Dashboard Content Enhancements (#4426)

Dashboard Content Enhancements
patch-1
MostInterestingBotInTheWorld 2022-05-18 16:58:07 -04:00 committed by GitHub
parent bf7d533b26
commit 5eb6b79331
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
42 changed files with 176 additions and 91 deletions

@ -1,13 +1,19 @@
id: CNVD-2020-46552
info:
name: Sangfor EDR Tool - Remote Code Execution
name: Sangfor EDR - Remote Code Execution
author: ritikchaddha
severity: critical
description: There is a RCE vulnerability in Sangfor Endpoint Monitoring and Response Platform (EDR). An attacker could exploit this vulnerability by constructing an HTTP request, and an attacker who successfully exploited this vulnerability could execute arbitrary commands on the target host.
description: Sangfor Endpoint Monitoring and Response Platform (EDR) contains a remote code execution vulnerability. An attacker could exploit this vulnerability by constructing an HTTP request which could execute arbitrary commands on the target host.
reference:
- https://www.modb.pro/db/144475
- https://blog.csdn.net/bigblue00/article/details/108434009
- https://cn-sec.com/archives/721509.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cve-id:
cwe-id: CWE-77
tags: cnvd,cnvd2020,sangfor,rce
requests:
@ -23,3 +29,5 @@ requests:
- 'contains(body, "Log Helper")'
- 'status_code == 200'
condition: and
# Enhanced by mp on 2022/05/18
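Review bot: the new `classification` block leaves `cve-id:` with no value, which YAML parses as null; since this is a CNVD-only entry, drop the key rather than shipping an empty field. The vector also uses `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H` while every other template touched in this commit uses `CVSS:3.1/...`; use 3.1 unless the 10.0 score was explicitly computed under 3.0.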

@ -4,12 +4,12 @@ info:
name: Tiki Wiki CMS Groupware 5.2 - Local File Inclusion
author: 0x_akoko
severity: critical
description: Tiki Wiki CMS Groupware 5.2 has Local File Inclusion
description: Tiki Wiki CMS Groupware 5.2 is susceptible to a local file inclusion vulnerability.
reference:
- https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-lfi.txt
- https://www.cvedetails.com/cve/CVE-2010-4239
- https://www.openwall.com/lists/oss-security/2010/11/22/9
- https://security-tracker.debian.org/tracker/CVE-2010-4239
- https://nvd.nist.gov/vuln/detail/CVE-2010-4239
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -30,3 +30,5 @@ requests:
- "fonts"
- "extensions"
condition: and
# Enhanced by mp on 2022/05/18

@ -4,7 +4,7 @@ info:
name: NCBI ToolBox - Directory Traversal
author: 0x_Akoko
severity: critical
description: A path traversal vulnerability exists in viewcgi.c in the 2.0.7 through 2.2.26 legacy versions of the NCBI ToolBox, which may result in reading of arbitrary files (i.e., significant information disclosure) or file deletion via the nph-viewgif.cgi query string.
description: NCBI ToolBox 2.0.7 through 2.2.26 legacy versions contain a path traversal vulnerability via viewcgi.cgi which may result in reading of arbitrary files (i.e., significant information disclosure) or file deletion via the nph-viewgif.cgi query string.
reference:
- https://github.com/grymer/CVE/blob/master/CVE-2018-16716.md
- https://nvd.nist.gov/vuln/detail/CVE-2018-16716
@ -29,3 +29,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/18
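Review bot: the rewritten description changes the file name from `viewcgi.c` to `viewcgi.cgi`; the original text named the C source file (`viewcgi.c`) and the CGI involved is `nph-viewgif.cgi`, so `viewcgi.cgi` looks like an introduced typo. Suggest `... contain a path traversal vulnerability in viewcgi.c which may result in reading of arbitrary files ...`.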

@ -6,11 +6,10 @@ info:
severity: critical
description: Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation when evaluated on raw user input in tag attributes, which may lead to remote code execution.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-0230
- https://cwiki.apache.org/confluence/display/WW/S2-059
- https://www.tenable.com/blog/cve-2019-0230-apache-struts-potential-remote-code-execution-vulnerability
- https://cwiki.apache.org/confluence/display/ww/s2-059
- http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-0230
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
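Review bot: the reference edit replaces `https://cwiki.apache.org/confluence/display/WW/S2-059` with the lowercase `https://cwiki.apache.org/confluence/display/ww/s2-059` and drops the Tenable write-up; keep the original capitalization unless the lowercase URL has been verified to resolve, and keep the Tenable link, since removing a reference is not a content enhancement.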

@ -6,6 +6,7 @@ info:
severity: critical
description: D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565 contain an unauthenticated remote code execution vulnerability. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these issues also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-16920
- https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r
- https://fortiguard.com/zeroday/FG-VD-19-117
- https://www.seebug.org/vuldb/ssvid-98079
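Review bot: the description line in this hunk's context still reads `could lead to common injection` and `these issues also affected; DIR-855L`; since this commit is editing descriptions, fix `common injection` to `command injection` and replace the stray semicolon with a colon while here.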

@ -7,10 +7,10 @@ info:
description: |
WordPress Contact Form 7 before 1.3.3.3 allows unrestricted file upload and remote code execution by setting supported_type to php% and uploading a .php% file.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-12800
- https://github.com/amartinsec/CVE-2020-12800
- https://packetstormsecurity.com/files/157951/WordPress-Drag-And-Drop-Multi-File-Uploader-Remote-Code-Execution.html
- https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/#developers
- https://nvd.nist.gov/vuln/detail/CVE-2020-12800
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
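Review bot: the unchanged description opens with `WordPress Contact Form 7 before 1.3.3.3`, but the references in this hunk (`WordPress-Drag-And-Drop-Multi-File-Uploader-Remote-Code-Execution.html`, `wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7`) identify the affected component as the Drag and Drop Multiple File Upload add-on for Contact Form 7, not Contact Form 7 itself; reword to `WordPress Drag and Drop Multiple File Upload - Contact Form 7 plugin before 1.3.3.3 allows ...`.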

@ -12,9 +12,9 @@ info:
reference:
- https://securityboulevard.com/2020/11/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/
- https://twitter.com/chybeta/status/1328912309440311297
- https://nvd.nist.gov/vuln/detail/CVE-2020-13942
- http://unomi.apache.org./security/cve-2020-13942.txt
- https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118@%3Cusers.unomi.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2020-13942
remediation: Apache Unomi users should upgrade to 1.5.2 or later.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
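Review bot: the added reference `http://unomi.apache.org./security/cve-2020-13942.txt` has a trailing dot in the hostname (`unomi.apache.org.`); a trailing dot is technically a valid fully-qualified name, but it is almost certainly a typo here and some clients and link checkers handle it badly, so use `https://unomi.apache.org/security/cve-2020-13942.txt`.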

@ -1,13 +1,14 @@
id: CVE-2021-25281
info:
name: SaltStack wheel_async unauth access
name: SaltStack Salt <3002.5 - Auth Bypass
author: madrobot
severity: critical
description: The SaltAPI does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
description: SaltStack Salt before 3002.5 does not honor eauth credentials for the wheel_async client, allowing attackers to remotely run any wheel modules on the master.
reference:
- http://hackdig.com/02/hack-283902.htm
- https://dozer.nz/posts/saltapi-vulns
- https://nvd.nist.gov/vuln/detail/CVE-2021-25281
- https://github.com/saltstack/salt/releases
- https://www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21/
classification:
@ -41,3 +42,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/17
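Review bot: the new name `SaltStack Salt <3002.5 - Auth Bypass` abbreviates the vulnerability class while the other renames in this commit spell it out (`Pega Infinity - Authentication Bypass`, `Nacos <1.4.1 - Authentication Bypass`); use `Authentication Bypass` for consistency.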

@ -1,13 +1,10 @@
id: CVE-2021-26084
info:
name: Confluence Server OGNL injection - RCE
name: Confluence Server - Remote Code Execution
author: dhiyaneshDk,philippedelteil
severity: critical
description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary
code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled.
To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from
version 7.12.0 before 7.12.5.
description: Confluence Server and Data Center contain an OGNL injection vulnerability that could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled. To check whether this is enabled go to COG > User Management > User Signup Options.
reference:
- https://jira.atlassian.com/browse/CONFSERVER-67940
- https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-26084
@ -58,3 +55,5 @@ requests:
part: body
words:
- 'value="aaaa{140592=null}'
# Enhanced by mp on 2022/05/17
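Review bot: the new name `Confluence Server - Remote Code Execution` drops both the vulnerability class and the Data Center product that the new description explicitly covers (`Confluence Server and Data Center contain an OGNL injection vulnerability`); suggest `Confluence Server and Data Center - OGNL Injection Remote Code Execution` so the title matches the description.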

@ -1,7 +1,7 @@
id: CVE-2021-26295
info:
name: Apache OFBiz RMI Deserialization - Remote Code Execution
name: Apache OFBiz <17.12.06 - Arbitrary Code Execution
author: madrobot
severity: critical
description: |
@ -11,6 +11,8 @@ info:
- https://packetstormsecurity.com/files/162104/Apache-OFBiz-SOAP-Java-Deserialization.html
- https://github.com/zhzyker/exphub/tree/master/ofbiz
- https://lists.apache.org/thread.html/r3c1802eaf34aa78a61b4e8e044c214bc94accbd28a11f3a276586a31%40%3Cuser.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r6e4579c4ebf7efeb462962e359501c6ca4045687f12212551df2d607@%3Cnotifications.ofbiz.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2021-26295
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -51,8 +53,11 @@ requests:
part: body
words:
- "errorMessage"
condition: and
- type: word
part: header
words:
- "OFBiz.Visitor="
- "OFBiz.Visitor="
# Enhanced by mp on 2022/05/17
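Review bot: the rename to `Apache OFBiz <17.12.06 - Arbitrary Code Execution` uses a different term from the rest of this commit, which standardizes on `Remote Code Execution`, and drops the deserialization vector the references still name (`Apache-OFBiz-SOAP-Java-Deserialization.html`); suggest `Apache OFBiz <17.12.06 - Deserialization Remote Code Execution`. The duplicated `- "OFBiz.Visitor="` lines indicate the matcher change is indentation only, which is fine.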

@ -1,13 +1,14 @@
id: CVE-2021-27132
info:
name: CRLF Injection - Sercomm VD625
name: Sercomm VD625 Smart Modems - CRLF Injection
author: geeknik
severity: critical
description: Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT_2.1.0 are vulnerable to CRLF Injection via the Content-Disposition header - https://cybertuz.com/blog/post/crlf-injection-CVE-2021-27132
description: Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT_2.1.0 are vulnerable to Carriage Return Line Feed (CRLF) injection via the Content-Disposition header.
reference:
- https://cybertuz.com/blog/post/crlf-injection-CVE-2021-27132
- http://sercomm.com
- https://nvd.nist.gov/vuln/detail/CVE-2021-27132
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -35,3 +36,5 @@ requests:
- "X-XSS-Protection:0"
part: header
condition: and
# Enhanced by mp on 2022/05/17

@ -1,13 +1,13 @@
id: CVE-2021-27561
info:
name: YeaLink DM PreAuth RCE
name: YeaLink DM 3.6.0.20 - Remote Command Injection
author: shifacyclewala,hackergautam
severity: critical
description: A malicious actor can trigger Unauthenticated Remote Code Execution
description: Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.
reference:
- https://ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/
- https://ssd-disclosure.com/?p=4688
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27561
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -43,3 +43,5 @@ requests:
- type: regex
regex:
- "(u|g)id=.*"
# Enhanced by mp on 2022/05/17
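Review bot: the reference `https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27561` is missing the `CVE-` prefix in the `name` parameter (compare `cvename.cgi?name=CVE-2021-33221` elsewhere in this commit); use `name=CVE-2021-27561`. The new name also spells the vendor `YeaLink` while the new description uses `Yealink`; pick one (the advisory URL uses `yealink`).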

@ -1,10 +1,10 @@
id: CVE-2021-27651
info:
name: Pega Infinity Authentication bypass
name: Pega Infinity - Authentication Bypass
author: idealphase
severity: critical
description: In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.
description: Pega Infinity versions 8.2.1 through 8.5.2 contain an authentication bypass vulnerability because the password reset functionality for local accounts can be used to bypass local authentication checks.
reference:
- https://github.com/samwcyo/CVE-2021-27651-PoC/blob/main/RCE.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-27651
@ -44,4 +44,6 @@ requests:
- type: regex
regex:
- 'Pega 8\.(?:2\.[1-9]|3\.[0-9]|4\.[0-9]|5\.[0-2])'
part: body
part: body
# Enhanced by mp on 2022/05/17
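Review bot: the description states the affected range `8.2.1 through 8.5.2`, and the sibling renames in this commit encode the range in the name (`Nacos <1.4.1`, `Websvn <2.6.1`), but the new name is just `Pega Infinity - Authentication Bypass`; suggest `Pega Infinity 8.2.1-8.5.2 - Authentication Bypass` so the range the `Pega 8\.(?:2\.[1-9]|3\.[0-9]|4\.[0-9]|5\.[0-2])` matcher checks is visible from the title.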

@ -1,11 +1,11 @@
id: CVE-2021-27850
info:
name: Apache Tapestry - Arbitrary class download
name: Apache Tapestry - Remote Code Execution
author: pdteam
severity: critical
description: |
A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL.
Apache Tapestry contains a critical unauthenticated remote code execution vulnerability. Affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. Note that this vulnerability is a bypass of the fix for CVE-2019-0195. Before that fix it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-27850
- https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E
@ -56,3 +56,5 @@ requests:
- 'webtools'
part: body
condition: and
# Enhanced by mp on 2022/05/17
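Review bot: the rename from `Arbitrary class download` to `Remote Code Execution` overstates what the template verifies; the description itself says the fix bypass lets one `download arbitrary class files from the classpath`, and the matcher in this hunk only checks for `'webtools'` in the body, which confirms a class download rather than code execution. Keep the checked vulnerability class in the name, e.g. `Apache Tapestry - Arbitrary Class Download (RCE)`.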

@ -1,10 +1,11 @@
id: CVE-2021-27905
info:
name: Apache Solr <= 8.8.1 SSRF
name: Apache Solr <=8.8.1 - Server-Side Request Forgery
author: hackergautam
severity: critical
description: The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
description: Apache Solr versions 8.8.1 and prior contain a server-side request forgery vulnerability. The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter.
remediation: This issue is resolved in Apache Solr 8.8.2 and later.
reference:
- https://www.anquanke.com/post/id/238201
- https://ubuntu.com/security/CVE-2021-27905
@ -43,4 +44,6 @@ requests:
- type: word
words:
- '<str name="status">OK</str>'
part: body
part: body
# Enhanced by mp on 2022/05/17
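Review bot: dropping the sentence `Prior to this bug getting fixed, it did not.` leaves the new description ending with `Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter.`, which now reads as advice rather than a statement of the flaw; add `Versions before 8.8.2 did not perform this check.` (and `a SSRF` should be `an SSRF`).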

@ -1,11 +1,10 @@
id: CVE-2021-27931
info:
name: LumisXP Blind XXE
name: LumisXP <10.0.0 - Blind XML External Entity Attack
author: alph4byt3
severity: critical
description: LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes
such as reading local server files or denial of service.
description: LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XML external entity (XXE) attacks via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service.
reference:
- https://github.com/sl4cky/LumisXP-XXE---POC/blob/main/poc.txt
- https://nvd.nist.gov/vuln/detail/CVE-2021-27931
@ -36,3 +35,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/05/17

@ -1,15 +1,14 @@
id: CVE-2021-28918
info:
name: Netmask NPM Package SSRF
name: Netmask NPM Package - Server-Side Request Forgery
author: johnjhacking
severity: critical
description: Improper input validation of octal strings in netmask npm package allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
description: Netmask NPM Package is susceptible to server-side request forgery because of improper input validation of octal strings in netmask npm package. This allows unauthenticated remote attackers to perform indeterminate SSRF, remote file inclusion, and local file inclusion attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
reference:
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-28918
- https://github.com/advisories/GHSA-pch5-whg9-qr2r
- https://github.com/rs/node-netmask
- https://nvd.nist.gov/vuln/detail/CVE-2021-28918
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.1
@ -37,3 +36,5 @@ requests:
- type: regex
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/05/17
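Review bot: the new description names the package twice in one clause (`Netmask NPM Package is susceptible to server-side request forgery because of improper input validation of octal strings in netmask npm package`); suggest `The netmask npm package is susceptible to server-side request forgery because of improper input validation of octal strings.`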

@ -1,10 +1,10 @@
id: CVE-2021-29203
info:
name: HPE Edgeline Infrastructure Manager v1.21 Authentication Bypass
name: HPE Edgeline Infrastructure Manager <1.22 - Authentication Bypass
author: madrobot
severity: critical
description: A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access, causing denial of service, and changing the configuration. HPE has released a software update to resolve the vulnerability in the HPE Edgeline Infrastructure Manager.
description: HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22 contains an authentication bypass vulnerability which could be remotely exploited to bypass remote authentication and possibly lead to execution of arbitrary commands, gaining privileged access, causing denial of service, and changing the configuration.
reference:
- https://www.tenable.com/security/research/tra-2021-15
- https://nvd.nist.gov/vuln/detail/CVE-2021-29203
@ -52,3 +52,5 @@ requests:
part: body
words:
- "Base.1.0.Created"
# Enhanced by mp on 2022/05/17
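Review bot: the sentence removed from the description, `HPE has released a software update to resolve the vulnerability in the HPE Edgeline Infrastructure Manager.`, is remediation information; rather than dropping it, move it into a `remediation:` field as this commit does for Solr (`remediation: This issue is resolved in Apache Solr 8.8.2 and later.`), e.g. `remediation: Upgrade to HPE Edgeline Infrastructure Manager 1.22 or later.`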

@ -1,7 +1,7 @@
id: CVE-2021-29441
info:
name: Nacos prior to 1.4.1 Authentication Bypass
name: Nacos <1.4.1 - Authentication Bypass
author: dwisiswant0
severity: critical
description: |
@ -55,4 +55,6 @@ requests:
- type: word
words:
- "application/json"
part: header
part: header
# Enhanced by mp on 2022/05/17

@ -1,13 +1,14 @@
id: CVE-2021-30461
info:
name: VoipMonitor Pre-Auth-RCE
name: VoipMonitor <24.61 - Remote Code Execution
author: shifacyclewala,hackergautam
severity: critical
description: Use of user supplied data, arriving via web interface allows remote unauthenticated users to trigger a remote PHP code execution vulnerability in VoIPmonitor.
description: |
VoipMonitor prior to 24.61 is susceptible to remote code execution vulnerabilities because of its use of user supplied data via its web interface, allowing remote unauthenticated users to trigger a remote PHP code execution vulnerability.
reference:
- https://ssd-disclosure.com/ssd-advisory-voipmonitor-unauth-rce/
- https://ssd-disclosure.com/ssd-advisory--voipmonitor-unauth-rce
- https://nvd.nist.gov/vuln/detail/CVE-2021-30461
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -39,3 +40,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/17
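Review bot: the reference URL was changed from `https://ssd-disclosure.com/ssd-advisory-voipmonitor-unauth-rce/` to `https://ssd-disclosure.com/ssd-advisory--voipmonitor-unauth-rce`, introducing a double hyphen; verify this is the live slug and not a typo. The new description is also circular (`susceptible to remote code execution vulnerabilities ... allowing remote unauthenticated users to trigger a remote PHP code execution vulnerability`); suggest `VoipMonitor prior to 24.61 allows remote unauthenticated users to execute arbitrary PHP code via user supplied data passed through its web interface.`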

@ -1,14 +1,14 @@
id: CVE-2021-3129
info:
name: Laravel <= v8.4.2 Debug Mode - Remote Code Execution
name: Laravel with Ignition <= v8.4.2 Debug Mode - Remote Code Execution
author: z3bd,pdteam
severity: critical
description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
description: Laravel version 8.4.2 and before with Ignition before 2.5.2 allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
reference:
- https://www.ambionics.io/blog/laravel-debug-rce
- https://github.com/vulhub/vulhub/tree/master/laravel/CVE-2021-3129
- https://github.com/facade/ignition/pull/334
- https://nvd.nist.gov/vuln/detail/CVE-2021-3129
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -84,3 +84,5 @@ requests:
- type: regex
regex:
- "(u|g)id=.*"
# Enhanced by mp on 2022/05/17
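Review bot: the new description is internally inconsistent about the boundary version: it opens with `Laravel version 8.4.2 and before` but ends with `This is exploitable on sites using debug mode with Laravel before 8.4.2.`, and the new name says `<= v8.4.2`. Settle on one reading and use it in both the name and the description.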

@ -1,10 +1,11 @@
id: CVE-2021-31856
info:
name: Layer5 Meshery 0.5.2 SQLi
name: Layer5 Meshery 0.5.2 - SQL Injection
author: princechaddha
severity: critical
description: A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go).
description: Layer5 Meshery 0.5.2 contains a SQL injection vulnerability in the REST API that allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns
in models/meshery_pattern_persister.go).
reference:
- https://github.com/ssst0n3/CVE-2021-31856
- https://nvd.nist.gov/vuln/detail/CVE-2021-31856
@ -33,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/17
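Review bot: the new description is a plain scalar wrapped mid-sentence across two lines (`... (order parameter in GetMesheryPatterns` / `in models/meshery_pattern_persister.go).`); YAML folds this into one string only if the continuation is indented consistently, and every other template in this commit collapses descriptions onto one line. Put it on one line, or use `description: |` as the Nacos and OFBiz templates do.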

@ -1,10 +1,10 @@
id: CVE-2021-32172
info:
name: Maian Cart 3.8 preauth RCE
name: Maian Cart <=3.8 - Remote Code Execution
author: pdteam
severity: critical
description: A severe vulnerability has been kindly reported to me by security advisor DreyAnd. The issue concerns the elFinder file manager plugin in Maian Cart and it affects all versions from 3.0 to 3.8.
description: Maian Cart 3.0 to 3.8 via the elFinder file manager plugin contains a remote code execution vulnerability.
reference:
- https://dreyand.github.io/maian-cart-rce/
- https://github.com/DreyAnd/maian-cart-rce
@ -53,3 +53,5 @@ requests:
- 'contains(body_3, "{{randstr_1}}")'
- "status_code_3 == 200"
condition: and
# Enhanced by mp on 2022/05/18
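Review bot: the new description `Maian Cart 3.0 to 3.8 via the elFinder file manager plugin contains a remote code execution vulnerability.` misplaces the `via` clause; suggest `Maian Cart 3.0 to 3.8 contains a remote code execution vulnerability via the elFinder file manager plugin.`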

@ -1,15 +1,15 @@
id: CVE-2021-32305
info:
name: Websvn 2.6.0 - Remote Code Execution (Unauthenticated)
name: Websvn <2.6.1 - Remote Code Execution
author: gy741
severity: critical
description: WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-32305
- https://packetstormsecurity.com/files/163225/Websvn-2.6.0-Remote-Code-Execution.html
- https://github.com/websvnphp/websvn/pull/142
- http://packetstormsecurity.com/files/163225/Websvn-2.6.0-Remote-Code-Execution.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-32305
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -30,3 +30,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/05/18
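Review bot: the Packet Storm reference was re-added as `http://packetstormsecurity.com/files/163225/Websvn-2.6.0-Remote-Code-Execution.html` in place of the `https://` link that was removed; keep `https://`.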

@ -1,14 +1,15 @@
id: CVE-2021-33221
info:
name: CommScope Ruckus IoT Controller Unauthenticated Service Details
name: CommScope Ruckus IoT Controller - Information Disclosure
author: geeknik
severity: critical
description: A 'service details' API endpoint discloses system and configuration information to an attacker without requiring authentication. This information includes DNS and NTP servers that the devices use for time and host resolution. It also includes the internal hostname and IoT Controller version. A fully configured device in production may leak other, more sensitive information (API keys and tokens).
description: CommScope Ruckus IoT Controller is susceptible to information disclosure vulnerabilities because a 'service details' API endpoint discloses system and configuration information to an attacker without requiring authentication. This information includes DNS and NTP servers that the devices use for time and host resolution. It also includes the internal hostname and IoT Controller version. A fully configured device in production may leak other, more sensitive information (API keys and tokens).
reference:
- https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf
- http://seclists.org/fulldisclosure/2021/May/72
- https://korelogic.com/advisories.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33221
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -38,3 +39,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/18
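Review bot: the description describes an unauthenticated information disclosure only, yet the context lines carry `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` and `cvss-score: 9.8`, which assert high integrity and availability impact; verify the vector against the NVD entry before shipping the enhanced description alongside it.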

@ -1,16 +1,16 @@
id: CVE-2021-33357
info:
name: RaspAP <= 2.6.5 - Remote Code Execution
name: RaspAP <=2.6.5 - Remote Command Injection
author: pikpikcu,pdteam
severity: critical
description: |
RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands.
RaspAP 2.6 to 2.6.5 allows unauthenticated attackers to execute arbitrary OS commands via the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";".
reference:
- https://checkmarx.com/blog/chained-raspap-vulnerabilities-grant-root-level-access/
- https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf
- https://nvd.nist.gov/vuln/detail/CVE-2021-33357
- https://github.com/RaspAP/raspap-webgui
- https://nvd.nist.gov/vuln/detail/CVE-2021-33357
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -39,4 +39,6 @@ requests:
part: interactsh_request
group: 1
regex:
- 'GET \/([a-z-]+) HTTP'
- 'GET \/([a-z-]+) HTTP'
# Enhanced by mp on 2022/05/18

@ -1,15 +1,16 @@
id: CVE-2021-33564
info:
name: Argument Injection in Ruby Dragonfly
name: Ruby Dragonfly <1.4.0 - Remote Code Execution
author: 0xsapra
severity: critical
description: An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.
description: Ruby Dragonfly before 1.4.0 contains an argument injection vulnerability that allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.
reference:
- https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/
- https://github.com/markevans/dragonfly/compare/v1.3.0...v1.4.0
- https://github.com/markevans/dragonfly/commit/25399297bb457f7fcf8e3f91e85945b255b111b5
- https://github.com/mlr0p/CVE-2021-33564
- https://nvd.nist.gov/vuln/detail/CVE-2021-33564
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -31,3 +32,5 @@ requests:
- type: regex
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/05/18
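Review bot: the rename to `Ruby Dragonfly <1.4.0 - Remote Code Execution` goes beyond what the template checks: the description says the flaw is an argument injection that allows reading and writing arbitrary files and only `may lead to code execution`, and the matcher `"root:.*:0:0:"` confirms a file read. Suggest `Ruby Dragonfly <1.4.0 - Argument Injection` or `Ruby Dragonfly <1.4.0 - Arbitrary File Read`.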

@ -1,13 +1,11 @@
id: CVE-2021-3378
info:
name: FortiLogger Unauthenticated Arbitrary File Upload
name: FortiLogger 4.4.2.2 - Arbitrary File Upload
author: dwisiswant0
severity: critical
description: |
This template detects an unauthenticated arbitrary file upload
via insecure POST request. It has been tested on version 4.4.2.2 in
Windows 10 Enterprise.
FortiLogger 4.4.2.2 is affected by arbitrary file upload issues. Attackers can send a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then Assets/temp/hotspot/img/logohotspot.asp.
reference:
- https://erberkan.github.io/2021/cve-2021-3378/
- https://github.com/erberkan/fortilogger_arbitrary_fileupload
@ -58,4 +56,6 @@ requests:
- "text/plain"
- "ASP.NET"
condition: and
part: header
part: header
# Enhanced by mp on 2022/05/18

@ -1,7 +1,7 @@
id: CVE-2021-36356
info:
name: Kramer VIAware RCE
name: Kramer VIAware - Remote Code Execution
author: gy741
severity: critical
description: KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames.
@ -35,3 +35,5 @@ requests:
part: interactsh_protocol
words:
- "http"
# Enhanced by mp on 2022/05/18

@ -10,6 +10,7 @@ info:
- https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/
- https://github.com/horizon3ai/CVE-2021-44077
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/manageengine_servicedesk_plus_cve_2021_44077.rb
- https://nvd.nist.gov/vuln/detail/CVE-2021-44077
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -30,4 +31,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/05/18

@ -4,17 +4,19 @@ info:
name: Zoho ManageEngine Desktop Central - Remote Code Execution
author: Adam Crosser
severity: critical
description: Zoho Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server.
description: Zoho ManageEngine Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server.
reference:
- https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/cisa-adds-13-known-exploited-vulnerabilities-catalog
- https://srcincite.io/blog/2022/01/20/zohowned-a-critical-authentication-bypass-on-zoho-manageengine-desktop-central.html
- https://attackerkb.com/topics/rJw4DFI2RQ/cve-2021-44515/rapid7-analysis
- https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp
- https://nvd.nist.gov/vuln/detail/CVE-2021-44515
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-44515
cwe-id: CWE-287
remediation: For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.
tags: cve,cve2021,cisa,zoho,rce,manageengine
requests:
@ -37,4 +39,6 @@ requests:
- type: word
part: header
words:
- "UEMJSESSIONID="
- "UEMJSESSIONID="
# Enhanced by mp on 2022/05/18
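Review bot: the new remediation covers both Enterprise and MSP builds, but the description still says the attacker could execute code `in the Desktop Central MSP server` only; align it with the pitstop reference title (`...fixed-in-desktop-central-and-desktop-central-msp`), e.g. `... execute arbitrary code in the Desktop Central or Desktop Central MSP server.`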

@ -1,15 +1,15 @@
id: CVE-2021-46422
info:
name: SDT-CW3B1 1.1.0 - OS command injection
name: SDT-CW3B1 1.1.0 - OS Command Injection
author: badboycxcc
severity: critical
description: |
Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication.
reference:
- https://www.exploit-db.com/exploits/50936
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46422
- https://drive.google.com/drive/folders/1YJlVlb4SlTEGONzIjiMwd2P7ucP_Pm7T?usp=sharing
- https://drive.google.com/drive/folders/1YJlVlb4SlTEGONzIjiMwd2P7ucP_Pm7T?
- https://nvd.nist.gov/vuln/detail/CVE-2021-46422
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
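Review bot: The edited Google Drive reference now ends in a dangling `?` (`https://drive.google.com/drive/folders/1YJlVlb4SlTEGONzIjiMwd2P7ucP_Pm7T?`); dropping the `?usp=sharing` sharing suffix is fine, but the `?` should be removed with it so the URL is clean.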
@ -32,3 +32,5 @@ requests:
part: body
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/05/18

View File

@ -1,15 +1,15 @@
id: CVE-2021-46424
info:
name: TLR-2005KSH - Arbitrary File Delete
name: Telesquare TLR-2005KSH 1.0.0 - Arbitrary File Delete
author: gy741
severity: critical
description: Telesquare TLR-2005KSH 1.0.0 is affected by an arbitrary file deletion vulnerability that allows a remote attacker to delete any file, even system internal files, via a DELETE request.
reference:
- https://dl.packetstormsecurity.net/2205-exploits/tlr2005ksh-filedelete.txt
- https://nvd.nist.gov/vuln/detail/CVE-2021-46424
- https://drive.google.com/drive/folders/1_e3eJ8fzhCWnCkoRpbLoyQecuKkPR4OD?usp=sharing
- http://packetstormsecurity.com/files/167127/TLR-2005KSH-Arbitrary-File-Delete.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-46424
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
cvss-score: 9.1
@ -40,3 +40,5 @@ requests:
- type: dsl
dsl:
- "status_code_1 == 200 && status_code_2 == 204 && status_code_3 == 404"
# Enhanced by mp on 2022/05/18

View File

@ -1,16 +1,16 @@
id: CVE-2022-0482
info:
name: Easy!Appointments Broken Access Control
name: Easy!Appointments <1.4.3 - Broken Access Control
author: francescocarlucci,opencirt
severity: critical
description: |
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3.
Easy!Appointments prior to 1.4.3 allows exposure of Private Personal Information to an unauthorized actor via the GitHub repository alextselegidis/easyappointments.
reference:
- https://huntr.dev/bounties/2fe771ef-b615-45ef-9b4d-625978042e26/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0482
- https://github.com/alextselegidis/easyappointments
- https://opencirt.com/hacking/securing-easy-appointments-cve-2022-0482/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0482
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.1
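Review bot: The rewritten description (third line of the `description` block) now reads as if the data is exposed "via the GitHub repository alextselegidis/easyappointments", which changes the meaning: the repository is where the project lives, not the exposure vector. Suggest `Easy!Appointments prior to 1.4.3 (GitHub repository alextselegidis/easyappointments) exposes private personal information to an unauthorized actor.`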
@ -53,3 +53,5 @@ requests:
- '"appointments":'
- '"unavailables":'
condition: and
# Enhanced by mp on 2022/05/18

View File

@ -1,11 +1,11 @@
id: CVE-2022-0540
info:
name: Atlassian Jira Seraph- Authentication Bypass
name: Atlassian Jira Seraph - Authentication Bypass
author: DhiyaneshDK
severity: critical
description: |
A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.
Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.
reference:
- https://blog.viettelcybersecurity.com/cve-2022-0540-authentication-bypass-in-seraph/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0540
@ -34,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/18

View File

@ -1,7 +1,7 @@
id: CVE-2022-0543
info:
name: Redis Sandbox Escape RCE
name: Redis Sandbox Escape - Remote Code Execution
author: dwisiswant0
severity: critical
description: |
@ -9,8 +9,6 @@ info:
vulnerability was introduced by Debian and Ubuntu Redis packages that
insufficiently sanitized the Lua environment. The maintainers failed to
disable the package interface, allowing attackers to load arbitrary libraries.
Taken from rapid7/metasploit-framework#16504.
reference:
- https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce
- https://attackerkb.com/topics/wyA1c1HIC8/cve-2022-0543/rapid7-analysis#rapid7-analysis
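Review bot: Removing `Taken from rapid7/metasploit-framework#16504.` drops the provenance of the description text that is kept just above it. If the wording is still borrowed from that module, keep the attribution, for example as an entry under `reference:` next to the ubercomp and AttackerKB links.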
@ -37,3 +35,5 @@ network:
- type: regex
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/05/18

View File

@ -1,10 +1,10 @@
id: CVE-2022-0591
info:
name: Formcraft3 < 3.8.28 - Unauthenticated SSRF
name: Formcraft3 <3.8.28 - Server-Side Request Forgery
author: Akincibor
severity: critical
description: The plugin does not validate the URL parameter in the formcraft3_get AJAX action, leading to SSRF issues exploitable by unauthenticated users.
description: Formcraft3 before version 3.8.2 does not validate the URL parameter in the formcraft3_get AJAX action, leading to server-side request forgery issues exploitable by unauthenticated users.
reference:
- https://wpscan.com/vulnerability/b5303e63-d640-4178-9237-d0f524b13d47
- https://nvd.nist.gov/vuln/detail/CVE-2022-0591
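Review bot: Version mismatch between `name` and `description`: the title says `<3.8.28` while the new description says `before version 3.8.2`. One of them is a typo; the WPScan reference should settle which, and both fields should carry the same value.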
@ -25,3 +25,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/05/18

View File

@ -1,10 +1,10 @@
id: CVE-2022-1020
info:
name: Woo Product Table < 3.1.2 - Unauthenticated Arbitrary Function Call
name: WordPress WooCommerce <3.1.2 - Arbitrary Function Call
author: Akincibor
severity: critical
description: The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument
description: WordPress WooCommerce plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument.
reference:
- https://wpscan.com/vulnerability/04fe89b3-8ad1-482f-a96d-759d1d3a0dd5
- https://nvd.nist.gov/vuln/detail/CVE-2022-1020
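Review bot: The new `name` and `description` attribute the bug to `WordPress WooCommerce <3.1.2`, but the removed text identified the vulnerable component as the Product Table for WooCommerce (wooproducttable) plugin, and the `wpt_admin_update_notice_option` AJAX action that both versions mention belongs to that plugin, not to WooCommerce itself. Keep the plugin name, e.g. `WordPress Product Table for WooCommerce <3.1.2 - Arbitrary Function Call`, otherwise the template misidentifies the affected product and its version range.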
@ -42,3 +42,5 @@ requests:
group: 1
regex:
- '>PHP Version <\/td><td class="v">([0-9.]+)'
# Enhanced by mp on 2022/05/18

View File

@ -11,6 +11,8 @@ info:
reference:
- https://wpscan.com/vulnerability/faff9484-9fc7-4300-bdad-9cd8a30a9a4e
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1597
classification:
cve-id: CVE-2022-1598
metadata:
verified: true
google-dork: inurl:/wp-content/plugins/wpqa
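Review bot: The added `cve-id: CVE-2022-1598` does not match the reference line directly above it, which points at `CVE-2022-1597`. Check which CVE this template's `id` covers and make the reference list and the classification agree.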

View File

@ -4,7 +4,8 @@ info:
name: Wavlink Wn535g3 - POST XSS
author: For3stCo1d
severity: high
description: WAVLINK WN535 G3 was discovered to contain a cross-site scripting (XSS) vulnerability via the hostname parameter at /cgi-bin/login.cgi.
description: |
WAVLINK WN535 G3 was discovered to contain a cross-site scripting (XSS) vulnerability via the hostname parameter at /cgi-bin/login.cgi.
reference:
- https://github.com/badboycxcc/XSS-CVE-2022-30489
- https://nvd.nist.gov/vuln/detail/CVE-2022-30489
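Review bot: Switching `description` to a block scalar (`|`) for a single-line value adds nothing; other templates in this commit (CVE-2022-0591, CVE-2022-1020) keep one-line descriptions inline. Both forms are valid YAML, so this is style only, but inline is the more consistent choice.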
@ -12,6 +13,8 @@ info:
metadata:
shodan-query: http.title:"Wi-Fi APP Login"
verified: "true"
classification:
cve-id: CVE-2022-30489
tags: xss,cve2022,wavlink,cve,router,iot
requests:
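Review bot: `verified: "true"` is a quoted string, while the wpqa template in this same commit uses the bare boolean `verified: true`; use the boolean so the field parses consistently. Also, the new `classification` block is placed after `metadata` here, whereas in that template it precedes `metadata`; worth settling on one ordering across the repository.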

View File

@ -13,6 +13,8 @@ info:
- https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml
metadata:
shodan-query: title:"USG FLEX 100","USG FLEX 100w","USG FLEX 200","USG FLEX 500","USG FLEX 700","USG FLEX 50","USG FLEX 50w","ATP100","ATP200","ATP500","ATP700"
classification:
cve-id: CVE-2022-30525
tags: rce,zyxel,cve,cve2022,firewall,unauth
requests:

View File

@ -3,11 +3,11 @@ id: yonyou-ufida-nc-workflow
info:
name: Yonyou Ufida NC Security Checks
author: Arm!tage
description: A simple workflow that runs all yonyou ufida nc related nuclei templates on a given target.
description: A simple workflow that runs all Yonyou Network Technology Co. (Ufida) NC related nuclei templates on a given target.
workflows:
- template: technologies/fingerprinthub-web-fingerprints.yaml
matchers:
- name: yonyou-ism
subtemplates:
- tags: yonyou
- tags: yonyou