Dashboard Content Enhancements (#4456)

Dashboard Content Enhancements

cves/2022/CVE-2022-0346.yaml

@@ -6,6 +6,8 @@ info:
   severity: high
   description: |
     The plugin does not validate a parameter which can be set to an arbitrary value, thus causing XSS via error message or RCE if allow_url_include is turned on.
+  classification:
+    cve-id: CVE-2022-0346
   reference:
     - https://wpscan.com/vulnerability/4b339390-d71a-44e0-8682-51a12bd2bfe6
     - https://wordpress.org/plugins/www-xml-sitemap-generator-org/

cves/2022/CVE-2022-1040.yaml

@@ -1,11 +1,11 @@
 id: CVE-2022-1040
 
 info:
-  name: Sophos Firewall - RCE
+  name: Sophos Firewall <=18.5 MR3 - Remote Code Execution
   author: For3stCo1d
   severity: critical
   description: |
-    An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.
+    Sophos Firewall version v18.5 MR3 and older contains an authentication bypass vulnerability in the User Portal and Webadmin which could allow a remote attacker to execute code.
   reference:
     - https://github.com/killvxk/CVE-2022-1040
     - https://github.com/CronUp/Vulnerabilidades/blob/main/CVE-2022-1040_checker
@@ -17,9 +17,9 @@ info:
     cve-id: CVE-2022-1040
     cwe-id: CWE-287
   metadata:
-    shodan-query: http.title:"Sophos"
     verified: true
-  tags: cve,cve2022,sophos,firewall,auth-bypass
+    shodan-query: http.title:"Sophos"
+  tags: cve,cve2022,sophos,firewall,auth-bypass,rce
 
 requests:
   - method: POST
@@ -44,3 +44,5 @@ requests:
       - type: status
         status:
           - 200
+
+# Enhanced by mp on 2022/05/19

cves/2022/CVE-2022-1388.yaml

@@ -5,9 +5,7 @@ info:
   author: dwisiswant0,Ph33r
   severity: critical
   description: |
-    This F5 BIG-IP vulnerability can allow an unauthenticated attacker
+    F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, may allow undisclosed requests to bypass iControl REST authentication.
-    with network access to the BIG-IP system through the management
-    port and/or self IP addresses to execute arbitrary system commands.
   reference:
     - https://twitter.com/GossiTheDog/status/1523566937414193153
     - https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
@@ -19,8 +17,8 @@ info:
     cve-id: CVE-2022-1388
     cwe-id: CWE-306
   metadata:
+    verified: true
     shodan-query: http.title:"BIG-IP®-+Redirect" +"Server"
-    verified: "true"
   tags: f5,bigip,cve,cve2022,rce,mirai
 
 variables:
@@ -64,3 +62,5 @@ requests:
           - "commandResult"
           - "8831-2202-EVC"
         condition: and
+
+# Enhanced by mp on 2022/05/19

cves/2022/CVE-2022-22954.yaml

@@ -1,14 +1,16 @@
 id: CVE-2022-22954
 
 info:
-  name: VMware Workspace ONE Access - Freemarker SSTI
+  name: VMware Workspace ONE Access - Server-Side Template Injection
   author: sherlocksecurity
   severity: critical
-  description: An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager. Successful exploitation could result in remote code execution by exploiting a server-side template injection flaw.
+  description: |
+    VMware Workspace ONE Access is susceptible to a remote code execution vulnerability due to a server-side template injection flaw. An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager.
   reference:
     - https://www.tenable.com/blog/vmware-patches-multiple-vulnerabilities-in-workspace-one-vmsa-2022-0011
     - https://www.vmware.com/security/advisories/VMSA-2022-0011.html
     - http://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-22954
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 9.8
@@ -26,9 +28,12 @@ requests:
     matchers-condition: and
     matchers:
       - type: word
+        part: body
         words:
           - "Authorization context is not valid"
 
       - type: status
         status:
           - 400
+
+# Enhanced by mp on 2022/05/19

cves/2022/CVE-2022-22963.yaml

@@ -1,17 +1,18 @@
 id: CVE-2022-22963
 
 info:
-  name: Spring Cloud Function SPEL RCE
+  name: Spring Cloud - Remote Code Execution
   author: Mr-xn,Adam Crosser
   severity: critical
   description: |
-    In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
+    Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions are susceptible to remote code execution vulnerabilities. When using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
   reference:
     - https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f
     - https://github.com/cckuailong/spring-cloud-function-SpEL-RCE
     - https://tanzu.vmware.com/security/cve-2022-22963
     - https://nsfocusglobal.com/spring-cloud-function-spel-expression-injection-vulnerability-alert/
     - https://github.com/vulhub/vulhub/tree/scf-spel/spring/spring-cloud-function-spel-injection
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-22963
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 9.8
@@ -41,3 +42,5 @@ requests:
       - type: status
         status:
           - 500
+
+# Enhanced by mp on 2022/05/19

cves/2022/CVE-2022-22965.yaml

@@ -1,7 +1,7 @@
 id: CVE-2022-22965
 
 info:
-  name: Spring Framework RCE via Data Binding on JDK 9+ (Spring4Shell)
+  name: Spring Framework - Remote Code Execution
   author: justmumu,arall,dhiyaneshDK,akincibor
   severity: critical
   description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
@@ -11,12 +11,13 @@ info:
     - https://twitter.com/RandoriAttack/status/1509298490106593283
     - https://mp.weixin.qq.com/s/kgw-O4Hsd9r2vfme3Y2Ynw
     - https://twitter.com/_0xf4n9x_/status/1509935429365100546
-  remediation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+.
+    - https://nvd.nist.gov/vuln/detail/cve-2022-22965
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 9.8
     cve-id: CVE-2022-22965
     cwe-id: CWE-94
+  remediation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+.
   tags: cve,cve2022,rce,spring,injection,oast,intrusive
 
 requests:
@@ -24,19 +25,6 @@ requests:
     path:
       - "{{BaseURL}}/?class.module.classLoader.resources.context.configFile=https://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx"
 
-    matchers-condition: and
-    matchers:
-      - type: word
-        part: interactsh_protocol # Confirms the HTTP Interaction
-        words:
-          - "http"
-
-      - type: word
-        part: interactsh_request
-        words:
-          - "User-Agent: Java"
-        case-insensitive: true
-
   - method: POST
     path:
       - "{{BaseURL}}"
@@ -59,3 +47,5 @@ requests:
         words:
           - "User-Agent: Java"
         case-insensitive: true
+
+# Enhanced by mp on 2022/05/19

cves/2022/CVE-2022-26148.yaml

@@ -1,14 +1,15 @@
 id: CVE-2022-26148
 
 info:
-  name: Grafana Zabbix Integration - Credential Disclosure
+  name: Grafana & Zabbix Integration - Credential Disclosure
   author: Geekby
   severity: critical
-  description: An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.
+  description: |
+    Grafana through 7.3.4, when integrated with Zabbix, contains a credential disclosure vulnerability. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.
   reference:
-    - https://nvd.nist.gov/vuln/detail/CVE-2022-26148
     - https://2k8.org/post-319.html
     - https://security.netapp.com/advisory/ntap-20220425-0005/
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-26148
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 9.8
@@ -16,7 +17,7 @@ info:
   metadata:
     fofa-query: app="Grafana"
     shodan-query: title:"Grafana"
-  tags: cve,cve2022,grafana,zabbix
+  tags: cve,cve2022,grafana,zabbix,exposure
 
 requests:
   - method: GET
@@ -51,3 +52,5 @@ requests:
           - '"password":"(.*?)"'
           - '"username":"(.*?)"'
           - '"url":"([a-z:/0-9.]+)\/api_jsonrpc\.php'
+
+# Enhanced by mp on 2022/05/19

cves/2022/CVE-2022-26352.yaml

@@ -1,13 +1,14 @@
 id: CVE-2022-26352
 
 info:
-  name: DotCMS Arbitrary File Upload
+  name: DotCMS - Arbitrary File Upload
   author: h1ei1
   severity: critical
-  description: There is an arbitrary file upload vulnerability in the /api/content/ path of the DotCMS management system, and attackers can upload malicious Trojans to obtain server permissions.
+  description: DotCMS management system contains an arbitrary file upload vulnerability via the /api/content/ path which can allow attackers to upload malicious Trojans to obtain server permissions.
   reference:
     - https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/
     - https://github.com/h1ei1/POC/tree/main/CVE-2022-26352
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26352
   classification:
     cve-id: CVE-2022-26352
   tags: cve,cve2022,rce,dotcms
@@ -39,3 +40,5 @@ requests:
           - 'contains(body_2, "CVE-2022-26352")'
           - 'status_code_2 == 200'
         condition: and
+
+# Enhanced by mp on 2022/05/19

cves/2022/CVE-2022-29303.yaml

@@ -10,9 +10,11 @@ info:
     - https://www.exploit-db.com/exploits/50940
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29303
     - https://drive.google.com/drive/folders/1tGr-WExbpfvhRg31XCoaZOFLWyt3r60g?usp=sharing
+  classification:
+    cve-id: CVE-2022-29303
   metadata:
+    verified: true
     shodan-query: http.html:"SolarView Compact"
-    verified: "true"
   tags: cve,cve2022,rce,injection
 
 variables:

cves/2022/CVE-2022-29464.yaml

@@ -1,15 +1,16 @@
 id: CVE-2022-29464
 
 info:
-  name: WSO2 Management - Unrestricted Arbitrary File Upload & Remote Code Execution
+  name: WSO2 Management - Arbitrary File Upload & Remote Code Execution
   author: luci,dhiyaneshDk
   severity: critical
-  description: Certain WSO2 products allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.
+  description: |
+    Certain WSO2 products allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.
   reference:
     - https://shanesec.github.io/2022/04/21/Wso2-Vul-Analysis-cve-2022-29464/
     - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738
-    - https://nvd.nist.gov/vuln/detail/CVE-2022-29464
     - https://github.com/hakivvi/CVE-2022-29464
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-29464
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 9.8
@@ -43,3 +44,5 @@ requests:
       - type: dsl
         dsl:
           - "contains(body_2, 'WSO2-RCE-CVE-2022-29464')"
+
+# Enhanced by mp on 2022/05/19

cves/2022/CVE-2022-30525.yaml

@@ -1,16 +1,16 @@
 id: CVE-2022-30525
 
 info:
-  name: Zyxel Firewall - Unauthenticated RCE
+  name: Zyxel Firewall - OS Command Injection
   author: h1ei1,prajiteshsingh
   severity: critical
   description: |
-    The vulnerability affects Zyxel firewalls that support Zero Touch Provisioning (ZTP), including the ATP Series, VPN Series, and USG FLEX Series (including USG20-VPN and USG20W-VPN), allowing an unauthenticated remote attacker to target the affected device as nobody Execute arbitrary code as a user on.
+    An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, are susceptible to a command injection vulnerability which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
   reference:
     - https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/
     - https://github.com/rapid7/metasploit-framework/pull/16563
-    - https://nvd.nist.gov/vuln/detail/CVE-2022-30525
     - https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-30525
   classification:
     cve-id: CVE-2022-30525
   metadata:
@@ -36,3 +36,5 @@ requests:
       - type: status
         status:
           - 500
+
+# Enhanced by mp on 2022/05/19

exposures/configs/laravel-env.yaml

@@ -1,12 +1,19 @@
 id: laravel-env
 
 info:
-  name: Laravel .env file accessible
+  name: Laravel - Sensitive Information Disclosure
   author: pxmme1337,dwisiswant0,geeknik,emenalf,adrianmf
-  severity: critical
+  severity: high
-  description: Laravel uses the .env file to store sensitive information like database credentials and tokens. It should not be publicly accessible.
+  description: |
+    A Laravel .env file was discovered, which stores sensitive information like database credentials and tokens. It should not be publicly accessible.
   reference:
     - https://laravel.com/docs/master/configuration#environment-configuration
+    - https://stackoverflow.com/questions/38331397/how-to-protect-env-file-in-laravel
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
+    cvss-score: 8.3
+    cve-id:
+    cwe-id: CWE-522
   tags: config,exposure,laravel
 
 requests:
@@ -37,6 +44,7 @@ requests:
     matchers-condition: and
     matchers:
       - type: regex
+        part: body
         regex:
           - "(?mi)^APP_(NAME|ENV|KEY|DEBUG|URL|PASSWORD)="
           - "(?mi)^DB_(HOST|PASSWORD|DATABASE)="
@@ -45,3 +53,5 @@ requests:
       - type: status
         status:
           - 200
+
+# Enhanced by mp on 2022/05/19

exposures/configs/phpinfo.yaml

@@ -3,6 +3,10 @@ id: phpinfo-files
 info:
   name: phpinfo Disclosure
   author: pdteam,daffainfo,meme-lord,dhiyaneshDK
+  description: |
+    A "PHP Info" page was found. The output of the phpinfo() command can reveal detailed PHP environment information.
+  remediation: |
+    Remove PHP Info pages from publicly accessible sites, or restrict access to authorized users only.
   severity: low
   tags: config,exposure,phpinfo
 
@@ -32,6 +36,7 @@ requests:
     matchers-condition: and
     matchers:
       - type: word
+        part: body
         words:
           - "PHP Extension"
           - "PHP Version"

file/electron/node-integration-enabled.yaml

@@ -1,14 +1,15 @@
 id: node-integration-enabled
 
 info:
-  name: Node Integration Enabled
+  name: Electron Applications - Cross-Site Scripting & Remote Code Execution
   author: me9187
   severity: critical
+  description: |
+    Electron Applications is susceptible to remote code execution by way of cross-site scripting via nodeIntegration  by calling require('child_process').exec('COMMAND');.
   reference:
     - https://blog.yeswehack.com/yeswerhackers/exploitation/pentesting-electron-applications/
     - https://book.hacktricks.xyz/pentesting/pentesting-web/xss-to-rce-electron-desktop-apps
   tags: electron,file,nodejs
-  # nodeIntegration in Electron Applications means you can turn XSS into RCE by calling require('child_process').exec('COMMAND');
 
 file:
   - extensions:
@@ -19,3 +20,5 @@ file:
       - type: word
         words:
           - "nodeIntegration: true"
+
+# Enhanced by mp on 2022/05/19

fuzzing/wordpress-weak-credentials.yaml

@@ -1,9 +1,18 @@
 id: wordpress-weak-credentials
 
 info:
-  name: WordPress Weak Credentials
+  name: WordPress - Weak Credentials
   author: evolutionsec
   severity: critical
+  description: |
+    Weak WordPress Credentials were discovered.
+  reference:
+    - https://www.wpwhitesecurity.com/strong-wordpress-passwords-wpscan/
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
+    cvss-score: 5.8
+    cve-id:
+    cwe-id: CWE-522
   tags: wordpress,default-login,fuzz
 
 requests:
@@ -22,16 +31,20 @@ requests:
       passwords: helpers/wordlists/wp-passwords.txt
     threads: 50
     attack: clusterbomb
+
     stop-at-first-match: true
     matchers-condition: and
     matchers:
-      - type: status
-        status:
-          - 302
 
       - type: word
+        part: header
         words:
           - '/wp-admin'
           - 'wordpress_logged_in'
         condition: and
-        part: header
+
+      - type: status
+        status:
+          - 302
+
+# Enhanced by mp on 2022/05/19

iot/qvisdvr-deserialization-rce.yaml

@@ -4,8 +4,15 @@ info:
   name: QVISDVR JSF Deserialization - Remote Code Execution
   author: me9187
   severity: critical
+  description: |
+    QVISDVR Java-Deserialization was discovered, which could allow remote code execution.
   reference:
     - https://twitter.com/Me9187/status/1414606876575162373
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+    cvss-score: 10.0
+    cve-id:
+    cwe-id: CWE-77
   tags: qvisdvr,rce,deserialization,jsf,iot
 
 requests:
@@ -33,11 +40,14 @@ requests:
 
     matchers-condition: and
     matchers:
-      - type: status
-        status:
-          - 500
 
       - type: word
         part: interactsh_protocol
         words:
           - http
+
+      - type: status
+        status:
+          - 500
+
+# Enhanced by mp on 2022/05/19

misconfiguration/http-missing-security-headers.yaml

@@ -4,7 +4,8 @@ info:
   name: HTTP Missing Security Headers
   author: socketz,geeknik,G4L1T0,convisoappsec,kurohost,dawid-czarnecki,forgedhallpass
   severity: info
-  description: It searches for missing security headers, but obviously, could be so less generic and could be useless for Bug Bounty.
+  description: |
+    This template searches for missing HTTP security headers. The impact of these missing headers can vary.
   tags: misconfig,generic
 
 requests:

misconfiguration/jupyter-ipython-unauth.yaml

@@ -1,11 +1,15 @@
 id: jupyter-ipython-unauth
 
 info:
-  name: Jupyter ipython Unauth
+  name: Jupyter ipython - Authorization Bypass
   author: pentest_swissky
   severity: critical
-  description: Unauthenticated access to Jupyter instance
+  description: Jupyter was able to be accessed without authentication.
-  tags: unauth
+  classification:
+    cvss-score: 10.0
+    cvss-metrics: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+    cwe-id: CWE-288
+  tags: unauth,jupyter
 
 requests:
   - method: GET
@@ -22,3 +26,5 @@ requests:
           - ipython/static/components
           - ipython/kernelspecs
         part: body
+
+# Enhanced by mp on 2022/05/20

misconfiguration/kubernetes/kubernetes-pods.yaml

@@ -1,11 +1,12 @@
 id: kubernetes-pods-api
 
 info:
-  name: Kubernetes Pods API
+  name: Kubernetes Pods - API Discovery & Remote Code Execution
   author: ilovebinbash,geeknik,0xtavian
   severity: critical
-  description: When the service port is available, anyone can execute commands inside the container. See https://github.com/officialhocc/Kubernetes-Kubelet-RCE for inspiration.
+  description: A Kubernetes Pods API was discovered. When the service port is available, unauthenticated users can execute commands inside the container.
   reference:
+    - https://github.com/officialhocc/Kubernetes-Kubelet-RCE
     - https://blog.binaryedge.io/2018/12/06/kubernetes-being-hijacked-worldwide/
   tags: k8,unauth,kubernetes,devops
 
@@ -29,3 +30,5 @@ requests:
       - type: status
         status:
           - 200
+
+# Enhanced by mp on 2022/05/20

misconfiguration/laravel-debug-enabled.yaml

@@ -4,7 +4,10 @@ info:
   name: Laravel Debug Enabled
   author: notsoevilweasel
   severity: medium
-  description: Laravel with APP_DEBUG set to true is prone to show verbose errors.
+  description: |
+    Laravel with APP_DEBUG set to true is prone to show verbose errors.
+  remediation: |
+    Disable Laravel's debug mode by setting APP_DEBUG to false.
   tags: debug,laravel,misconfig
 
 requests:
@@ -15,6 +18,7 @@ requests:
     matchers-condition: and
     matchers:
       - type: word
+        part: body
         words:
           - can_execute_commands
 

misconfiguration/misconfigured-docker.yaml

@@ -1,9 +1,10 @@
 id: misconfigured-docker
 
 info:
-  name: Misconfigured Docker on Default Port
+  name: Docker Container - Misconfiguration Exposure
   author: dhiyaneshDK
   severity: critical
+  description: A Docker container misconfiguration was discovered. The Docker daemon can listen for Docker Engine API requests via three different types of Socket - unix, tcp, and fd. With tcp enabled, the default setup provides un-encrypted and un-authenticated direct access to the Docker daemon. It is conventional to use port 2375 for un-encrypted, and port 2376 for encrypted communication with the daemon.
   reference:
     - https://madhuakula.com/content/attacking-and-auditing-docker-containers-using-opensource/attacking-docker-containers/misconfiguration.html
   tags: docker,unauth,devops
@@ -25,3 +26,5 @@ requests:
       - type: status
         status:
           - 200
+
+# Enhanced by mp on 2022/05/20

misconfiguration/springboot/springboot-heapdump.yaml

@@ -1,10 +1,12 @@
 id: springboot-heapdump
 
 info:
-  name: Detect Springboot Heapdump Actuator
+  name: Spring Boot Actuator - Heap Dump Detection
   author: that_juan_,dwisiswant0,wdahlenb
   severity: critical
-  description: Environment variables and HTTP requests can be found in the HPROF
+  description: A Spring Boot Actuator heap dump was detected. A heap dump is a snapshot of JVM memory, which could expose environment variables and HTTP requests.
+  reference:
+    - https://github.com/pyn3rd/Spring-Boot-Vulnerability
   tags: springboot,exposure
 
 requests:
@@ -28,3 +30,5 @@ requests:
       - type: status
         status:
           - 200
+
+# Enhanced by mp on 2022/05/20

misconfiguration/unauthenticated-nacos-access.yaml

@@ -1,11 +1,13 @@
 id: unauthenticated-nacos-access
 
 info:
-  name: Unauthenticated Nacos access v1.x
+  name: Nacos 1.x - Authentication Bypass
   author: taielab,pikpikcu
   severity: critical
+  description: "Nacos 1.x was discovered. A default Nacos instance needs to modify the application.properties configuration file or add the JVM startup variable Dnacos.core.auth.enabled=true to enable the authentication function (reference: https://nacos.io/en-us/docs/auth.html). But authentication can still be bypassed under certain circumstances and any interface can be called as in the following example that can add a new user (POST https://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test). That user can then log in to the console to access, modify, and add data."
   reference:
     - https://github.com/alibaba/nacos/issues/4593
+    - https://nacos.io/en-us/docs/auth.html
   tags: nacos,unauth
 
 requests:
@@ -34,3 +36,5 @@ requests:
       - type: status
         status:
           - 200
+
+# Enhanced by mp on 2022/05/20

ssl/deprecated-tls.yaml

@@ -1,11 +1,15 @@
 id: deprecated-tls
 
 info:
-  name: Deprecated TLS Detection (inferior to TLS 1.2)
+  name: Deprecated TLS Detection (TLS 1.1 or SSLv3)
   author: righettod
   severity: info
   reference:
     - https://ssl-config.mozilla.org/#config=intermediate
+  description: |
+    Both TLS 1.1 and SSLv3 are deprecated in favor of stronger encryption.
+  remediation: |
+    Update the web server's TLS configuration to disable TLS 1.1 and SSLv3.
   metadata:
     shodan-query: ssl.version:sslv2 ssl.version:sslv3 ssl.version:tlsv1 ssl.version:tlsv1.1
   tags: ssl

vulnerabilities/laravel/laravel-ignition-xss.yaml

@@ -4,6 +4,10 @@ info:
   name: Laravel Ignition XSS
   author: 0x_Akoko
   severity: medium
+  description: |
+    Laravel's Ignition contains a cross-site scripting vulnerability when debug mode is enabled.
+  remediation: |
+    Disable Laravel's debug mode by setting APP_DEBUG to false.
   reference:
     - https://www.acunetix.com/vulnerabilities/web/laravel-ignition-reflected-cross-site-scripting/
     - https://github.com/facade/ignition/issues/273
@@ -21,11 +25,11 @@ requests:
         words:
           - "Undefined index: --><svg onload=alert(document.domain)> in file"
 
-      - type: status
-        status:
-          - 500
-
       - type: word
         part: header
         words:
           - "text/html"
+
+      - type: status
+        status:
+          - 500