Dashboard Content Enhancements (#4426)

Dashboard Content Enhancements
patch-1
MostInterestingBotInTheWorld 2022-05-18 16:58:07 -04:00 committed by GitHub
parent bf7d533b26
commit 5eb6b79331
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
42 changed files with 176 additions and 91 deletions

View File

@ -1,13 +1,19 @@
id: CNVD-2020-46552 id: CNVD-2020-46552
info: info:
name: Sangfor EDR Tool - Remote Code Execution name: Sangfor EDR - Remote Code Execution
author: ritikchaddha author: ritikchaddha
severity: critical severity: critical
description: There is a RCE vulnerability in Sangfor Endpoint Monitoring and Response Platform (EDR). An attacker could exploit this vulnerability by constructing an HTTP request, and an attacker who successfully exploited this vulnerability could execute arbitrary commands on the target host. description: Sangfor Endpoint Monitoring and Response Platform (EDR) contains a remote code execution vulnerability. An attacker could exploit this vulnerability by constructing an HTTP request which could execute arbitrary commands on the target host.
reference: reference:
- https://www.modb.pro/db/144475 - https://www.modb.pro/db/144475
- https://blog.csdn.net/bigblue00/article/details/108434009 - https://blog.csdn.net/bigblue00/article/details/108434009
- https://cn-sec.com/archives/721509.html - https://cn-sec.com/archives/721509.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cve-id:
cwe-id: CWE-77
tags: cnvd,cnvd2020,sangfor,rce tags: cnvd,cnvd2020,sangfor,rce
requests: requests:
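Review bot: the new `classification` block leaves `cve-id:` with no value; this is a CNVD-only issue, so drop the empty key rather than emit a YAML null. The vector is also written with the `CVSS:3.0/` prefix while every other template touched in this commit uses `CVSS:3.1/` (the Tiki Wiki block that follows, for instance); pick one version. Wording nit in the description: an HTTP request does not "execute arbitrary commands", the attacker does; "constructing an HTTP request that executes arbitrary commands on the target host" is tighter.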
@ -23,3 +29,5 @@ requests:
- 'contains(body, "Log Helper")' - 'contains(body, "Log Helper")'
- 'status_code == 200' - 'status_code == 200'
condition: and condition: and
# Enhanced by mp on 2022/05/18
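Review bot: the trailing `# Enhanced by mp on 2022/05/18` marker is appended to every template body in this commit; the provenance is already in the commit history and the dates are already drifting (most of the other files carry `2022/05/17`). If the project wants the marker, fine, but it should not be the only reason a template file changes.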

View File

@ -4,12 +4,12 @@ info:
name: Tiki Wiki CMS Groupware 5.2 - Local File Inclusion name: Tiki Wiki CMS Groupware 5.2 - Local File Inclusion
author: 0x_akoko author: 0x_akoko
severity: critical severity: critical
description: Tiki Wiki CMS Groupware 5.2 has Local File Inclusion description: Tiki Wiki CMS Groupware 5.2 is susceptible to a local file inclusion vulnerability.
reference: reference:
- https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-lfi.txt - https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-lfi.txt
- https://www.cvedetails.com/cve/CVE-2010-4239
- https://www.openwall.com/lists/oss-security/2010/11/22/9 - https://www.openwall.com/lists/oss-security/2010/11/22/9
- https://security-tracker.debian.org/tracker/CVE-2010-4239 - https://security-tracker.debian.org/tracker/CVE-2010-4239
- https://nvd.nist.gov/vuln/detail/CVE-2010-4239
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -30,3 +30,5 @@ requests:
- "fonts" - "fonts"
- "extensions" - "extensions"
condition: and condition: and
# Enhanced by mp on 2022/05/18

View File

@ -4,7 +4,7 @@ info:
name: NCBI ToolBox - Directory Traversal name: NCBI ToolBox - Directory Traversal
author: 0x_Akoko author: 0x_Akoko
severity: critical severity: critical
description: A path traversal vulnerability exists in viewcgi.c in the 2.0.7 through 2.2.26 legacy versions of the NCBI ToolBox, which may result in reading of arbitrary files (i.e., significant information disclosure) or file deletion via the nph-viewgif.cgi query string. description: NCBI ToolBox 2.0.7 through 2.2.26 legacy versions contain a path traversal vulnerability via viewcgi.cgi which may result in reading of arbitrary files (i.e., significant information disclosure) or file deletion via the nph-viewgif.cgi query string.
reference: reference:
- https://github.com/grymer/CVE/blob/master/CVE-2018-16716.md - https://github.com/grymer/CVE/blob/master/CVE-2018-16716.md
- https://nvd.nist.gov/vuln/detail/CVE-2018-16716 - https://nvd.nist.gov/vuln/detail/CVE-2018-16716
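Review bot: the rewrite turns `viewcgi.c` (a source file in the original sentence) into `viewcgi.cgi`, an endpoint that appears nowhere in the old text; the request actually goes to `nph-viewgif.cgi`, as the rest of the sentence still says. Suggest "NCBI ToolBox 2.0.7 through 2.2.26 legacy versions contain a path traversal vulnerability in viewcgi.c which may result in ..." so the file reference stays accurate.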
@ -29,3 +29,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by mp on 2022/05/18

View File

@ -6,11 +6,10 @@ info:
severity: critical severity: critical
description: Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation when evaluated on raw user input in tag attributes, which may lead to remote code execution. description: Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation when evaluated on raw user input in tag attributes, which may lead to remote code execution.
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-0230
- https://cwiki.apache.org/confluence/display/WW/S2-059 - https://cwiki.apache.org/confluence/display/WW/S2-059
- https://www.tenable.com/blog/cve-2019-0230-apache-struts-potential-remote-code-execution-vulnerability - https://www.tenable.com/blog/cve-2019-0230-apache-struts-potential-remote-code-execution-vulnerability
- https://cwiki.apache.org/confluence/display/ww/s2-059
- http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html - http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-0230
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8

View File

@ -6,6 +6,7 @@ info:
severity: critical severity: critical
description: D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565 contain an unauthenticated remote code execution vulnerability. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these issues also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825. description: D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565 contain an unauthenticated remote code execution vulnerability. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these issues also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-16920
- https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r - https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r
- https://fortiguard.com/zeroday/FG-VD-19-117 - https://fortiguard.com/zeroday/FG-VD-19-117
- https://www.seebug.org/vuldb/ssvid-98079 - https://www.seebug.org/vuldb/ssvid-98079
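Review bot: the description is left untouched here but still says "could lead to common injection" where the following sentence makes clear "command injection" is meant, and "also affected; DIR-855L" has a stray semicolon. Since this commit is explicitly editing descriptions, fix both in this hunk rather than only reordering the references.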

View File

@ -7,10 +7,10 @@ info:
description: | description: |
WordPress Contact Form 7 before 1.3.3.3 allows unrestricted file upload and remote code execution by setting supported_type to php% and uploading a .php% file. WordPress Contact Form 7 before 1.3.3.3 allows unrestricted file upload and remote code execution by setting supported_type to php% and uploading a .php% file.
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-12800
- https://github.com/amartinsec/CVE-2020-12800 - https://github.com/amartinsec/CVE-2020-12800
- https://packetstormsecurity.com/files/157951/WordPress-Drag-And-Drop-Multi-File-Uploader-Remote-Code-Execution.html - https://packetstormsecurity.com/files/157951/WordPress-Drag-And-Drop-Multi-File-Uploader-Remote-Code-Execution.html
- https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/#developers - https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/#developers
- https://nvd.nist.gov/vuln/detail/CVE-2020-12800
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
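Review bot: the description names "WordPress Contact Form 7 before 1.3.3.3", but the references in this same block (Packet Storm "Drag-And-Drop-Multi-File-Uploader", the wordpress.org `drag-and-drop-multiple-file-upload-contact-form-7` plugin page) show the affected component is the Drag and Drop Multiple File Upload add-on for Contact Form 7, not Contact Form 7 itself; reword so the vulnerable plugin is named correctly.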

View File

@ -12,9 +12,9 @@ info:
reference: reference:
- https://securityboulevard.com/2020/11/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/ - https://securityboulevard.com/2020/11/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/
- https://twitter.com/chybeta/status/1328912309440311297 - https://twitter.com/chybeta/status/1328912309440311297
- https://nvd.nist.gov/vuln/detail/CVE-2020-13942
- http://unomi.apache.org./security/cve-2020-13942.txt - http://unomi.apache.org./security/cve-2020-13942.txt
- https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118@%3Cusers.unomi.apache.org%3E - https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118@%3Cusers.unomi.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2020-13942
remediation: Apache Unomi users should upgrade to 1.5.2 or later. remediation: Apache Unomi users should upgrade to 1.5.2 or later.
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
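Review bot: `http://unomi.apache.org./security/cve-2020-13942.txt` carries a stray trailing dot in the hostname (`apache.org.`); fix it while the reference list is being reordered.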

View File

@ -1,13 +1,14 @@
id: CVE-2021-25281 id: CVE-2021-25281
info: info:
name: SaltStack wheel_async unauth access name: SaltStack Salt <3002.5 - Auth Bypass
author: madrobot author: madrobot
severity: critical severity: critical
description: The SaltAPI does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master. description: SaltStack Salt before 3002.5 does not honor eauth credentials for the wheel_async client, allowing attackers to remotely run any wheel modules on the master.
reference: reference:
- http://hackdig.com/02/hack-283902.htm - http://hackdig.com/02/hack-283902.htm
- https://dozer.nz/posts/saltapi-vulns - https://dozer.nz/posts/saltapi-vulns
- https://nvd.nist.gov/vuln/detail/CVE-2021-25281
- https://github.com/saltstack/salt/releases - https://github.com/saltstack/salt/releases
- https://www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21/ - https://www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21/
classification: classification:
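Review bot: the new name abbreviates to "Auth Bypass" while the other renames in this commit spell it out ("Pega Infinity - Authentication Bypass", "Nacos <1.4.1 - Authentication Bypass", "HPE Edgeline Infrastructure Manager <1.22 - Authentication Bypass"); use "Authentication Bypass" here too so the names sort and search consistently.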
@ -41,3 +42,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by mp on 2022/05/17

View File

@ -1,13 +1,10 @@
id: CVE-2021-26084 id: CVE-2021-26084
info: info:
name: Confluence Server OGNL injection - RCE name: Confluence Server - Remote Code Execution
author: dhiyaneshDk,philippedelteil author: dhiyaneshDk,philippedelteil
severity: critical severity: critical
description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary description: Confluence Server and Data Center contain an OGNL injection vulnerability that could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled. To check whether this is enabled go to COG > User Management > User Signup Options.
code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled.
To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from
version 7.12.0 before 7.12.5.
reference: reference:
- https://jira.atlassian.com/browse/CONFSERVER-67940 - https://jira.atlassian.com/browse/CONFSERVER-67940
- https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-26084 - https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-26084
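Review bot: the new name "Confluence Server - Remote Code Execution" drops the vulnerability class (OGNL injection) that the old name carried, and, unlike the other renames in this commit, adds no version bound. Suggest keeping the technique in the title, e.g. "Confluence Server - OGNL Injection Remote Code Execution", so the template remains findable by vulnerability class. Collapsing the four description lines into one is fine; the content is unchanged.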
@ -58,3 +55,5 @@ requests:
part: body part: body
words: words:
- 'value="aaaa{140592=null}' - 'value="aaaa{140592=null}'
# Enhanced by mp on 2022/05/17

View File

@ -1,7 +1,7 @@
id: CVE-2021-26295 id: CVE-2021-26295
info: info:
name: Apache OFBiz RMI Deserialization - Remote Code Execution name: Apache OFBiz <17.12.06 - Arbitrary Code Execution
author: madrobot author: madrobot
severity: critical severity: critical
description: | description: |
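Review bot: the renamed title "Apache OFBiz <17.12.06 - Arbitrary Code Execution" removes the vulnerability class entirely; the remaining references (Packet Storm "Apache-OFBiz-SOAP-Java-Deserialization") point to a deserialization bug, so the rename was the chance to state the correct vector rather than delete it. "Arbitrary Code Execution" is also used only here while every other template in this commit says "Remote Code Execution".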
@ -11,6 +11,8 @@ info:
- https://packetstormsecurity.com/files/162104/Apache-OFBiz-SOAP-Java-Deserialization.html - https://packetstormsecurity.com/files/162104/Apache-OFBiz-SOAP-Java-Deserialization.html
- https://github.com/zhzyker/exphub/tree/master/ofbiz - https://github.com/zhzyker/exphub/tree/master/ofbiz
- https://lists.apache.org/thread.html/r3c1802eaf34aa78a61b4e8e044c214bc94accbd28a11f3a276586a31%40%3Cuser.ofbiz.apache.org%3E - https://lists.apache.org/thread.html/r3c1802eaf34aa78a61b4e8e044c214bc94accbd28a11f3a276586a31%40%3Cuser.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r6e4579c4ebf7efeb462962e359501c6ca4045687f12212551df2d607@%3Cnotifications.ofbiz.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2021-26295
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -51,8 +53,11 @@ requests:
part: body part: body
words: words:
- "errorMessage" - "errorMessage"
condition: and
- type: word - type: word
part: header part: header
words: words:
- "OFBiz.Visitor=" - "OFBiz.Visitor="
# Enhanced by mp on 2022/05/17
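Review bot: the added `condition: and` sits under a `words:` list with a single entry (`"errorMessage"`), so it changes nothing. If the intent was to require both the body word and the `OFBiz.Visitor=` header to match, that is `matchers-condition: and` at the matchers level, not a per-matcher `condition`. Either drop the line or move it, and in any case a matcher change belongs in its own commit, not in a batch of description edits.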

View File

@ -1,13 +1,14 @@
id: CVE-2021-27132 id: CVE-2021-27132
info: info:
name: CRLF Injection - Sercomm VD625 name: Sercomm VD625 Smart Modems - CRLF Injection
author: geeknik author: geeknik
severity: critical severity: critical
description: Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT_2.1.0 are vulnerable to CRLF Injection via the Content-Disposition header - https://cybertuz.com/blog/post/crlf-injection-CVE-2021-27132 description: Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT_2.1.0 are vulnerable to Carriage Return Line Feed (CRLF) injection via the Content-Disposition header.
reference: reference:
- https://cybertuz.com/blog/post/crlf-injection-CVE-2021-27132 - https://cybertuz.com/blog/post/crlf-injection-CVE-2021-27132
- http://sercomm.com - http://sercomm.com
- https://nvd.nist.gov/vuln/detail/CVE-2021-27132
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
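Review bot: pulling the URL out of the description is right; while here, `http://sercomm.com` is a vendor homepage rather than an advisory and can go now that the NVD entry is listed.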
@ -35,3 +36,5 @@ requests:
- "X-XSS-Protection:0" - "X-XSS-Protection:0"
part: header part: header
condition: and condition: and
# Enhanced by mp on 2022/05/17

View File

@ -1,13 +1,13 @@
id: CVE-2021-27561 id: CVE-2021-27561
info: info:
name: YeaLink DM PreAuth RCE name: YeaLink DM 3.6.0.20 - Remote Command Injection
author: shifacyclewala,hackergautam author: shifacyclewala,hackergautam
severity: critical severity: critical
description: A malicious actor can trigger Unauthenticated Remote Code Execution description: Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.
reference: reference:
- https://ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/ - https://ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/
- https://ssd-disclosure.com/?p=4688 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27561
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
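Review bot: the replacement reference `https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27561` is missing the `CVE-` prefix in the query value (compare the Ruckus template later in this commit, `cvename.cgi?name=CVE-2021-33221`); as written the lookup will not resolve. Also "YeaLink" in the name versus "Yealink" in the new description; pick one spelling.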
@ -43,3 +43,5 @@ requests:
- type: regex - type: regex
regex: regex:
- "(u|g)id=.*" - "(u|g)id=.*"
# Enhanced by mp on 2022/05/17

View File

@ -1,10 +1,10 @@
id: CVE-2021-27651 id: CVE-2021-27651
info: info:
name: Pega Infinity Authentication bypass name: Pega Infinity - Authentication Bypass
author: idealphase author: idealphase
severity: critical severity: critical
description: In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks. description: Pega Infinity versions 8.2.1 through 8.5.2 contain an authentication bypass vulnerability because the password reset functionality for local accounts can be used to bypass local authentication checks.
reference: reference:
- https://github.com/samwcyo/CVE-2021-27651-PoC/blob/main/RCE.md - https://github.com/samwcyo/CVE-2021-27651-PoC/blob/main/RCE.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-27651 - https://nvd.nist.gov/vuln/detail/CVE-2021-27651
@ -45,3 +45,5 @@ requests:
regex: regex:
- 'Pega 8\.(?:2\.[1-9]|3\.[0-9]|4\.[0-9]|5\.[0-2])' - 'Pega 8\.(?:2\.[1-9]|3\.[0-9]|4\.[0-9]|5\.[0-2])'
part: body part: body
# Enhanced by mp on 2022/05/17

View File

@ -1,11 +1,11 @@
id: CVE-2021-27850 id: CVE-2021-27850
info: info:
name: Apache Tapestry - Arbitrary class download name: Apache Tapestry - Remote Code Execution
author: pdteam author: pdteam
severity: critical severity: critical
description: | description: |
A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. Apache Tapestry contains a critical unauthenticated remote code execution vulnerability. Affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. Note that this vulnerability is a bypass of the fix for CVE-2019-0195. Before that fix it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL.
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-27850 - https://nvd.nist.gov/vuln/detail/CVE-2021-27850
- https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E - https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E
@ -56,3 +56,5 @@ requests:
- 'webtools' - 'webtools'
part: body part: body
condition: and condition: and
# Enhanced by mp on 2022/05/17

View File

@ -1,10 +1,11 @@
id: CVE-2021-27905 id: CVE-2021-27905
info: info:
name: Apache Solr <= 8.8.1 SSRF name: Apache Solr <=8.8.1 - Server-Side Request Forgery
author: hackergautam author: hackergautam
severity: critical severity: critical
description: The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2. description: Apache Solr versions 8.8.1 and prior contain a server-side request forgery vulnerability. The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter.
remediation: This issue is resolved in Apache Solr 8.8.2 and later.
reference: reference:
- https://www.anquanke.com/post/id/238201 - https://www.anquanke.com/post/id/238201
- https://ubuntu.com/security/CVE-2021-27905 - https://ubuntu.com/security/CVE-2021-27905
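Review bot: the trimmed description now ends on "Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter." and the sentence that stated it did not ("Prior to this bug getting fixed, it did not.") was cut, so the text no longer says what the bug is. Keep that sentence, or fold it in as "... did not check these parameters against the configuration it uses for the "shards" parameter, allowing SSRF." The new `remediation:` line is a good addition.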
@ -44,3 +45,5 @@ requests:
words: words:
- '<str name="status">OK</str>' - '<str name="status">OK</str>'
part: body part: body
# Enhanced by mp on 2022/05/17

View File

@ -1,11 +1,10 @@
id: CVE-2021-27931 id: CVE-2021-27931
info: info:
name: LumisXP Blind XXE name: LumisXP <10.0.0 - Blind XML External Entity Attack
author: alph4byt3 author: alph4byt3
severity: critical severity: critical
description: LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes description: LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XML external entity (XXE) attacks via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service.
such as reading local server files or denial of service.
reference: reference:
- https://github.com/sl4cky/LumisXP-XXE---POC/blob/main/poc.txt - https://github.com/sl4cky/LumisXP-XXE---POC/blob/main/poc.txt
- https://nvd.nist.gov/vuln/detail/CVE-2021-27931 - https://nvd.nist.gov/vuln/detail/CVE-2021-27931
@ -36,3 +35,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction part: interactsh_protocol # Confirms the HTTP Interaction
words: words:
- "http" - "http"
# Enhanced by mp on 2022/05/17

View File

@ -1,15 +1,14 @@
id: CVE-2021-28918 id: CVE-2021-28918
info: info:
name: Netmask NPM Package SSRF name: Netmask NPM Package - Server-Side Request Forgery
author: johnjhacking author: johnjhacking
severity: critical severity: critical
description: Improper input validation of octal strings in netmask npm package allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts. description: Netmask NPM Package is susceptible to server-side request forgery because of improper input validation of octal strings in netmask npm package. This allows unauthenticated remote attackers to perform indeterminate SSRF, remote file inclusion, and local file inclusion attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
reference: reference:
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md - https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-28918
- https://github.com/advisories/GHSA-pch5-whg9-qr2r - https://github.com/advisories/GHSA-pch5-whg9-qr2r
- https://github.com/rs/node-netmask - https://nvd.nist.gov/vuln/detail/CVE-2021-28918
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.1 cvss-score: 9.1
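Review bot: the `https://github.com/rs/node-netmask` reference was removed; it is the upstream project where the fix landed and the only link to the code, so keep it alongside the NVD entry. Wording: the package itself makes no requests, so "Netmask NPM Package is susceptible to server-side request forgery" is misleading; the original first sentence ("Improper input validation of octal strings in netmask npm package allows ... SSRF, RFI, and LFI attacks on many of the dependent packages") already said it correctly.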
@ -37,3 +36,5 @@ requests:
- type: regex - type: regex
regex: regex:
- "root:.*:0:0:" - "root:.*:0:0:"
# Enhanced by mp on 2022/05/17

View File

@ -1,10 +1,10 @@
id: CVE-2021-29203 id: CVE-2021-29203
info: info:
name: HPE Edgeline Infrastructure Manager v1.21 Authentication Bypass name: HPE Edgeline Infrastructure Manager <1.22 - Authentication Bypass
author: madrobot author: madrobot
severity: critical severity: critical
description: A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access, causing denial of service, and changing the configuration. HPE has released a software update to resolve the vulnerability in the HPE Edgeline Infrastructure Manager. description: HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22 contains an authentication bypass vulnerability which could be remotely exploited to bypass remote authentication and possibly lead to execution of arbitrary commands, gaining privileged access, causing denial of service, and changing the configuration.
reference: reference:
- https://www.tenable.com/security/research/tra-2021-15 - https://www.tenable.com/security/research/tra-2021-15
- https://nvd.nist.gov/vuln/detail/CVE-2021-29203 - https://nvd.nist.gov/vuln/detail/CVE-2021-29203
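Review bot: the sentence "HPE has released a software update to resolve the vulnerability" was deleted instead of moved; the Solr template in this same commit gains a `remediation:` field for exactly this. Add `remediation: Upgrade to HPE Edgeline Infrastructure Manager 1.22 or later.` (the version comes from the description's "prior to version 1.22") rather than dropping the information.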
@ -52,3 +52,5 @@ requests:
part: body part: body
words: words:
- "Base.1.0.Created" - "Base.1.0.Created"
# Enhanced by mp on 2022/05/17

View File

@ -1,7 +1,7 @@
id: CVE-2021-29441 id: CVE-2021-29441
info: info:
name: Nacos prior to 1.4.1 Authentication Bypass name: Nacos <1.4.1 - Authentication Bypass
author: dwisiswant0 author: dwisiswant0
severity: critical severity: critical
description: | description: |
@ -56,3 +56,5 @@ requests:
words: words:
- "application/json" - "application/json"
part: header part: header
# Enhanced by mp on 2022/05/17

View File

@ -1,13 +1,14 @@
id: CVE-2021-30461 id: CVE-2021-30461
info: info:
name: VoipMonitor Pre-Auth-RCE name: VoipMonitor <24.61 - Remote Code Execution
author: shifacyclewala,hackergautam author: shifacyclewala,hackergautam
severity: critical severity: critical
description: Use of user supplied data, arriving via web interface allows remote unauthenticated users to trigger a remote PHP code execution vulnerability in VoIPmonitor. description: |
VoipMonitor prior to 24.61 is susceptible to remote code execution vulnerabilities because of its use of user supplied data via its web interface, allowing remote unauthenticated users to trigger a remote PHP code execution vulnerability.
reference: reference:
- https://ssd-disclosure.com/ssd-advisory-voipmonitor-unauth-rce/ - https://ssd-disclosure.com/ssd-advisory-voipmonitor-unauth-rce/
- https://ssd-disclosure.com/ssd-advisory--voipmonitor-unauth-rce - https://nvd.nist.gov/vuln/detail/CVE-2021-30461
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
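Review bot: the new description says "susceptible to remote code execution vulnerabilities because of its use of user supplied data ... allowing remote unauthenticated users to trigger a remote PHP code execution vulnerability", which states the same thing twice. Suggest "VoIPmonitor before 24.61 passes user-supplied data from its web interface into PHP code, allowing unauthenticated remote code execution." Also "VoipMonitor" in the name versus "VoIPmonitor" in the old description; settle on one spelling.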
@ -39,3 +40,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by mp on 2022/05/17

View File

@ -1,14 +1,14 @@
id: CVE-2021-3129 id: CVE-2021-3129
info: info:
name: Laravel <= v8.4.2 Debug Mode - Remote Code Execution name: Laravel with Ignition <= v8.4.2 Debug Mode - Remote Code Execution
author: z3bd,pdteam author: z3bd,pdteam
severity: critical severity: critical
description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2. description: Laravel version 8.4.2 and before with Ignition before 2.5.2 allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
reference: reference:
- https://www.ambionics.io/blog/laravel-debug-rce - https://www.ambionics.io/blog/laravel-debug-rce
- https://github.com/vulhub/vulhub/tree/master/laravel/CVE-2021-3129 - https://github.com/vulhub/vulhub/tree/master/laravel/CVE-2021-3129
- https://github.com/facade/ignition/pull/334 - https://nvd.nist.gov/vuln/detail/CVE-2021-3129
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
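Review bot: the rewritten description is internally inconsistent: it opens with "Laravel version 8.4.2 and before" and closes with "exploitable on sites using debug mode with Laravel before 8.4.2", while the name says "<= v8.4.2". The original ("Ignition before 2.5.2, as used in Laravel ... Laravel before 8.4.2") was consistent and also placed the bug in Ignition, which is where it lives. Separately, `https://github.com/facade/ignition/pull/334` is the fix PR; keep it rather than replacing it with the NVD link.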
@ -84,3 +84,5 @@ requests:
- type: regex - type: regex
regex: regex:
- "(u|g)id=.*" - "(u|g)id=.*"
# Enhanced by mp on 2022/05/17

View File

@ -1,10 +1,11 @@
id: CVE-2021-31856 id: CVE-2021-31856
info: info:
name: Layer5 Meshery 0.5.2 SQLi name: Layer5 Meshery 0.5.2 - SQL Injection
author: princechaddha author: princechaddha
severity: critical severity: critical
description: A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go). description: Layer5 Meshery 0.5.2 contains a SQL injection vulnerability in the REST API that allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns
in models/meshery_pattern_persister.go).
reference: reference:
- https://github.com/ssst0n3/CVE-2021-31856 - https://github.com/ssst0n3/CVE-2021-31856
- https://nvd.nist.gov/vuln/detail/CVE-2021-31856 - https://nvd.nist.gov/vuln/detail/CVE-2021-31856
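Review bot: the new description is a plain scalar broken across two lines mid-sentence ("GetMesheryPatterns" / "in models/meshery_pattern_persister.go)"); YAML will fold it, but other templates in this commit use `description: |` for multi-line text (VoipMonitor), so either keep it on one line or switch to the block scalar for consistency.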
@ -33,3 +34,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by mp on 2022/05/17

View File

@ -1,10 +1,10 @@
id: CVE-2021-32172 id: CVE-2021-32172
info: info:
name: Maian Cart 3.8 preauth RCE name: Maian Cart <=3.8 - Remote Code Execution
author: pdteam author: pdteam
severity: critical severity: critical
description: A severe vulnerability has been kindly reported to me by security advisor DreyAnd. The issue concerns the elFinder file manager plugin in Maian Cart and it affects all versions from 3.0 to 3.8. description: Maian Cart 3.0 to 3.8 via the elFinder file manager plugin contains a remote code execution vulnerability.
reference: reference:
- https://dreyand.github.io/maian-cart-rce/ - https://dreyand.github.io/maian-cart-rce/
- https://github.com/DreyAnd/maian-cart-rce - https://github.com/DreyAnd/maian-cart-rce
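Review bot: "Maian Cart 3.0 to 3.8 via the elFinder file manager plugin contains a remote code execution vulnerability" reads as if the version range is "via" the plugin. Suggest "Maian Cart 3.0 through 3.8 contains a pre-authentication remote code execution vulnerability in the bundled elFinder file manager plugin." The old name said "preauth"; that qualifier was lost in the rename and is worth keeping somewhere.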
@ -53,3 +53,5 @@ requests:
- 'contains(body_3, "{{randstr_1}}")' - 'contains(body_3, "{{randstr_1}}")'
- "status_code_3 == 200" - "status_code_3 == 200"
condition: and condition: and
# Enhanced by mp on 2022/05/18

View File

@ -1,15 +1,15 @@
id: CVE-2021-32305 id: CVE-2021-32305
info: info:
name: Websvn 2.6.0 - Remote Code Execution (Unauthenticated) name: Websvn <2.6.1 - Remote Code Execution
author: gy741 author: gy741
severity: critical severity: critical
description: WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter. description: WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-32305
- https://packetstormsecurity.com/files/163225/Websvn-2.6.0-Remote-Code-Execution.html - https://packetstormsecurity.com/files/163225/Websvn-2.6.0-Remote-Code-Execution.html
- https://github.com/websvnphp/websvn/pull/142 - https://github.com/websvnphp/websvn/pull/142
- http://packetstormsecurity.com/files/163225/Websvn-2.6.0-Remote-Code-Execution.html - http://packetstormsecurity.com/files/163225/Websvn-2.6.0-Remote-Code-Execution.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-32305
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
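Review bot: the reference list still contains the same Packet Storm URL twice (`https://` and `http://`); moving the NVD link to the end was the moment to drop the `http://` duplicate.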
@ -30,3 +30,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction part: interactsh_protocol # Confirms the HTTP Interaction
words: words:
- "http" - "http"
# Enhanced by mp on 2022/05/18

View File

@ -1,14 +1,15 @@
id: CVE-2021-33221 id: CVE-2021-33221
info: info:
name: CommScope Ruckus IoT Controller Unauthenticated Service Details name: CommScope Ruckus IoT Controller - Information Disclosure
author: geeknik author: geeknik
severity: critical severity: critical
description: A 'service details' API endpoint discloses system and configuration information to an attacker without requiring authentication. This information includes DNS and NTP servers that the devices use for time and host resolution. It also includes the internal hostname and IoT Controller version. A fully configured device in production may leak other, more sensitive information (API keys and tokens). description: CommScope Ruckus IoT Controller is susceptible to information disclosure vulnerabilities because a 'service details' API endpoint discloses system and configuration information to an attacker without requiring authentication. This information includes DNS and NTP servers that the devices use for time and host resolution. It also includes the internal hostname and IoT Controller version. A fully configured device in production may leak other, more sensitive information (API keys and tokens).
reference: reference:
- https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf - https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf
- http://seclists.org/fulldisclosure/2021/May/72 - http://seclists.org/fulldisclosure/2021/May/72
- https://korelogic.com/advisories.html - https://korelogic.com/advisories.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33221
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
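Review bot: the hunk removes the `cve.mitre.org` reference without adding an `nvd.nist.gov` link, so unlike the other templates in this commit this one is left with no canonical CVE reference; add `- https://nvd.nist.gov/vuln/detail/CVE-2021-33221` in its place. Worth a second check: the name now reads "Information Disclosure" while the unchanged classification keeps `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` at 9.8; confirm that vector matches the NVD record for this CVE rather than only the disclosure the description covers.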
@ -38,3 +39,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by mp on 2022/05/18

View File

@ -1,16 +1,16 @@
id: CVE-2021-33357 id: CVE-2021-33357
info: info:
name: RaspAP <= 2.6.5 - Remote Code Execution name: RaspAP <=2.6.5 - Remote Command Injection
author: pikpikcu,pdteam author: pikpikcu,pdteam
severity: critical severity: critical
description: | description: |
RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands. RaspAP 2.6 to 2.6.5 allows unauthenticated attackers to execute arbitrary OS commands via the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";".
reference: reference:
- https://checkmarx.com/blog/chained-raspap-vulnerabilities-grant-root-level-access/ - https://checkmarx.com/blog/chained-raspap-vulnerabilities-grant-root-level-access/
- https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf - https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf
- https://nvd.nist.gov/vuln/detail/CVE-2021-33357
- https://github.com/RaspAP/raspap-webgui - https://github.com/RaspAP/raspap-webgui
- https://nvd.nist.gov/vuln/detail/CVE-2021-33357
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -40,3 +40,5 @@ requests:
group: 1 group: 1
regex: regex:
- 'GET \/([a-z-]+) HTTP' - 'GET \/([a-z-]+) HTTP'
# Enhanced by mp on 2022/05/18

View File

@ -1,15 +1,16 @@
id: CVE-2021-33564 id: CVE-2021-33564
info: info:
name: Argument Injection in Ruby Dragonfly name: Ruby Dragonfly <1.4.0 - Remote Code Execution
author: 0xsapra author: 0xsapra
severity: critical severity: critical
description: An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility. description: Ruby Dragonfly before 1.4.0 contains an argument injection vulnerability that allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.
reference: reference:
- https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/ - https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/
- https://github.com/markevans/dragonfly/compare/v1.3.0...v1.4.0 - https://github.com/markevans/dragonfly/compare/v1.3.0...v1.4.0
- https://github.com/markevans/dragonfly/commit/25399297bb457f7fcf8e3f91e85945b255b111b5 - https://github.com/markevans/dragonfly/commit/25399297bb457f7fcf8e3f91e85945b255b111b5
- https://github.com/mlr0p/CVE-2021-33564 - https://github.com/mlr0p/CVE-2021-33564
- https://nvd.nist.gov/vuln/detail/CVE-2021-33564
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
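Review bot: the new name "Ruby Dragonfly <1.4.0 - Remote Code Execution" overstates what the rest of the template supports: the description says the argument injection allows arbitrary file read and write and only "may lead to code execution", and the matcher shown in the following hunk (`root:.*:0:0:`) confirms a file read. "Argument Injection" (the original name) or "Arbitrary File Read" describes the detected condition accurately; keep "Remote Code Execution" only if the matcher is changed to verify it.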
@ -31,3 +32,5 @@ requests:
- type: regex - type: regex
regex: regex:
- "root:.*:0:0:" - "root:.*:0:0:"
# Enhanced by mp on 2022/05/18

View File

@ -1,13 +1,11 @@
id: CVE-2021-3378 id: CVE-2021-3378
info: info:
name: FortiLogger Unauthenticated Arbitrary File Upload name: FortiLogger 4.4.2.2 - Arbitrary File Upload
author: dwisiswant0 author: dwisiswant0
severity: critical severity: critical
description: | description: |
This template detects an unauthenticated arbitrary file upload FortiLogger 4.4.2.2 is affected by arbitrary file upload issues. Attackers can send a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then Assets/temp/hotspot/img/logohotspot.asp.
via insecure POST request. It has been tested on version 4.4.2.2 in
Windows 10 Enterprise.
reference: reference:
- https://erberkan.github.io/2021/cve-2021-3378/ - https://erberkan.github.io/2021/cve-2021-3378/
- https://github.com/erberkan/fortilogger_arbitrary_fileupload - https://github.com/erberkan/fortilogger_arbitrary_fileupload
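Review bot: the replacement description's second sentence ("... to Config/SaveUploadedHotspotLogoFile and then Assets/temp/hotspot/img/logohotspot.asp.") has no verb for the second path and reads as a fragment; reword it so it states what that second path is. The old text's testing note ("tested on version 4.4.2.2 in Windows 10 Enterprise") is dropped entirely; if it is still accurate it is useful to users and could move to a `metadata:` field instead of being deleted. Minor: `description: |` now heads a one-line value, where a plain scalar (as the Kramer VIAware template in this same commit uses) would do.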
@ -59,3 +57,5 @@ requests:
- "ASP.NET" - "ASP.NET"
condition: and condition: and
part: header part: header
# Enhanced by mp on 2022/05/18

View File

@ -1,7 +1,7 @@
id: CVE-2021-36356 id: CVE-2021-36356
info: info:
name: Kramer VIAware RCE name: Kramer VIAware - Remote Code Execution
author: gy741 author: gy741
severity: critical severity: critical
description: KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames. description: KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames.
@ -35,3 +35,5 @@ requests:
part: interactsh_protocol part: interactsh_protocol
words: words:
- "http" - "http"
# Enhanced by mp on 2022/05/18

View File

@ -10,6 +10,7 @@ info:
- https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/ - https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/
- https://github.com/horizon3ai/CVE-2021-44077 - https://github.com/horizon3ai/CVE-2021-44077
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/manageengine_servicedesk_plus_cve_2021_44077.rb - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/manageengine_servicedesk_plus_cve_2021_44077.rb
- https://nvd.nist.gov/vuln/detail/CVE-2021-44077
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -31,3 +32,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by mp on 2022/05/18

View File

@ -4,17 +4,19 @@ info:
name: Zoho ManageEngine Desktop Central - Remote Code Execution name: Zoho ManageEngine Desktop Central - Remote Code Execution
author: Adam Crosser author: Adam Crosser
severity: critical severity: critical
description: Zoho Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server. description: Zoho ManageEngine Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server.
reference: reference:
- https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/cisa-adds-13-known-exploited-vulnerabilities-catalog - https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/cisa-adds-13-known-exploited-vulnerabilities-catalog
- https://srcincite.io/blog/2022/01/20/zohowned-a-critical-authentication-bypass-on-zoho-manageengine-desktop-central.html - https://srcincite.io/blog/2022/01/20/zohowned-a-critical-authentication-bypass-on-zoho-manageengine-desktop-central.html
- https://attackerkb.com/topics/rJw4DFI2RQ/cve-2021-44515/rapid7-analysis - https://attackerkb.com/topics/rJw4DFI2RQ/cve-2021-44515/rapid7-analysis
- https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp - https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp
- https://nvd.nist.gov/vuln/detail/CVE-2021-44515
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
cve-id: CVE-2021-44515 cve-id: CVE-2021-44515
cwe-id: CWE-287 cwe-id: CWE-287
remediation: For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.
tags: cve,cve2021,cisa,zoho,rce,manageengine tags: cve,cve2021,cisa,zoho,rce,manageengine
requests: requests:
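Review bot: the new `remediation:` field is a good addition, but only this template gets one, while several others in the same commit also state a fixed version in their new name (Websvn <2.6.1, RaspAP <=2.6.5, Ruby Dragonfly <1.4.0, Easy!Appointments <1.4.3, Formcraft3 <3.8.28); consider adding the matching one-line `remediation:` to those for consistency. Minor: the four build-range sentences here would be easier to scan split across lines under a `|` block scalar, as the multi-line descriptions in this commit already are.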
@ -38,3 +40,5 @@ requests:
part: header part: header
words: words:
- "UEMJSESSIONID=" - "UEMJSESSIONID="
# Enhanced by mp on 2022/05/18

View File

@ -1,15 +1,15 @@
id: CVE-2021-46422 id: CVE-2021-46422
info: info:
name: SDT-CW3B1 1.1.0 - OS command injection name: SDT-CW3B1 1.1.0 - OS Command Injection
author: badboycxcc author: badboycxcc
severity: critical severity: critical
description: | description: |
Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication. Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication.
reference: reference:
- https://www.exploit-db.com/exploits/50936 - https://www.exploit-db.com/exploits/50936
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46422 - https://drive.google.com/drive/folders/1YJlVlb4SlTEGONzIjiMwd2P7ucP_Pm7T?
- https://drive.google.com/drive/folders/1YJlVlb4SlTEGONzIjiMwd2P7ucP_Pm7T?usp=sharing - https://nvd.nist.gov/vuln/detail/CVE-2021-46422
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
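Review bot: the Google Drive reference has been cut from `...?usp=sharing` to a bare `...?`; the dangling `?` looks like an accidental truncation rather than a cleanup. Either restore the full URL or remove the trailing `?` so the link is well-formed. Swapping the `cve.mitre.org` entry for `nvd.nist.gov` matches the other templates in the commit.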
@ -32,3 +32,5 @@ requests:
part: body part: body
regex: regex:
- "root:.*:0:0:" - "root:.*:0:0:"
# Enhanced by mp on 2022/05/18

View File

@ -1,15 +1,15 @@
id: CVE-2021-46424 id: CVE-2021-46424
info: info:
name: TLR-2005KSH - Arbitrary File Delete name: Telesquare TLR-2005KSH 1.0.0 - Arbitrary File Delete
author: gy741 author: gy741
severity: critical severity: critical
description: Telesquare TLR-2005KSH 1.0.0 is affected by an arbitrary file deletion vulnerability that allows a remote attacker to delete any file, even system internal files, via a DELETE request. description: Telesquare TLR-2005KSH 1.0.0 is affected by an arbitrary file deletion vulnerability that allows a remote attacker to delete any file, even system internal files, via a DELETE request.
reference: reference:
- https://dl.packetstormsecurity.net/2205-exploits/tlr2005ksh-filedelete.txt - https://dl.packetstormsecurity.net/2205-exploits/tlr2005ksh-filedelete.txt
- https://nvd.nist.gov/vuln/detail/CVE-2021-46424
- https://drive.google.com/drive/folders/1_e3eJ8fzhCWnCkoRpbLoyQecuKkPR4OD?usp=sharing - https://drive.google.com/drive/folders/1_e3eJ8fzhCWnCkoRpbLoyQecuKkPR4OD?usp=sharing
- http://packetstormsecurity.com/files/167127/TLR-2005KSH-Arbitrary-File-Delete.html - http://packetstormsecurity.com/files/167127/TLR-2005KSH-Arbitrary-File-Delete.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-46424
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
cvss-score: 9.1 cvss-score: 9.1
@ -40,3 +40,5 @@ requests:
- type: dsl - type: dsl
dsl: dsl:
- "status_code_1 == 200 && status_code_2 == 204 && status_code_3 == 404" - "status_code_1 == 200 && status_code_2 == 204 && status_code_3 == 404"
# Enhanced by mp on 2022/05/18

View File

@ -1,16 +1,16 @@
id: CVE-2022-0482 id: CVE-2022-0482
info: info:
name: Easy!Appointments Broken Access Control name: Easy!Appointments <1.4.3 - Broken Access Control
author: francescocarlucci,opencirt author: francescocarlucci,opencirt
severity: critical severity: critical
description: | description: |
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3. Easy!Appointments prior to 1.4.3 allows exposure of Private Personal Information to an unauthorized actor via the GitHub repository alextselegidis/easyappointments.
reference: reference:
- https://huntr.dev/bounties/2fe771ef-b615-45ef-9b4d-625978042e26/ - https://huntr.dev/bounties/2fe771ef-b615-45ef-9b4d-625978042e26/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0482
- https://github.com/alextselegidis/easyappointments - https://github.com/alextselegidis/easyappointments
- https://opencirt.com/hacking/securing-easy-appointments-cve-2022-0482/ - https://opencirt.com/hacking/securing-easy-appointments-cve-2022-0482/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0482
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.1 cvss-score: 9.1
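Review bot: the rewritten description now says the data is exposed "via the GitHub repository alextselegidis/easyappointments", which misstates the issue: the repository identifies the affected project, not the channel through which information leaks. Something like "Easy!Appointments prior to 1.4.3 (GitHub repository alextselegidis/easyappointments) exposes private personal information to an unauthorized actor." keeps the original meaning; the capitalised "Private Personal Information" can also be lower-cased while you are there.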
@ -53,3 +53,5 @@ requests:
- '"appointments":' - '"appointments":'
- '"unavailables":' - '"unavailables":'
condition: and condition: and
# Enhanced by mp on 2022/05/18

View File

@ -1,11 +1,11 @@
id: CVE-2022-0540 id: CVE-2022-0540
info: info:
name: Atlassian Jira Seraph- Authentication Bypass name: Atlassian Jira Seraph - Authentication Bypass
author: DhiyaneshDK author: DhiyaneshDK
severity: critical severity: critical
description: | description: |
A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0. Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.
reference: reference:
- https://blog.viettelcybersecurity.com/cve-2022-0540-authentication-bypass-in-seraph/ - https://blog.viettelcybersecurity.com/cve-2022-0540-authentication-bypass-in-seraph/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0540 - https://nvd.nist.gov/vuln/detail/CVE-2022-0540
@ -34,3 +34,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by mp on 2022/05/18

View File

@ -1,7 +1,7 @@
id: CVE-2022-0543 id: CVE-2022-0543
info: info:
name: Redis Sandbox Escape RCE name: Redis Sandbox Escape - Remote Code Execution
author: dwisiswant0 author: dwisiswant0
severity: critical severity: critical
description: | description: |
@ -9,8 +9,6 @@ info:
vulnerability was introduced by Debian and Ubuntu Redis packages that vulnerability was introduced by Debian and Ubuntu Redis packages that
insufficiently sanitized the Lua environment. The maintainers failed to insufficiently sanitized the Lua environment. The maintainers failed to
disable the package interface, allowing attackers to load arbitrary libraries. disable the package interface, allowing attackers to load arbitrary libraries.
Taken from rapid7/metasploit-framework#16504.
reference: reference:
- https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce - https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce
- https://attackerkb.com/topics/wyA1c1HIC8/cve-2022-0543/rapid7-analysis#rapid7-analysis - https://attackerkb.com/topics/wyA1c1HIC8/cve-2022-0543/rapid7-analysis#rapid7-analysis
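Review bot: deleting "Taken from rapid7/metasploit-framework#16504." removes the attribution for the description text rather than relocating it. If the wording is borrowed from that pull request, keep the credit by adding it to the `reference:` list in URL form (the GitHub PR address for that identifier, `https://github.com/rapid7/metasploit-framework/pull/16504`) instead of dropping it.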
@ -37,3 +35,5 @@ network:
- type: regex - type: regex
regex: regex:
- "root:.*:0:0:" - "root:.*:0:0:"
# Enhanced by mp on 2022/05/18

View File

@ -1,10 +1,10 @@
id: CVE-2022-0591 id: CVE-2022-0591
info: info:
name: Formcraft3 < 3.8.28 - Unauthenticated SSRF name: Formcraft3 <3.8.28 - Server-Side Request Forgery
author: Akincibor author: Akincibor
severity: critical severity: critical
description: The plugin does not validate the URL parameter in the formcraft3_get AJAX action, leading to SSRF issues exploitable by unauthenticated users. description: Formcraft3 before version 3.8.2 does not validate the URL parameter in the formcraft3_get AJAX action, leading to server-side request forgery issues exploitable by unauthenticated users.
reference: reference:
- https://wpscan.com/vulnerability/b5303e63-d640-4178-9237-d0f524b13d47 - https://wpscan.com/vulnerability/b5303e63-d640-4178-9237-d0f524b13d47
- https://nvd.nist.gov/vuln/detail/CVE-2022-0591 - https://nvd.nist.gov/vuln/detail/CVE-2022-0591
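Review bot: version mismatch inside this hunk: the new name says `Formcraft3 <3.8.28` while the new description says "before version 3.8.2"; one of the two is a typo (the WPScan reference should settle which), and both fields must agree before this is merged.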
@ -25,3 +25,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction part: interactsh_protocol # Confirms the HTTP Interaction
words: words:
- "http" - "http"
# Enhanced by mp on 2022/05/18

View File

@ -1,10 +1,10 @@
id: CVE-2022-1020 id: CVE-2022-1020
info: info:
name: Woo Product Table < 3.1.2 - Unauthenticated Arbitrary Function Call name: WordPress WooCommerce <3.1.2 - Arbitrary Function Call
author: Akincibor author: Akincibor
severity: critical severity: critical
description: The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument description: WordPress WooCommerce plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument.
reference: reference:
- https://wpscan.com/vulnerability/04fe89b3-8ad1-482f-a96d-759d1d3a0dd5 - https://wpscan.com/vulnerability/04fe89b3-8ad1-482f-a96d-759d1d3a0dd5
- https://nvd.nist.gov/vuln/detail/CVE-2022-1020 - https://nvd.nist.gov/vuln/detail/CVE-2022-1020
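Review bot: the new name and description attribute the flaw to "WordPress WooCommerce" before 3.1.2, but the removed text identifies the affected component as the Product Table for WooCommerce plugin (slug wooproducttable); WooCommerce itself is a different product with a different version line, so the rewrite changes what the template claims to detect. Keep the plugin name in both fields, e.g. "WordPress Product Table for WooCommerce <3.1.2 - Arbitrary Function Call" and "The Product Table for WooCommerce (wooproducttable) plugin before 3.1.2 ...". The added full stop at the end of the description is correct.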
@ -42,3 +42,5 @@ requests:
group: 1 group: 1
regex: regex:
- '>PHP Version <\/td><td class="v">([0-9.]+)' - '>PHP Version <\/td><td class="v">([0-9.]+)'
# Enhanced by mp on 2022/05/18

View File

@ -11,6 +11,8 @@ info:
reference: reference:
- https://wpscan.com/vulnerability/faff9484-9fc7-4300-bdad-9cd8a30a9a4e - https://wpscan.com/vulnerability/faff9484-9fc7-4300-bdad-9cd8a30a9a4e
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1597 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1597
classification:
cve-id: CVE-2022-1598
metadata: metadata:
verified: true verified: true
google-dork: inurl:/wp-content/plugins/wpqa google-dork: inurl:/wp-content/plugins/wpqa
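Review bot: the added `cve-id: CVE-2022-1598` does not match the CVE in the reference line directly above it (`cvename.cgi?name=CVE-2022-1597`); one of the two is wrong. The template's `id:` and tags are outside this hunk, so confirm against them which CVE this template covers, and if both apply, list both.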

View File

@ -4,7 +4,8 @@ info:
name: Wavlink Wn535g3 - POST XSS name: Wavlink Wn535g3 - POST XSS
author: For3stCo1d author: For3stCo1d
severity: high severity: high
description: WAVLINK WN535 G3 was discovered to contain a cross-site scripting (XSS) vulnerability via the hostname parameter at /cgi-bin/login.cgi. description: |
WAVLINK WN535 G3 was discovered to contain a cross-site scripting (XSS) vulnerability via the hostname parameter at /cgi-bin/login.cgi.
reference: reference:
- https://github.com/badboycxcc/XSS-CVE-2022-30489 - https://github.com/badboycxcc/XSS-CVE-2022-30489
- https://nvd.nist.gov/vuln/detail/CVE-2022-30489 - https://nvd.nist.gov/vuln/detail/CVE-2022-30489
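Review bot: the name "Wavlink Wn535g3 - POST XSS" is left untouched while the rest of this commit normalises names to the "<Product> <version> - <Vulnerability class>" form ("- Remote Code Execution", "- Server-Side Request Forgery", "- OS Command Injection"); "Wavlink WN535 G3 - Cross-Site Scripting" would follow that convention and match the product name used in the description. Converting the one-line description to `description: |` changes nothing in the rendered value, so the plain scalar can stay.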
@ -12,6 +13,8 @@ info:
metadata: metadata:
shodan-query: http.title:"Wi-Fi APP Login" shodan-query: http.title:"Wi-Fi APP Login"
verified: "true" verified: "true"
classification:
cve-id: CVE-2022-30489
tags: xss,cve2022,wavlink,cve,router,iot tags: xss,cve2022,wavlink,cve,router,iot
requests: requests:
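Review bot: field ordering: this hunk inserts `classification:` after `metadata:`, whereas the wpqa hunk earlier in this commit inserts it before `metadata:`, and every other template on this page places `classification:` directly after `reference:`. Pick one order (classification before metadata matches the existing templates); the Zyxel hunk that follows has the same placement and should be adjusted together with this one.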

View File

@ -13,6 +13,8 @@ info:
- https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml - https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml
metadata: metadata:
shodan-query: title:"USG FLEX 100","USG FLEX 100w","USG FLEX 200","USG FLEX 500","USG FLEX 700","USG FLEX 50","USG FLEX 50w","ATP100","ATP200","ATP500","ATP700" shodan-query: title:"USG FLEX 100","USG FLEX 100w","USG FLEX 200","USG FLEX 500","USG FLEX 700","USG FLEX 50","USG FLEX 50w","ATP100","ATP200","ATP500","ATP700"
classification:
cve-id: CVE-2022-30525
tags: rce,zyxel,cve,cve2022,firewall,unauth tags: rce,zyxel,cve,cve2022,firewall,unauth
requests: requests:

View File

@ -3,7 +3,7 @@ id: yonyou-ufida-nc-workflow
info: info:
name: Yonyou Ufida NC Security Checks name: Yonyou Ufida NC Security Checks
author: Arm!tage author: Arm!tage
description: A simple workflow that runs all yonyou ufida nc related nuclei templates on a given target. description: A simple workflow that runs all Yonyou Network Technology Co. (Ufida) NC related nuclei templates on a given target.
workflows: workflows:
- template: technologies/fingerprinthub-web-fingerprints.yaml - template: technologies/fingerprinthub-web-fingerprints.yaml