Posts: 2,886
Threads: 65
Joined: Jun 2024
GeoServer is an open-source Java-based software server that enables users to view, edit, and share geospatial data. It offers a versatile and efficient solution for distributing geospatial information from various sources such as GIS databases, web-based data, and personal datasets.
In versions of GeoServer earlier than 2.23.2, 2.23.6, versions 2.24.0 to 2.24.3, and version 2.25.0, there exists a vulnerability (CVE-2024-36401) that permits Remote Code Execution (RCE) by unauthenticated users. This issue arises from the unsafe evaluation of property names as XPath expressions in multiple OGC request parameters.
Exploiting this vulnerability, an attacker can send a POST request containing a malicious XPath expression, which can result in arbitrary command execution as root on the system running GeoServer.
Posts: 27
Threads: 5
Joined: Jul 2024
Aug 05, 2024, 01:12 AM
(This post was last modified: Aug 05, 2024, 01:16 AM by PangPang.)
How do you find the vulnerable websites? I can't find any.
Edit: dork is provided
Posts: 135
Threads: 18
Joined: Aug 2024
Posts: 2,886
Threads: 65
Joined: Jun 2024
(Aug 05, 2024, 01:26 AM)orderfindrat Wrote: A month ago, you're kidding me
https://github.com/Chocapikk/CVE-2024-36401
what are you on about?
and why are you posting a hidden link as the reply?
Posts: 13
Threads: 1
Joined: Apr 2024
2222222222222222222222222222222
Posts: 4
Threads: 0
Joined: Aug 2024
Thank you, this is a very useful thing for my learning
Posts: 8
Threads: 1
Joined: Jul 2024
nice! need to check it out
Posts: 9
Threads: 0
Joined: Aug 2024
Thank you, this is a very useful
Posts: 60
Threads: 4
Joined: Aug 2024
(Aug 04, 2024, 08:03 PM)Loki Wrote: GeoServer is an open-source Java-based software server that enables users to view, edit, and share geospatial data. It offers a versatile and efficient solution for distributing geospatial information from various sources such as GIS databases, web-based data, and personal datasets.
In versions of GeoServer earlier than 2.23.2, 2.23.6, versions 2.24.0 to 2.24.3, and version 2.25.0, there exists a vulnerability (CVE-2024-36401) that permits Remote Code Execution (RCE) by unauthenticated users. This issue arises from the unsafe evaluation of property names as XPath expressions in multiple OGC request parameters.
Exploiting this vulnerability, an attacker can send a POST request containing a malicious XPath expression, which can result in arbitrary command execution as root on the system running GeoServer.
This file is amazing, thanks for sharing bro
Posts: 376
Threads: 11
Joined: Aug 2024
Someone should make this into a spiderfoot module to scan the net efficiently for vuln server