Dashboard Content Enhancements (#4381)

Dashboard Content Enhancements
patch-1
MostInterestingBotInTheWorld 2022-05-13 16:26:43 -04:00 committed by GitHub
parent a3fbef4bfc
commit 581b7a627b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
128 changed files with 317 additions and 222 deletions

View File

@ -1,12 +1,17 @@
id: CNVD-2019-19299
info:
name: Zhiyuan A8 Arbitrary File Write (RCE)
name: Zhiyuan A8 - Remote Code Execution
author: daffainfo
severity: critical
description: Zhiyuan A8 is susceptible to remote code execution because of an arbitrary file write issue.
reference:
- https://www.cxyzjd.com/article/guangying177/110177339
- https://github.com/sectestt/CNVD-2019-19299
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-77
tags: zhiyuan,cnvd,cnvd2019,rce
requests:
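Review bot: the added `cwe-id: CWE-77` (command injection) does not match the mechanism the same hunk describes, "arbitrary file write", nor the old name "Zhiyuan A8 Arbitrary File Write (RCE)"; either keep the file-write wording in the name and pick a CWE for the file-write weakness, or state in the description how the write leads to code execution so the RCE title and CWE-77 are justified.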
@ -45,3 +50,5 @@ requests:
- 'contains(body_1, "htmoffice operate")'
- 'contains(body_2, "Windows IP")'
condition: and
# Enhanced by mp on 2022/05/12

View File

@ -1,12 +1,16 @@
id: CNVD-2019-32204
info:
name: Fanwei e-cology <= 9.0 Remote Code Execution
name: Fanwei e-cology <=9.0 - Remote Code Execution
author: daffainfo
severity: critical
description: The attacker can directly execute arbitrary commands on the target server by invoking the unauthorized access problem interface in the BeanShell component. Currently, the security patch for this vulnerability has been released. Please take protective measures as soon as possible for users who use the Fanwei e-cology OA system.
description: Fanwei e-cology <=9.0 is susceptible to remote code execution vulnerabilities. Remote attackers can directly execute arbitrary commands on the target server by invoking the unauthorized access problem interface in the BeanShell component. Currently, the security patch for this vulnerability has been released. Please take protective measures as soon as possible for users who use the Fanwei e-cology OA system.
reference:
- https://blog.actorsfit.com/a?ID=01500-11a2f7e6-54b0-4a40-9a79-5c56dc6ebd51
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-77
tags: fanwei,cnvd,cnvd2019,rce
requests:
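Review bot: the last two sentences of the new description ("Currently, the security patch for this vulnerability has been released. Please take protective measures as soon as possible...") are vendor advisory text rather than a description of the flaw; move them into a `remediation:` field (the Gogs template in this same commit already uses one) or drop them, and keep the description to the unauthorized-access interface in the BeanShell component.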
@ -22,3 +26,5 @@ requests:
- type: regex
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/05/12

View File

@ -1,7 +1,7 @@
id: CNVD-2020-62422
info:
name: Seeyon readfile(CNVD-2020-62422)
name: Seeyon - Arbitrary File Retrieval
author: pikpikcu
severity: medium
reference:

View File

@ -1,11 +1,16 @@
id: CNVD-2020-68596
info:
name: WeiPHP 5.0 Path Traversal
name: WeiPHP 5.0 - Path Traversal
author: pikpikcu
severity: critical
description: WeiPHP 5.0 is susceptible to directory traversal attacks.
severity: high
reference:
- http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cwe-id: CWE-22
tags: weiphp,lfi,cnvd,cnvd2020
requests:
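Review bot: the severity downgrade from critical to high is consistent with the CVSS vector added in the same hunk (C:H, I:N, A:N, scope changed, 8.6), so that part is fine; but the name says "Path Traversal", the description says "directory traversal attacks" and the tags say `lfi`, and these are not the same finding. Pick one term for all three fields, matching what the template's matchers actually demonstrate.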
@ -41,3 +46,5 @@ requests:
- WeiPHP
- DB_PREFIX
condition: and
# Enhanced by mp on 2022/05/12

View File

@ -1,7 +1,7 @@
id: CNVD-2021-01931
info:
name: Ruoyi Management System Arbitrary File Download
name: Ruoyi Management System - Arbitrary File Retrieval
author: daffainfo,ritikchaddha
severity: high
reference:

View File

@ -1,11 +1,16 @@
id: CNVD-2021-09650
info:
name: Ruijie EWEB Gateway Platform Command Execution
name: Ruijie EWEB Gateway Platform - Remote Command Injection
author: daffainfo
severity: critical
description: Ruijie EWEB Gateway Platform is susceptible to remote command injection attacks.
reference:
- http://j0j0xsec.top/2021/04/22/%E9%94%90%E6%8D%B7EWEB%E7%BD%91%E5%85%B3%E5%B9%B3%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-77
tags: ruijie,cnvd,cnvd2021,rce
requests:
@ -23,3 +28,5 @@ requests:
name: http
words:
- "http"
# Enhanced by mp on 2022/05/12

View File

@ -4,9 +4,14 @@ info:
name: eYouMail - Remote Code Execution
author: daffainfo
severity: critical
description: eYouMail is susceptible to a remote code execution vulnerability.
reference:
- https://github.com/ltfafei/my_POC/blob/master/CNVD-2021-26422_eYouMail/CNVD-2021-26422_eYouMail_RCE_POC.py
- https://github.com/EdgeSecurityTeam/Vulnerability/blob/main/%E4%BA%BF%E9%82%AE%E9%82%AE%E4%BB%B6%E7%B3%BB%E7%BB%9F%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20(CNVD-2021-26422).md
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-77
tags: eyoumail,rce,cnvd,cnvd2021
requests:
@ -27,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/12

View File

@ -1,7 +1,7 @@
id: CNVD-2021-28277
info:
name: Landray-OA Arbitrary File Download
name: Landray-OA Arbitrary - Arbitrary File Retrieval
author: pikpikcu,daffainfo
severity: high
reference:
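Review bot: the new name "Landray-OA Arbitrary - Arbitrary File Retrieval" keeps a stray "Arbitrary" from the old "Landray-OA Arbitrary File Download"; it should read "Landray-OA - Arbitrary File Retrieval".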

View File

@ -1,14 +1,19 @@
id: CNVD-2022-03672
info:
name: Sunflower Simple and Personal edition RCE
name: Sunflower Simple and Personal - Remote Code Execution
author: daffainfo
severity: critical
description: Sunflower Simple and Personal is susceptible to a remote code execution vulnerability.
reference:
- https://www.1024sou.com/article/741374.html
- https://copyfuture.com/blogs-details/202202192249158884
- https://www.cnvd.org.cn/flaw/show/CNVD-2022-10270
- https://www.cnvd.org.cn/flaw/show/CNVD-2022-03672
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-77
tags: cnvd,cnvd2020,sunflower,rce
requests:
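Review bot: `tags: cnvd,cnvd2020,sunflower,rce` carries the year tag `cnvd2020` while the template id is CNVD-2022-03672; it should be `cnvd2022`. The reference list also lists CNVD-2022-10270 next to CNVD-2022-03672, a different advisory id, so confirm that second link is meant to be there.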
@ -40,3 +45,5 @@ requests:
- "contains(body_1, 'verify_string')"
- "contains(body_2, 'Windows IP')"
condition: and
# Enhanced by mp on 2022/05/12

View File

@ -1,10 +1,10 @@
id: CVE-2007-4504
info:
name: Joomla! Component RSfiles 1.0.2 - 'path' File Download
name: Joomla! Component RSfiles <=1.0.2 - Arbitrary File Retrieval
author: daffainfo
severity: high
description: Directory traversal vulnerability in index.php in the RSfiles component (com_rsfiles) 1.0.2 and earlier for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter in a files.display action.
description: An arbitrary file retrieval vulnerability in index.php in the RSfiles component (com_rsfiles) <=1.0.2 for Joomla! allows remote attackers to arbitrarily read files via a .. (dot dot) in the path parameter in a files.display action.
reference:
- https://www.exploit-db.com/exploits/4307
- https://www.cvedetails.com/cve/CVE-2007-4504
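Review bot: the reworded description turns "read arbitrary files" into "arbitrarily read files" and drops "directory traversal", which is exactly the class the ".. (dot dot) in the path parameter" phrase in the same sentence describes; prefer "A directory traversal vulnerability in index.php in the RSfiles component (com_rsfiles) <=1.0.2 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter in a files.display action."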

View File

@ -1,7 +1,7 @@
id: CVE-2010-0696
info:
name: Joomla! Component Jw_allVideos - Arbitrary File Download
name: Joomla! Component Jw_allVideos - Arbitrary File Retrieval
author: daffainfo
severity: high
description: A directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter.
@ -25,4 +25,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/13

View File

@ -1,10 +1,10 @@
id: CVE-2010-2122
info:
name: Joomla! Component simpledownload 0.9.5 - Local File Disclosure
name: Joomla! Component simpledownload <=0.9.5 - Arbitrary File Retrieval
author: daffainfo
severity: high
description: A directory traversal vulnerability in the SimpleDownload (com_simpledownload) component before 0.9.6 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the SimpleDownload (com_simpledownload) component before 0.9.6 for Joomla! allows remote attackers to retrieve arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12623
- https://www.cvedetails.com/cve/CVE-2010-2122
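Review bot: changing "include and execute arbitrary local files" to "retrieve arbitrary files" narrows the stated impact of CVE-2010-2122 from local file inclusion with execution to a plain read; unless the template's matcher only demonstrates a file read, keep the original impact wording, and reconsider the rename to "Arbitrary File Retrieval" on the same grounds.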

View File

@ -1,7 +1,7 @@
id: CVE-2010-3203
info:
name: Joomla! Component PicSell 1.0 - Local File Disclosure
name: Joomla! Component PicSell 1.0 - Arbitrary File Retrieval
author: daffainfo
severity: high
description: A directory traversal vulnerability in the PicSell (com_picsell) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the dflink parameter in a prevsell dwnfree action to index.php.

View File

@ -1,10 +1,10 @@
id: CVE-2015-4694
info:
name: WordPress Zip Attachments <= 1.1.4 - Arbitrary File Download
name: WordPress Zip Attachments <= 1.1.4 - Arbitrary File Retrieval
author: 0x_Akoko
severity: high
description: WordPress zip-attachments plugin allows arbitrary file downloads because it does not check the download path of the requested file.
description: WordPress zip-attachments plugin allows arbitrary file retrieval as it does not check the download path of the requested file.
reference:
- https://wordpress.org/plugins/zip-attachments/#developers
- https://wpscan.com/vulnerability/8047

View File

@ -1,11 +1,11 @@
id: CVE-2017-11512
info:
name: ManageEngine ServiceDesk - Unauthenticated Arbitrary File Download
name: ManageEngine ServiceDesk - Arbitrary File Retrieval
author: 0x_Akoko
severity: high
description: |
The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the name parameter for the download-snapshot URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.
The ManageEngine ServiceDesk 9.3.9328 is vulnerable to an arbitrary file retrieval due to improper restrictions of the pathname used in the name parameter for the download-snapshot path. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.
reference:
- https://exploit.kitploit.com/2017/11/manageengine-servicedesk-cve-2017-11512.html
- https://www.cvedetails.com/cve/CVE-2017-11512
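Review bot: "is vulnerable to an arbitrary file retrieval due to" is missing its noun; it should be "an arbitrary file retrieval vulnerability". The rename also drops "Unauthenticated" although the description's last sentence still states that an unauthenticated remote attacker can use the flaw; either keep the qualifier in the name or drop it consistently across this commit.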

View File

@ -1,7 +1,7 @@
id: CVE-2017-15363
info:
name: Typo3 Restler Extension - Local File Disclosure
name: TYPO3 Restler - Arbitrary File Retrieval
author: 0x_Akoko
severity: high
description: Directory traversal vulnerability in public/examples/resources/getsource.php in Luracast Restler through 3.0.0, as used in the restler extension before 1.7.1 for TYPO3, allows remote attackers to read arbitrary files via the file parameter.

View File

@ -5,7 +5,7 @@ info:
author: thomas_from_offensity,geeknik
severity: critical
description: |
Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 contains a buffer overflow vulnearbility in the ScStoragePathFromUrl function in the WebDAV service that could allow remote attackers to execute arbitrary code via a long header beginning with "If <http://" in a PROPFIND request.
Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 contains a buffer overflow vulnerability in the ScStoragePathFromUrl function in the WebDAV service that could allow remote attackers to execute arbitrary code via a long header beginning with "If <http://" in a PROPFIND request.
reference:
- https://blog.0patch.com/2017/03/0patching-immortal-cve-2017-7269.html
- https://github.com/danigargu/explodingcan/blob/master/explodingcan.py

View File

@ -6,7 +6,7 @@ id: CVE-2017-7615
# MantisBT before 1.3.10, 2.2.4, and 2.3.1, that can be downloaded on reference[1].
info:
name: CVE-2017-7615
name: MantisBT <=2.30 - Arbitrary Password Reset and Unauthenticated Admin Access
author: bp0lr,dwisiswant0
severity: high
description: MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
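Review bot: the new name says "MantisBT <=2.30" while the description says "through 2.3.0" and the header comment names 2.3.1 as a fixed release; "2.30" reads as a different version, so the name should say "<=2.3.0".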

View File

@ -1,15 +1,16 @@
id: CVE-2017-9841
info:
name: PHPUnit < 4.8.28 and 5.x - 5.63 Arbitrary Code Execution
name: PHPUnit - Remote Code Execution
author: Random_Robbie,pikpikcu
severity: critical
description: Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI
description: PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring via Util/PHP/eval-stdin.php , as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
reference:
- https://github.com/cyberharsh/Php-unit-CVE-2017-9841
- https://github.com/RandomRobbieBF/phpunit-brute
- https://thephp.cc/articles/phpunit-a-security-risk
- https://twitter.com/sec715/status/1411517028012158976
- https://nvd.nist.gov/vuln/detail/CVE-2017-9841
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
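Review bot: the new description has a stray space before the comma in "eval-stdin.php , as demonstrated". The rename to the bare "PHPUnit - Remote Code Execution" also drops the affected range, which other renames in this commit keep (e.g. "Fanwei e-cology <=9.0 - Remote Code Execution"); suggest "PHPUnit <4.8.28, 5.x <5.6.3 - Remote Code Execution" (the old name's "5.63" was itself a typo for the 5.6.3 given in the description).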
@ -72,3 +73,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/12

View File

@ -1,14 +1,15 @@
id: CVE-2018-0127
info:
name: Cisco RV132W and RV134W Router Information Disclosure
name: Cisco RV132W/RV134W Router - Information Disclosure
author: jrolf
severity: critical
description: A vulnerability in the web interface of Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an unauthenticated, remote attacker to view configuration parameters for an affected device, which could lead to the disclosure of confidential information.
description: Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an unauthenticated, remote attacker to view configuration parameters for an affected device via the web interface, which could lead to the disclosure of confidential information.
reference:
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-rv13x_2
- http://www.securitytracker.com/id/1040345
- http://www.securityfocus.com/bid/102969
- https://nvd.nist.gov/vuln/detail/CVE-2018-0127
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -35,3 +36,5 @@ requests:
- "MDM"
- "cisco"
- "admin"
# Enhanced by mp on 2022/05/12

View File

@ -1,9 +1,10 @@
id: CVE-2018-1000226
info:
name: Cobbler versions 2.6.11+, (2.0.0+ or older versions) - Authentication Bypass
name: Cobbler - Authentication Bypass
author: c-sh0
severity: critical
description: Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ and possibly even older versions, may be vulnerable to an authentication bypass vulnerability in XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appear to be exploitable via "network connectivity". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.
reference:
- https://github.com/cobbler/cobbler/issues/1916
- https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/
@ -58,3 +59,5 @@ requests:
part: body
regex:
- "(.*[a-zA-Z0-9].+==)</string></value>"
# Enhanced by mp on 2022/05/12

View File

@ -1,13 +1,13 @@
id: CVE-2018-1000861
info:
name: Jenkins 2.138 Remote Command Execution
name: Jenkins - Remote Command Injection
author: dhiyaneshDK,pikpikcu
severity: critical
description: A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows
attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
description: Jenkins 2.153 and earlier and LTS 2.138.3 and earlier are susceptible to a remote command injection via stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
reference:
- https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2018-1000861
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000861
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
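Review bot: the rewritten description reclassifies the flaw as "remote command injection", but the mechanism it still describes (invoking methods on Java objects via crafted URLs through Stapler's MetaClass.java) is code execution through the web framework's routing, not OS command injection, which is what the removed text ("A code execution vulnerability exists in the Stapler web framework") said; keep "Remote Code Execution" in both the name and the description. The rename also drops the affected versions that the description still lists.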
@ -31,3 +31,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/12

View File

@ -1,10 +1,10 @@
id: CVE-2018-10562
info:
name: Dasan GPON Devices - Remote Code Execution (Unauthenticated)
name: Dasan GPON Devices - Remote Code Execution
author: gy741
severity: critical
description: An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping
description: Dasan GPON home routers are susceptible to command injection which can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping
results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.
reference:
- https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router
@ -37,3 +37,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/05/12

View File

@ -4,11 +4,11 @@ info:
name: Eaton Intelligent Power Manager 1.6 - Directory Traversal
author: daffainfo
severity: critical
description: Local file inclusion in Eaton Intelligent Power Manager v1.6 allows an attacker to include a file, it can lead to sensitive information disclosure, denial of service and code execution.
description: Eaton Intelligent Power Manager v1.6 allows an attacker to include a file via directory traversal, which can lead to sensitive information disclosure, denial of service and code execution.
reference:
- https://github.com/EmreOvunc/Eaton-Intelligent-Power-Manager-Local-File-Inclusion
- https://nvd.nist.gov/vuln/detail/CVE-2018-12031
- https://www.exploit-db.com/exploits/48614
- https://nvd.nist.gov/vuln/detail/CVE-2018-12031
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
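Review bot: https://nvd.nist.gov/vuln/detail/CVE-2018-12031 appears twice in the reference list as shown here; make sure only one copy survives in the resulting file.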
@ -33,3 +33,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/12

View File

@ -1,19 +1,17 @@
id: CVE-2018-1207
info:
name: Dell iDRAC7 and iDRAC8 Devices Code Injection/RCE
name: Dell iDRAC7/8 Devices - Remote Code Injection
author: dwisiswant0
severity: critical
description: |
This template supports the detection part only.
Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain CGI injection vulnerability
Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain a CGI injection vulnerability
which could be used to execute remote code. A remote unauthenticated attacker may
potentially be able to use CGI variables to execute remote code.
https://github.com/KraudSecurity/Exploits/blob/master/CVE-2018-1207/CVE-2018-1207.py
reference:
- https://downloads.dell.com/solutions/dell-management-solution-resources/iDRAC_CVE%201207_1211_1000116.pdf
- https://github.com/KraudSecurity/Exploits/blob/master/CVE-2018-1207/CVE-2018-1207.py
- https://nvd.nist.gov/vuln/detail/CVE-2018-1207
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
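Review bot: removing "This template supports the detection part only." drops a caveat that users of a 9.8/critical template want, since the matcher further down only checks for the "calling init: /lib/" string rather than confirming code execution; keep that sentence in the description. Moving the KraudSecurity exploit URL out of the description is fine, as it is already listed under `reference`.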
@ -30,3 +28,5 @@ requests:
words:
- "calling init: /lib/"
part: response
# Enhanced by mp on 2022/05/12

View File

@ -1,7 +1,7 @@
id: CVE-2018-12300
info:
name: Seagate NAS OS 4.3.15.1 - Open redirect
name: Seagate NAS OS 4.3.15.1 - Open Redirect
author: 0x_Akoko
severity: medium
description: Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.15.1 allows attackers to disclose information in the Referer header via the 'state' URL parameter.

View File

@ -1,12 +1,13 @@
id: CVE-2018-12634
info:
name: Exposed CirCarLife System Log
name: CirCarLife Scada <4.3 - System Log Exposure
author: geeknik
severity: critical
description: CirCarLife is an internet-connected electric vehicle charging station
description: CirCarLife Scada before 4.3 allows remote attackers to obtain sensitive information via a direct request for the html/log or services/system/info.html URI. CirCarLife is an internet-connected electric vehicle charging station.
reference:
- https://circontrol.com/
- https://nvd.nist.gov/vuln/detail/CVE-2018-12634
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -33,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/12

View File

@ -1,7 +1,7 @@
id: CVE-2018-1273
info:
name: Spring Data Commons Unauthenticated RCE
name: Spring Data Commons - Remote Code Execution
author: dwisiswant0
severity: critical
description: |
@ -42,3 +42,5 @@ requests:
- "\\[(font|extension|file)s\\]"
condition: or
part: body
# Enhanced by mp on 2022/05/12

View File

@ -1,14 +1,14 @@
id: CVE-2018-13379
info:
name: FortiOS - Credentials Disclosure
name: Fortinet FortiOS - Credentials Disclosure
author: organiccrap
severity: critical
description: An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0
to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.
description: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests due to improper limitation of a pathname to a restricted directory (path traversal).
reference:
- https://fortiguard.com/advisory/FG-IR-18-384
- https://www.fortiguard.com/psirt/FG-IR-20-233
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -24,3 +24,5 @@ requests:
- type: word
words:
- "var fgt_lang"
# Enhanced by mp on 2022/05/12

View File

@ -1,7 +1,7 @@
id: CVE-2018-13980
info:
name: Zeta Producer Desktop CMS 14.2.0 - Local File Disclosure
name: Zeta Producer Desktop CMS 14.2.0 - Arbitrary File Retrieval
author: wisnupramoedya
severity: medium
description: The websites that were built from Zeta Producer Desktop CMS before 14.2.1 are vulnerable to unauthenticated file disclosure if the plugin "filebrowser" is installed, because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal.

View File

@ -4,7 +4,7 @@ info:
name: VelotiSmart Wifi - Directory Traversal
author: 0x_Akoko
severity: critical
description: The uc-http service 1.0.0 on VelotiSmart WiFi B-380 camera devices allows Directory Traversal, as demonstrated by /../../etc/passwd on TCP port 80.
description: VelotiSmart WiFi B-380 camera devices allow directory traversal via the uc-http service 1.0.0, as demonstrated by /../../etc/passwd on TCP port 80.
reference:
- https://medium.com/@s1kr10s/velotismart-0day-ca5056bcdcac
- https://www.exploit-db.com/exploits/45030
@ -31,3 +31,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/12

View File

@ -1,10 +1,10 @@
id: CVE-2018-14916
info:
name: Loytec LGATE-902 Directory Traversal
name: Loytec LGATE-902 <6.4.2 - Local File Inclusion
author: 0x_Akoko
severity: critical
description: Loytec LGATE-902 versions prior to 6.4.2 suffer from cross site scripting, arbitrary file deletion, and directory traversal vulnerabilities.
description: Loytec LGATE-902 versions prior to 6.4.2 suffers from a local file inclusion vulnerability.
reference:
- https://packetstormsecurity.com/files/152453/Loytec-LGATE-902-XSS-Traversal-File-Deletion.html
- https://nvd.nist.gov/vuln/detail/CVE-2018-14916
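Review bot: "versions prior to 6.4.2 suffers" should be "suffer". More importantly, the rename from "Directory Traversal" to "Local File Inclusion" is not supported by the listed reference (whose title names XSS, traversal and file deletion) or by the old description, which also said directory traversal; unless the template actually includes a file, keep "Directory Traversal" in the name and description.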
@ -30,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/12

View File

@ -1,10 +1,10 @@
id: CVE-2018-15517
info:
name: D-LINK Central WifiManager Server-Side Request Forgery
name: D-Link Central WifiManager - Server-Side Request Forgery
author: gy741
severity: high
description: D-LINK Central WifiManager is susceptible to server-side request forgery. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP
description: D-Link Central WifiManager is susceptible to server-side request forgery. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP
server but actually allows outbound TCP to any port on any IP address, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. This can undermine accountability of where scan or
connections actually came from and or bypass the FW etc. This can be automated via script or using a browser.
reference:

View File

@ -1,7 +1,7 @@
id: CVE-2018-16167
info:
name: LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)
name: LogonTracer <=1.2.0 - Remote Command Injection
author: gy741
severity: critical
description: LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.
@ -30,3 +30,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/05/12

View File

@ -1,14 +1,15 @@
id: CVE-2018-16763
info:
name: fuelCMS 1.4.1 - Remote Code Execution
name: FUEL CMS 1.4.1 - Remote Code Execution
author: pikpikcu
severity: critical
description: FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.
description: FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter.
reference:
- https://www.exploit-db.com/exploits/47138
- https://www.getfuelcms.com/
- https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
- https://nvd.nist.gov/vuln/detail/CVE-2018-16763
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
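Review bot: dropping "This can lead to Pre-Auth Remote Code Execution." removes the only place the description said the evaluation is reachable without authentication; the CVSS vector (PR:N) encodes it, but the prose should too, e.g. "allows unauthenticated PHP code evaluation via the pages/select/ filter parameter or the preview/ data parameter".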
@ -30,3 +31,5 @@ requests:
- type: regex
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/05/12

View File

@ -1,13 +1,13 @@
id: CVE-2018-16836
info:
name: Rubedo CMS 3.4.0 - Directory Traversal
name: Rubedo CMS <=3.4.0 - Directory Traversal
author: 0x_Akoko
severity: critical
description: Rubedo through 3.4.0 contains a Directory Traversal vulnerability in the theme component, allowing unauthenticated attackers to read and execute arbitrary files outside of the service root path, as
demonstrated by a /theme/default/img/%2e%2e/..//etc/passwd URI.
description: Rubedo CMS through 3.4.0 contains a directory traversal vulnerability in the theme component, allowing unauthenticated attackers to read and execute arbitrary files outside of the service root path, as demonstrated by a /theme/default/img/%2e%2e/..//etc/passwd URI.
reference:
- https://www.exploit-db.com/exploits/45385
- https://nvd.nist.gov/vuln/detail/CVE-2018-16836
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -29,3 +29,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/13

View File

@ -1,14 +1,13 @@
id: CVE-2018-17246
info:
name: Kibana Local File Inclusion
name: Kibana - Local File Inclusion
author: princechaddha
severity: critical
description: Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute
javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
description: Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute JavaScript which could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2018-17246
- https://github.com/vulhub/vulhub/blob/master/kibana/CVE-2018-17246/README.md
- https://nvd.nist.gov/vuln/detail/CVE-2018-17246
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
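Review bot: https://nvd.nist.gov/vuln/detail/CVE-2018-17246 appears twice in the reference list as shown here (before and after the vulhub link); keep a single copy.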
@ -38,3 +37,5 @@ requests:
- type: status
status:
- 500
# Enhanced by mp on 2022/05/13

View File

@ -1,13 +1,14 @@
id: CVE-2018-17431
info:
name: Comodo Unified Threat Management Web Console 2.7.0 - RCE
name: Comodo Unified Threat Management Web Console - Remote Code Execution
author: dwisiswant0
severity: critical
description: Comodo Firewall & Central Manager (UTM) All Release before 2.7.0 & 1.5.0 Remote Code Execution (Web Shell based)
description: Comodo Firewall & Central Manager (UTM) All Release before 2.7.0 & 1.5.0 are susceptible to a web shell based remote code execution vulnerability.
reference:
- https://www.exploit-db.com/exploits/48825
- https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9276&af=9276
- https://nvd.nist.gov/vuln/detail/CVE-2018-17431
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
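Review bot: "All Release before 2.7.0 & 1.5.0 are susceptible" should read "all releases before ...", and the description should state which of the two products (Firewall, Central Manager) each version bound applies to, since the reader cannot tell from "before 2.7.0 & 1.5.0"; "web shell based" should be hyphenated as "web-shell-based".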
@ -36,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/13

View File

@ -1,11 +1,10 @@
id: CVE-2018-18925
info:
name: Gogs - Remote Code Execution (CVE-2018-18925)
name: Gogs (Go Git Service) 0.11.66 - Remote Code Execution
author: princechaddha
severity: critical
description: Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related
to session ID handling in the go-macaron/session code for Macaron.
description: Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.
reference:
- https://www.anquanke.com/post/id/163575
- https://github.com/vulhub/vulhub/tree/master/gogs/CVE-2018-18925
@ -15,7 +14,7 @@ info:
cvss-score: 9.8
cve-id: CVE-2018-18925
cwe-id: CWE-384
remediation: This issue will be fixed by updating to the latest version of Gogs
remediation: This issue will be fixed by updating to the latest version of Gogs.
tags: cve,cve2018,gogs,lfi,rce
requests:
@ -35,3 +34,5 @@ requests:
- type: dsl
dsl:
- 'status_code_1 == 500 && status_code_2 == 200 && contains(body_2, "<meta name=\"author\" content=\"Gogs\" />")'
# Enhanced by mp on 2022/05/13

View File

@ -1,13 +1,13 @@
id: CVE-2018-20985
info:
name: WordPress Plugin WP Payeezy Pay 2.97 - Local File Inclusion
name: WordPress Payeezy Pay <=2.97 - Local File Inclusion
author: daffainfo
severity: critical
description: WordPress Plugin WP Payeezy Pay is prone to a local file inclusion vulnerability because it fails to sufficiently verify user-supplied input. Exploiting this issue may allow an attacker to obtain sensitive
information that could aid in further attacks. WordPress Plugin WP Payeezy Pay version 2.97 is vulnerable; prior versions are also affected.
description: WordPress Plugin WP Payeezy Pay is prone to a local file inclusion vulnerability because it fails to sufficiently verify user-supplied input. Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. WordPress Plugin WP Payeezy Pay version 2.97 is vulnerable; prior versions are also affected.
reference:
- https://www.pluginvulnerabilities.com/2018/12/06/our-improved-proactive-monitoring-has-now-caught-a-local-file-inclusion-lfi-vulnerability-as-well/
- https://wordpress.org/plugins/wp-payeezy-pay/#developers
- https://www.cvedetails.com/cve/CVE-2018-20985/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
@ -35,3 +35,6 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/13

@ -1,13 +1,15 @@
id: CVE-2018-2894
info:
name: Oracle WebLogic RCE
name: Oracle WebLogic Server - Remote Code Execution
author: geeknik,pdteam
severity: critical
description: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.
description: |
The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services) is susceptible to a remote code execution vulnerability that is easily exploitable and could allow unauthenticated attackers with network access via HTTP to compromise the server. Supported versions that are affected are 12.1.3.0, 12.2.1.2 and 12.2.1.3.
reference:
- https://blog.detectify.com/2018/11/14/technical-explanation-of-cve-2018-2894-oracle-weblogic-rce/
- https://github.com/vulhub/vulhub/tree/fda47b97c7d2809660a4471539cd0e6dbf8fac8c/weblogic/CVE-2018-2894
- https://nvd.nist.gov/vuln/detail/CVE-2018-2894
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -90,3 +92,5 @@ requests:
- type: word
words:
- "26ec00a3a03f6bfc5226fd121567bb58" # MD5 (CVE-2018-2894)
# Enhanced by mp on 2022/05/13

@ -1,14 +1,13 @@
id: CVE-2018-3810
info:
name: WordPress Smart Google Code Inserter Authentication Bypass
name: Oturia WordPress Smart Google Code Inserter <3.5 - Authentication Bypass
author: princechaddha
severity: critical
description: Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic
parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated
user to successfully update the inserted code.
description: Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code.
reference:
- https://www.exploit-db.com/exploits/43420
- https://nvd.nist.gov/vuln/detail/CVE-2018-3810
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -44,3 +43,6 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/13

@ -1,10 +1,10 @@
id: CVE-2018-6008
info:
name: Joomla! Component Jtag Members Directory 5.3.7 - Arbitrary File Download
name: Joomla! Component Jtag Members Directory 5.3.7 - Arbitrary File Retrieval
author: daffainfo
severity: high
description: Arbitrary File Download exists in the Jtag Members Directory 5.3.7 component for Joomla! via the download_file parameter.
description: Arbitrary file retrieval exists in the Jtag Members Directory 5.3.7 component for Joomla! via the download_file parameter.
reference:
- https://www.exploit-db.com/exploits/43913
- https://www.cvedetails.com/cve/CVE-2018-6008

@ -1,13 +1,13 @@
id: CVE-2018-7600
info:
name: Drupal Drupalgeddon 2 RCE
name: Drupal - Remote Code Execution
author: pikpikcu
severity: critical
description: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or
common module configurations.
description: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
reference:
- https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2018-7600
- https://nvd.nist.gov/vuln/detail/CVE-2018-7600
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -60,3 +60,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/13

@ -1,11 +1,10 @@
id: CVE-2018-7602
info:
name: Drupal Remote Code Execution Vulnerability
name: Drupal - Remote Code Execution
author: princechaddha
severity: critical
description: A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result
in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
description: Drupal 7.x and 8.x contain a remote code execution vulnerability that exists within multiple subsystems. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
reference:
- https://github.com/vulhub/vulhub/blob/master/drupal/CVE-2018-7602/drupa7-CVE-2018-7602.py
- https://nvd.nist.gov/vuln/detail/CVE-2018-7602
@ -74,3 +73,5 @@ requests:
group: 1
regex:
- '<input type="hidden" name="form_build_id" value="(.*)" />'
# Enhanced by mp on 2022/05/13

@ -1,7 +1,7 @@
id: CVE-2018-7662
info:
name: CouchCMS <= 2.0 - Full Path Disclosure
name: CouchCMS <= 2.0 - Path Disclosure
author: ritikchaddha
severity: medium
description: CouchCMS <= 2.0 allows remote attackers to discover the full path via a direct request to includes/mysql2i/mysql2i.func.php or addons/phpmailer/phpmailer.php.

@ -4,8 +4,7 @@ info:
name: PrismaWEB - Credentials Disclosure
author: gy741
severity: critical
description: The vulnerability exists due to the disclosure of hard-coded credentials allowing an attacker to effectively bypass authentication of PrismaWEB with administrator privileges. The credentials can be
disclosed by simply navigating to the login_par.js JavaScript page that holds the username and password for the management interface that are being used via the Login() function in /scripts/functions_cookie.js script.
description: PrismaWEB is susceptible to credential disclosure. The vulnerability exists due to the disclosure of hard-coded credentials allowing an attacker to effectively bypass authentication of PrismaWEB with administrator privileges. The credentials can be disclosed by simply navigating to the login_par.js JavaScript page that holds the username and password for the management interface that are being used via the Login() function in /scripts/functions_cookie.js script.
reference:
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5453.php
- https://nvd.nist.gov/vuln/detail/CVE-2018-9161
@ -33,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/13

@ -1,7 +1,7 @@
id: CVE-2018-9205
info:
name: Drupal avatar_uploader v7.x-1.0-beta8 Local File Inclusion
name: Drupal avatar_uploader v7.x-1.0-beta8 - Local File Inclusion
author: daffainfo
severity: high
description: In avatar_uploader v7.x-1.0-beta8 the view.php program doesn't restrict file paths, allowing unauthenticated users to retrieve arbitrary files.

@ -1,7 +1,7 @@
id: CVE-2019-16123
info:
name: PilusCart <= 1.4.1 - Local File Disclosure
name: PilusCart <= 1.4.1 - Arbitrary File Retrieval
author: 0x_Akoko
severity: high
description: PilusCart versions 1.4.1 and below suffers from a file disclosure vulnerability.

@ -1,7 +1,7 @@
id: CVE-2019-16759
info:
name: vBulletin v5.0.0-v5.5.4 Remote Command Execution
name: vBulletin v5.0.0-v5.5.4 - Remote Command Execution
author: madrobot
severity: critical
description: vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

@ -1,11 +1,10 @@
id: CVE-2019-17506
info:
name: DLINK DIR-868L & DIR-817LW Info Leak
name: D-Link DIR-868L & DIR-817LW - Information Disclosure
author: pikpikcu
severity: critical
description: There are some web interfaces without authentication requirements on D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 routers. An attacker can get the router's username and password (and other information)
via a DEVICE.ACCOUNT value for SERVICES in conjunction with AUTHORIZED_GROUP=1%0a to getcfg.php. This could be used to control the router remotely.
description: There are some web interfaces without authentication requirements on D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 routers. An attacker can get the router's username and password (and other information) via a DEVICE.ACCOUNT value for SERVICES in conjunction with AUTHORIZED_GROUP=1%0a to getcfg.php. This could be used to control the router remotely.
reference:
- https://github.com/dahua966/Routers-vuls/blob/master/DIR-868/name%26passwd.py
classification:

@ -1,10 +1,10 @@
id: CVE-2019-19908
info:
name: phpMyChat-Plus XSS
name: phpMyChat-Plus - Cross-Site Scripting
author: madrobot
severity: medium
description: phpMyChat-Plus 1.98 is vulnerable to reflected XSS via JavaScript injection into the password reset URL. In the URL, the pmc_username parameter to pass_reset.php is vulnerable.
description: phpMyChat-Plus 1.98 is vulnerable to reflected cross-site scripting (XSS) via JavaScript injection into the password reset URL. In the URL, the pmc_username parameter to pass_reset.php is vulnerable.
reference:
- https://cinzinga.github.io/CVE-2019-19908/
classification:

@ -1,10 +1,10 @@
id: CVE-2019-19985
info:
name: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download
name: WordPress Email Subscribers & Newsletters <4.2.2 - Arbitrary File Retrieval
author: KBA@SOGETI_ESEC,madrobot,dwisiswant0
severity: medium
description: The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed unauthenticated file download with user information disclosure.
description: The WordPress plugin Email Subscribers & Newsletters before 4.2.3 contains a flaw that allows unauthenticated file download and user information disclosure.
reference:
- https://www.exploit-db.com/exploits/48698
classification:
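Review bot: the new name "WordPress Email Subscribers & Newsletters <4.2.2" conflicts with the description, which says versions before 4.2.3 are affected (and the old name listed 4.2.2 itself as vulnerable); "<4.2.3" or "<=4.2.2" would match the description.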

@ -1,7 +1,7 @@
id: CVE-2019-20141
info:
name: Neon Dashboard - XSS Reflected
name: Neon Dashboard - Cross-Site Scripting
author: knassar702
severity: medium
description: An XSS issue was discovered in the Laborator Neon theme 2.0 for WordPress via the data/autosuggest-remote.php q parameter.

@ -1,7 +1,7 @@
id: CVE-2019-3912
info:
name: LabKey Server < 18.3.0 - Open redirect
name: LabKey Server < 18.3.0 - Open Redirect
author: 0x_Akoko
severity: medium
description: An open redirect vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 via the /__r1/ returnURL parameter allows an unauthenticated remote attacker to redirect users to arbitrary web sites.

@ -1,7 +1,7 @@
id: CVE-2019-9955
info:
name: Zyxel Reflected Cross-site Scripting
name: Zyxel - Reflected Cross-site Scripting
author: pdteam
severity: medium
description: On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, ZyWALL 1100 devices, the security

@ -1,7 +1,7 @@
id: CVE-2020-18268
info:
name: Z-BlogPHP 1.5.2 Open redirect
name: Z-BlogPHP 1.5.2 - Open Redirect
author: 0x_Akoko
severity: medium
description: Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect" parameter in the component "zb_system/cmd.php."

@ -1,7 +1,7 @@
id: CVE-2020-22840
info:
name: b2evolution CMS Open redirect
name: b2evolution CMS - Open Redirect
author: geeknik
severity: medium
description: Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php.

@ -1,11 +1,10 @@
id: CVE-2020-24391
info:
name: Mongo-Express Remote Code Execution
name: Mongo-Express - Remote Code Execution
author: leovalcante
severity: critical
description: Mongo-Express before 1.0.0 is susceptible to remote code execution because it uses safer-eval to validate user supplied javascript. Unfortunately safer-eval sandboxing capabilities are easily bypassed
leading to remote code execution in the context of the node server.
description: Mongo-Express before 1.0.0 is susceptible to remote code execution because it uses safer-eval to validate user supplied javascript. Unfortunately safer-eval sandboxing capabilities are easily bypassed leading to remote code execution in the context of the node server.
reference:
- https://securitylab.github.com/advisories/GHSL-2020-131-mongo-express/
- https://github.com/mongo-express/mongo-express/commit/3a26b079e7821e0e209c3ee0cc2ae15ad467b91a

@ -1,7 +1,7 @@
id: CVE-2020-24550
info:
name: CVE-2020-24550
name: EpiServer <13.2.7 - Open Redirect
author: dhiyaneshDK
severity: medium
description: An Open Redirect vulnerability in EpiServer Find before 13.2.7 allows an attacker to redirect users to untrusted websites via the _t_redirect parameter in a crafted URL, such as a /find_v2/_click URL.
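Review bot: the new name drops the affected component: the description says the open redirect is in EpiServer Find before 13.2.7, so "EpiServer Find <13.2.7 - Open Redirect" would be more accurate than "EpiServer <13.2.7".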

@ -1,7 +1,7 @@
id: CVE-2020-24579
info:
name: DLINK DSL 2888a RCE
name: D-Link DSL 2888a - Remote Command Execution
author: pikpikcu
severity: high
description: An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. An unauthenticated attacker could bypass authentication to access authenticated pages and functionality.
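Review bot: the renamed title says "Remote Command Execution", but the description in the context lines only describes an authentication bypass that exposes authenticated pages and functionality; either the description should state the command execution step or the name should say "Authentication Bypass", so that name, description and severity agree.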

@ -1,10 +1,10 @@
id: CVE-2020-25495
info:
name: SCO Openserver 5.0.7 - 'section' Reflected XSS
name: SCO Openserver 5.0.7 - 'section' Cross-Site scripting
author: 0x_Akoko
severity: medium
description: A reflected Cross-site scripting (XSS) vulnerability in Xinuo (formerly SCO) Openserver version 5 and 6 allows remote attackers to inject arbitrary web script or HTML tag via the parameter 'section'.
description: A reflected cross-site scripting (XSS) vulnerability in Xinuo (formerly SCO) Openserver version 5 and 6 allows remote attackers to inject arbitrary web script or HTML tag via the parameter 'section'.
reference:
- https://www.exploit-db.com/exploits/49300
classification:
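Review bot: capitalization in the new name is inconsistent with the rest of this change: "'section' Cross-Site scripting" should be "Cross-Site Scripting", as in the other renamed templates.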

@ -1,7 +1,7 @@
id: CVE-2020-29453
info:
name: Jira Server Pre-Auth Limited Arbitrary File Read
name: Jira Server Pre-Auth - Arbitrary File Retrieval (WEB-INF, META-INF)
author: dwisiswant0
severity: medium
description: The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.

@ -1,7 +1,7 @@
id: CVE-2020-3452
info:
name: CVE-2020-3452
name: Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) - Arbitrary File Retrieval
author: pdteam
severity: high
description: |

@ -1,10 +1,10 @@
id: CVE-2020-35736
info:
name: GateOne Arbitrary File Download
name: GateOne 1.1 - Arbitrary File Retrieval
author: pikpikcu
severity: high
description: GateOne 1.1 allows arbitrary file download without authentication via /downloads/.. directory traversal because os.path.join is misused.
description: GateOne 1.1 allows arbitrary file retrieval without authentication via /downloads/.. directory traversal because os.path.join is incorrectly used.
reference:
- https://github.com/liftoff/GateOne/issues/747
- https://nvd.nist.gov/vuln/detail/CVE-2020-35736

@ -1,7 +1,7 @@
id: CVE-2020-35749
info:
name: Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download
name: Simple Job Board < 2.9.4 -Arbitrary File Retrieval (Authenticated)
author: cckuailong
severity: high
description: The plugin does not validate the sjb_file parameter when viewing a resume, allowing authenticated user with the download_resume capability (such as HR users) to download arbitrary files from the web-server
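Review bot: missing space in the new name: "Simple Job Board < 2.9.4 -Arbitrary File Retrieval (Authenticated)" should read "- Arbitrary".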

@ -1,7 +1,7 @@
id: CVE-2020-36365
info:
name: Smartstore < 4.1.0 - Open redirect
name: Smartstore < 4.1.0 - Open Redirect
author: 0x_Akoko
severity: medium
description: Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect.

@ -5,7 +5,7 @@ info:
author: veshraj
severity: medium
description: |
The theme does not sanitise and escape the cbi parameter before outputing it back in the response via the cb_s_a AJAX action, leading to a Reflected Cross-Site Scripting
The 15Zine Wordpress theme does not sanitize the cbi parameter before including it in the HTTP response via the cb_s_a AJAX action, leading to a reflected cross-site scripting.
reference:
- https://wpscan.com/vulnerability/d1dbc6d7-7488-40c2-bc38-0674ea5b3c95
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36510
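Review bot: in the new description "Wordpress" should be "WordPress", and "leading to a reflected cross-site scripting." needs a noun ("leading to a reflected cross-site scripting vulnerability.").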

@ -1,10 +1,10 @@
id: CVE-2020-9054
info:
name: ZyXEL NAS Firmware 5.21- Remote Code Execution
name: Zyxel NAS Firmware 5.21- Remote Code Execution
author: dhiyaneshDk
severity: critical
description: "Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2."
description: "Multiple Zyxel network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. Zyxel NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the Zyxel device. Although the web server does not run as the root user, Zyyxel devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable Zyyxel device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any Zyyxel device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 Zyyxel has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2."
reference:
- https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/
- https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml
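Review bot: the reworded description introduces a typo: the vendor is spelled "Zyyxel" four times ("Zyyxel devices include a setuid utility", "a vulnerable Zyyxel device", "any Zyyxel device", "Zyyxel has made firmware updates available"); it should be "Zyxel" throughout, as in the new name. The new name also needs a space before the dash: "Zyxel NAS Firmware 5.21- Remote Code Execution" should read "5.21 - Remote Code Execution".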

@ -1,11 +1,10 @@
id: CVE-2020-9490
info:
name: CVE-2020-9490
name: Apache HTTP Server 2.4.20-2.4.43 - HTTP/2 Cache-Digest DoS
author: philippedelteil
severity: high
description: Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource
afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
description: Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
reference:
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://bugs.chromium.org/p/project-zero/issues/detail?id=2030
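Review bot: the joined description still opens with a sentence fragment, "Apache HTTP Server versions 2.4.20 to 2.4.43."; consider "Apache HTTP Server versions 2.4.20 to 2.4.43 are susceptible to denial of service: a specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash ..." so that the first sentence states the vulnerability.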

@ -1,10 +1,10 @@
id: CVE-2021-21816
info:
name: D-LINK DIR-3040 - Syslog Information Disclosure
name: D-Link DIR-3040 - Syslog Information Disclosure
author: gy741
severity: medium
description: An information disclosure vulnerability exists in the Syslog functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker
description: An information disclosure vulnerability exists in the Syslog functionality of D-Link DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker
can send an HTTP request to trigger this vulnerability.
reference:
- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1281
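Review bot: only the first line of the wrapped description was edited; the continuation line "can send an HTTP request to trigger this vulnerability." is still a separate line, whereas the other multi-line descriptions in this change were joined into one line. Join it here too for consistency.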

@ -1,10 +1,9 @@
id: CVE-2021-24997
info:
name: CVE-2021-24997
name: Wordpress Guppy <=1.1 - User ID Disclosure
author: Evan Rubinstein
description: Instances of the Guppy Wordpress extension up to 1.1 are vulnerable to an API disclosure vulnerability which allows remote unauthenticated attackrs to obtain all user IDs, and then use that information
to make API requests to either get messages sent between users, or send messages posing as one user to another.
description: Instances of the Guppy Wordpress extension up to 1.1 are vulnerable to an API disclosure vulnerability which allows remote unauthenticated attackrs to obtain all user IDs, and then use that information to make API requests to either get messages sent between users, or send messages posing as one user to another.
reference:
- https://www.exploit-db.com/exploits/50540
- https://patchstack.com/database/vulnerability/wp-guppy/wordpress-wp-guppy-plugin-1-2-sensitive-information-disclosure-vulnerability
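Review bot: the joined description keeps the typo "attackrs" (should be "attackers"), and "Wordpress" in both the new name and the description should be "WordPress". The context also shows "author:" followed directly by "description:", so this template appears to declare no "severity"; check that one is present.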

@ -1,7 +1,7 @@
id: CVE-2021-25118
info:
name: Yoast SEO < 17.3 - Unauthenticated Full Path Disclosure
name: Yoast SEO < 17.3 - Path Disclosure
author: DhiyaneshDK
severity: medium
description: The plugin discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints which could help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities.

@ -1,7 +1,7 @@
id: CVE-2021-30151
info:
name: CVE-2021-30151
name: Sidekiq 5.1.3 and 6.x-6.2.0 - Cross-Site Scripting
author: DhiyaneshDk
severity: medium
description: Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used.
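Review bot: the new name "Sidekiq 5.1.3 and 6.x-6.2.0 - Cross-Site Scripting" reads as if only 5.1.3 is affected, whereas the description says "through 5.1.3 and 6.x through 6.2.0"; "Sidekiq <=5.1.3, 6.0-6.2.0 - Cross-Site Scripting" expresses the range.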

@ -1,11 +1,10 @@
id: CVE-2021-39316
info:
name: DZS Zoomsounds < 6.50 - Unauthenticated Arbitrary File Download
name: Wordpress DZS Zoomsounds <= 6.50 - Arbitrary File Retrieval
author: daffainfo
severity: high
description: The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using directory traversal
in the `link` parameter.
description: The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using a directory traversal in the `link` parameter.
reference:
- https://wpscan.com/vulnerability/d2d60cf7-e4d3-42b6-8dfe-7809f87547bd
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39316
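Review bot: the version bound in the name changed from "< 6.50" to "<= 6.50", while the description (unchanged apart from wording) still says "<= 6.45"; pick one bound that matches the references. "Wordpress" in the new name should also be "WordPress".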

@ -1,7 +1,7 @@
id: CVE-2021-41293
info:
name: ECOA Building Automation System - Local File Disclosure
name: ECOA Building Automation System - Arbitrary File Retrieval
author: 0x_Akoko
severity: high
description: The ECOA BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose

@ -1,7 +1,7 @@
id: CVE-2022-0540
info:
name: Atlassian Jira - Authentication bypass in Seraph
name: Atlassian Jira Seraph- Authentication Bypass
author: DhiyaneshDK
severity: critical
description: |
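Review bot: missing space in the new name: "Atlassian Jira Seraph- Authentication Bypass" should read "Seraph - Authentication Bypass".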

@ -1,11 +1,11 @@
id: CVE-2022-1119
info:
name: WordPress Simple File List < 3.2.8 - Unauthenticated Arbitrary File Download
name: WordPress Simple File List < 3.2.8 - Arbitrary File Retrieval
author: random-robbie
severity: high
description: |
The plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which makes it possible unauthenticated attackers to supply a path to a file that will subsequently be downloaded
The Wordpress plugin is vulnerable to arbitrary file retrieval via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which make it possible for unauthenticated attackers retrieve arbitrary files.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-1119
- https://wpscan.com/vulnerability/5551038f-64fb-44d8-bea0-d2f00f04877e
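Review bot: grammar in the new description: "which make it possible for unauthenticated attackers retrieve arbitrary files" is missing "to" ("... attackers to retrieve ..."), and "Wordpress" should be "WordPress".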

@ -5,10 +5,12 @@ info:
author: veshraj
severity: medium
description: |
The plugin does not sanitise and escape some parameters before outputting them back in attributes, leading to a Reflected Cross-Site Scripting.
The Gwyn's Imagemap Selector Wordpresss plugin does not sanitize the id and class parameters before returning them back in attributes, leading to a Reflected Cross-Site Scripting.
reference:
- https://wpscan.com/vulnerability/641be9f6-2f74-4386-b16e-4b9488f0d2a9
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1221
classification:
cve-id: CVE-2022-1221
metadata:
verified: true
tags: xss,wordpress,wp-plugin,wp,cve,cve2022
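Review bot: typo in the new description: "Wordpresss" should be "WordPress". The rewrite also names the affected parameters as "id and class", which the original line did not; make sure those match the WPScan reference.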

@ -1,7 +1,7 @@
id: gogs-login
info:
name: Sign In - Gogs
name: Gogs (Go Git Service) - Sign In Page
author: dhiyaneshDK
severity: info
metadata:

@ -1,7 +1,7 @@
id: zyxel-vmg1312b10d-login
info:
name: ZYXEL VMG1312-B10D Login Detect
name: Zyxel VMG1312-B10D - Login Detection
author: princechaddha
severity: info
metadata:

@ -1,7 +1,7 @@
id: zyxel-vsg1432b101-login
info:
name: ZYXEL VSG1432-B101 Login Detect
name: Zyxel VSG1432-B101 - Login Detection
author: princechaddha
severity: info
metadata:

@ -1,7 +1,7 @@
id: gogs-install-exposure
info:
name: Gogs install exposure
name: Gogs (Go Git Service) - Install Exposure
author: dhiyaneshDk
severity: high
tags: gogs,exposure

@ -1,7 +1,7 @@
id: window-name-domxss
info:
name: window.name DOM XSS
name: window.name - DOM Cross-Site Scripting
author: pdteam
severity: medium
reference:

@ -1,7 +1,7 @@
id: aem-setpreferences-xss
info:
name: AEM setPreferences XSS
name: AEM setPreferences - Cross-Site Scripting
author: zinminphy0,dhiyaneshDK
severity: medium
reference:

@ -1,7 +1,7 @@
id: akamai-arl-xss
info:
name: Open Akamai ARL XSS
name: Open Akamai ARL - Cross-Site Scripting
author: pdteam
severity: medium
reference:

@ -1,7 +1,7 @@
id: ampps-dirlisting
info:
name: AMPPS by Softaculous - Directory Listing Enabled
name: AMPPS by Softaculous - Directory Listing
author: deFr0ggy
severity: info
tags: panel,ampps,softaculous,misconfig

@ -1,7 +1,7 @@
id: dlink-file-read
info:
name: D-Link Arbitrary File Read
name: D-Link - Arbitrary File Retrieval
author: dhiyaneshDK
severity: high
reference:

@ -1,7 +1,7 @@
id: moodle-filter-jmol-xss
info:
name: Moodle filter_jmol - XSS
name: Moodle filter_jmol - Cross-Site Scripting
author: madrobot
severity: medium
description: Cross-site scripting on Moodle.

@ -1,7 +1,7 @@
id: moodle-xss
info:
name: Moodle redirect_uri Reflected XSS
name: Moodle redirect_uri - Cross-Site Scripting
author: hackergautam
severity: medium
description: XSS in moodle via redirect_uri parameter

@ -1,7 +1,7 @@
id: netsweeper-rxss
info:
name: Netsweeper 4.0.9 - Cross Site Scripting Injection
name: Netsweeper 4.0.9 - Cross-Site Scripting
author: daffainfo
severity: medium
reference:

@ -1,7 +1,7 @@
id: oracle-ebs-xss
info:
name: Oracle EBS XSS
name: Oracle EBS - Cross-Site Scripting
author: dhiyaneshDk
severity: medium
reference:

@ -1,10 +1,10 @@
id: bems-api-lfi
info:
name: Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download
name: Longjing Technology BEMS API 1.21 - Arbitrary File Retrieval
author: gy741
severity: high
description: The application suffers from an unauthenticated arbitrary file download vulnerability. Input passed through the fileName parameter through downloads endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks.
description: The application suffers from an unauthenticated arbitrary file retrieval vulnerability. Input passed through the fileName parameter through the downloads API endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks.
reference:
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php
tags: lfi

@ -1,14 +1,16 @@
id: ecsimagingpacs-rce
info:
name: ECSIMAGING PACS 6.21.5 - Remote code execution
name: ECSIMAGING PACS <= 6.21.5 - Command Execution and Local File Inclusion
author: ritikchaddha
severity: critical
description: ECSIMAGING PACS Application in 6.21.5 and bellow suffers from a OS Injection vulnerability. The parameter `file` on the webpage /showfile.php can be exploited with simple OS injection to gain root access. www-data user has sudo NOPASSWD access
description: ECSIMAGING PACS Application 6.21.5 and below suffer from a command injection vulnerability and a local file include vulnerability. The 'file' parameter on the page /showfile.php can be exploited to perform command execution or local file inclusion. Often on ECSIMAGING PACS, the www-data user has sudo NOPASSWD access.
reference: https://www.exploit-db.com/exploits/49388
metadata:
verified: false
tags: ecsimagingpacs,rce
classification:
cwe-id: CWE-78
requests:
- method: GET
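Review bot: `reference:` is a bare scalar here while the other templates in this change use a list (`- https://...`); switching to the list form keeps the field shape uniform for anything that iterates references. Separately, the new `classification` block lists only `cwe-id: CWE-78`, yet the rewritten `description` now also claims local file inclusion; either add the CWE for the inclusion path as well (CWE-98 covers PHP file inclusion) or keep the description to the command-injection behaviour. The `metadata: verified: false` flag should also be explained or resolved before merge, since the template is being promoted to a combined RCE/LFI check.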
@ -24,3 +26,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs 05/12/2022
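Review bot: the trailing comment `# Enhanced by cs 05/12/2022` uses a numeric date that is ambiguous between 12 May and 5 December; an ISO-style date (2022-05-12) avoids that and matches how dates are written elsewhere in the repository's enhancement trailers.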


@ -1,10 +1,10 @@
id: eyelock-nano-lfd
info:
name: EyeLock nano NXT 3.5 - Local File Disclosure
name: EyeLock nano NXT 3.5 - Arbitrary File Retrieval
author: geeknik
severity: high
description: EyeLock nano NXT suffers from a file disclosure vulnerability when input passed through the 'path' parameter to 'logdownload.php' script is not properly verified before being used to read files. This
description: EyeLock nano NXT suffers from a file retrieval vulnerability when input passed through the 'path' parameter to 'logdownload.php' script is not properly verified before being used to read files. This
can be exploited to disclose contents of files from local resources.
reference:
- https://www.zeroscience.mk/codes/eyelock_lfd.txt
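Review bot: the `description` value is split across two physical lines ("... before being used to read files. This" / "can be exploited to disclose contents of files from local resources."); as a plain YAML scalar that only parses when the continuation line is indented deeper than the key, and it is easy to break on the next edit. Put the sentence on one line or use a `>` folded block scalar.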


@ -1,7 +1,7 @@
id: java-melody-xss
info:
name: JavaMelody Monitoring XSS
name: JavaMelody Monitoring - Cross-Site Scripting
author: kailashbohara
severity: medium
description: Reflected cross site scripting (XSS) in JavaMelody monitoring.


@ -1,10 +1,10 @@
id: kafdrop-xss
info:
name: KafDrop XSS
name: KafDrop - Cross-Site Scripting
author: dhiyaneshDk
severity: medium
description: A vulnerability in KafDrop allows remote unauthenticated attackers to inject arbitrary HTML and/or Javascript into the response returned by the server.
description: A vulnerability in KafDrop allows remote unauthenticated attackers to inject arbitrary HTML and/or JavaScript into the response returned by the server.
reference:
- https://github.com/HomeAdvisor/Kafdrop/issues/12
tags: kafdrop,xss


@ -1,10 +1,10 @@
id: kyocera-m2035dn-lfi
info:
name: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated)
name: Kyocera Command Center RX ECOSYS M2035dn - Arbitrary File Retrieval
author: 0x_Akoko
severity: high
description: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated)
description: Kyocera Command Center RX ECOSYS M2035dn - Unauthenticated arbitrary file retrieval.
reference:
- https://www.exploit-db.com/exploits/50738
- https://www.kyoceradocumentsolutions.com/asia/en/products/business-application/command-center-rx.html
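Review bot: the `description` is still just the title restated ("Kyocera Command Center RX ECOSYS M2035dn - Unauthenticated arbitrary file retrieval."), so the edit adds no information; describe what is affected (the endpoint and parameter that accept the traversal, as the bems-api-lfi and eyelock-nano-lfd hunks do) rather than repeating `name`.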


@ -1,10 +1,10 @@
id: microstrategy-ssrf
info:
name: MicroStrategy tinyurl - BSSRF
name: MicroStrategy tinyurl - Server-Side Request Forgery (Blind)
author: organiccrap
severity: high
description: Blind server-side request forgery vulnerability on MicroStrategy URL shortener.
description: Blind server-side (SSRF) request forgery vulnerability on MicroStrategy URL shortener.
reference:
- https://medium.com/@win3zz/how-i-made-31500-by-submitting-a-bug-to-facebook-d31bb046e204
tags: microstrategy,ssrf
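Review bot: the edited `description` reads "Blind server-side (SSRF) request forgery", which inserts the abbreviation in the middle of the phrase it expands; suggest `description: Blind server-side request forgery (SSRF) vulnerability on MicroStrategy URL shortener.` The `name` change is fine.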


@ -1,7 +1,7 @@
id: nginx-module-vts-xss
info:
name: Nginx virtual host traffic status module XSS
name: Nginx Virtual Host Traffic Status Module - Cross-Site Scripting
author: madrobot
severity: medium
tags: nginx,xss,status

Some files were not shown because too many files have changed in this diff.