diff --git a/cnvd/2020/CNVD-2020-46552.yaml b/cnvd/2020/CNVD-2020-46552.yaml index 690f94e80f..02a98ac205 100644 --- a/cnvd/2020/CNVD-2020-46552.yaml +++ b/cnvd/2020/CNVD-2020-46552.yaml @@ -1,13 +1,19 @@ id: CNVD-2020-46552 + info: - name: Sangfor EDR Tool - Remote Code Execution + name: Sangfor EDR - Remote Code Execution author: ritikchaddha severity: critical - description: There is a RCE vulnerability in Sangfor Endpoint Monitoring and Response Platform (EDR). An attacker could exploit this vulnerability by constructing an HTTP request, and an attacker who successfully exploited this vulnerability could execute arbitrary commands on the target host. + description: Sangfor Endpoint Monitoring and Response Platform (EDR) contains a remote code execution vulnerability. An attacker could exploit this vulnerability by constructing an HTTP request which could execute arbitrary commands on the target host. reference: - https://www.modb.pro/db/144475 - https://blog.csdn.net/bigblue00/article/details/108434009 - https://cn-sec.com/archives/721509.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cve-id: + cwe-id: CWE-77 tags: cnvd,cnvd2020,sangfor,rce requests: @@ -23,3 +29,5 @@ requests: - 'contains(body, "Log Helper")' - 'status_code == 200' condition: and + +# Enhanced by mp on 2022/05/18 diff --git a/cves/2010/CVE-2010-4239.yaml b/cves/2010/CVE-2010-4239.yaml index 5018ed8d56..c2b4d8c476 100644 --- a/cves/2010/CVE-2010-4239.yaml +++ b/cves/2010/CVE-2010-4239.yaml 
@@ -4,12 +4,12 @@ info: name: Tiki Wiki CMS Groupware 5.2 - Local File Inclusion author: 0x_akoko severity: critical - description: Tiki Wiki CMS Groupware 5.2 has Local File Inclusion + description: Tiki Wiki CMS Groupware 5.2 is susceptible to a local file inclusion vulnerability. reference: - https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-lfi.txt - - https://www.cvedetails.com/cve/CVE-2010-4239 - https://www.openwall.com/lists/oss-security/2010/11/22/9 - https://security-tracker.debian.org/tracker/CVE-2010-4239 + - https://nvd.nist.gov/vuln/detail/CVE-2010-4239 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -30,3 +30,5 @@ requests: - "fonts" - "extensions" condition: and + +# Enhanced by mp on 2022/05/18 diff --git a/cves/2018/CVE-2018-16716.yaml b/cves/2018/CVE-2018-16716.yaml index 5a027e89ea..b74af567f1 100644 --- a/cves/2018/CVE-2018-16716.yaml +++ b/cves/2018/CVE-2018-16716.yaml @@ -4,7 +4,7 @@ info: name: NCBI ToolBox - Directory Traversal author: 0x_Akoko severity: critical - description: A path traversal vulnerability exists in viewcgi.c in the 2.0.7 through 2.2.26 legacy versions of the NCBI ToolBox, which may result in reading of arbitrary files (i.e., significant information disclosure) or file deletion via the nph-viewgif.cgi query string. + description: NCBI ToolBox 2.0.7 through 2.2.26 legacy versions contain a path traversal vulnerability via viewcgi.cgi which may result in reading of arbitrary files (i.e., significant information disclosure) or file deletion via the nph-viewgif.cgi query string. reference: - https://github.com/grymer/CVE/blob/master/CVE-2018-16716.md - https://nvd.nist.gov/vuln/detail/CVE-2018-16716 @@ -29,3 +29,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/18 diff --git a/cves/2019/CVE-2019-0230.yaml b/cves/2019/CVE-2019-0230.yaml index 0f043c53dd..071708b088 100644 --- a/cves/2019/CVE-2019-0230.yaml +++ b/cves/2019/CVE-2019-0230.yaml 
@@ -6,11 +6,10 @@ info: severity: critical description: Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation when evaluated on raw user input in tag attributes, which may lead to remote code execution. reference: + - https://nvd.nist.gov/vuln/detail/CVE-2019-0230 - https://cwiki.apache.org/confluence/display/WW/S2-059 - https://www.tenable.com/blog/cve-2019-0230-apache-struts-potential-remote-code-execution-vulnerability - - https://cwiki.apache.org/confluence/display/ww/s2-059 - http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html - - https://nvd.nist.gov/vuln/detail/CVE-2019-0230 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 diff --git a/cves/2019/CVE-2019-16920.yaml b/cves/2019/CVE-2019-16920.yaml index 16cdedbd86..72a8c222a8 100644 --- a/cves/2019/CVE-2019-16920.yaml +++ b/cves/2019/CVE-2019-16920.yaml @@ -6,6 +6,7 @@ info: severity: critical description: D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565 contain an unauthenticated remote code execution vulnerability. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these issues also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825. reference: + - https://nvd.nist.gov/vuln/detail/CVE-2019-16920 - https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r - https://fortiguard.com/zeroday/FG-VD-19-117 - https://www.seebug.org/vuldb/ssvid-98079 diff --git a/cves/2020/CVE-2020-12800.yaml b/cves/2020/CVE-2020-12800.yaml index bc29d6d558..78797b30fb 100644 --- a/cves/2020/CVE-2020-12800.yaml +++ b/cves/2020/CVE-2020-12800.yaml 
@@ -7,10 +7,10 @@ info: description: | WordPress Contact Form 7 before 1.3.3.3 allows unrestricted file upload and remote code execution by setting supported_type to php% and uploading a .php% file. reference: + - https://nvd.nist.gov/vuln/detail/CVE-2020-12800 - https://github.com/amartinsec/CVE-2020-12800 - https://packetstormsecurity.com/files/157951/WordPress-Drag-And-Drop-Multi-File-Uploader-Remote-Code-Execution.html - https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/#developers - - https://nvd.nist.gov/vuln/detail/CVE-2020-12800 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 diff --git a/cves/2020/CVE-2020-13942.yaml b/cves/2020/CVE-2020-13942.yaml index 9142e38fd2..c7148c6357 100644 --- a/cves/2020/CVE-2020-13942.yaml +++ b/cves/2020/CVE-2020-13942.yaml @@ -12,9 +12,9 @@ info: reference: - https://securityboulevard.com/2020/11/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/ - https://twitter.com/chybeta/status/1328912309440311297 + - https://nvd.nist.gov/vuln/detail/CVE-2020-13942 - http://unomi.apache.org./security/cve-2020-13942.txt - https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118@%3Cusers.unomi.apache.org%3E - - https://nvd.nist.gov/vuln/detail/CVE-2020-13942 remediation: Apache Unomi users should upgrade to 1.5.2 or later. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H diff --git a/cves/2021/CVE-2021-25281.yaml b/cves/2021/CVE-2021-25281.yaml index c08ebf20ae..8a2c51684d 100644 --- a/cves/2021/CVE-2021-25281.yaml +++ b/cves/2021/CVE-2021-25281.yaml 
@@ -1,13 +1,14 @@ id: CVE-2021-25281 info: - name: SaltStack wheel_async unauth access + name: SaltStack Salt <3002.5 - Auth Bypass author: madrobot severity: critical - description: The SaltAPI does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master. + description: SaltStack Salt before 3002.5 does not honor eauth credentials for the wheel_async client, allowing attackers to remotely run any wheel modules on the master. reference: - http://hackdig.com/02/hack-283902.htm - https://dozer.nz/posts/saltapi-vulns + - https://nvd.nist.gov/vuln/detail/CVE-2021-25281 - https://github.com/saltstack/salt/releases - https://www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21/ classification: @@ -41,3 +42,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/17 diff --git a/cves/2021/CVE-2021-26084.yaml b/cves/2021/CVE-2021-26084.yaml index 961844bbd9..258235b1d3 100644 --- a/cves/2021/CVE-2021-26084.yaml +++ b/cves/2021/CVE-2021-26084.yaml 
@@ -1,13 +1,10 @@ id: CVE-2021-26084 info: - name: Confluence Server OGNL injection - RCE + name: Confluence Server - Remote Code Execution author: dhiyaneshDk,philippedelteil severity: critical - description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary - code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled. - To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from - version 7.12.0 before 7.12.5. + description: Confluence Server and Data Center contain an OGNL injection vulnerability that could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. reference: - https://jira.atlassian.com/browse/CONFSERVER-67940 - https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-26084 @@ -58,3 +55,5 @@ requests: part: body words: - 'value="aaaa{140592=null}' + +# Enhanced by mp on 2022/05/17 diff --git a/cves/2021/CVE-2021-26295.yaml b/cves/2021/CVE-2021-26295.yaml index 7242d4d998..39cc8c8c22 100644 --- a/cves/2021/CVE-2021-26295.yaml +++ b/cves/2021/CVE-2021-26295.yaml 
@@ -1,7 +1,7 @@ id: CVE-2021-26295 info: - name: Apache OFBiz RMI Deserialization - Remote Code Execution + name: Apache OFBiz <17.12.06 - Arbitrary Code Execution author: madrobot severity: critical description: | @@ -11,6 +11,8 @@ info: - https://packetstormsecurity.com/files/162104/Apache-OFBiz-SOAP-Java-Deserialization.html - https://github.com/zhzyker/exphub/tree/master/ofbiz - https://lists.apache.org/thread.html/r3c1802eaf34aa78a61b4e8e044c214bc94accbd28a11f3a276586a31%40%3Cuser.ofbiz.apache.org%3E + - https://lists.apache.org/thread.html/r6e4579c4ebf7efeb462962e359501c6ca4045687f12212551df2d607@%3Cnotifications.ofbiz.apache.org%3E + - https://nvd.nist.gov/vuln/detail/CVE-2021-26295 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -51,8 +53,11 @@ requests: part: body words: - "errorMessage" + condition: and - type: word part: header words: - - "OFBiz.Visitor=" \ No newline at end of file + - "OFBiz.Visitor=" + +# Enhanced by mp on 2022/05/17 diff --git a/cves/2021/CVE-2021-27132.yaml b/cves/2021/CVE-2021-27132.yaml index d61addb02a..7f46e618ad 100644 --- a/cves/2021/CVE-2021-27132.yaml +++ b/cves/2021/CVE-2021-27132.yaml @@ -1,13 +1,14 @@ id: CVE-2021-27132 info: - name: CRLF Injection - Sercomm VD625 + name: Sercomm VD625 Smart Modems - CRLF Injection author: geeknik severity: critical - description: Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT_2.1.0 are vulnerable to CRLF Injection via the Content-Disposition header - https://cybertuz.com/blog/post/crlf-injection-CVE-2021-27132 + description: Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT_2.1.0 are vulnerable to Carriage Return Line Feed (CRLF) injection via the Content-Disposition header. reference: - https://cybertuz.com/blog/post/crlf-injection-CVE-2021-27132 - http://sercomm.com + - https://nvd.nist.gov/vuln/detail/CVE-2021-27132 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 
@@ -35,3 +36,5 @@ requests: - "X-XSS-Protection:0" part: header condition: and + +# Enhanced by mp on 2022/05/17 diff --git a/cves/2021/CVE-2021-27561.yaml b/cves/2021/CVE-2021-27561.yaml index 1af1a16437..67b8a7ad90 100644 --- a/cves/2021/CVE-2021-27561.yaml +++ b/cves/2021/CVE-2021-27561.yaml @@ -1,13 +1,13 @@ id: CVE-2021-27561 info: - name: YeaLink DM PreAuth RCE + name: YeaLink DM 3.6.0.20 - Remote Command Injection author: shifacyclewala,hackergautam severity: critical - description: A malicious actor can trigger Unauthenticated Remote Code Execution + description: Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication. reference: - https://ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/ - - https://ssd-disclosure.com/?p=4688 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27561 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -43,3 +43,5 @@ requests: - type: regex regex: - "(u|g)id=.*" + +# Enhanced by mp on 2022/05/17 diff --git a/cves/2021/CVE-2021-27651.yaml b/cves/2021/CVE-2021-27651.yaml index 6d16b1cda9..12c81fa998 100644 --- a/cves/2021/CVE-2021-27651.yaml +++ b/cves/2021/CVE-2021-27651.yaml @@ -1,10 +1,10 @@ id: CVE-2021-27651 info: - name: Pega Infinity Authentication bypass + name: Pega Infinity - Authentication Bypass author: idealphase severity: critical - description: In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks. + description: Pega Infinity versions 8.2.1 through 8.5.2 contain an authentication bypass vulnerability because the password reset functionality for local accounts can be used to bypass local authentication checks. reference: - https://github.com/samwcyo/CVE-2021-27651-PoC/blob/main/RCE.md - https://nvd.nist.gov/vuln/detail/CVE-2021-27651 
@@ -44,4 +44,6 @@ requests: - type: regex regex: - 'Pega 8\.(?:2\.[1-9]|3\.[0-9]|4\.[0-9]|5\.[0-2])' - part: body \ No newline at end of file + part: body + +# Enhanced by mp on 2022/05/17 diff --git a/cves/2021/CVE-2021-27850.yaml b/cves/2021/CVE-2021-27850.yaml index fa26bfb893..913394f5e4 100644 --- a/cves/2021/CVE-2021-27850.yaml +++ b/cves/2021/CVE-2021-27850.yaml @@ -1,11 +1,11 @@ id: CVE-2021-27850 info: - name: Apache Tapestry - Arbitrary class download + name: Apache Tapestry - Remote Code Execution author: pdteam severity: critical description: | - A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. + Apache Tapestry contains a critical unauthenticated remote code execution vulnerability. Affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. Note that this vulnerability is a bypass of the fix for CVE-2019-0195. Before that fix it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. reference: - https://nvd.nist.gov/vuln/detail/CVE-2021-27850 - https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E @@ -56,3 +56,5 @@ requests: - 'webtools' part: body condition: and + +# Enhanced by mp on 2022/05/17 diff --git a/cves/2021/CVE-2021-27905.yaml b/cves/2021/CVE-2021-27905.yaml index cd24cb57d8..7cca79cf62 100644 --- a/cves/2021/CVE-2021-27905.yaml +++ b/cves/2021/CVE-2021-27905.yaml 
@@ -1,10 +1,11 @@ id: CVE-2021-27905 info: - name: Apache Solr <= 8.8.1 SSRF + name: Apache Solr <=8.8.1 - Server-Side Request Forgery author: hackergautam severity: critical - description: The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2. + description: Apache Solr versions 8.8.1 and prior contain a server-side request forgery vulnerability. The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. + remediation: This issue is resolved in Apache Solr 8.8.2 and later. reference: - https://www.anquanke.com/post/id/238201 - https://ubuntu.com/security/CVE-2021-27905 @@ -43,4 +44,6 @@ requests: - type: word words: - 'OK' - part: body \ No newline at end of file + part: body + +# Enhanced by mp on 2022/05/17 diff --git a/cves/2021/CVE-2021-27931.yaml b/cves/2021/CVE-2021-27931.yaml index 2c8b3c0896..a426c5d084 100644 --- a/cves/2021/CVE-2021-27931.yaml +++ b/cves/2021/CVE-2021-27931.yaml 
@@ -1,11 +1,10 @@ id: CVE-2021-27931 info: - name: LumisXP Blind XXE + name: LumisXP <10.0.0 - Blind XML External Entity Attack author: alph4byt3 severity: critical - description: LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes - such as reading local server files or denial of service. + description: LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XML external entity (XXE) attacks via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service. reference: - https://github.com/sl4cky/LumisXP-XXE---POC/blob/main/poc.txt - https://nvd.nist.gov/vuln/detail/CVE-2021-27931 @@ -36,3 +35,5 @@ requests: part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" + +# Enhanced by mp on 2022/05/17 diff --git a/cves/2021/CVE-2021-28918.yaml b/cves/2021/CVE-2021-28918.yaml index 433d761f0d..6b8216e23c 100644 --- a/cves/2021/CVE-2021-28918.yaml +++ b/cves/2021/CVE-2021-28918.yaml 
@@ -1,15 +1,14 @@ id: CVE-2021-28918 info: - name: Netmask NPM Package SSRF + name: Netmask NPM Package - Server-Side Request Forgery author: johnjhacking severity: critical - description: Improper input validation of octal strings in netmask npm package allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts. + description: Netmask NPM Package is susceptible to server-side request forgery because of improper input validation of octal strings in netmask npm package. This allows unauthenticated remote attackers to perform indeterminate SSRF, remote file inclusion, and local file inclusion attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts. reference: - https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md - - https://nvd.nist.gov/vuln/detail/CVE-2021-28918 - https://github.com/advisories/GHSA-pch5-whg9-qr2r - - https://github.com/rs/node-netmask + - https://nvd.nist.gov/vuln/detail/CVE-2021-28918 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N cvss-score: 9.1 @@ -37,3 +36,5 @@ requests: - type: regex regex: - "root:.*:0:0:" + +# Enhanced by mp on 2022/05/17 diff --git a/cves/2021/CVE-2021-29203.yaml b/cves/2021/CVE-2021-29203.yaml index 8fd26b6280..2189884675 100644 --- a/cves/2021/CVE-2021-29203.yaml +++ b/cves/2021/CVE-2021-29203.yaml 
@@ -1,10 +1,10 @@ id: CVE-2021-29203 info: - name: HPE Edgeline Infrastructure Manager v1.21 Authentication Bypass + name: HPE Edgeline Infrastructure Manager <1.22 - Authentication Bypass author: madrobot severity: critical - description: A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access, causing denial of service, and changing the configuration. HPE has released a software update to resolve the vulnerability in the HPE Edgeline Infrastructure Manager. + description: HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22 contains an authentication bypass vulnerability which could be remotely exploited to bypass remote authentication and possibly lead to execution of arbitrary commands, gaining privileged access, causing denial of service, and changing the configuration. reference: - https://www.tenable.com/security/research/tra-2021-15 - https://nvd.nist.gov/vuln/detail/CVE-2021-29203 @@ -52,3 +52,5 @@ requests: part: body words: - "Base.1.0.Created" + +# Enhanced by mp on 2022/05/17 diff --git a/cves/2021/CVE-2021-29441.yaml b/cves/2021/CVE-2021-29441.yaml index 35d7facf94..7ff1c835a5 100644 --- a/cves/2021/CVE-2021-29441.yaml +++ b/cves/2021/CVE-2021-29441.yaml @@ -1,7 +1,7 @@ id: CVE-2021-29441 info: - name: Nacos prior to 1.4.1 Authentication Bypass + name: Nacos <1.4.1 - Authentication Bypass author: dwisiswant0 severity: critical description: | @@ -55,4 +55,6 @@ requests: - type: word words: - "application/json" - part: header \ No newline at end of file + part: header + +# Enhanced by mp on 2022/05/17 diff --git a/cves/2021/CVE-2021-30461.yaml b/cves/2021/CVE-2021-30461.yaml index 16812b85f1..5d82257613 100644 
--- a/cves/2021/CVE-2021-30461.yaml +++ b/cves/2021/CVE-2021-30461.yaml @@ -1,13 +1,14 @@ id: CVE-2021-30461 info: - name: VoipMonitor Pre-Auth-RCE + name: VoipMonitor <24.61 - Remote Code Execution author: shifacyclewala,hackergautam severity: critical - description: Use of user supplied data, arriving via web interface allows remote unauthenticated users to trigger a remote PHP code execution vulnerability in VoIPmonitor. + description: | + VoipMonitor prior to 24.61 is susceptible to remote code execution vulnerabilities because of its use of user supplied data via its web interface, allowing remote unauthenticated users to trigger a remote PHP code execution vulnerability. reference: - https://ssd-disclosure.com/ssd-advisory-voipmonitor-unauth-rce/ - - https://ssd-disclosure.com/ssd-advisory--voipmonitor-unauth-rce + - https://nvd.nist.gov/vuln/detail/CVE-2021-30461 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -39,3 +40,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/17 diff --git a/cves/2021/CVE-2021-3129.yaml b/cves/2021/CVE-2021-3129.yaml index 3f89bea6c8..d3581dd7e3 100644 --- a/cves/2021/CVE-2021-3129.yaml +++ b/cves/2021/CVE-2021-3129.yaml 
@@ -1,14 +1,14 @@ id: CVE-2021-3129 info: - name: Laravel <= v8.4.2 Debug Mode - Remote Code Execution + name: Laravel with Ignition <= v8.4.2 Debug Mode - Remote Code Execution author: z3bd,pdteam severity: critical - description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2. + description: Laravel version 8.4.2 and before with Ignition before 2.5.2 allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2. reference: - https://www.ambionics.io/blog/laravel-debug-rce - https://github.com/vulhub/vulhub/tree/master/laravel/CVE-2021-3129 - - https://github.com/facade/ignition/pull/334 + - https://nvd.nist.gov/vuln/detail/CVE-2021-3129 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -84,3 +84,5 @@ requests: - type: regex regex: - "(u|g)id=.*" + +# Enhanced by mp on 2022/05/17 diff --git a/cves/2021/CVE-2021-31856.yaml b/cves/2021/CVE-2021-31856.yaml index 91032dcfc2..e087dac85d 100644 --- a/cves/2021/CVE-2021-31856.yaml +++ b/cves/2021/CVE-2021-31856.yaml 
@@ -1,10 +1,11 @@ id: CVE-2021-31856 info: - name: Layer5 Meshery 0.5.2 SQLi + name: Layer5 Meshery 0.5.2 - SQL Injection author: princechaddha severity: critical - description: A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go). + description: Layer5 Meshery 0.5.2 contains a SQL injection vulnerability in the REST API that allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns + in models/meshery_pattern_persister.go). reference: - https://github.com/ssst0n3/CVE-2021-31856 - https://nvd.nist.gov/vuln/detail/CVE-2021-31856 @@ -33,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/17 diff --git a/cves/2021/CVE-2021-32172.yaml b/cves/2021/CVE-2021-32172.yaml index 71b8fb8464..e5bbb54bfc 100644 --- a/cves/2021/CVE-2021-32172.yaml +++ b/cves/2021/CVE-2021-32172.yaml @@ -1,10 +1,10 @@ id: CVE-2021-32172 info: - name: Maian Cart 3.8 preauth RCE + name: Maian Cart <=3.8 - Remote Code Execution author: pdteam severity: critical - description: A severe vulnerability has been kindly reported to me by security advisor DreyAnd. The issue concerns the elFinder file manager plugin in Maian Cart and it affects all versions from 3.0 to 3.8. + description: Maian Cart 3.0 to 3.8 via the elFinder file manager plugin contains a remote code execution vulnerability. reference: - https://dreyand.github.io/maian-cart-rce/ - https://github.com/DreyAnd/maian-cart-rce @@ -53,3 +53,5 @@ requests: - 'contains(body_3, "{{randstr_1}}")' - "status_code_3 == 200" condition: and + +# Enhanced by mp on 2022/05/18 diff --git a/cves/2021/CVE-2021-32305.yaml b/cves/2021/CVE-2021-32305.yaml index 79b097e71f..45fb64b4ce 100644 --- a/cves/2021/CVE-2021-32305.yaml +++ b/cves/2021/CVE-2021-32305.yaml 
@@ -1,15 +1,15 @@ id: CVE-2021-32305 info: - name: Websvn 2.6.0 - Remote Code Execution (Unauthenticated) + name: Websvn <2.6.1 - Remote Code Execution author: gy741 severity: critical description: WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2021-32305 - https://packetstormsecurity.com/files/163225/Websvn-2.6.0-Remote-Code-Execution.html - https://github.com/websvnphp/websvn/pull/142 - http://packetstormsecurity.com/files/163225/Websvn-2.6.0-Remote-Code-Execution.html + - https://nvd.nist.gov/vuln/detail/CVE-2021-32305 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -30,3 +30,5 @@ requests: part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" + +# Enhanced by mp on 2022/05/18 diff --git a/cves/2021/CVE-2021-33221.yaml b/cves/2021/CVE-2021-33221.yaml index a4294e5273..3b6825a4ed 100644 --- a/cves/2021/CVE-2021-33221.yaml +++ b/cves/2021/CVE-2021-33221.yaml 
@@ -1,14 +1,15 @@ id: CVE-2021-33221 info: - name: CommScope Ruckus IoT Controller Unauthenticated Service Details + name: CommScope Ruckus IoT Controller - Information Disclosure author: geeknik severity: critical - description: A 'service details' API endpoint discloses system and configuration information to an attacker without requiring authentication. This information includes DNS and NTP servers that the devices use for time and host resolution. It also includes the internal hostname and IoT Controller version. A fully configured device in production may leak other, more sensitive information (API keys and tokens). + description: CommScope Ruckus IoT Controller is susceptible to information disclosure vulnerabilities because a 'service details' API endpoint discloses system and configuration information to an attacker without requiring authentication. This information includes DNS and NTP servers that the devices use for time and host resolution. It also includes the internal hostname and IoT Controller version. A fully configured device in production may leak other, more sensitive information (API keys and tokens). reference: - https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf - http://seclists.org/fulldisclosure/2021/May/72 - https://korelogic.com/advisories.html + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33221 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -38,3 +39,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/18 diff --git a/cves/2021/CVE-2021-33357.yaml b/cves/2021/CVE-2021-33357.yaml index a29bf15f9b..cb52ddd4ea 100644 --- a/cves/2021/CVE-2021-33357.yaml +++ b/cves/2021/CVE-2021-33357.yaml 
@@ -1,16 +1,16 @@ id: CVE-2021-33357 info: - name: RaspAP <= 2.6.5 - Remote Code Execution + name: RaspAP <=2.6.5 - Remote Command Injection author: pikpikcu,pdteam severity: critical description: | - RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands. + RaspAP 2.6 to 2.6.5 allows unauthenticated attackers to execute arbitrary OS commands via the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";". reference: - https://checkmarx.com/blog/chained-raspap-vulnerabilities-grant-root-level-access/ - https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf - - https://nvd.nist.gov/vuln/detail/CVE-2021-33357 - https://github.com/RaspAP/raspap-webgui + - https://nvd.nist.gov/vuln/detail/CVE-2021-33357 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -39,4 +39,6 @@ requests: part: interactsh_request group: 1 regex: - - 'GET \/([a-z-]+) HTTP' \ No newline at end of file + - 'GET \/([a-z-]+) HTTP' + +# Enhanced by mp on 2022/05/18 diff --git a/cves/2021/CVE-2021-33564.yaml b/cves/2021/CVE-2021-33564.yaml index e99d537b51..f8c09008f5 100644 --- a/cves/2021/CVE-2021-33564.yaml +++ b/cves/2021/CVE-2021-33564.yaml 
@@ -1,15 +1,16 @@ id: CVE-2021-33564 info: - name: Argument Injection in Ruby Dragonfly + name: Ruby Dragonfly <1.4.0 - Remote Code Execution author: 0xsapra severity: critical - description: An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility. + description: Ruby Dragonfly before 1.4.0 contains an argument injection vulnerability that allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility. reference: - https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/ - https://github.com/markevans/dragonfly/compare/v1.3.0...v1.4.0 - https://github.com/markevans/dragonfly/commit/25399297bb457f7fcf8e3f91e85945b255b111b5 - https://github.com/mlr0p/CVE-2021-33564 + - https://nvd.nist.gov/vuln/detail/CVE-2021-33564 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -31,3 +32,5 @@ requests: - type: regex regex: - "root:.*:0:0:" + +# Enhanced by mp on 2022/05/18 diff --git a/cves/2021/CVE-2021-3378.yaml b/cves/2021/CVE-2021-3378.yaml index f44e50ac50..8ae13590a4 100644 --- a/cves/2021/CVE-2021-3378.yaml +++ b/cves/2021/CVE-2021-3378.yaml 
@@ -1,13 +1,11 @@ id: CVE-2021-3378 info: - name: FortiLogger Unauthenticated Arbitrary File Upload + name: FortiLogger 4.4.2.2 - Arbitrary File Upload author: dwisiswant0 severity: critical description: | - This template detects an unauthenticated arbitrary file upload - via insecure POST request. It has been tested on version 4.4.2.2 in - Windows 10 Enterprise. + FortiLogger 4.4.2.2 is affected by arbitrary file upload issues. Attackers can send a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then Assets/temp/hotspot/img/logohotspot.asp. reference: - https://erberkan.github.io/2021/cve-2021-3378/ - https://github.com/erberkan/fortilogger_arbitrary_fileupload @@ -58,4 +56,6 @@ requests: - "text/plain" - "ASP.NET" condition: and - part: header \ No newline at end of file + part: header + +# Enhanced by mp on 2022/05/18 diff --git a/cves/2021/CVE-2021-36356.yaml b/cves/2021/CVE-2021-36356.yaml index 1bcb597522..af120b662f 100644 --- a/cves/2021/CVE-2021-36356.yaml +++ b/cves/2021/CVE-2021-36356.yaml @@ -1,7 +1,7 @@ id: CVE-2021-36356 info: - name: Kramer VIAware RCE + name: Kramer VIAware - Remote Code Execution author: gy741 severity: critical description: KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames. @@ -35,3 +35,5 @@ requests: part: interactsh_protocol words: - "http" + +# Enhanced by mp on 2022/05/18 diff --git a/cves/2021/CVE-2021-44077.yaml b/cves/2021/CVE-2021-44077.yaml index 0f49c0e028..a3fb47f535 100644 --- a/cves/2021/CVE-2021-44077.yaml +++ b/cves/2021/CVE-2021-44077.yaml 
@@ -10,6 +10,7 @@ info: - https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/ - https://github.com/horizon3ai/CVE-2021-44077 - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/manageengine_servicedesk_plus_cve_2021_44077.rb + - https://nvd.nist.gov/vuln/detail/CVE-2021-44077 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -30,4 +31,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/05/18 diff --git a/cves/2021/CVE-2021-44515.yaml b/cves/2021/CVE-2021-44515.yaml index 339271db14..040d2b7fb9 100644 --- a/cves/2021/CVE-2021-44515.yaml +++ b/cves/2021/CVE-2021-44515.yaml 
@@ -4,17 +4,19 @@ info: name: Zoho ManageEngine Desktop Central - Remote Code Execution author: Adam Crosser severity: critical - description: Zoho Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server. + description: Zoho ManageEngine Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server. reference: - https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/cisa-adds-13-known-exploited-vulnerabilities-catalog - https://srcincite.io/blog/2022/01/20/zohowned-a-critical-authentication-bypass-on-zoho-manageengine-desktop-central.html - https://attackerkb.com/topics/rJw4DFI2RQ/cve-2021-44515/rapid7-analysis - https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp + - https://nvd.nist.gov/vuln/detail/CVE-2021-44515 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-44515 cwe-id: CWE-287 + remediation: For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. tags: cve,cve2021,cisa,zoho,rce,manageengine requests: @@ -37,4 +39,6 @@ requests: - type: word part: header words: - - "UEMJSESSIONID=" \ No newline at end of file + - "UEMJSESSIONID=" + +# Enhanced by mp on 2022/05/18 diff --git a/cves/2021/CVE-2021-46422.yaml b/cves/2021/CVE-2021-46422.yaml index b696388cd7..33aa2439bb 100644 --- a/cves/2021/CVE-2021-46422.yaml +++ b/cves/2021/CVE-2021-46422.yaml 
@@ -1,15 +1,15 @@ id: CVE-2021-46422 info: - name: SDT-CW3B1 1.1.0 - OS command injection + name: SDT-CW3B1 1.1.0 - OS Command Injection author: badboycxcc severity: critical description: | Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication. reference: - https://www.exploit-db.com/exploits/50936 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46422 - - https://drive.google.com/drive/folders/1YJlVlb4SlTEGONzIjiMwd2P7ucP_Pm7T?usp=sharing + - https://drive.google.com/drive/folders/1YJlVlb4SlTEGONzIjiMwd2P7ucP_Pm7T? + - https://nvd.nist.gov/vuln/detail/CVE-2021-46422 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -32,3 +32,5 @@ requests: part: body regex: - "root:.*:0:0:" + +# Enhanced by mp on 2022/05/18 diff --git a/cves/2021/CVE-2021-46424.yaml b/cves/2021/CVE-2021-46424.yaml index b38d876e56..1ff5eb9003 100644 --- a/cves/2021/CVE-2021-46424.yaml +++ b/cves/2021/CVE-2021-46424.yaml @@ -1,15 +1,15 @@ id: CVE-2021-46424 info: - name: TLR-2005KSH - Arbitrary File Delete + name: Telesquare TLR-2005KSH 1.0.0 - Arbitrary File Delete author: gy741 severity: critical description: Telesquare TLR-2005KSH 1.0.0 is affected by an arbitrary file deletion vulnerability that allows a remote attacker to delete any file, even system internal files, via a DELETE request. reference: - https://dl.packetstormsecurity.net/2205-exploits/tlr2005ksh-filedelete.txt - - https://nvd.nist.gov/vuln/detail/CVE-2021-46424 - https://drive.google.com/drive/folders/1_e3eJ8fzhCWnCkoRpbLoyQecuKkPR4OD?usp=sharing - http://packetstormsecurity.com/files/167127/TLR-2005KSH-Arbitrary-File-Delete.html + - https://nvd.nist.gov/vuln/detail/CVE-2021-46424 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H cvss-score: 9.1 
@@ -40,3 +40,5 @@ requests: - type: dsl dsl: - "status_code_1 == 200 && status_code_2 == 204 && status_code_3 == 404" + +# Enhanced by mp on 2022/05/18 diff --git a/cves/2022/CVE-2022-0482.yaml b/cves/2022/CVE-2022-0482.yaml index b450d39490..9e6755261d 100644 --- a/cves/2022/CVE-2022-0482.yaml +++ b/cves/2022/CVE-2022-0482.yaml @@ -1,16 +1,16 @@ id: CVE-2022-0482 info: - name: Easy!Appointments Broken Access Control + name: Easy!Appointments <1.4.3 - Broken Access Control author: francescocarlucci,opencirt severity: critical description: | - Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3. + Easy!Appointments prior to 1.4.3 allows exposure of Private Personal Information to an unauthorized actor via the GitHub repository alextselegidis/easyappointments. reference: - https://huntr.dev/bounties/2fe771ef-b615-45ef-9b4d-625978042e26/ - - https://nvd.nist.gov/vuln/detail/CVE-2022-0482 - https://github.com/alextselegidis/easyappointments - https://opencirt.com/hacking/securing-easy-appointments-cve-2022-0482/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-0482 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N cvss-score: 9.1 @@ -53,3 +53,5 @@ requests: - '"appointments":' - '"unavailables":' condition: and + +# Enhanced by mp on 2022/05/18 diff --git a/cves/2022/CVE-2022-0540.yaml b/cves/2022/CVE-2022-0540.yaml index 7b42b0d945..0300df4213 100644 --- a/cves/2022/CVE-2022-0540.yaml +++ b/cves/2022/CVE-2022-0540.yaml 
@@ -1,11 +1,11 @@ id: CVE-2022-0540 info: - name: Atlassian Jira Seraph- Authentication Bypass + name: Atlassian Jira Seraph - Authentication Bypass author: DhiyaneshDK severity: critical description: | - A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0. + Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0. reference: - https://blog.viettelcybersecurity.com/cve-2022-0540-authentication-bypass-in-seraph/ - https://nvd.nist.gov/vuln/detail/CVE-2022-0540 @@ -34,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/18 diff --git a/cves/2022/CVE-2022-0543.yaml b/cves/2022/CVE-2022-0543.yaml index 3c48491df2..8db0488010 100644 --- a/cves/2022/CVE-2022-0543.yaml +++ b/cves/2022/CVE-2022-0543.yaml @@ -1,7 +1,7 @@ id: CVE-2022-0543 info: - name: Redis Sandbox Escape RCE + name: Redis Sandbox Escape - Remote Code Execution author: dwisiswant0 severity: critical description: | 
@@ -9,8 +9,6 @@ info: vulnerability was introduced by Debian and Ubuntu Redis packages that insufficiently sanitized the Lua environment. The maintainers failed to disable the package interface, allowing attackers to load arbitrary libraries. - - Taken from rapid7/metasploit-framework#16504. reference: - https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce - https://attackerkb.com/topics/wyA1c1HIC8/cve-2022-0543/rapid7-analysis#rapid7-analysis @@ -37,3 +35,5 @@ network: - type: regex regex: - "root:.*:0:0:" + +# Enhanced by mp on 2022/05/18 diff --git a/cves/2022/CVE-2022-0591.yaml b/cves/2022/CVE-2022-0591.yaml index 63be423ad1..6f32f5bea4 100644 --- a/cves/2022/CVE-2022-0591.yaml +++ b/cves/2022/CVE-2022-0591.yaml @@ -1,10 +1,10 @@ id: CVE-2022-0591 info: - name: Formcraft3 < 3.8.28 - Unauthenticated SSRF + name: Formcraft3 <3.8.28 - Server-Side Request Forgery author: Akincibor severity: critical - description: The plugin does not validate the URL parameter in the formcraft3_get AJAX action, leading to SSRF issues exploitable by unauthenticated users. + description: Formcraft3 before version 3.8.2 does not validate the URL parameter in the formcraft3_get AJAX action, leading to server-side request forgery issues exploitable by unauthenticated users. reference: - https://wpscan.com/vulnerability/b5303e63-d640-4178-9237-d0f524b13d47 - https://nvd.nist.gov/vuln/detail/CVE-2022-0591 @@ -25,3 +25,5 @@ requests: part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" + +# Enhanced by mp on 2022/05/18 diff --git a/cves/2022/CVE-2022-1020.yaml b/cves/2022/CVE-2022-1020.yaml index 4205dd83ae..5527072978 100644 --- a/cves/2022/CVE-2022-1020.yaml +++ b/cves/2022/CVE-2022-1020.yaml 
@@ -1,10 +1,10 @@ id: CVE-2022-1020 info: - name: Woo Product Table < 3.1.2 - Unauthenticated Arbitrary Function Call + name: WordPress WooCommerce <3.1.2 - Arbitrary Function Call author: Akincibor severity: critical - description: The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument + description: WordPress WooCommerce plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument. reference: - https://wpscan.com/vulnerability/04fe89b3-8ad1-482f-a96d-759d1d3a0dd5 - https://nvd.nist.gov/vuln/detail/CVE-2022-1020 @@ -42,3 +42,5 @@ requests: group: 1 regex: - '>PHP Version <\/td>([0-9.]+)' + +# Enhanced by mp on 2022/05/18 diff --git a/cves/2022/CVE-2022-1598.yaml b/cves/2022/CVE-2022-1598.yaml index 3c18f4887e..22e863a639 100644 --- a/cves/2022/CVE-2022-1598.yaml +++ b/cves/2022/CVE-2022-1598.yaml @@ -11,6 +11,8 @@ info: reference: - https://wpscan.com/vulnerability/faff9484-9fc7-4300-bdad-9cd8a30a9a4e - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1597 + classification: + cve-id: CVE-2022-1598 metadata: verified: true google-dork: inurl:/wp-content/plugins/wpqa diff --git a/cves/2022/CVE-2022-30489.yaml b/cves/2022/CVE-2022-30489.yaml index 4895fbdb09..e8a55ffaef 100644 --- a/cves/2022/CVE-2022-30489.yaml +++ b/cves/2022/CVE-2022-30489.yaml 
@@ -4,7 +4,8 @@ info: name: Wavlink Wn535g3 - POST XSS author: For3stCo1d severity: high - description: WAVLINK WN535 G3 was discovered to contain a cross-site scripting (XSS) vulnerability via the hostname parameter at /cgi-bin/login.cgi. + description: | + WAVLINK WN535 G3 was discovered to contain a cross-site scripting (XSS) vulnerability via the hostname parameter at /cgi-bin/login.cgi. reference: - https://github.com/badboycxcc/XSS-CVE-2022-30489 - https://nvd.nist.gov/vuln/detail/CVE-2022-30489 @@ -12,6 +13,8 @@ info: metadata: shodan-query: http.title:"Wi-Fi APP Login" verified: "true" + classification: + cve-id: CVE-2022-30489 tags: xss,cve2022,wavlink,cve,router,iot requests: diff --git a/cves/2022/CVE-2022-30525.yaml b/cves/2022/CVE-2022-30525.yaml index 0ad6622783..26f6610bda 100644 --- a/cves/2022/CVE-2022-30525.yaml +++ b/cves/2022/CVE-2022-30525.yaml @@ -13,6 +13,8 @@ info: - https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml metadata: shodan-query: title:"USG FLEX 100","USG FLEX 100w","USG FLEX 200","USG FLEX 500","USG FLEX 700","USG FLEX 50","USG FLEX 50w","ATP100","ATP200","ATP500","ATP700" + classification: + cve-id: CVE-2022-30525 tags: rce,zyxel,cve,cve2022,firewall,unauth requests: diff --git a/workflows/yonyou-nc-workflow.yaml b/workflows/yonyou-nc-workflow.yaml index 4d0e27a715..e725d45706 100644 --- a/workflows/yonyou-nc-workflow.yaml +++ b/workflows/yonyou-nc-workflow.yaml 
@@ -3,11 +3,11 @@ id: yonyou-ufida-nc-workflow info: name: Yonyou Ufida NC Security Checks author: Arm!tage - description: A simple workflow that runs all yonyou ufida nc related nuclei templates on a given target. + description: A simple workflow that runs all Yonyou Network Technology Co. (Ufida) NC related nuclei templates on a given target. workflows: - template: technologies/fingerprinthub-web-fingerprints.yaml matchers: - name: yonyou-ism subtemplates: - - tags: yonyou \ No newline at end of file + - tags: yonyou
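Review bot: The `# Enhanced by mp on 2022/05/18` trailer appended to cves/2021/CVE-2021-33357.yaml (and to every other template in this patch) records edit provenance in file content that git history already tracks; if the project wants a per-file audit marker, a field under `metadata:` would be machine-readable, whereas a trailing comment will drift out of date on the next edit.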
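Review bot: In cves/2021/CVE-2021-33564.yaml the new `name: Ruby Dragonfly <1.4.0 - Remote Code Execution` overstates the description on the same hunk, which calls this an argument injection that "may lead to code execution" and classifies it with the argument-injection CWE; keep the vulnerability class in the title, e.g. `name: Ruby Dragonfly <1.4.0 - Argument Injection`, so name, description and classification agree.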
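Review bot: In cves/2021/CVE-2021-3378.yaml the rewritten description drops the test-environment note ("tested on version 4.4.2.2 in Windows 10 Enterprise") rather than relocating it; that is useful verification context and belongs under `metadata:` (the field other templates in this patch use for `verified:`). The replacement sentence also reads as if the `Content-Type: image/png` header is sent to both `Config/SaveUploadedHotspotLogoFile` and `Assets/temp/hotspot/img/logohotspot.asp`; reword it so the role of the second path is explicit.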
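Review bot: In cves/2021/CVE-2021-46422.yaml the Google Drive reference is cut to `https://drive.google.com/drive/folders/1YJlVlb4SlTEGONzIjiMwd2P7ucP_Pm7T?`, leaving a dangling `?`; either keep the original `?usp=sharing` query or drop the `?` along with it.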
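Review bot: In cves/2022/CVE-2022-0482.yaml the new description "allows exposure of Private Personal Information to an unauthorized actor via the GitHub repository alextselegidis/easyappointments" changes the meaning: in the original, the repository named the affected product, not the channel of exposure. Suggest "Easy!Appointments prior to 1.4.3 allows exposure of private personal information to an unauthorized actor." and keep the repository only in `reference:`, where it already appears.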
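Review bot: In cves/2022/CVE-2022-0543.yaml removing "Taken from rapid7/metasploit-framework#16504." deletes the attribution for the description text instead of relocating it; add the pull request as an entry under `reference:` so the source of the wording stays traceable.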
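Review bot: In cves/2022/CVE-2022-0591.yaml the new description says "Formcraft3 before version 3.8.2" while the name on the same hunk says `Formcraft3 <3.8.28`; the description should read "before version 3.8.28" so both state the same fixed version.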
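Review bot: In cves/2022/CVE-2022-1020.yaml the rename to `WordPress WooCommerce <3.1.2 - Arbitrary Function Call` and the description "WordPress WooCommerce plugin before 3.1.2" misidentify the affected product: the removed text names the "Product Table for WooCommerce (wooproducttable)" plugin, and the `wpt_admin_update_notice_option` action belongs to it, not to WooCommerce core. Suggest `name: WordPress Product Table for WooCommerce <3.1.2 - Arbitrary Function Call` and "The Product Table for WooCommerce (wooproducttable) plugin before 3.1.2 ..." in the description.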
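Review bot: In cves/2022/CVE-2022-1598.yaml the added `cve-id: CVE-2022-1598` sits directly under a reference to `cvename.cgi?name=CVE-2022-1597`; one of the two identifiers is wrong, so verify which CVE this template covers and, as the other templates in this patch do, add the matching `https://nvd.nist.gov/vuln/detail/...` entry.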
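Review bot: In cves/2022/CVE-2022-30489.yaml the description is converted to a `|` block scalar with no change in wording, which is churn in the diff, and the new `classification:` block is inserted after `metadata:` whereas the CVE-2022-1598 hunk in this same patch places it before `metadata:`; pick one ordering for the `info:` keys across the patch and drop the no-op scalar change.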