parent
bf7d533b26
commit
5eb6b79331
|
@ -1,13 +1,19 @@
|
|||
id: CNVD-2020-46552
|
||||
|
||||
info:
|
||||
name: Sangfor EDR Tool - Remote Code Execution
|
||||
name: Sangfor EDR - Remote Code Execution
|
||||
author: ritikchaddha
|
||||
severity: critical
|
||||
description: There is a RCE vulnerability in Sangfor Endpoint Monitoring and Response Platform (EDR). An attacker could exploit this vulnerability by constructing an HTTP request, and an attacker who successfully exploited this vulnerability could execute arbitrary commands on the target host.
|
||||
description: Sangfor Endpoint Monitoring and Response Platform (EDR) contains a remote code execution vulnerability. An attacker could exploit this vulnerability by constructing an HTTP request which could execute arbitrary commands on the target host.
|
||||
reference:
|
||||
- https://www.modb.pro/db/144475
|
||||
- https://blog.csdn.net/bigblue00/article/details/108434009
|
||||
- https://cn-sec.com/archives/721509.html
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
cve-id:
|
||||
cwe-id: CWE-77
|
||||
tags: cnvd,cnvd2020,sangfor,rce
|
||||
|
||||
requests:
|
||||
|
@ -23,3 +29,5 @@ requests:
|
|||
- 'contains(body, "Log Helper")'
|
||||
- 'status_code == 200'
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/18
|
||||
|
|
|
@ -4,12 +4,12 @@ info:
|
|||
name: Tiki Wiki CMS Groupware 5.2 - Local File Inclusion
|
||||
author: 0x_akoko
|
||||
severity: critical
|
||||
description: Tiki Wiki CMS Groupware 5.2 has Local File Inclusion
|
||||
description: Tiki Wiki CMS Groupware 5.2 is susceptible to a local file inclusion vulnerability.
|
||||
reference:
|
||||
- https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-lfi.txt
|
||||
- https://www.cvedetails.com/cve/CVE-2010-4239
|
||||
- https://www.openwall.com/lists/oss-security/2010/11/22/9
|
||||
- https://security-tracker.debian.org/tracker/CVE-2010-4239
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-4239
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -30,3 +30,5 @@ requests:
|
|||
- "fonts"
|
||||
- "extensions"
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/18
|
||||
|
|
|
@ -4,7 +4,7 @@ info:
|
|||
name: NCBI ToolBox - Directory Traversal
|
||||
author: 0x_Akoko
|
||||
severity: critical
|
||||
description: A path traversal vulnerability exists in viewcgi.c in the 2.0.7 through 2.2.26 legacy versions of the NCBI ToolBox, which may result in reading of arbitrary files (i.e., significant information disclosure) or file deletion via the nph-viewgif.cgi query string.
|
||||
description: NCBI ToolBox 2.0.7 through 2.2.26 legacy versions contain a path traversal vulnerability via viewcgi.cgi which may result in reading of arbitrary files (i.e., significant information disclosure) or file deletion via the nph-viewgif.cgi query string.
|
||||
reference:
|
||||
- https://github.com/grymer/CVE/blob/master/CVE-2018-16716.md
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-16716
|
||||
|
@ -29,3 +29,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/18
|
||||
|
|
|
@ -6,11 +6,10 @@ info:
|
|||
severity: critical
|
||||
description: Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation when evaluated on raw user input in tag attributes, which may lead to remote code execution.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-0230
|
||||
- https://cwiki.apache.org/confluence/display/WW/S2-059
|
||||
- https://www.tenable.com/blog/cve-2019-0230-apache-struts-potential-remote-code-execution-vulnerability
|
||||
- https://cwiki.apache.org/confluence/display/ww/s2-059
|
||||
- http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-0230
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: critical
|
||||
description: D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565 contain an unauthenticated remote code execution vulnerability. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these issues also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-16920
|
||||
- https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r
|
||||
- https://fortiguard.com/zeroday/FG-VD-19-117
|
||||
- https://www.seebug.org/vuldb/ssvid-98079
|
||||
|
|
|
@ -7,10 +7,10 @@ info:
|
|||
description: |
|
||||
WordPress Contact Form 7 before 1.3.3.3 allows unrestricted file upload and remote code execution by setting supported_type to php% and uploading a .php% file.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-12800
|
||||
- https://github.com/amartinsec/CVE-2020-12800
|
||||
- https://packetstormsecurity.com/files/157951/WordPress-Drag-And-Drop-Multi-File-Uploader-Remote-Code-Execution.html
|
||||
- https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/#developers
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-12800
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
|
|
@ -12,9 +12,9 @@ info:
|
|||
reference:
|
||||
- https://securityboulevard.com/2020/11/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/
|
||||
- https://twitter.com/chybeta/status/1328912309440311297
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-13942
|
||||
- http://unomi.apache.org./security/cve-2020-13942.txt
|
||||
- https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118@%3Cusers.unomi.apache.org%3E
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-13942
|
||||
remediation: Apache Unomi users should upgrade to 1.5.2 or later.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
id: CVE-2021-25281
|
||||
|
||||
info:
|
||||
name: SaltStack wheel_async unauth access
|
||||
name: SaltStack Salt <3002.5 - Auth Bypass
|
||||
author: madrobot
|
||||
severity: critical
|
||||
description: The SaltAPI does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
|
||||
description: SaltStack Salt before 3002.5 does not honor eauth credentials for the wheel_async client, allowing attackers to remotely run any wheel modules on the master.
|
||||
reference:
|
||||
- http://hackdig.com/02/hack-283902.htm
|
||||
- https://dozer.nz/posts/saltapi-vulns
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-25281
|
||||
- https://github.com/saltstack/salt/releases
|
||||
- https://www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21/
|
||||
classification:
|
||||
|
@ -41,3 +42,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/17
|
||||
|
|
|
@ -1,13 +1,10 @@
|
|||
id: CVE-2021-26084
|
||||
|
||||
info:
|
||||
name: Confluence Server OGNL injection - RCE
|
||||
name: Confluence Server - Remote Code Execution
|
||||
author: dhiyaneshDk,philippedelteil
|
||||
severity: critical
|
||||
description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary
|
||||
code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled.
|
||||
To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from
|
||||
version 7.12.0 before 7.12.5.
|
||||
description: Confluence Server and Data Center contain an OGNL injection vulnerability that could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled. To check whether this is enabled go to COG > User Management > User Signup Options.
|
||||
reference:
|
||||
- https://jira.atlassian.com/browse/CONFSERVER-67940
|
||||
- https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-26084
|
||||
|
@ -58,3 +55,5 @@ requests:
|
|||
part: body
|
||||
words:
|
||||
- 'value="aaaa{140592=null}'
|
||||
|
||||
# Enhanced by mp on 2022/05/17
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-26295
|
||||
|
||||
info:
|
||||
name: Apache OFBiz RMI Deserialization - Remote Code Execution
|
||||
name: Apache OFBiz <17.12.06 - Arbitrary Code Execution
|
||||
author: madrobot
|
||||
severity: critical
|
||||
description: |
|
||||
|
@ -11,6 +11,8 @@ info:
|
|||
- https://packetstormsecurity.com/files/162104/Apache-OFBiz-SOAP-Java-Deserialization.html
|
||||
- https://github.com/zhzyker/exphub/tree/master/ofbiz
|
||||
- https://lists.apache.org/thread.html/r3c1802eaf34aa78a61b4e8e044c214bc94accbd28a11f3a276586a31%40%3Cuser.ofbiz.apache.org%3E
|
||||
- https://lists.apache.org/thread.html/r6e4579c4ebf7efeb462962e359501c6ca4045687f12212551df2d607@%3Cnotifications.ofbiz.apache.org%3E
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-26295
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -51,8 +53,11 @@ requests:
|
|||
part: body
|
||||
words:
|
||||
- "errorMessage"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "OFBiz.Visitor="
|
||||
|
||||
# Enhanced by mp on 2022/05/17
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
id: CVE-2021-27132
|
||||
|
||||
info:
|
||||
name: CRLF Injection - Sercomm VD625
|
||||
name: Sercomm VD625 Smart Modems - CRLF Injection
|
||||
author: geeknik
|
||||
severity: critical
|
||||
description: Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT_2.1.0 are vulnerable to CRLF Injection via the Content-Disposition header - https://cybertuz.com/blog/post/crlf-injection-CVE-2021-27132
|
||||
description: Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT_2.1.0 are vulnerable to Carriage Return Line Feed (CRLF) injection via the Content-Disposition header.
|
||||
reference:
|
||||
- https://cybertuz.com/blog/post/crlf-injection-CVE-2021-27132
|
||||
- http://sercomm.com
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-27132
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -35,3 +36,5 @@ requests:
|
|||
- "X-XSS-Protection:0"
|
||||
part: header
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/17
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
id: CVE-2021-27561
|
||||
|
||||
info:
|
||||
name: YeaLink DM PreAuth RCE
|
||||
name: YeaLink DM 3.6.0.20 - Remote Command Injection
|
||||
author: shifacyclewala,hackergautam
|
||||
severity: critical
|
||||
description: A malicious actor can trigger Unauthenticated Remote Code Execution
|
||||
description: Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.
|
||||
reference:
|
||||
- https://ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/
|
||||
- https://ssd-disclosure.com/?p=4688
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27561
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -43,3 +43,5 @@ requests:
|
|||
- type: regex
|
||||
regex:
|
||||
- "(u|g)id=.*"
|
||||
|
||||
# Enhanced by mp on 2022/05/17
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2021-27651
|
||||
|
||||
info:
|
||||
name: Pega Infinity Authentication bypass
|
||||
name: Pega Infinity - Authentication Bypass
|
||||
author: idealphase
|
||||
severity: critical
|
||||
description: In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.
|
||||
description: Pega Infinity versions 8.2.1 through 8.5.2 contain an authentication bypass vulnerability because the password reset functionality for local accounts can be used to bypass local authentication checks.
|
||||
reference:
|
||||
- https://github.com/samwcyo/CVE-2021-27651-PoC/blob/main/RCE.md
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-27651
|
||||
|
@ -45,3 +45,5 @@ requests:
|
|||
regex:
|
||||
- 'Pega 8\.(?:2\.[1-9]|3\.[0-9]|4\.[0-9]|5\.[0-2])'
|
||||
part: body
|
||||
|
||||
# Enhanced by mp on 2022/05/17
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2021-27850
|
||||
|
||||
info:
|
||||
name: Apache Tapestry - Arbitrary class download
|
||||
name: Apache Tapestry - Remote Code Execution
|
||||
author: pdteam
|
||||
severity: critical
|
||||
description: |
|
||||
A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL.
|
||||
Apache Tapestry contains a critical unauthenticated remote code execution vulnerability. Affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. Note that this vulnerability is a bypass of the fix for CVE-2019-0195. Before that fix it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-27850
|
||||
- https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E
|
||||
|
@ -56,3 +56,5 @@ requests:
|
|||
- 'webtools'
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/17
|
||||
|
|
|
@ -1,10 +1,11 @@
|
|||
id: CVE-2021-27905
|
||||
|
||||
info:
|
||||
name: Apache Solr <= 8.8.1 SSRF
|
||||
name: Apache Solr <=8.8.1 - Server-Side Request Forgery
|
||||
author: hackergautam
|
||||
severity: critical
|
||||
description: The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
|
||||
description: Apache Solr versions 8.8.1 and prior contain a server-side request forgery vulnerability. The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter.
|
||||
remediation: This issue is resolved in Apache Solr 8.8.2 and later.
|
||||
reference:
|
||||
- https://www.anquanke.com/post/id/238201
|
||||
- https://ubuntu.com/security/CVE-2021-27905
|
||||
|
@ -44,3 +45,5 @@ requests:
|
|||
words:
|
||||
- '<str name="status">OK</str>'
|
||||
part: body
|
||||
|
||||
# Enhanced by mp on 2022/05/17
|
||||
|
|
|
@ -1,11 +1,10 @@
|
|||
id: CVE-2021-27931
|
||||
|
||||
info:
|
||||
name: LumisXP Blind XXE
|
||||
name: LumisXP <10.0.0 - Blind XML External Entity Attack
|
||||
author: alph4byt3
|
||||
severity: critical
|
||||
description: LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes
|
||||
such as reading local server files or denial of service.
|
||||
description: LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XML external entity (XXE) attacks via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service.
|
||||
reference:
|
||||
- https://github.com/sl4cky/LumisXP-XXE---POC/blob/main/poc.txt
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-27931
|
||||
|
@ -36,3 +35,5 @@ requests:
|
|||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
||||
|
||||
# Enhanced by mp on 2022/05/17
|
||||
|
|
|
@ -1,15 +1,14 @@
|
|||
id: CVE-2021-28918
|
||||
|
||||
info:
|
||||
name: Netmask NPM Package SSRF
|
||||
name: Netmask NPM Package - Server-Side Request Forgery
|
||||
author: johnjhacking
|
||||
severity: critical
|
||||
description: Improper input validation of octal strings in netmask npm package allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
|
||||
description: Netmask NPM Package is susceptible to server-side request forgery because of improper input validation of octal strings in netmask npm package. This allows unauthenticated remote attackers to perform indeterminate SSRF, remote file inclusion, and local file inclusion attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
|
||||
reference:
|
||||
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-28918
|
||||
- https://github.com/advisories/GHSA-pch5-whg9-qr2r
|
||||
- https://github.com/rs/node-netmask
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-28918
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
|
||||
cvss-score: 9.1
|
||||
|
@ -37,3 +36,5 @@ requests:
|
|||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
# Enhanced by mp on 2022/05/17
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2021-29203
|
||||
|
||||
info:
|
||||
name: HPE Edgeline Infrastructure Manager v1.21 Authentication Bypass
|
||||
name: HPE Edgeline Infrastructure Manager <1.22 - Authentication Bypass
|
||||
author: madrobot
|
||||
severity: critical
|
||||
description: A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access, causing denial of service, and changing the configuration. HPE has released a software update to resolve the vulnerability in the HPE Edgeline Infrastructure Manager.
|
||||
description: HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22 contains an authentication bypass vulnerability which could be remotely exploited to bypass remote authentication and possibly lead to execution of arbitrary commands, gaining privileged access, causing denial of service, and changing the configuration.
|
||||
reference:
|
||||
- https://www.tenable.com/security/research/tra-2021-15
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-29203
|
||||
|
@ -52,3 +52,5 @@ requests:
|
|||
part: body
|
||||
words:
|
||||
- "Base.1.0.Created"
|
||||
|
||||
# Enhanced by mp on 2022/05/17
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-29441
|
||||
|
||||
info:
|
||||
name: Nacos prior to 1.4.1 Authentication Bypass
|
||||
name: Nacos <1.4.1 - Authentication Bypass
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: |
|
||||
|
@ -56,3 +56,5 @@ requests:
|
|||
words:
|
||||
- "application/json"
|
||||
part: header
|
||||
|
||||
# Enhanced by mp on 2022/05/17
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
id: CVE-2021-30461
|
||||
|
||||
info:
|
||||
name: VoipMonitor Pre-Auth-RCE
|
||||
name: VoipMonitor <24.61 - Remote Code Execution
|
||||
author: shifacyclewala,hackergautam
|
||||
severity: critical
|
||||
description: Use of user supplied data, arriving via web interface allows remote unauthenticated users to trigger a remote PHP code execution vulnerability in VoIPmonitor.
|
||||
description: |
|
||||
VoipMonitor prior to 24.61 is susceptible to remote code execution vulnerabilities because of its use of user supplied data via its web interface, allowing remote unauthenticated users to trigger a remote PHP code execution vulnerability.
|
||||
reference:
|
||||
- https://ssd-disclosure.com/ssd-advisory-voipmonitor-unauth-rce/
|
||||
- https://ssd-disclosure.com/ssd-advisory--voipmonitor-unauth-rce
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-30461
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -39,3 +40,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/17
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
id: CVE-2021-3129
|
||||
|
||||
info:
|
||||
name: Laravel <= v8.4.2 Debug Mode - Remote Code Execution
|
||||
name: Laravel with Ignition <= v8.4.2 Debug Mode - Remote Code Execution
|
||||
author: z3bd,pdteam
|
||||
severity: critical
|
||||
description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
|
||||
description: Laravel version 8.4.2 and before with Ignition before 2.5.2 allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
|
||||
reference:
|
||||
- https://www.ambionics.io/blog/laravel-debug-rce
|
||||
- https://github.com/vulhub/vulhub/tree/master/laravel/CVE-2021-3129
|
||||
- https://github.com/facade/ignition/pull/334
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-3129
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -84,3 +84,5 @@ requests:
|
|||
- type: regex
|
||||
regex:
|
||||
- "(u|g)id=.*"
|
||||
|
||||
# Enhanced by mp on 2022/05/17
|
||||
|
|
|
@ -1,10 +1,11 @@
|
|||
id: CVE-2021-31856
|
||||
|
||||
info:
|
||||
name: Layer5 Meshery 0.5.2 SQLi
|
||||
name: Layer5 Meshery 0.5.2 - SQL Injection
|
||||
author: princechaddha
|
||||
severity: critical
|
||||
description: A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go).
|
||||
description: Layer5 Meshery 0.5.2 contains a SQL injection vulnerability in the REST API that allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns
|
||||
in models/meshery_pattern_persister.go).
|
||||
reference:
|
||||
- https://github.com/ssst0n3/CVE-2021-31856
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-31856
|
||||
|
@ -33,3 +34,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/17
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2021-32172
|
||||
|
||||
info:
|
||||
name: Maian Cart 3.8 preauth RCE
|
||||
name: Maian Cart <=3.8 - Remote Code Execution
|
||||
author: pdteam
|
||||
severity: critical
|
||||
description: A severe vulnerability has been kindly reported to me by security advisor DreyAnd. The issue concerns the elFinder file manager plugin in Maian Cart and it affects all versions from 3.0 to 3.8.
|
||||
description: Maian Cart 3.0 to 3.8 via the elFinder file manager plugin contains a remote code execution vulnerability.
|
||||
reference:
|
||||
- https://dreyand.github.io/maian-cart-rce/
|
||||
- https://github.com/DreyAnd/maian-cart-rce
|
||||
|
@ -53,3 +53,5 @@ requests:
|
|||
- 'contains(body_3, "{{randstr_1}}")'
|
||||
- "status_code_3 == 200"
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/18
|
||||
|
|
|
@ -1,15 +1,15 @@
|
|||
id: CVE-2021-32305
|
||||
|
||||
info:
|
||||
name: Websvn 2.6.0 - Remote Code Execution (Unauthenticated)
|
||||
name: Websvn <2.6.1 - Remote Code Execution
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-32305
|
||||
- https://packetstormsecurity.com/files/163225/Websvn-2.6.0-Remote-Code-Execution.html
|
||||
- https://github.com/websvnphp/websvn/pull/142
|
||||
- http://packetstormsecurity.com/files/163225/Websvn-2.6.0-Remote-Code-Execution.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-32305
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -30,3 +30,5 @@ requests:
|
|||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
||||
|
||||
# Enhanced by mp on 2022/05/18
|
||||
|
|
|
@ -1,14 +1,15 @@
|
|||
id: CVE-2021-33221
|
||||
|
||||
info:
|
||||
name: CommScope Ruckus IoT Controller Unauthenticated Service Details
|
||||
name: CommScope Ruckus IoT Controller - Information Disclosure
|
||||
author: geeknik
|
||||
severity: critical
|
||||
description: A 'service details' API endpoint discloses system and configuration information to an attacker without requiring authentication. This information includes DNS and NTP servers that the devices use for time and host resolution. It also includes the internal hostname and IoT Controller version. A fully configured device in production may leak other, more sensitive information (API keys and tokens).
|
||||
description: CommScope Ruckus IoT Controller is susceptible to information disclosure vulnerabilities because a 'service details' API endpoint discloses system and configuration information to an attacker without requiring authentication. This information includes DNS and NTP servers that the devices use for time and host resolution. It also includes the internal hostname and IoT Controller version. A fully configured device in production may leak other, more sensitive information (API keys and tokens).
|
||||
reference:
|
||||
- https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf
|
||||
- http://seclists.org/fulldisclosure/2021/May/72
|
||||
- https://korelogic.com/advisories.html
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33221
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -38,3 +39,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/18
|
||||
|
|
|
@ -1,16 +1,16 @@
|
|||
id: CVE-2021-33357
|
||||
|
||||
info:
|
||||
name: RaspAP <= 2.6.5 - Remote Code Execution
|
||||
name: RaspAP <=2.6.5 - Remote Command Injection
|
||||
author: pikpikcu,pdteam
|
||||
severity: critical
|
||||
description: |
|
||||
RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands.
|
||||
RaspAP 2.6 to 2.6.5 allows unauthenticated attackers to execute arbitrary OS commands via the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";".
|
||||
reference:
|
||||
- https://checkmarx.com/blog/chained-raspap-vulnerabilities-grant-root-level-access/
|
||||
- https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-33357
|
||||
- https://github.com/RaspAP/raspap-webgui
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-33357
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -40,3 +40,5 @@ requests:
|
|||
group: 1
|
||||
regex:
|
||||
- 'GET \/([a-z-]+) HTTP'
|
||||
|
||||
# Enhanced by mp on 2022/05/18
|
||||
|
|
|
@ -1,15 +1,16 @@
|
|||
id: CVE-2021-33564
|
||||
|
||||
info:
|
||||
name: Argument Injection in Ruby Dragonfly
|
||||
name: Ruby Dragonfly <1.4.0 - Remote Code Execution
|
||||
author: 0xsapra
|
||||
severity: critical
|
||||
description: An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.
|
||||
description: Ruby Dragonfly before 1.4.0 contains an argument injection vulnerability that allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.
|
||||
reference:
|
||||
- https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/
|
||||
- https://github.com/markevans/dragonfly/compare/v1.3.0...v1.4.0
|
||||
- https://github.com/markevans/dragonfly/commit/25399297bb457f7fcf8e3f91e85945b255b111b5
|
||||
- https://github.com/mlr0p/CVE-2021-33564
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-33564
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -31,3 +32,5 @@ requests:
|
|||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
# Enhanced by mp on 2022/05/18
|
||||
|
|
|
@ -1,13 +1,11 @@
|
|||
id: CVE-2021-3378
|
||||
|
||||
info:
|
||||
name: FortiLogger Unauthenticated Arbitrary File Upload
|
||||
name: FortiLogger 4.4.2.2 - Arbitrary File Upload
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: |
|
||||
This template detects an unauthenticated arbitrary file upload
|
||||
via insecure POST request. It has been tested on version 4.4.2.2 in
|
||||
Windows 10 Enterprise.
|
||||
FortiLogger 4.4.2.2 is affected by arbitrary file upload issues. Attackers can send a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then Assets/temp/hotspot/img/logohotspot.asp.
|
||||
reference:
|
||||
- https://erberkan.github.io/2021/cve-2021-3378/
|
||||
- https://github.com/erberkan/fortilogger_arbitrary_fileupload
|
||||
|
@ -59,3 +57,5 @@ requests:
|
|||
- "ASP.NET"
|
||||
condition: and
|
||||
part: header
|
||||
|
||||
# Enhanced by mp on 2022/05/18
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-36356
|
||||
|
||||
info:
|
||||
name: Kramer VIAware RCE
|
||||
name: Kramer VIAware - Remote Code Execution
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames.
|
||||
|
@ -35,3 +35,5 @@ requests:
|
|||
part: interactsh_protocol
|
||||
words:
|
||||
- "http"
|
||||
|
||||
# Enhanced by mp on 2022/05/18
|
||||
|
|
|
@ -10,6 +10,7 @@ info:
|
|||
- https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/
|
||||
- https://github.com/horizon3ai/CVE-2021-44077
|
||||
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/manageengine_servicedesk_plus_cve_2021_44077.rb
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-44077
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -31,3 +32,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/18
|
||||
|
|
|
@ -4,17 +4,19 @@ info:
|
|||
name: Zoho ManageEngine Desktop Central - Remote Code Execution
|
||||
author: Adam Crosser
|
||||
severity: critical
|
||||
description: Zoho Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server.
|
||||
description: Zoho ManageEngine Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server.
|
||||
reference:
|
||||
- https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/cisa-adds-13-known-exploited-vulnerabilities-catalog
|
||||
- https://srcincite.io/blog/2022/01/20/zohowned-a-critical-authentication-bypass-on-zoho-manageengine-desktop-central.html
|
||||
- https://attackerkb.com/topics/rJw4DFI2RQ/cve-2021-44515/rapid7-analysis
|
||||
- https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-44515
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2021-44515
|
||||
cwe-id: CWE-287
|
||||
remediation: For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.
|
||||
tags: cve,cve2021,cisa,zoho,rce,manageengine
|
||||
|
||||
requests:
|
||||
|
@ -38,3 +40,5 @@ requests:
|
|||
part: header
|
||||
words:
|
||||
- "UEMJSESSIONID="
|
||||
|
||||
# Enhanced by mp on 2022/05/18
|
||||
|
|
|
@ -1,15 +1,15 @@
|
|||
id: CVE-2021-46422
|
||||
|
||||
info:
|
||||
name: SDT-CW3B1 1.1.0 - OS command injection
|
||||
name: SDT-CW3B1 1.1.0 - OS Command Injection
|
||||
author: badboycxcc
|
||||
severity: critical
|
||||
description: |
|
||||
Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/50936
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46422
|
||||
- https://drive.google.com/drive/folders/1YJlVlb4SlTEGONzIjiMwd2P7ucP_Pm7T?usp=sharing
|
||||
- https://drive.google.com/drive/folders/1YJlVlb4SlTEGONzIjiMwd2P7ucP_Pm7T?
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-46422
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -32,3 +32,5 @@ requests:
|
|||
part: body
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
# Enhanced by mp on 2022/05/18
|
||||
|
|
|
@ -1,15 +1,15 @@
|
|||
id: CVE-2021-46424
|
||||
|
||||
info:
|
||||
name: TLR-2005KSH - Arbitrary File Delete
|
||||
name: Telesquare TLR-2005KSH 1.0.0 - Arbitrary File Delete
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: Telesquare TLR-2005KSH 1.0.0 is affected by an arbitrary file deletion vulnerability that allows a remote attacker to delete any file, even system internal files, via a DELETE request.
|
||||
reference:
|
||||
- https://dl.packetstormsecurity.net/2205-exploits/tlr2005ksh-filedelete.txt
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-46424
|
||||
- https://drive.google.com/drive/folders/1_e3eJ8fzhCWnCkoRpbLoyQecuKkPR4OD?usp=sharing
|
||||
- http://packetstormsecurity.com/files/167127/TLR-2005KSH-Arbitrary-File-Delete.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-46424
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
|
||||
cvss-score: 9.1
|
||||
|
@ -40,3 +40,5 @@ requests:
|
|||
- type: dsl
|
||||
dsl:
|
||||
- "status_code_1 == 200 && status_code_2 == 204 && status_code_3 == 404"
|
||||
|
||||
# Enhanced by mp on 2022/05/18
|
||||
|
|
|
@ -1,16 +1,16 @@
|
|||
id: CVE-2022-0482
|
||||
|
||||
info:
|
||||
name: Easy!Appointments Broken Access Control
|
||||
name: Easy!Appointments <1.4.3 - Broken Access Control
|
||||
author: francescocarlucci,opencirt
|
||||
severity: critical
|
||||
description: |
|
||||
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3.
|
||||
Easy!Appointments prior to 1.4.3 allows exposure of Private Personal Information to an unauthorized actor via the GitHub repository alextselegidis/easyappointments.
|
||||
reference:
|
||||
- https://huntr.dev/bounties/2fe771ef-b615-45ef-9b4d-625978042e26/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0482
|
||||
- https://github.com/alextselegidis/easyappointments
|
||||
- https://opencirt.com/hacking/securing-easy-appointments-cve-2022-0482/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0482
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
|
||||
cvss-score: 9.1
|
||||
|
@ -53,3 +53,5 @@ requests:
|
|||
- '"appointments":'
|
||||
- '"unavailables":'
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/18
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-0540
|
||||
|
||||
info:
|
||||
name: Atlassian Jira Seraph- Authentication Bypass
|
||||
name: Atlassian Jira Seraph - Authentication Bypass
|
||||
author: DhiyaneshDK
|
||||
severity: critical
|
||||
description: |
|
||||
A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.
|
||||
Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.
|
||||
reference:
|
||||
- https://blog.viettelcybersecurity.com/cve-2022-0540-authentication-bypass-in-seraph/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0540
|
||||
|
@ -34,3 +34,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/18
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2022-0543
|
||||
|
||||
info:
|
||||
name: Redis Sandbox Escape RCE
|
||||
name: Redis Sandbox Escape - Remote Code Execution
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: |
|
||||
|
@ -9,8 +9,6 @@ info:
|
|||
vulnerability was introduced by Debian and Ubuntu Redis packages that
|
||||
insufficiently sanitized the Lua environment. The maintainers failed to
|
||||
disable the package interface, allowing attackers to load arbitrary libraries.
|
||||
|
||||
Taken from rapid7/metasploit-framework#16504.
|
||||
reference:
|
||||
- https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce
|
||||
- https://attackerkb.com/topics/wyA1c1HIC8/cve-2022-0543/rapid7-analysis#rapid7-analysis
|
||||
|
@ -37,3 +35,5 @@ network:
|
|||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
# Enhanced by mp on 2022/05/18
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2022-0591
|
||||
|
||||
info:
|
||||
name: Formcraft3 < 3.8.28 - Unauthenticated SSRF
|
||||
name: Formcraft3 <3.8.28 - Server-Side Request Forgery
|
||||
author: Akincibor
|
||||
severity: critical
|
||||
description: The plugin does not validate the URL parameter in the formcraft3_get AJAX action, leading to SSRF issues exploitable by unauthenticated users.
|
||||
description: Formcraft3 before version 3.8.2 does not validate the URL parameter in the formcraft3_get AJAX action, leading to server-side request forgery issues exploitable by unauthenticated users.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/b5303e63-d640-4178-9237-d0f524b13d47
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0591
|
||||
|
@ -25,3 +25,5 @@ requests:
|
|||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
||||
|
||||
# Enhanced by mp on 2022/05/18
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2022-1020
|
||||
|
||||
info:
|
||||
name: Woo Product Table < 3.1.2 - Unauthenticated Arbitrary Function Call
|
||||
name: WordPress WooCommerce <3.1.2 - Arbitrary Function Call
|
||||
author: Akincibor
|
||||
severity: critical
|
||||
description: The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument
|
||||
description: WordPress WooCommerce plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/04fe89b3-8ad1-482f-a96d-759d1d3a0dd5
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1020
|
||||
|
@ -42,3 +42,5 @@ requests:
|
|||
group: 1
|
||||
regex:
|
||||
- '>PHP Version <\/td><td class="v">([0-9.]+)'
|
||||
|
||||
# Enhanced by mp on 2022/05/18
|
||||
|
|
|
@ -11,6 +11,8 @@ info:
|
|||
reference:
|
||||
- https://wpscan.com/vulnerability/faff9484-9fc7-4300-bdad-9cd8a30a9a4e
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1597
|
||||
classification:
|
||||
cve-id: CVE-2022-1598
|
||||
metadata:
|
||||
verified: true
|
||||
google-dork: inurl:/wp-content/plugins/wpqa
|
||||
|
|
|
@ -4,7 +4,8 @@ info:
|
|||
name: Wavlink Wn535g3 - POST XSS
|
||||
author: For3stCo1d
|
||||
severity: high
|
||||
description: WAVLINK WN535 G3 was discovered to contain a cross-site scripting (XSS) vulnerability via the hostname parameter at /cgi-bin/login.cgi.
|
||||
description: |
|
||||
WAVLINK WN535 G3 was discovered to contain a cross-site scripting (XSS) vulnerability via the hostname parameter at /cgi-bin/login.cgi.
|
||||
reference:
|
||||
- https://github.com/badboycxcc/XSS-CVE-2022-30489
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-30489
|
||||
|
@ -12,6 +13,8 @@ info:
|
|||
metadata:
|
||||
shodan-query: http.title:"Wi-Fi APP Login"
|
||||
verified: "true"
|
||||
classification:
|
||||
cve-id: CVE-2022-30489
|
||||
tags: xss,cve2022,wavlink,cve,router,iot
|
||||
|
||||
requests:
|
||||
|
|
|
@ -13,6 +13,8 @@ info:
|
|||
- https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml
|
||||
metadata:
|
||||
shodan-query: title:"USG FLEX 100","USG FLEX 100w","USG FLEX 200","USG FLEX 500","USG FLEX 700","USG FLEX 50","USG FLEX 50w","ATP100","ATP200","ATP500","ATP700"
|
||||
classification:
|
||||
cve-id: CVE-2022-30525
|
||||
tags: rce,zyxel,cve,cve2022,firewall,unauth
|
||||
|
||||
requests:
|
||||
|
|
|
@ -3,7 +3,7 @@ id: yonyou-ufida-nc-workflow
|
|||
info:
|
||||
name: Yonyou Ufida NC Security Checks
|
||||
author: Arm!tage
|
||||
description: A simple workflow that runs all yonyou ufida nc related nuclei templates on a given target.
|
||||
description: A simple workflow that runs all Yonyou Network Technology Co. (Ufida) NC related nuclei templates on a given target.
|
||||
|
||||
workflows:
|
||||
- template: technologies/fingerprinthub-web-fingerprints.yaml
|
||||
|
|
Loading…
Reference in New Issue