Kentico - Installer Privilege Escalation
ID: CVE-2017-17736
Severity: critical
Author: shiar
Tags: cve2017,cve,kentico,cms,install,unauth,edb
Description
Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 are susceptible to a privilege escalation attack. An attacker can obtain Global Administrator access by visiting CMSInstall/install.aspx and then navigating to the CMS Administration Dashboard.
YAML Source
id: CVE-2017-17736

info:
  name: Kentico - Installer Privilege Escalation
  author: shiar
  severity: critical
  description: |
    Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 are susceptible to a privilege escalation attack. An attacker can obtain Global Administrator access by visiting CMSInstall/install.aspx and then navigating to the CMS Administration Dashboard.
  impact: |
    An attacker can gain administrative privileges on the Kentico CMS system.
  remediation: |
    Upgrade to the latest version of Kentico CMS to fix the privilege escalation vulnerability.
  reference:
    - https://www.exploit-db.com/ghdb/5694
    - https://nvd.nist.gov/vuln/detail/CVE-2017-17736
    - https://blog.hivint.com/advisory-access-control-bypass-in-kentico-cms-cve-2017-17736-49e1e43ae55b
    - https://github.com/0xSojalSec/Nuclei-TemplatesNuclei-Templates-CVE-2017-17736
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-17736
    cwe-id: CWE-425
    epss-score: 0.1483
    epss-percentile: 0.95656
    cpe: cpe:2.3:a:kentico:kentico_cms:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: kentico
    product: kentico_cms
    shodan-query:
      - cpe:"cpe:2.3:a:kentico:kentico_cms"
      - http.title:"kentico database setup"
    fofa-query: title="kentico database setup"
    google-query: intitle:"kentico database setup"
  tags: cve2017,cve,kentico,cms,install,unauth,edb

http:
  - method: GET
    path:
      - "{{BaseURL}}/CMSInstall/install.aspx"

    matchers-condition: or
    matchers:
      - type: word
        words:
          - "Kentico"
          - "Database Setup"
          - "SQLServer"
        condition: and

      - type: word
        words:
          - "Database Setup"
          - "SQLServer"
        condition: and
# digest: 4b0a004830460221008c9a2e76d3f24296ea68d1e687fbe44c21be1387b47db9e5a97630fcfbd2507f022100d25174644bde6e3c18ff23c09db6003aa0849df401c30c1d4080e89fbea2da13:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2017/CVE-2017-17736.yaml"
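
Alongside the scan, web server logs can be reviewed for past requests to the installer page named in the description. The following is an added example, not part of the template or of the Nuclei project; it assumes IIS logs in W3C extended format, the function names are hypothetical, and the sample log lines are constructed.

```python
from collections import defaultdict

INSTALLER_PATH = "/cmsinstall/install.aspx"  # path from the template; compared case-insensitively

# Constructed sample log (assumed IIS W3C extended format, documentation-range addresses).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-10 09:14:02 GET /CMSInstall/install.aspx - 198.51.100.7 200
2024-01-10 09:20:41 GET /cmsinstall/INSTALL.ASPX - 203.0.113.20 404
2024-01-10 09:40:12 GET /default.aspx - 198.51.100.7 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-11 02:03:04 192.0.2.15 GET /CMSInstall/Install.aspx 200
"""

def find_installer_hits(log_text):
    """Return {client_ip: [(timestamp, status), ...]} for requests to the installer page."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is configurable, so re-read it each time
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed rows
        row = dict(zip(fields, values))
        if row.get("cs-uri-stem", "").lower() != INSTALLER_PATH:
            continue
        status = row.get("sc-status", "")
        hits[row.get("c-ip", "?")].append(
            (f"{row.get('date', '')} {row.get('time', '')}", int(status) if status.isdigit() else 0))
    return dict(hits)

def served_installer(hits):
    """Client IPs that received a 2xx, meaning the installer page was actually served."""
    return sorted(ip for ip, reqs in hits.items() if any(200 <= s < 300 for _, s in reqs))

if __name__ == "__main__":
    for ip in served_installer(find_installer_hits(SAMPLE_LOG)):
        print("installer page served to", ip)
```

A 2xx result only shows that the page was reachable at that time; the Kentico version in use still has to be checked against the fixed releases listed in the description.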