Merge pull request #1333 from nrathaus/master

Descriptions and References
patch-1
Sandeep Singh 2021-04-22 18:38:23 +05:30 committed by GitHub
commit 8faeadf432
GPG Key ID: 4AEE18F83AFDEB23
18 changed files with 49 additions and 9 deletions


@ -4,6 +4,10 @@ info:
author: CasperGN author: CasperGN
severity: medium severity: medium
tags: cve,cve2005 tags: cve,cve2005
description: Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores sensitive data from names.nsf in hidden form fields, which allows remote attackers to read the HTML source to obtain sensitive information such as (1) the password hash in the HTTPPassword field, (2) the password change date in the HTTPPasswordChangeDate field, (3) the client platform in the ClntPltfrm field, (4) the client machine name in the ClntMachine field, and (5) the client Lotus Domino release in the ClntBld field, a different vulnerability than CVE-2005-2696.
reference: |
- http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf
- https://www.exploit-db.com/exploits/39495
requests: requests:
- method: GET - method: GET
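Review bot: the new `reference: |` block in the Lotus Domino hunk is a YAML literal block scalar, so the two `- http...` lines parse as one multi-line string rather than a sequence of two URLs; if each link is meant to be a separate reference entry, drop the `|` and indent the list items under `reference:`. The long single-line `description:` added above it would also read better as a `description: |` block, which is the form the CMSimple and Elasticsearch files in this same PR use.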


@ -4,6 +4,7 @@ info:
name: Apache Struts2 S2-001 RCE name: Apache Struts2 S2-001 RCE
author: pikpikcu author: pikpikcu
severity: critical severity: critical
description: Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute arbitrary code via form input beginning with a "%{" sequence and ending with a "}" character.
reference: https://www.guildhab.top/?p=2326 reference: https://www.guildhab.top/?p=2326
tags: cve,cve2007,apache,rce,struts tags: cve,cve2007,apache,rce,struts
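Review bot: the S2-001 description is added as a single very long plain scalar containing the quoted `"%{"` and `"}"` sequences; it parses, but a `description: |` block scalar keeps the wording readable and avoids any later quoting surprises around the `%` and `{` characters. The only reference is still the guildhab.top blog post; an official Apache Struts advisory or NVD entry, as added for S2-012 in this PR, would be the more durable citation.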


@ -4,6 +4,8 @@ info:
name: AppServ Open Project 2.5.10 and earlier XSS name: AppServ Open Project 2.5.10 and earlier XSS
author: unstabl3 author: unstabl3
severity: medium severity: medium
description: Cross-site scripting (XSS) vulnerability in index.php in AppServ Open Project 2.5.10 and earlier allows remote attackers to inject arbitrary web script or HTML via the appservlang parameter.
reference: https://exchange.xforce.ibmcloud.com/vulnerabilities/42546
tags: cve,cve2008,xss tags: cve,cve2008,xss
requests: requests:
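Review bot: the AppServ hunk adds only the description and an IBM X-Force reference; since the description names `index.php` and the `appservlang` parameter as the injection point, it is worth confirming in review that the request body below `requests:` (not shown in this hunk) targets that same parameter, so the metadata and the check agree.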


@ -3,6 +3,8 @@ info:
name: CMSimple 3.1 - Local File Inclusion name: CMSimple 3.1 - Local File Inclusion
author: pussycat0x author: pussycat0x
severity: high severity: high
description: |
Directory traversal vulnerability in cmsimple/cms.php in CMSimple 3.1, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the sl parameter to index.php. NOTE: this can be leveraged for remote file execution by including adm.php and then invoking the upload action. NOTE: on 20080601, the vendor patched 3.1 without changing the version number.
reference: https://www.exploit-db.com/exploits/5700 reference: https://www.exploit-db.com/exploits/5700
tags: cve,cve2008,lfi tags: cve,cve2008,lfi
requests: requests:
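Review bot: the second NOTE in the new CMSimple description (the vendor patched 3.1 on 20080601 without changing the version number) is a detection caveat worth surfacing: a patched 3.1 install reports the same version as a vulnerable one, so any matcher keyed on the version string will produce false positives and the template has to rely on the traversal response itself. The `description: |` block form used here is the right choice for text of this length.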


@ -4,7 +4,10 @@ info:
name: Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI name: Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI
author: pikpikcu author: pikpikcu
severity: high severity: high
reference: https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861 description: Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.
reference: |
- https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861
- http://www.adobe.com/support/security/bulletins/apsb10-18.html
tags: cve,cve2010,coldfusion,lfi tags: cve,cve2010,coldfusion,lfi
requests: requests:
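Review bot: in the ColdFusion hunk the original vulhub reference is replaced by `description:` and then re-added inside the new `reference: |` list next to the Adobe APSB10-18 bulletin, so the existing citation survives; good. The description lists five `.cfm` paths under `CFIDE/administrator/` that all take the `locale` parameter, so a one-line comment in the template saying which of them the request actually probes would help anyone triaging a hit.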


@ -4,10 +4,11 @@ info:
name: Majordomo2 - SMTP/HTTP Directory Traversal name: Majordomo2 - SMTP/HTTP Directory Traversal
author: pikpikcu author: pikpikcu
severity: high severity: high
description: Directory traversal vulnerability in the _list_file_get function in lib/Majordomo.pm in Majordomo 2 before 20110131 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the help command, as demonstrated using (1) a crafted email and (2) cgi-bin/mj_wwwusr in the web interface.
reference: | reference: |
- https://www.exploit-db.com/exploits/16103 - https://www.exploit-db.com/exploits/16103
- https://nvd.nist.gov/vuln/detail/CVE-2011-0063 - https://nvd.nist.gov/vuln/detail/CVE-2011-0063
- https://nvd.nist.gov/vuln/detail/CVE-2011-0049 - http://www.kb.cert.org/vuls/id/363726
tags: cve,cve2011,majordomo2,lfi tags: cve,cve2011,majordomo2,lfi
requests: requests:
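Review bot: the Majordomo2 hunk replaces `https://nvd.nist.gov/vuln/detail/CVE-2011-0049` with the CERT note VU#363726 instead of appending it, so the cross-reference to the second CVE ID is lost while the tags still carry only `cve2011`; keep the CVE-2011-0049 entry in the list alongside the new link. The new description naming `_list_file_get` in `lib/Majordomo.pm` and both the email and `cgi-bin/mj_wwwusr` vectors matches the `SMTP/HTTP` in the template name.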


@ -4,6 +4,7 @@ info:
name: Apache Struts2 S2-008 RCE name: Apache Struts2 S2-008 RCE
author: pikpikcu author: pikpikcu
severity: critical severity: critical
description: The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
reference: https://blog.csdn.net/weixin_43416469/article/details/113850545 reference: https://blog.csdn.net/weixin_43416469/article/details/113850545
tags: cve,cve2012,apache,rce,struts tags: cve,cve2012,apache,rce,struts
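Review bot: the S2-008 hunk adds a description but leaves a CSDN blog post as the sole reference; the description itself identifies the fixed version (2.3.1.1) and the `CookieInterceptor` component, so the corresponding Apache Struts advisory is the primary source to cite, as done for S2-012 and S2-032 elsewhere in this PR.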


@ -4,7 +4,8 @@ info:
name: Apache Struts2 S2-012 RCE name: Apache Struts2 S2-012 RCE
author: pikpikcu author: pikpikcu
severity: critical severity: critical
reference: https://nvd.nist.gov/vuln/detail/CVE-2013-1965 description: Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.
reference: http://struts.apache.org/development/2.x/docs/s2-012.html
tags: cve,cve2013,apache,rce,struts tags: cve,cve2013,apache,rce,struts
requests: requests:
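Review bot: the S2-012 hunk drops `https://nvd.nist.gov/vuln/detail/CVE-2013-1965` in favour of the struts.apache.org advisory rather than listing both, which is inconsistent with the ColdFusion and Elasticsearch hunks in this PR that keep the old link and add the new one as a list; retain the NVD entry as well.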


@ -5,6 +5,7 @@ info:
author: exploitation & @dwisiswant0 author: exploitation & @dwisiswant0
severity: critical severity: critical
description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code. description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
reference: http://struts.apache.org/release/2.3.x/docs/s2-016.html
tags: cve,cve2013,rce,struts,apache tags: cve,cve2013,rce,struts,apache
requests: requests:


@ -4,7 +4,11 @@ info:
name: ElasticSearch v1.1.1/1.2 RCE name: ElasticSearch v1.1.1/1.2 RCE
author: pikpikcu author: pikpikcu
severity: critical severity: critical
reference: https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2014-3120 description: |
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
reference: |
- https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2014-3120
- https://www.elastic.co/blog/logstash-1-4-3-released
tags: cve,cve2014,elastic,rce tags: cve,cve2014,elastic,rce
requests: requests:
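Review bot: the second reference added in the CVE-2014-3120 hunk, `https://www.elastic.co/blog/logstash-1-4-3-released`, is a Logstash release post by its URL slug, whereas the description concerns the dynamic-scripting default in Elasticsearch before 1.2 and names no Logstash version; confirm this is the intended advisory or link the Elasticsearch release note directly. The `NOTE:` sentence about running Elasticsearch in its own virtual machine is a useful risk qualifier and belongs in the description as written.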


@ -4,7 +4,12 @@ info:
author: princechaddha author: princechaddha
severity: high severity: high
description: The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys. description: The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
reference: https://www.cvedetails.com/cve/CVE-2014-3704/ reference: |
- https://www.drupal.org/SA-CORE-2014-005
- http://www.exploit-db.com/exploits/34984
- http://www.exploit-db.com/exploits/34992
- http://www.exploit-db.com/exploits/34993
- http://www.exploit-db.com/exploits/35150
tags: cve,cve2014,drupal,sqli tags: cve,cve2014,drupal,sqli
requests: requests:
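Review bot: the Drupal hunk replaces the single cvedetails link with the SA-CORE-2014-005 advisory and four exploit-db entries (34984, 34992, 34993, 35150); listing the vendor advisory first is right, but the original CVE-level link is dropped rather than kept, and four exploit listings for one SQL injection is more than a reader needs. Suggest the advisory plus one NVD/CVE entry, with at most one exploit-db reference.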


@ -5,6 +5,9 @@ info:
author: pentest_swissky author: pentest_swissky
severity: high severity: high
description: Attempts to exploit the "shellshock" vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications description: Attempts to exploit the "shellshock" vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications
reference: |
- http://www.kb.cert.org/vuls/id/252743
- http://www.us-cert.gov/ncas/alerts/TA14-268A
tags: cve,cve2014,rce tags: cve,cve2014,rce
requests: requests:
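Review bot: the shellshock hunk adds the CERT VU#252743 and US-CERT TA14-268A references but leaves the description as `Attempts to exploit the "shellshock" vulnerability ... in web applications`, which describes what the template does rather than the flaw, unlike every other description in this PR; replace it with the CVE-2014-6271 description so the metadata is consistent. Both CVE IDs appear in the description while the tags carry only `cve2014`, which is fine as long as the tag scheme is per year.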


@ -4,7 +4,10 @@ info:
name: ElasticSearch 1.4.0/1.4.2 RCE name: ElasticSearch 1.4.0/1.4.2 RCE
author: pikpikcu author: pikpikcu
severity: critical severity: critical
reference: https://blog.csdn.net/JiangBuLiu/article/details/94457980 description: The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
reference: |
- https://blog.csdn.net/JiangBuLiu/article/details/94457980
- http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/
tags: cve,cve2015,elastic,rce tags: cve,cve2015,elastic,rce
requests: requests:
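Review bot: the Elasticsearch 1.4.x hunk adds the Groovy sandbox-bypass description and a vendor post at `http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/`; the CVE-2014-3120 hunk in this same PR uses the `elastic.co` domain for the vendor blog, so check that the `elasticsearch.com` URL still resolves and prefer the canonical domain. The affected versions in the description (before 1.3.8 and 1.4.x before 1.4.3) are consistent with the template name `ElasticSearch 1.4.0/1.4.2 RCE`.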


@ -4,7 +4,10 @@ info:
name: Eclipse Jetty Remote Leakage name: Eclipse Jetty Remote Leakage
author: pikpikcu author: pikpikcu
severity: medium severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2015-2080 reference: |
- https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
- https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
- http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html
description: | description: |
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak
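Review bot: the Jetty hunk replaces the NVD link for CVE-2015-2080 with three references (the upstream jetty.project advisory, the GDS write-up and a packetstorm listing) and keeps `reference:` ahead of `description:`, the reverse of the field order the other files in this PR now use. Keep the NVD entry in the list and move `reference:` below `description:` for consistency; the description text is also missing a trailing period after `aka JetLeak`.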


@ -5,7 +5,7 @@ info:
author: pdteam author: pdteam
severity: high severity: high
description: Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors. description: Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.
reference: https://nvd.nist.gov/vuln/detail/CVE-2015-3337 reference: https://www.exploit-db.com/exploits/37054/
tags: cve,cve2015,elastic,lfi tags: cve,cve2015,elastic,lfi
requests: requests:
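Review bot: the CVE-2015-3337 hunk swaps `https://nvd.nist.gov/vuln/detail/CVE-2015-3337` for an exploit-db entry as the only reference, so the template no longer cites an advisory for the CVE its tags name; since the description says the traversal works via unspecified vectors, the NVD or vendor entry is what a reader needs to verify the affected versions (before 1.4.5 and 1.5.x before 1.5.2). Keep both as a list.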


@ -3,6 +3,7 @@ info:
name: Wordpress 4.6 Remote Code Execution name: Wordpress 4.6 Remote Code Execution
author: princechaddha author: princechaddha
severity: high severity: high
description: The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
reference: https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html reference: https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
tags: wordpress,cve,cve2016,rce tags: wordpress,cve,cve2016,rce
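Review bot: the new WordPress/PHPMailer description contains `\"` inside a plain (unquoted) YAML scalar; plain scalars do not process escapes, so this renders as the intended backslash-double-quote, but anyone who later wraps the description in double quotes will need to escape both characters. The text is the PHPMailer before 5.2.18 description while the name says `Wordpress 4.6`, which the exploitbox reference ties together; consider adding `phpmailer` to the tags so the template is found under either product.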


@ -4,7 +4,11 @@ info:
name: Apache S2-032 Struts RCE name: Apache S2-032 Struts RCE
author: dhiyaneshDK author: dhiyaneshDK
severity: high severity: high
reference: https://cwiki.apache.org/confluence/display/WW/S2-032 description: |
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
reference: |
- https://cwiki.apache.org/confluence/display/WW/S2-032
- https://struts.apache.org/docs/s2-032.html
tags: cve,cve2016,struts,rce,apache tags: cve,cve2016,struts,rce,apache
requests: requests:


@ -4,6 +4,7 @@ info:
name: Trend Micro Threat Discovery Appliance Auth Bypass via Directory Traversal name: Trend Micro Threat Discovery Appliance Auth Bypass via Directory Traversal
author: dwisiswant0 author: dwisiswant0
severity: critical severity: critical
description: On the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory traversal when processing a session_id cookie allows a remote, unauthenticated attacker to delete arbitrary files as root. This can be used to bypass authentication or cause a DoS.
reference: https://gist.github.com/malerisch/5de8b408443ee9253b3954a62a8d97b4 reference: https://gist.github.com/malerisch/5de8b408443ee9253b3954a62a8d97b4
tags: cve,cve2016,lfi tags: cve,cve2016,lfi
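Review bot: the new Trend Micro description says the traversal in `session_id` cookie handling lets an unauthenticated attacker delete arbitrary files as root, with authentication bypass or DoS as the impact, but the tags remain `cve,cve2016,lfi`; `lfi` implies file inclusion or read, so a tag reflecting the actual impact (file deletion, auth bypass) would make the template easier to find and keep it from being grouped with read-only traversal checks. Severity `critical` is consistent with the description.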