CVE-2024-28741
published 2024-04-06

CVE-2024-28741: Cross Site Scripting vulnerability in EginDemirbilek NorthStar C2 v1 allows a remote attacker to execute arbitrary code via the login.php component.

Priority: P269 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 78.16% (99.5th percentile)

Detection & IOCs (extracted from sources)

url: login.php
hash: e7fdce148b6a81516e8aa5e5e037acd082611f73
  • Detect unauthenticated agent registration requests to NorthStar C2 that contain XSS payloads — these are stored in the logs page and trigger when an authenticated user views logs.
  • Monitor NorthStar C2 logs page for stored XSS payloads injected via spoofed agent registration; session hijacking follows successful XSS execution.
  • After session hijack, attacker deploys a new payload to ALL compromised NorthStar C2 agents and kills the original agent — look for unexpected new agent check-ins or mass payload pushes from the C2 server.
  • Vulnerability is only present in NorthStar C2 versions prior to commit 7674a44 (March 11, 2024); patched instances are not affected.
  • Exploit was validated specifically on Ubuntu 22.04 (server) with a Windows 10 19045 agent; behavior on other OS/version combinations is unconfirmed.