01 PVE XSS RCE masked

By executing malicious JavaScript code, an attacker can access every function of the Proxmox VE web interface. One of those functions is executing shell commands. This video demonstrates a possible attack scenario: the victim logs in to the PVE web UI and then visits a link, after which a reverse shell from the PVE host is spawned on the attacker's machine.