Dashboard Content Enhancements (#4191)

Dashboard Content Enhancements
patch-1
MostInterestingBotInTheWorld 2022-04-21 17:16:41 -04:00 committed by GitHub
parent 20ba9176a3
commit 31312b1c19
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
45 changed files with 302 additions and 147 deletions

View File

@ -3,8 +3,10 @@ id: CVE-2009-0545
info:
name: ZeroShell <= 1.0beta11 Remote Code Execution
author: geeknik
description: cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action.
reference: https://www.exploit-db.com/exploits/8023
description: "ZeroShell 1.0beta11 and earlier via cgi-bin/kerbynet allows remote attackers to execute arbitrary commands through shell metacharacters in the type parameter in a NoAuthREQ x509List action."
reference:
- https://www.exploit-db.com/exploits/8023
- https://nvd.nist.gov/vuln/detail/CVE-2009-0545
severity: critical
classification:
cve-id: CVE-2009-0545
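Review bot: the rewritten description, `ZeroShell 1.0beta11 and earlier via cgi-bin/kerbynet allows remote attackers ...`, reads awkwardly because "via cgi-bin/kerbynet" now modifies the product instead of the attack; the removed wording, which led with the affected script (`cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows ...`), was clearer. The `name` also lacks the ` - ` separator between product and vulnerability class that the other renamed templates in this commit adopt (e.g. `Eclipse Jetty <9.2.9.v20150224 - Sensitive Information Leakage`); suggest `ZeroShell <= 1.0beta11 - Remote Code Execution`.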
@ -20,3 +22,5 @@ requests:
part: body
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/04/18

View File

@ -1,21 +1,21 @@
id: CVE-2015-2080
info:
name: Eclipse Jetty Remote Leakage
name: Eclipse Jetty <9.2.9.v20150224 - Sensitive Information Leakage
author: pikpikcu
severity: high
description: "Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header."
reference:
- https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
- https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
- http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html
description: |
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak
tags: cve,cve2015,jetty
- https://nvd.nist.gov/vuln/detail/CVE-2015-2080
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2015-2080
cwe-id: CWE-200
tags: cve,cve2015,jetty
requests:
- method: POST
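Review bot: the replaced description drops two useful details from the removed `|` block: that the flaw is in Jetty's exception handling code, and the alias `JetLeak`, which is the name this bug is generally known by and a likely search term for anyone triaging the finding. Suggest keeping `..., aka JetLeak` at the end of the new one-line description. Minor: `<9.2.9.v20150224` in `name` has no space after the operator while the ZeroShell template in this commit writes `<= 1.0beta11`; pick one spacing.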
@ -33,3 +33,5 @@ requests:
words:
- "Illegal character 0x0 in state"
part: body
# Enhanced by mp on 2022/04/21

View File

@ -1,19 +1,19 @@
id: CVE-2015-9480
info:
name: WordPress Plugin RobotCPA 5 - Directory Traversal
name: WordPress RobotCPA 5 - Directory Traversal
author: daffainfo
severity: high
description: "The RobotCPA plugin 5 for WordPress has directory traversal via the f.php l parameter."
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9480
- https://www.exploit-db.com/exploits/37252
tags: cve,cve2015,wordpress,wp-plugin,lfi
- https://nvd.nist.gov/vuln/detail/CVE-2015-9480
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2015-9480
cwe-id: CWE-22
description: "The RobotCPA plugin 5 for WordPress has directory traversal via the f.php l parameter."
tags: cve,cve2015,wordpress,wp-plugin,lfi
requests:
- method: GET
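Review bot: `description` is moved below the `classification` block here, while the other templates touched in this commit keep `description` directly under `severity` and before `reference`; the text itself is unchanged, so this is a pure ordering change that makes the info blocks inconsistent across the set. Suggest leaving it where it was. Also, `- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9480` and the added NVD link describe the same record; one is enough.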
@ -29,3 +29,6 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/20

View File

@ -1,7 +1,7 @@
id: CVE-2017-10271
info:
name: Oracle WebLogic Server Component Remote Command Execution
name: Oracle Fusion Middleware WebLogic Server - Remote Command Execution
author: dr_set
severity: high
description: The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent - WLS Security) is susceptible to component deserialization remote command execution. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Unauthenticated attackers with network access via T3 can leverage this vulnerability to compromise Oracle WebLogic Server.
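Review bot: the new `name` carries no version bound even though the description enumerates the affected releases (10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0) and most other renames in this commit embed one; consider adding the range so the name alone tells an operator whether a hit is plausible. The description's phrase "is susceptible to component deserialization remote command execution" is left untouched and still reads oddly; "is susceptible to remote command execution via deserialization" is the intended meaning.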
@ -62,4 +62,5 @@ requests:
status:
- 500
# Enhanced by mp on 2022/04/05
# Enhanced by mp on 2022/04/20

View File

@ -3,15 +3,17 @@ id: CVE-2017-16806
info:
name: Ulterius Server < 1.9.5.0 - Directory Traversal
author: geeknik
reference: https://www.exploit-db.com/exploits/43141
description: "Ulterius before 1.9.5.0 allows HTTP server directory traversal via the process function in RemoteTaskServer/WebServer/HttpServer.cs."
reference:
- https://www.exploit-db.com/exploits/43141
- https://nvd.nist.gov/vuln/detail/CVE-2017-16806
severity: high
tags: cve,cve2017,ulterius,traversal
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2017-16806
cwe-id: CWE-22
description: "The Process function in RemoteTaskServer/WebServer/HttpServer.cs in Ulterius before 1.9.5.0 allows HTTP server directory traversal."
tags: cve,cve2017,ulterius,traversal
requests:
- method: GET
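Review bot: same ordering issue as in the RobotCPA template in this commit: the rewritten `description` now sits after `classification` rather than under `severity`, which is where the other templates here keep it. Since the `reference` block is being rewritten anyway, place the description above it. The conversion of the single-string `reference:` to a list with the NVD entry is fine.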
@ -30,3 +32,5 @@ requests:
- "\\[(font|extension|file)s\\]"
condition: or
part: body
# Enhanced by mp on 2022/04/20

View File

@ -1,7 +1,7 @@
id: CVE-2017-3506
info:
name: Oracle Weblogic Remote OS Command Execution
name: Oracle Fusion Middleware Weblogic Server - Remote OS Command Execution
author: pdteam
description: The Oracle WebLogic Server component of Oracle Fusion Middleware (Web Services) versions 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2 is susceptible to a difficult to exploit vulnerability that could allow unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server.
severity: high
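Review bot: the new `name` spells the product `Weblogic` while the description on the next line and the CVE-2017-10271 template in this same commit write `WebLogic`; use the vendor casing `WebLogic` so the two WebLogic templates match.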
@ -45,4 +45,5 @@ requests:
words:
- "http"
# Enhanced by mp on 2022/04/05
# Enhanced by mp on 2022/04/20

View File

@ -1,20 +1,20 @@
id: CVE-2017-9805
info:
name: Apache Struts2 S2-052 RCE
name: Apache Struts2 S2-052 - Remote Code Execution
author: pikpikcu
severity: high
description: The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type of filtering, which can lead to Remote Code Execution when deserializing XML payloads.
remediation: Apply the appropriate patch.
description: The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type of filtering, which can lead to remote code execution when deserializing XML payloads.
reference:
- http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
- https://struts.apache.org/docs/s2-052.html
tags: cve,cve2017,apache,rce,struts
- https://nvd.nist.gov/vuln/detail/CVE-2017-9805
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.10
cve-id: CVE-2017-9805
cwe-id: CWE-502
tags: cve,cve2017,apache,rce,struts
requests:
- method: POST
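Review bot: the added `remediation: Apply the appropriate patch.` says less than the description already does; the description names the fixed releases (2.3.34 for the 2.3.x line and 2.5.13 for 2.5.x), so state them, e.g. `remediation: Upgrade to Apache Struts 2.3.34 or 2.5.13 or later.` Otherwise the new field is filler.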
@ -95,4 +95,5 @@ requests:
status:
- 500
# Enhanced by mp on 2022/02/04
# Enhanced by mp on 2022/04/20

View File

@ -1,9 +1,10 @@
id: CVE-2018-14912
info:
name: cgit < 1.2.1 Directory Traversal
author: 0x_Akoko
severity: critical
description: cgit_clone_objects in CGit before 1.2.1 has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.
description: "cGit < 1.2.1 via cgit_clone_objects has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request."
reference:
- https://cxsecurity.com/issue/WLB-2018080034
- https://nvd.nist.gov/vuln/detail/CVE-2018-14912
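Review bot: the product name is now cased three different ways within a few lines: `cgit` in `name`, `CGit` in the removed description and `cGit` in the added one. Pick one spelling for the new description and name. The `name` also lacks the ` - ` separator used by the other renamed templates in this commit; suggest `cgit < 1.2.1 - Directory Traversal`.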
@ -28,3 +29,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/18

View File

@ -1,9 +1,10 @@
id: CVE-2018-19365
info:
name: Wowza Streaming Engine Manager Directory Traversal
name: Wowza Streaming Engine Manager 4.7.4.01 - Directory Traversal
author: 0x_Akoko
severity: high
description: The REST API in Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request
description: Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request to the REST API.
reference:
- https://blog.gdssecurity.com/labs/2019/2/11/wowza-streaming-engine-manager-directory-traversal-and-local.html
- https://www.cvedetails.com/cve/CVE-2018-19365
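Review bot: unlike the other templates in this commit, no `https://nvd.nist.gov/vuln/detail/CVE-2018-19365` entry is added to `reference` here; the cvedetails link is a third-party mirror of the same record, so add the NVD link for consistency with the rest of the set.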
@ -29,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/20

View File

@ -1,7 +1,7 @@
id: CVE-2018-2791
info:
name: Oracle WebCenter Sites Cross-Site Scripting
name: Oracle Fusion Middleware WebCenter Sites - Cross-Site Scripting
author: madrobot,leovalcante
severity: high
description: The Oracle WebCenter Sites component of Oracle Fusion Middleware is susceptible to multiple instances of cross-site scripting that could allow unauthenticated attackers with network access via HTTP to compromise Oracle WebCenter Sites. Impacted versions that are affected are 11.1.1.8.0, 12.2.1.2.0 and 12.2.1.3.0. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data as well as unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data.
@ -43,4 +43,5 @@ requests:
- 'Missing translation key'
condition: and
# Enhanced by mp on 2022/04/06
# Enhanced by mp on 2022/04/20

View File

@ -1,7 +1,7 @@
id: CVE-2018-3238
info:
name: Oracle WebCenter Sites 11.1.1.8.0 - Cross-Site Scripting
name: Oracle Fusion Middleware WebCenter Sites 11.1.1.8.0 - Cross-Site Scripting
author: leovalcante
severity: high
description: The Oracle WebCenter Sites 11.1.1.8.0 component of Oracle Fusion Middleware is impacted by easily exploitable cross-site scripting vulnerabilities that allow high privileged attackers with network access via HTTP to compromise Oracle WebCenter Sites.
@ -44,4 +44,4 @@ requests:
- 'Variables.cs_imagedir'
condition: and
# Enhanced by mp on 2022/04/14
# Enhanced by mp on 2022/04/20
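Review bot: this hunk (`@ -44,4 +44,4`) replaces `# Enhanced by mp on 2022/04/14` with `# Enhanced by mp on 2022/04/20`, while the CVE-2017-10271, CVE-2017-3506, CVE-2018-2791 and CVE-2020-24186 hunks in this commit append the new line and keep the earlier one (`-62,4 +62,5`, `-45,4 +45,5`, and so on). The same overwrite happens in CVE-2020-14883 and CVE-2021-40978. Pick one convention for the trailer: appending preserves the edit history, overwriting keeps a single line.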

View File

@ -1,17 +1,19 @@
id: CVE-2018-7662
info:
name: CouchCMS Full Path Disclosure
name: CouchCMS <= 2.0 - Full Path Disclosure
author: ritikchaddha
severity: medium
description: phpmailer.php and mysql2i.func.php disclosure the full path
reference: https://github.com/CouchCMS/CouchCMS/issues/46
tags: couchcms,fpd,cve,cve2018
description: "CouchCMS <= 2.0 allows remote attackers to discover the full path via a direct request to includes/mysql2i/mysql2i.func.php or addons/phpmailer/phpmailer.php."
reference:
- https://github.com/CouchCMS/CouchCMS/issues/46
- https://nvd.nist.gov/vuln/detail/CVE-2018-7662
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30
cve-id: CVE-2018-7662
cwe-id: CWE-200
tags: couchcms,fpd,cve,cve2018
requests:
- method: GET
@ -35,3 +37,6 @@ requests:
- "phpmailer.php on line 10"
- "Fatal error: Call to a menber function add_event_listener() on a non-object in"
condition: and
# Enhanced by mp on 2022/04/21
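Review bot: the unchanged context line `- "Fatal error: Call to a menber function add_event_listener() on a non-object in"` spells "menber"; PHP's fatal error text is "Call to a member function", and because the matcher uses `condition: and`, this word can never match and the whole matcher fails. Worth fixing in the same pass: `member`.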

View File

@ -1,19 +1,20 @@
id: CVE-2019-15713
info:
name: My Calendar <= 3.1.9 - Reflected Cross-Site Scripting (XSS)
name: WordPress My Calendar <= 3.1.9 - Cross-Site Scripting
author: daffainfo,dhiyaneshDk
severity: medium
description: The my-calendar plugin before 3.1.10 for WordPress has XSS. Triggered via unescaped usage of URL parameters in multiple locations presented in the public view of a site.
description: WordPress plugin My Calendar <= 3.1.9 is susceptible to reflected cross-site scripting which can be triggered via unescaped usage of URL parameters in multiple locations throughout the site.
reference:
- https://wpscan.com/vulnerability/9267
- https://wordpress.org/plugins/my-calendar/#developers
- https://nvd.nist.gov/vuln/detail/CVE-2019-15713
tags: cve,cve2019,wordpress,xss,wp-plugin
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2019-15713
cwe-id: CWE-79
tags: cve,cve2019,wordpress,xss,wp-plugin
requests:
- method: GET
@ -35,3 +36,6 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/21

View File

@ -1,19 +1,22 @@
id: CVE-2019-16097
info:
name: Harbor Enables Privilege Escalation From Zero to admin
name: Harbor <=1.82.0 - Privilege Escalation
author: pikpikcu
severity: medium
description: |
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.
description: "Harbor 1.7.0 through 1.8.2 is susceptible to privilege escalation via
core/api/user.go, which allows allows non-admin users to create admin accounts via the POST /api/users API when Harbor is setup with DB as an authentication backend and allows user to do self-registration."
remediation: Upgrade to v1.7.6 v1.8.3. v.1.9.0 or higher. A potential workaround without applying the fix is to configure Harbor to use a non-DB authentication backend such as LDAP.
reference:
- https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/
- https://github.com/goharbor/harbor/issues/8951
tags: cve,cve2019,intrusive,harbor
- https://nvd.nist.gov/vuln/detail/CVE-2019-16097
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
cvss-score: 6.50
cve-id: CVE-2019-16097
cwe-id: CWE-862
tags: cve,cve2019,intrusive,harbor
requests:
- method: POST
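Review bot: `name: Harbor <=1.82.0 - Privilege Escalation` does not match the affected range in the description (1.7.0 through 1.8.2); `1.82.0` looks like a typo for `1.8.2`. The new description also doubles a word (`which allows allows non-admin users`), and its quoted string is split across two source lines, which YAML folds into one string but is harder to read than the removed `|` block. The remediation carries over the odd punctuation `v1.7.6 v1.8.3. v.1.9.0`; write it `v1.7.6, v1.8.3 or v1.9.0`.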
@ -38,3 +41,5 @@ requests:
- 201
- 409
condition: or
# Enhanced by mp on 2022/04/19

View File

@ -1,19 +1,19 @@
id: CVE-2019-7481
info:
name: sonicwall sra 4600 vpn pre-authenticated sql injection
name: SonicWall SRA 4600 VPN - SQL Injection
author: _darrenmartyn
severity: high
description: |
The SonicWall SRA 4600 VPN appliance suffers a pre-authentication SQL injection vulnerability.
description: The SonicWall SRA 4600 VPN appliance is susceptible to a pre-authentication SQL injection vulnerability.
reference:
- https://www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve-2019-7481/
tags: cve,cve2019,sonicwall,sqli
- https://nvd.nist.gov/vuln/detail/CVE-2019-7481
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2019-7481
cwe-id: CWE-200
cwe-id: CWE-89
tags: cve,cve2019,sonicwall,sqli
requests:
- raw:
@ -31,3 +31,6 @@ requests:
words:
- "4220397236"
part: body
# Enhanced by mp on 2022/04/20

View File

@ -1,16 +1,19 @@
id: CVE-2019-8982
info:
name: Wavemaker Studio 6.6 LFI/SSRF
name: Wavemaker Studio 6.6 Local File Inclusion/Server-Side Request Forgery
author: madrobot
severity: critical
description: com/wavemaker/studio/StudioService.java in WaveMaker Studio 6.6 mishandles the studioService.download?method=getContent&inUrl= value, leading to disclosure of local files and SSRF.
reference: https://www.exploit-db.com/exploits/45158
tags: cve,cve2019,wavemaker,lfi,ssrf
description: "WaveMaker Studio 6.6 mishandles the studioService.download?method=getContent&inUrl= value in com/wavemaker/studio/StudioService.java, leading to disclosure of local files and server-side request forgery."
reference:
- https://www.exploit-db.com/exploits/45158
- https://nvd.nist.gov/vuln/detail/CVE-2019-8982
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
cvss-score: 9.60
cve-id: CVE-2019-8982
cwe-id: CWE-918
tags: cve,cve2019,wavemaker,lfi,ssrf
requests:
- method: GET
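Review bot: `name` writes `Wavemaker` while the new description writes `WaveMaker`, and the name has no ` - ` separator before the vulnerability class, unlike the other renames in this commit; suggest `WaveMaker Studio 6.6 - Local File Inclusion/Server-Side Request Forgery`.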
@ -25,3 +28,5 @@ requests:
regex:
- "root:.*:0:0:"
part: body
# Enhanced by mp on 2022/04/18

View File

@ -1,18 +1,20 @@
id: CVE-2020-10549
info:
name: rConfig 3.9.4 SQLi
name: rConfig <=3.9.4 - SQL Injection
author: madrobot
severity: critical
description: rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
description: "rConfig 3.9.4 and prior has unauthenticated snippets.inc.php SQL injection. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices."
reference:
- https://github.com/theguly/exploits/blob/master/CVE-2020-10549.py
- https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/
tags: cve,cve2020,rconfig,sqli
- https://nvd.nist.gov/vuln/detail/CVE-2020-10549
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2020-10549
cwe-id: CWE-89,CWE-522
tags: cve,cve2020,rconfig,sqli
requests:
- method: GET
@ -27,3 +29,6 @@ requests:
words:
- "[project-discovery]"
part: body
# Enhanced by mp on 2022/04/21

View File

@ -1,7 +1,7 @@
id: CVE-2020-14883
info:
name: Oracle WebLogic Server Administration Console Remote Code Execution
name: Oracle Fusion Middleware WebLogic Server Administration Console - Remote Code Execution
author: pdteam
severity: high
description: The Oracle Fusion Middleware WebLogic Server admin console in versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 is vulnerable to an easily exploitable vulnerability that allows high privileged attackers with network access via HTTP to compromise Oracle WebLogic Server.
@ -54,4 +54,4 @@ requests:
regex:
- "(u|g)id=.*"
# Enhanced by mp on 2022/04/05
# Enhanced by mp on 2022/04/20

View File

@ -1,19 +1,20 @@
id: CVE-2020-15148
info:
name: Yii 2 (yiisoft/yii2) RCE
name: Yii 2 <2.0.38 - Remote Code Execution
author: pikpikcu
severity: critical
reference:
- https://blog.csdn.net/xuandao_ahfengren/article/details/111259943
- https://github.com/nosafer/nosafer.github.io/blob/227a05f5eff69d32a027f15d6106c6d735124659/docs/Web%E5%AE%89%E5%85%A8/Yii2/%EF%BC%88CVE-2020-15148%EF%BC%89Yii2%E6%A1%86%E6%9E%B6%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E.md
tags: cve,cve2020,rce,yii
description: "Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input."
remediation: Upgrade to version 2.0.38 or later. A possible workaround without upgrading is available in the linked advisory.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.00
cve-id: CVE-2020-15148
cwe-id: CWE-502
description: "Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory."
tags: cve,cve2020,rce,yii
requests:
- method: GET
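Review bot: the added `remediation` refers to "the linked advisory", but nothing in `reference` is an advisory (a CSDN post and a GitHub markdown page), and unlike the other templates in this commit no NVD entry is added here. Either add `https://nvd.nist.gov/vuln/detail/CVE-2020-15148` and the upstream advisory the remediation means, or drop that sentence.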
@ -31,3 +32,5 @@ requests:
- type: status
status:
- 500
# Enhanced by mp on 2022/04/19

View File

@ -1,7 +1,7 @@
id: CVE-2020-24186
info:
name: Unauthenticated File upload wpDiscuz WordPress plugin Remote Code Execution
name: WordPress wpDiscuz <=7.0.4 - Remote Code Execution
author: Ganofins
severity: critical
description: WordPress wpDiscuz plugin versions version 7.0 through 7.0.4 are susceptible to remote code execution. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server.
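Review bot: the unchanged description line still reads `WordPress wpDiscuz plugin versions version 7.0 through 7.0.4`, a doubled word; since the info block is being touched anyway, fix it to `versions 7.0 through 7.0.4`. The new `name` bound `<=7.0.4` also hides the lower bound 7.0 that the description gives.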
@ -84,4 +84,5 @@ requests:
condition: and
part: body
# Enhanced by mp on 2022/03/27
# Enhanced by mp on 2022/04/19

View File

@ -1,18 +1,19 @@
id: CVE-2020-7796
info:
name: Zimbra Collaboration Suite (ZCS) - SSRF
name: Zimbra Collaboration Suite (ZCS) - Server-Side Request Forgery
author: gy741
severity: critical
description: Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.
description: Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 is susceptible to server-side request forgery when WebEx zimlet is installed and zimlet JSP is enabled.
reference:
- https://www.adminxe.com/2183.html
tags: cve,cve2020,zimbra,ssrf,oast
- https://nvd.nist.gov/vuln/detail/CVE-2020-7796
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2020-7796
cwe-id: CWE-918
tags: cve,cve2020,zimbra,ssrf,oast
requests:
- raw:
@ -25,3 +26,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/04/19

View File

@ -1,11 +1,10 @@
id: CVE-2020-9757
info:
name: SEOmatic < 3.3.0 Server-Side Template Injection
name: Craft CMS < 3.3.0 - Server-Side Template Injection
author: dwisiswant0
severity: high
description: The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.
tags: cve,cve2020,ssti
description: "Craft CMS before 3.3.0 is susceptible to server-side template injection via the SEOmatic component that could lead to remote code execution via malformed data submitted to the metacontainers controller."
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
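Review bot: the rename and new description shift the version bound from the SEOmatic component to Craft CMS itself: the removed text says `The SEOmatic component before 3.3.0 for Craft CMS`, and the fix commits in `reference` are in `nystudio107/craft-seomatic`, but the new text says `Craft CMS before 3.3.0 ... via the SEOmatic component`, which is a different product and range. Suggest `Craft CMS SEOmatic < 3.3.0 - Server-Side Template Injection` and `The SEOmatic component before 3.3.0 for Craft CMS is susceptible to ...`.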
@ -16,6 +15,8 @@ info:
- https://github.com/giany/CVE/blob/master/CVE-2020-9757.txt
- https://github.com/nystudio107/craft-seomatic/commit/65ab659cb6c914c7ad671af1e417c0da2431f79b
- https://github.com/nystudio107/craft-seomatic/commit/a1c2cad7e126132d2442ec8ec8e9ab43df02cc0f
- https://nvd.nist.gov/vuln/detail/CVE-2020-9757
tags: cve,cve2020,ssti
requests:
- method: GET
@ -36,3 +37,5 @@ requests:
- "22344"
condition: and
part: body
# Enhanced by mp on 2022/04/20

View File

@ -1,17 +1,19 @@
id: CVE-2021-25074
info:
name: WebP Converter for Media < 4.0.3 - Unauthenticated Open redirect
name: WordPress WebP Converter for Media < 4.0.3 - Unauthenticated Open Redirect
author: dhiyaneshDk
severity: medium
description: The plugin contains a file (passthru.php) which does not validate the src parameter before redirecting the user to it, leading to an Open Redirect issue.
reference: https://wpscan.com/vulnerability/f3c0a155-9563-4533-97d4-03b9bac83164
tags: cve,cve2021,wordpress,redirect,wp-plugin,webpconverter
description: "WordPress WebP Converter for Media < 4.0.3 contains a file (passthru.php) which does not validate the src parameter before redirecting the user to it, leading to an open redirect issue."
reference:
- https://wpscan.com/vulnerability/f3c0a155-9563-4533-97d4-03b9bac83164
- https://nvd.nist.gov/vuln/detail/CVE-2021-25074
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-25074
cwe-id: CWE-601
tags: cve,cve2021,wordpress,redirect,wp-plugin,webpconverter
requests:
- method: GET
@ -23,3 +25,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by mp on 2022/04/21

View File

@ -1,20 +1,19 @@
id: CVE-2021-25112
info:
name: WHMCS Bridge < 6.4b - Authenticated Reflected XSS
name: WordPress WHMCS Bridge < 6.4b - Cross-Site Scripting
author: DhiyaneshDK
severity: medium
description: |
The plugin does not sanitise and escape the error parameter before outputting it back in admin dashboard, leading to a Reflected Cross-Site Scripting
description: WordPress WHMCS Bridge < 6.4b is susceptible to authenticated reflected cross-site scripting because the plugin does not sanitize and escape the error parameter before outputting it back in admin dashboard.
reference:
- https://wpscan.com/vulnerability/4aae2dd9-8d51-4633-91bc-ddb53ca3471c
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25112
tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-25112
cwe-id: CWE-79
tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated
requests:
- raw:
@ -47,3 +46,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/21

View File

@ -1,11 +1,15 @@
id: easy-social-feed
id: CVE-2021-25120
info:
name: Easy Social Feed < 6.2.7 - Reflected Cross-Site Scripting (XSS)
name: Easy Social Feed < 6.2.7 - Cross-Site Scripting
author: dhiyaneshDk
severity: medium
description: The plugin does not sanitise and escape a parameter before outputting back in an admin dashboard page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged admin or editor.
reference: https://wpscan.com/vulnerability/6dd00198-ef9b-4913-9494-e08a95e7f9a0
description: Easy Social Feed < 6.2.7 is susceptible to reflected cross-site scripting because the plugin does not sanitize and escape a parameter before outputting it back in an admin dashboard page, leading to it being executed in the context of a logged admin or editor.
reference:
- https://wpscan.com/vulnerability/6dd00198-ef9b-4913-9494-e08a95e7f9a0
- https://www.cvedetails.com/cve/CVE-2021-25120/
classification:
cve-id: CVE-2021-25120
tags: wordpress,wp-plugin,xss,authenticated
requests:
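Review bot: changing `id: easy-social-feed` to `id: CVE-2021-25120` renames the template, so anything selecting it by template id breaks; that is acceptable for a move into the CVE set, but then `tags: wordpress,wp-plugin,xss,authenticated` should also gain `cve,cve2021` as the other CVE templates in this commit have (compare the CVE-2021-25112 tags line), and `classification` is left with only `cve-id` and no `cvss-metrics`, `cvss-score` or `cwe-id`, unlike the rest of the set.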
@ -38,3 +42,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/21

View File

@ -1,18 +1,21 @@
id: CVE-2021-31805
info:
name: Apache Struts2 S2-062 - Remote Code Execution
author: taielab
severity: critical
description: The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tags attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
description: "Apache Struts2 S2-062 is vulnerable to remote code execution. The fix issued for CVE-2020-17530 (S2-061) was incomplete, meaning some of the tag's attributes could still perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax."
remediation: Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.30 or greater which checks if expression evaluation won't lead to the double evaluation.
reference:
- https://cwiki.apache.org/confluence/display/WW/S2-062
- https://github.com/Axx8/Struts2_S2-062_CVE-2021-31805
- https://nvd.nist.gov/vuln/detail/CVE-2021-31805
tags: cve,cve2021,apache,rce,struts,struts2
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2021-31805
cwe-id: CWE-917
tags: cve,cve2021,apache,rce,struts,struts2
requests:
- raw:
@ -44,3 +47,5 @@ requests:
part: body
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/04/21

View File

@ -1,17 +1,16 @@
id: CVE-2021-32682
info:
name: elFinder - Multiple vulnerabilities leading to RCE
name: elFinder 2.1.58 - Remote Code Execution
author: smaranchand
severity: critical
tags: cve,cve2021,elfinder,misconfig,rce,oss
description: elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.
description: elFinder 2.1.58 is impacted by multiple remote code execution vulnerabilities that could allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration.
reference:
- https://smaranchand.com.np/2022/01/organization-vendor-application-security/
- https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities
- https://github.com/Studio-42/elFinder/security/advisories/GHSA-wph3-44rj-92pr
- https://nvd.nist.gov/vuln/detail/CVE-2021-32682
remediation: Update to elFinder 2.1.59
remediation: Update to elFinder 2.1.59 or later. As a workaround, ensure the connector is not exposed without authentication.
metadata:
github: https://github.com/Studio-42/elFinder
classification:
@ -19,6 +18,7 @@ info:
cvss-score: 9.80
cve-id: CVE-2021-32682
cwe-id: CWE-22,CWE-78,CWE-918
tags: cve,cve2021,elfinder,misconfig,rce,oss
requests:
- method: GET
@ -45,3 +45,6 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/19

View File

@ -1,19 +1,21 @@
id: CVE-2021-3377
info:
name: Ansi_up XSS
description: The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
name: npm ansi_up v4 - Cross-Site Scripting
description: npm package ansi_up v4 is vulnerable to cross-site scripting because ANSI escape codes can be used to create HTML hyperlinks.
remediation: Upgrade to v5.0.0 or later.
reference:
- https://doyensec.com/resources/Doyensec_Advisory_ansi_up4_XSS.pdf
- https://github.com/drudru/ansi_up/commit/c8c726ed1db979bae4f257b7fa41775155ba2e27
- https://nvd.nist.gov/vuln/detail/CVE-2021-3377
author: geeknik
severity: medium
tags: cve,cve2021,xss,npm
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-3377
cwe-id: CWE-79
tags: cve,cve2021,xss,npm
requests:
- raw:
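Review bot: the new description, `... is vulnerable to cross-site scripting because ANSI escape codes can be used to create HTML hyperlinks`, states the feature rather than the flaw; the removed text attributes the bug to insufficient URL sanitization of those hyperlinks, which is the actual cause. Suggest `... because ANSI escape codes can be used to create HTML hyperlinks whose URL is insufficiently sanitized`. The `name` could also carry the fixed version like the others here (`npm ansi_up < 5.0.0 - Cross-Site Scripting`).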
@ -32,4 +34,6 @@ requests:
- type: word
words:
- "com\"/onmouseover=\"alert(1)\">"
- "com\"/onmouseover=\"alert(1)\">"
# Enhanced by mp on 2022/04/21
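Review bot: `- "com\"/onmouseover=\"alert(1)\">"` appears twice in this hunk, and the header `@ -32,4 +34,6` shows a two-line growth of which one line is the trailer comment; if the second copy is only a re-indentation of the first this is fine, but if both survive the matcher has a duplicate entry. Confirm in the raw diff.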

View File

@ -1,22 +1,22 @@
id: CVE-2021-40539
info:
name: Zoho ManageEngine ADSelfService Plus version 6113 Unauthenticated RCE
name: Zoho ManageEngine ADSelfService Plus v6113 - Unauthenticated Remote Command Execution
author: daffainfo,pdteam
severity: critical
description: Zoho ManageEngine ADSelfService Plus version 6113 and prior are vulnerable to a REST API authentication bypass vulnerability that can lead to remote code execution.
remediation: Upgrade to ADSelfService Plus build 6114.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-40539
- https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis
- https://www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html
- https://github.com/synacktiv/CVE-2021-40539
tags: cve,cve2021,rce,ad,intrusive,manageengine
- https://nvd.nist.gov/vuln/detail/CVE-2021-40539
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2021-40539
cwe-id: CWE-287
tags: cve,cve2021,rce,ad,intrusive,manageengine
requests:
@ -113,4 +113,5 @@ requests:
status:
- 200
# Enhanced by mp on 2022/03/16
# Enhanced by mp on 2022/04/18

View File

@ -1,20 +1,20 @@
id: CVE-2021-40978
info:
name: MKdocs 1.2.2 Directory Traversal
name: MKdocs 1.2.2 - Directory Traversal
author: pikpikcu
severity: high
reference:
- https://github.com/mkdocs/mkdocs/pull/2604
- https://github.com/nisdn/CVE-2021-40978
- https://nvd.nist.gov/vuln/detail/CVE-2021-40978
tags: cve,cve2021,mkdocs,lfi
description: The MKdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain sensitive information. Note the vendor has disputed the vulnerability (see references) because the dev server must be used in an unsafe way (namely public) to have this vulnerability exploited.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2021-40978
cwe-id: CWE-22
tags: cve,cve2021,mkdocs,lfi
requests:
- method: GET
@ -33,4 +33,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/03/06
# Enhanced by mp on 2022/04/20

View File

@ -1,20 +1,20 @@
id: CVE-2022-23881
info:
name: zzzphp v2.1.0 RCE
name: ZZZCMS zzzphp 2.1.0 - Remote Code Execution
author: pikpikcu
severity: critical
description: ZZZCMS zzzphp v2.1.0 was discovered to contain a remote command execution (RCE) vulnerability via danger_key() at zzz_template.php.
description: "ZZZCMS zzzphp v2.1.0 is susceptible to a remote command execution vulnerability via danger_key() at zzz_template.php."
reference:
- https://github.com/metaStor/Vuls/blob/main/zzzcms/zzzphp%20V2.1.0%20RCE/zzzphp%20V2.1.0%20RCE.md
- http://www.zzzcms.com
- https://nvd.nist.gov/vuln/detail/CVE-2022-23881
tags: cve,cve2022,rce,zzzphp,zzzcms
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2022-23881
cwe-id: CWE-77
tags: cve,cve2022,rce,zzzphp,zzzcms
requests:
- raw:
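Review bot: the new `name:` writes the version as `2.1.0` while the new `description:` keeps `v2.1.0`; pick one form. The bare vendor homepage `http://www.zzzcms.com` adds nothing next to the metaStor write-up and the NVD entry, and since `danger_key()` is the filter being bypassed rather than the sink, "via danger_key()" would be more accurate as "by bypassing danger_key() in zzz_template.php".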
@ -33,3 +33,6 @@ requests:
- type: status
status:
- 500
# Enhanced by mp on 2022/04/19

View File

@ -1,10 +1,10 @@
id: opencast-panel
info:
name: Opencast Panel Login
name: Opencast Admin Panel Discovery
author: cyllective,daffainfo
severity: info
description: The free and open source solution for automated video capture and distribution at scale.
description: An Opencast Admin panel was discovered. Opencast is a free and open source solution for automated video capture and distribution at scale.
reference: https://github.com/opencast/opencast
tags: panel,opencast
@ -23,3 +23,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/21

View File

@ -1,10 +1,15 @@
id: dwsync-exposure
info:
name: Dwsync.xml Exposure
name: Dreamweaver Dwsync.xml Exposure
author: KaizenSecurity
severity: info
description: The dwsync.xml file is a file generated by Dreamweaver. Where the file contains information related to what files are in the website directory.
description: The Dreamweaver file dwsync.xml was discovered. The dwsync.xml file is a file generated by Dreamweaver which contains information related to what files are in the website directory.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cve-id:
cwe-id: CWE-200
tags: dwsync,exposure,dreamweaver
requests:
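Review bot: the added `classification:` scores this 0.0 with `C:N/I:N/A:N` yet tags it `CWE-200` (information exposure), and the description says the file lists what is in the website directory. A file and path listing is a confidentiality impact, so either set `C:L` with the matching score or drop the block; as written the vector and the CWE contradict each other. The empty `cve-id:` key also serializes as null; omitting the key is cleaner than leaving it blank.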
@ -29,3 +34,5 @@ requests:
- '<dwsync>'
- '</dwsync>'
condition: and
# Enhanced by mp on 2022/04/21

View File

@ -1,10 +1,10 @@
id: prometheus-config
info:
name: Prometheus config API endpoint
name: Prometheus Config API Endpoint Discovery
author: geeknik
severity: info
description: The config endpoint returns the loaded Prometheus configuration file. This file also contains addresses of targets and alerting/discovery services alongside the credentials required to access them. Usually, Prometheus replaces the passwords in the credentials config configuration field with the placeholder <secret> (although this still leaks the username).
description: A Prometheus config API endpoint was discovered. The config endpoint returns the loaded Prometheus configuration file along with the addresses of targets and alerting/discovery services alongside the credentials required to access them. Usually, Prometheus replaces the passwords in the credentials config configuration field with the placeholder <secret> (although this still leaks the username).
reference: https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/
tags: prometheus,config
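Review bot: `severity: info` sits uneasily beside a description that says the endpoint returns target addresses, alerting/discovery services and credential usernames; an unauthenticated config API is a misconfiguration with a real confidentiality impact, so `low` with a `misconfig` tag and a `remediation:` line (put the Prometheus API behind authentication or a reverse proxy, or restrict it to trusted networks) would describe the finding better. The rewritten description also carries over the doubled word in "credentials config configuration field".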
@ -30,3 +30,5 @@ requests:
part: header
words:
- 'application/json'
# Enhanced by mp on 2022/04/21

View File

@ -1,9 +1,9 @@
id: open-proxy-internal
info:
name: Open Proxy To Internal Network
author: sullo
severity: high
tags: exposure,config,proxy,misconfig,fuzz
description: The host is configured as a proxy which allows access to other hosts on the internal network.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports.
reference:
@ -14,6 +14,8 @@ info:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cwe-id: CWE-441
tags: exposure,config,proxy,misconfig,fuzz
requests:
- raw:
- |+
@ -107,4 +109,5 @@ requests:
- (!contains(body_1, "ssh")) && (contains(body_2, "ssh") || contains(body_3, "ssh")) || contains(body_4, "ssh") || contains(body_5, "ssh") || contains(body_6, "ssh") || contains(body_7, "ssh") || contains(body_8, "ssh") || contains(body_9, "ssh") || contains(body_10, "ssh") || contains(body_11, "ssh") || contains(body_12, "ssh") || contains(body_13, "ssh") || contains(body_14, "ssh") || contains(body_15, "ssh") || contains(body_16, "ssh") || contains(body_17, "ssh") || contains(body_18, "ssh") || contains(body_19, "ssh") || contains(body_20, "ssh") || contains(body_21, "ssh") || contains(body_22, "ssh") || contains(body_23, "ssh") || contains(body_24, "ssh")
- (!contains(body_1, "SSH")) && (contains(body_2, "SSH") || contains(body_3, "SSH")) || contains(body_4, "SSH") || contains(body_5, "SSH") || contains(body_6, "SSH") || contains(body_7, "SSH") || contains(body_8, "SSH") || contains(body_9, "SSH") || contains(body_10, "SSH") || contains(body_11, "SSH") || contains(body_12, "SSH") || contains(body_13, "SSH") || contains(body_14, "SSH") || contains(body_15, "SSH") || contains(body_16, "SSH") || contains(body_17, "SSH") || contains(body_18, "SSH") || contains(body_19, "SSH") || contains(body_20, "SSH") || contains(body_21, "SSH") || contains(body_22, "SSH") || contains(body_23, "SSH")
condition: or
# Enhanced by cs on 2022/02/14
# Enhanced by mp on 2022/04/21
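Review bot: the two DSL lines kept as context above the new stamp have an operator precedence bug: in `(!contains(body_1, "ssh")) && (contains(body_2, "ssh") || contains(body_3, "ssh")) || contains(body_4, "ssh") || ...` the `!contains(body_1, ...)` guard only covers body_2 and body_3, because `&&` binds tighter than `||`; any of body_4 through body_24 containing `ssh` matches even when the baseline body_1 already contained it, which is exactly the false positive the guard exists to prevent. Wrapping the entire `||` chain in one set of parentheses fixes it. The lowercase line also runs to body_24 while the uppercase one stops at body_23; both should cover the same set of requests. This predates the commit, but re-stamping the file as enhanced is a good moment to fix it.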

View File

@ -1,9 +1,9 @@
id: open-proxy-http-portscan
info:
name: Open Proxy to Other Web Ports on Proxy's localhost Interface
name: Open Proxy to Other Web Ports via Proxy's localhost Interface
author: sullo
severity: high
tags: exposure,config,proxy,misconfig,fuzz
description: The host is configured as a proxy which allows access to web ports on the host's internal interface.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports.
reference:
@ -14,6 +14,8 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cwe-id: CWE-441
tags: exposure,config,proxy,misconfig,fuzz
requests:
- raw:
- |+
@ -51,4 +53,6 @@ requests:
- (!contains(body_1, "Welcome to Windows") && !contains(body_2, "Welcome to Windows")) && (contains(body_3, "Welcome to Windows") || contains(body_4, "Welcome to Windows") || contains(body_5, "Welcome to Windows") || contains(body_6, "Welcome to Windows"))
- (!contains(body_1, "Welcome to Windows") && !contains(body_2, "Welcome to Windows")) && (contains(body_3, "Welcome to Windows") || contains(body_4, "Welcome to Windows") || contains(body_5, "Welcome to Windows") || contains(body_6, "Welcome to Windows"))
- (!contains(body_1, "It works") && !contains(body_2, "It works")) && (contains(body_3, "It works") || contains(body_4, "It works") || contains(body_5, "It works") || contains(body_6, "It works"))
# Enhanced by cs on 2022/02/14
# Enhanced by mp on 2022/04/21
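Review bot: the first two DSL lines in the kept context are byte-for-byte identical (the `Welcome to Windows` check appears twice); one of them was presumably meant to test a different banner or to be removed. The duplicate is harmless to the result but it is dead weight and hints at an edit that went wrong, so it is worth fixing while the file is being re-stamped.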

View File

@ -1,11 +1,11 @@
id: put-method-enabled
info:
name: PUT method enabled
name: PUT Method Enabled
author: xElkomy
severity: high
reference: https://portswigger.net/kb/issues/00100900_http-put-method-is-enabled
description: The PUT method is enabled on the web server, allowing for arbitrary file uploads.
description: The HTTP PUT method is normally used to upload data that is saved on the server at a user-supplied URL. If enabled, an attacker may be able to place arbitrary, and potentially malicious, content into the application. Depending on the server's configuration, this may lead to compromise of other users (by uploading client-executable scripts), compromise of the server (by uploading server-executable code), or other attacks.
tags: injection
requests:
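Review bot: the replacement `description:` reads as a near-verbatim lift of the PortSwigger KB text it references; a one-line paraphrase plus the reference is the pattern the rest of the commit follows and avoids copying someone else's prose into the template. Separately, `tags: injection` does not describe an enabled PUT method; `misconfig`, as used by the open-proxy templates in this commit, fits the finding, and a `remediation:` line (disable PUT in the web server configuration, or require authentication for it) would sit naturally beside the other templates being enhanced here.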
@ -27,3 +27,6 @@ requests:
- type: dsl
dsl:
- 'contains(body_2, "{{randstr}}")'
# Enhanced by mp on 2022/04/20

View File

@ -8,12 +8,12 @@ info:
reference:
- https://www.exploit-db.com/ghdb/5595
- https://packetstormsecurity.com/files/163657/zabbix5x-sqlxss.txt
tags: zabbix,unauth
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
cvss-score: 5.8
cve-id:
cwe-id: CWE-522
tags: zabbix,unauth
requests:
- method: GET

View File

@ -3,8 +3,14 @@ info:
name: VNC Service Detection
author: pussycat0x
severity: info
description: A Virtual Network Computing (VNC) service was detected.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cve-id:
cwe-id: CWE-200
tags: network,vnc,service
description: VNC service detection
network:
- inputs:
- data: "\r\n"
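Review bot: this is a service-detection template, not a vulnerability, and the added `classification:` block (score 0.0, `C:N/I:N/A:N`, `CWE-200`, empty `cve-id:`) attaches an information-exposure CWE to a banner grab. A VNC banner on its own discloses nothing; either omit the block for detection templates or leave `cwe-id` out. The `RFB ([0-9.]+)` pattern in the matcher already captures the protocol version, so an `extractors:` entry with the same regex would surface the version in results instead of only matching on it.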
@ -22,3 +28,5 @@ network:
part: body
regex:
- "RFB ([0-9.]+)"
# Enhanced by mp on 2022/04/20

View File

@ -1,13 +1,18 @@
id: beward-ipcamera-disclosure
info:
name: BEWARD N100 H.264 VGA IP Camera M2.1.6 Arbitrary File Disclosure
name: BEWARD N100 H.264 VGA IP Camera M2.1.6 - Arbitrary File Disclosure
author: geeknik
severity: high
description: The N100 compact color IP camera suffers from an authenticated file disclosure vulnerability. Input passed via the READ.filePath parameter in fileread script is not properly verified before being used to read files. This can be exploited to disclose the contents of arbitrary files via absolute path or via the SendCGICMD API.
description: "The N100 compact color IP camera suffers from an authenticated file disclosure vulnerability. Input passed via the READ.filePath parameter in fileread script is not properly verified before being used to read files. This can be exploited to disclose the contents of arbitrary files via absolute path or via the SendCGICMD API."
reference:
- https://www.exploit-db.com/exploits/46320
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5511.php
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cve-id:
cwe-id: CWE-22
tags: iot,camera,disclosure
requests:
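Review bot: the description says this is an authenticated file disclosure, but the added CVSS vector has `PR:N` (no privileges required) together with `S:C`. If credentials are needed the vector should carry `PR:L` (or `PR:H` if only an admin can reach the script) and the score drops accordingly, and a scope change is hard to justify for reading files on the camera itself. The metrics should agree with the text, and the score with the metrics, rather than reusing the 8.6 block shared by the other file-disclosure templates in this commit.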
@ -26,3 +31,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/20

View File

@ -1,11 +1,16 @@
id: qihang-media-lfi
info:
name: QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Arbitrary File Disclosure Vulnerability
name: QiHang Media Web (QH.aspx) Digital Signage 3.0.9 - Arbitrary File Disclosure
author: gy741
severity: high
description: The QiHang Media Web application suffers from an unauthenticated file disclosure vulnerability when input passed thru the filename parameter when using the download action or thru path parameter when using the getAll action is not properly verified before being used. This can be exploited to disclose contents of files and directories from local resources.
description: "The QiHang Media Web application suffers from an unauthenticated file disclosure vulnerability when input passed thru the filename parameter when using the download action or thru path parameter when using the getAll action is not properly verified before being used. This can be exploited to disclose contents of files and directories from local resources."
reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5581.php
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cve-id:
cwe-id: CWE-22
tags: qihang,lfi,disclosure
requests:
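Review bot: the new description keeps "thru" twice; "through" is the expected form in a template description. Otherwise the vector agrees with the text (unauthenticated, `PR:N`), though as with the other file-disclosure templates in this commit `S:C` is questionable for reading local files on the same host: `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` scores 7.5 and is the usual reading for an unauthenticated arbitrary file read.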
@ -33,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/20

View File

@ -1,26 +1,29 @@
id: thinkphp-509-information-disclosure
info:
name: ThinkPHP 5.0.9 Information Disclosure
author: dr_set
severity: critical
description: Verbose SQL error message reveals sensitive information including database credentials.
reference: https://github.com/vulhub/vulhub/tree/0a0bc719f9a9ad5b27854e92bc4dfa17deea25b4/thinkphp/in-sqlinjection
tags: thinkphp
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1"
matchers-condition: and
matchers:
- type: word
condition: and
words:
- "SQLSTATE"
- "XPATH syntax error"
- type: status
status:
- 500
id: thinkphp-509-information-disclosure
info:
name: ThinkPHP 5.0.9 - Information Disclosure
author: dr_set
severity: critical
description: ThinkPHP 5.0.9 includes verbose SQL error message that can reveal sensitive information including database credentials.
reference: https://github.com/vulhub/vulhub/tree/0a0bc719f9a9ad5b27854e92bc4dfa17deea25b4/thinkphp/in-sqlinjection
tags: thinkphp
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1"
matchers-condition: and
matchers:
- type: word
condition: and
words:
- "SQLSTATE"
- "XPATH syntax error"
- type: status
status:
- 500
# Enhanced by mp on 2022/04/20
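Review bot: every line of this file shows as changed although the only visible edits are the hyphen in `name:`, the reworded `description:` and the new stamp; that pattern usually means a line-ending (CRLF to LF) or indentation change rode along. Please confirm it was intended and, ideally, keep whitespace-only changes separate so the rename can be reviewed on its own. On content: the request is an error-based SQL injection (`updatexml(0,concat(0xa,user()),0)` inside the `ids[]` key) and the matcher keys on `XPATH syntax error`, so a `sqli` tag and a `classification:` with `CWE-89` would describe the template more precisely than `thinkphp` alone, and the description could say that the disclosure comes from a SQL injection error path.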

View File

@ -1,11 +1,16 @@
id: candidate-application-lfi
info:
name: Candidate Application Form <= 1.3 - Unauthenticated Arbitrary File Download
name: WordPress Candidate Application Form <= 1.3 - Local File Inclusion
author: dhiyaneshDK
severity: high
description: The code in downloadpdffile.php does not do any sanity checks, allowing a remote attacker to download sensitive system files.
description: "WordPress Candidate Application Form <= 1.3 is susceptible to arbitrary file downloads because the code in downloadpdffile.php does not do any sanity checks."
reference: https://wpscan.com/vulnerability/446233e9-33b3-4024-9b7d-63f9bb1dafe0
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cve-id:
cwe-id: CWE-22
tags: wordpress,wp-plugin,lfi,wp
requests:
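Review bot: the new `name:` calls this "Local File Inclusion" while the new `description:`, the existing `lfi` tag and the referenced wpscan entry all describe an arbitrary file download through `downloadpdffile.php`. These are different bugs (inclusion executes the file, download merely returns it), so the previous "Unauthenticated Arbitrary File Download" wording is the accurate name even if `lfi` stays on as the repository's catch-all tag. As with the sibling templates, `S:C` is a stretch for a file read; `S:U` gives 7.5.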
@ -22,3 +27,6 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/21

View File

@ -4,10 +4,15 @@ info:
name: Cherry Plugin < 1.2.7 - Unauthenticated Arbitrary File Download
author: 0x_Akoko
severity: high
description: The cherry plugin WordPress plugin was affected by an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in attacker uploading backdoor shell scripts or downloading the wp-config.php file.
description: "WordPress plugin Cherry < 1.2.7 contains an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in attacker uploading backdoor shell scripts or downloading the wp-config.php file."
reference:
- https://wpscan.com/vulnerability/90034817-dee7-40c9-80a2-1f1cd1d033ee
- https://github.com/CherryFramework/cherry-plugin
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cve-id:
cwe-id: CWE-22
tags: wordpress,wp-plugin,lfi
requests:
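Review bot: the new description opens with "WordPress plugin Cherry < 1.2.7" while the unchanged `name:` in this file still says "Cherry Plugin < 1.2.7" and the sibling `cherry-lfi` template in this commit is renamed to "WordPress Cherry < 1.2.7"; two templates for the same wpscan entry should use one product name. The description also covers both upload and download, but this template's name says it exercises the download path; stating which path is tested keeps the two templates distinguishable in scan output.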
@ -27,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/21

View File

@ -1,13 +1,18 @@
id: cherry-lfi
info:
name: Cherry Plugin < 1.2.7 - Unauthenticated Arbitrary File Upload and Download
name: WordPress Cherry < 1.2.7 - Unauthenticated Arbitrary File Upload and Download
author: dhiyaneshDK
severity: high
description: The cherry plugin WordPress plugin was affected by an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in attacker uploading backdoor shell scripts or downloading the wp-config.php file.
description: "WordPress plugin Cherry < 1.2.7 has a vulnerability which enables an attacker to upload files directly to the server. This could result in attacker uploading backdoor shell scripts or downloading the wp-config.php file."
reference:
- https://wpscan.com/vulnerability/90034817-dee7-40c9-80a2-1f1cd1d033ee
- https://support.alertlogic.com/hc/en-us/articles/115003048083-06-19-17-WordPress-CMS-Cherry-Plugin-Arbitrary-File-Upload-RCE
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cve-id:
cwe-id: CWE-22
tags: wordpress,wp-plugin,lfi,wp
requests:
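Review bot: the new `description:` drops the download half of the bug and then says the result could be "downloading the wp-config.php file", which no longer follows from "enables an attacker to upload files directly to the server"; the previous wording ("unauthenticated file upload and download vulnerability") matched the `name:`, which still says "Arbitrary File Upload and Download". Either restore both halves or trim the consequence clause. The same `S:C` remark as for the other file-read templates in this commit applies to the added vector.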
@ -27,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/21