diff --git a/cnvd/2020/CNVD-2020-23735.yaml b/cnvd/2020/CNVD-2020-23735.yaml index 2a5823431c..85600bc9d1 100644 --- a/cnvd/2020/CNVD-2020-23735.yaml +++ b/cnvd/2020/CNVD-2020-23735.yaml @@ -1,12 +1,16 @@ id: CNVD-2020-23735 info: - name: Xxunchi Local File read + name: Xxunchi CMS - Local File Inclusion author: princechaddha severity: medium - description: Xunyou cms has an arbitrary file reading vulnerability. Attackers can use vulnerabilities to obtain sensitive information. + description: Xunyou CMS is vulnerable to local file inclusion. Attackers can use vulnerabilities to obtain sensitive information. reference: - https://www.cnvd.org.cn/flaw/show/2025171 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 tags: xunchi,lfi,cnvd,cnvd2020 requests: @@ -26,3 +30,5 @@ requests: - "NzbwpQSdbY06Dngnoteo2wdgiekm7j4N" - "display_errors" condition: and + +# Enhanced by mp on 2022/07/22 diff --git a/cnvd/2020/CNVD-2020-62422.yaml b/cnvd/2020/CNVD-2020-62422.yaml index 0194c6d8b8..c3716dfdb0 100644 --- a/cnvd/2020/CNVD-2020-62422.yaml +++ b/cnvd/2020/CNVD-2020-62422.yaml @@ -1,9 +1,10 @@ id: CNVD-2020-62422 info: - name: Seeyon - Arbitrary File Retrieval + name: Seeyon - Local File Inclusion author: pikpikcu severity: medium + description: Seeyon is vulnerable to local file inclusion. reference: - https://blog.csdn.net/m0_46257936/article/details/113150699 tags: lfi,cnvd,cnvd2020,seeyon @@ -30,3 +31,5 @@ requests: words: - "ctpDataSource.password" condition: and + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2008/CVE-2008-5587.yaml b/cves/2008/CVE-2008-5587.yaml index db4f2486d6..0d8ab084e0 100644 --- a/cves/2008/CVE-2008-5587.yaml +++ b/cves/2008/CVE-2008-5587.yaml 
@@ -1,15 +1,16 @@ id: CVE-2008-5587 info: - name: phpPgAdmin 4.2.1 - '_language' Local File Inclusion + name: phpPgAdmin <=4.2.1 - Local File Inclusion author: dhiyaneshDK severity: medium - description: Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php. + description: phpPgAdmin 4.2.1 is vulnerable to local file inclusion in libraries/lib.inc.php when register globals is enabled. Remote attackers can read arbitrary files via a .. (dot dot) in the _language parameter to index.php. reference: - https://www.exploit-db.com/exploits/7363 - http://web.archive.org/web/20210121184707/https://www.securityfocus.com/bid/32670/ - http://web.archive.org/web/20160520063306/http://secunia.com/advisories/33014 - http://web.archive.org/web/20151104173853/http://secunia.com/advisories/33263 + - https://nvd.nist.gov/vuln/detail/CVE-2008-5587 classification: cve-id: CVE-2008-5587 metadata: @@ -31,3 +32,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2009/CVE-2009-1151.yaml b/cves/2009/CVE-2009-1151.yaml index b376f5256a..3e82b7ac2e 100644 --- a/cves/2009/CVE-2009-1151.yaml +++ b/cves/2009/CVE-2009-1151.yaml @@ -13,7 +13,7 @@ info: - https://nvd.nist.gov/vuln/detail/CVE-2009-1151 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - cvss-score: 10 + cvss-score: 10.0 cve-id: CVE-2009-1151 cwe-id: CWE-77 tags: cve,cve2009,phpmyadmin,rce,deserialization,kev diff --git a/cves/2015/CVE-2015-4666.yaml b/cves/2015/CVE-2015-4666.yaml index 6ed8078e37..445e4250b7 100644 --- a/cves/2015/CVE-2015-4666.yaml +++ b/cves/2015/CVE-2015-4666.yaml 
@@ -1,14 +1,14 @@ id: CVE-2015-4666 + info: - name: Xceedium Xsuite 2.4.4.5 - Directory Traversal + name: Xceedium Xsuite <=2.4.4.5 - Local File Inclusion author: 0x_Akoko severity: high - description: Directory traversal vulnerability in opm/read_sessionlog.php in Xceedium Xsuite 2.4.4.5 and earlier allows remote attackers to read arbitrary files in the logFile parameter. + description: Xceedium Xsuite 2.4.4.5 and earlier is vulnerable to local file inclusion via opm/read_sessionlog.php that allows remote attackers to read arbitrary files in the logFile parameter. reference: - https://www.modzero.com/advisories/MZ-15-02-Xceedium-Xsuite.txt - - https://www.cvedetails.com/cve/CVE-2015-4666 - http://packetstormsecurity.com/files/132809/Xceedium-Xsuite-Command-Injection-XSS-Traversal-Escalation.html - - http://www.modzero.ch/advisories/MZ-15-02-Xceedium-Xsuite.txt + - https://nvd.nist.gov/vuln/detail/CVE-2015-4666 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -31,3 +31,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/13 diff --git a/cves/2015/CVE-2015-5354.yaml b/cves/2015/CVE-2015-5354.yaml index 42b45db3e3..5af1fedb8f 100644 --- a/cves/2015/CVE-2015-5354.yaml +++ b/cves/2015/CVE-2015-5354.yaml 
@@ -4,12 +4,12 @@ info: name: Novius OS 5.0.1-elche - Open Redirect author: 0x_Akoko severity: medium - description: Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login. + description: Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login. reference: - https://packetstormsecurity.com/files/132478/Novius-OS-5.0.1-elche-XSS-LFI-Open-Redirect.html - https://vuldb.com/?id.76181 - - https://nvd.nist.gov/vuln/detail/CVE-2015-5354 - http://packetstormsecurity.com/files/132478/Novius-OS-5.0.1-elche-XSS-LFI-Open-Redirect.html + - https://nvd.nist.gov/vul n/detail/CVE-2015-5354 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 @@ -27,3 +27,5 @@ requests: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2015/CVE-2015-7780.yaml b/cves/2015/CVE-2015-7780.yaml index d18f8a1350..c65f6d656a 100644 --- a/cves/2015/CVE-2015-7780.yaml +++ b/cves/2015/CVE-2015-7780.yaml 
@@ -1,15 +1,16 @@ id: CVE-2015-7780 info: - name: ManageEngine Firewall Analyzer 8.0 - Directory Traversal + name: ManageEngine Firewall Analyzer <8.0 - Local File Inclusion author: daffainfo severity: medium - description: Directory traversal vulnerability in ManageEngine Firewall Analyzer before 8.0. + description: ManageEngine Firewall Analyzer before 8.0 is vulnerable to local file inclusion. reference: - https://www.exploit-db.com/exploits/35933 - https://www.cvedetails.com/cve/CVE-2015-7780/ - http://jvndb.jvn.jp/ja/contents/2015/JVNDB-2015-000185.html - http://jvn.jp/en/jp/JVN21968837/index.html + - https://nvd.nist.gov/vuln/detail/CVE-2015-7780 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 @@ -39,3 +40,5 @@ requests: part: header words: - "application/xml" + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2018/CVE-2018-1271.yaml b/cves/2018/CVE-2018-1271.yaml index 6185cc46d9..7df75285eb 100644 --- a/cves/2018/CVE-2018-1271.yaml +++ b/cves/2018/CVE-2018-1271.yaml 
@@ -1,15 +1,16 @@ id: CVE-2018-1271 info: - name: Spring MVC Directory Traversal Vulnerability + name: Spring MVC Framework - Local File Inclusion author: hetroublemakr severity: medium - description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack. + description: Spring MVC Framework versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported are vulnerable to local file inclusion because they allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). A malicious user can send a request using a specially crafted URL that can lead a directory traversal attack. reference: - https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d - https://pivotal.io/security/cve-2018-1271 - http://web.archive.org/web/20210518132800/https://www.securityfocus.com/bid/103699 - https://access.redhat.com/errata/RHSA-2018:1320 + - https://nvd.nist.gov/vuln/detail/CVE-2018-1271 classification: cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 5.9 @@ -30,3 +31,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2018/CVE-2018-1335.yaml b/cves/2018/CVE-2018-1335.yaml index 7214f503f8..095694550c 100644 --- a/cves/2018/CVE-2018-1335.yaml +++ b/cves/2018/CVE-2018-1335.yaml 
@@ -5,13 +5,13 @@ info: author: pikpikcu severity: high description: Apache Tika versions 1.7 to 1.17 allow clients to send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. + remediation: Upgrade to Tika 1.18. reference: - https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/ - https://www.exploit-db.com/exploits/47208 - https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E - http://web.archive.org/web/20210516175956/https://www.securityfocus.com/bid/104001 - https://nvd.nist.gov/vuln/detail/CVE-2018-1335 - remediation: Upgrade to Tika 1.18. classification: cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.1 diff --git a/cves/2018/CVE-2018-13980.yaml b/cves/2018/CVE-2018-13980.yaml index fd9ee56799..40cfb44af3 100644 --- a/cves/2018/CVE-2018-13980.yaml +++ b/cves/2018/CVE-2018-13980.yaml 
@@ -1,15 +1,15 @@ id: CVE-2018-13980 info: - name: Zeta Producer Desktop CMS 14.2.0 - Arbitrary File Retrieval + name: Zeta Producer Desktop CMS <14.2.1 - Local File Inclusion author: wisnupramoedya severity: medium - description: The websites that were built from Zeta Producer Desktop CMS before 14.2.1 are vulnerable to unauthenticated file disclosure if the plugin "filebrowser" is installed, because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal. + description: Zeta Producer Desktop CMS before 14.2.1 is vulnerable to local file inclusion if the plugin "filebrowser" is installed because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal. reference: - https://www.exploit-db.com/exploits/45016 - - https://nvd.nist.gov/vuln/detail/CVE-2018-13980 - https://www.sec-consult.com/en/blog/advisories/remote-code-execution-local-file-disclosure-zeta-producer-desktop-cms/ - http://packetstormsecurity.com/files/148537/Zeta-Producer-Desktop-CMS-14.2.0-Code-Execution-File-Disclosure.html + - https://nvd.nist.gov/vuln/detail/CVE-2018-13980 classification: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 5.5 @@ -32,3 +32,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2018/CVE-2018-15535.yaml b/cves/2018/CVE-2018-15535.yaml index 8e86a0dec2..b46a2213bf 100644 --- a/cves/2018/CVE-2018-15535.yaml +++ b/cves/2018/CVE-2018-15535.yaml 
@@ -4,7 +4,7 @@ info: name: Responsive FileManager <9.13.4 - Local File Inclusion author: daffainfo severity: high - description: Responsive FileManager before version 9.13.4 is susceptible to local file inclusion via filemanager/ajax_calls.php because it uses external input to construct a pathname that should be within a restricted directory. Instead, because it does not properly neutralize get_file sequences such as ".." can resolve to a location that is outside of that directory, aka local file inclusion. + description: Responsive FileManager before version 9.13.4 is vulnerable to local file inclusion via filemanager/ajax_calls.php because it uses external input to construct a pathname that should be within a restricted directory, aka local file inclusion. reference: - https://www.exploit-db.com/exploits/45271 - https://nvd.nist.gov/vuln/detail/CVE-2018-15535 @@ -33,4 +33,4 @@ requests: status: - 200 -# Enhanced by mp on 2022/07/07 +# Enhanced by mp on 2022/07/08 diff --git a/cves/2018/CVE-2018-16059.yaml b/cves/2018/CVE-2018-16059.yaml index e8d7c3e39e..b4d05a1fb5 100644 --- a/cves/2018/CVE-2018-16059.yaml +++ b/cves/2018/CVE-2018-16059.yaml @@ -1,15 +1,14 @@ id: CVE-2018-16059 info: - name: WirelessHART Fieldgate SWG70 3.0 - Directory Traversal + name: WirelessHART Fieldgate SWG70 3.0 - Local File Inclusion author: daffainfo severity: medium - description: Endress+Hauser WirelessHART Fieldgate SWG70 3.x devices allow Directory Traversal via the fcgi-bin/wgsetcgi filename parameter. + description: WirelessHART Fieldgate SWG70 3.0 is vulnerable to local file inclusion via the fcgi-bin/wgsetcgi filename parameter. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2018-16059 - https://www.exploit-db.com/exploits/45342 - - https://www.exploit-db.com/exploits/45342/ - https://ics-cert.us-cert.gov/advisories/ICSA-19-073-03 + - https://nvd.nist.gov/vuln/detail/CVE-2018-16059 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 
@@ -33,3 +32,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2018/CVE-2018-16133.yaml b/cves/2018/CVE-2018-16133.yaml index 7e54e984da..67d03b9f1a 100644 --- a/cves/2018/CVE-2018-16133.yaml +++ b/cves/2018/CVE-2018-16133.yaml @@ -1,15 +1,16 @@ id: CVE-2018-16133 info: - name: Cybrotech CyBroHttpServer 1.0.3 Directory Traversal + name: Cybrotech CyBroHttpServer 1.0.3 - Local File Inclusion author: 0x_Akoko severity: medium - description: Cybrotech CyBroHttpServer 1.0.3 allows Directory Traversal in the URI. + description: Cybrotech CyBroHttpServer 1.0.3 is vulnerable to local file inclusion in the URI. reference: - https://packetstormsecurity.com/files/149177/Cybrotech-CyBroHttpServer-1.0.3-Directory-Traversal.html - http://www.cybrotech.com/ - https://www.cvedetails.com/cve/CVE-2018-16133 - https://github.com/EmreOvunc/CyBroHttpServer-v1.0.3-Directory-Traversal + - https://nvd.nist.gov/vuln/detail/CVE-2018-16133 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 @@ -32,3 +33,5 @@ requests: - "fonts" - "extensions" condition: and + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2018/CVE-2018-18775.yaml b/cves/2018/CVE-2018-18775.yaml index c20b618642..68a5f25079 100644 --- a/cves/2018/CVE-2018-18775.yaml +++ b/cves/2018/CVE-2018-18775.yaml 
@@ -1,14 +1,14 @@ id: CVE-2018-18775 info: - name: Cross Site Scripting in Microstrategy Web version 7 + name: Microstrategy Web 7 - Cross-Site Scripting author: 0x_Akoko severity: medium - description: Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the Login.asp Msg parameter + description: Microstrategy Web 7 does not sufficiently encode user-controlled inputs, resulting in cross-site scripting via the Login.asp Msg parameter. reference: - https://www.exploit-db.com/exploits/45755 - http://packetstormsecurity.com/files/150059/Microstrategy-Web-7-Cross-Site-Scripting-Traversal.html - - https://www.exploit-db.com/exploits/45755/ + - https://nvd.nist.gov/vuln/detail/CVE-2018-18775 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 @@ -35,3 +35,5 @@ requests: words: - "text/html" part: header + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2018/CVE-2018-18777.yaml b/cves/2018/CVE-2018-18777.yaml index cf30bb7307..98e918f515 100644 --- a/cves/2018/CVE-2018-18777.yaml +++ b/cves/2018/CVE-2018-18777.yaml 
@@ -1,17 +1,15 @@ id: CVE-2018-18777 info: - name: Path traversal vulnerability in Microstrategy Web version 7 + name: Microstrategy Web 7 - Local File Inclusion author: 0x_Akoko severity: medium description: | - Directory traversal vulnerability in Microstrategy Web, version 7, in "/WebMstr7/servlet/mstrWeb" (in the parameter subpage) - allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. - (slash dot dot) in a pathname used by a web application. NOTE: this is a deprecated product. + Microstrategy Web 7 is vulnerable to local file inclusion via "/WebMstr7/servlet/mstrWeb" (in the parameter subpage). Remote authenticated users can bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application. NOTE: this is a deprecated product. reference: - https://www.exploit-db.com/exploits/45755 - http://packetstormsecurity.com/files/150059/Microstrategy-Web-7-Cross-Site-Scripting-Traversal.html - - https://www.exploit-db.com/exploits/45755/ + - https://nvd.nist.gov/vuln/detail/CVE-2018-18777 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N cvss-score: 4.3 @@ -34,3 +32,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2018/CVE-2018-18778.yaml b/cves/2018/CVE-2018-18778.yaml index 17339edb6e..8d2d9a7575 100644 --- a/cves/2018/CVE-2018-18778.yaml +++ b/cves/2018/CVE-2018-18778.yaml 
@@ -1,13 +1,14 @@ id: CVE-2018-18778 info: - name: mini_httpd Path Traversal + name: ACME mini_httpd <1.30 - Local File Inclusion author: dhiyaneshDK severity: medium - description: ACME mini_httpd before 1.30 lets remote users read arbitrary files. + description: ACME mini_httpd before 1.30 is vulnerable to local file inclusion. reference: - https://www.acunetix.com/vulnerabilities/web/acme-mini_httpd-arbitrary-file-read/ - http://www.acme.com/software/mini_httpd/ + - https://nvd.nist.gov/vuln/detail/CVE-2018-18778 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 @@ -31,3 +32,5 @@ requests: - type: regex regex: - "root:.*:0:0:" + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2018/CVE-2018-2392.yaml b/cves/2018/CVE-2018-2392.yaml index 920686afb2..1b73051189 100644 --- a/cves/2018/CVE-2018-2392.yaml +++ b/cves/2018/CVE-2018-2392.yaml 
@@ -1,17 +1,18 @@ id: CVE-2018-2392 info: - name: SAP Internet Graphics Server (IGS) XML External Entity + name: SAP Internet Graphics Server (IGS) - XML External Entity Injection author: _generic_human_ severity: high description: | - SAP Internet Graphics Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53 has two XXE vulnerabilities within the XMLCHART page - CVE-2018-2392 and CVE-2018-2393. These vulnerabilities occur due to a lack of appropriate validation on the Extension HTML tag when submitting a POST request to the XMLCHART page to generate a new chart. + SAP Internet Graphics Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53 has two XML external entity injection (XXE) vulnerabilities within the XMLCHART page - CVE-2018-2392 and CVE-2018-2393. These vulnerabilities occur due to a lack of appropriate validation on the Extension HTML tag when submitting a POST request to the XMLCHART page to generate a new chart. reference: - https://launchpad.support.sap.com/#/notes/2525222 - https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/ - https://www.rapid7.com/db/modules/auxiliary/admin/sap/sap_igs_xmlchart_xxe/ - https://troopers.de/troopers18/agenda/3r38lr/ - https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/sap/sap_igs_xmlchart_xxe.rb + - https://nvd.nist.gov/vuln/detail/CVE-2018-2392 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H cvss-score: 7.5 @@ -87,3 +88,5 @@ requests: - "SAP Internet Graphics Server" part: header condition: and + +# Enhanced by mp on 2022/07/08 diff --git a/cves/2018/CVE-2018-3714.yaml b/cves/2018/CVE-2018-3714.yaml index 50093afd70..a03a875056 100644 --- a/cves/2018/CVE-2018-3714.yaml +++ b/cves/2018/CVE-2018-3714.yaml 
@@ -1,12 +1,13 @@ id: CVE-2018-3714 info: - name: node-srv Path Traversal + name: node-srv - Local File Inclusion author: madrobot severity: medium - description: node-srv node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known path. + description: node-srv is vulnerable to local file inclusion due to lack of url validation, which allows a malicious user to read content of any file with known path. reference: - https://hackerone.com/reports/309124 + - https://nvd.nist.gov/vuln/detail/CVE-2018-3714 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 @@ -27,3 +28,5 @@ requests: regex: - "root:.*:0:0:" part: body + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2018/CVE-2018-3760.yaml b/cves/2018/CVE-2018-3760.yaml index d4508b7285..581996b99f 100644 --- a/cves/2018/CVE-2018-3760.yaml +++ b/cves/2018/CVE-2018-3760.yaml 
@@ -1,17 +1,17 @@ id: CVE-2018-3760 info: - name: Ruby On Rails Path Traversal + name: Ruby On Rails - Local File Inclusion author: 0xrudra,pikpikcu severity: high description: | - Ruby On Rails is a well-known Ruby Web development framework, which uses Sprockets as a static file server in development environment. Sprockets is a Ruby library that compiles and distributes static resource files. - There is a path traversal vulnerability caused by secondary decoding in Sprockets 3.7.1 and lower versions. An attacker can use %252e%252e/ to access the root directory and read or execute any file on the target server. + Ruby On Rails is vulnerable to local file inclusion caused by secondary decoding in Sprockets 3.7.1 and lower versions. An attacker can use %252e%252e/ to access the root directory and read or execute any file on the target server. reference: - https://github.com/vulhub/vulhub/tree/master/rails/CVE-2018-3760 - https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf - https://seclists.org/oss-sec/2018/q2/210 - https://xz.aliyun.com/t/2542 + - https://nvd.nist.gov/vuln/detail/CVE-2018-3760 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -46,3 +46,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/08 diff --git a/cves/2018/CVE-2018-6008.yaml b/cves/2018/CVE-2018-6008.yaml index 6007d6dd59..1e302599a3 100644 --- a/cves/2018/CVE-2018-6008.yaml +++ b/cves/2018/CVE-2018-6008.yaml 
@@ -1,15 +1,15 @@ id: CVE-2018-6008 info: - name: Joomla! Component Jtag Members Directory 5.3.7 - Arbitrary File Retrieval + name: Joomla! Jtag Members Directory 5.3.7 - Local File Inclusion author: daffainfo severity: high - description: Arbitrary file retrieval exists in the Jtag Members Directory 5.3.7 component for Joomla! via the download_file parameter. + description: Joomla! Jtag Members Directory 5.3.7 is vulnerable to local file inclusion via the download_file parameter. reference: - https://www.exploit-db.com/exploits/43913 - https://www.cvedetails.com/cve/CVE-2018-6008 - https://packetstormsecurity.com/files/146137/Joomla-Jtag-Members-Directory-5.3.7-Arbitrary-File-Download.html - - https://www.exploit-db.com/exploits/43913/ + - https://nvd.nist.gov/vuln/detail/CVE-2018-6008 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -32,3 +32,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/08 diff --git a/cves/2018/CVE-2018-6910.yaml b/cves/2018/CVE-2018-6910.yaml index 0482a6c896..508338e6c6 100644 --- a/cves/2018/CVE-2018-6910.yaml +++ b/cves/2018/CVE-2018-6910.yaml @@ -1,7 +1,7 @@ id: CVE-2018-6910 info: - name: DedeCMS 5.7 path disclosure + name: DedeCMS 5.7 - Path Disclosure author: pikpikcu severity: high description: DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/inc_archives_functions.php @@ -9,6 +9,7 @@ info: - https://nvd.nist.gov/vuln/detail/CVE-2018-6910 - https://github.com/kongxin520/DedeCMS/blob/master/DedeCMS_5.7_Bug.md - https://kongxin.gitbook.io/dedecms-5-7-bug/ + - https://nvd.nist.gov/vuln/detail/CVE-2018-6910 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -34,3 +35,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/08 diff --git a/cves/2019/CVE-2019-11013.yaml b/cves/2019/CVE-2019-11013.yaml index 1e4b2284c8..2c3e839b0e 100644 
--- a/cves/2019/CVE-2019-11013.yaml +++ b/cves/2019/CVE-2019-11013.yaml @@ -1,15 +1,15 @@ id: CVE-2019-11013 info: - name: Nimble Streamer 3.0.2-2 to 3.5.4-9 - Path Traversal + name: Nimble Streamer <=3.5.4-9 - Local File Inclusion author: 0x_Akoko severity: medium - description: Nimble Streamer 3.0.2-2 through 3.5.4-9 has a ../ directory traversal vulnerability. Successful exploitation could allow an attacker to traverse the file system to access files or directories that are outside of the restricted directory on the remote server. + description: Nimble Streamer 3.0.2-2 through 3.5.4-9 is vulnerable to local file inclusion. An attacker can traverse the file system to access files or directories that are outside of the restricted directory on the remote server. reference: - https://www.exploit-db.com/exploits/47301 - - https://nvd.nist.gov/vuln/detail/CVE-2019-11013 - https://mayaseven.com/nimble-directory-traversal-in-nimble-streamer-version-3-0-2-2-to-3-5-4-9/ - http://packetstormsecurity.com/files/154196/Nimble-Streamer-3.x-Directory-Traversal.html + - https://nvd.nist.gov/vuln/detail/CVE-2019-11013 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 @@ -32,3 +32,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2019/CVE-2019-13396.yaml b/cves/2019/CVE-2019-13396.yaml index c6ef0512e4..2c6ab97158 100644 --- a/cves/2019/CVE-2019-13396.yaml +++ b/cves/2019/CVE-2019-13396.yaml 
@@ -1,15 +1,14 @@ id: CVE-2019-13396 info: - name: FlightPath Local File Inclusion + name: FlightPath - Local File Inclusion author: 0x_Akoko,daffainfo severity: medium - description: FlightPath versions prior to 4.8.2 and 5.0-rc2 suffer from a local file inclusion vulnerability. + description: FlightPath versions prior to 4.8.2 and 5.0-rc2 are vulnerable to local file inclusion. reference: - https://www.exploit-db.com/exploits/47121 - - https://www.cvedetails.com/cve/CVE-2019-13396/ - - https://nvd.nist.gov/vuln/detail/CVE-2019-13396 - http://getflightpath.com/node/2650 + - https://nvd.nist.gov/vuln/detail/CVE-2019-13396 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 @@ -49,3 +48,5 @@ requests: internal: true regex: - "idden' name='form_token' value='([a-z0-9]+)'>" + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2019/CVE-2019-14251.yaml b/cves/2019/CVE-2019-14251.yaml index 599c8b5e1d..721e75c0db 100644 --- a/cves/2019/CVE-2019-14251.yaml +++ b/cves/2019/CVE-2019-14251.yaml @@ -1,14 +1,14 @@ id: CVE-2019-14251 info: - name: T24 in TEMENOS Channels R15.01 - Pre Authenticated Path Traversal + name: T24 Web Server - Local File Inclusion author: 0x_Akoko severity: high - description: An unauthenticated path traversal vulnerability was discovered permitting an attacker to exfiltrate data directly from the T24 web server. + description: T24 web server is vulnerable to unauthenticated local file inclusion that permits an attacker to exfiltrate data directly from server. reference: - https://github.com/kmkz/exploit/blob/master/CVE-2019-14251-TEMENOS-T24.txt - - https://www.cvedetails.com/cve/CVE-2019-14251 - https://vuldb.com/?id.146815 + - https://nvd.nist.gov/vuln/detail/CVE-2019-14251 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -34,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/13 
diff --git a/cves/2019/CVE-2019-14312.yaml b/cves/2019/CVE-2019-14312.yaml index 435aa1b6e5..3dec6fac8c 100644 --- a/cves/2019/CVE-2019-14312.yaml +++ b/cves/2019/CVE-2019-14312.yaml @@ -4,12 +4,12 @@ info: name: Aptana Jaxer 1.0.3.4547 - Local File inclusion author: daffainfo severity: medium - description: Aptana Jaxer 1.0.3.4547 is vulnerable to a local file inclusion vulnerability in the wikilite source code viewer. This vulnerability allows a remote attacker to read internal files on the server via a tools/sourceViewer/index.html?filename=../ URI. + description: Aptana Jaxer 1.0.3.4547 is vulnerable to local file inclusion in the wikilite source code viewer. An attacker can read internal files on the server via a tools/sourceViewer/index.html?filename=../ URI. reference: - https://www.exploit-db.com/exploits/47214 - - https://www.cvedetails.com/cve/CVE-2019-14312 - http://packetstormsecurity.com/files/153985/Aptana-Jaxer-1.0.3.4547-Local-File-Inclusion.html - https://github.com/aptana/Jaxer/commits/master + - https://nvd.nist.gov/vuln/detail/CVE-2019-14312 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 @@ -32,3 +32,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2019/CVE-2019-18393.yaml b/cves/2019/CVE-2019-18393.yaml index 44dbe10aab..031dbfd448 100644 --- a/cves/2019/CVE-2019-18393.yaml +++ b/cves/2019/CVE-2019-18393.yaml 
@@ -1,13 +1,14 @@ id: CVE-2019-18393 info: - name: Openfire LFI + name: Ignite Realtime Openfire <4.42 - Local File Inclusion author: pikpikcu severity: medium - description: PluginServlet.java in Ignite Realtime Openfire through 4.4.2 does not ensure that retrieved files are located under the Openfire home directory, aka a directory traversal vulnerability. + description: Ignite Realtime Openfire through 4.4.2 is vulnerable to local file inclusion via PluginServlet.java. It does not ensure that retrieved files are located under the Openfire home directory. reference: - - https://swarm.ptsecurity.com/openfire-admin-console/ - https://github.com/igniterealtime/Openfire/pull/1498 + - https://swarm.ptsecurity.com/openfire-admin-console/ + - https://nvd.nist.gov/vuln/detail/CVE-2019-18393 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 @@ -31,3 +32,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2019/CVE-2019-18665.yaml b/cves/2019/CVE-2019-18665.yaml index 0ed61a5302..ba9d05adeb 100644 --- a/cves/2019/CVE-2019-18665.yaml +++ b/cves/2019/CVE-2019-18665.yaml @@ -1,15 +1,16 @@ id: CVE-2019-18665 info: - name: DOMOS 5.5 - Directory Traversal + name: DOMOS 5.5 - Local File Inclusion author: 0x_Akoko severity: high description: | - The Log module in SECUDOS DOMOS before 5.6 allows local file inclusion. + SECUDOS DOMOS before 5.6 allows local file inclusion via the log module. reference: - https://atomic111.github.io/article/secudos-domos-directory_traversal - https://vuldb.com/?id.144804 - https://www.cvedetails.com/cve/CVE-2019-18665 - https://www.secudos.de/news-und-events/aktuelle-news/domos-release-5-6 + - https://nvd.nist.gov/vuln/detail/CVE-2019-18665 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -32,3 +33,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/08 
diff --git a/cves/2019/CVE-2019-2616.yaml b/cves/2019/CVE-2019-2616.yaml index 1eaba12a91..9d58ff8ce0 100644 --- a/cves/2019/CVE-2019-2616.yaml +++ b/cves/2019/CVE-2019-2616.yaml @@ -1,14 +1,14 @@ id: CVE-2019-2616 info: - name: XXE in Oracle Business Intelligence and XML Publisher + name: Oracle Business Intelligence/XML Publisher - XML External Entity Injection author: pdteam severity: high - description: Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection + description: Oracle Business Intelligence and XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 are vulnerable to an XML external entity injection attack. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2019-2616 - https://www.exploit-db.com/exploits/46729 - http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + - https://nvd.nist.gov/vuln/detail/CVE-2019-2616 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N cvss-score: 7.2 @@ -29,4 +29,6 @@ requests: - type: word part: interactsh_protocol # Confirms the HTTP Interaction words: - - "http" \ No newline at end of file + - "http" + +# Enhanced by mp on 2022/07/08 diff --git a/cves/2019/CVE-2019-2767.yaml b/cves/2019/CVE-2019-2767.yaml index 30f3f64964..7c30150422 100644 --- a/cves/2019/CVE-2019-2767.yaml +++ b/cves/2019/CVE-2019-2767.yaml 
@@ -1,14 +1,14 @@ id: CVE-2019-2767 info: - name: Oracle Business Intelligence - Publisher XXE + name: Oracle Business Intelligence Publisher - XML External Entity Injection author: madrobot severity: high - description: There is an XXE vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware. The supported versions affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher. + description: Oracle Business Intelligence Publisher is vulnerable to an XML external entity injection attack. The supported versions affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise BI Publisher. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2019-2767 - https://www.exploit-db.com/exploits/46729 - http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - https://nvd.nist.gov/vuln/detail/CVE-2019-2767 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N cvss-score: 7.2 @@ -26,3 +26,5 @@ requests: part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" + +# Enhanced by mp on 2022/07/08 diff --git a/cves/2019/CVE-2019-3799.yaml b/cves/2019/CVE-2019-3799.yaml index 167e2d5f81..a7ec533c28 100644 --- a/cves/2019/CVE-2019-3799.yaml +++ b/cves/2019/CVE-2019-3799.yaml 
@@ -1,14 +1,15 @@ id: CVE-2019-3799 info: - name: Spring-Cloud-Config-Server Directory Traversal + name: Spring Cloud Config Server - Local File Inclusion author: madrobot severity: medium - description: Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack. + description: Spring Cloud Config Server versions 2.1.x prior to 2.1.2, 2.0.x prior to 2.0.4, 1.4.x prior to 1.4.6, and older unsupported versions are vulnerable to local file inclusion because they allow applications to serve arbitrary configuration files. An attacker can send a request using a specially crafted URL that can lead to a directory traversal attack. reference: - https://github.com/mpgn/CVE-2019-3799 - https://pivotal.io/security/cve-2019-3799 - https://www.oracle.com/security-alerts/cpuapr2022.html + - https://nvd.nist.gov/vuln/detail/CVE-2019-3799 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N cvss-score: 6.5 @@ -29,3 +30,5 @@ requests: regex: - 'root:.*:0:0:' part: body + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2019/CVE-2019-6340.yaml b/cves/2019/CVE-2019-6340.yaml index de4f606562..4730ee406b 100644 --- a/cves/2019/CVE-2019-6340.yaml +++ b/cves/2019/CVE-2019-6340.yaml 
@@ -1,15 +1,15 @@ id: CVE-2019-6340 info: - name: Drupal 8 core RESTful Web Services RCE + name: Drupal - Remote Code Execution author: madrobot severity: high - description: Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. + description: Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10 V contain certain field types that do not properly sanitize data from non-form sources, which can lead to arbitrary PHP code execution in some cases. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2019-6340 - https://www.drupal.org/sa-core-2019-003 - http://web.archive.org/web/20210125004201/https://www.securityfocus.com/bid/107106/ - https://www.synology.com/security/advisory/Synology_SA_19_09 + - https://nvd.nist.gov/vuln/detail/CVE-2019-6340 classification: cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.1 @@ -48,3 +48,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/08 diff --git a/cves/2019/CVE-2019-7254.yaml b/cves/2019/CVE-2019-7254.yaml index 90a97ce7d7..5a2ae37b92 100644 --- a/cves/2019/CVE-2019-7254.yaml +++ b/cves/2019/CVE-2019-7254.yaml @@ -1,15 +1,16 @@ id: CVE-2019-7254 info: - name: eMerge E3 1.00-06 - Unauthenticated Directory Traversal + name: eMerge E3 1.00-06 - Local File Inclusion author: 0x_Akoko severity: high - description: Linear eMerge E3-Series devices allow File Inclusion. + description: Linear eMerge E3-Series devices are vulnerable to local file inclusion. reference: - https://www.exploit-db.com/exploits/47616 - https://applied-risk.com/labs/advisories - https://www.applied-risk.com/resources/ar-2019-005 - http://packetstormsecurity.com/files/155252/Linear-eMerge-E3-1.00-06-Directory-Traversal.html + - https://nvd.nist.gov/vuln/detail/CVE-2019-7254 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 
@@ -33,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/08 diff --git a/cves/2019/CVE-2019-7315.yaml b/cves/2019/CVE-2019-7315.yaml index 147803f5ca..cb43ae8ab9 100644 --- a/cves/2019/CVE-2019-7315.yaml +++ b/cves/2019/CVE-2019-7315.yaml @@ -1,13 +1,14 @@ id: CVE-2019-7315 + info: - name: Genie Access WIP3BVAF IP Camera - Directory Traversal + name: Genie Access WIP3BVAF IP Camera - Local File Inclusion author: 0x_Akoko severity: high - description: Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera devices through 3.X are vulnerable to directory traversal via the web interface, as demonstrated by reading /etc/shadow. + description: Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera devices through 3.X are vulnerable to local file inclusion via the web interface, as demonstrated by reading /etc/shadow. reference: - https://labs.nettitude.com/blog/cve-2019-7315-genie-access-wip3bvaf-ip-camera-directory-traversal/ - https://vuldb.com/?id.136593 - - https://www.cvedetails.com/cve/CVE-2019-7315 + - https://nvd.nist.gov/vuln/detail/CVE-2019-7315 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -30,3 +31,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/08 diff --git a/cves/2019/CVE-2019-8442.yaml b/cves/2019/CVE-2019-8442.yaml index fddffd8559..f215ab609c 100644 --- a/cves/2019/CVE-2019-8442.yaml +++ b/cves/2019/CVE-2019-8442.yaml 
@@ -1,13 +1,14 @@ id: CVE-2019-8442 info: - name: JIRA Directory Traversal + name: Jira - Local File Inclusion author: Kishore Krishna (siLLyDaddy) severity: high - description: The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check. + description: Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1, allows remote attackers to access files in the Jira webroot under the META-INF directory via local file inclusion. reference: - https://jira.atlassian.com/browse/JRASERVER-69241 - http://web.archive.org/web/20210125215006/https://www.securityfocus.com/bid/108460/ + - https://nvd.nist.gov/vuln/detail/CVE-2019-8442 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -30,3 +31,5 @@ requests: words: - 'com.atlassian.jira' part: body + +# Enhanced by mp on 2022/07/08 diff --git a/cves/2019/CVE-2019-8903.yaml b/cves/2019/CVE-2019-8903.yaml index 7b40a67c18..55409ed746 100644 --- a/cves/2019/CVE-2019-8903.yaml +++ b/cves/2019/CVE-2019-8903.yaml 
@@ -1,14 +1,15 @@ id: CVE-2019-8903 info: - name: Totaljs - Unauthenticated Directory Traversal + name: Totaljs <3.2.3 - Local File Inclusion author: madrobot severity: high - description: index.js in Total.js Platform before 3.2.3 allows path traversal. + description: Total.js Platform before 3.2.3 is vulnerable to local file inclusion. reference: - https://blog.certimetergroup.com/it/articolo/security/total.js-directory-traversal-cve-2019-8903 - https://github.com/totaljs/framework/commit/c37cafbf3e379a98db71c1125533d1e8d5b5aef7 - https://github.com/totaljs/framework/commit/de16238d13848149f5d1dae51f54e397a525932b + - https://nvd.nist.gov/vuln/detail/CVE-2019-8903 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -29,3 +30,5 @@ requests: words: - "apache2.conf" part: body + +# Enhanced by mp on 2022/07/08 diff --git a/cves/2019/CVE-2019-9041.yaml b/cves/2019/CVE-2019-9041.yaml index 63f362d687..0c5f3991c9 100644 --- a/cves/2019/CVE-2019-9041.yaml +++ b/cves/2019/CVE-2019-9041.yaml @@ -1,13 +1,14 @@ id: CVE-2019-9041 info: - name: ZZZCMS 1.6.1 RCE + name: ZZZCMS 1.6.1 - Remote Code Execution author: pikpikcu severity: high - description: An issue was discovered in ZZZCMS zzzphp V1.6.1. In the inc/zzz_template.php file, the parserIfLabel() function's filtering is not strict, resulting in PHP code execution, as demonstrated by the if:assert substring. + description: ZZZCMS zzzphp V1.6.1 is vulnerable to remote code execution via the inc/zzz_template.php file because the parserIfLabel() function's filtering is not strict, resulting in PHP code execution as demonstrated by the if:assert substring. reference: - - http://www.iwantacve.cn/index.php/archives/118/ - https://www.exploit-db.com/exploits/46454/ + - http://www.iwantacve.cn/index.php/archives/118/ + - https://nvd.nist.gov/vuln/detail/CVE-2019-9041 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.2 
@@ -34,3 +35,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/08 diff --git a/cves/2019/CVE-2019-9922.yaml b/cves/2019/CVE-2019-9922.yaml index be54581963..196f28ed33 100644 --- a/cves/2019/CVE-2019-9922.yaml +++ b/cves/2019/CVE-2019-9922.yaml @@ -1,13 +1,15 @@ id: CVE-2019-9922 + info: - name: JE Messenger 1.2.2 Joomla - Directory Traversal + name: Joomla! Harmis Messenger 1.2.2 - Local File Inclusion author: 0x_Akoko severity: high - description: An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla. Directory Traversal allows read access to arbitrary files. + description: Joomla! Harmis Messenger 1.2.2 is vulnerable to local file inclusion which could give an attacker read access to arbitrary files. reference: - https://github.com/azd-cert/CVE/blob/master/CVEs/CVE-2019-9922.md - https://www.cvedetails.com/cve/CVE-2019-9922 - https://extensions.joomla.org/extension/je-messenger/ + - https://nvd.nist.gov/vuln/detail/CVE-2019-9922 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -30,3 +32,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/13 diff --git a/cves/2020/CVE-2020-0618.yaml b/cves/2020/CVE-2020-0618.yaml index 742368e8a1..bb1ae5e03d 100644 --- a/cves/2020/CVE-2020-0618.yaml +++ b/cves/2020/CVE-2020-0618.yaml @@ -4,7 +4,7 @@ info: name: Microsoft SQL Server Reporting Services - Remote Code Execution author: joeldeleep severity: high - description: Microsoft SQL Server Reporting Services are susceptible to a remote code execution vulnerability when it incorrectly handles page requests. + description: Microsoft SQL Server Reporting Services is vulnerable to a remote code execution vulnerability because it incorrectly handles page requests. reference: - https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/ - https://github.com/euphrat1ca/CVE-2020-0618 
diff --git a/cves/2020/CVE-2020-11455.yaml b/cves/2020/CVE-2020-11455.yaml index efb53e27c6..2c352ad8f1 100644 --- a/cves/2020/CVE-2020-11455.yaml +++ b/cves/2020/CVE-2020-11455.yaml @@ -1,15 +1,16 @@ id: CVE-2020-11455 info: - name: LimeSurvey 4.1.11 - Path Traversal + name: LimeSurvey 4.1.11 - Local File Inclusion author: daffainfo severity: medium - description: LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php. + description: LimeSurvey before 4.1.12+200324 is vulnerable to local file inclusion because it contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php. reference: - https://www.exploit-db.com/exploits/48297 - https://www.cvedetails.com/cve/CVE-2020-11455 - https://github.com/LimeSurvey/LimeSurvey/commit/daf50ebb16574badfb7ae0b8526ddc5871378f1b - http://packetstormsecurity.com/files/157112/LimeSurvey-4.1.11-Path-Traversal.html + - https://nvd.nist.gov/vuln/detail/CVE-2020-11455 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 @@ -32,3 +33,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2020/CVE-2020-11738.yaml b/cves/2020/CVE-2020-11738.yaml index 957bf05abb..4bfef355a7 100644 --- a/cves/2020/CVE-2020-11738.yaml +++ b/cves/2020/CVE-2020-11738.yaml 
@@ -1,13 +1,11 @@ id: CVE-2020-11738 info: - name: WordPress Duplicator plugin Directory Traversal + name: WordPress Duplicator 1.3.24 & 1.3.26 - Local File Inclusion author: dwisiswant0 severity: high description: | - The issue is being actively exploited, and allows attackers - to download arbitrary files, such as the wp-config.php file. - According to the vendor, the vulnerability was only in two + WordPress Duplicator 1.3.24 & 1.3.26 are vulnerable to local file inclusion vulnerabilities that could allow attackers to download arbitrary files, such as the wp-config.php file. According to the vendor, the vulnerability was only in two versions v1.3.24 and v1.3.26, the vulnerability wasn't present in versions 1.3.22 and before. reference: @@ -15,6 +13,7 @@ info: - https://snapcreek.com/duplicator/docs/changelog/?lite - https://www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites/ - http://packetstormsecurity.com/files/160621/WordPress-Duplicator-1.3.26-Directory-Traversal-File-Read.html + - https://nvd.nist.gov/vuln/detail/CVE-2020-11738 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -44,4 +43,6 @@ requests: - "root:.*:0:0:" - "define\\('DB_(NAME|USER|PASSWORD|HOST|CHARSET|COLLATE)'" condition: or - part: body \ No newline at end of file + part: body + +# Enhanced by mp on 2022/07/13 diff --git a/cves/2020/CVE-2020-11853.yaml b/cves/2020/CVE-2020-11853.yaml index e4281ebca6..136b886a92 100644 --- a/cves/2020/CVE-2020-11853.yaml +++ b/cves/2020/CVE-2020-11853.yaml 
@@ -1,22 +1,17 @@ id: CVE-2020-11853 info: - name: Micro Focus Operation Bridge Manager RCE + name: Micro Focus Operations Bridge Manager <=2020.05 - Remote Code Execution author: dwisiswant0 severity: high description: | - This template supports the detection part only. - - UCMDB included in versions 2020.05 and below of Operations Bridge Manager are affected, - but this template can probably also be used to detect Operations Bridge Manager - (containeirized) and Application Performance Management. - - Originated from Metasploit module (#14654). + Micro Focus Operations Bridge Manager in versions 2020.05 and below is vulnerable to remote code execution via UCMDB. The vulnerability allows remote attackers to execute arbitrary code on affected installations of Data Center Automation. An attack requires network access and authentication as a valid application user. Originated from Metasploit module (#14654). reference: - http://packetstormsecurity.com/files/161366/Micro-Focus-Operations-Bridge-Manager-Remote-Code-Execution.html - https://softwaresupport.softwaregrp.com/doc/KM03747658 - https://softwaresupport.softwaregrp.com/doc/KM03747949 - https://softwaresupport.softwaregrp.com/doc/KM03747948 + - https://nvd.nist.gov/vuln/detail/CVE-2020-11853 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 @@ -37,4 +32,6 @@ requests: - "HttpUcmdbServiceProviderFactoryImpl" - "ServerVersion=11.6.0" part: body - condition: and \ No newline at end of file + condition: and + +# Enhanced by mp on 2022/07/13 diff --git a/cves/2020/CVE-2020-11978.yaml b/cves/2020/CVE-2020-11978.yaml index c8d58f0503..29a2e93143 100644 --- a/cves/2020/CVE-2020-11978.yaml +++ b/cves/2020/CVE-2020-11978.yaml 
@@ -1,15 +1,16 @@ id: CVE-2020-11978 info: - name: Apache Airflow <= 1.10.10 - 'Example Dag' Remote Code Execution + name: Apache Airflow <=1.10.10 - Remote Code Execution author: pdteam severity: high - description: An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable. + description: Apache Airflow versions 1.10.10 and below are vulnerable to remote code/command injection vulnerabilities in one of the example DAGs shipped with Airflow. This could allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). + remediation: If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable. reference: - https://github.com/pberba/CVE-2020-11978 - - https://nvd.nist.gov/vuln/detail/CVE-2020-11978 - https://twitter.com/wugeej/status/1400336603604668418 - https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E + - https://nvd.nist.gov/vuln/detail/CVE-2020-11978 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 @@ -62,3 +63,5 @@ requests: - 'contains(body_4, "operator":"BashOperator")' - 'contains(all_headers_4, "application/json")' condition: and + +# Enhanced by mp on 2022/07/13 diff --git a/cves/2020/CVE-2020-13158.yaml b/cves/2020/CVE-2020-13158.yaml index fcc417d88e..c4c2648f06 100644 --- a/cves/2020/CVE-2020-13158.yaml +++ b/cves/2020/CVE-2020-13158.yaml 
@@ -1,10 +1,10 @@ id: CVE-2020-13158 info: - name: Artica Proxy < 4.30.000000 Community Edition - Directory Traversal + name: Artica Proxy Community Edition <4.30.000000 - Local File Inclusion author: 0x_Akoko severity: high - description: Artica Proxy before 4.30.000000 Community Edition allows Directory Traversal via the fw.progrss.details.php popup parameter. + description: Artica Proxy Community Edition before 4.30.000000 is vulnerable to local file inclusion via the fw.progrss.details.php popup parameter. reference: - https://github.com/InfoSec4Fun/CVE-2020-13158 - https://sourceforge.net/projects/artica-squid/files/ @@ -30,3 +30,6 @@ requests: - type: status status: - 200 + + +# Enhanced by mp on 2022/07/13 diff --git a/cves/2020/CVE-2020-13700.yaml b/cves/2020/CVE-2020-13700.yaml index 9a0fa8e68e..a72076a338 100644 --- a/cves/2020/CVE-2020-13700.yaml +++ b/cves/2020/CVE-2020-13700.yaml 
@@ -1,17 +1,16 @@ id: CVE-2020-13700 info: - name: acf-to-rest-api wordpress plugin IDOR + name: WordPresss acf-to-rest-api <=3.1.0- Insecure Direct Object Reference author: pikpikcu severity: high description: | - An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. - It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a - wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass values. + WordPresss acf-to-rest-ap through 3.1.0 allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that can read sensitive information in the wp_options table such as the login and pass values. reference: - https://gist.github.com/mariuszpoplwski/4fbaab7f271bea99c733e3f2a4bafbb5 - https://wordpress.org/plugins/acf-to-rest-api/#developers - https://github.com/airesvsg/acf-to-rest-api + - https://nvd.nist.gov/vuln/detail/CVE-2020-13700 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -41,3 +40,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/13 diff --git a/cves/2020/CVE-2020-14864.yaml b/cves/2020/CVE-2020-14864.yaml index 3ba38ccd3c..2b65b04170 100644 --- a/cves/2020/CVE-2020-14864.yaml +++ b/cves/2020/CVE-2020-14864.yaml 
@@ -1,13 +1,14 @@ id: CVE-2020-14864 info: - name: Oracle Fusion - "getPreviewImage" Directory Traversal/Local File Inclusion + name: Oracle Fusion - Directory Traversal/Local File Inclusion author: Ivo Palazzolo (@palaziv) severity: high - description: Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - "getPreviewImage" Directory Traversal/Local File Inclusion + description: Oracle Business Intelligence Enterprise Edition 5.5.0.0.0, 12.2.1.3.0, and 12.2.1.4.0 are vulnerable to local file inclusion vulnerabilities via "getPreviewImage." reference: - http://packetstormsecurity.com/files/159748/Oracle-Business-Intelligence-Enterprise-Edition-5.5.0.0.0-12.2.1.3.0-12.2.1.4.0-LFI.html - https://www.oracle.com/security-alerts/cpuoct2020.html + - https://nvd.nist.gov/vuln/detail/CVE-2020-14864 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -28,4 +29,6 @@ requests: - type: regex regex: - 'root:.*:0:0:' - part: body \ No newline at end of file + part: body + +# Enhanced by mp on 2022/07/13 diff --git a/cves/2020/CVE-2020-15050.yaml b/cves/2020/CVE-2020-15050.yaml index b3ec3325f1..000a915b6e 100644 --- a/cves/2020/CVE-2020-15050.yaml +++ b/cves/2020/CVE-2020-15050.yaml @@ -1,10 +1,10 @@ id: CVE-2020-15050 info: - name: Suprema BioStar2 - Local File Inclusion (LFI) + name: Suprema BioStar <2.8.2 - Local File Inclusion author: gy741 severity: high - description: An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal. + description: Suprema BioStar before 2.8.2 Video Extension allows remote attackers can read arbitrary files from the server via local file inclusion. reference: - http://packetstormsecurity.com/files/158576/Bio-Star-2.8.2-Local-File-Inclusion.html - https://www.supremainc.com/en/support/biostar-2-pakage.asp 
@@ -29,3 +29,5 @@ requests: - "fonts" - "extensions" condition: and + +# Enhanced by mp on 2022/07/13 diff --git a/cves/2020/CVE-2020-16139.yaml b/cves/2020/CVE-2020-16139.yaml index 592bfd63b7..95a74a78fb 100644 --- a/cves/2020/CVE-2020-16139.yaml +++ b/cves/2020/CVE-2020-16139.yaml @@ -1,16 +1,17 @@ id: CVE-2020-16139 info: - name: Cisco 7937G Denial-of-Service Reboot Attack + name: Cisco Unified IP Conference Station 7937G - Denial-of-Service author: pikpikcu severity: high description: | - A denial-of-service in Cisco Unified IP Conference Station 7937G 1-4-4-0 through 1-4-5-7 allows attackers restart the device remotely through sending specially crafted packets. Note: We cannot prove this vulnerability exists. Out of an abundance of caution, this CVE is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded. + Cisco Unified IP Conference Station 7937G 1-4-4-0 through 1-4-5-7 allows attackers to restart the device remotely via specially crafted packets that can cause a denial-of-service condition. Note: We cannot prove this vulnerability exists. Out of an abundance of caution, this CVE is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded. reference: - https://blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/ - http://packetstormsecurity.com/files/158819/Cisco-7937G-Denial-Of-Service.html - https://www.blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/ - https://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/unified-ip-phone-7940g/end_of_life_notice_c51-729487.html + - https://nvd.nist.gov/vuln/detail/CVE-2020-16139 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H cvss-score: 7.5 
@@ -34,4 +35,6 @@ requests: - "application/xml" - type: word words: - - 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' \ No newline at end of file + - 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + +# Enhanced by mp on 2022/07/13 diff --git a/cves/2020/CVE-2020-16952.yaml b/cves/2020/CVE-2020-16952.yaml index 55eec4cab2..ed099d1025 100644 --- a/cves/2020/CVE-2020-16952.yaml +++ b/cves/2020/CVE-2020-16952.yaml @@ -1,14 +1,15 @@ id: CVE-2020-16952 info: - name: Microsoft SharePoint Server-Side Include (SSI) and ViewState RCE + name: Microsoft SharePoint - Remote Code Execution author: dwisiswant0 severity: high - description: A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. + description: Microsoft SharePoint is vulnerable to a remote code execution when the software fails to check the source markup of an application package. reference: - https://srcincite.io/pocs/cve-2020-16952.py.txt - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952 - https://github.com/rapid7/metasploit-framework/blob/1a341ae93191ac5f6d8a9603aebb6b3a1f65f107/documentation/modules/exploit/windows/http/sharepoint_ssi_viewstate.md + - https://nvd.nist.gov/vuln/detail/CVE-2020-16952 classification: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H cvss-score: 7.8 @@ -41,3 +42,5 @@ requests: - 200 - 201 condition: or + +# Enhanced by mp on 2022/07/13 diff --git a/cves/2020/CVE-2020-17505.yaml b/cves/2020/CVE-2020-17505.yaml index 1d14c7bc10..70b6b00ac0 100644 --- a/cves/2020/CVE-2020-17505.yaml +++ b/cves/2020/CVE-2020-17505.yaml 
@@ -1,13 +1,14 @@ id: CVE-2020-17505 info: - name: Artica Web Proxy 4.30 OS Command Injection + name: Artica Web Proxy 4.30 - OS Command Injection author: dwisiswant0 severity: high - description: Artica Web Proxy 4.30.000000 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform. + description: Artica Web Proxy 4.30 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform. reference: - https://blog.max0x4141.com/post/artica_proxy/ - http://packetstormsecurity.com/files/159267/Artica-Proxy-4.30.000000-Authentication-Bypass-Command-Injection.html + - https://nvd.nist.gov/vuln/detail/CVE-2020-17505 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 @@ -41,3 +42,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/13 diff --git a/cves/2020/CVE-2020-17518.yaml b/cves/2020/CVE-2020-17518.yaml index 3fb367fddd..56ca8b7d02 100644 --- a/cves/2020/CVE-2020-17518.yaml +++ b/cves/2020/CVE-2020-17518.yaml 
@@ -1,17 +1,17 @@ id: CVE-2020-17518 info: - name: Apache Flink Upload Path Traversal + name: Apache Flink 1.5.1 - Local File Inclusion author: pdteam severity: high description: | - Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, - through a maliciously modified HTTP HEADER. + Apache Flink 1.5.1 is vulnerable to local file inclusion because of a REST handler that allows file uploads to an arbitrary location on the local file system through a maliciously modified HTTP HEADER. reference: - https://github.com/vulhub/vulhub/tree/master/flink/CVE-2020-17518 - https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E - https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cuser.flink.apache.org%3E - https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cdev.flink.apache.org%3E + - https://nvd.nist.gov/vuln/detail/CVE-2020-17518 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N cvss-score: 7.5 @@ -41,3 +41,5 @@ requests: - type: dsl dsl: - 'contains(body, "test-poc") && status_code == 200' # Using CVE-2020-17519 to confirm this. + +# Enhanced by mp on 2022/07/13 diff --git a/cves/2020/CVE-2020-17519.yaml b/cves/2020/CVE-2020-17519.yaml index 1585625f0b..49e8144891 100644 --- a/cves/2020/CVE-2020-17519.yaml +++ b/cves/2020/CVE-2020-17519.yaml 
@@ -1,15 +1,16 @@ id: CVE-2020-17519 info: - name: Apache Flink directory traversal + name: Apache Flink - Local File Inclusion author: pdteam severity: high - description: A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. + description: Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process (aka local file inclusion). reference: - https://github.com/B1anda0/CVE-2020-17519 - https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E - https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cdev.flink.apache.org%3E - https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cuser.flink.apache.org%3E + - https://nvd.nist.gov/vuln/detail/CVE-2020-17519 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -30,3 +31,5 @@ requests: regex: - "root:.*:0:0:" part: body + +# Enhanced by mp on 2022/07/13 diff --git a/cves/2020/CVE-2020-2036.yaml b/cves/2020/CVE-2020-2036.yaml index c0214bf122..4b74fc8d77 100644 --- a/cves/2020/CVE-2020-2036.yaml +++ b/cves/2020/CVE-2020-2036.yaml 
@@ -1,14 +1,15 @@ id: CVE-2020-2036 info: - name: Palo Alto Networks Reflected XSS + name: Palo Alto Networks PAN-OS Web Interface - Cross Site-Scripting author: madrobot severity: high description: | - A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9. + PAN-OS management web interface is vulnerable to reflected cross-site scripting. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9. reference: - https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/ - https://security.paloaltonetworks.com/CVE-2020-2036 + - https://nvd.nist.gov/vuln/detail/CVE-2020-2036 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H cvss-score: 8.8 @@ -38,3 +39,5 @@ requests: words: - "text/html" part: header + +# Enhanced by mp on 2022/07/13 diff --git a/cves/2020/CVE-2020-23972.yaml b/cves/2020/CVE-2020-23972.yaml index 3bf88583e8..8d6884eb40 100644 --- a/cves/2020/CVE-2020-23972.yaml +++ b/cves/2020/CVE-2020-23972.yaml 
@@ -1,18 +1,17 @@ id: CVE-2020-23972 info: - name: Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload + name: Joomla! Component GMapFP 3.5 - Arbitrary File Upload author: dwisiswant0 severity: high description: | - An attacker can access the upload function of the application - without authenticating to the application and also can upload - files due the issues of unrestricted file upload which can be - bypassed by changing Content-Type & name file too double ext. + Joomla! Component GMapFP 3.5 is vulnerable to arbitrary file upload vulnerabilities. An attacker can access the upload function of the application + without authentication and can upload files because of unrestricted file upload which can be bypassed by changing Content-Type & name file too double ext. reference: - https://www.exploit-db.com/exploits/49129 - https://raw.githubusercontent.com/me4yoursecurity/Reports/master/README.md - http://packetstormsecurity.com/files/159072/Joomla-GMapFP-J3.5-J3.5F-Arbitrary-File-Upload.html + - https://nvd.nist.gov/vuln/detail/CVE-2020-23972 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N cvss-score: 7.5 @@ -56,3 +55,5 @@ requests: part: body regex: - "window\\.opener\\.(changeDisplayImage|addphoto)\\(\"(.*?)\"\\);" + +# Enhanced by mp on 2022/07/13 diff --git a/cves/2020/CVE-2020-24571.yaml b/cves/2020/CVE-2020-24571.yaml index c54df7ed6f..a89c9b23e4 100644 --- a/cves/2020/CVE-2020-24571.yaml +++ b/cves/2020/CVE-2020-24571.yaml 
@@ -1,12 +1,13 @@ id: CVE-2020-24571 info: - name: NexusDB v4.50.22 Path Traversal + name: NexusDB <4.50.23 - Local File Inclusion author: pikpikcu severity: high - description: NexusQA NexusDB before 4.50.23 allows the reading of files via ../ directory traversal. + description: NexusQA NexusDB before 4.50.23 allows the reading of files via ../ directory traversal and local file inclusion. reference: - https://www.nexusdb.com/mantis/bug_view_advanced_page.php?bug_id=2371 + - https://nvd.nist.gov/vuln/detail/CVE-2020-24571 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -29,3 +30,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/13 diff --git a/cves/2020/CVE-2020-24579.yaml b/cves/2020/CVE-2020-24579.yaml index 98bea02cd2..b3b8bc7767 100644 --- a/cves/2020/CVE-2020-24579.yaml +++ b/cves/2020/CVE-2020-24579.yaml @@ -1,13 +1,14 @@ id: CVE-2020-24579 info: - name: D-Link DSL 2888a - Remote Command Execution + name: D-Link DSL 2888a - Authentication Bypass/Remote Command Execution author: pikpikcu severity: high - description: An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. An unauthenticated attacker could bypass authentication to access authenticated pages and functionality. + description: D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55 are vulnerable to authentication bypass issues which can lead to remote command execution. An unauthenticated attacker could bypass authentication to access authenticated pages and functionality. reference: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/d-link-multiple-security-vulnerabilities-leading-to-rce/ - https://www.trustwave.com/en-us/resources/security-resources/security-advisories/ + - https://nvd.nist.gov/vuln/detail/CVE-2020-24579 classification: cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 
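Review bot: the rewritten description in cves/2020/CVE-2020-17519.yaml no longer parses. Dropping "A change introduced in" leaves "Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers" with a parenthetical whose subject is gone. Suggest `description: Apache Flink 1.11.0, 1.11.1 and 1.11.2 allow attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process (aka local file inclusion).` While the reference block is being touched, the two lists.apache.org dev.flink URLs differ only by `%40` versus `@` and one of them can go.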
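Review bot: the new name in cves/2020/CVE-2020-2036.yaml misplaces the hyphen: "Cross Site-Scripting" should read "Cross-Site Scripting", matching the "reflected cross-site scripting" wording in the description a few lines below. Suggest `name: Palo Alto Networks PAN-OS Web Interface - Reflected Cross-Site Scripting`, which also keeps the "Reflected" qualifier the removed name carried.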
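Review bot: the new description in cves/2020/CVE-2020-23972.yaml is tautological ("is vulnerable to arbitrary file upload vulnerabilities") and carries the typo "name file too double ext" over from the removed lines. Suggest `Joomla! Component GMapFP 3.5 is vulnerable to arbitrary file upload. An attacker can access the upload function of the application without authentication and can upload files because the unrestricted file upload check can be bypassed by changing the Content-Type and renaming the file to a double extension.`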
@@ -40,3 +41,5 @@ requests: - "nobody:[x*]:65534:65534" - "root:.*:0:0:" condition: or + +# Enhanced by mp on 2022/07/13 diff --git a/cves/2020/CVE-2020-24949.yaml b/cves/2020/CVE-2020-24949.yaml index c6e3ecb048..f498b0d7d8 100644 --- a/cves/2020/CVE-2020-24949.yaml +++ b/cves/2020/CVE-2020-24949.yaml @@ -1,18 +1,20 @@ id: CVE-2020-24949 info: - name: PHPFusion 9.03.50 Remote Code Execution + name: PHP-Fusion 9.03.50 - Remote Code Execution author: geeknik severity: high - description: Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE). + description: PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution. reference: - https://packetstormsecurity.com/files/162852/phpfusion90350-exec.txt - https://github.com/php-fusion/PHP-Fusion/issues/2312 - http://packetstormsecurity.com/files/162852/PHPFusion-9.03.50-Remote-Code-Execution.html + - https://nvd.nist.gov/vuln/detail/CVE-2020-24949 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2020-24949 + cwe-id: CWE-77 tags: cve,cve2020,phpfusion,rce,php requests: @@ -30,4 +32,6 @@ requests: - type: word part: body words: - - "infusion_db.php" \ No newline at end of file + - "infusion_db.php" + +# Enhanced by mp on 2022/07/13 diff --git a/cves/2020/CVE-2020-25078.yaml b/cves/2020/CVE-2020-25078.yaml index 6dfff9d5bc..9446eae118 100644 --- a/cves/2020/CVE-2020-25078.yaml +++ b/cves/2020/CVE-2020-25078.yaml 
@@ -1,14 +1,14 @@ id: CVE-2020-25078 info: - name: D-Link DCS-2530L Administrator password disclosure + name: D-Link DCS-2530L/DCS-2670L - Administrator Password Disclosure author: pikpikcu severity: high - description: An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. The unauthenticated /config/getuser endpoint allows for remote administrator password disclosure. + description: D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices are vulnerable to password disclosures vulnerabilities because the /config/getuser endpoint allows for remote administrator password disclosure. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2020-25078 - https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10180 - https://twitter.com/Dogonsecurity/status/1273251236167516161 + - https://nvd.nist.gov/vuln/detail/CVE-2020-25078 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -36,3 +36,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2020/CVE-2020-25540.yaml b/cves/2020/CVE-2020-25540.yaml index 09ea481ed3..278a0044be 100644 --- a/cves/2020/CVE-2020-25540.yaml +++ b/cves/2020/CVE-2020-25540.yaml 
@@ -1,15 +1,16 @@ id: CVE-2020-25540 info: - name: ThinkAdmin 6 - Arbitrarily File Read (CVE-2020-25540) + name: ThinkAdmin 6 - Local File Inclusion author: geeknik severity: high - description: ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthorized attacker can read arbitrary files on a remote server via GET request encode parameter. + description: ThinkAdmin version 6 is affected by a local file inclusion vulnerability because an unauthorized attacker can read arbitrary files on a remote server via GET request encode parameter. reference: - https://www.exploit-db.com/exploits/48812 - https://github.com/zoujingli/ThinkAdmin/issues/244 - https://wtfsec.org/posts/thinkadmin-v6-%E5%88%97%E7%9B%AE%E5%BD%95-%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96/ - http://packetstormsecurity.com/files/159177/ThinkAdmin-6-Arbitrary-File-Read.html + - https://nvd.nist.gov/vuln/detail/CVE-2020-25540 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -30,3 +31,5 @@ requests: - type: regex regex: - "root:.*:0:0:" + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2020/CVE-2020-25780.yaml b/cves/2020/CVE-2020-25780.yaml index c85c8fac4e..651bd79aea 100644 --- a/cves/2020/CVE-2020-25780.yaml +++ b/cves/2020/CVE-2020-25780.yaml 
@@ -1,14 +1,14 @@ id: CVE-2020-25780 info: - name: Commvault CommCell Directory Traversal + name: Commvault CommCell - Local File Inclusion author: pdteam severity: high - description: In CommCell in Commvault before 14.68, 15.x before 15.58, 16.x before 16.44, 17.x before 17.29, and 18.x before 18.13, Directory Traversal can occur such that an attempt to view a log file can instead view a file outside of the log-files folder. + description: CommCell in Commvault before 14.68, 15.x before 15.58, 16.x before 16.44, 17.x before 17.29, and 18.x before 18.13 are vulnerable to local file inclusion because an attacker can view a log file can instead view a file outside of the log-files folder. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2020-25780 - https://srcincite.io/blog/2021/11/22/unlocking-the-vault.html - http://kb.commvault.com/article/63264 + - https://nvd.nist.gov/vuln/detail/CVE-2020-25780 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -44,4 +44,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2020/CVE-2020-26073.yaml b/cves/2020/CVE-2020-26073.yaml index eaea12f311..249ba38d43 100644 --- a/cves/2020/CVE-2020-26073.yaml +++ b/cves/2020/CVE-2020-26073.yaml 
@@ -1,13 +1,14 @@ id: CVE-2020-26073 info: - name: Cisco SD-WAN vManage Software Directory Traversal + name: Cisco SD-WAN vManage Software - Local File Inclusion author: madrobot severity: high description: | - A vulnerability in the application data endpoints of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to gain access to sensitive information. + Cisco SD-WAN vManage Software in the application data endpoints is vulnerable to local file inclusion which could allow an unauthenticated, remote attacker to gain access to sensitive information. reference: - https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-vman-traversal-hQh24tmk.html + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26073 classification: cve-id: CVE-2020-26073 tags: cve,cve2020,cisco,lfi @@ -25,3 +26,5 @@ requests: regex: - "root:.*:0:0:" part: body + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2020/CVE-2020-27191.yaml b/cves/2020/CVE-2020-27191.yaml index 78e22728b9..5a31464e24 100644 --- a/cves/2020/CVE-2020-27191.yaml +++ b/cves/2020/CVE-2020-27191.yaml @@ -1,14 +1,14 @@ id: CVE-2020-27191 info: - name: LionWiki 3.2.11 - LFI + name: LionWiki <3.2.12 - Local File Inclusion author: 0x_Akoko severity: high - description: LionWiki before 3.2.12 allows an unauthenticated user to read files as the web server user via crafted string in the index.php f1 variable, aka Local File Inclusion. + description: LionWiki before 3.2.12 allows an unauthenticated user to read files as the web server user via crafted strings in the index.php f1 variable, aka local file inclusion. reference: - https://www.junebug.site/blog/cve-2020-27191-lionwiki-3-2-11-lfi - http://lionwiki.0o.cz/index.php?page=Main+page - - https://www.cvedetails.com/cve/CVE-2020-27191 + - https://nvd.nist.gov/vuln/detail/CVE-2020-27191 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 
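Review bot: the rewritten description in cves/2020/CVE-2020-25078.yaml has a grammar slip ("vulnerable to password disclosures vulnerabilities") and drops the "unauthenticated" qualifier on the endpoint, which is the fact that justifies the PR:N in the CVSS vector three lines below. Suggest `description: D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices are vulnerable to administrator password disclosure because the unauthenticated /config/getuser endpoint allows for remote administrator password disclosure.`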
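Review bot: the new description in cves/2020/CVE-2020-25780.yaml is ungrammatical: "because an attacker can view a log file can instead view a file outside of the log-files folder" has two verbs and no object, and "CommCell ... are vulnerable" has a singular subject. Suggest `description: CommCell in Commvault before 14.68, 15.x before 15.58, 16.x before 16.44, 17.x before 17.29, and 18.x before 18.13 is vulnerable to local file inclusion because an attempt to view a log file can instead return a file outside of the log-files folder.`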
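Review bot: the reference added in cves/2020/CVE-2020-26073.yaml points at cve.mitre.org while every other hunk in this patch adds the NVD URL; for consistency use `- https://nvd.nist.gov/vuln/detail/CVE-2020-26073`. The rewritten description also reads awkwardly ("Cisco SD-WAN vManage Software in the application data endpoints is vulnerable"); suggest `The application data endpoints of Cisco SD-WAN vManage Software are vulnerable to local file inclusion, which could allow an unauthenticated, remote attacker to gain access to sensitive information.`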
@@ -30,3 +30,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2020/CVE-2020-27361.yaml b/cves/2020/CVE-2020-27361.yaml index cee31b2f96..b9f9b21595 100644 --- a/cves/2020/CVE-2020-27361.yaml +++ b/cves/2020/CVE-2020-27361.yaml @@ -1,12 +1,13 @@ id: CVE-2020-27361 info: - name: Akkadian Provisioning Manager - Files Listing + name: Akkadian Provisioning Manager 4.50.02 - Sensitive Information Disclosure author: gy741 severity: high - description: An issue exists within Akkadian Provisioning Manager 4.50.02 which allows attackers to view sensitive information within the /pme subdirectories. + description: Akkadian Provisioning Manager 4.50.02 could allow viewing of sensitive information within the /pme subdirectories. reference: - https://www.blacklanternsecurity.com/2021-07-01-Akkadian-CVE/ + - https://nvd.nist.gov/vuln/detail/CVE-2020-27191 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -30,3 +31,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2020/CVE-2020-27467.yaml b/cves/2020/CVE-2020-27467.yaml index 63b939873e..c3bfd9c523 100644 --- a/cves/2020/CVE-2020-27467.yaml +++ b/cves/2020/CVE-2020-27467.yaml 
@@ -1,15 +1,15 @@ id: CVE-2020-27467 info: - name: Processwire CMS < 2.7.1 - Directory Traversal + name: Processwire CMS <2.7.1 - Local File Inclusion author: 0x_Akoko severity: high - description: Local File Inclusion in Processwire CMS < 2.7.1 allows to retrieve arbitrary files via the download parameter to index.php By providing a specially crafted path to the vulnerable parameter, a remote attacker can retrieve the contents of sensitive files on the local system. + description: Processwire CMS prior to 2.7.1 is vulnerable to local file inclusion because it allows a remote attacker to retrieve sensitive files via the download parameter to index.php. reference: - https://github.com/Y1LD1R1M-1337/LFI-ProcessWire - https://processwire.com/ - - https://www.cvedetails.com/cve/CVE-2020-27467 - https://github.com/ceng-yildirim/LFI-processwire + - https://nvd.nist.gov/vuln/detail/CVE-2020-27467 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -31,3 +31,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2020/CVE-2020-27866.yaml b/cves/2020/CVE-2020-27866.yaml index 0bd51729fb..192bcb500f 100644 --- a/cves/2020/CVE-2020-27866.yaml +++ b/cves/2020/CVE-2020-27866.yaml 
@@ -1,16 +1,16 @@ id: CVE-2020-27866 info: - name: NETGEAR Authentication Bypass vulnerability + name: NETGEAR - Authentication Bypass author: gy741 severity: high - description: This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, - Nighthawk AC2100, and Nighthawk AC2400 routers. Authentication is not required to exploit this vulnerability. + description: NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers are vulnerable to authentication bypass vulnerabilities which could allow network-adjacent attackers to bypass authentication on affected installations. reference: - https://wzt.ac.cn/2021/01/13/AC2400_vuln/ - https://www.zerodayinitiative.com/advisories/ZDI-20-1451/ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27866 - https://kb.netgear.com/000062641/Security-Advisory-for-Password-Recovery-Vulnerabilities-on-Some-Routers + - https://nvd.nist.gov/vuln/detail/CVE-2020-27866 classification: cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 @@ -37,4 +37,6 @@ requests: - type: word words: - 'Debug Enable!' - part: body \ No newline at end of file + part: body + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2020/CVE-2020-27986.yaml b/cves/2020/CVE-2020-27986.yaml index b59fc6a4bb..7abfe56c38 100644 --- a/cves/2020/CVE-2020-27986.yaml +++ b/cves/2020/CVE-2020-27986.yaml 
@@ -1,15 +1,16 @@ id: CVE-2020-27986 info: - name: SonarQube unauth + name: SonarQube - Authentication Bypass author: pikpikcu severity: high description: | SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI. - NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it." + remediation: Reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it." reference: - https://csl.com.co/sonarqube-auditando-al-auditor-parte-i/ + - https://nvd.nist.gov/vuln/detail/CVE-2020-27866 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -35,3 +36,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2020/CVE-2020-3452.yaml b/cves/2020/CVE-2020-3452.yaml index 17e29a39b0..812d5a3c1e 100644 --- a/cves/2020/CVE-2020-3452.yaml +++ b/cves/2020/CVE-2020-3452.yaml 
@@ -1,11 +1,11 @@ id: CVE-2020-3452 info: - name: Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) - Arbitrary File Retrieval + name: Cisco Adaptive Security Appliance (ASA)/Firepower Threat Defense (FTD) - Local File Inclusion author: pdteam severity: high description: | - A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files. + Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software is vulnerable to local file inclusion due to directory traversal attacks that can read sensitive files on a targeted system because of a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. 
This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files. reference: - https://twitter.com/aboul3la/status/1286012324722155525 - http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html @@ -13,6 +13,7 @@ info: - http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html - http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86 + - https://nvd.nist.gov/vuln/detail/CVE-2020-3452 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -31,3 +32,5 @@ requests: - "INTERNAL_PASSWORD_ENABLED" - "CONF_VIRTUAL_KEYBOARD" condition: and + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2020/CVE-2020-5284.yaml b/cves/2020/CVE-2020-5284.yaml index ea57a1a846..1315a10ebb 100644 --- a/cves/2020/CVE-2020-5284.yaml +++ b/cves/2020/CVE-2020-5284.yaml 
@@ -1,14 +1,15 @@ id: CVE-2020-5284 info: - name: Next.js .next/ limited path traversal + name: Next.js <9.3.2 - Local File Inclusion author: rootxharsh,iamnoooob,dwisiswant0 severity: medium - description: Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2. + description: Next.js versions before 9.3.2 are vulnerable to local file inclusion. An attacker can craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. + remediation: This issue is fixed in version 9.3.2. reference: - - https://github.com/zeit/next.js/releases/tag/v9.3.2 https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj - https://github.com/zeit/next.js/releases/tag/v9.3.2 - https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj + - https://nvd.nist.gov/vuln/detail/CVE-2020-5284 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N cvss-score: 4.3 @@ -33,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2020/CVE-2020-5405.yaml b/cves/2020/CVE-2020-5405.yaml index 73a539a58a..bdd52136f0 100644 --- a/cves/2020/CVE-2020-5405.yaml +++ b/cves/2020/CVE-2020-5405.yaml 
@@ -1,13 +1,13 @@ id: CVE-2020-5405 info: - name: Spring Cloud Directory Traversal + name: Spring Cloud Config - Local File Inclusion author: harshbothra_ severity: medium - description: Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server - module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack. + description: Spring Cloud Config versions 2.2.x prior to 2.2.2, 2.1.x prior to 2.1.7, and older unsupported versions are vulnerable to local file inclusion because they allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. reference: - https://pivotal.io/security/cve-2020-5405 + - https://nvd.nist.gov/vuln/detail/CVE-2020-5405 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N cvss-score: 6.5 @@ -28,3 +28,5 @@ requests: regex: - "root:.*:0:0:" part: body + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2020/CVE-2020-8193.yaml b/cves/2020/CVE-2020-8193.yaml index 1be799ea20..102a94651f 100644 --- a/cves/2020/CVE-2020-8193.yaml +++ b/cves/2020/CVE-2020-8193.yaml 
@@ -1,14 +1,15 @@ id: CVE-2020-8193 info: - name: Citrix unauthenticated LFI + name: Citrix - Local File Inclusion author: pdteam severity: medium - description: Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints. + description: Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 are vulnerable to local file inclusion because they allow unauthenticated access to certain URL endpoints. reference: - https://github.com/jas502n/CVE-2020-8193 - http://packetstormsecurity.com/files/160047/Citrix-ADC-NetScaler-Local-File-Inclusion.html - https://support.citrix.com/article/CTX276688 + - https://nvd.nist.gov/vuln/detail/CVE-2020-8193 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N cvss-score: 6.5 @@ -73,3 +74,5 @@ requests: regex: - "root:.*:0:0:" part: body + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2020/CVE-2020-8644.yaml b/cves/2020/CVE-2020-8644.yaml index 9f91299c9c..ddeb6aaefd 100644 --- a/cves/2020/CVE-2020-8644.yaml +++ b/cves/2020/CVE-2020-8644.yaml @@ -55,4 +55,4 @@ requests: status: - 200 -# Enhanced by mp on 2022/07/07 +# Enhanced by mp on 2022/07/07 \ No newline at end of file diff --git a/cves/2021/CVE-2021-21402.yaml b/cves/2021/CVE-2021-21402.yaml index b5f92f7375..d28cbde27b 100644 --- a/cves/2021/CVE-2021-21402.yaml +++ b/cves/2021/CVE-2021-21402.yaml 
@@ -1,18 +1,18 @@ id: CVE-2021-21402 info: - name: Jellyfin prior to 10.7.0 Unauthenticated Arbitrary File Read + name: Jellyfin <10.7.0 - Local File Inclusion author: dwisiswant0 severity: medium description: | - Jellyfin allows unauthenticated arbitrary file read. This issue is more prevalent when - Windows is used as the host OS. Servers that are exposed to the public Internet are - potentially at risk. This is fixed in version 10.7.1. + Jellyfin before 10.7.0 is vulnerable to local file inclusion. This issue is more prevalent when Windows is used as the host OS. Servers exposed to public Internet are potentially at risk. + remediation: This is fixed in version 10.7.1. reference: - https://securitylab.github.com/advisories/GHSL-2021-050-jellyfin/ - https://github.com/jellyfin/jellyfin/security/advisories/GHSA-wg4c-c9g9-rxhx - https://github.com/jellyfin/jellyfin/releases/tag/v10.7.1 - https://github.com/jellyfin/jellyfin/commit/0183ef8e89195f420c48d2600bc0b72f6d3a7fd7 + - https://nvd.nist.gov/vuln/detail/CVE-2021-21402 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 @@ -42,3 +42,5 @@ requests: regex: - "\\[(font|extension|file)s\\]" part: body + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2021/CVE-2021-23241.yaml b/cves/2021/CVE-2021-23241.yaml index 708a5cf378..e5a8cb4784 100644 --- a/cves/2021/CVE-2021-23241.yaml +++ b/cves/2021/CVE-2021-23241.yaml 
@@ -1,15 +1,15 @@ id: CVE-2021-23241 info: - name: Mercury Router Web Server Directory Traversal + name: MERCUSYS Mercury X18G 1.0.5 Router - Local File Inclusion author: daffainfo severity: medium - description: MERCUSYS Mercury X18G 1.0.5 devices allow Directory Traversal via ../ in conjunction with a loginLess or login.htm URI (for authentication bypass) to the web server, as demonstrated by the /loginLess/../../etc/passwd URI. + description: MERCUSYS Mercury X18G 1.0.5 devices are vulnerable to local file inclusion via ../ in conjunction with a loginLess or login.htm URI (for authentication bypass) to the web server, as demonstrated by the /loginLess/../../etc/passwd URI. reference: - https://github.com/BATTZION/MY_REQUEST/blob/master/Mercury%20Router%20Web%20Server%20Directory%20Traversal.md - - https://nvd.nist.gov/vuln/detail/CVE-2021-23241 - https://www.mercusys.com/en/ - https://www.mercurycom.com.cn/product-521-1.html + - https://nvd.nist.gov/vuln/detail/CVE-2021-23241 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 @@ -32,3 +32,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2021/CVE-2021-26085.yaml b/cves/2021/CVE-2021-26085.yaml index 2aed8f2d73..c22b5688b8 100644 --- a/cves/2021/CVE-2021-26085.yaml +++ b/cves/2021/CVE-2021-26085.yaml 
@@ -1,15 +1,14 @@ id: CVE-2021-26085 info: - name: Confluence Pre-Authorization Arbitrary File Read in /s/ endpoint - CVE-2021-26085 + name: Atlassian Confluence Server - Local File Inclusion author: princechaddha severity: medium - description: Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. + description: Atlassian Confluence Server allows remote attackers to view restricted resources via local file inclusion in the /s/ endpoint. reference: - https://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html - - https://nvd.nist.gov/vuln/detail/CVE-2021-26085 - https://jira.atlassian.com/browse/CONFSERVER-67893 - - http://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html + - https://nvd.nist.gov/vuln/detail/CVE-2021-26085 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 @@ -36,3 +35,5 @@ requests: - "Confluence" - "com.atlassian.confluence.setup.ConfluenceAppConfig" condition: and + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2021/CVE-2021-26086.yaml b/cves/2021/CVE-2021-26086.yaml index 6f562be26f..80abadebbd 100644 --- a/cves/2021/CVE-2021-26086.yaml +++ b/cves/2021/CVE-2021-26086.yaml 
@@ -1,14 +1,14 @@ id: CVE-2021-26086 info: - name: Jira Limited Local File Read + name: Atlassian Jira Limited - Local File Inclusion author: cocxanh severity: medium - description: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. + description: Affected versions of Atlassian Jira Limited Server and Data Center are vulnerable to local file inclusion because they allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. reference: - https://jira.atlassian.com/browse/JRASERVER-72695 - - https://nvd.nist.gov/vuln/detail/CVE-2021-26086 - http://packetstormsecurity.com/files/164405/Atlassian-Jira-Server-Data-Center-8.4.0-File-Read.html + - https://nvd.nist.gov/vuln/detail/CVE-2021-26086 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 @@ -33,3 +33,5 @@ requests: - "" part: body condition: and + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2021/CVE-2021-27748.yaml b/cves/2021/CVE-2021-27748.yaml index 32df97fa56..4d908e4c87 100644 --- a/cves/2021/CVE-2021-27748.yaml +++ b/cves/2021/CVE-2021-27748.yaml @@ -5,11 +5,11 @@ info: author: pdteam severity: high description: | - IBM WebSphere HCL Digital Experience is susceptible to server-side request forgery vulnerability that impacts on-premise deployments and containers. + IBM WebSphere HCL Digital Experience is vulnerable to server-side request forgery that impacts on-premise deployments and containers. reference: - https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/ - https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095665 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27748 + - hhttps://nvd.nist.gov/vuln/detail/CVE-2022-31268 classification: cve-id: CVE-2021-27748 metadata: 
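Review bot: the reference added in cves/2020/CVE-2020-27361.yaml is for the wrong CVE: `+ - https://nvd.nist.gov/vuln/detail/CVE-2020-27191` is the LionWiki entry from the preceding file, not Akkadian Provisioning Manager. It should be `- https://nvd.nist.gov/vuln/detail/CVE-2020-27361`, matching the template id.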
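Review bot: the reference added in cves/2020/CVE-2020-27986.yaml carries the NETGEAR CVE over from the preceding file: `+ - https://nvd.nist.gov/vuln/detail/CVE-2020-27866` should be `- https://nvd.nist.gov/vuln/detail/CVE-2020-27986`. Moving the vendor quote ("it is the administrator's responsibility to configure it") into `remediation:` also mislabels it: it is the vendor's position on two of the three credential types, not a fix, and the template now states no remediation at all.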
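Review bot: the hunk for cves/2020/CVE-2020-8644.yaml goes the wrong way: its only change is that `# Enhanced by mp on 2022/07/07` loses its trailing newline (`\ No newline at end of file` is introduced), while every other hunk in this patch adds the trailing newline that was missing. Drop this hunk or restore the final newline.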
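Review bot: the version boundary in cves/2021/CVE-2021-21402.yaml is inconsistent within the same info block: the name says `Jellyfin <10.7.0` and the description says "Jellyfin before 10.7.0 is vulnerable", yet the new `remediation: This is fixed in version 10.7.1.` line and the v10.7.1 release reference imply 10.7.0 is affected as well. Pick one boundary and use it in the name, the description and the remediation.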
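Review bot: the replacement reference in cves/2021/CVE-2021-27748.yaml is broken twice: `+ - hhttps://nvd.nist.gov/vuln/detail/CVE-2022-31268` has a doubled "h" in the scheme and points at an unrelated 2022 CVE rather than the template's own id. It should be `- https://nvd.nist.gov/vuln/detail/CVE-2021-27748`.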
@@ -35,4 +35,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2021/CVE-2021-28149.yaml b/cves/2021/CVE-2021-28149.yaml index 9a8a2cc332..7cd62c1bd9 100644 --- a/cves/2021/CVE-2021-28149.yaml +++ b/cves/2021/CVE-2021-28149.yaml @@ -1,15 +1,15 @@ id: CVE-2021-28149 info: - name: Hongdian Directory Traversal + name: Hongdian H8922 3.0.5 Devices - Local File Inclusion author: gy741 severity: medium description: | - Hongdian H8922 3.0.5 devices allow Directory Traversal. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ (e.g., ../../etc/passwd) This can be carried out with a web browser by changing the file name accordingly. Upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server will allow a download of the contents of the /etc/passwd file. + Hongdian H8922 3.0.5 devices are vulnerable to local file inclusion. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ (e.g., ../../etc/passwd) This can be carried out with a web browser by changing the file name accordingly. Upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server will allow a download of the contents of the /etc/passwd file. reference: - https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/ - - https://nvd.nist.gov/vuln/detail/CVE-2021-28149 - http://en.hongdian.com/Products/Details/H8922 + - https://nvd.nist.gov/vuln/detail/CVE-2021-28149 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 @@ -47,3 +47,5 @@ requests: - "sshd:[x*]" - "root:[$]" part: body + +# Enhanced by mp on 2022/07/22 
diff --git a/cves/2021/CVE-2021-28151.yaml b/cves/2021/CVE-2021-28151.yaml index 9a57731f21..7a40803175 100644 --- a/cves/2021/CVE-2021-28151.yaml +++ b/cves/2021/CVE-2021-28151.yaml @@ -1,15 +1,15 @@ id: CVE-2021-28151 info: - name: Hongdian Command Injection + name: Hongdian H8922 3.0.5 - Remote Command Injection author: gy741 severity: high description: | Hongdian H8922 3.0.5 devices allow OS command injection via shell metacharacters into the ip-address (aka Destination) field to the tools.cgi ping command, which is accessible with the username guest and password guest. reference: - https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/ - - https://nvd.nist.gov/vuln/detail/CVE-2021-28151 - http://en.hongdian.com/Products/Details/H8922 + - https://nvd.nist.gov/vuln/detail/CVE-2021-28151 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 @@ -55,3 +55,5 @@ requests: - "groups=" part: body condition: and + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2021/CVE-2021-28377.yaml b/cves/2021/CVE-2021-28377.yaml index 630cd6063d..03cc1bbced 100644 --- a/cves/2021/CVE-2021-28377.yaml +++ b/cves/2021/CVE-2021-28377.yaml 
@@ -1,10 +1,10 @@ id: CVE-2021-28377 info: - name: ChronoForums 2.0.11 - Directory Traversal + name: Joomla! ChronoForums 2.0.11 - Local File Inclusion author: 0x_Akoko severity: medium - description: The ChronoForums avatar function is vulnerable through unauthenticated path traversal attacks. This enables unauthenticated attackers to read arbitrary files, for example the Joomla! configuration file which contains credentials. + description: Joomla! ChronoForums 2.0.11 avatar function is vulnerable to local file inclusion through unauthenticated path traversal attacks. This enables an attacker to read arbitrary files, for example the Joomla! configuration file which contains credentials. reference: - https://herolab.usd.de/en/security-advisories/usd-2021-0007/ - https://nvd.nist.gov/vuln/detail/CVE-2021-28377 @@ -29,3 +29,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2021/CVE-2021-28937.yaml b/cves/2021/CVE-2021-28937.yaml index afb05c10f6..bdf8fa2c1a 100644 --- a/cves/2021/CVE-2021-28937.yaml +++ b/cves/2021/CVE-2021-28937.yaml @@ -1,13 +1,14 @@ id: CVE-2021-28937 info: - name: Acexy Wireless-N WiFi Repeater Password Disclosure + name: Acexy Wireless-N WiFi Repeater REV 1.0 - Repeater Password Disclosure author: geeknik severity: high - description: The password.html page of the Web management interface of the Acexy Wireless-N WiFi Repeater REV 1.0 contains the administrator account password in plaintext. + description: Acexy Wireless-N WiFi Repeater REV 1.0 is vulnerable to password disclosure because the password.html page of the web management interface contains the administrator account password in plaintext. reference: - https://blog-ssh3ll.medium.com/acexy-wireless-n-wifi-repeater-vulnerabilities-8bd5d14a2990 - http://acexy.com + - https://nvd.nist.gov/vuln/detail/CVE-2021-28937 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 
@@ -31,3 +32,5 @@ requests: - "addCfg('username'" - "addCfg('newpass'" condition: and + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2021/CVE-2021-29442.yaml b/cves/2021/CVE-2021-29442.yaml index 9f495334b8..18472b1e65 100644 --- a/cves/2021/CVE-2021-29442.yaml +++ b/cves/2021/CVE-2021-29442.yaml @@ -1,18 +1,17 @@ id: CVE-2021-29442 info: - name: Nacos prior to 1.4.1 Missing Authentication Check + name: Nacos <1.4.1 - Authentication Bypass author: dwisiswant0 severity: high description: | - In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. - While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. - These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql) + Nacos before version 1.4.1 is vulnerable to authentication bypass because the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql). reference: - https://securitylab.github.com/advisories/GHSL-2020-325_326-nacos/ - https://github.com/alibaba/nacos/issues/4463 - https://github.com/alibaba/nacos/pull/4517 - https://github.com/advisories/GHSA-36hp-jr8h-556f + - https://nvd.nist.gov/vuln/detail/CVE-2021-29442 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 
@@ -37,3 +36,5 @@ requests: regex: - "\"TABLENAME\":\"(?:(?:(?:(?:(?:APP_CONFIGDATA_RELATION_[PS]UB|SYS(?:(?:CONGLOMERAT|ALIAS|(?:FI|RO)L)E|(?:(?:ROUTINE)?|COL)PERM|(?:FOREIGN)?KEY|CONSTRAINT|T(?:ABLEPERM|RIGGER)|S(?:TAT(?:EMENT|ISTIC)|EQUENCE|CHEMA)|DEPEND|CHECK|VIEW|USER)|USER|ROLE)S|CONFIG_(?:TAGS_RELATION|INFO_(?:AGGR|BETA|TAG))|TENANT_CAPACITY|GROUP_CAPACITY|PERMISSIONS|SYSCOLUMNS|SYS(?:DUMMY1|TABLES)|APP_LIST)|CONFIG_INFO)|TENANT_INFO)|HIS_CONFIG_INFO)\"" part: body + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2021/CVE-2021-30497.yaml b/cves/2021/CVE-2021-30497.yaml index 28669446a4..1a53836672 100644 --- a/cves/2021/CVE-2021-30497.yaml +++ b/cves/2021/CVE-2021-30497.yaml @@ -1,19 +1,21 @@ id: CVE-2021-30497 info: - name: Ivanti Avalanche Directory Traversal + name: Ivanti Avalanche 6.3.2 - Local File Inclusion author: gy741 severity: high - description: A directory traversal vulnerability in Ivanti Avalanche allows remote unauthenticated user to access files that reside outside the 'image' folder + description: Ivanti Avalanche 6.3.2 is vulnerable to local file inclusion because it allows remote unauthenticated user to access files that reside outside the 'image' folder. reference: - https://ssd-disclosure.com/ssd-advisory-ivanti-avalanche-directory-traversal/ - https://forums.ivanti.com/s/article/Security-Alert-CVE-2021-30497-Directory-Traversal-Vulnerability?language=en_US - https://help.ivanti.com/wl/help/en_us/aod/5.4/Avalanche/Console/Launching_the_Avalanche.htm + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30497 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2021-30497 - tags: cve,cve2021,avalanche,traversal + cwe-id: CWE-36 + tags: cve,cve2021,avalanche,traversal,lfi requests: - method: GET @@ -30,3 +32,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/14 
diff --git a/cves/2021/CVE-2021-31602.yaml b/cves/2021/CVE-2021-31602.yaml index ad9ddd6e9a..ea2c1430eb 100644 --- a/cves/2021/CVE-2021-31602.yaml +++ b/cves/2021/CVE-2021-31602.yaml @@ -1,15 +1,16 @@ id: CVE-2021-31602 info: - name: Pentaho <= 9.1 Authentication Bypass of Spring APIs + name: Hitachi Vantara Pentaho/Business Intelligence Server - Authentication Bypass author: pussycat0x severity: high - description: An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials. + description: Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x are vulnerable to authentication bypass. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials. reference: - https://seclists.org/fulldisclosure/2021/Nov/13 - https://portswigger.net/daily-swig/remote-code-execution-sql-injection-bugs-uncovered-in-pentaho-business-analytics-software - https://hawsec.com/publications/pentaho/HVPENT210401-Pentaho-BA-Security-Assessment-Report-v1_1.pdf - https://www.hitachi.com/hirt/security/index.html + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31602 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -38,3 +39,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/15 
diff --git a/cves/2021/CVE-2021-3223.yaml b/cves/2021/CVE-2021-3223.yaml index a9dd6fd4d3..1c503afb8d 100644 --- a/cves/2021/CVE-2021-3223.yaml +++ b/cves/2021/CVE-2021-3223.yaml @@ -1,14 +1,15 @@ id: CVE-2021-3223 info: - name: Node RED Dashboard - Directory Traversal + name: Node RED Dashboard <2.26.2 - Local File Inclusion author: gy741,pikpikcu severity: high - description: Node-RED-Dashboard before 2.26.2 allows ui_base/js/..%2f directory traversal to read files. + description: NodeRED-Dashboard before 2.26.2 is vulnerable to local file inclusion because it allows ui_base/js/..%2f directory traversal to read files. reference: - https://github.com/node-red/node-red-dashboard/issues/669 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3223 - https://github.com/node-red/node-red-dashboard/releases/tag/2.26.2 + - https://nvd.nist.gov/vuln/detail/CVE-2021-3223 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -37,3 +38,5 @@ requests: part: body words: - "Node-RED web server is listening" + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2021/CVE-2021-3374.yaml b/cves/2021/CVE-2021-3374.yaml index ea91933fa6..21d6a8d0cb 100644 --- a/cves/2021/CVE-2021-3374.yaml +++ b/cves/2021/CVE-2021-3374.yaml 
@@ -1,14 +1,14 @@ id: CVE-2021-3374 info: - name: Rstudio Shiny Server Directory Traversal + name: Rstudio Shiny Server <1.5.16 - Local File Inclusion author: geeknik severity: medium - description: Rstudio Shiny-Server prior to 1.5.16 is vulnerable to directory traversal and source code leakage. This can be exploited by appending an encoded slash to the URL. + description: Rstudio Shiny Server prior to 1.5.16 is vulnerable to local file inclusion and source code leakage. This can be exploited by appending an encoded slash to the URL. reference: - - https://github.com/colemanjp/rstudio-shiny-server-directory-traversal-source-code-leak - https://github.com/colemanjp/shinyserver-directory-traversal-source-code-leak - https://blog.rstudio.com/2021/01/13/shiny-server-1-5-16-update/ + - https://nvd.nist.gov/vuln/detail/CVE-2021-3374 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 @@ -34,3 +34,5 @@ requests: part: body regex: - "[A-Za-z].*\\.R" + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2021/CVE-2021-36749.yaml b/cves/2021/CVE-2021-36749.yaml index 703728a67c..e9af093e66 100644 --- a/cves/2021/CVE-2021-36749.yaml +++ b/cves/2021/CVE-2021-36749.yaml 
@@ -1,15 +1,15 @@ id: CVE-2021-36749 info: - name: Apache Druid Authentication Restrictions Bypass + name: Apache Druid - Local File Inclusion author: _0xf4n9x_ severity: medium - description: In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1. + description: Apache Druid ingestion system is vulnerable to local file inclusion. The InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1. 
reference: - - https://nvd.nist.gov/vuln/detail/CVE-2021-36749 - https://www.cvedetails.com/cve/CVE-2021-36749/ - https://github.com/BrucessKING/CVE-2021-36749 - https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E + - https://nvd.nist.gov/vuln/detail/CVE-2021-36749 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 @@ -34,3 +34,5 @@ requests: - "root:.*:0:0:" - "druid:*:1000:1000:" condition: or + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2021/CVE-2021-41569.yaml b/cves/2021/CVE-2021-41569.yaml index 7dc2a16196..d456cdf249 100644 --- a/cves/2021/CVE-2021-41569.yaml +++ b/cves/2021/CVE-2021-41569.yaml @@ -1,13 +1,13 @@ id: CVE-2021-41569 info: - name: SAS 9.4 build 1520 - Local File Inclusion + name: SAS/Internet 9.4 1520 - Local File Inclusion author: 0x_Akoko severity: high - description: SAS/Intrnet 9.4 build 1520 and earlier allows Local File Inclusion. The samples library (included by default) in the appstart.sas file, allows end-users of the application to access the sample.webcsf1.sas program, which contains user-controlled macro variables that are passed to the DS2CSF macro. + description: SAS/Internet 9.4 build 1520 and earlier allows local file inclusion. The samples library (included by default) in the appstart.sas file, allows end-users of the application to access the sample.webcsf1.sas program, which contains user-controlled macro variables that are passed to the DS2CSF macro. reference: - https://www.mindpointgroup.com/blog/high-risk-vulnerability-discovery-localfileinclusion-sas - - https://nvd.nist.gov/vuln/detail/CVE-2021-41569 - https://support.sas.com/kb/68/641.html + - https://nvd.nist.gov/vuln/detail/CVE-2021-41569 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -30,3 +30,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/15 
diff --git a/cves/2022/CVE-2022-0656.yaml b/cves/2022/CVE-2022-0656.yaml index b07a17b563..4ddb691a47 100644 --- a/cves/2022/CVE-2022-0656.yaml +++ b/cves/2022/CVE-2022-0656.yaml @@ -1,10 +1,10 @@ id: CVE-2022-0656 info: - name: uDraw < 3.3.3 - Unauthenticated Arbitrary File Access + name: uDraw <3.3.3 - Local File Inclusion author: akincibor severity: high - description: The plugin does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd, wp-config.php etc). + description: uDraw before 3.3.3 does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd, wp-config.php etc). reference: - https://wpscan.com/vulnerability/925c4c28-ae94-4684-a365-5f1e34e6c151 - https://nvd.nist.gov/vuln/detail/CVE-2022-0656 @@ -40,3 +40,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2022/CVE-2022-24129.yaml b/cves/2022/CVE-2022-24129.yaml index f54912b105..9d3dc396c3 100644 --- a/cves/2022/CVE-2022-24129.yaml +++ b/cves/2022/CVE-2022-24129.yaml 
@@ -1,15 +1,15 @@ id: CVE-2022-24129 info: - name: Shibboleth OIDC OP plugin <3.0.4 - Server-Side Request Forgery + name: Shibboleth OIDC OP <3.0.4 - Server-Side Request Forgery author: 0x_Akoko severity: high - description: The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider allows server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter. This allows attackers to interact with arbitrary third-party HTTP services. + description: The Shibboleth Identity Provider OIDC OP plugin before 3.0.4 is vulnerable to server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter, which allows attackers to interact with arbitrary third-party HTTP services. reference: - https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220127-01_Shibboleth_IdP_OIDC_OP_Plugin_SSRF - https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP - - https://nvd.nist.gov/vuln/detail/CVE-2022-24129 - http://shibboleth.net/community/advisories/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-24129 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N cvss-score: 8.2 @@ -33,3 +33,5 @@ requests: part: interactsh_request words: - "ShibbolethIdp" + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2022/CVE-2022-26233.yaml b/cves/2022/CVE-2022-26233.yaml index 7a7376e711..018e1e1627 100644 --- a/cves/2022/CVE-2022-26233.yaml +++ b/cves/2022/CVE-2022-26233.yaml 
@@ -1,15 +1,16 @@ id: CVE-2022-26233 info: - name: Barco Control Room Management Suite - Directory Traversal + name: Barco Control Room Management Suite <=2.9 Build 0275 - Local File Inclusion author: 0x_Akoko severity: high - description: Barco Control Room Management through Suite 2.9 Build 0275 was discovered to be vulnerable to directory traversal, allowing attackers to access sensitive information and components. Requests must begin with the "GET /..\.." substring. + description: Barco Control Room Management through Suite 2.9 Build 0275 is vulnerable to local file inclusion that could allow attackers to access sensitive information and components. Requests must begin with the "GET /..\.." substring. reference: - https://0day.today/exploit/37579 - https://www.cvedetails.com/cve/CVE-2022-26233 - http://seclists.org/fulldisclosure/2022/Apr/0 - http://packetstormsecurity.com/files/166577/Barco-Control-Room-Management-Suite-Directory-Traversal.html + - https://nvd.nist.gov/vuln/detail/CVE-2022-26233 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -32,3 +33,5 @@ requests: - "fonts" - "extensions" condition: and + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2022/CVE-2022-27849.yaml b/cves/2022/CVE-2022-27849.yaml index 1600ad9e9f..3c821fe2bc 100644 --- a/cves/2022/CVE-2022-27849.yaml +++ b/cves/2022/CVE-2022-27849.yaml 
@@ -1,14 +1,14 @@ id: CVE-2022-27849 info: - name: WordPress Simple Ajax Chat plugin <= 20220115 - Sensitive Information Disclosure vulnerability + name: WordPress Simple Ajax Chat <20220116 - Sensitive Information Disclosure vulnerability author: random-robbie severity: high description: | - Simple Ajax Chat < 20220216 - Sensitive Information Disclosure. The plugin does not properly restrict access to the exported data via the sac-export.csv file, which could allow unauthenticated users to access it + WordPress Simple Ajax Chat before 20220216 is vulnerable to sensitive information disclosure. The plugin does not properly restrict access to the exported data via the sac-export.csv file, which could allow unauthenticated users to access it. reference: - https://wordpress.org/plugins/simple-ajax-chat/#developers - - https://nvd.nist.gov/vuln/detail/CVE-2022-27849/ - https://patchstack.com/database/vulnerability/simple-ajax-chat/wordpress-simple-ajax-chat-plugin-20220115-sensitive-information-disclosure-vulnerability + - https://nvd.nist.gov/vuln/detail/CVE-2022-27849 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -41,3 +41,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2022/CVE-2022-28079.yaml b/cves/2022/CVE-2022-28079.yaml index a95add7afd..54b0078cdc 100644 --- a/cves/2022/CVE-2022-28079.yaml +++ b/cves/2022/CVE-2022-28079.yaml 
@@ -1,16 +1,17 @@ id: CVE-2022-28079 info: - name: College Management System - SQL Injection + name: College Management System 1.0 - SQL Injection author: ritikchaddha severity: high description: | - College Management System v1.0 was discovered to contain a SQL injection vulnerability via the course_code parameter. + College Management System 1.0 contains a SQL injection vulnerability via the course code parameter. reference: - https://github.com/erengozaydin/College-Management-System-course_code-SQL-Injection-Authenticated - https://download.code-projects.org/details/1c3b87e5-f6a6-46dd-9b5f-19c39667866f - https://nvd.nist.gov/vuln/detail/CVE-2022-28079 - https://code-projects.org/college-management-system-in-php-with-source-code/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-28079 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 @@ -41,3 +42,5 @@ requests: - type: status status: - 302 + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2022/CVE-2022-28080.yaml b/cves/2022/CVE-2022-28080.yaml index 1ec3be3f6c..b04f58c7db 100644 --- a/cves/2022/CVE-2022-28080.yaml +++ b/cves/2022/CVE-2022-28080.yaml @@ -5,12 +5,12 @@ info: author: lucasljm2001,ekrause,ritikchaddha severity: high description: | - Detects an SQL Injection vulnerability in Royal Event System + Royal Event is vulnerable to a SQL injection vulnerability. reference: - https://www.exploit-db.com/exploits/50934 - https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip - - https://nvd.nist.gov/vuln/detail/CVE-2022-28080 - https://github.com/erengozaydin/Royal-Event-Management-System-todate-SQL-Injection-Authenticated + - https://nvd.nist.gov/vuln/detail/CVE-2022-28080 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 @@ -68,3 +68,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/15 
diff --git a/cves/2022/CVE-2022-29014.yaml b/cves/2022/CVE-2022-29014.yaml index 6ab57685b7..f6982af5aa 100644 --- a/cves/2022/CVE-2022-29014.yaml +++ b/cves/2022/CVE-2022-29014.yaml @@ -1,14 +1,13 @@ id: CVE-2022-29014 info: - name: Razer Sila Gaming Router v2.0.441_api-2.0.418 - LFI + name: Razer Sila Gaming Router 2.0.441_api-2.0.418 - Local File Inclusion author: edoardottt severity: high - description: A local file inclusion vulnerability in Razer Sila Gaming Router v2.0.441_api-2.0.418 allows attackers to read arbitrary files. + description: Razer Sila Gaming Router 2.0.441_api-2.0.418 is vulnerable to local file inclusion which could allow attackers to read arbitrary files. reference: - https://www.exploit-db.com/exploits/50864 - https://nvd.nist.gov/vuln/detail/CVE-2022-29014 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29014 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -34,3 +33,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2022/CVE-2022-29298.yaml b/cves/2022/CVE-2022-29298.yaml index a5e250cf89..05d98530d4 100644 --- a/cves/2022/CVE-2022-29298.yaml +++ b/cves/2022/CVE-2022-29298.yaml 
@@ -1,15 +1,15 @@ id: CVE-2022-29298 info: - name: SolarView Compact 6.00 - Directory Traversal + name: SolarView Compact 6.00 - Local File Inclusion author: ritikchaddha severity: high - description: SolarView Compact ver.6.00 allows attackers to access sensitive files via directory traversal. + description: SolarView Compact 6.00 is vulnerable to local file inclusion which could allow attackers to access sensitive files. reference: - https://www.exploit-db.com/exploits/50950 - https://drive.google.com/file/d/1-RHw9ekVidP8zc0xpbzBXnse2gSY1xbH/view - - https://nvd.nist.gov/vuln/detail/CVE-2022-29298 - https://drive.google.com/file/d/1-RHw9ekVidP8zc0xpbzBXnse2gSY1xbH/view?usp=sharing + - https://nvd.nist.gov/vuln/detail/CVE-2022-29298 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -35,3 +35,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2022/CVE-2022-31268.yaml b/cves/2022/CVE-2022-31268.yaml index 55cb977531..b8148bb605 100644 --- a/cves/2022/CVE-2022-31268.yaml +++ b/cves/2022/CVE-2022-31268.yaml @@ -1,15 +1,15 @@ id: CVE-2022-31268 info: - name: Gitblit 1.9.3 - Path traversal + name: Gitblit 1.9.3 - Local File Inclusion author: 0x_Akoko severity: high description: | - A Path Traversal vulnerability in Gitblit 1.9.3 can lead to reading website files via /resources//../ (e.g., followed by a WEB-INF or META-INF pathname). + Gitblit 1.9.3 is vulnerable to local file inclusion via /resources//../ (e.g., followed by a WEB-INF or META-INF pathname). reference: - https://github.com/metaStor/Vuls/blob/main/gitblit/gitblit%20V1.9.3%20path%20traversal/gitblit%20V1.9.3%20path%20traversal.md - - https://www.cvedetails.com/cve/CVE-2022-31268 - https://vuldb.com/?id.200500 + - https://nvd.nist.gov/vuln/detail/CVE-2022-31268 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 
@@ -44,3 +44,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2022/CVE-2022-32409.yaml b/cves/2022/CVE-2022-32409.yaml index c827dbb9e3..45a9d0ff2e 100644 --- a/cves/2022/CVE-2022-32409.yaml +++ b/cves/2022/CVE-2022-32409.yaml @@ -1,14 +1,14 @@ id: CVE-2022-32409 info: - name: i3geo - Directory Traversal + name: Portal do Software Publico Brasileiro i3geo 7.0.5 - Local File Inclusion author: pikpikcu severity: critical - description: A local file inclusion (LFI) vulnerability in the component codemirror.php of Portal do Software Publico Brasileiro i3geo v7.0.5 allows attackers to execute arbitrary PHP code via a crafted HTTP request + description: Portal do Software Publico Brasileiro i3geo 7.0.5 is vulnerable to local file inclusion in the component codemirror.php, which allows attackers to execute arbitrary PHP code via a crafted HTTP request. reference: - https://github.com/wagnerdracha/ProofOfConcept/blob/main/i3geo_proof_of_concept.txt - - https://nvd.nist.gov/vuln/detail/CVE-2022-32409 - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion + - https://nvd.nist.gov/vuln/detail/CVE-2022-32409 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -34,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/cves/2022/CVE-2022-33174.yaml b/cves/2022/CVE-2022-33174.yaml index 8a150a3e5c..59e665b041 100644 --- a/cves/2022/CVE-2022-33174.yaml +++ b/cves/2022/CVE-2022-33174.yaml 
@@ -1,11 +1,11 @@ id: CVE-2022-33174 info: - name: Powertek Firmware - Authorization Bypass + name: Powertek Firmware <3.30.30 - Authorization Bypass author: pikpikcu severity: high description: | - Power Distribution Units running on Powertek firmware (multiple brands) before 3.30.30 allows remote authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface (/cgi/get_param.cgi) with the tmpToken cookie set to an empty string followed by a semicolon. This bypasses an active session authorization check. This can be then used to fetch the values of protected sys.passwd and sys.su.name fields that contain the username and password in cleartext. + Powertek firmware (multiple brands) before 3.30.30 running Power Distribution Units are vulnerable to authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface (/cgi/get_param.cgi) with the tmpToken cookie set to an empty string followed by a semicolon. This bypasses an active session authorization check. This can be then used to fetch the values of protected sys.passwd and sys.su.name fields that contain the username and password in cleartext. reference: - https://gynvael.coldwind.pl/?lang=en&id=748 - https://nvd.nist.gov/vuln/detail/CVE-2022-33174 @@ -45,3 +45,5 @@ requests: regex: - '([A-Z0-9a-z]+)<\/sys\.passwd>' - '([a-z]+)<\/sys\.su\.name>' + +# Enhanced by mp on 2022/07/15 diff --git a/cves/2022/CVE-2022-34046.yaml b/cves/2022/CVE-2022-34046.yaml index 5980cd828d..cd08056064 100644 --- a/cves/2022/CVE-2022-34046.yaml +++ b/cves/2022/CVE-2022-34046.yaml @@ -12,6 +12,8 @@ info: metadata: verified: true shodan-query: http.title:"Wi-Fi APP Login" + classification: + cve-id: CVE-2022-34046 tags: cve,cve2022,wavlink,router,exposure requests: diff --git a/cves/2022/CVE-2022-34047.yaml b/cves/2022/CVE-2022-34047.yaml index 6f57a4eb82..14ab842761 100644 
--- a/cves/2022/CVE-2022-34047.yaml +++ b/cves/2022/CVE-2022-34047.yaml @@ -12,6 +12,8 @@ info: metadata: verified: true shodan-query: http.title:"Wi-Fi APP Login" + classification: + cve-id: CVE-2022-34047 tags: cve,cve2022,wavlink,router,exposure requests: diff --git a/default-logins/apache/dubbo-admin-default-login.yaml b/default-logins/apache/dubbo-admin-default-login.yaml index 0ed4d68121..adce2c9d73 100644 --- a/default-logins/apache/dubbo-admin-default-login.yaml +++ b/default-logins/apache/dubbo-admin-default-login.yaml @@ -1,11 +1,16 @@ id: dubbo-admin-default-login info: - name: Dubbo Admin Default Login + name: Apache Dubbo - Default Admin Discovery author: ritikchaddha severity: high + description: Apache Dubbo default admin credentials were discovered. reference: - https://www.cnblogs.com/wishwzp/p/9438658.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: dubbo,apache,default-login requests: @@ -37,3 +42,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/15 diff --git a/default-logins/fuelcms/fuelcms-default-login.yaml b/default-logins/fuelcms/fuelcms-default-login.yaml index c46140539c..69bbdf24b8 100644 --- a/default-logins/fuelcms/fuelcms-default-login.yaml +++ b/default-logins/fuelcms/fuelcms-default-login.yaml @@ -1,12 +1,16 @@ id: fuelcms-default-login info: - name: Fuel CMS Default Credentials + name: Fuel CMS - Default Admin Discovery author: Adam Crosser severity: high description: Fuel CMS default admin credentials were discovered. reference: - https://docs.getfuelcms.com/general/security + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: fuelcms,default-login,oss requests: @@ -54,3 +58,5 @@ requests: group: 1 regex: - 'id="ci_csrf_token_FUEL" value="([0-9a-z]+)" \/>' + +# Enhanced by mp on 2022/07/15 
diff --git a/default-logins/jinher-oa-default-login.yaml b/default-logins/jinher-oa-default-login.yaml index 7c604317dc..391fbafc43 100644 --- a/default-logins/jinher-oa-default-login.yaml +++ b/default-logins/jinher-oa-default-login.yaml @@ -1,12 +1,16 @@ id: jinher-oa-default-login info: - name: Jinher oa C6 Default Password + name: Jinher-OA C6 - Default Admin Discovery author: ritikchaddha severity: high - description: Jinher-OA C6 default administrator account credential. + description: Jinher-OA C6 default admin credentials were discovered. reference: - https://github.com/nu0l/poc-wiki/blob/main/%E9%87%91%E5%92%8COA-C6-default-password.md + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 tags: jinher,default-login requests: @@ -42,3 +46,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/15 diff --git a/default-logins/jupyterhub/jupyterhub-default-login.yaml b/default-logins/jupyterhub/jupyterhub-default-login.yaml index fa7f7c44b0..5ca1422013 100644 --- a/default-logins/jupyterhub/jupyterhub-default-login.yaml +++ b/default-logins/jupyterhub/jupyterhub-default-login.yaml @@ -1,11 +1,16 @@ id: jupyterhub-default-login info: - name: Jupyterhub Default Login + name: Jupyterhub - Default Admin Discovery author: For3stCo1d severity: high + description: Jupyterhub default admin credentials were discovered. reference: - https://github.com/jupyterhub/jupyterhub + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 metadata: shodan-query: http.title:"JupyterHub" tags: jupyterhub,default-login @@ -38,4 +43,6 @@ requests: - type: status status: - - 302 \ No newline at end of file + - 302 + +# Enhanced by mp on 2022/07/15 diff --git a/default-logins/octobercms-default-login.yaml b/default-logins/octobercms-default-login.yaml index ac7530cfa6..2fde8c095b 100644 --- a/default-logins/octobercms-default-login.yaml 
+++ b/default-logins/octobercms-default-login.yaml @@ -1,13 +1,17 @@ id: octobercms-default-login info: - name: OctoberCMS Default Login + name: OctoberCMS - Default Admin Discovery author: princechaddha severity: high - description: OctoberCMS default administrator account credential. + description: OctoberCMS default admin credentials were discovered. reference: - https://github.com/octobercms/october - https://octobercms.com/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 metadata: verified: true shodan-query: http.component:"October CMS" @@ -58,3 +62,5 @@ requests: group: 1 regex: - 'meta name="csrf\-token" content="([A-Za-z0-9]+)">' + +# Enhanced by mp on 2022/07/15 diff --git a/default-logins/openemr/openemr-default-login.yaml b/default-logins/openemr/openemr-default-login.yaml index 5a08aa24f2..3eff5c8e62 100644 --- a/default-logins/openemr/openemr-default-login.yaml +++ b/default-logins/openemr/openemr-default-login.yaml @@ -1,9 +1,9 @@ id: openemr-default-login info: - name: OpenEMR Default Login + name: OpenEMR - Default Admin Discovery author: Geekby - description: OpenEMR default login was discovered. + description: OpenEMR default admin credentials were discovered. severity: high reference: - https://github.com/openemr/openemr-devops/tree/master/docker/openemr/6.1.0/#openemr-official-docker-image @@ -44,3 +44,5 @@ requests: - type: status status: - 302 + +# Enhanced by mp on 2022/07/15 diff --git a/exposed-panels/avtech-avn801-camera-panel.yaml b/exposed-panels/avtech-avn801-camera-panel.yaml index 6c233d50a7..a36f8957c2 100644 --- a/exposed-panels/avtech-avn801-camera-panel.yaml +++ b/exposed-panels/avtech-avn801-camera-panel.yaml 
@@ -1,10 +1,10 @@ id: avtech-avn801-camera-panel info: - name: Avtech AVN801 Network Camera Panel Detect + name: Avtech AVN801 Network Camera - Admin Panel Detection author: idealphase severity: info - description: AVTECH offers a range of IP camera series with different shapes, resolutions and lens to fulfill different demands. Select the items needed to narrow down product search. + description: An Avtech AVN801 Network Camera administration panel was detected. reference: - http://www.avtech.com.tw metadata: @@ -28,3 +28,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/exposed-panels/codemeter-webadmin-panel.yaml b/exposed-panels/codemeter-webadmin-panel.yaml index bcb121e897..6bee96ae0f 100644 --- a/exposed-panels/codemeter-webadmin-panel.yaml +++ b/exposed-panels/codemeter-webadmin-panel.yaml @@ -1,10 +1,14 @@ id: codemeter-webadmin-panel info: - name: CodeMeter WebAdmin Panel + name: CodeMeter - WebAdmin Panel Access author: Techryptic (@Tech) severity: high - description: Panel on CodeMeter WebAdmin application. + description: CodeMeter WebAdmin panel was accessed. + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cwe-id: CWE-200 tags: codemeter,webadmin,panel requests: @@ -23,3 +27,5 @@ requests: status: - 301 - 302 + +# Enhanced by mp on 2022/07/15 diff --git a/exposed-panels/exposed-nomad.yaml b/exposed-panels/exposed-nomad.yaml index 31e23d2e9e..596c2e082d 100644 --- a/exposed-panels/exposed-nomad.yaml +++ b/exposed-panels/exposed-nomad.yaml @@ -1,11 +1,16 @@ id: exposed-nomad info: - name: Exposed Nomad Jobs + name: Nomad - Exposed Jobs author: pdteam - severity: high + severity: medium + description: Nomad jobs were discovered. reference: - https://www.nomadproject.io/docs/internals/security + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cwe-id: CWE-200 tags: nomad,devops,hashicorp,panel requests: 
@@ -28,4 +33,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/07/15 diff --git a/exposed-panels/odoo-database-manager.yaml b/exposed-panels/odoo-database-manager.yaml index 3031253bbe..230f9883f7 100644 --- a/exposed-panels/odoo-database-manager.yaml +++ b/exposed-panels/odoo-database-manager.yaml @@ -1,9 +1,10 @@ id: odoo-database-manager info: - name: Odoo-Database-Manager + name: Odoo - Database Manager Discovery author: __Fazal,R3dg33k severity: high + description: Odoo database manager was discovered. tags: panel,odoo requests: @@ -21,3 +22,5 @@ requests: - "Odoo" - "{ action: 'database_manager' }" condition: and + +# Enhanced by mp on 2022/07/15 diff --git a/exposed-panels/portainer-init-deploy.yaml b/exposed-panels/portainer-init-deploy.yaml index 8e01787f93..bf321f2d6b 100644 --- a/exposed-panels/portainer-init-deploy.yaml +++ b/exposed-panels/portainer-init-deploy.yaml @@ -1,9 +1,10 @@ id: portainer-init-deploy info: - name: Portainer Init Deploy + name: Portainer - Init Deploy Discovery author: princechaddha severity: high + description: Portainer initialization deployment files were discovered. reference: - https://documentation.portainer.io/v2.0/deploy/initial/ tags: portainer,exposure,docker,devops,panel @@ -27,3 +28,5 @@ requests: - type: status status: - 404 + +# Enhanced by mp on 2022/07/15 diff --git a/exposures/configs/codeigniter-env.yaml b/exposures/configs/codeigniter-env.yaml index 3d19875c13..2210e13695 100644 --- a/exposures/configs/codeigniter-env.yaml +++ b/exposures/configs/codeigniter-env.yaml @@ -1,9 +1,10 @@ id: codeigniter-env info: - name: Codeigniter .env file + name: Codeigniter - .env File Discovery author: emenalf severity: high + description: Codeigniter .env file was discovered. tags: config,exposure,codeigniter requests: @@ -33,3 +34,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/15 
diff --git a/exposures/configs/coremail-config-disclosure.yaml b/exposures/configs/coremail-config-disclosure.yaml index 2aaf8be503..3f85863b5f 100644 --- a/exposures/configs/coremail-config-disclosure.yaml +++ b/exposures/configs/coremail-config-disclosure.yaml @@ -1,9 +1,10 @@ id: coremail-config-disclosure info: - name: Coremail Config Disclosure + name: Coremail - Config Discovery author: princechaddha severity: high + description: Coremail configuration information was discovered. reference: - https://www.secpulse.com/archives/107611.html tags: config,exposure @@ -26,3 +27,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/15 diff --git a/exposures/configs/dbeaver-credentials.yaml b/exposures/configs/dbeaver-credentials.yaml index afdf328951..058bbcca4d 100644 --- a/exposures/configs/dbeaver-credentials.yaml +++ b/exposures/configs/dbeaver-credentials.yaml @@ -1,9 +1,14 @@ id: dbeaver-credentials info: - name: DBeaver Credential Exposure + name: DBeaver - Credentials Discovery author: geeknik - severity: high + severity: medium + description: DBeaver credentials were discovered. + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N + cvss-score: 5.8 + cwe-id: CWE-522 tags: exposure,dbeaver requests: @@ -33,3 +38,5 @@ requests: dsl: - "!contains(tolower(body), '/core/config/databases.yml file and download. + description: qdPM 9.2 database credentials were discovered. reference: - https://www.exploit-db.com/exploits/50176 tags: qdpm,exposure @@ -27,3 +27,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/15 diff --git a/iot/targa-camera-lfi.yaml b/iot/targa-camera-lfi.yaml index cc8f60c715..40de4a9464 100644 --- a/iot/targa-camera-lfi.yaml +++ b/iot/targa-camera-lfi.yaml 
@@ -1,14 +1,16 @@ id: targa-camera-lfi info: - name: Selea Targa IP OCR-ANPR Camera - Unauthenticated Directory Traversal + name: Selea Targa IP OCR-ANPR Camera - Local File Inclusion author: gy741 severity: high - description: The ANPR camera suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the Download Archive in Storage page using get_file.php script is not properly verified - before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks and aid the attacker to disclose clear-text credentials resulting - in authentication bypass. + description: Selea Targa IP OCR-ANPR camera suffers from an unauthenticated local file inclusion vulnerability because input passed through the Download Archive in Storage page using get_file.php script is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks and aid the attacker in disclosing clear-text credentials. reference: - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5616.php + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N + cvss-score: 8.6 + cwe-id: CWE-22 tags: targa,lfi,iot,camera,selea requests: @@ -26,3 +28,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/14 diff --git a/misconfiguration/rack-mini-profiler.yaml b/misconfiguration/rack-mini-profiler.yaml index 78ca392d9d..d1d3004841 100644 --- a/misconfiguration/rack-mini-profiler.yaml +++ b/misconfiguration/rack-mini-profiler.yaml 
@@ -1,9 +1,10 @@ id: rack-mini-profiler info: - name: rack-mini-profiler environment information disclosure + name: rack-mini-profiler - Environment Information Disclosure author: vzamanillo severity: high + description: rack-mini-profiler is prone to environmental information disclosure which could help an attacker formulate additional attacks. tags: config,debug,rails requests: @@ -20,3 +21,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/21 diff --git a/misconfiguration/selenium-exposure.yaml b/misconfiguration/selenium-exposure.yaml index 9654e3bee4..af42e461ec 100644 --- a/misconfiguration/selenium-exposure.yaml +++ b/misconfiguration/selenium-exposure.yaml @@ -1,11 +1,11 @@ id: selenium-exposure info: - name: Selenium Node exposure + name: Selenium - Node Exposure author: w0Tx severity: high description: | - If a Selenium Node is exposed without any form of authentication, RCE could be possible if chromium is configured. By default the port is 4444, still, most of the internet facing are done through reverse proxies. + Selenium was shown to have an exposed node. If a Selenium node is exposed without any form of authentication, remote command execution could be possible if chromium is configured. By default the port is 4444, still, most of the internet facing are done through reverse proxies. reference: - https://nutcrackerssecurity.github.io/selenium.html - https://labs.detectify.com/2017/10/06/guest-blog-dont-leave-your-grid-wide-open/ @@ -32,3 +32,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/21 diff --git a/misconfiguration/service-pwd.yaml b/misconfiguration/service-pwd.yaml index 3b8299cb1e..a34e9ea7b2 100644 --- a/misconfiguration/service-pwd.yaml +++ b/misconfiguration/service-pwd.yaml 
@@ -1,10 +1,10 @@ id: service-pwd info: - name: Service password file + name: service.pwd - Sensitive Information Disclosure author: pussycat0x severity: high - description: Searches for sensitive service.pwd file. + description: service.pwd was discovered, which is likely to contain sensitive information. reference: - https://www.exploit-db.com/ghdb/7256 tags: exposure,listing,service @@ -24,3 +24,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/21 diff --git a/misconfiguration/skycaiji-install.yaml b/misconfiguration/skycaiji-install.yaml index 4edf4869d7..9affe49ded 100644 --- a/misconfiguration/skycaiji-install.yaml +++ b/misconfiguration/skycaiji-install.yaml @@ -1,9 +1,10 @@ id: skycaiji-install info: - name: SkyCaiji Exposed Installation + name: SkyCaiji - Exposed Installation author: pikpikcu severity: high + description: SkyCaiji was discovered. tags: tech,skycaiji,exposure,misconfig requests: @@ -24,3 +25,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/21 diff --git a/misconfiguration/solr-query-dashboard.yaml b/misconfiguration/solr-query-dashboard.yaml index f36e4e3316..f1cd3dea51 100644 --- a/misconfiguration/solr-query-dashboard.yaml +++ b/misconfiguration/solr-query-dashboard.yaml @@ -1,9 +1,10 @@ id: solr-admin-query info: - name: Solr Admin Query Page + name: Solr - Admin Page Access author: dhiyaneshDK severity: high + description: Solr's admin page was able to be accessed with no authentication requirements in place. reference: - https://www.exploit-db.com/ghdb/5856 tags: solr,unauth @@ -23,3 +24,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/21 diff --git a/misconfiguration/spidercontrol-scada-server-info.yaml b/misconfiguration/spidercontrol-scada-server-info.yaml index 19ff108ebd..6280f9f8ea 100644 --- a/misconfiguration/spidercontrol-scada-server-info.yaml +++ b/misconfiguration/spidercontrol-scada-server-info.yaml 
@@ -1,10 +1,10 @@ id: spidercontrol-scada-server-info info: - name: SpiderControl SCADA Web Server Info Exposure + name: SpiderControl SCADA Web Server - Sensitive Information Exposure author: geeknik severity: high - description: Numerous, market-leading OEM manufacturers - from a wide variety of industries - rely on SpiderControl. + description: SpiderControl SCADA Web Server is vulnerable to sensitive information exposure. Numerous, market-leading OEM manufacturers - from a wide variety of industries - rely on SpiderControl. reference: - https://spidercontrol.net/spidercontrol-inside/ tags: spidercontrol,scada,exposure @@ -29,3 +29,5 @@ requests: part: header kval: - Server + +# Enhanced by mp on 2022/07/21 diff --git a/misconfiguration/teamcity/teamcity-registration-enabled.yaml b/misconfiguration/teamcity/teamcity-registration-enabled.yaml index 8f8936ce61..8013cfc12e 100644 --- a/misconfiguration/teamcity/teamcity-registration-enabled.yaml +++ b/misconfiguration/teamcity/teamcity-registration-enabled.yaml @@ -5,7 +5,7 @@ info: author: Ph33r severity: high description: | - JetBrains - TeamCity - register User Allow + JetBrains TeamCity allows all visitors to register due to a misconfiguration. reference: - https://ph33r.medium.com/misconfig-in-teamcity-panel-lead-to-auth-bypass-in-apache-org-0day-146f6a1a4e2b classification: @@ -28,4 +28,6 @@ requests: matchers: - type: word words: - - 'Register a New User Account — TeamCity' + - 'Register a New User Account ? TeamCity' + +# Enhanced by mp on 2022/07/21 diff --git a/misconfiguration/unauth-wavink-panel.yaml b/misconfiguration/unauth-wavink-panel.yaml index 752e478a10..67553706e5 100644 --- a/misconfiguration/unauth-wavink-panel.yaml +++ b/misconfiguration/unauth-wavink-panel.yaml 
@@ -1,9 +1,10 @@ id: unauth-wavink-panel info: - name: Unauthenticated Wavlink Panel + name: Wavlink Panel - Unauthenticated Access author: princechaddha severity: high + description: Wavlink Panel was able to be accessed with no authentication requirements in place. metadata: verified: true shodan-query: http.title:"Wi-Fi APP Login" @@ -42,3 +43,5 @@ requests: group: 1 regex: - 'var passphraseKey12="(.*)";' + +# Enhanced by mp on 2022/07/21 diff --git a/misconfiguration/unauthenticated-alert-manager.yaml b/misconfiguration/unauthenticated-alert-manager.yaml index b67f4484e3..2512ba26c4 100644 --- a/misconfiguration/unauthenticated-alert-manager.yaml +++ b/misconfiguration/unauthenticated-alert-manager.yaml @@ -1,9 +1,10 @@ id: unauthenticated-alert-manager info: - name: Unauthenticated Alert Manager + name: Alert Manager - Unauthenticated Access author: dhiyaneshDK severity: high + description: Alert Manager was able to be accessed with no authentication requirements in place. metadata: shodan-query: http.title:"Alertmanager" tags: unauth,alertmanager @@ -22,3 +23,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/21 diff --git a/misconfiguration/unauthenticated-mongo-express.yaml b/misconfiguration/unauthenticated-mongo-express.yaml index 68416a63c1..854c41cc8b 100644 --- a/misconfiguration/unauthenticated-mongo-express.yaml +++ b/misconfiguration/unauthenticated-mongo-express.yaml @@ -1,9 +1,10 @@ id: unauthenticated-mongo-express info: - name: Mongo Express Unauthenticated + name: Mongo Express - Unauthenticated Access author: dhiyaneshDK,b0rn2r00t severity: high + description: Mongo Express was able to be access with no authentication requirements in place. reference: - https://www.exploit-db.com/ghdb/5684 tags: mongo,unauth @@ -25,3 +26,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/20 
diff --git a/misconfiguration/unauthenticated-prtg.yaml b/misconfiguration/unauthenticated-prtg.yaml index 0fd245d544..297ce00ea9 100644 --- a/misconfiguration/unauthenticated-prtg.yaml +++ b/misconfiguration/unauthenticated-prtg.yaml @@ -1,9 +1,10 @@ id: unauthenticated-prtg info: - name: Unauthenticated PRTG Traffic Grapher + name: PRTG Traffic Grapher - Unauthenticated Access author: dhiyaneshDK severity: high + description: PRTG Traffic Grapher was able to be accessed with no authentication requirements in place. reference: - https://www.exploit-db.com/ghdb/5808 tags: config,unauth,prtg @@ -23,3 +24,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/20 diff --git a/misconfiguration/unauthenticated-tensorboard.yaml b/misconfiguration/unauthenticated-tensorboard.yaml index 88db2175d9..816f6361a1 100644 --- a/misconfiguration/unauthenticated-tensorboard.yaml +++ b/misconfiguration/unauthenticated-tensorboard.yaml @@ -1,8 +1,9 @@ id: unauthenticated-tensorboard info: - name: Unauthenticated Tensorboard by Tensorflow + name: Tensorflow Tensorboard - Unauthenticated Access author: dhiyaneshDk + description: Tensorflow Tensorboard was able to be accessed with no authentication requirements in place. severity: high tags: tensorflow,tensorboard,unauth @@ -22,4 +23,6 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/07/20 diff --git a/misconfiguration/unauthorized-h3csecparh-login.yaml b/misconfiguration/unauthorized-h3csecparh-login.yaml index 952e876faf..ccc11f21e6 100644 --- a/misconfiguration/unauthorized-h3csecparh-login.yaml +++ b/misconfiguration/unauthorized-h3csecparh-login.yaml 
@@ -1,9 +1,10 @@ id: unauthorized-h3csecparh-login info: - name: Unauthorized H3C Secparh Login + name: H3C Server - Unauthenticated Access author: ritikchaddha severity: high + description: H3C server was able to be accessed with no authentication requirements in place. metadata: verified: true shodan-query: http.html:"H3C-SecPath-运维审计系统" @@ -28,3 +29,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/21 diff --git a/network/clickhouse-unauth.yaml b/network/clickhouse-unauth.yaml index 5c036da74f..350b6f56d1 100644 --- a/network/clickhouse-unauth.yaml +++ b/network/clickhouse-unauth.yaml @@ -1,9 +1,10 @@ id: clickhouse-unauth info: - name: Unauth ClickHouse Disclosure + name: ClickHouse - Unauthorized Access author: lu4nx severity: high + description: ClickHouse was able to be accessed with no required authentication in place. tags: network,clickhouse,unauth network: @@ -23,4 +24,6 @@ network: words: - "ClickHouse" - "UTC" - condition: and \ No newline at end of file + condition: and + +# Enhanced by mp on 2022/07/20 diff --git a/network/exposed-redis.yaml b/network/exposed-redis.yaml index a2fac4fc2f..94d958b4d3 100644 --- a/network/exposed-redis.yaml +++ b/network/exposed-redis.yaml @@ -1,9 +1,10 @@ id: exposed-redis info: - name: Redis Unauth Server + name: Redis Server - Unauthenticated Access author: pdteam severity: high + description: Redis server without any required authentication was discovered. reference: - https://redis.io/topics/security tags: network,redis,unauth @@ -26,3 +27,5 @@ network: negative: true words: - "redis_mode:sentinel" + +# Enhanced by mp on 2022/07/20 diff --git a/network/exposed-zookeeper.yaml b/network/exposed-zookeeper.yaml index da21739da6..dc86cfa297 100644 --- a/network/exposed-zookeeper.yaml +++ b/network/exposed-zookeeper.yaml 
@@ -1,9 +1,10 @@ id: exposed-zookeeper info: - name: ZooKeeper Unauth Server + name: Apache ZooKeeper - Unauthenticated Access author: pdteam severity: high + description: Apache ZooKeeper was able to be accessed without any required authentication. reference: - https://zookeeper.apache.org/security.html tags: network,zookeeper,unauth @@ -21,3 +22,5 @@ network: - type: word words: - "zookeeper.version" + +# Enhanced by mp on 2022/07/21 diff --git a/network/mongodb-unauth.yaml b/network/mongodb-unauth.yaml index 9883dc2bca..b93aa67915 100644 --- a/network/mongodb-unauth.yaml +++ b/network/mongodb-unauth.yaml @@ -1,9 +1,10 @@ id: mongodb-unauth info: - name: Unauth MongoDB Disclosure + name: MongoDB - Unauthenticated Access author: pdteam severity: high + description: MongoDB was able to be accessed with no password. Note that MongoDB does not require a password by default. reference: - https://github.com/orleven/Tentacle - https://book.hacktricks.xyz/pentesting/27017-27018-mongodb @@ -24,3 +25,5 @@ network: - type: word words: - "totalLinesWritten" + +# Enhanced by mp on 2022/07/20 diff --git a/network/tidb-unauth.yaml b/network/tidb-unauth.yaml index d556c31a53..b34a23eec0 100644 --- a/network/tidb-unauth.yaml +++ b/network/tidb-unauth.yaml @@ -1,9 +1,10 @@ id: tidb-unauth info: - name: Unauth TiDB Disclosure + name: TiDB - Unauthenticated Access author: lu4nx severity: high + description: TiDB server was able to be accessed because no authentication was required. metadata: zoomeye-dork: tidb +port:"4000" tags: network,tidb,unauth @@ -26,3 +27,5 @@ network: # resp format: # 07: length, 02: sequence number, 00: success - "0700000200000002000000" + +# Enhanced by mp on 2022/07/20 diff --git a/takeovers/aftership-takeover.yaml b/takeovers/aftership-takeover.yaml index 2d1c439020..7db83c4367 100644 --- a/takeovers/aftership-takeover.yaml +++ b/takeovers/aftership-takeover.yaml 
@@ -1,9 +1,10 @@ id: aftership-takeover info: - name: Aftership Takeover Detection + name: Aftership - Subdomain Takeover Detection author: pdteam severity: high + description: Aftership subdomain takeover was detected. reference: - https://github.com/EdOverflow/can-i-take-over-xyz tags: takeover @@ -16,4 +17,6 @@ requests: matchers: - type: word words: - - Oops.

The page you're looking for doesn't exist. \ No newline at end of file + - Oops.

The page you're looking for doesn't exist. + +# Enhanced by mp on 2022/07/20 diff --git a/takeovers/agilecrm-takeover.yaml b/takeovers/agilecrm-takeover.yaml index 85a2447b81..1aa0629707 100644 --- a/takeovers/agilecrm-takeover.yaml +++ b/takeovers/agilecrm-takeover.yaml @@ -1,9 +1,10 @@ id: agilecrm-takeover info: - name: agilecrm takeover detection + name: agilecrm - Subdomain Takeover Detection author: pdteam severity: high + description: agilecrm subdomain takeover was detected. reference: - https://github.com/EdOverflow/can-i-take-over-xyz tags: takeover @@ -16,4 +17,6 @@ requests: matchers: - type: word words: - - Sorry, this page is no longer available. \ No newline at end of file + - Sorry, this page is no longer available. + +# Enhanced by mp on 2022/07/20 diff --git a/takeovers/aha-takeover.yaml b/takeovers/aha-takeover.yaml index e6e8200eec..dd4502fc63 100644 --- a/takeovers/aha-takeover.yaml +++ b/takeovers/aha-takeover.yaml @@ -1,9 +1,10 @@ id: aha-takeover info: - name: Aha Takeover Detection + name: Aha - Subdomain Takeover Detection author: pdteam severity: high + description: An Aha subdomain takeover was detected. reference: - https://github.com/EdOverflow/can-i-take-over-xyz tags: takeover @@ -16,4 +17,6 @@ requests: matchers: - type: word words: - - There is no portal here ... sending you back to Aha! \ No newline at end of file + - There is no portal here ... sending you back to Aha! + +# Enhanced by mp on 2022/07/19 diff --git a/technologies/elfinder-version.yaml b/technologies/elfinder-version.yaml index e83b34783c..a4f20d896a 100644 --- a/technologies/elfinder-version.yaml +++ b/technologies/elfinder-version.yaml 
@@ -1,13 +1,17 @@ id: elfinder-version info: - name: elFinder version extractor + name: elFinder 2.1.58 - Remote Code Execution author: idealphase - severity: info - description: elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary - code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication. + severity: critical + description: elFinder 2.1.58 is vulnerable to remote code execution. This can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. + remediation: The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication. reference: - https://github.com/Studio-42/elFinder/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-77 tags: tech,elfinder,oss requests: @@ -35,3 +39,5 @@ requests: regex: - '\* Version (.+) \(' - "elFinder.prototype.version = '([0-9.]+)';" + +# Enhanced by mp on 2022/07/22 diff --git a/vulnerabilities/apache/apache-solr-file-read.yaml b/vulnerabilities/apache/apache-solr-file-read.yaml index 390f09194e..ccb3629709 100644 --- a/vulnerabilities/apache/apache-solr-file-read.yaml +++ b/vulnerabilities/apache/apache-solr-file-read.yaml 
@@ -1,13 +1,18 @@ id: apache-solr-file-read info: - name: Apache Solr <= 8.8.1 Arbitrary File Read + name: Apache Solr <= 8.8.1 - Local File Inclusion author: DhiyaneshDk severity: high + description: Apache Solr versions prior to and including 8.8.1 are vulnerable to local file inclusion. reference: - https://twitter.com/Al1ex4/status/1382981479727128580 - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/ - https://twitter.com/sec715/status/1373472323538362371 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 tags: apache,solr,lfi requests: @@ -40,4 +45,6 @@ requests: - type: regex regex: - - "root:.*:0:0:" \ No newline at end of file + - "root:.*:0:0:" + +# Enhanced by mp on 2022/07/22 diff --git a/vulnerabilities/backdoor/jexboss-backdoor.yaml b/vulnerabilities/backdoor/jexboss-backdoor.yaml index df3db4caa7..249a62ac2d 100644 --- a/vulnerabilities/backdoor/jexboss-backdoor.yaml +++ b/vulnerabilities/backdoor/jexboss-backdoor.yaml @@ -14,10 +14,10 @@ info: requests: - method: GET path: - - "{{BaseURL}}/jexws/jexws.jsp?ppp={{url_encode('§command§')}}" - - "{{BaseURL}}/jexws4/jexws4.jsp?ppp={{url_encode('§command§')}}" - - "{{BaseURL}}/jexinv4/jexinv4.jsp?ppp={{url_encode('§command§')}}" - - "{{BaseURL}}/jbossass/jbossass.jsp?ppp={{url_encode('§command§')}}" + - "{{BaseURL}}/jexws/jexws.jsp?ppp={{url_encode('{{command}}')}}" + - "{{BaseURL}}/jexws4/jexws4.jsp?ppp={{url_encode('{{command}}')}}" + - "{{BaseURL}}/jexinv4/jexinv4.jsp?ppp={{url_encode('{{command}}')}}" + - "{{BaseURL}}/jbossass/jbossass.jsp?ppp={{url_encode('{{command}}')}}" payloads: command: diff --git a/vulnerabilities/generic/crlf-injection.yaml b/vulnerabilities/generic/crlf-injection.yaml index 2fe6563ca0..4c0078ec88 100644 --- a/vulnerabilities/generic/crlf-injection.yaml +++ b/vulnerabilities/generic/crlf-injection.yaml 
@@ -1,10 +1,10 @@ id: crlf-injection info: - name: CRLF injection + name: CRLF - Injection Detection author: melbadry9,nadino,xElkomy severity: low - description: Improper sanitization of CRLF sequences. + description: CRLF sequences were not properly sanitized. tags: crlf,generic requests: @@ -25,3 +25,5 @@ requests: regex: - '(?m)^(?:Set-Cookie\s*?:(?:\s*?|.*?;\s*?))(crlfinjection=crlfinjection)(?:\s*?)(?:$|;)' part: header + +# Enhanced by mp on 2022/07/22 diff --git a/vulnerabilities/generic/generic-linux-lfi.yaml b/vulnerabilities/generic/generic-linux-lfi.yaml index a1860993d6..0d3a8368e3 100644 --- a/vulnerabilities/generic/generic-linux-lfi.yaml +++ b/vulnerabilities/generic/generic-linux-lfi.yaml @@ -1,10 +1,14 @@ id: generic-linux-lfi info: - name: Generic Linux based LFI Test + name: Generic Linux - Local File Inclusion author: geeknik,unstabl3,pentest_swissky,sushantkamble,0xSmiley severity: high - description: Searches for /etc/passwd on passed URLs + description: Generic Linux is subject to local file Inclusion on searches for /etc/passwd on passed URLs. + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 tags: linux,lfi,generic requests: @@ -40,3 +44,5 @@ requests: regex: - "root:.*:0:0:" part: body + +# Enhanced by mp on 2022/07/22 diff --git a/vulnerabilities/generic/generic-windows-lfi.yaml b/vulnerabilities/generic/generic-windows-lfi.yaml index 5297d77088..f267663710 100644 --- a/vulnerabilities/generic/generic-windows-lfi.yaml +++ b/vulnerabilities/generic/generic-windows-lfi.yaml 
@@ -1,10 +1,14 @@ id: generic-windows-lfi info: - name: Generic Windows based LFI Test + name: Windows - Local File Inclusion author: mesaglio,sushantkamble severity: high - description: Searches for /windows/win.ini on passed URLs + description: Windows is vulnerable to local file inclusion because of searches for /windows/win.ini on passed URLs. + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 tags: azure,windows,lfi,generic requests: @@ -30,3 +34,5 @@ requests: - "extensions" condition: and part: body + +# Enhanced by mp on 2022/07/22 diff --git a/vulnerabilities/grafana/grafana-file-read.yaml b/vulnerabilities/grafana/grafana-file-read.yaml index dd4365996a..5cf3e0497f 100644 --- a/vulnerabilities/grafana/grafana-file-read.yaml +++ b/vulnerabilities/grafana/grafana-file-read.yaml @@ -1,14 +1,21 @@ id: grafana-file-read info: - name: Grafana v8.x Arbitrary File Read + name: Grafana 8.x - Local File Inclusion author: z0ne,dhiyaneshDk,jeya.seelan,dwisiswant0 severity: high + description: Grafana 8.x is vulnerable to local file inclusion. reference: + - https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/ - https://nosec.org/home/detail/4914.html - https://github.com/jas502n/Grafana-VulnTips - - hhttps://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p + - https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p - https://twitter.com/naglinagli/status/1468155313182416899 + - https://nvd.nist.gov/vuln/detail/CVE-2021-43798 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 tags: grafana,lfi,fuzz requests: @@ -31,3 +38,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/vulnerabilities/huawei/huawei-hg255s-lfi.yaml b/vulnerabilities/huawei/huawei-hg255s-lfi.yaml index 71a0d509f3..d9454324b6 100644 
--- a/vulnerabilities/huawei/huawei-hg255s-lfi.yaml +++ b/vulnerabilities/huawei/huawei-hg255s-lfi.yaml @@ -1,12 +1,17 @@ id: huawei-hg255s-lfi info: - name: Huawei HG255s - Directory Traversal + name: Huawei HG255s - Local File Inclusion author: 0x_Akoko severity: high + description: Huawei HG255s is vulnerable to local file inclusion due to insufficient validation of the received HTTP requests. A remote attacker may access the local files on the device without authentication. reference: - https://cxsecurity.com/issue/WLB-2017090053 - https://www.youtube.com/watch?v=n02toTFkLOU + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 metadata: shodan-query: http.html:"HG532e" tags: huawei,lfi,router @@ -25,3 +30,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/vulnerabilities/ibm/ibm-infoprint-lfi.yaml b/vulnerabilities/ibm/ibm-infoprint-lfi.yaml index 899fad8ae8..3e7d311de1 100644 --- a/vulnerabilities/ibm/ibm-infoprint-lfi.yaml +++ b/vulnerabilities/ibm/ibm-infoprint-lfi.yaml @@ -1,12 +1,16 @@ id: ibm-infoprint-lfi info: - name: IBM InfoPrint 4247-Z03 Impact Matrix Printer - Directory Traversal + name: IBM InfoPrint 4247-Z03 Impact Matrix Printer - Local File Inclusion author: harshbothra_ severity: medium - description: Directory traversal vulnerability on IBM InfoPrint 4247-Z03 Impact Matrix Printer. + description: IBM InfoPrint 4247-Z03 Impact Matrix Printer is subject to local file inclusion. reference: - https://www.exploit-db.com/exploits/47835 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 tags: ibm,lfi,matrix,printer requests: @@ -22,3 +26,5 @@ requests: regex: - "root:.*:0:0:" part: body + +# Enhanced by mp on 2022/07/22 diff --git a/vulnerabilities/moodle/moodle-filter-jmol-lfi.yaml b/vulnerabilities/moodle/moodle-filter-jmol-lfi.yaml index 26c79550c9..7138e6ad11 100644 
--- a/vulnerabilities/moodle/moodle-filter-jmol-lfi.yaml +++ b/vulnerabilities/moodle/moodle-filter-jmol-lfi.yaml @@ -1,10 +1,16 @@ id: moodle-filter-jmol-lfi info: - name: Moodle filter_jmol - LFI + name: Moodle Jmol Filter 6.1 - Local File Inclusion author: madrobot severity: high - description: Local file inclusion on Moodle. + description: Moodle is vulnerable to local file inclusion. + reference: + - https://www.exploit-db.com/exploits/46881 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:W/RC:C + cvss-score: 7.5 + cwe-id: CWE-22 tags: moodle,lfi requests: @@ -20,3 +26,5 @@ requests: regex: - "root:.*:0:0:" part: body + +# Enhanced by mp on 2022/07/22 diff --git a/vulnerabilities/other/3cx-management-console.yaml b/vulnerabilities/other/3cx-management-console.yaml index 389cf88761..dc248947bd 100644 --- a/vulnerabilities/other/3cx-management-console.yaml +++ b/vulnerabilities/other/3cx-management-console.yaml @@ -1,12 +1,16 @@ id: 3cx-management-console info: - name: 3CX Management Console - Directory Traversal + name: 3CX Management Console - Local File Inclusion author: random-robbie severity: high - description: Directory traversal vulnerability on 3CX Management Console. + description: 3CX Management Console is vulnerable to local file inclusion. reference: - https://medium.com/@frycos/pwning-3cx-phone-management-backends-from-the-internet-d0096339dd88 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 metadata: shoda-query: http.title:"3CX Phone System Management Console" tags: 3cx,lfi,voip @@ -33,3 +37,5 @@ requests: - "fonts" - "extensions" condition: and + +# Enhanced by mp on 2022/07/22 diff --git a/vulnerabilities/other/asanhamayesh-lfi.yaml b/vulnerabilities/other/asanhamayesh-lfi.yaml index 462ea627f3..8498ce7225 100644 --- a/vulnerabilities/other/asanhamayesh-lfi.yaml +++ b/vulnerabilities/other/asanhamayesh-lfi.yaml 
@@ -1,12 +1,17 @@ id: asanhamayesh-lfi info: - name: Asanhamayesh CMS 3.4.6 Directory traversal Vulnerability + name: Asanhamayesh CMS 3.4.6 - Local File Inclusion author: 0x_Akoko severity: high + description: Asanhamayesh CMS 3.4.6 is vulnerable to local file inclusion. reference: - https://cxsecurity.com/issue/WLB-2018030006 - https://asanhamayesh.com + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 tags: asanhamayesh,lfi,traversal requests: @@ -23,3 +28,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/vulnerabilities/other/bems-api-lfi.yaml b/vulnerabilities/other/bems-api-lfi.yaml index fa2efedbb9..895ae23769 100644 --- a/vulnerabilities/other/bems-api-lfi.yaml +++ b/vulnerabilities/other/bems-api-lfi.yaml @@ -1,12 +1,17 @@ id: bems-api-lfi info: - name: Longjing Technology BEMS API 1.21 - Arbitrary File Retrieval + name: Longjing Technology BEMS API 1.21 - Local File Inclusion author: gy741 severity: high - description: The application suffers from an unauthenticated arbitrary file retrieval vulnerability. Input passed through the fileName parameter through the downloads API endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks. + description: Longjing Technology BEMS API 1.21 is vulnerable to local file inclusion. Input passed through the fileName parameter through the downloads API endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks. reference: - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php + - https://packetstormsecurity.com/files/163702/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 tags: lfi requests: 
@@ -23,3 +28,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/vulnerabilities/other/blue-ocean-excellence-lfi.yaml b/vulnerabilities/other/blue-ocean-excellence-lfi.yaml index d2f7caa672..e16f0ecf1e 100644 --- a/vulnerabilities/other/blue-ocean-excellence-lfi.yaml +++ b/vulnerabilities/other/blue-ocean-excellence-lfi.yaml @@ -1,11 +1,16 @@ id: blue-ocean-excellence-lfi info: - name: Blue Ocean Excellence LFI + name: Blue Ocean Excellence - Local File Inclusion author: pikpikcu severity: high + description: Blue Ocean Excellence is vulnerable to local file inclusion. reference: - https://blog.csdn.net/qq_41901122/article/details/116786883 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 tags: blue-ocean,lfi requests: @@ -23,3 +28,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/vulnerabilities/other/bullwark-momentum-lfi.yaml b/vulnerabilities/other/bullwark-momentum-lfi.yaml index 8b58ca18ae..09ef6eefdf 100644 --- a/vulnerabilities/other/bullwark-momentum-lfi.yaml +++ b/vulnerabilities/other/bullwark-momentum-lfi.yaml @@ -1,13 +1,17 @@ id: bullwark-momentum-lfi info: - name: Bullwark Momentum Series JAWS 1.0 - Directory Traversal + name: Bullwark Momentum Series JAWS 1.0 - Local File Inclusion author: pikpikcu severity: high + description: Bullwark Momentum Series JAWS 1.0 is vulnerable to local file inclusion. reference: - https://www.exploit-db.com/exploits/47773 - - http://www.bullwark.net/ # vendor homepage - http://www.bullwark.net/Kategoriler.aspx?KategoriID=24 # software link + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 metadata: version: Bullwark Momentum Series Web Server JAWS/1.0 shodan-query: Bullwark @@ -31,3 +35,5 @@ requests: - type: regex regex: - "root:.*:0:0:" + +# Enhanced by mp on 2022/07/22 
diff --git a/vulnerabilities/other/carel-bacnet-gateway-traversal.yaml b/vulnerabilities/other/carel-bacnet-gateway-traversal.yaml index 1b4037f347..85d93953d6 100644 --- a/vulnerabilities/other/carel-bacnet-gateway-traversal.yaml +++ b/vulnerabilities/other/carel-bacnet-gateway-traversal.yaml @@ -1,12 +1,17 @@ id: carel-bacnet-gateway-traversal info: - name: Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Unauthenticated Directory Traversal + name: Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Local File Inclusion author: gy741 severity: medium - description: The device suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks. + description: Carel pCOWeb HVAC BACnet Gateway 2.1.0 is vulnerable to local file inclusion because of input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks. reference: - https://www.zeroscience.mk/codes/carelpco_dir.txt + - https://thecyberpost.com/tools/exploits-cve/carel-pcoweb-hvac-bacnet-gateway-2-1-0-unauthenticated-directory-traversal/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 tags: carel,lfi,traversal,unauth,bacnet,unauth requests: @@ -18,3 +23,5 @@ requests: - type: regex regex: - "root:.*:0:0:" + +# Enhanced by mp on 2022/07/22 diff --git a/vulnerabilities/other/cs-cart-unauthenticated-lfi.yaml b/vulnerabilities/other/cs-cart-unauthenticated-lfi.yaml index 1f0775c517..a5a31a0e5f 100644 --- a/vulnerabilities/other/cs-cart-unauthenticated-lfi.yaml 
+++ b/vulnerabilities/other/cs-cart-unauthenticated-lfi.yaml @@ -1,12 +1,16 @@ id: cs-cart-unauthenticated-lfi info: - name: CS-Cart unauthenticated LFI + name: CS-Cart - Local File Inclusion author: 0x_Akoko severity: high - description: A vulnerability in CS-Cart allows remote unauthenticated attackers to access locally stored files and reveal their content. + description: CS-Cart is vulnerable to local file inclusion because it allows remote unauthenticated attackers to access locally stored files and reveal their content. reference: - https://cxsecurity.com/issue/WLB-2020100100 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 tags: cscart,lfi requests: @@ -24,3 +28,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/vulnerabilities/other/dicoogle-pacs-lfi.yaml b/vulnerabilities/other/dicoogle-pacs-lfi.yaml index 84da5d8927..51e356b709 100644 --- a/vulnerabilities/other/dicoogle-pacs-lfi.yaml +++ b/vulnerabilities/other/dicoogle-pacs-lfi.yaml @@ -1,13 +1,18 @@ id: dicoogle-pacs-lfi info: - name: Dicoogle PACS 2.5.0 - Directory Traversal + name: Dicoogle PACS 2.5.0 - Local File Inclusion author: 0x_akoko severity: high - description: In version 2.5.0, it is vulnerable to local file inclusion. This allows an attacker to read arbitrary files that the web user has access to. Admin credentials aren't required. + description: Dicoogle PACS 2.5.0 is vulnerable to local file inclusion. This allows an attacker to read arbitrary files that the web user has access to. Admin credentials aren't required. reference: + - https://www.exploit-db.com/exploits/45007 - https://cxsecurity.com/issue/WLB-2018070131 - http://www.dicoogle.com/home + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 tags: windows,lfi,dicoogle requests: 
@@ -23,3 +28,5 @@ requests: - "fonts" - "extensions" condition: and + +# Enhanced by mp on 2022/07/22 diff --git a/vulnerabilities/other/digitalrebar-traversal.yaml b/vulnerabilities/other/digitalrebar-traversal.yaml index de0c651b4e..f0e57c7006 100644 --- a/vulnerabilities/other/digitalrebar-traversal.yaml +++ b/vulnerabilities/other/digitalrebar-traversal.yaml @@ -1,13 +1,17 @@ id: digitalrebar-traversal info: - name: Digital Rebar - Directory traversal + name: Digital Rebar - Local File Inclusion author: c-sh0 severity: high - description: Web requests can navigate outside of DRP controlled areas - Directory traversal. Affected versions - v4.3.0, v4.3.2, v4.3.3, v4.4.0 (maybe others) + description: Digital Rebar versions 4.3.0, 4.3.2, 4.3.3, 4.4.0, and maybe others are vulnerable to local file inclusion because web requests can navigate outside of DRP controlled areas. reference: - https://docs.rackn.io/en/latest/doc/security/cve_20200924A.html - https://docs.rackn.io/en/latest/doc/release.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 tags: lfi,rackn,digitalrebar requests: @@ -31,3 +35,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/vulnerabilities/other/dss-download-fileread.yaml b/vulnerabilities/other/dss-download-fileread.yaml index 732b472466..f8533dd8e1 100644 --- a/vulnerabilities/other/dss-download-fileread.yaml +++ b/vulnerabilities/other/dss-download-fileread.yaml @@ -1,9 +1,14 @@ id: dss-download-fileread info: - name: DSS Download File Read + name: DSS Download - Local File Inclusion author: ritikchaddha severity: high + description: DSS Download is vulnerable to local file inclusion. + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 tags: lfi,dss,lfr requests: @@ -22,3 +27,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/07/22 
diff --git a/vulnerabilities/other/eibiz-lfi.yaml b/vulnerabilities/other/eibiz-lfi.yaml index 5ba1f5f9d8..75f25bfd01 100644 --- a/vulnerabilities/other/eibiz-lfi.yaml +++ b/vulnerabilities/other/eibiz-lfi.yaml @@ -1,12 +1,16 @@ id: eibiz-lfi info: - name: Eibiz i-Media Server Digital Signage 3.8.0 File Path Traversal + name: Eibiz i-Media Server Digital Signage 3.8.0 - Local File Inclusion author: 0x_akoko severity: high - description: An unauthenticated remote attacker can exploit this to view the contents of files located outside of the server's root directory. The issue can be triggered through the oldfile GET parameter. + description: Eibiz i-Media Server Digital Signage 3.8.0 is vulnerable to local file inclusion. An unauthenticated remote attacker can exploit this to view the contents of files located outside of the server's root directory. The issue can be triggered through the oldfile GET parameter. reference: - https://packetstormsecurity.com/files/158943/Eibiz-i-Media-Server-Digital-Signage-3.8.0-File-Path-Traversal.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 tags: windows,lfi,eibiz requests: @@ -22,3 +26,5 @@ requests: - "fonts" - "extensions" condition: and + +# Enhanced by mp on 2022/07/22
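Review bot: the new description line in the generic-windows-lfi info hunk is ungrammatical and changes what the template claims: `description: Windows is vulnerable to local file inclusion because of searches for /windows/win.ini on passed URLs.` reads as if Windows itself had a vulnerability, whereas the original `Searches for /windows/win.ini on passed URLs` described a generic check. Suggest something like `description: Generic test for local file inclusion on Windows hosts; checks whether /windows/win.ini is readable via the passed URLs.` Attaching a fixed `cvss-score: 7.5` to a generic fuzzing template is also questionable, since it describes no single vulnerability; consider leaving classification to the product-specific templates.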
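Review bot: the classification block added in the grafana-file-read info hunk omits the CVE that the new reference line itself names (`https://nvd.nist.gov/vuln/detail/CVE-2021-43798`); add `cve-id: CVE-2021-43798` under `classification:` so the template is searchable by CVE, matching the shape used by the cves/ templates. The `hhttps://` to `https://` fix on the GHSA reference looks right.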
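Review bot: the context line `shodan-query: http.html:"HG532e"` in the huawei-hg255s-lfi info hunk does not match the product named by the template id, the new name and the new description (HG255s); since this hunk is already editing the info block, either correct the query or confirm that the HG532e fingerprint is intentional.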
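Review bot: in the ibm-infoprint-lfi info hunk the added `cvss-score: 7.5` (High under CVSS 3.0) disagrees with the unchanged `severity: medium`; either raise severity to high or use a vector and score that reflect the medium rating, so the two fields do not contradict each other.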
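Review bot: the CVSS vector added in the moodle-filter-jmol-lfi info hunk carries temporal metrics (`/E:F/RL:W/RC:C`) while every other template in this change uses a base vector only and `cvss-score: 7.5` is the base score; with those temporal metrics the temporal score would be lower than 7.5, so drop `E:F/RL:W/RC:C` to keep vector and score consistent. The new name states version 6.1 but the new description reads `Moodle is vulnerable to local file inclusion.`; consider `Moodle Jmol Filter 6.1 is vulnerable to local file inclusion.` so the two agree.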
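Review bot: the context line `shoda-query: http.title:"3CX Phone System Management Console"` in the 3cx-management-console info hunk has a misspelt key; it should be `shodan-query:` so the metadata is picked up like the other templates' queries. Worth fixing while this block is being edited.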
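Review bot: the new description in the carel-bacnet-gateway-traversal info hunk is ungrammatical (`... is vulnerable to local file inclusion because of input passed through the 'file' GET parameter ... is not properly verified ...`); change `because of input` to `because input`. The context line `tags: carel,lfi,traversal,unauth,bacnet,unauth` lists `unauth` twice. Separately, `severity: medium` is kept while the added `cvss-score: 7.5` maps to High; one of the two should change.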
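Review bot: the new description in the cs-cart-unauthenticated-lfi info hunk is circular (`CS-Cart is vulnerable to local file inclusion because it allows remote unauthenticated attackers to access locally stored files`); the file access is the consequence, not the cause. Suggest `CS-Cart is vulnerable to local file inclusion. Remote unauthenticated attackers can access locally stored files and reveal their content.`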
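Review bot: the new description in the digitalrebar-traversal info hunk keeps the informal `and maybe others` from the original; `and possibly others` reads better in a description field, and the version list could be stated as `4.3.0, 4.3.2, 4.3.3 and 4.4.0`. The rest of the rewrite preserves the original meaning.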
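Review bot: the dss-download-fileread info hunk adds a description and a full classification block, but the template still has no `reference:` list, so there is nothing to check the new `cwe-id` and `cvss-score` against; add at least one reference for the issue, or leave classification out until one exists.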