Merge pull request #4686 from MostInterestingBotInTheWorld/dashboard

Dashboard Content Enhancements
patch-1
Prince Chaddha 2022-07-02 17:28:11 +05:30 committed by GitHub
commit a359b681e1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
38 changed files with 261 additions and 158 deletions

View File

@ -1,13 +1,14 @@
id: CVE-2020-35580
info:
name: SearchBlox < 9.2.2 - Local File Inclusion (LFI)
name: SearchBlox <9.2.2 - Local File Inclusion
author: daffainfo
severity: high
description: Local File Inclusion vulnerability in the FileServlet in all SearchBlox before 9.2.2 allows remote, unauthenticated users to read arbitrary files from the operating system via a /searchblox/servlet/FileServlet?col=url= request. Additionally, this may be used to read the contents of the SearchBlox configuration file (e.g., searchblox/WEB-INF/config.xml), which contains both the Super Admin API key and the base64 encoded SHA1 password hashes of other SearchBlox users.
description: SearchBlox prior to version 9.2.2 is susceptible to local file inclusion in FileServlet that allows remote, unauthenticated users to read arbitrary files from the operating system via a /searchblox/servlet/FileServlet?col=url= request. Additionally, this may be used to read the contents of the SearchBlox configuration file (e.g., searchblox/WEB-INF/config.xml), which contains both the Super Admin API key and the base64 encoded SHA1 password hashes of other SearchBlox users.
reference:
- https://hateshape.github.io/general/2021/05/11/CVE-2020-35580.html
- https://developer.searchblox.com/docs/getting-started-with-searchblox
- https://nvd.nist.gov/vuln/detail/CVE-2020-35580
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -22,6 +23,8 @@ requests:
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
part: body
# Enhanced by mp on 2022/06/28
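Review bot: the trailing `# Enhanced by mp on 2022/06/28` comment appended here (and to the other templates in this PR) records who touched the file but not what changed, which the commit history already carries; if the project wants an in-file marker, a one-line note of the actual change (e.g. "name/description standardised, matcher order") would be more useful than initials and a date.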

View File

@ -1,20 +1,20 @@
id: CVE-2020-35598
info:
name: Advanced Comment System 1.0 - Path Traversal
name: Advanced Comment System 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: ACS Advanced Comment System 1.0 is affected by Directory Traversal via an advanced_component_system/index.php?ACS_path=..%2f URI.
description: ACS Advanced Comment System 1.0 is affected by local file inclusion via an advanced_component_system/index.php?ACS_path=..%2f URI.
reference:
- https://www.exploit-db.com/exploits/49343
- https://www.cvedetails.com/cve/CVE-2020-35598
- https://seclists.org/fulldisclosure/2020/Dec/13
- https://nvd.nist.gov/vuln/detail/CVE-2020-35598
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2020-35598
cwe-id: CWE-22
tags: cve,cve2020,lfi
tags: cve,cve2020,lfi,acs
requests:
- method: GET
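Review bot: the description line swaps "Directory Traversal" for "local file inclusion" while `cwe-id: CWE-22` (path traversal) is kept, so the text and the classification now disagree; the source advisory describes a `ACS_path=..%2f` traversal, so consider "is affected by directory traversal (local file inclusion) via an advanced_component_system/index.php?ACS_path=..%2f URI" to keep both terms accurate.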
@ -31,3 +31,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/06/28

View File

@ -1,10 +1,10 @@
id: CVE-2020-35736
info:
name: GateOne 1.1 - Arbitrary File Retrieval
name: GateOne 1.1 - Local File Inclusion
author: pikpikcu
severity: high
description: GateOne 1.1 allows arbitrary file retrieval without authentication via /downloads/.. directory traversal because os.path.join is incorrectly used.
description: GateOne 1.1 allows arbitrary file retrieval without authentication via /downloads/.. local file inclusion because os.path.join is incorrectly used.
reference:
- https://github.com/liftoff/GateOne/issues/747
- https://nvd.nist.gov/vuln/detail/CVE-2020-35736
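Review bot: the new description reads "via /downloads/.. local file inclusion because os.path.join is incorrectly used", which no longer names the mechanism; the `/downloads/..` segment together with the misuse of `os.path.join` is a directory traversal, so the wording should stay "via /downloads/.. directory traversal" and, if the LFI label is wanted, add it in parentheses rather than replacing the root cause.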
@ -30,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/06/28

View File

@ -1,10 +1,10 @@
id: CVE-2020-35749
info:
name: Simple Job Board < 2.9.4 -Arbitrary File Retrieval (Authenticated)
name: WordPress Simple Job Board <2.9.4 - Local File Inclusion
author: cckuailong
severity: high
description: The plugin does not validate the sjb_file parameter when viewing a resume, allowing authenticated user with the download_resume capability (such as HR users) to download arbitrary files from the web-server via a path traversal attack.
description: WordPress Simple Job Board prior to version 2.9.4 is vulnerable to arbitrary file retrieval vulnerabilities because it does not validate the sjb_file parameter when viewing a resume, allowing an authenticated user with the download_resume capability (such as HR users) to download arbitrary files from the web-server via local file inclusion.
reference:
- https://wpscan.com/vulnerability/eed3bd69-2faf-4bc9-915c-c36211ef9e2d
- https://nvd.nist.gov/vuln/detail/CVE-2020-35749
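Review bot: the new name drops "(Authenticated)" even though the description still requires an authenticated user with the `download_resume` capability and the second hunk logs in with `{{username}}`/`{{password}}` before the `sjb_file` request; keep the qualifier (e.g. "WordPress Simple Job Board <2.9.4 - Local File Inclusion (Authenticated)") so users know credentials are needed. The phrase "is vulnerable to arbitrary file retrieval vulnerabilities because it does not validate" is also redundant; "does not validate the sjb_file parameter when viewing a resume, allowing ..." reads better.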
@ -27,9 +27,11 @@ requests:
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/post.php?post=372&action=edit&sjb_file=../../../../etc/passwd HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
@ -40,3 +42,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/06/28

View File

@ -1,12 +1,12 @@
id: CVE-2020-4463
info:
name: IBM Maximo Asset Management Information Disclosure via XXE
name: IBM Maximo Asset Management Information Disclosure - XML External Entity Injection
author: dwisiswant0
severity: high
description: |
IBM Maximo Asset Management is vulnerable to an
XML External Entity Injection (XXE) attack when processing XML data.
XML external entity injection (XXE) attack when processing XML data.
A remote attacker could exploit this vulnerability to expose
sensitive information or consume memory resources.
reference:
@ -14,6 +14,7 @@ info:
- https://github.com/Ibonok/CVE-2020-4463
- https://exchange.xforce.ibmcloud.com/vulnerabilities/181484
- https://www.ibm.com/support/pages/node/6253953
- https://nvd.nist.gov/vuln/detail/CVE-2020-4463
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
cvss-score: 8.2
@ -33,14 +34,19 @@ requests:
</max:QueryMXPERSON>
headers:
Content-Type: application/xml
matchers-condition: and
matchers:
- type: word
words:
- "application/xml"
part: header
- type: word
part: body
words:
- "QueryMXPERSONResponse"
- "MXPERSONSet"
part: body
- type: word
part: header
words:
- "application/xml"
# Enhanced by mp on 2022/06/28
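Review bot: moving the header matcher after the body matcher is cosmetic under `matchers-condition: and`, but while touching this block note that the body `words` matcher (`QueryMXPERSONResponse`, `MXPERSONSet`) has no `condition:` and therefore defaults to `or`; if a successful response is expected to contain both strings, adding `condition: and` here would reduce false positives.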

View File

@ -1,13 +1,13 @@
id: CVE-2020-5410
info:
name: Directory Traversal in Spring Cloud Config Server
name: Spring Cloud Config Server - Local File Inclusion
author: mavericknerd
severity: high
description: Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server
module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.
description: Spring Cloud Config Server versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user or attacker can send a request using a specially crafted URL that can lead to a local file inclusion attack.
reference:
- https://tanzu.vmware.com/security/cve-2020-5410
- https://nvd.nist.gov/vuln/detail/CVE-2020-5410
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
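Review bot: the description's "directory traversal attack" is changed to "local file inclusion attack", but the vendor advisory (tanzu.vmware.com/security/cve-2020-5410) and the template's own `..%252F` path describe a directory traversal in the config server; keep "directory traversal" in the description (the name can still carry the "Local File Inclusion" label used across this PR). Joining the two description lines into one is fine.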
@ -19,12 +19,17 @@ requests:
- method: GET
path:
- "{{BaseURL}}/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- type: status
status:
- 200
- type: regex
regex:
- "root:.*:0:0:"
part: body
# Enhanced by mp on 2022/06/28

View File

@ -1,12 +1,13 @@
id: CVE-2020-5776
info:
name: Cross Site Request Forgery (CSRF) in MAGMI (Magento Mass Importer) Plugin
name: MAGMI - Cross-Site Request Forgery
author: dwisiswant0
severity: high
description: Currently, all versions of MAGMI are vulnerable to CSRF due to the lack of CSRF tokens. RCE (via phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI.
description: MAGMI (Magento Mass Importer) is vulnerable to cross-site request forgery (CSRF) due to a lack of CSRF tokens. Remote code execution (via phpcli command) is also possible in the event that CSRF is leveraged against an existing admin session.
reference:
- https://www.tenable.com/security/research/tra-2020-51
- https://nvd.nist.gov/vuln/detail/CVE-2020-5776
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
cvss-score: 8.8
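Review bot: the rewritten description drops "all versions of MAGMI" and gives no version range, so the template no longer states which releases are affected; since the original says every version lacks CSRF tokens, keep that scope (e.g. "All versions of MAGMI (Magento Mass Importer) are vulnerable to cross-site request forgery ...") unless a fixed release is known.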
@ -45,4 +46,6 @@ requests:
condition: and
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/06/28

View File

@ -1,21 +1,21 @@
id: CVE-2020-7943
info:
name: Puppet Server and PuppetDB sensitive information disclosure
name: Puppet Server/PuppetDB - Sensitive Information Disclosure
author: c-sh0
severity: high
description: Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints, which may contain sensitive information
description: Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints, which may contain sensitive information when left exposed.
reference:
- https://puppet.com/security/cve/CVE-2020-7943
- https://nvd.nist.gov/vuln/detail/CVE-2020-7943
- https://tickets.puppetlabs.com/browse/PDB-4876
- https://puppet.com/security/cve/CVE-2020-7943/
- https://nvd.nist.gov/vuln/detail/CVE-2020-7943
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2020-7943
cwe-id: CWE-276
tags: cve,cve2020,puppet,exposure
tags: cve,cve2020,puppet,exposure,puppetdb
requests:
- method: GET
@ -24,16 +24,18 @@ requests:
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "trapperkeeper"
- type: word
part: header
words:
- "application/json"
- type: word
part: body
words:
- "trapperkeeper"
- type: status
status:
- 200
# Enhanced by mp on 2022/06/28

View File

@ -1,15 +1,16 @@
id: CVE-2020-8163
info:
name: Potential Remote Code Execution on Rails
name: Ruby on Rails <5.0.1 - Remote Code Execution
author: tim_koopmans
severity: high
description: Tests for ability to pass user parameters as local variables into partials
description: Ruby on Rails before version 5.0.1 is susceptible to remote code execution because it passes user parameters as local variables into partials.
reference:
- https://web.archive.org/web/20201029105442/https://correkt.horse/ruby/2020/08/22/CVE-2020-8163/
- https://hackerone.com/reports/304805
- https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0
- https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-8163
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
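Review bot: the new description says Rails "is susceptible to remote code execution because it passes user parameters as local variables into partials", which overstates the issue; the original text ("Tests for ability to pass user parameters as local variables into partials") and the CVSS `PR:L` metric indicate the exposure exists when an application passes user-controlled parameters as partial locals, so word it as "when an application passes user-controlled parameters as local variables into partials" rather than attributing the behaviour to Rails itself.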
@ -21,12 +22,17 @@ requests:
- method: GET
path:
- "{{BaseURL}}?IO.popen(%27cat%20%2Fetc%2Fpasswd%27).read%0A%23"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- type: status
status:
- 200
- type: regex
regex:
- "root:.*:0:0:"
part: body
# Enhanced by mp on 2022/06/28

View File

@ -1,39 +1,40 @@
id: CVE-2020-8209
info:
name: Citrix XenMobile Server Path Traversal
name: Citrix XenMobile Server - Local File Inclusion
author: dwisiswant0
severity: high
description: |
Improper access control in Citrix XenMobile Server 10.12 before RP2,
Citrix XenMobile Server 10.11 before RP4, Citrix XenMobile Server 10.10
before RP6 and Citrix XenMobile Server before 10.9 RP5 and leads to the ability to read arbitrary files.
Citrix XenMobile Server 10.12 before RP2, Citrix XenMobile Server 10.11 before RP4, Citrix XenMobile Server 10.10 before RP6, and Citrix XenMobile Server before 10.9 RP5 are susceptible to local file inclusion vulnerabilities.
reference:
- https://swarm.ptsecurity.com/path-traversal-on-citrix-xenmobile-server/
reference:
- https://support.citrix.com/article/CTX277457
- https://nvd.nist.gov/vuln/detail/CVE-2020-8209
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2020-8209
cwe-id: CWE-22
tags: cve,cve2020,citrix,lfi
tags: cve,cve2020,citrix,lfi,xenmobile
requests:
- method: GET
path:
- "{{BaseURL}}/jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
part: body
- type: word
part: header
words:
- "fileDownload=true"
- "application/octet-stream"
- "attachment;"
condition: and
part: header
# Enhanced by mp on 2022/06/28
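Review bot: the replacement description removes both the root cause ("Improper access control") and the impact ("leads to the ability to read arbitrary files"), leaving only "are susceptible to local file inclusion vulnerabilities"; with `cwe-id: CWE-22` and a `sbFileName=../../../etc/passwd` request in the same hunk, keep the impact statement, e.g. "... are susceptible to improper access control that allows an unauthenticated user to read arbitrary files (local file inclusion)". The old text's stray "and" before "leads to" is correctly gone.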

View File

@ -4,17 +4,17 @@ info:
name: Lotus Core CMS 1.0.1 - Local File Inclusion
author: 0x_Akoko
severity: high
description: Lotus Core CMS 1.0.1 allows authenticated Local File Inclusion of .php files via directory traversal in the index.php page_slug parameter.
description: Lotus Core CMS 1.0.1 allows authenticated local file inclusion of .php files via directory traversal in the index.php page_slug parameter.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-8641
- https://cxsecurity.com/issue/WLB-2020010234
- https://www.exploit-db.com/exploits/47985
- https://nvd.nist.gov/vuln/detail/CVE-2020-8641
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2020-8641
cwe-id: CWE-22
tags: cve,cve2020,lfi,lotus
tags: cve,cve2020,lfi,lotus,cms
requests:
- method: GET
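Review bot: the description states the file inclusion is authenticated but the tag line is only extended with `cms`; other templates in this PR carry an `authenticated` tag (see the KONGA template), so add it here too so the template can be filtered consistently.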
@ -31,3 +31,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/06/28

View File

@ -31,7 +31,7 @@ requests:
- type: word
part: body
words:
- "<title>400 - Bad Request</title>"
- "&lt;title&gt;400 - Bad Request&lt;/title&gt;"
- type: status
status:
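Review bot: changing the body word from `<title>400 - Bad Request</title>` to `&lt;title&gt;400 - Bad Request&lt;/title&gt;` changes what the matcher looks for, not just its encoding; nuclei matches against the raw response body, so if the target returns a literal HTML title the new entity-encoded string will never match and the template silently stops detecting. Confirm against a captured response that the body really contains the escaped form (e.g. an error page reflected inside HTML-escaped text) before merging, otherwise revert this line.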

View File

@ -1,17 +1,16 @@
id: CVE-2021-32819
info:
name: Nodejs squirrelly template engine RCE
name: Nodejs Squirrelly - Remote Code Execution
author: pikpikcu
severity: high
description: |
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration
options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. There is
currently no fix for these issues as of the publication of this CVE. The latest version of squirrelly is currently 8.0.8. For complete details refer to the referenced GHSL-2021-023.
Nodejs Squirrelly is susceptible to remote code execution. Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of squirrelly is currently 8.0.8. For complete details refer to the referenced GHSL-2021-023.
reference:
- https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/
- https://www.linuxlz.com/aqld/2331.html
- https://blog.diefunction.io/vulnerabilities/ghsl-2021-023
- https://nvd.nist.gov/vuln/detail/CVE-2021-32819
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
cvss-score: 8.8
@ -27,4 +26,6 @@ requests:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
- "http"
# Enhanced by mp on 2022/06/30

View File

@ -1,14 +1,15 @@
id: CVE-2021-32820
info:
name: Express-handlebars Path Traversal
name: Express-handlebars - Local File Inclusion
author: dhiyaneshDk
severity: high
description: Express-handlebars is a Handlebars view engine for Express. Express-handlebars mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extensions (i.e., file.extension) can be included. Files that lack an extension will have .handlebars appended to them. For complete details refer to the referenced GHSL-2021-018 report. Notes in documentation have been added to help users avoid this potential information exposure vulnerability.
description: Express-handlebars is susceptible to local file inclusion because it mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extensions (i.e., file.extension) can be included. Files that lack an extension will have .handlebars appended to them. For complete details refer to the referenced GHSL-2021-018 report. Notes in documentation have been added to help users avoid this potential information exposure vulnerability.
reference:
- https://securitylab.github.com/advisories/GHSL-2021-018-express-handlebars/
- https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/CVE-2021-32820.json
- https://github.com/express-handlebars/express-handlebars/pull/163
- https://nvd.nist.gov/vuln/detail/CVE-2021-32820
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
@ -23,14 +24,16 @@ requests:
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
part: body
regex:
- "root:.*:0:0:"
- "daemon:[x*]:0:0:"
- "operator:[x*]:0:0:"
part: body
condition: or
- type: status
status:
- 200
# Enhanced by mp on 2022/06/30

View File

@ -4,12 +4,12 @@ info:
name: Zyxel NBG2105 V1.00(AAGU.2)C0 - Authentication Bypass
author: gy741
severity: high
description: On Zyxel NBG2105 V1.00(AAGU.2)C0 devices, setting the login cookie to 1 provides administrator access.
description: Zyxel NBG2105 V1.00(AAGU.2)C0 devices are susceptible to authentication bypass vulnerabilities because setting the login cookie to 1 provides administrator access.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-3297
- https://github.com/nieldk/vulnerabilities/blob/main/zyxel%20nbg2105/Admin%20bypass
- https://www.zyxel.com/us/en/support/security_advisories.shtml
- https://www.zyxel.com/support/SupportLandingSR.shtml?c=gb&l=en&kbid=M-01490&md=NBG2105
- https://nvd.nist.gov/vuln/detail/CVE-2021-3297
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.8
@ -26,9 +26,6 @@ requests:
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
@ -36,3 +33,9 @@ requests:
- "Firmware Version"
- "Firmware Build Time"
condition: and
- type: status
status:
- 200
# Enhanced by mp on 2022/06/30

View File

@ -1,14 +1,15 @@
id: CVE-2021-33544
info:
name: Geutebruck RCE
name: Geutebruck - Remote Command Injection
author: gy741
severity: high
description: Multiple vulnerabilities in the web-based management interface of Geutebruck could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
description: Geutebruck is susceptible to multiple vulnerabilities its web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
reference:
- https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/
- https://www.randorisec.fr/fr/udp-technology-ip-camera-vulnerabilities/
- https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03
- https://nvd.nist.gov/vuln/detail/CVE-2021-33544
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
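Review bot: the new description has a missing preposition: "susceptible to multiple vulnerabilities its web-based management interface" should read "multiple vulnerabilities in its web-based management interface". The name change to "Remote Command Injection" matches the command-injection wording of the description, and the corrected randorisec.fr URL (dropping the `/fr/` locale) looks right.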
@ -28,3 +29,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/06/30

View File

@ -4,12 +4,12 @@ info:
name: FAUST iServer 9.0.018.018.4 - Local File Inclusion
author: 0x_Akoko
severity: high
description: An issue was discovered in FAUST iServer before 9.0.019.019.7. For each URL request, it accesses the corresponding .fau file on the operating system without preventing %2e%2e%5c directory traversal.
description: FAUST iServer before 9.0.019.019.7 is susceptible to local file inclusion because for each URL request it accesses the corresponding .fau file on the operating system without preventing %2e%2e%5c directory traversal.
reference:
- https://cxsecurity.com/issue/WLB-2022010120
- https://www.cvedetails.com/cve/CVE-2021-34805
- http://packetstormsecurity.com/files/165701/FAUST-iServer-9.0.018.018.4-Local-File-Inclusion.html
- http://www.land-software.de/lfs.fau?prj=iweb&dn=faust+iserver
- https://nvd.nist.gov/vuln/detail/CVE-2021-34805
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
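Review bot: the description now says "FAUST iServer before 9.0.019.019.7" while the unchanged name still reads "FAUST iServer 9.0.018.018.4"; the rest of this PR standardises names on the `<fixed-version` form, so renaming to "FAUST iServer <9.0.019.019.7 - Local File Inclusion" would keep name and description consistent.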
@ -34,4 +34,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/06/30

View File

@ -1,15 +1,15 @@
id: CVE-2021-36748
info:
name: PrestaHome Blog for PrestaShop - SQL Injection
name: PrestaHome Blog for PrestaShop <1.7.8 - SQL Injection
author: whoever
severity: high
description: Blog for PrestaShop by PrestaHome < 1.7.8 is vulnerable to a SQL injection (blind) via sb_category parameter.
description: PrestaHome Blog for PrestaShop prior to version 1.7.8 is vulnerable to a SQL injection (blind) via the sb_category parameter.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-36748
- https://blog.sorcery.ie/posts/ph_simpleblog_sqli/
- https://alysum5.promokit.eu/promokit/documentation/blog/
- https://blog.sorcery.ie
- https://nvd.nist.gov/vuln/detail/CVE-2021-36748
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -36,4 +36,6 @@ requests:
- 'contains(body_1, "prestashop")'
- "contains(tolower(all_headers_2), 'index.php?controller=404')"
- "len(body_2) == 0"
condition: and
condition: and
# Enhanced by mp on 2022/06/30

View File

@ -1,23 +1,23 @@
id: CVE-2021-37589
info:
name: Virtua Software Cobrança - Firebird Blind SQL Injection
name: Virtua Software Cobranca <12R - Blind SQL Injection
author: princechaddha
severity: high
description: |
Virtua Cobranca before 12R allows SQL Injection on the login page.
Virtua Cobranca before 12R allows blind SQL injection on the login page.
reference:
- https://github.com/luca-regne/my-cves/tree/main/CVE-2021-37589
- https://www.virtuasoftware.com.br/
- https://nvd.nist.gov/vuln/detail/CVE-2021-37589
- https://www.virtuasoftware.com.br/conteudo.php?content=downloads&lang=pt-br
- https://nvd.nist.gov/vuln/detail/CVE-2021-37589
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-37589
cwe-id: CWE-89
metadata:
verified: true
shodan-query: http.favicon.hash:876876147
verified: "true"
tags: cve,cve2021,virtua,sqli
requests:
@ -47,12 +47,15 @@ requests:
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "status_code_2 == 500 && status_code_3 == 200"
- type: dsl
dsl:
- 'contains(body_3, "Os parametros não estão informados corretamente")'
- 'contains(body_3, "O CNPJ dos parametro não está informado corretamente")'
condition: or
- type: dsl
dsl:
- "status_code_2 == 500 && status_code_3 == 200"
# Enhanced by mp on 2022/06/30

View File

@ -1,22 +1,22 @@
id: CVE-2021-39312
info:
name: True Ranker < 2.2.4 - Unauthenticated Arbitrary File Access via Path Traversal
name: WordPress True Ranker <2.2.4 - Local File Inclusion
author: DhiyaneshDK
severity: high
description: The plugin allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file.
description: WordPress True Ranker before version 2.2.4 allows sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file via local file inclusion.
reference:
- https://wpscan.com/vulnerability/d48e723c-e3d1-411e-ab8e-629fe1606c79
- https://nvd.nist.gov/vuln/detail/CVE-2021-39312
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39312
- https://plugins.trac.wordpress.org/browser/seo-local-rank/tags/2.2.2/admin/vendor/datatables/examples/resources/examples.php
- https://nvd.nist.gov/vuln/detail/CVE-2021-39312
remediation: Fixed in version 2.2.4
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-39312
cwe-id: CWE-22,CWE-22
tags: lfi,wp,wordpress,wp-plugin,unauth,lfr,cve,cve2021
tags: cve,cve2021,lfi,wp,wordpress,wp-plugin,unauth,lfr
requests:
- raw:
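Review bot: the rewritten description reads awkwardly ("allows sensitive configuration files such as wp-config.php, to be accessed via the src parameter ... via local file inclusion"): it has a stray comma, two "via" clauses, and it drops the original "arbitrary files, including" scope, narrowing the stated impact. Suggest "allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via local file inclusion through the src parameter of ~/admin/vendor/datatables/examples/resources/examples.php". Also, `cwe-id: CWE-22,CWE-22` in the context lines is a duplicate and should be reduced to `CWE-22` while the file is being touched.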
@ -40,3 +40,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/06/30

View File

@ -1,21 +1,22 @@
id: CVE-2021-39316
info:
name: Wordpress DZS Zoomsounds <= 6.50 - Arbitrary File Retrieval
name: WordPress DZS Zoomsounds <=6.50 - Local File Inclusion
author: daffainfo
severity: high
description: The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using a directory traversal in the `link` parameter.
description: WordPress Zoomsounds plugin 6.45 and earlier allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using directory traversal in the `link` parameter.
reference:
- https://wpscan.com/vulnerability/d2d60cf7-e4d3-42b6-8dfe-7809f87547bd
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39316
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39316
- http://packetstormsecurity.com/files/165146/WordPress-DZS-Zoomsounds-6.45-Arbitrary-File-Read.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-39316
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-39316
cwe-id: CWE-22
tags: wordpress,cve2021,cve,lfi,wp-plugin,zoomsounds
tags: cve,cve2021,wp,wordpress,lfi,wp-plugin,zoomsounds
requests:
- method: GET
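Review bot: the name says "<=6.50" but the description says "6.45 and earlier"; this mismatch predates the PR, yet since both lines are rewritten here it is the right moment to reconcile them against the wpscan and packetstorm references (the packetstorm title cites 6.45) so the template states one affected range.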
@ -32,3 +33,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/06/30

View File

@ -1,11 +1,11 @@
id: CVE-2021-40149
info:
name: Reolink E1 Zoom Camera - Rsa Key Information Disclosure
name: Reolink E1 Zoom Camera <=3.0.0.716 - Private Key Disclosure
author: For3stCo1d
severity: high
description: |
Reolink E1 Zoom Camera versions 3.0.0.716 and below suffer from a private key disclosure vulnerability.
Reolink E1 Zoom Camera versions 3.0.0.716 and below suffer from a private key (RSA) disclosure vulnerability.
reference:
- https://dl.packetstormsecurity.net/2206-exploits/reolinke1key-disclose.txt
- https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2021-40149.txt
@ -33,3 +33,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/06/30

View File

@ -1,15 +1,15 @@
id: CVE-2021-40822
info:
name: Geoserver - SSRF
name: Geoserver - Server-Side Request Forgery
author: For3stCo1d
severity: high
description: GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host.
description: GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows server-side request forgery via the option for setting a proxy host.
reference:
- https://gccybermonks.com/posts/cve-2021-40822/
- https://github.com/geoserver/geoserver/compare/2.19.2...2.19.3
- https://nvd.nist.gov/vuln/detail/CVE-2021-40822
- https://github.com/geoserver/geoserver/releases
- https://nvd.nist.gov/vuln/detail/CVE-2021-40822
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -18,7 +18,7 @@ info:
metadata:
fofa-query: app="GeoServer"
verified: "true"
tags: cve2021,ssrf,geoserver,cve
tags: cve,cve2021,ssrf,geoserver
requests:
- raw:
@ -43,3 +43,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/06/30

View File

@ -1,13 +1,17 @@
id: CVE-2021-41282
info:
name: pfSense Arbitrary File Write to RCE
name: pfSense - Arbitrary File Write
author: cckuailong
severity: high
description: diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.
description: |
diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (e.g., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.
remediation: |
Upgrade to pfSense CE software version 2.6.0 or later, or pfSense Plus software version 22.01 or later.
reference:
- https://www.shielder.it/advisories/pfsense-remote-command-execution/
- https://www.rapid7.com/db/modules/exploit/unix/http/pfsense_diag_routes_webshell/
- https://docs.netgate.com/downloads/pfSense-SA-22_02.webgui.asc
- https://nvd.nist.gov/vuln/detail/CVE-2021-41282
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
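Review bot: the rename to "pfSense - Arbitrary File Write" drops the "to RCE" impact even though the shielder.it reference is titled "pfsense-remote-command-execution", the Rapid7 module is a webshell, and the description explains the sed injection is used to write a file into an arbitrary location; keep the escalation in the name and add the version like the other renames, e.g. "pfSense 2.5.2 - Arbitrary File Write to Remote Code Execution". Adding the `remediation` block is a good addition.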
@ -52,4 +56,6 @@ requests:
dsl:
- "contains(body, 'c3959e8a43f1b39b0d1255961685a238')"
- "status_code==200"
condition: and
condition: and
# Enhanced by cs 06/30/2022
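Review bot: the appended comment `# Enhanced by cs 06/30/2022` uses a different format from every other template in this PR (`# Enhanced by mp on 2022/06/30`); align the date format and wording so the marker is consistent across the repository.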

View File

@ -1,18 +1,18 @@
id: CVE-2021-44103
id: CVE-2021-42192
info:
name: KOGA 0.14.9 - Privilege Escalation
name: KONGA 0.14.9 - Privilege Escalation
author: rschio
severity: high
description: Vertical Privilege Escalation in KONGA 0.14.9 allows attackers to higher privilege users to full administration access. The attack vector is a crafted condition, as demonstrated by the /api/user/{ID} at ADMIN parameter.
description: KONGA 0.14.9 allows attackers to set higher privilege users to full administration access. The attack vector is a crafted condition, as demonstrated by the /api/user/{ID} at ADMIN parameter.
reference:
- http://n0hat.blogspot.com/2021/11/konga-0149-privilege-escalation-exploit.html
- https://www.exploit-db.com/exploits/50521
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44103
- hhttps://nvd.nist.gov/vuln/detail/CVE-2021-42192
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2021-44103
cve-id: CVE-2021-42192
cwe-id: CWE-269
tags: cve,cve2021,konga,authenticated
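Review bot: the `id` and `cve-id` are corrected from CVE-2021-44103 to CVE-2021-42192, but the reference line `https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44103` still points at the old identifier and should be updated or removed, and the new NVD reference is misspelled `hhttps://nvd.nist.gov/vuln/detail/CVE-2021-42192` (double "h"), which will be an unusable link. The file itself should also be renamed to match the new id if that has not been done elsewhere in the PR. The "KOGA" to "KONGA" typo fix and the clearer description are fine.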
@ -77,3 +77,5 @@ requests:
group: 1
regex:
- '"token":"(.*)"'
# Enhanced by mp on 2022/06/30

View File

@ -1,16 +1,16 @@
id: CVE-2021-45968
info:
name: Pascom CPS Path Traversal
name: Pascom CPS - Local File Inclusion
author: dwisiswant0
severity: high
description: |
Pascom version packaged with Cloud Phone System (CPS)
versions before 7.20 contains a known path traversal issue
Pascom packaged with Cloud Phone System (CPS) versions before 7.20 contain a known local file inclusion vulnerability.
reference:
- https://kerbit.io/research/read/blog/4
- https://www.pascom.net/doc/en/release-notes/
- https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-45968
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -37,5 +37,7 @@ requests:
- type: dsl
dsl:
- "status_code_2 != status_code_1"
- "contains(body_2, 'pascom GmbH &amp; Co KG') || contains(body_3, 'pascom GmbH &amp; Co KG')" # Verifying CMS
condition: and
- "contains(body_2, 'pascom GmbH & Co KG') || contains(body_3, 'pascom GmbH & Co KG')" # Verifying CMS
condition: and
# Enhanced by mp on 2022/06/29
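Review bot: changing `pascom GmbH &amp; Co KG` to `pascom GmbH & Co KG` in the `contains(body_2, ...)` DSL alters the matched bytes; nuclei compares against the raw HTML body, where an ampersand in page text is normally written as `&amp;`, so the new literal may never match and the "Verifying CMS" check would fail closed. Verify against a captured response which form the server actually sends before changing it, or match on a substring that avoids the ampersand (e.g. `pascom GmbH`).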

View File

@ -4,17 +4,17 @@ info:
name: D-Link DAP-1620 - Local File Inclusion
author: 0x_Akoko
severity: high
description: Local File Inclusion due to path traversal in D-Link DAP-1620 leads to unauthorized internal files reading [/etc/passwd] and [/etc/shadow].
description: D-Link DAP-1620 is susceptible to local file Inclusion due to path traversal that can lead to unauthorized internal files reading [/etc/passwd] and [/etc/shadow].
reference:
- https://drive.google.com/drive/folders/19OP09msw8l7CJ622nkvnvnt7EKun1eCG?usp=sharing
- https://www.cvedetails.com/cve/CVE-2021-46381/
- https://www.dlink.com/en/security-bulletin/
- https://nvd.nist.gov/vuln/detail/CVE-2021-46381
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-46381
cwe-id: CWE-22
tags: cve,cve2021,dlink,lfi
tags: cve,cve2021,dlink,lfi,router
requests:
- method: POST
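Review bot: inconsistent capitalization and awkward phrasing in the new description: "local file Inclusion" should be "local file inclusion", and "unauthorized internal files reading [/etc/passwd] and [/etc/shadow]" reads better as "unauthorized reading of internal files such as /etc/passwd and /etc/shadow". Keeping "due to path traversal" in the wording is good, since cwe-id stays CWE-22 while the name now says Local File Inclusion.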
@ -28,3 +28,5 @@ requests:
part: body
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/06/29

View File

@ -1,22 +1,23 @@
id: CVE-2021-46417
info:
name: Franklin Fueling Systems Colibri Controller Module - Local File Inclusion
name: Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion
author: For3stCo1d
severity: high
description: |
Insecure handling of a download function leads to disclosure of internal files due to path traversal with root privileges in Franklin Fueling Systems Colibri Controller Module 1.8.19.8580.
Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 is susceptible to local file inclusion because of insecure handling of a download function that leads to disclosure of internal files due to path traversal with root privileges.
reference:
- https://packetstormsecurity.com/files/166671/Franklin-Fueling-Systems-Colibri-Controller-Module-1.8.19.8580-Local-File-Inclusion.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-46417
- https://drive.google.com/drive/folders/1Yu4aVDdrgvs-F9jP3R8Cw7qo_TC7VB-R
- http://packetstormsecurity.com/files/166610/FFS-Colibri-Controller-Module-1.8.19.8580-Directory-Traversal.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-46417
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-46417
cwe-id: CWE-22
metadata:
verified: true
shodan-query: http.html:"Franklin Fueling Systems"
tags: cve,cve2021,franklinfueling,lfi
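Review bot: the reference list swaps packetstormsecurity file 166671 (the Local File Inclusion advisory) for 166610 (the Directory Traversal advisory) instead of adding it; if both advisories exist, keep both, as they cover the same product version. The new description is also tangled ("susceptible to local file inclusion because of insecure handling of a download function that leads to disclosure of internal files due to path traversal with root privileges"); one cause per clause reads better, e.g. "is susceptible to local file inclusion: insecure handling of a download function allows path traversal that discloses internal files with root privileges."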
@ -30,3 +31,5 @@ requests:
part: body
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/06/29

View File

@ -1,18 +1,19 @@
id: CVE-2022-0165
info:
name: WordPress Page Builder KingComposer <= 2.9.6 - Open Redirect
name: WordPress Page Builder KingComposer <=2.9.6 - Open Redirect
author: akincibor
severity: high
description: The plugin does not validate the id parameter before redirecting the user to it via the kc_get_thumbn AJAX action available to both unauthenticated and authenticated users.
description: WordPress Page Builder KingComposer 2.9.6 and prior does not validate the id parameter before redirecting the user to it via the kc_get_thumbn AJAX action (which is available to both unauthenticated and authenticated users).
reference:
- https://wpscan.com/vulnerability/906d0c31-370e-46b4-af1f-e52fbddd00cb
tags: cve,cve2022,wp-plugin,redirect,wordpress
- https://nvd.nist.gov/vuln/detail/CVE-2022-0165
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
cvss-score: 8.80
cve-id: CVE-2022-0165
cwe-id: CWE-601
tags: cve,cve2022,wp-plugin,redirect,wordpress,wp
requests:
- method: GET
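Review bot: cvss-score is written as `8.80` in this classification block while every other template in the PR uses one decimal (`8.8`, `7.5`); since the hunk already touches the surrounding lines, normalize it to `8.8`.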
@ -23,4 +24,6 @@ requests:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
# Enhanced by mp on 2022/06/29

View File

@ -1,22 +1,22 @@
id: CVE-2022-1119
info:
name: WordPress Simple File List < 3.2.8 - Arbitrary File Retrieval
name: WordPress Simple File List <3.2.8 - Local File Inclusion
author: random-robbie
severity: high
description: |
The Wordpress plugin is vulnerable to arbitrary file retrieval via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which make it possible for unauthenticated attackers retrieve arbitrary files.
WordPress Simple File List before 3.2.8 is vulnerable to local file inclusion via the eeFile parameter in the ~/includes/ee-downloader.php due to missing controls which make it possible for unauthenticated attackers retrieve arbitrary files.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-1119
- https://wpscan.com/vulnerability/5551038f-64fb-44d8-bea0-d2f00f04877e
- https://wpscan.com/vulnerability/075a3cc5-1970-4b64-a16f-3ec97e22b606
- https://plugins.trac.wordpress.org/browser/simple-file-list/trunk/includes/ee-downloader.php?rev=2071880
- https://nvd.nist.gov/vuln/detail/CVE-2022-1119
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-1119
cwe-id: CWE-22
tags: cve,cve2022,lfi,wordpress
tags: cve,cve2022,lfi,wordpress,wp,wp-plugin
requests:
- method: GET
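Review bot: the rewritten description is missing a word in two places: "eeFile parameter in the ~/includes/ee-downloader.php" dropped "file" after the path, and "make it possible for unauthenticated attackers retrieve arbitrary files" needs "to" before "retrieve" (the old line had the same omission). Suggested: "... via the eeFile parameter in the ~/includes/ee-downloader.php file, due to missing controls which make it possible for unauthenticated attackers to retrieve arbitrary files."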
@ -25,6 +25,7 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
@ -35,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/06/29

View File

@ -1,21 +1,21 @@
id: CVE-2022-1392
info:
name: Videos sync PDF <= 1.7.4 - Unauthenticated LFI
name: WordPress Videos sync PDF <=1.7.4 - Local File Inclusion
author: Veshraj
severity: high
description: The plugin does not validate the p parameter before using it in an include statement, which could lead to Local File Inclusion issues.
description: WordPress Videos sync PDF 1.7.4 and prior does not validate the p parameter before using it in an include statement, which could lead to local file inclusion.
reference:
- https://wpscan.com/vulnerability/fe3da8c1-ae21-4b70-b3f5-a7d014aa3815
- https://packetstormsecurity.com/files/166534/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1392
- https://nvd.nist.gov/vuln/detail/CVE-2022-1392
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-1392
metadata:
verified: true
tags: lfi,wp-plugin,cve,cve2022,wp,wordpress,unauth
tags: cve,cve2022,lfi,wp-plugin,wp,wordpress,unauth
requests:
- method: GET
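Review bot: the classification block has no cwe-id, while the other local file inclusion templates touched by this PR (CVE-2021-46381, CVE-2021-46417, CVE-2022-1119) carry `cwe-id: CWE-22`; add it here if NVD assigns that weakness to CVE-2022-1392 so the lfi tag and the CWE stay consistent across templates.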
@ -34,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/06/29

View File

@ -1,23 +1,23 @@
id: CVE-2022-1713
info:
name: Drawio - SSRF on /proxy endpoint
name: Drawio <18.0.4 - Server-Side Request Forgery
author: pikpikcu
severity: high
description: |
SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4. An attacker can make a request as the server and read its contents. This can lead to a leak of sensitive information.
Drawio prior to 18.0.4 is vulnerable to server-side request forgery. An attacker can make a request as the server and read its contents. This can lead to a leak of sensitive information.
reference:
- https://huntr.dev/bounties/cad3902f-3afb-4ed2-abd0-9f96a248de11
- https://nvd.nist.gov/vuln/detail/CVE-2022-1713
- https://github.com/jgraph/drawio/commit/283d41ec80ad410d68634245cf56114bc19331ee
- https://nvd.nist.gov/vuln/detail/CVE-2022-1713
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-1713
cwe-id: CWE-918
metadata:
verified: true
shodan-query: http.title:"Flowchart Maker"
verified: "true"
tags: cve,cve2022,drawio,ssrf,oss
requests:
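Review bot: `verified: true` was changed to `verified: "true"`, turning a boolean into a string; the BigAnt template in this same PR (CVE-2022-23347) adds `verified: true` unquoted, so the two disagree and any tooling that filters on the boolean will skip this template. Keep the unquoted form.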
@ -31,9 +31,11 @@ requests:
- type: word
part: body
words:
- "<title>Flowchart Maker &amp; Online Diagram Software</title>"
- "<title>Flowchart Maker & Online Diagram Software</title>"
- type: word
part: header
words:
- "application/octet-stream"
# Enhanced by mp on 2022/06/29
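Review bot: replacing `&amp;` with `&` in the `<title>` word matcher is likely a regression: a page that renders the title "Flowchart Maker & Online Diagram Software" normally carries `&amp;` in its HTML source, which is what the body matcher sees, so the new literal would never match. Check the raw response of a drawio instance before merging, or match on `<title>Flowchart Maker` so the template does not depend on the entity encoding either way.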

View File

@ -1,24 +1,24 @@
id: CVE-2022-21500
info:
name: Oracle E-Business - Login Panel Registration Accessible
name: Oracle E-Business Suite <=12.2 - Authentication Bypass
author: 3th1c_yuk1,tess
severity: high
description: |
Vulnerability in Oracle E-Business Suite (component: Manage Proxies). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle E-Business Suite. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle E-Business Suite accessible data. Note: Authentication is required for successful attack, however the user may be self-registered.
Oracle E-Business Suite (component: Manage Proxies) 12.1 and 12.2 are susceptible to an easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise it by self-registering for an account. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle E-Business Suite accessible data.
reference:
- https://orwaatyat.medium.com/my-new-discovery-in-oracle-e-business-login-panel-that-allowed-to-access-for-all-employees-ed0ec4cad7ac
- https://twitter.com/GodfatherOrwa/status/1514720677173026816
- https://nvd.nist.gov/vuln/detail/CVE-2022-21500
- https://www.oracle.com/security-alerts/alert-cve-2022-21500.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-21500
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-21500
metadata:
verified: true
shodan-query: http.title:"Login" "X-ORACLE-DMS-ECID" 200
verified: "true"
tags: oracle,misconfig,cve,cve2022
tags: cve,cve2022,oracle,misconfig,auth-bypass
requests:
- method: GET
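Review bot: the rewritten description drops the original caveat "Authentication is required for successful attack, however the user may be self-registered" and folds it into "unauthenticated attacker ... by self-registering for an account", which is contradictory as written; keep the note that an account is required but can be self-registered, since that open registration is the misconfiguration the template detects. Also, `verified: true` became `verified: "true"` here as in the drawio template; keep the boolean unquoted.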
@ -37,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/06/29

View File

@ -1,13 +1,13 @@
id: CVE-2022-23347
info:
name: BigAnt Software BigAnt Server v5.6.06 - Directory Traversal
name: BigAnt Server v5.6.06 - Local File Inclusion
author: 0x_Akoko
severity: high
description: BigAnt Software BigAnt Server v5.6.06 was discovered to be vulnerable to directory traversal attacks.
description: BigAnt Server v5.6.06 is vulnerable to local file inclusion.
reference:
- https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23347
- https://www.cvedetails.com/cve/CVE-2022-23347
- https://nvd.nist.gov/vuln/detail/CVE-2022-23347
- http://bigant.com
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
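Review bot: `http://bigant.com` added to reference is the vendor homepage, not a vulnerability reference, and it is plain http; either replace it with the vendor's advisory for CVE-2022-23347 if one exists or drop it, keeping the bzyo PoC and NVD links.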
@ -15,6 +15,7 @@ info:
cve-id: CVE-2022-23347
cwe-id: CWE-22
metadata:
verified: true
shodan-query: http.html:"BigAnt"
tags: cve,cve2022,bigant,lfi
@ -36,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/06/29

View File

@ -1,16 +1,18 @@
id: CVE-2022-24856
info:
name: Flyte Console < 0.52.0 - Server Side Request Forgery (SSRF)
name: Flyte Console <0.52.0 - Server-Side Request Forgery
author: pdteam
severity: high
description: |
FlyteConsole is the web user interface for the Flyte platform. FlyteConsole prior to version 0.52.0 is vulnerable to server-side request forgery (SSRF) when FlyteConsole is open to the general internet. An attacker can exploit any user of a vulnerable instance to access the internal metadata server or other unauthenticated URLs. Passing of headers to an unauthorized actor may occur. The patch for this issue deletes the entire `cors_proxy`, as this is not required for console anymore. A patch is available in FlyteConsole version 0.52.0. Disable FlyteConsole availability on the internet as a workaround.
FlyteConsole is the web user interface for the Flyte platform. FlyteConsole prior to version 0.52.0 is vulnerable to server-side request forgery when FlyteConsole is open to the general internet. An attacker can exploit any user of a vulnerable instance to access the internal metadata server or other unauthenticated URLs. Passing of headers to an unauthorized actor may occur.
remediation: |
The patch for this issue deletes the entire cors_proxy, as this is no longer required for the console. A patch is available in FlyteConsole version 0.52.0, or as a work-around disable FlyteConsole.
reference:
- https://github.com/flyteorg/flyteconsole/security/advisories/GHSA-www6-hf2v-v9m9
- https://github.com/flyteorg/flyteconsole/pull/389
- https://nvd.nist.gov/vuln/detail/CVE-2022-24856
- https://hackerone.com/reports/1540906
- https://nvd.nist.gov/vuln/detail/CVE-2022-24856
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
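Review bot: the new remediation text changes the meaning of the workaround: the original line says "Disable FlyteConsole availability on the internet as a workaround", while the rewrite says "or as a work-around disable FlyteConsole", i.e. turn the console off entirely. Restore the scope (e.g. "or, as a workaround, do not expose FlyteConsole to the internet"); "work-around" should also be "workaround" to match the wording used in the description.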
@ -27,3 +29,5 @@ requests:
- type: word
words:
- "Interactsh Server"
# Enhanced by mp on 2022/06/29

View File

@ -1,11 +1,11 @@
id: CVE-2022-24900
info:
name: Piano LED Visualizer 1.3 - Directory traversal
name: Piano LED Visualizer 1.3 - Local File Inclusion
author: 0x_Akoko
severity: high
description: |
Piano LED Visualizer is software that allows LED lights to light up as a person plays a piano connected to a computer. Version 1.3 and prior are vulnerable to a path traversal attack.
Piano LED Visualizer 1.3 and prior are vulnerable to local file inclusion.
reference:
- https://github.com/onlaj/Piano-LED-Visualizer/issues/350
- https://vuldb.com/?id.198714
@ -16,7 +16,7 @@ info:
cvss-score: 8.6
cve-id: CVE-2022-24900
cwe-id: CWE-610
tags: lfi,cve2022,cve,piano,iot,oss
tags: cve,cve2022,lfi,piano,iot,oss
requests:
- method: GET
@ -33,3 +33,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/06/29

View File

@ -1,13 +1,13 @@
id: CVE-2022-25216
info:
name: DVDFab 12 Player/PlayerFab - Arbitrary File Read
name: DVDFab 12 Player/PlayerFab - Local File Inclusion
author: 0x_Akoko
severity: high
description: An absolute path traversal vulnerability allows a remote attacker to download any file on the Windows file system for which the user account running DVDFab 12 Player (recently renamed PlayerFab) has read-access
description: DVDFab 12 Player/PlayerFab is susceptible to local file inclusion which allows a remote attacker to download any file on the Windows file system for which the user account running DVDFab 12 Player (recently renamed PlayerFab) has read-access.
reference:
- https://www.tenable.com/security/research/tra-2022-07
- https://www.cvedetails.com/cve/CVE-2022-25216
- https://nvd.nist.gov/vuln/detail/CVE-2022-25216
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
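Review bot: naming this "Local File Inclusion" is a stretch for what the description still calls an absolute path traversal that lets a remote attacker download files: nothing is included or executed, and the old "Arbitrary File Read" was the more accurate label. If the rename is kept for consistency with the lfi tag used across this PR, at least keep "absolute path traversal" in the description so the wording and the CWE-22 classification line up.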
@ -33,3 +33,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/06/29

View File

@ -4,10 +4,11 @@ info:
name: u5cms v8.3.5 - Open Redirect
author: 0x_Akoko
severity: medium
description: An issue was discovered in u5cms verion 8.3.5 There is a URL redirection vulnerability that can cause a user's browser to be redirected to another site via /loginsave.php.
description: |
u5cms version 8.3.5 contains a URL redirection vulnerability that can cause a user's browser to be redirected to another site via /loginsave.php.
reference:
- https://github.com/u5cms/u5cms/issues/50
- https://www.cvedetails.com/cve/CVE-2022-32444
- https://nvd.nist.gov/vuln/detail/CVE-2022-32444
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -25,3 +26,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by cs 05/30/2022
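Review bot: the trailing comment uses a different date format (`# Enhanced by cs 05/30/2022`) from every other template in this PR (`# Enhanced by mp on 2022/06/29`); use the YYYY/MM/DD form for consistency.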