CVE-2017-7178
HIGH
Deluge < 1.3.14 - Cross-Site Request Forgery via Crafted Plugin Installation
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2017-7178. PoCs published by Kyle Neideck.
AI-analyzed exploit summary: This exploit leverages a CSRF vulnerability in Deluge 1.3.13's Web UI to execute arbitrary code by tricking a logged-in user into downloading and enabling a malicious plugin via a crafted Magnet link.
Description
CSRF was discovered in the web UI in Deluge before 1.3.14. The exploitation methodology involves (1) hosting a crafted plugin that executes an arbitrary program from its __init__.py file and (2) causing the victim to download, install, and enable this plugin.
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H