diff --git a/cves/2021/CVE-2021-33044.yaml b/cves/2021/CVE-2021-33044.yaml
index 09217ac1d6..c3764dd5b0 100644
--- a/cves/2021/CVE-2021-33044.yaml
+++ b/cves/2021/CVE-2021-33044.yaml
@@ -1,10 +1,10 @@
 id: CVE-2021-33044
 
 info:
- name: Dahua IPC/VTH/VTO devices Authentication Bypass
+ name: Dahua IPC/VTH/VTO - Authentication Bypass
 author: gy741
 severity: critical
- description: The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
+ description: Some Dahua products contain an authentication bypass during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
 reference:
 - https://github.com/dorkerdevil/CVE-2021-33044
 - https://nvd.nist.gov/vuln/detail/CVE-2021-33044
@@ -53,3 +53,5 @@ requests:
 part: body
 regex:
 - ',"result":true,"session":"([a-z]+)"\}'
+
+# Enhanced by cs on 2022/06/01
diff --git a/null b/null
deleted file mode 100644
index 4b19777eb3..0000000000
--- a/null
+++ /dev/null
@@ -1,40 +0,0 @@
-id: CVE-2019-12583
-
-info:
- name: Zyxel ZyWall UAG/USG - Missing ACL Guest Account Generator
- author: n-thumann
- severity: critical
- description: Missing Access Control in the "Free Time" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator. This can lead to unauthorised network access or Denial of Service.
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2019-12583
- - https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml
- - https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
- cvss-score: 9.1
- cve-id: CVE-2019-12583
- cwe-id: CWE-425
- tags: cve,cve2019,zyxel,zywall
-
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}"
- - "{{BaseURL}}/free_time.cgi"
-
- req-condition: true
- matchers-condition: and
- matchers:
- - type: dsl
- dsl:
- - "contains(body_1, 'zyFunction.js')"
- - "!contains(body_1, '/free_time_transaction.cgi')"
- - "!contains(body_2, '/free_time_failed.cgi?err_msg=The Free Time feature is disabled at this time.')"
- condition: and
-
- - type: status
- status:
- - 200
-
-# Enhanced by cs on 2022/06/01