diff --git a/cnvd/2019/CNVD-2019-19299.yaml b/cnvd/2019/CNVD-2019-19299.yaml index 86ad86ae1f..114cc01a3b 100644 --- a/cnvd/2019/CNVD-2019-19299.yaml +++ b/cnvd/2019/CNVD-2019-19299.yaml @@ -1,12 +1,17 @@ id: CNVD-2019-19299 info: - name: Zhiyuan A8 Arbitrary File Write (RCE) + name: Zhiyuan A8 - Remote Code Execution author: daffainfo severity: critical + description: Zhiyuan A8 is susceptible to remote code execution because of an arbitrary file write issue. reference: - https://www.cxyzjd.com/article/guangying177/110177339 - https://github.com/sectestt/CNVD-2019-19299 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-77 tags: zhiyuan,cnvd,cnvd2019,rce requests: @@ -45,3 +50,5 @@ requests: - 'contains(body_1, "htmoffice operate")' - 'contains(body_2, "Windows IP")' condition: and + +# Enhanced by mp on 2022/05/12 diff --git a/cnvd/2019/CNVD-2019-32204.yaml b/cnvd/2019/CNVD-2019-32204.yaml index f85de55b08..ec365a5f8c 100644 --- a/cnvd/2019/CNVD-2019-32204.yaml +++ b/cnvd/2019/CNVD-2019-32204.yaml 
@@ -1,12 +1,16 @@ id: CNVD-2019-32204 info: - name: Fanwei e-cology <= 9.0 Remote Code Execution + name: Fanwei e-cology <=9.0 - Remote Code Execution author: daffainfo severity: critical - description: The attacker can directly execute arbitrary commands on the target server by invoking the unauthorized access problem interface in the BeanShell component. Currently, the security patch for this vulnerability has been released. Please take protective measures as soon as possible for users who use the Fanwei e-cology OA system. + description: Fanwei e-cology <=9.0 is susceptible to remote code execution vulnerabilities. Remote attackers can directly execute arbitrary commands on the target server by invoking the unauthorized access problem interface in the BeanShell component. Currently, the security patch for this vulnerability has been released. Please take protective measures as soon as possible for users who use the Fanwei e-cology OA system. reference: - https://blog.actorsfit.com/a?ID=01500-11a2f7e6-54b0-4a40-9a79-5c56dc6ebd51 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-77 tags: fanwei,cnvd,cnvd2019,rce requests: @@ -22,3 +26,5 @@ requests: - type: regex regex: - "root:.*:0:0:" + +# Enhanced by mp on 2022/05/12 diff --git a/cnvd/2020/CNVD-2020-62422.yaml b/cnvd/2020/CNVD-2020-62422.yaml index ba3c739d17..0194c6d8b8 100644 --- a/cnvd/2020/CNVD-2020-62422.yaml +++ b/cnvd/2020/CNVD-2020-62422.yaml @@ -1,7 +1,7 @@ id: CNVD-2020-62422 info: - name: Seeyon readfile(CNVD-2020-62422) + name: Seeyon - Arbitrary File Retrieval author: pikpikcu severity: medium reference: @@ -29,4 +29,4 @@ requests: part: body words: - "ctpDataSource.password" - condition: and \ No newline at end of file + condition: and diff --git a/cnvd/2020/CNVD-2020-68596.yaml b/cnvd/2020/CNVD-2020-68596.yaml index 8294f8519b..b1d96de058 100644 --- a/cnvd/2020/CNVD-2020-68596.yaml +++ b/cnvd/2020/CNVD-2020-68596.yaml 
@@ -1,11 +1,16 @@ id: CNVD-2020-68596 info: - name: WeiPHP 5.0 Path Traversal + name: WeiPHP 5.0 - Path Traversal author: pikpikcu - severity: critical + description: WeiPHP 5.0 is susceptible to directory traversal attacks. + severity: high reference: - http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N + cvss-score: 8.6 + cwe-id: CWE-22 tags: weiphp,lfi,cnvd,cnvd2020 requests: @@ -41,3 +46,5 @@ requests: - WeiPHP - DB_PREFIX condition: and + +# Enhanced by mp on 2022/05/12 diff --git a/cnvd/2021/CNVD-2021-01931.yaml b/cnvd/2021/CNVD-2021-01931.yaml index 40ff5da4f2..af7aa8ed08 100644 --- a/cnvd/2021/CNVD-2021-01931.yaml +++ b/cnvd/2021/CNVD-2021-01931.yaml @@ -1,7 +1,7 @@ id: CNVD-2021-01931 info: - name: Ruoyi Management System Arbitrary File Download + name: Ruoyi Management System - Arbitrary File Retrieval author: daffainfo,ritikchaddha severity: high reference: diff --git a/cnvd/2021/CNVD-2021-09650.yaml b/cnvd/2021/CNVD-2021-09650.yaml index 8c24b28302..528666e80d 100644 --- a/cnvd/2021/CNVD-2021-09650.yaml +++ b/cnvd/2021/CNVD-2021-09650.yaml @@ -1,11 +1,16 @@ id: CNVD-2021-09650 info: - name: Ruijie EWEB Gateway Platform Command Execution + name: Ruijie EWEB Gateway Platform - Remote Command Injection author: daffainfo severity: critical + description: Ruijie EWEB Gateway Platform is susceptible to remote command injection attacks. reference: - http://j0j0xsec.top/2021/04/22/%E9%94%90%E6%8D%B7EWEB%E7%BD%91%E5%85%B3%E5%B9%B3%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-77 tags: ruijie,cnvd,cnvd2021,rce requests: @@ -23,3 +28,5 @@ requests: name: http words: - "http" + +# Enhanced by mp on 2022/05/12 
diff --git a/cnvd/2021/CNVD-2021-26422.yaml b/cnvd/2021/CNVD-2021-26422.yaml index e159383415..8ceb9e5c8d 100644 --- a/cnvd/2021/CNVD-2021-26422.yaml +++ b/cnvd/2021/CNVD-2021-26422.yaml @@ -4,9 +4,14 @@ info: name: eYouMail - Remote Code Execution author: daffainfo severity: critical + description: eYouMail is susceptible to a remote code execution vulnerability. reference: - https://github.com/ltfafei/my_POC/blob/master/CNVD-2021-26422_eYouMail/CNVD-2021-26422_eYouMail_RCE_POC.py - https://github.com/EdgeSecurityTeam/Vulnerability/blob/main/%E4%BA%BF%E9%82%AE%E9%82%AE%E4%BB%B6%E7%B3%BB%E7%BB%9F%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20(CNVD-2021-26422).md + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-77 tags: eyoumail,rce,cnvd,cnvd2021 requests: @@ -27,3 +32,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/12 diff --git a/cnvd/2021/CNVD-2021-28277.yaml b/cnvd/2021/CNVD-2021-28277.yaml index 5be02217e6..1277253402 100644 --- a/cnvd/2021/CNVD-2021-28277.yaml +++ b/cnvd/2021/CNVD-2021-28277.yaml @@ -1,7 +1,7 @@ id: CNVD-2021-28277 info: - name: Landray-OA Arbitrary File Download + name: Landray-OA Arbitrary - Arbitrary File Retrieval author: pikpikcu,daffainfo severity: high reference: @@ -41,4 +41,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/cnvd/2022/CNVD-2022-03672.yaml b/cnvd/2022/CNVD-2022-03672.yaml index 400f7dc2ad..b3e9de9132 100644 --- a/cnvd/2022/CNVD-2022-03672.yaml +++ b/cnvd/2022/CNVD-2022-03672.yaml 
@@ -1,14 +1,19 @@ id: CNVD-2022-03672 info: - name: Sunflower Simple and Personal edition RCE + name: Sunflower Simple and Personal - Remote Code Execution author: daffainfo severity: critical + description: Sunflower Simple and Personal is susceptible to a remote code execution vulnerability. reference: - https://www.1024sou.com/article/741374.html - https://copyfuture.com/blogs-details/202202192249158884 - https://www.cnvd.org.cn/flaw/show/CNVD-2022-10270 - https://www.cnvd.org.cn/flaw/show/CNVD-2022-03672 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-77 tags: cnvd,cnvd2020,sunflower,rce requests: @@ -40,3 +45,5 @@ requests: - "contains(body_1, 'verify_string')" - "contains(body_2, 'Windows IP')" condition: and + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2007/CVE-2007-4504.yaml b/cves/2007/CVE-2007-4504.yaml index 1f7016cd9f..44ac9a5200 100644 --- a/cves/2007/CVE-2007-4504.yaml +++ b/cves/2007/CVE-2007-4504.yaml @@ -1,10 +1,10 @@ id: CVE-2007-4504 info: - name: Joomla! Component RSfiles 1.0.2 - 'path' File Download + name: Joomla! Component RSfiles <=1.0.2 - Arbitrary File Retrieval author: daffainfo severity: high - description: Directory traversal vulnerability in index.php in the RSfiles component (com_rsfiles) 1.0.2 and earlier for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter in a files.display action. + description: An arbitrary file retrieval vulnerability in index.php in the RSfiles component (com_rsfiles) <=1.0.2 for Joomla! allows remote attackers to arbitrarily read files via a .. (dot dot) in the path parameter in a files.display action. reference: - https://www.exploit-db.com/exploits/4307 - https://www.cvedetails.com/cve/CVE-2007-4504 diff --git a/cves/2010/CVE-2010-0696.yaml b/cves/2010/CVE-2010-0696.yaml index a73a43ea84..011cddc99d 100644 --- a/cves/2010/CVE-2010-0696.yaml +++ b/cves/2010/CVE-2010-0696.yaml 
@@ -1,7 +1,7 @@ id: CVE-2010-0696 info: - name: Joomla! Component Jw_allVideos - Arbitrary File Download + name: Joomla! Component Jw_allVideos - Arbitrary File Retrieval author: daffainfo severity: high description: A directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter. @@ -25,4 +25,5 @@ requests: - type: status status: - 200 + # Enhanced by mp on 2022/02/13 diff --git a/cves/2010/CVE-2010-2122.yaml b/cves/2010/CVE-2010-2122.yaml index 2042183974..ed2f24987f 100644 --- a/cves/2010/CVE-2010-2122.yaml +++ b/cves/2010/CVE-2010-2122.yaml @@ -1,10 +1,10 @@ id: CVE-2010-2122 info: - name: Joomla! Component simpledownload 0.9.5 - Local File Disclosure + name: Joomla! Component simpledownload <=0.9.5 - Arbitrary File Retrieval author: daffainfo severity: high - description: A directory traversal vulnerability in the SimpleDownload (com_simpledownload) component before 0.9.6 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the SimpleDownload (com_simpledownload) component before 0.9.6 for Joomla! allows remote attackers to retrieve arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12623 - https://www.cvedetails.com/cve/CVE-2010-2122 diff --git a/cves/2010/CVE-2010-3203.yaml b/cves/2010/CVE-2010-3203.yaml index 4c7856343b..8ab1009b02 100644 --- a/cves/2010/CVE-2010-3203.yaml +++ b/cves/2010/CVE-2010-3203.yaml 
@@ -1,7 +1,7 @@ id: CVE-2010-3203 info: - name: Joomla! Component PicSell 1.0 - Local File Disclosure + name: Joomla! Component PicSell 1.0 - Arbitrary File Retrieval author: daffainfo severity: high description: A directory traversal vulnerability in the PicSell (com_picsell) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the dflink parameter in a prevsell dwnfree action to index.php. diff --git a/cves/2015/CVE-2015-4694.yaml b/cves/2015/CVE-2015-4694.yaml index f2e7c8e099..f116177a76 100644 --- a/cves/2015/CVE-2015-4694.yaml +++ b/cves/2015/CVE-2015-4694.yaml @@ -1,10 +1,10 @@ id: CVE-2015-4694 info: - name: WordPress Zip Attachments <= 1.1.4 - Arbitrary File Download + name: WordPress Zip Attachments <= 1.1.4 - Arbitrary File Retrieval author: 0x_Akoko severity: high - description: WordPress zip-attachments plugin allows arbitrary file downloads because it does not check the download path of the requested file. + description: WordPress zip-attachments plugin allows arbitrary file retrieval as it does not check the download path of the requested file. reference: - https://wordpress.org/plugins/zip-attachments/#developers - https://wpscan.com/vulnerability/8047 diff --git a/cves/2017/CVE-2017-11512.yaml b/cves/2017/CVE-2017-11512.yaml index 279dc4e183..d5a5f7edbf 100644 --- a/cves/2017/CVE-2017-11512.yaml +++ b/cves/2017/CVE-2017-11512.yaml 
@@ -1,11 +1,11 @@ id: CVE-2017-11512 info: - name: ManageEngine ServiceDesk - Unauthenticated Arbitrary File Download + name: ManageEngine ServiceDesk - Arbitrary File Retrieval author: 0x_Akoko severity: high description: | - The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the name parameter for the download-snapshot URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files. + The ManageEngine ServiceDesk 9.3.9328 is vulnerable to an arbitrary file retrieval due to improper restrictions of the pathname used in the name parameter for the download-snapshot path. An unauthenticated remote attacker can use this vulnerability to download arbitrary files. reference: - https://exploit.kitploit.com/2017/11/manageengine-servicedesk-cve-2017-11512.html - https://www.cvedetails.com/cve/CVE-2017-11512 diff --git a/cves/2017/CVE-2017-15363.yaml b/cves/2017/CVE-2017-15363.yaml index 4349f108ff..1118798c3b 100644 --- a/cves/2017/CVE-2017-15363.yaml +++ b/cves/2017/CVE-2017-15363.yaml @@ -1,7 +1,7 @@ id: CVE-2017-15363 info: - name: Typo3 Restler Extension - Local File Disclosure + name: TYPO3 Restler - Arbitrary File Retrieval author: 0x_Akoko severity: high description: Directory traversal vulnerability in public/examples/resources/getsource.php in Luracast Restler through 3.0.0, as used in the restler extension before 1.7.1 for TYPO3, allows remote attackers to read arbitrary files via the file parameter. diff --git a/cves/2017/CVE-2017-7269.yaml b/cves/2017/CVE-2017-7269.yaml index d7bda567cc..c3897f688a 100644 --- a/cves/2017/CVE-2017-7269.yaml +++ b/cves/2017/CVE-2017-7269.yaml 
@@ -5,7 +5,7 @@ info: author: thomas_from_offensity,geeknik severity: critical description: | - Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 contains a buffer overflow vulnearbility in the ScStoragePathFromUrl function in the WebDAV service that could allow remote attackers to execute arbitrary code via a long header beginning with "If " + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-1000861.yaml b/cves/2018/CVE-2018-1000861.yaml index d5d14211b8..8194ae8495 100644 --- a/cves/2018/CVE-2018-1000861.yaml +++ b/cves/2018/CVE-2018-1000861.yaml @@ -1,13 +1,13 @@ id: CVE-2018-1000861 info: - name: Jenkins 2.138 Remote Command Execution + name: Jenkins - Remote Command Injection author: dhiyaneshDK,pikpikcu severity: critical - description: A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows - attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way. + description: Jenkins 2.153 and earlier and LTS 2.138.3 and earlier are susceptible to a remote command injection via stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way. reference: - https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2018-1000861 + - https://nvd.nist.gov/vuln/detail/CVE-2018-1000861 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -31,3 +31,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-10562.yaml b/cves/2018/CVE-2018-10562.yaml index 469063f4ce..b66f95704a 100644 --- a/cves/2018/CVE-2018-10562.yaml +++ b/cves/2018/CVE-2018-10562.yaml 
@@ -1,10 +1,10 @@ id: CVE-2018-10562 info: - name: Dasan GPON Devices - Remote Code Execution (Unauthenticated) + name: Dasan GPON Devices - Remote Code Execution author: gy741 severity: critical - description: An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping + description: Dasan GPON home routers are susceptible to command injection which can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output. reference: - https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router @@ -37,3 +37,5 @@ requests: part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-12031.yaml b/cves/2018/CVE-2018-12031.yaml index 6be7ac0dd7..4e98b1fb1d 100644 --- a/cves/2018/CVE-2018-12031.yaml +++ b/cves/2018/CVE-2018-12031.yaml 
@@ -4,11 +4,11 @@ info: name: Eaton Intelligent Power Manager 1.6 - Directory Traversal author: daffainfo severity: critical - description: Local file inclusion in Eaton Intelligent Power Manager v1.6 allows an attacker to include a file, it can lead to sensitive information disclosure, denial of service and code execution. + description: Eaton Intelligent Power Manager v1.6 allows an attacker to include a file via directory traversal, which can lead to sensitive information disclosure, denial of service and code execution. reference: - https://github.com/EmreOvunc/Eaton-Intelligent-Power-Manager-Local-File-Inclusion - - https://nvd.nist.gov/vuln/detail/CVE-2018-12031 - https://www.exploit-db.com/exploits/48614 + - https://nvd.nist.gov/vuln/detail/CVE-2018-12031 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -33,3 +33,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-1207.yaml b/cves/2018/CVE-2018-1207.yaml index 0bbeab8144..62b9881bd4 100644 --- a/cves/2018/CVE-2018-1207.yaml +++ b/cves/2018/CVE-2018-1207.yaml 
@@ -1,19 +1,17 @@ id: CVE-2018-1207 info: - name: Dell iDRAC7 and iDRAC8 Devices Code Injection/RCE + name: Dell iDRAC7/8 Devices - Remote Code Injection author: dwisiswant0 severity: critical description: | - This template supports the detection part only. - - Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain CGI injection vulnerability + Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain a CGI injection vulnerability which could be used to execute remote code. A remote unauthenticated attacker may potentially be able to use CGI variables to execute remote code. - - https://github.com/KraudSecurity/Exploits/blob/master/CVE-2018-1207/CVE-2018-1207.py reference: - https://downloads.dell.com/solutions/dell-management-solution-resources/iDRAC_CVE%201207_1211_1000116.pdf + - https://github.com/KraudSecurity/Exploits/blob/master/CVE-2018-1207/CVE-2018-1207.py + - https://nvd.nist.gov/vuln/detail/CVE-2018-1207 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -30,3 +28,5 @@ requests: words: - "calling init: /lib/" part: response + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-12300.yaml b/cves/2018/CVE-2018-12300.yaml index 90ff0b0135..53736ed55a 100644 --- a/cves/2018/CVE-2018-12300.yaml +++ b/cves/2018/CVE-2018-12300.yaml @@ -1,7 +1,7 @@ id: CVE-2018-12300 info: - name: Seagate NAS OS 4.3.15.1 - Open redirect + name: Seagate NAS OS 4.3.15.1 - Open Redirect author: 0x_Akoko severity: medium description: Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.15.1 allows attackers to disclose information in the Referer header via the 'state' URL parameter. diff --git a/cves/2018/CVE-2018-12634.yaml b/cves/2018/CVE-2018-12634.yaml index c70ccfedb9..edc2910da7 100644 --- a/cves/2018/CVE-2018-12634.yaml +++ b/cves/2018/CVE-2018-12634.yaml 
@@ -1,12 +1,13 @@ id: CVE-2018-12634 info: - name: Exposed CirCarLife System Log + name: CirCarLife Scada <4.3 - System Log Exposure author: geeknik severity: critical - description: CirCarLife is an internet-connected electric vehicle charging station + description: CirCarLife Scada before 4.3 allows remote attackers to obtain sensitive information via a direct request for the html/log or services/system/info.html URI. CirCarLife is an internet-connected electric vehicle charging station. reference: - https://circontrol.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2018-12634 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -33,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-1273.yaml b/cves/2018/CVE-2018-1273.yaml index 8e19b457a9..657424e411 100644 --- a/cves/2018/CVE-2018-1273.yaml +++ b/cves/2018/CVE-2018-1273.yaml @@ -1,7 +1,7 @@ id: CVE-2018-1273 info: - name: Spring Data Commons Unauthenticated RCE + name: Spring Data Commons - Remote Code Execution author: dwisiswant0 severity: critical description: | @@ -42,3 +42,5 @@ requests: - "\\[(font|extension|file)s\\]" condition: or part: body + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-13379.yaml b/cves/2018/CVE-2018-13379.yaml index 0091d7ef30..3ad6d6e608 100644 --- a/cves/2018/CVE-2018-13379.yaml +++ b/cves/2018/CVE-2018-13379.yaml 
@@ -1,14 +1,14 @@ id: CVE-2018-13379 info: - name: FortiOS - Credentials Disclosure + name: Fortinet FortiOS - Credentials Disclosure author: organiccrap severity: critical - description: An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 - to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests. + description: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests due to improper limitation of a pathname to a restricted directory (path traversal). reference: - https://fortiguard.com/advisory/FG-IR-18-384 - https://www.fortiguard.com/psirt/FG-IR-20-233 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -24,3 +24,5 @@ requests: - type: word words: - "var fgt_lang" + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-13980.yaml b/cves/2018/CVE-2018-13980.yaml index 5f74b55601..9d12a07112 100644 --- a/cves/2018/CVE-2018-13980.yaml +++ b/cves/2018/CVE-2018-13980.yaml @@ -1,7 +1,7 @@ id: CVE-2018-13980 info: - name: Zeta Producer Desktop CMS 14.2.0 - Local File Disclosure + name: Zeta Producer Desktop CMS 14.2.0 - Arbitrary File Retrieval author: wisnupramoedya severity: medium description: The websites that were built from Zeta Producer Desktop CMS before 14.2.1 are vulnerable to unauthenticated file disclosure if the plugin "filebrowser" is installed, because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal. 
diff --git a/cves/2018/CVE-2018-14064.yaml b/cves/2018/CVE-2018-14064.yaml index 50015d4823..d8cf45f3a7 100644 --- a/cves/2018/CVE-2018-14064.yaml +++ b/cves/2018/CVE-2018-14064.yaml @@ -4,7 +4,7 @@ info: name: VelotiSmart Wifi - Directory Traversal author: 0x_Akoko severity: critical - description: The uc-http service 1.0.0 on VelotiSmart WiFi B-380 camera devices allows Directory Traversal, as demonstrated by /../../etc/passwd on TCP port 80. + description: VelotiSmart WiFi B-380 camera devices allow directory traversal via the uc-http service 1.0.0, as demonstrated by /../../etc/passwd on TCP port 80. reference: - https://medium.com/@s1kr10s/velotismart-0day-ca5056bcdcac - https://www.exploit-db.com/exploits/45030 @@ -31,3 +31,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-14916.yaml b/cves/2018/CVE-2018-14916.yaml index 95da4dba55..e4673b98bb 100644 --- a/cves/2018/CVE-2018-14916.yaml +++ b/cves/2018/CVE-2018-14916.yaml @@ -1,10 +1,10 @@ id: CVE-2018-14916 info: - name: Loytec LGATE-902 Directory Traversal + name: Loytec LGATE-902 <6.4.2 - Local File Inclusion author: 0x_Akoko severity: critical - description: Loytec LGATE-902 versions prior to 6.4.2 suffer from cross site scripting, arbitrary file deletion, and directory traversal vulnerabilities. + description: Loytec LGATE-902 versions prior to 6.4.2 suffers from a local file inclusion vulnerability. reference: - https://packetstormsecurity.com/files/152453/Loytec-LGATE-902-XSS-Traversal-File-Deletion.html - https://nvd.nist.gov/vuln/detail/CVE-2018-14916 @@ -30,3 +30,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-15517.yaml b/cves/2018/CVE-2018-15517.yaml index c3c291ce89..08b7fb93d4 100644 --- a/cves/2018/CVE-2018-15517.yaml +++ b/cves/2018/CVE-2018-15517.yaml 
@@ -1,10 +1,10 @@ id: CVE-2018-15517 info: - name: D-LINK Central WifiManager Server-Side Request Forgery + name: D-Link Central WifiManager - Server-Side Request Forgery author: gy741 severity: high - description: D-LINK Central WifiManager is susceptible to server-side request forgery. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP + description: D-Link Central WifiManager is susceptible to server-side request forgery. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. This can undermine accountability of where scan or connections actually came from and or bypass the FW etc. This can be automated via script or using a browser. reference: diff --git a/cves/2018/CVE-2018-16167.yaml b/cves/2018/CVE-2018-16167.yaml index 079592a817..926b4dd68b 100644 --- a/cves/2018/CVE-2018-16167.yaml +++ b/cves/2018/CVE-2018-16167.yaml @@ -1,7 +1,7 @@ id: CVE-2018-16167 info: - name: LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated) + name: LogonTracer <=1.2.0 - Remote Command Injection author: gy741 severity: critical description: LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors. @@ -30,3 +30,5 @@ requests: part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-16763.yaml b/cves/2018/CVE-2018-16763.yaml index 07e5d545ba..d12fec7ba7 100644 --- a/cves/2018/CVE-2018-16763.yaml +++ b/cves/2018/CVE-2018-16763.yaml 
@@ -1,14 +1,15 @@ id: CVE-2018-16763 info: - name: fuelCMS 1.4.1 - Remote Code Execution + name: FUEL CMS 1.4.1 - Remote Code Execution author: pikpikcu severity: critical - description: FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution. + description: FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. reference: - https://www.exploit-db.com/exploits/47138 - https://www.getfuelcms.com/ - https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1 + - https://nvd.nist.gov/vuln/detail/CVE-2018-16763 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -30,3 +31,5 @@ requests: - type: regex regex: - "root:.*:0:0:" + +# Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-16836.yaml b/cves/2018/CVE-2018-16836.yaml index 87e87bd4aa..6557b09070 100644 --- a/cves/2018/CVE-2018-16836.yaml +++ b/cves/2018/CVE-2018-16836.yaml @@ -1,13 +1,13 @@ id: CVE-2018-16836 info: - name: Rubedo CMS 3.4.0 - Directory Traversal + name: Rubedo CMS <=3.4.0 - Directory Traversal author: 0x_Akoko severity: critical - description: Rubedo through 3.4.0 contains a Directory Traversal vulnerability in the theme component, allowing unauthenticated attackers to read and execute arbitrary files outside of the service root path, as - demonstrated by a /theme/default/img/%2e%2e/..//etc/passwd URI. + description: Rubedo CMS through 3.4.0 contains a directory traversal vulnerability in the theme component, allowing unauthenticated attackers to read and execute arbitrary files outside of the service root path, as demonstrated by a /theme/default/img/%2e%2e/..//etc/passwd URI. reference: - https://www.exploit-db.com/exploits/45385 + - https://nvd.nist.gov/vuln/detail/CVE-2018-16836 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 
@@ -29,3 +29,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/13 diff --git a/cves/2018/CVE-2018-17246.yaml b/cves/2018/CVE-2018-17246.yaml index 52c604d738..8a33e82710 100644 --- a/cves/2018/CVE-2018-17246.yaml +++ b/cves/2018/CVE-2018-17246.yaml @@ -1,14 +1,13 @@ id: CVE-2018-17246 info: - name: Kibana Local File Inclusion + name: Kibana - Local File Inclusion author: princechaddha severity: critical - description: Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute - javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. + description: Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute JavaScript which could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2018-17246 - https://github.com/vulhub/vulhub/blob/master/kibana/CVE-2018-17246/README.md + - https://nvd.nist.gov/vuln/detail/CVE-2018-17246 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -38,3 +37,5 @@ requests: - type: status status: - 500 + +# Enhanced by mp on 2022/05/13 diff --git a/cves/2018/CVE-2018-17431.yaml b/cves/2018/CVE-2018-17431.yaml index 30b1f39e38..ae4fdebaa3 100644 --- a/cves/2018/CVE-2018-17431.yaml +++ b/cves/2018/CVE-2018-17431.yaml 
@@ -1,13 +1,14 @@ id: CVE-2018-17431 info: - name: Comodo Unified Threat Management Web Console 2.7.0 - RCE + name: Comodo Unified Threat Management Web Console - Remote Code Execution author: dwisiswant0 severity: critical - description: Comodo Firewall & Central Manager (UTM) All Release before 2.7.0 & 1.5.0 Remote Code Execution (Web Shell based) + description: Comodo Firewall & Central Manager (UTM) All Release before 2.7.0 & 1.5.0 are susceptible to a web shell based remote code execution vulnerability. reference: - https://www.exploit-db.com/exploits/48825 - https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9276&af=9276 + - https://nvd.nist.gov/vuln/detail/CVE-2018-17431 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -35,4 +36,6 @@ requests: part: body - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/05/13 diff --git a/cves/2018/CVE-2018-18925.yaml b/cves/2018/CVE-2018-18925.yaml index c79c196fe2..cff6c60e67 100644 --- a/cves/2018/CVE-2018-18925.yaml +++ b/cves/2018/CVE-2018-18925.yaml @@ -1,11 +1,10 @@ id: CVE-2018-18925 info: - name: Gogs - Remote Code Execution (CVE-2018-18925) + name: Gogs (Go Git Service) 0.11.66 - Remote Code Execution author: princechaddha severity: critical - description: Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related - to session ID handling in the go-macaron/session code for Macaron. + description: Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron. reference: - https://www.anquanke.com/post/id/163575 - https://github.com/vulhub/vulhub/tree/master/gogs/CVE-2018-18925 
@@ -15,7 +14,7 @@ info: cvss-score: 9.8 cve-id: CVE-2018-18925 cwe-id: CWE-384 - remediation: This issue will be fixed by updating to the latest version of Gogs + remediation: This issue will be fixed by updating to the latest version of Gogs. tags: cve,cve2018,gogs,lfi,rce requests: @@ -35,3 +34,5 @@ requests: - type: dsl dsl: - 'status_code_1 == 500 && status_code_2 == 200 && contains(body_2, "")' + +# Enhanced by mp on 2022/05/13 diff --git a/cves/2018/CVE-2018-20985.yaml b/cves/2018/CVE-2018-20985.yaml index 1566a653dc..4da57ce3f1 100644 --- a/cves/2018/CVE-2018-20985.yaml +++ b/cves/2018/CVE-2018-20985.yaml @@ -1,13 +1,13 @@ id: CVE-2018-20985 info: - name: WordPress Plugin WP Payeezy Pay 2.97 - Local File Inclusion + name: WordPress Payeezy Pay <=2.97 - Local File Inclusion author: daffainfo severity: critical - description: WordPress Plugin WP Payeezy Pay is prone to a local file inclusion vulnerability because it fails to sufficiently verify user-supplied input. Exploiting this issue may allow an attacker to obtain sensitive - information that could aid in further attacks. WordPress Plugin WP Payeezy Pay version 2.97 is vulnerable; prior versions are also affected. + description: WordPress Plugin WP Payeezy Pay is prone to a local file inclusion vulnerability because it fails to sufficiently verify user-supplied input. Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. WordPress Plugin WP Payeezy Pay version 2.97 is vulnerable; prior versions are also affected. reference: - https://www.pluginvulnerabilities.com/2018/12/06/our-improved-proactive-monitoring-has-now-caught-a-local-file-inclusion-lfi-vulnerability-as-well/ + - https://wordpress.org/plugins/wp-payeezy-pay/#developers - https://www.cvedetails.com/cve/CVE-2018-20985/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H @@ -35,3 +35,6 @@ requests: - type: status status: - 200 + + +# Enhanced by mp on 2022/05/13 
diff --git a/cves/2018/CVE-2018-2894.yaml b/cves/2018/CVE-2018-2894.yaml index 698150de04..ce5ace24c1 100644 --- a/cves/2018/CVE-2018-2894.yaml +++ b/cves/2018/CVE-2018-2894.yaml @@ -1,13 +1,15 @@ id: CVE-2018-2894 info: - name: Oracle WebLogic RCE + name: Oracle WebLogic Server - Remote Code Execution author: geeknik,pdteam severity: critical - description: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. + description: | + The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services) is susceptible to a remote code execution vulnerability that is easily exploitable and could allow unauthenticated attackers with network access via HTTP to compromise the server. Supported versions that are affected are 12.1.3.0, 12.2.1.2 and 12.2.1.3. reference: - https://blog.detectify.com/2018/11/14/technical-explanation-of-cve-2018-2894-oracle-weblogic-rce/ - https://github.com/vulhub/vulhub/tree/fda47b97c7d2809660a4471539cd0e6dbf8fac8c/weblogic/CVE-2018-2894 + - https://nvd.nist.gov/vuln/detail/CVE-2018-2894 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -90,3 +92,5 @@ requests: - type: word words: - "26ec00a3a03f6bfc5226fd121567bb58" # MD5 (CVE-2018-2894) + +# Enhanced by mp on 2022/05/13 diff --git a/cves/2018/CVE-2018-3810.yaml b/cves/2018/CVE-2018-3810.yaml index e906d11418..4602a84822 100644 --- a/cves/2018/CVE-2018-3810.yaml +++ b/cves/2018/CVE-2018-3810.yaml 
@@ -1,14 +1,13 @@ id: CVE-2018-3810 info: - name: WordPress Smart Google Code Inserter Authentication Bypass + name: Oturia WordPress Smart Google Code Inserter <3.5 - Authentication Bypass author: princechaddha severity: critical - description: Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic - parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated - user to successfully update the inserted code. + description: Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code. reference: - https://www.exploit-db.com/exploits/43420 + - https://nvd.nist.gov/vuln/detail/CVE-2018-3810 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -44,3 +43,6 @@ requests: - type: status status: - 200 + + +# Enhanced by mp on 2022/05/13 diff --git a/cves/2018/CVE-2018-6008.yaml b/cves/2018/CVE-2018-6008.yaml index 60ee965e86..f13dbcb2c2 100644 --- a/cves/2018/CVE-2018-6008.yaml +++ b/cves/2018/CVE-2018-6008.yaml 
@@ -1,10 +1,10 @@ id: CVE-2018-6008 info: - name: Joomla! Component Jtag Members Directory 5.3.7 - Arbitrary File Download + name: Joomla! Component Jtag Members Directory 5.3.7 - Arbitrary File Retrieval author: daffainfo severity: high - description: Arbitrary File Download exists in the Jtag Members Directory 5.3.7 component for Joomla! via the download_file parameter. + description: Arbitrary file retrieval exists in the Jtag Members Directory 5.3.7 component for Joomla! via the download_file parameter. reference: - https://www.exploit-db.com/exploits/43913 - https://www.cvedetails.com/cve/CVE-2018-6008 diff --git a/cves/2018/CVE-2018-7600.yaml b/cves/2018/CVE-2018-7600.yaml index 55918f1b04..fec50a358e 100644 --- a/cves/2018/CVE-2018-7600.yaml +++ b/cves/2018/CVE-2018-7600.yaml @@ -1,13 +1,13 @@ id: CVE-2018-7600 info: - name: Drupal Drupalgeddon 2 RCE + name: Drupal - Remote Code Execution author: pikpikcu severity: critical - description: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or - common module configurations. + description: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. reference: - https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2018-7600 + - https://nvd.nist.gov/vuln/detail/CVE-2018-7600 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -60,3 +60,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/13 diff --git a/cves/2018/CVE-2018-7602.yaml b/cves/2018/CVE-2018-7602.yaml index d628ce24ba..6964122f03 100644 --- a/cves/2018/CVE-2018-7602.yaml +++ b/cves/2018/CVE-2018-7602.yaml 
@@ -1,11 +1,10 @@ id: CVE-2018-7602 info: - name: Drupal Remote Code Execution Vulnerability + name: Drupal - Remote Code Execution author: princechaddha severity: critical - description: A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result - in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. + description: Drupal 7.x and 8.x contain a remote code execution vulnerability that exists within multiple subsystems. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. reference: - https://github.com/vulhub/vulhub/blob/master/drupal/CVE-2018-7602/drupa7-CVE-2018-7602.py - https://nvd.nist.gov/vuln/detail/CVE-2018-7602 @@ -74,3 +73,5 @@ requests: group: 1 regex: - '' + +# Enhanced by mp on 2022/05/13 diff --git a/cves/2018/CVE-2018-7662.yaml b/cves/2018/CVE-2018-7662.yaml index 14742e7d0e..c2cfc5117d 100644 --- a/cves/2018/CVE-2018-7662.yaml +++ b/cves/2018/CVE-2018-7662.yaml @@ -1,7 +1,7 @@ id: CVE-2018-7662 info: - name: CouchCMS <= 2.0 - Full Path Disclosure + name: CouchCMS <= 2.0 - Path Disclosure author: ritikchaddha severity: medium description: CouchCMS <= 2.0 allows remote attackers to discover the full path via a direct request to includes/mysql2i/mysql2i.func.php or addons/phpmailer/phpmailer.php. diff --git a/cves/2018/CVE-2018-9161.yaml b/cves/2018/CVE-2018-9161.yaml index 2d6099ae02..d07f2b5e66 100644 --- a/cves/2018/CVE-2018-9161.yaml +++ b/cves/2018/CVE-2018-9161.yaml 
@@ -4,8 +4,7 @@ info: name: PrismaWEB - Credentials Disclosure author: gy741 severity: critical - description: The vulnerability exists due to the disclosure of hard-coded credentials allowing an attacker to effectively bypass authentication of PrismaWEB with administrator privileges. The credentials can be - disclosed by simply navigating to the login_par.js JavaScript page that holds the username and password for the management interface that are being used via the Login() function in /scripts/functions_cookie.js script. + description: PrismaWEB is susceptible to credential disclosure. The vulnerability exists due to the disclosure of hard-coded credentials allowing an attacker to effectively bypass authentication of PrismaWEB with administrator privileges. The credentials can be disclosed by simply navigating to the login_par.js JavaScript page that holds the username and password for the management interface that are being used via the Login() function in /scripts/functions_cookie.js script. reference: - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5453.php - https://nvd.nist.gov/vuln/detail/CVE-2018-9161 @@ -33,3 +32,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/13 diff --git a/cves/2018/CVE-2018-9205.yaml b/cves/2018/CVE-2018-9205.yaml index 11d98cafcc..4c8ae5e70c 100644 --- a/cves/2018/CVE-2018-9205.yaml +++ b/cves/2018/CVE-2018-9205.yaml @@ -1,7 +1,7 @@ id: CVE-2018-9205 info: - name: Drupal avatar_uploader v7.x-1.0-beta8 Local File Inclusion + name: Drupal avatar_uploader v7.x-1.0-beta8 - Local File Inclusion author: daffainfo severity: high description: In avatar_uploader v7.x-1.0-beta8 the view.php program doesn't restrict file paths, allowing unauthenticated users to retrieve arbitrary files. diff --git a/cves/2019/CVE-2019-16123.yaml b/cves/2019/CVE-2019-16123.yaml index 60bc21c9cb..891b8933e6 100644 --- a/cves/2019/CVE-2019-16123.yaml +++ b/cves/2019/CVE-2019-16123.yaml 
@@ -1,7 +1,7 @@ id: CVE-2019-16123 info: - name: PilusCart <= 1.4.1 - Local File Disclosure + name: PilusCart <= 1.4.1 - Arbitrary File Retrieval author: 0x_Akoko severity: high description: PilusCart versions 1.4.1 and below suffers from a file disclosure vulnerability. diff --git a/cves/2019/CVE-2019-16759.yaml b/cves/2019/CVE-2019-16759.yaml index 2b48847efd..bf741b806c 100644 --- a/cves/2019/CVE-2019-16759.yaml +++ b/cves/2019/CVE-2019-16759.yaml @@ -1,7 +1,7 @@ id: CVE-2019-16759 info: - name: vBulletin v5.0.0-v5.5.4 Remote Command Execution + name: vBulletin v5.0.0-v5.5.4 - Remote Command Execution author: madrobot severity: critical description: vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. diff --git a/cves/2019/CVE-2019-17506.yaml b/cves/2019/CVE-2019-17506.yaml index 31ca656175..4fadfcfacf 100644 --- a/cves/2019/CVE-2019-17506.yaml +++ b/cves/2019/CVE-2019-17506.yaml 
@@ -1,11 +1,10 @@ id: CVE-2019-17506 info: - name: DLINK DIR-868L & DIR-817LW Info Leak + name: D-Link DIR-868L & DIR-817LW - Information Disclosure author: pikpikcu severity: critical - description: There are some web interfaces without authentication requirements on D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 routers. An attacker can get the router's username and password (and other information) - via a DEVICE.ACCOUNT value for SERVICES in conjunction with AUTHORIZED_GROUP=1%0a to getcfg.php. This could be used to control the router remotely. + description: There are some web interfaces without authentication requirements on D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 routers. An attacker can get the router's username and password (and other information) via a DEVICE.ACCOUNT value for SERVICES in conjunction with AUTHORIZED_GROUP=1%0a to getcfg.php. This could be used to control the router remotely. reference: - https://github.com/dahua966/Routers-vuls/blob/master/DIR-868/name%26passwd.py classification: diff --git a/cves/2019/CVE-2019-19908.yaml b/cves/2019/CVE-2019-19908.yaml index afefa998c7..6a278ed7a0 100644 --- a/cves/2019/CVE-2019-19908.yaml +++ b/cves/2019/CVE-2019-19908.yaml @@ -1,10 +1,10 @@ id: CVE-2019-19908 info: - name: phpMyChat-Plus XSS + name: phpMyChat-Plus - Cross-Site Scripting author: madrobot severity: medium - description: phpMyChat-Plus 1.98 is vulnerable to reflected XSS via JavaScript injection into the password reset URL. In the URL, the pmc_username parameter to pass_reset.php is vulnerable. + description: phpMyChat-Plus 1.98 is vulnerable to reflected cross-site scripting (XSS) via JavaScript injection into the password reset URL. In the URL, the pmc_username parameter to pass_reset.php is vulnerable. reference: - https://cinzinga.github.io/CVE-2019-19908/ classification: diff --git a/cves/2019/CVE-2019-19985.yaml b/cves/2019/CVE-2019-19985.yaml index 832bbf7c41..ab25c58a3d 100644 --- a/cves/2019/CVE-2019-19985.yaml 
+++ b/cves/2019/CVE-2019-19985.yaml @@ -1,10 +1,10 @@ id: CVE-2019-19985 info: - name: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download + name: WordPress Email Subscribers & Newsletters <4.2.2 - Arbitrary File Retrieval author: KBA@SOGETI_ESEC,madrobot,dwisiswant0 severity: medium - description: The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed unauthenticated file download with user information disclosure. + description: The WordPress plugin Email Subscribers & Newsletters before 4.2.3 contains a flaw that allows unauthenticated file download and user information disclosure. reference: - https://www.exploit-db.com/exploits/48698 classification: @@ -37,4 +37,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/cves/2019/CVE-2019-20141.yaml b/cves/2019/CVE-2019-20141.yaml index 43ec04b5be..9e3ef70432 100644 --- a/cves/2019/CVE-2019-20141.yaml +++ b/cves/2019/CVE-2019-20141.yaml @@ -1,7 +1,7 @@ id: CVE-2019-20141 info: - name: Neon Dashboard - XSS Reflected + name: Neon Dashboard - Cross-Site Scripting author: knassar702 severity: medium description: An XSS issue was discovered in the Laborator Neon theme 2.0 for WordPress via the data/autosuggest-remote.php q parameter. @@ -30,4 +30,4 @@ requests: - type: word words: - "text/html" - part: header \ No newline at end of file + part: header diff --git a/cves/2019/CVE-2019-3912.yaml b/cves/2019/CVE-2019-3912.yaml index 568b41377e..def2a63d29 100644 --- a/cves/2019/CVE-2019-3912.yaml +++ b/cves/2019/CVE-2019-3912.yaml @@ -1,7 +1,7 @@ id: CVE-2019-3912 info: - name: LabKey Server < 18.3.0 - Open redirect + name: LabKey Server < 18.3.0 - Open Redirect author: 0x_Akoko severity: medium description: An open redirect vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 via the /__r1/ returnURL parameter allows an unauthenticated remote attacker to redirect users to arbitrary web sites. 
diff --git a/cves/2019/CVE-2019-9955.yaml b/cves/2019/CVE-2019-9955.yaml index f6f733783a..7489a0c820 100644 --- a/cves/2019/CVE-2019-9955.yaml +++ b/cves/2019/CVE-2019-9955.yaml @@ -1,7 +1,7 @@ id: CVE-2019-9955 info: - name: Zyxel Reflected Cross-site Scripting + name: Zyxel - Reflected Cross-site Scripting author: pdteam severity: medium description: On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, ZyWALL 1100 devices, the security diff --git a/cves/2020/CVE-2020-18268.yaml b/cves/2020/CVE-2020-18268.yaml index 6952e2c78c..4b2fb2686d 100644 --- a/cves/2020/CVE-2020-18268.yaml +++ b/cves/2020/CVE-2020-18268.yaml @@ -1,7 +1,7 @@ id: CVE-2020-18268 info: - name: Z-BlogPHP 1.5.2 Open redirect + name: Z-BlogPHP 1.5.2 - Open Redirect author: 0x_Akoko severity: medium description: Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect" parameter in the component "zb_system/cmd.php." diff --git a/cves/2020/CVE-2020-22840.yaml b/cves/2020/CVE-2020-22840.yaml index 8d9da7a121..a642e28b21 100644 --- a/cves/2020/CVE-2020-22840.yaml +++ b/cves/2020/CVE-2020-22840.yaml @@ -1,7 +1,7 @@ id: CVE-2020-22840 info: - name: b2evolution CMS Open redirect + name: b2evolution CMS - Open Redirect author: geeknik severity: medium description: Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php. diff --git a/cves/2020/CVE-2020-24391.yaml b/cves/2020/CVE-2020-24391.yaml index 97c0b1f998..d0bc0cf514 100644 --- a/cves/2020/CVE-2020-24391.yaml +++ b/cves/2020/CVE-2020-24391.yaml 
@@ -1,11 +1,10 @@ id: CVE-2020-24391 info: - name: Mongo-Express Remote Code Execution + name: Mongo-Express - Remote Code Execution author: leovalcante severity: critical - description: Mongo-Express before 1.0.0 is susceptible to remote code execution because it uses safer-eval to validate user supplied javascript. Unfortunately safer-eval sandboxing capabilities are easily bypassed - leading to remote code execution in the context of the node server. + description: Mongo-Express before 1.0.0 is susceptible to remote code execution because it uses safer-eval to validate user supplied javascript. Unfortunately safer-eval sandboxing capabilities are easily bypassed leading to remote code execution in the context of the node server. reference: - https://securitylab.github.com/advisories/GHSL-2020-131-mongo-express/ - https://github.com/mongo-express/mongo-express/commit/3a26b079e7821e0e209c3ee0cc2ae15ad467b91a diff --git a/cves/2020/CVE-2020-24550.yaml b/cves/2020/CVE-2020-24550.yaml index 173fe2c0d3..b7eecbd3ea 100644 --- a/cves/2020/CVE-2020-24550.yaml +++ b/cves/2020/CVE-2020-24550.yaml @@ -1,7 +1,7 @@ id: CVE-2020-24550 info: - name: CVE-2020-24550 + name: EpiServer <13.2.7 - Open Redirect author: dhiyaneshDK severity: medium description: An Open Redirect vulnerability in EpiServer Find before 13.2.7 allows an attacker to redirect users to untrusted websites via the _t_redirect parameter in a crafted URL, such as a /find_v2/_click URL. diff --git a/cves/2020/CVE-2020-24579.yaml b/cves/2020/CVE-2020-24579.yaml index abb9b6e04b..57a6a48383 100644 --- a/cves/2020/CVE-2020-24579.yaml +++ b/cves/2020/CVE-2020-24579.yaml 
@@ -1,7 +1,7 @@ id: CVE-2020-24579 info: - name: DLINK DSL 2888a RCE + name: D-Link DSL 2888a - Remote Command Execution author: pikpikcu severity: high description: An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. An unauthenticated attacker could bypass authentication to access authenticated pages and functionality. diff --git a/cves/2020/CVE-2020-25495.yaml b/cves/2020/CVE-2020-25495.yaml index b9465d25c0..f3a93f9bfe 100644 --- a/cves/2020/CVE-2020-25495.yaml +++ b/cves/2020/CVE-2020-25495.yaml @@ -1,10 +1,10 @@ id: CVE-2020-25495 info: - name: SCO Openserver 5.0.7 - 'section' Reflected XSS + name: SCO Openserver 5.0.7 - 'section' Cross-Site scripting author: 0x_Akoko severity: medium - description: A reflected Cross-site scripting (XSS) vulnerability in Xinuo (formerly SCO) Openserver version 5 and 6 allows remote attackers to inject arbitrary web script or HTML tag via the parameter 'section'. + description: A reflected cross-site scripting (XSS) vulnerability in Xinuo (formerly SCO) Openserver version 5 and 6 allows remote attackers to inject arbitrary web script or HTML tag via the parameter 'section'. reference: - https://www.exploit-db.com/exploits/49300 classification: diff --git a/cves/2020/CVE-2020-29453.yaml b/cves/2020/CVE-2020-29453.yaml index b8f5f954e6..67ed1506e4 100644 --- a/cves/2020/CVE-2020-29453.yaml +++ b/cves/2020/CVE-2020-29453.yaml @@ -1,7 +1,7 @@ id: CVE-2020-29453 info: - name: Jira Server Pre-Auth Limited Arbitrary File Read + name: Jira Server Pre-Auth - Arbitrary File Retrieval (WEB-INF, META-INF) author: dwisiswant0 severity: medium description: The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check. diff --git a/cves/2020/CVE-2020-3452.yaml b/cves/2020/CVE-2020-3452.yaml index 7d146b213f..657ec3c39e 100644 
--- a/cves/2020/CVE-2020-3452.yaml +++ b/cves/2020/CVE-2020-3452.yaml @@ -1,7 +1,7 @@ id: CVE-2020-3452 info: - name: CVE-2020-3452 + name: Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) - Arbitrary File Retrieval author: pdteam severity: high description: | diff --git a/cves/2020/CVE-2020-35736.yaml b/cves/2020/CVE-2020-35736.yaml index 41fd646ab8..a8705ecb15 100644 --- a/cves/2020/CVE-2020-35736.yaml +++ b/cves/2020/CVE-2020-35736.yaml @@ -1,10 +1,10 @@ id: CVE-2020-35736 info: - name: GateOne Arbitrary File Download + name: GateOne 1.1 - Arbitrary File Retrieval author: pikpikcu severity: high - description: GateOne 1.1 allows arbitrary file download without authentication via /downloads/.. directory traversal because os.path.join is misused. + description: GateOne 1.1 allows arbitrary file retrieval without authentication via /downloads/.. directory traversal because os.path.join is incorrectly used. reference: - https://github.com/liftoff/GateOne/issues/747 - https://nvd.nist.gov/vuln/detail/CVE-2020-35736 @@ -28,4 +28,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/cves/2020/CVE-2020-35749.yaml b/cves/2020/CVE-2020-35749.yaml index 6acaacc696..e8e74fcf2b 100644 --- a/cves/2020/CVE-2020-35749.yaml +++ b/cves/2020/CVE-2020-35749.yaml @@ -1,7 +1,7 @@ id: CVE-2020-35749 info: - name: Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download + name: Simple Job Board < 2.9.4 -Arbitrary File Retrieval (Authenticated) author: cckuailong severity: high description: The plugin does not validate the sjb_file parameter when viewing a resume, allowing authenticated user with the download_resume capability (such as HR users) to download arbitrary files from the web-server diff --git a/cves/2020/CVE-2020-36365.yaml b/cves/2020/CVE-2020-36365.yaml index 1799640cac..7780f22248 100644 --- a/cves/2020/CVE-2020-36365.yaml +++ b/cves/2020/CVE-2020-36365.yaml 
@@ -1,7 +1,7 @@ id: CVE-2020-36365 info: - name: Smartstore < 4.1.0 - Open redirect + name: Smartstore < 4.1.0 - Open Redirect author: 0x_Akoko severity: medium description: Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect. diff --git a/cves/2020/CVE-2020-36510.yaml b/cves/2020/CVE-2020-36510.yaml index 8ab9e80989..4d82785b67 100644 --- a/cves/2020/CVE-2020-36510.yaml +++ b/cves/2020/CVE-2020-36510.yaml @@ -5,7 +5,7 @@ info: author: veshraj severity: medium description: | - The theme does not sanitise and escape the cbi parameter before outputing it back in the response via the cb_s_a AJAX action, leading to a Reflected Cross-Site Scripting + The 15Zine Wordpress theme does not sanitize the cbi parameter before including it in the HTTP response via the cb_s_a AJAX action, leading to a reflected cross-site scripting. reference: - https://wpscan.com/vulnerability/d1dbc6d7-7488-40c2-bc38-0674ea5b3c95 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36510 diff --git a/cves/2020/CVE-2020-9054.yaml b/cves/2020/CVE-2020-9054.yaml index 769a806db2..3b4c8d7c25 100644 --- a/cves/2020/CVE-2020-9054.yaml +++ b/cves/2020/CVE-2020-9054.yaml 
@@ -1,10 +1,10 @@ id: CVE-2020-9054 info: - name: ZyXEL NAS Firmware 5.21- Remote Code Execution + name: Zyxel NAS Firmware 5.21- Remote Code Execution author: dhiyaneshDk severity: critical - description: "Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2." 
+ description: "Multiple Zyxel network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. Zyxel NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the Zyxel device. Although the web server does not run as the root user, Zyyxel devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable Zyyxel device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any Zyyxel device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 Zyyxel has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2." reference: - https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/ - https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml 
diff --git a/cves/2020/CVE-2020-9490.yaml b/cves/2020/CVE-2020-9490.yaml index f880e7d32d..aabdc20f55 100644 --- a/cves/2020/CVE-2020-9490.yaml +++ b/cves/2020/CVE-2020-9490.yaml @@ -1,11 +1,10 @@ id: CVE-2020-9490 info: - name: CVE-2020-9490 + name: Apache HTTP Server 2.4.20-2.4.43 - HTTP/2 Cache-Digest DoS author: philippedelteil severity: high - description: Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource - afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers. + description: Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers. reference: - https://httpd.apache.org/security/vulnerabilities_24.html - https://bugs.chromium.org/p/project-zero/issues/detail?id=2030 diff --git a/cves/2021/CVE-2021-21816.yaml b/cves/2021/CVE-2021-21816.yaml index 7a8949b76f..2edea85ba4 100644 --- a/cves/2021/CVE-2021-21816.yaml +++ b/cves/2021/CVE-2021-21816.yaml 
@@ -1,10 +1,10 @@ id: CVE-2021-21816 info: - name: D-LINK DIR-3040 - Syslog Information Disclosure + name: D-Link DIR-3040 - Syslog Information Disclosure author: gy741 severity: medium - description: An information disclosure vulnerability exists in the Syslog functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker + description: An information disclosure vulnerability exists in the Syslog functionality of D-Link DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability. reference: - https://talosintelligence.com/vulnerability_reports/TALOS-2021-1281 diff --git a/cves/2021/CVE-2021-24997.yaml b/cves/2021/CVE-2021-24997.yaml index fa007b398c..a63de780be 100644 --- a/cves/2021/CVE-2021-24997.yaml +++ b/cves/2021/CVE-2021-24997.yaml @@ -1,10 +1,9 @@ id: CVE-2021-24997 info: - name: CVE-2021-24997 + name: Wordpress Guppy <=1.1 - User ID Disclosure author: Evan Rubinstein - description: Instances of the Guppy Wordpress extension up to 1.1 are vulnerable to an API disclosure vulnerability which allows remote unauthenticated attackrs to obtain all user IDs, and then use that information - to make API requests to either get messages sent between users, or send messages posing as one user to another. + description: Instances of the Guppy Wordpress extension up to 1.1 are vulnerable to an API disclosure vulnerability which allows remote unauthenticated attackrs to obtain all user IDs, and then use that information to make API requests to either get messages sent between users, or send messages posing as one user to another. reference: - https://www.exploit-db.com/exploits/50540 - https://patchstack.com/database/vulnerability/wp-guppy/wordpress-wp-guppy-plugin-1-2-sensitive-information-disclosure-vulnerability 
@@ -32,4 +31,4 @@ requests: - '"guppyUsers":' - '"userId":' - '"type":' - condition: and \ No newline at end of file + condition: and diff --git a/cves/2021/CVE-2021-25118.yaml b/cves/2021/CVE-2021-25118.yaml index b9ea12f155..e9bd5f3d07 100644 --- a/cves/2021/CVE-2021-25118.yaml +++ b/cves/2021/CVE-2021-25118.yaml @@ -1,7 +1,7 @@ id: CVE-2021-25118 info: - name: Yoast SEO < 17.3 - Unauthenticated Full Path Disclosure + name: Yoast SEO < 17.3 - Path Disclosure author: DhiyaneshDK severity: medium description: The plugin discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints which could help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities. diff --git a/cves/2021/CVE-2021-30151.yaml b/cves/2021/CVE-2021-30151.yaml index 01a8c5e671..8b67e5b577 100644 --- a/cves/2021/CVE-2021-30151.yaml +++ b/cves/2021/CVE-2021-30151.yaml @@ -1,7 +1,7 @@ id: CVE-2021-30151 info: - name: CVE-2021-30151 + name: Sidekiq 5.1.3 and 6.x-6.2.0 - Cross-Site Scripting author: DhiyaneshDk severity: medium description: Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used. @@ -33,4 +33,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/cves/2021/CVE-2021-39316.yaml b/cves/2021/CVE-2021-39316.yaml index cc8370a850..f2125025ea 100644 --- a/cves/2021/CVE-2021-39316.yaml +++ b/cves/2021/CVE-2021-39316.yaml 
@@ -1,11 +1,10 @@ id: CVE-2021-39316 info: - name: DZS Zoomsounds < 6.50 - Unauthenticated Arbitrary File Download + name: Wordpress DZS Zoomsounds <= 6.50 - Arbitrary File Retrieval author: daffainfo severity: high - description: The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using directory traversal - in the `link` parameter. + description: The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using a directory traversal in the `link` parameter. reference: - https://wpscan.com/vulnerability/d2d60cf7-e4d3-42b6-8dfe-7809f87547bd - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39316 @@ -30,4 +29,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/cves/2021/CVE-2021-41293.yaml b/cves/2021/CVE-2021-41293.yaml index b34135e53d..ab9790a110 100644 --- a/cves/2021/CVE-2021-41293.yaml +++ b/cves/2021/CVE-2021-41293.yaml @@ -1,7 +1,7 @@ id: CVE-2021-41293 info: - name: ECOA Building Automation System - Local File Disclosure + name: ECOA Building Automation System - Arbitrary File Retrieval author: 0x_Akoko severity: high description: The ECOA BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose diff --git a/cves/2022/CVE-2022-0540.yaml b/cves/2022/CVE-2022-0540.yaml index 29a7bf8fa1..5e0d089bbb 100644 --- a/cves/2022/CVE-2022-0540.yaml +++ b/cves/2022/CVE-2022-0540.yaml @@ -1,7 +1,7 @@ id: CVE-2022-0540 info: - name: Atlassian Jira - Authentication bypass in Seraph + name: Atlassian Jira Seraph- Authentication Bypass author: DhiyaneshDK severity: critical description: | 
diff --git a/cves/2022/CVE-2022-1119.yaml b/cves/2022/CVE-2022-1119.yaml index 9655352d6d..788e431fa4 100644 --- a/cves/2022/CVE-2022-1119.yaml +++ b/cves/2022/CVE-2022-1119.yaml @@ -1,11 +1,11 @@ id: CVE-2022-1119 info: - name: WordPress Simple File List < 3.2.8 - Unauthenticated Arbitrary File Download + name: WordPress Simple File List < 3.2.8 - Arbitrary File Retrieval author: random-robbie severity: high description: | - The plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which makes it possible unauthenticated attackers to supply a path to a file that will subsequently be downloaded + The Wordpress plugin is vulnerable to arbitrary file retrieval via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which make it possible for unauthenticated attackers retrieve arbitrary files. reference: - https://nvd.nist.gov/vuln/detail/CVE-2022-1119 - https://wpscan.com/vulnerability/5551038f-64fb-44d8-bea0-d2f00f04877e diff --git a/cves/2022/CVE-2022-1221.yaml b/cves/2022/CVE-2022-1221.yaml index 1ca0d40b7e..65c2dc6a32 100644 --- a/cves/2022/CVE-2022-1221.yaml +++ b/cves/2022/CVE-2022-1221.yaml @@ -5,10 +5,12 @@ info: author: veshraj severity: medium description: | - The plugin does not sanitise and escape some parameters before outputting them back in attributes, leading to a Reflected Cross-Site Scripting. + The Gwyn's Imagemap Selector Wordpresss plugin does not sanitize the id and class parameters before returning them back in attributes, leading to a Reflected Cross-Site Scripting. reference: - https://wpscan.com/vulnerability/641be9f6-2f74-4386-b16e-4b9488f0d2a9 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1221 + classification: + cve-id: CVE-2022-1221 metadata: verified: true tags: xss,wordpress,wp-plugin,wp,cve,cve2022 
diff --git a/exposed-panels/gogs-login.yaml b/exposed-panels/gogs-login.yaml index 8a378d1088..7a95d2bd06 100644 --- a/exposed-panels/gogs-login.yaml +++ b/exposed-panels/gogs-login.yaml @@ -1,7 +1,7 @@ id: gogs-login info: - name: Sign In - Gogs + name: Gogs (Go Git Service) - Sign In Page author: dhiyaneshDK severity: info metadata: diff --git a/exposed-panels/zyxel/zyxel-vmg1312b10d-login.yaml b/exposed-panels/zyxel/zyxel-vmg1312b10d-login.yaml index 59bf6a7764..7022469938 100644 --- a/exposed-panels/zyxel/zyxel-vmg1312b10d-login.yaml +++ b/exposed-panels/zyxel/zyxel-vmg1312b10d-login.yaml @@ -1,7 +1,7 @@ id: zyxel-vmg1312b10d-login info: - name: ZYXEL VMG1312-B10D Login Detect + name: Zyxel VMG1312-B10D - Login Detection author: princechaddha severity: info metadata: diff --git a/exposed-panels/zyxel/zyxel-vsg1432b101-login.yaml b/exposed-panels/zyxel/zyxel-vsg1432b101-login.yaml index 95c475ef83..b11a2c0c5f 100644 --- a/exposed-panels/zyxel/zyxel-vsg1432b101-login.yaml +++ b/exposed-panels/zyxel/zyxel-vsg1432b101-login.yaml @@ -1,7 +1,7 @@ id: zyxel-vsg1432b101-login info: - name: ZYXEL VSG1432-B101 Login Detect + name: Zyxel VSG1432-B101 - Login Detection author: princechaddha severity: info metadata: diff --git a/exposures/files/gogs-install-exposure.yaml b/exposures/files/gogs-install-exposure.yaml index a7369b2cb4..c3c6b915df 100644 --- a/exposures/files/gogs-install-exposure.yaml +++ b/exposures/files/gogs-install-exposure.yaml @@ -1,7 +1,7 @@ id: gogs-install-exposure info: - name: Gogs install exposure + name: Gogs (Go Git Service) - Install Exposure author: dhiyaneshDk severity: high tags: gogs,exposure diff --git a/headless/window-name-domxss.yaml b/headless/window-name-domxss.yaml index c8fcff19b9..7c202f7d8b 100644 --- a/headless/window-name-domxss.yaml +++ b/headless/window-name-domxss.yaml 
@@ -1,7 +1,7 @@ id: window-name-domxss info: - name: window.name DOM XSS + name: window.name - DOM Cross-Site Scripting author: pdteam severity: medium reference: diff --git a/misconfiguration/aem/aem-setpreferences-xss.yaml b/misconfiguration/aem/aem-setpreferences-xss.yaml index d58bb560ba..87462f5774 100644 --- a/misconfiguration/aem/aem-setpreferences-xss.yaml +++ b/misconfiguration/aem/aem-setpreferences-xss.yaml @@ -1,7 +1,7 @@ id: aem-setpreferences-xss info: - name: AEM setPreferences XSS + name: AEM setPreferences - Cross-Site Scripting author: zinminphy0,dhiyaneshDK severity: medium reference: @@ -27,4 +27,4 @@ requests: - type: status status: - - 400 \ No newline at end of file + - 400 diff --git a/misconfiguration/akamai-arl-xss.yaml b/misconfiguration/akamai-arl-xss.yaml index f447dbdb60..6a9c5fd334 100644 --- a/misconfiguration/akamai-arl-xss.yaml +++ b/misconfiguration/akamai-arl-xss.yaml @@ -1,7 +1,7 @@ id: akamai-arl-xss info: - name: Open Akamai ARL XSS + name: Open Akamai ARL - Cross-Site Scripting author: pdteam severity: medium reference: @@ -28,4 +28,4 @@ requests: - type: word part: header words: - - 'text/html' \ No newline at end of file + - 'text/html' diff --git a/misconfiguration/ampps-dirlisting.yaml b/misconfiguration/ampps-dirlisting.yaml index 995d6fb8b5..ad455130e5 100644 --- a/misconfiguration/ampps-dirlisting.yaml +++ b/misconfiguration/ampps-dirlisting.yaml @@ -1,7 +1,7 @@ id: ampps-dirlisting info: - name: AMPPS by Softaculous - Directory Listing Enabled + name: AMPPS by Softaculous - Directory Listing author: deFr0ggy severity: info tags: panel,ampps,softaculous,misconfig diff --git a/misconfiguration/d-link-arbitary-fileread.yaml b/misconfiguration/d-link-arbitary-fileread.yaml index 1528be0049..453ed0fb23 100644 --- a/misconfiguration/d-link-arbitary-fileread.yaml +++ b/misconfiguration/d-link-arbitary-fileread.yaml 
@@ -1,7 +1,7 @@ id: dlink-file-read info: - name: D-Link Arbitrary File Read + name: D-Link - Arbitrary File Retrieval author: dhiyaneshDK severity: high reference: diff --git a/vulnerabilities/moodle/moodle-filter-jmol-xss.yaml b/vulnerabilities/moodle/moodle-filter-jmol-xss.yaml index bf7d0f70de..4c3f3c6236 100644 --- a/vulnerabilities/moodle/moodle-filter-jmol-xss.yaml +++ b/vulnerabilities/moodle/moodle-filter-jmol-xss.yaml @@ -1,7 +1,7 @@ id: moodle-filter-jmol-xss info: - name: Moodle filter_jmol - XSS + name: Moodle filter_jmol - Cross-Site Scripting author: madrobot severity: medium description: Cross-site scripting on Moodle. @@ -28,4 +28,4 @@ requests: - type: word part: header words: - - "text/html" \ No newline at end of file + - "text/html" diff --git a/vulnerabilities/moodle/moodle-xss.yaml b/vulnerabilities/moodle/moodle-xss.yaml index 3f3938d9db..5dcfe36be5 100644 --- a/vulnerabilities/moodle/moodle-xss.yaml +++ b/vulnerabilities/moodle/moodle-xss.yaml @@ -1,7 +1,7 @@ id: moodle-xss info: - name: Moodle redirect_uri Reflected XSS + name: Moodle redirect_uri - Cross-Site Scripting author: hackergautam severity: medium description: XSS in moodle via redirect_uri parameter diff --git a/vulnerabilities/netsweeper/netsweeper-rxss.yaml b/vulnerabilities/netsweeper/netsweeper-rxss.yaml index 2d493bd7f4..18892a3101 100644 --- a/vulnerabilities/netsweeper/netsweeper-rxss.yaml +++ b/vulnerabilities/netsweeper/netsweeper-rxss.yaml @@ -1,7 +1,7 @@ id: netsweeper-rxss info: - name: Netsweeper 4.0.9 - Cross Site Scripting Injection + name: Netsweeper 4.0.9 - Cross-Site Scripting author: daffainfo severity: medium reference: diff --git a/vulnerabilities/oracle/oracle-ebs-xss.yaml b/vulnerabilities/oracle/oracle-ebs-xss.yaml index c5252391cf..23bd3eea02 100644 --- a/vulnerabilities/oracle/oracle-ebs-xss.yaml +++ b/vulnerabilities/oracle/oracle-ebs-xss.yaml 
@@ -1,7 +1,7 @@ id: oracle-ebs-xss info: - name: Oracle EBS XSS + name: Oracle EBS - Cross-Site Scripting author: dhiyaneshDk severity: medium reference: diff --git a/vulnerabilities/other/bems-api-lfi.yaml b/vulnerabilities/other/bems-api-lfi.yaml index a672809b50..fa2efedbb9 100644 --- a/vulnerabilities/other/bems-api-lfi.yaml +++ b/vulnerabilities/other/bems-api-lfi.yaml @@ -1,10 +1,10 @@ id: bems-api-lfi info: - name: Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download + name: Longjing Technology BEMS API 1.21 - Arbitrary File Retrieval author: gy741 severity: high - description: The application suffers from an unauthenticated arbitrary file download vulnerability. Input passed through the fileName parameter through downloads endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks. + description: The application suffers from an unauthenticated arbitrary file retrieval vulnerability. Input passed through the fileName parameter through the downloads API endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks. reference: - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php tags: lfi diff --git a/vulnerabilities/other/ecsimagingpacs-rce.yaml b/vulnerabilities/other/ecsimagingpacs-rce.yaml index b102fbcffc..115478ee95 100644 --- a/vulnerabilities/other/ecsimagingpacs-rce.yaml +++ b/vulnerabilities/other/ecsimagingpacs-rce.yaml 
@@ -1,14 +1,16 @@ id: ecsimagingpacs-rce info: - name: ECSIMAGING PACS 6.21.5 - Remote code execution + name: ECSIMAGING PACS <= 6.21.5 - Command Execution and Local File Inclusion author: ritikchaddha severity: critical - description: ECSIMAGING PACS Application in 6.21.5 and bellow suffers from a OS Injection vulnerability. The parameter `file` on the webpage /showfile.php can be exploited with simple OS injection to gain root access. www-data user has sudo NOPASSWD access + description: ECSIMAGING PACS Application 6.21.5 and below suffer from a command injection vulnerability and a local file include vulnerability. The 'file' parameter on the page /showfile.php can be exploited to perform command execution or local file inclusion. Often on ECSIMAGING PACS, the www-data user has sudo NOPASSWD access. reference: https://www.exploit-db.com/exploits/49388 metadata: verified: false tags: ecsimagingpacs,rce + classification: + cwe-id: CWE-78 requests: - method: GET @@ -24,3 +26,5 @@ requests: - type: status status: - 200 + +# Enhanced by cs 05/12/2022 diff --git a/vulnerabilities/other/eyelock-nano-lfd.yaml b/vulnerabilities/other/eyelock-nano-lfd.yaml index 7fce23a1a5..483437d4b9 100644 --- a/vulnerabilities/other/eyelock-nano-lfd.yaml +++ b/vulnerabilities/other/eyelock-nano-lfd.yaml 
@@ -1,10 +1,10 @@ id: eyelock-nano-lfd info: - name: EyeLock nano NXT 3.5 - Local File Disclosure + name: EyeLock nano NXT 3.5 - Arbitrary File Retrieval author: geeknik severity: high - description: EyeLock nano NXT suffers from a file disclosure vulnerability when input passed through the 'path' parameter to 'logdownload.php' script is not properly verified before being used to read files. This + description: EyeLock nano NXT suffers from a file retrieval vulnerability when input passed through the 'path' parameter to 'logdownload.php' script is not properly verified before being used to read files. This can be exploited to disclose contents of files from local resources. reference: - https://www.zeroscience.mk/codes/eyelock_lfd.txt diff --git a/vulnerabilities/other/java-melody-xss.yaml b/vulnerabilities/other/java-melody-xss.yaml index 3899625c59..efa41edf75 100644 --- a/vulnerabilities/other/java-melody-xss.yaml +++ b/vulnerabilities/other/java-melody-xss.yaml @@ -1,7 +1,7 @@ id: java-melody-xss info: - name: JavaMelody Monitoring XSS + name: JavaMelody Monitoring - Cross-Site Scripting author: kailashbohara severity: medium description: Reflected cross site scripting (XSS) in JavaMelody monitoring. diff --git a/vulnerabilities/other/kafdrop-xss.yaml b/vulnerabilities/other/kafdrop-xss.yaml index d191b88f28..32f69bbf74 100644 --- a/vulnerabilities/other/kafdrop-xss.yaml +++ b/vulnerabilities/other/kafdrop-xss.yaml @@ -1,10 +1,10 @@ id: kafdrop-xss info: - name: KafDrop XSS + name: KafDrop - Cross-Site Scripting author: dhiyaneshDk severity: medium - description: A vulnerability in KafDrop allows remote unauthenticated attackers to inject arbitrary HTML and/or Javascript into the response returned by the server. + description: A vulnerability in KafDrop allows remote unauthenticated attackers to inject arbitrary HTML and/or JavaScript into the response returned by the server. reference: - https://github.com/HomeAdvisor/Kafdrop/issues/12 tags: kafdrop,xss 
diff --git a/vulnerabilities/other/kyocera-m2035dn-lfi.yaml b/vulnerabilities/other/kyocera-m2035dn-lfi.yaml index f0587dca70..35651ada5b 100644 --- a/vulnerabilities/other/kyocera-m2035dn-lfi.yaml +++ b/vulnerabilities/other/kyocera-m2035dn-lfi.yaml @@ -1,10 +1,10 @@ id: kyocera-m2035dn-lfi info: - name: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated) + name: Kyocera Command Center RX ECOSYS M2035dn - Arbitrary File Retrieval author: 0x_Akoko severity: high - description: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated) + description: Kyocera Command Center RX ECOSYS M2035dn - Unauthenticated arbitrary file retrieval. reference: - https://www.exploit-db.com/exploits/50738 - https://www.kyoceradocumentsolutions.com/asia/en/products/business-application/command-center-rx.html diff --git a/vulnerabilities/other/microstrategy-ssrf.yaml b/vulnerabilities/other/microstrategy-ssrf.yaml index 20b4e2ed73..df76c1a881 100644 --- a/vulnerabilities/other/microstrategy-ssrf.yaml +++ b/vulnerabilities/other/microstrategy-ssrf.yaml @@ -1,10 +1,10 @@ id: microstrategy-ssrf info: - name: MicroStrategy tinyurl - BSSRF + name: MicroStrategy tinyurl - Server-Side Request Forgery (Blind) author: organiccrap severity: high - description: Blind server-side request forgery vulnerability on MicroStrategy URL shortener. + description: Blind server-side (SSRF) request forgery vulnerability on MicroStrategy URL shortener. reference: - https://medium.com/@win3zz/how-i-made-31500-by-submitting-a-bug-to-facebook-d31bb046e204 tags: microstrategy,ssrf diff --git a/vulnerabilities/other/nginx-module-vts-xss.yaml b/vulnerabilities/other/nginx-module-vts-xss.yaml index 9c48e332f3..f0ca677575 100644 --- a/vulnerabilities/other/nginx-module-vts-xss.yaml +++ b/vulnerabilities/other/nginx-module-vts-xss.yaml 
@@ -1,7 +1,7 @@ id: nginx-module-vts-xss info: - name: Nginx virtual host traffic status module XSS + name: Nginx Virtual Host Traffic Status Module - Cross-Site Scripting author: madrobot severity: medium tags: nginx,xss,status diff --git a/vulnerabilities/other/nuuo-file-inclusion.yaml b/vulnerabilities/other/nuuo-file-inclusion.yaml index 9836361754..f577991d4f 100644 --- a/vulnerabilities/other/nuuo-file-inclusion.yaml +++ b/vulnerabilities/other/nuuo-file-inclusion.yaml @@ -1,7 +1,7 @@ id: nuuo-file-inclusion info: - name: NUUO NVRmini 2 3.0.8 Local File Disclosure + name: NUUO NVRmini 2 v3.0.8 - Atrbitary File Retrieval author: princechaddha severity: high reference: diff --git a/vulnerabilities/other/odoo-cms-redirect.yaml b/vulnerabilities/other/odoo-cms-redirect.yaml index cc3be56efb..3fecc9364a 100644 --- a/vulnerabilities/other/odoo-cms-redirect.yaml +++ b/vulnerabilities/other/odoo-cms-redirect.yaml @@ -1,12 +1,13 @@ id: odoo-cms-redirect info: - name: Odoo CMS - Open redirection all Version + name: Odoo CMS - Open Redirect author: 0x_Akoko severity: low - description: Odoo CMS - Open redirection all Version. + description: Odoo CMS - Open redirection in all versions due to Odoo's policy. reference: - https://cxsecurity.com/issue/WLB-2021020143 + - https://www.odoo.com/page/security-nonvuln-redirectors tags: odoo,redirect requests: diff --git a/vulnerabilities/other/oliver-library-lfi.yaml b/vulnerabilities/other/oliver-library-lfi.yaml index 847d04b8a5..4d3eaf3db1 100644 --- a/vulnerabilities/other/oliver-library-lfi.yaml +++ b/vulnerabilities/other/oliver-library-lfi.yaml 
@@ -1,10 +1,10 @@ id: oliver-library-lfi info: - name: Oliver Library Server v5 - Arbitrary File Download + name: Oliver Library Server v5 <8.00.008.053 - Arbitrary File Retrieval author: gy741 severity: high - description: An arbitrary file download vulnerability in Oliver v5 Library Server Versions < 8.00.008.053 via the FileServlet function allows for arbitrary file download by an attacker using unsanitized user supplied input. + description: An arbitrary file retrieval vulnerability in Oliver v5 Library Server Versions < 8.00.008.053 via the FileServlet function allows for arbitrary file retrieval by an attacker using unsanitized user supplied input. reference: - https://www.exploit-db.com/exploits/50599 - https://www.softlinkint.com/product/oliver/ diff --git a/vulnerabilities/other/pbootcms-database-file-download.yaml b/vulnerabilities/other/pbootcms-database-file-download.yaml index b65860d801..9781cd9421 100644 --- a/vulnerabilities/other/pbootcms-database-file-download.yaml +++ b/vulnerabilities/other/pbootcms-database-file-download.yaml @@ -1,7 +1,7 @@ id: pbootcms-database-file-download info: - name: PbootCMS v2.0.7 DB File Download + name: PbootCMS v2.0.7 - pbootcms.db File Download author: ritikchaddha severity: high reference: diff --git a/vulnerabilities/other/pmb-directory-traversal.yaml b/vulnerabilities/other/pmb-directory-traversal.yaml index 60ca1be4ab..69934ef8a1 100644 --- a/vulnerabilities/other/pmb-directory-traversal.yaml +++ b/vulnerabilities/other/pmb-directory-traversal.yaml 
@@ -1,10 +1,10 @@ id: pmb-directory-traversal info: - name: PMB 5.6 Directory Traversal + name: PMB 5.6 - Arbitrary File Retrieval author: geeknik severity: medium - description: The PMB Gif Image is not sanitizing the content of the 'chemin' parameter, this can in turn be used to a Local File Disclosure. + description: The PMB Gif Image is not sanitizing the content of the 'chemin' parameter, wchi can be used for local file retrieval. reference: - https://packetstormsecurity.com/files/160072/PMB-5.6-Local-File-Disclosure-Directory-Traversal.html tags: lfi diff --git a/vulnerabilities/other/pmb-local-file-disclosure.yaml b/vulnerabilities/other/pmb-local-file-disclosure.yaml index 64775b42b1..b67c0f99da 100644 --- a/vulnerabilities/other/pmb-local-file-disclosure.yaml +++ b/vulnerabilities/other/pmb-local-file-disclosure.yaml @@ -1,7 +1,7 @@ id: pmb-local-file-disclosure info: - name: PMB 5.6 - 'chemin' Local File Disclosure + name: PMB 5.6 - getgif.php Arbitrary File Retrieval author: dhiyaneshDk severity: high reference: diff --git a/vulnerabilities/other/wems-manager-xss.yaml b/vulnerabilities/other/wems-manager-xss.yaml index d974e51e47..951a568d3d 100644 --- a/vulnerabilities/other/wems-manager-xss.yaml +++ b/vulnerabilities/other/wems-manager-xss.yaml @@ -1,7 +1,7 @@ id: wems-manager-xss info: - name: WEMS Enterprise Manager XSS + name: WEMS Enterprise Manager - Cross-Site Scripting author: pikpikcu severity: medium description: A vulnerability in WEMS Enterprise Manager allows remote attackers to inject arbitrary Javascript into the response return by the server by sending it to the '/guest/users/forgotten' endpoint and the @@ -26,4 +26,4 @@ requests: - type: word words: - "text/html" - part: header \ No newline at end of file + part: header diff --git a/vulnerabilities/wordpress/admin-word-count-column-lfi.yaml b/vulnerabilities/wordpress/admin-word-count-column-lfi.yaml index 2a331438d4..fd86eaf40f 100644 
--- a/vulnerabilities/wordpress/admin-word-count-column-lfi.yaml +++ b/vulnerabilities/wordpress/admin-word-count-column-lfi.yaml @@ -1,7 +1,7 @@ id: admin-word-count-column-lfi info: - name: Admin word count column 2.2 - Unauthenticated Local File Download + name: Admin word count column 2.2 - Arbitrary File Retrieval author: daffainfo,Splint3r7 severity: high reference: diff --git a/vulnerabilities/wordpress/aspose-file-download.yaml b/vulnerabilities/wordpress/aspose-file-download.yaml index 2ba41f16fb..2c4b91c5d4 100644 --- a/vulnerabilities/wordpress/aspose-file-download.yaml +++ b/vulnerabilities/wordpress/aspose-file-download.yaml @@ -1,10 +1,10 @@ id: aspose-file-download info: - name: Aspose Cloud eBook Generator - File Download + name: Wordpress Aspose Cloud eBook Generator - Arbitrary File Retrieval author: 0x_Akoko severity: high - description: The Aspose Cloud eBook Generator WordPress plugin was affected by a File Download security vulnerability. + description: The Aspose Cloud eBook Generator WordPress plugin is affected by an arbitrary file retrieval vulnerability. reference: - https://wpscan.com/vulnerability/7866 tags: wordpress,wp-plugin,lfi,aspose,ebook diff --git a/vulnerabilities/wordpress/aspose-ie-file-download.yaml b/vulnerabilities/wordpress/aspose-ie-file-download.yaml index 095211f5e4..ae52c36233 100644 --- a/vulnerabilities/wordpress/aspose-ie-file-download.yaml +++ b/vulnerabilities/wordpress/aspose-ie-file-download.yaml 
@@ -1,10 +1,10 @@ id: aspose-ie-file-download info: - name: Wordpress Aspose Importer & Exporter v1.0 Plugin File Download + name: Wordpress Aspose Importer & Exporter v1.0 - Arbitrary File Retrieval author: 0x_Akoko severity: high - description: The Aspose importer and Exporter WordPress plugin is affected by an Arbitrary File Download security vulnerability. + description: The Aspose importer and Exporter WordPress plugin is affected by an arbitrary file retrieval vulnerability. reference: - https://packetstormsecurity.com/files/131162/ - https://wordpress.org/plugins/aspose-importer-exporter diff --git a/vulnerabilities/wordpress/aspose-pdf-file-download.yaml b/vulnerabilities/wordpress/aspose-pdf-file-download.yaml index 338fb37c0d..48c499bc3a 100644 --- a/vulnerabilities/wordpress/aspose-pdf-file-download.yaml +++ b/vulnerabilities/wordpress/aspose-pdf-file-download.yaml @@ -1,10 +1,10 @@ id: aspose-pdf-file-download info: - name: WordPress Aspose PDF Exporter File Download + name: WordPress Aspose PDF Exporter - Arbitrary File Retrieval author: 0x_Akoko severity: high - description: The Aspose.psf Exporter WordPress plugin is affected by an Arbitrary File Download security vulnerability. + description: The Aspose.psf Exporter WordPress plugin is affected by an arbitrary file retrieval vulnerability. reference: - https://packetstormsecurity.com/files/131161 - https://wordpress.org/plugins/aspose-pdf-exporter diff --git a/vulnerabilities/wordpress/aspose-words-file-download.yaml b/vulnerabilities/wordpress/aspose-words-file-download.yaml index a9187a88fa..ac80fecb8c 100644 --- a/vulnerabilities/wordpress/aspose-words-file-download.yaml +++ b/vulnerabilities/wordpress/aspose-words-file-download.yaml 
@@ -1,10 +1,10 @@ id: aspose-words-file-download info: - name: Aspose Words Exporter < 2.0 - Unauthenticated Arbitrary File Download + name: Aspose Words Exporter < 2.0 - Arbitrary File Retrieval author: 0x_Akoko severity: high - description: The Aspose.Words Exporter WordPress plugin is affected by an Arbitrary File Download security vulnerability. + description: The Aspose.Words Exporter WordPress plugin is affected by an arbitrary file retrieval security vulnerability. reference: - https://wpscan.com/vulnerability/7869 - https://wordpress.org/plugins/aspose-doc-exporter diff --git a/vulnerabilities/wordpress/cherry-file-download.yaml b/vulnerabilities/wordpress/cherry-file-download.yaml index c23bee2695..8ebd3cd3c1 100644 --- a/vulnerabilities/wordpress/cherry-file-download.yaml +++ b/vulnerabilities/wordpress/cherry-file-download.yaml @@ -1,11 +1,10 @@ id: cherry-file-download info: - name: Cherry Plugin < 1.2.7 - Unauthenticated Arbitrary File Download + name: Cherry Plugin < 1.2.7 - Arbitrary File Retrieval and File Upload author: 0x_Akoko severity: high - description: WordPress plugin Cherry < 1.2.7 contains an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in attacker uploading - backdoor shell scripts or downloading the wp-config.php file. + description: WordPress plugin Cherry < 1.2.7 contains an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in attacker uploading backdoor shell scripts or downloading the wp-config.php file. reference: - https://wpscan.com/vulnerability/90034817-dee7-40c9-80a2-1f1cd1d033ee - https://github.com/CherryFramework/cherry-plugin diff --git a/vulnerabilities/wordpress/diarise-theme-lfi.yaml b/vulnerabilities/wordpress/diarise-theme-lfi.yaml index 5afd776733..366df9bb91 100644 --- a/vulnerabilities/wordpress/diarise-theme-lfi.yaml 
+++ b/vulnerabilities/wordpress/diarise-theme-lfi.yaml @@ -1,10 +1,10 @@ id: diarise-theme-lfi info: - name: WordPress Diarise 1.5.9 Local File Disclosure + name: WordPress Diarise 1.5.9 - Arbitrary File Retrieval author: 0x_Akoko severity: high - description: WordPress Diarise theme version 1.5.9 suffers from a local file disclosure vulnerability. + description: WordPress Diarise theme version 1.5.9 suffers from a local file retrieval vulnerability. reference: - https://packetstormsecurity.com/files/152773/WordPress-Diarise-1.5.9-Local-File-Disclosure.html - https://cxsecurity.com/issue/WLB-2019050123 diff --git a/vulnerabilities/wordpress/flow-flow-social-stream-xss.yaml b/vulnerabilities/wordpress/flow-flow-social-stream-xss.yaml index 19cfc73b7b..af1015d333 100644 --- a/vulnerabilities/wordpress/flow-flow-social-stream-xss.yaml +++ b/vulnerabilities/wordpress/flow-flow-social-stream-xss.yaml @@ -1,7 +1,7 @@ id: flow-flow-social-stream-xss info: - name: Flow-Flow Social Stream <= 3.0.71 - Unauthenticated Reflected XSS + name: Flow-Flow Social Stream <= 3.0.71 - Cross-Site Scripting author: alph4byt3 severity: medium reference: diff --git a/vulnerabilities/wordpress/hb-audio-lfi.yaml b/vulnerabilities/wordpress/hb-audio-lfi.yaml index fe14c73834..4a0e7ea744 100644 --- a/vulnerabilities/wordpress/hb-audio-lfi.yaml +++ b/vulnerabilities/wordpress/hb-audio-lfi.yaml @@ -1,7 +1,7 @@ id: hb-audio-lfi info: - name: Wordpress Plugin HB Audio Gallery Lite - Arbitrary File Download + name: Wordpress Plugin HB Audio Gallery Lite - Arbitrary File Retrieval author: dhiyaneshDK severity: high reference: diff --git a/vulnerabilities/wordpress/nativechurch-wp-theme-lfd.yaml b/vulnerabilities/wordpress/nativechurch-wp-theme-lfd.yaml index 7bb0cdbba5..6f1dfbf9fe 100644 --- a/vulnerabilities/wordpress/nativechurch-wp-theme-lfd.yaml +++ b/vulnerabilities/wordpress/nativechurch-wp-theme-lfd.yaml 
@@ -1,10 +1,10 @@ id: nativechurch-wp-theme-lfd info: - name: WordPress NativeChurch Theme Arbitrary File Download + name: WordPress NativeChurch Theme - Arbitrary File Retrieval author: 0x_Akoko severity: high - description: A LFD Bug In download.php File In NativeChurch Theme And Make Site Vulnerable. + description: An arbitrary file retrieval vulnerability in the download.php file in the NativeChurch Theme allows attackers to download files from the system. reference: - https://packetstormsecurity.com/files/132297/WordPress-NativeChurch-Theme-1.0-1.5-Arbitrary-File-Download.html tags: wordpress,wp-theme,lfi diff --git a/vulnerabilities/wordpress/sniplets-xss.yaml b/vulnerabilities/wordpress/sniplets-xss.yaml index 1e4278a691..195e8e384f 100644 --- a/vulnerabilities/wordpress/sniplets-xss.yaml +++ b/vulnerabilities/wordpress/sniplets-xss.yaml @@ -1,7 +1,7 @@ id: sniplets-xss info: - name: Wordpress Plugin Sniplets - XSS + name: Wordpress Plugin Sniplets - Cross-Site Scripting author: dhiyaneshDK severity: medium description: Cross-site scripting (XSS) on Wordpress Plugin Sniplets diff --git a/vulnerabilities/wordpress/wordpress-wordfence-lfi.yaml b/vulnerabilities/wordpress/wordpress-wordfence-lfi.yaml index cc7746bd83..05bc6af882 100644 --- a/vulnerabilities/wordpress/wordpress-wordfence-lfi.yaml +++ b/vulnerabilities/wordpress/wordpress-wordfence-lfi.yaml @@ -1,7 +1,7 @@ id: wordpress-wordfence-lfi info: - name: Wordpress Plugin wordfence.7.4.5 - Local File Disclosure + name: Wordpress Wordfence 7.4.5 - Arbitrary File Retrieval author: 0x_Akoko severity: high reference: diff --git a/vulnerabilities/wordpress/wordpress-wordfence-waf-bypass-xss.yaml b/vulnerabilities/wordpress/wordpress-wordfence-waf-bypass-xss.yaml index 94a67888df..b0a50a1cfe 100644 --- a/vulnerabilities/wordpress/wordpress-wordfence-waf-bypass-xss.yaml +++ b/vulnerabilities/wordpress/wordpress-wordfence-waf-bypass-xss.yaml 
@@ -1,7 +1,7 @@ id: wordpress-wordfence-waf-bypass-xss info: - name: Wordfence WAF Bypass WordPress XSS + name: Wordpress Wordfence WAF - Cross-Site Scripting author: hackergautam severity: medium reference: diff --git a/vulnerabilities/wordpress/wordpress-zebra-form-xss.yaml b/vulnerabilities/wordpress/wordpress-zebra-form-xss.yaml index fff2243202..4094c066d1 100644 --- a/vulnerabilities/wordpress/wordpress-zebra-form-xss.yaml +++ b/vulnerabilities/wordpress/wordpress-zebra-form-xss.yaml @@ -1,7 +1,7 @@ id: wordpress-zebra-form-xss info: - name: Wordpress Zebra Form XSS + name: Wordpress Zebra Form - Cross-Site Scripting author: madrobot severity: medium reference: @@ -37,4 +37,4 @@ requests: - type: word words: - "text/html" - part: header \ No newline at end of file + part: header diff --git a/vulnerabilities/wordpress/wp-code-snippets-xss.yaml b/vulnerabilities/wordpress/wp-code-snippets-xss.yaml index b0c4a89491..ebf8c132fd 100644 --- a/vulnerabilities/wordpress/wp-code-snippets-xss.yaml +++ b/vulnerabilities/wordpress/wp-code-snippets-xss.yaml @@ -1,7 +1,7 @@ id: wp-code-snippets-xss info: - name: Code Snippets Wordpress Plugin - XSS + name: Code Snippets Wordpress Plugin - Cross-Site Scripting author: dhiyaneshDK severity: medium description: A reflected Cross-Site Scripting (XSS) vulnerability has been found in the Code Snippets WordPress Plugin. By using this vulnerability an attacker can inject malicious JavaScript code into the application, diff --git a/vulnerabilities/wordpress/wp-full-path-disclosure.yaml b/vulnerabilities/wordpress/wp-full-path-disclosure.yaml index 1fc892990b..979bcb56a4 100644 --- a/vulnerabilities/wordpress/wp-full-path-disclosure.yaml +++ b/vulnerabilities/wordpress/wp-full-path-disclosure.yaml 
@@ -1,11 +1,12 @@ id: wp-full-path-disclosure info: - name: Wordpress Full Path Disclosure + name: Wordpress - Path Disclosure author: arcc severity: info reference: - https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files + - https://core.trac.wordpress.org/ticket/38317 tags: debug,wordpress,fpd requests: diff --git a/vulnerabilities/wordpress/wp-haberadam-idor.yaml b/vulnerabilities/wordpress/wp-haberadam-idor.yaml index 9394923565..c8001614ba 100644 --- a/vulnerabilities/wordpress/wp-haberadam-idor.yaml +++ b/vulnerabilities/wordpress/wp-haberadam-idor.yaml @@ -1,7 +1,7 @@ id: wp-haberadam-idor info: - name: WordPress Themes Haberadam IDOR and Full Path Disclosure via JSON API + name: WordPress Themes Haberadam JSON API - IDOR and Path Disclosure author: pussycat0x severity: low reference: diff --git a/vulnerabilities/wordpress/wp-oxygen-theme-lfi.yaml b/vulnerabilities/wordpress/wp-oxygen-theme-lfi.yaml index 84794cc49f..2621c00a21 100644 --- a/vulnerabilities/wordpress/wp-oxygen-theme-lfi.yaml +++ b/vulnerabilities/wordpress/wp-oxygen-theme-lfi.yaml @@ -1,10 +1,10 @@ id: wp-oxygen-theme-lfi info: - name: WordPress Oxygen-Theme Themes LFI + name: WordPress Oxygen-Theme - Arbitrary File Retrieval author: 0x_Akoko severity: high - description: The WordPress Oxygen-Theme has a local file inclusion vulnerability in its 'download.php' and 'file' parameter. + description: The WordPress Oxygen-Theme has a local file retrieval vulnerability in 'file' parameter of 'download.php'. reference: - https://cxsecurity.com/issue/WLB-2019030178 tags: wordpress,wp-theme,lfi @@ -25,4 +25,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/vulnerabilities/wordpress/wp-revslider-file-download.yaml b/vulnerabilities/wordpress/wp-revslider-file-download.yaml index 812736d277..c5ea28f80a 100644 
--- a/vulnerabilities/wordpress/wp-revslider-file-download.yaml +++ b/vulnerabilities/wordpress/wp-revslider-file-download.yaml @@ -1,10 +1,10 @@ id: wp-revslider-file-download info: - name: Wordpress Revslider - Unauthenticated Arbitrary File Download + name: Wordpress Revslider - Arbitrary File Retrieval author: pussycat0x severity: high - description: The Vulnerable Revslider WordPress plugin was affected by an unauthenticated download vulnerability,This could result in attacker downloading the wp-config.php file. + description: The Revslider WordPress plugin iss affected by an unauthenticated file retrieval vulnerability, which could result in attacker downloading the wp-config.php file. reference: - https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html - https://cxsecurity.com/issue/WLB-2021090129 diff --git a/vulnerabilities/wordpress/wp-woocommerce-file-download.yaml b/vulnerabilities/wordpress/wp-woocommerce-file-download.yaml index 56218e0bae..f3d8f59e94 100644 --- a/vulnerabilities/wordpress/wp-woocommerce-file-download.yaml +++ b/vulnerabilities/wordpress/wp-woocommerce-file-download.yaml @@ -1,7 +1,7 @@ id: wp-woocommerce-file-download info: - name: WordPress WooCommerce < 1.2.7 - Unauthenticated File Download + name: WordPress WooCommerce < 1.2.7 - Arbitrary File Retrieval author: 0x_Akoko severity: high description: WordPress WooCommerce < 1.2.7 is susceptible to file download vulnerabilities. The lack of authorization checks in the handle_downloads() function hooked to admin_init() could allow unauthenticated diff --git a/workflows/gogs-workflow.yaml b/workflows/gogs-workflow.yaml index e1ab4de7a7..c5103b1456 100644 --- a/workflows/gogs-workflow.yaml +++ b/workflows/gogs-workflow.yaml 
@@ -1,7 +1,7 @@ id: gogs-workflow info: - name: Gogs Security Checks + name: Gogs (Go Git Service) - Security Checks author: daffainfo description: A simple workflow that runs all Gogs related nuclei templates on a given target.
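Review bot: in nativechurch-wp-theme-lfd.yaml the `tags` line still reads `wordpress,wp-theme,lfi` while the template id, the rewritten name ("Arbitrary File Retrieval") and the new description all describe a file download, not an inclusion; anyone filtering on `-tags lfd` will miss it, so consider adding `lfd` (or using the same tag the other file-retrieval templates in this patch carry). The reference title in the same hunk gives the affected range ("NativeChurch-Theme-1.0-1.5"), and the other renamed templates with a known range put it in the name (wordpress-wordfence-lfi.yaml "7.4.5", wp-woocommerce-file-download.yaml "< 1.2.7"), so "WordPress NativeChurch Theme 1.0-1.5 - Arbitrary File Retrieval" would be consistent.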
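Review bot: product spelling is inconsistent across the renamed `name:` lines in this patch. sniplets-xss.yaml, wordpress-wordfence-lfi.yaml, wordpress-wordfence-waf-bypass-xss.yaml, wordpress-zebra-form-xss.yaml, wp-code-snippets-xss.yaml and wp-full-path-disclosure.yaml write "Wordpress", while nativechurch-wp-theme-lfd.yaml, wp-haberadam-idor.yaml, wp-oxygen-theme-lfi.yaml, wp-revslider-file-download.yaml and wp-woocommerce-file-download.yaml write "WordPress". Since the point of the commit is to normalise titles, pick one spelling (the vendor's is "WordPress") and apply it to every name touched here.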
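Review bot: the rename in wordpress-wordfence-waf-bypass-xss.yaml changes what the template claims to find. The old "Wordfence WAF Bypass WordPress XSS" says the check is an XSS payload that gets past the Wordfence WAF; the new "Wordpress Wordfence WAF - Cross-Site Scripting" reads as an XSS in the WAF itself, and no longer matches the id `wordpress-wordfence-waf-bypass-xss`. Suggest "Wordpress Wordfence WAF Bypass - Cross-Site Scripting" so id and name agree.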
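Review bot: word order of the new names is inconsistent between hunks: sniplets-xss.yaml uses platform-first ("Wordpress Plugin Sniplets - Cross-Site Scripting") while wp-code-snippets-xss.yaml uses product-first ("Code Snippets Wordpress Plugin - Cross-Site Scripting"). Both are plugin XSS templates edited in the same commit; settle on one form, e.g. "Wordpress Plugin Code Snippets - Cross-Site Scripting", so the names sort and read alike.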
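Review bot: the rewritten `description` in wp-oxygen-theme-lfi.yaml is missing an article: "local file retrieval vulnerability in 'file' parameter of 'download.php'" should be "in the 'file' parameter of 'download.php'". As with the NativeChurch template, the name now says "Arbitrary File Retrieval" while the `tags` line still says `lfi`; if that wording is the new convention, the tag set should follow it too.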
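Review bot: typo introduced in the new `description` of wp-revslider-file-download.yaml: "The Revslider WordPress plugin iss affected" should read "is affected", and "could result in attacker downloading the wp-config.php file" needs an article ("in an attacker downloading"). The line is being rewritten precisely to clean up the wording, so the replacement should not ship with its own errors.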