SSTI in mblog 3.5.1 - A tale of a glorified RCE (CVE-2024-28713) - novel exploit

OS

2024.1.*
2020.3.*
2019.4.*

Apps

Mblog (Mblog Project)
3.1.12.*
3.5.0.*
2.8.*
3.0.*
-.*

Summary

A Server-Side Template Injection (SSTI) vulnerability exists in Mblog Blog system v.3.5.0, allowing an attacker to execute arbitrary code by uploading a malicious theme. This post unveils an automated exploit to get RCE on the underlying server where the `mblog` blogging system (version 3.5.0) is running!

general

Description

@secatgourity
