commit
9779aa81a4
|
@ -4,7 +4,7 @@ info:
|
|||
name: Zoho manageengine Arbitrary Reflected XSS
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
description: reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.
|
||||
description: A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.
|
||||
reference:
|
||||
- https://github.com/unh3x/just4cve/issues/10
|
||||
- http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html
|
||||
|
|
|
@ -3,7 +3,7 @@ id: CVE-2021-41773
|
|||
info:
|
||||
name: Apache 2.4.49 - Path Traversal and Remote Code Execution
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
severity: high
|
||||
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
|
||||
reference:
|
||||
- https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
|
||||
|
@ -12,6 +12,11 @@ info:
|
|||
- https://twitter.com/h4x0r_dz/status/1445401960371429381
|
||||
- https://github.com/blasty/CVE-2021-41773
|
||||
tags: cve,cve2021,lfi,rce,apache,misconfig
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.50
|
||||
cve-id: CVE-2021-41773
|
||||
cwe-id: CWE-22
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -5,6 +5,7 @@ info:
|
|||
author: gy741
|
||||
severity: medium
|
||||
reference: https://www.exploit-db.com/exploits/48384
|
||||
description: A vulnerability in Netis allows remote unauthenticated users to disclose the WiFi password of the remote device.
|
||||
tags: netis,exposure
|
||||
|
||||
requests:
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: Nginx Merge Slashes Path Traversal
|
||||
author: dhiyaneshDk
|
||||
severity: medium
|
||||
description: A vulnerability in the remote Nginx server could cause the server to merge slashslash together causing what should have protected the web site from a directory traversal vulnerability into a vulnerable server.
|
||||
reference:
|
||||
- https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/nginx-merge-slashes-path-traversal.json
|
||||
- https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d
|
||||
|
|
|
@ -4,9 +4,9 @@ info:
|
|||
name: openSIS 5.1 - 'ajax.php' Local File Inclusion
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
description: An attacker can exploit a vulnerability in openSIS to obtain potentially sensitive information and execute arbitrary local scripts in the context of the Web server process. This may allow the attacker to compromise the application and computer; other attacks are also possible.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/38039
|
||||
- https://www.securityfocus.com/bid/56598/info
|
||||
tags: opensis,lfi
|
||||
|
||||
requests:
|
||||
|
|
Loading…
Reference in New Issue