From 26d1adc695fb93d914a04949b50e6dcda301b763 Mon Sep 17 00:00:00 2001
From: Adnan Jakati
Date: Sun, 29 Dec 2024 13:15:40 +0530
Subject: [PATCH 1/2] Add template CVE-2024-56145
---
 http/cves/2024/CVE-2024-56145.yaml | 57 ++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 http/cves/2024/CVE-2024-56145.yaml
diff --git a/http/cves/2024/CVE-2024-56145.yaml b/http/cves/2024/CVE-2024-56145.yaml
new file mode 100644
index 000000000000..705f72ea2e94
--- /dev/null
+++ b/http/cves/2024/CVE-2024-56145.yaml
@@ -0,0 +1,57 @@
+id: CVE-2024-56145
+
+info:
+ name: Remote Code Execution in Craft CMS via Template Path Manipulation
+ author: jackhax
+ severity: critical
+ description: |
+ This template identifies a critical Remote Code Execution (RCE) vulnerability in Craft CMS, identified as GHSA-2p6p-9rc9-62j9.
+ The vulnerability exists due to improper handling of the `--templatesPath` query parameter, allowing attackers to execute arbitrary code by referencing malicious Twig templates.
+ impact: |
+ Successful exploitation of this vulnerability could allow an unauthenticated attacker to perform remote code execution.
+ remediation: |
+ Upgrade CraftCMD to either >5.5.2 or >4.13.2 or >3.9.14. Or If you can't upgrade yet, and register_argc_argv is enabled, you can disable it to mitigate the issue.
+ reference:
+ - https://github.com/advisories/GHSA-2p6p-9rc9-62j9
+ - https://www.assetnote.io/resources/research/how-an-obscure-php-footgun-led-to-rce-in-craft-cms
+ - https://github.com/Chocapikk/CVE-2024-56145
+ classification:
+ cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
+ cvss-score: 9.3
+ cve-id: CVE-2024-56145
+ cwe-id: CWE-94
+ cpe: cpe:2.3:a:craftcms:craft:*:*:*:*:*:*:*:*
+ metadata:
+ verified: true
+ max-request: 1
+ vendor: craftcms
+ product: cms
+ tags: rce, craftcms, template-injection, cve2024, critical
+
+variables:
+ nonce: "{{rand_int(1000000000,9999999999)}}"
+
+requests:
+ - raw:
+ - |
+ GET ?--configPath=/nuclei_test/{{nonce}} HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: nuclei-scanner
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '{{nonce}}'
+ - 'mkdir()'
+ - 'Permission denied'
+
+ - type: status
+ status:
+ - 503
+
+ - type: status
+ status:
+ - 200
+ negative: true
\ No newline at end of file
From 3d3afc8f139d25ebaee37b70b98f4691e6ad91e8 Mon Sep 17 00:00:00 2001
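Review bot: The request line `GET ?--configPath=/nuclei_test/{{nonce}} HTTP/1.1` carries a request-target with no leading `/`; an origin-form target must begin with `/`, so unless nuclei's raw client normalises it, a front-end that validates the request line will answer 400 and the 503 matcher never fires — `GET /?--configPath=/nuclei_test/{{nonce}} HTTP/1.1` removes the doubt. The description attributes the bug to the `--templatesPath` query parameter while the probe exercises `--configPath`; name the option the template actually sends, or say that both reach the same `register_argc_argv`-fed option parser, so a reader knows what a hit means. The matchers presume the target attempts a `mkdir()` on the supplied path, so a short comment above the request should warn that on a host whose PHP worker can write to `/` (a root container, say) the call may succeed, leave `/nuclei_test/<nonce>` behind and return no error page to match — a side effect and a false negative worth knowing about.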
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Sun, 29 Dec 2024 20:15:54 +0530
Subject: [PATCH 2/2] minor improvement
---
 http/cves/2024/CVE-2024-56145.yaml | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)
diff --git a/http/cves/2024/CVE-2024-56145.yaml b/http/cves/2024/CVE-2024-56145.yaml
index 705f72ea2e94..d7db2c016803 100644
--- a/http/cves/2024/CVE-2024-56145.yaml
+++ b/http/cves/2024/CVE-2024-56145.yaml
@@ -1,7 +1,7 @@
 id: CVE-2024-56145
 info:
- name: Remote Code Execution in Craft CMS via Template Path Manipulation
+ name: Craft CMS - Remote Code Execution via Template Path Manipulation
 author: jackhax
 severity: critical
 description: |
@@ -10,33 +10,43 @@ info:
 impact: |
 Successful exploitation of this vulnerability could allow an unauthenticated attacker to perform remote code execution.
 remediation: |
- Upgrade CraftCMD to either >5.5.2 or >4.13.2 or >3.9.14. Or If you can't upgrade yet, and register_argc_argv is enabled, you can disable it to mitigate the issue.
+ Upgrade CraftCMS to either >5.5.2 or >4.13.2 or >3.9.14. Or If you can't upgrade yet, and register_argc_argv is enabled, you can disable it to mitigate the issue.
 reference:
 - https://github.com/advisories/GHSA-2p6p-9rc9-62j9
 - https://www.assetnote.io/resources/research/how-an-obscure-php-footgun-led-to-rce-in-craft-cms
 - https://github.com/Chocapikk/CVE-2024-56145
+ - https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3
+ - https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9
 classification:
 cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
 cvss-score: 9.3
 cve-id: CVE-2024-56145
 cwe-id: CWE-94
+ epss-score: 0.00043
+ epss-percentile: 0.10941
 cpe: cpe:2.3:a:craftcms:craft:*:*:*:*:*:*:*:*
 metadata:
 verified: true
 max-request: 1
 vendor: craftcms
 product: cms
- tags: rce, craftcms, template-injection, cve2024, critical
+ shodan-query:
+ - http.html:"craftcms"
+ - http.favicon.hash:"-47932290"
+ fofa-query:
+ - icon_hash=-47932290
+ - body=craftcms
+ publicwww-query: craftcms
+ tags: cve,cve2024,rce,craftcms,ssti
 variables:
 nonce: "{{rand_int(1000000000,9999999999)}}"
-requests:
+http:
 - raw:
 - |
 GET ?--configPath=/nuclei_test/{{nonce}} HTTP/1.1
 Host: {{Hostname}}
- User-Agent: nuclei-scanner
 matchers-condition: and
 matchers:
@@ -46,12 +56,9 @@ requests:
 - '{{nonce}}'
 - 'mkdir()'
 - 'Permission denied'
+ - 'No such file or directory'
+ condition: and
 - type: status
 status:
- - 503
-
- - type: status
- status:
- - 200
- negative: true
\ No newline at end of file
+ - 503
\ No newline at end of file
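Review bot: The rewritten remediation line keeps `>5.5.2 or >4.13.2 or >3.9.14`, which reads as excluding the very releases that carry the fix; if 5.5.2, 4.13.2 and 3.9.14 are the patched versions, as the linked GHSA is understood to state, the text should be `Upgrade Craft CMS to 5.5.2, 4.13.2 or 3.9.14 or later.` with `Or If` becoming `or, if`. Since disabling `register_argc_argv` is the only stop-gap offered, it is worth saying where it has to be set — I believe the directive is `PHP_INI_PERDIR`, so it belongs in php.ini or a per-directory config rather than a runtime `ini_set()` — so the mitigation is applied where it takes effect. The `metadata` block this hunk extends still says `product: cms` beside `cpe: cpe:2.3:a:craftcms:craft:...`, two different product names for one product; check the NVD dictionary entry and align them.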
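Review bot: With `condition: and` now applied to the whole word list, a hit requires the body to contain both `Permission denied` and `No such file or directory`, but one failed `mkdir()` reports a single errno text, so unless the Craft error page is known to print both for this probe the matcher will miss vulnerable hosts. Split the list so the nonce and `mkdir()` are required together while the two errno strings remain an `or` group, as below; the existing `matchers-condition: and` already ties the groups to the 503 status. The `matchers:` list this hunk edits begins before the hunk.

```yaml
      - type: word
        part: body
        words:
          - '{{nonce}}'
          - 'mkdir()'
        condition: and

      # one errno text per failed mkdir(): either string is a hit
      - type: word
        part: body
        words:
          - 'Permission denied'
          - 'No such file or directory'

      # … unchanged: status 503 matcher …
```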