From f55bb45e75961269e3836db1596315b8aa11af29 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Tue, 27 Apr 2021 14:02:08 +0300 Subject: [PATCH 01/11] Give some description --- vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml b/vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml index 4224ce939d..6bae5ac645 100644 --- a/vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml +++ b/vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml @@ -5,6 +5,8 @@ info: author: princechaddha severity: critical reference: https://wpscan.com/vulnerability/10192 + description: | + The Simple File List WordPress plugin was found to be vulnerable to an unauthenticated arbitrary file upload leading to remote code execution. The Python exploit first uploads a file containing PHP code but with a png image file extension. A second request is sent to move (rename) the png file to a PHP file. tags: wordpress,wp-plugin,rce requests: From 1f2b2d05c10ae49ed0dc6c3f6e4e3edb345637f4 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Tue, 27 Apr 2021 16:09:27 +0300 Subject: [PATCH 02/11] False positive in the matcher, the content of the file has: "= 5.3.1 =" in it, not just a number on its own in addition, it has "1. ... something" in it causing FP --- cves/2020/CVE-2020-35489.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2020/CVE-2020-35489.yaml b/cves/2020/CVE-2020-35489.yaml index 38c6fb3ae6..82d8a2fef0 100644 --- a/cves/2020/CVE-2020-35489.yaml +++ b/cves/2020/CVE-2020-35489.yaml @@ -26,5 +26,5 @@ requests: - type: regex regex: - - '^([0-4]\.|5\.[0-2]\.|5\.3\.[0-1]$)' + - '^= ([0-4]\.[0-9\.]+|5\.[0-2]|5\.[0-2]\.[0-9]+|5\.3\.[0-1]) =' part: body \ No newline at end of file From 9ece07bf9a22f6b8ad130a5d0981d339996c3133 Mon Sep 17 00:00:00 2001 
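Review bot: The added `description` documents "the Python exploit" rather than what this template checks, and the upload-then-rename sentences read as exploit steps that the template's `requests:` section (which begins outside this hunk) may or may not actually perform. I would drop the reference to a Python exploit and state the issue plainly, e.g. `description: Simple File List WordPress plugin is vulnerable to unauthenticated arbitrary file upload leading to remote code execution; a file containing PHP code uploaded with a .png extension can then be renamed to .php.`. The affected and fixed version range is not stated anywhere in the hunk; the wpscan advisory in `reference` presumably gives it, and it belongs in the description so a match can be triaged.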
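Review bot: The rewritten regex still anchors with `^`, and in Go's RE2 syntax (nuclei is Go-based) `^` matches only at the very start of the input unless multi-line mode is on, so a `= 5.3.1 =` line anywhere below the first line of the body will never match. Prefix the pattern with the flag: `'(?m)^= ([0-4]\.[0-9\.]+|5\.[0-2]|5\.[0-2]\.[0-9]+|5\.3\.[0-1]) ='`. If the body being matched is the plugin's readme.txt, its changelog keeps headers for every older release, so this pattern would still fire on a patched install; matching the `Stable tag:` line or only the first changelog entry avoids that, though the request is outside this hunk so I cannot confirm which file is fetched.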
From: Noam Rathaus Date: Wed, 28 Apr 2021 14:00:15 +0300 Subject: [PATCH 03/11] Provide reference --- vulnerabilities/other/rce-via-java-deserialization.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vulnerabilities/other/rce-via-java-deserialization.yaml b/vulnerabilities/other/rce-via-java-deserialization.yaml index 371c70b4ae..a9c0f9ff65 100644 --- a/vulnerabilities/other/rce-via-java-deserialization.yaml +++ b/vulnerabilities/other/rce-via-java-deserialization.yaml @@ -4,6 +4,8 @@ info: author: uhnysh severity: critical tags: java,rce + + reference: https://www.synopsys.com/blogs/software-security/mitigate-java-deserialization-vulnerability-jboss/ # This can only be used to detect the vuln, please make sure to run ysoserial over the URLs to verify. From ad9314acdc98880f36689e9d0f4be3c75bd2f1d2 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Wed, 28 Apr 2021 14:17:47 +0300 Subject: [PATCH 04/11] Provide references to the problem (in eclipse site) and how it was fixed (and Jenkins upstream bugs related to this) --- vulnerabilities/jenkins/jenkins-asyncpeople.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/vulnerabilities/jenkins/jenkins-asyncpeople.yaml b/vulnerabilities/jenkins/jenkins-asyncpeople.yaml index c98cc86557..fbf32774eb 100644 --- a/vulnerabilities/jenkins/jenkins-asyncpeople.yaml +++ b/vulnerabilities/jenkins/jenkins-asyncpeople.yaml @@ -5,6 +5,11 @@ info: author: nadino severity: info tags: jenkins + reference: | + - https://bugs.eclipse.org/bugs/show_bug.cgi?id=564944 + - https://issues.jenkins.io/browse/JENKINS-30107 + - https://issues.jenkins.io/browse/JENKINS-18884 + - https://issues.jenkins.io/browse/JENKINS-26469 requests: - method: GET From ecb436df3e8eb80a16fe9ba02cf71ec61d5ee898 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Wed, 28 Apr 2021 15:07:39 +0300 Subject: [PATCH 05/11] Those aren't really regexes --- vulnerabilities/other/vpms-auth-bypass.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
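Review bot: `reference: |` makes the value one literal string containing the four `- https://…` lines, dashes and trailing newline included, rather than a YAML sequence, so any consumer that treats `reference` as a list of URLs receives a single blob. Dropping the `|` and writing `reference:` with the four entries indented beneath it, e.g. `reference:` / `  - https://bugs.eclipse.org/bugs/show_bug.cgi?id=564944` / `  - https://issues.jenkins.io/browse/JENKINS-30107` and so on, yields a real list at no cost. If the template schema in use only accepts a scalar here, a folded `>-` block would at least avoid the stray trailing newline. The indentation of the added lines is not recoverable from the collapsed diff, so I cannot tell whether they sit under `info:` at the right level.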
diff --git a/vulnerabilities/other/vpms-auth-bypass.yaml b/vulnerabilities/other/vpms-auth-bypass.yaml index 0ba70b06af..610c0e676f 100644 --- a/vulnerabilities/other/vpms-auth-bypass.yaml +++ b/vulnerabilities/other/vpms-auth-bypass.yaml @@ -24,8 +24,8 @@ requests: matchers-condition: and matchers: - - type: regex - regex: + - type: word + words: - "LAGOS PARKER" - "Login Successfully" - "location.href = 'index.php';" From 91b6b1b17596196ce097966b01fc2b333cc2c052 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Thu, 29 Apr 2021 08:57:39 +0300 Subject: [PATCH 06/11] Make references visible --- vulnerabilities/other/wems-manager-xss.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/vulnerabilities/other/wems-manager-xss.yaml b/vulnerabilities/other/wems-manager-xss.yaml index 2851b9d3ec..6678db4095 100644 --- a/vulnerabilities/other/wems-manager-xss.yaml +++ b/vulnerabilities/other/wems-manager-xss.yaml @@ -6,9 +6,9 @@ info: severity: medium tags: xss - # Source - # https://packetstormsecurity.com/files/155777/WEMS-Enterprise-Manager-2.58-Cross-Site-Scripting.html - # https://github.com/pikpikcu/nuclei-templates/blob/master/vulnerabilities/wems-enterprise-xss.yaml + reference: | + - https://packetstormsecurity.com/files/155777/WEMS-Enterprise-Manager-2.58-Cross-Site-Scripting.html + - https://github.com/pikpikcu/nuclei-templates/blob/master/vulnerabilities/wems-enterprise-xss.yaml requests: - method: GET From a7de9915c73c97ed287de0a953d3e67229ca3536 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Thu, 29 Apr 2021 08:58:02 +0300 Subject: [PATCH 07/11] Removed self-reference --- vulnerabilities/other/wems-manager-xss.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/vulnerabilities/other/wems-manager-xss.yaml b/vulnerabilities/other/wems-manager-xss.yaml index 6678db4095..b3f7b4ace4 100644 --- a/vulnerabilities/other/wems-manager-xss.yaml +++ b/vulnerabilities/other/wems-manager-xss.yaml 
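Review bot: Switching to `type: word` keeps the matcher's default `condition: or`, so a response containing any one of `LAGOS PARKER`, `Login Successfully` or `location.href = 'index.php';` satisfies it, and with `matchers-condition: and` that is the only content check visible in this hunk. `LAGOS PARKER` looks like a fixture or sample-user string and `location.href = 'index.php';` could plausibly appear on an ordinary post-login redirect, so an OR across the three seems prone to false positives; if all three are expected together on a successful bypass, add `condition: and` under `words:`, otherwise keep only the strings specific to the bypassed session. The request that produces this response starts outside the hunk, so I cannot confirm what payload is sent.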
@@ -8,7 +8,6 @@ info: reference: | - https://packetstormsecurity.com/files/155777/WEMS-Enterprise-Manager-2.58-Cross-Site-Scripting.html - - https://github.com/pikpikcu/nuclei-templates/blob/master/vulnerabilities/wems-enterprise-xss.yaml requests: - method: GET From 25a38d34ec45b3b109bbf760074019236826f93e Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Thu, 29 Apr 2021 09:11:35 +0300 Subject: [PATCH 08/11] Missing 's' --- vulnerabilities/jenkins/unauthenticated-jenkin-dashboard.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnerabilities/jenkins/unauthenticated-jenkin-dashboard.yaml b/vulnerabilities/jenkins/unauthenticated-jenkin-dashboard.yaml index 4729b7ea93..009d85a125 100644 --- a/vulnerabilities/jenkins/unauthenticated-jenkin-dashboard.yaml +++ b/vulnerabilities/jenkins/unauthenticated-jenkin-dashboard.yaml @@ -1,7 +1,7 @@ id: unaunthenticated-jenkin info: - name: Unauthenticated Jenkin Dashboard + name: Unauthenticated Jenkins Dashboard author: dhiyaneshDK severity: high tags: jenkins From 574135de9ae5ecbd85e6f18fa9df7f3638eb1f2f Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Thu, 29 Apr 2021 09:12:56 +0300 Subject: [PATCH 09/11] Expose reference --- vulnerabilities/vmware/vmware-vcenter-lfi.yaml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/vulnerabilities/vmware/vmware-vcenter-lfi.yaml b/vulnerabilities/vmware/vmware-vcenter-lfi.yaml index 98fd1d7ad5..c990d11794 100644 --- a/vulnerabilities/vmware/vmware-vcenter-lfi.yaml +++ b/vulnerabilities/vmware/vmware-vcenter-lfi.yaml 
@@ -4,13 +4,11 @@ info: name: VMware vCenter Unauthenticated Arbitrary File Read author: dwisiswant0 severity: high - reference: https://kb.vmware.com/s/article/7960893 + reference: | + - https://kb.vmware.com/s/article/7960893 + - https://twitter.com/ptswarm/status/1316016337550938122 tags: vmware,lfi - # Reference:- - # https://twitter.com/ptswarm/status/1316016337550938122 - # https://kb.vmware.com/s/article/7960893 - requests: - payloads: path: From f898e4b539548fe0e9de09d78df4d46e65a074d1 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Thu, 29 Apr 2021 09:20:58 +0300 Subject: [PATCH 10/11] Correct product name --- vulnerabilities/other/tpshop-directory-traversal.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnerabilities/other/tpshop-directory-traversal.yaml b/vulnerabilities/other/tpshop-directory-traversal.yaml index a072a0cbe9..47af9e5038 100644 --- a/vulnerabilities/other/tpshop-directory-traversal.yaml +++ b/vulnerabilities/other/tpshop-directory-traversal.yaml @@ -1,7 +1,7 @@ id: tpshop-directory-traversal info: - name: Tpshop Directory Traversal + name: TPshop Directory Traversal author: pikpikcu severity: high reference: https://mp.weixin.qq.com/s/3MkN4ZuUYpP2GgPbTzrxbA From cc9d4eddf1dcfc078e2240566dd8d2dc52eac244 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Sat, 1 May 2021 17:22:03 +0530 Subject: [PATCH 11/11] Update rce-via-java-deserialization.yaml --- vulnerabilities/other/rce-via-java-deserialization.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/vulnerabilities/other/rce-via-java-deserialization.yaml b/vulnerabilities/other/rce-via-java-deserialization.yaml index a9c0f9ff65..558d7d240b 100644 --- a/vulnerabilities/other/rce-via-java-deserialization.yaml +++ b/vulnerabilities/other/rce-via-java-deserialization.yaml 
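Review bot: The new `reference: |` literal block stores the two URLs as one string that begins with `- ` and ends with a newline, not as a YAML list, which is the same flat shape the deleted `# Reference:-` comment block had, just moved into a field. Writing `reference:` with the two `- https://…` entries indented beneath it (no `|`) gives a real sequence that tooling can iterate over. Removing the commented block itself is fine, since both URLs survive in the field.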
@@ -4,7 +4,6 @@ info: author: uhnysh severity: critical tags: java,rce - reference: https://www.synopsys.com/blogs/software-security/mitigate-java-deserialization-vulnerability-jboss/ # This can only be used to detect the vuln, please make sure to run ysoserial over the URLs to verify.