Merge pull request #6818 from MostInterestingBotInTheWorld/dashboard

Dashboard Content Enhancements
patch-1
Ritik Chaddha 2023-03-17 22:44:11 +05:30 committed by GitHub
commit 252b4bcbef
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
160 changed files with 1238 additions and 388 deletions

View File

@ -1,16 +1,21 @@
id: CVE-2015-2755
info:
name: AB Google Map Travel (AB-MAP) Wordpress Plugin <=3.4 - Stored XSS
name: WordPress AB Google Map Travel <=3.4 - Stored Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
Multiple cross-site scripting vulnerabilities in the AB Google Map Travel (AB-MAP) plugin before 4.0 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) lat (Latitude), (2) long (Longitude), (3) map_width, (4) map_height, or (5) zoom (Map Zoom) parameter in the ab_map_options page to wp-admin/admin.php.
WordPress AB Google Map Travel plugin through 3.4 contains multiple stored cross-site scripting vulnerabilities. The plugin allows an attacker to hijack the administrator authentication for requests via the (1) lat (Latitude), (2) long (Longitude), (3) map_width, (4) map_height, or (5) zoom (Map Zoom) parameters in the ab_map_options page to wp-admin/admin.php.
reference:
- https://packetstormsecurity.com/files/131155/
- https://nvd.nist.gov/vuln/detail/https://nvd.nist.gov/vuln/detail/CVE-2015-2755
- http://packetstormsecurity.com/files/131155/WordPress-Google-Map-Travel-3.4-XSS-CSRF.html
- http://packetstormsecurity.com/files/130960/WordPress-AB-Google-Map-Travel-CSRF-XSS.html
- https://nvd.nist.gov/vuln/detail/https://nvd.nist.gov/vuln/detail/CVE-2015-2755
classification:
cve-id: CVE-2015-2755
cwe-id: CWE-79
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
metadata:
verified: "true"
tags: cve2015,xss,wordpress,wp-plugin,wp,ab-map,packetstorm,cve
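Review bot: the NVD reference `- https://nvd.nist.gov/vuln/detail/https://nvd.nist.gov/vuln/detail/CVE-2015-2755` still has the URL prefix doubled after this rewrite and will not resolve; it should read `- https://nvd.nist.gov/vuln/detail/CVE-2015-2755`. Two smaller points in the same hunk: the title now says "Stored Cross-Site Scripting" but the new description still only describes request forgery ("hijack the administrator authentication for requests"), so add that the injected `lat`, `long`, `map_width`, `map_height` and `zoom` values are saved in the plugin options, which is what makes it stored; and `verified: "true"` is a quoted string here while the IceWarp template in this same commit writes `verified: true` as a boolean, so pick one form.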
@ -41,3 +46,5 @@ requests:
- 'contains(body_2, "<script>+-+-1-+-+alert(document.domain)</script>")'
- 'contains(body_2, "ab-google-map-travel")'
condition: and
# Enhanced by md on 2023/03/13
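Review bot: the trailing `# Enhanced by md on 2023/03/13` is appended as a bare comment after the last matcher with no blank line before it and no corresponding field under `metadata:`; every other template in this commit gets the same kind of line but in three different date formats (`2023/03/13`, `03/10/2023`, `03/02/2023`). Either standardise on one format or record the review in `metadata:` where tooling can read it, and leave the matcher block unchanged.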

View File

@ -1,16 +1,16 @@
id: CVE-2015-2996
info:
name: SysAid Help Desk <15.2 - Local File Disclosure
name: SysAid Help Desk <15.2 - Local File Inclusion
author: 0x_Akoko
severity: high
description: |
Multiple directory traversal vulnerabilities in SysAid Help Desk before 15.2 allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the fileName parameter to getGfiUpgradeFile or (2) cause a denial of service (CPU and memory consumption) via a .. (dot dot) in the fileName parameter to calculateRdsFileChecksum.
SysAid Help Desk before 15.2 contains multiple local file inclusion vulnerabilities which can allow remote attackers to read arbitrary files via .. (dot dot) in the fileName parameter of getGfiUpgradeFile or cause a denial of service (CPU and memory consumption) via .. (dot dot) in the fileName parameter of calculateRdsFileChecksum.
reference:
- https://seclists.org/fulldisclosure/2015/Jun/8
- https://nvd.nist.gov/vuln/detail/CVE-2015-2996
- https://www.sysaid.com/blog/entry/sysaid-15-2-your-voice-your-service-desk
- http://seclists.org/fulldisclosure/2015/Jun/8
- https://nvd.nist.gov/vuln/detail/CVE-2015-2996
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
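Review bot: renaming to `SysAid Help Desk <15.2 - Local File Inclusion` mislabels the bug: the description in the same hunk says the `..` in `fileName` lets attackers "read arbitrary files", which is directory traversal / file disclosure (CWE-22), not inclusion, and the retained vector `C:H/I:N/A:N` agrees with disclosure. Keep "Local File Disclosure" or use "Directory Traversal", and use the same term in the description instead of "multiple local file inclusion vulnerabilities". The seclists reference is also being downgraded from `https://seclists.org/fulldisclosure/2015/Jun/8` to the `http://` form; keep https.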
@ -36,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/02/22

View File

@ -1,18 +1,18 @@
id: CVE-2015-4062
info:
name: NewStatPress 0.9.8 - SQL Injection
name: WordPress NewStatPress 0.9.8 - SQL Injection
author: r3Y3r53
severity: critical
description: |
The NewStatPress WordPress plugin was affected by SQL Injection security vulnerability.
WordPress NewStatPress 0.9.8 plugin contains a SQL injection vulnerability in includes/nsp_search.php. A remote authenticated user can execute arbitrary SQL commands via the where1 parameter in the nsp_search page to wp-admin/admin.php.
reference:
- https://packetstormsecurity.com/files/132038/
- https://nvd.nist.gov/vuln/detail/CVE-2015-4062
- https://wordpress.org/plugins/newstatpress
- http://packetstormsecurity.com/files/132038/WordPress-NewStatPress-0.9.8-Cross-Site-Scripting-SQL-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2015-4062
remediation: |
Update to plugin version 0.9.9 or latest
Update to plugin version 0.9.9 or latest.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
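Review bot: the new description says "A remote authenticated user can execute arbitrary SQL commands", but the classification block keeps `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` with `cvss-score: 9.8`; an authenticated precondition is `PR:L`, which changes the score, and the title `WordPress NewStatPress 0.9.8 - SQL Injection` should then carry "Authenticated" the way CVE-2021-24169 in this commit does. Reconcile the vector with the description, or drop "authenticated" if the NVD text does not say it. Separately, the packetstorm reference is swapped from https to `http://packetstormsecurity.com/...`; prefer the https URL.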
@ -43,3 +43,5 @@ requests:
- 'status_code == 200'
- 'contains(body_2, "newstatpress_page_nsp_search")'
condition: and
# Enhanced by md on 2023/03/13

View File

@ -1,17 +1,22 @@
id: CVE-2015-4063
info:
name: NewStatPress 0.9.8 - Cross Site Scripting
name: NewStatPress <0.9.9 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
Cross-site scripting (XSS) vulnerability in includes/nsp_search.php in the NewStatPress plugin before 0.9.9 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the where1 parameter in the nsp_search page to wp-admin/admin.php.
WordPress NewStatPress plugin before 0.9.9 contains a cross-site scripting vulnerability in includes/nsp_search.php. The plugin allows remote authenticated users to inject arbitrary web script or HTML via the where1 parameter in the nsp_search page to wp-admin/admin.php.
reference:
- https://packetstormsecurity.com/files/132038/
- https://nvd.nist.gov/vuln/detail/CVE-2015-4063
- https://wordpress.org/plugins/newstatpress/
- http://packetstormsecurity.com/files/132038/WordPress-NewStatPress-0.9.8-Cross-Site-Scripting-SQL-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2015-4063
remediation: Update to plugin version 0.9.9 or latest.
classification:
cve-id: CVE-2015-4063
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cwe-id: CWE-80
metadata:
verified: "true"
tags: cve,cve2015,xss,wordpress,wp-plugin,wp,newstatpress,packetstorm
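Review bot: the title becomes `NewStatPress <0.9.9 - Cross-Site Scripting` while the sibling template CVE-2015-4062 in this same commit is renamed to `WordPress NewStatPress 0.9.8 - SQL Injection`; both describe the same plugin and the same `where1` parameter in `includes/nsp_search.php`, so they should share the `WordPress ` prefix and the same version expression. The description says "remote authenticated users" and the vector has `PR:L`, which agree, so "Authenticated" belongs in this title too. `cwe-id: CWE-80` is the only XSS template in this commit not using CWE-79; check the NVD entry and use CWE-79 unless it really lists CWE-80.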
@ -36,3 +41,5 @@ requests:
- 'status_code_2 == 200'
- "contains(body_2, '<script>alert(document.domain)</script>') && contains(body_2, 'newstatpress')"
condition: and
# Enhanced by md on 2023/03/13

View File

@ -1,7 +1,7 @@
id: CVE-2015-9312
info:
name: NewStatPress <= 1.0.4 - Cross Site Scripting
name: NewStatPress <= 1.0.4 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
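Review bot: this rename only fixes the hyphen and leaves `NewStatPress <= 1.0.4 - Cross-Site Scripting` with the spaced `<= 1.0.4` form and no `WordPress` prefix, whereas the other plugin templates in this commit are normalised to `WordPress <plugin> <=X.Y - ...` (for example `WordPress AB Google Map Travel <=3.4 - Stored Cross-Site Scripting`); apply the same convention here so the three NewStatPress templates sort together.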
@ -42,3 +42,5 @@ requests:
- 'contains(body_2, "<img src=x onerror=alert(document.domain)")'
- 'contains(body_2, "newstatpress")'
condition: and
# Enhanced by md on 2023/03/15

View File

@ -1,16 +1,17 @@
id: CVE-2017-14622
info:
name: 2kb Amazon Affiliates Store plugin < 2.1.1 - Reflected Cross-Site Scripting
name: WordPress 2kb Amazon Affiliates Store <2.1.1 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
Multiple cross-site scripting (XSS) vulnerabilities in the 2kb Amazon Affiliates Store plugin before 2.1.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter or (2) kbAction parameter in the kbAmz page to wp-admin/admin.php.
WordPress 2kb Amazon Affiliates Store plugin before 2.1.1 contains multiple cross-site scripting vulnerabilities. The plugin allows an attacker to inject arbitrary web script or HTML via the (1) page parameter or (2) kbAction parameter in the kbAmz page to wp-admin/admin.php, thus making possible theft of cookie-based authentication credentials and launch of other attacks.
reference:
- https://packetstormsecurity.com/files/144261/WordPress-2kb-Amazon-Affiliates-Store-2.1.0-Cross-Site-Scripting.html
- http://www.securityfocus.com/bid/101050
- https://web.archive.org/web/20200227144721/http://www.securityfocus.com/bid/101050
- https://wordpress.org/plugins/2kb-amazon-affiliates-store/#developers
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14622
- https://nvd.nist.gov/vuln/detail/CVE-2017-14622
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
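Review bot: the rename drops "Reflected" from `WordPress 2kb Amazon Affiliates Store <2.1.1 - Cross-Site Scripting`, and the same normalisation removes "Reflected", "Unauthenticated" or "admin+" from most titles in this commit; that qualifier is what lets someone triage a finding without opening the template, so keep it in the title or move it into `tags:`. The description's new tail "thus making possible theft of cookie-based authentication credentials and launch of other attacks" is generic and adds nothing beyond the `cwe-id` and vector. Swapping the dead securityfocus link for the web.archive.org capture is the right call.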
@ -43,3 +44,5 @@ requests:
- 'contains(body_2, "<script>alert(document.domain)</script>")'
- 'contains(body_2, "2kb-amazon-affiliates-store")'
condition: and
# Enhanced by md on 2023/03/13

View File

@ -1,17 +1,17 @@
id: CVE-2018-16159
info:
name: Gift Voucher < 4.1.8 - Unauthenticated Blind SQL Injection
name: WordPress Gift Voucher <4.1.8 - Blind SQL Injection
author: theamanrawat
severity: critical
description: |
The Gift Vouchers plugin through 2.0.1 for WordPress allows SQL Injection via the template_id parameter in a wp-admin/admin-ajax.php wpgv_doajax_front_template request.
WordPress Gift Vouchers plugin before 4.1.8 contains a blind SQL injection vulnerability via the template_id parameter in a wp-admin/admin-ajax.php wpgv_doajax_front_template request. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/9117
- https://wordpress.org/plugins/gift-voucher/
- https://nvd.nist.gov/vuln/detail/CVE-2018-16159
- https://www.exploit-db.com/exploits/45255/
remediation: Fixed in version 4.1.8
- https://nvd.nist.gov/vuln/detail/CVE-2018-16159
remediation: Fixed in version 4.1.8.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
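Review bot: the affected range changes from "through 2.0.1" (the NVD wording being removed) to "before 4.1.8" alongside `remediation: Fixed in version 4.1.8.`; those are different claims, so the description should say where 4.1.8 comes from (the wpscan entry already referenced is the likely source) or keep both statements. After the reorder `- https://nvd.nist.gov/vuln/detail/CVE-2018-16159` appears at two positions in the hunk; make sure only one copy survives. Dropping "Unauthenticated" from the title loses the `PR:N` fact a reader wants first.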
@ -39,3 +39,5 @@ requests:
- 'contains(content_type, "application/json")'
- 'contains(body, "images") && contains(body, "title")'
condition: and
# Enhanced by md on 2023/03/13

View File

@ -1,15 +1,15 @@
id: CVE-2018-6184
info:
name: ZEIT Next.js Framework Path Traversal
name: Zeit Next.js <4.2.3 - Local File Inclusion
author: DhiyaneshDK
severity: high
description: |
ZEIT Next.js 4 before 4.2.3 has Directory Traversal under the /_next request namespace.
Zeit Next.js before 4.2.3 is susceptible to local file inclusion under the /_next request namespace. An attacker can obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://github.com/PortSwigger/j2ee-scan/blob/master/src/main/java/burp/j2ee/issues/impl/NextFrameworkPathTraversal.java
- https://nvd.nist.gov/vuln/detail/CVE-2018-6184
- https://github.com/zeit/next.js/releases/tag/4.2.3
- https://nvd.nist.gov/vuln/detail/CVE-2018-6184
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
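Review bot: the new description claims an attacker "can obtain sensitive information, modify data, and/or execute unauthorized administrative operations", but the retained vector `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` has no integrity impact and the matcher only checks a 200 on a read; keep the impact statement to file disclosure. "Local File Inclusion" is also the wrong class: the removed text says "Directory Traversal", and serving files out of the `/_next` namespace does not execute them, so `Zeit Next.js <4.2.3 - Directory Traversal` (or "Path Traversal", as before) is accurate. The added release-notes link is useful; keep it.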
@ -34,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/07

View File

@ -5,12 +5,12 @@ info:
author: omarjezi
severity: critical
description: |
An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. Such vulnerability could be used to perform various types of attacks, e.g. exploit serialize-related PHP vulnerabilities or PHP object injection. It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to third party websites. This vulnerability was addressed in version 4.2.0
Revive Adserver 4.2 is susceptible to remote code execution. An attacker can send a crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. This can be exploited to perform various types of attacks, e.g. serialize-related PHP vulnerabilities or PHP object injection. It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to third-party websites.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-5434
- https://packetstormsecurity.com/files/155559/Revive-Adserver-4.2-Remote-Code-Execution.html
- https://www.exploit-db.com/exploits/47739
- https://www.revive-adserver.com/security/revive-sa-2019-001/
- https://nvd.nist.gov/vuln/detail/CVE-2019-5434
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
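Review bot: the rewrite inverts the affected range: the removed sentence says "This vulnerability was addressed in version 4.2.0" while the new first sentence says "Revive Adserver 4.2 is susceptible to remote code execution". Unless the vendor advisory says otherwise this should read "Revive Adserver before 4.2.0", and the fix version should be kept (a `remediation:` line is the natural place). The phrase "e.g. serialize-related PHP vulnerabilities or PHP object injection" also lost its verb in the rewrite; "e.g. to exploit serialize-related PHP vulnerabilities or perform PHP object injection" reads correctly.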
@ -50,3 +50,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/13

View File

@ -1,16 +1,15 @@
id: CVE-2020-15895
info:
name: D-Link DIR-816L - Cross Site Scripting
name: D-Link DIR-816L 2.x - Cross-Site Scripting
author: edoardottt
severity: medium
description: |
An XSS issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. In the file webinc/js/info.php, no output filtration is applied to the RESULT parameter, before it's printed on the webpage.
D-Link DIR-816L devices 2.x before 1.10b04Beta02 contains a cross-site scripting vulnerability. In the file webinc/js/info.php, no output filtration is applied to the RESULT parameter before being printed on the webpage. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow for theft of cookie-based authentication credentials and launch of other attacks.
reference:
- https://research.loginsoft.com/vulnerability/multiple-vulnerabilities-discovered-in-the-d-link-firmware-dir-816l/
- https://nvd.nist.gov/vuln/detail/CVE-2020-15895
- https://research.loginsoft.com/bugs/multiple-vulnerabilities-discovered-in-the-d-link-firmware-dir-816l/
- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10169
- https://nvd.nist.gov/vuln/detail/CVE-2020-15895
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
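Review bot: subject-verb agreement in the new description: "D-Link DIR-816L devices 2.x before 1.10b04Beta02 contains" should be "contain" (or "D-Link DIR-816L 2.x firmware before 1.10b04Beta02 contains"). The loginsoft URL path change from `/vulnerability/` to `/bugs/` and the added D-Link SAP10169 advisory look right; the "launch of other attacks" tail is the same boilerplate appended to every XSS description in this commit and can go.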
@ -42,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/02/22

View File

@ -4,7 +4,7 @@ info:
name: Adminer <4.7.9 - Server-Side Request Forgery
author: Adam Crosser,pwnhxl
severity: high
description: Adminer from version 4.0.0 through 4.7.8 is susceptible to server-side request forgery due to its use of verbose error messages. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected.
description: Adminer before 4.7.9 is susceptible to server-side request forgery due to exposure of sensitive information in error messages. Users of Adminer versions bundling all drivers, e.g. adminer.php, are affected. An attacker can possibly obtain this information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6
- https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf
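Review bot: "Adminer before 4.7.9" drops the lower bound of the range being removed ("from version 4.0.0 through 4.7.8"); keep "Adminer 4.0.0 through 4.7.8" unless the GHSA advisory says earlier releases are affected too. The new tail "modify data, and/or execute unauthorized administrative operations" does not follow from an SSRF that leaks error text; the impact is information disclosure via the verbose error message (and whatever the reachable internal service returns). The GHSA link and the PDF are the right references to keep.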
@ -50,8 +50,10 @@ requests:
- type: word
part: body
words:
- "&lt;title&gt;400 - Bad Request&lt;/title&gt;"
- "<title>400 - Bad Request</title>"
- type: status
status:
- 403
# Enhanced by md on 2023/03/13
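Review bot: changing the words matcher from `- "&lt;title&gt;400 - Bad Request&lt;/title&gt;"` to `- "<title>400 - Bad Request</title>"` is a behavioural change, not a cosmetic one: the template depends on Adminer echoing the upstream response inside its own error message, and if that echo is HTML-escaped (as error output normally is) the literal `<title>` form never appears in the body and the template silently stops matching. Confirm against a live 4.7.8 instance which form is actually returned before merging, and say so in the commit message; keeping both strings under `condition: or` is the safe variant if it cannot be verified.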

View File

@ -1,17 +1,17 @@
id: CVE-2021-24169
info:
name: Advanced Order Export For WooCommerce < 3.1.8 - Authenticated Reflected Cross-Site Scripting (XSS)
name: WordPress Advanced Order Export For WooCommerce <3.1.8 - Authenticated Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
This Advanced Order Export For WooCommerce WordPress plugin before 3.1.8 helps you to easily export WooCommerce order data. The tab parameter in the Admin Panel is vulnerable to reflected XSS.
WordPress Advanced Order Export For WooCommerce plugin before 3.1.8 contains an authenticated cross-site scripting vulnerability via the tab parameter in the admin panel. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/09681a6c-57b8-4448-982a-fe8d28c87fc3
- https://www.exploit-db.com/exploits/50324
- https://wordpress.org/plugins/woo-order-export-lite/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24169
remediation: Fixed in version 3.1.8
remediation: Fixed in version 3.1.8.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
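Review bot: the title keeps "Authenticated" and the description says "authenticated cross-site scripting vulnerability", but the vector in the same hunk is `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` with `PR:N`. For reflected XSS on an admin-only page the usual reading is that the victim is logged in while the attacker is not, so either wording can be right, but the description should say which is meant ("reflected XSS via the `tab` parameter, triggered when a logged-in admin opens a crafted link") rather than leaving the title and vector to contradict each other.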
@ -42,3 +42,5 @@ requests:
- 'contains(body_2, "<script>alert(document.domain)</script>")'
- 'contains(body_2, "woo-order-export-lite")'
condition: and
# Enhanced by md on 2023/03/13

View File

@ -1,17 +1,17 @@
id: CVE-2021-24287
info:
name: Select All Categories and Taxonomies < 1.3.2 - Reflected Cross-Site Scripting (XSS)
name: WordPress Select All Categories and Taxonomies <1.3.2 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The settings page of the plugin did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue
WordPress Select All Categories and Taxonomies plugin before 1.3.2 contains a cross-site scripting vulnerability. The settings page of the plugin does not properly sanitize the tab parameter before outputting it back. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://www.exploit-db.com/exploits/50349
- https://nvd.nist.gov/vuln/detail/CVE-2021-24287
- https://wpscan.com/vulnerability/56e1bb56-bfc5-40dd-b2d0-edef43d89bdf
- https://wordpress.org/plugins/select-all-categories-and-taxonomies-change-checkbox-to-radio-buttons/
remediation: Fixed in version 1.3.2
- https://nvd.nist.gov/vuln/detail/CVE-2021-24287
remediation: Fixed in version 1.3.2.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
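Review bot: after the reorder `- https://nvd.nist.gov/vuln/detail/CVE-2021-24287` appears twice in the hunk, before and after the wpscan and wordpress.org entries; confirm the earlier copy is the one removed so the list has a single NVD entry. The description's "outputting it back" should say where: the `tab` value is echoed into the plugin settings page, which is what the matcher's "Set up the taxonomies" string is keyed on.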
@ -42,3 +42,5 @@ requests:
- 'contains(body_2, "alert(document.domain)")'
- 'contains(body_2, "Set up the taxonomies")'
condition: and
# Enhanced by md on 2023/03/13

View File

@ -1,16 +1,16 @@
id: CVE-2021-24554
info:
name: Paytm - Donation Plugin <= 1.3.2 - Authenticated (admin+) SQL Injection
name: WordPress Paytm Donation <=1.3.2 - Authenticated SQL Injection
author: theamanrawat
severity: high
description: |
The Paytm Donation Plugin WordPress plugin through 1.3.2 does not sanitise, validate or escape the id GET parameter before using it in a SQL statement when deleting donations, leading to an authenticated SQL injection issue.
WordPress Paytm Donation plugin through 1.3.2 is susceptible to authenticated SQL injection. The plugin does not sanitize, validate, or escape the id GET parameter before using it in a SQL statement when deleting donations. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/f2842ac8-76fa-4490-aa0c-5f2b07ecf2ad
- https://wordpress.org/plugins/wp-paytm-pay/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24554
- https://codevigilant.com/disclosure/2021/wp-plugin-wp-paytm-pay/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24554
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
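Review bot: dropping "(admin+)" from `WordPress Paytm Donation <=1.3.2 - Authenticated SQL Injection` loses the one fact the retained vector encodes with `PR:H` and `cvss-score: 7.2`: only an administrator can reach the delete-donation action. With that precondition the appended "execute unauthorized administrative operations in the context of the affected site" is meaningless, since the attacker already is an administrator; the real impact is database read/write beyond what the plugin UI exposes. Keep the admin qualifier in the title or description and trim the boilerplate.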
@ -43,3 +43,5 @@ requests:
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "paytm-settings_page_wp_paytm_donation")'
condition: and
# Enhanced by md on 2023/03/13

View File

@ -1,12 +1,12 @@
id: CVE-2021-24875
info:
name: eCommerce Product Catalog for WordPress < 3.0.39 - Reflected Cross-Site Scripting
name: WordPress eCommerce Product Catalog <3.0.39 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The plugin does not escape the ic-settings-search parameter before outputting it back in the page in an attribute, leading to a Reflected Cross-Site Scripting issue.
remediation: Fixed in version 3.0.39
WordPress eCommerce Product Catalog plugin before 3.0.39 contains a cross-site scripting vulnerability. The plugin does not escape the ic-settings-search parameter before outputting it back in the page in an attribute. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.
remediation: Fixed in version 3.0.39.
reference:
- https://wpscan.com/vulnerability/652efc4a-f931-4668-ae74-a58b288a5715
- https://nvd.nist.gov/vuln/detail/CVE-2021-24875
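Review bot: `remediation:` sits between `description:` and `reference:` here, whereas the other templates touched in this commit place it after `reference:` (CVE-2021-24169, CVE-2021-24931); since the hunk already rewrites these lines, move it to match. The description's "outputting it back in the page in an attribute" is the useful detail (attribute context, so an attribute breakout rather than a bare `<script>` tag is needed, which is why the matcher looks for `alert(document.domain)` alone), so keep it ahead of the generic cookie-theft sentence.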
@ -40,3 +40,5 @@ requests:
- 'contains(body_2, "alert(document.domain)")'
- 'contains(body_2, "eCommerce Product Catalog")'
condition: and
# Enhanced by md on 2023/03/13

View File

@ -1,16 +1,16 @@
id: CVE-2021-24931
info:
name: Secure Copy Content Protection and Content Locking < 2.8.2 - Unauthenticated SQL Injection
name: WordPress Secure Copy Content Protection and Content Locking <2.8.2 - SQL Injection
author: theamanrawat
severity: critical
description: |
The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an SQL injection.
WordPress Secure Copy Content Protection and Content Locking plugin before 2.8.2 contains a SQL injection vulnerability. The plugin does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action, available to both unauthenticated and authenticated users, before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/1cd52d61-af75-43ed-9b99-b46c471c4231
- https://wordpress.org/plugins/secure-copy-content-protection/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24931
remediation: Fixed in version 2.8.2
remediation: Fixed in version 2.8.2.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -35,3 +35,5 @@ requests:
- 'contains(content_type, "text/html")'
- 'contains(body, "{\"status\":true")'
condition: and
# Enhanced by md on 2023/03/13

View File

@ -42,3 +42,5 @@ requests:
- 'contains(body_2, "test\\\" style=animation-name:rotation onanimationstart=alert(document.domain)")'
- 'contains(body_2, "Enter Page Title")'
condition: and
# Enhanced by cs 03/10/2023

View File

@ -1,11 +1,11 @@
id: CVE-2021-25114
info:
name: Paid Memberships Pro < 2.6.7 - Unauthenticated Blind SQL Injection
name: WordPress Paid Memberships Pro <2.6.7 - Blind SQL Injection
author: theamanrawat
severity: critical
description: |
The plugin does not escape the discount_code in one of its REST route (available to unauthenticated users) before using it in a SQL statement, leading to a SQL injection.
WordPress Paid Memberships Pro plugin before 2.6.7 is susceptible to blind SQL injection. The plugin does not escape the discount_code in one of its REST routes before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/6c25a5f0-a137-4ea5-9422-8ae393d7b76b
- https://wordpress.org/plugins/paid-memberships-pro/
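Review bot: the rewrite drops "(available to unauthenticated users)" from the description and "Unauthenticated" from the title at the same time, so nothing in `WordPress Paid Memberships Pro <2.6.7 - Blind SQL Injection` now says the REST route needs no login; that is the detail that justifies `severity: critical`. Restore it in the description ("in one of its unauthenticated REST routes"), and mark `discount_code` as a parameter ("the `discount_code` parameter") since it is currently an unexplained bare word.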
@ -39,3 +39,5 @@ requests:
- status_code == 200
- contains(body_2, 'other_discount_code_')
condition: and
# Enhanced by md on 2023/02/22

View File

@ -5,12 +5,12 @@ info:
author: ritikchaddha
severity: medium
description: |
Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS). The vulnerability exists in the file /usr/local/nagiosxi/html/admin/sshterm.php due to improper sanitization of user-controlled input. A maliciously crafted URL, when clicked by an admin user, can be used to steal his/her session cookies or it can be chained with the previous bugs to get one-click remote command execution (RCE) on the Nagios XI server.
Nagios XI 5.7.5 contains a cross-site scripting vulnerability in the file /usr/local/nagiosxi/html/admin/sshterm.php, due to improper sanitization of user-controlled input. A maliciously crafted URL, when clicked by an admin user, can be used to steal session cookies, or it can be chained with the previous bugs to get one-click remote command execution on the Nagios XI server.
reference:
- https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md#cve-2021-25299
- https://nvd.nist.gov/vuln/detail/CVE-2021-25299
- http://nagios.com
- https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-25299
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
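Review bot: replacing `https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md#cve-2021-25299` with the bare README link loses the anchor into a multi-CVE write-up, and the added `- http://nagios.com` is a plain-http vendor homepage that documents nothing about this bug; keep the anchored link and drop the homepage or replace it with a vendor advisory. In the description, "chained with the previous bugs" refers to other issues in that README which a reader of this template cannot see; say "chained with the other Nagios XI 5.7.5 issues from the same write-up".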
@ -55,3 +55,5 @@ requests:
regex:
- 'name="nsp" value="(.*)">'
internal: true
# Enhanced by md on 2023/03/07

View File

@ -5,7 +5,7 @@ info:
author: edoardottt
severity: high
description: |
An issue was discovered in svc-login.php in Void Aural Rec Monitor 9.0.0.1. An unauthenticated attacker can send a crafted HTTP request to perform a blind time-based SQL Injection. The vulnerable parameter is param1.
Void Aural Rec Monitor 9.0.0.1 contains a SQL injection vulnerability in svc-login.php. An attacker can send a crafted HTTP request to perform a blind time-based SQL injection via the param1 parameter and thus possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/all-your-databases-belong-to-me-a-blind-sqli-case-study/
- https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=28765
@ -36,3 +36,5 @@ requests:
- 'contains(content_type, "text/html")'
- 'contains(body, "Contacte con el administrador")'
condition: and
# Enhanced by md on 2023/02/22

View File

@ -1,16 +1,16 @@
id: CVE-2021-27520
info:
name: FUDForum 3.1.0 - Cross Site Scripting
name: FUDForum 3.1.0 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "author" parameter.
FUDForum 3.1.0 contains a cross-site scripting vulnerability. An attacker can inject JavaScript via index.php in the author parameter, thereby possibly stealing cookie-based authentication credentials and launching other attacks.
reference:
- https://www.exploit-db.com/exploits/49943
- https://nvd.nist.gov/vuln/detail/CVE-2021-27520
- https://github.com/fudforum/FUDforum/issues/2
- http://packetstormsecurity.com/files/162942/FUDForum-3.1.0-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-27520
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -45,3 +45,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/13

View File

@ -1,11 +1,11 @@
id: CVE-2021-30134
info:
name: php-mod/curl Library - Cross-Site Scripting
name: Php-mod/curl Library <2.3.2 - Cross-Site Scripting
author: theamanrawat
severity: medium
description: |
php-mod/curl (a wrapper of the PHP cURL extension) before 2.3.2 allows XSS via the post_file_path_upload.php key parameter and the POST data to post_multidimensional.php.
Php-mod/curl library before 2.3.2 contains a cross-site scripting vulnerability via the post_file_path_upload.php key parameter and the POST data to post_multidimensional.php. An attacker can inject arbitrary script, which can allow theft of cookie-based authentication credentials and launch of other attacks.
reference:
- https://wpscan.com/vulnerability/0b547728-27d2-402e-ae17-90d539344ec7
- https://nvd.nist.gov/vuln/detail/CVE-2021-30134
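Review bot: `php-mod/curl` is a Composer package name (vendor/package), so capitalising it to `Php-mod/curl` in both the title and the description changes the identifier; keep the lowercase form and reword if a capital is wanted at sentence start ("The php-mod/curl library before 2.3.2 ..."). The removed parenthetical "(a wrapper of the PHP cURL extension)" was the only line telling the reader what the project is; keep it.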
@ -38,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/07

View File

@ -1,11 +1,19 @@
id: CVE-2021-36580
info:
name: IceWarp Open Redirect
name: IceWarp Mail Server - Open Redirect
author: DhiyaneshDk
description: |
IceWarp Mail Server contains an open redirect via the referer parameter. This can lead to phishing attacks or other unintended redirects.
severity: medium
reference:
- https://www.icewarp.com/
- https://twitter.com/shifacyclewala/status/1443298941311668227
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-601
cve-id: CVE-2021-36580
metadata:
verified: true
shodan-query: title:"icewarp"
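Review bot: `verified: true` is a YAML boolean here while the other templates in this commit write `verified: "true"` as a string (CVE-2015-2755, CVE-2015-4063); pick one form so anything filtering on the field sees consistent values. `- https://www.icewarp.com/` is the vendor homepage and documents nothing about the redirect, leaving the tweet as the only source; add the NVD entry for `cve-id: CVE-2021-36580` and drop the homepage. The added description is good, but "via the referer parameter" should say whether that is a query parameter or the HTTP Referer header.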
@ -21,3 +29,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
# Enhanced by cs 03/02/2023

View File

@ -1,11 +1,11 @@
id: CVE-2022-0693
info:
name: Master Elements <= 8.0 - Unauthenticated SQLi
name: WordPress Master Elements <=8.0 - SQL Injection
author: theamanrawat
severity: critical
description: |
The Master Elements WordPress plugin through 8.0 does not validate and escape the meta_ids parameter of its remove_post_meta_condition AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL Injection.
WordPress Master Elements plugin through 8.0 contains a SQL injection vulnerability. The plugin does not validate and escape the meta_ids parameter of its remove_post_meta_condition AJAX action, available to both unauthenticated and authenticated users, before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/a72bf075-fd4b-4aa5-b4a4-5f62a0620643
- https://wordpress.org/plugins/master-elements
@ -33,3 +33,5 @@ requests:
- 'status_code == 200'
- 'contains(body, "Post Meta Setting Deleted Successfully")'
condition: and
# Enhanced by md on 2023/03/13

View File

@ -1,11 +1,11 @@
id: CVE-2022-0760
info:
name: Simple Link Directory < 7.7.2 - Unauthenticated SQL injection
name: WordPress Simple Link Directory <7.7.2 - SQL injection
author: theamanrawat
severity: critical
description: |
The plugin does not validate and escape the post_id parameter before using it in a SQL statement via the qcopd_upvote_action AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL Injection.
WordPress Simple Link Directory plugin before 7.7.2 contains a SQL injection vulnerability. The plugin does not validate and escape the post_id parameter before using it in a SQL statement via the qcopd_upvote_action AJAX action, available to unauthenticated and authenticated users. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/1c83ed73-ef02-45c0-a9ab-68a3468d2210
- https://wordpress.org/plugins/simple-link-directory/
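Review bot: `WordPress Simple Link Directory <7.7.2 - SQL injection` uses lowercase "injection" while every other SQL injection title in this commit uses "SQL Injection"; fix the case. As with the other AJAX-action templates in this commit, the title no longer says `qcopd_upvote_action` is reachable without login even though the description still does; keep "Unauthenticated" in the title.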
@ -37,3 +37,5 @@ requests:
- 'contains(content_type, "text/html")'
- 'contains(body, "vote_status") || contains(body, "critical error")'
condition: and
# Enhanced by md on 2023/03/13

View File

@ -1,12 +1,12 @@
id: CVE-2022-0949
info:
name: WP Block and Stop Bad Bots < 6.930 - Unauthenticated SQLi
name: WordPress Stop Bad Bots <6.930 - SQL Injection
author: theamanrawat
severity: critical
description: |
The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin before 6.930 does not properly sanitise and escape the fingerprint parameter before using it in a SQL statement via the stopbadbots_grava_fingerprint AJAX action, available to unauthenticated users, leading to a SQL injection.
remediation: Fixed in version 6.930
WordPress Stop Bad Bots plugin before 6.930 contains a SQL injection vulnerability. The plugin does not properly sanitise and escape the fingerprint parameter before using it in a SQL statement via the stopbadbots_grava_fingerprint AJAX action, available to unauthenticated users. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
remediation: Fixed in version 6.930.
reference:
- https://wpscan.com/vulnerability/a0fbb79a-e160-49df-9cf2-18ab64ea66cb
- https://wordpress.org/plugins/stopbadbots/
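Review bot: the description keeps "does not properly sanitise and escape" while the other rewrites in this commit switch to the American "sanitize" (CVE-2021-24554, CVE-2022-2599); use one spelling. The title shortens the plugin's full name "Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection" to `Stop Bad Bots`, which is fine for readability, but the `stopbadbots` slug from the wordpress.org link is what ties the two together, so make sure it is present in `tags:`.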
@ -54,3 +54,5 @@ requests:
- 'status_code_2 == 200'
- 'contains(body_3, "commentform")'
condition: and
# Enhanced by md on 2023/03/13


@ -1,11 +1,11 @@
id: CVE-2022-1013
info:
name: Personal Dictionary < 1.3.4 - Unauthenticated SQLi
name: WordPress Personal Dictionary <1.3.4 - Blind SQL Injection
author: theamanrawat
severity: critical
description: |
The Personal Dictionary WordPress plugin before 1.3.4 fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to a blind SQL injection vulnerability.
WordPress Personal Dictionary plugin before 1.3.4 contains a blind SQL injection vulnerability. The plugin fails to properly sanitize user-supplied POST data before being interpolated in an SQL statement and executed. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
remediation: Fixed in version 1.3.4.
reference:
- https://wpscan.com/vulnerability/eed70659-9e3e-42a2-b427-56c52e0fbc0d
@ -38,3 +38,5 @@ requests:
- 'contains(content_type, "text/html")'
- 'contains(body, "\"status\":true,")'
condition: and
# Enhanced by md on 2023/03/13


@ -1,11 +1,11 @@
id: CVE-2022-2599
info:
name: Anti-Malware Security and Brute-Force Firewall < 4.21.83 - Cross-Site Scripting
name: WordPress Anti-Malware Security and Brute-Force Firewall <4.21.83 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
The plugin does not sanitise and escape some parameters before outputting them back in an admin dashboard, leading to Reflected Cross-Site Scripting.
WordPress Anti-Malware Security and Brute-Force Firewall plugin before 4.21.83 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape some parameters before outputting them back in an admin dashboard.
reference:
- https://wpscan.com/vulnerability/276a7fc5-3d0d-446d-92cf-20060aecd0ef
- https://wordpress.org/plugins/gotmls/advanced/
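Review bot: the new description line drops the "Reflected" qualifier that the removed line carried. "Does not sanitize and escape some parameters before outputting them back in an admin dashboard" no longer tells the reader whether this is reflected or stored XSS, which changes the user-interaction requirement and therefore the UI:R in the vector. Suggest "contains a reflected cross-site scripting vulnerability" in the first sentence.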
@ -50,3 +50,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/07


@ -1,15 +1,16 @@
id: CVE-2022-28923
info:
name: Caddy 2.4.6 Open Redirect
name: Caddy 2.4.6 - Open Redirect
author: Sascha Brendel,DhiyaneshDk
severity: medium
description: |
Caddy version 2.4.6 was discovered to contain an open redirection vulnerability which allows attackers to redirect users to phishing websites via crafted URLs.
Caddy 2.4.6 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site via a crafted URL and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://lednerb.de/en/publications/responsible-disclosure/caddy-open-redirect-vulnerability/
- https://www.cve.org/CVERecord?id=CVE-2022-28923
- https://github.com/caddyserver/caddy/issues/4502
- https://nvd.nist.gov/vuln/detail/CVE-2022-28923
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
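Review bot: the replacement description overstates the impact of an open redirect. The removed line scoped it correctly to redirecting users to phishing sites; the new tail "modify data, and/or execute unauthorized operations" is not supported by the vector kept directly below (C:L/I:L/A:N, 6.1). Suggest keeping the phishing wording and dropping the generic impact clause.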
@ -30,3 +31,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
# Enhanced by md on 2023/03/07


@ -1,16 +1,16 @@
id: CVE-2022-36446
info:
name: Webmin - Remote Code Execution (Authenticated)
name: Webmin <1.997 - Authenticated Remote Code Execution
author: gy741
severity: critical
description: |
Webmin before 1.997 is vulnerable to RCE exploits. an authenticated, remote attacker to perform command injection attacks.
Webmin before 1.997 is susceptible to authenticated remote code execution via software/apt-lib.pl, which lacks HTML escaping for a UI command. An attacker can perform command injection attacks and thereby execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference:
- https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165
- https://www.exploit-db.com/exploits/50998
- https://nvd.nist.gov/vuln/detail/CVE-2022-36446
- https://github.com/webmin/webmin/compare/1.996...1.997
- https://nvd.nist.gov/vuln/detail/CVE-2022-36446
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
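Review bot: the added description contradicts the new name. The name says "Authenticated Remote Code Execution", yet the description ends "without entering necessary credentials", and the unchanged vector below still says PR:N. Either the attack needs credentials (then drop the "without entering necessary credentials" clause and reconcile the PR component of the vector) or it does not (then drop "Authenticated" from the name and the sentence is fine); as written the three lines disagree with each other.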
@ -51,3 +51,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/02/22


@ -1,11 +1,11 @@
id: CVE-2022-3934
info:
name: Flat PM < 3.0.13 - Reflected Cross-Site Scripting
name: WordPress FlatPM <3.0.13 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The FlatPM WordPress plugin before 3.0.13 does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
WordPress FlatPM plugin before 3.0.13 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape certain parameters before outputting them back in pages, which can be exploited against high privilege users such as admin. An attacker can steal cookie-based authentication credentials and launch other attacks.
remediation: Fixed in version 3.0.13.
reference:
- https://wpscan.com/vulnerability/ab68381f-c4b8-4945-a6a5-1d4d6473b73a
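Review bot: both the new name and the new description drop "Reflected", which the removed lines stated explicitly. The sentence "does not sanitize and escape certain parameters before outputting them back in pages" describes reflection, so say so: "contains a reflected cross-site scripting vulnerability". The added sentence about stealing cookie-based credentials is fine but reads better placed after the "high privilege users" clause it depends on.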
@ -40,3 +40,5 @@ requests:
- 'status_code_2 == 200'
- 'contains(body_2, "alert(document.domain)") && contains(body_2, "Flat PM")'
condition: and
# Enhanced by md on 2023/03/13


@ -1,12 +1,12 @@
id: CVE-2022-4063
info:
name: InPost Gallery < 2.1.4.1 - Unauthenticated LFI to RCE
name: WordPress InPost Gallery <2.1.4.1 - Local File Inclusion
author: theamanrawat
severity: critical
description: |
The InPost Gallery WordPress plugin before 2.1.4.1 insecurely uses PHP's extract() function when rendering HTML views, allowing attackers to force the inclusion of malicious files & URLs, which may enable them to run code on servers.
remediation: Fixed in version 2.1.4.1
WordPress InPost Gallery plugin before 2.1.4.1 is susceptible to local file inclusion. The plugin insecurely uses PHP's extract() function when rendering HTML views, which can allow attackers to force inclusion of malicious files and URLs. This, in turn, can enable them to execute code remotely on servers.
remediation: Fixed in version 2.1.4.1.
reference:
- https://wpscan.com/vulnerability/6bb07ec1-f1aa-4f4b-9717-c92f651a90a7
- https://wordpress.org/plugins/inpost-gallery/
@ -40,3 +40,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/13


@ -1,12 +1,12 @@
id: CVE-2022-4301
info:
name: Sunshine Photo Cart < 2.9.15 - Cross Site Scripting
name: WordPress Sunshine Photo Cart <2.9.15 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The Sunshine Photo Cart WordPress plugin before 2.9.15 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.
remediation: Fixed in version 2.9.15
WordPress Sunshine Photo Cart plugin before 2.9.15 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
remediation: Fixed in version 2.9.15.
reference:
- https://wpscan.com/vulnerability/a8dca528-fb70-44f3-8149-21385039179d
- https://nvd.nist.gov/vuln/detail/CVE-2022-4301
@ -41,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/14


@ -1,12 +1,12 @@
id: CVE-2022-4306
info:
name: Panda Pods Repeater Field < 1.5.4 - Cross Site Scripting
name: WordPress Panda Pods Repeater Field <1.5.4 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The plugin does not sanitize and escapes a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a user having at least Contributor permission.
remediation: Fixed in version 1.5.4
WordPress Panda Pods Repeater Field before 1.5.4 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the page. This can be leveraged against a user who has at least Contributor permission. An attacker can also steal cookie-based authentication credentials and launch other attacks.
remediation: Fixed in version 1.5.4.
reference:
- https://wpscan.com/vulnerability/18d7f9af-7267-4723-9d6f-05b895c94dbe
- https://nvd.nist.gov/vuln/detail/CVE-2022-4306
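Review bot: the new description reads "WordPress Panda Pods Repeater Field before 1.5.4 contains", omitting the word "plugin" that every other rewritten WordPress description in this commit uses ("... plugin before X contains ..."). Suggest "WordPress Panda Pods Repeater Field plugin before 1.5.4 contains a cross-site scripting vulnerability."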
@ -40,3 +40,5 @@ requests:
- 'contains(body_2, "alert(document.domain)")'
- 'contains(body_2, "panda-repeater-add-new")'
condition: and
# Enhanced by md on 2023/03/14


@ -1,11 +1,11 @@
id: CVE-2022-4447
info:
name: Fontsy <= 1.8.6 - Unauthenticated SQLi
name: WordPress Fontsy <=1.8.6 - SQL Injection
author: theamanrawat
severity: critical
description: |
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
WordPress Fontsy plugin through 1.8.6 is susceptible to SQL injection. The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/6939c405-ac62-4144-bd86-944d7b89d0ad
- https://wordpress.org/plugins/fontsy/
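Review bot: the new description loses a fact the removed line stated: the AJAX action is available to unauthenticated users. That qualifier is what justifies severity critical for this finding, so keep it: "... before using it in a SQL statement via an AJAX action available to unauthenticated users."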
@ -38,3 +38,5 @@ requests:
- 'contains(content_type, "text/html")'
- 'contains(body, "{{md5(num)}}")'
condition: and
# Enhanced by md on 2023/02/22


@ -1,21 +1,21 @@
id: CVE-2022-45805
info:
name: WordPress Paytm Payment Gateway Plugin <= 2.7.3 - SQL Injection
name: WordPress Paytm Payment Gateway <=2.7.3 - SQL Injection
author: theamanrawat
severity: high
severity: critical
description: |
SQL Injection vulnerability in WordPress Paytm Payment Gateway Plugin. This could allow a malicious actor to directly interact with your database, including but not limited to stealing information and creating new administrator accounts. This vulnerability has been fixed in version 2.7.7.
remediation: Update to version 2.7.7, or a newer patched version.
WordPress Paytm Payment Gateway plugin through 2.7.3 contains a SQL injection vulnerability. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
remediation: Update to version 2.7.7 or a newer patched version.
reference:
- https://patchstack.com/database/vulnerability/paytm-payments/wordpress-paytm-payment-gateway-plugin-2-7-3-auth-sql-injection-sqli-vulnerability
- https://wordpress.org/plugins/paytm-payments/
- https://nvd.nist.gov/vuln/detail/CVE-2022-45805
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.2
cve-id: CVE-2022-45805
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cwe-id: CWE-89
cve-id: CVE-2022-45805
metadata:
verified: "true"
tags: cve,cve2022,sqli,wordpress,wp-plugin,wp,paytm-payments,authenticated
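Review bot: the classification change (PR:L, 8.2 to PR:N, 9.8) and the severity bump to critical conflict with the unchanged tags line, which still carries "authenticated". Either the injection is reachable without credentials (then drop the "authenticated" tag) or it is not (then keep PR:L and severity high); the hunk should not change one without the other. Also worth a sentence: the name says <=2.7.3 while remediation says 2.7.7, and the removed description explained that gap ("fixed in version 2.7.7"); the new description does not.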
@ -42,3 +42,5 @@ requests:
- 'status_code_2 == 200'
- 'contains(body_2, "toplevel_page_paytm")'
condition: and
# Enhanced by cs on 2023/03/17


@ -1,15 +1,15 @@
id: CVE-2022-46888
info:
name: NexusPHP - Cross-Site Scripting
name: NexusPHP <1.7.33 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
NexusPHPbefore 1.7.33 allow remote attackers to inject arbitrary web script or HTML via the secret parameter in /login.php.
NexusPHP before 1.7.33 contains multiple cross-site scripting vulnerabilities via the secret parameter in /login.php; q parameter in /user-ban-log.php; query parameter in /log.php; text parameter in /moresmiles.php; q parameter in myhr.php; or id parameter in /viewrequests.php. An attacker can inject arbitrary web script or HTML, which can allow theft of cookie-based authentication credentials and launch of other attacks..
reference:
- https://www.surecloud.com/resources/blog/nexusphp-surecloud-security-review-identifies-authenticated-unauthenticated-vulnerabilities
- https://nvd.nist.gov/vuln/detail/CVE-2022-46888
- https://github.com/xiaomlove/nexusphp/releases/tag/v1.7.33
- https://nvd.nist.gov/vuln/detail/CVE-2022-46888
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
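Review bot: the new description ends with a doubled period ("and launch of other attacks..") and the phrase "which can allow theft of cookie-based authentication credentials and launch of other attacks" is awkward. Suggest "which can allow an attacker to steal cookie-based authentication credentials and launch other attacks."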
@ -43,3 +43,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/14


@ -1,12 +1,12 @@
id: CVE-2022-4897
info:
name: BackupBuddy < 8.8.3 - Cross Site Scripting
name: WordPress BackupBuddy <8.8.3 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
The BackupBuddy WordPress plugin before 8.8.3 does not sanitise and escape some parameters before outputting them back in various places, leading to Reflected Cross-Site Scripting.
remediation: Fixed in version 8.8.3
WordPress BackupBuddy plugin before 8.8.3 contains a cross-site vulnerability. The plugin does not sanitize and escape some parameters before outputting them back in various locations. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
remediation: Fixed in version 8.8.3.
reference:
- https://wpscan.com/vulnerability/7b0eeafe-b9bc-43b2-8487-a23d3960f73f
- https://nvd.nist.gov/vuln/detail/CVE-2022-4897
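Review bot: the new description says "contains a cross-site vulnerability", with "scripting" missing. The new name also keeps "Cross Site Scripting" unhyphenated while the other renamed XSS templates in this commit use "Cross-Site Scripting"; suggest "WordPress BackupBuddy <8.8.3 - Cross-Site Scripting".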
@ -40,3 +40,5 @@ requests:
- 'contains(body_2, "onload=alert(document.domain)")'
- 'contains(body_2, "BackupBudddy iFrame")'
condition: and
# Enhanced by md on 2023/03/14


@ -1,11 +1,11 @@
id: CVE-2023-23488
info:
name: Paid Memberships Pro < 2.9.8 - Unauthenticated Blind SQLi
name: WordPress Paid Memberships Pro <2.9.8 - Blind SQL Injection
author: dwisiswant0
severity: critical
description: |
The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affected by an unauthenticated SQL injection vulnerability in the 'code' parameter of the '/pmpro/v1/order' REST route.
WordPress Paid Memberships Pro plugin before 2.9.8 contains a blind SQL injection vulnerability in the 'code' parameter of the /pmpro/v1/order REST route. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://www.tenable.com/security/research/tra-2023-2
- https://wordpress.org/plugins/paid-memberships-pro/
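Review bot: the new name and description both drop "unauthenticated", which the removed lines stated and which is what makes a blind SQL injection in a REST route critical rather than high. Suggest "contains an unauthenticated blind SQL injection vulnerability in the 'code' parameter of the /pmpro/v1/order REST route."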
@ -37,3 +37,5 @@ requests:
- status_code_1 != 403 # Wordfence
- contains(body_2, "pmpro_updates")
condition: and
# Enhanced by md on 2023/03/07


@ -1,16 +1,16 @@
id: CVE-2023-23489
info:
name: Easy Digital Downloads 3.1.0.2 & 3.1.0.3 - Unauthenticated SQLi
name: WordPress Easy Digital Downloads 3.1.0.2/3.1.0.3 - SQL Injection
author: theamanrawat
severity: critical
description: |
The Easy Digital Downloads WordPress Plugin, versions 3.1.0.2 & 3.1.0.3, is affected by an unauthenticated SQL injection vulnerability in the 's' parameter of its 'edd_download_search' action.
WordPress Easy Digital Downloads plugin 3.1.0.2 and 3.1.0.3 contains a SQL injection vulnerability in the s parameter of its edd_download_search action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/c5a6830c-6420-42fc-b20c-8e20224d6f18
- https://wordpress.org/plugins/easy-digital-downloads/
- https://nvd.nist.gov/vuln/detail/CVE-2023-23489
- https://www.tenable.com/security/research/tra-2023-2
- https://nvd.nist.gov/vuln/detail/CVE-2023-23489
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
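Review bot: subject-verb agreement in the new description: "plugin 3.1.0.2 and 3.1.0.3 contains" should be "plugin versions 3.1.0.2 and 3.1.0.3 contain". Dropping "unauthenticated" from the name and description also loses the reason the finding is critical; consider keeping it.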
@ -38,3 +38,5 @@ requests:
- 'status_code_1 == 200'
- 'contains(body_1, "[]") && contains(body_2, "Easy Digital Downloads")'
condition: and
# Enhanced by md on 2023/03/07


@ -3,18 +3,20 @@ id: CVE-2023-23492
info:
name: Login with Phone Number - Cross-Site Scripting
author: r3Y3r53
severity: high
severity: medium
description: |
Login with Phone Number, versions < 1.4.2, is affected by an reflected XSS vulnerability in the login-with-phonenumber.php' file in the 'lwp_forgot_password()' function.
Note that CVE-2023-23492 incorrectly describes and scores this as SQL injection vulnerability.
reference:
- https://wordpress.org/plugins/login-with-phone-number/
- https://www.tenable.com/security/research/tra-2023-3
- https://nvd.nist.gov/vuln/detail/CVE-2023-23492
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cwe-id: CWE-80
cve-id: CVE-2023-23492
cwe-id: CWE-89
metadata:
verified: "true"
tags: login-with-phonenumber,wordpress,wp,wp-plugin,xss,tenable,cve,cve2023
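Review bot: the cwe-id change from CWE-89 to CWE-80 is inconsistent with the rest of this commit, where XSS templates are classified CWE-79 (mojoPortal CVE-2023-24322 in this same change set, for example). Moving away from CWE-89 is right, since the description itself says the SQL injection classification was wrong, but use CWE-79 unless there is a specific reason for the narrower CWE-80. While touching this block: the unchanged description line has an unbalanced quote in "login-with-phonenumber.php' file" and "an reflected" should be "a reflected", and the name carries no version bound even though the description gives "< 1.4.2".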
@ -41,3 +43,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2023/03/17


@ -1,17 +1,17 @@
id: CVE-2023-23752
info:
name: Joomla Improper AccessCheck in WebService Endpoint
name: Joomla! Webservice - Password Disclosure
author: badboycxcc,Sascha Brendel
severity: medium
description: |
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
remediation: Upgrade to Joomla! version 4.2.8 or later.
reference:
- https://unsafe.sh/go-149780.html
- https://twitter.com/gov_hack/status/1626471960141238272/photo/1
- https://cve.report/CVE-2023-23752
- https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html
remediation: Upgrade to Joomla! version 4.2.8 or later.
- https://nvd.nist.gov/vuln/detail/CVE-2023-23552
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
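Review bot: the added NVD reference points at the wrong CVE. The URL is https://nvd.nist.gov/vuln/detail/CVE-2023-23552 but this template is CVE-2023-23752; change it to https://nvd.nist.gov/vuln/detail/CVE-2023-23752. Moving the remediation key out from after the reference list is correct.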
@ -47,3 +47,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs 02/23/2023


@ -1,20 +1,21 @@
id: CVE-2023-24322
info:
name: mojoPortal - Cross-Site Scripting
name: mojoPortal 2.7.0.0 - Cross-Site Scripting
author: pikpikcu
severity: medium
description: |
A reflected cross-site scripting (XSS) vulnerability in the FileDialog.aspx component of mojoPortal v2.7.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the ed and tbi parameters.
mojoPortal 2.7.0.0 contains a cross-site scripting vulnerability in the FileDialog.aspx component, which can allow an attacker to execute arbitrary web scripts or HTML via a crafted payload injected into the ed and tbi parameters.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-24322
- https://github.com/blakduk/Advisories/blob/main/Mojoportal/README.md
- https://github.com/i7MEDIA/mojoportal/
- https://www.mojoportal.com/
- https://nvd.nist.gov/vuln/detail/CVE-2023-24322
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-79
cve-id: CVE-2023-24322
metadata:
shodan-query: html:"mojoPortal"
verified: "true"
@ -42,3 +43,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/07


@ -1,11 +1,16 @@
id: adminer-panel-fuzz
id: adminer-panel-detect
info:
name: Adminer Login Panel Fuzz
name: Adminer Login Panel - Detect
author: random_robbie,meme-lord
severity: info
description: Adminer login panel was detected.
reference:
- https://blog.sorcery.ie/posts/adminer/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: fuzz,adminer,login
# <= 4.2.4 can have unauthenticated RCE via SQLite driver
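Review bot: renaming the template id from adminer-panel-fuzz to adminer-panel-detect breaks anything that selects or excludes this template by id; the rename should be called out in the PR description. The tags line is unchanged and still carries "fuzz", which no longer matches the new id, name or description; suggest "panel" in keeping with the other "- Detect" templates here. The comment "# <= 4.2.4 can have unauthenticated RCE via SQLite driver" stays but nothing in the info block reflects it; the description could mention that the version is extracted for exactly that reason.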
@ -46,3 +51,5 @@ requests:
group: 1
regex:
- '<span class="version">([0-9.]+)'
# Enhanced by md on 2023/03/08


@ -1,11 +1,15 @@
id: kubeview-dashboard
info:
name: KubeView Dashboard Exposure
name: KubeView Dashboard - Detect
author: ja1sh
severity: low
description: |
An attacker can detect the public instance of a KubeView dashboard
KubeView dashboard was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: "true"
shodan-query: http.favicon.hash:-379154636
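Review bot: severity low conflicts with the added classification block, which scores the finding 0.0 with an all-N vector. Elsewhere in this commit a 0.0 score goes with severity info (signet-explorer-dashboard, phpstan-config, php-fpm-config). Either use the C:L/5.3 vector that nagios-status-page and prometheus-metrics get, or lower severity to info.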
@ -26,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/07


@ -1,10 +1,10 @@
id: nsq-admin-panel
info:
name: NSQ Admin Panel Exposure
name: NSQ Admin Panel - Detect
author: random-robbie
severity: medium
description: NSQ unauthenticated admin panel detect.
description: NSQ admin panel was detected.
reference:
- https://nsq.io/components/nsqd.html
classification:
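Review bot: the new description drops "unauthenticated", which the removed line stated and which is the only thing that justifies keeping severity medium for a panel detection. Suggest "An unauthenticated NSQ admin panel was detected."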
@ -37,3 +37,5 @@ requests:
group: 1
regex:
- "nsqadmin/v([0-9.]+)"
# Enhanced by md on 2023/02/22


@ -1,10 +1,16 @@
id: signet-explorer-dashboard
info:
name: Signet Explorer Dashboard
name: Signet Explorer Dashboard - Detect
author: ritikchaddha
severity: low
description: Signet Explorer Dashboard detect to explore full Bitcoin ecosystem.
severity: info
description: Signet Explorer Dashboard was detected.
reference:
- https://github.com/mempool/mempool
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: true
shodan-query: html:"mempool-space" || title:"Signet Explorer"
@ -28,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2023/03/17


@ -23,8 +23,8 @@ requests:
- "{{RDN}}" # example.com
- "{{DN}}" # example
- "{{SD}}" # www
- "{{date_time('%Y')}}" #2023
- "ROOT" #tomcat
- "{{date_time('%Y')}}" # 2023
- "ROOT" # tomcat
- "wwwroot"
- "htdocs"
- "www"


@ -1,11 +1,16 @@
id: kyan-credential-exposure
info:
name: Kyan network monitoring device account and password exposure
name: Kyan Network Login Panel - Detect
author: pikpikcu
severity: medium
description: Kyan Network login panel was detected. Password and other credential theft is possible via accessing this panel.
reference:
- https://mp.weixin.qq.com/s/6phWjDrGG0pCpGuCdLusIg
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
tags: kyan,exposure,config,network
requests:
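Review bot: the new name "Kyan Network Login Panel - Detect" does not match the template id (kyan-credential-exposure), the tags (exposure, config) or the added description, which says password and credential theft is possible via the panel. If the description is accurate this is a credential exposure, and the added vector should then be C:H rather than C:L/5.3; if it is only a panel detection, the description's theft claim and the id need to change instead. Suggest keeping the removed name's meaning: "Kyan Network Monitoring Device - Credential Exposure".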
@ -30,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/02/22


@ -1,13 +1,17 @@
id: magento-config-disclosure
info:
name: Magento - Config Disclosure
name: Magento Configuration Panel - Detect
author: ptonewreckin,danigoland,geeknik
severity: high
description: |
Misconfigured instances of Magento may disclose usernames, passwords, and database configurations via /app/etc/local.xml
Magento configuration panel was detected. Misconfigured instances of Magento may disclose usernames, passwords, and database configurations via /app/etc/local.xml.
reference:
- https://github.com/ptonewreckin/cmsDetector/blob/master/signatures/magento.py
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
metadata:
verified: true
shodan-query: http.component:"Magento"
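Review bot: "configuration panel" is the wrong term in both the new name and the new description. The template reads /app/etc/local.xml and the matchers in the second hunk check XML paths such as /config/global/resources/default_setup/connection/password, so this is a configuration file disclosure, not a panel. Suggest "Magento Configuration File (local.xml) - Disclosure" and "Magento configuration file was detected. Misconfigured instances ...".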
@ -47,3 +51,5 @@ requests:
- "/config/global/resources/default_setup/connection/username"
- "/config/global/resources/default_setup/connection/password"
- "/config/global/resources/default_setup/connection/dbname"
# Enhanced by cs on 2023/02/23


@ -1,11 +1,16 @@
id: nagios-status-page
info:
name: Nagios Current Status Page
name: Nagios Current Status Page - Detect
author: dhiyaneshDk
severity: low
severity: medium
description: Nagios current status page was detected.
reference:
- https://www.exploit-db.com/ghdb/6918
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
tags: exposure,nagios,status,edb
requests:
@ -19,3 +24,5 @@ requests:
- type: word
words:
- Current Network Status
# Enhanced by cs on 2023/02/23


@ -1,9 +1,15 @@
id: opcache-status-exposure
info:
name: OPcache Status Exposure
name: OPcache Status Page - Detect
author: pdteam
severity: low
severity: medium
description: OPcache status page was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
reference: https://www.php.net/manual/en/book.opcache.php
tags: config,exposure,status
requests:
@ -19,3 +25,5 @@ requests:
- "<th>opcache_hit_rate</th>"
condition: and
part: body
# Enhanced by md on 2023/02/22


@ -1,11 +1,16 @@
id: oracle-cgi-printenv
info:
name: Oracle CGI printenv - Information Disclosure
name: Oracle CGI Printenv - Information Disclosure
author: DhiyaneshDk
severity: medium
description: Oracle CGI printenv component is susceptible to an information disclosure vulnerability.
reference:
- https://github.com/ilmila/J2EEScan/blob/master/src/main/java/burp/j2ee/issues/impl/OracleCGIPrintEnv.java
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
tags: exposure,oracle,config
requests:
@ -28,3 +33,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/02/22


@ -1,13 +1,18 @@
id: oracle-ebs-credentials
info:
name: Oracle EBS Credentials Disclosure
name: Oracle E-Business System Credentials Page - Detect
author: dhiyaneshDk
severity: medium
severity: high
description: Oracle E-Business System credentials page was detected.
reference:
- https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
- https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
- http://www.davidlitchfield.com/AssessingOraclee-BusinessSuite11i.pdf
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
tags: config,exposure,oracle
requests:
@ -31,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/02/22


@ -1,9 +1,12 @@
id: ovpn-config-exposed
info:
name: OVPN Config Download
name: OVPN Configuration Download Page - Detect
author: tess
severity: low
description: OVPS configuration download page was detected.
classification:
cwe-id: CWE-200
metadata:
verified: "true"
shodan-query: http.title:"OVPN Config Download"
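Review bot: typo in the new description: "OVPS configuration download page" should read "OVPN configuration download page". The added classification block also carries only cwe-id, without the cvss-metrics/cvss-score pair that the other exposure templates in this commit receive; add the vector used for the other low/medium exposures or leave the block out entirely rather than half-filled.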
@ -28,3 +31,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/02/22


@ -1,9 +1,15 @@
id: perl-status
info:
name: Apache mod_perl Status Page Exposure
name: Apache Mod_perl Status Page - Detect
author: pdteam
severity: medium
description: Apache mod_perl status page was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
reference: https://perl.apache.org/
tags: config,exposure,apache,status
requests:
@ -16,3 +22,5 @@ requests:
- "<title>Apache2::Status"
- "Perl version"
condition: and
# Enhanced by md on 2023/02/22


@ -1,9 +1,15 @@
id: php-fpm-config
info:
name: PHP-FPM Config file disclosure
name: PHP-FPM Configuration Page - Detect
author: sheikhrishad
severity: low
severity: info
description: PHP-FPM configuration page was detected.
reference: https://www.php.net/manual/en/install.fpm.php
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: config,exposure,php
requests:
@ -21,4 +27,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by md on 2023/02/22


@ -1,13 +1,14 @@
id: phpinfo-files
info:
name: phpinfo Disclosure
name: PHPinfo Page - Detect
author: pdteam,daffainfo,meme-lord,dhiyaneshDK,wabafet
description: |
A "PHP Info" page was found. The output of the phpinfo() command can reveal detailed PHP environment information.
remediation: |
Remove PHP Info pages from publicly accessible sites, or restrict access to authorized users only.
severity: low
description: |
PHPinfo page was detected. The output of the phpinfo() command can reveal sensitive and detailed PHP environment information.
remediation: Remove PHP Info pages from publicly accessible sites, or restrict access to authorized users only.
classification:
cwe-id: CWE-200
tags: config,exposure,phpinfo
requests:
@ -55,3 +56,5 @@ requests:
group: 1
regex:
- '>PHP Version <\/td><td class="v">([0-9.]+)'
# Enhanced by md on 2023/02/22


@ -1,9 +1,15 @@
id: phpstan-config
info:
name: PHPStan Configuration Exposure
name: PHPStan Configuration Page - Detect
author: DhiyaneshDK
severity: low
severity: info
description: PHPStan configuration page was detected.
reference: https://phpstan.org/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: true
shodan-query: html:"phpstan.neon"
@ -30,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/02/22


@ -1,9 +1,14 @@
id: plesk-stat
info:
name: Plesk-stat (Log analyzer)
name: Webalizer Log Analyzer Configuration - Detect
author: th3.d1p4k
severity: low
severity: medium
description: Webalizer log analyzer configuration was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
reference:
- http://www.webalizer.org
tags: config,exposure,plesk
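Review bot: the new name and description say "Webalizer Log Analyzer Configuration", but the id is plesk-stat, the tag is plesk, and the matchers in the second hunk look for "webstat-ssl"/"webstat", which are statistics pages rather than a configuration file. Suggest "Plesk Web Statistics Page - Detect" and "Plesk (Webalizer) web statistics page was detected." so the name still mentions Plesk for anyone searching by product.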
@ -32,3 +37,5 @@ requests:
- 'webstat-ssl'
- 'webstat'
condition: or
# Enhanced by md on 2023/02/22


@ -1,9 +1,15 @@
id: pre-commit-config
info:
name: Pre Commit Configuration File Exposure
name: Pre-commit Configuration File - Detect
author: DhiyaneshDk
severity: low
severity: info
description: Pre-commit configuration file was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
reference: https://pre-commit.com/
metadata:
verified: true
tags: exposure,devops,config,cicd
@ -28,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/02/22


@ -1,9 +1,15 @@
id: proftpd-config
info:
name: ProFTPD Config file disclosure
name: ProFTPD Configuration File - Detect
author: sheikhrishad
severity: low
description: ProFTPD configuration file was detected.
reference: http://www.proftpd.org/docs/howto/ConfigFile.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: config,exposure,proftpd
requests:
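Review bot: severity low conflicts with the added cvss-score 0.0 and all-N vector, the same mismatch as kubeview-dashboard. Other templates in this commit with a 0.0 vector were lowered to info (php-fpm-config, phpstan-config, pre-commit-config). Pick one: severity info, or a C:L/5.3 vector, since a readable ProFTPD configuration does disclose something.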
@ -21,4 +27,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by cs on 2023/02/24


@ -1,9 +1,14 @@
id: prometheus-metrics
info:
name: Exposed Prometheus metrics
name: Prometheus Metrics - Detect
author: dhiyaneshDK, philippedelteil
severity: low
severity: medium
description: Prometheus metrics page was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
reference:
- https://github.com/prometheus/prometheus
- https://hackerone.com/reports/1026196
@ -27,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2023/03/02


@ -1,9 +1,15 @@
id: proxy-wpad-exposure
info:
name: Proxy WPAD Configuration Exposure
name: Web Proxy Auto-Discovery Configuration File - Detect
author: DhiyaneshDk
severity: low
severity: info
description: Web Proxy Auto-Discovery configuration file was detected.
reference: https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Protocol
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: true
shodan-query: html:"wpad.dat"
@ -26,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2023/03/02


@ -1,9 +1,17 @@
id: pubspec-config
info:
name: Pubspec YAML Configuration File Exposure
name: Pubspec YAML Configuration File - Detect
author: DhiyaneshDk
severity: low
severity: info
description: Pubspec YAML configuration file was detected.
reference:
- https://docs.flutter.dev/development/tools/pubspec
- https://xeladu.medium.com/the-flutter-pubspec-yaml-in-detail-eee5729d9df7
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: true
shodan-query: html:"pubspec.yaml"
@ -29,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2023/03/02

View File

@ -1,9 +1,15 @@
id: rails-database-config
info:
name: Ruby-on-Rails Database Configuration Exposure
name: Ruby on Rails Database Configuration File - Detect
author: pdteam,geeknik
severity: low
severity: high
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
description: Ruby on Rails database configuration file was detected, which may contain database credentials.
reference: https://guides.rubyonrails.org/configuring.html#configuring-a-database
tags: config,exposure,rails
requests:
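Review bot: `reference: https://guides.rubyonrails.org/configuring.html#configuring-a-database` is left as a scalar while other hunks in this PR (redis-config, web-config) normalise `reference` to a list; since the severity bump to high rests on the claim that the file "may contain database credentials", a second reference supporting that (for example the `config/database.yml` format) would also help justify the 7.5 score.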
@ -23,4 +29,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by cs on 2023/03/02

View File

@ -1,10 +1,16 @@
id: redis-config
info:
name: Redis Configuration File Exposure
name: Redis Configuration File - Detect
author: geeknik
severity: medium
reference: https://redis.io/docs/manual/config/
description: Redis configuration file was detected.
reference:
- https://redis.io/docs/manual/config/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
metadata:
verified: true
shodan-query: html:"redis.conf"
@ -33,3 +39,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/02/23

View File

@ -1,10 +1,15 @@
id: robomongo-credential
info:
name: MongoDB credential disclosure
name: RoboMongo Configuration File - Detect
author: geeknik
severity: high
description: MongoDB credentials file used by RoboMongo
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
description: A MongoDB credentials file used by RoboMongo was detected.
reference: https://robomongo.org/
tags: mongodb,robomongo,disclosure,config
requests:
@ -30,4 +35,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by cs on 2023/03/02

View File

@ -1,10 +1,16 @@
id: ruijie-information-disclosure
info:
name: Ruijie Information Disclosure
name: Ruijie Login Panel - Detect
author: pikpikcu
severity: high
description: Ruijie login panel was detected and leaks authentication credentials.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
reference:
- https://www.ruijienetworks.com/
- https://www.cnblogs.com/cHr1s/p/14499858.html
tags: ruijie,config,exposure
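Review bot: the new name `Ruijie Login Panel - Detect` understates the finding described on the next lines: the description says the panel "leaks authentication credentials" and the template is scored high (7.5, C:H). In this repository the `- Detect` suffix is used for info-level presence checks (see the proxy-wpad and saia-web-server hunks), so a reader filtering by name will miss a credential exposure. Suggest a name that carries the impact, e.g. `Ruijie Login Panel - Credentials Disclosure`.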
@ -25,3 +31,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2023/03/02

View File

@ -1,12 +1,17 @@
id: ruijie-nbr1300g-exposure
info:
name: Ruijie NBR1300G Cli Password Leak
name: Ruijie NBR1300G Cli Password Leak - Detect
author: pikpikcu
severity: medium
severity: high
description: Ruijie NBR1300G CLI password leak vulnerability was detected.
reference:
- http://wiki.peiqi.tech/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7NBR%201300G%E8%B7%AF%E7%94%B1%E5%99%A8%20%E8%B6%8A%E6%9D%83CLI%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html
- https://www.ruijienetworks.com
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
tags: ruijie,exposure
requests:
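Review bot: casing is inconsistent within the hunk: the name keeps `Cli` (`Ruijie NBR1300G Cli Password Leak - Detect`) while the new description spells it `CLI`. Use `CLI` in both. The `- Detect` suffix is also odd on a template that is scored high for a password leak; `Ruijie NBR1300G - CLI Password Disclosure` would read better.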
@ -28,3 +33,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/02/23

View File

@ -1,9 +1,12 @@
id: ruijie-phpinfo
info:
name: Ruijie Phpinfo
name: Ruijie Phpinfo Configuration - Detect
author: pikpikcu
severity: low
description: Ruijie phpinfo configuration was detected.
classification:
cwe-id: CWE-200
reference:
- https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/PeiQi/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7EG%E6%98%93%E7%BD%91%E5%85%B3%20phpinfo.view.php%20%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.md
tags: phpinfo,rujjie,config,exposure,ruijie
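Review bot: the added `classification` block carries only `cwe-id: CWE-200` and omits `cvss-metrics` and `cvss-score`, unlike every other template touched by this PR; for `severity: low` the 5.3 vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` would match the rest of the set. The unchanged `tags` line also still contains the misspelling `rujjie` next to the correct `ruijie`; since this hunk is already editing the info block, drop the typo.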
@ -24,3 +27,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2023/03/02

View File

@ -1,9 +1,14 @@
id: s3cfg-config
info:
name: S3CFG Configuration - File Exposure
name: S3CFG Configuration - Detect
author: geeknik,DhiyaneshDK
severity: unknown
severity: high
description: S3CFG configuration file was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
reference:
- https://s3tools.org/kb/item14.htm
tags: amazon,s3,exposure,config
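Review bot: the severity jump from `unknown` to `high` (7.5, C:H) is not explained by the new description, which only says "S3CFG configuration file was detected." The `.s3cfg` file used by s3cmd stores the `access_key` and `secret_key` for the AWS account, which is what makes an exposed copy a credential leak; state that in the description (compare the rails-database-config hunk, which says the file "may contain database credentials") so the score is self-justifying.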
@ -30,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/02/23

View File

@ -1,9 +1,14 @@
id: saia-web-server
info:
name: Saia PCD Web-Server
name: Saia PCD Web-Server Configuration Page - Detect
author: DhiyaneshDk
severity: low
severity: info
description: Saia PCD Web-Server configuration page was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
reference:
- https://www.exploit-db.com/ghdb/6865
tags: edb,config,exposure
@ -23,3 +28,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2023/03/02

View File

@ -1,9 +1,14 @@
id: server-private-keys
info:
name: Detect Private SSL, SSH, TLS, and JWT Keys
name: SSL/SSH/TLS/JWT Keys - Detect
author: geeknik,R12W4N
severity: high
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
description: Private SSL, SSH, TLS, and JWT keys were detected.
tags: config,exposure
requests:
@ -70,3 +75,5 @@ requests:
- '!contains(body_2, "<html")'
- '!contains(body_2, "<HTML")'
condition: and
# Enhanced by cs on 2023/03/02

View File

@ -1,9 +1,14 @@
id: sftp-config-exposure
info:
name: SFTP Config File Disclosure
name: SFTP Configuration File - Detect
author: geeknik
severity: high
description: SFTP configuration file was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
reference:
- https://blog.sucuri.net/2012/11/psa-sftpftp-password-exposure-via-sftp-config-json.html
- https://www.acunetix.com/vulnerabilities/web/sftp-ftp-credentials-exposure/
@ -31,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2023/03/02

View File

@ -1,9 +1,14 @@
id: sftp-credentials-exposure
info:
name: SFTP credentials exposure
name: SFTP Credentials - Detect
author: sheikhrishad
severity: medium
severity: high
description: SFTP credentials were detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
tags: config,ftp,exposure
requests:
@ -24,3 +29,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/02/23

View File

@ -1,11 +1,15 @@
id: sftp-deployment-config
info:
name: Atom Package SFTP - Deployment Configuration Disclosure
name: Atom SFTP Configuration File - Detect
author: geeknik
severity: high
description: |
Created by sftp-deployment for Atom, contains server details and credentials
Atom SFTP deployment configuration file was detected. File contains server details and credentials.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
reference:
- https://atom.io/packages/sftp-deployment
metadata:
@ -31,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2023/03/02

View File

@ -1,9 +1,14 @@
id: ssh-authorized-keys
info:
name: SSH Authorized Keys
name: SSH Authorized Keys File - Detect
author: geeknik
severity: low
severity: medium
description: SSH authorized keys file was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
reference:
- https://www.ssh.com/academy/ssh/authorized-key
tags: config,exposure,ssh
@ -27,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2023/03/02

View File

@ -1,9 +1,14 @@
id: ssh-known-hosts
info:
name: SSH Known Hosts
name: SSH Known Hosts File - Detect
author: geeknik
severity: low
severity: info
description: SSH known hosts file was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
reference:
- https://datacadamia.com/ssh/known_hosts
tags: config,exposure,ssh
@ -27,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/02/23

View File

@ -1,12 +1,17 @@
id: stestr-config
info:
name: Stestr Configuration File Exposure
name: Stestr Configuration File - Detect
author: Hardik-Solanki
severity: info
description: Stestr configuration file was detected.
reference:
- https://github.com/maurosoria/dirsearch/blob/master/db/dicc.txt
- https://stestr.readthedocs.io/en/latest/MANUAL.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: true
github-query: filename:stestr.conf
@ -29,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/02/23

View File

@ -1,9 +1,18 @@
id: svnserve-config
info:
name: svnserve config file disclosure
name: Svnserve Configuration File - Detect
author: sheikhrishad
severity: low
severity: info
description: Svnserve configuration file was detected.
reference: https://linux.die.net/man/8/svnserve
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: "true"
google-query: intext:"configuration of the svnserve daemon"
tags: config,exposure,svnserve
requests:
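Review bot: `verified: "true"` is a quoted string here while the other templates in this PR (proxy-wpad, pubspec, redis-config, stestr) use the bare boolean `verified: true`; tooling that reads the metadata as YAML will see a string rather than a boolean. Use the unquoted form.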
@ -19,4 +28,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by cs on 2023/03/02

View File

@ -1,9 +1,15 @@
id: symfony-database-config
info:
name: Symfony Database Configuration Exposure
name: Symfony Database Configuration File - Detect
author: pdteam,geeknik
severity: high
description: Symfony database configuration file was detected and may contain database credentials.
reference: https://symfony.com/legacy/doc/reference/1_3/en/07-Databases
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
tags: config,exposure,symfony
requests:
@ -26,3 +32,5 @@ requests:
- "param:"
condition: and
part: body
# Enhanced by md on 2023/02/23

View File

@ -1,12 +1,18 @@
id: symfony-profiler
info:
name: Symfony Profiler
name: Symfony Profiler - Detect
author: pdteam
severity: high
description: Symfony profiler was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
metadata:
verified: true
shodan-query: http.html:"symfony Profiler"
reference: https://symfony.com/doc/current/profiler.html
tags: config,exposure,symfony
requests:
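Review bot: the description "Symfony profiler was detected." does not explain the high severity (7.5, C:H). The Symfony profiler is a development tool that shows request and response data and application configuration for collected requests, which is why its exposure on a production host is treated as high; one sentence saying so in the description would make the classification self-justifying.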
@ -21,3 +27,5 @@ requests:
part: body
words:
- "Symfony Profiler"
# Enhanced by cs on 2023/03/02

View File

@ -1,12 +1,17 @@
id: symfony-security-config
info:
name: Symfony Security Configuration Exposure
name: Symfony Security Configuration File - Detect
author: dahse89
severity: info
description: Symfony security configuration file was detected.
reference:
- https://symfony2-document.readthedocs.io/en/latest/book/security.html
- https://symfony.com/doc/current/reference/configuration/security.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: config,exposure,symfony
requests:
@ -28,3 +33,5 @@ requests:
- "access_control:"
condition: and
part: body
# Enhanced by md on 2023/02/23

View File

@ -1,9 +1,14 @@
id: tox-ini
info:
name: tox.ini File Exposure
name: Tox Configuration File - Detect
author: geeknik
severity: low
severity: info
description: Tox configuration file was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
reference: https://tox.wiki/en/latest/config.html
metadata:
verified: true
@ -32,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2023/03/02

View File

@ -1,11 +1,15 @@
id: ventrilo-config
info:
name: Ventrilo Configuration File
name: Ventrilo Configuration File - Detect
author: geeknik
severity: high
description: |
It discloses the AdminPassword and Password of the application.
Ventrilo configuration file was detected, The file discloses the application's Adminpassword and Password.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
reference:
- https://www.ventrilo.com/setup.php
metadata:
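Review bot: the rewritten description has a comma splice and silently changes the setting name: "Ventrilo configuration file was detected, The file discloses the application's Adminpassword and Password." The original text used the actual key casing `AdminPassword`. Suggest: `Ventrilo configuration file was detected. The file discloses the AdminPassword and Password values.`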
@ -34,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2023/03/02

View File

@ -1,10 +1,16 @@
id: web-config
info:
name: Web Config file
name: Web Configuration File - Detect
author: Yash Anand @yashanand155,DhiyaneshDK
severity: info
reference: https://github.com/imhunterand/ApachSAL/blob/main/assets/exploits.json
description: Web configuration file was detected.
reference:
- https://github.com/imhunterand/ApachSAL/blob/main/assets/exploits.json
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: config,exposure
requests:
@ -24,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/02/24

View File

@ -1,10 +1,14 @@
id: webpack-config
info:
name: webpack config disclosure
name: Webpack Configuration File - Detect
author: ambassify
severity: info
description: A lot of web projects use webpack these days to bundle their project to publish it online - this file holds various metadata relevant to the project.
description: Webpack configuration file was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
shodan-query: html:"webpack.config.js"
tags: config,exposure
@ -31,4 +35,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by md on 2023/02/24

View File

@ -1,9 +1,14 @@
id: websheets-config
info:
name: Websheets Config File Exposure
name: Websheets Configuration File - Detect
author: geeknik
severity: low
severity: high
description: Websheets configuration file was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
reference:
- https://github.com/daveagp/websheets
metadata:
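Review bot: the severity rises from low to high (7.5, C:H) but the new description only says "Websheets configuration file was detected.", so nothing on the page says what sensitive content the file holds. Add the reason (credentials, secret keys, or whatever the referenced project documents) to the description, or keep the previous severity.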
@ -28,3 +33,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2023/03/02

View File

@ -1,9 +1,15 @@
id: wgetrc-config
info:
name: Wgetrc Configuration File Exposure
name: Wgetrc Configuration File - Detect
author: DhiyaneshDK
severity: medium
severity: info
description: Wgetrc configuration file was detected.
reference: https://www.gnu.org/software/wget/manual/html_node/Wgetrc-Commands.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: true
shodan-query: html:".wgetrc"
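Review bot: downgrading `severity` from medium to info with a C:N vector (0.0) overlooks that `.wgetrc` can carry authentication settings: the linked Wgetrc-Commands manual documents `http_user`, `http_password`, `proxy_user` and `proxy_password`. An exposed file can therefore leak credentials, which argues for keeping at least a C:L vector and saying so in the description.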
@ -31,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/02/24

View File

@ -1,10 +1,16 @@
id: xprober-service
info:
name: X Prober server information leakage
name: X Prober Server - Information Disclosure
author: pdteam
severity: low
severity: medium
description: X Prober Server information disclosure was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
reference:
- https://github.com/kmvan/x-prober
- https://twitter.com/bugbounty_tips/status/1339984643517423616
tags: config,exposure
@ -17,4 +23,6 @@ requests:
words:
- '"appName":"X Prober"'
- '<title>X Prober'
condition: and
condition: and
# Enhanced by cs on 2023/03/02

View File

@ -1,9 +1,14 @@
id: db-xml-file
info:
name: db.xml File Exposure
name: db.xml File - Detect
author: tess
severity: medium
description: db.xml file was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
metadata:
verified: true
tags: misconfig,db,files,exposure
@ -28,3 +33,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/07

View File

@ -1,11 +1,16 @@
id: dbeaver-database-connections
info:
name: DBeaver Database Connections
name: DBeaver Database Connections - Detect
author: geeknik
severity: info
description: DBeaver database connections were detected.
reference:
- https://dbeaver.com/docs/wiki/Admin-Manage-Connections/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: true
tags: dbeaver,files,exposure
@ -27,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/07

View File

@ -1,13 +1,17 @@
id: jetbrains-webservers
info:
name: Jetbrains WebServers File Exposure
name: JetBrains WebServers File - Detect
author: geeknik
severity: info
description: |
Created by Jetbrains IDEs, contains webserver credentials with encoded passwords.
JetBrains webservers file was detected. The file contains webserver credentials with encoded passwords.
reference:
- https://www.exploit-db.com/ghdb/6648
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: true
google-query: intitle:"index of" "WebServers.xml"
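Review bot: the classification contradicts the description in the same hunk: the description states the file "contains webserver credentials with encoded passwords", yet `severity: info` and `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N` (0.0) declare no confidentiality impact. Encoded is not encrypted; this should be scored like the other credential-bearing files in this PR (sftp-deployment-config uses high, 7.5, C:H).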
@ -41,3 +45,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/07

View File

@ -1,11 +1,16 @@
id: redmine-config
info:
name: Redmine Configuration
name: Redmine Configuration File - Detect
author: DhiyaneshDK
severity: high
description: Redmine configuration file was detected.
reference:
- https://www.exploit-db.com/ghdb/5803
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
metadata:
verified: true
google-query: intitle:"index of" configuration.yml
@ -40,3 +45,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/07

View File

@ -1,12 +1,16 @@
id: sensitive-storage-data-expose
info:
name: Sensitive Storage Data Exposed
name: Sensitive Storage Data - Detect
author: pussycat0x
severity: medium
description: Searches for sensitive keys file,logs,debugbar,app.
description: A generic search for 'storage' in sensitive key files, file names, logs, etc., returned a match.
reference:
- https://www.exploit-db.com/ghdb/6304
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
tags: expose,listing,config,logs,storage,edb,files
requests:
@ -32,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/07

View File

@ -1,11 +1,12 @@
id: fastcgi-echo
info:
name: Fastcgi Echo Endpoint Exposure
name: FastCGI Echo Endpoint Script - Detect
author: powerexploit
severity: info
description: |
FastCGI module delivered with the Apache httpd server that is incorporated into the Oracle Application Server.FastCGI echo programs (echo and echo2) should be always removed or disabled in all Oracle Application Servers implementations as they can provide information at an attacker
FastCGI echo endpoint script was detected, which lists several kinds of sensitive information such as port numbers, server software versions, port numbers, and IP addresses.
remediation: Remove or disable FastCGI module delivered with the Apache httpd server which is incorporated into the Oracle Application Server.FastCGI echo programs (echo and echo2).
reference:
- https://www.exploit-db.com/ghdb/183
- https://www.integrigy.com/oracle-application-server-fastcgi-echo-vulnerability-reports
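Review bot: the new description lists "port numbers" twice ("port numbers, server software versions, port numbers, and IP addresses"); drop one. The `remediation` line is also garbled: "Remove or disable FastCGI module delivered with the Apache httpd server which is incorporated into the Oracle Application Server.FastCGI echo programs (echo and echo2)." runs two sentences together without a space and, read literally, tells the operator to remove the whole FastCGI module. The original text's advice was narrower; suggest: `Remove or disable the FastCGI echo programs (echo and echo2) shipped with the Apache httpd server incorporated into Oracle Application Server.`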
@ -34,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/07

View File

@ -1,9 +1,10 @@
id: struts-problem-report
info:
name: Apache Struts in Dev Mode
name: Apache Struts Dev Mode - Detect
author: dhiyaneshDK
severity: low
description: Multiple Apache Struts applications were detected in dev-mode.
reference:
- https://www.exploit-db.com/ghdb/4278
tags: struts,debug,edb,exposure,apache
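Review bot: this is the only template in the PR that receives no `classification` block (`cvss-metrics`, `cvss-score`, `cwe-id`) alongside the renamed title; for `severity: low` the 5.3 C:L vector used elsewhere would fit, with `cwe-id: CWE-200` for the debug information exposed in dev mode. The description "Multiple Apache Struts applications were detected in dev-mode." also reads oddly for a per-target check; `Apache Struts application running in dev mode was detected.` describes the single finding the template reports.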
@ -22,3 +23,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/07

View File

@ -1,13 +1,18 @@
id: iis-shortname
info:
name: iis-shortname
name: IIS - Short Name Detect
author: nodauf
severity: info
description: When IIS uses an old .Net Framework it's possible to enumeration folder with the symbol ~.
description: A website running via IIS on an old .net framework contains a get request vulnerability. Using the the tilde character "~" in the request, an attacker can locate short names of files and folders not normally visible.
reference:
- https://github.com/lijiejie/IIS_shortname_Scanner
- https://www.exploit-db.com/exploits/19525
- http://soroush.secproject.com/blog/2012/06/microsoft-iis-tilde-character-vulnerabilityfeature-short-filefolder-name-disclosure/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: fuzz,edb
requests:
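Review bot: the rewritten description has a doubled word ("Using the the tilde character") and vague wording ("contains a get request vulnerability", lowercase ".net framework"); suggest: `IIS running on an old .NET Framework allows short (8.3) file and folder names to be enumerated by sending GET requests containing the tilde character "~".` The added `cvss-metrics` vector with C:N (0.0) also conflicts with `cwe-id: CWE-200`: disclosing file and folder names not otherwise visible is a confidentiality impact, so C:L (5.3) is the consistent choice.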
@ -41,3 +46,5 @@ requests:
- type: dsl
dsl:
- "status_code_1!=404 && status_code_2 == 404 || status_code_3 != 404 && status_code_4 == 404"
# Enhanced by md on 2023/03/08

View File

@ -1,10 +1,14 @@
id: linux-lfi-fuzzing
info:
name: Linux based LFI Fuzzing
name: Linux - Local File Inclusion Fuzzing
author: geeknik,unstabl3,pentest_swissky,sushantkamble,0xSmiley
severity: high
description: Fuzzes for /etc/passwd on passed URLs
description: Multiple fuzzes for /etc/passwd on passed URLs were conducted, leading to multiple instances of local file inclusion vulnerability.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
tags: linux,lfi,fuzz
requests:
@ -38,3 +42,5 @@ requests:
regex:
- "root:.*:0:0:"
part: body
# Enhanced by md on 2023/03/08

Some files were not shown because too many files have changed in this diff.