Dashboard Content Enhancements (#4268)

Dashboard Content Enhancements
patch-1
MostInterestingBotInTheWorld 2022-04-29 15:58:07 -04:00 committed by GitHub
parent cda9ed0480
commit 44520223c1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
65 changed files with 321 additions and 239 deletions

View File

@ -1,7 +1,7 @@
id: CVE-2014-8682
info:
name: Gogs - 'users'/'repos' '?q' SQL Injection
name: Gogs (Go Git Service) - SQL Injection
author: dhiyaneshDK,daffainfo
severity: high
description: Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.
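Review bot: The new name drops both the affected version range and the injection point, while other renames in this commit (e.g. "Apache Struts 2.0.0-2.5.25 - Remote Code Execution") carry the range in the name; consider "Gogs 0.3.1-9 - 0.5.6.1105 - SQL Injection" or at least keeping the `q` parameter from the old name, since the description is the only place that information now survives.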
@ -40,4 +40,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/02/25
# Enhanced by mp on 2022/04/26

View File

@ -11,6 +11,8 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2015-3224
tags: cve,cve2015,rce,rails,ruby
description: "request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request."
classification:
cve-id: CVE-2015-3224
requests:
- method: GET
@ -36,4 +38,4 @@ requests:
- "data-remote-path="
- "data-session-id="
case-insensitive: true
condition: or
condition: or
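Review bot: The `condition: or` line is replaced by an identical `condition: or`, so this is an indentation-only change; please confirm it still sits inside the `words` matcher block rather than at the `matchers` level, because in a nuclei template the two positions have different meanings and the rendered diff hides the whitespace.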

View File

@ -1,18 +1,15 @@
id: CVE-2017-12629
info:
name: Apache Solr <= 7.1 XML entity injection
name: Apache Solr <= 7.1 - XML Entity Injection
author: dwisiswant0
severity: critical
description: Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener
class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query
request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server.
Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.
description: "Apache Solr with Apache Lucene before 7.1 is susceptible to remote code execution by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr."
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2017-12629
- https://twitter.com/honoki/status/1298636315613974532
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-RCE
- https://nvd.nist.gov/vuln/detail/CVE-2017-12629
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
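Review bot: The new name says "Apache Solr <= 7.1" while the description (and the dropped original wording "Apache Solr before 7.1") says the fix landed in 7.1, so the name should read "< 7.1"; the rewritten description also lost the explicit Solr version bound and now only bounds Lucene ("Apache Solr with Apache Lucene before 7.1"). Suggest restoring "Apache Solr before 7.1 with Apache Lucene before 7.1 is susceptible to ...".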
@ -43,3 +40,5 @@ requests:
group: 1
regex:
- '"name"\:"(.*?)"'
# Enhanced by mp on 2022/04/26

View File

@ -1,11 +1,11 @@
id: CVE-2017-12794
info:
name: Django debug page XSS
name: Django Debug Page - Cross-Site Scripting
author: pikpikcu
severity: medium
description: |
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.
Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5 has HTML autoescaping disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allows a cross-site scripting attack. This vulnerability shouldn't affect most production sites since run with "DEBUG = True" is not on by default (which is what makes the page visible).
reference:
- https://twitter.com/sec715/status/1406779605055270914
- https://nvd.nist.gov/vuln/detail/CVE-2017-12794
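Review bot: The rewritten last sentence changes the meaning and is ungrammatical: the original says production sites should not run with "DEBUG = True"; the new text says 'run with "DEBUG = True" is not on by default (which is what makes the page visible)'. Suggest: 'This vulnerability shouldn't affect most production sites, since "DEBUG = True" (which makes this page accessible) should not be set in production.'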
@ -36,3 +36,5 @@ requests:
words:
- "text/html"
part: header
# Enhanced by mp on 2022/04/26

View File

@ -1,10 +1,10 @@
id: CVE-2017-14537
info:
name: Trixbox 2.8.0 Path Traversal
name: Trixbox 2.8.0 - Path Traversal
author: pikpikcu
severity: medium
description: Trixbox 2.8.0.4 is susceptible to path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.
description: "Trixbox 2.8.0.4 is susceptible to path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php."
reference:
- https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
- https://nvd.nist.gov/vuln/detail/CVE-2017-14537
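Review bot: The name keeps "Trixbox 2.8.0" while the description states the affected version as 2.8.0.4; since this commit is normalising names, align the name to "Trixbox 2.8.0.4 - Path Traversal".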
@ -48,4 +48,4 @@ requests:
- "root:.*:0:0:"
part: body
# Enhanced by mp on 2022/04/01
# Enhanced by mp on 2022/04/26

View File

@ -1,13 +1,15 @@
id: CVE-2017-15287
info:
name: Dreambox WebControl Reflected XSS
name: Dreambox WebControl 2.0.0 - Cross-Site Scripting
author: pikpikcu
severity: medium
description: There is XSS in the BouquetEditor WebPlugin for Dream Multimedia Dreambox devices, as demonstrated by the "Name des Bouquets" field, or the file parameter to the /file URI.
description: |
Dream Multimedia Dreambox devices via their WebControl component are vulnerable to reflected cross-site scripting, as demonstrated by the "Name des Bouquets" field, or the file parameter to the /file URI.
reference:
- https://fireshellsecurity.team/assets/pdf/Vulnerability-XSS-Dreambox.pdf
- https://www.exploit-db.com/exploits/42986/
- https://nvd.nist.gov/vuln/detail/CVE-2017-15287
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
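Review bot: The new name adds a version ("Dreambox WebControl 2.0.0") that appears nowhere in the description or the old name, and the rewritten description drops the original's "BouquetEditor WebPlugin" component in favour of "WebControl component"; either cite where 2.0.0 and the WebControl attribution come from, or keep the original component name and leave the version out of the name.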
@ -26,3 +28,5 @@ requests:
- type: word
words:
- 'Unknown command: <script>alert(document.cookie)</script>'
# Enhanced by mp on 2022/04/26

View File

@ -1,13 +1,15 @@
id: CVE-2017-15944
info:
name: PreAuth RCE on Palo Alto GlobalProtect
name: Palo Alto Network PAN-OS - Remote Code Execution
author: emadshanab,milo2012
severity: critical
description: Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface.
description: Palo Alto Network PAN-OS and Panorama before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface.
reference:
- https://www.exploit-db.com/exploits/43342
- https://security.paloaltonetworks.com/CVE-2017-15944
- http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-15944
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
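Review bot: Vendor name typo in the new name and description: "Palo Alto Network" should be "Palo Alto Networks" (as in the original description). The rewritten description also adds "and Panorama" to the affected products, which the original description and the name do not mention; add a reference supporting it or drop it. Minor: with a plural subject the verb should be "allow", not "allows".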
@ -30,4 +32,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/04/26

View File

@ -4,7 +4,7 @@ info:
name: Ulterius Server < 1.9.5.0 - Directory Traversal
author: geeknik
severity: high
description: Ulterius before 1.9.5.0 allows HTTP server directory traversal via the process function in RemoteTaskServer/WebServer/HttpServer.cs.
description: "Ulterius Server before 1.9.5.0 allows HTTP server directory traversal via the process function in RemoteTaskServer/WebServer/HttpServer.cs."
reference:
- https://www.exploit-db.com/exploits/43141
- https://nvd.nist.gov/vuln/detail/CVE-2017-16806
@ -33,4 +33,5 @@ requests:
condition: or
part: body
# Enhanced by mp on 2022/04/20
# Enhanced by mp on 2022/04/26

View File

@ -1,12 +1,13 @@
id: CVE-2017-5638
info:
name: Apache Struts2 RCE
name: Apache Struts 2 - Remote Command Execution
author: Random_Robbie
severity: critical
description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker's invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
description: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is vulnerable to remote command injection attacks through incorrectly parsing an attacker's invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
reference:
- https://github.com/mazen160/struts-pwn
- https://nvd.nist.gov/vuln/detail/CVE-2017-5638
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
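Review bot: The description now carries the version range (2.3.x before 2.3.32 and 2.5.x before 2.5.10.1) but the name is still "Apache Struts 2 - Remote Command Execution"; for consistency with the other renames in this commit consider "Apache Struts 2.3.x < 2.3.32 / 2.5.x < 2.5.10.1 - Remote Command Execution".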
@ -28,3 +29,5 @@ requests:
words:
- "X-Hacker: Bounty Plz"
part: header
# Enhanced by mp on 2022/04/26

View File

@ -1,16 +1,14 @@
id: CVE-2017-7921
info:
name: Hikvision Authentication Bypass
name: Hikvision - Authentication Bypass
author: princechaddha
severity: critical
description: An Improper Authentication issue was discovered in Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401, DS-2CD2xx2FWD
Series V5.3.1 build 150410 to V5.4.4 Build 161125, DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414, DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421, DS-2DFx Series V5.2.0 build 140805
to V5.4.5 Build 160928, and DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build 160106 devices. The improper authentication vulnerability occurs when an application does not adequately or correctly authenticate
users. This may allow a malicious user to escalate his or her privileges on the system and gain access to sensitive information.
description: Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401, DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125, DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414, DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421, DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928, and DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build 160106 devices contain an improper authentication issue. The improper authentication vulnerability occurs when an application does not adequately or correctly authenticate users. This may allow a malicious user to escalate his or her privileges on the system and gain access to sensitive information.
reference:
- http://www.hikvision.com/us/about_10805.html
- https://ics-cert.us-cert.gov/advisories/ICSA-17-124-01
- https://nvd.nist.gov/vuln/detail/CVE-2017-7921
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
@ -34,3 +32,5 @@ requests:
words:
- "application/xml"
part: header
# Enhanced by mp on 2022/04/26

View File

@ -1,12 +1,13 @@
id: CVE-2017-9822
info:
name: DotNetNuke Cookie Deserialization Remote Code Execution (RCE)
name: DotNetNuke 5.0.0 - 9.3.0 - Cookie Deserialization Remote Code Execution
author: milo2012
severity: high
description: DotNetNuke (DNN) versions between 5.0.0 - 9.3.0 are affected to deserialization vulnerability that leads to Remote Code Execution (RCE)
description: DotNetNuke (DNN) versions between 5.0.0 - 9.3.0 are affected by a deserialization vulnerability that leads to remote code execution.
reference:
- https://github.com/murataydemir/CVE-2017-9822
- https://nvd.nist.gov/vuln/detail/CVE-2017-9822
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
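Review bot: The new name "DotNetNuke 5.0.0 - 9.3.0 - Cookie Deserialization Remote Code Execution" uses " - " both as the version-range dash and as the name separator, which reads ambiguously; prefer "DotNetNuke 5.0.0-9.3.0 - ..." (matching the Struts rename in this commit). In the description, "versions between 5.0.0 - 9.3.0" should be "versions 5.0.0 through 9.3.0".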
@ -35,3 +36,5 @@ requests:
- type: status
status:
- 404
# Enhanced by mp on 2022/04/26

View File

@ -1,7 +1,7 @@
id: CVE-2018-10201
info:
name: Ncomputing vSPace Pro 10 and 11 Directory Traversal
name: Ncomputing vSPace Pro 10 and 11 - Directory Traversal
author: 0x_akoko
severity: high
description: Ncomputing vSpace Pro versions 10 and 11 suffer from a directory traversal vulnerability.
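Review bot: Product name typo carried into the new name: "vSPace" should be "vSpace", as spelled in the description on the line below.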
@ -32,3 +32,5 @@ requests:
- "fonts"
- "extensions"
condition: and
# Enhanced by mp on 2022/04/26

View File

@ -1,14 +1,14 @@
id: CVE-2018-10818
info:
name: LG NAS Devices - Remote Code Execution (Unauthenticated)
name: LG NAS Devices - Remote Code Execution
author: gy741
severity: critical
description: The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices. You cannot simply log in with any random username and password. However,
there lies a command injection vulnerability in the "password" parameter.
description: LG NAS devices contain a pre-auth remote command injection via the "password" parameter.
reference:
- https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/
- https://medium.com/@0x616163/lg-n1a1-unauthenticated-remote-command-injection-cve-2018-14839-9d2cf760e247
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10818
classification:
cve-id: CVE-2018-10818
tags: cve,cve2018,lg-nas,rce,oast,injection
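Review bot: Two reference problems in this hunk: the MITRE URL is missing the "CVE-" prefix (`name=2018-10818` should be `name=CVE-2018-10818`), and the medium.com link is, per its own URL, a write-up of CVE-2018-14839 rather than this CVE, so it should be annotated or replaced. The NVD page for CVE-2018-10818 is also absent while every other template in this commit gains one.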
@ -39,3 +39,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/26

View File

@ -1,12 +1,13 @@
id: CVE-2018-11784
info:
name: Apache Tomcat Open Redirect
name: Apache Tomcat - Open Redirect
author: geeknik
severity: medium
description: Apache Tomcat versions prior to 9.0.12, 8.5.34, and 7.0.91 are prone to an open-redirection vulnerability because it fails to properly sanitize user-supplied input.
reference:
- https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75@%3Cannounce.tomcat.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2018-11784
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
cvss-score: 4.3
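Review bot: The name drops the version bound while the description has it ("prior to 9.0.12, 8.5.34, and 7.0.91"); consider "Apache Tomcat < 9.0.12/8.5.34/7.0.91 - Open Redirect" to match the convention used elsewhere in this commit.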
@ -24,3 +25,5 @@ requests:
regex:
- "(?m)^(L|l)ocation: (((http|https):)?//(www.)?)?example.com"
part: header
# Enhanced by mp on 2022/04/26
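Review bot: Not part of this change, but since the matcher is visible here: the regex `(L|l)ocation: (((http|https):)?//(www.)?)?example.com` leaves the dots unescaped, so `example.com` also matches e.g. `exampleXcom` and `(www.)?` matches any four characters; escaping them (`example\.com`, `(www\.)?`) would match the stricter pattern used in the CVE-2018-14931 template in this same commit.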

View File

@ -4,10 +4,10 @@ info:
name: Schools Alert Management Script - Arbitrary File Read
author: wisnupramoedya
severity: high
description: Arbitrary File Read exists in PHP Scripts Mall Schools Alert Management Script via the f parameter in img.php, aka absolute path traversal.
description: "Schools Alert Management Script is susceptible to an arbitrary file read vulnerability via the f parameter in img.php, aka absolute path traversal."
reference:
- https://www.exploit-db.com/exploits/44874
- https://www.cvedetails.com/cve/CVE-2018-12054
- https://nvd.nist.gov/vuln/detail/CVE-2018-12054
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
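Review bot: The rewritten description drops the vendor ("PHP Scripts Mall") that the original carried, and "Schools Alert Management Script" alone is hard to attribute; suggest "PHP Scripts Mall Schools Alert Management Script is susceptible to ...".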
@ -30,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/26

View File

@ -4,7 +4,7 @@ info:
name: Polarisft Intellect Core Banking Software Version 9.7.1 - Open Redirect
author: 0x_Akoko
severity: low
description: An issue was discovered in the Core and Portal modules in Polaris FT Intellect Core Banking 9.7.1. An open redirect exists via a /IntellectMain.jsp?IntellectSystem= URI.
description: "Polarisft Intellect Core Banking Software Version 9.7.1 is susceptible to an open redirect issue in the Core and Portal modules via the /IntellectMain.jsp?IntellectSystem= URI."
reference:
- https://neetech18.blogspot.com/2019/03/polaris-intellect-core-banking-software_31.html
- https://www.cvedetails.com/cve/CVE-2018-14931
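Review bot: The new description copies the vendor spelling "Polarisft" from the name, whereas the original description had "Polaris FT Intellect Core Banking"; use the spelled-out vendor in both name and description. Also, "Version 9.7.1" mid-name is inconsistent with the "Product 9.7.1 - Issue" form used by the other renames here.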
@ -26,3 +26,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by mp on 2022/04/26

View File

@ -4,10 +4,10 @@ info:
name: WordPress Plugin Wechat Broadcast 1.2.0 - Local File Inclusion
author: 0x240x23elu
severity: critical
description: The Wechat Broadcast plugin 1.2.0 and earlier for WordPress allows Directory Traversal via the Image.php url parameter.
description: WordPress Wechat Broadcast plugin 1.2.0 and earlier allows Directory Traversal via the Image.php url parameter.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2018-16283
- https://www.exploit-db.com/exploits/45438
- https://nvd.nist.gov/vuln/detail/CVE-2018-16283
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -25,3 +25,5 @@ requests:
regex:
- "root:.*:0:0:"
part: body
# Enhanced by mp on 2022/04/26

View File

@ -1,14 +1,12 @@
id: CVE-2019-17558
info:
name: Apache Solr 8.3.0 - Remote Code Execution via Velocity Template
name: Apache Solr <=8.3.1 - Remote Code Execution
author: pikpikcu,madrobot
severity: high
description: Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/`
directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled`
by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided
template rendering when the configset is `trusted` (has been uploaded by an authenticated user).
description: "Apache Solr versions 5.0.0 to 8.3.1 are vulnerable to remote code execution vulnerabilities through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/ directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user)."
reference:
- https://issues.apache.org/jira/browse/SOLR-13971
- https://nvd.nist.gov/vuln/detail/CVE-2019-17558
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
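Review bot: The rewritten description has two unbalanced backticks that the original did not: "`velocity/ directory" and "`params.resource.loader.enabled by" are missing their closing backticks (the original had `velocity/` and `params.resource.loader.enabled`). Also "vulnerable to remote code execution vulnerabilities" is redundant; "vulnerable to remote code execution" suffices.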
@ -62,3 +60,5 @@ requests:
group: 1
regex:
- '"name"\:"(.*?)"'
# Enhanced by mp on 2022/04/27

View File

@ -1,12 +1,14 @@
id: CVE-2020-14092
info:
name: WordPress Payment Form For Paypal Pro Unauthenticated SQL Injection
name: WordPress PayPal Pro <1.1.65- SQL Injection
author: princechaddha
severity: critical
description: WordPress Payment Form For Paypal Pro 'query' parameter allows for any unauthenticated user to perform SQL queries with result output to a web page in JSON format.
description: "WordPress PayPal Pro plugin before 1.1.65 is susceptible to SQL injection via the 'query' parameter which allows for any unauthenticated user to perform SQL queries with the results output to a web page in JSON format."
reference:
- https://wpscan.com/vulnerability/10287
- https://wordpress.dwbooster.com/forms/payment-form-for-paypal-pro
- https://nvd.nist.gov/vuln/detail/CVE-2020-14092
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
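Review bot: The new name "WordPress PayPal Pro <1.1.65- SQL Injection" is missing the space before the separator ("<1.1.65 - SQL Injection"), and it drops the actual plugin name: the original name and the dwbooster reference both call it "Payment Form For PayPal Pro", and "PayPal Pro" on its own is ambiguous.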
@ -37,3 +39,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/27

View File

@ -1,16 +1,17 @@
id: CVE-2020-14882
info:
name: Oracle Weblogic Pre-Auth Remote Command Execution
name: Oracle Weblogic Server - Remote Command Execution
author: dwisiswant0
severity: critical
description: An easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server.
description: Oracle WebLogic Server contains an easily exploitable remote command execution vulnerability which allows unauthenticated attackers with network access via HTTP to compromise the server.
reference:
- https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://twitter.com/jas502n/status/1321416053050667009
- https://youtu.be/JFVDOIL0YtA
- https://github.com/jas502n/CVE-2020-14882#eg
- https://nvd.nist.gov/vuln/detail/CVE-2020-14882
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
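Review bot: Product capitalisation is inconsistent between the name ("Oracle Weblogic Server") and the description ("Oracle WebLogic Server"); use "WebLogic" in both. The old name's "Pre-Auth" was informative and the description still says "unauthenticated", so consider keeping it in the name.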
@ -34,4 +35,5 @@ requests:
words:
- "http"
# Enhanced by mp on 2022/02/08
# Enhanced by mp on 2022/04/27

View File

@ -4,7 +4,7 @@ info:
name: Yii 2 < 2.0.38 - Remote Code Execution
author: pikpikcu
severity: critical
description: Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input.
description: "Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input."
reference:
- https://blog.csdn.net/xuandao_ahfengren/article/details/111259943
- https://github.com/nosafer/nosafer.github.io/blob/227a05f5eff69d32a027f15d6106c6d735124659/docs/Web%E5%AE%89%E5%85%A8/Yii2/%EF%BC%88CVE-2020-15148%EF%BC%89Yii2%E6%A1%86%E6%9E%B6%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E.md
@ -33,4 +33,4 @@ requests:
status:
- 500
# Enhanced by mp on 2022/04/19
# Enhanced by mp on 2022/04/27

View File

@ -1,16 +1,15 @@
id: CVE-2020-15227
info:
name: Nette Framework RCE
name: Nette Framework - Remote Code Execution
author: becivells
severity: critical
description: Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE. Nette
is a PHP/Composer MVC Framework.
description: "Nette Framework versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, and 3.0.6 are vulnerable to a code injection attack via specially formed parameters being passed to a URL. Nette is a PHP/Composer MVC Framework."
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-15227
- https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94
- https://www.pwnwiki.org/index.php?title=CVE-2020-15227_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E#
- https://github.com/Mr-xn/Penetration_Testing_POC/blob/02546075f378a9effeb6426fc17beb66b6d5c8ee/books/Nette%E6%A1%86%E6%9E%B6%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C(CVE-2020-15227).md
- https://nvd.nist.gov/vuln/detail/CVE-2020-15227
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -33,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/27

View File

@ -6,16 +6,16 @@ id: CVE-2020-15505
# it will return a 403 or 500 internal server error. Reference[3].
info:
name: RCE in MobileIron Core & Connector <= v10.6 & Sentry <= v9.8
name: MobileIron Core & Connector <= v10.6 & Sentry <= v9.8 - Remote Code Execution
author: dwisiswant0
severity: critical
description: |
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors.
description: "A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier contain a vulnerability that allows remote attackers to execute arbitrary code via unspecified vectors."
reference:
- https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html
- https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505
- https://github.com/iamnoooob/CVE-Reverse/blob/master/CVE-2020-15505/hessian.py#L10
- https://github.com/orangetw/JNDI-Injection-Bypass
- https://nvd.nist.gov/vuln/detail/CVE-2020-15505
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
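Review bot: The rewritten description is now grammatically broken: it opens with "A remote code execution vulnerability in MobileIron Core & Connector versions ..." and ends "... contain a vulnerability that allows remote attackers ...", so the subject is "a vulnerability" and the verb is "contain a vulnerability". Suggest starting with the products: "MobileIron Core & Connector versions ...; Sentry versions ...; and Monitor and Reporting Database (RDB) version ... contain a remote code execution vulnerability that allows ...".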
@ -41,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/27

View File

@ -1,13 +1,13 @@
id: CVE-2020-15568
info:
name: TerraMaster TOS v4.1.24 RCE
name: TerraMaster TOS <.1.29 - Remote Code Execution
author: pikpikcu
severity: critical
description: TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker
can trigger a call to the exec method with (for example) OS commands in the opt parameter.
description: "TerraMaster TOS before 4.1.29 has invalid parameter checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter."
reference:
- https://ssd-disclosure.com/ssd-advisory-terramaster-os-exportuser-php-remote-code-execution/
- https://nvd.nist.gov/vuln/detail/CVE-2020-15568
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
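Review bot: The new name "TerraMaster TOS <.1.29" has lost the major version digit; per the description the bound is 4.1.29, so it should be "TerraMaster TOS < 4.1.29 - Remote Code Execution".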
@ -36,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/27

View File

@ -1,17 +1,15 @@
id: CVE-2020-16846
info:
name: SaltStack Shell Injection
name: SaltStack <=3002 - Shell Injection
author: dwisiswant0
severity: critical
description: |
SaltStack Salt through 3002. Sending crafted web requests to the Salt API,
with the SSH client enabled, can result in shell injection.
This template supports the detection part only. See references.
description: SaltStack Salt through 3002 allows an unauthenticated user with network access to the Salt API to use shell injections to run code on the Salt-API using the SSH client.
reference:
- https://saltproject.io/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/
- https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag
- https://github.com/vulhub/vulhub/tree/master/saltstack/CVE-2020-16846
- https://nvd.nist.gov/vuln/detail/CVE-2020-16846
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
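Review bot: The rewritten description drops "This template supports the detection part only. See references.", which is an operational caveat for whoever runs the template, not filler; if it does not belong in the description, move it to a YAML comment next to the request block rather than deleting it.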
@ -38,4 +36,6 @@ requests:
- type: word
words:
- "An unexpected error occurred"
part: body
part: body
# Enhanced by mp on 2022/04/27

View File

@ -1,10 +1,10 @@
id: CVE-2020-17456
info:
name: Seowon SLC-130 And SLR-120S - Unauthenticated Remote Code Execution
name: SEOWON INTECH SLC-130 & SLR-120S - Unauthenticated Remote Code Execution
author: gy741,edoardottt
severity: critical
description: SEOWON INTECH SLC-130 And SLR-120S devices allow Remote Code Execution via the ipAddr parameter to the system_log.cgi page.
description: "SEOWON INTECH SLC-130 and SLR-120S devices allow remote code execution via the ipAddr parameter to the system_log.cgi page."
reference:
- https://maj0rmil4d.github.io/Seowon-SlC-130-And-SLR-120S-Exploit/
- https://nvd.nist.gov/vuln/detail/CVE-2020-17456
@ -47,4 +47,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/04/27

View File

@ -1,10 +1,10 @@
id: CVE-2020-17496
info:
name: vBulletin Pre-Auth Remote Command Execution
name: vBulletin 5.5.4 - 5.6.2- Remote Command Execution
author: pussycat0x
severity: critical
description: 'vBulletin versions 5.5.4 through 5.6.2 allow remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.'
description: "vBulletin versions 5.5.4 through 5.6.2 allow remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759."
reference:
- https://www.tenable.com/blog/zero-day-remote-code-execution-vulnerability-in-vbulletin-disclosed
- https://nvd.nist.gov/vuln/detail/CVE-2020-17496
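Review bot: The new name "vBulletin 5.5.4 - 5.6.2- Remote Command Execution" is missing the space before the separator and uses " - " for both the range and the separator; suggest "vBulletin 5.5.4-5.6.2 - Remote Command Execution". The old name's "Pre-Auth" qualifier was also useful and could be kept.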
@ -34,4 +34,5 @@ requests:
status:
- 200
# Enhanced by mp on 2022/04/01
# Enhanced by mp on 2022/04/27

View File

@ -1,12 +1,13 @@
id: CVE-2020-17506
info:
name: Artica Web Proxy 4.30 Authentication Bypass
name: Artica Web Proxy 4.30 - Authentication Bypass/SQL Injection
author: dwisiswant0
severity: critical
description: Artica Web Proxy 4.30.00000000 allows remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php.
reference:
- https://blog.max0x4141.com/post/artica_proxy/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17506
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -40,3 +41,5 @@ requests:
- type: kval
kval:
- "PHPSESSID"
# Enhanced by mp on 2022/04/27

View File

@ -1,16 +1,16 @@
id: CVE-2020-17530
info:
name: Apache Struts RCE
name: Apache Struts 2.0.0-2.5.25 - Remote Code Execution
author: pikpikcu
severity: critical
description: |
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
description: Apache Struts 2.0.0 through Struts 2.5.25 is susceptible to remote code execution because forced OGNL evaluation, when evaluated on raw user input in tag attributes, may allow it.
reference:
- http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
- http://jvn.jp/en/jp/JVN43969166/index.html
- https://cwiki.apache.org/confluence/display/WW/S2-061
- https://security.netapp.com/advisory/ntap-20210115-0005/
- https://nvd.nist.gov/vuln/detail/CVE-2020-17530
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
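Review bot: The rewritten description reads awkwardly ("is susceptible to remote code execution because forced OGNL evaluation, when evaluated on raw user input in tag attributes, may allow it."); suggest "Apache Struts 2.0.0 through 2.5.25 is susceptible to remote code execution via forced OGNL evaluation of raw user input in tag attributes."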
@ -29,3 +29,5 @@ requests:
regex:
- "root:.*:0:0:"
part: body
# Enhanced by mp on 2022/04/27

View File

@ -1,19 +1,13 @@
id: CVE-2020-1938
info:
name: Ghostcat - Apache Tomcat AJP File Read/Inclusion Vulnerability
name: Ghostcat - Apache Tomcat - AJP File Read/Inclusion Vulnerability
author: milo2012
severity: critical
description: When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar
HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped
with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability
report identified a mechanism that allowed - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload
and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made
remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector
that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31
to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
description: When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
reference:
- https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
- https://nvd.nist.gov/vuln/detail/CVE-2020-1938
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
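Review bot: The reflowed `description` still carries the flattened bullet list from the original advisory: `allowed - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further,` reads as two stray dashes and a missing full stop. Since this is the content pass, turn it into a sentence, e.g. `allowed returning arbitrary files from anywhere in the web application and processing any file in the web application as a JSP. Further, ...`. The new `name` also uses two ` - ` separators (`Ghostcat - Apache Tomcat - AJP File Read/Inclusion Vulnerability`), unlike the `Product <version> - Vulnerability` form used by the other renames in this commit; `Apache Tomcat - Ghostcat AJP File Read/Inclusion` with the affected ranges already given in the description (9.0.0.M1-9.0.0.30, 8.5.0-8.5.50, 7.0.0-7.0.99) would match that convention.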
@ -35,3 +29,5 @@ network:
- type: word
words:
- "See the NOTICE file distributed with"
# Enhanced by mp on 2022/04/27

View File

@ -1,12 +1,14 @@
id: CVE-2020-19625
info:
name: Gridx 1.3 RCE
name: Gridx 1.3 - Remote Code Execution
author: geeknik
severity: critical
description: Remote Code Execution vulnerability in tests/support/stores/test_grid_filter.php in oria gridx 1.3, allows remote attackers to execute arbitrary code, via crafted value to the $query parameter.
description: |
Gridx 1.3 is susceptible to remote code execution via tests/support/stores/test_grid_filter.php, which allows remote attackers to execute arbitrary code via crafted values submitted to the $query parameter.
reference:
- https://github.com/oria/gridx/issues/433
- https://nvd.nist.gov/vuln/detail/CVE-2020-19625
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
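Review bot: The `description` here switches to a `|` block scalar while nearly every other description touched in this commit is rewritten as a double-quoted one-line string; pick one form for the whole pass. The vendor `oria` (the GitHub org in the reference URL) was also dropped from both `name` and `description`, whereas other renames in this commit add the vendor (Agentejo, PHPGurukul, Belkin); `oria Gridx 1.3 - Remote Code Execution` keeps it.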
@ -34,3 +36,5 @@ requests:
group: 1
regex:
- '<h1 class=\"p\">PHP Version ([0-9.]+)<\/h1>'
# Enhanced by mp on 2022/04/27

View File

@ -1,10 +1,10 @@
id: CVE-2020-20982
info:
name: Shadoweb Wdja v1.5.1 xss
name: shadoweb wdja v1.5.1 - Cross-Site Scripting
author: pikpikcu
severity: critical
description: Cross Site Scripting (XSS) vulnerability in shadoweb wdja v1.5.1, allows attackers to execute arbitrary code and gain escalated privileges, via the backurl parameter to /php/passport/index.php.
description: "shadoweb wdja v1.5.1 is susceptible to cross-site scripting because it allows attackers to execute arbitrary code and gain escalated privileges via the backurl parameter to /php/passport/index.php."
reference:
- https://github.com/shadoweb/wdja/issues/1
- https://nvd.nist.gov/vuln/detail/CVE-2020-20982
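Review bot: The rewritten `description` inverts cause and effect: `is susceptible to cross-site scripting because it allows attackers to execute arbitrary code` presents the impact as the cause. State the issue and its location first, then the impact: `shadoweb wdja v1.5.1 is susceptible to cross-site scripting via the backurl parameter to /php/passport/index.php, which allows attackers to execute arbitrary code and gain escalated privileges.`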
@ -33,3 +33,5 @@ requests:
part: header
words:
- 'text/html'
# Enhanced by mp on 2022/04/27

View File

@ -1,7 +1,7 @@
id: CVE-2020-21224
info:
name: Inspur ClusterEngine V4.0 Remote Code Execution
name: Inspur ClusterEngine 4.0 - Remote Code Execution
author: pikpikcu
severity: critical
description: Inspur ClusterEngine V4.0 is suscptible to a remote code execution vulnerability. A remote attacker can send a malicious login packet to the control server.
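Review bot: The unchanged `description` line still carries the typo `suscptible` (should be `susceptible`); since this hunk already edits the `info` block for the content pass, fix it here rather than leaving it for another round.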
@ -38,4 +38,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/03/27
# Enhanced by mp on 2022/04/28

View File

@ -1,15 +1,15 @@
id: CVE-2020-3187
info:
name: CVE-2020-3187
name: Cisco Adaptive Security Appliance Software/Cisco Firepower Threat Defense - Directory Traversal
author: KareemSe1im
severity: critical
description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to
conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted system.
description: Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software are susceptible to directory traversal vulnerabilities that could allow an unauthenticated, remote attacker to obtain read and delete access to sensitive files on a targeted system.
reference:
- https://twitter.com/aboul3la/status/1286809567989575685
- http://packetstormsecurity.com/files/158648/Cisco-Adaptive-Security-Appliance-Software-9.7-Arbitrary-File-Deletion.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43
- https://nvd.nist.gov/vuln/detail/CVE-2020-3187
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.1
@ -33,3 +33,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/28

View File

@ -1,34 +1,36 @@
id: CVE-2020-35338
id: CVE-2020-35338
info:
author: Jeya Seelan
severity: critical
name: Wireless Multiplex Terminal Playout Server <=20.2.8 - Default Credential Detection
description: Wireless Multiplex Terminal Playout Server <=20.2.8 has a default account with a password of pokon available via its web administrative interface.
reference:
- https://jeyaseelans.medium.com/cve-2020-35338-9e841f48defa
- https://nvd.nist.gov/vuln/detail/CVE-2020-35338
tags: cve,cve2020,wmt,default-login
info:
author: Jeya Seelan
severity: critical
name: Default Credentials of WMT Server
description: The Web Administrative Interface in Mobile Viewpoint Wireless Multiplex Terminal (WMT) Playout Server 20.2.8 and earlier has a default account with a password of pokon.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-35338
- https://jeyaseelans.medium.com/cve-2020-35338-9e841f48defa
tags: cve,cve2020,wmt,default-login
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2020-35338
cwe-id: CWE-798
requests:
- method: GET
path:
- "{{BaseURL}}/server/"
headers:
Authorization: "Basic OnBva29u"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<title>WMT Server playout"
requests:
- method: GET
path:
- "{{BaseURL}}/server/"
headers:
Authorization: "Basic OnBva29u"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<title>WMT Server playout"
# Enhanced by mp on 2022/04/28
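Review bot: The rewrite drops the vendor: the old `description` named `Mobile Viewpoint Wireless Multiplex Terminal (WMT) Playout Server`, while the new `name` and `description` say only `Wireless Multiplex Terminal Playout Server`, even though other renames in this commit add the vendor to the name (Agentejo, PHPGurukul, Belkin). Suggest `Mobile Viewpoint WMT Playout Server <=20.2.8 - Default Login`: `Default Credential Detection` describes what the template does rather than the weakness, and the `default-login` tag already uses that wording. Also `cvss-score: 9.80` should be `9.8` to match every other template in the diff.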

View File

@ -1,12 +1,13 @@
id: CVE-2020-35476
info:
name: OpenTSDB 2.4.0 Remote Code Execution
name: OpenTSDB <= 2.4.0 - Remote Code Execution
author: pikpikcu
severity: critical
description: A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory.
description: "OpenTSDB through 2.4.0 and earlier is susceptible to remote code execution via the yrange parameter written to a gnuplot file in the /tmp directory."
reference:
- https://github.com/OpenTSDB/opentsdb/issues/2051
- https://nvd.nist.gov/vuln/detail/CVE-2020-35476
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
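Review bot: The new `description` is both redundant and less precise than the old one: `through 2.4.0 and earlier` says the same thing twice, and `remote code execution via the yrange parameter written to a gnuplot file` loses the mechanism the old text stated (command injection in `yrange`). Suggest: `OpenTSDB through 2.4.0 is susceptible to remote code execution via command injection in the yrange parameter, whose value is written to a gnuplot file in the /tmp directory.`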
@ -35,4 +36,6 @@ requests:
- type: word
words:
- application/json
part: header
part: header
# Enhanced by mp on 2022/04/28

View File

@ -1,10 +1,10 @@
id: CVE-2020-35489
info:
name: WordPress Contact Form 7 Plugin - Unrestricted File Upload
name: WordPress Contact Form 7 - Unrestricted File Upload
author: soyelmago
severity: critical
description: The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.
description: WordPress Contact Form 7 before 5.3.2 allows unrestricted file upload and remote code execution because a filename may contain special characters.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-35489
classification:
@ -48,3 +48,5 @@ requests:
- type: dsl
dsl:
- compare_versions(version, '< 5.3.2')
# Enhanced by mp on 2022/04/28

View File

@ -1,12 +1,14 @@
id: CVE-2020-35713
info:
name: Linksys RE6500 Pre-Auth RCE
name: Belkin Linksys RE6500 <1.0.012.001 - Remote Command Execution
author: gy741
severity: critical
description: Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to execute arbitrary commands or set a new password via shell metacharacters to the goform/setSysAdm page.
description: "Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to execute arbitrary commands or set a new password via shell metacharacters to the goform/setSysAdm page."
reference:
- https://downloads.linksys.com/support/assets/releasenotes/ExternalReleaseNotes_RE6500_1.0.012.001.txt
- https://resolverblog.blogspot.com/2020/07/linksys-re6500-unauthenticated-rce-full.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-35713
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -30,3 +32,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/04/28

View File

@ -1,24 +1,13 @@
id: CVE-2020-35729
info:
name: Klog Server Unauthenticated Command Injection
name: Klog Server <=2.41- Unauthenticated Command Injection
author: dwisiswant0
severity: critical
description: |
This template exploits an unauthenticated command injection vulnerability
in Klog Server versions 2.4.1 and prior.
The `authenticate.php` file uses the `user` HTTP POST parameter in a call
to the `shell_exec()` PHP function without appropriate input validation,
allowing arbitrary command execution as the apache user.
The sudo configuration permits the apache user to execute any command
as root without providing a password, resulting in privileged command
execution as root.
Originated from Metasploit module, copyright (c) space-r7.
description: "Klog Server 2.4.1 and prior is susceptible to an unauthenticated command injection vulnerability. The `authenticate.php` file uses the `user` HTTP POST parameter in a call to the `shell_exec()` PHP function without appropriate input validation, allowing arbitrary command execution as the apache user. The sudo configuration permits the Apache user to execute any command as root without providing a password, resulting in privileged command execution as root. Originated from Metasploit module, copyright (c) space-r7."
reference:
- https://docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection
- https://nvd.nist.gov/vuln/detail/CVE-2020-35729
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
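Review bot: The new `name` has a version typo and a spacing error: `Klog Server <=2.41- Unauthenticated Command Injection` should read `Klog Server <=2.4.1 - Unauthenticated Command Injection` (the description says `2.4.1 and prior`). In the `description`, `apache user` and `Apache user` are now mixed across adjacent sentences, and the trailing `Originated from Metasploit module, copyright (c) space-r7.` is provenance for the template, not a description of the vulnerability; it belongs in a YAML comment or the `reference` list rather than the description string.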
@ -34,4 +23,6 @@ requests:
matchers:
- type: word
words:
- "poc-testing" # from Base64 decoding payload
- "poc-testing" # from Base64 decoding payload
# Enhanced by mp on 2022/04/28

View File

@ -1,14 +1,13 @@
id: CVE-2020-35846
info:
name: Cockpit prior to 0.12.0 NoSQL injection in /auth/check
name: Agentejo Cockpit < 0.11.2 NoSQL Injection
author: dwisiswant0
severity: critical
description: |
Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function.
The $eq operator matches documents where the value of a field equals the specified value.
description: "Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function. The $eq operator matches documents where the value of a field equals the specified value."
reference:
- https://swarm.ptsecurity.com/rce-cockpit-cms/
- https://nvd.nist.gov/vuln/detail/CVE-2020-35846
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
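Review bot: The rename loses the one detail that distinguished this template from CVE-2020-35847: the old name said `NoSQL injection in /auth/check`, the new `Agentejo Cockpit < 0.11.2 NoSQL Injection` does not mention the `check` function at all, and CVE-2020-35847 in this same commit becomes the near-identical `Agentejo Cockpit <0.11.2 NoSQL Injection`. Keep the entry point, e.g. `Agentejo Cockpit <0.11.2 - NoSQL Injection (auth/check)`, and add the ` - ` separator used elsewhere in the commit; `< 0.11.2` here versus `<0.11.2` in the sibling template should also be spelled the same way.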
@ -43,3 +42,5 @@ requests:
part: body
words:
- "password_verify() expects parameter"
# Enhanced by mp on 2022/04/28

View File

@ -1,11 +1,10 @@
id: CVE-2020-35847
info:
name: Cockpit prior to 0.12.0 NoSQL injection in /auth/resetpassword
name: Agentejo Cockpit <0.11.2 NoSQL Injection
author: dwisiswant0
severity: critical
description: |
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function of the Auth controller.
description: "Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function of the Auth controller."
reference:
- https://swarm.ptsecurity.com/rce-cockpit-cms/
- https://nvd.nist.gov/vuln/detail/CVE-2020-35847
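Review bot: Same problem as the CVE-2020-35846 rename: `Agentejo Cockpit <0.11.2 NoSQL Injection` drops `/auth/resetpassword`, so the two Cockpit NoSQL templates in this commit are now told apart only by their `id`, and the ` - ` separator before the vulnerability class is missing. Suggest `Agentejo Cockpit <0.11.2 - NoSQL Injection (auth/resetpassword)`.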
@ -35,4 +34,5 @@ requests:
regex:
- 'string\([0-9]{1,3}\)(\s)?"([A-Za-z0-9]+)"'
# Enhanced by mp on 2022/04/04
# Enhanced by mp on 2022/04/28

View File

@ -1,12 +1,11 @@
id: CVE-2020-35848
info:
name: Cockpit <0.12.0 NoSQL Injection
name: Agentejo Cockpit <0.12.0 - NoSQL Injection
author: dwisiswant0
severity: critical
description: |
newpassword method of the Auth controller,
which is responsible for displaying the user password reset form.
description: "Agentejo Cockpit prior to 0.12.0 is vulnerable to NoSQL Injection via the
newpassword method of the Auth controller, which is responsible for displaying the user password reset form."
reference:
- https://swarm.ptsecurity.com/rce-cockpit-cms/
- https://nvd.nist.gov/vuln/detail/CVE-2020-35848
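Review bot: The new `description` is a double-quoted scalar broken across two lines (`"Agentejo Cockpit prior to 0.12.0 is vulnerable to NoSQL Injection via the` / `newpassword method ...`). YAML folds the line break into a space, so it parses, but it is the only quoted description in the commit written that way; either join it onto one line like the others or keep the `|` block scalar the old template used. The old description began mid-sentence (`newpassword method of the Auth controller,`), so rewriting it is the right fix; just lowercase `NoSQL injection` to match the sibling 35846/35847 descriptions.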
@ -36,4 +35,4 @@ requests:
regex:
- 'string\([0-9]{1,3}\)(\s)?"rp-([a-f0-9-]+)"'
# Enhanced by mp on 2022/04/08
# Enhanced by mp on 2022/04/28

View File

@ -1,13 +1,13 @@
id: CVE-2020-35951
info:
name: Wordpress Quiz and Survey Master Arbitrary File Deletion
name: Wordpress Quiz and Survey Master <7.0.1 - Arbitrary File Deletion
author: princechaddha
severity: critical
description: |
An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows users to delete arbitrary files such as wp-config.php file, which could effectively take a site offline and allow an attacker to reinstall with a WordPress instance under their control. This occurred via qsm_remove_file_fd_question, which allowed unauthenticated deletions (even though it was only intended for a person to delete their own quiz-answer files).
description: "Wordpress Quiz and Survey Master <7.0.1 allows users to delete arbitrary files such as wp-config.php file, which could effectively take a site offline and allow an attacker to reinstall with a WordPress instance under their control. This occurred via qsm_remove_file_fd_question, which allowed unauthenticated deletions (even though it was only intended for a person to delete their own quiz-answer files)."
reference:
- https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-quiz-and-survey-master-plugin/
- https://nvd.nist.gov/vuln/detail/CVE-2020-35951
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
cvss-score: 9.9
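Review bot: `Wordpress` (lowercase p) survives in both the `name` and the new `description`, while the other WordPress templates in this commit (`WordPress Contact Form 7`, `WordPress Time Capsule`) spell it `WordPress`; fix the product name as part of the rename. The description's `allows users to delete arbitrary files` should say `unauthenticated users`, which is the point the same sentence makes later (`allowed unauthenticated deletions`).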
@ -65,4 +65,6 @@ requests:
- type: dsl
dsl:
- "contains((body_1), '# Quiz And Survey Master') && status_code_4==301 && !contains((body_4), '# Quiz And Survey Master')"
- "contains((body_1), '# Quiz And Survey Master') && status_code_4==301 && !contains((body_4), '# Quiz And Survey Master')"
# Enhanced by mp on 2022/04/28

View File

@ -1,14 +1,14 @@
id: CVE-2020-36112
info:
name: CSE Bookstore 1.0 SQL Injection
name: CSE Bookstore 1.0 - SQL Injection
author: geeknik
severity: critical
description: CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successful exploitation of this vulnerability
will lead to an attacker dumping the entire database.
description: "CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successful exploitation of this vulnerability will lead to an attacker dumping the entire database."
reference:
- https://www.exploit-db.com/exploits/49314
- https://www.tenable.com/cve/CVE-2020-36112
- https://nvd.nist.gov/vuln/detail/CVE-2020-36112
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -29,3 +29,5 @@ requests:
- "get book price failed! You have an error in your SQL syntax"
- "Can't retrieve data You have an error in your SQL syntax"
condition: or
# Enhanced by mp on 2022/04/28

View File

@ -1,13 +1,13 @@
id: CVE-2020-5307
info:
name: Dairy Farm Shop Management System - SQL Injection
name: PHPGurukul Dairy Farm Shop Management System 1.0 - SQL Injection
author: gy741
severity: critical
description: PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to SQL injection, as demonstrated by the username parameter in index.php, the category and CategoryCode parameters in add-category.php,
the CompanyName parameter in add-company.php, and the ProductName and ProductPrice parameters in add-product.php.
description: "PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to SQL injection, as demonstrated by the username parameter in index.php, the category and CategoryCode parameters in add-category.php, the CompanyName parameter in add-company.php, and the ProductName and ProductPrice parameters in add-product.php."
reference:
- https://cinzinga.com/CVE-2020-5307-5308/
- https://nvd.nist.gov/vuln/detail/CVE-2020-5307
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -34,3 +34,5 @@ requests:
- type: status
status:
- 302
# Enhanced by mp on 2022/04/28

View File

@ -1,12 +1,13 @@
id: CVE-2020-5777
info:
name: Remote Auth Bypass in MAGMI (Magento Mass Importer) Plugin <= v0.7.23
name: Magento Mass Importer <0.7.24 - Remote Auth Bypass
author: dwisiswant0
severity: critical
description: MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure.
description: "Magento Mass Importer (aka MAGMI) versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure."
reference:
- https://github.com/dweeves/magmi-git/blob/18bd9ec905c90bfc9eaed0c2bf2d3525002e33b9/magmi/inc/magmi_auth.php#L35
- https://nvd.nist.gov/vuln/detail/CVE-2020-5777
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
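Review bot: `Remote Auth Bypass` in the new `name` abbreviates what the CVE-2020-8771 rename in this commit spells out as `Authentication Bypass`; use the full term here as well (`Magento Mass Importer <0.7.24 - Remote Authentication Bypass`). Moving `(aka MAGMI)` into the description is a good change, since the reference URL only mentions `magmi`.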
@ -30,3 +31,5 @@ requests:
- type: status
status:
- 503
# Enhanced by mp on 2022/04/28

View File

@ -1,12 +1,13 @@
id: CVE-2020-5847
info:
name: UnRaid Remote Code Execution
name: UnRaid <=6.80 - Remote Code Execution
author: madrobot
severity: critical
description: A vulnerability in UnRaid allows remote unauthenticated attackers to execute arbitrary code.
description: UnRaid <=6.80 allows remote unauthenticated attackers to execute arbitrary code.
reference:
- https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5847
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
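Review bot: The version in the new `name` and `description` looks wrong: `<=6.80` does not match the sysdream reference, whose slug reads `unraid-6-8-0` (i.e. 6.8.0). Check the advisory and use `<=6.8.0` in both places. The `reference` block also links cve.mitre.org where every other template in this commit links `https://nvd.nist.gov/vuln/detail/<id>`; add the NVD entry for consistency.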
@ -29,3 +30,5 @@ requests:
- "PHP Extension"
- "PHP Version"
condition: and
# Enhanced by mp on 2022/04/28

View File

@ -1,11 +1,10 @@
id: CVE-2020-5902
info:
name: F5 BIG-IP TMUI RCE
name: F5 BIG-IP TMUI - Remote Code Execution
author: madrobot,dwisiswant0,ringo
severity: critical
description: In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility,
has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
description: F5 BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
reference:
- http://packetstormsecurity.com/files/158333/BIG-IP-TMUI-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/158334/BIG-IP-TMUI-Remote-Code-Execution.html
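Review bot: Dropping the leading `In` broke the sentence: `F5 BIG-IP versions 15.0.0-15.1.0.3, ..., the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability` now has the version list dangling with no grammatical link to `has`. Either restore `In F5 BIG-IP versions ...` or restructure: `F5 BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1 are susceptible to remote code execution in undisclosed pages of the Traffic Management User Interface (TMUI), also referred to as the Configuration utility.`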
@ -18,6 +17,7 @@ info:
- https://swarm.ptsecurity.com/rce-in-f5-big-ip/
- https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
- https://www.kb.cert.org/vuls/id/290915
- https://nvd.nist.gov/vuln/detail/CVE-2020-5902
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -78,3 +78,5 @@ requests:
- type: word
words:
- "h3ll0_w0Rld"
# Enhanced by mp on 2022/04/28

View File

@ -1,11 +1,10 @@
id: CVE-2020-6207
info:
name: SAP Solution Manager remote unauthorized OS commands execution
name: SAP Solution Manager 7.2 - Remote Command Execution
author: _generic_human_
severity: critical
description: |
SAP Solution Manager (SolMan) running version 7.2 has CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem). The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP request (SSRF), and execute OS commands on connected SMDAgent.
description: "SAP Solution Manager (SolMan) running version 7.2 has a remote command execution vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem). The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP request (SSRF), and execute OS commands on connected SMDAgent."
reference:
- https://launchpad.support.sap.com/#/notes/2890213
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305
@ -13,6 +12,7 @@ info:
- https://github.com/chipik/SAP_EEM_CVE-2020-6207
- https://www.rapid7.com/db/modules/auxiliary/admin/sap/cve_2020_6207_solman_rce/
- https://www.rapid7.com/db/modules/exploit/multi/sap/cve_2020_6207_solman_rs/
- https://nvd.nist.gov/vuln/detail/CVE-2020-6207
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -51,3 +51,5 @@ requests:
- "SAP NetWeaver Application Server"
part: header
condition: and
# Enhanced by mp on 2022/04/29

View File

@ -1,16 +1,16 @@
id: CVE-2020-6287
info:
name: SAP NetWeaver - Remote Admin addition
name: SAP NetWeaver AS JAVA 7.30-7.50 - Remote Admin Addition
author: dwisiswant0
severity: critical
description: |
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
description: "SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system."
reference:
- https://launchpad.support.sap.com/#/notes/2934135
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675
- https://www.onapsis.com/recon-sap-cyber-security-vulnerability
- https://github.com/chipik/SAP_RECON
- https://nvd.nist.gov/vuln/detail/CVE-2020-6287
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
@ -51,3 +51,5 @@ requests:
- "text/xml"
- "SAP NetWeaver Application Server"
part: header
# Enhanced by mp on 2022/04/29

View File

@ -1,10 +1,10 @@
id: CVE-2020-6637
info:
name: OpenSIS v7.3 unauthenticated SQL Injection
name: OpenSIS 7.3 - SQL Injection
author: pikpikcu
severity: critical
description: OpenSIS Community Edition version 7.3 is vulnerable to SQL injection via the USERNAME parameter of index.php.
description: "OpenSIS Community Edition version 7.3 is vulnerable to SQL injection via the USERNAME parameter of index.php."
reference:
- https://cinzinga.com/CVE-2020-6637/
- https://nvd.nist.gov/vuln/detail/CVE-2020-6637
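Review bot: The new `name` `OpenSIS 7.3 - SQL Injection` drops `unauthenticated` from the old name, which is the detail that matters for triage and is not restated in the description; suggest `OpenSIS Community Edition 7.3 - Unauthenticated SQL Injection`, which also keeps the edition the description names.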
@ -44,4 +44,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/04/08
# Enhanced by mp on 2022/04/29

View File

@ -1,12 +1,11 @@
id: CVE-2020-7136
info:
name: HPE Smart Update Manager - Remote Unauthorized Access
name: HPE Smart Update Manager < 8.5.6 - Remote Unauthorized Access
author: gy741
severity: critical
description: A security vulnerability in HPE Smart Update Manager (SUM) prior to version 8.5.6 could allow remote unauthorized access. Hewlett Packard Enterprise has provided a software update to resolve this vulnerability
in HPE Smart Update Manager (SUM) prior to 8.5.6. Please visit the HPE Support Center at https://support.hpe.com/hpesc/public/home to download the latest version of HPE Smart Update Manager (SUM). Download the
latest version of HPE Smart Update Manager (SUM) or download the latest Service Pack For ProLiant (SPP).
description: HPE Smart Update Manager (SUM) prior to version 8.5.6 could allow remote unauthorized access.
remediation: Hewlett Packard Enterprise has provided a software update to resolve this vulnerability in HPE Smart Update Manager (SUM) prior to 8.5.6. Please visit the HPE Support Center at https://support.hpe.com/hpesc/public/home to download the latest version of HPE Smart Update Manager (SUM). Download the latest version of HPE Smart Update Manager (SUM) or download the latest Service Pack For ProLiant (SPP).
reference:
- https://www.tenable.com/security/research/tra-2020-02
- https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-hpesbmu03997en_us
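Review bot: Splitting the vendor advice into `remediation` is the right move, but the new `remediation` text gives the same instruction three times (`has provided a software update ... Please visit the HPE Support Center ... to download the latest version ... Download the latest version ... or download the latest Service Pack For ProLiant (SPP)`). Trim it to one: `Upgrade to HPE Smart Update Manager (SUM) 8.5.6 or later, or apply the latest Service Pack for ProLiant (SPP); see https://support.hpe.com/hpesc/public/home.` Spacing nit: `< 8.5.6` in this name versus `<0.7.24` and `<1.21.16` in other names in the commit.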
@ -49,3 +48,5 @@ requests:
part: body
regex:
- '"sessionId":"([a-z0-9.]+)"'
# Enhanced by mp on 2022/04/29

View File

@ -1,16 +1,18 @@
id: CVE-2020-7209
info:
name: LinuxKI Toolset 6.01 Remote Command Execution
name: LinuxKI Toolset <= 6.01 - Remote Command Execution
author: dwisiswant0
severity: critical
description: LinuxKI v6.0-1 and earlier are vulnerable to a remote code execution. This is resolved in release 6.0-2.
description: LinuxKI v6.0-1 and earlier are vulnerable to remote code execution.
remediation: This is resolved in release 6.0-2.
reference:
- http://packetstormsecurity.com/files/157739/HP-LinuxKI-6.01-Remote-Command-Injection.html
- http://packetstormsecurity.com/files/158025/LinuxKI-Toolset-6.01-Remote-Command-Execution.html
- https://github.com/HewlettPackard/LinuxKI/releases/tag/v6.0-2
- https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78
- https://www.hpe.com/us/en/home.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-7209
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
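Review bot: The version is written two different ways within one `info` block: the new `name` says `LinuxKI Toolset <= 6.01` while the `description` says `v6.0-1` and the `remediation` says `6.0-2`, which matches the upstream release tag `v6.0-2` in the reference list. Use the upstream form (`<= 6.0-1`) in the name so the three fields agree. The bare `https://www.hpe.com/us/en/home.html` reference points at the vendor homepage rather than an advisory and could be dropped.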
@ -28,3 +30,6 @@ requests:
regex:
- "root:.*:0:0:"
part: body
# Enhanced by mp on 2022/04/29

View File

@ -1,12 +1,11 @@
id: CVE-2020-7247
info:
name: OpenSMTPD 6.4.0 - 6.6.1 Remote Code Execution
name: OpenSMTPD 6.4.0-6.6.1 - Remote Code Execution
author: princechaddha
severity: critical
description: OpenSMTPD versions 6.4.0 - 6.6.1 are susceptible to remote code execution. smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute
arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect
return value upon failure of input validation.
description: |
OpenSMTPD versions 6.4.0 - 6.6.1 are susceptible to remote code execution. smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
reference:
- https://www.openwall.com/lists/oss-security/2020/01/28/3
- https://nvd.nist.gov/vuln/detail/CVE-2020-7247
@ -48,4 +47,4 @@ network:
words:
- "Message accepted for delivery"
# Enhanced by mp on 2022/04/04
# Enhanced by mp on 2022/04/29

View File

@ -1,10 +1,10 @@
id: CVE-2020-7796
info:
name: Zimbra Collaboration Suite (ZCS) - Server-Side Request Forgery
name: Zimbra Collaboration Suite < 8.8.15 Patch 7 - Server-Side Request Forgery
author: gy741
severity: critical
description: Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 is susceptible to server-side request forgery when WebEx zimlet is installed and zimlet JSP is enabled.
description: "Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 is susceptible to server-side request forgery when WebEx zimlet is installed and zimlet JSP is enabled."
reference:
- https://www.adminxe.com/2183.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-7796
@ -27,4 +27,4 @@ requests:
words:
- "http"
# Enhanced by mp on 2022/04/19
# Enhanced by mp on 2022/04/29

View File

@ -1,14 +1,15 @@
id: CVE-2020-7961
info:
name: Liferay Portal Unauthenticated RCE
name: Liferay Portal Unauthenticated < 7.2.1 CE GA2 - Remote Code Execution
author: dwisiswant0
severity: critical
description: Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
description: Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
reference:
- https://www.synacktiv.com/en/publications/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html
- https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271
- https://nvd.nist.gov/vuln/detail/CVE-2020-7961
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
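Review bot: Word order in the new `name` makes `Unauthenticated` look like part of the product: `Liferay Portal Unauthenticated < 7.2.1 CE GA2 - Remote Code Execution`. Move it to the vulnerability side: `Liferay Portal < 7.2.1 CE GA2 - Unauthenticated Remote Code Execution`. The rewritten `description` also drops `Deserialization of Untrusted Data`, the root cause the old text led with; keep it, e.g. `Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via deserialization of untrusted data in JSON web services (JSONWS).`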
@ -51,3 +52,5 @@ requests:
regex:
- "Microsoft Windows (.*)"
- "Distributor ID: (.*)"
# Enhanced by mp on 2022/04/29

View File

@ -1,11 +1,10 @@
id: CVE-2020-7980
info:
name: Satellian Intellian Aptus Web <= 1.24 RCE
name: Satellian Intellian Aptus Web <= 1.24 - Remote Command Execution
author: ritikchaddha
severity: critical
description: 'Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian
default account might be needed.'
description: "Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed."
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-7980
classification:
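Review bot: The `<= 1.24` in the new `name` is not supported by the `description`, which names only `Intellian Aptus Web 1.24`; either drop the `<=` or extend the description to say which earlier versions are affected. `Satellian` is kept in the name but appears nowhere in the description or the NVD reference; if it is part of the product name it should appear in the description too.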
@ -38,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/29

View File

@ -55,7 +55,7 @@ requests:
Content-Type: application/xml
X-NITRO-USER: oY39DXzQ
X-NITRO-PASS: ZuU9Y9c1
rand_key: §randkey§
rand_key: {{randkey}}
<clipermission></clipermission>
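Review bot: replacing the Burp-style `§randkey§` marker with `{{randkey}}` only helps if `randkey` is actually defined in the template (a `variables:` entry or a helper such as a random-string generator); it is not visible in this hunk, so please confirm it exists, otherwise the header is sent with the literal text `{{randkey}}` and the request is no longer randomised as intended. Separately, the hard-coded `X-NITRO-USER`/`X-NITRO-PASS` values in the context lines look like fixed test credentials; a comment explaining why they are static would help the next reader.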

View File

@ -1,14 +1,15 @@
id: CVE-2020-8515
info:
name: DrayTek pre-auth RCE
name: DrayTek - Remote Code Execution
author: pikpikcu
severity: critical
description: DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters
to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1.
description: "DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI."
remediation: This issue has been fixed in Vigor3900/2960/300B v1.5.1.
reference:
- https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)
- https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/
- https://nvd.nist.gov/vuln/detail/CVE-2020-8515
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
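Review bot: the new `name` "DrayTek - Remote Code Execution" loses both the affected models (Vigor2960/3900/300B) and the "pre-auth" qualifier that the old name carried, even though the description still states the attack needs no authentication; "DrayTek Vigor2960/3900/300B - Unauthenticated Remote Code Execution" would keep that information in the dashboard view. Moving the fix statement into a `remediation:` field is a good change.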
@ -33,4 +34,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/04/29
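Review bot: the `- 200` line is removed and re-added with no visible textual difference, so this is a whitespace-only change; please confirm the new indentation matches the `status:` key two lines above, since a stray space there makes the YAML list element invalid and the template will fail to load.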

View File

@ -1,12 +1,13 @@
id: CVE-2020-8771
info:
name: WordPress WP Time Capsule Authentication Bypass
name: WordPress Time Capsule < 1.21.16 - Authentication Bypass
author: princechaddha
severity: critical
description: The Time Capsule plugin before 1.21.16 for WordPress has an authentication bypass. Any request containing IWP_JSON_PREFIX causes the client to be logged in as the first account on the list of administrator accounts.
description: "WordPress Time Capsule plugin before 1.21.16 for WordPress has an authentication bypass. Any request containing IWP_JSON_PREFIX causes the client to be logged in as the first account on the list of administrator accounts."
reference:
- https://github.com/SECFORCE/WPTimeCapsulePOC
- https://nvd.nist.gov/vuln/detail/CVE-2020-8771
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
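Review bot: the new description reads "WordPress Time Capsule plugin before 1.21.16 for WordPress", which repeats "WordPress" twice; drop the trailing "for WordPress" since the product is already named. The version qualifier added to `name` ("< 1.21.16") is correct and matches the description.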
@ -54,3 +55,5 @@ requests:
part: header
regex:
- "wordpress_[a-z0-9]+=([A-Za-z0-9%]+)"
# Enhanced by mp on 2022/04/29

View File

@ -1,23 +1,14 @@
id: CVE-2020-9054
info:
name: ZyXEL NAS RCE
name: ZyXEL NAS Firmware 5.21- Remote Code Execution
author: dhiyaneshDk
severity: critical
description: |
Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device.
ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it.
If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device.
Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges.
As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges.
By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device.
This may happen by directly connecting to a device if it is directly exposed to an attacker.
However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices.
For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system.
Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2
description: "Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2."
reference:
- https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/
- https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml
- https://nvd.nist.gov/vuln/detail/CVE-2020-9054
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
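Review bot: the new `name` "ZyXEL NAS Firmware 5.21- Remote Code Execution" is missing the space before the hyphen, breaking the "Product - Impact" pattern used in the other renamed templates in this PR; use "ZyXEL NAS Firmware 5.21 - Remote Code Execution". Collapsing the nine-line block scalar into one double-quoted string is safe here (no backslashes or double quotes in the text), but given its length the `|` block form was easier to review; if the single-line form is a dashboard requirement, consider keeping only the first two sentences and the affected-model list.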
@ -38,3 +29,5 @@ requests:
- type: regex
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/04/29

View File

@ -1,10 +1,10 @@
id: CVE-2021-1497
info:
name: Cisco HyperFlex HX Data Platform RCE
name: Cisco HyperFlex HX Data Platform - Remote Command Execution
author: gy741
severity: critical
description: Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
description: Cisco HyperFlex HX contains multiple vulnerabilities in the web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
reference:
- https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/
- https://nvd.nist.gov/vuln/detail/CVE-2021-1497
@ -44,4 +44,4 @@ requests:
words:
- "http"
# Enhanced by cs on 2022/02/16
# Enhanced by mp on 2022/04/29
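Review bot: the existing "# Enhanced by cs on 2022/02/16" line is replaced rather than appended to, so the earlier review provenance is lost; keep the old line and add the new one below it, as the other templates in this PR do by adding a fresh line.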

View File

@ -1,10 +1,10 @@
id: CVE-2021-1498
info:
name: Cisco HyperFlex HX Data Platform RCE
name: Cisco HyperFlex HX Data Platform - Remote Command Execution
author: gy741
severity: critical
description: Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
description: Cisco HyperFlex HX contains multiple vulnerabilities in the web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
reference:
- https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/
- https://nvd.nist.gov/vuln/detail/CVE-2021-1498
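Review bot: after this change the CVE-2021-1497 and CVE-2021-1498 templates carry an identical `name` and an identical `description`, so nothing in the dashboard distinguishes the two findings; add the specific endpoint or parameter each template exercises to the description (the matcher differs only by the interactsh comment), so that a reader of the results can tell them apart.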
@ -40,3 +40,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/04/29

View File

@ -1,19 +1,14 @@
id: CVE-2021-20038
info:
name: SonicWall SMA100 Stack BoF to Unauthenticated RCE
name: SonicWall SMA100 Stack - Buffer Overflow/Remote Code Execution
author: dwisiswant0, jbaines-r7
severity: critical
description: |
A Stack-based buffer overflow vulnerability in SMA100
Apache httpd server's mod_cgi module environment variables
allows a remote unauthenticated attacker to potentially
execute code as a 'nobody' user in the appliance.
This vulnerability affected SMA 200, 210, 400, 410 and 500v
appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv,
10.2.1.2-24sv and earlier versions.
description: "A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions."
reference:
- https://attackerkb.com/topics/QyXRC1wbvC/cve-2021-20038/rapid7-analysis
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
- https://nvd.nist.gov/vuln/detail/CVE-2021-20038
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
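Review bot: in the new `name`, "SonicWall SMA100 Stack - Buffer Overflow/Remote Code Execution" leaves "Stack" dangling on the product side of the separator; "SonicWall SMA100 - Stack-Based Buffer Overflow / Remote Code Execution" keeps the vulnerability class together. In the description, "A Stack-based" should be lowercase "stack-based", and the affected-version list ("10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier") would be useful in the name as well, consistent with the other templates in this PR.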
@ -40,3 +35,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/04/29

View File

@ -1,10 +1,11 @@
id: CVE-2021-40542
info:
name: Opensis-Classic 8.0 Reflected Cross-Site Scripting
name: Opensis-Classic 8.0 - Reflected Cross-Site Scripting
author: alph4byt3
severity: medium
description: Opensis-Classic Version 8.0 is affected by cross-site scripting. An unauthenticated user can inject and execute JavaScript code through the link_url parameter in Ajax_url_encode.php.
description: |
Opensis-Classic Version 8.0 is affected by cross-site scripting. An unauthenticated user can inject and execute JavaScript code through the link_url parameter in Ajax_url_encode.php.
reference:
- https://github.com/OS4ED/openSIS-Classic/issues/189
- https://nvd.nist.gov/vuln/detail/CVE-2021-40542
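Review bot: this hunk converts a single-line description into a `|` block scalar, which is the opposite of what every other file in this PR does (block scalars are collapsed into one double-quoted line); pick one convention for the dashboard and apply it here too, since the text is a single sentence and gains nothing from the block form. The `name` change adding the " - " separator is consistent with the rest.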