Vendor: Nova
By: iqzer0
CVSS: 7.5 HIGH
Denial of Service (DoS)
CWE: 400
Product Name: Nova
Affected Version From: v3.7.0
Affected Version To: v3.7.0
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Manjaro, Chrome v83
2020
Laravel Nova 3.7.0 – ‘range’ DoS
An authenticated user can crash the application by setting the 'range' parameter (default 30) to a higher value and sending simultaneous requests (10 simultaneous requests were enough to DoS the server in my testing).
Mitigation:
Limit the range parameter to a reasonable value and ensure that the application is able to handle simultaneous requests.
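
One way to apply this mitigation in a Laravel application, as an added example that is not code from the advisory or from Nova. The class name `RestrictRangeParameter`, the allowlist values, the throttle numbers, and the assumption that Nova's route middleware is configured through the `middleware` array in `config/nova.php` are all assumptions.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

/**
 * Hypothetical middleware, not shipped with Nova: rejects any 'range'
 * value outside a fixed allowlist before the request does any work.
 */
class RestrictRangeParameter
{
    // Constructed allowlist (assumption). 30 is the default named in the advisory.
    private const ALLOWED_RANGES = ['30', '60', '90', '365'];

    public function handle(Request $request, Closure $next)
    {
        if ($request->has('range')) {
            $range = $request->input('range');

            // Arrays (range[]=...), null and other non-scalar shapes are rejected outright.
            if (! is_string($range) && ! is_int($range)) {
                abort(422, 'Invalid range.');
            }

            // Strict string comparison avoids PHP's loose numeric matching,
            // so "30abc", "3e1" or " 30" do not pass as 30.
            if (! in_array((string) $range, self::ALLOWED_RANGES, true)) {
                abort(422, 'Unsupported range.');
            }
        }

        return $next($request);
    }
}

// Registration (assumption: Nova's route middleware is listed in the
// 'middleware' array of config/nova.php). Laravel's built-in throttle
// middleware caps the request rate per client; 30 per minute is a
// constructed value.
//
// 'middleware' => [
//     'web',
//     'throttle:30,1',
//     \App\Http\Middleware\RestrictRangeParameter::class,
//     // ...existing Nova middleware...
// ],
```

If your metrics use named ranges rather than day counts, add those exact strings to the allowlist instead of relaxing the comparison.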