Headline
CVE-2023-30334: CVE-2023-30334
AsmBB v2.9.1 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the MiniMag.asm and bbcode.asm libraries.
[Description]
AsmBB v2.9.1 was discovered to contain multiple cross-site scripting
(XSS) vulnerabilities via the MiniMag.asm and bbcode.asm libraries.
------------------------------------------
[Additional Information]
This vulnerability was discovered through the hxp CTF.
Several teams used different variations of the vulnerability but the root cause and impact are similar.
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]
johnfound
------------------------------------------
[Affected Product Code Base]
AsmBB, Fresh IDE - v2.9.1
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, the victim must visit a malicious forum thread or crafted link.
------------------------------------------
[Reference]
> https://board.asm32.info/thanks-to-the-hxp-ctf-challenge-several-serious-vulnerabilities-has-been-fixed.394/
> https://ctf.zeyu2001.com/2023/hxp-ctf/true_web_assembly
> https://asm32.info/fossil/asmbb/info/7dfa4f56b473f76c
> https://fresh.flatassembler.net/fossil/repo/fresh/info/a3caaf7ad8503348
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Zhang Zeyu