Merge pull request #1127 from nrathaus/master

Prettify tests
patch-1
PD-Team 2021-03-23 03:54:09 +05:30 committed by GitHub
commit 7105ac9c46
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 16 additions and 3 deletions

@ -3,7 +3,10 @@ info:
name: rConfig 3.9.4 SQLi
author: madrobot
severity: high
reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10547
description: rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
reference:
https://github.com/theguly/exploits/blob/master/CVE-2020-10547.py
https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/
tags: cve,cve2020,rconfig,sqli
requests:
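
Review bot: `info` ends up with two `reference` keys in this hunk: the single-line `reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10547` above the description and the bare `reference:` with two URLs below it. Duplicate mapping keys are rejected by some YAML parsers and resolved last-wins by others, so either the template fails to load or one set of links is silently dropped. Fold all three URLs into a single `reference` entry, preferably in the `reference: |` form with `- ` items that the GLPI template in this same commit uses.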

@ -4,6 +4,7 @@ info:
name: GLPI v.9.4.6 - Open redirect
author: pikpikcu
severity: low
description: In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6.
reference: |
- https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
- https://github.com/glpi-project/glpi/archive/9.4.6.zip
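
Review bot: The description contradicts the `name` line: the name reads "GLPI v.9.4.6 - Open redirect" while the description says the issue exists before version 9.4.6 and is fixed in 9.4.6. Rename the template along the lines of "GLPI < 9.4.6 - Open redirect" so a match is not read as affecting the fixed release, and tidy the doubled wording in "protection based which is based on a regexp".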

@ -10,7 +10,7 @@ info:
A remote attacker could exploit this vulnerability to expose
sensitive information or consume memory resources.
References:
references: |
- https://www.ibm.com/support/pages/security-bulletin-ibm-maximo-asset-management-vulnerable-information-disclosure-cve-2020-4463
- https://github.com/Ibonok/CVE-2020-4463
tags: cve,cve2020,ibm,xxe
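
Review bot: The key that replaces the free-text `References:` line is spelled `references: |` (plural), while every other template touched in this commit uses `reference`. Anything that reads the `reference` field will miss these two links, so rename the key to `reference: |`.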

@ -4,7 +4,11 @@ info:
name: Next.js .next/ limited path traversal
author: Harsh & Rahul & dwisiswant0
severity: medium
description: Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.
tags: cve,cve2020,nextjs,lfi
reference:
https://github.com/zeit/next.js/releases/tag/v9.3.2
https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj
requests:
- method: GET
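
Review bot: The `reference:` key here has no value on its own line, and the two URLs under it carry neither the `|` block indicator nor `- ` list markers. Assuming they are indented under the key, YAML folds them into one space-separated string instead of two entries. Use the same shape as the GLPI template in this commit, `reference: |` followed by `- ` items, so both advisories stay separately addressable.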

@ -4,6 +4,8 @@ info:
name: Directory Traversal in Spring Cloud Config Server
author: mavericknerd
severity: high
description: Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.
reference: https://tanzu.vmware.com/security/cve-2020-5410
tags: cve,cve2020,lfi,springcloud
requests:

@ -6,6 +6,7 @@ info:
severity: medium
description: Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.
tags: cve,cve2020,ssrf,springcloud
reference: https://tanzu.vmware.com/security/cve-2020-5412
requests:
- method: GET
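
Review bot: Style point on key order: `reference` sits after `tags` in this hunk, whereas the rConfig, Spring Cloud Config and CVE-2020-9047 templates in this commit place it before `tags`. Since the change is a prettify pass, move `reference: https://tanzu.vmware.com/security/cve-2020-5412` above the `tags` line so the `info` blocks read the same way across files.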

@ -16,8 +16,10 @@ info:
download and run a malicious executable that
could allow OS command injection on the system.
Source/References:
reference: |
- https://github.com/norrismw/CVE-2020-9047
- https://www.johnsoncontrols.com/cyber-solutions/security-advisories
- https://www.us-cert.gov/ics/advisories/ICSA-20-170-01
tags: cve,cve2020,rce
requests:
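
Review bot: The second entry in the `reference: |` list, `https://www.johnsoncontrols.com/cyber-solutions/security-advisories`, is the vendor's general advisories page rather than a link for this CVE, unlike the GitHub and ICSA-20-170-01 entries beside it. Link the specific Johnson Controls advisory or drop the entry. The `tags: cve,cve2020,rce` line also carries no product tag, unlike the `rconfig`, `ibm`, `nextjs` and `springcloud` tags in the other templates of this commit, which makes the template harder to select by product.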