Dashboard Content Enhancements (#6965)

* Add description and enhance one where the UI failed to save properly.
dos2unix on a template

* Change cvedetails link to nvd

* make severities match

* Enhancement: cves/2015/CVE-2015-2863.yaml by md

* Enhancement: cves/2017/CVE-2017-14524.yaml by md

* Enhancement: cves/2017/CVE-2017-5638.yaml by md

* Enhancement: cves/2019/CVE-2019-16759.yaml by md

* Enhancement: cves/2021/CVE-2021-22986.yaml by md

* Enhancement: cves/2021/CVE-2021-24145.yaml by md

* Enhancement: cves/2021/CVE-2021-24145.yaml by md

* Enhancement: cves/2021/CVE-2021-24155.yaml by md

* Enhancement: cves/2021/CVE-2021-24145.yaml by md

* Enhancement: cves/2021/CVE-2021-24145.yaml by md

* Enhancement: cves/2021/CVE-2021-24347.yaml by md

* Enhancement: cves/2021/CVE-2021-25003.yaml by md

* Enhancement: cves/2021/CVE-2021-25296.yaml by md

* Enhancement: cves/2021/CVE-2021-25297.yaml by md

* Enhancement: cves/2021/CVE-2021-25296.yaml by md

* Enhancement: cves/2021/CVE-2021-25297.yaml by md

* Enhancement: cves/2021/CVE-2021-25298.yaml by md

* Enhancement: cves/2021/CVE-2021-25297.yaml by md

* Enhancement: cves/2021/CVE-2021-28151.yaml by md

* Enhancement: cves/2021/CVE-2021-30128.yaml by md

* Enhancement: cves/2022/CVE-2022-0824.yaml by md

* Enhancement: cves/2022/CVE-2022-0824.yaml by md

* Enhancement: cves/2022/CVE-2022-0885.yaml by md

* Enhancement: cves/2022/CVE-2022-21587.yaml by md

* Enhancement: cves/2022/CVE-2022-2314.yaml by md

* Enhancement: cves/2022/CVE-2022-24816.yaml by md

* Enhancement: cves/2022/CVE-2022-31499.yaml by md

* Enhancement: cves/2022/CVE-2022-21587.yaml by md

* Enhancement: cves/2021/CVE-2021-24155.yaml by md

* Enhancement: cves/2017/CVE-2017-5638.yaml by md

* Enhancement: cves/2015/CVE-2015-2863.yaml by md

* Enhancement: cves/2022/CVE-2022-33901.yaml by md

* Enhancement: cves/2022/CVE-2022-2314.yaml by md

* Enhancement: cves/2022/CVE-2022-33901.yaml by md

* Enhancement: cves/2022/CVE-2022-34753.yaml by md

* Enhancement: cves/2022/CVE-2022-39952.yaml by md

* Enhancement: cves/2022/CVE-2022-4060.yaml by md

* Enhancement: cves/2022/CVE-2022-44877.yaml by md

* Enhancement: cves/2023/CVE-2023-0669.yaml by md

* Enhancement: cves/2023/CVE-2023-26255.yaml by md

* Enhancement: cves/2023/CVE-2023-26256.yaml by md

* Enhancement: exposures/files/salesforce-credentials.yaml by md

* Enhancement: misconfiguration/hadoop-unauth-rce.yaml by md

* Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by md

* Enhancement: network/backdoor/backdoored-zte.yaml by md

* Enhancement: network/detection/ibm-d2b-database-server.yaml by md

* Enhancement: network/detection/ibm-d2b-database-server.yaml by md

* Enhancement: technologies/oracle/oracle-atg-commerce.yaml by md

* Enhancement: token-spray/api-abuseipdb.yaml by md

* Enhancement: token-spray/api-abuseipdb.yaml by md

* Enhancement: token-spray/api-dbt.yaml by md

* Enhancement: vulnerabilities/avaya/avaya-aura-rce.yaml by md

* Enhancement: vulnerabilities/avaya/avaya-aura-xss.yaml by md

* Enhancement: vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml by md

* Enhancement: vulnerabilities/froxlor-xss.yaml by md

* Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md

* Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md

* Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md

* Enhancement: vulnerabilities/opencpu/opencpu-rce.yaml by md

* Enhancement: vulnerabilities/other/academy-lms-xss.yaml by md

* Enhancement: vulnerabilities/other/caucho-resin-info-disclosure.yaml by md

* Enhancement: vulnerabilities/other/ckan-dom-based-xss.yaml by md

* Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by md

* Enhancement: vulnerabilities/other/graylog-log4j.yaml by md

* Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md

* Initial cleanups for syntax errors

* dashboard gremlins

* Add log4j back to name

* Enhancement: exposures/files/salesforce-credentials.yaml by cs

* Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by cs

* Enhancement: network/backdoor/backdoored-zte.yaml by cs

* Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by cs

* Sev and other info tweaks

* Merge conflict

---------

Co-authored-by: sullo <sullo@cirt.net>
patch-1
MostInterestingBotInTheWorld 2023-03-27 13:46:47 -04:00 committed by GitHub
parent 8a451b6ad6
commit 301fddaeb0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
56 changed files with 327 additions and 153 deletions

View File

@ -3,13 +3,13 @@ id: CVE-2015-2863
info: info:
name: Kaseya Virtual System Administrator - Open Redirect name: Kaseya Virtual System Administrator - Open Redirect
author: 0x_Akoko author: 0x_Akoko
severity: low severity: medium
description: | description: |
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. Kaseya Virtual System Administrator 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4 are susceptible to an open redirect vulnerability. An attacker can redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
reference: reference:
- https://github.com/pedrib/PoC/blob/3f927b957b86a91ce65b017c4b9c93d05e241592/advisories/Kaseya/kaseya-vsa-vuln.txt - https://github.com/pedrib/PoC/blob/3f927b957b86a91ce65b017c4b9c93d05e241592/advisories/Kaseya/kaseya-vsa-vuln.txt
- https://www.cvedetails.com/cve/CVE-2015-2863
- http://www.kb.cert.org/vuls/id/919604 - http://www.kb.cert.org/vuls/id/919604
- https://nvd.nist.gov/vuln/detail/CVE-2015-2863
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1 cvss-score: 6.1
@ -29,3 +29,5 @@ requests:
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2023/03/21

View File

@ -5,12 +5,12 @@ info:
author: r3Y3r53 author: r3Y3r53
severity: medium severity: medium
description: | description: |
The NewStatPress plugin utilizes on lines 28 and 31 of the file includes/nsp_search.php several variables from the $_GET scope, without sanitation. While WordPress automatically escapes quotes on this scope, the outputs on these lines are outside of quotes, and as such can be utilized to trigger a Reflected XSS attack. WordPress NewStatPress plugin through 1.0.4 contains a cross-site scripting vulnerability. The plugin utilizes, on lines 28 and 31 of the file "includes/nsp_search.php", several variables from the $_GET scope without sanitation. While WordPress automatically escapes quotes on this scope, the outputs on these lines are outside of quotes, and as such can be utilized to initiate a cross-site scripting attack.
reference: reference:
- https://wpscan.com/vulnerability/46bf6c69-b612-4aee-965d-91f53f642054 - https://wpscan.com/vulnerability/46bf6c69-b612-4aee-965d-91f53f642054
- https://nvd.nist.gov/vuln/detail/CVE-2015-9312
- https://g0blin.co.uk/g0blin-00057/ - https://g0blin.co.uk/g0blin-00057/
- https://wordpress.org/plugins/newstatpress/#developers - https://wordpress.org/plugins/newstatpress/#developers
- https://nvd.nist.gov/vuln/detail/CVE-2015-9312
remediation: Fixed in version 1.0.6 remediation: Fixed in version 1.0.6
classification: classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

View File

@ -1,16 +1,15 @@
id: CVE-2017-14524 id: CVE-2017-14524
info: info:
name: OpenText Documentum Administrator 7.2.0180.0055 - Open redirect name: OpenText Documentum Administrator 7.2.0180.0055 - Open Redirect
author: 0x_Akoko author: 0x_Akoko
severity: medium severity: medium
description: | description: |
Multiple open redirect vulnerabilities in OpenText Documentum Administrator 7.2.0180.0055 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. OpenText Documentum Administrator 7.2.0180.0055 is susceptible to multiple open redirect vulnerabilities. An attacker can redirect a user to a malicious site and potentially obtain sensitive information, modify data, and/or execute unauthorized operations.
reference: reference:
- https://seclists.org/fulldisclosure/2017/Sep/57 - https://seclists.org/fulldisclosure/2017/Sep/57
- https://nvd.nist.gov/vuln/detail/CVE-2017-14524
- https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774 - https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774
- http://seclists.org/fulldisclosure/2017/Sep/57 - https://nvd.nist.gov/vuln/detail/CVE-2017-14524
classification: classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1 cvss-score: 6.1
@ -29,3 +28,5 @@ requests:
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?oast\.me(?:\s*?)$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?oast\.me(?:\s*?)$'
# Enhanced by md on 2023/03/20

View File

@ -5,7 +5,7 @@ info:
author: Random_Robbie author: Random_Robbie
severity: critical severity: critical
description: | description: |
Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is vulnerable to remote command injection attacks through incorrectly parsing an attacker's invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server. Apache Struts 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is susceptible to remote command injection attacks. The Jakarta Multipart parser has incorrect exception handling and error-message generation during file upload attempts, which can allow an attacker to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header. This was exploited in March 2017 with a Content-Type header containing a #cmd= string.
reference: reference:
- https://github.com/mazen160/struts-pwn - https://github.com/mazen160/struts-pwn
- https://isc.sans.edu/diary/22169 - https://isc.sans.edu/diary/22169
@ -37,3 +37,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by md on 2023/03/21

View File

@ -1,15 +1,15 @@
id: CVE-2019-16759 id: CVE-2019-16759
info: info:
name: vBulletin v5.0.0-v5.5.4 - Remote Command Execution name: vBulletin 5.0.0-5.5.4 - Remote Command Execution
author: madrobot author: madrobot
severity: critical severity: critical
description: vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. description: vBulletin 5.0.0 through 5.5.4 is susceptible to a remote command execution vulnerability via the widgetConfig parameter in an ajax/render/widget_php routestring request. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference: reference:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vbulletin-remote-code-execution-cve-2020-7373/ - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vbulletin-remote-code-execution-cve-2020-7373/
- https://nvd.nist.gov/vuln/detail/CVE-2019-16759
- https://seclists.org/fulldisclosure/2019/Sep/31 - https://seclists.org/fulldisclosure/2019/Sep/31
- https://www.theregister.co.uk/2019/09/24/vbulletin_vbug_zeroday/ - https://www.theregister.co.uk/2019/09/24/vbulletin_vbug_zeroday/
- https://nvd.nist.gov/vuln/detail/CVE-2019-16759
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -39,3 +39,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by md on 2023/03/20

View File

@ -1,13 +1,15 @@
id: CVE-2021-22986 id: CVE-2021-22986
info: info:
name: F5 BIG-IP iControl REST unauthenticated RCE name: F5 iControl REST - Remote Command Execution
author: rootxharsh,iamnoooob author: rootxharsh,iamnoooob
severity: critical severity: critical
description: The iControl REST interface has an unauthenticated remote command execution vulnerability. description: F5 iControl REST interface is susceptible to remote command execution. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. This affects BIG-IP 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3; and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2.
reference: reference:
- https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986 - https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986
- https://support.f5.com/csp/article/K03009991 - https://support.f5.com/csp/article/K03009991
- http://packetstormsecurity.com/files/162059/F5-iControl-Server-Side-Request-Forgery-Remote-Command-Execution.html - http://packetstormsecurity.com/files/162059/F5-iControl-Server-Side-Request-Forgery-Remote-Command-Execution.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-22986
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -56,3 +58,5 @@ requests:
- "commandResult" - "commandResult"
- "uid=" - "uid="
condition: and condition: and
# Enhanced by md on 2023/03/20

View File

@ -1,17 +1,17 @@
id: CVE-2021-24145 id: CVE-2021-24145
info: info:
name: Modern Events Calendar Lite < 5.16.5 - Arbitrary File Upload to RCE name: WordPress Modern Events Calendar Lite <5.16.5 - Authenticated Arbitrary File Upload
author: theamanrawat author: theamanrawat
severity: high severity: high
description: | description: |
Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request. WordPress Modern Events Calendar Lite plugin before 5.16.5 is susceptible to authenticated arbitrary file upload. The plugin does not properly check the imported file, allowing PHP files to be uploaded and/or executed by an administrator or other high-privilege user using the text/csv content-type in the request. This can possibly lead to remote code execution.
reference: reference:
- https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610 - https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610
- https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.15.5.zip - https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.15.5.zip
- https://github.com/dnr6419/CVE-2021-24145 - https://github.com/dnr6419/CVE-2021-24145
- https://nvd.nist.gov/vuln/detail/CVE-2021-24145 - https://nvd.nist.gov/vuln/detail/CVE-2021-24145
remediation: Fixed in version 5.16.5 remediation: Fixed in version 5.16.5.
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2 cvss-score: 7.2
@ -62,3 +62,5 @@ requests:
- status_code_3 == 200 - status_code_3 == 200
- contains(body_3, 'CVE-2021-24145') - contains(body_3, 'CVE-2021-24145')
condition: and condition: and
# Enhanced by md on 2023/03/21

View File

@ -1,16 +1,16 @@
id: CVE-2021-24155 id: CVE-2021-24155
info: info:
name: Backup Guard < 1.6.0 - Authenticated Arbitrary File Upload name: WordPress BackupGuard <1.6.0 - Authenticated Arbitrary File Upload
author: theamanrawat author: theamanrawat
severity: high severity: high
description: | description: |
The WordPress Backup and Migrate Plugin Backup Guard WordPress plugin before 1.6.0 did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE. WordPress Backup Guard plugin before 1.6.0 is susceptible to authenticated arbitrary file upload. The plugin does not ensure that imported files are in SGBP format and extension, allowing high-privilege users to upload arbitrary files, including PHP, possibly leading to remote code execution.
reference: reference:
- https://wpscan.com/vulnerability/d442acac-4394-45e4-b6bb-adf4a40960fb - https://wpscan.com/vulnerability/d442acac-4394-45e4-b6bb-adf4a40960fb
- https://wordpress.org/plugins/backup/ - https://wordpress.org/plugins/backup/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24155 - https://nvd.nist.gov/vuln/detail/CVE-2021-24155
remediation: Fixed in version 1.6.0 remediation: Fixed in version 1.6.0.
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2 cvss-score: 7.2
@ -75,3 +75,5 @@ requests:
regex: regex:
- 'BG_BACKUP_STRINGS = {"nonce":"([0-9a-zA-Z]+)"};' - 'BG_BACKUP_STRINGS = {"nonce":"([0-9a-zA-Z]+)"};'
internal: true internal: true
# Enhanced by md on 2023/03/21

View File

@ -1,16 +1,16 @@
id: CVE-2021-24347 id: CVE-2021-24347
info: info:
name: SP Project & Document Manager < 4.22 - Authenticated Shell Upload name: WordPress SP Project & Document Manager <4.22 - Authenticated Shell Upload
author: theamanrawat author: theamanrawat
severity: high severity: high
description: | description: |
The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for example, from "php" to "pHP". WordPress SP Project & Document Manager plugin before 4.22 is susceptible to authenticated shell upload. The plugin allows users to upload files; however, the plugin attempts to prevent PHP and other similar executable files from being uploaded via checking the file extension. PHP files can still be uploaded by changing the file extension's case, for example, from php to pHP.
reference: reference:
- https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a - https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a
- https://wordpress.org/plugins/sp-client-document-manager/ - https://wordpress.org/plugins/sp-client-document-manager/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24347 - https://nvd.nist.gov/vuln/detail/CVE-2021-24347
remediation: Fixed in version 4.22 remediation: Fixed in version 4.22.
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8 cvss-score: 8.8
@ -96,3 +96,5 @@ requests:
regex: regex:
- 'name="cdm_upload_file_field" value="([0-9a-zA-Z]+)"' - 'name="cdm_upload_file_field" value="([0-9a-zA-Z]+)"'
internal: true internal: true
# Enhanced by md on 2023/03/21

View File

@ -1,11 +1,11 @@
id: CVE-2021-25003 id: CVE-2021-25003
info: info:
name: WPCargo < 6.9.0 - Unauthenticated Remote Code Execution name: WordPress WPCargo Track & Trace <6.9.0 - Remote Code Execution
author: theamanrawat author: theamanrawat
severity: critical severity: critical
description: | description: |
The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE. WordPress WPCargo Track & Trace plugin before 6.9.0 is susceptible to remote code execution, The plugin contains a file which can allow an attacker to write a PHP file anywhere on the web server, leading to possible remote code execution. This can allow an attacker to execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference: reference:
- https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a - https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a
- https://wordpress.org/plugins/wpcargo/ - https://wordpress.org/plugins/wpcargo/
@ -49,3 +49,5 @@ requests:
- "contains(body_3, md5(num))" - "contains(body_3, md5(num))"
- "contains(body_3, 'PNG')" - "contains(body_3, 'PNG')"
condition: and condition: and
# Enhanced by md on 2023/03/21

View File

@ -1,16 +1,16 @@
id: CVE-2021-25296 id: CVE-2021-25296
info: info:
name: Nagios XI versions 5.5.6 to 5.7.5 - Command Injection name: Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection
author: k0pak4 author: k0pak4
severity: high severity: high
description: | description: |
Nagios XI versions 5.5.6 to 5.7.5 are affected by OS command injection. An authenticated user can gain code execution due to unsanitized URL parameters. Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference: reference:
- https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md - https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md
- https://github.com/rapid7/metasploit-framework/pull/17494 - https://github.com/rapid7/metasploit-framework/pull/17494
- https://nvd.nist.gov/vuln/detail/CVE-2021-25296
- http://nagios.com - http://nagios.com
- https://nvd.nist.gov/vuln/detail/CVE-2021-25296
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8 cvss-score: 8.8
@ -78,3 +78,5 @@ requests:
regex: regex:
- "var nsp_str = ['\"](.*)['\"];" - "var nsp_str = ['\"](.*)['\"];"
internal: true internal: true
# Enhanced by md on 2023/03/21

View File

@ -1,16 +1,16 @@
id: CVE-2021-25297 id: CVE-2021-25297
info: info:
name: Nagios XI versions 5.5.6 to 5.7.5 - Command Injection name: Nagios 5.5.6-5.7.5 - Authenticated Remote Command Injection
author: k0pak4 author: k0pak4
severity: high severity: high
description: | description: |
Nagios XI versions 5.5.6 to 5.7.5 are affected by OS command injection. An authenticated user can gain code execution due to unsanitized URL parameters. Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference: reference:
- https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md - https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md
- https://github.com/rapid7/metasploit-framework/pull/17494 - https://github.com/rapid7/metasploit-framework/pull/17494
- https://nvd.nist.gov/vuln/detail/CVE-2021-25297
- http://nagios.com - http://nagios.com
- https://nvd.nist.gov/vuln/detail/CVE-2021-25297
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8 cvss-score: 8.8
@ -78,3 +78,5 @@ requests:
regex: regex:
- "var nsp_str = ['\"](.*)['\"];" - "var nsp_str = ['\"](.*)['\"];"
internal: true internal: true
# Enhanced by md on 2023/03/21

View File

@ -1,16 +1,16 @@
id: CVE-2021-25298 id: CVE-2021-25298
info: info:
name: Nagios XI 5.5.6 to 5.7.5 - Command Injection name: Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection
author: k0pak4 author: k0pak4
severity: high severity: high
description: | description: |
Nagios XI versions 5.5.6 to 5.7.5 are affected by OS command injection. An authenticated user can gain code execution due to unsanitized URL parameters. Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference: reference:
- https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md - https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md
- https://github.com/rapid7/metasploit-framework/pull/17494 - https://github.com/rapid7/metasploit-framework/pull/17494
- https://nvd.nist.gov/vuln/detail/CVE-2021-25298
- http://nagios.com - http://nagios.com
- https://nvd.nist.gov/vuln/detail/CVE-2021-25298
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8 cvss-score: 8.8
@ -78,3 +78,5 @@ requests:
regex: regex:
- "var nsp_str = ['\"](.*)['\"];" - "var nsp_str = ['\"](.*)['\"];"
internal: true internal: true
# Enhanced by md on 2023/03/21

View File

@ -5,7 +5,7 @@ info:
author: gy741 author: gy741
severity: high severity: high
description: | description: |
Hongdian H8922 3.0.5 devices allow OS command injection via shell metacharacters into the ip-address (aka Destination) field to the tools.cgi ping command, which is accessible with the username guest and password guest. Hongdian H8922 3.0.5 devices are susceptible to remote command injection via shell metacharacters into the ip-address (a/k/a Destination) field to the tools.cgi ping command, which is accessible with the username guest and password guest. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system.
reference: reference:
- https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/ - https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/
- http://en.hongdian.com/Products/Details/H8922 - http://en.hongdian.com/Products/Details/H8922
@ -53,3 +53,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by md on 2023/03/21

View File

@ -4,12 +4,12 @@ info:
name: Apache OFBiz <17.12.07 - Arbitrary Code Execution name: Apache OFBiz <17.12.07 - Arbitrary Code Execution
author: For3stCo1d author: For3stCo1d
severity: critical severity: critical
description: Apache OFBiz has unsafe deserialization prior to 17.12.07 version description: Apache OFBiz before 17.12.07 is susceptible to arbitrary code execution via unsafe deserialization. An attacker can modify deserialized data or code without using provided accessor functions.
reference: reference:
- https://lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d@%3Ccommits.ofbiz.apache.org%3E - https://lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d@%3Ccommits.ofbiz.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2021-30128
- https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743%40%3Cdev.ofbiz.apache.org%3E - https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743%40%3Cdev.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743@%3Cdev.ofbiz.apache.org%3E - https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743@%3Cdev.ofbiz.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2021-30128
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -56,3 +56,5 @@ requests:
part: body part: body
words: words:
- 'value="errorMessage"' - 'value="errorMessage"'
# Enhanced by md on 2023/03/21

View File

@ -1,15 +1,15 @@
id: CVE-2022-0824 id: CVE-2022-0824
info: info:
name: Webmin prior to 1.990 - Improper Access Control to Remote Code Execution name: Webmin <1.990 - Improper Access Control
author: cckuailong author: cckuailong
severity: high severity: high
description: Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990. description: Webmin before 1.990 is susceptible to improper access control in GitHub repository webmin/webmin. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference: reference:
- https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell/blob/main/Webmin-revshell.py - https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell/blob/main/Webmin-revshell.py
- https://nvd.nist.gov/vuln/detail/CVE-2022-0824
- https://github.com/webmin/webmin/commit/39ea464f0c40b325decd6a5bfb7833fa4a142e38 - https://github.com/webmin/webmin/commit/39ea464f0c40b325decd6a5bfb7833fa4a142e38
- https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295 - https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295
- https://nvd.nist.gov/vuln/detail/CVE-2022-0824
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8 cvss-score: 8.8
@ -50,3 +50,5 @@ requests:
part: body part: body
words: words:
- "Failed to write to /{{ranstr}}/index.html" - "Failed to write to /{{ranstr}}/index.html"
# Enhanced by md on 2023/03/21

View File

@ -1,11 +1,11 @@
id: CVE-2022-0885 id: CVE-2022-0885
info: info:
name: Member Hero <= 1.0.9 - Unauthenticated Remote Code Execution name: Member Hero <=1.0.9 - Remote Code Execution
author: theamanrawat author: theamanrawat
severity: critical severity: critical
description: | description: |
The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments. WordPress Member Hero plugin through 1.0.9 is susceptible to remote code execution. The plugin lacks authorization checks and does not validate the a request parameter in an AJAX action, allowing an attacker to call arbitrary PHP functions with no arguments. An attacker can thus execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference: reference:
- https://wpscan.com/vulnerability/8b08b72e-5584-4f25-ab73-5ab0f47412df - https://wpscan.com/vulnerability/8b08b72e-5584-4f25-ab73-5ab0f47412df
- https://wordpress.org/plugins/member-hero/ - https://wordpress.org/plugins/member-hero/
@ -43,3 +43,5 @@ requests:
group: 1 group: 1
regex: regex:
- '>PHP Version <\/td><td class="v">([0-9.]+)' - '>PHP Version <\/td><td class="v">([0-9.]+)'
# Enhanced by md on 2023/03/21

View File

@ -1,11 +1,11 @@
id: CVE-2022-21587 id: CVE-2022-21587
info: info:
name: Oracle EBS Unauthenticated - Remote Code Execution name: Oracle E-Business Suite 12.2.3 -12.2.11 - Remote Code Execution
author: rootxharsh,iamnoooob,pdresearch author: rootxharsh,iamnoooob,pdresearch
severity: critical severity: critical
description: | description: |
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. Oracle E-Business Suite 12.2.3 through 12.2.11 is susceptible to remote code execution via the Oracle Web Applications Desktop Integrator product, Upload component. An attacker with HTTP network access can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference: reference:
- https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/ - https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/
- https://www.oracle.com/security-alerts/cpuoct2022.html - https://www.oracle.com/security-alerts/cpuoct2022.html
@ -14,6 +14,7 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
cve-id: CVE-2022-21587 cve-id: CVE-2022-21587
cwe-id: CWE-94
tags: cve,cve2022,rce,oast,intrusive,oracle,ebs,unauth,kev tags: cve,cve2022,rce,oast,intrusive,oracle,ebs,unauth,kev
requests: requests:
@ -74,3 +75,5 @@ requests:
part: body_2 part: body_2
words: words:
- Nuclei-CVE-2022-21587 - Nuclei-CVE-2022-21587
# Enhanced by md on 2023/03/21

View File

@ -1,11 +1,11 @@
id: CVE-2022-2314 id: CVE-2022-2314
info: info:
name: VR Calendar < 2.3.2 - Unauthenticated Arbitrary Function Call name: WordPress VR Calendar <=2.3.2 - Remote Code Execution
author: theamanrawat author: theamanrawat
severity: critical severity: critical
description: | description: |
The VR Calendar WordPress plugin through 2.3.2 lets any user execute arbitrary PHP functions on the site. WordPress VR Calendar plugin through 2.3.2 is susceptible to remote code execution. The plugin allows any user to execute arbitrary PHP functions on the site. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference: reference:
- https://wpscan.com/vulnerability/b22fe77c-844e-4c24-8023-014441cc1e82 - https://wpscan.com/vulnerability/b22fe77c-844e-4c24-8023-014441cc1e82
- https://wordpress.org/plugins/vr-calendar-sync/ - https://wordpress.org/plugins/vr-calendar-sync/
@ -14,6 +14,7 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
cve-id: CVE-2022-2314 cve-id: CVE-2022-2314
cwe-id: CWE-94
metadata: metadata:
verified: "true" verified: "true"
tags: cve,cve2022,wordpress,wp,wp-plugin,rce,vr-calendar-sync,unauth,wpscan tags: cve,cve2022,wordpress,wp,wp-plugin,rce,vr-calendar-sync,unauth,wpscan
@ -46,3 +47,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by md on 2023/03/22

View File

@ -1,16 +1,17 @@
id: CVE-2022-24816 id: CVE-2022-24816
info: info:
name: Geoserver Server - Code Injection name: GeoServer <1.2.2 - Remote Code Execution
author: mukundbhuva author: mukundbhuva
severity: critical severity: critical
description: | description: |
Programs using jt-jiffle, and allowing Jiffle script to be provided via network request, are susceptible to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project Version < 1.1.22. Programs run on GeoServer before 1.2.2 which use jt-jiffle and allow Jiffle script to be provided via network request are susceptible to remote code execution. The Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects downstream GeoServer 1.1.22.
remediation: 1.2.22 contains a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application by removing janino-x.y.z.jar from the classpath.
reference: reference:
- https://www.synacktiv.com/en/publications/exploiting-cve-2022-24816-a-code-injection-in-the-jt-jiffle-extension-of-geoserver.html - https://www.synacktiv.com/en/publications/exploiting-cve-2022-24816-a-code-injection-in-the-jt-jiffle-extension-of-geoserver.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-24816
- https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx - https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx
- https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb - https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb
- https://nvd.nist.gov/vuln/detail/CVE-2022-24816
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -71,3 +72,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by md on 2023/03/21

View File

@ -1,16 +1,16 @@
id: CVE-2022-31499 id: CVE-2022-31499
info: info:
name: eMerge E3-Series - Command Injection name: Nortek Linear eMerge E3-Series <0.32-08f - Remote Command Injection
author: pikpikcu author: pikpikcu
severity: critical severity: critical
description: | description: |
Nortek Linear eMerge E3-Series devices before 0.32-08f allow an unauthenticated attacker to inject OS commands via ReaderNo. NOTE: this issue exists because of an incomplete fix for CVE-2019-7256 . Nortek Linear eMerge E3-Series devices before 0.32-08f are susceptible to remote command injection via ReaderNo. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-7256.
reference: reference:
- https://packetstormsecurity.com/files/167991/Nortek-Linear-eMerge-E3-Series-Command-Injection.html - https://packetstormsecurity.com/files/167991/Nortek-Linear-eMerge-E3-Series-Command-Injection.html
- https://github.com/omarhashem123/CVE-2022-31499 - https://github.com/omarhashem123/CVE-2022-31499
- https://nvd.nist.gov/vuln/detail/CVE-2022-31499
- http://packetstormsecurity.com/files/167991/Nortek-Linear-eMerge-E3-Series-Command-Injection.html - http://packetstormsecurity.com/files/167991/Nortek-Linear-eMerge-E3-Series-Command-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-31499
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -36,3 +36,5 @@ requests:
- status_code == 200 - status_code == 200
- contains(body, '{\"CardNo\":false') - contains(body, '{\"CardNo\":false')
condition: and condition: and
# Enhanced by md on 2023/03/21

View File

@ -1,16 +1,16 @@
id: CVE-2022-33901 id: CVE-2022-33901
info: info:
name: MultiSafepay plugin for WooCommerce <= 4.13.1 - Unauthenticated Arbitrary File Read name: WordPress MultiSafepay for WooCommerce <=4.13.1 - Arbitrary File Read
author: theamanrawat author: theamanrawat
severity: high severity: high
description: | description: |
Unauthenticated Arbitrary File Read vulnerability in MultiSafepay plugin for WooCommerce plugin <= 4.13.1 at WordPress. WordPress MultiSafepay for WooCommerce plugin through 4.13.1 contains an arbitrary file read vulnerability. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference: reference:
- https://wordpress.org/plugins/multisafepay/ - https://wordpress.org/plugins/multisafepay/
- https://nvd.nist.gov/vuln/detail/CVE-2022-33901
- https://wordpress.org/plugins/multisafepay/#developers - https://wordpress.org/plugins/multisafepay/#developers
- https://patchstack.com/database/vulnerability/multisafepay/wordpress-multisafepay-plugin-for-woocommerce-plugin-4-13-1-unauthenticated-arbitrary-file-read-vulnerability - https://patchstack.com/database/vulnerability/multisafepay/wordpress-multisafepay-plugin-for-woocommerce-plugin-4-13-1-unauthenticated-arbitrary-file-read-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2022-33901
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5 cvss-score: 7.5
@ -39,3 +39,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by md on 2023/03/22

View File

@ -1,16 +1,16 @@
id: CVE-2022-34753 id: CVE-2022-34753
info: info:
name: SpaceLogic C-Bus Home Controller - Remote Code Execution name: SpaceLogic C-Bus Home Controller <=1.31.460 - Remote Command Execution
author: gy741 author: gy741
severity: high severity: high
description: | description: |
A CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote root exploit when the command is compromised. Affected Products SpaceLogic C-Bus Home Controller (5200WHC2), formerly known as C-Bus Wiser Homer Controller MK2 (V1.31.460 and prior) SpaceLogic C-Bus Home Controller through 1.31.460 is susceptible to remote command execution via improper neutralization of special elements. Remote root exploit can be enabled when the command is compromised, and an attacker can potentially execute malware, obtain sensitive information, modify data, and/or gain full control without entering necessary credentials.
reference: reference:
- https://www.zeroscience.mk/codes/SpaceLogic.txt - https://www.zeroscience.mk/codes/SpaceLogic.txt
- https://nvd.nist.gov/vuln/detail/CVE-2022-34753
- https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf - https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf
- http://packetstormsecurity.com/files/167783/Schneider-Electric-SpaceLogic-C-Bus-Home-Controller-5200WHC2-Remote-Root.html - http://packetstormsecurity.com/files/167783/Schneider-Electric-SpaceLogic-C-Bus-Home-Controller-5200WHC2-Remote-Root.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-34753
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8 cvss-score: 8.8
@ -36,3 +36,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by md on 2023/03/22

View File

@ -1,16 +1,17 @@
id: CVE-2022-39952 id: CVE-2022-39952
info: info:
name: FortiNAC Unauthenticated Arbitrary File Write name: Fortinet FortiNAC - Arbitrary File Write
author: dwisiswant0 author: dwisiswant0
severity: critical severity: critical
description: | description: |
A external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP request. Fortinet FortiNAC is susceptible to arbitrary file write. An external control of the file name or path can allow an attacker to execute unauthorized code or commands via specifically crafted HTTP request, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations. Affected versions are 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, and 8.3.7.
reference: reference:
- https://fortiguard.com/psirt/FG-IR-22-300 - https://fortiguard.com/psirt/FG-IR-22-300
- https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/ - https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
- https://github.com/horizon3ai/CVE-2022-39952 - https://github.com/horizon3ai/CVE-2022-39952
remediation: Upgrade to FortiNAC version 9.4.1, 9.2.6, 9.2.6, 9.1.8, 7.2.0 or above - https://nvd.nist.gov/vuln/detail/CVE-2022-39952
remediation: Upgrade to 9.4.1, 9.2.6, 9.2.6, 9.1.8, 7.2.0 or above.
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -54,3 +55,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by md on 2023/03/22

View File

@ -1,11 +1,11 @@
id: CVE-2022-4060 id: CVE-2022-4060
info: info:
name: User Post Gallery <= 2.19 - Unauthenticated RCE name: WordPress User Post Gallery <=2.19 - Remote Code Execution
author: theamanrawat author: theamanrawat
severity: critical severity: critical
description: | description: |
The User Post Gallery WordPress plugin through 2.19 does not limit what callback functions can be called by users, making it possible to any visitors to run code on sites running it. WordPress User Post Gallery plugin through 2.19 is susceptible to remote code execution. The plugin does not limit which callback functions can be called by users, making it possible for an attacker execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference: reference:
- https://wpscan.com/vulnerability/8f982ebd-6fc5-452d-8280-42e027d01b1e - https://wpscan.com/vulnerability/8f982ebd-6fc5-452d-8280-42e027d01b1e
- https://wordpress.org/plugins/wp-upg/ - https://wordpress.org/plugins/wp-upg/
@ -44,3 +44,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by md on 2023/03/22

View File

@ -1,16 +1,16 @@
id: CVE-2022-44877 id: CVE-2022-44877
info: info:
name: Centos Web Panel - Unauthenticated Remote Code Execution name: CentOS Web Panel 7 <0.9.8.1147 - Remote Code Execution
author: For3stCo1d author: For3stCo1d
severity: critical severity: critical
description: | description: |
RESERVED An issue in the /login/index.php component of Centos Web Panel 7 before v0.9.8.1147 allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests. CentOS Web Panel 7 before 0.9.8.1147 is susceptible to remote code execution via entering shell characters in the /login/index.php component. This can allow an attacker to execute arbitrary system commands via crafted HTTP requests and potentially execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference: reference:
- https://twitter.com/_0xf4n9x_/status/1612068225046675457 - https://twitter.com/_0xf4n9x_/status/1612068225046675457
- https://github.com/numanturle/CVE-2022-44877 - https://github.com/numanturle/CVE-2022-44877
- https://nvd.nist.gov/vuln/detail/CVE-2022-44877
- https://gist.github.com/numanturle/c1e82c47f4cba24cff214e904c227386 - https://gist.github.com/numanturle/c1e82c47f4cba24cff214e904c227386
- https://nvd.nist.gov/vuln/detail/CVE-2022-44877
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -52,3 +52,5 @@ requests:
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
# Enhanced by md on 2023/03/22

View File

@ -48,3 +48,5 @@ requests:
- type: status - type: status
status: status:
- 500 - 500
# Enhanced by md 03/22/2023

View File

@ -1,16 +1,17 @@
id: CVE-2023-0669 id: CVE-2023-0669
info: info:
name: GoAnywhere MFT - Remote Code Execution (ZeroDay) name: Fortra GoAnywhere MFT - Remote Code Execution
author: rootxharsh,iamnoooob,dhiyaneshdk,pdresearch author: rootxharsh,iamnoooob,dhiyaneshdk,pdresearch
severity: high severity: high
description: | description: |
Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. Fortra GoAnywhere MFT is susceptible to remote code execution via unsafe deserialization of an arbitrary attacker-controlled object. This stems from a pre-authentication command injection vulnerability in the License Response Servlet.
reference: reference:
- https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html - https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html
- https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1 - https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1
- https://infosec.exchange/@briankrebs/109795710941843934 - https://infosec.exchange/@briankrebs/109795710941843934
- https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/ - https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/
- https://nvd.nist.gov/vuln/detail/CVE-2023-0669
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2 cvss-score: 7.2
@ -46,3 +47,5 @@ requests:
- type: status - type: status
status: status:
- 500 - 500
# Enhanced by md on 2023/03/22

View File

@ -1,15 +1,15 @@
id: CVE-2023-26255 id: CVE-2023-26255
info: info:
name: STAGIL Navigation for Jira - Menu & Themes - Local File Inclusion name: STAGIL Navigation for Jira Menu & Themes <2.0.52 - Local File Inclusion
author: DhiyaneshDK author: DhiyaneshDK
severity: high severity: high
description: | description: |
An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjCustomDesignConfig endpoint, it is possible to traverse and read the file system. STAGIL Navigation for Jira Menu & Themes plugin before 2.0.52 is susceptible to local file inclusion via modifying the fileName parameter to the snjCustomDesignConfig endpoint. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can potentially allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference: reference:
- https://github.com/1nters3ct/CVEs/blob/main/CVE-2023-26255.md - https://github.com/1nters3ct/CVEs/blob/main/CVE-2023-26255.md
- https://nvd.nist.gov/vuln/detail/CVE-2023-26255
- https://marketplace.atlassian.com/apps/1216090/stagil-navigation-for-jira-menus-themes?tab=overview&hosting=cloud - https://marketplace.atlassian.com/apps/1216090/stagil-navigation-for-jira-menus-themes?tab=overview&hosting=cloud
- https://nvd.nist.gov/vuln/detail/CVE-2023-26255
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5 cvss-score: 7.5
@ -39,3 +39,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by md on 2023/03/22

View File

@ -1,15 +1,15 @@
id: CVE-2023-26256 id: CVE-2023-26256
info: info:
name: STAGIL Navigation for Jira - Menu & Themes - Local File Inclusion name: STAGIL Navigation for Jira Menu & Themes <2.0.52 - Local File Inclusion
author: pikpikcu author: pikpikcu
severity: high severity: high
description: | description: |
An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjFooterNavigationConfig endpoint, it is possible to traverse and read the file system. STAGIL Navigation for Jira Menu & Themes plugin before 2.0.52 is susceptible to local file inclusion via modifying the fileName parameter to the snjFooterNavigationConfig endpoint. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can potentially allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference: reference:
- https://github.com/1nters3ct/CVEs/blob/main/CVE-2023-26256.md - https://github.com/1nters3ct/CVEs/blob/main/CVE-2023-26256.md
- https://nvd.nist.gov/vuln/detail/CVE-2023-26256
- https://marketplace.atlassian.com/apps/1216090/stagil-navigation-for-jira-menus-themes?tab=overview&hosting=cloud - https://marketplace.atlassian.com/apps/1216090/stagil-navigation-for-jira-menus-themes?tab=overview&hosting=cloud
- https://nvd.nist.gov/vuln/detail/CVE-2023-26256
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5 cvss-score: 7.5
@ -38,3 +38,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by md on 2023/03/22

View File

@ -1,7 +1,7 @@
id: oracle-cgi-printenv id: oracle-cgi-printenv
info: info:
name: Oracle CGI Printenv - Information Disclosure name: Oracle CGI printenv - Information Disclosure
author: DhiyaneshDk author: DhiyaneshDk
severity: medium severity: medium
description: Oracle CGI printenv component is susceptible to an information disclosure vulnerability. description: Oracle CGI printenv component is susceptible to an information disclosure vulnerability.

View File

@ -3,7 +3,7 @@ id: proftpd-config
info: info:
name: ProFTPD Configuration File - Detect name: ProFTPD Configuration File - Detect
author: sheikhrishad author: sheikhrishad
severity: low severity: info
description: ProFTPD configuration file was detected. description: ProFTPD configuration file was detected.
reference: http://www.proftpd.org/docs/howto/ConfigFile.html reference: http://www.proftpd.org/docs/howto/ConfigFile.html
classification: classification:

View File

@ -1,11 +1,16 @@
id: salesforce-credentials id: salesforce-credentials
info: info:
name: Salesforce Credentials Disclosure name: Salesforce Credentials - Detect
author: geeknik author: geeknik
severity: unknown severity: high
description: Salesforce credentials information was detected.
reference: reference:
- https://github.com/daveagp/websheets - https://github.com/daveagp/websheets
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
tags: exposure,files,salesforce tags: exposure,files,salesforce
requests: requests:
@ -32,3 +37,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by cs on 2023/03/27

View File

@ -3,7 +3,7 @@ id: envision-gateway
info: info:
name: EnvisionGateway Scheduler Panel - Detect name: EnvisionGateway Scheduler Panel - Detect
author: dhiyaneshDK author: dhiyaneshDK
severity: medium severity: info
description: EnvisionGateway scheduler panel was detected. description: EnvisionGateway scheduler panel was detected.
reference: reference:
- https://www.exploit-db.com/ghdb/7315 - https://www.exploit-db.com/ghdb/7315

View File

@ -3,7 +3,7 @@ id: akamai-s3-cache-poisoning
info: info:
name: Akamai/Amazon S3 - Cache Poisoning name: Akamai/Amazon S3 - Cache Poisoning
author: DhiyaneshDk author: DhiyaneshDk
severity: medium severity: high
description: Akamai/Amazon S3 expose a stored cross-site scripting vulnerability generated by cache poisoning capability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can further allow the attacker to steal cookie-based authentication credentials and launch other attacks. description: Akamai/Amazon S3 expose a stored cross-site scripting vulnerability generated by cache poisoning capability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can further allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference: reference:
- https://web.archive.org/web/20230101082612/https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/ - https://web.archive.org/web/20230101082612/https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/

View File

@ -1,11 +1,11 @@
id: hadoop-unauth-rce id: hadoop-unauth-rce
info: info:
name: Apache Hadoop - Yarn ResourceManager Remote Code Execution name: Apache Hadoop YARN ResourceManager - Remote Code Execution
author: pdteam,Couskito author: pdteam,Couskito
severity: critical severity: critical
description: | description: |
An unauthenticated Hadoop Resource Manager was discovered, which allows remote code execution by design. Apache Hadoop YARN ResourceManager is susceptible to remote code execution. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference: reference:
- http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf - http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hadoop_unauth_exec.rb - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hadoop_unauth_exec.rb
@ -31,3 +31,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by md on 2023/03/22

View File

@ -1,12 +1,19 @@
id: nopcommerce-installer id: nopcommerce-installer
info: info:
name: nopCommerce Installer Exposure name: nopCommerce Installer - Detect
author: DhiyaneshDk author: DhiyaneshDk
severity: high severity: critical
description: nopCommerce installer panel was detected.
reference:
- https://www.nopcommerce.com/
metadata: metadata:
verified: true verified: true
shodan-query: html:"nopCommerce Installation" shodan-query: html:"nopCommerce Installation"
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
cvss-score: 9.4
cwe-id: CWE-284
tags: misconfig,nopcommerce,install tags: misconfig,nopcommerce,install
requests: requests:
@ -31,3 +38,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by cs on 2023/03/27

View File

@ -1,13 +1,17 @@
id: backdoored-zte id: backdoored-zte
info: info:
name: Backdoored ZTE Routers name: ZTE Router Panel - Detect
author: its0x08 author: its0x08
severity: high severity: critical
description: | description: |
Multiple ZTE routers have a telnet hardcoded backdoor account that spawns root shell. Multiple ZTE router panels were detected. These routers have a telnet-hardcoded backdoor account that spawns root shell.
reference: reference:
- https://www.exploit-db.com/ghdb/7179 - https://www.exploit-db.com/ghdb/7179
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-912
metadata: metadata:
verified: true verified: true
shodan-query: http.html:"ZTE Corporation" shodan-query: http.html:"ZTE Corporation"
@ -32,3 +36,5 @@ network:
- type: regex - type: regex
regex: regex:
- '[A-Z]{1,}[0-9]{3,4}' - '[A-Z]{1,}[0-9]{3,4}'
# Enhanced by cs on 2023/03/27

View File

@ -1,13 +1,17 @@
id: ibm-d2b-database-server id: ibm-d2b-database-server
info: info:
name: IBM DB2 Database Server Detection name: IBM DB2 Database Server - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: | description: |
A Db2 server is a relational database management system (RDBMS) that delivers data to its IBM data server clients. If you plan to use a database that resides on this computer, install a Db2 server. For more information about Db2 server. IBM DB2 Database Server panel was detected.
reference: reference:
- https://nmap.org/nsedoc/scripts/db2-das-info.html - https://nmap.org/nsedoc/scripts/db2-das-info.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata: metadata:
verified: true verified: true
shodan-query: product:"IBM DB2 Database Server" shodan-query: product:"IBM DB2 Database Server"
@ -30,3 +34,5 @@ network:
- "DB2" - "DB2"
- "SQLJS1D" - "SQLJS1D"
condition: or condition: or
# Enhanced by md on 2023/03/22

View File

@ -1,11 +1,16 @@
id: oracle-atg-commerce id: oracle-atg-commerce
info: info:
name: Detects Oracle ATG Commerce name: Oracle ATG Commerce Panel - Detect
author: Dale Clarke author: Dale Clarke
severity: info severity: info
description: Oracle ATG Commerce panel was detected.
reference: reference:
- https://docs.oracle.com/cd/E35319_01/Platform.10-2/ATGPlatformProgGuide/html/s0101introduction01.html - https://docs.oracle.com/cd/E35319_01/Platform.10-2/ATGPlatformProgGuide/html/s0101introduction01.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata: metadata:
verified: true verified: true
tags: tech,oracle,atg,commerce tags: tech,oracle,atg,commerce
@ -28,3 +33,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by md on 2023/03/22

View File

@ -1,13 +1,17 @@
id: api-abuseipdb id: api-abuseipdb
info: info:
name: AbuseIPDB API Test name: AbuseIPDB API - Test
author: daffainfo author: daffainfo
severity: info severity: info
description: IP/domain/URL reputation description: AbuseIPDB API test was conducted.
reference: reference:
- https://docs.abuseipdb.com/ - https://docs.abuseipdb.com/
- https://github.com/daffainfo/all-about-apikey/tree/main/abuseipdb - https://github.com/daffainfo/all-about-apikey/tree/main/abuseipdb
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: token-spray,abuseipdb tags: token-spray,abuseipdb
self-contained: true self-contained: true
@ -30,3 +34,4 @@ requests:
- 'data":' - 'data":'
- 'ipAddress":' - 'ipAddress":'
condition: and condition: and

View File

@ -1,11 +1,16 @@
id: api-dbt id: api-dbt
info: info:
name: dbt Cloud API Test name: dbt Cloud API - Test
author: dwisiswant0 author: dwisiswant0
severity: info severity: info
description: dbt Cloud API test was conducted.
reference: reference:
- https://docs.getdbt.com/docs/introduction - https://docs.getdbt.com/docs/introduction
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: token-spray,dbt tags: token-spray,dbt
self-contained: true self-contained: true
@ -25,3 +30,4 @@ requests:
- "Authentication credentials were not provided." - "Authentication credentials were not provided."
condition: or condition: or
negative: true negative: true

View File

@ -4,9 +4,14 @@ info:
name: Avaya Aura Utility Services Administration - Remote Code Execution name: Avaya Aura Utility Services Administration - Remote Code Execution
author: DhiyaneshDk author: DhiyaneshDk
severity: critical severity: critical
description: Avaya Aura Utility Services Administration is susceptible to remote code execution. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference: reference:
- https://blog.assetnote.io/2023/02/01/rce-in-avaya-aura/ - https://blog.assetnote.io/2023/02/01/rce-in-avaya-aura/
- https://download.avaya.com/css/public/documents/101076366 - https://download.avaya.com/css/public/documents/101076366
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cwe-id: CWE-94
metadata: metadata:
verified: "true" verified: "true"
shodan-query: html:"Avaya Aura" shodan-query: html:"Avaya Aura"
@ -39,3 +44,5 @@ requests:
part: header_2 part: header_2
words: words:
- "text/html" - "text/html"
# Enhanced by md on 2023/03/22

View File

@ -1,12 +1,17 @@
id: avaya-aura-xss id: avaya-aura-xss
info: info:
name: Avaya Aura Utility Services Administration - Cross Site Scripting name: Avaya Aura Utility Services Administration - Cross-Site Scripting
author: DhiyaneshDk author: DhiyaneshDk
severity: medium severity: medium
description: Avaya Aura Utility Services Administration contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference: reference:
- https://blog.assetnote.io/2023/02/01/rce-in-avaya-aura/ - https://blog.assetnote.io/2023/02/01/rce-in-avaya-aura/
- https://download.avaya.com/css/public/documents/101076366 - https://download.avaya.com/css/public/documents/101076366
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cwe-id: CWE-80
metadata: metadata:
verified: "true" verified: "true"
shodan-query: html:"Avaya Aura" shodan-query: html:"Avaya Aura"
@ -35,3 +40,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by md on 2023/03/22

View File

@ -1,15 +1,16 @@
id: cisco-cloudcenter-suite-log4j-rce id: cisco-cloudcenter-suite-log4j-rce
info: info:
name: Cisco CloudCenter Suite - Remote Code Execution (Apache Log4j) name: Cisco CloudCenter Suite (Log4j)- Remote Code Execution
author: pwnhxl author: pwnhxl
severity: critical severity: critical
description: | description: |
Cisco CloudCenter Suite - Remote Code Execution. Cisco CloudCenter Suite is susceptible to remote code execution via the Apache Log4j library. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
remediation: From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
reference: reference:
- https://logging.apache.org/log4j/2.x/security.html - https://logging.apache.org/log4j/2.x/security.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- http://www.openwall.com/lists/oss-security/2021/12/10/1 - http://www.openwall.com/lists/oss-security/2021/12/10/1
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10 cvss-score: 10
@ -58,3 +59,5 @@ requests:
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
# Enhanced by md on 2023/03/22

View File

@ -1,7 +1,7 @@
id: cisco-vmanage-log4j id: cisco-vmanage-log4j
info: info:
name: Cisco vManage - Remote Code Execution (Apache Log4j) name: Cisco vManage (Log4j) - Remote Code Execution
author: DhiyaneshDK author: DhiyaneshDK
severity: critical severity: critical
description: Cisco vManage is susceptible to remote code execution via the Apache Log4j framework. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. More information is available in the cisco-sa-apache-log4j-qRuKNEbd advisory. description: Cisco vManage is susceptible to remote code execution via the Apache Log4j framework. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. More information is available in the cisco-sa-apache-log4j-qRuKNEbd advisory.
@ -58,3 +58,5 @@ requests:
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
# Enhanced by CS 03/27/2023

View File

@ -1,11 +1,15 @@
id: froxlor-xss id: froxlor-xss
info: info:
name: Froxlor Server Management - Cross Site Scripting name: Froxlor Server Management - Cross-Site Scripting
author: tess author: tess
severity: medium severity: medium
description: | description: |
The user must click the forgot password link in order to execute this XSS. Froxlor Server Management is susceptible to cross-site scripting via clicking the forgot password link. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cwe-id: CWE-80
metadata: metadata:
verified: true verified: true
shodan-query: title:"Froxlor Server Management Panel" shodan-query: title:"Froxlor Server Management Panel"
@ -33,3 +37,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by md on 2023/03/23

View File

@ -3,8 +3,12 @@ id: error-based-sql-injection
info: info:
name: Error based SQL injection name: Error based SQL injection
author: geeknik author: geeknik
severity: high severity: critical
description: Detects the possibility of SQL injection in 29 database engines. Inspired by https://github.com/sqlmapproject/sqlmap/blob/master/data/xml/errors.xml. description: Detects potential SQL injection via error strings in 29 database engines. Inspired by https://github.com/sqlmapproject/sqlmap/blob/master/data/xml/errors.xml.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cwe-id: CWE-89
tags: sqli,generic,error tags: sqli,generic,error
requests: requests:
@ -474,3 +478,5 @@ requests:
- "SQ200: No table " - "SQ200: No table "
- "Virtuoso S0002 Error" - "Virtuoso S0002 Error"
- "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]" - "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]"
# Enhanced by CS 03/27/2023

View File

@ -1,11 +1,11 @@
id: jamf-log4j-jndi-rce id: jamf-log4j-jndi-rce
info: info:
name: JamF - Remote Code Execution (Apache Log4j) name: JamF (Log4j) - Remote Code Execution
author: pdteam author: pdteam
severity: critical severity: critical
description: | description: |
JamF is susceptible to Lof4j JNDI remote code execution. JamF is the industry standard when it comes to the management of iOS devices (iPhones and iPads), macOS computers (MacBooks, iMacs, etc.), and tvOS devices (Apple TV). JamF is susceptible to remote code execution via the Apache log4j library. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
reference: reference:
- https://github.com/random-robbie/jamf-log4j - https://github.com/random-robbie/jamf-log4j
- https://community.connection.com/what-is-jamf/ - https://community.connection.com/what-is-jamf/
@ -55,3 +55,5 @@ requests:
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
# Enhanced by md on 2023/03/23

View File

@ -1,17 +1,17 @@
id: mobileiron-log4j-jndi-rce id: mobileiron-log4j-jndi-rce
info: info:
name: Ivanti MobileIron - JNDI Remote Command Execution (Apache Log4j) name: Ivanti MobileIron (Log4j) - Remote Code Execution
author: meme-lord author: meme-lord
severity: critical severity: critical
description: Ivanti MobileIron Apache Log4j2 <=2.14.1 JNDI in features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. description: Ivanti MobileIron is susceptible to remote code execution via the Apache Log4j2 library. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
remediation: From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
reference: reference:
- https://github.com/advisories/GHSA-jfh8-c2jp-5v3q - https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
- https://www.lunasec.io/docs/blog/log4j-zero-day/ - https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://www.zdnet.com/article/mobileiron-customers-urged-to-patch-systems-due-to-potential-log4j-exploitation/ - https://www.zdnet.com/article/mobileiron-customers-urged-to-patch-systems-due-to-potential-log4j-exploitation/
- https://logging.apache.org/log4j/2.x/security.html - https://logging.apache.org/log4j/2.x/security.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228 - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
remediation: Upgrade to version 2.14.2 or higher of MobileIron. If this is not possible, several Log4j exploit workarounds are available.
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10 cvss-score: 10
@ -54,3 +54,5 @@ requests:
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
# Enhanced by md on 2023/03/23

View File

@ -1,11 +1,11 @@
id: opencpu-rce id: opencpu-rce
info: info:
name: OpenCPU RCE name: OpenCPU - Remote Code Execution
author: wa1tf0rme author: wa1tf0rme
severity: critical severity: critical
description: | description: |
Checks for RCE in OpenCPU instance Check for remote code execution via OpenCPU was conducted.
reference: reference:
- https://pulsesecurity.co.nz/articles/R-Shells - https://pulsesecurity.co.nz/articles/R-Shells
- https://github.com/opencpu/opencpu/ - https://github.com/opencpu/opencpu/
@ -41,3 +41,5 @@ requests:
group: 1 group: 1
regex: regex:
- \(([a-z-]+)\) - \(([a-z-]+)\)
# Enhanced by md on 2023/03/23

View File

@ -1,14 +1,18 @@
id: academy-lms-xss id: academy-lms-xss
info: info:
name: Academy LMS 5.11 - Cross Site Scripting name: Academy Learning Management System 5.11 - Cross-Site Scripting
author: arafatansari author: arafatansari
severity: medium severity: medium
description: | description: |
Academy Learning Management System contains a reflected cross-site scripting vulnerability via the Search parameter. Academy Learning Management System 5.11 contains a cross-site scripting vulnerability via the Search parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference: reference:
- https://packetstormsecurity.com/files/170514/Academy-LMS-5.11-Cross-Site-Scripting.html - https://packetstormsecurity.com/files/170514/Academy-LMS-5.11-Cross-Site-Scripting.html
- https://vulners.com/packetstorm/PACKETSTORM:170514 - https://vulners.com/packetstorm/PACKETSTORM:170514
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cwe-id: CWE-80
metadata: metadata:
verified: "true" verified: "true"
shodan-query: http.html:"Academy LMS" shodan-query: http.html:"Academy LMS"
@ -36,3 +40,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by md on 2023/03/23

View File

@ -1,11 +1,16 @@
id: caucho-resin-info-disclosure id: caucho-resin-info-disclosure
info: info:
name: Caucho Resin Information Disclosure name: Caucho Resin - Information Disclosure
author: pikpikcu author: pikpikcu
severity: info severity: info
description: Caucho Resin contains an information disclosure vulnerability. The application does not properly sanitize user-supplied input. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference: reference:
- https://www.exploit-db.com/exploits/27888 - https://www.exploit-db.com/exploits/27888
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: exposure,resin,caucho,edb tags: exposure,resin,caucho,edb
requests: requests:
@ -26,3 +31,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by md on 2023/03/23

View File

@ -1,10 +1,10 @@
id: ckan-dom-based-xss id: ckan-dom-based-xss
info: info:
name: Ckan - DOM Cross-Site Scripting name: CKAN - DOM Cross-Site Scripting
author: dhiyaneshDk author: dhiyaneshDk
severity: high severity: high
description: Ckan contains a cross-site scripting vulnerability in the document object model via the previous version of the jQuery Sparkle library. An attacker can execute arbitrary script and thus can steal cookie-based authentication credentials and launch other attacks. description: CKAN contains a cross-site scripting vulnerability in the document object model via the previous version of the jQuery Sparkle library. An attacker can execute arbitrary script and thus steal cookie-based authentication credentials and launch other attacks.
reference: reference:
- https://github.com/ckan/ckan/blob/b9e45e2723d4abd70fa72b16ec4a0bebc795c56b/ckan/public/base/javascript/view-filters.js#L27 - https://github.com/ckan/ckan/blob/b9e45e2723d4abd70fa72b16ec4a0bebc795c56b/ckan/public/base/javascript/view-filters.js#L27
- https://security.snyk.io/vuln/SNYK-PYTHON-CKAN-42010 - https://security.snyk.io/vuln/SNYK-PYTHON-CKAN-42010
@ -44,3 +44,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by md on 2023/03/23

View File

@ -1,10 +1,16 @@
id: couchdb-adminparty id: couchdb-adminparty
info: info:
name: CouchDB Admin Party name: CouchDB Admin Default - Detect
author: organiccrap author: organiccrap
severity: high severity: high
description: Requests made against CouchDB are done in the context of an admin user. description: CouchDB is susceptible to requests in the context of an admin user.
reference:
- https://docs.couchdb.org/en/stable/intro/security.html#authentication-database
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
tags: couchdb tags: couchdb
requests: requests:
@ -26,3 +32,5 @@ requests:
- offset - offset
part: body part: body
condition: and condition: and
# Enhanced by cs on 2023/03/27

View File

@ -1,10 +1,10 @@
id: graylog-log4j id: graylog-log4j
info: info:
name: Graylog - Remote Code Execution (Apache Log4j) name: Graylog (Log4j) - Remote Code Execution
author: DhiyaneshDK author: DhiyaneshDK
severity: critical severity: critical
description: Graylog is susceptible to remote code execution via the Apache Log4j 2 library prior to 2.15.0 by recording its own log information, specifically with specially crafted values sent as user input. description: Graylog is susceptible to remote code execution via the Apache Log4j 2 library prior to 2.15.0 by recording its own log information, specifically with specially crafted values sent as user input. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
reference: reference:
- https://www.graylog.org/post/graylog-update-for-log4j - https://www.graylog.org/post/graylog-update-for-log4j
- https://logging.apache.org/log4j/2.x/security.html - https://logging.apache.org/log4j/2.x/security.html
@ -60,3 +60,5 @@ requests:
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
# Enhanced by md on 2023/03/23