https://github.com/mbadanoiu/cve-2021-42560

CVE-2021-42560: Unsafe XML Parsing in MITRE Caldera
https://github.com/mbadanoiu/cve-2021-42560

0-day authenticated cve cve-2021-42560 cves xxe

Last synced: about 2 months ago
JSON representation

CVE-2021-42560: Unsafe XML Parsing in MITRE Caldera

• Host: GitHub
• URL: https://github.com/mbadanoiu/cve-2021-42560
• Owner: mbadanoiu
• Created: 2024-06-09T21:33:07.000Z (11 months ago)
• Default Branch: main
• Last Pushed: 2024-06-09T21:40:16.000Z (11 months ago)
• Last Synced: 2025-01-12T09:29:27.752Z (4 months ago)
• Topics: 0-day, authenticated, cve, cve-2021-42560, cves, xxe
• Homepage:
• Size: 232 KB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        
# CVE-2021-42560: Unsafe XML Parsing in MITRE Caldera

The Debrief plugin in Caldera (versions <=2.9.0) receives base64 encoded "SVG" parameters when generating a PDF. These SVG are parsed in an unsafe manner and can be leveraged for XXE attacks (e.g. File Exfiltration, Server-Side Request Forgery, Out of Band Exfiltration, etc.). 

### Vendor Disclosure:

The vendor's disclosure for this vulnerability can be found [here](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42560).

### Requirements:

This vulnerability requires:




- Valid user credentials

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2021-42560/blob/main/Caldera%20-%20CVE-2021-42560.pdf).