
Information about new CVE-2018-13065 (Author: Adipta Basu) #1829

Closed
@theMiddleBlue

Hi,

just to inform you that yesterday (3rd July 2018) a presumptive vulnerability in "ModSecurity 3.0.0" (?!) was published. The author writes that, using the following two payloads inside an argument in the request query string, he was able to elude XSS filters: `<img src=x onError=prompt(3)>` and `<img src=x onError=prompt(document.cookie)>`.

First: the author of the CVE has not included information about the ruleset that he used during his test.

Second: if he used the CRS3, obviously both payloads are detected by the rule 941100 (XSS Attack Detected via libinjection) with a Paranoia Level set to 1.

I've written to cve.mitre.org including all this information and asking to tag this CVE as DISPUTED until the author gives more information (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13065). Based on what he has written on exploit-db (https://www.exploit-db.com/exploits/44970/) it seems that he hasn't used any ruleset... otherwise he needs to specify it. Anyway, IMHO, the CVE description is wrong because it identifies libModSecurity as vulnerable instead of a rule or a ruleset.

What do you think?
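The distinction the report draws between the engine and a ruleset, shown as a ModSecurity configuration sketch. This is an added example, not part of the original post or the project's own configuration: the rule id 1000, its message text and the `/path/to/crs/` paths are constructed placeholders, and the single rule in case B is not the text of CRS rule 941100, it only uses the same `@detectXSS` (libinjection) operator.

```apache
# --- Case A: engine enabled, no rules loaded ---------------------------
# libModSecurity parses the request but has nothing to evaluate it
# against, so any query-string argument passes, including the two
# <img ... onError=...> payloads quoted in the report.
SecRuleEngine On

# --- Case B: same engine plus one libinjection-based XSS rule ----------
# Constructed rule: inspects every request argument with @detectXSS
# after URL and HTML-entity decoding, and blocks on a match.
SecRuleEngine On
SecRule ARGS "@detectXSS" \
    "id:1000,\
    phase:2,\
    deny,\
    status:403,\
    log,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,\
    msg:'XSS detected via libinjection (constructed example rule)'"

# --- Case C: same engine with the OWASP CRS 3 loaded -------------------
# Placeholder paths; adjust to where the CRS is installed.
# crs-setup.conf leaves the paranoia level at its default of 1, the
# level at which the report says rule 941100 detects both payloads.
SecRuleEngine On
Include /path/to/crs/crs-setup.conf
Include /path/to/crs/rules/*.conf
```

When reproducing a reported bypass, recording which of these cases the test ran under (and the CRS version and paranoia level in case C) is what makes the result attributable to the engine or to a rule.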
