Dashboard Content Enhancements (#6965)
* Add description and enhance one where the UI failed to save properly. dos2unix on a template * Change cvedetails link to nvd * make severities match * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2017/CVE-2017-14524.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2019/CVE-2019-16759.yaml by md * Enhancement: cves/2021/CVE-2021-22986.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24347.yaml by md * Enhancement: cves/2021/CVE-2021-25003.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25298.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-28151.yaml by md * Enhancement: cves/2021/CVE-2021-30128.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0885.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-24816.yaml by md * Enhancement: cves/2022/CVE-2022-31499.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-34753.yaml by md * Enhancement: cves/2022/CVE-2022-39952.yaml by md * Enhancement: cves/2022/CVE-2022-4060.yaml by md * Enhancement: cves/2022/CVE-2022-44877.yaml by md * Enhancement: cves/2023/CVE-2023-0669.yaml by md * Enhancement: cves/2023/CVE-2023-26255.yaml by md * Enhancement: cves/2023/CVE-2023-26256.yaml by md * Enhancement: exposures/files/salesforce-credentials.yaml by md * Enhancement: misconfiguration/hadoop-unauth-rce.yaml by md * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by md * Enhancement: network/backdoor/backdoored-zte.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: technologies/oracle/oracle-atg-commerce.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-dbt.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-rce.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-xss.yaml by md * Enhancement: vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml by md * Enhancement: vulnerabilities/froxlor-xss.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/opencpu/opencpu-rce.yaml by md * Enhancement: vulnerabilities/other/academy-lms-xss.yaml by md * Enhancement: vulnerabilities/other/caucho-resin-info-disclosure.yaml by md * Enhancement: vulnerabilities/other/ckan-dom-based-xss.yaml by md * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by md * Enhancement: vulnerabilities/other/graylog-log4j.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Initial cleanups for syntax errors * dashboard gremlins * Add log4j back to name * Enhancement: exposures/files/salesforce-credentials.yaml by cs * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by cs * Enhancement: network/backdoor/backdoored-zte.yaml by cs * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by cs * Sev and other info tweaks * Merge conflict --------- Co-authored-by: sullo <sullo@cirt.net>patch-1
parent
8a451b6ad6
commit
301fddaeb0
|
@ -3,13 +3,13 @@ id: CVE-2015-2863
|
||||||
info:
|
info:
|
||||||
name: Kaseya Virtual System Administrator - Open Redirect
|
name: Kaseya Virtual System Administrator - Open Redirect
|
||||||
author: 0x_Akoko
|
author: 0x_Akoko
|
||||||
severity: low
|
severity: medium
|
||||||
description: |
|
description: |
|
||||||
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
|
Kaseya Virtual System Administrator 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4 are susceptible to an open redirect vulnerability. An attacker can redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/pedrib/PoC/blob/3f927b957b86a91ce65b017c4b9c93d05e241592/advisories/Kaseya/kaseya-vsa-vuln.txt
|
- https://github.com/pedrib/PoC/blob/3f927b957b86a91ce65b017c4b9c93d05e241592/advisories/Kaseya/kaseya-vsa-vuln.txt
|
||||||
- https://www.cvedetails.com/cve/CVE-2015-2863
|
|
||||||
- http://www.kb.cert.org/vuls/id/919604
|
- http://www.kb.cert.org/vuls/id/919604
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2015-2863
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
cvss-score: 6.1
|
cvss-score: 6.1
|
||||||
|
@ -29,3 +29,5 @@ requests:
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/21
|
||||||
|
|
|
@ -5,12 +5,12 @@ info:
|
||||||
author: r3Y3r53
|
author: r3Y3r53
|
||||||
severity: medium
|
severity: medium
|
||||||
description: |
|
description: |
|
||||||
The NewStatPress plugin utilizes on lines 28 and 31 of the file ‘includes/nsp_search.php’ several variables from the $_GET scope, without sanitation. While WordPress automatically escapes quotes on this scope, the outputs on these lines are outside of quotes, and as such can be utilized to trigger a Reflected XSS attack.
|
WordPress NewStatPress plugin through 1.0.4 contains a cross-site scripting vulnerability. The plugin utilizes, on lines 28 and 31 of the file "includes/nsp_search.php", several variables from the $_GET scope without sanitation. While WordPress automatically escapes quotes on this scope, the outputs on these lines are outside of quotes, and as such can be utilized to initiate a cross-site scripting attack.
|
||||||
reference:
|
reference:
|
||||||
- https://wpscan.com/vulnerability/46bf6c69-b612-4aee-965d-91f53f642054
|
- https://wpscan.com/vulnerability/46bf6c69-b612-4aee-965d-91f53f642054
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2015-9312
|
|
||||||
- https://g0blin.co.uk/g0blin-00057/
|
- https://g0blin.co.uk/g0blin-00057/
|
||||||
- https://wordpress.org/plugins/newstatpress/#developers
|
- https://wordpress.org/plugins/newstatpress/#developers
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2015-9312
|
||||||
remediation: Fixed in version 1.0.6
|
remediation: Fixed in version 1.0.6
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
|
|
@ -1,16 +1,15 @@
|
||||||
id: CVE-2017-14524
|
id: CVE-2017-14524
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: OpenText Documentum Administrator 7.2.0180.0055 - Open redirect
|
name: OpenText Documentum Administrator 7.2.0180.0055 - Open Redirect
|
||||||
author: 0x_Akoko
|
author: 0x_Akoko
|
||||||
severity: medium
|
severity: medium
|
||||||
description: |
|
description: |
|
||||||
Multiple open redirect vulnerabilities in OpenText Documentum Administrator 7.2.0180.0055 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks.
|
OpenText Documentum Administrator 7.2.0180.0055 is susceptible to multiple open redirect vulnerabilities. An attacker can redirect a user to a malicious site and potentially obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||||
reference:
|
reference:
|
||||||
- https://seclists.org/fulldisclosure/2017/Sep/57
|
- https://seclists.org/fulldisclosure/2017/Sep/57
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-14524
|
|
||||||
- https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774
|
- https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774
|
||||||
- http://seclists.org/fulldisclosure/2017/Sep/57
|
- https://nvd.nist.gov/vuln/detail/CVE-2017-14524
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
cvss-score: 6.1
|
cvss-score: 6.1
|
||||||
|
@ -29,3 +28,5 @@ requests:
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?oast\.me(?:\s*?)$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?oast\.me(?:\s*?)$'
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/20
|
||||||
|
|
|
@ -5,7 +5,7 @@ info:
|
||||||
author: Random_Robbie
|
author: Random_Robbie
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is vulnerable to remote command injection attacks through incorrectly parsing an attacker's invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
|
Apache Struts 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is susceptible to remote command injection attacks. The Jakarta Multipart parser has incorrect exception handling and error-message generation during file upload attempts, which can allow an attacker to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header. This was exploited in March 2017 with a Content-Type header containing a #cmd= string.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/mazen160/struts-pwn
|
- https://github.com/mazen160/struts-pwn
|
||||||
- https://isc.sans.edu/diary/22169
|
- https://isc.sans.edu/diary/22169
|
||||||
|
@ -37,3 +37,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/21
|
||||||
|
|
|
@ -1,15 +1,15 @@
|
||||||
id: CVE-2019-16759
|
id: CVE-2019-16759
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: vBulletin v5.0.0-v5.5.4 - Remote Command Execution
|
name: vBulletin 5.0.0-5.5.4 - Remote Command Execution
|
||||||
author: madrobot
|
author: madrobot
|
||||||
severity: critical
|
severity: critical
|
||||||
description: vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.
|
description: vBulletin 5.0.0 through 5.5.4 is susceptible to a remote command execution vulnerability via the widgetConfig parameter in an ajax/render/widget_php routestring request. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
|
||||||
reference:
|
reference:
|
||||||
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vbulletin-remote-code-execution-cve-2020-7373/
|
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vbulletin-remote-code-execution-cve-2020-7373/
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-16759
|
|
||||||
- https://seclists.org/fulldisclosure/2019/Sep/31
|
- https://seclists.org/fulldisclosure/2019/Sep/31
|
||||||
- https://www.theregister.co.uk/2019/09/24/vbulletin_vbug_zeroday/
|
- https://www.theregister.co.uk/2019/09/24/vbulletin_vbug_zeroday/
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2019-16759
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 9.8
|
cvss-score: 9.8
|
||||||
|
@ -39,3 +39,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/20
|
||||||
|
|
|
@ -1,13 +1,15 @@
|
||||||
id: CVE-2021-22986
|
id: CVE-2021-22986
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: F5 BIG-IP iControl REST unauthenticated RCE
|
name: F5 iControl REST - Remote Command Execution
|
||||||
author: rootxharsh,iamnoooob
|
author: rootxharsh,iamnoooob
|
||||||
severity: critical
|
severity: critical
|
||||||
description: The iControl REST interface has an unauthenticated remote command execution vulnerability.
|
description: F5 iControl REST interface is susceptible to remote command execution. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. This affects BIG-IP 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3; and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2.
|
||||||
reference:
|
reference:
|
||||||
- https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986
|
- https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986
|
||||||
- https://support.f5.com/csp/article/K03009991
|
- https://support.f5.com/csp/article/K03009991
|
||||||
- http://packetstormsecurity.com/files/162059/F5-iControl-Server-Side-Request-Forgery-Remote-Command-Execution.html
|
- http://packetstormsecurity.com/files/162059/F5-iControl-Server-Side-Request-Forgery-Remote-Command-Execution.html
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-22986
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 9.8
|
cvss-score: 9.8
|
||||||
|
@ -56,3 +58,5 @@ requests:
|
||||||
- "commandResult"
|
- "commandResult"
|
||||||
- "uid="
|
- "uid="
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/20
|
||||||
|
|
|
@ -1,17 +1,17 @@
|
||||||
id: CVE-2021-24145
|
id: CVE-2021-24145
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Modern Events Calendar Lite < 5.16.5 - Arbitrary File Upload to RCE
|
name: WordPress Modern Events Calendar Lite <5.16.5 - Authenticated Arbitrary File Upload
|
||||||
author: theamanrawat
|
author: theamanrawat
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request.
|
WordPress Modern Events Calendar Lite plugin before 5.16.5 is susceptible to authenticated arbitrary file upload. The plugin does not properly check the imported file, allowing PHP files to be uploaded and/or executed by an administrator or other high-privilege user using the text/csv content-type in the request. This can possibly lead to remote code execution.
|
||||||
reference:
|
reference:
|
||||||
- https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610
|
- https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610
|
||||||
- https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.15.5.zip
|
- https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.15.5.zip
|
||||||
- https://github.com/dnr6419/CVE-2021-24145
|
- https://github.com/dnr6419/CVE-2021-24145
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24145
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-24145
|
||||||
remediation: Fixed in version 5.16.5
|
remediation: Fixed in version 5.16.5.
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 7.2
|
cvss-score: 7.2
|
||||||
|
@ -62,3 +62,5 @@ requests:
|
||||||
- status_code_3 == 200
|
- status_code_3 == 200
|
||||||
- contains(body_3, 'CVE-2021-24145')
|
- contains(body_3, 'CVE-2021-24145')
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/21
|
||||||
|
|
|
@ -1,16 +1,16 @@
|
||||||
id: CVE-2021-24155
|
id: CVE-2021-24155
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Backup Guard < 1.6.0 - Authenticated Arbitrary File Upload
|
name: WordPress BackupGuard <1.6.0 - Authenticated Arbitrary File Upload
|
||||||
author: theamanrawat
|
author: theamanrawat
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
The WordPress Backup and Migrate Plugin – Backup Guard WordPress plugin before 1.6.0 did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE.
|
WordPress Backup Guard plugin before 1.6.0 is susceptible to authenticated arbitrary file upload. The plugin does not ensure that imported files are in SGBP format and extension, allowing high-privilege users to upload arbitrary files, including PHP, possibly leading to remote code execution.
|
||||||
reference:
|
reference:
|
||||||
- https://wpscan.com/vulnerability/d442acac-4394-45e4-b6bb-adf4a40960fb
|
- https://wpscan.com/vulnerability/d442acac-4394-45e4-b6bb-adf4a40960fb
|
||||||
- https://wordpress.org/plugins/backup/
|
- https://wordpress.org/plugins/backup/
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24155
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-24155
|
||||||
remediation: Fixed in version 1.6.0
|
remediation: Fixed in version 1.6.0.
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 7.2
|
cvss-score: 7.2
|
||||||
|
@ -75,3 +75,5 @@ requests:
|
||||||
regex:
|
regex:
|
||||||
- 'BG_BACKUP_STRINGS = {"nonce":"([0-9a-zA-Z]+)"};'
|
- 'BG_BACKUP_STRINGS = {"nonce":"([0-9a-zA-Z]+)"};'
|
||||||
internal: true
|
internal: true
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/21
|
||||||
|
|
|
@ -1,16 +1,16 @@
|
||||||
id: CVE-2021-24347
|
id: CVE-2021-24347
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: SP Project & Document Manager < 4.22 - Authenticated Shell Upload
|
name: WordPress SP Project & Document Manager <4.22 - Authenticated Shell Upload
|
||||||
author: theamanrawat
|
author: theamanrawat
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for example, from "php" to "pHP".
|
WordPress SP Project & Document Manager plugin before 4.22 is susceptible to authenticated shell upload. The plugin allows users to upload files; however, the plugin attempts to prevent PHP and other similar executable files from being uploaded via checking the file extension. PHP files can still be uploaded by changing the file extension's case, for example, from php to pHP.
|
||||||
reference:
|
reference:
|
||||||
- https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a
|
- https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a
|
||||||
- https://wordpress.org/plugins/sp-client-document-manager/
|
- https://wordpress.org/plugins/sp-client-document-manager/
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24347
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-24347
|
||||||
remediation: Fixed in version 4.22
|
remediation: Fixed in version 4.22.
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 8.8
|
cvss-score: 8.8
|
||||||
|
@ -96,3 +96,5 @@ requests:
|
||||||
regex:
|
regex:
|
||||||
- 'name="cdm_upload_file_field" value="([0-9a-zA-Z]+)"'
|
- 'name="cdm_upload_file_field" value="([0-9a-zA-Z]+)"'
|
||||||
internal: true
|
internal: true
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/21
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
id: CVE-2021-25003
|
id: CVE-2021-25003
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: WPCargo < 6.9.0 - Unauthenticated Remote Code Execution
|
name: WordPress WPCargo Track & Trace <6.9.0 - Remote Code Execution
|
||||||
author: theamanrawat
|
author: theamanrawat
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE.
|
WordPress WPCargo Track & Trace plugin before 6.9.0 is susceptible to remote code execution, The plugin contains a file which can allow an attacker to write a PHP file anywhere on the web server, leading to possible remote code execution. This can allow an attacker to execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
|
||||||
reference:
|
reference:
|
||||||
- https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a
|
- https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a
|
||||||
- https://wordpress.org/plugins/wpcargo/
|
- https://wordpress.org/plugins/wpcargo/
|
||||||
|
@ -49,3 +49,5 @@ requests:
|
||||||
- "contains(body_3, md5(num))"
|
- "contains(body_3, md5(num))"
|
||||||
- "contains(body_3, 'PNG')"
|
- "contains(body_3, 'PNG')"
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/21
|
||||||
|
|
|
@ -1,16 +1,16 @@
|
||||||
id: CVE-2021-25296
|
id: CVE-2021-25296
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Nagios XI versions 5.5.6 to 5.7.5 - Command Injection
|
name: Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection
|
||||||
author: k0pak4
|
author: k0pak4
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
Nagios XI versions 5.5.6 to 5.7.5 are affected by OS command injection. An authenticated user can gain code execution due to unsanitized URL parameters.
|
Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md
|
- https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md
|
||||||
- https://github.com/rapid7/metasploit-framework/pull/17494
|
- https://github.com/rapid7/metasploit-framework/pull/17494
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-25296
|
|
||||||
- http://nagios.com
|
- http://nagios.com
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-25296
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 8.8
|
cvss-score: 8.8
|
||||||
|
@ -78,3 +78,5 @@ requests:
|
||||||
regex:
|
regex:
|
||||||
- "var nsp_str = ['\"](.*)['\"];"
|
- "var nsp_str = ['\"](.*)['\"];"
|
||||||
internal: true
|
internal: true
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/21
|
||||||
|
|
|
@ -1,16 +1,16 @@
|
||||||
id: CVE-2021-25297
|
id: CVE-2021-25297
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Nagios XI versions 5.5.6 to 5.7.5 - Command Injection
|
name: Nagios 5.5.6-5.7.5 - Authenticated Remote Command Injection
|
||||||
author: k0pak4
|
author: k0pak4
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
Nagios XI versions 5.5.6 to 5.7.5 are affected by OS command injection. An authenticated user can gain code execution due to unsanitized URL parameters.
|
Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md
|
- https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md
|
||||||
- https://github.com/rapid7/metasploit-framework/pull/17494
|
- https://github.com/rapid7/metasploit-framework/pull/17494
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-25297
|
|
||||||
- http://nagios.com
|
- http://nagios.com
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-25297
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 8.8
|
cvss-score: 8.8
|
||||||
|
@ -78,3 +78,5 @@ requests:
|
||||||
regex:
|
regex:
|
||||||
- "var nsp_str = ['\"](.*)['\"];"
|
- "var nsp_str = ['\"](.*)['\"];"
|
||||||
internal: true
|
internal: true
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/21
|
||||||
|
|
|
@ -1,16 +1,16 @@
|
||||||
id: CVE-2021-25298
|
id: CVE-2021-25298
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Nagios XI 5.5.6 to 5.7.5 - Command Injection
|
name: Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection
|
||||||
author: k0pak4
|
author: k0pak4
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
Nagios XI versions 5.5.6 to 5.7.5 are affected by OS command injection. An authenticated user can gain code execution due to unsanitized URL parameters.
|
Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md
|
- https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md
|
||||||
- https://github.com/rapid7/metasploit-framework/pull/17494
|
- https://github.com/rapid7/metasploit-framework/pull/17494
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-25298
|
|
||||||
- http://nagios.com
|
- http://nagios.com
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-25298
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 8.8
|
cvss-score: 8.8
|
||||||
|
@ -78,3 +78,5 @@ requests:
|
||||||
regex:
|
regex:
|
||||||
- "var nsp_str = ['\"](.*)['\"];"
|
- "var nsp_str = ['\"](.*)['\"];"
|
||||||
internal: true
|
internal: true
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/21
|
||||||
|
|
|
@ -5,7 +5,7 @@ info:
|
||||||
author: gy741
|
author: gy741
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
Hongdian H8922 3.0.5 devices allow OS command injection via shell metacharacters into the ip-address (aka Destination) field to the tools.cgi ping command, which is accessible with the username guest and password guest.
|
Hongdian H8922 3.0.5 devices are susceptible to remote command injection via shell metacharacters into the ip-address (a/k/a Destination) field to the tools.cgi ping command, which is accessible with the username guest and password guest. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system.
|
||||||
reference:
|
reference:
|
||||||
- https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/
|
- https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/
|
||||||
- http://en.hongdian.com/Products/Details/H8922
|
- http://en.hongdian.com/Products/Details/H8922
|
||||||
|
@ -53,3 +53,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/21
|
||||||
|
|
|
@ -4,12 +4,12 @@ info:
|
||||||
name: Apache OFBiz <17.12.07 - Arbitrary Code Execution
|
name: Apache OFBiz <17.12.07 - Arbitrary Code Execution
|
||||||
author: For3stCo1d
|
author: For3stCo1d
|
||||||
severity: critical
|
severity: critical
|
||||||
description: Apache OFBiz has unsafe deserialization prior to 17.12.07 version
|
description: Apache OFBiz before 17.12.07 is susceptible to arbitrary code execution via unsafe deserialization. An attacker can modify deserialized data or code without using provided accessor functions.
|
||||||
reference:
|
reference:
|
||||||
- https://lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d@%3Ccommits.ofbiz.apache.org%3E
|
- https://lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d@%3Ccommits.ofbiz.apache.org%3E
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-30128
|
|
||||||
- https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743%40%3Cdev.ofbiz.apache.org%3E
|
- https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743%40%3Cdev.ofbiz.apache.org%3E
|
||||||
- https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743@%3Cdev.ofbiz.apache.org%3E
|
- https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743@%3Cdev.ofbiz.apache.org%3E
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-30128
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 9.8
|
cvss-score: 9.8
|
||||||
|
@ -56,3 +56,5 @@ requests:
|
||||||
part: body
|
part: body
|
||||||
words:
|
words:
|
||||||
- 'value="errorMessage"'
|
- 'value="errorMessage"'
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/21
|
||||||
|
|
|
@ -1,15 +1,15 @@
|
||||||
id: CVE-2022-0824
|
id: CVE-2022-0824
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Webmin prior to 1.990 - Improper Access Control to Remote Code Execution
|
name: Webmin <1.990 - Improper Access Control
|
||||||
author: cckuailong
|
author: cckuailong
|
||||||
severity: high
|
severity: high
|
||||||
description: Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990.
|
description: Webmin before 1.990 is susceptible to improper access control in GitHub repository webmin/webmin. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell/blob/main/Webmin-revshell.py
|
- https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell/blob/main/Webmin-revshell.py
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0824
|
|
||||||
- https://github.com/webmin/webmin/commit/39ea464f0c40b325decd6a5bfb7833fa4a142e38
|
- https://github.com/webmin/webmin/commit/39ea464f0c40b325decd6a5bfb7833fa4a142e38
|
||||||
- https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295
|
- https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-0824
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 8.8
|
cvss-score: 8.8
|
||||||
|
@ -50,3 +50,5 @@ requests:
|
||||||
part: body
|
part: body
|
||||||
words:
|
words:
|
||||||
- "Failed to write to /{{ranstr}}/index.html"
|
- "Failed to write to /{{ranstr}}/index.html"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/21
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
id: CVE-2022-0885
|
id: CVE-2022-0885
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Member Hero <= 1.0.9 - Unauthenticated Remote Code Execution
|
name: Member Hero <=1.0.9 - Remote Code Execution
|
||||||
author: theamanrawat
|
author: theamanrawat
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments.
|
WordPress Member Hero plugin through 1.0.9 is susceptible to remote code execution. The plugin lacks authorization checks and does not validate the a request parameter in an AJAX action, allowing an attacker to call arbitrary PHP functions with no arguments. An attacker can thus execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
|
||||||
reference:
|
reference:
|
||||||
- https://wpscan.com/vulnerability/8b08b72e-5584-4f25-ab73-5ab0f47412df
|
- https://wpscan.com/vulnerability/8b08b72e-5584-4f25-ab73-5ab0f47412df
|
||||||
- https://wordpress.org/plugins/member-hero/
|
- https://wordpress.org/plugins/member-hero/
|
||||||
|
@ -43,3 +43,5 @@ requests:
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '>PHP Version <\/td><td class="v">([0-9.]+)'
|
- '>PHP Version <\/td><td class="v">([0-9.]+)'
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/21
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
id: CVE-2022-21587
|
id: CVE-2022-21587
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Oracle EBS Unauthenticated - Remote Code Execution
|
name: Oracle E-Business Suite 12.2.3 -12.2.11 - Remote Code Execution
|
||||||
author: rootxharsh,iamnoooob,pdresearch
|
author: rootxharsh,iamnoooob,pdresearch
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator.
|
Oracle E-Business Suite 12.2.3 through 12.2.11 is susceptible to remote code execution via the Oracle Web Applications Desktop Integrator product, Upload component. An attacker with HTTP network access can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
|
||||||
reference:
|
reference:
|
||||||
- https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/
|
- https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/
|
||||||
- https://www.oracle.com/security-alerts/cpuoct2022.html
|
- https://www.oracle.com/security-alerts/cpuoct2022.html
|
||||||
|
@ -14,6 +14,7 @@ info:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 9.8
|
cvss-score: 9.8
|
||||||
cve-id: CVE-2022-21587
|
cve-id: CVE-2022-21587
|
||||||
|
cwe-id: CWE-94
|
||||||
tags: cve,cve2022,rce,oast,intrusive,oracle,ebs,unauth,kev
|
tags: cve,cve2022,rce,oast,intrusive,oracle,ebs,unauth,kev
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
@ -74,3 +75,5 @@ requests:
|
||||||
part: body_2
|
part: body_2
|
||||||
words:
|
words:
|
||||||
- Nuclei-CVE-2022-21587
|
- Nuclei-CVE-2022-21587
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/21
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
id: CVE-2022-2314
|
id: CVE-2022-2314
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: VR Calendar < 2.3.2 - Unauthenticated Arbitrary Function Call
|
name: WordPress VR Calendar <=2.3.2 - Remote Code Execution
|
||||||
author: theamanrawat
|
author: theamanrawat
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
The VR Calendar WordPress plugin through 2.3.2 lets any user execute arbitrary PHP functions on the site.
|
WordPress VR Calendar plugin through 2.3.2 is susceptible to remote code execution. The plugin allows any user to execute arbitrary PHP functions on the site. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
|
||||||
reference:
|
reference:
|
||||||
- https://wpscan.com/vulnerability/b22fe77c-844e-4c24-8023-014441cc1e82
|
- https://wpscan.com/vulnerability/b22fe77c-844e-4c24-8023-014441cc1e82
|
||||||
- https://wordpress.org/plugins/vr-calendar-sync/
|
- https://wordpress.org/plugins/vr-calendar-sync/
|
||||||
|
@ -14,6 +14,7 @@ info:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 9.8
|
cvss-score: 9.8
|
||||||
cve-id: CVE-2022-2314
|
cve-id: CVE-2022-2314
|
||||||
|
cwe-id: CWE-94
|
||||||
metadata:
|
metadata:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
tags: cve,cve2022,wordpress,wp,wp-plugin,rce,vr-calendar-sync,unauth,wpscan
|
tags: cve,cve2022,wordpress,wp,wp-plugin,rce,vr-calendar-sync,unauth,wpscan
|
||||||
|
@ -46,3 +47,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/22
|
||||||
|
|
|
@ -1,16 +1,17 @@
|
||||||
id: CVE-2022-24816
|
id: CVE-2022-24816
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Geoserver Server - Code Injection
|
name: GeoServer <1.2.2 - Remote Code Execution
|
||||||
author: mukundbhuva
|
author: mukundbhuva
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
Programs using jt-jiffle, and allowing Jiffle script to be provided via network request, are susceptible to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project Version < 1.1.22.
|
Programs run on GeoServer before 1.2.2 which use jt-jiffle and allow Jiffle script to be provided via network request are susceptible to remote code execution. The Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects downstream GeoServer 1.1.22.
|
||||||
|
remediation: 1.2.22 contains a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application by removing janino-x.y.z.jar from the classpath.
|
||||||
reference:
|
reference:
|
||||||
- https://www.synacktiv.com/en/publications/exploiting-cve-2022-24816-a-code-injection-in-the-jt-jiffle-extension-of-geoserver.html
|
- https://www.synacktiv.com/en/publications/exploiting-cve-2022-24816-a-code-injection-in-the-jt-jiffle-extension-of-geoserver.html
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-24816
|
|
||||||
- https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx
|
- https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx
|
||||||
- https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb
|
- https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-24816
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 9.8
|
cvss-score: 9.8
|
||||||
|
@ -71,3 +72,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/21
|
||||||
|
|
|
@ -1,16 +1,16 @@
|
||||||
id: CVE-2022-31499
|
id: CVE-2022-31499
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: eMerge E3-Series - Command Injection
|
name: Nortek Linear eMerge E3-Series <0.32-08f - Remote Command Injection
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
Nortek Linear eMerge E3-Series devices before 0.32-08f allow an unauthenticated attacker to inject OS commands via ReaderNo. NOTE: this issue exists because of an incomplete fix for CVE-2019-7256 .
|
Nortek Linear eMerge E3-Series devices before 0.32-08f are susceptible to remote command injection via ReaderNo. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-7256.
|
||||||
reference:
|
reference:
|
||||||
- https://packetstormsecurity.com/files/167991/Nortek-Linear-eMerge-E3-Series-Command-Injection.html
|
- https://packetstormsecurity.com/files/167991/Nortek-Linear-eMerge-E3-Series-Command-Injection.html
|
||||||
- https://github.com/omarhashem123/CVE-2022-31499
|
- https://github.com/omarhashem123/CVE-2022-31499
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-31499
|
|
||||||
- http://packetstormsecurity.com/files/167991/Nortek-Linear-eMerge-E3-Series-Command-Injection.html
|
- http://packetstormsecurity.com/files/167991/Nortek-Linear-eMerge-E3-Series-Command-Injection.html
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-31499
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 9.8
|
cvss-score: 9.8
|
||||||
|
@ -36,3 +36,5 @@ requests:
|
||||||
- status_code == 200
|
- status_code == 200
|
||||||
- contains(body, '{\"CardNo\":false')
|
- contains(body, '{\"CardNo\":false')
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/21
|
||||||
|
|
|
@ -1,16 +1,16 @@
|
||||||
id: CVE-2022-33901
|
id: CVE-2022-33901
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: MultiSafepay plugin for WooCommerce <= 4.13.1 - Unauthenticated Arbitrary File Read
|
name: WordPress MultiSafepay for WooCommerce <=4.13.1 - Arbitrary File Read
|
||||||
author: theamanrawat
|
author: theamanrawat
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
Unauthenticated Arbitrary File Read vulnerability in MultiSafepay plugin for WooCommerce plugin <= 4.13.1 at WordPress.
|
WordPress MultiSafepay for WooCommerce plugin through 4.13.1 contains an arbitrary file read vulnerability. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||||
reference:
|
reference:
|
||||||
- https://wordpress.org/plugins/multisafepay/
|
- https://wordpress.org/plugins/multisafepay/
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-33901
|
|
||||||
- https://wordpress.org/plugins/multisafepay/#developers
|
- https://wordpress.org/plugins/multisafepay/#developers
|
||||||
- https://patchstack.com/database/vulnerability/multisafepay/wordpress-multisafepay-plugin-for-woocommerce-plugin-4-13-1-unauthenticated-arbitrary-file-read-vulnerability
|
- https://patchstack.com/database/vulnerability/multisafepay/wordpress-multisafepay-plugin-for-woocommerce-plugin-4-13-1-unauthenticated-arbitrary-file-read-vulnerability
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-33901
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
|
@ -39,3 +39,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/22
|
||||||
|
|
|
@ -1,16 +1,16 @@
|
||||||
id: CVE-2022-34753
|
id: CVE-2022-34753
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: SpaceLogic C-Bus Home Controller - Remote Code Execution
|
name: SpaceLogic C-Bus Home Controller <=1.31.460 - Remote Command Execution
|
||||||
author: gy741
|
author: gy741
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
A CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote root exploit when the command is compromised. Affected Products SpaceLogic C-Bus Home Controller (5200WHC2), formerly known as C-Bus Wiser Homer Controller MK2 (V1.31.460 and prior)
|
SpaceLogic C-Bus Home Controller through 1.31.460 is susceptible to remote command execution via improper neutralization of special elements. Remote root exploit can be enabled when the command is compromised, and an attacker can potentially execute malware, obtain sensitive information, modify data, and/or gain full control without entering necessary credentials.
|
||||||
reference:
|
reference:
|
||||||
- https://www.zeroscience.mk/codes/SpaceLogic.txt
|
- https://www.zeroscience.mk/codes/SpaceLogic.txt
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-34753
|
|
||||||
- https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf
|
- https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf
|
||||||
- http://packetstormsecurity.com/files/167783/Schneider-Electric-SpaceLogic-C-Bus-Home-Controller-5200WHC2-Remote-Root.html
|
- http://packetstormsecurity.com/files/167783/Schneider-Electric-SpaceLogic-C-Bus-Home-Controller-5200WHC2-Remote-Root.html
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-34753
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 8.8
|
cvss-score: 8.8
|
||||||
|
@ -36,3 +36,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/22
|
||||||
|
|
|
@ -1,16 +1,17 @@
|
||||||
id: CVE-2022-39952
|
id: CVE-2022-39952
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: FortiNAC Unauthenticated Arbitrary File Write
|
name: Fortinet FortiNAC - Arbitrary File Write
|
||||||
author: dwisiswant0
|
author: dwisiswant0
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
A external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP request.
|
Fortinet FortiNAC is susceptible to arbitrary file write. An external control of the file name or path can allow an attacker to execute unauthorized code or commands via specifically crafted HTTP request, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations. Affected versions are 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, and 8.3.7.
|
||||||
reference:
|
reference:
|
||||||
- https://fortiguard.com/psirt/FG-IR-22-300
|
- https://fortiguard.com/psirt/FG-IR-22-300
|
||||||
- https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
|
- https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
|
||||||
- https://github.com/horizon3ai/CVE-2022-39952
|
- https://github.com/horizon3ai/CVE-2022-39952
|
||||||
remediation: Upgrade to FortiNAC version 9.4.1, 9.2.6, 9.2.6, 9.1.8, 7.2.0 or above
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-39952
|
||||||
|
remediation: Upgrade to 9.4.1, 9.2.6, 9.2.6, 9.1.8, 7.2.0 or above.
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 9.8
|
cvss-score: 9.8
|
||||||
|
@ -54,3 +55,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/22
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
id: CVE-2022-4060
|
id: CVE-2022-4060
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: User Post Gallery <= 2.19 - Unauthenticated RCE
|
name: WordPress User Post Gallery <=2.19 - Remote Code Execution
|
||||||
author: theamanrawat
|
author: theamanrawat
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
The User Post Gallery WordPress plugin through 2.19 does not limit what callback functions can be called by users, making it possible to any visitors to run code on sites running it.
|
WordPress User Post Gallery plugin through 2.19 is susceptible to remote code execution. The plugin does not limit which callback functions can be called by users, making it possible for an attacker execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
|
||||||
reference:
|
reference:
|
||||||
- https://wpscan.com/vulnerability/8f982ebd-6fc5-452d-8280-42e027d01b1e
|
- https://wpscan.com/vulnerability/8f982ebd-6fc5-452d-8280-42e027d01b1e
|
||||||
- https://wordpress.org/plugins/wp-upg/
|
- https://wordpress.org/plugins/wp-upg/
|
||||||
|
@ -44,3 +44,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/22
|
||||||
|
|
|
@ -1,16 +1,16 @@
|
||||||
id: CVE-2022-44877
|
id: CVE-2022-44877
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Centos Web Panel - Unauthenticated Remote Code Execution
|
name: CentOS Web Panel 7 <0.9.8.1147 - Remote Code Execution
|
||||||
author: For3stCo1d
|
author: For3stCo1d
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
RESERVED An issue in the /login/index.php component of Centos Web Panel 7 before v0.9.8.1147 allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.
|
CentOS Web Panel 7 before 0.9.8.1147 is susceptible to remote code execution via entering shell characters in the /login/index.php component. This can allow an attacker to execute arbitrary system commands via crafted HTTP requests and potentially execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
|
||||||
reference:
|
reference:
|
||||||
- https://twitter.com/_0xf4n9x_/status/1612068225046675457
|
- https://twitter.com/_0xf4n9x_/status/1612068225046675457
|
||||||
- https://github.com/numanturle/CVE-2022-44877
|
- https://github.com/numanturle/CVE-2022-44877
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-44877
|
|
||||||
- https://gist.github.com/numanturle/c1e82c47f4cba24cff214e904c227386
|
- https://gist.github.com/numanturle/c1e82c47f4cba24cff214e904c227386
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-44877
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 9.8
|
cvss-score: 9.8
|
||||||
|
@ -52,3 +52,5 @@ requests:
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
|
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/22
|
||||||
|
|
|
@ -48,3 +48,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 500
|
- 500
|
||||||
|
|
||||||
|
# Enhanced by md 03/22/2023
|
||||||
|
|
|
@ -1,16 +1,17 @@
|
||||||
id: CVE-2023-0669
|
id: CVE-2023-0669
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: GoAnywhere MFT - Remote Code Execution (ZeroDay)
|
name: Fortra GoAnywhere MFT - Remote Code Execution
|
||||||
author: rootxharsh,iamnoooob,dhiyaneshdk,pdresearch
|
author: rootxharsh,iamnoooob,dhiyaneshdk,pdresearch
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object.
|
Fortra GoAnywhere MFT is susceptible to remote code execution via unsafe deserialization of an arbitrary attacker-controlled object. This stems from a pre-authentication command injection vulnerability in the License Response Servlet.
|
||||||
reference:
|
reference:
|
||||||
- https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html
|
- https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html
|
||||||
- https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1
|
- https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1
|
||||||
- https://infosec.exchange/@briankrebs/109795710941843934
|
- https://infosec.exchange/@briankrebs/109795710941843934
|
||||||
- https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/
|
- https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-0669
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 7.2
|
cvss-score: 7.2
|
||||||
|
@ -46,3 +47,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 500
|
- 500
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/22
|
||||||
|
|
|
@ -1,15 +1,15 @@
|
||||||
id: CVE-2023-26255
|
id: CVE-2023-26255
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: STAGIL Navigation for Jira - Menu & Themes - Local File Inclusion
|
name: STAGIL Navigation for Jira Menu & Themes <2.0.52 - Local File Inclusion
|
||||||
author: DhiyaneshDK
|
author: DhiyaneshDK
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjCustomDesignConfig endpoint, it is possible to traverse and read the file system.
|
STAGIL Navigation for Jira Menu & Themes plugin before 2.0.52 is susceptible to local file inclusion via modifying the fileName parameter to the snjCustomDesignConfig endpoint. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can potentially allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/1nters3ct/CVEs/blob/main/CVE-2023-26255.md
|
- https://github.com/1nters3ct/CVEs/blob/main/CVE-2023-26255.md
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-26255
|
|
||||||
- https://marketplace.atlassian.com/apps/1216090/stagil-navigation-for-jira-menus-themes?tab=overview&hosting=cloud
|
- https://marketplace.atlassian.com/apps/1216090/stagil-navigation-for-jira-menus-themes?tab=overview&hosting=cloud
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-26255
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
|
@ -39,3 +39,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/22
|
||||||
|
|
|
@ -1,15 +1,15 @@
|
||||||
id: CVE-2023-26256
|
id: CVE-2023-26256
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: STAGIL Navigation for Jira - Menu & Themes - Local File Inclusion
|
name: STAGIL Navigation for Jira Menu & Themes <2.0.52 - Local File Inclusion
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjFooterNavigationConfig endpoint, it is possible to traverse and read the file system.
|
STAGIL Navigation for Jira Menu & Themes plugin before 2.0.52 is susceptible to local file inclusion via modifying the fileName parameter to the snjFooterNavigationConfig endpoint. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can potentially allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/1nters3ct/CVEs/blob/main/CVE-2023-26256.md
|
- https://github.com/1nters3ct/CVEs/blob/main/CVE-2023-26256.md
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-26256
|
|
||||||
- https://marketplace.atlassian.com/apps/1216090/stagil-navigation-for-jira-menus-themes?tab=overview&hosting=cloud
|
- https://marketplace.atlassian.com/apps/1216090/stagil-navigation-for-jira-menus-themes?tab=overview&hosting=cloud
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-26256
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
|
@ -38,3 +38,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/22
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
id: oracle-cgi-printenv
|
id: oracle-cgi-printenv
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Oracle CGI Printenv - Information Disclosure
|
name: Oracle CGI printenv - Information Disclosure
|
||||||
author: DhiyaneshDk
|
author: DhiyaneshDk
|
||||||
severity: medium
|
severity: medium
|
||||||
description: Oracle CGI printenv component is susceptible to an information disclosure vulnerability.
|
description: Oracle CGI printenv component is susceptible to an information disclosure vulnerability.
|
||||||
|
|
|
@ -3,7 +3,7 @@ id: proftpd-config
|
||||||
info:
|
info:
|
||||||
name: ProFTPD Configuration File - Detect
|
name: ProFTPD Configuration File - Detect
|
||||||
author: sheikhrishad
|
author: sheikhrishad
|
||||||
severity: low
|
severity: info
|
||||||
description: ProFTPD configuration file was detected.
|
description: ProFTPD configuration file was detected.
|
||||||
reference: http://www.proftpd.org/docs/howto/ConfigFile.html
|
reference: http://www.proftpd.org/docs/howto/ConfigFile.html
|
||||||
classification:
|
classification:
|
||||||
|
|
|
@ -1,11 +1,16 @@
|
||||||
id: salesforce-credentials
|
id: salesforce-credentials
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Salesforce Credentials Disclosure
|
name: Salesforce Credentials - Detect
|
||||||
author: geeknik
|
author: geeknik
|
||||||
severity: unknown
|
severity: high
|
||||||
|
description: Salesforce credentials information was detected.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/daveagp/websheets
|
- https://github.com/daveagp/websheets
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
|
cvss-score: 7.5
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: exposure,files,salesforce
|
tags: exposure,files,salesforce
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
@ -32,3 +37,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by cs on 2023/03/27
|
||||||
|
|
|
@ -3,7 +3,7 @@ id: envision-gateway
|
||||||
info:
|
info:
|
||||||
name: EnvisionGateway Scheduler Panel - Detect
|
name: EnvisionGateway Scheduler Panel - Detect
|
||||||
author: dhiyaneshDK
|
author: dhiyaneshDK
|
||||||
severity: medium
|
severity: info
|
||||||
description: EnvisionGateway scheduler panel was detected.
|
description: EnvisionGateway scheduler panel was detected.
|
||||||
reference:
|
reference:
|
||||||
- https://www.exploit-db.com/ghdb/7315
|
- https://www.exploit-db.com/ghdb/7315
|
||||||
|
|
|
@ -3,7 +3,7 @@ id: akamai-s3-cache-poisoning
|
||||||
info:
|
info:
|
||||||
name: Akamai/Amazon S3 - Cache Poisoning
|
name: Akamai/Amazon S3 - Cache Poisoning
|
||||||
author: DhiyaneshDk
|
author: DhiyaneshDk
|
||||||
severity: medium
|
severity: high
|
||||||
description: Akamai/Amazon S3 expose a stored cross-site scripting vulnerability generated by cache poisoning capability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can further allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
description: Akamai/Amazon S3 expose a stored cross-site scripting vulnerability generated by cache poisoning capability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can further allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||||
reference:
|
reference:
|
||||||
- https://web.archive.org/web/20230101082612/https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/
|
- https://web.archive.org/web/20230101082612/https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
id: hadoop-unauth-rce
|
id: hadoop-unauth-rce
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Apache Hadoop - Yarn ResourceManager Remote Code Execution
|
name: Apache Hadoop YARN ResourceManager - Remote Code Execution
|
||||||
author: pdteam,Couskito
|
author: pdteam,Couskito
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
An unauthenticated Hadoop Resource Manager was discovered, which allows remote code execution by design.
|
Apache Hadoop YARN ResourceManager is susceptible to remote code execution. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
|
||||||
reference:
|
reference:
|
||||||
- http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf
|
- http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf
|
||||||
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hadoop_unauth_exec.rb
|
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hadoop_unauth_exec.rb
|
||||||
|
@ -31,3 +31,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/22
|
||||||
|
|
|
@ -1,12 +1,19 @@
|
||||||
id: nopcommerce-installer
|
id: nopcommerce-installer
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: nopCommerce Installer Exposure
|
name: nopCommerce Installer - Detect
|
||||||
author: DhiyaneshDk
|
author: DhiyaneshDk
|
||||||
severity: high
|
severity: critical
|
||||||
|
description: nopCommerce installer panel was detected.
|
||||||
|
reference:
|
||||||
|
- https://www.nopcommerce.com/
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
shodan-query: html:"nopCommerce Installation"
|
shodan-query: html:"nopCommerce Installation"
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
|
||||||
|
cvss-score: 9.4
|
||||||
|
cwe-id: CWE-284
|
||||||
tags: misconfig,nopcommerce,install
|
tags: misconfig,nopcommerce,install
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
@ -31,3 +38,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by cs on 2023/03/27
|
||||||
|
|
|
@ -1,13 +1,17 @@
|
||||||
id: backdoored-zte
|
id: backdoored-zte
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Backdoored ZTE Routers
|
name: ZTE Router Panel - Detect
|
||||||
author: its0x08
|
author: its0x08
|
||||||
severity: high
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
Multiple ZTE routers have a telnet hardcoded backdoor account that spawns root shell.
|
Multiple ZTE router panels were detected. These routers have a telnet-hardcoded backdoor account that spawns root shell.
|
||||||
reference:
|
reference:
|
||||||
- https://www.exploit-db.com/ghdb/7179
|
- https://www.exploit-db.com/ghdb/7179
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||||
|
cvss-score: 10.0
|
||||||
|
cwe-id: CWE-912
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
shodan-query: http.html:"ZTE Corporation"
|
shodan-query: http.html:"ZTE Corporation"
|
||||||
|
@ -32,3 +36,5 @@ network:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- '[A-Z]{1,}[0-9]{3,4}'
|
- '[A-Z]{1,}[0-9]{3,4}'
|
||||||
|
|
||||||
|
# Enhanced by cs on 2023/03/27
|
||||||
|
|
|
@ -1,13 +1,17 @@
|
||||||
id: ibm-d2b-database-server
|
id: ibm-d2b-database-server
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: IBM DB2 Database Server Detection
|
name: IBM DB2 Database Server - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: |
|
description: |
|
||||||
A Db2 server is a relational database management system (RDBMS) that delivers data to its IBM data server clients. If you plan to use a database that resides on this computer, install a Db2 server. For more information about Db2 server.
|
IBM DB2 Database Server panel was detected.
|
||||||
reference:
|
reference:
|
||||||
- https://nmap.org/nsedoc/scripts/db2-das-info.html
|
- https://nmap.org/nsedoc/scripts/db2-das-info.html
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
shodan-query: product:"IBM DB2 Database Server"
|
shodan-query: product:"IBM DB2 Database Server"
|
||||||
|
@ -30,3 +34,5 @@ network:
|
||||||
- "DB2"
|
- "DB2"
|
||||||
- "SQLJS1D"
|
- "SQLJS1D"
|
||||||
condition: or
|
condition: or
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/22
|
||||||
|
|
|
@ -1,11 +1,16 @@
|
||||||
id: oracle-atg-commerce
|
id: oracle-atg-commerce
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Detects Oracle ATG Commerce
|
name: Oracle ATG Commerce Panel - Detect
|
||||||
author: Dale Clarke
|
author: Dale Clarke
|
||||||
severity: info
|
severity: info
|
||||||
|
description: Oracle ATG Commerce panel was detected.
|
||||||
reference:
|
reference:
|
||||||
- https://docs.oracle.com/cd/E35319_01/Platform.10-2/ATGPlatformProgGuide/html/s0101introduction01.html
|
- https://docs.oracle.com/cd/E35319_01/Platform.10-2/ATGPlatformProgGuide/html/s0101introduction01.html
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
tags: tech,oracle,atg,commerce
|
tags: tech,oracle,atg,commerce
|
||||||
|
@ -28,3 +33,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/22
|
||||||
|
|
|
@ -1,13 +1,17 @@
|
||||||
id: api-abuseipdb
|
id: api-abuseipdb
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: AbuseIPDB API Test
|
name: AbuseIPDB API - Test
|
||||||
author: daffainfo
|
author: daffainfo
|
||||||
severity: info
|
severity: info
|
||||||
description: IP/domain/URL reputation
|
description: AbuseIPDB API test was conducted.
|
||||||
reference:
|
reference:
|
||||||
- https://docs.abuseipdb.com/
|
- https://docs.abuseipdb.com/
|
||||||
- https://github.com/daffainfo/all-about-apikey/tree/main/abuseipdb
|
- https://github.com/daffainfo/all-about-apikey/tree/main/abuseipdb
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: token-spray,abuseipdb
|
tags: token-spray,abuseipdb
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
@ -30,3 +34,4 @@ requests:
|
||||||
- 'data":'
|
- 'data":'
|
||||||
- 'ipAddress":'
|
- 'ipAddress":'
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
|
|
@ -1,11 +1,16 @@
|
||||||
id: api-dbt
|
id: api-dbt
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: dbt Cloud API Test
|
name: dbt Cloud API - Test
|
||||||
author: dwisiswant0
|
author: dwisiswant0
|
||||||
severity: info
|
severity: info
|
||||||
|
description: dbt Cloud API test was conducted.
|
||||||
reference:
|
reference:
|
||||||
- https://docs.getdbt.com/docs/introduction
|
- https://docs.getdbt.com/docs/introduction
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: token-spray,dbt
|
tags: token-spray,dbt
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
@ -25,3 +30,4 @@ requests:
|
||||||
- "Authentication credentials were not provided."
|
- "Authentication credentials were not provided."
|
||||||
condition: or
|
condition: or
|
||||||
negative: true
|
negative: true
|
||||||
|
|
||||||
|
|
|
@ -4,9 +4,14 @@ info:
|
||||||
name: Avaya Aura Utility Services Administration - Remote Code Execution
|
name: Avaya Aura Utility Services Administration - Remote Code Execution
|
||||||
author: DhiyaneshDk
|
author: DhiyaneshDk
|
||||||
severity: critical
|
severity: critical
|
||||||
|
description: Avaya Aura Utility Services Administration is susceptible to remote code execution. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
|
||||||
reference:
|
reference:
|
||||||
- https://blog.assetnote.io/2023/02/01/rce-in-avaya-aura/
|
- https://blog.assetnote.io/2023/02/01/rce-in-avaya-aura/
|
||||||
- https://download.avaya.com/css/public/documents/101076366
|
- https://download.avaya.com/css/public/documents/101076366
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cwe-id: CWE-94
|
||||||
metadata:
|
metadata:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
shodan-query: html:"Avaya Aura"
|
shodan-query: html:"Avaya Aura"
|
||||||
|
@ -39,3 +44,5 @@ requests:
|
||||||
part: header_2
|
part: header_2
|
||||||
words:
|
words:
|
||||||
- "text/html"
|
- "text/html"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/22
|
||||||
|
|
|
@ -1,12 +1,17 @@
|
||||||
id: avaya-aura-xss
|
id: avaya-aura-xss
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Avaya Aura Utility Services Administration - Cross Site Scripting
|
name: Avaya Aura Utility Services Administration - Cross-Site Scripting
|
||||||
author: DhiyaneshDk
|
author: DhiyaneshDk
|
||||||
severity: medium
|
severity: medium
|
||||||
|
description: Avaya Aura Utility Services Administration contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||||
reference:
|
reference:
|
||||||
- https://blog.assetnote.io/2023/02/01/rce-in-avaya-aura/
|
- https://blog.assetnote.io/2023/02/01/rce-in-avaya-aura/
|
||||||
- https://download.avaya.com/css/public/documents/101076366
|
- https://download.avaya.com/css/public/documents/101076366
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 5.4
|
||||||
|
cwe-id: CWE-80
|
||||||
metadata:
|
metadata:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
shodan-query: html:"Avaya Aura"
|
shodan-query: html:"Avaya Aura"
|
||||||
|
@ -35,3 +40,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/22
|
||||||
|
|
|
@ -1,15 +1,16 @@
|
||||||
id: cisco-cloudcenter-suite-log4j-rce
|
id: cisco-cloudcenter-suite-log4j-rce
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Cisco CloudCenter Suite - Remote Code Execution (Apache Log4j)
|
name: Cisco CloudCenter Suite (Log4j)- Remote Code Execution
|
||||||
author: pwnhxl
|
author: pwnhxl
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
Cisco CloudCenter Suite - Remote Code Execution.
|
Cisco CloudCenter Suite is susceptible to remote code execution via the Apache Log4j library. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
|
||||||
|
remediation: From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
|
||||||
reference:
|
reference:
|
||||||
- https://logging.apache.org/log4j/2.x/security.html
|
- https://logging.apache.org/log4j/2.x/security.html
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
|
|
||||||
- http://www.openwall.com/lists/oss-security/2021/12/10/1
|
- http://www.openwall.com/lists/oss-security/2021/12/10/1
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||||
cvss-score: 10
|
cvss-score: 10
|
||||||
|
@ -58,3 +59,5 @@ requests:
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
|
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/22
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
id: cisco-vmanage-log4j
|
id: cisco-vmanage-log4j
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Cisco vManage - Remote Code Execution (Apache Log4j)
|
name: Cisco vManage (Log4j) - Remote Code Execution
|
||||||
author: DhiyaneshDK
|
author: DhiyaneshDK
|
||||||
severity: critical
|
severity: critical
|
||||||
description: Cisco vManage is susceptible to remote code execution via the Apache Log4j framework. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. More information is available in the cisco-sa-apache-log4j-qRuKNEbd advisory.
|
description: Cisco vManage is susceptible to remote code execution via the Apache Log4j framework. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. More information is available in the cisco-sa-apache-log4j-qRuKNEbd advisory.
|
||||||
|
@ -58,3 +58,5 @@ requests:
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
|
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
|
||||||
|
|
||||||
|
# Enhanced by CS 03/27/2023
|
||||||
|
|
|
@ -1,11 +1,15 @@
|
||||||
id: froxlor-xss
|
id: froxlor-xss
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Froxlor Server Management - Cross Site Scripting
|
name: Froxlor Server Management - Cross-Site Scripting
|
||||||
author: tess
|
author: tess
|
||||||
severity: medium
|
severity: medium
|
||||||
description: |
|
description: |
|
||||||
The user must click the forgot password link in order to execute this XSS.
|
Froxlor Server Management is susceptible to cross-site scripting via clicking the forgot password link. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 5.4
|
||||||
|
cwe-id: CWE-80
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
shodan-query: title:"Froxlor Server Management Panel"
|
shodan-query: title:"Froxlor Server Management Panel"
|
||||||
|
@ -33,3 +37,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/23
|
||||||
|
|
|
@ -3,8 +3,12 @@ id: error-based-sql-injection
|
||||||
info:
|
info:
|
||||||
name: Error based SQL injection
|
name: Error based SQL injection
|
||||||
author: geeknik
|
author: geeknik
|
||||||
severity: high
|
severity: critical
|
||||||
description: Detects the possibility of SQL injection in 29 database engines. Inspired by https://github.com/sqlmapproject/sqlmap/blob/master/data/xml/errors.xml.
|
description: Detects potential SQL injection via error strings in 29 database engines. Inspired by https://github.com/sqlmapproject/sqlmap/blob/master/data/xml/errors.xml.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cwe-id: CWE-89
|
||||||
tags: sqli,generic,error
|
tags: sqli,generic,error
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
@ -474,3 +478,5 @@ requests:
|
||||||
- "SQ200: No table "
|
- "SQ200: No table "
|
||||||
- "Virtuoso S0002 Error"
|
- "Virtuoso S0002 Error"
|
||||||
- "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]"
|
- "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]"
|
||||||
|
|
||||||
|
# Enhanced by CS 03/27/2023
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
id: jamf-log4j-jndi-rce
|
id: jamf-log4j-jndi-rce
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: JamF - Remote Code Execution (Apache Log4j)
|
name: JamF (Log4j) - Remote Code Execution
|
||||||
author: pdteam
|
author: pdteam
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
JamF is susceptible to Lof4j JNDI remote code execution. JamF is the industry standard when it comes to the management of iOS devices (iPhones and iPads), macOS computers (MacBooks, iMacs, etc.), and tvOS devices (Apple TV).
|
JamF is susceptible to remote code execution via the Apache log4j library. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/random-robbie/jamf-log4j
|
- https://github.com/random-robbie/jamf-log4j
|
||||||
- https://community.connection.com/what-is-jamf/
|
- https://community.connection.com/what-is-jamf/
|
||||||
|
@ -55,3 +55,5 @@ requests:
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/23
|
||||||
|
|
|
@ -1,17 +1,17 @@
|
||||||
id: mobileiron-log4j-jndi-rce
|
id: mobileiron-log4j-jndi-rce
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Ivanti MobileIron - JNDI Remote Command Execution (Apache Log4j)
|
name: Ivanti MobileIron (Log4j) - Remote Code Execution
|
||||||
author: meme-lord
|
author: meme-lord
|
||||||
severity: critical
|
severity: critical
|
||||||
description: Ivanti MobileIron Apache Log4j2 <=2.14.1 JNDI in features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
|
description: Ivanti MobileIron is susceptible to remote code execution via the Apache Log4j2 library. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
|
||||||
|
remediation: From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
|
- https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
|
||||||
- https://www.lunasec.io/docs/blog/log4j-zero-day/
|
- https://www.lunasec.io/docs/blog/log4j-zero-day/
|
||||||
- https://www.zdnet.com/article/mobileiron-customers-urged-to-patch-systems-due-to-potential-log4j-exploitation/
|
- https://www.zdnet.com/article/mobileiron-customers-urged-to-patch-systems-due-to-potential-log4j-exploitation/
|
||||||
- https://logging.apache.org/log4j/2.x/security.html
|
- https://logging.apache.org/log4j/2.x/security.html
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
|
||||||
remediation: Upgrade to version 2.14.2 or higher of MobileIron. If this is not possible, several Log4j exploit workarounds are available.
|
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||||
cvss-score: 10
|
cvss-score: 10
|
||||||
|
@ -54,3 +54,5 @@ requests:
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/23
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
id: opencpu-rce
|
id: opencpu-rce
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: OpenCPU RCE
|
name: OpenCPU - Remote Code Execution
|
||||||
author: wa1tf0rme
|
author: wa1tf0rme
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
Checks for RCE in OpenCPU instance
|
Check for remote code execution via OpenCPU was conducted.
|
||||||
reference:
|
reference:
|
||||||
- https://pulsesecurity.co.nz/articles/R-Shells
|
- https://pulsesecurity.co.nz/articles/R-Shells
|
||||||
- https://github.com/opencpu/opencpu/
|
- https://github.com/opencpu/opencpu/
|
||||||
|
@ -41,3 +41,5 @@ requests:
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- \(([a-z-]+)\)
|
- \(([a-z-]+)\)
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/23
|
||||||
|
|
|
@ -1,14 +1,18 @@
|
||||||
id: academy-lms-xss
|
id: academy-lms-xss
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Academy LMS 5.11 - Cross Site Scripting
|
name: Academy Learning Management System 5.11 - Cross-Site Scripting
|
||||||
author: arafatansari
|
author: arafatansari
|
||||||
severity: medium
|
severity: medium
|
||||||
description: |
|
description: |
|
||||||
Academy Learning Management System contains a reflected cross-site scripting vulnerability via the Search parameter.
|
Academy Learning Management System 5.11 contains a cross-site scripting vulnerability via the Search parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||||
reference:
|
reference:
|
||||||
- https://packetstormsecurity.com/files/170514/Academy-LMS-5.11-Cross-Site-Scripting.html
|
- https://packetstormsecurity.com/files/170514/Academy-LMS-5.11-Cross-Site-Scripting.html
|
||||||
- https://vulners.com/packetstorm/PACKETSTORM:170514
|
- https://vulners.com/packetstorm/PACKETSTORM:170514
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 5.4
|
||||||
|
cwe-id: CWE-80
|
||||||
metadata:
|
metadata:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
shodan-query: http.html:"Academy LMS"
|
shodan-query: http.html:"Academy LMS"
|
||||||
|
@ -36,3 +40,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/23
|
||||||
|
|
|
@ -1,11 +1,16 @@
|
||||||
id: caucho-resin-info-disclosure
|
id: caucho-resin-info-disclosure
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Caucho Resin Information Disclosure
|
name: Caucho Resin - Information Disclosure
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: info
|
severity: info
|
||||||
|
description: Caucho Resin contains an information disclosure vulnerability. The application does not properly sanitize user-supplied input. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||||
reference:
|
reference:
|
||||||
- https://www.exploit-db.com/exploits/27888
|
- https://www.exploit-db.com/exploits/27888
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: exposure,resin,caucho,edb
|
tags: exposure,resin,caucho,edb
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
@ -26,3 +31,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/23
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
id: ckan-dom-based-xss
|
id: ckan-dom-based-xss
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Ckan - DOM Cross-Site Scripting
|
name: CKAN - DOM Cross-Site Scripting
|
||||||
author: dhiyaneshDk
|
author: dhiyaneshDk
|
||||||
severity: high
|
severity: high
|
||||||
description: Ckan contains a cross-site scripting vulnerability in the document object model via the previous version of the jQuery Sparkle library. An attacker can execute arbitrary script and thus can steal cookie-based authentication credentials and launch other attacks.
|
description: CKAN contains a cross-site scripting vulnerability in the document object model via the previous version of the jQuery Sparkle library. An attacker can execute arbitrary script and thus steal cookie-based authentication credentials and launch other attacks.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/ckan/ckan/blob/b9e45e2723d4abd70fa72b16ec4a0bebc795c56b/ckan/public/base/javascript/view-filters.js#L27
|
- https://github.com/ckan/ckan/blob/b9e45e2723d4abd70fa72b16ec4a0bebc795c56b/ckan/public/base/javascript/view-filters.js#L27
|
||||||
- https://security.snyk.io/vuln/SNYK-PYTHON-CKAN-42010
|
- https://security.snyk.io/vuln/SNYK-PYTHON-CKAN-42010
|
||||||
|
@ -44,3 +44,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/23
|
||||||
|
|
|
@ -1,10 +1,16 @@
|
||||||
id: couchdb-adminparty
|
id: couchdb-adminparty
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: CouchDB Admin Party
|
name: CouchDB Admin Default - Detect
|
||||||
author: organiccrap
|
author: organiccrap
|
||||||
severity: high
|
severity: high
|
||||||
description: Requests made against CouchDB are done in the context of an admin user.
|
description: CouchDB is susceptible to requests in the context of an admin user.
|
||||||
|
reference:
|
||||||
|
- https://docs.couchdb.org/en/stable/intro/security.html#authentication-database
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||||
|
cvss-score: 5.3
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: couchdb
|
tags: couchdb
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
@ -26,3 +32,5 @@ requests:
|
||||||
- offset
|
- offset
|
||||||
part: body
|
part: body
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
# Enhanced by cs on 2023/03/27
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
id: graylog-log4j
|
id: graylog-log4j
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Graylog - Remote Code Execution (Apache Log4j)
|
name: Graylog (Log4j) - Remote Code Execution
|
||||||
author: DhiyaneshDK
|
author: DhiyaneshDK
|
||||||
severity: critical
|
severity: critical
|
||||||
description: Graylog is susceptible to remote code execution via the Apache Log4j 2 library prior to 2.15.0 by recording its own log information, specifically with specially crafted values sent as user input.
|
description: Graylog is susceptible to remote code execution via the Apache Log4j 2 library prior to 2.15.0 by recording its own log information, specifically with specially crafted values sent as user input. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
|
||||||
reference:
|
reference:
|
||||||
- https://www.graylog.org/post/graylog-update-for-log4j
|
- https://www.graylog.org/post/graylog-update-for-log4j
|
||||||
- https://logging.apache.org/log4j/2.x/security.html
|
- https://logging.apache.org/log4j/2.x/security.html
|
||||||
|
@ -60,3 +60,5 @@ requests:
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
|
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/03/23
|
||||||
|
|
Loading…
Reference in New Issue