CVE-2023-43323
Published 2023-09-28
Priority: P3 (45) | Severity: medium | CVSS 3.1: 6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EXPLOIT
EPSS: 1.86% (76.6th percentile)
mooSocial 3.1.8 is vulnerable to external service interaction in the post function. When triggered, the server sends an HTTP and DNS request to an external server. Multiple parameters are affected: messageText, data[wall_photo], data[userShareVideo] and data[userShareLink].
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| moosocial | moosocial | — | — |
Detection & IOCs (extracted from sources)
other: data[type]=User&data[target_id]=0&data[action]=wall_post&data[wall_photo]=&data[subject_type]=&messageText=asas&data[userShareLink]=&data[userShareVideo]=http://<oast>&data[userTagging]=&data[shareImage]=1&data[privacy]=1
- Fingerprint mooSocial instances by checking HTTP response body for the string 'mooConfig' before probing for the vulnerability.
- The exploit triggers outbound HTTP and DNS callbacks from the server; confirm exploitation by monitoring for both 'http' and 'dns' interactions on an OOB (OAST) listener.
- The vulnerable endpoint is POST /activities/ajax_share with Content-Type: application/x-www-form-urlencoded. Monitor for POST requests to this path containing external URLs in the parameters messageText, data[wall_photo], data[userShareVideo], or data[userShareLink].
- Use Shodan query 'http.favicon.hash:702863115' or FOFA queries 'mooSocial', 'moosocial', or 'icon_hash="702863115"' to identify exposed mooSocial 3.1.8 instances for proactive scanning.
- The attack requires no authentication (PR:N, UI:N per CVSS) — any unauthenticated POST to /activities/ajax_share with an external URL in the affected parameters should be treated as a potential exploitation attempt.
- The vulnerability is confirmed only against mooSocial version 3.1.8 (CPE: cpe:2.3:a:moosocial:moosocial:3.1.8). Ensure version fingerprinting is performed before acting on detections.
- Detection requires an OOB/OAST (out-of-band) interaction server to confirm exploitation, as the server sends HTTP and DNS requests to an external server rather than returning a visible error or payload in the response.
- The Nuclei template uses a two-step flow (http(1) && http(2)): the first request validates the 'mooConfig' fingerprint before sending the exploit request. Standalone detection rules should replicate this two-step logic to reduce false positives.
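The request-side check from the notes above (POST to /activities/ajax_share carrying an external URL in one of the four affected parameters) can be run over captured requests or WAF/proxy body logs. The following is an added example, not code from the advisory or the Nuclei template; the request tuple layout, the OWN_HOSTS allowlist and the sample hostnames are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/activities/ajax_share"
# Parameters named in the advisory text.
PARAMS = ("messageText", "data[wall_photo]",
          "data[userShareVideo]", "data[userShareLink]")
# Absolute or scheme-relative URL anywhere inside a field value.
URL_RE = re.compile(r"(?:https?:)?//[^\s\"'<>]+", re.IGNORECASE)

def external_urls(value, own_hosts):
    """Return URLs in value whose host is not one of the site's own hosts."""
    hits = []
    for match in URL_RE.finditer(value):
        try:
            host = (urlsplit(match.group(0)).hostname or "").lower()
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            host = "?"      # cannot be parsed, so keep it as a finding
        if host and host not in own_hosts:
            hits.append(match.group(0))
    return hits

def inspect(method, target, body, own_hosts):
    """Return (parameter, url) pairs that make this request suspicious."""
    if method.upper() != "POST" or urlsplit(target).path.rstrip("/") != ENDPOINT:
        return []
    fields = parse_qs(body, keep_blank_values=True)  # decodes %5B, %2F and +
    return [(name, url)
            for name in PARAMS
            for value in fields.get(name, [])
            for url in external_urls(value, own_hosts)]

# Assumption: hostnames the site itself serves; links to these are normal.
OWN_HOSTS = {"social.example.org"}
# Constructed sample requests (method, request target, form body), not real traffic.
SAMPLE = [
    ("POST", ENDPOINT, "data[type]=User&messageText=asas&data[userShareLink]="
                       "&data[userShareVideo]=http%3A%2F%2Fcallback.example.net%2Fa"),
    ("POST", ENDPOINT, "messageText=hi&data[userShareLink]=https://social.example.org/v/1"),
    ("GET", ENDPOINT, ""),
    ("POST", ENDPOINT, "data%5Bwall_photo%5D=%2F%2Fcallback.example.net%2Fp.png"
                       "&messageText=see+HTTP://Other.example.net/x"),
]

if __name__ == "__main__":
    for method, target, body in SAMPLE:
        print(method, target, inspect(method, target, body, OWN_HOSTS))
```

A match here is a lead, not proof: users legitimately share external links, so correlate hits with outbound HTTP/DNS from the web server to the same host.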
Nuclei
CVE-2023-43323 [MEDIUM] mooSocial 3.1.8 - External Service Interaction (CVSS 6.5)
mooSocial 3.1.8 is vulnerable to external service interaction via multiple parameters in the post function.
Template:
```yaml
id: CVE-2023-43323
info:
  name: mooSocial 3.1.8 - External Service Interaction
  author: ritikchaddha
  severity: medium
  description: |
    mooSocial 3.1.8 is vulnerable to external service interaction via multiple parameters in the post function.
  impact: |
    An attacker can exploit this vulnerability to interact with external services.
  remediation: |
    Upgrade to a patched version of mooSocial to mitigate CVE-2023-43323.
  reference:
    - https://github.com/ahrixia/CVE-2023-43323
    - https://github.com/nomi-sec/PoC-in-GitHub
    - https://nvd.nist.gov/vuln/detail/CVE-2023-43323
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:
```