misc updates

cves/2017/CVE-2017-15944.yaml

@@ -8,11 +8,11 @@ info:
     - https://www.exploit-db.com/exploits/43342
     - http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html
   severity: critical
-  tags: cve,cve2017,rce,vpn,paloalto,globalprotect
   classification:
     cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 9.80
     cve-id: CVE-2017-15944
+  tags: cve,cve2017,rce,vpn,panos,globalprotect
 
 requests:
   - raw:
@@ -24,9 +24,9 @@ requests:
     matchers-condition: and
     matchers:
       - type: word
+        part: body
         words:
           - "@start@Success@end@"
-        part: body
 
       - type: status
         status:

cves/2018/CVE-2018-10141.yaml

@@ -2,16 +2,16 @@ id: CVE-2018-10141
 
 info:
   name: GlobalProtect Login page XSS
+  severity: medium
   author: dhiyaneshDk
   description: GlobalProtect Portal Login page in Palo Alto Networks PAN-OS before 8.1.4 allows an unauthenticated attacker to inject arbitrary JavaScript or HTML.
-  severity: medium
   reference: https://nvd.nist.gov/vuln/detail/CVE-2018-10141
-  tags: globalprotect,xss,cve,cve2018,vpn
   classification:
     cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
     cvss-score: 6.10
     cve-id: CVE-2018-10141
     cwe-id: CWE-79
+  tags: cve,cve2018,panos,vpn,globalprotect,xss
 
 requests:
   - method: GET
@@ -21,14 +21,14 @@ requests:
     matchers-condition: and
     matchers:
       - type: word
+        part: body
         words:
           - 'var valueUser = "j";-alert(1)-"x";'
-        part: body
 
       - type: word
+        part: header
         words:
           - "text/html"
-        part: header
 
       - type: status
         status:

default-logins/paloalto/panos-default-login.yaml

@@ -6,7 +6,7 @@ info:
   severity: high
   description: Default Login of admin:admin on Palo Alto Networks PAN-OS application.
   reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/integrate-the-firewall-into-your-management-network/perform-initial-configuration.html#:~:text=By%20default%2C%20the%20firewall%20has,with%20other%20firewall%20configuration%20tasks.
-  tags: paloalto,panos,default-login
+  tags: panos,default-login
 
 requests:
   - raw:
@@ -17,19 +17,19 @@ requests:
 
         user={{username}}&passwd={{password}}&challengePwd=&ok=Login
 
+    attack: pitchfork
     payloads:
       username:
         - admin
       password:
         - admin
-    attack: pitchfork
 
     matchers-condition: and
     matchers:
       - type: word
+        part: header
         words:
           - "Set-Cookie: PHPSESSID"
-        part: header
 
       - type: word
         words:

exposed-panels/globalprotect-panel.yaml

@@ -4,7 +4,7 @@ info:
   name: PaloAlto Networks GlobalProtect Panel
   author: organiccrap
   severity: info
-  tags: panel
+  tags: panel,panos
 
 requests:
   - method: GET
@@ -12,6 +12,7 @@ requests:
       - "{{BaseURL}}/global-protect/login.esp"
       - "{{BaseURL}}/sslmgr"
 
+    stop-at-first-match: true
     matchers:
       - type: word
         words: