From 3c012b137d147ca0369a5f249add6ea04651b219 Mon Sep 17 00:00:00 2001
From: Sullo
Date: Thu, 30 Sep 2021 15:35:17 -0400
Subject: [PATCH 01/11] Break CVE-2016-4975 into its own template
---
 cves/2016/CVE-2016-4975.yml | 25 +++++++++++++++++++++
 vulnerabilities/generic/crlf-injection.yaml | 1 -
 2 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 cves/2016/CVE-2016-4975.yml
diff --git a/cves/2016/CVE-2016-4975.yml b/cves/2016/CVE-2016-4975.yml
new file mode 100644
index 0000000000..bdbee8848e
--- /dev/null
+++ b/cves/2016/CVE-2016-4975.yml
@@ -0,0 +1,25 @@
+id: CVE-2016-4975
+
+info:
+ name: Apache mod_userdir CRLF injection
+ author: melbadry9,nadino,xElkomy,sullo
+ severity: low
+ description: Apache CRLF injection allowing HTTP response splitting attacks on sites using mod_userdir.
+ tags: crlf,generic,cves,cve2016
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2016-4975
+ cwe-id: CWE-93
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/~user/%0D%0ASet-Cookie:crlfinjection"
+
+ stop-at-first-match: true
+ matchers:
+ - type: regex
+ regex:
+ - '(?m)^(?:Set-Cookie\s*?:(?:\s*?|.*?;\s*?))(crlfinjection=crlfinjection)(?:\s*?)(?:$|;)'
+ part: header
diff --git a/vulnerabilities/generic/crlf-injection.yaml b/vulnerabilities/generic/crlf-injection.yaml
index b06abf0aa2..2fe6563ca0 100644
--- a/vulnerabilities/generic/crlf-injection.yaml
+++ b/vulnerabilities/generic/crlf-injection.yaml
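Review bot: The matcher in the new template cannot fire on its own payload: the `path` entry injects `Set-Cookie:crlfinjection`, but the regex capture group only accepts `crlfinjection=crlfinjection`, so even a server that reflects the CRLF into the response headers produces no match. Either send `"{{BaseURL}}/~user/%0D%0ASet-Cookie:crlfinjection=crlfinjection"` or loosen the group to `(crlfinjection(?:=crlfinjection)?)`. `severity: low` also disagrees with the `cvss-score: 6.1` a few lines below, which sits in the medium band. The info block has no `reference:` list, while every other template touched in this series carries one; the NVD entry for the `cve-id` would be the minimum. The `tags` line uses `cves,cve2016`, as do patches 02 (`cves,cve2010`) and 06 (`cves,cves2001`), whereas the existing CVE-2013-7240 template in patch 11 uses `cve,cve2013`; one spelling should be picked for the whole series.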
@@ -16,7 +16,6 @@ requests: - "{{BaseURL}}/%0ASet-Cookie:crlfinjection=crlfinjection" - "{{BaseURL}}/%3F%0DSet-Cookie%3Acrlfinjection=crlfinjection" - "{{BaseURL}}/%0ASet-Cookie%3Acrlfinjection/.." # Apache - - "{{BaseURL}}/~user/%0D%0ASet-Cookie:crlfinjection" # CVE-2016-4975 - "{{BaseURL}}/?Page=%0D%0ASet-Cookie:crlfinjection=crlfinjection&_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&callback=%0D%0ASet-Cookie:crlfinjection=crlfinjection&checkout_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&content=%0D%0ASet-Cookie:crlfinjection=crlfinjection&continue=%0D%0ASet-Cookie:crlfinjection=crlfinjection&continueTo=%0D%0ASet-Cookie:crlfinjection=crlfinjection&counturl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&data=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dest=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dest_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dir=%0D%0ASet-Cookie:crlfinjection=crlfinjection&document=%0D%0ASet-Cookie:crlfinjection=crlfinjection&domain=%0D%0ASet-Cookie:crlfinjection=crlfinjection&done=%0D%0ASet-Cookie:crlfinjection=crlfinjection&download=%0D%0ASet-Cookie:crlfinjection=crlfinjection&feed=%0D%0ASet-Cookie:crlfinjection=crlfinjection&file=%0D%0ASet-Cookie:crlfinjection=crlfinjection&host=%0D%0ASet-Cookie:crlfinjection=crlfinjection&html=%0D%0ASet-Cookie:crlfinjection=crlfinjection&http=%0D%0ASet-Cookie:crlfinjection=crlfinjection&https=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image_src=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&imageurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&include=%0D%0ASet-Cookie:crlfinjection=crlfinjection&media=%0D%0ASet-Cookie:crlfinjection=crlfinjection&navigation=%0D%0ASet-Cookie:crlfinjection=crlfinjection&next=%0D%0ASet-Cookie:crlfinjection=crlfinjection&open=%0D%0ASet-Cookie:crlfinjection=crlfinjection&out=%0D%0ASet-Cookie:crlfinjection=crlfinjection&page=%0D%0ASet-Cookie:crlfinjection=crl
finjection&page_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&pageurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&path=%0D%0ASet-Cookie:crlfinjection=crlfinjection&picture=%0D%0ASet-Cookie:crlfinjection=crlfinjection&port=%0D%0ASet-Cookie:crlfinjection=crlfinjection&proxy=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redir=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirect=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirectUri&redirectUrl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&reference=%0D%0ASet-Cookie:crlfinjection=crlfinjection&referrer=%0D%0ASet-Cookie:crlfinjection=crlfinjection&req=%0D%0ASet-Cookie:crlfinjection=crlfinjection&request=%0D%0ASet-Cookie:crlfinjection=crlfinjection&retUrl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return=%0D%0ASet-Cookie:crlfinjection=crlfinjection&returnTo=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return_path=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return_to=%0D%0ASet-Cookie:crlfinjection=crlfinjection&rurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&show=%0D%0ASet-Cookie:crlfinjection=crlfinjection&site=%0D%0ASet-Cookie:crlfinjection=crlfinjection&source=%0D%0ASet-Cookie:crlfinjection=crlfinjection&src=%0D%0ASet-Cookie:crlfinjection=crlfinjection&target=%0D%0ASet-Cookie:crlfinjection=crlfinjection&to=%0D%0ASet-Cookie:crlfinjection=crlfinjection&uri=%0D%0ASet-Cookie:crlfinjection=crlfinjection&url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&val=%0D%0ASet-Cookie:crlfinjection=crlfinjection&validate=%0D%0ASet-Cookie:crlfinjection=crlfinjection&view=%0D%0ASet-Cookie:crlfinjection=crlfinjection&window=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirect_to=%0D%0ASet-Cookie:crlfinjection=crlfinjection" - "{{BaseURL}}/?Test=%0D%0ASet-Cookie:crlfinjection=crlfinjection" From d34e6c1145647903642c273b1a44705e2a69b79b Mon Sep 17 00:00:00 2001 
From: Sullo
Date: Thu, 30 Sep 2021 15:38:59 -0400
Subject: [PATCH 02/11] Add information for CVE-2010-1870
---
 vulnerabilities/lsoft/listserv_maestro_rce.yaml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/vulnerabilities/lsoft/listserv_maestro_rce.yaml b/vulnerabilities/lsoft/listserv_maestro_rce.yaml
index 56b6d5f00f..75e15e4977 100644
--- a/vulnerabilities/lsoft/listserv_maestro_rce.yaml
+++ b/vulnerabilities/lsoft/listserv_maestro_rce.yaml
@@ -1,14 +1,19 @@
-id: maestro-unauth-rce
+id: CVE-2010-1870

 info:
 name: ListSERV Maestro <= 9.0-8 RCE
 author: b0yd
 severity: info
- description: CVE-2010-1870 Struts based OGNL remote code execution in ListSERV Maestro before and including version 9.0-8.
+ description: Struts-based OGNL remote code execution in ListSERV Maestro before and including version 9.0-8.
 reference:
 - https://www.securifera.com/advisories/sec-2020-0001/
 - https://packetstormsecurity.com/files/159643/listservmaestro-exec.txt
- tags: rce,listserv,ognl
+ tags: rce,listserv,ognl,cves,cve2010
+ classification:
+ cvss-metrics: AV:N/AC:L/Au:N/C:N/I:P/A:N
+ cvss-score: 5.0
+ cve-id: CVE-2010-1870
+ cwe-id: CWE-917

 requests:
 - method: GET
@@ -22,4 +27,4 @@ requests:
 - 'LISTSERV Maestro\s+9\.0-[123456780]'
 - 'LISTSERV Maestro\s+[5678]'
 - 'Administration Hub 9\.0-[123456780]'
- - 'Administration Hub [5678]'
\ No newline at end of file
+ - 'Administration Hub [5678]'
From 7adfd01163a12ec99a526c6cf9dc6cc667cb1a65 Mon Sep 17 00:00:00 2001
From: Sullo
Date: Thu, 30 Sep 2021 15:39:45 -0400
Subject: [PATCH 03/11] Moving listserv_maestro_rce.yaml to cves folder
---
 .../listserv_maestro_rce.yaml => cves/2010/CVE-2010-1870.yaml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename vulnerabilities/lsoft/listserv_maestro_rce.yaml => cves/2010/CVE-2010-1870.yaml (100%)
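Review bot: `severity: info` is left untouched in the first hunk while the same hunk adds `cvss-score: 5.0` and the template name says RCE; an info rating on a remote code execution check contradicts the score it now carries, so the severity should move up together with the classification (`severity: medium` is what a 5.0 maps to). The `cvss-metrics` value `AV:N/AC:L/Au:N/C:N/I:P/A:N` is a CVSS v2 vector, unlike the `CVSS:3.0/`-prefixed vectors the other templates in this series carry, and nothing marks it as such; a comment such as `# CVSS v2 vector` beside it would stop a reader from treating 5.0 as a v3 score. The `reference:` list still has no NVD entry for the new `cve-id`, which is the one link that lets a reader confirm the id against the cited advisory.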
diff --git a/vulnerabilities/lsoft/listserv_maestro_rce.yaml b/cves/2010/CVE-2010-1870.yaml
similarity index 100%
rename from vulnerabilities/lsoft/listserv_maestro_rce.yaml
rename to cves/2010/CVE-2010-1870.yaml
From 37920b7a888956f88d0b1bd2151a77c95404df9b Mon Sep 17 00:00:00 2001
From: Sullo
Date: Thu, 30 Sep 2021 15:42:07 -0400
Subject: [PATCH 04/11] Add CVE information
---
 network/openssh5.3-detect.yaml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/network/openssh5.3-detect.yaml b/network/openssh5.3-detect.yaml
index 1bfb60d273..a43f9a10b5 100644
--- a/network/openssh5.3-detect.yaml
+++ b/network/openssh5.3-detect.yaml
@@ -1,15 +1,20 @@
-id: openssh5.3-detect
+id: CVE-2016-6210

 info:
 name: OpenSSH 5.3 Detection
 author: iamthefrogy
- severity: low
+ severity: medium
 tags: network,openssh
 description: OpenSSH 5.3 is vulnerable to username enumeration and DoS vulnerabilities.
 reference:
 - http://seclists.org/fulldisclosure/2016/Jul/51
 - https://security-tracker.debian.org/tracker/CVE-2016-6210
 - http://openwall.com/lists/oss-security/2016/08/01/2
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 5.9
+ cve-id: CVE-2016-6210
+ cwe-id: CWE-200

 network:
 - host:
From 0c4dd95bf65ebd5237b10c8c91993d3200e1aede Mon Sep 17 00:00:00 2001
From: Sullo
Date: Thu, 30 Sep 2021 15:43:00 -0400
Subject: [PATCH 05/11] Move openssh5.3-detect.yaml to cves/2016/CVE-2016-6210.yaml
---
 network/openssh5.3-detect.yaml => cves/2016/CVE-2016-6210.yaml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename network/openssh5.3-detect.yaml => cves/2016/CVE-2016-6210.yaml (100%)
diff --git a/network/openssh5.3-detect.yaml b/cves/2016/CVE-2016-6210.yaml
similarity index 100%
rename from network/openssh5.3-detect.yaml
rename to cves/2016/CVE-2016-6210.yaml
From a28eb3f3e99ecec5b276ab2b232ddd597002cd03 Mon Sep 17 00:00:00 2001
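Review bot: The description and the new classification in the openssh5.3-detect hunk disagree: `cwe-id: CWE-200` and a vector ending in `A:N` describe information exposure only, yet the untouched `description` line still claims OpenSSH 5.3 is "vulnerable to username enumeration and DoS vulnerabilities". Trim the description to the enumeration issue that `cve-id: CVE-2016-6210` scores, or move the DoS claim out into a template with its own id and references. `tags: network,openssh` also gains none of the `cves`/`cve2016` tags the sibling templates in this series receive along with their `cve-id`, so tag-based CVE filtering will skip this one. `name: OpenSSH 5.3 Detection` reads as a version fingerprint; under a CVE id, a name that names the flaw would be clearer.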
From: Sullo
Date: Thu, 30 Sep 2021 15:48:27 -0400
Subject: [PATCH 06/11] Add information for CVE-2001-1473
---
 network/deprecated-sshv1-detection.yaml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/network/deprecated-sshv1-detection.yaml b/network/deprecated-sshv1-detection.yaml
index c8dbbcea18..558f27f83f 100644
--- a/network/deprecated-sshv1-detection.yaml
+++ b/network/deprecated-sshv1-detection.yaml
@@ -1,14 +1,19 @@
-id: deprecated-sshv1-detection
+id: CVE-2001-1473

 info:
 name: Deprecated SSHv1 Protocol Detection
 author: iamthefrogy
- severity: medium
- tags: network,ssh,openssh
+ severity: high
+ tags: network,ssh,openssh,cves,cves2001
 description: SSHv1 is deprecated and has known cryptographic issues.
 reference:
 - https://www.kb.cert.org/vuls/id/684820
 - https://nvd.nist.gov/vuln/detail/CVE-2001-1473
+ classification:
+ cvss-metrics: 7.4
+ cvss-score: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
+ cve-id: CVE-2001-1473
+ cwe-id: CWE-310

 network:
 - host:
From f1f6fbe26f62768a709f04840c061a3adb4e0d63 Mon Sep 17 00:00:00 2001
From: Sullo
Date: Thu, 30 Sep 2021 15:49:47 -0400
Subject: [PATCH 07/11] Move deprecated-sshv1-detection.yaml to 2001/CVE-2001-1473.yaml
---
 .../2001/CVE-2001-1473.yaml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename network/deprecated-sshv1-detection.yaml => cves/2001/CVE-2001-1473.yaml (100%)
diff --git a/network/deprecated-sshv1-detection.yaml b/cves/2001/CVE-2001-1473.yaml
similarity index 100%
rename from network/deprecated-sshv1-detection.yaml
rename to cves/2001/CVE-2001-1473.yaml
From 9f04b0abd8b2e82cb0e31b0f9316ec47de8c6d83 Mon Sep 17 00:00:00 2001
From: Sullo
Date: Thu, 30 Sep 2021 15:56:52 -0400
Subject: [PATCH 08/11] Fix field names vs values
---
 cves/2001/CVE-2001-1473.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cves/2001/CVE-2001-1473.yaml b/cves/2001/CVE-2001-1473.yaml
index 558f27f83f..476fa47cd5 100644
--- a/cves/2001/CVE-2001-1473.yaml
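Review bot: `cves2001` on the added `tags:` line is a typo — the year tag elsewhere in this series is spelled `cve` plus the year (`cve2010`, `cve2016`), so a filter on `cve2001` will never select this template; the line should read `tags: network,ssh,openssh,cves,cve2001`. The `cvss-metrics`/`cvss-score` values in the same hunk are swapped, which patch 08 of this series already corrects, so nothing further is needed there. `severity` jumps from medium to high, but the `description` still only says SSHv1 "is deprecated and has known cryptographic issues"; stating the specific weakness behind `cwe-id: CWE-310`, as given in the cited references, would justify the new rating to a reader of the template.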
+++ b/cves/2001/CVE-2001-1473.yaml
@@ -10,8 +10,8 @@ info:
 - https://www.kb.cert.org/vuls/id/684820
 - https://nvd.nist.gov/vuln/detail/CVE-2001-1473
 classification:
- cvss-metrics: 7.4
- cvss-score: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
+ cvss-score: 7.4
+ cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
 cve-id: CVE-2001-1473
 cwe-id: CWE-310

From 1c9238b972db54c8c25cbfe8614de936319f942d Mon Sep 17 00:00:00 2001
From: Sandeep Singh
Date: Fri, 1 Oct 2021 01:33:50 +0530
Subject: [PATCH 09/11] Rename CVE-2016-4975.yml to CVE-2016-4975.yaml
---
 cves/2016/{CVE-2016-4975.yml => CVE-2016-4975.yaml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename cves/2016/{CVE-2016-4975.yml => CVE-2016-4975.yaml} (100%)
diff --git a/cves/2016/CVE-2016-4975.yml b/cves/2016/CVE-2016-4975.yaml
similarity index 100%
rename from cves/2016/CVE-2016-4975.yml
rename to cves/2016/CVE-2016-4975.yaml
From 974493daaaddaa46f46754f8dfb62b653f4d2baa Mon Sep 17 00:00:00 2001
From: Sandeep Singh
Date: Fri, 1 Oct 2021 01:34:54 +0530
Subject: [PATCH 10/11] Update CVE-2016-4975.yaml
---
 cves/2016/CVE-2016-4975.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/cves/2016/CVE-2016-4975.yaml b/cves/2016/CVE-2016-4975.yaml
index bdbee8848e..1bc031521f 100644
--- a/cves/2016/CVE-2016-4975.yaml
+++ b/cves/2016/CVE-2016-4975.yaml
@@ -17,7 +17,6 @@ requests:
 path:
 - "{{BaseURL}}/~user/%0D%0ASet-Cookie:crlfinjection"

- stop-at-first-match: true
 matchers:
 - type: regex
 regex:
From 1bc4c2dffb4eddc66c1b30aaf34684cc1ea6e15e Mon Sep 17 00:00:00 2001
From: Sullo
Date: Thu, 30 Sep 2021 17:16:15 -0400
Subject: [PATCH 11/11] add cve classification
---
 cves/2013/CVE-2013-7240.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/cves/2013/CVE-2013-7240.yaml b/cves/2013/CVE-2013-7240.yaml
index 35cf6180ea..2b8df419a9 100644
--- a/cves/2013/CVE-2013-7240.yaml
+++ b/cves/2013/CVE-2013-7240.yaml
@@ -9,6 +9,11 @@ info:
 - https://www.exploit-db.com/exploits/38936
 - https://nvd.nist.gov/vuln/detail/CVE-2013-7240
 tags: cve,cve2013,wordpress,wp-plugin,lfi
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2013-7240
+ cwe-id: CWE-22

 requests:
 - method: GET