CVE-2023-4168
published 2023-08-05

Priority P264 · high 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 36.20% (98.3th percentile)

A vulnerability was found in Templatecookie Adlisting 2.14.0. It has been classified as problematic. Affected is an unknown function of the file /ad-list of the component Redirect Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-236184. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Affected

1 range

Vendor          Product    Version range  Fixed in
templatecookie  adlisting

Detection & IOCs (extracted from sources)

url: /ad-list-search?keyword=&lat=&long=&long=&lat=&location=&category=&keyword=
url: /push-notification
  • HTTP GET request to /ad-list-search or /ad-list endpoints returning HTTP 200 with body containing all three strings: 'google_map_key', 'api_key', and 'auth_domain' simultaneously indicates successful information disclosure exploitation.
  • Sensitive fields exposed in redirect/page response bodies to look for include: google_map_key, api_key, auth_domain, project_id, storage_bucket, messaging_sender_id, app_id, and measurement_id — all corresponding to Firebase Push Notification Configuration.
  • The vulnerability is unauthenticated (PR:N, UI:N) and exploitable via a simple GET request with no special headers or authentication required.
  • Monitor HTTP responses from /ad-list* paths for content-type text/html with status 200 containing Firebase/Google API credential field names, which should never appear in unauthenticated page responses.
  • The vulnerability affects specifically version 2.14.0 of Templatecookie Adlisting; the CPE scope is narrow and detection should be scoped accordingly.
  • The same leaked credentials (API keys, server keys, app ID) are also stored in the Firebase Push Notification Configuration in the Administration Panel at /push-notification, meaning a compromise of the page response also implies those admin-configured credentials are exposed.
  • The EPSS score is extremely high (0.733, 98.8th percentile), indicating this vulnerability has a very high probability of being exploited in the wild and should be prioritized.
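
The response-body check described in the bullets above, as an added example (not code from the original page or from the vendor): it flags GET exchanges on /ad-list* paths that return 200 text/html and contain the three indicator field names together. The `Exchange` record shape, the function names and the sample traffic are assumptions constructed for illustration.

```python
from typing import NamedTuple

# Field names the page lists for the Firebase Push Notification Configuration.
FIREBASE_FIELDS = ("google_map_key", "api_key", "auth_domain", "project_id",
                   "storage_bucket", "messaging_sender_id", "app_id",
                   "measurement_id")
# The page's indicator: these three present together in one response body.
REQUIRED = ("google_map_key", "api_key", "auth_domain")

class Exchange(NamedTuple):  # hypothetical shape of one captured exchange
    method: str
    url: str           # path plus query string
    status: int
    content_type: str
    body: str

def leaked_fields(ex: Exchange) -> list:
    """Return exposed field names if the exchange matches the indicator."""
    path = ex.url.split("?", 1)[0]
    in_scope = (ex.method == "GET" and ex.status == 200
                and path.startswith("/ad-list")
                and ex.content_type.lower().startswith("text/html"))
    if not in_scope or not all(name in ex.body for name in REQUIRED):
        return []
    return [name for name in FIREBASE_FIELDS if name in ex.body]

def scan(exchanges):
    """Return (url, fields) for every exchange that shows the disclosure."""
    hits = [(ex.url, leaked_fields(ex)) for ex in exchanges]
    return [(url, fields) for url, fields in hits if fields]

# Constructed sample traffic; values are placeholders, not real keys.
LEAKY = ('<script>var cfg = {"google_map_key":"PLACEHOLDER","api_key":'
         '"PLACEHOLDER","auth_domain":"PLACEHOLDER","project_id":"PLACEHOLDER"}'
         '</script>')
SAMPLES = [
    Exchange("GET", "/ad-list-search?keyword=&lat=&long=", 200,
             "text/html; charset=UTF-8", LEAKY),
    Exchange("GET", "/ad-list", 200, "text/html", "<html>listings</html>"),
    Exchange("GET", "/ad-list", 302, "text/html", LEAKY),  # not a 200
    Exchange("GET", "/about", 200, "text/html", LEAKY),    # path out of scope
    Exchange("GET", "/ad-list", 200, "text/html", '{"api_key":"PLACEHOLDER"}'),
]

if __name__ == "__main__":
    for url, fields in scan(SAMPLES):
        print(f"ALERT {url}: exposed {', '.join(fields)}")
```

Any hit means the keys named in the response should be treated as exposed and rotated in the Firebase Push Notification Configuration.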

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd     v2.0     4.0    MEDIUM    AV:N/AC:L/Au:S/C:P/I:N/A:N