CVE-2024-6922
Published 2024-07-26
Priority: P2 · 61 · medium · 6.9 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 30.17% (98.0th percentile)
Automation Anywhere Automation 360 v21-v32 is vulnerable to Server-Side Request Forgery in a web API component. An attacker with unauthenticated access to the Automation 360 Control Room HTTPS service (port 443) or HTTP service (port 80) can trigger arbitrary web requests from the server.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| automationanywhere | automation_360 | 21 – 32 | — |
Detection & IOCs (extracted from sources)
- url: POST /v1/proxy/test HTTP/1.1
- path: /v1/proxy/test
- other: http.favicon.hash:-1005691603
- other: icon_hash="-1005691603"
- command: {"saasUrl":"{{interactsh-url}}/?param=one#"}
- Exploit sends an unauthenticated POST request to /v1/proxy/test with a JSON body containing a 'saasUrl' key pointing to an attacker-controlled URL, triggering SSRF.
- Successful exploitation returns HTTP 400 with a JSON body containing '{"message":' and Content-Type: application/json — monitor for this pattern on /v1/proxy/test.
- Out-of-band DNS interaction is the primary confirmation of SSRF exploitation; monitor for unexpected DNS lookups originating from the Automation 360 Control Room server.
- Identify Automation Anywhere Automation 360 Control Room instances via Shodan favicon hash -1005691603 or FOFA icon_hash="-1005691603".
- The vulnerability is unauthenticated — no session token or credentials are required in the POST request to /v1/proxy/test.
- Affected versions are Automation 360 v21 through v32 only; instances outside this range are not vulnerable.
- The SSRF endpoint /v1/proxy/test requires no authentication, meaning network-level controls (firewall rules blocking ports 80/443 to untrusted clients) are the primary mitigation layer until patching.
Suricata
ET WEB_SPECIFIC_APPS Scripts For Sites EZ e-store searchresults.php where Parameter SQL Injection
suricata · 2010-07-30 · CVSS 7.5 · CVE-2008-6242 [HIGH]
Rule:
```
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Scripts For Sites EZ e-store searchresults.php where Parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/SearchResults.php?"; nocase; content:"where="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:cve,CVE-2008-6242; reference:bugtraq,32039; reference:url,milw0rm.com/exploits/6922; classtype:web-application-attack; sid:2009727; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2024
```
Nuclei
Automation Anywhere Automation 360 - Server-Side Request Forgery
nuclei · CVSS 6.9 · CVE-2024-6922 [MEDIUM]
Template:
```yaml
id: CVE-2024-6922

info:
  name: Automation Anywhere Automation 360 - Server-Side Request Forgery
  author: DhiyaneshDK
  severity: high
  description: |
    Automation Anywhere Automation 360 v21-v32 is vulnerable to Server-Side Request Forgery in a web API component.
  remediation: |
    Apply the latest security patches and updates from the vendor to address this vulnerability.
  impact: |
    An attacker with unauthenticated access to the Automation 360 Control Room HTTPS service (port 443) or HTTP service (port 80) can trigger arbitrary web requests from the server.
  reference:
    - https://www.automationanywhere.com/products
```
No writeups or analysis indexed.