From 0b1a79f39df5f17facc6fa28bd63834d9fa3d01a Mon Sep 17 00:00:00 2001 
From: MostInterestingBotInTheWorld <98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Wed, 19 Oct 2022 17:11:27 -0400
Subject: [PATCH] Dashboard Content Enhancements (#5704)

Dashboard Content Enhancements
---
 cves/2010/CVE-2010-1980.yaml | 2 +-
 cves/2010/CVE-2010-2033.yaml | 2 +-
 cves/2015/CVE-2015-4074.yaml | 2 +-
 cves/2016/CVE-2016-10368.yaml | 8 +++++---
 cves/2017/CVE-2017-11586.yaml | 6 ++++--
 cves/2017/CVE-2017-12138.yaml | 5 ++++-
 cves/2018/CVE-2018-12300.yaml | 4 +++-
 cves/2018/CVE-2018-12675.yaml | 8 +++++---
 cves/2018/CVE-2018-14474.yaml | 6 ++++--
 cves/2018/CVE-2018-14574.yaml | 7 +++++--
 cves/2018/CVE-2018-16761.yaml | 6 ++++--
 cves/2018/CVE-2018-17422.yaml | 7 +++++--
 cves/2018/CVE-2018-19287.yaml | 6 ++++--
 cves/2018/CVE-2018-6200.yaml | 7 +++++--
 cves/2019/CVE-2019-1010290.yaml | 6 ++++--
 cves/2019/CVE-2019-14223.yaml | 10 ++++++----
 cves/2019/CVE-2019-18957.yaml | 13 ++++++++-----
 cves/2019/CVE-2019-3912.yaml | 7 +++++--
 cves/2019/CVE-2019-7275.yaml | 7 +++++--
 cves/2019/CVE-2019-9915.yaml | 7 +++++--
 cves/2020/CVE-2020-15129.yaml | 7 +++++--
 cves/2020/CVE-2020-17526.yaml | 10 +++++++---
 cves/2020/CVE-2020-18268.yaml | 7 +++++--
 cves/2020/CVE-2020-20285.yaml | 6 ++++--
 cves/2020/CVE-2020-22840.yaml | 7 +++++--
 cves/2020/CVE-2020-23015.yaml | 9 ++++++---
 cves/2020/CVE-2020-24550.yaml | 7 +++++--
 cves/2020/CVE-2020-35489.yaml | 2 +-
 cves/2020/CVE-2020-36365.yaml | 7 +++++--
 cves/2020/CVE-2020-8772.yaml | 12 ++++++------
 cves/2021/CVE-2021-20031.yaml | 8 +++++---
 cves/2021/CVE-2021-22873.yaml | 8 +++++---
 cves/2021/CVE-2021-22911.yaml | 9 ++++++---
 cves/2021/CVE-2021-24165.yaml | 8 +++++---
 cves/2021/CVE-2021-24210.yaml | 10 +++++-----
 cves/2021/CVE-2021-24288.yaml | 8 +++++---
 cves/2021/CVE-2021-24838.yaml | 7 +++++--
 cves/2021/CVE-2021-24940.yaml | 7 +++++--
 cves/2021/CVE-2021-25111.yaml | 7 +++++--
 cves/2021/CVE-2021-27909.yaml | 6 ++++--
 cves/2021/CVE-2021-29622.yaml | 8 ++++++--
 cves/2021/CVE-2021-32618.yaml | 10 +++++-----
 cves/2021/CVE-2021-3654.yaml | 7 +++++--
 cves/2021/CVE-2021-41432.yaml | 6 ++++--
 cves/2021/CVE-2021-45046.yaml | 2 +-
 cves/2022/CVE-2022-0412.yaml | 6 ++++--
 cves/2022/CVE-2022-0535.yaml | 6 ++++--
 cves/2022/CVE-2022-0679.yaml | 7 ++++---
 cves/2022/CVE-2022-0781.yaml | 6 ++++--
 cves/2022/CVE-2022-1768.yaml | 8 +++++---
 cves/2022/CVE-2022-1910.yaml | 6 ++++--
 cves/2022/CVE-2022-2467.yaml | 6 ++++--
 cves/2022/CVE-2022-29272.yaml | 8 +++++---
 cves/2022/CVE-2022-29775.yaml | 8 +++++---
 cves/2022/CVE-2022-30512.yaml | 7 ++++---
 cves/2022/CVE-2022-30513.yaml | 8 ++++----
 cves/2022/CVE-2022-30514.yaml | 8 +++++---
 cves/2022/CVE-2022-35914.yaml | 8 +++++---
 cves/2022/CVE-2022-38553.yaml | 8 +++++---
 cves/2022/CVE-2022-40083.yaml | 8 ++++++--
 cves/2022/CVE-2022-40684.yaml | 12 ++++++++----
 cves/2022/CVE-2022-41473.yaml | 7 +++++--
 exposures/backups/sql-dump.yaml | 10 +++++++++-
 exposures/configs/joomla-config-file.yaml | 2 +-
 file/logs/suspicious-sql-error-messages.yaml | 10 ++++++++--
 fuzzing/header-command-injection.yaml | 10 ++++++++--
 misconfiguration/caddy-open-redirect.yaml | 11 +++++++++--
 misconfiguration/exposed-sqlite-manager.yaml | 7 +++++--
 misconfiguration/office365-open-redirect.yaml | 10 +++++++++-
 .../elasticsearch-sql-client-detect.yaml | 5 ++++-
 .../apache/apache-ofbiz-log4j-rce.yaml | 6 +++---
 .../apache/apache-solr-log4j-rce.yaml | 2 +-
 .../cisco-unified-communications-log4j.yaml | 2 +-
 vulnerabilities/cisco/cisco-vmanage-log4j.yaml | 2 +-
 vulnerabilities/code42/code42-log4j-rce.yaml | 2 +-
 .../dedecms/dedecms-openredirect.yaml | 9 ++++++++-
 vulnerabilities/generic/open-redirect.yaml | 10 ++++++++--
 .../httpbin/httpbin-open-redirect.yaml | 9 ++++++++-
 vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml | 2 +-
 .../netsweeper/netsweeper-open-redirect.yaml | 10 ++++++++--
 vulnerabilities/other/aspnuke-openredirect.yaml | 13 +++++++++++--
 vulnerabilities/other/bitrix-open-redirect.yaml | 12 +++++++++---
 .../other/elasticsearch5-log4j-rce.yaml | 2 +-
 vulnerabilities/other/fatpipe-auth-bypass.yaml | 7 ++++---
 vulnerabilities/other/fatpipe-backdoor.yaml | 6 ++++--
 vulnerabilities/other/flatpress-xss.yaml | 11 ++++++++---
 .../other/goanywhere-mft-log4j-rce.yaml | 2 +-
 vulnerabilities/other/graylog-log4j.yaml | 2 +-
 .../other/homeautomation-v3-openredirect.yaml | 11 +++++++++--
 vulnerabilities/other/icewarp-openredirects.yaml | 9 ++++++++-
 vulnerabilities/other/jamf-pro-log4j.yaml | 2 +-
 vulnerabilities/other/metabase-log4j.yaml | 2 +-
 .../other/netgear-router-auth-bypass.yaml | 11 ++++++++---
 .../other/netgear-wac124-router-auth-bypass.yaml | 12 +++++++++---
 vulnerabilities/other/odoo-cms-redirect.yaml | 8 +++++++-
 .../other/opennms-log4j-jndi-rce.yaml | 2 +-
 vulnerabilities/other/otobo-open-redirect.yaml | 10 ++++++++--
 vulnerabilities/other/pollbot-redirect.yaml | 10 ++++++++--
 vulnerabilities/other/rundeck-log4j.yaml | 2 +-
 vulnerabilities/other/sap-redirect.yaml | 10 ++++++++--
 vulnerabilities/other/thinkific-redirect.yaml | 12 ++++++++++--
 .../other/unifi-network-log4j-rce.yaml | 2 +-
 .../other/vmware-siterecovery-log4j-rce.yaml | 2 +-
 .../sangfor/sangfor-edr-auth-bypass.yaml | 11 ++++++++---
 vulnerabilities/vmware/vmware-hcx-log4j.yaml | 2 +-
 .../vmware/vmware-horizon-log4j-jndi-rce.yaml | 2 +-
 vulnerabilities/vmware/vmware-nsx-log4j.yaml | 2 +-
 .../vmware/vmware-operation-manager-log4j.yaml | 2 +-
 .../vmware/vmware-vcenter-log4j-jndi-rce.yaml | 2 +-
 .../vmware/vrealize-operations-log4j-rce.yaml | 2 +-
 .../wordpress/age-gate-open-redirect.yaml | 10 ++++++++--
 .../wordpress/attitude-theme-open-redirect.yaml | 10 ++++++++--
 .../eatery-restaurant-open-redirect.yaml | 10 ++++++++--
 .../wordpress/music-store-open-redirect.yaml | 10 ++++++++--
 .../wordpress/ultimatemember-open-redirect.yaml | 11 +++++++++--
 .../weekender-newspaper-open-redirect.yaml | 10 ++++++++--
 .../wordpress/wordpress-woocommerce-listing.yaml | 6 ++++--
 .../wordpress/wp-grimag-open-redirect.yaml | 11 +++++++++--
.../wordpress/wp-gtranslate-open-redirect.yaml | 10 ++++++++-- .../wordpress/wp-multiple-theme-ssrf.yaml | 9 ++++++++- .../wordpress/wp-prostore-open-redirect.yaml | 8 +++++--- .../wordpress/wp-security-open-redirect.yaml | 12 ++++++++++-- .../wordpress/wptouch-open-redirect.yaml | 16 ++++++++-------- 123 files changed, 613 insertions(+), 260 deletions(-) diff --git a/cves/2010/CVE-2010-1980.yaml b/cves/2010/CVE-2010-1980.yaml index 9d7f73a0c4..06dc394908 100644 --- a/cves/2010/CVE-2010-1980.yaml +++ b/cves/2010/CVE-2010-1980.yaml @@ -4,7 +4,7 @@ info: name: Joomla! Component Joomla! Flickr 1.0 - Local File Inclusion author: daffainfo severity: high - description: A directory traversal vulnerability in joomlaflickr.php in the Joomla Flickr (com_joomlaflickr) component 1.0.3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in joomlaflickr.php in the Joomla! Flickr (com_joomlaflickr) component 1.0.3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12085 - https://www.cvedetails.com/cve/CVE-2010-1980 diff --git a/cves/2010/CVE-2010-2033.yaml b/cves/2010/CVE-2010-2033.yaml index c961bef8ea..5bd8b33f5d 100644 --- a/cves/2010/CVE-2010-2033.yaml +++ b/cves/2010/CVE-2010-2033.yaml @@ -1,7 +1,7 @@ id: CVE-2010-2033 info: - name: Joomla Percha Categories Tree 0.6 - Local File Inclusion + name: Joomla! Percha Categories Tree 0.6 - Local File Inclusion author: daffainfo severity: high description: A directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach) component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. 
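Review bot: The renamed title `Joomla! Percha Categories Tree 0.6 - Local File Inclusion` in the CVE-2010-2033 hunk still disagrees with the description immediately below it, which attributes the traversal to the Percha Fields Attach (com_perchafieldsattach) component 1.x. The name and the description cannot both be right for one CVE id, and a product mismatch in the name misleads anyone grouping findings by template title. Since the description carries the CVE wording, the name should probably become `name: Joomla! Percha Fields Attach 1.x - Local File Inclusion`; confirm against the NVD entry before changing it.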
diff --git a/cves/2015/CVE-2015-4074.yaml b/cves/2015/CVE-2015-4074.yaml index ec54af72e6..01735983ba 100644 --- a/cves/2015/CVE-2015-4074.yaml +++ b/cves/2015/CVE-2015-4074.yaml @@ -1,7 +1,7 @@ id: CVE-2015-4074 info: - name: Joomla Helpdesk Pro plugin <1.4.0 - Local File Inclusion + name: Joomla! Helpdesk Pro plugin <1.4.0 - Local File Inclusion author: 0x_Akoko severity: high description: Directory traversal vulnerability in the Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a ticket.download_attachment task. diff --git a/cves/2016/CVE-2016-10368.yaml b/cves/2016/CVE-2016-10368.yaml index dbdb8c43ad..83bb9e950a 100644 --- a/cves/2016/CVE-2016-10368.yaml +++ b/cves/2016/CVE-2016-10368.yaml @@ -1,15 +1,15 @@ id: CVE-2016-10368 info: - name: Opsview Monitor Pro 4.5.x - Open Redirect + name: Opsview Monitor Pro - Open Redirect author: 0x_Akoko severity: medium description: | - Open redirect vulnerability in Opsview Monitor Pro (Prior to 5.1.0.162300841 prior to 5.0.2.27475, prior to 4.6.4.162391051, and 4.5.x without a certain 2016 security patch) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the back parameter to the login URI. + Opsview Monitor Pro before 5.1.0.162300841, before 5.0.2.27475, before 4.6.4.162391051, and 4.5.x without a certain 2016 security patch contains an open redirect vulnerability. An attacker can redirect users to arbitrary web sites and conduct phishing attacks via the back parameter to the login URI. reference: - https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18774 - - https://nvd.nist.gov/vuln/detail/CVE-2016-10368 - https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341 + - https://nvd.nist.gov/vuln/detail/CVE-2016-10368 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 
@@ -36,3 +36,5 @@ requests: - type: status status: - 302 + +# Enhanced by mp on 2022/10/12 diff --git a/cves/2017/CVE-2017-11586.yaml b/cves/2017/CVE-2017-11586.yaml index 4b939cb7d6..60ba90a48a 100644 --- a/cves/2017/CVE-2017-11586.yaml +++ b/cves/2017/CVE-2017-11586.yaml @@ -1,11 +1,11 @@ id: CVE-2017-11586 info: - name: FineCms < 5.0.9 - Open redirect + name: FineCMS <5.0.9 - Open Redirect author: 0x_Akoko severity: medium description: | - dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action. + FineCMS 5.0.9 contains an open redirect vulnerability via the url parameter in a sync action. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. reference: - http://lorexxar.cn/2017/07/20/FineCMS%20multi%20vulnerablity%20before%20v5.0.9/#URL-Redirector-Abuse - https://nvd.nist.gov/vuln/detail/CVE-2017-11586 @@ -37,3 +37,5 @@ requests: part: header regex: - 'Refresh:(.*)url=http:\/\/interact\.sh' + +# Enhanced by mp on 2022/10/12 diff --git a/cves/2017/CVE-2017-12138.yaml b/cves/2017/CVE-2017-12138.yaml index 2931b0c317..924d872ac1 100644 --- a/cves/2017/CVE-2017-12138.yaml +++ b/cves/2017/CVE-2017-12138.yaml 
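Review bot: The new name `FineCMS <5.0.9 - Open Redirect` and the new description `FineCMS 5.0.9 contains an open redirect vulnerability` state different affected ranges in the same hunk of CVE-2017-11586. The only technical reference listed there is titled "multi vulnerablity before v5.0.9", which supports the name rather than the description, so the description should probably read `FineCMS before 5.0.9 contains an open redirect vulnerability via the url parameter in a sync action.`; confirm the range against the NVD text before settling on one. A template whose name and description disagree on the fixed version makes triage of a hit harder than it needs to be.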
@@ -4,11 +4,12 @@ info:
 name: XOOPS Core 2.5.8 - Open Redirect
 author: 0x_Akoko
 severity: medium
- description: XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter.
+ description: XOOPS Core 2.5.8 contains an open redirect vulnerability in /modules/profile/index.php due to the URL filter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
 reference:
 - https://github.com/XOOPS/XoopsCore25/issues/523
 - https://xoops.org
 - https://www.cvedetails.com/cve/CVE-2017-12138
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-12138
 classification:
 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
 cvss-score: 6.1
@@ -35,3 +36,5 @@ requests:
 part: header
 regex:
 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+
+# Enhanced by md on 2022/10/13
diff --git a/cves/2018/CVE-2018-12300.yaml b/cves/2018/CVE-2018-12300.yaml
index aa316b4cd7..7dafab0bbb 100644
--- a/cves/2018/CVE-2018-12300.yaml
+++ b/cves/2018/CVE-2018-12300.yaml
@@ -4,7 +4,7 @@ info:
 name: Seagate NAS OS 4.3.15.1 - Open Redirect
 author: 0x_Akoko
 severity: medium
- description: Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.15.1 allows attackers to disclose information in the Referer header via the 'state' URL parameter.
+ description: Seagate NAS OS 4.3.15.1 contains an open redirect vulnerability in echo-server.html, which can allow an attacker to disclose information in the referer header via the state URL parameter.
 reference:
 - https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170
 - https://nvd.nist.gov/vuln/detail/CVE-2018-12300
@@ -26,3 +26,5 @@ requests: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 + +# Enhanced by md on 2022/10/13 diff --git a/cves/2018/CVE-2018-12675.yaml b/cves/2018/CVE-2018-12675.yaml index b2311e0466..d1f5d24b6f 100644 --- a/cves/2018/CVE-2018-12675.yaml +++ b/cves/2018/CVE-2018-12675.yaml @@ -1,16 +1,16 @@ id: CVE-2018-12675 info: - name: SV3C HD Camera L-SERIES - Open Redirect + name: SV3C HD Camera L Series - Open Redirect author: 0x_Akoko severity: medium description: | - The SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) does not perform origin checks on URLs that the camera's web interface redirects a user to. This can be leveraged to send a user to an unexpected endpoint. + SV3C HD Camera L Series 2.3.4.2103-S50-NTD-B20170508B and 2.3.4.2103-S50-NTD-B20170823B contains an open redirect vulnerability. It does not perform origin checks on URLs in the camera's web interface, which can be leveraged to send a user to an unexpected endpoint. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations. reference: - https://bishopfox.com/blog/sv3c-l-series-hd-camera-advisory - https://vuldb.com/?id.125799 - - https://nvd.nist.gov/vuln/detail/CVE-2018-12675 - https://www.bishopfox.com/news/2018/10/sv3c-l-series-hd-camera-multiple-vulnerabilities/ + - https://nvd.nist.gov/vuln/detail/CVE-2018-12675 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 @@ -30,3 +30,5 @@ requests: part: body words: - '' + +# Enhanced by md on 2022/10/13 diff --git a/cves/2018/CVE-2018-14474.yaml b/cves/2018/CVE-2018-14474.yaml index 65e39bbcda..d096ac5052 100644 --- a/cves/2018/CVE-2018-14474.yaml +++ b/cves/2018/CVE-2018-14474.yaml 
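Review bot: The body matcher shown as context in the second hunk of CVE-2018-12675, `words: - ''`, matches every response body and so contributes no evidence that the redirect actually happened; unless it is combined with a stricter matcher under `matchers-condition: and` above the hunk, the template fires on any response from the target. The enclosing matchers block starts outside the hunk, so this may already be gated, but the commit touches the file and leaves the empty word in place. The sibling templates in this commit use a `part: header` regex on the `Location` value pointing at interact.sh, and the same check would make this template's verdict meaningful.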
@@ -1,11 +1,11 @@ id: CVE-2018-14474 info: - name: OrangeForum 1.4.0 - Open Redirect + name: Orange Forum 1.4.0 - Open Redirect author: 0x_Akoko severity: medium description: | - views/auth.go in Orange Forum 1.4.0 allows Open Redirection via the next parameter to /login or /signup. + Orange Forum 1.4.0 contains an open redirect vulnerability in views/auth.go via the next parameter to /login or /signup. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. reference: - https://github.com/s-gv/orangeforum/commit/1f6313cb3a1e755880fc1354f3e1efc4dd2dd4aa - https://seclists.org/fulldisclosure/2019/Jan/32 @@ -30,3 +30,5 @@ requests: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 + +# Enhanced by md on 2022/10/13 diff --git a/cves/2018/CVE-2018-14574.yaml b/cves/2018/CVE-2018-14574.yaml index 97cad4590b..65fcbd3e9f 100644 --- a/cves/2018/CVE-2018-14574.yaml +++ b/cves/2018/CVE-2018-14574.yaml @@ -1,10 +1,10 @@ id: CVE-2018-14574 info: - name: Django Open Redirect + name: Django - Open Redirect author: pikpikcu severity: medium - description: django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. + description: Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 contains an open redirect vulnerability. If django.middleware.common.CommonMiddleware and APPEND_SLASH settings are selected, and if the project has a URL pattern that accepts any path ending in a slash, an attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. reference: - https://www.djangoproject.com/weblog/2018/aug/01/security-releases/ - https://usn.ubuntu.com/3726-1/ 
@@ -12,6 +12,7 @@ info: - https://www.debian.org/security/2018/dsa-4264 - http://web.archive.org/web/20210124194607/https://www.securityfocus.com/bid/104970/ - https://access.redhat.com/errata/RHSA-2019:0265 + - https://nvd.nist.gov/vuln/detail/CVE-2018-14574 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 @@ -34,3 +35,5 @@ requests: - "Location: https://www.interact.sh" - "Location: http://www.interact.sh" part: header + +# Enhanced by md on 2022/10/13 diff --git a/cves/2018/CVE-2018-16761.yaml b/cves/2018/CVE-2018-16761.yaml index b492c0e2a3..7f0883240e 100644 --- a/cves/2018/CVE-2018-16761.yaml +++ b/cves/2018/CVE-2018-16761.yaml @@ -1,11 +1,11 @@ id: CVE-2018-16761 info: - name: Eventum v3.3.4 - Open Redirect + name: Eventum <3.4.0 - Open Redirect author: 0x_Akoko severity: medium description: | - Eventum before 3.4.0 has an open redirect vulnerability. + Eventum before 3.4.0 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. reference: - https://www.invicti.com/web-applications-advisories/ns-18-021-open-redirection-vulnerabilities-in-eventum/ - https://github.com/eventum/eventum/releases/tag/v3.4.0 @@ -29,3 +29,5 @@ requests: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 + +# Enhanced by md on 2022/10/13 diff --git a/cves/2018/CVE-2018-17422.yaml b/cves/2018/CVE-2018-17422.yaml index 02d8bd123f..487f59d925 100644 --- a/cves/2018/CVE-2018-17422.yaml +++ b/cves/2018/CVE-2018-17422.yaml 
@@ -1,14 +1,15 @@ id: CVE-2018-17422 info: - name: dotCMS < 5.0.2 - Open Redirect + name: dotCMS <5.0.2 - Open Redirect author: 0x_Akoko,daffainfo severity: medium description: | - dotCMS before 5.0.2 has open redirects via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter. + dotCMS before 5.0.2 contains multiple open redirect vulnerabilities via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. reference: - https://github.com/dotCMS/core/issues/15286 - https://www.cvedetails.com/cve/CVE-2018-17422 + - https://nvd.nist.gov/vuln/detail/CVE-2018-17422 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 @@ -37,3 +38,5 @@ requests: - type: status status: - 200 + +# Enhanced by md on 2022/10/13 diff --git a/cves/2018/CVE-2018-19287.yaml b/cves/2018/CVE-2018-19287.yaml index b51052c757..0ed57f548c 100644 --- a/cves/2018/CVE-2018-19287.yaml +++ b/cves/2018/CVE-2018-19287.yaml @@ -1,11 +1,11 @@ id: CVE-2018-19287 info: - name: Ninja Forms <= 3.3.17 - Cross-Site Scripting + name: WordPress Ninja Forms <3.3.18 - Cross-Site Scripting author: theamanrawat severity: medium description: | - XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript. + WordPress Ninja Forms plugin before 3.3.18 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in includes/Admin/Menus/Submissions.php via the begin_date, end_date, or form_id parameters. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks. reference: - https://wpscan.com/vulnerability/fb036dc2-0ee8-4a3e-afac-f52050b3f8c7 - https://wordpress.org/plugins/ninja-forms/ 
@@ -50,3 +50,5 @@ requests: - type: status status: - 200 + +# Enhanced by md on 2022/10/17 diff --git a/cves/2018/CVE-2018-6200.yaml b/cves/2018/CVE-2018-6200.yaml index 3ef39cbffe..289dfa7e87 100644 --- a/cves/2018/CVE-2018-6200.yaml +++ b/cves/2018/CVE-2018-6200.yaml @@ -1,14 +1,15 @@ id: CVE-2018-6200 info: - name: vBulletin 3.x.x & 4.2.x - Open Redirect + name: vBulletin - Open Redirect author: 0x_Akoko,daffainfo severity: medium description: | - vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter. + vBulletin 3.x.x and 4.2.x through 4.2.5 contains an open redirect vulnerability via the redirector.php URL parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. reference: - https://cxsecurity.com/issue/WLB-2018010251 - https://www.cvedetails.com/cve/CVE-2018-6200 + - https://nvd.nist.gov/vuln/detail/CVE-2018-6200 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 @@ -35,3 +36,5 @@ requests: - type: status status: - 200 + +# Enhanced by md on 2022/10/13 diff --git a/cves/2019/CVE-2019-1010290.yaml b/cves/2019/CVE-2019-1010290.yaml index 4c2ef5bfde..98fce55eb6 100644 --- a/cves/2019/CVE-2019-1010290.yaml +++ b/cves/2019/CVE-2019-1010290.yaml 
@@ -1,10 +1,10 @@ id: CVE-2019-1010290 info: - name: Babel - Open Redirection + name: Babel - Open Redirect author: 0x_Akoko severity: medium - description: Babel Multilingual site Babel All is affected by Open Redirection The impact is Redirection to any URL, which is supplied to redirect in a newurl parameter. The component is redirect The attack vector is The victim must open a link created by an attacker + description: Babel contains an open redirect vulnerability via redirect.php in the newurl parameter. An attacker can use any legitimate site using Babel to redirect user to a malicious site, thus possibly obtaining sensitive information, modifying data, and/or executing unauthorized operations. reference: - https://untrustednetwork.net/en/2019/02/20/open-redirection-vulnerability-in-babel/ - http://dev.cmsmadesimple.org/project/files/729 @@ -26,3 +26,5 @@ requests: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 + +# Enhanced by md on 2022/10/13 diff --git a/cves/2019/CVE-2019-14223.yaml b/cves/2019/CVE-2019-14223.yaml index 52999cd8cd..a2aedf6ded 100644 --- a/cves/2019/CVE-2019-14223.yaml +++ b/cves/2019/CVE-2019-14223.yaml 
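Review bot: The rewritten description of CVE-2019-1010290 introduces the file name `redirect.php`, which neither the removed text (`The component is redirect`) nor either reference listed in the hunk mentions, so it looks like an inference rather than a sourced fact. If the advisory does not name that file, the sentence should stay at the level the source supports: `Babel contains an open redirect vulnerability via the newurl parameter of the redirect component.` The same sentence also reads `redirect user`, which should be `redirect a user`.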
@@ -1,14 +1,14 @@ id: CVE-2019-14223 info: - name: Alfresco Share Open Redirect + name: Alfresco Share - Open Redirect author: pdteam severity: medium - description: An issue was discovered in Alfresco Community Edition versions below 5.2.6, 6.0.N and 6.1.N. The Alfresco Share application is vulnerable to an Open Redirect attack via a crafted POST request. By manipulating - the POST parameters, an attacker can redirect a victim to a malicious website over any protocol the attacker desires (e.g.,http, https, ftp, smb, etc.). + description: Alfresco Share before 5.2.6, 6.0.N and 6.1.N contains an open redirect vulnerability via a crafted POST request. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. reference: - https://community.alfresco.com/content?filterID=all~objecttype~thread%5Bquestions%5D - https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-14223-Open%20Redirect%20in%20Alfresco%20Share-Alfresco%20Community + - https://nvd.nist.gov/vuln/detail/CVE-2019-14223 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 @@ -31,4 +31,6 @@ requests: - type: regex part: header regex: - - "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?interact\\.sh(?:\\s*)$" \ No newline at end of file + - "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?interact\\.sh(?:\\s*)$" + +# Enhanced by md on 2022/10/13 diff --git a/cves/2019/CVE-2019-18957.yaml b/cves/2019/CVE-2019-18957.yaml index 3292d43566..bbc7080061 100644 --- a/cves/2019/CVE-2019-18957.yaml +++ b/cves/2019/CVE-2019-18957.yaml 
@@ -1,15 +1,16 @@
 id: CVE-2019-18957
+
 info:
- name: Microstrategy Library before 11.1.3 XSS
+ name: MicroStrategy Library <11.1.3 - Cross-Site Scripting
 author: tess
 severity: medium
 description: |
- Microstrategy Library in MicroStrategy before 2019 before 11.1.3 has reflected XSS.
+ MicroStrategy Library before 11.1.3 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+ remediation: The issue can be resolved by downloading and installing 1.1.3, which has the patch.
 reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2019-18957
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18957
- - https://www.cvedetails.com/cve/CVE-2019-18957/
 - https://seclists.org/bugtraq/2019/Nov/23
+ - https://packetstormsecurity.com/files/155320/MicroStrategy-Library-Cross-Site-Scripting.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-18957
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
 cvss-score: 6.1
@@ -37,3 +38,5 @@ requests:
 - type: status
 status:
 - 200
+
+# Enhanced by md on 2022/10/18
diff --git a/cves/2019/CVE-2019-3912.yaml b/cves/2019/CVE-2019-3912.yaml
index 26ddc2eb9c..c8e7f22c1b 100644
--- a/cves/2019/CVE-2019-3912.yaml
+++ b/cves/2019/CVE-2019-3912.yaml
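Review bot: The new `remediation:` line in CVE-2019-18957 tells the reader to install `1.1.3`, while the name and description added in the same hunk give the fixed release as `11.1.3`; the dropped digit points operators at a release that does not match the rest of the template. It should read `remediation: The issue can be resolved by upgrading to MicroStrategy Library 11.1.3, which contains the patch.` The second hunk of this file only adds the trailing provenance comment and needs nothing.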
@@ -1,13 +1,14 @@ id: CVE-2019-3912 info: - name: LabKey Server < 18.3.0 - Open Redirect + name: LabKey Server Community Edition <18.3.0 - Open Redirect author: 0x_Akoko severity: medium - description: An open redirect vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 via the /__r1/ returnURL parameter allows an unauthenticated remote attacker to redirect users to arbitrary web sites. + description: LabKey Server Community Edition before 18.3.0-61806.763 contains an open redirect vulnerability via the /__r1/ returnURL parameter, which allows an attacker to redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. reference: - https://www.tenable.com/security/research/tra-2019-03 - https://www.cvedetails.com/cve/CVE-2019-3912 + - https://nvd.nist.gov/vuln/detail/CVE-2019-3912 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 @@ -27,3 +28,5 @@ requests: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 + +# Enhanced by md on 2022/10/13 diff --git a/cves/2019/CVE-2019-7275.yaml b/cves/2019/CVE-2019-7275.yaml index 718300f26e..30d4e97567 100644 --- a/cves/2019/CVE-2019-7275.yaml +++ b/cves/2019/CVE-2019-7275.yaml 
@@ -1,15 +1,16 @@ id: CVE-2019-7275 info: - name: Open Redirect in Optergy Proton/Enterprise BMS + name: Optergy Proton/Enterprise Building Management System - Open Redirect author: 0x_Akoko severity: medium - description: Optergy Proton/Enterprise devices allow Open Redirect. + description: Optergy Proton/Enterprise Building Management System contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. reference: - https://packetstormsecurity.com/files/155268/Optergy-Proton-Enterprise-BMS-2.3.0a-Open-Redirect.html - https://applied-risk.com/resources/ar-2019-008 - https://cxsecurity.com/issue/WLB-2019110074 - https://applied-risk.com/labs/advisories + - https://nvd.nist.gov/vuln/detail/CVE-2019-7275 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 @@ -27,3 +28,5 @@ requests: regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' part: header + +# Enhanced by md on 2022/10/13 diff --git a/cves/2019/CVE-2019-9915.yaml b/cves/2019/CVE-2019-9915.yaml index a985850155..0a46dc948d 100644 --- a/cves/2019/CVE-2019-9915.yaml +++ b/cves/2019/CVE-2019-9915.yaml 
@@ -1,15 +1,16 @@ id: CVE-2019-9915 info: - name: GetSimpleCMS 3.3.13 - Open Redirection + name: GetSimple CMS 3.3.13 - Open Redirect author: 0x_Akoko severity: medium - description: GetSimpleCMS 3.3.13 has an Open Redirect via the admin/index.php redirect parameter. + description: GetSimple CMS 3.3.13 contains an open redirect vulnerability via the admin/index.php redirect parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. reference: - https://www.invicti.com/web-applications-advisories/ns-18-056-open-redirection-vulnerability-in-getsimplecms - https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1300 - https://www.cvedetails.com/cve/CVE-2019-9915 - https://www.netsparker.com/web-applications-advisories/ns-18-056-open-redirection-vulnerability-in-getsimplecms/ + - https://nvd.nist.gov/vuln/detail/CVE-2019-9915 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 @@ -33,3 +34,5 @@ requests: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/' # https://regex101.com/r/ZDYhFh/1 + +# Enhanced by md on 2022/10/13 diff --git a/cves/2020/CVE-2020-15129.yaml b/cves/2020/CVE-2020-15129.yaml index 2f13517b4a..4f987e6fd9 100644 --- a/cves/2020/CVE-2020-15129.yaml +++ b/cves/2020/CVE-2020-15129.yaml 
@@ -1,15 +1,16 @@ id: CVE-2020-15129 info: - name: Open-redirect in Traefik + name: Traefik - Open Redirect author: dwisiswant0 severity: medium - description: There exists a potential open redirect vulnerability in Traefik's handling of the X-Forwarded-Prefix header. Active Exploitation of this issue is unlikely as it would require active header injection, however the Traefik team may want to address this issue nonetheless to prevent abuse in e.g. cache poisoning scenarios. + description: Traefik before 1.7.26, 2.2.8, and 2.3.0-rc3 contains an open redirect vulnerability in the X-Forwarded-Prefix header. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. reference: - https://securitylab.github.com/advisories/GHSL-2020-140-Containous-Traefik - https://github.com/containous/traefik/releases/tag/v2.2.8 - https://github.com/containous/traefik/pull/7109 - https://github.com/containous/traefik/security/advisories/GHSA-6qq8-5wq3-86rp + - https://nvd.nist.gov/vuln/detail/CVE-2020-15129 classification: cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 4.7 @@ -35,3 +36,5 @@ requests: part: body words: - "Found" + +# Enhanced by md on 2022/10/13 diff --git a/cves/2020/CVE-2020-17526.yaml b/cves/2020/CVE-2020-17526.yaml index 031af8b6a7..4b03aaefda 100644 --- a/cves/2020/CVE-2020-17526.yaml +++ b/cves/2020/CVE-2020-17526.yaml 
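Review bot: The rewritten description of CVE-2020-15129 drops the exploitability caveat of the removed text, namely that abusing the X-Forwarded-Prefix handling requires an attacker who can already inject that request header, which is exactly why the template keeps `AC:H` and a 4.7 score. Without it the new wording reads like a plain user-clickable open redirect and overstates the finding; one sentence would keep the score and the text consistent, e.g. `Exploitation requires control of the X-Forwarded-Prefix request header, for example through an intermediary that forwards client-supplied headers, and is mostly relevant to cache-poisoning scenarios.` The fixed versions named in the new text (1.7.26, 2.2.8, 2.3.0-rc3) appear nowhere else in the hunk, so confirm them against the GHSA link before merging.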
@@ -1,20 +1,22 @@ id: CVE-2020-17526 info: - name: Apache Airflow < 1.10.14 - Authentication Bypass + name: Apache Airflow <1.10.14 - Authentication Bypass author: piyushchhiroliya severity: high description: | - Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. + Apache Airflow prior to 1.10.14 contains an authentication bypass vulnerability via incorrect session validation with default configuration. An attacker on site A can access unauthorized Airflow on site B through the site A session. + remediation: Change default value for [webserver] secret_key config. reference: - https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise - - https://nvd.nist.gov/vuln/detail/CVE-2020-17526 - https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E - http://www.openwall.com/lists/oss-security/2020/12/21/1 + - https://nvd.nist.gov/vuln/detail/CVE-2020-17526 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N cvss-score: 7.7 cve-id: CVE-2020-17526 + cwe-id: CWE-287 metadata: fofa-query: Apache Airflow verified: "true" @@ -49,3 +51,5 @@ requests: - "contains(body_1, 'Redirecting...')" - "status_code_1 == 302" condition: and + +# Enhanced by md on 2022/10/19 diff --git a/cves/2020/CVE-2020-18268.yaml b/cves/2020/CVE-2020-18268.yaml index 30e754c8d8..52b839a8e7 100644 --- a/cves/2020/CVE-2020-18268.yaml +++ b/cves/2020/CVE-2020-18268.yaml 
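Review bot: The added `remediation:` line in CVE-2020-17526, `Change default value for [webserver] secret_key config.`, does not say what the new value must be, and the description in the same hunk explains why that matters: a session from site A is accepted by site B because both run the default configuration, so any shared non-default value would leave the same cross-instance acceptance in place. Suggested wording: `remediation: Set a unique, randomly generated [webserver] secret_key on each Airflow deployment (never share one across instances), then upgrade to 1.10.14 or later.` The added `cwe-id: CWE-287` is consistent with the authentication-bypass classification already in the template.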
@@ -1,14 +1,15 @@
id: CVE-2020-18268 info:
- name: Z-BlogPHP 1.5.2 - Open Redirect
+ name: Z-Blog <=1.5.2 - Open Redirect
author: 0x_Akoko severity: medium
- description: Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect" parameter in the component "zb_system/cmd.php."
+ description: Z-Blog 1.5.2 and earlier contains an open redirect vulnerability via the redirect parameter in zb_system/cmd.php. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference: - https://github.com/zblogcn/zblogphp/issues/216 - https://www.cvedetails.com/cve/CVE-2020-18268 - https://github.com/zblogcn/zblogphp/issues/209
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-18268
classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1
@@ -37,3 +38,5 @@ requests:
part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+
+# Enhanced by md on 2022/10/13
diff --git a/cves/2020/CVE-2020-20285.yaml b/cves/2020/CVE-2020-20285.yaml
index f6e48d1942..859834c7df 100644
--- a/cves/2020/CVE-2020-20285.yaml
+++ b/cves/2020/CVE-2020-20285.yaml
@@ -1,11 +1,11 @@
id: CVE-2020-20285 info:
- name: zzcms - Reflected XSS
+ name: ZZcms - Cross-Site Scripting
author: edoardottt severity: medium description: |
- There is a XSS in the user login page in zzcms 2019. Users can inject js code by the referer header via user/login.php
+ ZZcms 2019 contains a cross-site scripting vulnerability in the user login page. An attacker can inject arbitrary JavaScript code in the referer header via user/login.php, which can allow theft of cookie-based credentials and launch of subsequent attacks.
reference: - https://github.com/iohex/ZZCMS/blob/master/zzcms2019_login_xss.md - https://nvd.nist.gov/vuln/detail/CVE-2020-20285
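Review bot: The new name `ZZcms - Cross-Site Scripting` drops the "Reflected" qualifier the old name carried, while the same commit adds the qualifier elsewhere (`FlatPress 1.2.1 - Stored Cross-Site Scripting`). The subtype matters for triage, since a reflected XSS delivered through the Referer header needs a victim interaction that a stored one does not. Suggest `name: ZZcms 2019 - Reflected Cross-Site Scripting`, which also carries the version the description already states. The Z-Blog hunks earlier on this line read fine.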
@@ -41,3 +41,5 @@ requests:
- type: status status: - 200
+
+# Enhanced by md on 2022/10/17
diff --git a/cves/2020/CVE-2020-22840.yaml b/cves/2020/CVE-2020-22840.yaml
index d4ac572b08..2f95022b5a 100644
--- a/cves/2020/CVE-2020-22840.yaml
+++ b/cves/2020/CVE-2020-22840.yaml
@@ -1,14 +1,15 @@
id: CVE-2020-22840 info:
- name: b2evolution CMS - Open Redirect
+ name: b2evolution CMS <6.11.6 - Open Redirect
author: geeknik severity: medium
- description: Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php.
+ description: b2evolution CMS before 6.11.6 contains an open redirect vulnerability via the redirect_to parameter in email_passthrough.php. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference: - https://github.com/b2evolution/b2evolution/issues/102 - http://packetstormsecurity.com/files/161362/b2evolution-CMS-6.11.6-Open-Redirection.html - https://www.exploit-db.com/exploits/49554
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-22840
classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1
@@ -26,3 +27,5 @@ requests:
regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$' part: header
+
+# Enhanced by md on 2022/10/13
diff --git a/cves/2020/CVE-2020-23015.yaml b/cves/2020/CVE-2020-23015.yaml
index a718da52a7..646db73c62 100644
--- a/cves/2020/CVE-2020-23015.yaml
+++ b/cves/2020/CVE-2020-23015.yaml
@@ -1,13 +1,14 @@
id: CVE-2020-23015 info:
- name: OPNsense 20.1.5. Open Redirect
+ name: OPNsense <=20.1.5 - Open Redirect
author: 0x_Akoko severity: medium
- description: An open redirect issue was discovered in OPNsense through 20.1.5. The redirect parameter "url" in login page was not filtered and can redirect user to any website.
+ description: OPNsense through 20.1.5 contains an open redirect vulnerability via the url redirect parameter in the login page, which is not filtered. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference: - https://github.com/opnsense/core/issues/4061 - https://www.cvedetails.com/cve/CVE-2020-23015
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-23015
classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1
@@ -25,4 +26,6 @@ requests:
- type: regex part: header regex:
- - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
\ No newline at end of file
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
+
+# Enhanced by md on 2022/10/13
diff --git a/cves/2020/CVE-2020-24550.yaml b/cves/2020/CVE-2020-24550.yaml
index 344189257f..0be6d3e6ca 100644
--- a/cves/2020/CVE-2020-24550.yaml
+++ b/cves/2020/CVE-2020-24550.yaml
@@ -1,12 +1,13 @@
id: CVE-2020-24550 info:
- name: EpiServer <13.2.7 - Open Redirect
+ name: EpiServer Find <13.2.7 - Open Redirect
author: dhiyaneshDK severity: medium
- description: An Open Redirect vulnerability in EpiServer Find before 13.2.7 allows an attacker to redirect users to untrusted websites via the _t_redirect parameter in a crafted URL, such as a /find_v2/_click URL.
+ description: EpiServer Find before 13.2.7 contains an open redirect vulnerability via the _t_redirect parameter in a crafted URL, such as a /find_v2/_click URL. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference: - https://labs.nettitude.com/blog/cve-2020-24550-open-redirect-in-episerver-find/
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-24550
classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1
@@ -29,3 +30,5 @@ requests:
- type: status status: - 301
+
+# Enhanced by md on 2022/10/13
diff --git a/cves/2020/CVE-2020-35489.yaml b/cves/2020/CVE-2020-35489.yaml
index 8fcc8610d1..9f6144dd36 100644
--- a/cves/2020/CVE-2020-35489.yaml
+++ b/cves/2020/CVE-2020-35489.yaml
@@ -15,7 +15,7 @@ info:
cvss-score: 10 cve-id: CVE-2020-35489 cwe-id: CWE-434
- tags: cve,cve2020,wordpress,wp-plugin,rce,upload,intrusive
+ tags: cve,cve2020,wordpress,wp-plugin,rce,fileupload,intrusive
requests: - method: GET
diff --git a/cves/2020/CVE-2020-36365.yaml b/cves/2020/CVE-2020-36365.yaml
index 1d16630c70..b9ba68b772 100644
--- a/cves/2020/CVE-2020-36365.yaml
+++ b/cves/2020/CVE-2020-36365.yaml
@@ -1,14 +1,15 @@
id: CVE-2020-36365 info:
- name: Smartstore < 4.1.0 - Open Redirect
+ name: Smartstore <4.1.0 - Open Redirect
author: 0x_Akoko severity: medium
- description: Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect.
+ description: Smartstore (aka "SmartStoreNET") before 4.1.0 contains an open redirect vulnerability via CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference: - https://github.com/smartstore/SmartStoreNET/issues/2113 - https://www.cvedetails.com/cve/CVE-2020-36365 - https://github.com/smartstore/SmartStoreNET
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-36365
classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1
@@ -29,3 +30,5 @@ requests:
part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+
+# Enhanced by md on 2022/10/14
diff --git a/cves/2020/CVE-2020-8772.yaml b/cves/2020/CVE-2020-8772.yaml
index e490de4ab9..5802361ec5 100644
--- a/cves/2020/CVE-2020-8772.yaml
+++ b/cves/2020/CVE-2020-8772.yaml
@@ -1,19 +1,17 @@
id: CVE-2020-8772 info:
- name: WordPress InfiniteWP Client < 1.9.4.5 - Authentication Bypass
+ name: WordPress InfiniteWP <1.9.4.5 - Authorization Bypass
author: princechaddha,scent2d severity: critical description: |
- The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missing
- authorization check in iwp_mmb_set_request in init.php. Any attacker who
- knows the username of an administrator can log in.
+ WordPress InfiniteWP plugin before 1.9.4.5 for WordPress contains an authorization bypass vulnerability via a missing authorization check in iwp_mmb_set_request in init.php. An attacker who knows the username of an administrator can log in, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
+ remediation: Upgrade to InfiniteWP 1.9.4.5 or higher.
reference: - https://wpscan.com/vulnerability/10011
- - https://nvd.nist.gov/vuln/detail/CVE-2020-8772
- https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/ - https://wpvulndb.com/vulnerabilities/10011
- remediation: Upgrade to InfiniteWP Client 1.9.4.5 or higher.
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-8772
classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8
@@ -72,3 +70,5 @@ requests:
- type: status status: - 200
+
+# Enhanced by md on 2022/10/19
diff --git a/cves/2021/CVE-2021-20031.yaml b/cves/2021/CVE-2021-20031.yaml
index 2868443a01..0f880cf873 100644
--- a/cves/2021/CVE-2021-20031.yaml
+++ b/cves/2021/CVE-2021-20031.yaml
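Review bot: The new description opens with `WordPress InfiniteWP plugin before 1.9.4.5 for WordPress`, repeating "WordPress" twice in one clause. The product named in the references is InfiniteWP Client (`vulnerability-infinitewp-client-wp-time-capsule`), and the new name and remediation both drop "Client", which makes the template harder to match against the advisory. Suggest `name: WordPress InfiniteWP Client <1.9.4.5 - Authorization Bypass`, `remediation: Upgrade to InfiniteWP Client 1.9.4.5 or higher.`, and opening the description with `WordPress InfiniteWP Client plugin before 1.9.4.5 contains …`.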
@@ -1,15 +1,15 @@
id: CVE-2021-20031 info:
- name: Sonicwall SonicOS 7.0 - Host Header Injection
+ name: SonicWall SonicOS 7.0 - Open Redirect
author: gy741 severity: medium
- description: A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack
+ description: SonicWall SonicOS 7.0 contains an open redirect vulnerability. The values of the Host headers are implicitly set as trusted. An attacker can spoof a particular host header, allowing the attacker to render arbitrary links, obtain sensitive information, modify data, execute unauthorized operations. and/or possibly redirect a user to a malicious site.
reference: - https://www.exploit-db.com/exploits/50414
- - https://nvd.nist.gov/vuln/detail/CVE-2021-20031
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0019 - http://packetstormsecurity.com/files/164502/Sonicwall-SonicOS-7.0-Host-Header-Injection.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-20031
classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1
@@ -37,3 +37,5 @@ requests:
- type: status status: - 200
+
+# Enhanced by md on 2022/10/14
diff --git a/cves/2021/CVE-2021-22873.yaml b/cves/2021/CVE-2021-22873.yaml
index 8854ab6514..d74f402d14 100644
--- a/cves/2021/CVE-2021-22873.yaml
+++ b/cves/2021/CVE-2021-22873.yaml
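Review bot: The new description has a stray sentence break, `execute unauthorized operations. and/or possibly redirect a user`, which should read `execute unauthorized operations, and/or possibly redirect a user`. Separately, the name is changed from Host Header Injection to Open Redirect while the remaining references still title the issue as host header injection (`Sonicwall-SonicOS-7.0-Host-Header-Injection.html`). If the reclassification is intended, the description should keep the original wording so the template stays searchable by it, e.g. `SonicWall SonicOS 7.0 contains a host header injection vulnerability that can be abused as an open redirect.`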
@@ -1,15 +1,15 @@
id: CVE-2021-22873 info:
- name: Revive Adserver < 5.1.0 Open Redirect
+ name: Revive Adserver <5.1.0 - Open Redirect
author: pudsec severity: medium
- description: Revive Adserver before 5.1.0 is vulnerable to open redirects via the dest, oadest, and ct0 parameters of the lg.php and ck.php delivery scripts.
+ description: Revive Adserver before 5.1.0 contains an open redirect vulnerability via the dest, oadest, and ct0 parameters of the lg.php and ck.php delivery scripts. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2021-22873
- https://hackerone.com/reports/1081406 - https://github.com/revive-adserver/revive-adserver/issues/1068 - http://seclists.org/fulldisclosure/2021/Jan/60
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-22873
classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1
@@ -38,3 +38,5 @@ requests:
part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+
+# Enhanced by md on 2022/10/14
diff --git a/cves/2021/CVE-2021-22911.yaml b/cves/2021/CVE-2021-22911.yaml
index 87dbd5eb98..fa55be1229 100644
--- a/cves/2021/CVE-2021-22911.yaml
+++ b/cves/2021/CVE-2021-22911.yaml
@@ -1,16 +1,17 @@
id: CVE-2021-22911
+
info:
- name: RocketChat - NoSQL injection
+ name: Rocket.Chat <=3.13 - NoSQL Injection
author: tess,sullo severity: critical
- description: Rocket.Chat server versions 3.11, 3.12 and 3.1 allow unauthenticated access to an API endpoint which leads to NoSQL injection in the database.
+ description: Rocket.Chat 3.11, 3.12 and 3.13 contains a NoSQL injection vulnerability which allows unauthenticated access to an API endpoint. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference: - http://packetstormsecurity.com/files/162997/Rocket.Chat-3.12.1-NoSQL-Injection-Code-Execution.html - https://github.com/vulhub/vulhub/tree/master/rocketchat/CVE-2021-22911 - https://hackerone.com/reports/1130721
- - https://nvd.nist.gov/vuln/detail/CVE-2021-22911
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22911 - https://blog.sonarsource.com/nosql-injections-in-rocket-chat
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-22911
classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8
@@ -47,3 +48,5 @@ requests:
- type: status status: - 200
+
+# Enhanced by mp on 2022/10/12
diff --git a/cves/2021/CVE-2021-24165.yaml b/cves/2021/CVE-2021-24165.yaml
index ec65dbe367..b80bf03591 100644
--- a/cves/2021/CVE-2021-24165.yaml
+++ b/cves/2021/CVE-2021-24165.yaml
@@ -1,15 +1,15 @@
id: CVE-2021-24165 info:
- name: Ninja Forms < 3.4.34 - Administrator Open Redirect
+ name: WordPress Ninja Forms <3.4.34 - Open Redirect
author: dhiyaneshDk,daffainfo severity: medium description: |
- The wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place.
+ WordPress Ninja Forms plugin before 3.4.34 contains an open redirect vulnerability via the wp_ajax_nf_oauth_connect AJAX action, due to the use of a user-supplied redirect parameter and no protection in place. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference: - https://wpscan.com/vulnerability/6147acf5-e43f-47e6-ab56-c9c8be584818
- - https://nvd.nist.gov/vuln/detail/CVE-2021-24165
- https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-severe-vulnerabilities-patched-in-ninja-forms/
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24165
classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1
@@ -41,3 +41,5 @@ requests:
- 'status_code_2 == 302' - "contains(all_headers_2, 'Location: https://interact.sh?client_id=1')" condition: and
+
+# Enhanced by md on 2022/10/14
diff --git a/cves/2021/CVE-2021-24210.yaml b/cves/2021/CVE-2021-24210.yaml
index a866cb9404..5fcb07b1ff 100644
--- a/cves/2021/CVE-2021-24210.yaml
+++ b/cves/2021/CVE-2021-24210.yaml
@@ -1,17 +1,15 @@
id: CVE-2021-24210 info:
- name: PhastPress < 1.111 - Open Redirect
+ name: WordPress PhastPress <1.111 - Open Redirect
author: 0x_Akoko severity: medium description: |
- There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to malform a request to a page
- with the plugin and then redirect the victim to a malicious page. There is also a support comment from another user one year
- ago (https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/) that says that the php involved in the request only
- go to whitelisted pages but it's possible to redirect the victim to any domain.
+ WordPress PhastPress plugin before 1.111 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference: - https://wpscan.com/vulnerability/9b3c5412-8699-49e8-b60c-20d2085857fb - https://plugins.trac.wordpress.org/changeset/2497610/
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24210
classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1
@@ -29,3 +27,5 @@ requests:
regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' part: header
+
+# Enhanced by md on 2022/10/14
diff --git a/cves/2021/CVE-2021-24288.yaml b/cves/2021/CVE-2021-24288.yaml
index e7ca796c7e..2ba63c208f 100644
--- a/cves/2021/CVE-2021-24288.yaml
+++ b/cves/2021/CVE-2021-24288.yaml
@@ -1,13 +1,13 @@
id: CVE-2021-24288 info:
- name: AcyMailing < 7.5.0 - Open Redirect
+ name: WordPress AcyMailing <7.5.0 - Open Redirect
author: 0x_Akoko severity: medium
- description: When using acymailing to subscribe to a newsletter, you make a POST request with various parameters. Turning that to a GET request and adding the parameters as GET parameters, you can successfully
- go through with the subscription.
+ description: WordPress AcyMailing plugin before 7.5.0 contains an open redirect vulnerability due to improper sanitization of the redirect parameter. An attacker turning the request from POST to GET can craft a link containing a potentially malicious landing page and send it to the user.
reference: - https://wpscan.com/vulnerability/56628862-1687-4862-9ed4-145d8dfbca97
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24288
classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1
@@ -25,3 +25,5 @@ requests:
regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' part: header
+
+# Enhanced by md on 2022/10/14
diff --git a/cves/2021/CVE-2021-24838.yaml b/cves/2021/CVE-2021-24838.yaml
index 66ac6d2839..a19bab39ee 100644
--- a/cves/2021/CVE-2021-24838.yaml
+++ b/cves/2021/CVE-2021-24838.yaml
@@ -1,13 +1,14 @@
id: CVE-2021-24838 info:
- name: AnyComment < 0.3.5 - Open Redirect
+ name: WordPress AnyComment <0.3.5 - Open Redirect
author: noobexploiter severity: medium description: |
- The plugin has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature.
+ WordPress AnyComment plugin before 0.3.5 contains an open redirect vulnerability via an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference: - https://wpscan.com/vulnerability/562e81ad-7422-4437-a5b4-fcab9379db82
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24838
classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1
@@ -34,3 +35,5 @@ requests:
- type: status status: - 302
+
+# Enhanced by md on 2022/10/14
diff --git a/cves/2021/CVE-2021-24940.yaml b/cves/2021/CVE-2021-24940.yaml
index 38cd9510b5..6b0c52a02f 100644
--- a/cves/2021/CVE-2021-24940.yaml
+++ b/cves/2021/CVE-2021-24940.yaml
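Review bot: The rewritten description drops the removed text's note that the vendor regarded the redirect behaviour as a feature. That disposition is useful triage context when a hit is reported against a site that cannot move past 0.3.5, since it signals the behaviour was intentional rather than an oversight. Suggest keeping it, e.g. appending `The vendor has described this behaviour as a feature.` after the `without being validated` sentence. The new name and the added NVD reference are fine.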
@@ -1,11 +1,12 @@
id: CVE-2021-24940 info:
- name: Persian Woocommerce < 5.9.8 - Cross-Site Scripting
+ name: WordPress Persian Woocommerce <=5.8.0 - Cross-Site Scripting
author: daffainfo severity: medium description: |
- The Persian Woocommerce WordPress plugin through 5.8.0 does not escape the s parameter before outputting it back in an attribute in the admin dashboard, which could lead to a Reflected Cross-Site Scripting issue
+ WordPress Persian Woocommerce plugin through 5.8.0 contains a cross-site scripting vulnerability. The plugin does not escape the s parameter before outputting it back in an attribute in the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site and possibly steal cookie-based authentication credentials and launch other attacks.
+ remediation: Fixed in 5.9.8.
reference: - https://wpscan.com/vulnerability/1980c5ca-447d-4875-b542-9212cc7ff77f - https://nvd.nist.gov/vuln/detail/CVE-2021-24940
@@ -41,3 +42,5 @@ requests:
- contains(body_2, 'accesskey=X onclick=alert(1) test=') - contains(body_2, 'woocommerce_persian_translate') condition: and
+
+# Enhanced by md on 2022/10/17
diff --git a/cves/2021/CVE-2021-25111.yaml b/cves/2021/CVE-2021-25111.yaml
index 5f19090f61..42b2530141 100644
--- a/cves/2021/CVE-2021-25111.yaml
+++ b/cves/2021/CVE-2021-25111.yaml
@@ -1,12 +1,13 @@
id: CVE-2021-25111 info:
- name: English WordPress Admin < 1.5.2 - Unauthenticated Open Redirect
+ name: WordPress English Admin <1.5.2 - Open Redirect
author: akincibor severity: medium
- description: The plugin does not validate the admin_custom_language_return_url before redirecting users o it, leading to an open redirect issue.
+ description: WordPress English Admin plugin before 1.5.2 contains an open redirect vulnerability. The plugin does not validate the admin_custom_language_return_url before redirecting users to it. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference: - https://wpscan.com/vulnerability/af548fab-96c2-4129-b609-e24aad0b1fc4
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-25111
tags: cve2021,unauth,wpscan,wp-plugin,redirect,wordpress,wp,cve classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
@@ -24,3 +25,5 @@ requests:
part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+
+# Enhanced by md on 2022/10/14
diff --git a/cves/2021/CVE-2021-27909.yaml b/cves/2021/CVE-2021-27909.yaml
index f5518dd9ec..3472fde686 100644
--- a/cves/2021/CVE-2021-27909.yaml
+++ b/cves/2021/CVE-2021-27909.yaml
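Review bot: The new description's impact sentence omits the redirect itself: `An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.` reads as if the issue were direct data access, whereas the sibling open-redirect descriptions in this commit (CVE-2021-24165, CVE-2021-24838) say `An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.` Suggest the same wording here so the template's impact statement matches its `redirect` tag and the Location-header matcher in the tail hunk.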
@@ -1,10 +1,10 @@
id: CVE-2021-27909 info:
- name: Mautic - Cross-Site Scripting
+ name: Mautic <3.3.4 - Cross-Site Scripting
author: kiransau severity: medium
- description: Mautic versions prior to 3.3.4 are vulnerable to reflected XSS on password reset page where a vulnerable parameter, "bundle," in the URL could allow an attacker to execute Javascript code.
+ description: Mautic before 3.3.4 contains a cross-site scripting vulnerability on the password reset page in the bundle parameter of the URL. An attacker can inject arbitrary script, steal cookie-based authentication credentials, and/or launch other attacks.
reference: - https://github.com/mautic/mautic/security/advisories/GHSA-32hw-3pvh-vcvc - https://nvd.nist.gov/vuln/detail/CVE-2021-27909
@@ -40,3 +40,5 @@ requests:
- type: status status: - 200
+
+# Enhanced by md on 2022/10/17
diff --git a/cves/2021/CVE-2021-29622.yaml b/cves/2021/CVE-2021-29622.yaml
index 144d5434a0..1f71394bd7 100644
--- a/cves/2021/CVE-2021-29622.yaml
+++ b/cves/2021/CVE-2021-29622.yaml
@@ -1,14 +1,16 @@
id: CVE-2021-29622 info:
- name: Prometheus v2.23.0 to v2.26.0, and v2.27.0 Open Redirect
+ name: Prometheus - Open Redirect
author: geeknik severity: medium
- description: In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint.
+ description: Prometheus 2.23.0 through 2.26.0 and 2.27.0 contains an open redirect vulnerability. To ensure a seamless transition to 2.27.0, the default UI was changed to the new UI with a URL prefixed by /new redirect to /. Due to a bug in the code, an attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
+ remediation: The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.
reference: - https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7 - https://github.com/prometheus/prometheus/releases/tag/v2.26.1 - https://github.com/prometheus/prometheus/releases/tag/v2.27.1
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-29622
classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1
@@ -26,3 +28,5 @@ requests:
regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' part: header
+
+# Enhanced by md on 2022/10/14
diff --git a/cves/2021/CVE-2021-32618.yaml b/cves/2021/CVE-2021-32618.yaml
index 9516d961a3..1faa15b4ef 100644
--- a/cves/2021/CVE-2021-32618.yaml
+++ b/cves/2021/CVE-2021-32618.yaml
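Review bot: The rewritten description misstates the history: the removed text said the default UI changed in 2.23.0 and /new-prefixed URLs redirect to / for the transition, but the new text says `To ensure a seamless transition to 2.27.0, the default UI was changed to the new UI`, attaching the transition to the wrong version. Suggest `In 2.23.0 the default UI was changed to the new UI, and URLs prefixed with /new redirect to / to ease the transition.` The name also loses its version range (`Prometheus - Open Redirect`) while most renames in this commit add or keep a version bound in the name; `Prometheus 2.23.0-2.26.0, 2.27.0 - Open Redirect` would keep it consistent with the description's first sentence.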
@@ -1,12 +1,10 @@
id: CVE-2021-32618 info:
- name: Flask Open Redirect
+ name: Python Flask-Security - Open Redirect
author: 0x_Akoko severity: medium
- description: There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit
- library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\github.com
- will pass FS's relative URL check however many browsers will gladly convert this to http://interact.sh.
+ description: Python Flask-Security contains an open redirect vulnerability. Existing code validates that the URL specified in the next parameter is either relative or has the same network location as the requesting URL. Certain browsers accept and fill in the blanks of possibly incomplete or malformed URLs. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference: - https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c - https://github.com/Flask-Middleware/flask-security/issues/486
@@ -27,4 +25,6 @@ requests:
- type: regex part: header regex:
- - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
\ No newline at end of file
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+
+# Enhanced by md on 2022/10/14
diff --git a/cves/2021/CVE-2021-3654.yaml b/cves/2021/CVE-2021-3654.yaml
index 89990fba3a..4d2abfe3aa 100644
--- a/cves/2021/CVE-2021-3654.yaml
+++ b/cves/2021/CVE-2021-3654.yaml
@@ -1,15 +1,16 @@
id: CVE-2021-3654 info:
- name: noVNC Open Redirect
+ name: Nova noVNC - Open Redirect
author: geeknik severity: medium
- description: A user-controlled input redirects noVNC users to an external website.
+ description: Nova noVNC contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference: - https://seclists.org/oss-sec/2021/q3/188 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3654 - https://bugs.python.org/issue32084 - https://opendev.org/openstack/nova/commit/04d48527b62a35d912f93bc75613a6cca606df66
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-3654
classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1
@@ -34,3 +35,5 @@ requests:
status: - 302 - 301
+
+# Enhanced by md on 2022/10/14
diff --git a/cves/2021/CVE-2021-41432.yaml b/cves/2021/CVE-2021-41432.yaml
index c1b75af34d..3c8873a4e6 100644
--- a/cves/2021/CVE-2021-41432.yaml
+++ b/cves/2021/CVE-2021-41432.yaml
@@ -1,11 +1,11 @@
id: CVE-2021-41432 info:
- name: FlatPress 1.2.1 - Cross-site scripting
+ name: FlatPress 1.2.1 - Stored Cross-Site Scripting
author: arafatansari severity: medium description: |
- A stored cross-site scripting (XSS) vulnerability exists in FlatPress 1.2.1 that allows for arbitrary execution of JavaScript commands through blog content.
+ FlatPress 1.2.1 contains a stored cross-site scripting vulnerability that allows for arbitrary execution of JavaScript commands through blog content. An attacker can possibly steal cookie-based authentication credentials and launch other attacks.
reference: - https://github.com/flatpressblog/flatpress/issues/88 - https://nvd.nist.gov/vuln/detail/CVE-2021-41432
@@ -74,3 +74,5 @@ requests:
group: 1 regex: - 'name="_wpnonce" value="([0-9a-z]+)" />'
+
+# Enhanced by md on 2022/10/17
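Review bot: The new name `Nova noVNC - Open Redirect` names a component without its project; the referenced fix lives under `opendev.org/openstack/nova`, so `OpenStack Nova noVNC - Open Redirect` would match how the other renamed templates in this commit prefix the platform (`WordPress …`, `Python Flask-Security`). The rewritten description also states no affected version, while the reference list carries a Nova commit that appears to be the fix; a clause such as `Fixed in the referenced Nova commit.` would give a reader a concrete remediation anchor without adding facts the references do not support. The FlatPress hunks later on this line read fine.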
diff --git a/cves/2021/CVE-2021-45046.yaml b/cves/2021/CVE-2021-45046.yaml
index 651ced1cbb..677a692f1e 100644
--- a/cves/2021/CVE-2021-45046.yaml
+++ b/cves/2021/CVE-2021-45046.yaml
@@ -13,7 +13,7 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228 classification: cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
- cvss-score: 9
+ cvss-score: 9.0
cve-id: CVE-2021-45046 cwe-id: CWE-502 tags: cve,cve2021,rce,oast,log4j,injection
diff --git a/cves/2022/CVE-2022-0412.yaml b/cves/2022/CVE-2022-0412.yaml
index 0a8c08b94e..9b13911ec7 100644
--- a/cves/2022/CVE-2022-0412.yaml
+++ b/cves/2022/CVE-2022-0412.yaml
@@ -1,11 +1,11 @@
id: CVE-2022-0412 info:
- name: TI WooCommerce Wishlist WP plugin < 1.40.1 - SQL Injection
+ name: WordPress TI WooCommerce Wishlist <1.40.1 - SQL Injection
author: edoardottt severity: critical description: |
- The TI WooCommerce Wishlist WordPress plugin before 1.40.1, TI WooCommerce Wishlist Pro WordPress plugin before 1.40.1 do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks.
+ WordPress TI WooCommerce Wishlist plugin before 1.40.1 contains a SQL injection vulnerability. The plugin does not sanitize and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint.
reference: - https://wpscan.com/vulnerability/e984ba11-abeb-4ed4-9dad-0bfd539a9682 - https://wordpress.org/plugins/ti-woocommerce-wishlist/advanced/
@@ -40,3 +40,5 @@ requests:
- type: status status: - 400
+
+# Enhanced by mp on 2022/10/12
diff --git a/cves/2022/CVE-2022-0535.yaml b/cves/2022/CVE-2022-0535.yaml
index c9f5198133..1e9e090375 100644
--- a/cves/2022/CVE-2022-0535.yaml
+++ b/cves/2022/CVE-2022-0535.yaml
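Review bot: The rewritten CVE-2022-0412 description drops two facts the removed text carried: that TI WooCommerce Wishlist Pro before 1.40.1 is affected as well, and that the injection is reachable by unauthenticated users via the REST endpoint. Both change how a hit is triaged, and the `critical` severity rests on the second one, so suggest restoring them, e.g. appending `The Pro edition before 1.40.1 is also affected, and the endpoint is reachable without authentication.` The `cvss-score: 9` to `9.0` change for CVE-2021-45046 earlier on this line is fine.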
@@ -1,11 +1,11 @@
id: CVE-2022-0535 info:
- name: E2Pdf < 1.16.45 - Cross-Site Scripting
+ name: WordPress E2Pdf <1.16.45 - Cross-Site Scripting
author: theamanrawat severity: medium description: |
- The E2Pdf WordPress plugin before 1.16.45 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
+ WordPress E2Pdf plugin before 1.16.45 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape some of its settings, even when the unfiltered_html capability is disallowed. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, making it possible to steal cookie-based authentication credentials and launch other attacks.
reference: - https://wpscan.com/vulnerability/a4162e96-a3c5-4f38-a60b-aa3ed9508985 - https://wordpress.org/plugins/e2pdf/
@@ -62,3 +62,5 @@ requests:
group: 1 regex: - 'name="_nonce" value="([0-9a-zA-Z]+)"'
+
+# Enhanced by md on 2022/10/18
diff --git a/cves/2022/CVE-2022-0679.yaml b/cves/2022/CVE-2022-0679.yaml
index 2e76668747..653b6f5f12 100644
--- a/cves/2022/CVE-2022-0679.yaml
+++ b/cves/2022/CVE-2022-0679.yaml
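Review bot: The new description drops the privilege precondition the removed text stated: the XSS was reachable by `high privilege users` even with `unfiltered_html` disallowed, whereas the new sentence `An attacker can inject arbitrary script …` reads as unauthenticated. The `_nonce` extractor in the tail hunk suggests the check itself runs through an authenticated flow, which is consistent with the old wording. Suggest `The plugin does not sanitize and escape some of its settings, which allows high-privilege users to perform cross-site scripting attacks even when the unfiltered_html capability is disallowed.`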
@@ -1,15 +1,14 @@ id: CVE-2022-0679 info: - name: Narnoo Distributor <= 2.5.1 - Unauthenticated LFI to Arbitrary File Read / RCE + name: WordPress Narnoo Distributor <=2.5.1 - Local File Inclusion author: Veshraj severity: critical description: | - The plugin fails to validate and sanitize the lib_path parameter before it is passed into a call to require() via the narnoo_distributor_lib_request AJAX action (available to both unauthenticated and authenticated users) which results in the disclosure of arbitrary files as the content of the file is then displayed in the response as JSON data. This could also lead to RCE with various tricks but depends on the underlying system and it's configuration. + WordPress Narnoo Distributor plugin 2.5.1 and prior is susceptible to local file inclusion. The plugin does not validate and sanitize the lib_path parameter before being passed into a call to require() via the narnoo_distributor_lib_request AJAX action, and the content of the file is displayed in the response as JSON data. This can also lead to a remote code execution vulnerability depending on system and configuration. reference: - https://wpscan.com/vulnerability/0ea79eb1-6561-4c21-a20b-a1870863b0a8 - https://nvd.nist.gov/vuln/detail/CVE-2022-0679 - - https://www.cvedetails.com/cve/CVE-2022-0679/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -39,3 +38,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/10/12 diff --git a/cves/2022/CVE-2022-0781.yaml b/cves/2022/CVE-2022-0781.yaml index ac123053cb..9e057c78fd 100644 --- a/cves/2022/CVE-2022-0781.yaml +++ b/cves/2022/CVE-2022-0781.yaml 
@@ -1,11 +1,11 @@ id: CVE-2022-0781 info: - name: Nirweb support < 2.8.2 - Unauthenticated SQLi + name: WordPress Nirweb Support <2.8.2 - SQL Injection author: theamanrawat severity: critical description: | - The Nirweb support WordPress plugin before 2.8.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action (available to unauthenticated users), leading to an SQL injection. + WordPress Nirweb support plugin before 2.8.2 contains a SQL injection vulnerability. The plugin does not sanitize and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site. reference: - https://wpscan.com/vulnerability/1a8f9c7b-a422-4f45-a516-c3c14eb05161 - https://wordpress.org/plugins/nirweb-support/ @@ -41,3 +41,5 @@ requests: - type: status status: - 200 + +# Enhanced by md on 2022/10/12 diff --git a/cves/2022/CVE-2022-1768.yaml b/cves/2022/CVE-2022-1768.yaml index cb9a933fa4..bef9abc90f 100644 --- a/cves/2022/CVE-2022-1768.yaml +++ b/cves/2022/CVE-2022-1768.yaml 
@@ -1,16 +1,16 @@ id: CVE-2022-1768 info: - name: RSVPMaker WordPress plugin <= 9.3.2 - SQL Injection + name: WordPress RSVPMaker <=9.3.2 - SQL Injection author: edoardottt severity: high description: | - The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to insufficient escaping and parameterization on user supplied data passed to multiple SQL queries in the ~/rsvpmaker-email.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions up to, and including, 9.3.2. + WordPress RSVPMaker plugin through 9.3.2 contains a SQL injection vulnerability due to insufficient escaping and parameterization on user-supplied data passed to multiple SQL queries in ~/rsvpmaker-email.php. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. reference: - https://gist.github.com/Xib3rR4dAr/441d6bb4a5b8ad4b25074a49210a02cc - https://wordpress.org/plugins/rsvpmaker/ - - https://nvd.nist.gov/vuln/detail/CVE-2022-1768 - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2725322%40rsvpmaker&new=2725322%40rsvpmaker&sfp_email=&sfph_mail= + - https://nvd.nist.gov/vuln/detail/CVE-2022-1768 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -49,3 +49,5 @@ requests: - type: status status: - 200 + +# Enhanced by md on 2022/10/12 diff --git a/cves/2022/CVE-2022-1910.yaml b/cves/2022/CVE-2022-1910.yaml index e2244d6821..c31593fdf5 100644 --- a/cves/2022/CVE-2022-1910.yaml +++ b/cves/2022/CVE-2022-1910.yaml 
@@ -1,11 +1,11 @@ id: CVE-2022-1910 info: - name: Shortcodes and extra features for Phlox theme < 2.9.8 - Cross-Site-Scripting + name: WordPress Shortcodes and Extra Features for Phlox <2.9.8 - Cross-Site Scripting author: Akincibor severity: medium description: | - The plugin does not sanitise and escape a parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting. + WordPress Shortcodes and extra features plugin for the Phlox theme before 2.9.8 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the response. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. reference: - https://wpscan.com/vulnerability/8afe1638-66fa-44c7-9d02-c81573193b47 - https://wordpress.org/plugins/auxin-elements/ @@ -41,3 +41,5 @@ requests: - type: status status: - 200 + +# Enhanced by md on 2022/10/17 diff --git a/cves/2022/CVE-2022-2467.yaml b/cves/2022/CVE-2022-2467.yaml index 92a1b5bf42..175a0dee04 100644 --- a/cves/2022/CVE-2022-2467.yaml +++ b/cves/2022/CVE-2022-2467.yaml 
@@ -1,11 +1,11 @@ id: CVE-2022-2467 info: - name: SourceCodester Garage Management System 1.0 - SQL Injection + name: Garage Management System 1.0 - SQL Injection author: edoardottt severity: critical description: | - A vulnerability has been found in SourceCodester Garage Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /login.php. The manipulation of the argument username with the input 1@a.com' AND (SELECT 6427 FROM (SELECT(SLEEP(5)))LwLu) AND 'hsvT'='hsvT leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. + Garage Management System 1.0 contains a SQL injection vulnerability in /login.php via manipulation of the argument username with input 1@a.com' AND (SELECT 6427 FROM (SELECT(SLEEP(5)))LwLu) AND 'hsvT'='hsvT. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site. reference: - https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Garage-Management-System.md - https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html @@ -43,3 +43,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/10/12 diff --git a/cves/2022/CVE-2022-29272.yaml b/cves/2022/CVE-2022-29272.yaml index d98809525a..ca9dac25e6 100644 --- a/cves/2022/CVE-2022-29272.yaml +++ b/cves/2022/CVE-2022-29272.yaml 
@@ -1,16 +1,16 @@ id: CVE-2022-29272 info: - name: Nagios XI < 5.8.5 - Open Redirect + name: Nagios XI <5.8.5 - Open Redirect author: ritikchaddha severity: medium description: | - In Nagios XI through 5.8.5, an open redirect vulnerability exists in the login function that could lead to spoofing. + Nagios XI through 5.8.5 contains an open redirect vulnerability in the login function. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. reference: - https://github.com/sT0wn-nl/CVEs/tree/master/CVE-2022-29272 - - https://nvd.nist.gov/vuln/detail/CVE-2022-29272 - https://github.com/4LPH4-NL/CVEs - https://github.com/sT0wn-nl/CVEs/blob/master/README.md#nagios-xi + - https://nvd.nist.gov/vuln/detail/CVE-2022-29272 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 @@ -48,3 +48,5 @@ requests: regex: - '' - "" + +# Enhanced by md on 2022/10/14 diff --git a/cves/2022/CVE-2022-29775.yaml b/cves/2022/CVE-2022-29775.yaml index d075765694..011247fe3e 100644 --- a/cves/2022/CVE-2022-29775.yaml +++ b/cves/2022/CVE-2022-29775.yaml 
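Review bot: The new name `Nagios XI <5.8.5 - Open Redirect` disagrees with the description in the same hunk, which says `through 5.8.5`; `<5.8.5` excludes the very version the description says is affected. Since the description keeps the inclusive NVD wording, the name should probably be `Nagios XI <=5.8.5 - Open Redirect`, the `<=` form this commit already uses for CVE-2022-0679 and CVE-2022-1768. Whichever bound is correct, the two lines should agree.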
@@ -1,16 +1,16 @@ id: CVE-2022-29775 info: - name: iSpyConnect iSpy v7.2.2.0 - Improper Authentication + name: iSpy 7.2.2.0 - Authentication Bypass author: arafatansari severity: critical description: | - iSpyConnect iSpy v7.2.2.0 allows attackers to bypass authentication via a crafted URL. + iSpy 7.2.2.0 contains an authentication bypass vulnerability. An attacker can craft a URL and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. reference: - https://gist.github.com/securylight/79f673aa3a453c80c0e78f356a8f650b - https://github.com/securylight/CVES_write_ups/blob/main/iSpy_connect.pdf - - https://nvd.nist.gov/vuln/detail/CVE-2022-29775 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-29775 + - https://nvd.nist.gov/vuln/detail/CVE-2022-29775 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -44,3 +44,5 @@ requests: - type: status status: - 200 + +# Enhanced by md on 2022/10/19 diff --git a/cves/2022/CVE-2022-30512.yaml b/cves/2022/CVE-2022-30512.yaml index c3cfe86622..5673f0d940 100644 --- a/cves/2022/CVE-2022-30512.yaml +++ b/cves/2022/CVE-2022-30512.yaml 
@@ -5,12 +5,11 @@ info: author: tess severity: critical description: | - School Dormitory Management System 1.0 is vulnerable to SQL Injection via accounts/payment_history.php:31. + School Dormitory Management System 1.0 contains a SQL injection vulnerability via accounts/payment_history.php:31. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. reference: - https://github.com/bigzooooz/CVE-2022-30512 - - https://nvd.nist.gov/vuln/detail/CVE-2022-30512 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3051 - https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html + - https://nvd.nist.gov/vuln/detail/CVE-2022-30512 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -43,3 +42,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/10/12 diff --git a/cves/2022/CVE-2022-30513.yaml b/cves/2022/CVE-2022-30513.yaml index 6e7b70e0df..f2dcf98586 100644 --- a/cves/2022/CVE-2022-30513.yaml +++ b/cves/2022/CVE-2022-30513.yaml 
@@ -1,17 +1,15 @@ id: CVE-2022-30513 info: - name: School Dormitory Management - Authenticated XSS + name: School Dormitory Management System 1.0 - Authenticated Cross-Site Scripting author: tess severity: medium description: | - School Dormitory Management System v1.0 is vulnerable to reflected - cross-site scripting (XSS) via admin/inc/navigation.php:125 + School Dormitory Management System 1.0 contains an authenticated cross-site scripting vulnerability via admin/inc/navigation.php:125. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. reference: - https://github.com/bigzooooz/CVE-2022-30513 - https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html - https://nvd.nist.gov/vuln/detail/CVE-2022-30513 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30513 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 @@ -49,3 +47,5 @@ requests: - type: status status: - 200 + +# Enhanced by md on 2022/10/17 diff --git a/cves/2022/CVE-2022-30514.yaml b/cves/2022/CVE-2022-30514.yaml index af310d36ee..f736275b13 100644 --- a/cves/2022/CVE-2022-30514.yaml +++ b/cves/2022/CVE-2022-30514.yaml 
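Review bot: The new name `School Dormitory Management System 1.0 - Authenticated Cross-Site Scripting` is byte-identical to the name this commit gives cves/2022/CVE-2022-30514.yaml, so the two templates become indistinguishable in any output keyed on name. The old names at least told them apart through the `s=` parameter noted for CVE-2022-30514. Keep a distinguishing detail in each name (the affected parameter or page is the obvious candidate) unless the dashboard is known to key on cve-id alone.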
@@ -1,16 +1,16 @@ id: CVE-2022-30514 info: - name: School Dormitory Management - Authenticated XSS via "s=" parameter + name: School Dormitory Management System 1.0 - Authenticated Cross-Site Scripting author: tess severity: medium description: | - School Dormitory Management System v1.0 is vulnerable to reflected cross-site scripting (XSS) via admin/inc/navigation.php:125 + School Dormitory Management System 1.0 contains an authenticated cross-site scripting vulnerability in admin/inc/navigation.php:126. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. reference: - https://github.com/bigzooooz/CVE-2022-30514 - https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html - - https://nvd.nist.gov/vuln/detail/CVE-2022-30514 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30514 + - https://nvd.nist.gov/vuln/detail/CVE-2022-30514 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 @@ -48,3 +48,5 @@ requests: - type: status status: - 200 + +# Enhanced by md on 2022/10/17 diff --git a/cves/2022/CVE-2022-35914.yaml b/cves/2022/CVE-2022-35914.yaml index 00d4ea6869..2ead7eb0d7 100644 --- a/cves/2022/CVE-2022-35914.yaml +++ b/cves/2022/CVE-2022-35914.yaml 
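Review bot: The rewritten description moves the affected location from `admin/inc/navigation.php:125` to `admin/inc/navigation.php:126`, but nothing else in the hunk changes (the references are only reordered) and the sibling CVE-2022-30513 template keeps `:125` for the same file. If the two CVEs really sit on different lines this is a useful correction, but it should be confirmed against the referenced advisory rather than shipped silently in a wording pass; otherwise restore `:125`.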
@@ -1,16 +1,16 @@ id: CVE-2022-35914 info: - name: GLPI - Remote Code Execution + name: GLPI <=10.0.2 - Remote Command Execution author: For3stCo1d severity: critical description: | - /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection. + GLPI through 10.0.2 is susceptible to remote command execution injection in /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module. reference: - https://mayfly277.github.io/posts/GLPI-htmlawed-CVE-2022-35914 - https://github.com/cosad3s/CVE-2022-35914-poc - - https://nvd.nist.gov/vuln/detail/CVE-2022-35914 - http://www.bioinformatics.org/phplabware/sourceer/sourceer.php?&Sfs=htmLawedTest.php&Sl=.%2Finternal_utilities%2FhtmLawed + - https://nvd.nist.gov/vuln/detail/CVE-2022-35914 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -44,3 +44,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/10/12 diff --git a/cves/2022/CVE-2022-38553.yaml b/cves/2022/CVE-2022-38553.yaml index d15ee20546..eb2d6a07b6 100644 --- a/cves/2022/CVE-2022-38553.yaml +++ b/cves/2022/CVE-2022-38553.yaml 
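Review bot: The new phrase `is susceptible to remote command execution injection` names no recognised vulnerability class and loses the "PHP code injection" characterisation the old description had, while the name switches from Remote Code Execution to Remote Command Execution with no stated reason. Suggest `GLPI through 10.0.2 contains a PHP code injection vulnerability in /vendor/htmlawed/htmlawed/htmLawedTest.php (htmlawed module), which can lead to remote code execution.` and keeping `Remote Code Execution` in the name unless the cwe-id outside this hunk was changed to match the new wording.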
@@ -1,16 +1,16 @@ id: CVE-2022-38553 info: - name: Academy Learning Management System < v5.9.1 - Reflected XSS + name: Academy Learning Management System <5.9.1 - Cross-Site Scripting author: edoardottt severity: medium description: | - Academy Learning Management System before v5.9.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Search parameter. + Academy Learning Management System before 5.9.1 contains a cross-site scripting vulnerability via the Search parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. reference: - https://www.youtube.com/watch?v=yFiZffHoeKs&ab_channel=4websecurity - https://github.com/4websecurity/CVE-2022-38553 - - https://nvd.nist.gov/vuln/detail/CVE-2022-38553 - https://codecanyon.net/item/academy-course-based-learning-management-system/22703468 + - https://nvd.nist.gov/vuln/detail/CVE-2022-38553 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 @@ -43,3 +43,5 @@ requests: - type: status status: - 200 + +# Enhanced by md on 2022/10/18 diff --git a/cves/2022/CVE-2022-40083.yaml b/cves/2022/CVE-2022-40083.yaml index 42f38d17bb..99d53eff29 100644 --- a/cves/2022/CVE-2022-40083.yaml +++ b/cves/2022/CVE-2022-40083.yaml 
@@ -1,13 +1,15 @@ id: CVE-2022-40083 info: - name: Labstack Echo < v4.9.0 - Open Redirect + name: Labstack Echo 4.8.0 - Open Redirect author: pdteam severity: critical description: | - Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF). + Labstack Echo 4.8.0 contains an open redirect vulnerability via the Static Handler component. An attacker can leverage this vulnerability to cause server-side request forgery, making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations. + remediation: Download and install 4.9.0, which contains a patch for this issue. reference: - https://github.com/labstack/echo/issues/2259 + - https://nvd.nist.gov/vuln/detail/CVE-2022-40083 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H cvss-score: 9.6 @@ -30,3 +32,5 @@ requests: - type: status status: - 301 + +# Enhanced by md on 2022/10/18 diff --git a/cves/2022/CVE-2022-40684.yaml b/cves/2022/CVE-2022-40684.yaml index 9e3673f294..044f154f43 100644 --- a/cves/2022/CVE-2022-40684.yaml +++ b/cves/2022/CVE-2022-40684.yaml 
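Review bot: The new name `Labstack Echo 4.8.0 - Open Redirect` narrows the affected range from the old `< v4.9.0` to a single version, while the added `remediation` line says to install 4.9.0, which implies every earlier release is affected. If 4.8.0 is only the version the PoC was confirmed on, the name should keep the range, e.g. `Labstack Echo <4.9.0 - Open Redirect`, matching the `<` form used elsewhere in this commit. I cannot tell from the hunk which releases below 4.8.0 are vulnerable, so this should be checked against the linked issue before choosing.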
@@ -1,19 +1,21 @@ id: CVE-2022-40684 info: - name: Fortigate - Authentication bypass + name: Fortinet - Authentication Bypass author: Shockwave,nagli,carlosvieira severity: critical description: | - Enables an unauthenticated remote attacker to use administrative interfaces by sending specially crafted HTTP or HTTPS requests, allowing them to log in to various products of Fortinet that are unpatched. + Fortinet contains an authentication bypass vulnerability via using an alternate path or channel in FortiOS 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy 7.2.0 and 7.0.0 through 7.0.6, and FortiSwitchManager 7.2.0 and 7.0.0. An attacker can perform operations on the administrative interface via specially crafted HTTP or HTTPS requests, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations. reference: - https://github.com/horizon3ai/CVE-2022-40684/blob/master/CVE-2022-40684.py - https://securityonline.info/researchers-have-developed-cve-2022-40684-poc-exploit-code/ - https://socradar.io/what-do-you-need-to-know-about-fortinet-critical-authentication-bypass-vulnerability-cve-2022-40684/ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684 + - https://nvd.nist.gov/vuln/detail/CVE-2022-40684 classification: cvss-score: 9.6 cve-id: CVE-2022-27593 + cwe-id: CWE-288 tags: cve,cve2022,fortinet,fortigate,fortios,fortiproxy,auth-bypass,kev requests: @@ -33,8 +35,8 @@ requests: Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000; Content-Length: 610 - { - "ssh-public-key1":"{{randstr}}" + { + "ssh-public-key1":"{{randstr}}" } stop-at-first-match: true @@ -54,3 +56,5 @@ requests: - 'Invalid SSH public key.' - 'cli_error' condition: and + +# Enhanced by md on 2022/10/19 diff --git a/cves/2022/CVE-2022-41473.yaml b/cves/2022/CVE-2022-41473.yaml index 3f906df55f..0f5b7a7393 100644 --- a/cves/2022/CVE-2022-41473.yaml +++ b/cves/2022/CVE-2022-41473.yaml 
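Review bot: The classification block this hunk extends still carries the context line `cve-id: CVE-2022-27593`, which is not the template's id (`CVE-2022-40684`) and contradicts the NVD reference the hunk adds just above it; placing the new `cwe-id: CWE-288` next to a wrong cve-id makes the mismatch easier to overlook. Change it to `cve-id: CVE-2022-40684`, and consider adding the `cvss-metrics` vector alongside the 9.6 score, since every other classification block in this commit carries both. Separately, the re-indented `{` and `"ssh-public-key1"` lines appear to sit inside the raw request body beneath a fixed `Content-Length: 610`; if nuclei does not recompute the length for this request, the changed leading whitespace changes the body size, so please confirm the template still matches after the re-indent.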
@@ -1,13 +1,14 @@ id: CVE-2022-41473 info: - name: RPCMS 3.0.2 - Cross-site scripting (XSS) + name: RPCMS 3.0.2 - Cross-Site Scripting author: arafatansari severity: medium description: | - RPCMS v3.0.2 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the Search function. + RPCMS 3.0.2 contains a cross-site scripting vulnerability in the Search function. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. reference: - https://github.com/ralap-z/rpcms/issues/1 + - https://nvd.nist.gov/vuln/detail/CVE-2022-41473 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 @@ -40,3 +41,5 @@ requests: - type: status status: - 200 + +# Enhanced by md on 2022/10/18 diff --git a/exposures/backups/sql-dump.yaml b/exposures/backups/sql-dump.yaml index 418868119a..ba77e6ba09 100644 --- a/exposures/backups/sql-dump.yaml +++ b/exposures/backups/sql-dump.yaml @@ -1,11 +1,17 @@ id: default-sql-dump info: - name: MySQL Dump Files + name: MySQL - Dump Files author: geeknik,dwisiswant0,ELSFA7110 severity: medium + description: A MySQL dump file was found + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cwe-id: CWE-200 tags: exposure,backup,mysql + requests: - method: GET path: @@ -45,3 +51,5 @@ requests: - 200 - 206 condition: or + +# Enhanced by mp on 2022/10/12 diff --git a/exposures/configs/joomla-config-file.yaml b/exposures/configs/joomla-config-file.yaml index ce01415e5f..895eaf6079 100644 --- a/exposures/configs/joomla-config-file.yaml +++ b/exposures/configs/joomla-config-file.yaml 
@@ -4,7 +4,7 @@ info: name: Joomla! Config Dist File author: oppsec severity: low - description: configuration.php-dist is a file created by Joomla! to save Joomla settings. + description: configuration.php-dist is a file created by Joomla! to save application settings. tags: config,exposure,joomla requests: diff --git a/file/logs/suspicious-sql-error-messages.yaml b/file/logs/suspicious-sql-error-messages.yaml index 165559ac3c..328ba630c6 100644 --- a/file/logs/suspicious-sql-error-messages.yaml +++ b/file/logs/suspicious-sql-error-messages.yaml @@ -1,10 +1,14 @@ id: suspicious-sql-error-messages info: - name: Suspicious SQL Error Messages + name: SQL - Error Messages author: geeknik severity: high - description: Detects SQL error messages that indicate probing for an injection attack + description: SQL error messages that indicate probing for an injection attack were detected. + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cwe-id: CWE-89 tags: file,logs,sql,error file: @@ -36,3 +40,5 @@ file: regex: - 'near \"\*\"\: syntax error' - 'SELECTs to the left and right of UNION do not have the same number of result columns' + +# Enhanced by mp on 2022/10/12 diff --git a/fuzzing/header-command-injection.yaml b/fuzzing/header-command-injection.yaml index 82767a0a53..3e7415b216 100644 --- a/fuzzing/header-command-injection.yaml +++ b/fuzzing/header-command-injection.yaml @@ -1,10 +1,14 @@ id: header-command-injection info: - name: Header Command Injection + name: Header - Remote Command Injection author: geeknik severity: high - description: Fuzzing headers for command injection + description: Headers were tested for remote command injection vulnerabilities. + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-77 tags: fuzz,rce requests: @@ -33,3 +37,5 @@ requests: - type: regex regex: - "root:.*:0:0:" + +# Enhanced by mp on 2022/10/12 
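Review bot: The classification added to file/logs/suspicious-sql-error-messages.yaml sets `cvss-score: 9.8` (critical range) beneath an unchanged `severity: high`, and fuzzing/header-command-injection.yaml sets `cvss-score: 10.0` beneath `severity: high` as well, so the two fields now disagree in both files. For a log-pattern template that only flags evidence of probing, a `C:H/I:H/A:H` vector also overstates what a match proves; either lower the vector to what a detected probe implies or raise the severity so the fields agree. The same disagreement in the other direction (`severity: low` left in place under a newly added `cvss-score: 6.1`, which is medium) appears in the blocks added to misconfiguration/office365-open-redirect.yaml, vulnerabilities/dedecms/dedecms-openredirect.yaml, vulnerabilities/generic/open-redirect.yaml, vulnerabilities/httpbin/httpbin-open-redirect.yaml and vulnerabilities/other/aspnuke-openredirect.yaml. The two new blocks here also use `CVSS:3.0` where every other vector in the commit is `CVSS:3.1`.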
diff --git a/misconfiguration/caddy-open-redirect.yaml b/misconfiguration/caddy-open-redirect.yaml index 40f51f9b7c..5e9a63aa4d 100644 --- a/misconfiguration/caddy-open-redirect.yaml +++ b/misconfiguration/caddy-open-redirect.yaml @@ -1,11 +1,16 @@ id: caddy-open-redirect info: - name: Caddy 2.4.6 Open Redirect (php_fastcgi) + name: Caddy 2.4.6 Open Redirect author: dhiyaneshDK severity: medium + description: Caddy 2.4.6 contains an open redirect vulnerability via php_fastcgi. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. reference: - https://github.com/caddyserver/caddy/issues/4502 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cwe-id: CWE-601 tags: redirect,caddy,server requests: @@ -17,4 +22,6 @@ requests: - type: regex part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 \ No newline at end of file + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 + +# Enhanced by md on 2022/10/14 diff --git a/misconfiguration/exposed-sqlite-manager.yaml b/misconfiguration/exposed-sqlite-manager.yaml index 53be2f3e80..59e4876160 100644 --- a/misconfiguration/exposed-sqlite-manager.yaml +++ b/misconfiguration/exposed-sqlite-manager.yaml @@ -1,9 +1,10 @@ id: exposed-sqlite-manager info: - name: SQLiteManager - author: dhiyaneshDK,ritikchaddha + name: SQLiteManager - Text Display + author: dhiyaneshDK severity: medium + description: SQLiteManager panel contains inconsistent text display in title and text. reference: - https://www.exploit-db.com/ghdb/5003 tags: misconfig,sqlite,edb @@ -25,3 +26,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/10/12 
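Review bot: The added description `SQLiteManager panel contains inconsistent text display in title and text.` does not describe what exposed-sqlite-manager detects; judging by the GHDB reference and the `misconfig` tag, the template is an exposure check for a reachable SQLiteManager panel, not a text-rendering issue. Something like `SQLiteManager panel was detected. An exposed database administration interface can allow unauthenticated users to read or modify database contents.` fits the rest of the file. The same hunk also drops `ritikchaddha` from `author` with no explanation; a content-enhancement pass should not remove co-author attribution unless that is intended.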
diff --git a/misconfiguration/office365-open-redirect.yaml b/misconfiguration/office365-open-redirect.yaml index 70ac3cab60..aab0e5467e 100644 --- a/misconfiguration/office365-open-redirect.yaml +++ b/misconfiguration/office365-open-redirect.yaml @@ -1,11 +1,17 @@ id: office365-open-redirect info: - name: Office365 Open Redirect From Autodiscover + name: Office365 Autodiscover - Open Redirect author: dhiyaneshDk severity: low + description: Office365 Autodiscover contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + remediation: See https://learn.microsoft.com/en-us/outlook/troubleshoot/connectivity/how-to-suppress-autodiscover-redirect-warning for a workaround. reference: - https://medium.com/@heinjame/office365-open-redirect-from-autodiscover-64284d26c168 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cwe-id: CWE-601 tags: redirect,office365,microsoft requests: @@ -23,3 +29,5 @@ requests: - type: status status: - 302 + +# Enhanced by md on 2022/10/14 diff --git a/technologies/elasticsearch-sql-client-detect.yaml b/technologies/elasticsearch-sql-client-detect.yaml index 0522884878..d17d5c2a41 100644 --- a/technologies/elasticsearch-sql-client-detect.yaml +++ b/technologies/elasticsearch-sql-client-detect.yaml @@ -1,9 +1,10 @@ id: elasticsearch-sql-client-detect info: - name: Elasticsearch SQL Client Detect + name: Elasticsearch - SQL Client Detection author: pussycat0x severity: low + description: Elasticsearch detected SQL client. metadata: shodan-query: http.title:"Elasticsearch-sql client" tags: elasticsearch,tech,sql @@ -23,3 +24,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/10/12 diff --git a/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml b/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml index 150174ac80..2e90772b2b 100644 
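Review bot: The added description `Elasticsearch detected SQL client.` reads as if Elasticsearch performed a detection; the template is a technology check for the Elasticsearch SQL client web UI, as the `shodan-query` title on the following context line shows. Suggest `Elasticsearch SQL client was detected.` to match the wording of the other detection descriptions this commit adds.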
--- a/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml +++ b/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml @@ -6,17 +6,17 @@ info: severity: critical description: | Apache OFBiz is affected by a remote code execution vulnerability in the bundled Apache Log4j logging library. Apache Log4j is vulnerable due to insufficient protections on message lookup substitutions when dealing with user controlled input. A remote, unauthenticated attacker can exploit this, via a web request, to execute arbitrary code with the permission level of the running Java process. + remediation: Upgrade to Apache OFBiz version 8.12.03 or later. reference: - https://issues.apache.org/jira/browse/OFBIZ-12449 - https://ofbiz.apache.org/ - https://logging.apache.org/log4j/2.x/security.html - https://nvd.nist.gov/vuln/detail/CVE-2021-44228 - remediation: Upgrade to Apache OFBiz version 8.12.03 or later. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - cvss-score: 10 + cvss-score: 10.0 cve-id: CVE-2021-44228 - cwe-id: CWE-917 + cwe-id: CWE-77 metadata: shodan-query: http.html:"Apache OFBiz" tags: cve,cve2021,ofbiz,oast,log4j,rce,apache,jndi,kev diff --git a/vulnerabilities/apache/apache-solr-log4j-rce.yaml b/vulnerabilities/apache/apache-solr-log4j-rce.yaml index 162aa46f02..98bc72fa50 100644 --- a/vulnerabilities/apache/apache-solr-log4j-rce.yaml +++ b/vulnerabilities/apache/apache-solr-log4j-rce.yaml @@ -16,7 +16,7 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 cve-id: CVE-2021-44228 - cwe-id: CWE-917 + cwe-id: CWE-77 metadata: shodan-query: http.html:"Apache Solr" verified: "true" diff --git a/vulnerabilities/cisco/cisco-unified-communications-log4j.yaml b/vulnerabilities/cisco/cisco-unified-communications-log4j.yaml index 39e335aeea..56654b93ee 100644 --- a/vulnerabilities/cisco/cisco-unified-communications-log4j.yaml +++ b/vulnerabilities/cisco/cisco-unified-communications-log4j.yaml 
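Review bot: Changing `cwe-id` from `CWE-917` to `CWE-77` in apache-ofbiz-log4j-rce.yaml moves the Log4Shell classification away from the one NVD assigns to CVE-2021-44228 (CWE-917, Expression Language Injection, alongside CWE-502); CWE-77 is generic command injection and does not describe JNDI lookup substitution. The same edit is applied to apache-solr-log4j-rce.yaml, cisco-unified-communications-log4j.yaml, cisco-vmanage-log4j.yaml, code42-log4j-rce.yaml and jamf-log4j-jndi-rce.yaml; unless there is a repository-wide decision to map every RCE template to CWE-77, keep `cwe-id: CWE-917`, which also sits consistently with the `CWE-502` this commit leaves on CVE-2021-45046. Note as well that this hunk normalises `cvss-score: 10` to `10.0` while the sibling log4j hunks leave `cvss-score: 10` untouched, so the normalisation is only half applied.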
@@ -13,7 +13,7 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 cve-id: CVE-2021-44228 - cwe-id: CWE-917 + cwe-id: CWE-77 metadata: shodan-query: title:"Cisco Unified" verified: "true" diff --git a/vulnerabilities/cisco/cisco-vmanage-log4j.yaml b/vulnerabilities/cisco/cisco-vmanage-log4j.yaml index 525e0faf86..3fac022a37 100644 --- a/vulnerabilities/cisco/cisco-vmanage-log4j.yaml +++ b/vulnerabilities/cisco/cisco-vmanage-log4j.yaml @@ -13,7 +13,7 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 cve-id: CVE-2021-44228 - cwe-id: CWE-917 + cwe-id: CWE-77 metadata: shodan-query: title:"vManage" verified: "true" diff --git a/vulnerabilities/code42/code42-log4j-rce.yaml b/vulnerabilities/code42/code42-log4j-rce.yaml index f3e1b218f6..dabd9fe7fe 100644 --- a/vulnerabilities/code42/code42-log4j-rce.yaml +++ b/vulnerabilities/code42/code42-log4j-rce.yaml @@ -19,7 +19,7 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 cve-id: CVE-2021-44228 - cwe-id: CWE-917 + cwe-id: CWE-77 tags: jndi,log4j,rce,cve,cve2021,oast,code42,kev requests: diff --git a/vulnerabilities/dedecms/dedecms-openredirect.yaml b/vulnerabilities/dedecms/dedecms-openredirect.yaml index f240d95c4d..4b433c6dc4 100644 --- a/vulnerabilities/dedecms/dedecms-openredirect.yaml +++ b/vulnerabilities/dedecms/dedecms-openredirect.yaml 
@@ -1,11 +1,16 @@ id: dedecms-openredirect info: - name: DedeCMS Open Redirect + name: DedeCMS - Open Redirect author: pikpikcu severity: low + description: DedeCMS contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. reference: - https://blog.csdn.net/ystyaoshengting/article/details/82734888 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cwe-id: CWE-601 metadata: verified: true shodan-query: http.html:"power by dedecms" || title:"dedecms" @@ -26,3 +31,5 @@ requests: - type: status status: - 302 + +# Enhanced by md on 2022/10/14 diff --git a/vulnerabilities/generic/open-redirect.yaml b/vulnerabilities/generic/open-redirect.yaml index 9882c469e4..9729aeddde 100644 --- a/vulnerabilities/generic/open-redirect.yaml +++ b/vulnerabilities/generic/open-redirect.yaml @@ -1,10 +1,14 @@ id: open-redirect info: - name: Open URL redirect detection + name: Open Redirect - Detection author: afaq,melbadry9,Elmahdi,pxmme1337,Regala_,andirrahmani1,geeknik severity: low - description: A user-controlled input redirects users to an external website. + description: An open redirect vulnerability was detected. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cwe-id: CWE-601 tags: redirect,generic requests: @@ -121,3 +125,5 @@ requests: - 307 - 308 condition: or + +# Enhanced by mp on 2022/10/14 diff --git a/vulnerabilities/httpbin/httpbin-open-redirect.yaml b/vulnerabilities/httpbin/httpbin-open-redirect.yaml index 961d4ae06f..c39b8f33d1 100644 --- a/vulnerabilities/httpbin/httpbin-open-redirect.yaml +++ b/vulnerabilities/httpbin/httpbin-open-redirect.yaml 
@@ -4,8 +4,13 @@ info:
 name: HTTPBin - Open Redirect
 author: Adam Crosser
 severity: low
+ description: HTTPBin contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
 reference:
 - https://github.com/postmanlabs/httpbin
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cwe-id: CWE-601
 metadata:
 shodan-query:
 - html:"https://github.com/requests/httpbin"
@@ -25,4 +30,6 @@ requests:
 - type: status
 status:
- - 302
\ No newline at end of file
+ - 302
+
+# Enhanced by md on 2022/10/14
diff --git a/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml b/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml
index a07cadbf9e..212771d3c6 100644
--- a/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml
+++ b/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml
@@ -15,7 +15,7 @@ info:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
 cvss-score: 10
 cve-id: CVE-2021-44228
- cwe-id: CWE-917
+ cwe-id: CWE-77
 metadata:
 shodan-query: http.html:"JamF"
 verified: "true"
diff --git a/vulnerabilities/netsweeper/netsweeper-open-redirect.yaml b/vulnerabilities/netsweeper/netsweeper-open-redirect.yaml
index 3a642b46b5..95d101cfd7 100644
--- a/vulnerabilities/netsweeper/netsweeper-open-redirect.yaml
+++ b/vulnerabilities/netsweeper/netsweeper-open-redirect.yaml
@@ -1,12 +1,16 @@
 id: netsweeper-open-redirect
 info:
- name: Netsweeper 4.0.9 - Open Redirection
+ name: Netsweeper 4.0.9 - Open Redirect
 author: daffainfo
 severity: medium
- description: Netsweeper version 4.0.9 was vulnerable to an Unauthenticated and Authenticated Open Redirect vulnerability.
+ description: Netsweeper 4.0.9 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
 reference:
 - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cwe-id: CWE-601
 tags: netsweeper,redirect,packetstorm
 requests:
@@ -19,3 +23,5 @@ requests:
 part: header
 regex:
 - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
+
+# Enhanced by md on 2022/10/14
diff --git a/vulnerabilities/other/aspnuke-openredirect.yaml b/vulnerabilities/other/aspnuke-openredirect.yaml
index 1dcc28d81d..3561f65aa6 100644
--- a/vulnerabilities/other/aspnuke-openredirect.yaml
+++ b/vulnerabilities/other/aspnuke-openredirect.yaml
@@ -1,9 +1,16 @@
 id: aspnuke-openredirect
 info:
- name: ASP-Nuke Open Redirect
+ name: ASP-Nuke - Open Redirect
 author: pdteam
 severity: low
+ description: ASP-Nuke contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
+ reference:
+ - https://packetstormsecurity.com/files/125931/ASP-Nuke-2.0.7-Open-Redirect.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cwe-id: CWE-601
 tags: aspnuke,redirect
 requests:
@@ -15,4 +22,6 @@ requests:
 - type: regex
 part: header
 regex:
- - '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*)$'
\ No newline at end of file
+ - '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*)$'
+
+# Enhanced by md on 2022/10/14
diff --git a/vulnerabilities/other/bitrix-open-redirect.yaml b/vulnerabilities/other/bitrix-open-redirect.yaml
index d717cc9e11..75a0719244 100644
--- a/vulnerabilities/other/bitrix-open-redirect.yaml
+++ b/vulnerabilities/other/bitrix-open-redirect.yaml
@@ -1,12 +1,16 @@
 id: bitrix-open-redirect
 info:
- name: Bitrix Open URL redirect detection
+ name: Bitrix Site Management Russia 2.0 - Open Redirect
 author: pikpikcu
 severity: low
- description: The Bitrix Russia Site Management 2.0 accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect.
+ description: Bitrix Site Management Russia 2.0 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
 reference:
 - https://packetstormsecurity.com/files/151955/1C-Bitrix-Site-Management-Russia-2.0-Open-Redirection.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cwe-id: CWE-601
 tags: redirect,bitrix,packetstorm
 requests:
@@ -37,4 +41,6 @@ requests:
 condition: or
 status:
 - 302
- - 301
\ No newline at end of file
+ - 301
+
+# Enhanced by md on 2022/10/14
diff --git a/vulnerabilities/other/elasticsearch5-log4j-rce.yaml b/vulnerabilities/other/elasticsearch5-log4j-rce.yaml
index 43cb9dd10a..a071696eae 100644
--- a/vulnerabilities/other/elasticsearch5-log4j-rce.yaml
+++ b/vulnerabilities/other/elasticsearch5-log4j-rce.yaml
@@ -14,7 +14,7 @@ info:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
 cvss-score: 10
 cve-id: CVE-2021-44228
- cwe-id: CWE-917
+ cwe-id: CWE-77
 metadata:
 verified: "true"
 tags: jndi,log4j,rce,oast,elasticsearch,cve,cve2021,kev
diff --git a/vulnerabilities/other/fatpipe-auth-bypass.yaml b/vulnerabilities/other/fatpipe-auth-bypass.yaml
index cf2b04c028..f1b569b2dd 100644
--- a/vulnerabilities/other/fatpipe-auth-bypass.yaml
+++ b/vulnerabilities/other/fatpipe-auth-bypass.yaml
@@ -1,11 +1,10 @@
 id: fatpipe-auth-bypass
 info:
- name: FatPipe Networks WARP 10.2.2 Authorization Bypass
+ name: FatPipe WARP 10.2.2 - Authorization Bypass
 author: gy741
 severity: high
- description: Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources
- behind protected pages.
+ description: FatPipe WARP 10.2.2 contains an authorization bypass vulnerability. Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result, an attacker can bypass proper authorization and access resources behind protected pages.
 reference:
 - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php
 - https://www.fatpipeinc.com/support/advisories.php
@@ -37,3 +36,5 @@ requests:
 part: body
 regex:
 - 'version: "([0-9.a-z]+)"'
+
+# Enhanced by md on 2022/10/19
diff --git a/vulnerabilities/other/fatpipe-backdoor.yaml b/vulnerabilities/other/fatpipe-backdoor.yaml
index 98e6e53d22..4e40848dd8 100644
--- a/vulnerabilities/other/fatpipe-backdoor.yaml
+++ b/vulnerabilities/other/fatpipe-backdoor.yaml
@@ -1,10 +1,10 @@
 id: fatpipe-backdoor
 info:
- name: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Hidden Backdoor Account
+ name: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Authorization Bypass
 author: gy741
 severity: high
- description: FatPipe Networks has a hidden administrative account cmuser that has no password and has write access permissions to the device. The user cmuser is not visible in Users menu list of the application.
+ description: FatPipe WARP/IPVPN/MPVPN 10.2.2 contains an authorization bypass vulnerability via hidden administrative account cmuse, which has no password, has write access permissions to the device, and is not visible in Users menu list. An attacker can gain access by bypassing proper authorization, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
 reference:
 - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php
 - https://www.fatpipeinc.com/support/advisories.php
@@ -35,3 +35,5 @@ requests:
 - '"loginRes":"success"'
 - '"activeUserName":"cmuser"'
 condition: and
+
+# Enhanced by md on 2022/10/19
diff --git a/vulnerabilities/other/flatpress-xss.yaml b/vulnerabilities/other/flatpress-xss.yaml
index 4490f030e4..1291a7f645 100644
--- a/vulnerabilities/other/flatpress-xss.yaml
+++ b/vulnerabilities/other/flatpress-xss.yaml
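Review bot: The new `description` in fatpipe-backdoor.yaml names the account `cmuse`, but the removed text said `cmuser` and the template's own matcher in the second hunk checks `'"activeUserName":"cmuser"'`, so the account name has been truncated; change it to `via hidden administrative account cmuser,`. Separately, retitling the template from "Hidden Backdoor Account" to "Authorization Bypass" buries the actual finding: an undocumented, passwordless, vendor-shipped admin account is closer to hard-coded or hidden credentials than to a broken access-control check, and a triager reading only the `name` field would no longer learn that a built-in account is involved. Suggest keeping "Hidden Backdoor Account" in the name, e.g. `name: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account`, or at least leading the description with it.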
@@ -1,14 +1,17 @@
 id: flatpress-xss
 info:
- name: FlatPress 1.2.1 - Cross-site scripting
+ name: FlatPress 1.2.1 - Stored Cross-Site Scripting
 author: arafatansari
 severity: medium
 description: |
- A Reflected cross-site scripting (XSS) vulnerability exists in FlatPress 1.2.1 that allows for arbitrary execution of JavaScript commands through blog content.
+ FlatPress 1.2.1 contains a stored cross-site scripting vulnerability that allows for arbitrary execution of JavaScript commands through blog content. An attacker can steal cookie-based authentication credentials and launch other attacks. Note: this is similar to CVE-2021-41432, however this attack uses the "page" parameter.
 reference:
 - https://github.com/flatpressblog/flatpress/issues/153
- - https://github.com/flatpressblog/flatpress
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cwe-id: CWE-79
 metadata:
 verified: true
 shodan-query: http.html:"Flatpress"
@@ -56,3 +59,5 @@ requests:
 - type: status
 status:
 - 200
+
+# Enhanced by md on 2022/10/18
diff --git a/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml b/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml
index 0f72c350d8..f67b3644e1 100644
--- a/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml
+++ b/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml
@@ -12,8 +12,8 @@ info:
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
 cvss-score: 10
+ cwe-id: CWE-77
 cve-id: CVE-2021-44228
- cwe-id: CWE-917
 metadata:
 shodan-query: http.html:"GoAnywhere Managed File Transfer"
 verified: "true"
diff --git a/vulnerabilities/other/graylog-log4j.yaml b/vulnerabilities/other/graylog-log4j.yaml
index ee855b8998..acfa5cf54e 100644
--- a/vulnerabilities/other/graylog-log4j.yaml
+++ b/vulnerabilities/other/graylog-log4j.yaml
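Review bot: The flatpress-xss.yaml hunk reclassifies the issue from reflected to stored XSS (in `name:` and the first sentence of `description:`) but keeps evidence pointing the other way: the retained note "this attack uses the "page" parameter" describes a request parameter, and the added vector `AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` (6.1) is the standard reflected-XSS scoring with no privileges required. Stored XSS through authored blog content would normally require an authenticated author, i.e. `PR:L` (5.4 with the other metrics unchanged). Please confirm against the referenced issue #153 which it is and make name, description and vector agree — either revert to "Reflected" or keep "Stored" and rescore with `PR:L`. The template's request and matcher section is outside this hunk, so I cannot tell from here whether the payload is posted as content or sent in the query string.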
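Review bot: In goanywhere-mft-log4j-rce.yaml the `cwe-id` line is moved above `cve-id` instead of being changed in place, whereas every other log4j template touched by this commit keeps the order `cve-id` then `cwe-id` and only swaps the value. Key order carries no YAML meaning, but it makes the diff noisier than a one-line value change and breaks the otherwise uniform `classification:` layout across the repository. Keep `cve-id: CVE-2021-44228` first and edit the existing `cwe-id` line in place.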
@@ -13,7 +13,7 @@ info:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
 cvss-score: 10
 cve-id: CVE-2021-44228
- cwe-id: CWE-917
+ cwe-id: CWE-77
 metadata:
 shodan-query: title:"Graylog Web Interface"
 verified: "true"
diff --git a/vulnerabilities/other/homeautomation-v3-openredirect.yaml b/vulnerabilities/other/homeautomation-v3-openredirect.yaml
index f73aa868e7..d1cb2dc4f4 100644
--- a/vulnerabilities/other/homeautomation-v3-openredirect.yaml
+++ b/vulnerabilities/other/homeautomation-v3-openredirect.yaml
@@ -1,12 +1,17 @@
 id: homeautomation-v3-openredirect
 info:
- name: HomeAutomation v3.3.2 Open Redirect
+ name: HomeAutomation 3.3.2 - Open Redirect
 author: 0x_Akoko
 severity: medium
- description: A vulnerability in the HomeAutomation product allows remote unauthenticated attackers to inject a redirect URL via the 'api.php' endpoint and the 'redirect' parameter.
+ description: HomeAutomation 3.3.2 contains an open redirect vulnerability. An attacker can inject a redirect URL via the api.php endpoint and the redirect parameter, making it possible to redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
 reference:
 - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5559.php
+ - https://packetstormsecurity.com/files/155795/HomeAutomation-3.3.2-Open-Redirect.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cwe-id: CWE-601
 tags: iot,redirect
 requests:
@@ -19,3 +24,5 @@ requests:
 regex:
 - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
 part: header
+
+# Enhanced by md on 2022/10/18
diff --git a/vulnerabilities/other/icewarp-openredirects.yaml b/vulnerabilities/other/icewarp-openredirects.yaml
index f040c3581e..51c76e83fb 100644
--- a/vulnerabilities/other/icewarp-openredirects.yaml
+++ b/vulnerabilities/other/icewarp-openredirects.yaml
@@ -4,7 +4,12 @@ info:
 name: IceWarp - Open Redirect
 author: uomogrande
 severity: medium
- description: Detects icewarp open redirects / fixed in Version 13.0.2.4
+ description: IceWarp open redirect vulnerabilities were detected. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
+ remediation: Fixed in 13.0.2.4.
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cwe-id: CWE-601
 metadata:
 verified: true
 shodan-query: title:"icewarp"
@@ -34,3 +39,5 @@ requests:
 group: 1
 regex:
 - 'Server: (.{4,20})'
+
+# Enhanced by md on 2022/10/18
diff --git a/vulnerabilities/other/jamf-pro-log4j.yaml b/vulnerabilities/other/jamf-pro-log4j.yaml
index 339df8b8b2..88a068ec05 100644
--- a/vulnerabilities/other/jamf-pro-log4j.yaml
+++ b/vulnerabilities/other/jamf-pro-log4j.yaml
@@ -13,7 +13,7 @@ info:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
 cvss-score: 10
 cve-id: CVE-2021-44228
- cwe-id: CWE-917
+ cwe-id: CWE-77
 metadata:
 shodan-query: title:"Jamf Pro"
 verified: "true"
diff --git a/vulnerabilities/other/metabase-log4j.yaml b/vulnerabilities/other/metabase-log4j.yaml
index 82aa4e7965..98e9c6d790 100644
--- a/vulnerabilities/other/metabase-log4j.yaml
+++ b/vulnerabilities/other/metabase-log4j.yaml
@@ -13,7 +13,7 @@ info:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
 cvss-score: 10
 cve-id: CVE-2021-44228
- cwe-id: CWE-917
+ cwe-id: CWE-77
 metadata:
 shodan-query: title:"Metabase"
 verified: "true"
diff --git a/vulnerabilities/other/netgear-router-auth-bypass.yaml b/vulnerabilities/other/netgear-router-auth-bypass.yaml
index 2de4ae3d45..84c2159ef1 100644
--- a/vulnerabilities/other/netgear-router-auth-bypass.yaml
+++ b/vulnerabilities/other/netgear-router-auth-bypass.yaml
@@ -1,14 +1,17 @@
 id: netgear-router-auth-bypass
 info:
- name: NETGEAR DGN2200v1 Router Authentication Bypass
+ name: NETGEAR DGN2200v1 - Authentication Bypass
 author: gy741
 severity: high
- description: NETGEAR DGN2200v1 Router does not require authentication if a page has ".jpg", ".gif", or "ess_" substrings, however matches the entire URL. Any page on the device can therefore be accessed, including
- those that require authentication, by appending a GET variable with the relevant substring (e.g., "?.gif").
+ description: NETGEAR DGN2200v1 router contains an authentication bypass vulnerability. It does not require authentication if a page has ".jpg", ".gif", or "ess_" substrings but matches the entire URL. Any page on the device can therefore be accessed, including those that require authentication, by appending a GET variable with the relevant substring.
 reference:
 - https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/
 - https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.1
+ cwe-id: CWE-287
 tags: netgear,auth-bypass,router
 requests:
@@ -32,3 +35,5 @@ requests:
 - type: word
 words:
 - "
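Review bot: The `cvss-metrics` added to netgear-router-auth-bypass.yaml is prefixed `CVSS:3.0/` while every other classification block added in this commit uses `CVSS:3.1/`; unless this vector was copied verbatim from an advisory scored under 3.0, it should read `cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H` so the dashboard parses a single version (these metrics yield 8.1 under both). The rewritten description also drops the concrete example `(e.g., "?.gif")` that the removed text carried, which was the one operational detail a triager needs to reproduce the bypass; suggest restoring it: `...by appending a GET variable with the relevant substring (e.g., "?.gif").` It is also worth a second look at `AC:H`, since appending a fixed string to a URL does not obviously involve conditions beyond the attacker's control, but I cannot verify the intended scoring from the hunk alone. The second hunk of this file is cut off at the end of the view.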