.. / CVE-2020-26258

Exploit for XStream <1.4.15 - Server-Side Request Forgery (CVE-2020-26258)

Description:

XStream before 1.4.15 is susceptible to server-side request forgery. An attacker can request data from internal resources that are not publicly available by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.

Nuclei Template

View the template here CVE-2020-26258.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2020/CVE-2020-26258.yaml

References:

https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28
https://nvd.nist.gov/vuln/detail/CVE-2020-26258
https://x-stream.github.io/CVE-2020-26258.html
https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26258

.. / CVE-2020-26258 if(localStorage["style"]=="true"){ document.getElementById('pagestyle').setAttribute('href','/assets/styleDark.css'); document.querySelector('input[type="checkbox"]').checked = true }

Exploit for XStream <1.4.15 - Server-Side Request Forgery (CVE-2020-26258)

Description:

Nuclei Template

Validate with Nuclei

.. / CVE-2020-26258