Headline
CVE-2023-23286: Provide server v.14.4
Cross Site Scripting (XSS) vulnerability in Provide server 14.4 allows attackers to execute arbitrary code through the server-log via username field from the login form.
CWE-79: Improper Neutralization of Input During Web Page Generation
Unauthenticated stored XSS in server-log delivered via username field from login-form
CWE-352: Cross-Site Request Forgery
CSRF-token exposed in javascript, makes it possible to get a valid CSRF-Token and use it in XMLHTTPRequests. Using CSRF to add task, that runs commands on server as “NT-System”
POC Video