# CVE-2024-34241: A Step-by-Step Discovery Guide

It was late at night, and I was starting to burn out from hunting bugs in a few bug bounty programs I am active on. I still had that hacker itch I wanted to scratch, so I decided to look at a few web applications to see if I could find any easy "0days" to add a few more web-based CVEs to my resume.

My requirements are quite simple. To warm up, I usually look for PHP applications that are actively maintained, have a decent sales volume or user base, and are ideally open-source so I can access the source code. Additionally, I prefer applications with a low number of previous CVEs reported on older versions. I decided to check out the PHP applications sold on [https://codecanyon.net/](https://codecanyon.net/), a marketplace for developers selling various applications, plugins, and more.

I decided to search for popular PHP scripts because higher sales numbers usually indicate a decent user base. I found that [Rocket LMS](https://lms.rocket-soft.org/), a learning management system, had over 2,700 sales and 5-star reviews. I felt this would be an ideal target.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715916749968/5c919759-f067-4d9e-9754-7e463607341e.jpeg align="center")

I decided to use the "instructor" user account, assuming it would offer additional functionality to explore. When I landed on the dashboard, I started testing the input fields with some simple payloads, and the application seemed to sanitize the user input very well. Eventually, I navigated to the Courses section, which allows me to create and edit new courses for my students. What intrigued me about this functionality was the use of a WYSIWYG editor in the Description section. Further research confirmed that the WYSIWYG editor implemented by RocketSoft is [Summernote version 0.8.18](https://summernote.org).

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715917342669/8e1eeb1b-68a5-4302-b3d2-f39eeebff698.png align="center")

Given the history of various WYSIWYG editors suffering from consistent reflected cross-site scripting and stored cross-site scripting vulnerabilities, I felt this was a good opportunity to see what I could find. I decided to input a simple XSS payload and saved the record, but the payload did not execute and appeared to be properly sanitized.

Next, I saved the course record with random text in the Description section and intercepted the POST request using BurpSuite. I then modified the **description** parameter with my XSS payload and forwarded the request:

```javascript
<details/open/ontoggle=prompt(origin)>
```

I then navigated back to the course record and saw that the application had stored and executed our malicious payload. This immediately prompted the origin, confirming that we had DOM access. I realized that this simple "bypass" indicated a systemic issue throughout the entire application where the Summernote WYSIWYG editor is used.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715917772152/218a11c5-7fa3-4987-b927-18612670027e.png align="center")

I sat there and asked myself if this had already been reported. A quick Google search showed it hadn't been. I guess it was my lucky day; I found a new CVE in 10 minutes.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715918176154/61718af7-afa2-4503-a347-c9412b98c4bb.jpeg align="center")

I will end this write-up as I always do. You don't need to be a super hacker to find CVEs or bugs on bug bounty platforms. As long as you consistently practice exploiting different vulnerabilities, you'll train yourself to see things from a hacker's perspective. In my opinion, passion for hacking and thinking like a hacker are the key traits that separate the good from the great in this industry.

Until next time my fellow nerds,  
@[Sergio Medeiros](@grumpz)
