Updates across many templates for clarity, spelling, and grammar.

patch-1
sullo 2021-09-05 17:13:45 -04:00
parent 1f403d4ddb
commit ef1f7c5e92
55 changed files with 74 additions and 74 deletions

View File

@ -4,7 +4,7 @@ info:
name: PhpMyAdmin Scripts/setup.php Deserialization Vulnerability
author: princechaddha
severity: high
description: Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file. Combined with ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.
description: Setup script used to create PhpMyAdmin configurations can be fooled by using a crafted POST request to include arbitrary PHP code in the generated configuration file. Combined with the ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.
reference:
- https://www.phpmyadmin.net/security/PMASA-2009-3/
- https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433

View File

@ -2,7 +2,7 @@ id: CVE-2009-4223
info:
name: KR-Web <= 1.1b2 RFI
description: KR is a web content-server based on Apache-PHP-MySql technology who gives to internet programmers some PHP classes semplifying database content access. Elsewere, it gives some admin and user tools to write, hyerarchize and authorize contents.
description: KR is a web content-server based on Apache-PHP-MySql technology which gives to programmers some PHP classes simplifying database content access. Additionally, it gives some admin and user tools to write, hierarchize, and authorize contents.
reference:
- https://sourceforge.net/projects/krw/
- https://www.exploit-db.com/exploits/10216

View File

@ -4,7 +4,7 @@ info:
name: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
author: exploitation,dwisiswant0,alex
severity: critical
description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:", or "redirectAction:" is not properly sanitized. Since said information will be evaluated as an OGNL expression against the value stack, this introduces the possibility to inject server side code.
reference: http://struts.apache.org/release/2.3.x/docs/s2-016.html
tags: cve,cve2013,rce,struts,apache

View File

@ -4,7 +4,7 @@ info:
name: NETGEAR DGN2200 / DGND3700 - Admin Password Disclosure
author: suman_kar
severity: critical
description: Vulnerability exists within the page 'BSW_cxttongr.htm' which can allow a remote attacker to access this page without any authentication. Attacker can use this password to gain administrator access of the targeted routers web interface.
description: A vulnerability exists within the page 'BSW_cxttongr.htm' which can allow a remote attacker to access this page without any authentication. The attacker can then use this password to gain administrator access of the targeted router's web interface.
tags: cve,cve2016,iot,netgear,router
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-5649

View File

@ -3,7 +3,7 @@ id: CVE-2017-15715
info:
name: Apache Arbitrary File Upload
author: geeknik
description: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename.
description: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.
reference: https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2017-15715
severity: high
tags: cve,cve2017,apache,httpd,fileupload

View File

@ -4,7 +4,7 @@ info:
name: Graphite 'graphite.composer.views.send_email' SSRF
author: huowuzhao
severity: high
description: send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.
description: Graphite's send_email in graphite-web/webapp/graphite/composer/views.py in versions up to 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an email address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.
reference:
- http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
- https://github.com/graphite-project/graphite-web/issues/2008

View File

@ -5,7 +5,7 @@ info:
author: divya_mudgal
severity: critical
reference: https://www.nccgroup.com/ae/our-research/technical-advisory-unauthenticated-sql-injection-in-lansweeper/
description: Lansweeper web application through 7.1.115.4 allows unauthenticated SQL injection via the "row" and "column" GET parameter to the /WidgetHandler.ashx?MethodName=Sort&ID=1&column=INJECTION&row=INJECTION URI.
description: Lansweeper web application through 7.1.115.4 allows unauthenticated SQL injection via the "row" and "column" GET parameters to /WidgetHandler.ashx?MethodName=Sort&ID=1&column=INJECTION&row=INJECTION URI.
tags: cve,cve2019,sqli,lansweeper
requests:

View File

@ -4,7 +4,7 @@ info:
name: Webmin <= 1.920 Unauthenticated Remote Command Execution
author: bp0lr
severity: high
description: An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.
description: An issue was discovered in Webmin <=1.920. The 'old' parameter in password_change.cgi contains a command injection vulnerability.
reference: https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
tags: cve,cve2019,webmin,rce

View File

@ -4,7 +4,7 @@ info:
name: Oracle Business Intelligence - Publisher XXE
author: madrobot
severity: high
description: Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware. The supported version that is affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher).
description: There is an XXE vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware. The supported versions affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-2767
- https://www.exploit-db.com/exploits/46729

View File

@ -4,7 +4,7 @@ info:
name: YouPHPTube Encoder RCE
author: pikpikcu
severity: critical
description: A command injection have been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in /objects/getImage.php is vulnerable to a command injection attack.
description: A command injection vulnerability has been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3, a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in /objects/getImage.php is vulnerable to a command injection attack.
reference: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0917
tags: cve,cve2019,rce

View File

@ -4,7 +4,7 @@ info:
name: GLPI v.9.4.6 - Open redirect
author: pikpikcu
severity: low
description: In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6.
description: In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection, which is based on a regexp. This is fixed in version 9.4.6.
reference:
- https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
- https://github.com/glpi-project/glpi/archive/9.4.6.zip

View File

@ -4,7 +4,7 @@ info:
name: Oracle WebLogic Server Administration Console Handle RCE
author: pdteam
severity: critical
description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attackers with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14883
tags: cve,cve2020,oracle,rce,weblogic

View File

@ -4,7 +4,7 @@ info:
name: WP File Manager RCE
author: foulenzer
severity: critical
description: The vulnerability allows unauthenticated remote attackers to upload .php files. This templates only detects the plugin, not its vulnerability.
description: The vulnerability allows unauthenticated remote attackers to upload .php files. This template only detects the plugin, not its vulnerability.
reference:
- https://plugins.trac.wordpress.org/changeset/2373068
- https://github.com/w4fz5uck5/wp-file-manager-0day

View File

@ -4,7 +4,7 @@ info:
name: ThinkAdmin 6 - Arbitrarily File Read (CVE-2020-25540)
author: geeknik
severity: medium
description: ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthorized attacker can read arbitrarily file on a remote server via GET request encode parameter.
description: ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthorized attacker can read arbitrary files on a remote server via GET request encode parameter.
reference: https://www.exploit-db.com/exploits/48812
tags: cve,cve2020,thinkadmin,lfi

View File

@ -4,7 +4,7 @@ info:
name: NETGEAR ProSAFE Plus - Unauthenticated Remote Code Execution
author: gy741
severity: critical
description: It was found that every section of the web could be used as a valid endpoint to submit POST requests being the action defined by the submitId argument. The problem was located in the login.html webpage, that has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow users execute system commands.
description: NETGEAR ProSAFE Plus was found to allow any HTML page as a valid endpoint to submit POST requests, allowing debug action via the submitId and debugCmd parameters. The problem is publicly exposed in the login.html webpage, which has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow attackers to execute system commands.
reference:
- https://research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/
- https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/

View File

@ -4,7 +4,7 @@ info:
name: Monitorr 1.7.6m - Unauthenticated Remote Code Execution
author: gy741
severity: critical
description: This template detects an Monitorr 1.7.6m a remote code execution vulnerability. Improper input validation and lack of authorization leading to arbitrary file upload in web application. An unauthorized attacker with web access to could upload and execute a specially crafted file leading to remote code execution within the Monitorr.
description: This template detects a remote code execution (RCE) vulnerability in Monitorr 1.7.6m. Improper input validation and lack of authorization leads to arbitrary file uploads in the web application. An unauthorized attacker with web access to could upload and execute a specially crafted file, leading to remote code execution within the Monitorr.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-28871
- https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/

View File

@ -4,7 +4,7 @@ info:
name: Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)
author: LogicalHunter
severity: high
description: The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker can make a request to any internal and external server via /includes/lib/detail.php?subdomain=SSRF.
description: The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker to make a request to any internal and external server via /includes/lib/detail.php?subdomain=SSRF.
reference:
- https://www.exploit-db.com/exploits/49189
- https://nvd.nist.gov/vuln/detail/CVE-2020-28976

View File

@ -3,7 +3,7 @@ info:
name: UnRaid Remote Code Execution
author: madrobot
severity: high
description: A vulnerability in UnRaid allows remote unauthenticated attackers to execute arbirary code.
description: A vulnerability in UnRaid allows remote unauthenticated attackers to execute arbitrary code.
reference: https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/
tags: cve,cve2020,rce

View File

@ -5,7 +5,7 @@ info:
author: dwisiswant0
severity: critical
tags: cve,cve2020,rce
description: LinuxKI v6.0-1 and earlier is vulnerable to an remote code execution which is resolved in release 6.0-2.
description: LinuxKI v6.0-1 and earlier are vulnerable to a remote code execution. This is resolved in release 6.0-2.
reference:
- http://packetstormsecurity.com/files/157739/HP-LinuxKI-6.01-Remote-Command-Injection.html
- http://packetstormsecurity.com/files/158025/LinuxKI-Toolset-6.01-Remote-Command-Execution.html

View File

@ -2,7 +2,7 @@ id: CVE-2020-9402
info:
name: Django SQL Injection
description: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
description: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it is possible to break character escaping and inject malicious SQL.
reference:
- https://github.com/vulhub/vulhub/tree/master/django/CVE-2020-9402
- https://docs.djangoproject.com/en/3.0/releases/security/

View File

@ -3,7 +3,7 @@ info:
name: rConfig Unauthenticated Sensitive Information Disclosure
author: madrobot
severity: high
description: An issue was discovered in includes/head.inc.php in rConfig before 3.9.4. An unauthenticated attacker can retrieve saved cleartext credentials via a GET request to settings.php. Because the application was not exiting after a redirect is applied, the rest of the page still executed, resulting in the disclosure of cleartext credentials in the response.
description: An issue was discovered in includes/head.inc.php in rConfig before 3.9.4. An unauthenticated attacker can retrieve saved cleartext credentials via a GET request to settings.php. Because the application does not exit after a redirect is applied, the rest of the page still executed, resulting in the disclosure of cleartext credentials in the response.
reference:
- https://blog.hivint.com/rconfig-3-9-3-unauthenticated-sensitive-information-disclosure-ead4ed88f153
- https://github.com/rconfig/rconfig/commit/20f4e3d87e84663d922b937842fddd9af1b68dd9

View File

@ -5,7 +5,7 @@ info:
author: dwisiswant0
severity: critical
reference: https://swarm.ptsecurity.com/unauth-rce-vmware/
description: The vulnerability allows unauthenticated remote attackers to upload file leading to remote code execution (RCE). This templates only detects the plugin.
description: The vulnerability allows unauthenticated remote attackers to upload files leading to remote code execution (RCE). This templates only detects the plugin.
tags: cve,cve2021,vmware,rce
requests:

View File

@ -4,7 +4,7 @@ info:
name: VICIdial - Multiple sensitive Information disclosure
author: pdteam
severity: high
description: VICIdial's Web Client contains many sensitive files that can be access from the client side. These files contain mysqli logs, auth logs, debug information, successful and unsuccessful login attempts with their corresponding IP's, User-Agents, credentials and much more. This information can be leveraged by an attacker to gain further access to VICIdial systems. This vulnerability affects all versions as of 20/5/21
description: VICIdial's Web Client contains many sensitive files that can be accessed from the client side. These files contain mysqli logs, auth logs, debug information, successful and unsuccessful login attempts with their corresponding IP's, User-Agents, credentials and much more. This information can be leveraged by an attacker to gain further access to VICIdial systems. This vulnerability affects all versions as of 20/5/2021.
reference: https://github.com/JHHAX/VICIdial
tags: cve,cve2021

View File

@ -3,7 +3,7 @@ id: CVE-2021-33221
info:
name: CommScope Ruckus IoT Controller Unauthenticated Service Details
author: geeknik
description: A 'service details' API endpoint discloses system and configuration information to an attacker without requiring authentication. This information includes DNS and NTP servers that the devices uses for time and host resolution. It also includes the internal hostname and IoT Controller version. A fully configured device in production may leak other, more sensitive information (API keys and tokens).
description: A 'service details' API endpoint discloses system and configuration information to an attacker without requiring authentication. This information includes DNS and NTP servers that the devices use for time and host resolution. It also includes the internal hostname and IoT Controller version. A fully configured device in production may leak other, more sensitive information (API keys and tokens).
reference: https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf
severity: medium
tags: cve,cve2021,commscope,ruckus,debug

View File

@ -4,7 +4,7 @@ info:
author: andysvints
severity: high
tags: glpi,default-login
description: GLPI is an ITSM software tool that helps you plan and manage IT changes. Checking is default super admin account(glpi/glpi) is enabled.
description: GLPI is an ITSM software tool that helps you plan and manage IT changes. This template checks if a default super admin account (glpi/glpi) is enabled.
reference: https://glpi-project.org/
requests:

View File

@ -4,7 +4,7 @@ info:
name: yarn lock file disclosure
author: oppsec
severity: info
description: yarn.lock is a file which store all exactly versions of each dependency were installed.
description: The yarn.lock file stores the versions of each Yarn dependency installed.
tags: exposure
requests:

View File

@ -3,7 +3,7 @@ info:
name: iis-shortname
author: nodauf
severity: info
description: If IIS use old .Net Framwork it's possible to enumeration folder with the symbol ~.
description: When IIS uses an old .Net Framwork it's possible to enumeration folder with the symbol ~.
tags: fuzz
reference:

View File

@ -2,7 +2,7 @@ id: kevinlab-device-detect
info:
name: KevinLAB Devices Detection
description: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy management platform. KevinLAB's BEMS (Building Energy Management System) enables efficient energy management in buildings. It improves the efficient of energy use by collecting and analyzing various information of energy usage and facilities in the building. It also manages energy usage, facility efficiency and indoor environment control.
description: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy management platform. KevinLAB's BEMS (Building Energy Management System) enables efficient energy management in buildings by collecting and analyzing various information of energy usage and facilities as well as efficiency and indoor environment control.
author: gy741
severity: info
tags: iot

View File

@ -4,7 +4,7 @@ info:
name: XP Webcam Viewer Page
author: aashiq
severity: medium
description: Searches for exposed webcams by querying the /mobile.html endpoint and existance of webcamXP in the body
description: Searches for exposed webcams by querying the /mobile.html endpoint and the existence of webcamXP in the body.
tags: webcam,iot
requests:

View File

@ -3,7 +3,7 @@ id: google-floc-disabled
info:
name: Google FLoC Disabled
author: geeknik
description: The detected website has decided to explicity exclude itself from Google FLoC tracking.
description: The detected website has decided to explicilty exclude itself from Google FLoC tracking.
reference: https://www.bleepingcomputer.com/news/security/github-disables-google-floc-user-tracking-on-its-website/
severity: info
tags: google,floc,misc

View File

@ -4,8 +4,8 @@ info:
name: Joomla htaccess file disclosure
author: oppsec
severity: info
description: Joomla have a htaccess file to store some configuration about HTTP Config, Directory Listening etc...
tags: misc
description: Joomla has an htaccess file to store configurations about HTTP config, directory listing, etc.
tags: misc,joomla
requests:
- method: GET

View File

@ -4,8 +4,8 @@ info:
name: Joomla manifest file disclosure
author: oppsec
severity: info
description: joomla.xml is a xml file which stores some informations about installed Joomla, like version, files and paths.
tags: misc
description: joomla.xml is a file which stores information about installed Joomla, such as version, files, and paths.
tags: misc,joomla
requests:
- method: GET

View File

@ -4,7 +4,7 @@ info:
name: Moodle Changelog File
author: oppsec
severity: info
description: Moodle have a file which describes API changes in core libraries and APIs, can be used to discover Moodle version.
description: Moodle has a file which describes API changes in core libraries and APIs, and can be used to discover Moodle version.
tags: misc
requests:

View File

@ -4,7 +4,7 @@ info:
author: DhiyaneshDk
name: AEM UserInfo Servlet
severity: info
description: UserInfoServlet is exposed, it allows to bruteforce credentials. You can get valid usernames from jcr:createdBy, jcr:lastModifiedBy, cq:LastModifiedBy attributes of any JCR node.
description: UserInfoServlet is exposed which allows an attacker to bruteforce credentials. You can get valid usernames from jcr:createdBy, jcr:lastModifiedBy, cq:LastModifiedBy attributes of any JCR node.
tags: aem

View File

@ -4,7 +4,7 @@ info:
name: ITMS-Misconfigured
author: dhiyaneshDK
severity: info
description: detectes misconfigured Service-now ITSM instances
description: Detection of misconfigured ServiceNow ITSM instances.
reference:
- https://medium.com/@th3g3nt3l/multiple-information-exposed-due-to-misconfigured-service-now-itsm-instances-de7a303ebd56
- https://github.com/leo-hildegarde/SnowDownKB/

View File

@ -4,7 +4,7 @@ info:
name: HTTP Missing Security Headers
author: socketz,geeknik,G4L1T0,convisoappsec,kurohost,dawid-czarnecki
severity: info
description: It searches missing security headers, but obviously, could be so less generic and could be useless for Bug Bounty.
description: It searches for missing security headers, but obviously, could be so less generic and could be useless for Bug Bounty.
tags: misconfig,generic
requests:

View File

@ -2,7 +2,7 @@ id: laravel-debug-enabled
info:
name: Laravel Debug Enabled
author: notsoevilweasel
description: Laravel with APP_DEBUG set to true prone to showing verbose errors.
description: Laravel with APP_DEBUG set to true is prone to show verbose errors.
severity: medium
tags: debug,laravel,misconfig

View File

@ -5,7 +5,7 @@ info:
author: iamthefrogy
severity: medium
tags: network,ssh,openssh
description: SSHv1 is a deprecated and have known cryptographic issues.
description: SSHv1 is deprecated and has known cryptographic issues.
reference:
- https://www.kb.cert.org/vuls/id/684820
- https://nvd.nist.gov/vuln/detail/CVE-2001-1473

View File

@ -5,7 +5,7 @@ info:
author: iamthefrogy
severity: info
tags: network,mysql,bruteforce,db
description: MySQL instance with enabled native password support prone vulnerable for password brute-force attack.
description: MySQL instance with enabled native password support is prone to password brute-force attacks.
network:
- host:

View File

@ -5,7 +5,7 @@ info:
author: iamthefrogy
severity: low
tags: network,openssh
description: OpenSSH 5.3 is vulnerable to username enumeraiton and DoS vulnerabilities.
description: OpenSSH 5.3 is vulnerable to username enumeration and DoS vulnerabilities.
reference:
- http://seclists.org/fulldisclosure/2016/Jul/51
- https://security-tracker.debian.org/tracker/CVE-2016-6210

View File

@ -4,7 +4,7 @@ info:
name: Open URL redirect detection
author: afaq,melbadry9,Elmahdi,pxmme1337,Regala_,andirrahmani1,geeknik
severity: low
description: A user-controlled input redirect users to an external website.
description: A user-controlled input redirects users to an external website.
tags: redirect,generic
requests:

View File

@ -4,7 +4,7 @@ info:
name: CouchDB Admin Party
author: organiccrap
severity: high
description: Requests made against CouchDB is done in the context of an admin user.
description: Requests made against CouchDB are done in the context of an admin user.
tags: couchdb
requests:

View File

@ -4,7 +4,7 @@ info:
name: EyeLock nano NXT 3.5 - Local File Disclosure
author: geeknik
severity: high
description: nano NXT suffers from a file disclosure vulnerability when input passed thru the 'path' parameter to 'logdownload.php' script is not properly verified before being used to read files. This can be exploited to disclose contents of files from local resources.
description: nano NXT suffers from a file disclosure vulnerability when input passed through the 'path' parameter to 'logdownload.php' script is not properly verified before being used to read files. This can be exploited to disclose contents of files from local resources.
reference: https://www.zeroscience.mk/codes/eyelock_lfd.txt
tags: iot,lfi,eyelock

View File

@ -4,7 +4,7 @@ info:
name: KevinLAB BEMS (Building Energy Management System) Undocumented Backdoor Account
author: gy741
severity: critical
description: The BEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS is offering remotely.
description: The BEMS solution has an undocumented backdoor account, and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel, and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS is offering remotely.
reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php
tags: kevinlab

View File

@ -4,7 +4,7 @@ info:
name: KevinLAB HEMS Undocumented Backdoor Account
author: gy741
severity: critical
description: The HEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the HEMS is offering remotely.
description: The HEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the HEMS is offering remotely.
reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php
tags: kevinlab,default-login,backdoor

View File

@ -4,7 +4,7 @@ info:
name: NETGEAR DGN2200v1 Router Authentication Bypass
author: gy741
severity: high
description: NETGEAR decided to use to check if a page has “.jpg”, “.gif” or “ess_” substrings, trying to match the entire URL. We can therefore access any page on the device, including those that require authentication, by appending a GET variable with the relevant substring (like “?.gif”).
description: NETGEAR DGN2200v1 Router does not require authentication if a page has “.jpg”, “.gif”, or “ess_” substrings, however matches the entire URL. Any page on the device can therefore be accessed, including those that require authentication, by appending a GET variable with the relevant substring (e.g., “?.gif”).
reference:
- https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/
- https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1

View File

@ -4,7 +4,7 @@ info:
name: sar2html 3.2.1 - 'plot' Remote Code Execution
author: gy741
severity: critical
description: SAR2HTML could allow a remote attacker to execute arbitrary commands on the system, caused by a commend injection flaw in the index.php script. By sending specially-crafted commands, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
description: SAR2HTML could allow a remote attacker to execute arbitrary commands on the system, caused by a command injection flaw in the index.php script. By sending specially-crafted commands, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
reference:
- https://www.exploit-db.com/exploits/49344
tags: sar2html,rce,oob

View File

@ -4,7 +4,7 @@ info:
name: Spring Boot Actuators (Jolokia) XXE
author: dwisiswant0,ipanda
severity: high
description: A vulnerability in Spring Boot Actuators's 'jolokia' endpoint allows remote attackers to preform an XML External Entities attack, include content stored on a remote server as if it was its own - this has the potential to allow the execution of arbitrary code and/or disclosure of sensitive information from the target machine.
description: A vulnerability in Spring Boot Actuators's 'jolokia' endpoint allows remote attackers to perform an XML External Entities (XXE) attack and include content stored on a remote server as if it was its own. This has the potential to allow the execution of arbitrary code and/or disclosure of sensitive information from the target machine.
reference:
- https://www.veracode.com/blog/research/exploiting-spring-boot-actuators
- https://github.com/mpgn/Spring-Boot-Actuator-Exploit

View File

@ -3,7 +3,7 @@ id: azkaban-workflow
info:
name: Azkaban Security Checks
author: pdteam
description: A simple workflow that runs all azkaban related nuclei templates on a given target.
description: A simple workflow that runs all Azkaban related nuclei templates on a given target.
tags: workflow
workflows:

View File

@ -3,7 +3,7 @@ id: bigip-workflow
info:
name: F5 BIG-IP Security Checks
author: dwisiswant0
description: A simple workflow that runs all Bigip related nuclei templates on a given target.
description: A simple workflow that runs all BigIP related nuclei templates on a given target.
tags: workflow
# Supported on Nuclei v2.2.0 (https://github.com/projectdiscovery/nuclei/releases/tag/v2.2.0)

View File

@ -3,7 +3,7 @@ id: lucee-workflow
info:
name: Lucee Detection Workflow
author: geeknik,dhiyaneshDk
description: A simple workflow that runs all Lucee related nuclei templates on given target.
description: A simple workflow that runs all Lucee related nuclei templates on a given target.
tags: workflow
workflows:

View File

@ -1,9 +1,9 @@
id: springboot-workflow
info:
name: Springboot Security Checks
name: Spring Boot Security Checks
author: dwisiswant0
description: A simple workflow that runs all springboot related nuclei templates on a given target.
description: A simple workflow that runs all Spring Boot related nuclei templates on a given target.
tags: workflow
# Supported on Nuclei v2.2.0 (https://github.com/projectdiscovery/nuclei/releases/tag/v2.2.0)

View File

@ -3,7 +3,7 @@ id: worksite-takeover-workflow
info:
name: Worksite Takeover Workflow
author: pdteam
description: A simple workflow that runs DNS based detection to filter hosts runnng worksite and do further HTTP based check to confirm takeover.
description: A simple workflow that runs DNS based detection to filter hosts running Worksite and do further HTTP based check to confirm takeover.
reference: https://blog.melbadry9.xyz/dangling-dns/xyz-services/ddns-worksites
workflows: