Dashboard Content Enhancements (#6965)

* Add description and enhance one where the UI failed to save properly.
dos2unix on a template

* Change cvedetails link to nvd

* make severities match

* Enhancement: cves/2015/CVE-2015-2863.yaml by md

* Enhancement: cves/2017/CVE-2017-14524.yaml by md

* Enhancement: cves/2017/CVE-2017-5638.yaml by md

* Enhancement: cves/2019/CVE-2019-16759.yaml by md

* Enhancement: cves/2021/CVE-2021-22986.yaml by md

* Enhancement: cves/2021/CVE-2021-24145.yaml by md

* Enhancement: cves/2021/CVE-2021-24145.yaml by md

* Enhancement: cves/2021/CVE-2021-24155.yaml by md

* Enhancement: cves/2021/CVE-2021-24145.yaml by md

* Enhancement: cves/2021/CVE-2021-24145.yaml by md

* Enhancement: cves/2021/CVE-2021-24347.yaml by md

* Enhancement: cves/2021/CVE-2021-25003.yaml by md

* Enhancement: cves/2021/CVE-2021-25296.yaml by md

* Enhancement: cves/2021/CVE-2021-25297.yaml by md

* Enhancement: cves/2021/CVE-2021-25296.yaml by md

* Enhancement: cves/2021/CVE-2021-25297.yaml by md

* Enhancement: cves/2021/CVE-2021-25298.yaml by md

* Enhancement: cves/2021/CVE-2021-25297.yaml by md

* Enhancement: cves/2021/CVE-2021-28151.yaml by md

* Enhancement: cves/2021/CVE-2021-30128.yaml by md

* Enhancement: cves/2022/CVE-2022-0824.yaml by md

* Enhancement: cves/2022/CVE-2022-0824.yaml by md

* Enhancement: cves/2022/CVE-2022-0885.yaml by md

* Enhancement: cves/2022/CVE-2022-21587.yaml by md

* Enhancement: cves/2022/CVE-2022-2314.yaml by md

* Enhancement: cves/2022/CVE-2022-24816.yaml by md

* Enhancement: cves/2022/CVE-2022-31499.yaml by md

* Enhancement: cves/2022/CVE-2022-21587.yaml by md

* Enhancement: cves/2021/CVE-2021-24155.yaml by md

* Enhancement: cves/2017/CVE-2017-5638.yaml by md

* Enhancement: cves/2015/CVE-2015-2863.yaml by md

* Enhancement: cves/2022/CVE-2022-33901.yaml by md

* Enhancement: cves/2022/CVE-2022-2314.yaml by md

* Enhancement: cves/2022/CVE-2022-33901.yaml by md

* Enhancement: cves/2022/CVE-2022-34753.yaml by md

* Enhancement: cves/2022/CVE-2022-39952.yaml by md

* Enhancement: cves/2022/CVE-2022-4060.yaml by md

* Enhancement: cves/2022/CVE-2022-44877.yaml by md

* Enhancement: cves/2023/CVE-2023-0669.yaml by md

* Enhancement: cves/2023/CVE-2023-26255.yaml by md

* Enhancement: cves/2023/CVE-2023-26256.yaml by md

* Enhancement: exposures/files/salesforce-credentials.yaml by md

* Enhancement: misconfiguration/hadoop-unauth-rce.yaml by md

* Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by md

* Enhancement: network/backdoor/backdoored-zte.yaml by md

* Enhancement: network/detection/ibm-d2b-database-server.yaml by md

* Enhancement: network/detection/ibm-d2b-database-server.yaml by md

* Enhancement: technologies/oracle/oracle-atg-commerce.yaml by md

* Enhancement: token-spray/api-abuseipdb.yaml by md

* Enhancement: token-spray/api-abuseipdb.yaml by md

* Enhancement: token-spray/api-dbt.yaml by md

* Enhancement: vulnerabilities/avaya/avaya-aura-rce.yaml by md

* Enhancement: vulnerabilities/avaya/avaya-aura-xss.yaml by md

* Enhancement: vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml by md

* Enhancement: vulnerabilities/froxlor-xss.yaml by md

* Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md

* Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md

* Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md

* Enhancement: vulnerabilities/opencpu/opencpu-rce.yaml by md

* Enhancement: vulnerabilities/other/academy-lms-xss.yaml by md

* Enhancement: vulnerabilities/other/caucho-resin-info-disclosure.yaml by md

* Enhancement: vulnerabilities/other/ckan-dom-based-xss.yaml by md

* Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by md

* Enhancement: vulnerabilities/other/graylog-log4j.yaml by md

* Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md

* Initial cleanups for syntax errors

* dashboard gremlins

* Add log4j back to name

* Enhancement: exposures/files/salesforce-credentials.yaml by cs

* Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by cs

* Enhancement: network/backdoor/backdoored-zte.yaml by cs

* Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by cs

* Sev and other info tweaks

* Merge conflict

---------

Co-authored-by: sullo <sullo@cirt.net>
patch-1
MostInterestingBotInTheWorld 2023-03-27 13:46:47 -04:00 committed by GitHub
parent 8a451b6ad6
commit 301fddaeb0
GPG Key ID: 4AEE18F83AFDEB23
56 changed files with 327 additions and 153 deletions

@ -3,13 +3,13 @@ id: CVE-2015-2863
info:
name: Kaseya Virtual System Administrator - Open Redirect
author: 0x_Akoko
severity: low
severity: medium
description: |
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
Kaseya Virtual System Administrator 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4 are susceptible to an open redirect vulnerability. An attacker can redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
reference:
- https://github.com/pedrib/PoC/blob/3f927b957b86a91ce65b017c4b9c93d05e241592/advisories/Kaseya/kaseya-vsa-vuln.txt
- https://www.cvedetails.com/cve/CVE-2015-2863
- http://www.kb.cert.org/vuls/id/919604
- https://nvd.nist.gov/vuln/detail/CVE-2015-2863
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
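Review bot: the severity bump from low to medium is required by the unchanged cvss-score 6.1 (medium band under CVSS 3.x), so this hunk resolves the one inconsistency in the file; the cvedetails to NVD reference swap is fine. Nit: the rewritten description drops the "(VSA)" abbreviation that the removed line introduced, so the acronym no longer appears anywhere in the template even though the name still spells out "Virtual System Administrator".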
@ -29,3 +29,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2023/03/21

@ -1,16 +1,16 @@
id: CVE-2015-9312
info:
name: NewStatPress <= 1.0.4 - Cross-Site Scripting
name: NewStatPress <=1.0.4 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The NewStatPress plugin utilizes on lines 28 and 31 of the file includes/nsp_search.php several variables from the $_GET scope, without sanitation. While WordPress automatically escapes quotes on this scope, the outputs on these lines are outside of quotes, and as such can be utilized to trigger a Reflected XSS attack.
WordPress NewStatPress plugin through 1.0.4 contains a cross-site scripting vulnerability. The plugin utilizes, on lines 28 and 31 of the file "includes/nsp_search.php", several variables from the $_GET scope without sanitation. While WordPress automatically escapes quotes on this scope, the outputs on these lines are outside of quotes, and as such can be utilized to initiate a cross-site scripting attack.
reference:
- https://wpscan.com/vulnerability/46bf6c69-b612-4aee-965d-91f53f642054
- https://nvd.nist.gov/vuln/detail/CVE-2015-9312
- https://g0blin.co.uk/g0blin-00057/
- https://wordpress.org/plugins/newstatpress/#developers
- https://nvd.nist.gov/vuln/detail/CVE-2015-9312
remediation: Fixed in version 1.0.6
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
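Review bot: `remediation: Fixed in version 1.0.6` is left without the trailing period that this same PR adds to the remediation field in CVE-2021-24145, CVE-2021-24155 and CVE-2021-24347; pick one style and apply it here too. The reference reorder (NVD last) matches the other files in the PR.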

@ -1,16 +1,15 @@
id: CVE-2017-14524
info:
name: OpenText Documentum Administrator 7.2.0180.0055 - Open redirect
name: OpenText Documentum Administrator 7.2.0180.0055 - Open Redirect
author: 0x_Akoko
severity: medium
description: |
Multiple open redirect vulnerabilities in OpenText Documentum Administrator 7.2.0180.0055 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks.
OpenText Documentum Administrator 7.2.0180.0055 is susceptible to multiple open redirect vulnerabilities. An attacker can redirect a user to a malicious site and potentially obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://seclists.org/fulldisclosure/2017/Sep/57
- https://nvd.nist.gov/vuln/detail/CVE-2017-14524
- https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774
- http://seclists.org/fulldisclosure/2017/Sep/57
- https://nvd.nist.gov/vuln/detail/CVE-2017-14524
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
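Review bot: the seclists reference is re-added as `http://seclists.org/fulldisclosure/2017/Sep/57` while the removed line used `https://`; keep the https form, as the other references in the file do. Also, "potentially obtain sensitive information, modify data, and/or execute unauthorized operations" overstates an open redirect (the vector is C:L/I:L with UI:R); the removed wording "redirect users to arbitrary web sites and conduct phishing attacks" described the impact more accurately and should be kept.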
@ -29,3 +28,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?oast\.me(?:\s*?)$'
# Enhanced by md on 2023/03/20

@ -5,7 +5,7 @@ info:
author: Random_Robbie
severity: critical
description: |
Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is vulnerable to remote command injection attacks through incorrectly parsing an attacker's invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
Apache Struts 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is susceptible to remote command injection attacks. The Jakarta Multipart parser has incorrect exception handling and error-message generation during file upload attempts, which can allow an attacker to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header. This was exploited in March 2017 with a Content-Type header containing a #cmd= string.
reference:
- https://github.com/mazen160/struts-pwn
- https://isc.sans.edu/diary/22169
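Review bot: the rewrite drops the one impact statement specific to this bug, that injected commands run "under the privileges of the Web server"; consider keeping that sentence alongside the new Jakarta Multipart detail. Minor grammar: "Apache Struts 2.3.x ... and 2.5.x ... is susceptible" has a compound subject and should read "are susceptible".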
@ -37,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/21

@ -1,15 +1,15 @@
id: CVE-2019-16759
info:
name: vBulletin v5.0.0-v5.5.4 - Remote Command Execution
name: vBulletin 5.0.0-5.5.4 - Remote Command Execution
author: madrobot
severity: critical
description: vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.
description: vBulletin 5.0.0 through 5.5.4 is susceptible to a remote command execution vulnerability via the widgetConfig parameter in an ajax/render/widget_php routestring request. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vbulletin-remote-code-execution-cve-2020-7373/
- https://nvd.nist.gov/vuln/detail/CVE-2019-16759
- https://seclists.org/fulldisclosure/2019/Sep/31
- https://www.theregister.co.uk/2019/09/24/vbulletin_vbug_zeroday/
- https://nvd.nist.gov/vuln/detail/CVE-2019-16759
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
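Review bot: the rewritten description says "via the widgetConfig parameter" where the removed line said "widgetConfig[code]"; the array key is the actual injection point and should stay in the text. Note also that the trustwave reference covers the later bypass CVE-2020-7373 rather than this CVE; it is fine as context, but the seclists full-disclosure post is the primary source for CVE-2019-16759 and belongs first.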
@ -39,3 +39,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/20

@ -1,13 +1,15 @@
id: CVE-2021-22986
info:
name: F5 BIG-IP iControl REST unauthenticated RCE
name: F5 iControl REST - Remote Command Execution
author: rootxharsh,iamnoooob
severity: critical
description: The iControl REST interface has an unauthenticated remote command execution vulnerability.
description: F5 iControl REST interface is susceptible to remote command execution. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. This affects BIG-IP 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3; and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2.
reference:
- https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986
- https://support.f5.com/csp/article/K03009991
- http://packetstormsecurity.com/files/162059/F5-iControl-Server-Side-Request-Forgery-Remote-Command-Execution.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-22986
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
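Review bot: the new name "F5 iControl REST - Remote Command Execution" drops "BIG-IP" even though the description lists BIG-IP and BIG-IQ as the affected products; keep the product in the name (e.g. "F5 BIG-IP/BIG-IQ iControl REST - Remote Command Execution") since that is what users search the template index for. The added packetstormsecurity reference uses http://; prefer https://.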
@ -56,3 +58,5 @@ requests:
- "commandResult"
- "uid="
condition: and
# Enhanced by md on 2023/03/20

@ -1,17 +1,17 @@
id: CVE-2021-24145
info:
name: Modern Events Calendar Lite < 5.16.5 - Arbitrary File Upload to RCE
name: WordPress Modern Events Calendar Lite <5.16.5 - Authenticated Arbitrary File Upload
author: theamanrawat
severity: high
description: |
Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request.
WordPress Modern Events Calendar Lite plugin before 5.16.5 is susceptible to authenticated arbitrary file upload. The plugin does not properly check the imported file, allowing PHP files to be uploaded and/or executed by an administrator or other high-privilege user using the text/csv content-type in the request. This can possibly lead to remote code execution.
reference:
- https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610
- https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.15.5.zip
- https://github.com/dnr6419/CVE-2021-24145
- https://nvd.nist.gov/vuln/detail/CVE-2021-24145
remediation: Fixed in version 5.16.5
remediation: Fixed in version 5.16.5.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
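Review bot: "allowing PHP files to be uploaded and/or executed by an administrator or other high-privilege user" conflates the upload with the execution; the removed wording limited the flaw to the upload (an administrator uploads a PHP file using the text/csv content-type), with execution following from the file being reachable on the web server. Suggest "allowing PHP files to be uploaded by an administrator or other high-privilege user ... which can then be executed, leading to remote code execution".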
@ -62,3 +62,5 @@ requests:
- status_code_3 == 200
- contains(body_3, 'CVE-2021-24145')
condition: and
# Enhanced by md on 2023/03/21

@ -1,16 +1,16 @@
id: CVE-2021-24155
info:
name: Backup Guard < 1.6.0 - Authenticated Arbitrary File Upload
name: WordPress BackupGuard <1.6.0 - Authenticated Arbitrary File Upload
author: theamanrawat
severity: high
description: |
The WordPress Backup and Migrate Plugin Backup Guard WordPress plugin before 1.6.0 did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE.
WordPress Backup Guard plugin before 1.6.0 is susceptible to authenticated arbitrary file upload. The plugin does not ensure that imported files are in SGBP format and extension, allowing high-privilege users to upload arbitrary files, including PHP, possibly leading to remote code execution.
reference:
- https://wpscan.com/vulnerability/d442acac-4394-45e4-b6bb-adf4a40960fb
- https://wordpress.org/plugins/backup/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24155
remediation: Fixed in version 1.6.0
remediation: Fixed in version 1.6.0.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
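Review bot: the name now reads "WordPress BackupGuard" while the removed name and the new description both spell the plugin "Backup Guard" (two words); use one spelling in name and description.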
@ -75,3 +75,5 @@ requests:
regex:
- 'BG_BACKUP_STRINGS = {"nonce":"([0-9a-zA-Z]+)"};'
internal: true
# Enhanced by md on 2023/03/21

@ -1,16 +1,16 @@
id: CVE-2021-24347
info:
name: SP Project & Document Manager < 4.22 - Authenticated Shell Upload
name: WordPress SP Project & Document Manager <4.22 - Authenticated Shell Upload
author: theamanrawat
severity: high
description: |
The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for example, from "php" to "pHP".
WordPress SP Project & Document Manager plugin before 4.22 is susceptible to authenticated shell upload. The plugin allows users to upload files; however, the plugin attempts to prevent PHP and other similar executable files from being uploaded via checking the file extension. PHP files can still be uploaded by changing the file extension's case, for example, from php to pHP.
reference:
- https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a
- https://wordpress.org/plugins/sp-client-document-manager/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24347
remediation: Fixed in version 4.22
remediation: Fixed in version 4.22.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
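Review bot: wording nit in the description, "prevent PHP ... from being uploaded via checking the file extension" reads awkwardly; the removed line's "by checking the file extension" is better. Otherwise the case-variation example ("php" to "pHP") is preserved, which is the detail that matters for this bug.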
@ -96,3 +96,5 @@ requests:
regex:
- 'name="cdm_upload_file_field" value="([0-9a-zA-Z]+)"'
internal: true
# Enhanced by md on 2023/03/21

@ -1,11 +1,11 @@
id: CVE-2021-25003
info:
name: WPCargo < 6.9.0 - Unauthenticated Remote Code Execution
name: WordPress WPCargo Track & Trace <6.9.0 - Remote Code Execution
author: theamanrawat
severity: critical
description: |
The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE.
WordPress WPCargo Track & Trace plugin before 6.9.0 is susceptible to remote code execution, The plugin contains a file which can allow an attacker to write a PHP file anywhere on the web server, leading to possible remote code execution. This can allow an attacker to execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference:
- https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a
- https://wordpress.org/plugins/wpcargo/
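Review bot: comma splice and capitalisation error in the description: "is susceptible to remote code execution, The plugin contains" needs a full stop before "The plugin". The second sentence also ends with "leading to possible remote code execution", which repeats the first sentence's claim; one mention is enough.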
@ -49,3 +49,5 @@ requests:
- "contains(body_3, md5(num))"
- "contains(body_3, 'PNG')"
condition: and
# Enhanced by md on 2023/03/21

@ -1,16 +1,16 @@
id: CVE-2021-25296
info:
name: Nagios XI versions 5.5.6 to 5.7.5 - Command Injection
name: Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection
author: k0pak4
severity: high
description: |
Nagios XI versions 5.5.6 to 5.7.5 are affected by OS command injection. An authenticated user can gain code execution due to unsanitized URL parameters.
Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference:
- https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md
- https://github.com/rapid7/metasploit-framework/pull/17494
- https://nvd.nist.gov/vuln/detail/CVE-2021-25296
- http://nagios.com
- https://nvd.nist.gov/vuln/detail/CVE-2021-25296
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
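Review bot: the description ends with "without entering necessary credentials", but the same sentence and the name say the injection is authenticated and the vector is PR:L; drop that phrase (it is the unauthenticated-RCE boilerplate used elsewhere in this PR). The added `http://nagios.com` reference adds nothing a reader needs; the fs0c-sh write-up, the Metasploit PR and the NVD entry are sufficient.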
@ -78,3 +78,5 @@ requests:
regex:
- "var nsp_str = ['\"](.*)['\"];"
internal: true
# Enhanced by md on 2023/03/21

@ -1,16 +1,16 @@
id: CVE-2021-25297
info:
name: Nagios XI versions 5.5.6 to 5.7.5 - Command Injection
name: Nagios 5.5.6-5.7.5 - Authenticated Remote Command Injection
author: k0pak4
severity: high
description: |
Nagios XI versions 5.5.6 to 5.7.5 are affected by OS command injection. An authenticated user can gain code execution due to unsanitized URL parameters.
Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference:
- https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md
- https://github.com/rapid7/metasploit-framework/pull/17494
- https://nvd.nist.gov/vuln/detail/CVE-2021-25297
- http://nagios.com
- https://nvd.nist.gov/vuln/detail/CVE-2021-25297
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
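Review bot: the name lost the product qualifier: "Nagios 5.5.6-5.7.5" should be "Nagios XI 5.5.6-5.7.5", as in the CVE-2021-25296 and CVE-2021-25298 templates in this same PR (the description here still says Nagios XI). Same contradiction as the sibling files: "without entering necessary credentials" does not belong in a description of an authenticated (PR:L) injection.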
@ -78,3 +78,5 @@ requests:
regex:
- "var nsp_str = ['\"](.*)['\"];"
internal: true
# Enhanced by md on 2023/03/21

@ -1,16 +1,16 @@
id: CVE-2021-25298
info:
name: Nagios XI 5.5.6 to 5.7.5 - Command Injection
name: Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection
author: k0pak4
severity: high
description: |
Nagios XI versions 5.5.6 to 5.7.5 are affected by OS command injection. An authenticated user can gain code execution due to unsanitized URL parameters.
Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference:
- https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md
- https://github.com/rapid7/metasploit-framework/pull/17494
- https://nvd.nist.gov/vuln/detail/CVE-2021-25298
- http://nagios.com
- https://nvd.nist.gov/vuln/detail/CVE-2021-25298
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
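Review bot: same issue as the two sibling Nagios XI templates: "without entering necessary credentials" contradicts "authenticated" in the name and PR:L in the vector; remove the phrase. With that fixed, the three files differ only in the affected wizard file (windowswmi, switch, cloud-vm), which is exactly the distinguishing detail worth keeping in each description.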
@ -78,3 +78,5 @@ requests:
regex:
- "var nsp_str = ['\"](.*)['\"];"
internal: true
# Enhanced by md on 2023/03/21

@ -5,7 +5,7 @@ info:
author: gy741
severity: high
description: |
Hongdian H8922 3.0.5 devices allow OS command injection via shell metacharacters into the ip-address (aka Destination) field to the tools.cgi ping command, which is accessible with the username guest and password guest.
Hongdian H8922 3.0.5 devices are susceptible to remote command injection via shell metacharacters into the ip-address (a/k/a Destination) field to the tools.cgi ping command, which is accessible with the username guest and password guest. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system.
reference:
- https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/
- http://en.hongdian.com/Products/Details/H8922
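Review bot: "a/k/a" is an unusual form; the removed line's "aka" (or "also known as") reads better. The note that the endpoint is reachable with the guest/guest credentials is preserved, which is the practical detail for this template.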
@ -53,3 +53,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/21

@ -4,12 +4,12 @@ info:
name: Apache OFBiz <17.12.07 - Arbitrary Code Execution
author: For3stCo1d
severity: critical
description: Apache OFBiz has unsafe deserialization prior to 17.12.07 version
description: Apache OFBiz before 17.12.07 is susceptible to arbitrary code execution via unsafe deserialization. An attacker can modify deserialized data or code without using provided accessor functions.
reference:
- https://lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d@%3Ccommits.ofbiz.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2021-30128
- https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743%40%3Cdev.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743@%3Cdev.ofbiz.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2021-30128
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
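Review bot: "An attacker can modify deserialized data or code without using provided accessor functions" is the generic CWE-502 wording and says little about this bug; a sentence stating that the deserialization is reachable without authentication (the vector is PR:N) and leads to code execution would be more useful. The `%40` to `@` change in the lists.apache.org URL is harmless.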
@ -56,3 +56,5 @@ requests:
part: body
words:
- 'value="errorMessage"'
# Enhanced by md on 2023/03/21

@ -1,15 +1,15 @@
id: CVE-2022-0824
info:
name: Webmin prior to 1.990 - Improper Access Control to Remote Code Execution
name: Webmin <1.990 - Improper Access Control
author: cckuailong
severity: high
description: Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990.
description: Webmin before 1.990 is susceptible to improper access control in GitHub repository webmin/webmin. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference:
- https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell/blob/main/Webmin-revshell.py
- https://nvd.nist.gov/vuln/detail/CVE-2022-0824
- https://github.com/webmin/webmin/commit/39ea464f0c40b325decd6a5bfb7833fa4a142e38
- https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295
- https://nvd.nist.gov/vuln/detail/CVE-2022-0824
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
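Review bot: "without entering necessary credentials" contradicts PR:L in the cvss-metrics line; drop the phrase. The new name also drops "Remote Code Execution", which the removed name carried and which is the actual impact; "Webmin <1.990 - Improper Access Control to Remote Code Execution" keeps both the cause and the effect.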
@ -50,3 +50,5 @@ requests:
part: body
words:
- "Failed to write to /{{ranstr}}/index.html"
# Enhanced by md on 2023/03/21

@ -1,11 +1,11 @@
id: CVE-2022-0885
info:
name: Member Hero <= 1.0.9 - Unauthenticated Remote Code Execution
name: Member Hero <=1.0.9 - Remote Code Execution
author: theamanrawat
severity: critical
description: |
The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments.
WordPress Member Hero plugin through 1.0.9 is susceptible to remote code execution. The plugin lacks authorization checks and does not validate the a request parameter in an AJAX action, allowing an attacker to call arbitrary PHP functions with no arguments. An attacker can thus execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference:
- https://wpscan.com/vulnerability/8b08b72e-5584-4f25-ab73-5ab0f47412df
- https://wordpress.org/plugins/member-hero/
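Review bot: "does not validate the a request parameter" reads as a typo because the parameter is literally named a; quote or format it (for example "the `a` request parameter") so the next editor does not "correct" it away.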
@ -43,3 +43,5 @@ requests:
group: 1
regex:
- '>PHP Version <\/td><td class="v">([0-9.]+)'
# Enhanced by md on 2023/03/21

@ -1,11 +1,11 @@
id: CVE-2022-21587
info:
name: Oracle EBS Unauthenticated - Remote Code Execution
name: Oracle E-Business Suite 12.2.3 -12.2.11 - Remote Code Execution
author: rootxharsh,iamnoooob,pdresearch
severity: critical
description: |
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator.
Oracle E-Business Suite 12.2.3 through 12.2.11 is susceptible to remote code execution via the Oracle Web Applications Desktop Integrator product, Upload component. An attacker with HTTP network access can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference:
- https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/
- https://www.oracle.com/security-alerts/cpuoct2022.html
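Review bot: stray space in the version range in the name: "12.2.3 -12.2.11" should be "12.2.3-12.2.11" to match the "5.5.6-5.7.5" style used in the other names in this PR.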
@ -14,6 +14,7 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-21587
cwe-id: CWE-94
tags: cve,cve2022,rce,oast,intrusive,oracle,ebs,unauth,kev
requests:
@ -74,3 +75,5 @@ requests:
part: body_2
words:
- Nuclei-CVE-2022-21587
# Enhanced by md on 2023/03/21

@ -1,11 +1,11 @@
id: CVE-2022-2314
info:
name: VR Calendar < 2.3.2 - Unauthenticated Arbitrary Function Call
name: WordPress VR Calendar <=2.3.2 - Remote Code Execution
author: theamanrawat
severity: critical
description: |
The VR Calendar WordPress plugin through 2.3.2 lets any user execute arbitrary PHP functions on the site.
WordPress VR Calendar plugin through 2.3.2 is susceptible to remote code execution. The plugin allows any user to execute arbitrary PHP functions on the site. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference:
- https://wpscan.com/vulnerability/b22fe77c-844e-4c24-8023-014441cc1e82
- https://wordpress.org/plugins/vr-calendar-sync/
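Review bot: the name changes the bound from "< 2.3.2" to "<=2.3.2"; that agrees with "through 2.3.2" in both the removed and the new description, so the old name was the inconsistent one, but a change to an advertised affected range is worth calling out in the PR description rather than burying in an "Enhancement" commit.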
@ -14,6 +14,7 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-2314
cwe-id: CWE-94
metadata:
verified: "true"
tags: cve,cve2022,wordpress,wp,wp-plugin,rce,vr-calendar-sync,unauth,wpscan
@ -46,3 +47,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/22

@ -1,16 +1,17 @@
id: CVE-2022-24816
info:
name: Geoserver Server - Code Injection
name: GeoServer <1.2.2 - Remote Code Execution
author: mukundbhuva
severity: critical
description: |
Programs using jt-jiffle, and allowing Jiffle script to be provided via network request, are susceptible to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project Version < 1.1.22.
Programs run on GeoServer before 1.2.2 which use jt-jiffle and allow Jiffle script to be provided via network request are susceptible to remote code execution. The Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects downstream GeoServer 1.1.22.
remediation: 1.2.22 contains a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application by removing janino-x.y.z.jar from the classpath.
reference:
- https://www.synacktiv.com/en/publications/exploiting-cve-2022-24816-a-code-injection-in-the-jt-jiffle-extension-of-geoserver.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-24816
- https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx
- https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb
- https://nvd.nist.gov/vuln/detail/CVE-2022-24816
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
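Review bot: the versions in this file now contradict each other: the name says "GeoServer <1.2.2", the description says "before 1.2.2" and then "affects downstream GeoServer 1.1.22", and the unchanged remediation says "1.2.22 contains a patch", while the removed description said "< 1.1.22". The rewrite also inverts the relationship the removed text stated: programs using jt-jiffle are affected and GeoServer is the downstream project, not "Programs run on GeoServer which use jt-jiffle". Check the GHSA reference for the fixed jt-jiffle/jai-ext version and restate one consistent number in name, description and remediation.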
@ -71,3 +72,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/21

@ -1,16 +1,16 @@
id: CVE-2022-31499
info:
name: eMerge E3-Series - Command Injection
name: Nortek Linear eMerge E3-Series <0.32-08f - Remote Command Injection
author: pikpikcu
severity: critical
description: |
Nortek Linear eMerge E3-Series devices before 0.32-08f allow an unauthenticated attacker to inject OS commands via ReaderNo. NOTE: this issue exists because of an incomplete fix for CVE-2019-7256 .
Nortek Linear eMerge E3-Series devices before 0.32-08f are susceptible to remote command injection via ReaderNo. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-7256.
reference:
- https://packetstormsecurity.com/files/167991/Nortek-Linear-eMerge-E3-Series-Command-Injection.html
- https://github.com/omarhashem123/CVE-2022-31499
- https://nvd.nist.gov/vuln/detail/CVE-2022-31499
- http://packetstormsecurity.com/files/167991/Nortek-Linear-eMerge-E3-Series-Command-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-31499
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
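Review bot: the packetstormsecurity reference is re-added with http:// while the removed line had https://; keep https. The NOTE about the incomplete fix for CVE-2019-7256 is preserved, which is the right call since it explains why this CVE exists.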
@ -36,3 +36,5 @@ requests:
- status_code == 200
- contains(body, '{\"CardNo\":false')
condition: and
# Enhanced by md on 2023/03/21

@ -1,16 +1,16 @@
id: CVE-2022-33901
info:
name: MultiSafepay plugin for WooCommerce <= 4.13.1 - Unauthenticated Arbitrary File Read
name: WordPress MultiSafepay for WooCommerce <=4.13.1 - Arbitrary File Read
author: theamanrawat
severity: high
description: |
Unauthenticated Arbitrary File Read vulnerability in MultiSafepay plugin for WooCommerce plugin <= 4.13.1 at WordPress.
WordPress MultiSafepay for WooCommerce plugin through 4.13.1 contains an arbitrary file read vulnerability. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wordpress.org/plugins/multisafepay/
- https://nvd.nist.gov/vuln/detail/CVE-2022-33901
- https://wordpress.org/plugins/multisafepay/#developers
- https://patchstack.com/database/vulnerability/multisafepay/wordpress-multisafepay-plugin-for-woocommerce-plugin-4-13-1-unauthenticated-arbitrary-file-read-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2022-33901
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
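Review bot: the new description says an attacker can "modify data, and/or execute unauthorized administrative operations", but the vector directly below is C:H/I:N/A:N, a read-only impact; for an arbitrary file read the description should stop at disclosure of sensitive files (configuration, credentials), which is also what the Patchstack reference describes. The NVD link is listed twice in the references; keep one.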
@ -39,3 +39,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/22

@ -1,16 +1,16 @@
id: CVE-2022-34753
info:
name: SpaceLogic C-Bus Home Controller - Remote Code Execution
name: SpaceLogic C-Bus Home Controller <=1.31.460 - Remote Command Execution
author: gy741
severity: high
description: |
A CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote root exploit when the command is compromised. Affected Products SpaceLogic C-Bus Home Controller (5200WHC2), formerly known as C-Bus Wiser Homer Controller MK2 (V1.31.460 and prior)
SpaceLogic C-Bus Home Controller through 1.31.460 is susceptible to remote command execution via improper neutralization of special elements. Remote root exploit can be enabled when the command is compromised, and an attacker can potentially execute malware, obtain sensitive information, modify data, and/or gain full control without entering necessary credentials.
reference:
- https://www.zeroscience.mk/codes/SpaceLogic.txt
- https://nvd.nist.gov/vuln/detail/CVE-2022-34753
- https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf
- http://packetstormsecurity.com/files/167783/Schneider-Electric-SpaceLogic-C-Bus-Home-Controller-5200WHC2-Remote-Root.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-34753
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
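Review bot: the new description ends "without entering necessary credentials", yet the vector is PR:L and the 8.8 score depends on that; either the vector or the sentence is wrong and they should agree before merge. "Remote root exploit can be enabled when the command is compromised" is also a paraphrase of the vendor text that does not say anything more than the first sentence; drop it rather than restate it. The NVD link appears twice in the references.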
@ -36,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/22

@ -1,16 +1,17 @@
id: CVE-2022-39952
info:
name: FortiNAC Unauthenticated Arbitrary File Write
name: Fortinet FortiNAC - Arbitrary File Write
author: dwisiswant0
severity: critical
description: |
A external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP request.
Fortinet FortiNAC is susceptible to arbitrary file write. An external control of the file name or path can allow an attacker to execute unauthorized code or commands via specifically crafted HTTP request, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations. Affected versions are 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, and 8.3.7.
reference:
- https://fortiguard.com/psirt/FG-IR-22-300
- https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
- https://github.com/horizon3ai/CVE-2022-39952
remediation: Upgrade to FortiNAC version 9.4.1, 9.2.6, 9.2.6, 9.1.8, 7.2.0 or above
- https://nvd.nist.gov/vuln/detail/CVE-2022-39952
remediation: Upgrade to 9.4.1, 9.2.6, 9.2.6, 9.1.8, 7.2.0 or above.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
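Review bot: remediation: appears twice in this info block, once between the reference entries and once after the list, and both copies list "9.2.6" twice. A mapping key inside a block sequence and a duplicated key are both YAML errors that the template loader may reject or silently resolve to the last value; keep a single remediation: after the references and write the versions once ("9.4.1, 9.2.6, 9.1.8, 7.2.0 or above").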
@ -54,3 +55,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/22

@ -1,11 +1,11 @@
id: CVE-2022-4060
info:
name: User Post Gallery <= 2.19 - Unauthenticated RCE
name: WordPress User Post Gallery <=2.19 - Remote Code Execution
author: theamanrawat
severity: critical
description: |
The User Post Gallery WordPress plugin through 2.19 does not limit what callback functions can be called by users, making it possible to any visitors to run code on sites running it.
WordPress User Post Gallery plugin through 2.19 is susceptible to remote code execution. The plugin does not limit which callback functions can be called by users, making it possible for an attacker execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference:
- https://wpscan.com/vulnerability/8f982ebd-6fc5-452d-8280-42e027d01b1e
- https://wordpress.org/plugins/wp-upg/
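Review bot: grammar in the added description, "making it possible for an attacker execute malware", is missing "to" ("for an attacker to execute"). This text is shown in every report the template produces, so fix it before merge.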
@ -44,3 +44,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/22

@ -1,16 +1,16 @@
id: CVE-2022-44877
info:
name: Centos Web Panel - Unauthenticated Remote Code Execution
name: CentOS Web Panel 7 <0.9.8.1147 - Remote Code Execution
author: For3stCo1d
severity: critical
description: |
RESERVED An issue in the /login/index.php component of Centos Web Panel 7 before v0.9.8.1147 allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.
CentOS Web Panel 7 before 0.9.8.1147 is susceptible to remote code execution via entering shell characters in the /login/index.php component. This can allow an attacker to execute arbitrary system commands via crafted HTTP requests and potentially execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference:
- https://twitter.com/_0xf4n9x_/status/1612068225046675457
- https://github.com/numanturle/CVE-2022-44877
- https://nvd.nist.gov/vuln/detail/CVE-2022-44877
- https://gist.github.com/numanturle/c1e82c47f4cba24cff214e904c227386
- https://nvd.nist.gov/vuln/detail/CVE-2022-44877
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
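Review bot: the NVD link is listed twice in the references; keep one. Dropping the stray "RESERVED" prefix from the old description is the right call, and the new name now carries the fixed version, which matches the other renames in this change.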
@ -52,3 +52,5 @@ requests:
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
# Enhanced by md on 2023/03/22

@ -48,3 +48,5 @@ requests:
- type: status
status:
- 500
# Enhanced by md 03/22/2023
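Review bot: the trailer reads "# Enhanced by md 03/22/2023" while the other files in this change use "# Enhanced by md on 2023/03/22"; use the yyyy/mm/dd form everywhere so the trailers can be grepped and sorted consistently.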

@ -1,16 +1,17 @@
id: CVE-2023-0669
info:
name: GoAnywhere MFT - Remote Code Execution (ZeroDay)
name: Fortra GoAnywhere MFT - Remote Code Execution
author: rootxharsh,iamnoooob,dhiyaneshdk,pdresearch
severity: high
description: |
Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object.
Fortra GoAnywhere MFT is susceptible to remote code execution via unsafe deserialization of an arbitrary attacker-controlled object. This stems from a pre-authentication command injection vulnerability in the License Response Servlet.
reference:
- https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html
- https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1
- https://infosec.exchange/@briankrebs/109795710941843934
- https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/
- https://nvd.nist.gov/vuln/detail/CVE-2023-0669
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
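Review bot: both the retained sentence and the added one call this a pre-authentication command injection, but the vector is PR:H and the 7.2 score follows from that; a pre-auth issue would be PR:N. Reconcile the two (or note why the metrics assume admin console access), and since the added sentence restates the retained one, keep a single paragraph under description: |.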
@ -45,4 +46,6 @@ requests:
- type: status
status:
- 500
- 500
# Enhanced by md on 2023/03/22

@ -1,15 +1,15 @@
id: CVE-2023-26255
info:
name: STAGIL Navigation for Jira - Menu & Themes - Local File Inclusion
name: STAGIL Navigation for Jira Menu & Themes <2.0.52 - Local File Inclusion
author: DhiyaneshDK
severity: high
description: |
An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjCustomDesignConfig endpoint, it is possible to traverse and read the file system.
STAGIL Navigation for Jira Menu & Themes plugin before 2.0.52 is susceptible to local file inclusion via modifying the fileName parameter to the snjCustomDesignConfig endpoint. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can potentially allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://github.com/1nters3ct/CVEs/blob/main/CVE-2023-26255.md
- https://nvd.nist.gov/vuln/detail/CVE-2023-26255
- https://marketplace.atlassian.com/apps/1216090/stagil-navigation-for-jira-menus-themes?tab=overview&hosting=cloud
- https://nvd.nist.gov/vuln/detail/CVE-2023-26255
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
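Review bot: the second and third sentences of the new description ("inject arbitrary script in the browser of an unsuspecting user", "steal cookie-based authentication credentials") are the cross-site scripting boilerplate and do not describe a path traversal; the name says "Local File Inclusion" and the vector is C:H/I:N/A:N, i.e. a file read. Replace them with the disclosure impact the original sentence already states: reading arbitrary files from the Jira host's filesystem.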
@ -39,3 +39,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/22

@ -1,15 +1,15 @@
id: CVE-2023-26256
info:
name: STAGIL Navigation for Jira - Menu & Themes - Local File Inclusion
name: STAGIL Navigation for Jira Menu & Themes <2.0.52 - Local File Inclusion
author: pikpikcu
severity: high
description: |
An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjFooterNavigationConfig endpoint, it is possible to traverse and read the file system.
STAGIL Navigation for Jira Menu & Themes plugin before 2.0.52 is susceptible to local file inclusion via modifying the fileName parameter to the snjFooterNavigationConfig endpoint. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can potentially allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://github.com/1nters3ct/CVEs/blob/main/CVE-2023-26256.md
- https://nvd.nist.gov/vuln/detail/CVE-2023-26256
- https://marketplace.atlassian.com/apps/1216090/stagil-navigation-for-jira-menus-themes?tab=overview&hosting=cloud
- https://nvd.nist.gov/vuln/detail/CVE-2023-26256
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
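Review bot: as with the sibling snjCustomDesignConfig template, the added sentences about injecting script in a user's browser and stealing cookies are XSS boilerplate pasted onto a path traversal; the vector C:H/I:N/A:N and the "Local File Inclusion" name describe an unauthenticated file read. Keep the description to that impact (arbitrary file read on the Jira host via the fileName parameter of snjFooterNavigationConfig).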
@ -38,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/22

@ -1,7 +1,7 @@
id: oracle-cgi-printenv
info:
name: Oracle CGI Printenv - Information Disclosure
name: Oracle CGI printenv - Information Disclosure
author: DhiyaneshDk
severity: medium
description: Oracle CGI printenv component is susceptible to an information disclosure vulnerability.

@ -3,7 +3,7 @@ id: proftpd-config
info:
name: ProFTPD Configuration File - Detect
author: sheikhrishad
severity: low
severity: info
description: ProFTPD configuration file was detected.
reference: http://www.proftpd.org/docs/howto/ConfigFile.html
classification:

@ -1,11 +1,16 @@
id: salesforce-credentials
info:
name: Salesforce Credentials Disclosure
name: Salesforce Credentials - Detect
author: geeknik
severity: unknown
severity: high
description: Salesforce credentials information was detected.
reference:
- https://github.com/daveagp/websheets
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
tags: exposure,files,salesforce
requests:
@ -32,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2023/03/27

@ -3,7 +3,7 @@ id: envision-gateway
info:
name: EnvisionGateway Scheduler Panel - Detect
author: dhiyaneshDK
severity: medium
severity: info
description: EnvisionGateway scheduler panel was detected.
reference:
- https://www.exploit-db.com/ghdb/7315

@ -3,7 +3,7 @@ id: akamai-s3-cache-poisoning
info:
name: Akamai/Amazon S3 - Cache Poisoning
author: DhiyaneshDk
severity: medium
severity: high
description: Akamai/Amazon S3 expose a stored cross-site scripting vulnerability generated by cache poisoning capability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can further allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://web.archive.org/web/20230101082612/https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/

@ -1,11 +1,11 @@
id: hadoop-unauth-rce
info:
name: Apache Hadoop - Yarn ResourceManager Remote Code Execution
name: Apache Hadoop YARN ResourceManager - Remote Code Execution
author: pdteam,Couskito
severity: critical
description: |
An unauthenticated Hadoop Resource Manager was discovered, which allows remote code execution by design.
Apache Hadoop YARN ResourceManager is susceptible to remote code execution. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference:
- http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hadoop_unauth_exec.rb
@ -30,4 +30,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by md on 2023/03/22

@ -1,12 +1,19 @@
id: nopcommerce-installer
info:
name: nopCommerce Installer Exposure
name: nopCommerce Installer - Detect
author: DhiyaneshDk
severity: high
severity: critical
description: nopCommerce installer panel was detected.
reference:
- https://www.nopcommerce.com/
metadata:
verified: true
shodan-query: html:"nopCommerce Installation"
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
cvss-score: 9.4
cwe-id: CWE-284
tags: misconfig,nopcommerce,install
requests:
@ -31,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2023/03/27

@ -1,13 +1,17 @@
id: backdoored-zte
info:
name: Backdoored ZTE Routers
name: ZTE Router Panel - Detect
author: its0x08
severity: high
severity: critical
description: |
Multiple ZTE routers have a telnet hardcoded backdoor account that spawns root shell.
Multiple ZTE router panels were detected. These routers have a telnet-hardcoded backdoor account that spawns root shell.
reference:
- https://www.exploit-db.com/ghdb/7179
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-912
metadata:
verified: true
shodan-query: http.html:"ZTE Corporation"
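Review bot: renaming this to "ZTE Router Panel - Detect" and describing it as "router panels were detected" misstates what the template does: it is a network template (the network: section with a regex matcher on the raw response is retained below), and the critical / 10.0 classification only makes sense for the hardcoded backdoor account that the old name "Backdoored ZTE Routers" stated. Keep "backdoor" in the name, and fix the hyphen in the new sentence: "a hardcoded telnet backdoor account", not "telnet-hardcoded backdoor account".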
@ -32,3 +36,5 @@ network:
- type: regex
regex:
- '[A-Z]{1,}[0-9]{3,4}'
# Enhanced by cs on 2023/03/27

@ -1,32 +1,38 @@
id: ibm-d2b-database-server
info:
name: IBM DB2 Database Server Detection
author: pussycat0x
severity: info
description: |
A Db2 server is a relational database management system (RDBMS) that delivers data to its IBM data server clients. If you plan to use a database that resides on this computer, install a Db2 server. For more information about Db2 server.
reference:
- https://nmap.org/nsedoc/scripts/db2-das-info.html
metadata:
verified: true
shodan-query: product:"IBM DB2 Database Server"
tags: network,ibm,database,db,db2
network:
- inputs:
- data: "01c2000000040000b601000053514c4442325241000100000401010005001d008800000001000080000000010900000001000040000000010900000001000040000000010800000004000040000000010400000001000040000000400400000004000040000000010400000004000040000000010400000004000040000000010400000002000040000000010400000004000040000000010000000001000040000000000400000004000080000000010400000004000080000000010400000003000080000000010400000004000080000000010800000001000040000000010400000004000040000000011000000001000080000000011000000001000080000000010400000004000040000000010900000001000040000000010900000001000080000000010400000003000080000000010000000000000000000000000104000001000080000000010000000000000000000000000000000000000000000000000000000001000040000000010000000001000040000000002020202020202020000000000000000000000000000000000100ff000000000000000000000000000000000000000000e404000000000000000000000000000000000000007f"
type: hex
host:
- "{{Hostname}}"
- "{{Host}}:50000"
matchers:
- type: word
encoding: hex
words:
- "SQLDB2RA"
- "DB2"
- "SQLJS1D"
condition: or
id: ibm-d2b-database-server
info:
name: IBM DB2 Database Server - Detect
author: pussycat0x
severity: info
description: |
IBM DB2 Database Server panel was detected.
reference:
- https://nmap.org/nsedoc/scripts/db2-das-info.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: true
shodan-query: product:"IBM DB2 Database Server"
tags: network,ibm,database,db,db2
network:
- inputs:
- data: "01c2000000040000b601000053514c4442325241000100000401010005001d008800000001000080000000010900000001000040000000010900000001000040000000010800000004000040000000010400000001000040000000400400000004000040000000010400000004000040000000010400000004000040000000010400000002000040000000010400000004000040000000010000000001000040000000000400000004000080000000010400000004000080000000010400000003000080000000010400000004000080000000010800000001000040000000010400000004000040000000011000000001000080000000011000000001000080000000010400000004000040000000010900000001000040000000010900000001000080000000010400000003000080000000010000000000000000000000000104000001000080000000010000000000000000000000000000000000000000000000000000000001000040000000010000000001000040000000002020202020202020000000000000000000000000000000000100ff000000000000000000000000000000000000000000e404000000000000000000000000000000000000007f"
type: hex
host:
- "{{Hostname}}"
- "{{Host}}:50000"
matchers:
- type: word
encoding: hex
words:
- "SQLDB2RA"
- "DB2"
- "SQLJS1D"
condition: or
# Enhanced by md on 2023/03/22
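Review bot: "IBM DB2 Database Server panel was detected." is the web-panel boilerplate, but this is a network template that sends a hex payload to port 50000 and matches "SQLDB2RA" in the reply; say the DB2 service was detected. The old description, while wordy, at least said what a Db2 server is; a one-line "IBM DB2 database service (DAS/DRDA listener) was detected" would carry both facts. The rest of the change is the name and the new classification block, which mirrors the other info templates here.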

@ -1,11 +1,16 @@
id: oracle-atg-commerce
info:
name: Detects Oracle ATG Commerce
name: Oracle ATG Commerce Panel - Detect
author: Dale Clarke
severity: info
description: Oracle ATG Commerce panel was detected.
reference:
- https://docs.oracle.com/cd/E35319_01/Platform.10-2/ATGPlatformProgGuide/html/s0101introduction01.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: true
tags: tech,oracle,atg,commerce
@ -28,3 +33,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/22

@ -1,13 +1,17 @@
id: api-abuseipdb
info:
name: AbuseIPDB API Test
name: AbuseIPDB API - Test
author: daffainfo
severity: info
description: IP/domain/URL reputation
description: AbuseIPDB API test was conducted.
reference:
- https://docs.abuseipdb.com/
- https://github.com/daffainfo/all-about-apikey/tree/main/abuseipdb
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: token-spray,abuseipdb
self-contained: true
@ -30,3 +34,4 @@ requests:
- 'data":'
- 'ipAddress":'
condition: and

@ -1,11 +1,16 @@
id: api-dbt
info:
name: dbt Cloud API Test
name: dbt Cloud API - Test
author: dwisiswant0
severity: info
description: dbt Cloud API test was conducted.
reference:
- https://docs.getdbt.com/docs/introduction
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: token-spray,dbt
self-contained: true
@ -25,3 +30,4 @@ requests:
- "Authentication credentials were not provided."
condition: or
negative: true

@ -4,9 +4,14 @@ info:
name: Avaya Aura Utility Services Administration - Remote Code Execution
author: DhiyaneshDk
severity: critical
description: Avaya Aura Utility Services Administration is susceptible to remote code execution. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference:
- https://blog.assetnote.io/2023/02/01/rce-in-avaya-aura/
- https://download.avaya.com/css/public/documents/101076366
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cwe-id: CWE-94
metadata:
verified: "true"
shodan-query: html:"Avaya Aura"
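Review bot: verified: "true" is a quoted string while the other templates in this change use the bare boolean verified: true; the metadata block is consumed by tooling, so use the unquoted form here and in the cross-site scripting template for the same product. The new classification (CWE-94, 9.8) is consistent with the description and the Assetnote reference.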
@ -39,3 +44,5 @@ requests:
part: header_2
words:
- "text/html"
# Enhanced by md on 2023/03/22

@ -1,12 +1,17 @@
id: avaya-aura-xss
info:
name: Avaya Aura Utility Services Administration - Cross Site Scripting
name: Avaya Aura Utility Services Administration - Cross-Site Scripting
author: DhiyaneshDk
severity: medium
description: Avaya Aura Utility Services Administration contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://blog.assetnote.io/2023/02/01/rce-in-avaya-aura/
- https://download.avaya.com/css/public/documents/101076366
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cwe-id: CWE-80
metadata:
verified: "true"
shodan-query: html:"Avaya Aura"
@ -35,3 +40,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/22

@ -1,15 +1,16 @@
id: cisco-cloudcenter-suite-log4j-rce
info:
name: Cisco CloudCenter Suite - Remote Code Execution (Apache Log4j)
name: Cisco CloudCenter Suite (Log4j)- Remote Code Execution
author: pwnhxl
severity: critical
description: |
Cisco CloudCenter Suite - Remote Code Execution.
Cisco CloudCenter Suite is susceptible to remote code execution via the Apache Log4j library. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
remediation: From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
reference:
- https://logging.apache.org/log4j/2.x/security.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- http://www.openwall.com/lists/oss-security/2021/12/10/1
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
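Review bot: the new name "Cisco CloudCenter Suite (Log4j)- Remote Code Execution" is missing the space before the dash (compare the vManage template's "Cisco vManage (Log4j) - Remote Code Execution"); the NVD link is listed twice in the references; and cvss-score: 10 should be written 10.0 like the other 10.0 scores in this change. Moving the Log4j version note into a separate remediation: key is the right structure.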
@ -58,3 +59,5 @@ requests:
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
# Enhanced by md on 2023/03/22

@ -1,7 +1,7 @@
id: cisco-vmanage-log4j
info:
name: Cisco vManage - Remote Code Execution (Apache Log4j)
name: Cisco vManage (Log4j) - Remote Code Execution
author: DhiyaneshDK
severity: critical
description: Cisco vManage is susceptible to remote code execution via the Apache Log4j framework. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. More information is available in the cisco-sa-apache-log4j-qRuKNEbd advisory.
@ -58,3 +58,5 @@ requests:
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
# Enhanced by CS 03/27/2023

@ -1,11 +1,15 @@
id: froxlor-xss
info:
name: Froxlor Server Management - Cross Site Scripting
name: Froxlor Server Management - Cross-Site Scripting
author: tess
severity: medium
description: |
The user must click the forgot password link in order to execute this XSS.
Froxlor Server Management is susceptible to cross-site scripting via clicking the forgot password link. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cwe-id: CWE-80
metadata:
verified: true
shodan-query: title:"Froxlor Server Management Panel"
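Review bot: the new description turns the old precondition ("the user must click the forgot password link") into the vector ("susceptible to cross-site scripting via clicking the forgot password link"), which reads as if the click is the injection point. Keep the precondition explicit, since it is what justifies UI:R in the vector below.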
@ -33,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/23

@ -3,8 +3,12 @@ id: error-based-sql-injection
info:
name: Error based SQL injection
author: geeknik
severity: high
description: Detects the possibility of SQL injection in 29 database engines. Inspired by https://github.com/sqlmapproject/sqlmap/blob/master/data/xml/errors.xml.
severity: critical
description: Detects potential SQL injection via error strings in 29 database engines. Inspired by https://github.com/sqlmapproject/sqlmap/blob/master/data/xml/errors.xml.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cwe-id: CWE-89
tags: sqli,generic,error
requests:
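Review bot: raising this generic template to critical with a 9.8 C:H/I:H/A:H vector is hard to justify: the description itself says it "Detects potential SQL injection via error strings", that is, a database error message in a response, which is an indicator that needs manual confirmation and is prone to false positives (stack traces on error pages, documentation that quotes the error text). High, with a note that findings require verification, fits better; at 9.8 every error-page hit lands at the top of a report.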
@ -474,3 +478,5 @@ requests:
- "SQ200: No table "
- "Virtuoso S0002 Error"
- "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]"
# Enhanced by CS 03/27/2023

@ -1,11 +1,11 @@
id: jamf-log4j-jndi-rce
info:
name: JamF - Remote Code Execution (Apache Log4j)
name: JamF (Log4j) - Remote Code Execution
author: pdteam
severity: critical
description: |
JamF is susceptible to Lof4j JNDI remote code execution. JamF is the industry standard when it comes to the management of iOS devices (iPhones and iPads), macOS computers (MacBooks, iMacs, etc.), and tvOS devices (Apple TV).
JamF is susceptible to remote code execution via the Apache log4j library. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
reference:
- https://github.com/random-robbie/jamf-log4j
- https://community.connection.com/what-is-jamf/
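Review bot: the two remediation sentences in the new description ("From log4j 2.15.0, this behavior has been disabled by default ...") belong under a remediation: key, as the Cisco CloudCenter and MobileIron templates in this change do, not inside description:. The "Lof4j" typo from the old text is fixed, but the one-line product context (what JamF manages) was dropped with it; worth keeping, since it tells the reader what the host is.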
@ -55,3 +55,5 @@ requests:
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
# Enhanced by md on 2023/03/23

@ -1,17 +1,17 @@
id: mobileiron-log4j-jndi-rce
info:
name: Ivanti MobileIron - JNDI Remote Command Execution (Apache Log4j)
name: Ivanti MobileIron (Log4j) - Remote Code Execution
author: meme-lord
severity: critical
description: Ivanti MobileIron Apache Log4j2 <=2.14.1 JNDI in features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
description: Ivanti MobileIron is susceptible to remote code execution via the Apache Log4j2 library. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
remediation: From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
reference:
- https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://www.zdnet.com/article/mobileiron-customers-urged-to-patch-systems-due-to-potential-log4j-exploitation/
- https://logging.apache.org/log4j/2.x/security.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
remediation: Upgrade to version 2.14.2 or higher of MobileIron. If this is not possible, several Log4j exploit workarounds are available.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
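Review bot: this info block ends up with two remediation: keys, the generic Log4j version note and the MobileIron-specific "Upgrade to version 2.14.2 or higher ..."; a duplicate mapping key is invalid YAML and loaders either reject it or keep only the last, which would silently drop one of them. Merge them into a single remediation: (the MobileIron upgrade first, then the Log4j version note).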
@ -54,3 +54,5 @@ requests:
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
# Enhanced by md on 2023/03/23

@ -1,11 +1,11 @@
id: opencpu-rce
info:
name: OpenCPU RCE
name: OpenCPU - Remote Code Execution
author: wa1tf0rme
severity: critical
description: |
Checks for RCE in OpenCPU instance
Check for remote code execution via OpenCPU was conducted.
reference:
- https://pulsesecurity.co.nz/articles/R-Shells
- https://github.com/opencpu/opencpu/
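Review bot: "Check for remote code execution via OpenCPU was conducted." describes the test, not the exposure, and the other descriptions in this change state what the target is susceptible to. Something like "OpenCPU exposes an R evaluation API; an unauthenticated instance allows remote code execution", which is what the Pulse Security reference describes, would be consistent.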
@ -40,4 +40,6 @@ requests:
- type: regex
group: 1
regex:
- \(([a-z-]+)\)
- \(([a-z-]+)\)
# Enhanced by md on 2023/03/23

@ -1,14 +1,18 @@
id: academy-lms-xss
info:
name: Academy LMS 5.11 - Cross Site Scripting
name: Academy Learning Management System 5.11 - Cross-Site Scripting
author: arafatansari
severity: medium
description: |
Academy Learning Management System contains a reflected cross-site scripting vulnerability via the Search parameter.
Academy Learning Management System 5.11 contains a cross-site scripting vulnerability via the Search parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://packetstormsecurity.com/files/170514/Academy-LMS-5.11-Cross-Site-Scripting.html
- https://vulners.com/packetstorm/PACKETSTORM:170514
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cwe-id: CWE-80
metadata:
verified: "true"
shodan-query: http.html:"Academy LMS"
@ -36,3 +40,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/23

@ -1,11 +1,16 @@
id: caucho-resin-info-disclosure
info:
name: Caucho Resin Information Disclosure
name: Caucho Resin - Information Disclosure
author: pikpikcu
severity: info
description: Caucho Resin contains an information disclosure vulnerability. The application does not properly sanitize user-supplied input. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://www.exploit-db.com/exploits/27888
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: exposure,resin,caucho,edb
requests:
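Review bot: the description claims the attacker "can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations", but the classification is severity info with C:N/I:N/A:N (0.0). One of them is wrong: for an information disclosure, at least C:L and a description limited to what is disclosed would be consistent, and "does not properly sanitize user-supplied input" is an injection phrase that the Exploit-DB reference does not support for a disclosure check.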
@ -26,3 +31,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/23

@ -1,10 +1,10 @@
id: ckan-dom-based-xss
info:
name: Ckan - DOM Cross-Site Scripting
name: CKAN - DOM Cross-Site Scripting
author: dhiyaneshDk
severity: high
description: Ckan contains a cross-site scripting vulnerability in the document object model via the previous version of the jQuery Sparkle library. An attacker can execute arbitrary script and thus can steal cookie-based authentication credentials and launch other attacks.
description: CKAN contains a cross-site scripting vulnerability in the document object model via the previous version of the jQuery Sparkle library. An attacker can execute arbitrary script and thus steal cookie-based authentication credentials and launch other attacks.
reference:
- https://github.com/ckan/ckan/blob/b9e45e2723d4abd70fa72b16ec4a0bebc795c56b/ckan/public/base/javascript/view-filters.js#L27
- https://security.snyk.io/vuln/SNYK-PYTHON-CKAN-42010
@ -44,3 +44,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2023/03/23

@ -1,10 +1,16 @@
id: couchdb-adminparty
info:
name: CouchDB Admin Party
name: CouchDB Admin Default - Detect
author: organiccrap
severity: high
description: Requests made against CouchDB are done in the context of an admin user.
description: CouchDB is susceptible to requests in the context of an admin user.
reference:
- https://docs.couchdb.org/en/stable/intro/security.html#authentication-database
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
tags: couchdb
requests:
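Review bot: severity: high is retained while the new classification scores it 5.3 (C:L only); the two should agree, and an unauthenticated admin context on CouchDB is more than low confidentiality impact (every database can be read, written or deleted), so the vector rather than the severity looks wrong. Also, "Admin Party" is CouchDB's own name for this state (see the linked security docs), so the rename to "Admin Default" loses a searchable term; "CouchDB Admin Party - Detect" keeps both conventions.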
@ -26,3 +32,5 @@ requests:
- offset
part: body
condition: and
# Enhanced by cs on 2023/03/27

@ -1,10 +1,10 @@
id: graylog-log4j
info:
name: Graylog - Remote Code Execution (Apache Log4j)
name: Graylog (Log4j) - Remote Code Execution
author: DhiyaneshDK
severity: critical
description: Graylog is susceptible to remote code execution via the Apache Log4j 2 library prior to 2.15.0 by recording its own log information, specifically with specially crafted values sent as user input.
description: Graylog is susceptible to remote code execution via the Apache Log4j 2 library prior to 2.15.0 by recording its own log information, specifically with specially crafted values sent as user input. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
reference:
- https://www.graylog.org/post/graylog-update-for-log4j
- https://logging.apache.org/log4j/2.x/security.html
@ -60,3 +60,5 @@ requests:
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
# Enhanced by md on 2023/03/23