Security Researcher and Open Source Developer. Passionate about Computing, Nature and cooking.
Author: Edoardo Ottavianelli
In this post I will go through CVE-2023-27069: the description, replication of the vulnerability and POC.
link to the GitHub repo
). From the GitHub description we can read:
"OpenPlatform is a stylish and straightforward Web OS platform / Portal for running, integrating, and managing multiple 3rd party web applications. OpenPlatform provides running applications with a set of services, such as user and security management or notifications, so that programmers can focus on business logic. OpenPlatform is an enterprise-ready solution"
Among its benefits they list:
container for 3rd party apps
Supports user groups and permissions
Supports notifications, and sounds
Powerful user management
Fully optimized for mobile devices
and many more...
Description of the vulnerability
) and after few hours the maintainer provided a patch (
Replication of the vulnerability
Login in the application.
Click on user profile picture in the right corner below.
Click My Account
"><img src=x onerror=alert(document.domain)>
as account name and save.
Each time a target will visit the dashboard the payload will fire, even if the target is not logged in! In order to test this, just click logout and reload the page.
See the Youtube Video POC at the top of the page.