CVE-2024-31839
Published: 2024-04-12
Priority P275 · medium · CVSS 3.1 base score 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
Exploited in the wild (VulnCheck KEV)
EPSS: 8.10% (94.1th percentile)
Cross Site Scripting vulnerability in tiagorlampert CHAOS v.5.0.1 allows a remote attacker to escalate privileges via the sendCommandHandler function in the handler.go component.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | tiagorlampert_chaos | 0 – 5.0.1 | — |
| tiagorlampert | chaos | — | — |
Detection & IOCs (extracted from sources)
- Detect XSS exploitation attempt: POST to /command endpoint with multipart form-data containing an XSS payload in the 'command' field, with response body echoing the payload and Content-Type text/plain.
- Monitor for POST requests to /auth followed by GET / to extract a shell address token (href='/shell?address=...'), then POST to /command; this three-step flow is the exploit chain.
- The XSS vulnerability is triggered in the sendCommandHandler function in handler.go when a logged-in user executes a command on an agent and the returned value contains an XSS payload.
- Attackers may supply a JWT token from a CHAOS agent to emulate a compromised host; monitor for JWT-authenticated requests to /command that return XSS payloads.
- The exploit chain can also pivot to RCE via the 'generate new executable' feature; monitor for authenticated POST requests to the binary generation endpoint following XSS exploitation.
- Multipart boundary value '---------------------------7531776718188184812862255877' is used in the authentication POST; its presence in traffic may indicate exploit tooling (e.g., Nuclei template).
- Multipart boundary value '---------------------------424661958414611637671358243344' is used in the /command POST; its presence in traffic may indicate exploit tooling.
- The Nuclei template is marked 'intrusive' and requires valid credentials (username/password) to authenticate before triggering the XSS; unauthenticated detection is not possible with this method.
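To show how the request flow and the tooling markers listed in these notes could be checked against request telemetry, here is an added Python example (not code from the page's sources or from the CHAOS project). The event field names, the 300-second window and the markup regex are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Multipart boundary strings quoted in the detection notes above (from public exploit tooling).
KNOWN_BOUNDARIES = {
    "---------------------------7531776718188184812862255877",
    "---------------------------424661958414611637671358243344",
}
# Conservative markup check for the 'command' field; the pattern is an assumption, tune it locally.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:", re.I)

def boundary_of(content_type):
    """Return the multipart boundary from a Content-Type header value, or None."""
    m = re.search(r"boundary=([^;\s]+)", content_type or "")
    return m.group(1) if m else None

def analyze(events, window=300):
    """Return (src, reason) findings; events are dicts with ts, src, method, path,
    content_type and (for POST /command) the decoded 'command' field (assumed names)."""
    findings, seen = [], defaultdict(dict)  # seen: src -> {"auth": ts, "index": ts}
    for e in sorted(events, key=lambda x: x["ts"]):
        src, method, path = e["src"], e["method"], e["path"]
        if boundary_of(e.get("content_type")) in KNOWN_BOUNDARIES:
            findings.append((src, f"known exploit-tooling boundary on {method} {path}"))
        if method == "POST" and path == "/auth":
            seen[src] = {"auth": e["ts"]}            # start a fresh chain for this client
        elif method == "GET" and path == "/" and "auth" in seen[src]:
            seen[src]["index"] = e["ts"]             # index page fetched after login
        elif method == "POST" and path == "/command":
            if MARKUP_RE.search(e.get("command", "")):
                findings.append((src, "markup in 'command' field of POST /command"))
            s = seen[src]
            if "index" in s and e["ts"] - s["auth"] <= window:
                findings.append((src, "auth -> index -> command chain within window"))
    return findings

# Constructed sample traffic: one suspicious client, one ordinary operator.
SAMPLE_EVENTS = [
    {"ts": 100, "src": "10.0.0.5", "method": "POST", "path": "/auth",
     "content_type": "multipart/form-data; boundary=---------------------------7531776718188184812862255877"},
    {"ts": 101, "src": "10.0.0.5", "method": "GET", "path": "/"},
    {"ts": 103, "src": "10.0.0.5", "method": "POST", "path": "/command",
     "content_type": "multipart/form-data; boundary=---------------------------424661958414611637671358243344",
     "command": "<b>whoami</b>"},
    {"ts": 900, "src": "10.0.0.9", "method": "POST", "path": "/command",
     "content_type": "multipart/form-data; boundary=----WebKitFormBoundaryConstructed", "command": "whoami"},
]
```

The three-step flow alone also matches an ordinary operator logging in and running a command, so treat a chain match as low-fidelity corroboration for the boundary and markup findings rather than an alert on its own.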
CVSS provenance
- NVD: v3.1, 4.8 MEDIUM, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
- VulnCheck: 4.8 MEDIUM
OSV: Cross site scripting in github.com/tiagorlampert/CHAOS (osv · 2024-05-09 · CVE-2024-31839)
A malicious actor may be able to extract a JWT token via malicious "/command" request. This is a form of cross site scripting (XSS).
GHSA: tiagorlampert CHAOS vulnerable to Cross Site Scripting (ghsa · 2024-04-12 · CVE-2024-31839 · MEDIUM · CWE-79)
Cross Site Scripting vulnerability in tiagorlampert CHAOS v.5.0.1 allows a remote attacker to escalate privileges via the sendCommandHandler function in the handler.go component.
OSV: tiagorlampert CHAOS vulnerable to Cross Site Scripting (osv · 2024-04-12 · CVE-2024-31839 · MEDIUM)
Cross Site Scripting vulnerability in tiagorlampert CHAOS v.5.0.1 allows a remote attacker to escalate privileges via the sendCommandHandler function in the handler.go component.
VulnCheck: tiagorlampert chaos Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (vulncheck · 2024 · CVSS 4.8 · CVE-2024-31839 · MEDIUM)
Cross Site Scripting vulnerability in tiagorlampert CHAOS v.5.0.1 allows a remote attacker to escalate privileges via the sendCommandHandler function in the handler.go component.
Affected: tiagorlampert chaos
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://www.acronis.com/en-us/cyber-protection-center/posts/from-open-source-to-open-threat-tracking-chaos-rats-evolution/
- https://securelist.com/vulnerabilities-and-exploits-in-q2-2025/117333/
No detection rules found.
Nuclei: CHAOS 5.0.1 'sendCommandHandler' - Cross-Site Scripting (nuclei · CVSS 4.8 · CVE-2024-31839 · MEDIUM)
Cross Site Scripting vulnerability in tiagorlampert CHAOS v.5.0.1 allows a remote attacker to escalate privileges via the sendCommandHandler function in the handler.go component.
Template:
    id: CVE-2024-31839
    info:
      name: CHAOS 5.0.1 'sendCommandHandler' - Cross-Site Scripting
      author: riteshs4hu
      severity: medium
      description: |
        Cross Site Scripting vulnerability in tiagorlampert CHAOS v.5.0.1 allows a remote attacker to escalate privileges via the sendCommandHandler function in the handler.go component.
      impact: |
        Attackers can inject malicious scripts that execute in users' browsers, potentially escalating privileges and compromising user sessions.
      remediation: |
        Update CHAOS to a version that patches the XSS vulnerability in the sen
Metasploit: Chaos RAT XSS to RCE (metasploit)
CHAOS v5.0.8 is a free and open-source Remote Administration Tool that allows generated binaries to control remote operating systems. The webapp contains a remote command execution vulnerability which can be triggered by an authenticated user when generating a new executable. The webapp also contains an XSS vulnerability within the view of a returned command being executed on an agent. Execution can happen through one of three routes:
1. Provided credentials can be used to execute the RCE directly.
2. A JWT token from an agent can be provided to emulate a compromised host. If a logged in user attempts to execute a command on the host the returned value contains an xss payload.
3. Similar to technique 2, an agent executable can be provided and the JWT token can be extra
Securelist: Exploits and vulnerabilities in Q2 2025 (blogs_securelist · 2025-08-27 · CVSS 8.2 · CVE-2025-32433 [HIGH])
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
  - Windows and Linux vulnerability exploitation
  - Most common published exploits
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Interesting vulnerabilities
  - CVE-2025-32433: vulnerability in the SSH server, part of the Erlang/OTP framework
  - CVE-2025-6218: directory traversal vulnerability in WinRAR
  - CVE-2025-3052: insecure data access vulnerability in NVRAM, allowing bypass of UEFI signature checks
  - CVE-2025-49113: insecure deserialization vulnerability in Roundcube Webmail
  - CVE-2025-1533: stack overflow vulnerability in the AsIO3.sys driver
- Conclusion and advice
Authors: Alexander Kolesnikov
Vulnerability registrations in Q2 2025 proved to be quite dynamic. Vulnerabilities that were published i
Securelist: Vulnerability landscape analysis for Q2 2025 (blogs_securelist · 2025-08-27)
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Interesting vulnerabilities
- Conclusion and advice
Authors: Alexander Kolesnikov
Vulnerability registrations in Q2 2025 proved to be quite dynamic. Vulnerabilities that were published impact the security of nearly every computer subsystem: UEFI, drivers, operating systems, browsers, as well as user and web applications. Based on our analysis, threat actors continue to leverage vulnerabilities in real-world attacks as a means of gaining access to user systems, just like in previous periods.
This report also describes known vulnerabilities used with popular C2 frameworks during the first half of 2025.
## Statistics on registered vulnera