PortSwigger / BChecks

BChecks collection for Burp Suite Professional and Burp Suite Enterprise Edition
https://portswigger.net/burp/documentation/scanner/bchecks
GNU Lesser General Public License v3.0

BCheck: CVE-2021-20323 is not detecting fixed versions #208

Open GanbaruTobi opened 4 months ago

GanbaruTobi commented 4 months ago

Current behavior

The check says that Keycloak is vulnerable.

Expected behavior

No warning for fixed versions

Motivation for change

It's not working as expected

Environment details

Additional details

The response contains an escaped XSS payload instead of an unescaped one: ...Unrecognized field \"<img src=x onerror=\"alert('Bo0oq')\"/>\ ...

But it would need to look like it does here: https://medium.com/@raia39499/how-i-exploit-cve-2021-20323-33d2f8d6826c
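The false positive reported above, as an added example that is not part of the issue or of the BCheck itself: a matcher that reports only when the payload comes back verbatim, and classifies JSON- or HTML-escaped reflections as neutralised. The function names, the loose marker match and the sample response bodies are assumptions constructed for illustration; they are not captured Keycloak output and not the BCheck's actual condition.

```python
import html
import json

# Payload string quoted in the issue report.
PAYLOAD = "<img src=x onerror=\"alert('Bo0oq')\"/>"

def encoded_forms(payload):
    """Neutralised renderings of the payload that must not raise a finding."""
    return {
        "json-escaped": json.dumps(payload)[1:-1],          # " becomes \"
        "html-escaped": html.escape(payload, quote=True),   # < becomes &lt;
    }

def loose_match(body):
    """Hypothetical weak condition: fires on the marker alone, escaped or not."""
    return "Bo0oq" in body

def classify_reflection(body, payload=PAYLOAD):
    """Return 'unescaped', 'json-escaped', 'html-escaped' or 'absent'."""
    if payload in body:
        # The payload survived byte for byte, so markup reaches the client intact.
        return "unescaped"
    for name, form in encoded_forms(payload).items():
        if form in body:
            return name
    return "absent"

def should_report(body):
    """Strict condition: only a verbatim reflection counts as a finding."""
    return classify_reflection(body) == "unescaped"

# Constructed sample bodies (assumed shapes, built from the error text in the issue).
MESSAGE = f'Unrecognized field "{PAYLOAD}"'
RAW_BODY = MESSAGE                          # payload reflected as-is
FIXED_BODY = json.dumps({"error": MESSAGE})  # quotes escaped, as the reporter saw
HTML_BODY = html.escape(MESSAGE)             # entity-encoded variant

if __name__ == "__main__":
    for label, body in [("raw", RAW_BODY), ("fixed", FIXED_BODY), ("html", HTML_BODY)]:
        print(label, loose_match(body), classify_reflection(body), should_report(body))
```
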

Hannah-PortSwigger commented 4 months ago

Hi

Just to check, is the issue related to this BCheck: https://github.com/PortSwigger/BChecks/blob/main/vulnerabilities-CVEd/CVE-2021-20323%20keycloak%20xss.bcheck

If you have any improvements to make, we'd love to see a pull request!