CVE-2023-43323
published 2023-09-28


Priority: P345 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EXPLOIT
EPSS: 1.86% (76.6th percentile)
mooSocial 3.1.8 is vulnerable to external service interaction on the post function. When executed, the server sends an HTTP and a DNS request to an external server. Multiple parameters are affected: messageText, data[wall_photo], data[userShareVideo] and data[userShareLink].

Affected (1 range)

Vendor | Product | Version range | Fixed in
moosocial | moosocial | |

Detection & IOCs (extracted from sources)

url: /activities/ajax_share
other: data[type]=User&data[target_id]=0&data[action]=wall_post&data[wall_photo]=&data[subject_type]=&messageText=asas&data[userShareLink]=&data[userShareVideo]=http://<oast>&data[userTagging]=&data[shareImage]=1&data[privacy]=1
  • Fingerprint mooSocial instances by checking HTTP response body for the string 'mooConfig' before probing for the vulnerability.
  • The exploit triggers outbound HTTP and DNS callbacks from the server; confirm exploitation by monitoring for both 'http' and 'dns' interactions on an OOB (OAST) listener.
  • The vulnerable endpoint is POST /activities/ajax_share with Content-Type: application/x-www-form-urlencoded. Monitor for POST requests to this path containing external URLs in the parameters messageText, data[wall_photo], data[userShareVideo], or data[userShareLink].
  • Use Shodan query 'http.favicon.hash:702863115' or FOFA queries 'mooSocial', 'moosocial', or 'icon_hash="702863115"' to identify exposed mooSocial 3.1.8 instances for proactive scanning.
  • The attack requires no authentication (PR:N, UI:N per CVSS) — any unauthenticated POST to /activities/ajax_share with an external URL in the affected parameters should be treated as a potential exploitation attempt.
  • The vulnerability is confirmed only against mooSocial version 3.1.8 (CPE: cpe:2.3:a:moosocial:moosocial:3.1.8). Ensure version fingerprinting is performed before acting on detections.
  • Detection requires an OOB/OAST (out-of-band) interaction server to confirm exploitation, as the server sends HTTP and DNS requests to an external server rather than returning a visible error or payload in the response.
  • The Nuclei template uses a two-step flow (http(1) && http(2)): the first request validates the 'mooConfig' fingerprint before sending the exploit request. Standalone detection rules should replicate this two-step logic to reduce false positives.
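
The request-monitoring rule described in the notes above, as an added Python example (not from the original page, the Nuclei template or the mooSocial project). It flags POST requests to /activities/ajax_share whose affected parameters carry an http(s) URL pointing off-site; the INTERNAL_HOSTS allow-list and all host names used with it are assumptions to adapt per deployment.

```python
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/activities/ajax_share"
# Parameters the advisory lists as affected.
WATCHED = ("messageText", "data[wall_photo]",
           "data[userShareVideo]", "data[userShareLink]")
# Assumption: hosts this deployment legitimately links to (constructed value).
INTERNAL_HOSTS = {"social.example.internal"}


def external_hosts(value):
    """Hosts of http(s) URLs inside a parameter value that are not allow-listed."""
    hosts = []
    for token in value.split():
        try:
            parts = urlsplit(token)
        except ValueError:          # malformed URL, e.g. a broken IPv6 literal
            continue
        host = (parts.hostname or "").lower()
        if parts.scheme in ("http", "https") and host and host not in INTERNAL_HOSTS:
            hosts.append(host)
    return hosts


def inspect_request(method, path, content_type, body):
    """Return {parameter: [external hosts]} for a logged request, or {} if clean."""
    if method.upper() != "POST" or urlsplit(path).path.rstrip("/") != ENDPOINT:
        return {}
    if not content_type.lower().startswith("application/x-www-form-urlencoded"):
        return {}
    # parse_qs percent-decodes names and values, so data%5BuserShareVideo%5D
    # and data[userShareVideo] are treated as the same field.
    fields = parse_qs(body, keep_blank_values=True)
    hits = {}
    for name in WATCHED:
        found = [h for v in fields.get(name, []) for h in external_hosts(v)]
        if found:
            hits[name] = found
    return hits
```

A hit means the request matches the pattern in the notes; per the same notes, confirm the target is mooSocial 3.1.8 before acting on it.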