CVE-2023-36474 - Vulnerability Details - OpenCVE

Interactsh is an open-source tool for detecting out-of-band interactions. Domains configured with interactsh server prior to version 1.0.0 were vulnerable to subdomain takeover for a specific subdomain, i.e `app.` Interactsh server used to create cname entries for `app` pointing to `projectdiscovery.github.io` as default, which intended to used for hosting interactsh web client using GitHub pages. This is a security issue with a self-hosted interactsh server in which the user may not have configured a web client but still have a CNAME entry pointing to GitHub pages, making them vulnerable to subdomain takeover. This allows a threat actor to host / run arbitrary client side code (cross-site scripting) in a user's browser when browsing the vulnerable subdomain. Version 1.0.0 fixes this issue by making CNAME optional, rather than default.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Projectdiscovery	Interactsh

Configuration 1 [-]

cpe:2.3:a:projectdiscovery:interactsh:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/projectdiscovery/interactsh/issues/136
https://github.com/projectdiscovery/interactsh/pull/155
https://github.com/projectdiscovery/interactsh/security/advisories/GHSA-m36x-mgfh-8g78
https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/

History

Wed, 06 Nov 2024 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-06-28T21:20:22.455Z

Updated: 2024-11-06T17:16:00.767Z

Reserved: 2023-06-21T18:50:41.703Z

Link: CVE-2023-36474

Vulnrichment

Updated: 2024-08-02T16:45:57.107Z

NVD

Status : Modified

Published: 2023-06-28T22:15:09.503

Modified: 2024-11-21T08:09:47.257

Link: CVE-2023-36474

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-36474", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-06-21T18:50:41.703Z", "datePublished": "2023-06-28T21:20:22.455Z", "dateUpdated": "2024-11-06T17:16:00.767Z"}, "containers": {"cna": {"title": "Interactsh server settings make users vulnerable to Subdomain Takeover", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/projectdiscovery/interactsh/security/advisories/GHSA-m36x-mgfh-8g78", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/projectdiscovery/interactsh/security/advisories/GHSA-m36x-mgfh-8g78"}, {"name": "https://github.com/projectdiscovery/interactsh/issues/136", "tags": ["x_refsource_MISC"], "url": "https://github.com/projectdiscovery/interactsh/issues/136"}, {"name": "https://github.com/projectdiscovery/interactsh/pull/155", "tags": ["x_refsource_MISC"], "url": "https://github.com/projectdiscovery/interactsh/pull/155"}, {"name": "https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/", "tags": ["x_refsource_MISC"], "url": "https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/"}], "affected": [{"vendor": "projectdiscovery", "product": "interactsh", "versions": [{"version": "< 1.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-06-28T21:20:22.455Z"}, "descriptions": [{"lang": "en", "value": "Interactsh is an open-source tool for detecting out-of-band interactions. Domains configured with interactsh server prior to version 1.0.0 were vulnerable to subdomain takeover for a specific subdomain, i.e `app.` Interactsh server used to create cname entries for `app` pointing to `projectdiscovery.github.io` as default, which intended to used for hosting interactsh web client using GitHub pages. This is a security issue with a self-hosted interactsh server in which the user may not have configured a web client but still have a CNAME entry pointing to GitHub pages, making them vulnerable to subdomain takeover. This allows a threat actor to host / run arbitrary client side code (cross-site scripting) in a user's browser when browsing the vulnerable subdomain. Version 1.0.0 fixes this issue by making CNAME optional, rather than default."}], "source": {"advisory": "GHSA-m36x-mgfh-8g78", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:45:57.107Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/projectdiscovery/interactsh/security/advisories/GHSA-m36x-mgfh-8g78", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/projectdiscovery/interactsh/security/advisories/GHSA-m36x-mgfh-8g78"}, {"name": "https://github.com/projectdiscovery/interactsh/issues/136", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/projectdiscovery/interactsh/issues/136"}, {"name": "https://github.com/projectdiscovery/interactsh/pull/155", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/projectdiscovery/interactsh/pull/155"}, {"name": "https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/"}]}, {"affected": [{"vendor": "projectdiscovery", "product": "interactsh", "cpes": ["cpe:2.3:a:projectdiscovery:interactsh:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.0.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-06T17:15:13.386206Z", "id": "CVE-2023-36474", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-06T17:16:00.767Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/projectdiscovery/interactsh/security/advisories/GHSA-m36x-mgfh-8g78", "name": "https://github.com/projectdiscovery/interactsh/security/advisories/GHSA-m36x-mgfh-8g78", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/projectdiscovery/interactsh/issues/136", "name": "https://github.com/projectdiscovery/interactsh/issues/136", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/projectdiscovery/interactsh/pull/155", "name": "https://github.com/projectdiscovery/interactsh/pull/155", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/", "name": "https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:45:57.107Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-36474", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-06T17:15:13.386206Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:projectdiscovery:interactsh:*:*:*:*:*:*:*:*"], "vendor": "projectdiscovery", "product": "interactsh", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-06T17:15:55.607Z"}}], "cna": {"title": "Interactsh server settings make users vulnerable to Subdomain Takeover", "source": {"advisory": "GHSA-m36x-mgfh-8g78", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "projectdiscovery", "product": "interactsh", "versions": [{"status": "affected", "version": "< 1.0.0"}]}], "references": [{"url": "https://github.com/projectdiscovery/interactsh/security/advisories/GHSA-m36x-mgfh-8g78", "name": "https://github.com/projectdiscovery/interactsh/security/advisories/GHSA-m36x-mgfh-8g78", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/projectdiscovery/interactsh/issues/136", "name": "https://github.com/projectdiscovery/interactsh/issues/136", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/projectdiscovery/interactsh/pull/155", "name": "https://github.com/projectdiscovery/interactsh/pull/155", "tags": ["x_refsource_MISC"]}, {"url": "https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/", "name": "https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Interactsh is an open-source tool for detecting out-of-band interactions. Domains configured with interactsh server prior to version 1.0.0 were vulnerable to subdomain takeover for a specific subdomain, i.e `app.` Interactsh server used to create cname entries for `app` pointing to `projectdiscovery.github.io` as default, which intended to used for hosting interactsh web client using GitHub pages. This is a security issue with a self-hosted interactsh server in which the user may not have configured a web client but still have a CNAME entry pointing to GitHub pages, making them vulnerable to subdomain takeover. This allows a threat actor to host / run arbitrary client side code (cross-site scripting) in a user's browser when browsing the vulnerable subdomain. Version 1.0.0 fixes this issue by making CNAME optional, rather than default."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-06-28T21:20:22.455Z"}}}, "cveMetadata": {"cveId": "CVE-2023-36474", "state": "PUBLISHED", "dateUpdated": "2024-11-06T17:16:00.767Z", "dateReserved": "2023-06-21T18:50:41.703Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-06-28T21:20:22.455Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:projectdiscovery:interactsh:*:*:*:*:*:*:*:*", "matchCriteriaId": "B784FE37-ACDC-4D8A-B3B0-3A72EFBCACC6", "versionEndExcluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Interactsh is an open-source tool for detecting out-of-band interactions. Domains configured with interactsh server prior to version 1.0.0 were vulnerable to subdomain takeover for a specific subdomain, i.e `app.` Interactsh server used to create cname entries for `app` pointing to `projectdiscovery.github.io` as default, which intended to used for hosting interactsh web client using GitHub pages. This is a security issue with a self-hosted interactsh server in which the user may not have configured a web client but still have a CNAME entry pointing to GitHub pages, making them vulnerable to subdomain takeover. This allows a threat actor to host / run arbitrary client side code (cross-site scripting) in a user's browser when browsing the vulnerable subdomain. Version 1.0.0 fixes this issue by making CNAME optional, rather than default."}], "id": "CVE-2023-36474", "lastModified": "2024-11-21T08:09:47.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-06-28T22:15:09.503", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/projectdiscovery/interactsh/issues/136"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/projectdiscovery/interactsh/pull/155"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/projectdiscovery/interactsh/security/advisories/GHSA-m36x-mgfh-8g78"}, {"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://github.com/projectdiscovery/interactsh/issues/136"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/projectdiscovery/interactsh/pull/155"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/projectdiscovery/interactsh/security/advisories/GHSA-m36x-mgfh-8g78"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description"], "url": "https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}