Security Research & Bug Bounty Hunter
Hello there,
Sharing my proof of concept for Atlassian Crowd RCE – CVE-2019-11580. I was going to make a blog post detailing all the inner workings but someone has already made a very detailed analysis here: https://www.corben.io/atlassian-crowd-rce/
You can find all the source code here:
https://gitlab.com/zeroauth/cve-2019-11580_poc_exploit
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress.
wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
An attacker could leverage this CSRF to include a script-tag that will execute upon CSRF, coupled with a wordpress user-create payload could potentially lead to RCE.
Proof of Concept:
where poc.js could be a payload similar to:
https://github.com/hakluke/weaponised-XSS-payloads/blob/master/wordpress_create_admin_user.js