daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Dashboard Content Enhancements (#4819) 

Dashboard Content Enhancements
patch-1
MostInterestingBotInTheWorld 2022-07-26 09:45:11 -04:00 committed by GitHub
parent 1d46aaea83
commit c5a7d79f5a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
164 changed files with 876 additions and 371 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
cnvd/2020/CNVD-2020-23735.yaml
View File

@ -1,12 +1,16 @@
id: CNVD-2020-23735
info:
name: Xxunchi Local File read
name: Xxunchi CMS - Local File Inclusion
author: princechaddha
severity: medium
description: Xunyou cms has an arbitrary file reading vulnerability. Attackers can use vulnerabilities to obtain sensitive information.
description: Xunyou CMS is vulnerable to local file inclusion. Attackers can use vulnerabilities to obtain sensitive information.
reference:
- https://www.cnvd.org.cn/flaw/show/2025171
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-22
tags: xunchi,lfi,cnvd,cnvd2020
requests:
@ -26,3 +30,5 @@ requests:
- "NzbwpQSdbY06Dngnoteo2wdgiekm7j4N"
- "display_errors"
condition: and
# Enhanced by mp on 2022/07/22

5
cnvd/2020/CNVD-2020-62422.yaml
View File

@ -1,9 +1,10 @@
id: CNVD-2020-62422
info:
name: Seeyon - Arbitrary File Retrieval
name: Seeyon - Local File Inclusion
author: pikpikcu
severity: medium
description: Seeyon is vulnerable to local file inclusion.
reference:
- https://blog.csdn.net/m0_46257936/article/details/113150699
tags: lfi,cnvd,cnvd2020,seeyon
@ -30,3 +31,5 @@ requests:
words:
- "ctpDataSource.password"
condition: and
# Enhanced by mp on 2022/07/22

7
cves/2008/CVE-2008-5587.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2008-5587
info:
name: phpPgAdmin 4.2.1 - '_language' Local File Inclusion
name: phpPgAdmin <=4.2.1 - Local File Inclusion
author: dhiyaneshDK
severity: medium
description: Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php.
description: phpPgAdmin 4.2.1 is vulnerable to local file inclusion in libraries/lib.inc.php when register globals is enabled. Remote attackers can read arbitrary files via a .. (dot dot) in the _language parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/7363
- http://web.archive.org/web/20210121184707/https://www.securityfocus.com/bid/32670/
- http://web.archive.org/web/20160520063306/http://secunia.com/advisories/33014
- http://web.archive.org/web/20151104173853/http://secunia.com/advisories/33263
- https://nvd.nist.gov/vuln/detail/CVE-2008-5587
classification:
cve-id: CVE-2008-5587
metadata:
@ -31,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/22

2
cves/2009/CVE-2009-1151.yaml
View File

@ -13,7 +13,7 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2009-1151
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cvss-score: 10.0
cve-id: CVE-2009-1151
cwe-id: CWE-77
tags: cve,cve2009,phpmyadmin,rce,deserialization,kev

10
cves/2015/CVE-2015-4666.yaml
View File

@ -1,14 +1,14 @@
id: CVE-2015-4666
info:
name: Xceedium Xsuite 2.4.4.5 - Directory Traversal
name: Xceedium Xsuite <=2.4.4.5 - Local File Inclusion
author: 0x_Akoko
severity: high
description: Directory traversal vulnerability in opm/read_sessionlog.php in Xceedium Xsuite 2.4.4.5 and earlier allows remote attackers to read arbitrary files in the logFile parameter.
description: Xceedium Xsuite 2.4.4.5 and earlier is vulnerable to local file inclusion via opm/read_sessionlog.php that allows remote attackers to read arbitrary files in the logFile parameter.
reference:
- https://www.modzero.com/advisories/MZ-15-02-Xceedium-Xsuite.txt
- https://www.cvedetails.com/cve/CVE-2015-4666
- http://packetstormsecurity.com/files/132809/Xceedium-Xsuite-Command-Injection-XSS-Traversal-Escalation.html
- http://www.modzero.ch/advisories/MZ-15-02-Xceedium-Xsuite.txt
- https://nvd.nist.gov/vuln/detail/CVE-2015-4666
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -31,3 +31,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/13

6
cves/2015/CVE-2015-5354.yaml
View File

@ -4,12 +4,12 @@ info:
name: Novius OS 5.0.1-elche - Open Redirect
author: 0x_Akoko
severity: medium
description: Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login.
description: Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login.
reference:
- https://packetstormsecurity.com/files/132478/Novius-OS-5.0.1-elche-XSS-LFI-Open-Redirect.html
- https://vuldb.com/?id.76181
- https://nvd.nist.gov/vuln/detail/CVE-2015-5354
- http://packetstormsecurity.com/files/132478/Novius-OS-5.0.1-elche-XSS-LFI-Open-Redirect.html
- https://nvd.nist.gov/vul n/detail/CVE-2015-5354
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -27,3 +27,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by mp on 2022/07/22

7
cves/2015/CVE-2015-7780.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2015-7780
info:
name: ManageEngine Firewall Analyzer 8.0 - Directory Traversal
name: ManageEngine Firewall Analyzer <8.0 - Local File Inclusion
author: daffainfo
severity: medium
description: Directory traversal vulnerability in ManageEngine Firewall Analyzer before 8.0.
description: ManageEngine Firewall Analyzer before 8.0 is vulnerable to local file inclusion.
reference:
- https://www.exploit-db.com/exploits/35933
- https://www.cvedetails.com/cve/CVE-2015-7780/
- http://jvndb.jvn.jp/ja/contents/2015/JVNDB-2015-000185.html
- http://jvn.jp/en/jp/JVN21968837/index.html
- https://nvd.nist.gov/vuln/detail/CVE-2015-7780
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5
@ -39,3 +40,5 @@ requests:
part: header
words:
- "application/xml"
# Enhanced by mp on 2022/07/22

7
cves/2018/CVE-2018-1271.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2018-1271
info:
name: Spring MVC Directory Traversal Vulnerability
name: Spring MVC Framework - Local File Inclusion
author: hetroublemakr
severity: medium
description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.
description: Spring MVC Framework versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported are vulnerable to local file inclusion because they allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). A malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.
reference:
- https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d
- https://pivotal.io/security/cve-2018-1271
- http://web.archive.org/web/20210518132800/https://www.securityfocus.com/bid/103699
- https://access.redhat.com/errata/RHSA-2018:1320
- https://nvd.nist.gov/vuln/detail/CVE-2018-1271
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 5.9
@ -30,3 +31,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/22

2
cves/2018/CVE-2018-1335.yaml
View File

@ -5,13 +5,13 @@ info:
author: pikpikcu
severity: high
description: Apache Tika versions 1.7 to 1.17 allow clients to send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients.
remediation: Upgrade to Tika 1.18.
reference:
- https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/
- https://www.exploit-db.com/exploits/47208
- https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E
- http://web.archive.org/web/20210516175956/https://www.securityfocus.com/bid/104001
- https://nvd.nist.gov/vuln/detail/CVE-2018-1335
remediation: Upgrade to Tika 1.18.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.1

8
cves/2018/CVE-2018-13980.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2018-13980
info:
name: Zeta Producer Desktop CMS 14.2.0 - Arbitrary File Retrieval
name: Zeta Producer Desktop CMS <14.2.1 - Local File Inclusion
author: wisnupramoedya
severity: medium
description: The websites that were built from Zeta Producer Desktop CMS before 14.2.1 are vulnerable to unauthenticated file disclosure if the plugin "filebrowser" is installed, because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal.
description: Zeta Producer Desktop CMS before 14.2.1 is vulnerable to local file inclusion if the plugin "filebrowser" is installed because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal.
reference:
- https://www.exploit-db.com/exploits/45016
- https://nvd.nist.gov/vuln/detail/CVE-2018-13980
- https://www.sec-consult.com/en/blog/advisories/remote-code-execution-local-file-disclosure-zeta-producer-desktop-cms/
- http://packetstormsecurity.com/files/148537/Zeta-Producer-Desktop-CMS-14.2.0-Code-Execution-File-Disclosure.html
- https://nvd.nist.gov/vuln/detail/CVE-2018-13980
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 5.5
@ -32,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/22

4
cves/2018/CVE-2018-15535.yaml
View File

@ -4,7 +4,7 @@ info:
name: Responsive FileManager <9.13.4 - Local File Inclusion
author: daffainfo
severity: high
description: Responsive FileManager before version 9.13.4 is susceptible to local file inclusion via filemanager/ajax_calls.php because it uses external input to construct a pathname that should be within a restricted directory. Instead, because it does not properly neutralize get_file sequences such as ".." can resolve to a location that is outside of that directory, aka local file inclusion.
description: Responsive FileManager before version 9.13.4 is vulnerable to local file inclusion via filemanager/ajax_calls.php because it uses external input to construct a pathname that should be within a restricted directory, aka local file inclusion.
reference:
- https://www.exploit-db.com/exploits/45271
- https://nvd.nist.gov/vuln/detail/CVE-2018-15535
@ -33,4 +33,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/07/07
# Enhanced by mp on 2022/07/08

9
cves/2018/CVE-2018-16059.yaml
View File

@ -1,15 +1,14 @@
id: CVE-2018-16059
info:
name: WirelessHART Fieldgate SWG70 3.0 - Directory Traversal
name: WirelessHART Fieldgate SWG70 3.0 - Local File Inclusion
author: daffainfo
severity: medium
description: Endress+Hauser WirelessHART Fieldgate SWG70 3.x devices allow Directory Traversal via the fcgi-bin/wgsetcgi filename parameter.
description: WirelessHART Fieldgate SWG70 3.0 is vulnerable to local file inclusion via the fcgi-bin/wgsetcgi filename parameter.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2018-16059
- https://www.exploit-db.com/exploits/45342
- https://www.exploit-db.com/exploits/45342/
- https://ics-cert.us-cert.gov/advisories/ICSA-19-073-03
- https://nvd.nist.gov/vuln/detail/CVE-2018-16059
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
@ -33,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/22

7
cves/2018/CVE-2018-16133.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2018-16133
info:
name: Cybrotech CyBroHttpServer 1.0.3 Directory Traversal
name: Cybrotech CyBroHttpServer 1.0.3 - Local File Inclusion
author: 0x_Akoko
severity: medium
description: Cybrotech CyBroHttpServer 1.0.3 allows Directory Traversal in the URI.
description: Cybrotech CyBroHttpServer 1.0.3 is vulnerable to local file inclusion in the URI.
reference:
- https://packetstormsecurity.com/files/149177/Cybrotech-CyBroHttpServer-1.0.3-Directory-Traversal.html
- http://www.cybrotech.com/
- https://www.cvedetails.com/cve/CVE-2018-16133
- https://github.com/EmreOvunc/CyBroHttpServer-v1.0.3-Directory-Traversal
- https://nvd.nist.gov/vuln/detail/CVE-2018-16133
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
@ -32,3 +33,5 @@ requests:
- "fonts"
- "extensions"
condition: and
# Enhanced by mp on 2022/07/22

8
cves/2018/CVE-2018-18775.yaml
View File

@ -1,14 +1,14 @@
id: CVE-2018-18775
info:
name: Cross Site Scripting in Microstrategy Web version 7
name: Microstrategy Web 7 - Cross-Site Scripting
author: 0x_Akoko
severity: medium
description: Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the Login.asp Msg parameter
description: Microstrategy Web 7 does not sufficiently encode user-controlled inputs, resulting in cross-site scripting via the Login.asp Msg parameter.
reference:
- https://www.exploit-db.com/exploits/45755
- http://packetstormsecurity.com/files/150059/Microstrategy-Web-7-Cross-Site-Scripting-Traversal.html
- https://www.exploit-db.com/exploits/45755/
- https://nvd.nist.gov/vuln/detail/CVE-2018-18775
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -35,3 +35,5 @@ requests:
words:
- "text/html"
part: header
# Enhanced by mp on 2022/07/22

10
cves/2018/CVE-2018-18777.yaml
View File

@ -1,17 +1,15 @@
id: CVE-2018-18777
info:
name: Path traversal vulnerability in Microstrategy Web version 7
name: Microstrategy Web 7 - Local File Inclusion
author: 0x_Akoko
severity: medium
description: |
Directory traversal vulnerability in Microstrategy Web, version 7, in "/WebMstr7/servlet/mstrWeb" (in the parameter subpage)
allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /..
(slash dot dot) in a pathname used by a web application. NOTE: this is a deprecated product.
Microstrategy Web 7 is vulnerable to local file inclusion via "/WebMstr7/servlet/mstrWeb" (in the parameter subpage). Remote authenticated users can bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application. NOTE: this is a deprecated product.
reference:
- https://www.exploit-db.com/exploits/45755
- http://packetstormsecurity.com/files/150059/Microstrategy-Web-7-Cross-Site-Scripting-Traversal.html
- https://www.exploit-db.com/exploits/45755/
- https://nvd.nist.gov/vuln/detail/CVE-2018-18777
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
cvss-score: 4.3
@ -34,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/22

7
cves/2018/CVE-2018-18778.yaml
View File

@ -1,13 +1,14 @@
id: CVE-2018-18778
info:
name: mini_httpd Path Traversal
name: ACME mini_httpd <1.30 - Local File Inclusion
author: dhiyaneshDK
severity: medium
description: ACME mini_httpd before 1.30 lets remote users read arbitrary files.
description: ACME mini_httpd before 1.30 is vulnerable to local file inclusion.
reference:
- https://www.acunetix.com/vulnerabilities/web/acme-mini_httpd-arbitrary-file-read/
- http://www.acme.com/software/mini_httpd/
- https://nvd.nist.gov/vuln/detail/CVE-2018-18778
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5
@ -31,3 +32,5 @@ requests:
- type: regex
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/07/22

7
cves/2018/CVE-2018-2392.yaml
View File

@ -1,17 +1,18 @@
id: CVE-2018-2392
info:
name: SAP Internet Graphics Server (IGS) XML External Entity
name: SAP Internet Graphics Server (IGS) - XML External Entity Injection
author: _generic_human_
severity: high
description: |
SAP Internet Graphics Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53 has two XXE vulnerabilities within the XMLCHART page - CVE-2018-2392 and CVE-2018-2393. These vulnerabilities occur due to a lack of appropriate validation on the Extension HTML tag when submitting a POST request to the XMLCHART page to generate a new chart.
SAP Internet Graphics Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53 has two XML external entity injection (XXE) vulnerabilities within the XMLCHART page - CVE-2018-2392 and CVE-2018-2393. These vulnerabilities occur due to a lack of appropriate validation on the Extension HTML tag when submitting a POST request to the XMLCHART page to generate a new chart.
reference:
- https://launchpad.support.sap.com/#/notes/2525222
- https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/
- https://www.rapid7.com/db/modules/auxiliary/admin/sap/sap_igs_xmlchart_xxe/
- https://troopers.de/troopers18/agenda/3r38lr/
- https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/sap/sap_igs_xmlchart_xxe.rb
- https://nvd.nist.gov/vuln/detail/CVE-2018-2392
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
cvss-score: 7.5
@ -87,3 +88,5 @@ requests:
- "SAP Internet Graphics Server"
part: header
condition: and
# Enhanced by mp on 2022/07/08

7
cves/2018/CVE-2018-3714.yaml
View File

@ -1,12 +1,13 @@
id: CVE-2018-3714
info:
name: node-srv Path Traversal
name: node-srv - Local File Inclusion
author: madrobot
severity: medium
description: node-srv node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known path.
description: node-srv is vulnerable to local file inclusion due to lack of url validation, which allows a malicious user to read content of any file with known path.
reference:
- https://hackerone.com/reports/309124
- https://nvd.nist.gov/vuln/detail/CVE-2018-3714
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5
@ -27,3 +28,5 @@ requests:
regex:
- "root:.*:0:0:"
part: body
# Enhanced by mp on 2022/07/22

8
cves/2018/CVE-2018-3760.yaml
View File

@ -1,17 +1,17 @@
id: CVE-2018-3760
info:
name: Ruby On Rails Path Traversal
name: Ruby On Rails - Local File Inclusion
author: 0xrudra,pikpikcu
severity: high
description: |
Ruby On Rails is a well-known Ruby Web development framework, which uses Sprockets as a static file server in development environment. Sprockets is a Ruby library that compiles and distributes static resource files.
There is a path traversal vulnerability caused by secondary decoding in Sprockets 3.7.1 and lower versions. An attacker can use %252e%252e/ to access the root directory and read or execute any file on the target server.
Ruby On Rails is vulnerable to local file inclusion caused by secondary decoding in Sprockets 3.7.1 and lower versions. An attacker can use %252e%252e/ to access the root directory and read or execute any file on the target server.
reference:
- https://github.com/vulhub/vulhub/tree/master/rails/CVE-2018-3760
- https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
- https://seclists.org/oss-sec/2018/q2/210
- https://xz.aliyun.com/t/2542
- https://nvd.nist.gov/vuln/detail/CVE-2018-3760
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -46,3 +46,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/08

8
cves/2018/CVE-2018-6008.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2018-6008
info:
name: Joomla! Component Jtag Members Directory 5.3.7 - Arbitrary File Retrieval
name: Joomla! Jtag Members Directory 5.3.7 - Local File Inclusion
author: daffainfo
severity: high
description: Arbitrary file retrieval exists in the Jtag Members Directory 5.3.7 component for Joomla! via the download_file parameter.
description: Joomla! Jtag Members Directory 5.3.7 is vulnerable to local file inclusion via the download_file parameter.
reference:
- https://www.exploit-db.com/exploits/43913
- https://www.cvedetails.com/cve/CVE-2018-6008
- https://packetstormsecurity.com/files/146137/Joomla-Jtag-Members-Directory-5.3.7-Arbitrary-File-Download.html
- https://www.exploit-db.com/exploits/43913/
- https://nvd.nist.gov/vuln/detail/CVE-2018-6008
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -32,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/08

5
cves/2018/CVE-2018-6910.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2018-6910
info:
name: DedeCMS 5.7 path disclosure
name: DedeCMS 5.7 - Path Disclosure
author: pikpikcu
severity: high
description: DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/inc_archives_functions.php
@ -9,6 +9,7 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2018-6910
- https://github.com/kongxin520/DedeCMS/blob/master/DedeCMS_5.7_Bug.md
- https://kongxin.gitbook.io/dedecms-5-7-bug/
- https://nvd.nist.gov/vuln/detail/CVE-2018-6910
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -34,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/08

8
cves/2019/CVE-2019-11013.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2019-11013
info:
name: Nimble Streamer 3.0.2-2 to 3.5.4-9 - Path Traversal
name: Nimble Streamer <=3.5.4-9 - Local File Inclusion
author: 0x_Akoko
severity: medium
description: Nimble Streamer 3.0.2-2 through 3.5.4-9 has a ../ directory traversal vulnerability. Successful exploitation could allow an attacker to traverse the file system to access files or directories that are outside of the restricted directory on the remote server.
description: Nimble Streamer 3.0.2-2 through 3.5.4-9 is vulnerable to local file inclusion. An attacker can traverse the file system to access files or directories that are outside of the restricted directory on the remote server.
reference:
- https://www.exploit-db.com/exploits/47301
- https://nvd.nist.gov/vuln/detail/CVE-2019-11013
- https://mayaseven.com/nimble-directory-traversal-in-nimble-streamer-version-3-0-2-2-to-3-5-4-9/
- http://packetstormsecurity.com/files/154196/Nimble-Streamer-3.x-Directory-Traversal.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-11013
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5
@ -32,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/22

9
cves/2019/CVE-2019-13396.yaml
View File

@ -1,15 +1,14 @@
id: CVE-2019-13396
info:
name: FlightPath Local File Inclusion
name: FlightPath - Local File Inclusion
author: 0x_Akoko,daffainfo
severity: medium
description: FlightPath versions prior to 4.8.2 and 5.0-rc2 suffer from a local file inclusion vulnerability.
description: FlightPath versions prior to 4.8.2 and 5.0-rc2 are vulnerable to local file inclusion.
reference:
- https://www.exploit-db.com/exploits/47121
- https://www.cvedetails.com/cve/CVE-2019-13396/
- https://nvd.nist.gov/vuln/detail/CVE-2019-13396
- http://getflightpath.com/node/2650
- https://nvd.nist.gov/vuln/detail/CVE-2019-13396
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
@ -49,3 +48,5 @@ requests:
internal: true
regex:
- "idden' name='form_token' value='([a-z0-9]+)'>"
# Enhanced by mp on 2022/07/22

8
cves/2019/CVE-2019-14251.yaml
View File

@ -1,14 +1,14 @@
id: CVE-2019-14251
info:
name: T24 in TEMENOS Channels R15.01 - Pre Authenticated Path Traversal
name: T24 Web Server - Local File Inclusion
author: 0x_Akoko
severity: high
description: An unauthenticated path traversal vulnerability was discovered permitting an attacker to exfiltrate data directly from the T24 web server.
description: T24 web server is vulnerable to unauthenticated local file inclusion that permits an attacker to exfiltrate data directly from server.
reference:
- https://github.com/kmkz/exploit/blob/master/CVE-2019-14251-TEMENOS-T24.txt
- https://www.cvedetails.com/cve/CVE-2019-14251
- https://vuldb.com/?id.146815
- https://nvd.nist.gov/vuln/detail/CVE-2019-14251
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -34,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/13

6
cves/2019/CVE-2019-14312.yaml
View File

@ -4,12 +4,12 @@ info:
name: Aptana Jaxer 1.0.3.4547 - Local File inclusion
author: daffainfo
severity: medium
description: Aptana Jaxer 1.0.3.4547 is vulnerable to a local file inclusion vulnerability in the wikilite source code viewer. This vulnerability allows a remote attacker to read internal files on the server via a tools/sourceViewer/index.html?filename=../ URI.
description: Aptana Jaxer 1.0.3.4547 is vulnerable to local file inclusion in the wikilite source code viewer. An attacker can read internal files on the server via a tools/sourceViewer/index.html?filename=../ URI.
reference:
- https://www.exploit-db.com/exploits/47214
- https://www.cvedetails.com/cve/CVE-2019-14312
- http://packetstormsecurity.com/files/153985/Aptana-Jaxer-1.0.3.4547-Local-File-Inclusion.html
- https://github.com/aptana/Jaxer/commits/master
- https://nvd.nist.gov/vuln/detail/CVE-2019-14312
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5
@ -32,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/22

9
cves/2019/CVE-2019-18393.yaml
View File

@ -1,13 +1,14 @@
id: CVE-2019-18393
info:
name: Openfire LFI
name: Ignite Realtime Openfire <4.42 - Local File Inclusion
author: pikpikcu
severity: medium
description: PluginServlet.java in Ignite Realtime Openfire through 4.4.2 does not ensure that retrieved files are located under the Openfire home directory, aka a directory traversal vulnerability.
description: Ignite Realtime Openfire through 4.4.2 is vulnerable to local file inclusion via PluginServlet.java. It does not ensure that retrieved files are located under the Openfire home directory.
reference:
- https://swarm.ptsecurity.com/openfire-admin-console/
- https://github.com/igniterealtime/Openfire/pull/1498
- https://swarm.ptsecurity.com/openfire-admin-console/
- https://nvd.nist.gov/vuln/detail/CVE-2019-18393
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
@ -31,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/22

7
cves/2019/CVE-2019-18665.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2019-18665
info:
name: DOMOS 5.5 - Directory Traversal
name: DOMOS 5.5 - Local File Inclusion
author: 0x_Akoko
severity: high
description: |
The Log module in SECUDOS DOMOS before 5.6 allows local file inclusion.
SECUDOS DOMOS before 5.6 allows local file inclusion via the log module.
reference:
- https://atomic111.github.io/article/secudos-domos-directory_traversal
- https://vuldb.com/?id.144804
- https://www.cvedetails.com/cve/CVE-2019-18665
- https://www.secudos.de/news-und-events/aktuelle-news/domos-release-5-6
- https://nvd.nist.gov/vuln/detail/CVE-2019-18665
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -32,3 +33,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/08

10
cves/2019/CVE-2019-2616.yaml
View File

@ -1,14 +1,14 @@
id: CVE-2019-2616
info:
name: XXE in Oracle Business Intelligence and XML Publisher
name: Oracle Business Intelligence/XML Publisher - XML External Entity Injection
author: pdteam
severity: high
description: Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection
description: Oracle Business Intelligence and XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 are vulnerable to an XML external entity injection attack.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-2616
- https://www.exploit-db.com/exploits/46729
- http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-2616
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvss-score: 7.2
@ -29,4 +29,6 @@ requests:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
- "http"
# Enhanced by mp on 2022/07/08

8
cves/2019/CVE-2019-2767.yaml
View File

@ -1,14 +1,14 @@
id: CVE-2019-2767
info:
name: Oracle Business Intelligence - Publisher XXE
name: Oracle Business Intelligence Publisher - XML External Entity Injection
author: madrobot
severity: high
description: There is an XXE vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware. The supported versions affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher.
description: Oracle Business Intelligence Publisher is vulnerable to an XML external entity injection attack. The supported versions affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise BI Publisher.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-2767
- https://www.exploit-db.com/exploits/46729
- http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-2767
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvss-score: 7.2
@ -26,3 +26,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/07/08

7
cves/2019/CVE-2019-3799.yaml
View File

@ -1,14 +1,15 @@
id: CVE-2019-3799
info:
name: Spring-Cloud-Config-Server Directory Traversal
name: Spring Cloud Config Server - Local File Inclusion
author: madrobot
severity: medium
description: Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.
description: Spring Cloud Config Server versions 2.1.x prior to 2.1.2, 2.0.x prior to 2.0.4, 1.4.x prior to 1.4.6, and older unsupported versions are vulnerable to local file inclusion because they allow applications to serve arbitrary configuration files. An attacker can send a request using a specially crafted URL that can lead to a directory traversal attack.
reference:
- https://github.com/mpgn/CVE-2019-3799
- https://pivotal.io/security/cve-2019-3799
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-3799
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
cvss-score: 6.5
@ -29,3 +30,5 @@ requests:
regex:
- 'root:.*:0:0:'
part: body
# Enhanced by mp on 2022/07/22

8
cves/2019/CVE-2019-6340.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2019-6340
info:
name: Drupal 8 core RESTful Web Services RCE
name: Drupal - Remote Code Execution
author: madrobot
severity: high
description: Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases.
description: Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10 V contain certain field types that do not properly sanitize data from non-form sources, which can lead to arbitrary PHP code execution in some cases.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-6340
- https://www.drupal.org/sa-core-2019-003
- http://web.archive.org/web/20210125004201/https://www.securityfocus.com/bid/107106/
- https://www.synology.com/security/advisory/Synology_SA_19_09
- https://nvd.nist.gov/vuln/detail/CVE-2019-6340
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.1
@ -48,3 +48,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/08

7
cves/2019/CVE-2019-7254.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2019-7254
info:
name: eMerge E3 1.00-06 - Unauthenticated Directory Traversal
name: eMerge E3 1.00-06 - Local File Inclusion
author: 0x_Akoko
severity: high
description: Linear eMerge E3-Series devices allow File Inclusion.
description: Linear eMerge E3-Series devices are vulnerable to local file inclusion.
reference:
- https://www.exploit-db.com/exploits/47616
- https://applied-risk.com/labs/advisories
- https://www.applied-risk.com/resources/ar-2019-005
- http://packetstormsecurity.com/files/155252/Linear-eMerge-E3-1.00-06-Directory-Traversal.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-7254
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -33,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/08

9
cves/2019/CVE-2019-7315.yaml
View File

@ -1,13 +1,14 @@
id: CVE-2019-7315
info:
name: Genie Access WIP3BVAF IP Camera - Directory Traversal
name: Genie Access WIP3BVAF IP Camera - Local File Inclusion
author: 0x_Akoko
severity: high
description: Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera devices through 3.X are vulnerable to directory traversal via the web interface, as demonstrated by reading /etc/shadow.
description: Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera devices through 3.X are vulnerable to local file inclusion via the web interface, as demonstrated by reading /etc/shadow.
reference:
- https://labs.nettitude.com/blog/cve-2019-7315-genie-access-wip3bvaf-ip-camera-directory-traversal/
- https://vuldb.com/?id.136593
- https://www.cvedetails.com/cve/CVE-2019-7315
- https://nvd.nist.gov/vuln/detail/CVE-2019-7315
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -30,3 +31,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/08

7
cves/2019/CVE-2019-8442.yaml
View File

@ -1,13 +1,14 @@
id: CVE-2019-8442
info:
name: JIRA Directory Traversal
name: Jira - Local File Inclusion
author: Kishore Krishna (siLLyDaddy)
severity: high
description: The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check.
description: Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1, allows remote attackers to access files in the Jira webroot under the META-INF directory via local file inclusion.
reference:
- https://jira.atlassian.com/browse/JRASERVER-69241
- http://web.archive.org/web/20210125215006/https://www.securityfocus.com/bid/108460/
- https://nvd.nist.gov/vuln/detail/CVE-2019-8442
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -30,3 +31,5 @@ requests:
words:
- '<groupId>com.atlassian.jira</groupId>'
part: body
# Enhanced by mp on 2022/07/08

7
cves/2019/CVE-2019-8903.yaml
View File

@ -1,14 +1,15 @@
id: CVE-2019-8903
info:
name: Totaljs - Unauthenticated Directory Traversal
name: Totaljs <3.2.3 - Local File Inclusion
author: madrobot
severity: high
description: index.js in Total.js Platform before 3.2.3 allows path traversal.
description: Total.js Platform before 3.2.3 is vulnerable to local file inclusion.
reference:
- https://blog.certimetergroup.com/it/articolo/security/total.js-directory-traversal-cve-2019-8903
- https://github.com/totaljs/framework/commit/c37cafbf3e379a98db71c1125533d1e8d5b5aef7
- https://github.com/totaljs/framework/commit/de16238d13848149f5d1dae51f54e397a525932b
- https://nvd.nist.gov/vuln/detail/CVE-2019-8903
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -29,3 +30,5 @@ requests:
words:
- "apache2.conf"
part: body
# Enhanced by mp on 2022/07/08

9
cves/2019/CVE-2019-9041.yaml
View File

@ -1,13 +1,14 @@
id: CVE-2019-9041
info:
name: ZZZCMS 1.6.1 RCE
name: ZZZCMS 1.6.1 - Remote Code Execution
author: pikpikcu
severity: high
description: An issue was discovered in ZZZCMS zzzphp V1.6.1. In the inc/zzz_template.php file, the parserIfLabel() function's filtering is not strict, resulting in PHP code execution, as demonstrated by the if:assert substring.
description: ZZZCMS zzzphp V1.6.1 is vulnerable to remote code execution via the inc/zzz_template.php file because the parserIfLabel() function's filtering is not strict, resulting in PHP code execution as demonstrated by the if:assert substring.
reference:
- http://www.iwantacve.cn/index.php/archives/118/
- https://www.exploit-db.com/exploits/46454/
- http://www.iwantacve.cn/index.php/archives/118/
- https://nvd.nist.gov/vuln/detail/CVE-2019-9041
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
@ -34,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/08

8
cves/2019/CVE-2019-9922.yaml
View File

@ -1,13 +1,15 @@
id: CVE-2019-9922
info:
name: JE Messenger 1.2.2 Joomla - Directory Traversal
name: Joomla! Harmis Messenger 1.2.2 - Local File Inclusion
author: 0x_Akoko
severity: high
description: An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla. Directory Traversal allows read access to arbitrary files.
description: Joomla! Harmis Messenger 1.2.2 is vulnerable to local file inclusion which could give an attacker read access to arbitrary files.
reference:
- https://github.com/azd-cert/CVE/blob/master/CVEs/CVE-2019-9922.md
- https://www.cvedetails.com/cve/CVE-2019-9922
- https://extensions.joomla.org/extension/je-messenger/
- https://nvd.nist.gov/vuln/detail/CVE-2019-9922
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -30,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/13

2
cves/2020/CVE-2020-0618.yaml
View File

@ -4,7 +4,7 @@ info:
name: Microsoft SQL Server Reporting Services - Remote Code Execution
author: joeldeleep
severity: high
description: Microsoft SQL Server Reporting Services are susceptible to a remote code execution vulnerability when it incorrectly handles page requests.
description: Microsoft SQL Server Reporting Services is vulnerable to a remote code execution vulnerability because it incorrectly handles page requests.
reference:
- https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/
- https://github.com/euphrat1ca/CVE-2020-0618

7
cves/2020/CVE-2020-11455.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2020-11455
info:
name: LimeSurvey 4.1.11 - Path Traversal
name: LimeSurvey 4.1.11 - Local File Inclusion
author: daffainfo
severity: medium
description: LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php.
description: LimeSurvey before 4.1.12+200324 is vulnerable to local file inclusion because it contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php.
reference:
- https://www.exploit-db.com/exploits/48297
- https://www.cvedetails.com/cve/CVE-2020-11455
- https://github.com/LimeSurvey/LimeSurvey/commit/daf50ebb16574badfb7ae0b8526ddc5871378f1b
- http://packetstormsecurity.com/files/157112/LimeSurvey-4.1.11-Path-Traversal.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-11455
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
@ -32,3 +33,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/22

11
cves/2020/CVE-2020-11738.yaml
View File

@ -1,13 +1,11 @@
id: CVE-2020-11738
info:
name: WordPress Duplicator plugin Directory Traversal
name: WordPress Duplicator 1.3.24 & 1.3.26 - Local File Inclusion
author: dwisiswant0
severity: high
description: |
The issue is being actively exploited, and allows attackers
to download arbitrary files, such as the wp-config.php file.
According to the vendor, the vulnerability was only in two
WordPress Duplicator 1.3.24 & 1.3.26 are vulnerable to local file inclusion vulnerabilities that could allow attackers to download arbitrary files, such as the wp-config.php file. According to the vendor, the vulnerability was only in two
versions v1.3.24 and v1.3.26, the vulnerability wasn't
present in versions 1.3.22 and before.
reference:
@ -15,6 +13,7 @@ info:
- https://snapcreek.com/duplicator/docs/changelog/?lite
- https://www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites/
- http://packetstormsecurity.com/files/160621/WordPress-Duplicator-1.3.26-Directory-Traversal-File-Read.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-11738
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -44,4 +43,6 @@ requests:
- "root:.*:0:0:"
- "define\\('DB_(NAME|USER|PASSWORD|HOST|CHARSET|COLLATE)'"
condition: or
part: body
part: body
# Enhanced by mp on 2022/07/13

15
cves/2020/CVE-2020-11853.yaml
View File

@ -1,22 +1,17 @@
id: CVE-2020-11853
info:
name: Micro Focus Operation Bridge Manager RCE
name: Micro Focus Operations Bridge Manager <=2020.05 - Remote Code Execution
author: dwisiswant0
severity: high
description: |
This template supports the detection part only.
UCMDB included in versions 2020.05 and below of Operations Bridge Manager are affected,
but this template can probably also be used to detect Operations Bridge Manager
(containeirized) and Application Performance Management.
Originated from Metasploit module (#14654).
Micro Focus Operations Bridge Manager in versions 2020.05 and below is vulnerable to remote code execution via UCMDB. The vulnerability allows remote attackers to execute arbitrary code on affected installations of Data Center Automation. An attack requires network access and authentication as a valid application user. Originated from Metasploit module (#14654).
reference:
- http://packetstormsecurity.com/files/161366/Micro-Focus-Operations-Bridge-Manager-Remote-Code-Execution.html
- https://softwaresupport.softwaregrp.com/doc/KM03747658
- https://softwaresupport.softwaregrp.com/doc/KM03747949
- https://softwaresupport.softwaregrp.com/doc/KM03747948
- https://nvd.nist.gov/vuln/detail/CVE-2020-11853
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
@ -37,4 +32,6 @@ requests:
- "HttpUcmdbServiceProviderFactoryImpl"
- "ServerVersion=11.6.0"
part: body
condition: and
condition: and
# Enhanced by mp on 2022/07/13

9
cves/2020/CVE-2020-11978.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2020-11978
info:
name: Apache Airflow <= 1.10.10 - 'Example Dag' Remote Code Execution
name: Apache Airflow <=1.10.10 - Remote Code Execution
author: pdteam
severity: high
description: An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
description: Apache Airflow versions 1.10.10 and below are vulnerable to remote code/command injection vulnerabilities in one of the example DAGs shipped with Airflow. This could allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use).
remediation: If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
reference:
- https://github.com/pberba/CVE-2020-11978
- https://nvd.nist.gov/vuln/detail/CVE-2020-11978
- https://twitter.com/wugeej/status/1400336603604668418
- https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2020-11978
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
@ -62,3 +63,5 @@ requests:
- 'contains(body_4, "operator":"BashOperator")'
- 'contains(all_headers_4, "application/json")'
condition: and
# Enhanced by mp on 2022/07/13

7
cves/2020/CVE-2020-13158.yaml
View File

@ -1,10 +1,10 @@
id: CVE-2020-13158
info:
name: Artica Proxy < 4.30.000000 Community Edition - Directory Traversal
name: Artica Proxy Community Edition <4.30.000000 - Local File Inclusion
author: 0x_Akoko
severity: high
description: Artica Proxy before 4.30.000000 Community Edition allows Directory Traversal via the fw.progrss.details.php popup parameter.
description: Artica Proxy Community Edition before 4.30.000000 is vulnerable to local file inclusion via the fw.progrss.details.php popup parameter.
reference:
- https://github.com/InfoSec4Fun/CVE-2020-13158
- https://sourceforge.net/projects/artica-squid/files/
@ -30,3 +30,6 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/13

9
cves/2020/CVE-2020-13700.yaml
View File

@ -1,17 +1,16 @@
id: CVE-2020-13700
info:
name: acf-to-rest-api wordpress plugin IDOR
name: WordPresss acf-to-rest-api <=3.1.0- Insecure Direct Object Reference
author: pikpikcu
severity: high
description: |
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress.
It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a
wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass values.
WordPresss acf-to-rest-ap through 3.1.0 allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that can read sensitive information in the wp_options table such as the login and pass values.
reference:
- https://gist.github.com/mariuszpoplwski/4fbaab7f271bea99c733e3f2a4bafbb5
- https://wordpress.org/plugins/acf-to-rest-api/#developers
- https://github.com/airesvsg/acf-to-rest-api
- https://nvd.nist.gov/vuln/detail/CVE-2020-13700
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -41,3 +40,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/13

9
cves/2020/CVE-2020-14864.yaml
View File

@ -1,13 +1,14 @@
id: CVE-2020-14864
info:
name: Oracle Fusion - "getPreviewImage" Directory Traversal/Local File Inclusion
name: Oracle Fusion - Directory Traversal/Local File Inclusion
author: Ivo Palazzolo (@palaziv)
severity: high
description: Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - "getPreviewImage" Directory Traversal/Local File Inclusion
description: Oracle Business Intelligence Enterprise Edition 5.5.0.0.0, 12.2.1.3.0, and 12.2.1.4.0 are vulnerable to local file inclusion vulnerabilities via "getPreviewImage."
reference:
- http://packetstormsecurity.com/files/159748/Oracle-Business-Intelligence-Enterprise-Edition-5.5.0.0.0-12.2.1.3.0-12.2.1.4.0-LFI.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-14864
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -28,4 +29,6 @@ requests:
- type: regex
regex:
- 'root:.*:0:0:'
part: body
part: body
# Enhanced by mp on 2022/07/13

6
cves/2020/CVE-2020-15050.yaml
View File

@ -1,10 +1,10 @@
id: CVE-2020-15050
info:
name: Suprema BioStar2 - Local File Inclusion (LFI)
name: Suprema BioStar <2.8.2 - Local File Inclusion
author: gy741
severity: high
description: An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal.
description: Suprema BioStar before 2.8.2 Video Extension allows remote attackers can read arbitrary files from the server via local file inclusion.
reference:
- http://packetstormsecurity.com/files/158576/Bio-Star-2.8.2-Local-File-Inclusion.html
- https://www.supremainc.com/en/support/biostar-2-pakage.asp
@ -29,3 +29,5 @@ requests:
- "fonts"
- "extensions"
condition: and
# Enhanced by mp on 2022/07/13

9
cves/2020/CVE-2020-16139.yaml
View File

@ -1,16 +1,17 @@
id: CVE-2020-16139
info:
name: Cisco 7937G Denial-of-Service Reboot Attack
name: Cisco Unified IP Conference Station 7937G - Denial-of-Service
author: pikpikcu
severity: high
description: |
A denial-of-service in Cisco Unified IP Conference Station 7937G 1-4-4-0 through 1-4-5-7 allows attackers restart the device remotely through sending specially crafted packets. Note: We cannot prove this vulnerability exists. Out of an abundance of caution, this CVE is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded.
Cisco Unified IP Conference Station 7937G 1-4-4-0 through 1-4-5-7 allows attackers to restart the device remotely via specially crafted packets that can cause a denial-of-service condition. Note: We cannot prove this vulnerability exists. Out of an abundance of caution, this CVE is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded.
reference:
- https://blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/
- http://packetstormsecurity.com/files/158819/Cisco-7937G-Denial-Of-Service.html
- https://www.blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/
- https://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/unified-ip-phone-7940g/end_of_life_notice_c51-729487.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-16139
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
cvss-score: 7.5
@ -34,4 +35,6 @@ requests:
- "application/xml"
- type: word
words:
- 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
- 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
# Enhanced by mp on 2022/07/13

7
cves/2020/CVE-2020-16952.yaml
View File

@ -1,14 +1,15 @@
id: CVE-2020-16952
info:
name: Microsoft SharePoint Server-Side Include (SSI) and ViewState RCE
name: Microsoft SharePoint - Remote Code Execution
author: dwisiswant0
severity: high
description: A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'.
description: Microsoft SharePoint is vulnerable to a remote code execution when the software fails to check the source markup of an application package.
reference:
- https://srcincite.io/pocs/cve-2020-16952.py.txt
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952
- https://github.com/rapid7/metasploit-framework/blob/1a341ae93191ac5f6d8a9603aebb6b3a1f65f107/documentation/modules/exploit/windows/http/sharepoint_ssi_viewstate.md
- https://nvd.nist.gov/vuln/detail/CVE-2020-16952
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
cvss-score: 7.8
@ -41,3 +42,5 @@ requests:
- 200
- 201
condition: or
# Enhanced by mp on 2022/07/13

7
cves/2020/CVE-2020-17505.yaml
View File

@ -1,13 +1,14 @@
id: CVE-2020-17505
info:
name: Artica Web Proxy 4.30 OS Command Injection
name: Artica Web Proxy 4.30 - OS Command Injection
author: dwisiswant0
severity: high
description: Artica Web Proxy 4.30.000000 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform.
description: Artica Web Proxy 4.30 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform.
reference:
- https://blog.max0x4141.com/post/artica_proxy/
- http://packetstormsecurity.com/files/159267/Artica-Proxy-4.30.000000-Authentication-Bypass-Command-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-17505
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
@ -41,3 +42,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/13

8
cves/2020/CVE-2020-17518.yaml
View File

@ -1,17 +1,17 @@
id: CVE-2020-17518
info:
name: Apache Flink Upload Path Traversal
name: Apache Flink 1.5.1 - Local File Inclusion
author: pdteam
severity: high
description: |
Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system,
through a maliciously modified HTTP HEADER.
Apache Flink 1.5.1 is vulnerable to local file inclusion because of a REST handler that allows file uploads to an arbitrary location on the local file system through a maliciously modified HTTP HEADER.
reference:
- https://github.com/vulhub/vulhub/tree/master/flink/CVE-2020-17518
- https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E
- https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cuser.flink.apache.org%3E
- https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cdev.flink.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2020-17518
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
cvss-score: 7.5
@ -41,3 +41,5 @@ requests:
- type: dsl
dsl:
- 'contains(body, "test-poc") && status_code == 200' # Using CVE-2020-17519 to confirm this.
# Enhanced by mp on 2022/07/13

7
cves/2020/CVE-2020-17519.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2020-17519
info:
name: Apache Flink directory traversal
name: Apache Flink - Local File Inclusion
author: pdteam
severity: high
description: A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process.
description: Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process (aka local file inclusion).
reference:
- https://github.com/B1anda0/CVE-2020-17519
- https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E
- https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cdev.flink.apache.org%3E
- https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cuser.flink.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2020-17519
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -30,3 +31,5 @@ requests:
regex:
- "root:.*:0:0:"
part: body
# Enhanced by mp on 2022/07/13

7
cves/2020/CVE-2020-2036.yaml
View File

@ -1,14 +1,15 @@
id: CVE-2020-2036
info:
name: Palo Alto Networks Reflected XSS
name: Palo Alto Networks PAN-OS Web Interface - Cross Site-Scripting
author: madrobot
severity: high
description: |
A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9.
PAN-OS management web interface is vulnerable to reflected cross-site scripting. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9.
reference:
- https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/
- https://security.paloaltonetworks.com/CVE-2020-2036
- https://nvd.nist.gov/vuln/detail/CVE-2020-2036
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
cvss-score: 8.8
@ -38,3 +39,5 @@ requests:
words:
- "text/html"
part: header
# Enhanced by mp on 2022/07/13

11
cves/2020/CVE-2020-23972.yaml
View File

@ -1,18 +1,17 @@
id: CVE-2020-23972
info:
name: Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload
name: Joomla! Component GMapFP 3.5 - Arbitrary File Upload
author: dwisiswant0
severity: high
description: |
An attacker can access the upload function of the application
without authenticating to the application and also can upload
files due the issues of unrestricted file upload which can be
bypassed by changing Content-Type & name file too double ext.
Joomla! Component GMapFP 3.5 is vulnerable to arbitrary file upload vulnerabilities. An attacker can access the upload function of the application
without authentication and can upload files because of unrestricted file upload which can be bypassed by changing Content-Type & name file too double ext.
reference:
- https://www.exploit-db.com/exploits/49129
- https://raw.githubusercontent.com/me4yoursecurity/Reports/master/README.md
- http://packetstormsecurity.com/files/159072/Joomla-GMapFP-J3.5-J3.5F-Arbitrary-File-Upload.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-23972
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
cvss-score: 7.5
@ -56,3 +55,5 @@ requests:
part: body
regex:
- "window\\.opener\\.(changeDisplayImage|addphoto)\\(\"(.*?)\"\\);"
# Enhanced by mp on 2022/07/13

7
cves/2020/CVE-2020-24571.yaml
View File

@ -1,12 +1,13 @@
id: CVE-2020-24571
info:
name: NexusDB v4.50.22 Path Traversal
name: NexusDB <4.50.23 - Local File Inclusion
author: pikpikcu
severity: high
description: NexusQA NexusDB before 4.50.23 allows the reading of files via ../ directory traversal.
description: NexusQA NexusDB before 4.50.23 allows the reading of files via ../ directory traversal and local file inclusion.
reference:
- https://www.nexusdb.com/mantis/bug_view_advanced_page.php?bug_id=2371
- https://nvd.nist.gov/vuln/detail/CVE-2020-24571
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -29,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/13

7
cves/2020/CVE-2020-24579.yaml
View File

@ -1,13 +1,14 @@
id: CVE-2020-24579
info:
name: D-Link DSL 2888a - Remote Command Execution
name: D-Link DSL 2888a - Authentication Bypass/Remote Command Execution
author: pikpikcu
severity: high
description: An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. An unauthenticated attacker could bypass authentication to access authenticated pages and functionality.
description: D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55 are vulnerable to authentication bypass issues which can lead to remote command execution. An unauthenticated attacker could bypass authentication to access authenticated pages and functionality.
reference:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/d-link-multiple-security-vulnerabilities-leading-to-rce/
- https://www.trustwave.com/en-us/resources/security-resources/security-advisories/
- https://nvd.nist.gov/vuln/detail/CVE-2020-24579
classification:
cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
@ -40,3 +41,5 @@ requests:
- "nobody:[x*]:65534:65534"
- "root:.*:0:0:"
condition: or
# Enhanced by mp on 2022/07/13

10
cves/2020/CVE-2020-24949.yaml
View File

@ -1,18 +1,20 @@
id: CVE-2020-24949
info:
name: PHPFusion 9.03.50 Remote Code Execution
name: PHP-Fusion 9.03.50 - Remote Code Execution
author: geeknik
severity: high
description: Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE).
description: PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution.
reference:
- https://packetstormsecurity.com/files/162852/phpfusion90350-exec.txt
- https://github.com/php-fusion/PHP-Fusion/issues/2312
- http://packetstormsecurity.com/files/162852/PHPFusion-9.03.50-Remote-Code-Execution.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-24949
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2020-24949
cwe-id: CWE-77
tags: cve,cve2020,phpfusion,rce,php
requests:
@ -30,4 +32,6 @@ requests:
- type: word
part: body
words:
- "infusion_db.php"
- "infusion_db.php"
# Enhanced by mp on 2022/07/13

8
cves/2020/CVE-2020-25078.yaml
View File

@ -1,14 +1,14 @@
id: CVE-2020-25078
info:
name: D-Link DCS-2530L Administrator password disclosure
name: D-Link DCS-2530L/DCS-2670L - Administrator Password Disclosure
author: pikpikcu
severity: high
description: An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. The unauthenticated /config/getuser endpoint allows for remote administrator password disclosure.
description: D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices are vulnerable to password disclosures vulnerabilities because the /config/getuser endpoint allows for remote administrator password disclosure.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-25078
- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10180
- https://twitter.com/Dogonsecurity/status/1273251236167516161
- https://nvd.nist.gov/vuln/detail/CVE-2020-25078
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -36,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/15

7
cves/2020/CVE-2020-25540.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2020-25540
info:
name: ThinkAdmin 6 - Arbitrarily File Read (CVE-2020-25540)
name: ThinkAdmin 6 - Local File Inclusion
author: geeknik
severity: high
description: ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthorized attacker can read arbitrary files on a remote server via GET request encode parameter.
description: ThinkAdmin version 6 is affected by a local file inclusion vulnerability because an unauthorized attacker can read arbitrary files on a remote server via GET request encode parameter.
reference:
- https://www.exploit-db.com/exploits/48812
- https://github.com/zoujingli/ThinkAdmin/issues/244
- https://wtfsec.org/posts/thinkadmin-v6-%E5%88%97%E7%9B%AE%E5%BD%95-%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96/
- http://packetstormsecurity.com/files/159177/ThinkAdmin-6-Arbitrary-File-Read.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-25540
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -30,3 +31,5 @@ requests:
- type: regex
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/07/15

10
cves/2020/CVE-2020-25780.yaml
View File

@ -1,14 +1,14 @@
id: CVE-2020-25780
info:
name: Commvault CommCell Directory Traversal
name: Commvault CommCell - Local File Inclusion
author: pdteam
severity: high
description: In CommCell in Commvault before 14.68, 15.x before 15.58, 16.x before 16.44, 17.x before 17.29, and 18.x before 18.13, Directory Traversal can occur such that an attempt to view a log file can instead view a file outside of the log-files folder.
description: CommCell in Commvault before 14.68, 15.x before 15.58, 16.x before 16.44, 17.x before 17.29, and 18.x before 18.13 are vulnerable to local file inclusion because an attacker can view a log file can instead view a file outside of the log-files folder.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-25780
- https://srcincite.io/blog/2021/11/22/unlocking-the-vault.html
- http://kb.commvault.com/article/63264
- https://nvd.nist.gov/vuln/detail/CVE-2020-25780
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -44,4 +44,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/07/15

7
cves/2020/CVE-2020-26073.yaml
View File

@ -1,13 +1,14 @@
id: CVE-2020-26073
info:
name: Cisco SD-WAN vManage Software Directory Traversal
name: Cisco SD-WAN vManage Software - Local File Inclusion
author: madrobot
severity: high
description: |
A vulnerability in the application data endpoints of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to gain access to sensitive information.
Cisco SD-WAN vManage Software in the application data endpoints is vulnerable to local file inclusion which could allow an unauthenticated, remote attacker to gain access to sensitive information.
reference:
- https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-vman-traversal-hQh24tmk.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26073
classification:
cve-id: CVE-2020-26073
tags: cve,cve2020,cisco,lfi
@ -25,3 +26,5 @@ requests:
regex:
- "root:.*:0:0:"
part: body
# Enhanced by mp on 2022/07/15

8
cves/2020/CVE-2020-27191.yaml
View File

@ -1,14 +1,14 @@
id: CVE-2020-27191
info:
name: LionWiki 3.2.11 - LFI
name: LionWiki <3.2.12 - Local File Inclusion
author: 0x_Akoko
severity: high
description: LionWiki before 3.2.12 allows an unauthenticated user to read files as the web server user via crafted string in the index.php f1 variable, aka Local File Inclusion.
description: LionWiki before 3.2.12 allows an unauthenticated user to read files as the web server user via crafted strings in the index.php f1 variable, aka local file inclusion.
reference:
- https://www.junebug.site/blog/cve-2020-27191-lionwiki-3-2-11-lfi
- http://lionwiki.0o.cz/index.php?page=Main+page
- https://www.cvedetails.com/cve/CVE-2020-27191
- https://nvd.nist.gov/vuln/detail/CVE-2020-27191
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -30,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/15

7
cves/2020/CVE-2020-27361.yaml
View File

@ -1,12 +1,13 @@
id: CVE-2020-27361
info:
name: Akkadian Provisioning Manager - Files Listing
name: Akkadian Provisioning Manager 4.50.02 - Sensitive Information Disclosure
author: gy741
severity: high
description: An issue exists within Akkadian Provisioning Manager 4.50.02 which allows attackers to view sensitive information within the /pme subdirectories.
description: Akkadian Provisioning Manager 4.50.02 could allow viewing of sensitive information within the /pme subdirectories.
reference:
- https://www.blacklanternsecurity.com/2021-07-01-Akkadian-CVE/
- https://nvd.nist.gov/vuln/detail/CVE-2020-27191
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -30,3 +31,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/15

8
cves/2020/CVE-2020-27467.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2020-27467
info:
name: Processwire CMS < 2.7.1 - Directory Traversal
name: Processwire CMS <2.7.1 - Local File Inclusion
author: 0x_Akoko
severity: high
description: Local File Inclusion in Processwire CMS < 2.7.1 allows to retrieve arbitrary files via the download parameter to index.php By providing a specially crafted path to the vulnerable parameter, a remote attacker can retrieve the contents of sensitive files on the local system.
description: Processwire CMS prior to 2.7.1 is vulnerable to local file inclusion because it allows a remote attacker to retrieve sensitive files via the download parameter to index.php.
reference:
- https://github.com/Y1LD1R1M-1337/LFI-ProcessWire
- https://processwire.com/
- https://www.cvedetails.com/cve/CVE-2020-27467
- https://github.com/ceng-yildirim/LFI-processwire
- https://nvd.nist.gov/vuln/detail/CVE-2020-27467
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -31,3 +31,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/15

10
cves/2020/CVE-2020-27866.yaml
View File

@ -1,16 +1,16 @@
id: CVE-2020-27866
info:
name: NETGEAR Authentication Bypass vulnerability
name: NETGEAR - Authentication Bypass
author: gy741
severity: high
description: This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020,
Nighthawk AC2100, and Nighthawk AC2400 routers. Authentication is not required to exploit this vulnerability.
description: NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers are vulnerable to authentication bypass vulnerabilities which could allow network-adjacent attackers to bypass authentication on affected installations.
reference:
- https://wzt.ac.cn/2021/01/13/AC2400_vuln/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1451/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27866
- https://kb.netgear.com/000062641/Security-Advisory-for-Password-Recovery-Vulnerabilities-on-Some-Routers
- https://nvd.nist.gov/vuln/detail/CVE-2020-27866
classification:
cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
@ -37,4 +37,6 @@ requests:
- type: word
words:
- 'Debug Enable!'
part: body
part: body
# Enhanced by mp on 2022/07/15

7
cves/2020/CVE-2020-27986.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2020-27986
info:
name: SonarQube unauth
name: SonarQube - Authentication Bypass
author: pikpikcu
severity: high
description: |
SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP,
SVN, and GitLab credentials via the api/settings/values URI.
NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it."
remediation: Reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it."
reference:
- https://csl.com.co/sonarqube-auditando-al-auditor-parte-i/
- https://nvd.nist.gov/vuln/detail/CVE-2020-27866
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -35,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/15

7
cves/2020/CVE-2020-3452.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2020-3452
info:
name: Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) - Arbitrary File Retrieval
name: Cisco Adaptive Security Appliance (ASA)/Firepower Threat Defense (FTD) - Local File Inclusion
author: pdteam
severity: high
description: |
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.
Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software is vulnerable to local file inclusion due to directory traversal attacks that can read sensitive files on a targeted system because of a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.
reference:
- https://twitter.com/aboul3la/status/1286012324722155525
- http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html
@ -13,6 +13,7 @@ info:
- http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html
- http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86
- https://nvd.nist.gov/vuln/detail/CVE-2020-3452
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -31,3 +32,5 @@ requests:
- "INTERNAL_PASSWORD_ENABLED"
- "CONF_VIRTUAL_KEYBOARD"
condition: and
# Enhanced by mp on 2022/07/15

9
cves/2020/CVE-2020-5284.yaml
View File

@ -1,14 +1,15 @@
id: CVE-2020-5284
info:
name: Next.js .next/ limited path traversal
name: Next.js <9.3.2 - Local File Inclusion
author: rootxharsh,iamnoooob,dwisiswant0
severity: medium
description: Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.
description: Next.js versions before 9.3.2 are vulnerable to local file inclusion. An attacker can craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory.
remediation: This issue is fixed in version 9.3.2.
reference:
- https://github.com/zeit/next.js/releases/tag/v9.3.2 https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj
- https://github.com/zeit/next.js/releases/tag/v9.3.2
- https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj
- https://nvd.nist.gov/vuln/detail/CVE-2020-5284
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
cvss-score: 4.3
@ -33,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/22

8
cves/2020/CVE-2020-5405.yaml
View File

@ -1,13 +1,13 @@
id: CVE-2020-5405
info:
name: Spring Cloud Directory Traversal
name: Spring Cloud Config - Local File Inclusion
author: harshbothra_
severity: medium
description: Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server
module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.
description: Spring Cloud Config versions 2.2.x prior to 2.2.2, 2.1.x prior to 2.1.7, and older unsupported versions are vulnerable to local file inclusion because they allow applications to serve arbitrary configuration files through the spring-cloud-config-server module.
reference:
- https://pivotal.io/security/cve-2020-5405
- https://nvd.nist.gov/vuln/detail/CVE-2020-5405
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
cvss-score: 6.5
@ -28,3 +28,5 @@ requests:
regex:
- "root:.*:0:0:"
part: body
# Enhanced by mp on 2022/07/22

7
cves/2020/CVE-2020-8193.yaml
View File

@ -1,14 +1,15 @@
id: CVE-2020-8193
info:
name: Citrix unauthenticated LFI
name: Citrix - Local File Inclusion
author: pdteam
severity: medium
description: Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints.
description: Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 are vulnerable to local file inclusion because they allow unauthenticated access to certain URL endpoints.
reference:
- https://github.com/jas502n/CVE-2020-8193
- http://packetstormsecurity.com/files/160047/Citrix-ADC-NetScaler-Local-File-Inclusion.html
- https://support.citrix.com/article/CTX276688
- https://nvd.nist.gov/vuln/detail/CVE-2020-8193
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
cvss-score: 6.5
@ -73,3 +74,5 @@ requests:
regex:
- "root:.*:0:0:"
part: body
# Enhanced by mp on 2022/07/22

2
cves/2020/CVE-2020-8644.yaml
View File

@ -55,4 +55,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/07/07
# Enhanced by mp on 2022/07/07

10
cves/2021/CVE-2021-21402.yaml
View File

@ -1,18 +1,18 @@
id: CVE-2021-21402
info:
name: Jellyfin prior to 10.7.0 Unauthenticated Arbitrary File Read
name: Jellyfin <10.7.0 - Local File Inclusion
author: dwisiswant0
severity: medium
description: |
Jellyfin allows unauthenticated arbitrary file read. This issue is more prevalent when
Windows is used as the host OS. Servers that are exposed to the public Internet are
potentially at risk. This is fixed in version 10.7.1.
Jellyfin before 10.7.0 is vulnerable to local file inclusion. This issue is more prevalent when Windows is used as the host OS. Servers exposed to public Internet are potentially at risk.
remediation: This is fixed in version 10.7.1.
reference:
- https://securitylab.github.com/advisories/GHSL-2021-050-jellyfin/
- https://github.com/jellyfin/jellyfin/security/advisories/GHSA-wg4c-c9g9-rxhx
- https://github.com/jellyfin/jellyfin/releases/tag/v10.7.1
- https://github.com/jellyfin/jellyfin/commit/0183ef8e89195f420c48d2600bc0b72f6d3a7fd7
- https://nvd.nist.gov/vuln/detail/CVE-2021-21402
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5
@ -42,3 +42,5 @@ requests:
regex:
- "\\[(font|extension|file)s\\]"
part: body
# Enhanced by mp on 2022/07/22

8
cves/2021/CVE-2021-23241.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2021-23241
info:
name: Mercury Router Web Server Directory Traversal
name: MERCUSYS Mercury X18G 1.0.5 Router - Local File Inclusion
author: daffainfo
severity: medium
description: MERCUSYS Mercury X18G 1.0.5 devices allow Directory Traversal via ../ in conjunction with a loginLess or login.htm URI (for authentication bypass) to the web server, as demonstrated by the /loginLess/../../etc/passwd URI.
description: MERCUSYS Mercury X18G 1.0.5 devices are vulnerable to local file inclusion via ../ in conjunction with a loginLess or login.htm URI (for authentication bypass) to the web server, as demonstrated by the /loginLess/../../etc/passwd URI.
reference:
- https://github.com/BATTZION/MY_REQUEST/blob/master/Mercury%20Router%20Web%20Server%20Directory%20Traversal.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-23241
- https://www.mercusys.com/en/
- https://www.mercurycom.com.cn/product-521-1.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-23241
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
@ -32,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/22

9
cves/2021/CVE-2021-26085.yaml
View File

@ -1,15 +1,14 @@
id: CVE-2021-26085
info:
name: Confluence Pre-Authorization Arbitrary File Read in /s/ endpoint - CVE-2021-26085
name: Atlassian Confluence Server - Local File Inclusion
author: princechaddha
severity: medium
description: Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint.
description: Atlassian Confluence Server allows remote attackers to view restricted resources via local file inclusion in the /s/ endpoint.
reference:
- https://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-26085
- https://jira.atlassian.com/browse/CONFSERVER-67893
- http://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-26085
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
@ -36,3 +35,5 @@ requests:
- "<display-name>Confluence</display-name>"
- "com.atlassian.confluence.setup.ConfluenceAppConfig"
condition: and
# Enhanced by mp on 2022/07/22

8
cves/2021/CVE-2021-26086.yaml
View File

@ -1,14 +1,14 @@
id: CVE-2021-26086
info:
name: Jira Limited Local File Read
name: Atlassian Jira Limited - Local File Inclusion
author: cocxanh
severity: medium
description: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint.
description: Affected versions of Atlassian Jira Limited Server and Data Center are vulnerable to local file inclusion because they allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint.
reference:
- https://jira.atlassian.com/browse/JRASERVER-72695
- https://nvd.nist.gov/vuln/detail/CVE-2021-26086
- http://packetstormsecurity.com/files/164405/Atlassian-Jira-Server-Data-Center-8.4.0-File-Read.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-26086
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
@ -33,3 +33,5 @@ requests:
- "</web-app>"
part: body
condition: and
# Enhanced by mp on 2022/07/22

8
cves/2021/CVE-2021-27748.yaml
View File

@ -5,11 +5,11 @@ info:
author: pdteam
severity: high
description: |
IBM WebSphere HCL Digital Experience is susceptible to server-side request forgery vulnerability that impacts on-premise deployments and containers.
IBM WebSphere HCL Digital Experience is vulnerable to server-side request forgery that impacts on-premise deployments and containers.
reference:
- https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/
- https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095665
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27748
- hhttps://nvd.nist.gov/vuln/detail/CVE-2022-31268
classification:
cve-id: CVE-2021-27748
metadata:
@ -35,4 +35,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/07/15

8
cves/2021/CVE-2021-28149.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2021-28149
info:
name: Hongdian Directory Traversal
name: Hongdian H8922 3.0.5 Devices - Local File Inclusion
author: gy741
severity: medium
description: |
Hongdian H8922 3.0.5 devices allow Directory Traversal. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ (e.g., ../../etc/passwd) This can be carried out with a web browser by changing the file name accordingly. Upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server will allow a download of the contents of the /etc/passwd file.
Hongdian H8922 3.0.5 devices are vulnerable to local file inclusion. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ (e.g., ../../etc/passwd) This can be carried out with a web browser by changing the file name accordingly. Upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server will allow a download of the contents of the /etc/passwd file.
reference:
- https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/
- https://nvd.nist.gov/vuln/detail/CVE-2021-28149
- http://en.hongdian.com/Products/Details/H8922
- https://nvd.nist.gov/vuln/detail/CVE-2021-28149
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5
@ -47,3 +47,5 @@ requests:
- "sshd:[x*]"
- "root:[$]"
part: body
# Enhanced by mp on 2022/07/22

6
cves/2021/CVE-2021-28151.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2021-28151
info:
name: Hongdian Command Injection
name: Hongdian H8922 3.0.5 - Remote Command Injection
author: gy741
severity: high
description: |
Hongdian H8922 3.0.5 devices allow OS command injection via shell metacharacters into the ip-address (aka Destination) field to the tools.cgi ping command, which is accessible with the username guest and password guest.
reference:
- https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/
- https://nvd.nist.gov/vuln/detail/CVE-2021-28151
- http://en.hongdian.com/Products/Details/H8922
- https://nvd.nist.gov/vuln/detail/CVE-2021-28151
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
@ -55,3 +55,5 @@ requests:
- "groups="
part: body
condition: and
# Enhanced by mp on 2022/07/15

6
cves/2021/CVE-2021-28377.yaml
View File

@ -1,10 +1,10 @@
id: CVE-2021-28377
info:
name: ChronoForums 2.0.11 - Directory Traversal
name: Joomla! ChronoForums 2.0.11 - Local File Inclusion
author: 0x_Akoko
severity: medium
description: The ChronoForums avatar function is vulnerable through unauthenticated path traversal attacks. This enables unauthenticated attackers to read arbitrary files, for example the Joomla! configuration file which contains credentials.
description: Joomla! ChronoForums 2.0.11 avatar function is vulnerable to local file inclusion through unauthenticated path traversal attacks. This enables an attacker to read arbitrary files, for example the Joomla! configuration file which contains credentials.
reference:
- https://herolab.usd.de/en/security-advisories/usd-2021-0007/
- https://nvd.nist.gov/vuln/detail/CVE-2021-28377
@ -29,3 +29,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/22

7
cves/2021/CVE-2021-28937.yaml
View File

@ -1,13 +1,14 @@
id: CVE-2021-28937
info:
name: Acexy Wireless-N WiFi Repeater Password Disclosure
name: Acexy Wireless-N WiFi Repeater REV 1.0 - Repeater Password Disclosure
author: geeknik
severity: high
description: The password.html page of the Web management interface of the Acexy Wireless-N WiFi Repeater REV 1.0 contains the administrator account password in plaintext.
description: Acexy Wireless-N WiFi Repeater REV 1.0 is vulnerable to password disclosure because the password.html page of the web management interface contains the administrator account password in plaintext.
reference:
- https://blog-ssh3ll.medium.com/acexy-wireless-n-wifi-repeater-vulnerabilities-8bd5d14a2990
- http://acexy.com
- https://nvd.nist.gov/vuln/detail/CVE-2021-28937
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -31,3 +32,5 @@ requests:
- "addCfg('username'"
- "addCfg('newpass'"
condition: and
# Enhanced by mp on 2022/07/15

9
cves/2021/CVE-2021-29442.yaml
View File

@ -1,18 +1,17 @@
id: CVE-2021-29442
info:
name: Nacos prior to 1.4.1 Missing Authentication Check
name: Nacos <1.4.1 - Authentication Bypass
author: dwisiswant0
severity: high
description: |
In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out.
While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users.
These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)
Nacos before version 1.4.1 is vulnerable to authentication bypass because the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql).
reference:
- https://securitylab.github.com/advisories/GHSL-2020-325_326-nacos/
- https://github.com/alibaba/nacos/issues/4463
- https://github.com/alibaba/nacos/pull/4517
- https://github.com/advisories/GHSA-36hp-jr8h-556f
- https://nvd.nist.gov/vuln/detail/CVE-2021-29442
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -37,3 +36,5 @@ requests:
regex:
- "\"TABLENAME\":\"(?:(?:(?:(?:(?:APP_CONFIGDATA_RELATION_[PS]UB|SYS(?:(?:CONGLOMERAT|ALIAS|(?:FI|RO)L)E|(?:(?:ROUTINE)?|COL)PERM|(?:FOREIGN)?KEY|CONSTRAINT|T(?:ABLEPERM|RIGGER)|S(?:TAT(?:EMENT|ISTIC)|EQUENCE|CHEMA)|DEPEND|CHECK|VIEW|USER)|USER|ROLE)S|CONFIG_(?:TAGS_RELATION|INFO_(?:AGGR|BETA|TAG))|TENANT_CAPACITY|GROUP_CAPACITY|PERMISSIONS|SYSCOLUMNS|SYS(?:DUMMY1|TABLES)|APP_LIST)|CONFIG_INFO)|TENANT_INFO)|HIS_CONFIG_INFO)\""
part: body
# Enhanced by mp on 2022/07/15

10
cves/2021/CVE-2021-30497.yaml
View File

@ -1,19 +1,21 @@
id: CVE-2021-30497
info:
name: Ivanti Avalanche Directory Traversal
name: Ivanti Avalanche 6.3.2 - Local File Inclusion
author: gy741
severity: high
description: A directory traversal vulnerability in Ivanti Avalanche allows remote unauthenticated user to access files that reside outside the 'image' folder
description: Ivanti Avalanche 6.3.2 is vulnerable to local file inclusion because it allows remote unauthenticated user to access files that reside outside the 'image' folder.
reference:
- https://ssd-disclosure.com/ssd-advisory-ivanti-avalanche-directory-traversal/
- https://forums.ivanti.com/s/article/Security-Alert-CVE-2021-30497-Directory-Traversal-Vulnerability?language=en_US
- https://help.ivanti.com/wl/help/en_us/aod/5.4/Avalanche/Console/Launching_the_Avalanche.htm
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30497
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-30497
tags: cve,cve2021,avalanche,traversal
cwe-id: CWE-36
tags: cve,cve2021,avalanche,traversal,lfi
requests:
- method: GET
@ -30,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/14

7
cves/2021/CVE-2021-31602.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2021-31602
info:
name: Pentaho <= 9.1 Authentication Bypass of Spring APIs
name: Hitachi Vantara Pentaho/Business Intelligence Server - Authentication Bypass
author: pussycat0x
severity: high
description: An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials.
description: Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x are vulnerable to authentication bypass. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials.
reference:
- https://seclists.org/fulldisclosure/2021/Nov/13
- https://portswigger.net/daily-swig/remote-code-execution-sql-injection-bugs-uncovered-in-pentaho-business-analytics-software
- https://hawsec.com/publications/pentaho/HVPENT210401-Pentaho-BA-Security-Assessment-Report-v1_1.pdf
- https://www.hitachi.com/hirt/security/index.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31602
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -38,3 +39,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/15

7
cves/2021/CVE-2021-3223.yaml
View File

@ -1,14 +1,15 @@
id: CVE-2021-3223
info:
name: Node RED Dashboard - Directory Traversal
name: Node RED Dashboard <2.26.2 - Local File Inclusion
author: gy741,pikpikcu
severity: high
description: Node-RED-Dashboard before 2.26.2 allows ui_base/js/..%2f directory traversal to read files.
description: NodeRED-Dashboard before 2.26.2 is vulnerable to local file inclusion because it allows ui_base/js/..%2f directory traversal to read files.
reference:
- https://github.com/node-red/node-red-dashboard/issues/669
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3223
- https://github.com/node-red/node-red-dashboard/releases/tag/2.26.2
- https://nvd.nist.gov/vuln/detail/CVE-2021-3223
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -37,3 +38,5 @@ requests:
part: body
words:
- "Node-RED web server is listening"
# Enhanced by mp on 2022/07/15

8
cves/2021/CVE-2021-3374.yaml
View File

@ -1,14 +1,14 @@
id: CVE-2021-3374
info:
name: Rstudio Shiny Server Directory Traversal
name: Rstudio Shiny Server <1.5.16 - Local File Inclusion
author: geeknik
severity: medium
description: Rstudio Shiny-Server prior to 1.5.16 is vulnerable to directory traversal and source code leakage. This can be exploited by appending an encoded slash to the URL.
description: Rstudio Shiny Server prior to 1.5.16 is vulnerable to local file inclusion and source code leakage. This can be exploited by appending an encoded slash to the URL.
reference:
- https://github.com/colemanjp/rstudio-shiny-server-directory-traversal-source-code-leak
- https://github.com/colemanjp/shinyserver-directory-traversal-source-code-leak
- https://blog.rstudio.com/2021/01/13/shiny-server-1-5-16-update/
- https://nvd.nist.gov/vuln/detail/CVE-2021-3374
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
@ -34,3 +34,5 @@ requests:
part: body
regex:
- "[A-Za-z].*\\.R"
# Enhanced by mp on 2022/07/22

8
cves/2021/CVE-2021-36749.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2021-36749
info:
name: Apache Druid Authentication Restrictions Bypass
name: Apache Druid - Local File Inclusion
author: _0xf4n9x_
severity: medium
description: In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.
description: Apache Druid ingestion system is vulnerable to local file inclusion. The InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-36749
- https://www.cvedetails.com/cve/CVE-2021-36749/
- https://github.com/BrucessKING/CVE-2021-36749
- https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2021-36749
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5
@ -34,3 +34,5 @@ requests:
- "root:.*:0:0:"
- "druid:*:1000:1000:"
condition: or
# Enhanced by mp on 2022/07/22

8
cves/2021/CVE-2021-41569.yaml
View File

@ -1,13 +1,13 @@
id: CVE-2021-41569
info:
name: SAS 9.4 build 1520 - Local File Inclusion
name: SAS/Internet 9.4 1520 - Local File Inclusion
author: 0x_Akoko
severity: high
description: SAS/Intrnet 9.4 build 1520 and earlier allows Local File Inclusion. The samples library (included by default) in the appstart.sas file, allows end-users of the application to access the sample.webcsf1.sas program, which contains user-controlled macro variables that are passed to the DS2CSF macro.
description: SAS/Internet 9.4 build 1520 and earlier allows local file inclusion. The samples library (included by default) in the appstart.sas file, allows end-users of the application to access the sample.webcsf1.sas program, which contains user-controlled macro variables that are passed to the DS2CSF macro.
reference:
- https://www.mindpointgroup.com/blog/high-risk-vulnerability-discovery-localfileinclusion-sas
- https://nvd.nist.gov/vuln/detail/CVE-2021-41569
- https://support.sas.com/kb/68/641.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-41569
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -30,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/15

6
cves/2022/CVE-2022-0656.yaml
View File

@ -1,10 +1,10 @@
id: CVE-2022-0656
info:
name: uDraw < 3.3.3 - Unauthenticated Arbitrary File Access
name: uDraw <3.3.3 - Local File Inclusion
author: akincibor
severity: high
description: The plugin does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd, wp-config.php etc).
description: uDraw before 3.3.3 does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd, wp-config.php etc).
reference:
- https://wpscan.com/vulnerability/925c4c28-ae94-4684-a365-5f1e34e6c151
- https://nvd.nist.gov/vuln/detail/CVE-2022-0656
@ -40,3 +40,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/22

8
cves/2022/CVE-2022-24129.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2022-24129
info:
name: Shibboleth OIDC OP plugin <3.0.4 - Server-Side Request Forgery
name: Shibboleth OIDC OP <3.0.4 - Server-Side Request Forgery
author: 0x_Akoko
severity: high
description: The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider allows server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter. This allows attackers to interact with arbitrary third-party HTTP services.
description: The Shibboleth Identity Provider OIDC OP plugin before 3.0.4 is vulnerable to server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter, which allows attackers to interact with arbitrary third-party HTTP services.
reference:
- https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220127-01_Shibboleth_IdP_OIDC_OP_Plugin_SSRF
- https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP
- https://nvd.nist.gov/vuln/detail/CVE-2022-24129
- http://shibboleth.net/community/advisories/
- https://nvd.nist.gov/vuln/detail/CVE-2022-24129
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
cvss-score: 8.2
@ -33,3 +33,5 @@ requests:
part: interactsh_request
words:
- "ShibbolethIdp"
# Enhanced by mp on 2022/07/15

7
cves/2022/CVE-2022-26233.yaml
View File

@ -1,15 +1,16 @@
id: CVE-2022-26233
info:
name: Barco Control Room Management Suite - Directory Traversal
name: Barco Control Room Management Suite <=2.9 Build 0275 - Local File Inclusion
author: 0x_Akoko
severity: high
description: Barco Control Room Management through Suite 2.9 Build 0275 was discovered to be vulnerable to directory traversal, allowing attackers to access sensitive information and components. Requests must begin with the "GET /..\.." substring.
description: Barco Control Room Management through Suite 2.9 Build 0275 is vulnerable to local file inclusion that could allow attackers to access sensitive information and components. Requests must begin with the "GET /..\.." substring.
reference:
- https://0day.today/exploit/37579
- https://www.cvedetails.com/cve/CVE-2022-26233
- http://seclists.org/fulldisclosure/2022/Apr/0
- http://packetstormsecurity.com/files/166577/Barco-Control-Room-Management-Suite-Directory-Traversal.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-26233
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -32,3 +33,5 @@ requests:
- "fonts"
- "extensions"
condition: and
# Enhanced by mp on 2022/07/15

8
cves/2022/CVE-2022-27849.yaml
View File

@ -1,14 +1,14 @@
id: CVE-2022-27849
info:
name: WordPress Simple Ajax Chat plugin <= 20220115 - Sensitive Information Disclosure vulnerability
name: WordPress Simple Ajax Chat <20220116 - Sensitive Information Disclosure vulnerability
author: random-robbie
severity: high
description: |
Simple Ajax Chat < 20220216 - Sensitive Information Disclosure. The plugin does not properly restrict access to the exported data via the sac-export.csv file, which could allow unauthenticated users to access it
WordPress Simple Ajax Chat before 20220216 is vulnerable to sensitive information disclosure. The plugin does not properly restrict access to the exported data via the sac-export.csv file, which could allow unauthenticated users to access it.
reference:
- https://wordpress.org/plugins/simple-ajax-chat/#developers
- https://nvd.nist.gov/vuln/detail/CVE-2022-27849/
- https://patchstack.com/database/vulnerability/simple-ajax-chat/wordpress-simple-ajax-chat-plugin-20220115-sensitive-information-disclosure-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2022-27849
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -41,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/15

7
cves/2022/CVE-2022-28079.yaml
View File

@ -1,16 +1,17 @@
id: CVE-2022-28079
info:
name: College Management System - SQL Injection
name: College Management System 1.0 - SQL Injection
author: ritikchaddha
severity: high
description: |
College Management System v1.0 was discovered to contain a SQL injection vulnerability via the course_code parameter.
College Management System 1.0 contains a SQL injection vulnerability via the course code parameter.
reference:
- https://github.com/erengozaydin/College-Management-System-course_code-SQL-Injection-Authenticated
- https://download.code-projects.org/details/1c3b87e5-f6a6-46dd-9b5f-19c39667866f
- https://nvd.nist.gov/vuln/detail/CVE-2022-28079
- https://code-projects.org/college-management-system-in-php-with-source-code/
- https://nvd.nist.gov/vuln/detail/CVE-2022-28079
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
@ -41,3 +42,5 @@ requests:
- type: status
status:
- 302
# Enhanced by mp on 2022/07/15

6
cves/2022/CVE-2022-28080.yaml
View File

@ -5,12 +5,12 @@ info:
author: lucasljm2001,ekrause,ritikchaddha
severity: high
description: |
Detects an SQL Injection vulnerability in Royal Event System
Royal Event is vulnerable to a SQL injection vulnerability.
reference:
- https://www.exploit-db.com/exploits/50934
- https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip
- https://nvd.nist.gov/vuln/detail/CVE-2022-28080
- https://github.com/erengozaydin/Royal-Event-Management-System-todate-SQL-Injection-Authenticated
- https://nvd.nist.gov/vuln/detail/CVE-2022-28080
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
@ -68,3 +68,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/15

7
cves/2022/CVE-2022-29014.yaml
View File

@ -1,14 +1,13 @@
id: CVE-2022-29014
info:
name: Razer Sila Gaming Router v2.0.441_api-2.0.418 - LFI
name: Razer Sila Gaming Router 2.0.441_api-2.0.418 - Local File Inclusion
author: edoardottt
severity: high
description: A local file inclusion vulnerability in Razer Sila Gaming Router v2.0.441_api-2.0.418 allows attackers to read arbitrary files.
description: Razer Sila Gaming Router 2.0.441_api-2.0.418 is vulnerable to local file inclusion which could allow attackers to read arbitrary files.
reference:
- https://www.exploit-db.com/exploits/50864
- https://nvd.nist.gov/vuln/detail/CVE-2022-29014
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29014
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -34,3 +33,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/15

8
cves/2022/CVE-2022-29298.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2022-29298
info:
name: SolarView Compact 6.00 - Directory Traversal
name: SolarView Compact 6.00 - Local File Inclusion
author: ritikchaddha
severity: high
description: SolarView Compact ver.6.00 allows attackers to access sensitive files via directory traversal.
description: SolarView Compact 6.00 is vulnerable to local file inclusion which could allow attackers to access sensitive files.
reference:
- https://www.exploit-db.com/exploits/50950
- https://drive.google.com/file/d/1-RHw9ekVidP8zc0xpbzBXnse2gSY1xbH/view
- https://nvd.nist.gov/vuln/detail/CVE-2022-29298
- https://drive.google.com/file/d/1-RHw9ekVidP8zc0xpbzBXnse2gSY1xbH/view?usp=sharing
- https://nvd.nist.gov/vuln/detail/CVE-2022-29298
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -35,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/15

8
cves/2022/CVE-2022-31268.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2022-31268
info:
name: Gitblit 1.9.3 - Path traversal
name: Gitblit 1.9.3 - Local File Inclusion
author: 0x_Akoko
severity: high
description: |
A Path Traversal vulnerability in Gitblit 1.9.3 can lead to reading website files via /resources//../ (e.g., followed by a WEB-INF or META-INF pathname).
Gitblit 1.9.3 is vulnerable to local file inclusion via /resources//../ (e.g., followed by a WEB-INF or META-INF pathname).
reference:
- https://github.com/metaStor/Vuls/blob/main/gitblit/gitblit%20V1.9.3%20path%20traversal/gitblit%20V1.9.3%20path%20traversal.md
- https://www.cvedetails.com/cve/CVE-2022-31268
- https://vuldb.com/?id.200500
- https://nvd.nist.gov/vuln/detail/CVE-2022-31268
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -44,3 +44,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/15

8
cves/2022/CVE-2022-32409.yaml
View File

@ -1,14 +1,14 @@
id: CVE-2022-32409
info:
name: i3geo - Directory Traversal
name: Portal do Software Publico Brasileiro i3geo 7.0.5 - Local File Inclusion
author: pikpikcu
severity: critical
description: A local file inclusion (LFI) vulnerability in the component codemirror.php of Portal do Software Publico Brasileiro i3geo v7.0.5 allows attackers to execute arbitrary PHP code via a crafted HTTP request
description: Portal do Software Publico Brasileiro i3geo 7.0.5 is vulnerable to local file inclusion in the component codemirror.php, which allows attackers to execute arbitrary PHP code via a crafted HTTP request.
reference:
- https://github.com/wagnerdracha/ProofOfConcept/blob/main/i3geo_proof_of_concept.txt
- https://nvd.nist.gov/vuln/detail/CVE-2022-32409
- https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion
- https://nvd.nist.gov/vuln/detail/CVE-2022-32409
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -34,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/22

6
cves/2022/CVE-2022-33174.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2022-33174
info:
name: Powertek Firmware - Authorization Bypass
name: Powertek Firmware <3.30.30 - Authorization Bypass
author: pikpikcu
severity: high
description: |
Power Distribution Units running on Powertek firmware (multiple brands) before 3.30.30 allows remote authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface (/cgi/get_param.cgi) with the tmpToken cookie set to an empty string followed by a semicolon. This bypasses an active session authorization check. This can be then used to fetch the values of protected sys.passwd and sys.su.name fields that contain the username and password in cleartext.
Powertek firmware (multiple brands) before 3.30.30 running Power Distribution Units are vulnerable to authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface (/cgi/get_param.cgi) with the tmpToken cookie set to an empty string followed by a semicolon. This bypasses an active session authorization check. This can be then used to fetch the values of protected sys.passwd and sys.su.name fields that contain the username and password in cleartext.
reference:
- https://gynvael.coldwind.pl/?lang=en&id=748
- https://nvd.nist.gov/vuln/detail/CVE-2022-33174
@ -45,3 +45,5 @@ requests:
regex:
- '<sys\.passwd>([A-Z0-9a-z]+)<\/sys\.passwd>'
- '<sys\.su\.name>([a-z]+)<\/sys\.su\.name>'
# Enhanced by mp on 2022/07/15

2
cves/2022/CVE-2022-34046.yaml
View File

@ -12,6 +12,8 @@ info:
metadata:
verified: true
shodan-query: http.title:"Wi-Fi APP Login"
classification:
cve-id: CVE-2022-34046
tags: cve,cve2022,wavlink,router,exposure
requests:

2
cves/2022/CVE-2022-34047.yaml
View File

@ -12,6 +12,8 @@ info:
metadata:
verified: true
shodan-query: http.title:"Wi-Fi APP Login"
classification:
cve-id: CVE-2022-34047
tags: cve,cve2022,wavlink,router,exposure
requests:

9
default-logins/apache/dubbo-admin-default-login.yaml
View File

@ -1,11 +1,16 @@
id: dubbo-admin-default-login
info:
name: Dubbo Admin Default Login
name: Apache Dubbo - Default Admin Discovery
author: ritikchaddha
severity: high
description: Apache Dubbo default admin credentials were discovered.
reference:
- https://www.cnblogs.com/wishwzp/p/9438658.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cwe-id: CWE-522
tags: dubbo,apache,default-login
requests:
@ -37,3 +42,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/07/15

Some files were not shown because too many files have changed in this diff Show More