From 4c048c4de12f3b053af3a853d16bd510ad700421 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Thu, 22 Apr 2021 11:59:05 +0300 Subject: [PATCH 1/4] Description and reference --- cves/2005/CVE-2005-2428.yaml | 4 ++++ cves/2007/CVE-2007-4556.yaml | 1 + cves/2008/CVE-2008-2398.yaml | 2 ++ cves/2008/CVE-2008-2650.yaml | 2 ++ cves/2010/CVE-2010-2861.yaml | 5 ++++- cves/2011/CVE-2011-0049.yaml | 3 ++- 6 files changed, 15 insertions(+), 2 deletions(-) diff --git a/cves/2005/CVE-2005-2428.yaml b/cves/2005/CVE-2005-2428.yaml index e1e2107627..cb0b499e8c 100644 --- a/cves/2005/CVE-2005-2428.yaml +++ b/cves/2005/CVE-2005-2428.yaml @@ -4,6 +4,10 @@ info: author: CasperGN severity: medium tags: cve,cve2005 + description: Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores sensitive data from names.nsf in hidden form fields, which allows remote attackers to read the HTML source to obtain sensitive information such as (1) the password hash in the HTTPPassword field, (2) the password change date in the HTTPPasswordChangeDate field, (3) the client platform in the ClntPltfrm field, (4) the client machine name in the ClntMachine field, and (5) the client Lotus Domino release in the ClntBld field, a different vulnerability than CVE-2005-2696. + reference: | + - http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf + - https://www.exploit-db.com/exploits/39495 requests: - method: GET diff --git a/cves/2007/CVE-2007-4556.yaml b/cves/2007/CVE-2007-4556.yaml index 0d3b5af374..ad4d9e3320 100644 --- a/cves/2007/CVE-2007-4556.yaml +++ b/cves/2007/CVE-2007-4556.yaml 
@@ -4,6 +4,7 @@ info: name: Apache Struts2 S2-001 RCE author: pikpikcu severity: critical + description: Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute arbitrary code via form input beginning with a "%{" sequence and ending with a "}" character. reference: https://www.guildhab.top/?p=2326 tags: cve,cve2007,apache,rce,struts diff --git a/cves/2008/CVE-2008-2398.yaml b/cves/2008/CVE-2008-2398.yaml index a722a4884e..990afdc4ed 100644 --- a/cves/2008/CVE-2008-2398.yaml +++ b/cves/2008/CVE-2008-2398.yaml @@ -4,6 +4,8 @@ info: name: AppServ Open Project 2.5.10 and earlier XSS author: unstabl3 severity: medium + description: Cross-site scripting (XSS) vulnerability in index.php in AppServ Open Project 2.5.10 and earlier allows remote attackers to inject arbitrary web script or HTML via the appservlang parameter. + reference: https://exchange.xforce.ibmcloud.com/vulnerabilities/42546 tags: cve,cve2008,xss requests: diff --git a/cves/2008/CVE-2008-2650.yaml b/cves/2008/CVE-2008-2650.yaml index 68b9e4ba42..80f9e4ff6e 100644 --- a/cves/2008/CVE-2008-2650.yaml +++ b/cves/2008/CVE-2008-2650.yaml @@ -3,6 +3,8 @@ info: name: CMSimple 3.1 - Local File Inclusion author: pussycat0x severity: high + description: | + Directory traversal vulnerability in cmsimple/cms.php in CMSimple 3.1, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the sl parameter to index.php. NOTE: this can be leveraged for remote file execution by including adm.php and then invoking the upload action. NOTE: on 20080601, the vendor patched 3.1 without changing the version number. reference: https://www.exploit-db.com/exploits/5700 tags: cve,cve2008,lfi requests: 
diff --git a/cves/2010/CVE-2010-2861.yaml b/cves/2010/CVE-2010-2861.yaml index 5baeae6b66..1abefde474 100644 --- a/cves/2010/CVE-2010-2861.yaml +++ b/cves/2010/CVE-2010-2861.yaml @@ -4,7 +4,10 @@ info: name: Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI author: pikpikcu severity: high - reference: https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861 + description: Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/. + reference: | + - https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861 + - http://www.adobe.com/support/security/bulletins/apsb10-18.html tags: cve,cve2010,coldfusion,lfi requests: diff --git a/cves/2011/CVE-2011-0049.yaml b/cves/2011/CVE-2011-0049.yaml index 2fe7580ae8..e5589d8f5c 100644 --- a/cves/2011/CVE-2011-0049.yaml +++ b/cves/2011/CVE-2011-0049.yaml @@ -4,10 +4,11 @@ info: name: Majordomo2 - SMTP/HTTP Directory Traversal author: pikpikcu severity: high + description: Directory traversal vulnerability in the _list_file_get function in lib/Majordomo.pm in Majordomo 2 before 20110131 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the help command, as demonstrated using (1) a crafted email and (2) cgi-bin/mj_wwwusr in the web interface. reference: | - https://www.exploit-db.com/exploits/16103 - https://nvd.nist.gov/vuln/detail/CVE-2011-0063 - - https://nvd.nist.gov/vuln/detail/CVE-2011-0049 + - http://www.kb.cert.org/vuls/id/363726 tags: cve,cve2011,majordomo2,lfi requests: From 7bd3bc65b839945c86ee080fe503392b391b947f Mon Sep 17 00:00:00 2001 
From: Noam Rathaus Date: Thu, 22 Apr 2021 12:02:19 +0300 Subject: [PATCH 2/4] Description and references --- cves/2012/CVE-2012-0392.yaml | 1 + cves/2013/CVE-2013-1965.yaml | 3 ++- cves/2013/CVE-2013-2251.yaml | 1 + cves/2014/CVE-2014-3120.yaml | 6 +++++- cves/2014/CVE-2014-3704.yaml | 7 ++++++- cves/2014/CVE-2014-6271.yaml | 3 +++ 6 files changed, 18 insertions(+), 3 deletions(-) diff --git a/cves/2012/CVE-2012-0392.yaml b/cves/2012/CVE-2012-0392.yaml index 4c29ff061e..a0318c0e9d 100644 --- a/cves/2012/CVE-2012-0392.yaml +++ b/cves/2012/CVE-2012-0392.yaml @@ -4,6 +4,7 @@ info: name: Apache Struts2 S2-008 RCE author: pikpikcu severity: critical + description: The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. reference: https://blog.csdn.net/weixin_43416469/article/details/113850545 tags: cve,cve2012,apache,rce,struts diff --git a/cves/2013/CVE-2013-1965.yaml b/cves/2013/CVE-2013-1965.yaml index b39b275ce9..fcfc281443 100644 --- a/cves/2013/CVE-2013-1965.yaml +++ b/cves/2013/CVE-2013-1965.yaml @@ -4,7 +4,8 @@ info: name: Apache Struts2 S2-012 RCE author: pikpikcu severity: critical - reference: https://nvd.nist.gov/vuln/detail/CVE-2013-1965 + description: Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect. + reference: http://struts.apache.org/development/2.x/docs/s2-012.html tags: cve,cve2013,apache,rce,struts requests: diff --git a/cves/2013/CVE-2013-2251.yaml b/cves/2013/CVE-2013-2251.yaml index 7bce805f94..bef95ecb02 100644 --- a/cves/2013/CVE-2013-2251.yaml +++ b/cves/2013/CVE-2013-2251.yaml 
@@ -5,6 +5,7 @@ info: author: exploitation & @dwisiswant0 severity: critical description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code. + reference: http://struts.apache.org/release/2.3.x/docs/s2-016.html tags: cve,cve2013,rce,struts,apache requests: diff --git a/cves/2014/CVE-2014-3120.yaml b/cves/2014/CVE-2014-3120.yaml index c8be48ecbd..96b6e0fc3a 100644 --- a/cves/2014/CVE-2014-3120.yaml +++ b/cves/2014/CVE-2014-3120.yaml @@ -4,7 +4,11 @@ info: name: ElasticSearch v1.1.1/1.2 RCE author: pikpikcu severity: critical - reference: https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2014-3120 + description: | + The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine. + reference: | + - https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2014-3120 + - https://www.elastic.co/blog/logstash-1-4-3-released tags: cve,cve2014,elastic,rce requests: diff --git a/cves/2014/CVE-2014-3704.yaml b/cves/2014/CVE-2014-3704.yaml index e9f2cedbf2..8c3ccfac16 100644 --- a/cves/2014/CVE-2014-3704.yaml +++ b/cves/2014/CVE-2014-3704.yaml 
@@ -4,7 +4,12 @@ info: author: princechaddha severity: high description: The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys. - reference: https://www.cvedetails.com/cve/CVE-2014-3704/ + reference: | + - https://www.drupal.org/SA-CORE-2014-005 + - http://www.exploit-db.com/exploits/34984 + - http://www.exploit-db.com/exploits/34992 + - http://www.exploit-db.com/exploits/34993 + - http://www.exploit-db.com/exploits/35150 tags: cve,cve2014,drupal,sqli requests: diff --git a/cves/2014/CVE-2014-6271.yaml b/cves/2014/CVE-2014-6271.yaml index 19cbb5c440..2f066e264b 100644 --- a/cves/2014/CVE-2014-6271.yaml +++ b/cves/2014/CVE-2014-6271.yaml @@ -5,6 +5,9 @@ info: author: pentest_swissky severity: high description: Attempts to exploit the "shellshock" vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications + reference: | + - http://www.kb.cert.org/vuls/id/252743 + - http://www.us-cert.gov/ncas/alerts/TA14-268A tags: cve,cve2014,rce requests: From 71645c8c5c9b716749021b2fde1d446d87ddf63c Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Thu, 22 Apr 2021 12:04:36 +0300 Subject: [PATCH 3/4] Description and references --- cves/2015/CVE-2015-1427.yaml | 5 ++++- cves/2015/CVE-2015-2080.yaml | 5 ++++- cves/2015/CVE-2015-3337.yaml | 2 +- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/cves/2015/CVE-2015-1427.yaml b/cves/2015/CVE-2015-1427.yaml index a86e4392a6..9412b721fb 100644 --- a/cves/2015/CVE-2015-1427.yaml +++ b/cves/2015/CVE-2015-1427.yaml 
@@ -4,7 +4,10 @@ info: name: ElasticSearch 1.4.0/1.4.2 RCE author: pikpikcu severity: critical - reference: https://blog.csdn.net/JiangBuLiu/article/details/94457980 + description: The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script. + reference: | + - https://blog.csdn.net/JiangBuLiu/article/details/94457980 + - http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/ tags: cve,cve2015,elastic,rce requests: diff --git a/cves/2015/CVE-2015-2080.yaml b/cves/2015/CVE-2015-2080.yaml index 483f83a4a9..a7ada141e5 100644 --- a/cves/2015/CVE-2015-2080.yaml +++ b/cves/2015/CVE-2015-2080.yaml @@ -4,7 +4,10 @@ info: name: Eclipse Jetty Remote Leakage author: pikpikcu severity: medium - reference: https://nvd.nist.gov/vuln/detail/CVE-2015-2080 + reference: | + - https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md + - https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html + - http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html description: | The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak diff --git a/cves/2015/CVE-2015-3337.yaml b/cves/2015/CVE-2015-3337.yaml index faf005e404..a63020f1d0 100644 --- a/cves/2015/CVE-2015-3337.yaml +++ b/cves/2015/CVE-2015-3337.yaml 
@@ -5,7 +5,7 @@ info: author: pdteam severity: high description: Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors. - reference: https://nvd.nist.gov/vuln/detail/CVE-2015-3337 + reference: https://www.exploit-db.com/exploits/37054/ tags: cve,cve2015,elastic,lfi requests: From 622748c6f6a5950b5465077ce71f1e5318166c01 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Thu, 22 Apr 2021 12:06:27 +0300 Subject: [PATCH 4/4] Description and references --- cves/2016/CVE-2016-10033.yaml | 1 + cves/2016/CVE-2016-3081.yaml | 6 +++++- cves/2016/CVE-2016-7552.yaml | 1 + 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/cves/2016/CVE-2016-10033.yaml b/cves/2016/CVE-2016-10033.yaml index cdae3cc13f..ea20f5c587 100644 --- a/cves/2016/CVE-2016-10033.yaml +++ b/cves/2016/CVE-2016-10033.yaml @@ -3,6 +3,7 @@ info: name: Wordpress 4.6 Remote Code Execution author: princechaddha severity: high + description: The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property. reference: https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html tags: wordpress,cve,cve2016,rce diff --git a/cves/2016/CVE-2016-3081.yaml b/cves/2016/CVE-2016-3081.yaml index 1e15993eb2..f81217e459 100644 --- a/cves/2016/CVE-2016-3081.yaml +++ b/cves/2016/CVE-2016-3081.yaml 
@@ -4,7 +4,11 @@ info: name: Apache S2-032 Struts RCE author: dhiyaneshDK severity: high - reference: https://cwiki.apache.org/confluence/display/WW/S2-032 + description: | + Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions. + reference: | + - https://cwiki.apache.org/confluence/display/WW/S2-032 + - https://struts.apache.org/docs/s2-032.html tags: cve,cve2016,struts,rce,apache requests: diff --git a/cves/2016/CVE-2016-7552.yaml b/cves/2016/CVE-2016-7552.yaml index 81306f5ee8..686d2c2635 100644 --- a/cves/2016/CVE-2016-7552.yaml +++ b/cves/2016/CVE-2016-7552.yaml @@ -4,6 +4,7 @@ info: name: Trend Micro Threat Discovery Appliance Auth Bypass via Directory Traversal author: dwisiswant0 severity: critical + description: On the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory traversal when processing a session_id cookie allows a remote, unauthenticated attacker to delete arbitrary files as root. This can be used to bypass authentication or cause a DoS. reference: https://gist.github.com/malerisch/5de8b408443ee9253b3954a62a8d97b4 tags: cve,cve2016,lfi
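Review bot: In the cves/2011/CVE-2011-0049.yaml hunk, the reference list still keeps `- https://nvd.nist.gov/vuln/detail/CVE-2011-0063` after the self-referencing CVE-2011-0049 NVD entry is dropped, so the only NVD link left points at a different CVE; either drop that entry as well or say in the description how CVE-2011-0063 relates to this template.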
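Review bot: In the cves/2014/CVE-2014-3120.yaml hunk, the added `- https://www.elastic.co/blog/logstash-1-4-3-released` is a Logstash release post while the description concerns dynamic scripting in Elasticsearch before 1.2; confirm that post actually covers this CVE, otherwise replace it with an Elasticsearch advisory or release note.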
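Review bot: In the cves/2014/CVE-2014-3704.yaml hunk, the four new exploit-db entries use plain `http://www.exploit-db.com/...` while the other files in this series use `https://www.exploit-db.com/...`; use https consistently so the links do not rely on a redirect.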
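Review bot: In the cves/2014/CVE-2014-6271.yaml hunk, the retained `description: Attempts to exploit the "shellshock" vulnerability ...` describes what the template does rather than the vulnerability, unlike the CVE-style descriptions added elsewhere in this series; consider rewording it to describe the flaw itself so the field is consistent across templates.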
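Review bot: In the cves/2015/CVE-2015-2080.yaml hunk, the new `reference: |` block lands above the existing `description: |` block, whereas every other file touched in this series orders `description` before `reference`; move the block below the description for consistency.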
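Review bot: In the cves/2015/CVE-2015-3337.yaml hunk, the NVD entry is replaced outright by `reference: https://www.exploit-db.com/exploits/37054/`, leaving an exploit write-up as the only source; keep an advisory-style reference alongside it as a list, as the other hunks in this series do.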
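Review bot: In the cves/2016/CVE-2016-10033.yaml hunk, the added description covers PHPMailer's mailSend function but the template is named `Wordpress 4.6 Remote Code Execution`; add a sentence connecting the PHPMailer flaw to WordPress 4.6, as the existing exploitbox reference URL does, so the name and description agree.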