/true_web_assembly
> https://asm32.info/fossil/asmbb/info/7dfa4f56b473f76c
> https://fresh.flatassembler.net/fossil/repo/fresh/info/a3caaf7ad8503348
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Zhang Zeyu