parent
a3fbef4bfc
commit
581b7a627b
|
@ -1,12 +1,17 @@
|
|||
id: CNVD-2019-19299
|
||||
|
||||
info:
|
||||
name: Zhiyuan A8 Arbitrary File Write (RCE)
|
||||
name: Zhiyuan A8 - Remote Code Execution
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
description: Zhiyuan A8 is susceptible to remote code execution because of an arbitrary file write issue.
|
||||
reference:
|
||||
- https://www.cxyzjd.com/article/guangying177/110177339
|
||||
- https://github.com/sectestt/CNVD-2019-19299
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
cwe-id: CWE-77
|
||||
tags: zhiyuan,cnvd,cnvd2019,rce
|
||||
|
||||
requests:
|
||||
|
@ -45,3 +50,5 @@ requests:
|
|||
- 'contains(body_1, "htmoffice operate")'
|
||||
- 'contains(body_2, "Windows IP")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
||||
|
|
|
@ -1,12 +1,16 @@
|
|||
id: CNVD-2019-32204
|
||||
|
||||
info:
|
||||
name: Fanwei e-cology <= 9.0 Remote Code Execution
|
||||
name: Fanwei e-cology <=9.0 - Remote Code Execution
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
description: The attacker can directly execute arbitrary commands on the target server by invoking the unauthorized access problem interface in the BeanShell component. Currently, the security patch for this vulnerability has been released. Please take protective measures as soon as possible for users who use the Fanwei e-cology OA system.
|
||||
description: Fanwei e-cology <=9.0 is susceptible to remote code execution vulnerabilities. Remote attackers can directly execute arbitrary commands on the target server by invoking the unauthorized access problem interface in the BeanShell component. Currently, the security patch for this vulnerability has been released. Please take protective measures as soon as possible for users who use the Fanwei e-cology OA system.
|
||||
reference:
|
||||
- https://blog.actorsfit.com/a?ID=01500-11a2f7e6-54b0-4a40-9a79-5c56dc6ebd51
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
cwe-id: CWE-77
|
||||
tags: fanwei,cnvd,cnvd2019,rce
|
||||
|
||||
requests:
|
||||
|
@ -22,3 +26,5 @@ requests:
|
|||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CNVD-2020-62422
|
||||
|
||||
info:
|
||||
name: Seeyon readfile(CNVD-2020-62422)
|
||||
name: Seeyon - Arbitrary File Retrieval
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
reference:
|
||||
|
|
|
@ -1,11 +1,16 @@
|
|||
id: CNVD-2020-68596
|
||||
|
||||
info:
|
||||
name: WeiPHP 5.0 Path Traversal
|
||||
name: WeiPHP 5.0 - Path Traversal
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: WeiPHP 5.0 is susceptible to directory traversal attacks.
|
||||
severity: high
|
||||
reference:
|
||||
- http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 8.6
|
||||
cwe-id: CWE-22
|
||||
tags: weiphp,lfi,cnvd,cnvd2020
|
||||
|
||||
requests:
|
||||
|
@ -41,3 +46,5 @@ requests:
|
|||
- WeiPHP
|
||||
- DB_PREFIX
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CNVD-2021-01931
|
||||
|
||||
info:
|
||||
name: Ruoyi Management System Arbitrary File Download
|
||||
name: Ruoyi Management System - Arbitrary File Retrieval
|
||||
author: daffainfo,ritikchaddha
|
||||
severity: high
|
||||
reference:
|
||||
|
|
|
@ -1,11 +1,16 @@
|
|||
id: CNVD-2021-09650
|
||||
|
||||
info:
|
||||
name: Ruijie EWEB Gateway Platform Command Execution
|
||||
name: Ruijie EWEB Gateway Platform - Remote Command Injection
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
description: Ruijie EWEB Gateway Platform is susceptible to remote command injection attacks.
|
||||
reference:
|
||||
- http://j0j0xsec.top/2021/04/22/%E9%94%90%E6%8D%B7EWEB%E7%BD%91%E5%85%B3%E5%B9%B3%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
cwe-id: CWE-77
|
||||
tags: ruijie,cnvd,cnvd2021,rce
|
||||
|
||||
requests:
|
||||
|
@ -23,3 +28,5 @@ requests:
|
|||
name: http
|
||||
words:
|
||||
- "http"
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
||||
|
|
|
@ -4,9 +4,14 @@ info:
|
|||
name: eYouMail - Remote Code Execution
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
description: eYouMail is susceptible to a remote code execution vulnerability.
|
||||
reference:
|
||||
- https://github.com/ltfafei/my_POC/blob/master/CNVD-2021-26422_eYouMail/CNVD-2021-26422_eYouMail_RCE_POC.py
|
||||
- https://github.com/EdgeSecurityTeam/Vulnerability/blob/main/%E4%BA%BF%E9%82%AE%E9%82%AE%E4%BB%B6%E7%B3%BB%E7%BB%9F%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20(CNVD-2021-26422).md
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
cwe-id: CWE-77
|
||||
tags: eyoumail,rce,cnvd,cnvd2021
|
||||
|
||||
requests:
|
||||
|
@ -27,3 +32,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CNVD-2021-28277
|
||||
|
||||
info:
|
||||
name: Landray-OA Arbitrary File Download
|
||||
name: Landray-OA Arbitrary - Arbitrary File Retrieval
|
||||
author: pikpikcu,daffainfo
|
||||
severity: high
|
||||
reference:
|
||||
|
|
|
@ -1,14 +1,19 @@
|
|||
id: CNVD-2022-03672
|
||||
|
||||
info:
|
||||
name: Sunflower Simple and Personal edition RCE
|
||||
name: Sunflower Simple and Personal - Remote Code Execution
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
description: Sunflower Simple and Personal is susceptible to a remote code execution vulnerability.
|
||||
reference:
|
||||
- https://www.1024sou.com/article/741374.html
|
||||
- https://copyfuture.com/blogs-details/202202192249158884
|
||||
- https://www.cnvd.org.cn/flaw/show/CNVD-2022-10270
|
||||
- https://www.cnvd.org.cn/flaw/show/CNVD-2022-03672
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
cwe-id: CWE-77
|
||||
tags: cnvd,cnvd2020,sunflower,rce
|
||||
|
||||
requests:
|
||||
|
@ -40,3 +45,5 @@ requests:
|
|||
- "contains(body_1, 'verify_string')"
|
||||
- "contains(body_2, 'Windows IP')"
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2007-4504
|
||||
|
||||
info:
|
||||
name: Joomla! Component RSfiles 1.0.2 - 'path' File Download
|
||||
name: Joomla! Component RSfiles <=1.0.2 - Arbitrary File Retrieval
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in index.php in the RSfiles component (com_rsfiles) 1.0.2 and earlier for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter in a files.display action.
|
||||
description: An arbitrary file retrieval vulnerability in index.php in the RSfiles component (com_rsfiles) <=1.0.2 for Joomla! allows remote attackers to arbitrarily read files via a .. (dot dot) in the path parameter in a files.display action.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/4307
|
||||
- https://www.cvedetails.com/cve/CVE-2007-4504
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2010-0696
|
||||
|
||||
info:
|
||||
name: Joomla! Component Jw_allVideos - Arbitrary File Download
|
||||
name: Joomla! Component Jw_allVideos - Arbitrary File Retrieval
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter.
|
||||
|
@ -25,4 +25,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/02/13
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2010-2122
|
||||
|
||||
info:
|
||||
name: Joomla! Component simpledownload 0.9.5 - Local File Disclosure
|
||||
name: Joomla! Component simpledownload <=0.9.5 - Arbitrary File Retrieval
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in the SimpleDownload (com_simpledownload) component before 0.9.6 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
description: A directory traversal vulnerability in the SimpleDownload (com_simpledownload) component before 0.9.6 for Joomla! allows remote attackers to retrieve arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12623
|
||||
- https://www.cvedetails.com/cve/CVE-2010-2122
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2010-3203
|
||||
|
||||
info:
|
||||
name: Joomla! Component PicSell 1.0 - Local File Disclosure
|
||||
name: Joomla! Component PicSell 1.0 - Arbitrary File Retrieval
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in the PicSell (com_picsell) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the dflink parameter in a prevsell dwnfree action to index.php.
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2015-4694
|
||||
|
||||
info:
|
||||
name: WordPress Zip Attachments <= 1.1.4 - Arbitrary File Download
|
||||
name: WordPress Zip Attachments <= 1.1.4 - Arbitrary File Retrieval
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: WordPress zip-attachments plugin allows arbitrary file downloads because it does not check the download path of the requested file.
|
||||
description: WordPress zip-attachments plugin allows arbitrary file retrieval as it does not check the download path of the requested file.
|
||||
reference:
|
||||
- https://wordpress.org/plugins/zip-attachments/#developers
|
||||
- https://wpscan.com/vulnerability/8047
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2017-11512
|
||||
|
||||
info:
|
||||
name: ManageEngine ServiceDesk - Unauthenticated Arbitrary File Download
|
||||
name: ManageEngine ServiceDesk - Arbitrary File Retrieval
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: |
|
||||
The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the name parameter for the download-snapshot URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.
|
||||
The ManageEngine ServiceDesk 9.3.9328 is vulnerable to an arbitrary file retrieval due to improper restrictions of the pathname used in the name parameter for the download-snapshot path. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.
|
||||
reference:
|
||||
- https://exploit.kitploit.com/2017/11/manageengine-servicedesk-cve-2017-11512.html
|
||||
- https://www.cvedetails.com/cve/CVE-2017-11512
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2017-15363
|
||||
|
||||
info:
|
||||
name: Typo3 Restler Extension - Local File Disclosure
|
||||
name: TYPO3 Restler - Arbitrary File Retrieval
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in public/examples/resources/getsource.php in Luracast Restler through 3.0.0, as used in the restler extension before 1.7.1 for TYPO3, allows remote attackers to read arbitrary files via the file parameter.
|
||||
|
|
|
@ -5,7 +5,7 @@ info:
|
|||
author: thomas_from_offensity,geeknik
|
||||
severity: critical
|
||||
description: |
|
||||
Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 contains a buffer overflow vulnearbility in the ScStoragePathFromUrl function in the WebDAV service that could allow remote attackers to execute arbitrary code via a long header beginning with "If <http://" in a PROPFIND request.
|
||||
Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 contains a buffer overflow vulnerability in the ScStoragePathFromUrl function in the WebDAV service that could allow remote attackers to execute arbitrary code via a long header beginning with "If <http://" in a PROPFIND request.
|
||||
reference:
|
||||
- https://blog.0patch.com/2017/03/0patching-immortal-cve-2017-7269.html
|
||||
- https://github.com/danigargu/explodingcan/blob/master/explodingcan.py
|
||||
|
|
|
@ -6,7 +6,7 @@ id: CVE-2017-7615
|
|||
# MantisBT before 1.3.10, 2.2.4, and 2.3.1, that can be downloaded on reference[1].
|
||||
|
||||
info:
|
||||
name: CVE-2017-7615
|
||||
name: MantisBT <=2.30 - Arbitrary Password Reset and Unauthenticated Admin Access
|
||||
author: bp0lr,dwisiswant0
|
||||
severity: high
|
||||
description: MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
|
||||
|
|
|
@ -1,15 +1,16 @@
|
|||
id: CVE-2017-9841
|
||||
|
||||
info:
|
||||
name: PHPUnit < 4.8.28 and 5.x - 5.63 Arbitrary Code Execution
|
||||
name: PHPUnit - Remote Code Execution
|
||||
author: Random_Robbie,pikpikcu
|
||||
severity: critical
|
||||
description: Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI
|
||||
description: PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring via Util/PHP/eval-stdin.php , as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
|
||||
reference:
|
||||
- https://github.com/cyberharsh/Php-unit-CVE-2017-9841
|
||||
- https://github.com/RandomRobbieBF/phpunit-brute
|
||||
- https://thephp.cc/articles/phpunit-a-security-risk
|
||||
- https://twitter.com/sec715/status/1411517028012158976
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-9841
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -72,3 +73,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
||||
|
|
|
@ -1,14 +1,15 @@
|
|||
id: CVE-2018-0127
|
||||
|
||||
info:
|
||||
name: Cisco RV132W and RV134W Router Information Disclosure
|
||||
name: Cisco RV132W/RV134W Router - Information Disclosure
|
||||
author: jrolf
|
||||
severity: critical
|
||||
description: A vulnerability in the web interface of Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an unauthenticated, remote attacker to view configuration parameters for an affected device, which could lead to the disclosure of confidential information.
|
||||
description: Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an unauthenticated, remote attacker to view configuration parameters for an affected device via the web interface, which could lead to the disclosure of confidential information.
|
||||
reference:
|
||||
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-rv13x_2
|
||||
- http://www.securitytracker.com/id/1040345
|
||||
- http://www.securityfocus.com/bid/102969
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-0127
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -35,3 +36,5 @@ requests:
|
|||
- "MDM"
|
||||
- "cisco"
|
||||
- "admin"
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
||||
|
|
|
@ -1,9 +1,10 @@
|
|||
id: CVE-2018-1000226
|
||||
|
||||
info:
|
||||
name: Cobbler versions 2.6.11+, (2.0.0+ or older versions) - Authentication Bypass
|
||||
name: Cobbler - Authentication Bypass
|
||||
author: c-sh0
|
||||
severity: critical
|
||||
description: Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ and possibly even older versions, may be vulnerable to an authentication bypass vulnerability in XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appear to be exploitable via "network connectivity". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.
|
||||
reference:
|
||||
- https://github.com/cobbler/cobbler/issues/1916
|
||||
- https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/
|
||||
|
@ -58,3 +59,5 @@ requests:
|
|||
part: body
|
||||
regex:
|
||||
- "(.*[a-zA-Z0-9].+==)</string></value>"
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
id: CVE-2018-1000861
|
||||
|
||||
info:
|
||||
name: Jenkins 2.138 Remote Command Execution
|
||||
name: Jenkins - Remote Command Injection
|
||||
author: dhiyaneshDK,pikpikcu
|
||||
severity: critical
|
||||
description: A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows
|
||||
attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
|
||||
description: Jenkins 2.153 and earlier and LTS 2.138.3 and earlier are susceptible to a remote command injection via stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
|
||||
reference:
|
||||
- https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2018-1000861
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000861
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -31,3 +31,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2018-10562
|
||||
|
||||
info:
|
||||
name: Dasan GPON Devices - Remote Code Execution (Unauthenticated)
|
||||
name: Dasan GPON Devices - Remote Code Execution
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping
|
||||
description: Dasan GPON home routers are susceptible to command injection which can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping
|
||||
results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.
|
||||
reference:
|
||||
- https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router
|
||||
|
@ -37,3 +37,5 @@ requests:
|
|||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
||||
|
|
|
@ -4,11 +4,11 @@ info:
|
|||
name: Eaton Intelligent Power Manager 1.6 - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
description: Local file inclusion in Eaton Intelligent Power Manager v1.6 allows an attacker to include a file, it can lead to sensitive information disclosure, denial of service and code execution.
|
||||
description: Eaton Intelligent Power Manager v1.6 allows an attacker to include a file via directory traversal, which can lead to sensitive information disclosure, denial of service and code execution.
|
||||
reference:
|
||||
- https://github.com/EmreOvunc/Eaton-Intelligent-Power-Manager-Local-File-Inclusion
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-12031
|
||||
- https://www.exploit-db.com/exploits/48614
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-12031
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -33,3 +33,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
||||
|
|
|
@ -1,19 +1,17 @@
|
|||
id: CVE-2018-1207
|
||||
|
||||
info:
|
||||
name: Dell iDRAC7 and iDRAC8 Devices Code Injection/RCE
|
||||
name: Dell iDRAC7/8 Devices - Remote Code Injection
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: |
|
||||
This template supports the detection part only.
|
||||
|
||||
Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain CGI injection vulnerability
|
||||
Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain a CGI injection vulnerability
|
||||
which could be used to execute remote code. A remote unauthenticated attacker may
|
||||
potentially be able to use CGI variables to execute remote code.
|
||||
|
||||
https://github.com/KraudSecurity/Exploits/blob/master/CVE-2018-1207/CVE-2018-1207.py
|
||||
reference:
|
||||
- https://downloads.dell.com/solutions/dell-management-solution-resources/iDRAC_CVE%201207_1211_1000116.pdf
|
||||
- https://github.com/KraudSecurity/Exploits/blob/master/CVE-2018-1207/CVE-2018-1207.py
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-1207
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -30,3 +28,5 @@ requests:
|
|||
words:
|
||||
- "calling init: /lib/"
|
||||
part: response
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2018-12300
|
||||
|
||||
info:
|
||||
name: Seagate NAS OS 4.3.15.1 - Open redirect
|
||||
name: Seagate NAS OS 4.3.15.1 - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.15.1 allows attackers to disclose information in the Referer header via the 'state' URL parameter.
|
||||
|
|
|
@ -1,12 +1,13 @@
|
|||
id: CVE-2018-12634
|
||||
|
||||
info:
|
||||
name: Exposed CirCarLife System Log
|
||||
name: CirCarLife Scada <4.3 - System Log Exposure
|
||||
author: geeknik
|
||||
severity: critical
|
||||
description: CirCarLife is an internet-connected electric vehicle charging station
|
||||
description: CirCarLife Scada before 4.3 allows remote attackers to obtain sensitive information via a direct request for the html/log or services/system/info.html URI. CirCarLife is an internet-connected electric vehicle charging station.
|
||||
reference:
|
||||
- https://circontrol.com/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-12634
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -33,3 +34,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2018-1273
|
||||
|
||||
info:
|
||||
name: Spring Data Commons Unauthenticated RCE
|
||||
name: Spring Data Commons - Remote Code Execution
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: |
|
||||
|
@ -42,3 +42,5 @@ requests:
|
|||
- "\\[(font|extension|file)s\\]"
|
||||
condition: or
|
||||
part: body
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
id: CVE-2018-13379
|
||||
|
||||
info:
|
||||
name: FortiOS - Credentials Disclosure
|
||||
name: Fortinet FortiOS - Credentials Disclosure
|
||||
author: organiccrap
|
||||
severity: critical
|
||||
description: An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0
|
||||
to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.
|
||||
description: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests due to improper limitation of a pathname to a restricted directory (path traversal).
|
||||
reference:
|
||||
- https://fortiguard.com/advisory/FG-IR-18-384
|
||||
- https://www.fortiguard.com/psirt/FG-IR-20-233
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -24,3 +24,5 @@ requests:
|
|||
- type: word
|
||||
words:
|
||||
- "var fgt_lang"
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2018-13980
|
||||
|
||||
info:
|
||||
name: Zeta Producer Desktop CMS 14.2.0 - Local File Disclosure
|
||||
name: Zeta Producer Desktop CMS 14.2.0 - Arbitrary File Retrieval
|
||||
author: wisnupramoedya
|
||||
severity: medium
|
||||
description: The websites that were built from Zeta Producer Desktop CMS before 14.2.1 are vulnerable to unauthenticated file disclosure if the plugin "filebrowser" is installed, because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal.
|
||||
|
|
|
@ -4,7 +4,7 @@ info:
|
|||
name: VelotiSmart Wifi - Directory Traversal
|
||||
author: 0x_Akoko
|
||||
severity: critical
|
||||
description: The uc-http service 1.0.0 on VelotiSmart WiFi B-380 camera devices allows Directory Traversal, as demonstrated by /../../etc/passwd on TCP port 80.
|
||||
description: VelotiSmart WiFi B-380 camera devices allow directory traversal via the uc-http service 1.0.0, as demonstrated by /../../etc/passwd on TCP port 80.
|
||||
reference:
|
||||
- https://medium.com/@s1kr10s/velotismart-0day-ca5056bcdcac
|
||||
- https://www.exploit-db.com/exploits/45030
|
||||
|
@ -31,3 +31,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2018-14916
|
||||
|
||||
info:
|
||||
name: Loytec LGATE-902 Directory Traversal
|
||||
name: Loytec LGATE-902 <6.4.2 - Local File Inclusion
|
||||
author: 0x_Akoko
|
||||
severity: critical
|
||||
description: Loytec LGATE-902 versions prior to 6.4.2 suffer from cross site scripting, arbitrary file deletion, and directory traversal vulnerabilities.
|
||||
description: Loytec LGATE-902 versions prior to 6.4.2 suffers from a local file inclusion vulnerability.
|
||||
reference:
|
||||
- https://packetstormsecurity.com/files/152453/Loytec-LGATE-902-XSS-Traversal-File-Deletion.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-14916
|
||||
|
@ -30,3 +30,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2018-15517
|
||||
|
||||
info:
|
||||
name: D-LINK Central WifiManager Server-Side Request Forgery
|
||||
name: D-Link Central WifiManager - Server-Side Request Forgery
|
||||
author: gy741
|
||||
severity: high
|
||||
description: D-LINK Central WifiManager is susceptible to server-side request forgery. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP
|
||||
description: D-Link Central WifiManager is susceptible to server-side request forgery. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP
|
||||
server but actually allows outbound TCP to any port on any IP address, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. This can undermine accountability of where scan or
|
||||
connections actually came from and or bypass the FW etc. This can be automated via script or using a browser.
|
||||
reference:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2018-16167
|
||||
|
||||
info:
|
||||
name: LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)
|
||||
name: LogonTracer <=1.2.0 - Remote Command Injection
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.
|
||||
|
@ -30,3 +30,5 @@ requests:
|
|||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
||||
|
|
|
@ -1,14 +1,15 @@
|
|||
id: CVE-2018-16763
|
||||
|
||||
info:
|
||||
name: fuelCMS 1.4.1 - Remote Code Execution
|
||||
name: FUEL CMS 1.4.1 - Remote Code Execution
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.
|
||||
description: FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/47138
|
||||
- https://www.getfuelcms.com/
|
||||
- https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-16763
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -30,3 +31,5 @@ requests:
|
|||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
id: CVE-2018-16836
|
||||
|
||||
info:
|
||||
name: Rubedo CMS 3.4.0 - Directory Traversal
|
||||
name: Rubedo CMS <=3.4.0 - Directory Traversal
|
||||
author: 0x_Akoko
|
||||
severity: critical
|
||||
description: Rubedo through 3.4.0 contains a Directory Traversal vulnerability in the theme component, allowing unauthenticated attackers to read and execute arbitrary files outside of the service root path, as
|
||||
demonstrated by a /theme/default/img/%2e%2e/..//etc/passwd URI.
|
||||
description: Rubedo CMS through 3.4.0 contains a directory traversal vulnerability in the theme component, allowing unauthenticated attackers to read and execute arbitrary files outside of the service root path, as demonstrated by a /theme/default/img/%2e%2e/..//etc/passwd URI.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/45385
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-16836
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -29,3 +29,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/13
|
||||
|
|
|
@ -1,14 +1,13 @@
|
|||
id: CVE-2018-17246
|
||||
|
||||
info:
|
||||
name: Kibana Local File Inclusion
|
||||
name: Kibana - Local File Inclusion
|
||||
author: princechaddha
|
||||
severity: critical
|
||||
description: Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute
|
||||
javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
|
||||
description: Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute JavaScript which could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-17246
|
||||
- https://github.com/vulhub/vulhub/blob/master/kibana/CVE-2018-17246/README.md
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-17246
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -38,3 +37,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 500
|
||||
|
||||
# Enhanced by mp on 2022/05/13
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
id: CVE-2018-17431
|
||||
|
||||
info:
|
||||
name: Comodo Unified Threat Management Web Console 2.7.0 - RCE
|
||||
name: Comodo Unified Threat Management Web Console - Remote Code Execution
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: Comodo Firewall & Central Manager (UTM) All Release before 2.7.0 & 1.5.0 Remote Code Execution (Web Shell based)
|
||||
description: Comodo Firewall & Central Manager (UTM) All Release before 2.7.0 & 1.5.0 are susceptible to a web shell based remote code execution vulnerability.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/48825
|
||||
- https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9276&af=9276
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-17431
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -36,3 +37,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/13
|
||||
|
|
|
@ -1,11 +1,10 @@
|
|||
id: CVE-2018-18925
|
||||
|
||||
info:
|
||||
name: Gogs - Remote Code Execution (CVE-2018-18925)
|
||||
name: Gogs (Go Git Service) 0.11.66 - Remote Code Execution
|
||||
author: princechaddha
|
||||
severity: critical
|
||||
description: Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related
|
||||
to session ID handling in the go-macaron/session code for Macaron.
|
||||
description: Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.
|
||||
reference:
|
||||
- https://www.anquanke.com/post/id/163575
|
||||
- https://github.com/vulhub/vulhub/tree/master/gogs/CVE-2018-18925
|
||||
|
@ -15,7 +14,7 @@ info:
|
|||
cvss-score: 9.8
|
||||
cve-id: CVE-2018-18925
|
||||
cwe-id: CWE-384
|
||||
remediation: This issue will be fixed by updating to the latest version of Gogs
|
||||
remediation: This issue will be fixed by updating to the latest version of Gogs.
|
||||
tags: cve,cve2018,gogs,lfi,rce
|
||||
|
||||
requests:
|
||||
|
@ -35,3 +34,5 @@ requests:
|
|||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code_1 == 500 && status_code_2 == 200 && contains(body_2, "<meta name=\"author\" content=\"Gogs\" />")'
|
||||
|
||||
# Enhanced by mp on 2022/05/13
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
id: CVE-2018-20985
|
||||
|
||||
info:
|
||||
name: WordPress Plugin WP Payeezy Pay 2.97 - Local File Inclusion
|
||||
name: WordPress Payeezy Pay <=2.97 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
description: WordPress Plugin WP Payeezy Pay is prone to a local file inclusion vulnerability because it fails to sufficiently verify user-supplied input. Exploiting this issue may allow an attacker to obtain sensitive
|
||||
information that could aid in further attacks. WordPress Plugin WP Payeezy Pay version 2.97 is vulnerable; prior versions are also affected.
|
||||
description: WordPress Plugin WP Payeezy Pay is prone to a local file inclusion vulnerability because it fails to sufficiently verify user-supplied input. Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. WordPress Plugin WP Payeezy Pay version 2.97 is vulnerable; prior versions are also affected.
|
||||
reference:
|
||||
- https://www.pluginvulnerabilities.com/2018/12/06/our-improved-proactive-monitoring-has-now-caught-a-local-file-inclusion-lfi-vulnerability-as-well/
|
||||
- https://wordpress.org/plugins/wp-payeezy-pay/#developers
|
||||
- https://www.cvedetails.com/cve/CVE-2018-20985/
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
|
@ -35,3 +35,6 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
|
||||
# Enhanced by mp on 2022/05/13
|
||||
|
|
|
@ -1,13 +1,15 @@
|
|||
id: CVE-2018-2894
|
||||
|
||||
info:
|
||||
name: Oracle WebLogic RCE
|
||||
name: Oracle WebLogic Server - Remote Code Execution
|
||||
author: geeknik,pdteam
|
||||
severity: critical
|
||||
description: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.
|
||||
description: |
|
||||
The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services) is susceptible to a remote code execution vulnerability that is easily exploitable and could allow unauthenticated attackers with network access via HTTP to compromise the server. Supported versions that are affected are 12.1.3.0, 12.2.1.2 and 12.2.1.3.
|
||||
reference:
|
||||
- https://blog.detectify.com/2018/11/14/technical-explanation-of-cve-2018-2894-oracle-weblogic-rce/
|
||||
- https://github.com/vulhub/vulhub/tree/fda47b97c7d2809660a4471539cd0e6dbf8fac8c/weblogic/CVE-2018-2894
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-2894
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -90,3 +92,5 @@ requests:
|
|||
- type: word
|
||||
words:
|
||||
- "26ec00a3a03f6bfc5226fd121567bb58" # MD5 (CVE-2018-2894)
|
||||
|
||||
# Enhanced by mp on 2022/05/13
|
||||
|
|
|
@ -1,14 +1,13 @@
|
|||
id: CVE-2018-3810
|
||||
|
||||
info:
|
||||
name: WordPress Smart Google Code Inserter Authentication Bypass
|
||||
name: Oturia WordPress Smart Google Code Inserter <3.5 - Authentication Bypass
|
||||
author: princechaddha
|
||||
severity: critical
|
||||
description: Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic
|
||||
parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated
|
||||
user to successfully update the inserted code.
|
||||
description: Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/43420
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-3810
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -44,3 +43,6 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
|
||||
# Enhanced by mp on 2022/05/13
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2018-6008
|
||||
|
||||
info:
|
||||
name: Joomla! Component Jtag Members Directory 5.3.7 - Arbitrary File Download
|
||||
name: Joomla! Component Jtag Members Directory 5.3.7 - Arbitrary File Retrieval
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Arbitrary File Download exists in the Jtag Members Directory 5.3.7 component for Joomla! via the download_file parameter.
|
||||
description: Arbitrary file retrieval exists in the Jtag Members Directory 5.3.7 component for Joomla! via the download_file parameter.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/43913
|
||||
- https://www.cvedetails.com/cve/CVE-2018-6008
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
id: CVE-2018-7600
|
||||
|
||||
info:
|
||||
name: Drupal Drupalgeddon 2 RCE
|
||||
name: Drupal - Remote Code Execution
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or
|
||||
common module configurations.
|
||||
description: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
|
||||
reference:
|
||||
- https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2018-7600
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-7600
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -60,3 +60,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/13
|
||||
|
|
|
@ -1,11 +1,10 @@
|
|||
id: CVE-2018-7602
|
||||
|
||||
info:
|
||||
name: Drupal Remote Code Execution Vulnerability
|
||||
name: Drupal - Remote Code Execution
|
||||
author: princechaddha
|
||||
severity: critical
|
||||
description: A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result
|
||||
in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
|
||||
description: Drupal 7.x and 8.x contain a remote code execution vulnerability that exists within multiple subsystems. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
|
||||
reference:
|
||||
- https://github.com/vulhub/vulhub/blob/master/drupal/CVE-2018-7602/drupa7-CVE-2018-7602.py
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-7602
|
||||
|
@ -74,3 +73,5 @@ requests:
|
|||
group: 1
|
||||
regex:
|
||||
- '<input type="hidden" name="form_build_id" value="(.*)" />'
|
||||
|
||||
# Enhanced by mp on 2022/05/13
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2018-7662
|
||||
|
||||
info:
|
||||
name: CouchCMS <= 2.0 - Full Path Disclosure
|
||||
name: CouchCMS <= 2.0 - Path Disclosure
|
||||
author: ritikchaddha
|
||||
severity: medium
|
||||
description: CouchCMS <= 2.0 allows remote attackers to discover the full path via a direct request to includes/mysql2i/mysql2i.func.php or addons/phpmailer/phpmailer.php.
|
||||
|
|
|
@ -4,8 +4,7 @@ info:
|
|||
name: PrismaWEB - Credentials Disclosure
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: The vulnerability exists due to the disclosure of hard-coded credentials allowing an attacker to effectively bypass authentication of PrismaWEB with administrator privileges. The credentials can be
|
||||
disclosed by simply navigating to the login_par.js JavaScript page that holds the username and password for the management interface that are being used via the Login() function in /scripts/functions_cookie.js script.
|
||||
description: PrismaWEB is susceptible to credential disclosure. The vulnerability exists due to the disclosure of hard-coded credentials allowing an attacker to effectively bypass authentication of PrismaWEB with administrator privileges. The credentials can be disclosed by simply navigating to the login_par.js JavaScript page that holds the username and password for the management interface that are being used via the Login() function in /scripts/functions_cookie.js script.
|
||||
reference:
|
||||
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5453.php
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-9161
|
||||
|
@ -33,3 +32,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/13
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2018-9205
|
||||
|
||||
info:
|
||||
name: Drupal avatar_uploader v7.x-1.0-beta8 Local File Inclusion
|
||||
name: Drupal avatar_uploader v7.x-1.0-beta8 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: In avatar_uploader v7.x-1.0-beta8 the view.php program doesn't restrict file paths, allowing unauthenticated users to retrieve arbitrary files.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-16123
|
||||
|
||||
info:
|
||||
name: PilusCart <= 1.4.1 - Local File Disclosure
|
||||
name: PilusCart <= 1.4.1 - Arbitrary File Retrieval
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: PilusCart versions 1.4.1 and below suffers from a file disclosure vulnerability.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-16759
|
||||
|
||||
info:
|
||||
name: vBulletin v5.0.0-v5.5.4 Remote Command Execution
|
||||
name: vBulletin v5.0.0-v5.5.4 - Remote Command Execution
|
||||
author: madrobot
|
||||
severity: critical
|
||||
description: vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.
|
||||
|
|
|
@ -1,11 +1,10 @@
|
|||
id: CVE-2019-17506
|
||||
|
||||
info:
|
||||
name: DLINK DIR-868L & DIR-817LW Info Leak
|
||||
name: D-Link DIR-868L & DIR-817LW - Information Disclosure
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: There are some web interfaces without authentication requirements on D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 routers. An attacker can get the router's username and password (and other information)
|
||||
via a DEVICE.ACCOUNT value for SERVICES in conjunction with AUTHORIZED_GROUP=1%0a to getcfg.php. This could be used to control the router remotely.
|
||||
description: There are some web interfaces without authentication requirements on D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 routers. An attacker can get the router's username and password (and other information) via a DEVICE.ACCOUNT value for SERVICES in conjunction with AUTHORIZED_GROUP=1%0a to getcfg.php. This could be used to control the router remotely.
|
||||
reference:
|
||||
- https://github.com/dahua966/Routers-vuls/blob/master/DIR-868/name%26passwd.py
|
||||
classification:
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2019-19908
|
||||
|
||||
info:
|
||||
name: phpMyChat-Plus XSS
|
||||
name: phpMyChat-Plus - Cross-Site Scripting
|
||||
author: madrobot
|
||||
severity: medium
|
||||
description: phpMyChat-Plus 1.98 is vulnerable to reflected XSS via JavaScript injection into the password reset URL. In the URL, the pmc_username parameter to pass_reset.php is vulnerable.
|
||||
description: phpMyChat-Plus 1.98 is vulnerable to reflected cross-site scripting (XSS) via JavaScript injection into the password reset URL. In the URL, the pmc_username parameter to pass_reset.php is vulnerable.
|
||||
reference:
|
||||
- https://cinzinga.github.io/CVE-2019-19908/
|
||||
classification:
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2019-19985
|
||||
|
||||
info:
|
||||
name: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download
|
||||
name: WordPress Email Subscribers & Newsletters <4.2.2 - Arbitrary File Retrieval
|
||||
author: KBA@SOGETI_ESEC,madrobot,dwisiswant0
|
||||
severity: medium
|
||||
description: The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed unauthenticated file download with user information disclosure.
|
||||
description: The WordPress plugin Email Subscribers & Newsletters before 4.2.3 contains a flaw that allows unauthenticated file download and user information disclosure.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/48698
|
||||
classification:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-20141
|
||||
|
||||
info:
|
||||
name: Neon Dashboard - XSS Reflected
|
||||
name: Neon Dashboard - Cross-Site Scripting
|
||||
author: knassar702
|
||||
severity: medium
|
||||
description: An XSS issue was discovered in the Laborator Neon theme 2.0 for WordPress via the data/autosuggest-remote.php q parameter.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-3912
|
||||
|
||||
info:
|
||||
name: LabKey Server < 18.3.0 - Open redirect
|
||||
name: LabKey Server < 18.3.0 - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: An open redirect vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 via the /__r1/ returnURL parameter allows an unauthenticated remote attacker to redirect users to arbitrary web sites.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-9955
|
||||
|
||||
info:
|
||||
name: Zyxel Reflected Cross-site Scripting
|
||||
name: Zyxel - Reflected Cross-site Scripting
|
||||
author: pdteam
|
||||
severity: medium
|
||||
description: On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, ZyWALL 1100 devices, the security
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-18268
|
||||
|
||||
info:
|
||||
name: Z-BlogPHP 1.5.2 Open redirect
|
||||
name: Z-BlogPHP 1.5.2 - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect" parameter in the component "zb_system/cmd.php."
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-22840
|
||||
|
||||
info:
|
||||
name: b2evolution CMS Open redirect
|
||||
name: b2evolution CMS - Open Redirect
|
||||
author: geeknik
|
||||
severity: medium
|
||||
description: Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php.
|
||||
|
|
|
@ -1,11 +1,10 @@
|
|||
id: CVE-2020-24391
|
||||
|
||||
info:
|
||||
name: Mongo-Express Remote Code Execution
|
||||
name: Mongo-Express - Remote Code Execution
|
||||
author: leovalcante
|
||||
severity: critical
|
||||
description: Mongo-Express before 1.0.0 is susceptible to remote code execution because it uses safer-eval to validate user supplied javascript. Unfortunately safer-eval sandboxing capabilities are easily bypassed
|
||||
leading to remote code execution in the context of the node server.
|
||||
description: Mongo-Express before 1.0.0 is susceptible to remote code execution because it uses safer-eval to validate user supplied javascript. Unfortunately safer-eval sandboxing capabilities are easily bypassed leading to remote code execution in the context of the node server.
|
||||
reference:
|
||||
- https://securitylab.github.com/advisories/GHSL-2020-131-mongo-express/
|
||||
- https://github.com/mongo-express/mongo-express/commit/3a26b079e7821e0e209c3ee0cc2ae15ad467b91a
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-24550
|
||||
|
||||
info:
|
||||
name: CVE-2020-24550
|
||||
name: EpiServer <13.2.7 - Open Redirect
|
||||
author: dhiyaneshDK
|
||||
severity: medium
|
||||
description: An Open Redirect vulnerability in EpiServer Find before 13.2.7 allows an attacker to redirect users to untrusted websites via the _t_redirect parameter in a crafted URL, such as a /find_v2/_click URL.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-24579
|
||||
|
||||
info:
|
||||
name: DLINK DSL 2888a RCE
|
||||
name: D-Link DSL 2888a - Remote Command Execution
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
description: An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. An unauthenticated attacker could bypass authentication to access authenticated pages and functionality.
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2020-25495
|
||||
|
||||
info:
|
||||
name: SCO Openserver 5.0.7 - 'section' Reflected XSS
|
||||
name: SCO Openserver 5.0.7 - 'section' Cross-Site scripting
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: A reflected Cross-site scripting (XSS) vulnerability in Xinuo (formerly SCO) Openserver version 5 and 6 allows remote attackers to inject arbitrary web script or HTML tag via the parameter 'section'.
|
||||
description: A reflected cross-site scripting (XSS) vulnerability in Xinuo (formerly SCO) Openserver version 5 and 6 allows remote attackers to inject arbitrary web script or HTML tag via the parameter 'section'.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/49300
|
||||
classification:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-29453
|
||||
|
||||
info:
|
||||
name: Jira Server Pre-Auth Limited Arbitrary File Read
|
||||
name: Jira Server Pre-Auth - Arbitrary File Retrieval (WEB-INF, META-INF)
|
||||
author: dwisiswant0
|
||||
severity: medium
|
||||
description: The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-3452
|
||||
|
||||
info:
|
||||
name: CVE-2020-3452
|
||||
name: Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) - Arbitrary File Retrieval
|
||||
author: pdteam
|
||||
severity: high
|
||||
description: |
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2020-35736
|
||||
|
||||
info:
|
||||
name: GateOne Arbitrary File Download
|
||||
name: GateOne 1.1 - Arbitrary File Retrieval
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
description: GateOne 1.1 allows arbitrary file download without authentication via /downloads/.. directory traversal because os.path.join is misused.
|
||||
description: GateOne 1.1 allows arbitrary file retrieval without authentication via /downloads/.. directory traversal because os.path.join is incorrectly used.
|
||||
reference:
|
||||
- https://github.com/liftoff/GateOne/issues/747
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-35736
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-35749
|
||||
|
||||
info:
|
||||
name: Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download
|
||||
name: Simple Job Board < 2.9.4 -Arbitrary File Retrieval (Authenticated)
|
||||
author: cckuailong
|
||||
severity: high
|
||||
description: The plugin does not validate the sjb_file parameter when viewing a resume, allowing authenticated user with the download_resume capability (such as HR users) to download arbitrary files from the web-server
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-36365
|
||||
|
||||
info:
|
||||
name: Smartstore < 4.1.0 - Open redirect
|
||||
name: Smartstore < 4.1.0 - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect.
|
||||
|
|
|
@ -5,7 +5,7 @@ info:
|
|||
author: veshraj
|
||||
severity: medium
|
||||
description: |
|
||||
The theme does not sanitise and escape the cbi parameter before outputing it back in the response via the cb_s_a AJAX action, leading to a Reflected Cross-Site Scripting
|
||||
The 15Zine Wordpress theme does not sanitize the cbi parameter before including it in the HTTP response via the cb_s_a AJAX action, leading to a reflected cross-site scripting.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/d1dbc6d7-7488-40c2-bc38-0674ea5b3c95
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36510
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2020-9054
|
||||
|
||||
info:
|
||||
name: ZyXEL NAS Firmware 5.21- Remote Code Execution
|
||||
name: Zyxel NAS Firmware 5.21- Remote Code Execution
|
||||
author: dhiyaneshDk
|
||||
severity: critical
|
||||
description: "Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2."
|
||||
description: "Multiple Zyxel network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. Zyxel NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the Zyxel device. Although the web server does not run as the root user, Zyyxel devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable Zyyxel device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any Zyyxel device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 Zyyxel has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2."
|
||||
reference:
|
||||
- https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/
|
||||
- https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml
|
||||
|
|
|
@ -1,11 +1,10 @@
|
|||
id: CVE-2020-9490
|
||||
|
||||
info:
|
||||
name: CVE-2020-9490
|
||||
name: Apache HTTP Server 2.4.20-2.4.43 - HTTP/2 Cache-Digest DoS
|
||||
author: philippedelteil
|
||||
severity: high
|
||||
description: Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource
|
||||
afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
|
||||
description: Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
|
||||
reference:
|
||||
- https://httpd.apache.org/security/vulnerabilities_24.html
|
||||
- https://bugs.chromium.org/p/project-zero/issues/detail?id=2030
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2021-21816
|
||||
|
||||
info:
|
||||
name: D-LINK DIR-3040 - Syslog Information Disclosure
|
||||
name: D-Link DIR-3040 - Syslog Information Disclosure
|
||||
author: gy741
|
||||
severity: medium
|
||||
description: An information disclosure vulnerability exists in the Syslog functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker
|
||||
description: An information disclosure vulnerability exists in the Syslog functionality of D-Link DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker
|
||||
can send an HTTP request to trigger this vulnerability.
|
||||
reference:
|
||||
- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1281
|
||||
|
|
|
@ -1,10 +1,9 @@
|
|||
id: CVE-2021-24997
|
||||
|
||||
info:
|
||||
name: CVE-2021-24997
|
||||
name: Wordpress Guppy <=1.1 - User ID Disclosure
|
||||
author: Evan Rubinstein
|
||||
description: Instances of the Guppy Wordpress extension up to 1.1 are vulnerable to an API disclosure vulnerability which allows remote unauthenticated attackrs to obtain all user IDs, and then use that information
|
||||
to make API requests to either get messages sent between users, or send messages posing as one user to another.
|
||||
description: Instances of the Guppy Wordpress extension up to 1.1 are vulnerable to an API disclosure vulnerability which allows remote unauthenticated attackrs to obtain all user IDs, and then use that information to make API requests to either get messages sent between users, or send messages posing as one user to another.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/50540
|
||||
- https://patchstack.com/database/vulnerability/wp-guppy/wordpress-wp-guppy-plugin-1-2-sensitive-information-disclosure-vulnerability
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-25118
|
||||
|
||||
info:
|
||||
name: Yoast SEO < 17.3 - Unauthenticated Full Path Disclosure
|
||||
name: Yoast SEO < 17.3 - Path Disclosure
|
||||
author: DhiyaneshDK
|
||||
severity: medium
|
||||
description: The plugin discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints which could help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-30151
|
||||
|
||||
info:
|
||||
name: CVE-2021-30151
|
||||
name: Sidekiq 5.1.3 and 6.x-6.2.0 - Cross-Site Scripting
|
||||
author: DhiyaneshDk
|
||||
severity: medium
|
||||
description: Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used.
|
||||
|
|
|
@ -1,11 +1,10 @@
|
|||
id: CVE-2021-39316
|
||||
|
||||
info:
|
||||
name: DZS Zoomsounds < 6.50 - Unauthenticated Arbitrary File Download
|
||||
name: Wordpress DZS Zoomsounds <= 6.50 - Arbitrary File Retrieval
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using directory traversal
|
||||
in the `link` parameter.
|
||||
description: The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using a directory traversal in the `link` parameter.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/d2d60cf7-e4d3-42b6-8dfe-7809f87547bd
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39316
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-41293
|
||||
|
||||
info:
|
||||
name: ECOA Building Automation System - Local File Disclosure
|
||||
name: ECOA Building Automation System - Arbitrary File Retrieval
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: The ECOA BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2022-0540
|
||||
|
||||
info:
|
||||
name: Atlassian Jira - Authentication bypass in Seraph
|
||||
name: Atlassian Jira Seraph- Authentication Bypass
|
||||
author: DhiyaneshDK
|
||||
severity: critical
|
||||
description: |
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-1119
|
||||
|
||||
info:
|
||||
name: WordPress Simple File List < 3.2.8 - Unauthenticated Arbitrary File Download
|
||||
name: WordPress Simple File List < 3.2.8 - Arbitrary File Retrieval
|
||||
author: random-robbie
|
||||
severity: high
|
||||
description: |
|
||||
The plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which makes it possible unauthenticated attackers to supply a path to a file that will subsequently be downloaded
|
||||
The Wordpress plugin is vulnerable to arbitrary file retrieval via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which make it possible for unauthenticated attackers retrieve arbitrary files.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1119
|
||||
- https://wpscan.com/vulnerability/5551038f-64fb-44d8-bea0-d2f00f04877e
|
||||
|
|
|
@ -5,10 +5,12 @@ info:
|
|||
author: veshraj
|
||||
severity: medium
|
||||
description: |
|
||||
The plugin does not sanitise and escape some parameters before outputting them back in attributes, leading to a Reflected Cross-Site Scripting.
|
||||
The Gwyn's Imagemap Selector Wordpresss plugin does not sanitize the id and class parameters before returning them back in attributes, leading to a Reflected Cross-Site Scripting.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/641be9f6-2f74-4386-b16e-4b9488f0d2a9
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1221
|
||||
classification:
|
||||
cve-id: CVE-2022-1221
|
||||
metadata:
|
||||
verified: true
|
||||
tags: xss,wordpress,wp-plugin,wp,cve,cve2022
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: gogs-login
|
||||
|
||||
info:
|
||||
name: Sign In - Gogs
|
||||
name: Gogs (Go Git Service) - Sign In Page
|
||||
author: dhiyaneshDK
|
||||
severity: info
|
||||
metadata:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: zyxel-vmg1312b10d-login
|
||||
|
||||
info:
|
||||
name: ZYXEL VMG1312-B10D Login Detect
|
||||
name: Zyxel VMG1312-B10D - Login Detection
|
||||
author: princechaddha
|
||||
severity: info
|
||||
metadata:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: zyxel-vsg1432b101-login
|
||||
|
||||
info:
|
||||
name: ZYXEL VSG1432-B101 Login Detect
|
||||
name: Zyxel VSG1432-B101 - Login Detection
|
||||
author: princechaddha
|
||||
severity: info
|
||||
metadata:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: gogs-install-exposure
|
||||
|
||||
info:
|
||||
name: Gogs install exposure
|
||||
name: Gogs (Go Git Service) - Install Exposure
|
||||
author: dhiyaneshDk
|
||||
severity: high
|
||||
tags: gogs,exposure
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: window-name-domxss
|
||||
|
||||
info:
|
||||
name: window.name DOM XSS
|
||||
name: window.name - DOM Cross-Site Scripting
|
||||
author: pdteam
|
||||
severity: medium
|
||||
reference:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: aem-setpreferences-xss
|
||||
|
||||
info:
|
||||
name: AEM setPreferences XSS
|
||||
name: AEM setPreferences - Cross-Site Scripting
|
||||
author: zinminphy0,dhiyaneshDK
|
||||
severity: medium
|
||||
reference:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: akamai-arl-xss
|
||||
|
||||
info:
|
||||
name: Open Akamai ARL XSS
|
||||
name: Open Akamai ARL - Cross-Site Scripting
|
||||
author: pdteam
|
||||
severity: medium
|
||||
reference:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: ampps-dirlisting
|
||||
|
||||
info:
|
||||
name: AMPPS by Softaculous - Directory Listing Enabled
|
||||
name: AMPPS by Softaculous - Directory Listing
|
||||
author: deFr0ggy
|
||||
severity: info
|
||||
tags: panel,ampps,softaculous,misconfig
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: dlink-file-read
|
||||
|
||||
info:
|
||||
name: D-Link Arbitrary File Read
|
||||
name: D-Link - Arbitrary File Retrieval
|
||||
author: dhiyaneshDK
|
||||
severity: high
|
||||
reference:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: moodle-filter-jmol-xss
|
||||
|
||||
info:
|
||||
name: Moodle filter_jmol - XSS
|
||||
name: Moodle filter_jmol - Cross-Site Scripting
|
||||
author: madrobot
|
||||
severity: medium
|
||||
description: Cross-site scripting on Moodle.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: moodle-xss
|
||||
|
||||
info:
|
||||
name: Moodle redirect_uri Reflected XSS
|
||||
name: Moodle redirect_uri - Cross-Site Scripting
|
||||
author: hackergautam
|
||||
severity: medium
|
||||
description: XSS in moodle via redirect_uri parameter
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: netsweeper-rxss
|
||||
|
||||
info:
|
||||
name: Netsweeper 4.0.9 - Cross Site Scripting Injection
|
||||
name: Netsweeper 4.0.9 - Cross-Site Scripting
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
reference:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: oracle-ebs-xss
|
||||
|
||||
info:
|
||||
name: Oracle EBS XSS
|
||||
name: Oracle EBS - Cross-Site Scripting
|
||||
author: dhiyaneshDk
|
||||
severity: medium
|
||||
reference:
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: bems-api-lfi
|
||||
|
||||
info:
|
||||
name: Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download
|
||||
name: Longjing Technology BEMS API 1.21 - Arbitrary File Retrieval
|
||||
author: gy741
|
||||
severity: high
|
||||
description: The application suffers from an unauthenticated arbitrary file download vulnerability. Input passed through the fileName parameter through downloads endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks.
|
||||
description: The application suffers from an unauthenticated arbitrary file retrieval vulnerability. Input passed through the fileName parameter through the downloads API endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks.
|
||||
reference:
|
||||
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php
|
||||
tags: lfi
|
||||
|
|
|
@ -1,14 +1,16 @@
|
|||
id: ecsimagingpacs-rce
|
||||
|
||||
info:
|
||||
name: ECSIMAGING PACS 6.21.5 - Remote code execution
|
||||
name: ECSIMAGING PACS <= 6.21.5 - Command Execution and Local File Inclusion
|
||||
author: ritikchaddha
|
||||
severity: critical
|
||||
description: ECSIMAGING PACS Application in 6.21.5 and bellow suffers from a OS Injection vulnerability. The parameter `file` on the webpage /showfile.php can be exploited with simple OS injection to gain root access. www-data user has sudo NOPASSWD access
|
||||
description: ECSIMAGING PACS Application 6.21.5 and below suffer from a command injection vulnerability and a local file include vulnerability. The 'file' parameter on the page /showfile.php can be exploited to perform command execution or local file inclusion. Often on ECSIMAGING PACS, the www-data user has sudo NOPASSWD access.
|
||||
reference: https://www.exploit-db.com/exploits/49388
|
||||
metadata:
|
||||
verified: false
|
||||
tags: ecsimagingpacs,rce
|
||||
classification:
|
||||
cwe-id: CWE-78
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -24,3 +26,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by cs 05/12/2022
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: eyelock-nano-lfd
|
||||
|
||||
info:
|
||||
name: EyeLock nano NXT 3.5 - Local File Disclosure
|
||||
name: EyeLock nano NXT 3.5 - Arbitrary File Retrieval
|
||||
author: geeknik
|
||||
severity: high
|
||||
description: EyeLock nano NXT suffers from a file disclosure vulnerability when input passed through the 'path' parameter to 'logdownload.php' script is not properly verified before being used to read files. This
|
||||
description: EyeLock nano NXT suffers from a file retrieval vulnerability when input passed through the 'path' parameter to 'logdownload.php' script is not properly verified before being used to read files. This
|
||||
can be exploited to disclose contents of files from local resources.
|
||||
reference:
|
||||
- https://www.zeroscience.mk/codes/eyelock_lfd.txt
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: java-melody-xss
|
||||
|
||||
info:
|
||||
name: JavaMelody Monitoring XSS
|
||||
name: JavaMelody Monitoring - Cross-Site Scripting
|
||||
author: kailashbohara
|
||||
severity: medium
|
||||
description: Reflected cross site scripting (XSS) in JavaMelody monitoring.
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: kafdrop-xss
|
||||
|
||||
info:
|
||||
name: KafDrop XSS
|
||||
name: KafDrop - Cross-Site Scripting
|
||||
author: dhiyaneshDk
|
||||
severity: medium
|
||||
description: A vulnerability in KafDrop allows remote unauthenticated attackers to inject arbitrary HTML and/or Javascript into the response returned by the server.
|
||||
description: A vulnerability in KafDrop allows remote unauthenticated attackers to inject arbitrary HTML and/or JavaScript into the response returned by the server.
|
||||
reference:
|
||||
- https://github.com/HomeAdvisor/Kafdrop/issues/12
|
||||
tags: kafdrop,xss
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: kyocera-m2035dn-lfi
|
||||
|
||||
info:
|
||||
name: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated)
|
||||
name: Kyocera Command Center RX ECOSYS M2035dn - Arbitrary File Retrieval
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated)
|
||||
description: Kyocera Command Center RX ECOSYS M2035dn - Unauthenticated arbitrary file retrieval.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/50738
|
||||
- https://www.kyoceradocumentsolutions.com/asia/en/products/business-application/command-center-rx.html
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: microstrategy-ssrf
|
||||
|
||||
info:
|
||||
name: MicroStrategy tinyurl - BSSRF
|
||||
name: MicroStrategy tinyurl - Server-Side Request Forgery (Blind)
|
||||
author: organiccrap
|
||||
severity: high
|
||||
description: Blind server-side request forgery vulnerability on MicroStrategy URL shortener.
|
||||
description: Blind server-side (SSRF) request forgery vulnerability on MicroStrategy URL shortener.
|
||||
reference:
|
||||
- https://medium.com/@win3zz/how-i-made-31500-by-submitting-a-bug-to-facebook-d31bb046e204
|
||||
tags: microstrategy,ssrf
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: nginx-module-vts-xss
|
||||
|
||||
info:
|
||||
name: Nginx virtual host traffic status module XSS
|
||||
name: Nginx Virtual Host Traffic Status Module - Cross-Site Scripting
|
||||
author: madrobot
|
||||
severity: medium
|
||||
tags: nginx,xss,status
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue