daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Dashboard Content Enhancements (#5704) 

Dashboard Content Enhancements
patch-1
MostInterestingBotInTheWorld 2022-10-19 17:11:27 -04:00 committed by GitHub
parent 8ca4a00e89
commit 0b1a79f39d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
123 changed files with 613 additions and 260 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cves/2010/CVE-2010-1980.yaml
View File

@ -4,7 +4,7 @@ info:
name: Joomla! Component Joomla! Flickr 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in joomlaflickr.php in the Joomla Flickr (com_joomlaflickr) component 1.0.3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in joomlaflickr.php in the Joomla! Flickr (com_joomlaflickr) component 1.0.3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12085
- https://www.cvedetails.com/cve/CVE-2010-1980

2
cves/2010/CVE-2010-2033.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2010-2033
info:
name: Joomla Percha Categories Tree 0.6 - Local File Inclusion
name: Joomla! Percha Categories Tree 0.6 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach) component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.

2
cves/2015/CVE-2015-4074.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2015-4074
info:
name: Joomla Helpdesk Pro plugin <1.4.0 - Local File Inclusion
name: Joomla! Helpdesk Pro plugin <1.4.0 - Local File Inclusion
author: 0x_Akoko
severity: high
description: Directory traversal vulnerability in the Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a ticket.download_attachment task.

8
cves/2016/CVE-2016-10368.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2016-10368
info:
name: Opsview Monitor Pro 4.5.x - Open Redirect
name: Opsview Monitor Pro - Open Redirect
author: 0x_Akoko
severity: medium
description: |
Open redirect vulnerability in Opsview Monitor Pro (Prior to 5.1.0.162300841 prior to 5.0.2.27475, prior to 4.6.4.162391051, and 4.5.x without a certain 2016 security patch) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the back parameter to the login URI.
Opsview Monitor Pro before 5.1.0.162300841, before 5.0.2.27475, before 4.6.4.162391051, and 4.5.x without a certain 2016 security patch contains an open redirect vulnerability. An attacker can redirect users to arbitrary web sites and conduct phishing attacks via the back parameter to the login URI.
reference:
- https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18774
- https://nvd.nist.gov/vuln/detail/CVE-2016-10368
- https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341
- https://nvd.nist.gov/vuln/detail/CVE-2016-10368
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -36,3 +36,5 @@ requests:
- type: status
status:
- 302
# Enhanced by mp on 2022/10/12

6
cves/2017/CVE-2017-11586.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2017-11586
info:
name: FineCms < 5.0.9 - Open redirect
name: FineCMS <5.0.9 - Open Redirect
author: 0x_Akoko
severity: medium
description: |
dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action.
FineCMS 5.0.9 contains an open redirect vulnerability via the url parameter in a sync action. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- http://lorexxar.cn/2017/07/20/FineCMS%20multi%20vulnerablity%20before%20v5.0.9/#URL-Redirector-Abuse
- https://nvd.nist.gov/vuln/detail/CVE-2017-11586
@ -37,3 +37,5 @@ requests:
part: header
regex:
- 'Refresh:(.*)url=http:\/\/interact\.sh'
# Enhanced by mp on 2022/10/12

5
cves/2017/CVE-2017-12138.yaml
View File

@ -4,11 +4,12 @@ info:
name: XOOPS Core 2.5.8 - Open Redirect
author: 0x_Akoko
severity: medium
description: XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter.
description: XOOPS Core 2.5.8 contains an open redirect vulnerability in /modules/profile/index.php due to the URL filter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/XOOPS/XoopsCore25/issues/523
- https://xoops.org
- https://www.cvedetails.com/cve/CVE-2017-12138
- https://nvd.nist.gov/vuln/detail/CVE-2017-12138
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -35,3 +36,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

4
cves/2018/CVE-2018-12300.yaml
View File

@ -4,7 +4,7 @@ info:
name: Seagate NAS OS 4.3.15.1 - Open Redirect
author: 0x_Akoko
severity: medium
description: Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.15.1 allows attackers to disclose information in the Referer header via the 'state' URL parameter.
description: Seagate NAS OS 4.3.15.1 contains an open redirect vulnerability in echo-server.html, which can allow an attacker to disclose information in the referer header via the state URL parameter.
reference:
- https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170
- https://nvd.nist.gov/vuln/detail/CVE-2018-12300
@ -26,3 +26,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

8
cves/2018/CVE-2018-12675.yaml
View File

@ -1,16 +1,16 @@
id: CVE-2018-12675
info:
name: SV3C HD Camera L-SERIES - Open Redirect
name: SV3C HD Camera L Series - Open Redirect
author: 0x_Akoko
severity: medium
description: |
The SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) does not perform origin checks on URLs that the camera's web interface redirects a user to. This can be leveraged to send a user to an unexpected endpoint.
SV3C HD Camera L Series 2.3.4.2103-S50-NTD-B20170508B and 2.3.4.2103-S50-NTD-B20170823B contains an open redirect vulnerability. It does not perform origin checks on URLs in the camera's web interface, which can be leveraged to send a user to an unexpected endpoint. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://bishopfox.com/blog/sv3c-l-series-hd-camera-advisory
- https://vuldb.com/?id.125799
- https://nvd.nist.gov/vuln/detail/CVE-2018-12675
- https://www.bishopfox.com/news/2018/10/sv3c-l-series-hd-camera-multiple-vulnerabilities/
- https://nvd.nist.gov/vuln/detail/CVE-2018-12675
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -30,3 +30,5 @@ requests:
part: body
words:
- '<META http-equiv="Refresh" content="0;URL=http://interact.sh">'
# Enhanced by md on 2022/10/13

6
cves/2018/CVE-2018-14474.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2018-14474
info:
name: OrangeForum 1.4.0 - Open Redirect
name: Orange Forum 1.4.0 - Open Redirect
author: 0x_Akoko
severity: medium
description: |
views/auth.go in Orange Forum 1.4.0 allows Open Redirection via the next parameter to /login or /signup.
Orange Forum 1.4.0 contains an open redirect vulnerability in views/auth.go via the next parameter to /login or /signup. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/s-gv/orangeforum/commit/1f6313cb3a1e755880fc1354f3e1efc4dd2dd4aa
- https://seclists.org/fulldisclosure/2019/Jan/32
@ -30,3 +30,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

7
cves/2018/CVE-2018-14574.yaml
View File

@ -1,10 +1,10 @@
id: CVE-2018-14574
info:
name: Django Open Redirect
name: Django - Open Redirect
author: pikpikcu
severity: medium
description: django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
description: Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 contains an open redirect vulnerability. If django.middleware.common.CommonMiddleware and APPEND_SLASH settings are selected, and if the project has a URL pattern that accepts any path ending in a slash, an attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://www.djangoproject.com/weblog/2018/aug/01/security-releases/
- https://usn.ubuntu.com/3726-1/
@ -12,6 +12,7 @@ info:
- https://www.debian.org/security/2018/dsa-4264
- http://web.archive.org/web/20210124194607/https://www.securityfocus.com/bid/104970/
- https://access.redhat.com/errata/RHSA-2019:0265
- https://nvd.nist.gov/vuln/detail/CVE-2018-14574
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -34,3 +35,5 @@ requests:
- "Location: https://www.interact.sh"
- "Location: http://www.interact.sh"
part: header
# Enhanced by md on 2022/10/13

6
cves/2018/CVE-2018-16761.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2018-16761
info:
name: Eventum v3.3.4 - Open Redirect
name: Eventum <3.4.0 - Open Redirect
author: 0x_Akoko
severity: medium
description: |
Eventum before 3.4.0 has an open redirect vulnerability.
Eventum before 3.4.0 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://www.invicti.com/web-applications-advisories/ns-18-021-open-redirection-vulnerabilities-in-eventum/
- https://github.com/eventum/eventum/releases/tag/v3.4.0
@ -29,3 +29,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

7
cves/2018/CVE-2018-17422.yaml
View File

@ -1,14 +1,15 @@
id: CVE-2018-17422
info:
name: dotCMS < 5.0.2 - Open Redirect
name: dotCMS <5.0.2 - Open Redirect
author: 0x_Akoko,daffainfo
severity: medium
description: |
dotCMS before 5.0.2 has open redirects via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter.
dotCMS before 5.0.2 contains multiple open redirect vulnerabilities via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/dotCMS/core/issues/15286
- https://www.cvedetails.com/cve/CVE-2018-17422
- https://nvd.nist.gov/vuln/detail/CVE-2018-17422
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -37,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/13

6
cves/2018/CVE-2018-19287.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2018-19287
info:
name: Ninja Forms <= 3.3.17 - Cross-Site Scripting
name: WordPress Ninja Forms <3.3.18 - Cross-Site Scripting
author: theamanrawat
severity: medium
description: |
XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript.
WordPress Ninja Forms plugin before 3.3.18 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in includes/Admin/Menus/Submissions.php via the begin_date, end_date, or form_id parameters. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/fb036dc2-0ee8-4a3e-afac-f52050b3f8c7
- https://wordpress.org/plugins/ninja-forms/
@ -50,3 +50,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/17

7
cves/2018/CVE-2018-6200.yaml
View File

@ -1,14 +1,15 @@
id: CVE-2018-6200
info:
name: vBulletin 3.x.x & 4.2.x - Open Redirect
name: vBulletin - Open Redirect
author: 0x_Akoko,daffainfo
severity: medium
description: |
vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter.
vBulletin 3.x.x and 4.2.x through 4.2.5 contains an open redirect vulnerability via the redirector.php URL parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://cxsecurity.com/issue/WLB-2018010251
- https://www.cvedetails.com/cve/CVE-2018-6200
- https://nvd.nist.gov/vuln/detail/CVE-2018-6200
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -35,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/13

6
cves/2019/CVE-2019-1010290.yaml
View File

@ -1,10 +1,10 @@
id: CVE-2019-1010290
info:
name: Babel - Open Redirection
name: Babel - Open Redirect
author: 0x_Akoko
severity: medium
description: Babel Multilingual site Babel All is affected by Open Redirection The impact is Redirection to any URL, which is supplied to redirect in a newurl parameter. The component is redirect The attack vector is The victim must open a link created by an attacker
description: Babel contains an open redirect vulnerability via redirect.php in the newurl parameter. An attacker can use any legitimate site using Babel to redirect user to a malicious site, thus possibly obtaining sensitive information, modifying data, and/or executing unauthorized operations.
reference:
- https://untrustednetwork.net/en/2019/02/20/open-redirection-vulnerability-in-babel/
- http://dev.cmsmadesimple.org/project/files/729
@ -26,3 +26,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

10
cves/2019/CVE-2019-14223.yaml
View File

@ -1,14 +1,14 @@
id: CVE-2019-14223
info:
name: Alfresco Share Open Redirect
name: Alfresco Share - Open Redirect
author: pdteam
severity: medium
description: An issue was discovered in Alfresco Community Edition versions below 5.2.6, 6.0.N and 6.1.N. The Alfresco Share application is vulnerable to an Open Redirect attack via a crafted POST request. By manipulating
the POST parameters, an attacker can redirect a victim to a malicious website over any protocol the attacker desires (e.g.,http, https, ftp, smb, etc.).
description: Alfresco Share before 5.2.6, 6.0.N and 6.1.N contains an open redirect vulnerability via a crafted POST request. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://community.alfresco.com/content?filterID=all~objecttype~thread%5Bquestions%5D
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-14223-Open%20Redirect%20in%20Alfresco%20Share-Alfresco%20Community
- https://nvd.nist.gov/vuln/detail/CVE-2019-14223
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -31,4 +31,6 @@ requests:
- type: regex
part: header
regex:
- "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?interact\\.sh(?:\\s*)$"
- "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?interact\\.sh(?:\\s*)$"
# Enhanced by md on 2022/10/13

13
cves/2019/CVE-2019-18957.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2019-18957
info:
name: Microstrategy Library before 11.1.3 XSS
name: MicroStrategy Library <11.1.3 - Cross-Site Scripting
author: tess
severity: medium
description: |
Microstrategy Library in MicroStrategy before 2019 before 11.1.3 has reflected XSS.
MicroStrategy Library before 11.1.3 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
remediation: The issue can be resolved by downloading and installing 1.1.3, which has the patch.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-18957
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18957
- https://www.cvedetails.com/cve/CVE-2019-18957/
- https://seclists.org/bugtraq/2019/Nov/23
- https://packetstormsecurity.com/files/155320/MicroStrategy-Library-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-18957
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -37,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/18

7
cves/2019/CVE-2019-3912.yaml
View File

@ -1,13 +1,14 @@
id: CVE-2019-3912
info:
name: LabKey Server < 18.3.0 - Open Redirect
name: LabKey Server Community Edition <18.3.0 - Open Redirect
author: 0x_Akoko
severity: medium
description: An open redirect vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 via the /__r1/ returnURL parameter allows an unauthenticated remote attacker to redirect users to arbitrary web sites.
description: LabKey Server Community Edition before 18.3.0-61806.763 contains an open redirect vulnerability via the /__r1/ returnURL parameter, which allows an attacker to redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://www.tenable.com/security/research/tra-2019-03
- https://www.cvedetails.com/cve/CVE-2019-3912
- https://nvd.nist.gov/vuln/detail/CVE-2019-3912
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -27,3 +28,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

7
cves/2019/CVE-2019-7275.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2019-7275
info:
name: Open Redirect in Optergy Proton/Enterprise BMS
name: Optergy Proton/Enterprise Building Management System - Open Redirect
author: 0x_Akoko
severity: medium
description: Optergy Proton/Enterprise devices allow Open Redirect.
description: Optergy Proton/Enterprise Building Management System contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://packetstormsecurity.com/files/155268/Optergy-Proton-Enterprise-BMS-2.3.0a-Open-Redirect.html
- https://applied-risk.com/resources/ar-2019-008
- https://cxsecurity.com/issue/WLB-2019110074
- https://applied-risk.com/labs/advisories
- https://nvd.nist.gov/vuln/detail/CVE-2019-7275
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -27,3 +28,5 @@ requests:
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header
# Enhanced by md on 2022/10/13

7
cves/2019/CVE-2019-9915.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2019-9915
info:
name: GetSimpleCMS 3.3.13 - Open Redirection
name: GetSimple CMS 3.3.13 - Open Redirect
author: 0x_Akoko
severity: medium
description: GetSimpleCMS 3.3.13 has an Open Redirect via the admin/index.php redirect parameter.
description: GetSimple CMS 3.3.13 contains an open redirect vulnerability via the admin/index.php redirect parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://www.invicti.com/web-applications-advisories/ns-18-056-open-redirection-vulnerability-in-getsimplecms
- https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1300
- https://www.cvedetails.com/cve/CVE-2019-9915
- https://www.netsparker.com/web-applications-advisories/ns-18-056-open-redirection-vulnerability-in-getsimplecms/
- https://nvd.nist.gov/vuln/detail/CVE-2019-9915
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -33,3 +34,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

7
cves/2020/CVE-2020-15129.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2020-15129
info:
name: Open-redirect in Traefik
name: Traefik - Open Redirect
author: dwisiswant0
severity: medium
description: There exists a potential open redirect vulnerability in Traefik's handling of the X-Forwarded-Prefix header. Active Exploitation of this issue is unlikely as it would require active header injection, however the Traefik team may want to address this issue nonetheless to prevent abuse in e.g. cache poisoning scenarios.
description: Traefik before 1.7.26, 2.2.8, and 2.3.0-rc3 contains an open redirect vulnerability in the X-Forwarded-Prefix header. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://securitylab.github.com/advisories/GHSL-2020-140-Containous-Traefik
- https://github.com/containous/traefik/releases/tag/v2.2.8
- https://github.com/containous/traefik/pull/7109
- https://github.com/containous/traefik/security/advisories/GHSA-6qq8-5wq3-86rp
- https://nvd.nist.gov/vuln/detail/CVE-2020-15129
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 4.7
@ -35,3 +36,5 @@ requests:
part: body
words:
- "<a href=\"https://foo.nl/dashboard/\">Found</a>"
# Enhanced by md on 2022/10/13

10
cves/2020/CVE-2020-17526.yaml
View File

@ -1,20 +1,22 @@
id: CVE-2020-17526
info:
name: Apache Airflow < 1.10.14 - Authentication Bypass
name: Apache Airflow <1.10.14 - Authentication Bypass
author: piyushchhiroliya
severity: high
description: |
Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A.
Apache Airflow prior to 1.10.14 contains an authentication bypass vulnerability via incorrect session validation with default configuration. An attacker on site A can access unauthorized Airflow on site B through the site A session.
remediation: Change default value for [webserver] secret_key config.
reference:
- https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise
- https://nvd.nist.gov/vuln/detail/CVE-2020-17526
- https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E
- http://www.openwall.com/lists/oss-security/2020/12/21/1
- https://nvd.nist.gov/vuln/detail/CVE-2020-17526
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
cvss-score: 7.7
cve-id: CVE-2020-17526
cwe-id: CWE-287
metadata:
fofa-query: Apache Airflow
verified: "true"
@ -49,3 +51,5 @@ requests:
- "contains(body_1, 'Redirecting...')"
- "status_code_1 == 302"
condition: and
# Enhanced by md on 2022/10/19

7
cves/2020/CVE-2020-18268.yaml
View File

@ -1,14 +1,15 @@
id: CVE-2020-18268
info:
name: Z-BlogPHP 1.5.2 - Open Redirect
name: Z-Blog <=1.5.2 - Open Redirect
author: 0x_Akoko
severity: medium
description: Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect" parameter in the component "zb_system/cmd.php."
description: Z-Blog 1.5.2 and earlier contains an open redirect vulnerability via the redirect parameter in zb_system/cmd.php. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/zblogcn/zblogphp/issues/216
- https://www.cvedetails.com/cve/CVE-2020-18268
- https://github.com/zblogcn/zblogphp/issues/209
- https://nvd.nist.gov/vuln/detail/CVE-2020-18268
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -37,3 +38,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

6
cves/2020/CVE-2020-20285.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2020-20285
info:
name: zzcms - Reflected XSS
name: ZZcms - Cross-Site Scripting
author: edoardottt
severity: medium
description: |
There is a XSS in the user login page in zzcms 2019. Users can inject js code by the referer header via user/login.php
ZZcms 2019 contains a cross-site scripting vulnerability in the user login page. An attacker can inject arbitrary JavaScript code in the referer header via user/login.php, which can allow theft of cookie-based credentials and launch of subsequent attacks.
reference:
- https://github.com/iohex/ZZCMS/blob/master/zzcms2019_login_xss.md
- https://nvd.nist.gov/vuln/detail/CVE-2020-20285
@ -41,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/17

7
cves/2020/CVE-2020-22840.yaml
View File

@ -1,14 +1,15 @@
id: CVE-2020-22840
info:
name: b2evolution CMS - Open Redirect
name: b2evolution CMS <6.11.6 - Open Redirect
author: geeknik
severity: medium
description: Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php.
description: b2evolution CMS before 6.11.6 contains an open redirect vulnerability via the redirect_to parameter in email_passthrough.php. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/b2evolution/b2evolution/issues/102
- http://packetstormsecurity.com/files/161362/b2evolution-CMS-6.11.6-Open-Redirection.html
- https://www.exploit-db.com/exploits/49554
- https://nvd.nist.gov/vuln/detail/CVE-2020-22840
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -26,3 +27,5 @@ requests:
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
part: header
# Enhanced by md on 2022/10/13

9
cves/2020/CVE-2020-23015.yaml
View File

@ -1,13 +1,14 @@
id: CVE-2020-23015
info:
name: OPNsense 20.1.5. Open Redirect
name: OPNsense <=20.1.5 - Open Redirect
author: 0x_Akoko
severity: medium
description: An open redirect issue was discovered in OPNsense through 20.1.5. The redirect parameter "url" in login page was not filtered and can redirect user to any website.
description: OPNsense through 20.1.5 contains an open redirect vulnerability via the url redirect parameter in the login page, which is not filtered. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/opnsense/core/issues/4061
- https://www.cvedetails.com/cve/CVE-2020-23015
- https://nvd.nist.gov/vuln/detail/CVE-2020-23015
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -25,4 +26,6 @@ requests:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
# Enhanced by md on 2022/10/13

7
cves/2020/CVE-2020-24550.yaml
View File

@ -1,12 +1,13 @@
id: CVE-2020-24550
info:
name: EpiServer <13.2.7 - Open Redirect
name: EpiServer Find <13.2.7 - Open Redirect
author: dhiyaneshDK
severity: medium
description: An Open Redirect vulnerability in EpiServer Find before 13.2.7 allows an attacker to redirect users to untrusted websites via the _t_redirect parameter in a crafted URL, such as a /find_v2/_click URL.
description: EpiServer Find before 13.2.7 contains an open redirect vulnerability via the _t_redirect parameter in a crafted URL, such as a /find_v2/_click URL. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://labs.nettitude.com/blog/cve-2020-24550-open-redirect-in-episerver-find/
- https://nvd.nist.gov/vuln/detail/CVE-2020-24550
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -29,3 +30,5 @@ requests:
- type: status
status:
- 301
# Enhanced by md on 2022/10/13

2
cves/2020/CVE-2020-35489.yaml
View File

@ -15,7 +15,7 @@ info:
cvss-score: 10
cve-id: CVE-2020-35489
cwe-id: CWE-434
tags: cve,cve2020,wordpress,wp-plugin,rce,upload,intrusive
tags: cve,cve2020,wordpress,wp-plugin,rce,fileupload,intrusive
requests:
- method: GET

7
cves/2020/CVE-2020-36365.yaml
View File

@ -1,14 +1,15 @@
id: CVE-2020-36365
info:
name: Smartstore < 4.1.0 - Open Redirect
name: Smartstore <4.1.0 - Open Redirect
author: 0x_Akoko
severity: medium
description: Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect.
description: Smartstore (aka "SmartStoreNET") before 4.1.0 contains an open redirect vulnerability via CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/smartstore/SmartStoreNET/issues/2113
- https://www.cvedetails.com/cve/CVE-2020-36365
- https://github.com/smartstore/SmartStoreNET
- https://nvd.nist.gov/vuln/detail/CVE-2020-36365
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -29,3 +30,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/14

12
cves/2020/CVE-2020-8772.yaml
View File

@ -1,19 +1,17 @@
id: CVE-2020-8772
info:
name: WordPress InfiniteWP Client < 1.9.4.5 - Authentication Bypass
name: WordPress InfiniteWP <1.9.4.5 - Authorization Bypass
author: princechaddha,scent2d
severity: critical
description: |
The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missing
authorization check in iwp_mmb_set_request in init.php. Any attacker who
knows the username of an administrator can log in.
WordPress InfiniteWP plugin before 1.9.4.5 for WordPress contains an authorization bypass vulnerability via a missing authorization check in iwp_mmb_set_request in init.php. An attacker who knows the username of an administrator can log in, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
remediation: Upgrade to InfiniteWP 1.9.4.5 or higher.
reference:
- https://wpscan.com/vulnerability/10011
- https://nvd.nist.gov/vuln/detail/CVE-2020-8772
- https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/
- https://wpvulndb.com/vulnerabilities/10011
remediation: Upgrade to InfiniteWP Client 1.9.4.5 or higher.
- https://nvd.nist.gov/vuln/detail/CVE-2020-8772
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -72,3 +70,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/19

8
cves/2021/CVE-2021-20031.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2021-20031
info:
name: Sonicwall SonicOS 7.0 - Host Header Injection
name: SonicWall SonicOS 7.0 - Open Redirect
author: gy741
severity: medium
description: A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack
description: SonicWall SonicOS 7.0 contains an open redirect vulnerability. The values of the Host headers are implicitly set as trusted. An attacker can spoof a particular host header, allowing the attacker to render arbitrary links, obtain sensitive information, modify data, execute unauthorized operations. and/or possibly redirect a user to a malicious site.
reference:
- https://www.exploit-db.com/exploits/50414
- https://nvd.nist.gov/vuln/detail/CVE-2021-20031
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0019
- http://packetstormsecurity.com/files/164502/Sonicwall-SonicOS-7.0-Host-Header-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-20031
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -37,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/14

8
cves/2021/CVE-2021-22873.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2021-22873
info:
name: Revive Adserver < 5.1.0 Open Redirect
name: Revive Adserver <5.1.0 - Open Redirect
author: pudsec
severity: medium
description: Revive Adserver before 5.1.0 is vulnerable to open redirects via the dest, oadest, and ct0 parameters of the lg.php and ck.php delivery scripts.
description: Revive Adserver before 5.1.0 contains an open redirect vulnerability via the dest, oadest, and ct0 parameters of the lg.php and ck.php delivery scripts. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-22873
- https://hackerone.com/reports/1081406
- https://github.com/revive-adserver/revive-adserver/issues/1068
- http://seclists.org/fulldisclosure/2021/Jan/60
- https://nvd.nist.gov/vuln/detail/CVE-2021-22873
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -38,3 +38,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/14

9
cves/2021/CVE-2021-22911.yaml
View File

@ -1,16 +1,17 @@
id: CVE-2021-22911
info:
name: RocketChat - NoSQL injection
name: Rocket.Chat <=3.13 - NoSQL Injection
author: tess,sullo
severity: critical
description: Rocket.Chat server versions 3.11, 3.12 and 3.1 allow unauthenticated access to an API endpoint which leads to NoSQL injection in the database.
description: Rocket.Chat 3.11, 3.12 and 3.13 contains a NoSQL injection vulnerability which allows unauthenticated access to an API endpoint. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- http://packetstormsecurity.com/files/162997/Rocket.Chat-3.12.1-NoSQL-Injection-Code-Execution.html
- https://github.com/vulhub/vulhub/tree/master/rocketchat/CVE-2021-22911
- https://hackerone.com/reports/1130721
- https://nvd.nist.gov/vuln/detail/CVE-2021-22911
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22911
- https://blog.sonarsource.com/nosql-injections-in-rocket-chat
- https://nvd.nist.gov/vuln/detail/CVE-2021-22911
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -47,3 +48,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/10/12

8
cves/2021/CVE-2021-24165.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2021-24165
info:
name: Ninja Forms < 3.4.34 - Administrator Open Redirect
name: WordPress Ninja Forms <3.4.34 - Open Redirect
author: dhiyaneshDk,daffainfo
severity: medium
description: |
The wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place.
WordPress Ninja Forms plugin before 3.4.34 contains an open redirect vulnerability via the wp_ajax_nf_oauth_connect AJAX action, due to the use of a user-supplied redirect parameter and no protection in place. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://wpscan.com/vulnerability/6147acf5-e43f-47e6-ab56-c9c8be584818
- https://nvd.nist.gov/vuln/detail/CVE-2021-24165
- https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-severe-vulnerabilities-patched-in-ninja-forms/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24165
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -41,3 +41,5 @@ requests:
- 'status_code_2 == 302'
- "contains(all_headers_2, 'Location: https://interact.sh?client_id=1')"
condition: and
# Enhanced by md on 2022/10/14

10
cves/2021/CVE-2021-24210.yaml
View File

@ -1,17 +1,15 @@
id: CVE-2021-24210
info:
name: PhastPress < 1.111 - Open Redirect
name: WordPress PhastPress <1.111 - Open Redirect
author: 0x_Akoko
severity: medium
description: |
There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to malform a request to a page
with the plugin and then redirect the victim to a malicious page. There is also a support comment from another user one year
ago (https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/) that says that the php involved in the request only
go to whitelisted pages but it's possible to redirect the victim to any domain.
WordPress PhastPress plugin before 1.111 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://wpscan.com/vulnerability/9b3c5412-8699-49e8-b60c-20d2085857fb
- https://plugins.trac.wordpress.org/changeset/2497610/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24210
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -29,3 +27,5 @@ requests:
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header
# Enhanced by md on 2022/10/14

8
cves/2021/CVE-2021-24288.yaml
View File

@ -1,13 +1,13 @@
id: CVE-2021-24288
info:
name: AcyMailing < 7.5.0 - Open Redirect
name: WordPress AcyMailing <7.5.0 - Open Redirect
author: 0x_Akoko
severity: medium
description: When using acymailing to subscribe to a newsletter, you make a POST request with various parameters. Turning that to a GET request and adding the parameters as GET parameters, you can successfully
go through with the subscription.
description: WordPress AcyMailing plugin before 7.5.0 contains an open redirect vulnerability due to improper sanitization of the redirect parameter. An attacker turning the request from POST to GET can craft a link containing a potentially malicious landing page and send it to the user.
reference:
- https://wpscan.com/vulnerability/56628862-1687-4862-9ed4-145d8dfbca97
- https://nvd.nist.gov/vuln/detail/CVE-2021-24288
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -25,3 +25,5 @@ requests:
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header
# Enhanced by md on 2022/10/14

7
cves/2021/CVE-2021-24838.yaml
View File

@ -1,13 +1,14 @@
id: CVE-2021-24838
info:
name: AnyComment < 0.3.5 - Open Redirect
name: WordPress AnyComment <0.3.5 - Open Redirect
author: noobexploiter
severity: medium
description: |
The plugin has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature.
WordPress AnyComment plugin before 0.3.5 contains an open redirect vulnerability via an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://wpscan.com/vulnerability/562e81ad-7422-4437-a5b4-fcab9379db82
- https://nvd.nist.gov/vuln/detail/CVE-2021-24838
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -34,3 +35,5 @@ requests:
- type: status
status:
- 302
# Enhanced by md on 2022/10/14

7
cves/2021/CVE-2021-24940.yaml
View File

@ -1,11 +1,12 @@
id: CVE-2021-24940
info:
name: Persian Woocommerce < 5.9.8 - Cross-Site Scripting
name: WordPress Persian Woocommerce <=5.8.0 - Cross-Site Scripting
author: daffainfo
severity: medium
description: |
The Persian Woocommerce WordPress plugin through 5.8.0 does not escape the s parameter before outputting it back in an attribute in the admin dashboard, which could lead to a Reflected Cross-Site Scripting issue
WordPress Persian Woocommerce plugin through 5.8.0 contains a cross-site scripting vulnerability. The plugin does not escape the s parameter before outputting it back in an attribute in the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site and possibly steal cookie-based authentication credentials and launch other attacks.
remediation: Fixed in 5.9.8.
reference:
- https://wpscan.com/vulnerability/1980c5ca-447d-4875-b542-9212cc7ff77f
- https://nvd.nist.gov/vuln/detail/CVE-2021-24940
@ -41,3 +42,5 @@ requests:
- contains(body_2, 'accesskey=X onclick=alert(1) test=')
- contains(body_2, 'woocommerce_persian_translate')
condition: and
# Enhanced by md on 2022/10/17

7
cves/2021/CVE-2021-25111.yaml
View File

@ -1,12 +1,13 @@
id: CVE-2021-25111
info:
name: English WordPress Admin < 1.5.2 - Unauthenticated Open Redirect
name: WordPress English Admin <1.5.2 - Open Redirect
author: akincibor
severity: medium
description: The plugin does not validate the admin_custom_language_return_url before redirecting users o it, leading to an open redirect issue.
description: WordPress English Admin plugin before 1.5.2 contains an open redirect vulnerability. The plugin does not validate the admin_custom_language_return_url before redirecting users to it. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://wpscan.com/vulnerability/af548fab-96c2-4129-b609-e24aad0b1fc4
- https://nvd.nist.gov/vuln/detail/CVE-2021-25111
tags: cve2021,unauth,wpscan,wp-plugin,redirect,wordpress,wp,cve
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
@ -24,3 +25,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/14

6
cves/2021/CVE-2021-27909.yaml
View File

@ -1,10 +1,10 @@
id: CVE-2021-27909
info:
name: Mautic - Cross-Site Scripting
name: Mautic <3.3.4 - Cross-Site Scripting
author: kiransau
severity: medium
description: Mautic versions prior to 3.3.4 are vulnerable to reflected XSS on password reset page where a vulnerable parameter, "bundle," in the URL could allow an attacker to execute Javascript code.
description: Mautic before 3.3.4 contains a cross-site scripting vulnerability on the password reset page in the bundle parameter of the URL. An attacker can inject arbitrary script, steal cookie-based authentication credentials, and/or launch other attacks.
reference:
- https://github.com/mautic/mautic/security/advisories/GHSA-32hw-3pvh-vcvc
- https://nvd.nist.gov/vuln/detail/CVE-2021-27909
@ -40,3 +40,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/17

8
cves/2021/CVE-2021-29622.yaml
View File

@ -1,14 +1,16 @@
id: CVE-2021-29622
info:
name: Prometheus v2.23.0 to v2.26.0, and v2.27.0 Open Redirect
name: Prometheus - Open Redirect
author: geeknik
severity: medium
description: In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint.
description: Prometheus 2.23.0 through 2.26.0 and 2.27.0 contains an open redirect vulnerability. To ensure a seamless transition to 2.27.0, the default UI was changed to the new UI with a URL prefixed by /new redirect to /. Due to a bug in the code, an attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
remediation: The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.
reference:
- https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7
- https://github.com/prometheus/prometheus/releases/tag/v2.26.1
- https://github.com/prometheus/prometheus/releases/tag/v2.27.1
- https://nvd.nist.gov/vuln/detail/CVE-2021-29622
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -26,3 +28,5 @@ requests:
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header
# Enhanced by md on 2022/10/14

10
cves/2021/CVE-2021-32618.yaml
View File

@ -1,12 +1,10 @@
id: CVE-2021-32618
info:
name: Flask Open Redirect
name: Python Flask-Security - Open Redirect
author: 0x_Akoko
severity: medium
description: There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit
library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\github.com
will pass FS's relative URL check however many browsers will gladly convert this to http://interact.sh.
description: Python Flask-Security contains an open redirect vulnerability. Existing code validates that the URL specified in the next parameter is either relative or has the same network location as the requesting URL. Certain browsers accept and fill in the blanks of possibly incomplete or malformed URLs. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c
- https://github.com/Flask-Middleware/flask-security/issues/486
@ -27,4 +25,6 @@ requests:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/14

7
cves/2021/CVE-2021-3654.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2021-3654
info:
name: noVNC Open Redirect
name: Nova noVNC - Open Redirect
author: geeknik
severity: medium
description: A user-controlled input redirects noVNC users to an external website.
description: Nova noVNC contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://seclists.org/oss-sec/2021/q3/188
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3654
- https://bugs.python.org/issue32084
- https://opendev.org/openstack/nova/commit/04d48527b62a35d912f93bc75613a6cca606df66
- https://nvd.nist.gov/vuln/detail/CVE-2021-3654
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -34,3 +35,5 @@ requests:
status:
- 302
- 301
# Enhanced by md on 2022/10/14

6
cves/2021/CVE-2021-41432.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2021-41432
info:
name: FlatPress 1.2.1 - Cross-site scripting
name: FlatPress 1.2.1 - Stored Cross-Site Scripting
author: arafatansari
severity: medium
description: |
A stored cross-site scripting (XSS) vulnerability exists in FlatPress 1.2.1 that allows for arbitrary execution of JavaScript commands through blog content.
FlatPress 1.2.1 contains a stored cross-site scripting vulnerability that allows for arbitrary execution of JavaScript commands through blog content. An attacker can possibly steal cookie-based authentication credentials and launch other attacks.
reference:
- https://github.com/flatpressblog/flatpress/issues/88
- https://nvd.nist.gov/vuln/detail/CVE-2021-41432
@ -74,3 +74,5 @@ requests:
group: 1
regex:
- 'name="_wpnonce" value="([0-9a-z]+)" />'
# Enhanced by md on 2022/10/17

2
cves/2021/CVE-2021-45046.yaml
View File

@ -13,7 +13,7 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9
cvss-score: 9.0
cve-id: CVE-2021-45046
cwe-id: CWE-502
tags: cve,cve2021,rce,oast,log4j,injection

6
cves/2022/CVE-2022-0412.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2022-0412
info:
name: TI WooCommerce Wishlist WP plugin < 1.40.1 - SQL Injection
name: WordPress TI WooCommerce Wishlist <1.40.1 - SQL Injection
author: edoardottt
severity: critical
description: |
The TI WooCommerce Wishlist WordPress plugin before 1.40.1, TI WooCommerce Wishlist Pro WordPress plugin before 1.40.1 do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks.
WordPress TI WooCommerce Wishlist plugin before 1.40.1 contains a SQL injection vulnerability. The plugin does not sanitize and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint.
reference:
- https://wpscan.com/vulnerability/e984ba11-abeb-4ed4-9dad-0bfd539a9682
- https://wordpress.org/plugins/ti-woocommerce-wishlist/advanced/
@ -40,3 +40,5 @@ requests:
- type: status
status:
- 400
# Enhanced by mp on 2022/10/12

6
cves/2022/CVE-2022-0535.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2022-0535
info:
name: E2Pdf < 1.16.45 - Cross-Site Scripting
name: WordPress E2Pdf <1.16.45 - Cross-Site Scripting
author: theamanrawat
severity: medium
description: |
The E2Pdf WordPress plugin before 1.16.45 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
WordPress E2Pdf plugin before 1.16.45 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape some of its settings, even when the unfiltered_html capability is disallowed. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, making it possible to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/a4162e96-a3c5-4f38-a60b-aa3ed9508985
- https://wordpress.org/plugins/e2pdf/
@ -62,3 +62,5 @@ requests:
group: 1
regex:
- 'name="_nonce" value="([0-9a-zA-Z]+)"'
# Enhanced by md on 2022/10/18

7
cves/2022/CVE-2022-0679.yaml
View File

@ -1,15 +1,14 @@
id: CVE-2022-0679
info:
name: Narnoo Distributor <= 2.5.1 - Unauthenticated LFI to Arbitrary File Read / RCE
name: WordPress Narnoo Distributor <=2.5.1 - Local File Inclusion
author: Veshraj
severity: critical
description: |
The plugin fails to validate and sanitize the lib_path parameter before it is passed into a call to require() via the narnoo_distributor_lib_request AJAX action (available to both unauthenticated and authenticated users) which results in the disclosure of arbitrary files as the content of the file is then displayed in the response as JSON data. This could also lead to RCE with various tricks but depends on the underlying system and it's configuration.
WordPress Narnoo Distributor plugin 2.5.1 and prior is susceptible to local file inclusion. The plugin does not validate and sanitize the lib_path parameter before being passed into a call to require() via the narnoo_distributor_lib_request AJAX action, and the content of the file is displayed in the response as JSON data. This can also lead to a remote code execution vulnerability depending on system and configuration.
reference:
- https://wpscan.com/vulnerability/0ea79eb1-6561-4c21-a20b-a1870863b0a8
- https://nvd.nist.gov/vuln/detail/CVE-2022-0679
- https://www.cvedetails.com/cve/CVE-2022-0679/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -39,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/10/12

6
cves/2022/CVE-2022-0781.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2022-0781
info:
name: Nirweb support < 2.8.2 - Unauthenticated SQLi
name: WordPress Nirweb Support <2.8.2 - SQL Injection
author: theamanrawat
severity: critical
description: |
The Nirweb support WordPress plugin before 2.8.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action (available to unauthenticated users), leading to an SQL injection.
WordPress Nirweb support plugin before 2.8.2 contains a SQL injection vulnerability. The plugin does not sanitize and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/1a8f9c7b-a422-4f45-a516-c3c14eb05161
- https://wordpress.org/plugins/nirweb-support/
@ -41,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/12

8
cves/2022/CVE-2022-1768.yaml
View File

@ -1,16 +1,16 @@
id: CVE-2022-1768
info:
name: RSVPMaker WordPress plugin <= 9.3.2 - SQL Injection
name: WordPress RSVPMaker <=9.3.2 - SQL Injection
author: edoardottt
severity: high
description: |
The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to insufficient escaping and parameterization on user supplied data passed to multiple SQL queries in the ~/rsvpmaker-email.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions up to, and including, 9.3.2.
WordPress RSVPMaker plugin through 9.3.2 contains a SQL injection vulnerability due to insufficient escaping and parameterization on user-supplied data passed to multiple SQL queries in ~/rsvpmaker-email.php. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://gist.github.com/Xib3rR4dAr/441d6bb4a5b8ad4b25074a49210a02cc
- https://wordpress.org/plugins/rsvpmaker/
- https://nvd.nist.gov/vuln/detail/CVE-2022-1768
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2725322%40rsvpmaker&new=2725322%40rsvpmaker&sfp_email=&sfph_mail=
- https://nvd.nist.gov/vuln/detail/CVE-2022-1768
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -49,3 +49,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/12

6
cves/2022/CVE-2022-1910.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2022-1910
info:
name: Shortcodes and extra features for Phlox theme < 2.9.8 - Cross-Site-Scripting
name: WordPress Shortcodes and Extra Features for Phlox <2.9.8 - Cross-Site Scripting
author: Akincibor
severity: medium
description: |
The plugin does not sanitise and escape a parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting.
WordPress Shortcodes and extra features plugin for the Phlox theme before 2.9.8 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the response. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/8afe1638-66fa-44c7-9d02-c81573193b47
- https://wordpress.org/plugins/auxin-elements/
@ -41,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/17

6
cves/2022/CVE-2022-2467.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2022-2467
info:
name: SourceCodester Garage Management System 1.0 - SQL Injection
name: Garage Management System 1.0 - SQL Injection
author: edoardottt
severity: critical
description: |
A vulnerability has been found in SourceCodester Garage Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /login.php. The manipulation of the argument username with the input 1@a.com' AND (SELECT 6427 FROM (SELECT(SLEEP(5)))LwLu) AND 'hsvT'='hsvT leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Garage Management System 1.0 contains a SQL injection vulnerability in /login.php via manipulation of the argument username with input 1@a.com' AND (SELECT 6427 FROM (SELECT(SLEEP(5)))LwLu) AND 'hsvT'='hsvT. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Garage-Management-System.md
- https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html
@ -43,3 +43,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/10/12

8
cves/2022/CVE-2022-29272.yaml
View File

@ -1,16 +1,16 @@
id: CVE-2022-29272
info:
name: Nagios XI < 5.8.5 - Open Redirect
name: Nagios XI <5.8.5 - Open Redirect
author: ritikchaddha
severity: medium
description: |
In Nagios XI through 5.8.5, an open redirect vulnerability exists in the login function that could lead to spoofing.
Nagios XI through 5.8.5 contains an open redirect vulnerability in the login function. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/sT0wn-nl/CVEs/tree/master/CVE-2022-29272
- https://nvd.nist.gov/vuln/detail/CVE-2022-29272
- https://github.com/4LPH4-NL/CVEs
- https://github.com/sT0wn-nl/CVEs/blob/master/README.md#nagios-xi
- https://nvd.nist.gov/vuln/detail/CVE-2022-29272
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -48,3 +48,5 @@ requests:
regex:
- '<input type="hidden" name="nsp" value="(.*)">'
- "<input type='hidden' name='nsp' value='(.*)'>"
# Enhanced by md on 2022/10/14

8
cves/2022/CVE-2022-29775.yaml
View File

@ -1,16 +1,16 @@
id: CVE-2022-29775
info:
name: iSpyConnect iSpy v7.2.2.0 - Improper Authentication
name: iSpy 7.2.2.0 - Authentication Bypass
author: arafatansari
severity: critical
description: |
iSpyConnect iSpy v7.2.2.0 allows attackers to bypass authentication via a crafted URL.
iSpy 7.2.2.0 contains an authentication bypass vulnerability. An attacker can craft a URL and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://gist.github.com/securylight/79f673aa3a453c80c0e78f356a8f650b
- https://github.com/securylight/CVES_write_ups/blob/main/iSpy_connect.pdf
- https://nvd.nist.gov/vuln/detail/CVE-2022-29775
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-29775
- https://nvd.nist.gov/vuln/detail/CVE-2022-29775
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -44,3 +44,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/19

7
cves/2022/CVE-2022-30512.yaml
View File

@ -5,12 +5,11 @@ info:
author: tess
severity: critical
description: |
School Dormitory Management System 1.0 is vulnerable to SQL Injection via accounts/payment_history.php:31.
School Dormitory Management System 1.0 contains a SQL injection vulnerability via accounts/payment_history.php:31. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://github.com/bigzooooz/CVE-2022-30512
- https://nvd.nist.gov/vuln/detail/CVE-2022-30512
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3051
- https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-30512
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -43,3 +42,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/10/12

8
cves/2022/CVE-2022-30513.yaml
View File

@ -1,17 +1,15 @@
id: CVE-2022-30513
info:
name: School Dormitory Management - Authenticated XSS
name: School Dormitory Management System 1.0 - Authenticated Cross-Site Scripting
author: tess
severity: medium
description: |
School Dormitory Management System v1.0 is vulnerable to reflected
cross-site scripting (XSS) via admin/inc/navigation.php:125
School Dormitory Management System 1.0 contains an authenticated cross-site scripting vulnerability via admin/inc/navigation.php:125. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://github.com/bigzooooz/CVE-2022-30513
- https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-30513
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30513
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -49,3 +47,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/17

8
cves/2022/CVE-2022-30514.yaml
View File

@ -1,16 +1,16 @@
id: CVE-2022-30514
info:
name: School Dormitory Management - Authenticated XSS via "s=" parameter
name: School Dormitory Management System 1.0 - Authenticated Cross-Site Scripting
author: tess
severity: medium
description: |
School Dormitory Management System v1.0 is vulnerable to reflected cross-site scripting (XSS) via admin/inc/navigation.php:125
School Dormitory Management System 1.0 contains an authenticated cross-site scripting vulnerability in admin/inc/navigation.php:126. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://github.com/bigzooooz/CVE-2022-30514
- https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-30514
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30514
- https://nvd.nist.gov/vuln/detail/CVE-2022-30514
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -48,3 +48,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/17

8
cves/2022/CVE-2022-35914.yaml
View File

@ -1,16 +1,16 @@
id: CVE-2022-35914
info:
name: GLPI - Remote Code Execution
name: GLPI <=10.0.2 - Remote Command Execution
author: For3stCo1d
severity: critical
description: |
/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.
GLPI through 10.0.2 is susceptible to remote command execution injection in /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module.
reference:
- https://mayfly277.github.io/posts/GLPI-htmlawed-CVE-2022-35914
- https://github.com/cosad3s/CVE-2022-35914-poc
- https://nvd.nist.gov/vuln/detail/CVE-2022-35914
- http://www.bioinformatics.org/phplabware/sourceer/sourceer.php?&Sfs=htmLawedTest.php&Sl=.%2Finternal_utilities%2FhtmLawed
- https://nvd.nist.gov/vuln/detail/CVE-2022-35914
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -44,3 +44,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/10/12

8
cves/2022/CVE-2022-38553.yaml
View File

@ -1,16 +1,16 @@
id: CVE-2022-38553
info:
name: Academy Learning Management System < v5.9.1 - Reflected XSS
name: Academy Learning Management System <5.9.1 - Cross-Site Scripting
author: edoardottt
severity: medium
description: |
Academy Learning Management System before v5.9.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Search parameter.
Academy Learning Management System before 5.9.1 contains a cross-site scripting vulnerability via the Search parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://www.youtube.com/watch?v=yFiZffHoeKs&ab_channel=4websecurity
- https://github.com/4websecurity/CVE-2022-38553
- https://nvd.nist.gov/vuln/detail/CVE-2022-38553
- https://codecanyon.net/item/academy-course-based-learning-management-system/22703468
- https://nvd.nist.gov/vuln/detail/CVE-2022-38553
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -43,3 +43,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/18

8
cves/2022/CVE-2022-40083.yaml
View File

@ -1,13 +1,15 @@
id: CVE-2022-40083
info:
name: Labstack Echo < v4.9.0 - Open Redirect
name: Labstack Echo 4.8.0 - Open Redirect
author: pdteam
severity: critical
description: |
Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF).
Labstack Echo 4.8.0 contains an open redirect vulnerability via the Static Handler component. An attacker can leverage this vulnerability to cause server-side request forgery, making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
remediation: Download and install 4.9.0, which contains a patch for this issue.
reference:
- https://github.com/labstack/echo/issues/2259
- https://nvd.nist.gov/vuln/detail/CVE-2022-40083
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
cvss-score: 9.6
@ -30,3 +32,5 @@ requests:
- type: status
status:
- 301
# Enhanced by md on 2022/10/18

12
cves/2022/CVE-2022-40684.yaml
View File

@ -1,19 +1,21 @@
id: CVE-2022-40684
info:
name: Fortigate - Authentication bypass
name: Fortinet - Authentication Bypass
author: Shockwave,nagli,carlosvieira
severity: critical
description: |
Enables an unauthenticated remote attacker to use administrative interfaces by sending specially crafted HTTP or HTTPS requests, allowing them to log in to various products of Fortinet that are unpatched.
Fortinet contains an authentication bypass vulnerability via using an alternate path or channel in FortiOS 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy 7.2.0 and 7.0.0 through 7.0.6, and FortiSwitchManager 7.2.0 and 7.0.0. An attacker can perform operations on the administrative interface via specially crafted HTTP or HTTPS requests, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/horizon3ai/CVE-2022-40684/blob/master/CVE-2022-40684.py
- https://securityonline.info/researchers-have-developed-cve-2022-40684-poc-exploit-code/
- https://socradar.io/what-do-you-need-to-know-about-fortinet-critical-authentication-bypass-vulnerability-cve-2022-40684/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684
- https://nvd.nist.gov/vuln/detail/CVE-2022-40684
classification:
cvss-score: 9.6
cve-id: CVE-2022-27593
cwe-id: CWE-288
tags: cve,cve2022,fortinet,fortigate,fortios,fortiproxy,auth-bypass,kev
requests:
@ -33,8 +35,8 @@ requests:
Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000;
Content-Length: 610
{
"ssh-public-key1":"{{randstr}}"
{
"ssh-public-key1":"{{randstr}}"
}
stop-at-first-match: true
@ -54,3 +56,5 @@ requests:
- 'Invalid SSH public key.'
- 'cli_error'
condition: and
# Enhanced by md on 2022/10/19

7
cves/2022/CVE-2022-41473.yaml
View File

@ -1,13 +1,14 @@
id: CVE-2022-41473
info:
name: RPCMS 3.0.2 - Cross-site scripting (XSS)
name: RPCMS 3.0.2 - Cross-Site Scripting
author: arafatansari
severity: medium
description: |
RPCMS v3.0.2 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the Search function.
RPCMS 3.0.2 contains a cross-site scripting vulnerability in the Search function. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://github.com/ralap-z/rpcms/issues/1
- https://nvd.nist.gov/vuln/detail/CVE-2022-41473
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -40,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/18

10
exposures/backups/sql-dump.yaml
View File

@ -1,11 +1,17 @@
id: default-sql-dump
info:
name: MySQL Dump Files
name: MySQL - Dump Files
author: geeknik,dwisiswant0,ELSFA7110
severity: medium
description: A MySQL dump file was found
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
tags: exposure,backup,mysql
requests:
- method: GET
path:
@ -45,3 +51,5 @@ requests:
- 200
- 206
condition: or
# Enhanced by mp on 2022/10/12

2
exposures/configs/joomla-config-file.yaml
View File

@ -4,7 +4,7 @@ info:
name: Joomla! Config Dist File
author: oppsec
severity: low
description: configuration.php-dist is a file created by Joomla! to save Joomla settings.
description: configuration.php-dist is a file created by Joomla! to save application settings.
tags: config,exposure,joomla
requests:

10
file/logs/suspicious-sql-error-messages.yaml
View File

@ -1,10 +1,14 @@
id: suspicious-sql-error-messages
info:
name: Suspicious SQL Error Messages
name: SQL - Error Messages
author: geeknik
severity: high
description: Detects SQL error messages that indicate probing for an injection attack
description: SQL error messages that indicate probing for an injection attack were detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cwe-id: CWE-89
tags: file,logs,sql,error
file:
@ -36,3 +40,5 @@ file:
regex:
- 'near \"\*\"\: syntax error'
- 'SELECTs to the left and right of UNION do not have the same number of result columns'
# Enhanced by mp on 2022/10/12

10
fuzzing/header-command-injection.yaml
View File

@ -1,10 +1,14 @@
id: header-command-injection
info:
name: Header Command Injection
name: Header - Remote Command Injection
author: geeknik
severity: high
description: Fuzzing headers for command injection
description: Headers were tested for remote command injection vulnerabilities.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-77
tags: fuzz,rce
requests:
@ -33,3 +37,5 @@ requests:
- type: regex
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/10/12

11
misconfiguration/caddy-open-redirect.yaml
View File

@ -1,11 +1,16 @@
id: caddy-open-redirect
info:
name: Caddy 2.4.6 Open Redirect (php_fastcgi)
name: Caddy 2.4.6 Open Redirect
author: dhiyaneshDK
severity: medium
description: Caddy 2.4.6 contains an open redirect vulnerability via php_fastcgi. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/caddyserver/caddy/issues/4502
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-601
tags: redirect,caddy,server
requests:
@ -17,4 +22,6 @@ requests:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/14

7
misconfiguration/exposed-sqlite-manager.yaml
View File

@ -1,9 +1,10 @@
id: exposed-sqlite-manager
info:
name: SQLiteManager
author: dhiyaneshDK,ritikchaddha
name: SQLiteManager - Text Display
author: dhiyaneshDK
severity: medium
description: SQLiteManager panel contains inconsistent text display in title and text.
reference:
- https://www.exploit-db.com/ghdb/5003
tags: misconfig,sqlite,edb
@ -25,3 +26,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/10/12

10
misconfiguration/office365-open-redirect.yaml
View File

@ -1,11 +1,17 @@
id: office365-open-redirect
info:
name: Office365 Open Redirect From Autodiscover
name: Office365 Autodiscover - Open Redirect
author: dhiyaneshDk
severity: low
description: Office365 Autodiscover contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
remediation: See https://learn.microsoft.com/en-us/outlook/troubleshoot/connectivity/how-to-suppress-autodiscover-redirect-warning for a workaround.
reference:
- https://medium.com/@heinjame/office365-open-redirect-from-autodiscover-64284d26c168
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-601
tags: redirect,office365,microsoft
requests:
@ -23,3 +29,5 @@ requests:
- type: status
status:
- 302
# Enhanced by md on 2022/10/14

5
technologies/elasticsearch-sql-client-detect.yaml
View File

@ -1,9 +1,10 @@
id: elasticsearch-sql-client-detect
info:
name: Elasticsearch SQL Client Detect
name: Elasticsearch - SQL Client Detection
author: pussycat0x
severity: low
description: Elasticsearch detected SQL client.
metadata:
shodan-query: http.title:"Elasticsearch-sql client"
tags: elasticsearch,tech,sql
@ -23,3 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/10/12

6
vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml
View File

@ -6,17 +6,17 @@ info:
severity: critical
description: |
Apache OFBiz is affected by a remote code execution vulnerability in the bundled Apache Log4j logging library. Apache Log4j is vulnerable due to insufficient protections on message lookup substitutions when dealing with user controlled input. A remote, unauthenticated attacker can exploit this, via a web request, to execute arbitrary code with the permission level of the running Java process.
remediation: Upgrade to Apache OFBiz version 8.12.03 or later.
reference:
- https://issues.apache.org/jira/browse/OFBIZ-12449
- https://ofbiz.apache.org/
- https://logging.apache.org/log4j/2.x/security.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
remediation: Upgrade to Apache OFBiz version 8.12.03 or later.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cvss-score: 10.0
cve-id: CVE-2021-44228
cwe-id: CWE-917
cwe-id: CWE-77
metadata:
shodan-query: http.html:"Apache OFBiz"
tags: cve,cve2021,ofbiz,oast,log4j,rce,apache,jndi,kev

2
vulnerabilities/apache/apache-solr-log4j-rce.yaml
View File

@ -16,7 +16,7 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2021-44228
cwe-id: CWE-917
cwe-id: CWE-77
metadata:
shodan-query: http.html:"Apache Solr"
verified: "true"

2
vulnerabilities/cisco/cisco-unified-communications-log4j.yaml
View File

@ -13,7 +13,7 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2021-44228
cwe-id: CWE-917
cwe-id: CWE-77
metadata:
shodan-query: title:"Cisco Unified"
verified: "true"

2
vulnerabilities/cisco/cisco-vmanage-log4j.yaml
View File

@ -13,7 +13,7 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2021-44228
cwe-id: CWE-917
cwe-id: CWE-77
metadata:
shodan-query: title:"vManage"
verified: "true"

2
vulnerabilities/code42/code42-log4j-rce.yaml
View File

@ -19,7 +19,7 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2021-44228
cwe-id: CWE-917
cwe-id: CWE-77
tags: jndi,log4j,rce,cve,cve2021,oast,code42,kev
requests:

9
vulnerabilities/dedecms/dedecms-openredirect.yaml
View File

@ -1,11 +1,16 @@
id: dedecms-openredirect
info:
name: DedeCMS Open Redirect
name: DedeCMS - Open Redirect
author: pikpikcu
severity: low
description: DedeCMS contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://blog.csdn.net/ystyaoshengting/article/details/82734888
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-601
metadata:
verified: true
shodan-query: http.html:"power by dedecms" || title:"dedecms"
@ -26,3 +31,5 @@ requests:
- type: status
status:
- 302
# Enhanced by md on 2022/10/14

10
vulnerabilities/generic/open-redirect.yaml
View File

@ -1,10 +1,14 @@
id: open-redirect
info:
name: Open URL redirect detection
name: Open Redirect - Detection
author: afaq,melbadry9,Elmahdi,pxmme1337,Regala_,andirrahmani1,geeknik
severity: low
description: A user-controlled input redirects users to an external website.
description: An open redirect vulnerability was detected. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-601
tags: redirect,generic
requests:
@ -121,3 +125,5 @@ requests:
- 307
- 308
condition: or
# Enhanced by mp on 2022/10/14

9
vulnerabilities/httpbin/httpbin-open-redirect.yaml
View File

@ -4,8 +4,13 @@ info:
name: HTTPBin - Open Redirect
author: Adam Crosser
severity: low
description: HTTPBin contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/postmanlabs/httpbin
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-601
metadata:
shodan-query:
- html:"https://github.com/requests/httpbin"
@ -25,4 +30,6 @@ requests:
- type: status
status:
- 302
- 302
# Enhanced by md on 2022/10/14

2
vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml
View File

@ -15,7 +15,7 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2021-44228
cwe-id: CWE-917
cwe-id: CWE-77
metadata:
shodan-query: http.html:"JamF"
verified: "true"

10
vulnerabilities/netsweeper/netsweeper-open-redirect.yaml
View File

@ -1,12 +1,16 @@
id: netsweeper-open-redirect
info:
name: Netsweeper 4.0.9 - Open Redirection
name: Netsweeper 4.0.9 - Open Redirect
author: daffainfo
severity: medium
description: Netsweeper version 4.0.9 was vulnerable to an Unauthenticated and Authenticated Open Redirect vulnerability.
description: Netsweeper 4.0.9 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-601
tags: netsweeper,redirect,packetstorm
requests:
@ -19,3 +23,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
# Enhanced by md on 2022/10/14

13
vulnerabilities/other/aspnuke-openredirect.yaml
View File

@ -1,9 +1,16 @@
id: aspnuke-openredirect
info:
name: ASP-Nuke Open Redirect
name: ASP-Nuke - Open Redirect
author: pdteam
severity: low
description: ASP-Nuke contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://packetstormsecurity.com/files/125931/ASP-Nuke-2.0.7-Open-Redirect.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-601
tags: aspnuke,redirect
requests:
@ -15,4 +22,6 @@ requests:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*)$'
- '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*)$'
# Enhanced by md on 2022/10/14

12
vulnerabilities/other/bitrix-open-redirect.yaml
View File

@ -1,12 +1,16 @@
id: bitrix-open-redirect
info:
name: Bitrix Open URL redirect detection
name: Bitrix Site Management Russia 2.0 - Open Redirect
author: pikpikcu
severity: low
description: The Bitrix Russia Site Management 2.0 accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect.
description: Bitrix Site Management Russia 2.0 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://packetstormsecurity.com/files/151955/1C-Bitrix-Site-Management-Russia-2.0-Open-Redirection.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-601
tags: redirect,bitrix,packetstorm
requests:
@ -37,4 +41,6 @@ requests:
condition: or
status:
- 302
- 301
- 301
# Enhanced by md on 2022/10/14

2
vulnerabilities/other/elasticsearch5-log4j-rce.yaml
View File

@ -14,7 +14,7 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2021-44228
cwe-id: CWE-917
cwe-id: CWE-77
metadata:
verified: "true"
tags: jndi,log4j,rce,oast,elasticsearch,cve,cve2021,kev

7
vulnerabilities/other/fatpipe-auth-bypass.yaml
View File

@ -1,11 +1,10 @@
id: fatpipe-auth-bypass
info:
name: FatPipe Networks WARP 10.2.2 Authorization Bypass
name: FatPipe WARP 10.2.2 - Authorization Bypass
author: gy741
severity: high
description: Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources
behind protected pages.
description: FatPipe WARP 10.2.2 contains an authorization bypass vulnerability. Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result, an attacker can bypass proper authorization and access resources behind protected pages.
reference:
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php
- https://www.fatpipeinc.com/support/advisories.php
@ -37,3 +36,5 @@ requests:
part: body
regex:
- 'version: "([0-9.a-z]+)"'
# Enhanced by md on 2022/10/19

6
vulnerabilities/other/fatpipe-backdoor.yaml
View File

@ -1,10 +1,10 @@
id: fatpipe-backdoor
info:
name: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Hidden Backdoor Account
name: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Authorization Bypass
author: gy741
severity: high
description: FatPipe Networks has a hidden administrative account cmuser that has no password and has write access permissions to the device. The user cmuser is not visible in Users menu list of the application.
description: FatPipe WARP/IPVPN/MPVPN 10.2.2 contains an authorization bypass vulnerability via hidden administrative account cmuse, which has no password, has write access permissions to the device, and is not visible in Users menu list. An attacker can gain access by bypassing proper authorization, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php
- https://www.fatpipeinc.com/support/advisories.php
@ -35,3 +35,5 @@ requests:
- '"loginRes":"success"'
- '"activeUserName":"cmuser"'
condition: and
# Enhanced by md on 2022/10/19

11
vulnerabilities/other/flatpress-xss.yaml
View File

@ -1,14 +1,17 @@
id: flatpress-xss
info:
name: FlatPress 1.2.1 - Cross-site scripting
name: FlatPress 1.2.1 - Stored Cross-Site Scripting
author: arafatansari
severity: medium
description: |
A Reflected cross-site scripting (XSS) vulnerability exists in FlatPress 1.2.1 that allows for arbitrary execution of JavaScript commands through blog content.
FlatPress 1.2.1 contains a stored cross-site scripting vulnerability that allows for arbitrary execution of JavaScript commands through blog content. An attacker can steal cookie-based authentication credentials and launch other attacks. Note: this is similar to CVE-2021-41432, however this attack uses the "page" parameter.
reference:
- https://github.com/flatpressblog/flatpress/issues/153
- https://github.com/flatpressblog/flatpress
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-79
metadata:
verified: true
shodan-query: http.html:"Flatpress"
@ -56,3 +59,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/18

2
vulnerabilities/other/goanywhere-mft-log4j-rce.yaml
View File

@ -12,8 +12,8 @@ info:
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cwe-id: CWE-77
cve-id: CVE-2021-44228
cwe-id: CWE-917
metadata:
shodan-query: http.html:"GoAnywhere Managed File Transfer"
verified: "true"

2
vulnerabilities/other/graylog-log4j.yaml
View File

@ -13,7 +13,7 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2021-44228
cwe-id: CWE-917
cwe-id: CWE-77
metadata:
shodan-query: title:"Graylog Web Interface"
verified: "true"

11
vulnerabilities/other/homeautomation-v3-openredirect.yaml
View File

@ -1,12 +1,17 @@
id: homeautomation-v3-openredirect
info:
name: HomeAutomation v3.3.2 Open Redirect
name: HomeAutomation 3.3.2 - Open Redirect
author: 0x_Akoko
severity: medium
description: A vulnerability in the HomeAutomation product allows remote unauthenticated attackers to inject a redirect URL via the 'api.php' endpoint and the 'redirect' parameter.
description: HomeAutomation 3.3.2 contains an open redirect vulnerability. An attacker can inject a redirect URL via the api.php endpoint and the redirect parameter, making it possible to redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5559.php
- https://packetstormsecurity.com/files/155795/HomeAutomation-3.3.2-Open-Redirect.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-601
tags: iot,redirect
requests:
@ -19,3 +24,5 @@ requests:
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header
# Enhanced by md on 2022/10/18

9
vulnerabilities/other/icewarp-openredirects.yaml
View File

@ -4,7 +4,12 @@ info:
name: IceWarp - Open Redirect
author: uomogrande
severity: medium
description: Detects icewarp open redirects / fixed in Version 13.0.2.4
description: IceWarp open redirect vulnerabilities were detected. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
remediation: Fixed in 13.0.2.4.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-601
metadata:
verified: true
shodan-query: title:"icewarp"
@ -34,3 +39,5 @@ requests:
group: 1
regex:
- 'Server: (.{4,20})'
# Enhanced by md on 2022/10/18

2
vulnerabilities/other/jamf-pro-log4j.yaml
View File

@ -13,7 +13,7 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2021-44228
cwe-id: CWE-917
cwe-id: CWE-77
metadata:
shodan-query: title:"Jamf Pro"
verified: "true"

2
vulnerabilities/other/metabase-log4j.yaml
View File

@ -13,7 +13,7 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2021-44228
cwe-id: CWE-917
cwe-id: CWE-77
metadata:
shodan-query: title:"Metabase"
verified: "true"

11
vulnerabilities/other/netgear-router-auth-bypass.yaml
View File

@ -1,14 +1,17 @@
id: netgear-router-auth-bypass
info:
name: NETGEAR DGN2200v1 Router Authentication Bypass
name: NETGEAR DGN2200v1 - Authentication Bypass
author: gy741
severity: high
description: NETGEAR DGN2200v1 Router does not require authentication if a page has ".jpg", ".gif", or "ess_" substrings, however matches the entire URL. Any page on the device can therefore be accessed, including
those that require authentication, by appending a GET variable with the relevant substring (e.g., "?.gif").
description: NETGEAR DGN2200v1 router contains an authentication bypass vulnerability. It does not require authentication if a page has ".jpg", ".gif", or "ess_" substrings but matches the entire URL. Any page on the device can therefore be accessed, including those that require authentication, by appending a GET variable with the relevant substring.
reference:
- https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/
- https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.1
cwe-id: CWE-287
tags: netgear,auth-bypass,router
requests:
@ -32,3 +35,5 @@ requests:
- type: word
words:
- "<title>WAN Setup</title>"
# Enhanced by md on 2022/10/19

12
vulnerabilities/other/netgear-wac124-router-auth-bypass.yaml
View File

@ -1,14 +1,18 @@
id: netgear-wac124-router-auth-bypass
info:
name: NETGEAR WAC124 Router Authentication Bypass
name: NETGEAR WAC124 - Authentication Bypass
author: gy741
severity: high
description: |
This vulnerability allows network-adjacent attackers to bypass authentication on affected of WAC124, AC2000 routers. Authentication is not required to exploit this vulnerability.
NETGEAR WAC124 AC2000 routers contain an authentication bypass vulnerability. An attacker can gain access by bypassing proper authentication, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://flattsecurity.medium.com/finding-bugs-to-trigger-unauthenticated-command-injection-in-a-netgear-router-psv-2022-0044-2b394fb9edc
- https://kb.netgear.com/000064730/Security-Advisory-for-Multiple-Vulnerabilities-on-the-WAC124-PSV-2022-0044
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.1
cwe-id: CWE-287
tags: netgear,auth-bypass,router,iot
requests:
@ -24,4 +28,6 @@ requests:
- type: word
words:
- "Enable Telnet"
- "Enable Telnet"
# Enhanced by md on 2022/10/19

8
vulnerabilities/other/odoo-cms-redirect.yaml
View File

@ -4,10 +4,14 @@ info:
name: Odoo CMS - Open Redirect
author: 0x_Akoko
severity: low
description: Odoo CMS - Open redirection in all versions due to Odoo's policy.
description: Odoo CMS contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://cxsecurity.com/issue/WLB-2021020143
- https://www.odoo.com/page/security-nonvuln-redirectors
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-601
tags: odoo,redirect
requests:
@ -20,3 +24,5 @@ requests:
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header
# Enhanced by md on 2022/10/18

2
vulnerabilities/other/opennms-log4j-jndi-rce.yaml
View File

@ -15,7 +15,7 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2021-44228
cwe-id: CWE-917
cwe-id: CWE-77
metadata:
shodan-query: title:"OpenNMS Web Console"
verified: "true"

10
vulnerabilities/other/otobo-open-redirect.yaml
View File

@ -1,13 +1,17 @@
id: otobo-open-redirect
info:
name: Open Redirect in Otobo
name: Otobo - Open Redirect
author: 0x_Akoko
severity: medium
description: There is a open redirect vulnerability in Otobo
description: Otobo contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://huntr.dev/bounties/de64ac71-9d06-47cb-b643-891db02f2a1f/
- https://github.com/rotheross/otobo
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-601
tags: redirect,otobo,huntr
requests:
@ -20,3 +24,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/18

10
vulnerabilities/other/pollbot-redirect.yaml
View File

@ -1,13 +1,17 @@
id: pollbot-redirect
info:
name: Mozilla Pollbot Services - Unauthenticated Open Redirect
name: Mozilla Pollbot - Open Redirect
author: Evan Rubinstien
severity: medium
description: Mozilla has a medium severity open redirect vulnerability in pollbot that could be used for social engineering attaks.
description: Mozilla Pollbot contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1753838
- https://github.com/mozilla/PollBot
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-601
tags: redirect,mozilla,pollbot
requests:
@ -25,3 +29,5 @@ requests:
- type: status
status:
- 301
# Enhanced by md on 2022/10/18

2
vulnerabilities/other/rundeck-log4j.yaml
View File

@ -13,7 +13,7 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2021-44228
cwe-id: CWE-917
cwe-id: CWE-77
metadata:
shodan-query: title:"Rundeck"
verified: "true"

10
vulnerabilities/other/sap-redirect.yaml
View File

@ -1,10 +1,14 @@
id: sap-redirect
info:
name: SAP wide open redirect
name: SAP Solution Manager - Open Redirect
author: Gal Nagli
severity: medium
description: A vulnerability in SAP's 'logoff' endpoint allows attackers to redirect victims to their URL of choice.
description: SAP Solution Manager contains an open redirect vulnerability via the logoff endpoint. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-601
tags: redirect,sap
requests:
@ -26,3 +30,5 @@ requests:
- "Location: https://interact.sh"
condition: or
part: header
# Enhanced by md on 2022/10/18

Some files were not shown because too many files have changed in this diff Show More