Vendor: 7 Sticky Notes
By: Ahmet Ümit BAYRAM
CVSS: 7.1 (HIGH)
CWE: 78 (OS Command Injection)
Product Name: 7 Sticky Notes
Affected Version From: 1.9
Affected Version To: 1.9
Patch Exists: NO
Related CWE: CVE-2023-XXXX (example)
CPE: a:7_sticky_notes_project:7_sticky_notes:1.9
Metasploit:
Other Scripts:
Platforms Tested: Windows
2023

7 Sticky Notes v1.9 – OS Command Injection

7 Sticky Notes v1.9 allows OS command injection via the 'Alarms' feature. By setting an alarm with a malicious command in the 'Action' field, an attacker can execute arbitrary commands on the underlying operating system.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user inputs and validate commands before executing them within the application.
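One way to apply this mitigation to an alarm "Action" string, shown as an added example that is not code from 7 Sticky Notes or from the original advisory. The allowlist contents, the paths in it, and the names `validate_alarm_action` and `RejectedAction` are assumptions made for illustration.

```python
import ntpath
import shlex

# Assumption: the only programs an alarm may launch, keyed by lowercase name.
ALLOWED_PROGRAMS = {
    "notepad.exe": r"C:\Windows\System32\notepad.exe",
    "calc.exe": r"C:\Windows\System32\calc.exe",
}
# Characters cmd.exe treats as operators, redirection, grouping or expansion.
SHELL_METACHARS = set("&|<>^%!`$;()\r\n")


class RejectedAction(ValueError):
    """Raised when an alarm action fails validation."""


def validate_alarm_action(action: str) -> list[str]:
    """Return an argv list intended for subprocess.run(argv, shell=False)."""
    if not action or not action.strip():
        raise RejectedAction("empty action")
    bad = SHELL_METACHARS.intersection(action)
    if bad:
        raise RejectedAction(f"shell metacharacters: {sorted(bad)}")
    try:
        # posix=False keeps backslashes in Windows paths intact.
        argv = shlex.split(action, posix=False)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise RejectedAction(str(exc)) from exc
    program = argv[0].strip('"')
    # Accept only a bare executable name; a path could point anywhere.
    if ntpath.basename(program) != program:
        raise RejectedAction("path in program name")
    resolved = ALLOWED_PROGRAMS.get(program.lower())
    if resolved is None:
        raise RejectedAction(f"program not allowlisted: {program}")
    # Non-POSIX shlex keeps surrounding quotes on tokens, so strip them here.
    return [resolved] + [arg.strip('"') for arg in argv[1:]]
```

The returned list is meant to be executed without a shell, so the metacharacter check is defense in depth rather than the only control.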

Exploit-DB raw data:

# Exploit Title: 7 Sticky Notes v1.9 - OS Command Injection
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 12.09.2023
# Vendor Homepage: http://www.7stickynotes.com
# Software Link: http://www.7stickynotes.com/download/Setup7StickyNotesv19.exe
# Tested Version: 1.9 (latest)
# Tested on: Windows 2019 Server 64bit

# # #  Steps to Reproduce # # #

# Open the program.
# Click on "New Note".
# Navigate to the "Alarms" tab.
# Click on either of the two buttons.
# From the "For" field, select "1" and "seconds" (to obtain the shell within 1 second).
# From the "Action" dropdown, select "command".
# In the activated box, enter the reverse shell command and click the "Set" button to set the alarm.
# Finally, click on the checkmark to save the alarm.
# Reverse shell obtained!