nuclei-templates/vulnerabilities/other/ueditor-file-upload.yaml

id: ueditor-file-upload

info:
  name: UEditor - Arbitrary File Upload
  author: princechaddha
  severity: high
  description: UEditor contains an arbitrary file upload vulnerability. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code, As a result, an attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
  reference:
    - https://zhuanlan.zhihu.com/p/85265552
    - https://www.freebuf.com/vuls/181814.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cwe-id: CWE-434
  tags: ueditor,fileupload

requests:
  - method: GET
    path:
      - "{{BaseURL}}/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "没有指定抓取源"
        part: body

# Enhanced by md on 2022/10/31
Create ueditor-file-upload.yaml 2021-04-23 12:15:09 +00:00			`id: ueditor-file-upload`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00
Create ueditor-file-upload.yaml 2021-04-23 12:15:09 +00:00			`info:`
fix-conflict 2022-10-25 13:40:49 +00:00			`name: UEditor - Arbitrary File Upload`
Create ueditor-file-upload.yaml 2021-04-23 12:15:09 +00:00			`author: princechaddha`
			`severity: high`
fix-conflict 2022-10-25 13:40:49 +00:00			`description: UEditor contains an arbitrary file upload vulnerability. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code, As a result, an attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Create ueditor-file-upload.yaml 2021-04-23 12:15:09 +00:00			`- https://zhuanlan.zhihu.com/p/85265552`
			`- https://www.freebuf.com/vuls/181814.html`
Dashboard Content Enhancements (#5943) Dashboard Content Enhancements 2022-11-08 20:55:31 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 8.8`
			`cwe-id: CWE-434`
Create ueditor-file-upload.yaml 2021-04-23 12:15:09 +00:00			`tags: ueditor,fileupload`

			`requests:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"`
			`matchers-condition: and`
			`matchers:`
			`- type: status`
			`status:`
			`- 200`
			`- type: word`
			`words:`
			`- "没有指定抓取源"`
			`part: body`
fix-conflict 2022-10-25 13:40:49 +00:00
Dashboard Content Enhancements (#5943) Dashboard Content Enhancements 2022-11-08 20:55:31 +00:00			`# Enhanced by md on 2022/10/31`