CVE-2024-31839
published 2024-04-12


Priority: P2 (75)
Severity: medium, 4.8 (CVSS 3.1)
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:L / I:L / A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 8.10% (94.1st percentile)
Cross Site Scripting vulnerability in tiagorlampert CHAOS v.5.0.1 allows a remote attacker to escalate privileges via the sendCommandHandler function in the handler.go component.

Affected

2 ranges

  • Vendor: github.com; Product: tiagorlampert_chaos; Version range: 0 – 5.0.1; Fixed in: not listed
  • Vendor: tiagorlampert; Product: chaos; Version range: not listed; Fixed in: not listed

Detection & IOCs (extracted from sources)

  • url: POST /auth HTTP/1.1
  • path: /auth
  • path: /command
  • command: echo 'alert(document.domain)'
  • hash: 7d5b20ad7e58e5b525abdcb3a12514b88e87cef2
  • Detect XSS exploitation attempt: POST to /command endpoint with multipart form-data containing an XSS payload in the 'command' field, with response body echoing the payload and Content-Type text/plain.
  • Monitor for POST requests to /auth followed by GET / to extract a shell address token (href='/shell?address=...'), then POST to /command — this three-step flow is the exploit chain.
  • The XSS vulnerability is triggered in the sendCommandHandler function in handler.go when a logged-in user executes a command on an agent and the returned value contains an XSS payload.
  • Attackers may supply a JWT token from a CHAOS agent to emulate a compromised host; monitor for JWT-authenticated requests to /command that return XSS payloads.
  • The exploit chain can also pivot to RCE via the 'generate new executable' feature; monitor for authenticated POST requests to the binary generation endpoint following XSS exploitation.
  • Multipart boundary value '---------------------------7531776718188184812862255877' is used in the authentication POST; its presence in traffic may indicate exploit tooling (e.g., Nuclei template).
  • Multipart boundary value '---------------------------424661958414611637671358243344' is used in the /command POST; its presence in traffic may indicate exploit tooling.
  • The Nuclei template is marked 'intrusive' and requires valid credentials (username/password) to authenticate before triggering the XSS; unauthenticated detection is not possible with this method.
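The detection logic described in the bullets above, as an added example that is not part of this record or of the CHAOS project: it walks one client's ordered request records looking for the POST /auth, GET / (shell link), POST /command chain, and flags a /command POST whose multipart 'command' field holds script-like text that comes back as text/plain. The record field names, the multipart boundary and the agent ID are constructed assumptions; the command string is the one listed in the IOCs.

```python
import re
from typing import Optional

# Script-like markers in a command value or response (heuristic, not exhaustive).
XSS_MARKERS = re.compile(r"<script|alert\(|on[a-z]+\s*=|javascript:", re.IGNORECASE)
COMMAND_FIELD = re.compile(r'name="command"\r?\n\r?\n(.*?)\r?\n--', re.DOTALL)  # multipart 'command' field
SHELL_LINK = re.compile(r"href='/shell\?address=")

def command_field(body: str) -> Optional[str]:
    m = COMMAND_FIELD.search(body)
    return m.group(1) if m else None

def is_reflected_xss(req: dict) -> bool:
    """POST /command whose multipart 'command' has script-like text echoed back as text/plain."""
    if (req["method"], req["path"]) != ("POST", "/command") or not req["ctype"].startswith("multipart/form-data"):
        return False
    cmd = command_field(req["body"])
    hit = XSS_MARKERS.search(cmd) if cmd else None
    return bool(hit) and req["resp_ctype"].startswith("text/plain") and hit.group(0).lower() in req["resp_body"].lower()

def exploit_chain_seen(requests) -> bool:
    """Ordered requests from one client: POST /auth, then GET / carrying a /shell?address= link, then POST /command."""
    stage = 0
    for r in requests:
        if stage == 0 and (r["method"], r["path"]) == ("POST", "/auth"):
            stage = 1
        elif stage == 1 and (r["method"], r["path"]) == ("GET", "/") and SHELL_LINK.search(r["resp_body"]):
            stage = 2
        elif stage == 2 and (r["method"], r["path"]) == ("POST", "/command"):
            return True
    return False

def findings(requests: list) -> list:
    out = [f"reflected-xss {r['path']}" for r in requests if is_reflected_xss(r)]
    if exploit_chain_seen(requests):
        out.append("chain /auth -> / -> /command")
    return out

# Constructed sample records for one client: field names and the boundary are assumptions,
# not the real tooling's values; the command string is the one listed in the IOCs above.
B = "----constructed-boundary"
CMD = "echo 'alert(document.domain)'"
SAMPLE = [
    {"method": "POST", "path": "/auth", "ctype": f"multipart/form-data; boundary={B}",
     "body": "", "resp_ctype": "text/html", "resp_body": ""},
    {"method": "GET", "path": "/", "ctype": "", "body": "", "resp_ctype": "text/html",
     "resp_body": "<a href='/shell?address=AGENT-ID-PLACEHOLDER'>agent</a>"},
    {"method": "POST", "path": "/command", "ctype": f"multipart/form-data; boundary={B}",
     "body": f'--{B}\r\nContent-Disposition: form-data; name="command"\r\n\r\n{CMD}\r\n--{B}--\r\n',
     "resp_ctype": "text/plain; charset=utf-8", "resp_body": "alert(document.domain)"},
]
```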

CVSS provenance

  • nvd: v3.1, 4.8 MEDIUM, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  • vulncheck: 4.8 MEDIUM